A State retirement services provider contacted me a year ago. They had to solve a major problem.
They are a Windows shop. Being a Government organization they must harden every application server. They were doing it by hand.
They were plagued with outages. They could not meet demand. Administrators spent long nights keeping the machines going.
They had a lot to worry about. People relied on this organization to pay their bills and receive their benefits.
If a server went down, or demand increased, customers suffered.
It took almost a full day to stand up a new application server. Even then, the server would be plagued by the problems manual work creates.
Further, they couldn’t pass an audit. They often found security holes on review.
I was referred to them, and told them “I have exactly what you are looking for.” Were we able to help them? Let’s return to this in a little bit.
Use Puppet to meet STIG hardening requirements.
On the Puppet forge you’ll find the secure_windows module. It hardens Windows Server 2016 to STIG standards.
Assign this class to your new Windows Server 2016 nodes and Puppet will ensure that they are hardened. Without doing anything further, you now have a safe environment.
I can’t think of any platform that makes it this easy. Best of all, if you are already using Puppet, no further purchase is necessary.
At 12:17 the Puppet agent runs again and we find that the password maximum age changed from to 90 days. Of course Puppet put it back. But that’s not all you're getting.
If we relied on the domain controller to make the change, it would be put back. However, we would never know that this change occurred. With Puppet, we now also have an approximate time the change occurred. Now we can launch an investigation and find the culprit.
Now in our case it turns out that the culprit was a well-meaning sysadmin who was instructed to bump up the password expiration time. He is shown how to do it using Hiera.
A single line will turn off enforcement of this requirement.
```yaml
secure_windows::stig::v73317::enforced: false
```
Not only is turning it off simple; we get several other advantages. We can view our exceptions in Hiera at any time. We can show auditors what is turned off. Finally, we can show auditors who turned off the enforcement, and when it occurred.
Let’s say you’re tasked with finding out what changes need to be made in your organization to bring it up to the STIG requirements.
Puppet has a unique ability to tell you ‘what’ changes it will be making, without making them.
What do I mean? Puppet can be run in a no-operation (noop) mode. This means we can run our module against a Windows server and see what changes it will make, without actually making them.
secure_windows comes with a Bolt plan that will show you the changes that ‘will’ be made if the module is applied. This report was run against a new server.
You can see it details the resource, STIG number and message on what will change. You now have a handy report you can bring to your management to show the change.
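Both the drift record from the 12:17 agent run above and the noop report described here come out of the same Puppet agent log lines. As an added example (not code from the post or from the secure_windows module), the parser below turns such lines into a timeline of findings, separating changes Puppet actually reverted from changes a noop run only predicted. The log lines, the `Local_security_policy` resource, the values and the placeholder STIG number `V00000` are constructed for the example; the `V73317` class name comes from the post.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of Puppet agent log output (assumption:
# one enforcing run that reverted drift, one later run in noop mode).
SAMPLE_LOG = """\
2019-03-05 12:17:42 +0000 Puppet (notice): /Stage[main]/Secure_windows::Stig::V73317/Local_security_policy[Maximum password age]/policy_value: policy_value changed '90' to '60' (corrective)
2019-03-05 12:17:43 +0000 Puppet (notice): Applied catalog in 4.21 seconds
2019-03-05 13:02:10 +0000 Puppet (notice): /Stage[main]/Secure_windows::Stig::V00000/Registry_value[HKLM\\Example\\Setting]/data: current_value '0', should be '1' (noop)
"""

# Resource path carries the secure_windows class, hence the STIG number.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) Puppet \((?P<level>\w+)\): "
    r"(?P<path>/Stage\[main\]/Secure_windows::Stig::(?P<stig>V\d+)/\S.*?)"
    r"/(?P<prop>\w+): (?P<msg>.*)$"
)
CHANGED_RE = re.compile(r"changed '(?P<old>[^']*)' to '(?P<new>[^']*)'")
NOOP_RE = re.compile(r"current_value '(?P<old>[^']*)', should be '(?P<new>[^']*)' \(noop\)")


@dataclass
class Finding:
    timestamp: str
    stig_id: str      # e.g. V-73317, derived from the class name
    resource: str     # e.g. Local_security_policy[Maximum password age]
    prop: str
    observed: str     # value found on the host (the drift)
    expected: str     # value the STIG class enforces
    enforced: bool    # True: Puppet reverted it; False: noop prediction only


def parse_findings(log_text: str) -> List[Finding]:
    """Extract drift events and noop predictions from Puppet agent log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "Applied catalog ..." carries no resource change
        msg = m.group("msg")
        change = CHANGED_RE.search(msg) or NOOP_RE.search(msg)
        if not change:
            continue
        findings.append(Finding(
            timestamp=m.group("ts"),
            stig_id="V-" + m.group("stig")[1:],
            resource=m.group("path").rsplit("/", 1)[-1],
            prop=m.group("prop"),
            observed=change.group("old"),
            expected=change.group("new"),
            enforced=CHANGED_RE.search(msg) is not None,
        ))
    return findings
```

Feeding a real agent log (or the output of a noop run) through `parse_findings` gives the timestamped list of what drifted, or what would change, keyed by STIG number.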
Now let’s take a different example. You are at a new company. The day has arrived. It’s now time to move to the cloud. The question gets asked: how do we move our custom security setup? It’ll take months. We will need weeks to manually review each domain controller and make sure it’s set up correctly.
Here’s where we can leverage Puppet once again to help us. The security configurations are recognized by Puppet and can be reverse engineered through the `puppet resource` command.
Let’s get a list of Audit Policies we want to move.
Now that you have a complete set of resources you can pick up and export these to a new cloud, or datacenter.
We have heard stories about companies spending years synching up their computers when creating an initial baseline. Now this work can be done in minutes, is auditable, and enforceable.
Now that you’ve created your security baseline, what else can you do? How about deploy an application server!
Puppet Forge has a module for that too:
This module will harden your IIS environment to CIS standards.
Who else hardens IIS? There probably is software out there that does that, but a quick Google search doesn’t provide any hits.
So how did this help our State Department?
Eight hours is a long time to stand up an application server. More than once their services went down because they didn’t scale.
They began using Puppet to deploy the IIS CIS module. Hardening went from hours to minutes. They now have a system that can be audited. They can scale in an emergency. And, they now have an accelerated path to the cloud.