
windows-secure-host-baseline's Introduction

Windows Secure Host Baseline

About the Windows Secure Host Baseline

The Windows Secure Host Baseline (SHB) provides an automated and flexible approach for assisting the DoD in deploying the latest releases of Windows 10 using a framework that can be consumed by organizations of all sizes.

The DoD CIO issued a memo on November 20, 2015 directing Combatant Commands, Services, Agencies and Field Activities (CC/S/As) to rapidly deploy the Windows 10 operating system throughout their respective organizations with the objective of completing deployment by the end of January 2017. The Deputy Secretary of Defense issued a memo on February 26, 2016 directing the DoD to complete a rapid deployment and transition to Microsoft Windows 10 Secure Host Baseline by the end of January 2017.[1]

Formal product evaluations also support the move to Windows 10. The National Information Assurance Partnership (NIAP) and the National Institute of Standards and Technology (NIST) oversee evaluations of commercial IT products for use in National Security Systems.

Using a Secure Host Baseline is one of the NSA Information Assurance Directorate's (IAD) top 10 mitigation strategies. The DoD Secure Host Baseline also exemplifies other IAD top 10 mitigation strategies, such as using application whitelisting, enabling anti-exploitation features, and using the latest version of the operating system and applications.

About this repository

This repository hosts Group Policy objects, compliance checks, and configuration tools in support of the DoD Secure Host Baseline (SHB) framework for Windows 10. Administrators of National Security Systems, such as those who are part of the Defense Industrial Base, can leverage this repository in lieu of access to the DoD SHB framework for Windows 10 which requires a Common Access Card (CAC) or Personal Identification Verification (PIV) smart card to access.

Questions or comments can be submitted to the repository issue tracker or posted on Windows 10 Secure Host Baseline project forums on Software Forge which requires a CAC or PIV smart card to access.

Repository content

Group Policy Objects

Scripts and tools

Scripts for aiding users with the SHB are located in the Scripts sub folders of each component. Scripts available for use so far:

Compliance checks

Nessus (aka ACAS in the DoD) audit files are included in this repository. Compliance checks are available for:

Instructions for running the compliance checks in a domain or standalone environment can be found on the Compliance page.

Getting started

To get started using the tools:

  1. Download the repository as a zip file
  2. Configure PowerShell
  3. Load the code
  4. Apply the policies
  5. Check compliance

Downloading the repository

Download the current code to your Downloads folder. It will be saved as Windows-Secure-Host-Baseline-master.zip by default.

Configuring the PowerShell environment

The PowerShell commands are meant to run from a system with at least PowerShell 3.0 installed. PowerShell may need to be configured to run the commands.

Changing the PowerShell execution policy

Users may need to change the default PowerShell execution policy. This can be achieved in a number of different ways:

  • Open a command prompt and run powershell.exe -ExecutionPolicy Unrestricted and run scripts from that PowerShell session.
  • Open a PowerShell prompt and run Set-ExecutionPolicy Unrestricted -Scope Process and run scripts from the current PowerShell session.
  • Open an administrative PowerShell prompt and run Set-ExecutionPolicy Unrestricted and run scripts from any PowerShell session.

Unblocking the PowerShell scripts

Users will need to unblock the downloaded zip file, since it will be marked as having been downloaded from the Internet and PowerShell blocks such scripts from executing by default. Open a PowerShell prompt and run the following commands to unblock the PowerShell code in the zip file:

  1. cd $env:USERPROFILE
  2. cd Downloads
  3. Unblock-File -Path '.\Windows-Secure-Host-Baseline-master.zip'

Running the PowerShell scripts inside the zip file without unblocking the file will result in the following warning:

Security warning Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\users\user\Downloads\script.ps1? [D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

If the downloaded zip file is not unblocked before extracting it, then all the individual PowerShell files that were in the zip file will have to be unblocked. You will need to run the following command after Step 5 in the Loading the code section:

Get-ChildItem -Path '.\Windows-Secure-Host-Baseline' -Recurse -Include '*.ps1','*.psm1' | Unblock-File -Verbose

See the Unblock-File command's documentation for more information on how to use it.

Loading the code

Now extract the downloaded zip file and load the PowerShell code used to apply the policies.

  1. Right click on the zip file and select Extract All
  2. At the dialog remove Windows-Secure-Host-Baseline-master from the end of the path since it will extract the files to a Windows-Secure-Host-Baseline-master folder by default
  3. Click the Extract button
  4. Rename the Windows-Secure-Host-Baseline-master folder to Windows-Secure-Host-Baseline
  5. Open a PowerShell prompt as an administrator
  6. Import the Group Policy PowerShell module to load the code into the PowerShell session: Import-Module -Name .\Windows-Secure-Host-Baseline\Scripts\GroupPolicy.psm1

Applying the policies

The Invoke-ApplySecureHostBaseline command found in the Group Policy PowerShell module is the main command for applying policies. By default this command will:

  • Import both Computer and User policies. Use the -PolicyScopes option and specify only the 'User' or 'Computer' value to import only User or Computer policies.
  • Import policies, that have an audit option (e.g. AppLocker), in audit mode. To import those policies in enforcement mode, use the -PolicyMode option and specify the 'Enforced' value.
  • Make a backup copy of existing imported SHB Group Policy objects (and Group Policy templates if the -UpdateTemplates option is used) if they exist. The backups will be in a directory located at %USERPROFILE%\Desktop\Backup_yyyyMMddHHmmss corresponding to the time when the command was executed. To change this location use the -BackupPath option and specify a path to an existing folder where the Backup_yyyyMMddHHmmss folder will be created.
  • Not update the Group Policy template files that correspond to the applied Group Policy objects. Use the -UpdateTemplates option to update the Group Policy templates.

Options for the command are:

  • -Path - Required. The path to the folder containing the downloaded and extracted GitHub SHB repository.
  • -PolicyNames - Required. The names of the policies to apply. Can be 1 or more policy names. Available names: 'ActivClient', 'Adobe Reader', 'AppLocker', 'Certificates', 'Chrome', 'Internet Explorer', 'Office 2013', 'Office 2016', 'Windows', 'Windows Firewall'.
  • -PolicyScopes - Optional. The scope of the policies to apply. Available scopes: 'Computer', 'User'. Defaults to 'Computer','User'.
  • -PolicyType - Optional. The type of policies to apply. Available types: 'Domain', 'Local'. Defaults to 'Domain' when joined to a domain. Defaults to 'Local' when not joined to a domain.
  • -PolicyMode - Optional. The mode of policies to apply, if supported by the specific policy. For example, AppLocker supports audit and enforcement modes. Available modes: 'Audit', 'Enforced'. Defaults to 'Audit'.
  • -BackupPath - Optional. The path to a folder to save backups of existing imported SHB Group Policy objects (and Group Policy templates if the -UpdateTemplates option is used) if they exist in case a rollback is needed. Defaults to $env:USERPROFILE\Desktop\Backup_yyyyMMddHHmmss corresponding to when the script was executed.
  • -ToolPath - Optional. The path to the LGPO tool. Required when PolicyType is 'Local'.
  • -UpdateTemplates - Optional. Update Group Policy templates that correspond to the applied Group Policy objects.

Type man Invoke-ApplySecureHostBaseline at a PowerShell prompt for more help and examples or submit a question to the repository issue tracker.

Applying the SHB policies to a standalone system

If applying the SHB policies to a standalone system (i.e. one not joined to a domain), then download the LGPO tool from this Microsoft blog post and extract the executable.

Invoke-ApplySecureHostBaseline -Path '.\Windows-Secure-Host-Baseline' -PolicyNames 'Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer','Office 2013','Office 2016','Windows','Windows Firewall' -ToolPath '.\LGPO\lgpo.exe'

Applying the SHB policies to a domain

If applying the SHB policies to a domain, note that the Group Policy objects are only loaded into Active Directory. The policies are not linked to any OUs, so the settings do not automatically take effect.

Invoke-ApplySecureHostBaseline -Path '.\Windows-Secure-Host-Baseline' -PolicyNames 'Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer','Office 2013','Office 2016','Windows','Windows Firewall'

Checking compliance

Once the policies have been applied (and linked to appropriate OUs in the domain case), see the Compliance page for instructions on how to check compliance to the policies.
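The getting-started steps above (unblock, extract, load, apply) collected into one script with the checks a practitioner would want before importing policies. This is an added example, not code from the SHB repository; the zip and LGPO locations under the Downloads folder are assumptions, and the script deliberately stays in audit mode.

```powershell
# Added example (not part of the SHB repository). Assumes the zip was saved to
# the Downloads folder with its default name and that lgpo.exe (needed only for
# standalone systems) was extracted to Downloads\LGPO. Requires PowerShell 3.0+.
$ErrorActionPreference = 'Stop'

$downloads  = Join-Path $env:USERPROFILE 'Downloads'
$zipPath    = Join-Path $downloads 'Windows-Secure-Host-Baseline-master.zip'
$shbPath    = Join-Path $downloads 'Windows-Secure-Host-Baseline'
$lgpoPath   = Join-Path $downloads 'LGPO\lgpo.exe'   # assumed location of the LGPO tool
$backupRoot = Join-Path $env:USERPROFILE 'Desktop'   # Backup_yyyyMMddHHmmss is created beneath this

# The README requires PowerShell 3.0 or later and an administrative prompt.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell 3.0 or later is required (found $($PSVersionTable.PSVersion))."
}
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an administrative PowerShell prompt.'
}

# Unblock the zip BEFORE extracting so the scripts inside are not marked as Internet content.
if (-not (Test-Path -Path $zipPath)) { throw "Zip file not found: $zipPath" }
Unblock-File -Path $zipPath

# Extract and rename. System.IO.Compression works on PowerShell 3.0 with .NET 4.5
# (Expand-Archive would need PowerShell 5.0).
if (-not (Test-Path -Path $shbPath)) {
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [System.IO.Compression.ZipFile]::ExtractToDirectory($zipPath, $downloads)
    Rename-Item -Path (Join-Path $downloads 'Windows-Secure-Host-Baseline-master') `
                -NewName 'Windows-Secure-Host-Baseline'
}

# If the folder was extracted earlier without unblocking, the individual scripts still
# carry a Zone.Identifier stream; unblock only those that do.
$blocked = Get-ChildItem -Path $shbPath -Recurse -Include '*.ps1','*.psm1' |
    Where-Object { Get-Item -Path $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue }
if ($blocked) { $blocked | Unblock-File -Verbose }

# Load the Group Policy module with Import-Module rather than dot-sourcing.
Import-Module -Name (Join-Path $shbPath 'Scripts\GroupPolicy.psm1') -Force

# Choose the policy type the way the README describes: Domain when joined, otherwise Local.
$partOfDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$policyType   = if ($partOfDomain) { 'Domain' } else { 'Local' }

$params = @{
    Path         = $shbPath
    PolicyNames  = 'Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer',
                   'Office 2013','Office 2016','Windows','Windows Firewall'
    PolicyScopes = 'Computer','User'
    PolicyType   = $policyType
    PolicyMode   = 'Audit'        # review AppLocker audit events before switching to 'Enforced'
    BackupPath   = $backupRoot    # existing folder; the timestamped backup folder is created inside it
}
if ($policyType -eq 'Local') {
    # Local mode needs the LGPO tool; fail before any import rather than partway through.
    if (-not (Test-Path -Path $lgpoPath)) { throw "LGPO tool not found at $lgpoPath" }
    $params['ToolPath'] = $lgpoPath
}

Invoke-ApplySecureHostBaseline @params

if ($policyType -eq 'Domain') {
    Write-Host 'GPOs were imported into Active Directory; they take effect only once linked to OUs.'
}
```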

License

See LICENSE.

Disclaimer

See DISCLAIMER.

windows-secure-host-baseline's People

Contributors

iadgovuser1, iadgovuser6, jhofferle, phil-champ, philkloose, wesr


windows-secure-host-baseline's Issues

New DoD Root and Intermediate CAs

DISA has distributed the CA certificates for Root CAs 4 and 5, as well as the intermediate CA certificates through 52. The most recent one in the current package on this site is Root CA 3 and Intermediate CA 38.

Broken link at the bottom of the main README.md page

Hello IAD:

At the very bottom of this page:

 https://github.com/iadgov/Secure-Host-Baseline/blob/master/README.md

There is a link to "Compliance page", but this link is broken (404 not found).

Cheers,
Jason

Error in Adobe Reader ADML

Lines 126 and 127 in ReaderDC.adml are missing the comment markers <!-- --> before and after. This causes an error to be displayed when opening the Group Policy Editor.


The output of Test-Compliance

Hello IAD:

There will be people who will want to run commands like this to save the output of Test-Compliance:

Test-Compliance -Path '..\..\Windows\Compliance\Windows 10.audit' | Out-File -FilePath .\Report.txt

But this will fail because of the Write-Host commands in the function. The following command will work though:

Test-Compliance -Path '..\..\Windows\Compliance\Windows 10.audit' *> .\Report.txt

The "*>" redirection operator is available on PowerShell 3.0 and later.

Please consider adding some guidance on the Compliance Checks page's README.md about how to save the output of Test-Compliance using "*>" since this is not an obvious trick, and showing a one-liner using "Select-String -Pattern 'FAILED'" on the output file to extract the important stuff could also be nice.

(Btw, the above audit file, "Windows 10.audit", has a space character in its name (sorry to nitpick!) and, when used with Test-Compliance, the output includes Get-ChildItem and Get-Service exception errors when there is no McAfee software installed. This is a trivial issue, but it does clutter the output when redirecting the output to a file.)

I'm sure this is not news to you, you're probably planning/working on this already, but it would be even better to change the output of Test-Compliance to an array of objects with properties like ComputerName, Status, Description, Info, etc. This would make it much nicer for the sake of remote compliance scanning with Invoke-Command and saving the output in different formats like CSV, XML or JSON. Most people will just use Nessus of course, so it's not a burning issue.

Thanks for the great project!

Cheers,
Jason

Windows 10 audit file does not fail gracefully when AV is not installed

OneDrive ADMX/ADML

Please add the OneDrive ADMX/L templates to either the Windows or Office 2016 SHB baseline.
Policies are being set for OneDrive:

Prevent users from using the remote file fetch feature to access files on the machine (32-bit) = Enabled
Prevent users from using the remote file fetch feature to access files on the machine (64-bit) = Enabled

Prevent users from configuring personal OneDrive accounts = Enabled.

ADMX/L templates can be found here

Error in Adobe Reader ADMX

There were multiple errors I had to fix to make use of it. I have attached a corrected copy of the ADMX. First, there were duplicates of this line:
<definition displayName="$(string.SupportedReader10)" name="SupportedReader10"/>

Then there was a missing
<definition displayName="$(string.SupportedReader95)" name="SupportedReader95"/>

Fixing that I was then able to get it accepted to the console.

I found another issue with TrustedOSSites. The setting is reversed, as the registry key is a Disable OSTrusted Sites. So setting it to 1 actually turns off the OSSites. I flipped the 0 and the 1 and it works as intended. I didn't update the ADML file to describe what's going on here with this one.
ReaderDC.admx.txt

Error running Invoke-ApplySecureHostBaseline: "The variable cannot be validated because the value is not a valid value for the ToolPath variable"

Hello!

First of all, thanks for this amazing tool. I am getting an error when running Invoke-ApplySecureHostBaseline on a Domain Controller running Windows Server 2008 R2 with PowerShell 5.

When I run the command: Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Adobe Reader'

The error says: "The variable cannot be validated because the value is not a valid value for the ToolPath variable"


Thanks!

Instructions to uninstall or remove a policy

Is there documentation somewhere on how to revoke the policies after they are applied, or modify them?

Use case:

I'm a home single-user only, I tested this SHB policy by following the instructions on README. After applying the policy, I've had some features that I'd like to reset/cancel and even fully disable the SHB so I can re-use my workstation just like before.

Powershell DSC

I believe the practices published in this very successful repo can be converted to Powershell DSC by hand or using Microsoft/BaselineManagement and checked by Microsoft/DSCEA after the initial run. It would help automate the process and make a quality check after application.

Test-Compliance on Windows 2016

Test-Compliance on Windows 2016 with the audit file: DISA_STIG_Server_2016_v1r1.audit returns the following error.

Cannot validate argument on parameter 'checkType'. The argument CHECK_REGEX does not belong...

FAILED windows Server 2016 is not installed on this system or the Remote Registry service is disabled on the target.

I am thinking that this is because the audit file calls for CHECK_REGEX and the Compliance.psm1 only supports the audit items:

Script currently supports following audit items:
    ANONYMOUS_SID_SETTING
    AUDIT_POLICY_SUBCATEGORY
    AUDIT_POWERSHELL
    CHECK_ACCOUNT
    FILE_CHECK
    FILE_PERMISSIONS
    FILE_VERSION
    LOCKOUT_POLICY
    PASSWORD_POLICY
    REG_CHECK
    REGISTRY_PERMISSIONS
    REGISTRY_SETTING
    REPORT
    SERVICE_POLICY
    USER_RIGHTS_POLICY

README.md Unblock-File Command

Thanks for the great project!

Trivial thing: in the README.md file there is an example command to unblock files:

[System.IO.FileInfo[]]@(Get-ChildItem -Path '.\Secure-Host-Baseline') -Recurse -Filter '*.ps1' | Unblock-File**

Note that there is also at least one .psm1 file (CreateCIPolicy.psm1) that doesn't match your filter, and the two asterisks at the end (**) is a typo.

Also, the total number of files is small, so is there a reason not to use something simpler like:

cd
dir -path . -recurse | unblock-file

Thanks!

Typo in Windows/Compliance/Windows 10.audit

There is a typo in the file Windows/Compliance/Windows 10.audit on line 1591 that gave me a slight chuckle. The line reads as follows (typo bold for emphasis):

description : "WN10-CC-000050: Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\NETLOLGON and \\*\SYSVOL share."

It should read as follows (correction bold for emphasis):

description : "WN10-CC-000050: Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\NETLOGON and \\*\SYSVOL share."

Unrelated: a huge THANK YOU for making these resources publicly available!

Dell HW Models that are compatible but not cred/device guard compliant

Upon reviewing the GitHub site: https://github.com/iadgov/Secure-Host-Baseline/blob/master/Hardware/Dell/Updates.md
I have found HW models below that are compliant based on driver updates for either device guard or credential guard or both:
Support Windows 10 Device Guard
Latitude E6440
Latitude E6540
Latitude E7240
Latitude E7250
OptiPlex 7010
OptiPlex 7020
OptiPlex 9010
OptiPlex 9020
OptiPlex 9020M
Precision M4800
Precision M6800
Precision R7610
Precision T1700
Precision T5610
Precision Tower 5810
Precision Tower 7910

Updated SecureMOR for Credential Guard
OptiPlex 9010
Precision R7610
Precision T5610

However, the Dell vendor representative for the Army Corps of Engineers looked at the GitHub site, and reported that the models above will not support security features for device guard and credential guard.

Could anyone confirm on above model list if the GitHub site information posted was correct?

Office 2016 Administrative Templates - New Release

Microsoft has released a new set of administrative templates for the entire Office 2016 suite of products. The files are available at the below link.

https://www.microsoft.com/en-us/download/details.aspx?id=49030

The download includes new ADMX/ADML files, an updated version of the Office Customization Tool (OCT), and an Excel file containing details on each Office group policy setting. I did run a comparison on a few of the ADMX files and they do contain changes that do not appear in the older versions posted here.

README.md Loading instructions with path to SHB folder

Thanks for the great project!

Trivial issue:

In the "Loading the Code" section, step 6 is to cd into the SHB folder.

Later, in the "Applying The Policies" section, the command as shown is to "Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' ...", which will fail if the user is already in the SHB folder from step 6 above.

This is trivial, and people with shell experience will easily figure it out, but PowerShell novices will get errors and struggle unnecessarily.

Thanks!

Perhaps use Import-Module GroupPolicy.psm1 instead of dot-sourcing

Hello IAD:

Currently, the instructions are to dot-source the GroupPolicy.ps1 script. Dot-sourcing still works, but it's not Microsoft's recommendation and people new to PowerShell don't like the syntax of using a single period as a command.

Suggestion: rename the extension of GroupPolicy.ps1 to GroupPolicy.psm1, then use the Import-Module cmdlet instead of dot-sourcing, like this:

Import-Module -Name .\Secure-Host-Baseline\Scripts\GroupPolicy.psm1

Using the Import-Module cmdlet like this has been supported since PowerShell 2.0.

In the long run, hopefully this whole SHB project will become a package in the PowerShell Gallery (www.powershellgallery.com) as a "proper" module in its own folder, etc., but the above change can be done immediately.

I've tested the above change on Server 2016 and there were no new error messages (the current errors related to ADMX/ADML files and GPO imports are already known).

Cheers,
Jason

README.md The GPOs which are backed up

Thanks for the great project!

Trivial issue:

In the "Applying the Policies" section it says the function will "Make a backup copy of existing Group Policy Objects", which implies all GPOs. However, it should say something like "Make a backup copy of existing Group Policy Objects previously created for the Secure Host Baseline" because it does not back up all existing GPOs.

The first time the Invoke-ApplySecureHostBaseline is run, the %UERPROFILE%\Desktop\Backup_yyyyMMddHHmmss folder will still be created, but its subdirectories will be empty because the SHB GPOs don't exist yet. The backup folder shouldn't be created unless there are SHB GPOs to back up.

Thanks!

Issue #20 Still not resolved

Issue #20 is still not resolved. The SecGuide.admx does not match the DISA Windows 10 STIG V1R7. Specifically, it is missing Pol_SecGuide_RemoveRunasdifferentuser.

LocalGPO still in effect after joining a domain...

I'm in the process of testing GPOs for several different Win10 SHB clients and have run into a couple of issues that I'm perplexed by. After I join the workstation to the domain and move the workstation into the correct container so policies can be pushed, I run into a couple of unusual errors. Thinking the error might be group policy related, I ran "gpresult.exe" on the workstation to see where the issues might be. Under the "Applied GPOs" section of the report, there is an entry for "LocalGPO" and states that it is applied along with the other GPOs I set up.

Is there a way for me to check the registry for the settings that make up the "LocalGPO"? I've checked the local security policy and none of the settings seem to be out of the ordinary. One of the odd results is that I'm no longer able to right-click on anything on the desktop - and was wondering if this was a setting in the "LocalGPO" that I'm unable to see.

Errors: Could not find part of the path to various admx/adml on Server 2016

Thanks for the great project!

Command executed which produces errors:

Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Adobe Reader','AppLocker','Certificates','Chrome','EMET','Internet Explorer','Office 2013','Windows','Windows Firewall' -UpdateTemplates

Produces 40+ exceptions for various ADMX and ADML file paths similar to:

Copy-Item : Could not find a part of the path 'C:\Windows\PolicyDefinitions\Office 2013\en-us\access15.adml'.
At C:\temp\Secure-Host-Baseline\Scripts\GroupPolicy.ps1:1485 char:29
+ ... Copy-Item -Path $newTemplate -Destination $targetTemplate ...
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-Item], DirectoryNotFoundException
    + FullyQualifiedErrorId : System.IO.DirectoryNotFoundException,Microsoft.PowerShell.Commands.CopyItemCommand

All of these ADMX/ADML path errors were preceded by this error:

Import-GPO : The system cannot find the path specified. (Exception from HRESULT: 0x80070003)
At C:\temp\Secure-Host-Baseline\Scripts\GroupPolicy.ps1:823 char:5
+     Import-GPO -Path $Path -BackupId $BackupGuid -TargetName $Name -C ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-GPO], DirectoryNotFoundException
    + FullyQualifiedErrorId : System.IO.DirectoryNotFoundException,Microsoft.GroupPolicy.Commands.ImportGpoCommand

Here is the list of ADMX/ADML files not found:

access15.adml
excel15.adml
inf15.adml
lync15.adml
office15.adml
onent15.adml
outlk15.adml
ppt15.adml
proj15.adml
pub15.adml
spd15.adml
visio15.adml
word15.adml
access15.admx
excel15.admx
inf15.admx
lync15.admx
office15.admx
onent15.admx
outlk15.admx
ppt15.admx
proj15.admx
pub15.admx
spd15.admx
visio15.admx
word15.admx
access16.adml
excel16.adml
lync16.adml
office16.adml
onent16.adml
outlk16.adml
ppt16.adml
proj16.adml
pub16.adml
visio16.adml
word16.adml
access16.admx
excel16.admx
lync16.admx
office16.admx
onent16.admx
outlk16.admx
ppt16.admx
proj16.admx
pub16.admx
visio16.admx
word16.admx

None of the above files are found in these folders:
.\Secure-Host-Baseline\Windows\Group Policy Templates
.\Secure-Host-Baseline\Windows\Group Policy Templates\en-US\

When the -UpdateTemplates switch is not used, the above ADMX/ADML path errors are not thrown, but the Import-GPO errors are still thrown.

My test VM: The eval version of Server 2016 Datacenter with the Desktop Experience, PowerShell 5.1.14393.0, configured as the sole domain controller, logged on as Domain Admin, running PoSh as administrator.

(I suspect the culprit is the [System.Version] test on line 1478 of GroupPolicy.ps1, or maybe the version info in the policy.info files for the GPOs used by the Get-GPODefinitions function, but just guessing, didn't try it out.)

Thanks!

Group Policy .*psm1 Error

Procedural steps for computer not connected to a domain followed, LGPO.exe file downloaded and extracted as instructed. Please assist or advise how to eliminate ".psm1 521 char:5", ".psm1 522 char 5" ".psm1 709 char 9", etc...
SHB-ticket.txt

Text file attached for reference. Thank you.

Activating the SHB

What method is used to activate a standalone SHB that does not have internet access. System will not allow telephone activation with the Enterprise License.

Office 2016

Office 2016 policies are not an option when using Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Office 2016'

Win10 SHB disabling 64-bit option on VirtualBox

  • Operating System: Windows10 Secure Host Baseline

  • Issue: Win10 SHB security blocking virtualization for Oracle VirtualBox

Steps already taken to fix issue:

1. Booted into BIOS and enabled Virtualization Technology (VTx), Virtualization Technology for Directed I/O (VTd), and Trusted Execution Technology (TXT) and SAVED

2. On desktop I have completely disabled Hyper-V

3. The option for 64-bit showed up BUT when computer restarted the option no longer existed and all Virtual Machines created under 64-bit were converted into 32-bit and rendered useless

None of the BIOS settings have changed and Hyper-V is still disabled yet the only option from Oracle VirtualBox is 32-bit when attempting to create a Virtual Machine.

Perhaps change Compliance.ps1 to Compliance.psm1 and use Import-Module

Hello IAD:

On the page for Compliance Checks:

https://github.com/iadgov/Secure-Host-Baseline/blob/master/Compliance/README.md

Consider renaming the Compliance.ps1 script to Compliance.psm1 to make it a module file, then using Import-Module instead of dot-sourcing the script (just like for GroupPolicy.psm1).

I haven't tested this change on Windows 10, but on Server 2016 it worked fine.

Also, on that page above, please consider adding a note that Nessus is not required to run the Test-Compliance function on a standalone machine, e.g., "The following instructions can be used to execute a compliance check locally. This does not require Nessus to be installed." I know this seems obvious, but I've had two students ask this question.

Happy New Year!
Jason

Missing STIG ADMX/ADML

Minor issue but the DISA Windows 10 STIG v1R7 admx/l templates, specifically MSS-legacy and SecGuide, are not included and distributed with the SHB. While minor, this does cause some issues when running RSOP or GPRESULT as the settings contained within come up as "Extra Registry Settings."

SHB v10.0.2 (SDC 5.2) Deployment Error Code

User getting SHB v10.0.2 errors during Deployment Summary, screenshot attached. Only changes mentioned in the guide were made to the Deployment Workbench (e.g. no new applications added, core applications were not modified) but received the following 2 errors. Need assistance with how to troubleshoot and what this return code means.

Application SHB Core Required -DoD NIPR Certs returned an unexpected return code 60002
Application SHB Core Required -McAfee Virus Scan Enterprise returned an unexpected return code: 60002


Code signing

Can the scripts included in the SHB package be signed, so the PowerShell execution policy doesn't need to be set to a less secure level?

Make CBB check more specific

For STIG ID WN10-00-000040/Vuln ID V-63349, check CurrentBuild >=14393 and UBR >= 447 for CBB rather than only checking ReleaseID is 1607.
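The stricter CBB check proposed above, written as an added PowerShell example (not one of the SHB audit files). The 14393/447 thresholds and the STIG/Vuln IDs come from the issue text; the check generalizes the proposal slightly by treating any build newer than 14393 as passing regardless of its UBR, since the UBR only orders updates within one build.

```powershell
# Added example: report whether the installed Windows 10 build meets the CBB floor
# described in the issue (CurrentBuild 14393 with UBR 447 or later), instead of
# only checking that ReleaseId is 1607. Values are read from the standard
# CurrentVersion registry key. Thresholds are parameters so they can be raised later.
function Test-Win10CbbBuild {
    [CmdletBinding()]
    param(
        [int]$MinimumBuild = 14393,
        [int]$MinimumUbr   = 447
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ver = Get-ItemProperty -Path $key

    # CurrentBuild is stored as a string; UBR is a DWORD (absent on very old builds).
    $build = [int]$ver.CurrentBuild
    $ubr   = if ($null -ne $ver.UBR) { [int]$ver.UBR } else { 0 }

    # Pass when the build is newer than the floor, or equal to it with a sufficient UBR.
    $compliant = ($build -gt $MinimumBuild) -or
                 ($build -eq $MinimumBuild -and $ubr -ge $MinimumUbr)

    [pscustomobject]@{
        StigId       = 'WN10-00-000040'
        VulnId       = 'V-63349'
        ReleaseId    = $ver.ReleaseId
        CurrentBuild = $build
        UBR          = $ubr
        Required     = "$MinimumBuild.$MinimumUbr"
        Status       = if ($compliant) { 'PASSED' } else { 'FAILED' }
    }
}

# Example run; pipe to Export-Csv or ConvertTo-Json for reporting.
Test-Win10CbbBuild | Format-List
```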

Issue with SCR3310v2 reader

I am trying to get the SHB to work in my enclave.

I have a Dell OptiPlex 7040 which is apparently supported according to the IASE links to Dell. Everything works (including the 7040 drivers) except for the CAC reader. No matter what I try, I cannot get SHB Win 10 to recognize the reader. Upon bootup, ActivClient complains that it can't find a CAC reader. Device Manager gives me an ! mark for "SCR3310 USB Smart Card Reader". I have tried manually installing the driver from MilitaryCAC, and that doesn't help. Tried deleting the driver, unplugging and plugging it back in to let Windows install the driver. Installing other drivers doesn't help as it says that the existing driver is the "best" driver.

We have no problem with our existing Windows 7 machines with these readers. I even tried a working reader from another machine to rule out a physical defect. It appears to be an issue with WIN 10 SHB and the reader.

Support would be appreciated!

Missing content in Device Whitelisting

Hello,

Thank you for your great project. I found the directory "Device Whitelisting" but it is without any useful information. Can you update it? :)

Thank you.
Michal

Acrobat Reader Administrative Template error

In the ReaderDC.admx administrative template line 273 there is an error that creates the DWORD value "bAdobeSendPluginToggle" in key "cServices" instead of key "cCloud".

Ref Adobe Acrobat DC Continuous Track STIG V1R2 ID V-64937 - Using the Registry Editor, Navigate to the following HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cCloud
Value Name: bAdobeSendPluginToggle
Type: REG_DWORD
Value: 0

Group Policy Local

I'm trying to set some local policies for Chrome, but it does not seem to work. I'm trying to set the start page; Chrome seems to ignore locally defined policies. Do you have any idea what that might be?

Default to Smart Card Win10 Build 1607

Using 1607 in a Citrix App Layering VDI setting and we've tried different combinations of trying to get Windows to default to Smart Card.

When turning off Show Last User we get Other User, and from this screen password options are only defaulting, despite setting Default Credential Provider for the Smart Card Provider.

We've even had issues when setting Enforce Smart Card: it will still not default to it, and you still have to select sign-in options and choose a smart card.

We've also tried with DoD configuration set in Local GP, but that doesn't seem to change the behavior any. Is it needed to be set?
Does ActivClient use a different provider than the Microsoft one?

On the Citrix side of things, we've tried having ActivClient in OS, Platform and App Layers with no noticeable changes.

Dell HW models that are not security compliant for Win10

Upon reviewing the GitHub site: https://github.com/iadgov/Secure-Host-Baseline/blob/master/Hardware/Dell/Updates.md
I have found the HW models below that are compliant based on driver updates for either Device Guard or Credential Guard or both:
Support Windows 10 Device Guard
Latitude E6440
Latitude E6540
Latitude E7240
Latitude E7250
OptiPlex 7010
OptiPlex 7020
OptiPlex 9010
OptiPlex 9020
OptiPlex 9020M
Precision M4800
Precision M6800
Precision R7610
Precision T1700
Precision T5610
Precision Tower 5810
Precision Tower 7910

Updated SecureMOR for Credential Guard
OptiPlex 9010
Precision R7610
Precision T5610

However, the Dell vendor representative for the Army Corps of Engineers looked at the GitHub site and reported that the models above will not support the security features for Device Guard and Credential Guard.

Could anyone confirm whether the GitHub site information posted for the above model list is correct?

Thank you.

Windows 10 IIS Compliance Audit Insufficient

I recently ran into issues with STIG ID WN10-00-000100 and a false positive using the OVAL content. In an effort to double check myself, I looked at what the Windows10.audit file expected and noticed it would be insufficient in determining if IIS is actually installed and running on the system.

The "Windows Process Activation Service" will also install IIS on the system.

The compliance audit run against this verifies that the number of "Enabled" entries is greater than 0 using PowerShell, with powershell_args: "((Get-WindowsOptionalFeature -Online -FeatureName IIS*).State | select-string 'Enabled').Count". This doesn't catch this instance of the WPA service or its IIS components installed to C:\Windows\System32\inetsrv.

However, if the registry key HKLM\SOFTWARE\Microsoft\Inetstp\Components exists, it generally points to an instance of IIS being installed, based on the OVAL method.

That is about as far as I got before I removed it and moved on.
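The multi-signal check the post argues for, as an added example (it is not part of the SHB project's audit content): it combines the Windows10.audit optional-feature count with the WPAS feature, the Inetstp\Components registry key the OVAL content uses, the inetsrv directory and the W3SVC service, so a WPAS-only install is still flagged. Run it in an elevated PowerShell session on Windows 10; the feature name WAS-WindowsActivationService is the standard Windows optional-feature name.

```powershell
# Added example, not from the SHB repository. Each signal is reported
# separately so an auditor can see which one fired for WN10-00-000100.
function Test-IisInstalled {
    [CmdletBinding()]
    param()

    $signals = [ordered]@{}

    # 1. The check Windows10.audit performs: any enabled IIS* optional feature.
    $iisFeatures = Get-WindowsOptionalFeature -Online -FeatureName 'IIS*' -ErrorAction SilentlyContinue
    $signals['IisOptionalFeatureEnabled'] = @($iisFeatures | Where-Object State -eq 'Enabled').Count -gt 0

    # 2. Windows Process Activation Service also installs IIS components.
    $was = Get-WindowsOptionalFeature -Online -FeatureName 'WAS-WindowsActivationService' -ErrorAction SilentlyContinue
    $signals['WasFeatureEnabled'] = ($null -ne $was) -and ($was.State -eq 'Enabled')

    # 3. Registry key written by IIS setup, as used by the OVAL method.
    $signals['InetstpComponentsKey'] = Test-Path 'HKLM:\SOFTWARE\Microsoft\Inetstp\Components'

    # 4. On-disk IIS binaries.
    $signals['InetsrvDirectory'] = Test-Path (Join-Path $env:SystemRoot 'System32\inetsrv')

    # 5. The W3SVC service only exists once the web server role is installed.
    $signals['W3svcService'] = $null -ne (Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        IisPresent = ($signals.Values -contains $true)
        Signals    = $signals
    }
}

$result = Test-IisInstalled
$result.Signals.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
if ($result.IisPresent) { 'IIS components detected: WN10-00-000100 should be reviewed manually.' }
else { 'No IIS components detected.' }
```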

STIGs VS SHB

Are the policies contained within the SHB a mirror of the DISA STIGs for those applications/operating system or is there additional development/tweaks that are done? Thank you in advance.

Image error

I'm getting an error when deploying the SHB VM image. I receive a message saying it was successfully deployed, then it immediately crashes. The error is "Your operating system couldn't be loaded because the system registry is missing or corrupt." What am I doing wrong?

Acrobat Reader DC GPO Policy

Policy is incorrectly setting:

HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown\cServices\bTogglePerfsSync

Proper registry key is

HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown\cServices\bTogglePrefsSync

Confirmation of policy is here

The only way I could fix the policy was using PowerShell to Remove-GPRegistryValue and then set it using the ADMX/L templates provided. Please let me know if you need additional information.

V/R
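The Remove-GPRegistryValue repair described in this post, and the cServices/cCloud misplacement reported in the earlier "Acrobat Reader Administrative Template error" post, as one added example (not the SHB project's own code). It assumes the RSAT GroupPolicy module, a GPO whose display name is the placeholder 'SHB Adobe Reader DC', and re-creates the value with Set-GPRegistryValue rather than through the ADMX template.

```powershell
# Added example, not from the SHB repository. Re-homes the two FeatureLockDown
# values the ReaderDC ADMX wrote to the wrong key or under a misspelled name.
Import-Module GroupPolicy

$GpoName = 'SHB Adobe Reader DC'   # placeholder; substitute your GPO's display name
$Base    = 'HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

# Each entry: where the ADMX wrote the value, and where the STIG expects it.
$Fixes = @(
    @{ WrongKey = "$Base\cServices"; WrongName = 'bAdobeSendPluginToggle'
       RightKey = "$Base\cCloud";    RightName = 'bAdobeSendPluginToggle' },
    @{ WrongKey = "$Base\cServices"; WrongName = 'bTogglePerfsSync'
       RightKey = "$Base\cServices"; RightName = 'bTogglePrefsSync' }
)

function Repair-ReaderLockdownValue {
    param([string]$Gpo, [hashtable]$Fix)

    $wrong = Get-GPRegistryValue -Name $Gpo -Key $Fix.WrongKey -ValueName $Fix.WrongName -ErrorAction SilentlyContinue
    if ($null -eq $wrong) {
        '{0}\{1}: not present, nothing to fix' -f $Fix.WrongKey, $Fix.WrongName
        return
    }
    # Keep the data the ADMX set (0 = disabled, per the STIG), then move it.
    $data = $wrong.Value
    Remove-GPRegistryValue -Name $Gpo -Key $Fix.WrongKey -ValueName $Fix.WrongName | Out-Null
    Set-GPRegistryValue    -Name $Gpo -Key $Fix.RightKey -ValueName $Fix.RightName -Type DWord -Value $data | Out-Null
    '{0}\{1} -> {2}\{3} = {4}' -f $Fix.WrongKey, $Fix.WrongName, $Fix.RightKey, $Fix.RightName, $data
}

foreach ($fix in $Fixes) { Repair-ReaderLockdownValue -Gpo $GpoName -Fix $fix }

# Verify: the correct values must now be present in the GPO.
foreach ($fix in $Fixes) {
    $ok = Get-GPRegistryValue -Name $GpoName -Key $fix.RightKey -ValueName $fix.RightName -ErrorAction SilentlyContinue
    '{0}\{1}: {2}' -f $fix.RightKey, $fix.RightName, $(if ($ok) { "present ($($ok.Value))" } else { 'MISSING' })
}
```

Until ReaderDC.admx itself is corrected, re-editing the setting in the Group Policy editor will write the wrong value again, so re-run the repair after any template-driven change.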

Errors after Toolbox initiation

I am working on a HP Z230 standalone with 8GB RAM and plenty of HDD space, but I just can't get around this initial error when I launch the Toolbox:

ERROR#1

Importing the PowerShell module for Microsoft Deployment Toolkit. Please wait...
Updating the MDT Deployment Share. Please wait...
Update-MDTDeploymentShare : Exception has been thrown by the target of an invocation.
At C:\SHB\Toolbox\CaptureSHBRef.ps1:100 char:1
+ Update-MDTDeploymentShare -path "$SHBDSID`:" -Force >$null
    + CategoryInfo          : NotSpecified: (:) [Update-MDTDeploymentShare], TargetInvocationException
    + FullyQualifiedErrorId : System.Reflection.TargetInvocationException,Microsoft.BDD.PSSnapIn.UpdateDeploymentPoint

Creating virtual network switch. Please wait...
VSwitch check #1
Virtual switch SHBInternalNetwork created successfully.
Assigning static IP address to the virtual network adapter. Please wait...

ERROR#2
A connection to the deployment share (\\10.10.10.10\SHB-DEP$) could not be made.
DHCP Lease was not obtained for any Networking device! Possible Cause: Check physical connection.
Retry or Cancel... Retry only repeats Error#2.

Investigate MDM configuration option

Policies that block removable storage access

Are there any policies that block or interfere with access to removable storage, especially on VMs?

We are using Citrix App Layering, which utilizes a mini-filter driver to capture changes and write them to a vdisk, and something might be blocking this. Are there any policies that might be causing this?
