Secure Host Baseline

About the Secure Host Baseline

The Secure Host Baseline (SHB) provides an automated and flexible approach for assisting the DoD in deploying the latest releases of Windows 10 using a framework that can be consumed by organizations of all sizes.

The DoD CIO issued a memo on November 20, 2015 directing Combatant Commands, Services, Agencies and Field Activities (CC/S/As) to rapidly deploy the Windows 10 operating system throughout their respective organizations with the objective of completing deployment by the end of January 2017. The Deputy Secretary of Defense issued a memo on February 26, 2016 directing the DoD to complete a rapid deployment and transition to Microsoft Windows 10 Secure Host Baseline by the end of January 2017.[1]

Formal product evaluations also support the move to Windows 10. The National Information Assurance Partnership (NIAP) oversees evaluations of commercial IT products for use in National Security Systems. The Common Criteria evaluation of Windows 10 against the NIAP Protection Profile for General Purpose Operating Systems completed April 5, 2016. The Common Criteria evaluation of Windows 10 against the NIAP Protection Profile for Mobile Device Fundamentals completed January 29, 2016. NIST FIPS 140-2 validation of Windows 10 modules was completed on June 2, 2016 as evidenced in certificate numbers 2600, 2601, 2602, 2603, 2604, 2605, 2606, and 2607.

Using a Secure Host Baseline is one of IAD's top 10 mitigation strategies. The DoD Secure Host Baseline also exemplifies other IAD top 10 mitigation strategies such as using application whitelisting, enabling anti-exploitation features, and using the latest version of the operating system and applications.

About this repository

This repository hosts Group Policy Objects, configuration tools, and compliance checks in support of the Windows 10 DoD Secure Host Baseline framework. Administrators of National Security Systems, such as those who are part of the Defense Industrial Base, can leverage this repository in lieu of access to the DoD SHB framework which requires a Common Access Card (CAC) or Personal Identification Verification (PIV) smart card to access.

Questions or comments can be submitted to the issue tracker or posted on Software Forge Windows 10 Secure Host Baseline project forums. Access to Software Forge requires a Common Access Card.

Getting started

1. Download the repository.
2. Import the Group Policy Objects to your domain or standalone system.

Downloads

• Current code - Use this until there is an official release.
• Latest release - There are no official releases yet.

Repository content

Group Policy Objects

• The Windows folder contains Windows 10 [User](./Windows/Group Policy Objects/User) and [Computer](./Windows/Group Policy Objects/Computer/) policies for the latest version of Windows 10.
• The [Windows Firewall folder](./Windows Firewall/README.md) contains Windows Firewall [Computer](./Windows Firewall/Group Policy Objects/Computer/) policy for the latest version of Windows 10.
• The AppLocker folder contains AppLocker [Computer](./AppLocker/Group Policy Objects/Computer/) policy for the latest version of Windows 10.
• The BitLocker folder contains BitLocker [Computer](./BitLocker/Group Policy Objects/Computer/) policy for the latest version of Windows 10.
• The EMET folder contains EMET 5.5 [Computer](./EMET/Group Policy Objects/Computer/) policy for any version of Windows.
• The [Internet Explorer folder](./Internet Explorer/README.md) contains Internet Explorer 11 [Computer](./Internet Explorer/Group Policy Objects/Computer/) and [User](./Internet Explorer/Group Policy Objects/User/) policies for the latest version of Windows 10.
• The Office folder contains Office 2013 [Group Policy Object](./Office/Group Policy Objects/).
• The Chrome folder contains Chrome browser [Computer](./Chrome/Group Policy Objects/Computer/) policy for the latest version of Chrome.
• The [Adobe Reader folder](./Adobe Reader/README.md) contains Adobe Reader DC [Computer](./Adobe Reader/Group Policy Objects/Computer/) and [User](./Adobe Reader/Group Policy Objects/User/) policies for the latest version of Adobe Reader DC.

