The Windows Secure Host Baseline (SHB) provides an automated and flexible approach for assisting the DoD in deploying the latest releases of Windows 10 using a framework that can be consumed by organizations of all sizes.
The DoD CIO issued a memo on November 20, 2015 directing Combatant Commands, Services, Agencies and Field Activities (CC/S/As) to rapidly deploy the Windows 10 operating system throughout their respective organizations with the objective of completing deployment by the end of January 2017. The Deputy Secretary of Defense issued a memo on February 26, 2016 directing the DoD to complete a rapid deployment and transition to Microsoft Windows 10 Secure Host Baseline by the end of January 2017.
Formal product evaluations also support the move to Windows 10. The National Information Assurance Partnership (NIAP) and the National Institute of Standards and Technology (NIST) oversee evaluations of commercial IT products for use in National Security Systems.
Using a Secure Host Baseline is one of the NSA Information Assurance Directorate (IAD) top 10 mitigation strategies. The DoD Secure Host Baseline also exemplifies other IAD top 10 mitigation strategies: application whitelisting, enabling anti-exploitation features, and running the latest version of the operating system and applications.
This repository hosts Group Policy objects, compliance checks, and configuration tools in support of the DoD Secure Host Baseline (SHB) framework for Windows 10. Administrators of National Security Systems, such as those who are part of the Defense Industrial Base, can leverage this repository in lieu of access to the DoD SHB framework for Windows 10 which requires a Common Access Card (CAC) or Personal Identification Verification (PIV) smart card to access.
Scripts for aiding users with the SHB are located in the Scripts sub folders of each component. Scripts available for use so far:
Nessus (aka ACAS in the DoD) audit files are included in this repository. Compliance checks are available for:
Instructions for running the compliance checks in a domain or standalone environment can be found on the Compliance page.
To get started using the tools:
Download the current code to your Downloads folder. It will be saved as Windows-Secure-Host-Baseline-master.zip by default.
The PowerShell commands are meant to run from a system with at least PowerShell 3.0 installed. PowerShell may need to be configured to run the commands.
Users may need to change the default PowerShell execution policy. This can be achieved in a number of different ways:
Users will need to unblock the downloaded zip file. Because it came from the Internet, Windows tags it with the Zone.Identifier alternate data stream (the Mark of the Web), and PowerShell refuses to run marked, unsigned scripts under its default settings. Unblocking the archive before extraction removes the mark from everything inside it. Open a PowerShell prompt in the Downloads folder and run the following command:
Unblock-File -Path '.\Windows-Secure-Host-Baseline-master.zip'
Running the PowerShell scripts inside the zip file without unblocking the file will result in the following warning:
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message.
Do you want to run C:\users\user\Downloads\script.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"):
If the zip file is extracted before it is unblocked, every PowerShell file extracted from it inherits the mark and must be unblocked individually. In that case, run the following command after Step 5 in the Loading the code section:
Get-ChildItem -Path '.\Windows-Secure-Host-Baseline' -Recurse -Include '*.ps1','*.psm1' | Unblock-File -Verbose
See the Unblock-File command's documentation for more information on how to use it.
Now extract the downloaded zip file and load the PowerShell module used to apply the policies:
Import-Module -Name .\Windows-Secure-Host-Baseline\Scripts\GroupPolicy.psm1
The Invoke-ApplySecureHostBaseline command found in the Group Policy PowerShell module is the main command for applying policies. By default this command will:
Options for the command are:
Type Get-Help Invoke-ApplySecureHostBaseline -Full (or the alias man Invoke-ApplySecureHostBaseline) at a PowerShell prompt for more help and examples, or submit a question to the repository issue tracker.
Example for a standalone system, where local policy is written with Microsoft's LGPO tool given by -ToolPath:
Invoke-ApplySecureHostBaseline -Path '.\Windows-Secure-Host-Baseline' -PolicyNames 'Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer','Office 2013','Office 2016','Windows','Windows Firewall' -ToolPath '.\LGPO\lgpo.exe'
If applying the SHB policies to a domain, note that the Group Policy objects are only imported into Active Directory. They are not linked to any OUs, so the settings do not take effect until an administrator links them. Example for a domain:
Invoke-ApplySecureHostBaseline -Path '.\Windows-Secure-Host-Baseline' -PolicyNames 'Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer','Office 2013','Office 2016','Windows','Windows Firewall'
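The steps above (execution policy, unblock, extract, import, apply) chained into one script for a standalone system, with the checks a practitioner wants before local policy is written. This is an added example, not code from the NSA repository. It assumes the zip is in the Downloads folder, that LGPO.exe (from the Microsoft Security Compliance Toolkit) has been extracted to Downloads\LGPO, and that the module path and Invoke-ApplySecureHostBaseline parameters are exactly the ones documented above; the gpupdate/gpresult step at the end is this example's own addition.

```powershell
# Added example, not part of the Windows-Secure-Host-Baseline repository.
# Assumptions: zip in Downloads, LGPO.exe in Downloads\LGPO, module path and
# Invoke-ApplySecureHostBaseline parameters as documented in the README.
#Requires -Version 3.0
[CmdletBinding()]
param(
    [string]$Downloads     = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$ZipPath       = (Join-Path $Downloads 'Windows-Secure-Host-Baseline-master.zip'),
    [string]$LgpoPath      = (Join-Path $Downloads 'LGPO\lgpo.exe'),
    [string[]]$PolicyNames = @('Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer',
                               'Office 2013','Office 2016','Windows','Windows Firewall')
)
$ErrorActionPreference = 'Stop'

# Writing local policy needs an elevated prompt; fail early rather than half-way through.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# Step 1: allow local/unblocked scripts for this process only (nothing is persisted).
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# Step 2: strip the Mark of the Web (Zone.Identifier ADS) from the archive before
# extraction, so the extracted .ps1/.psm1 files are never marked.
if (-not (Test-Path -LiteralPath $ZipPath)) { throw "Zip not found: $ZipPath" }
Unblock-File -LiteralPath $ZipPath

# Step 3: extract. Expand-Archive is PowerShell 5.0+; fall back to .NET 4.5 on 3.0/4.0.
if (Get-Command Expand-Archive -ErrorAction SilentlyContinue) {
    Expand-Archive -LiteralPath $ZipPath -DestinationPath $Downloads -Force
} else {
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [IO.Compression.ZipFile]::ExtractToDirectory($ZipPath, $Downloads)   # throws if files already exist
}

# The GitHub zip unpacks to a "-master" folder while the README paths omit the suffix;
# locate the repository root by its module rather than guessing the name.
$repoRoot = Get-ChildItem -LiteralPath $Downloads -Directory |
    Where-Object { Test-Path (Join-Path $_.FullName 'Scripts\GroupPolicy.psm1') } |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $repoRoot) { throw 'Could not find Scripts\GroupPolicy.psm1 under the extracted archive.' }

# Step 4: prove nothing is still marked, and unblock anything that slipped through
# (for example, if the archive was extracted by hand before Step 2).
$marked = Get-ChildItem -LiteralPath $repoRoot -Recurse -Include '*.ps1','*.psm1' |
    Where-Object { Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue }
if ($marked) {
    Write-Warning "$($marked.Count) script(s) still carry the Mark of the Web; unblocking them."
    $marked | Unblock-File -Verbose
}

# Step 5: load the module and confirm the command exists before touching policy.
Import-Module -Name (Join-Path $repoRoot 'Scripts\GroupPolicy.psm1') -Force
if (-not (Get-Command Invoke-ApplySecureHostBaseline -ErrorAction SilentlyContinue)) {
    throw 'Invoke-ApplySecureHostBaseline was not exported by GroupPolicy.psm1.'
}

# Step 6: a standalone system needs Microsoft's LGPO.exe to write local policy.
if (-not (Test-Path -LiteralPath $LgpoPath)) {
    throw "LGPO.exe not found at $LgpoPath; download it with the Microsoft Security Compliance Toolkit."
}

# Step 7: apply the baseline with the README's standalone parameters.
Invoke-ApplySecureHostBaseline -Path $repoRoot -PolicyNames $PolicyNames -ToolPath $LgpoPath

# Step 8 (this example's addition): refresh policy and write an RSoP report to review.
gpupdate.exe /force | Out-Null
$report = Join-Path $Downloads 'shb-gpresult.html'
gpresult.exe /h $report /f
Write-Host "Applied $($PolicyNames.Count) policy sets; review $report, then reboot for settings that need it."
```

Run it from an elevated prompt; if the execution policy is locked by domain Group Policy, Set-ExecutionPolicy reports an error and the script stops, which is the right outcome on a managed host. The Zone.Identifier check in Step 4 is the reliable test for whether the warning in the previous section will appear: a file with that stream is exactly a file PowerShell will prompt on.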
Once the policies have been applied (and linked to appropriate OUs in the domain case), see the Compliance page for instructions on how to check compliance to the policies.
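Linking the imported GPOs to a pilot OU, as an added example for the domain case above (not code from the repository). It assumes the RSAT GroupPolicy module is installed and the account can link GPOs on the target OU; the display-name pattern is a placeholder, because the names are whatever the import created (list them with Get-GPO -All).

```powershell
# Added example, not part of the Windows-Secure-Host-Baseline repository.
# Assumes the RSAT GroupPolicy module and rights to link GPOs on $TargetOU.
#Requires -Modules GroupPolicy
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$TargetOU,     # e.g. 'OU=SHB Pilot,OU=Workstations,DC=corp,DC=example'
    [Parameter(Mandatory = $true)][string]$NamePattern,  # placeholder: narrow to the imported GPO display names
    [switch]$Enforced                                     # off by default; enforced links override blocked inheritance
)
Import-Module GroupPolicy

$gpos = Get-GPO -All | Where-Object { $_.DisplayName -like $NamePattern } | Sort-Object DisplayName
if (-not $gpos) { throw "No GPOs matched '$NamePattern'. Verify the import with Get-GPO -All." }

# Existing links on the OU, so re-running the script is idempotent.
$linked = @((Get-GPInheritance -Target $TargetOU).GpoLinks | ForEach-Object { $_.GpoId })
$enforce = if ($Enforced) { 'Yes' } else { 'No' }

foreach ($gpo in $gpos) {
    if ($linked -contains $gpo.Id) {
        Write-Verbose "Already linked: $($gpo.DisplayName)"
        continue
    }
    if ($PSCmdlet.ShouldProcess($TargetOU, "Link GPO '$($gpo.DisplayName)'")) {
        New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes -Enforced $enforce | Out-Null
    }
}

# Show the resulting link order; precedence matters when several SHB GPOs set the same keys.
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

Run it first with -WhatIf to see which GPOs would be linked, and link to a pilot OU before the production OUs so the compliance checks can be run on a small set of machines first.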