Scripts and tools

Scripts for aiding users with the SHB are located in the Scripts sub folders of each component. Scripts available for use so far:

• General
• [Adobe Reader](./Adobe Reader/Scripts/)
• BitLocker
• Certificates
• Chrome
• Hardware
• Windows

Users may need to perform 3 steps to run the functions defined in the PowerShell scripts:

1. Change the PowerShell execution policy
2. Unblock the downloaded zip file
3. Dot source the PowerShell script

Changing the PowerShell execution policy

Users may need to change the default PowerShell execution policy. This can be achieved in a number of different ways:

• Open a command prompt and run powershell.exe -ExecutionPolicy Bypass or powershell.exe -ExecutionPolicy Unrestricted and run scripts from that PowerShell session.
• Open a PowerShell prompt and run Set-ExecutionPolicy Unrestricted -Scope CurrentUser and run scripts from any PowerShell session.
• Open an administrative PowerShell prompt and run Set-ExecutionPolicy Unrestricted and run scripts from any PowerShell session.

Unblocking the PowerShell scripts

Users will need to unblock the downloaded zip file since it will be marked as having been downloaded from the Internet. Running the PowerShell scripts inside the zip file without unblocking the file will result in the following warning:

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\users\user\Downloads\script.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

Open a PowerShell prompt and run the following command Unblock-File -Path '.\master.zip'

If the downloaded zip file is not unblocked before extracting it, then all the individual PowerShell files that were in the zip file will have to be unblocked. Open a PowerShell prompt and run [System.IO.FileInfo[]]@(Get-ChildItem -Path '.\Secure-Host-Baseline') -Recurse -Filter '*.ps1' | Unblock-File

See the Unlbock-File command's documentation for more information on how to use it.

Dot sourcing the PowerShell scripts

Once the PowerShell execution policy has been configured, and the zip file or PowerShell scripts have been unblocked, dot source the file to load the PowerShell code.

1. Open a PowerShell prompt
2. Change directory to where the script is located (e.g. cd .\Hardware\Scripts\)
3. Dot source the script into the PowerShell session (e.g. . .\Hardware.ps1)
4. Execute the PowerShell function (e.g. Test-IsCredentialGuardEnabled)

Eventually the PowerShell scripts will be turned into modules so dot sourcing will not be required.

Compliance checks

Nessus (aka ACAS in the DoD) audit files and SCAP content will be included in this repository over time. Instructions for running the compliance checks in a domain or standalone environment can be found on the Compliance page. Compliance checks available for use so far:

• [Adobe Reader DC](./Adobe Reader/Compliance/)
• Chrome
• EMET
• [Internet Explorer](./Internet Explorer/Compliance/)
• Windows
• [Windows](./Windows Firewall/Compliance/)

Importing a GPO

Importing a GPO varies depending on whether it is being imported for a domain versus a standalone system.

Importing a GPO for a domain

1. On a domain controller, go to Start > Administrative Tools or Start > Control Panel > System and Security > Administrative Tools
2. Select Group Policy Management
3. Expand Forest: forest name, expand Domains, expand domain name, and expand Group Policy Objects if these have not been expanded already
4. Create a new empty GPO or skip to the next step if using an existing GPO
5. Right click on Group Policy Objects and select New
6. Enter a GPO name in the Name field
7. Right click the GPO you want to import settings into and select Import Settings
8. Follow the steps in the Import Wizard and select the GPO backup folder for the GPO you want to import

The PowerShell Group Policy commands can also be used to import a domain GPO on systems that have the PowerShell Group Policy module.

Import-Module GroupPolicy

Import-GPO -Path "path to GPO backup folder"

Importing a GPO for a standalone system

1. Download the LGPO tool from this Microsoft blog post and copy it to the standalone system
2. Copy the GPO backup folder for the GPO you want to import to the standalone system
3. Open an administrative command prompt and type lgpo.exe /g "path to GPO backup folder"

License

This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976.

Copyright and Related Rights in the Work worldwide are waived through the CC0 1.0 Universal license.

Disclaimer of Warranty

This Work is provided "as is." Any express or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this Guidance, even if advised of the possibility of such damage.

The User of this Work agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including, but not limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage to or destruction of property of User or third parties, and infringement or other violations of intellectual property or technical data rights.

Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service.

Disclaimer of Endorsement

Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.