DoD Secure Host Baseline

2017-06-23T02:30:26
ID N0WHERE:79007
Type n0where
Reporter N0where
Modified 2017-06-23T02:30:26

Description


NSA Information Assurance configuration guidance and files in support of the DoD Secure Host Baseline


The Secure Host Baseline (SHB) provides an automated and flexible approach for assisting the DoD in deploying the latest releases of Windows 10 using a framework that can be consumed by organizations of all sizes.

The DoD CIO issued a memo on November 20, 2015 directing Combatant Commands, Services, Agencies and Field Activities (CC/S/As) to rapidly deploy the Windows 10 operating system throughout their respective organizations with the objective of completing deployment by the end of January 2017. The Deputy Secretary of Defense issued a memo on February 26, 2016 directing the DoD to complete a rapid deployment and transition to Microsoft Windows 10 Secure Host Baseline by the end of January 2017.

Formal product evaluations also support the move to Windows 10. The National Information Assurance Partnership (NIAP) oversees evaluations of commercial IT products for use in National Security Systems. The Common Criteria evaluation of Windows 10 against the NIAP Protection Profile for General Purpose Operating Systems completed April 5, 2016. The Common Criteria evaluation of Windows 10 against the NIAP Protection Profile for Mobile Device Fundamentals completed January 29, 2016.

Using a Secure Host Baseline is one of IAD’s top 10 mitigation strategies. The DoD Secure Host Baseline also exemplifies other IAD top 10 mitigation strategies such as using application whitelisting, enabling anti-exploitation features, and using the latest version of the operating system and applications.

This repository hosts Group Policy Objects, configuration tools, and compliance checks in support of the Windows 10 DoD Secure Host Baseline framework. Administrators of National Security Systems, such as those who are part of the Defense Industrial Base, can leverage this repository in lieu of access to the DoD SHB framework which requires a Common Access Card (CAC) or Personal Identification Verification (PIV) smart card to access.

Getting started

  1. Download the repository.
  2. Import the Group Policy Objects to your domain or standalone system.

Repository content


Group Policy Objects

  • The Windows folder contains Windows 10 User and Computer policies for the latest version of Windows 10.
  • The Windows Firewall folder contains Windows Firewall Computer policy for the latest version of Windows 10.
  • The AppLocker folder contains AppLocker Computer policy for the latest version of Windows 10.
  • The BitLocker folder contains BitLocker Computer policy for the latest version of Windows 10.
  • The EMET folder contains EMET 5.5 Computer policy for any version of Windows.
  • The Internet Explorer folder contains Internet Explorer 11 Computer and User policies for the latest version of Windows 10.
  • The Office folder contains Office 2013 Group Policy Object.
  • The Chrome folder contains Chrome browser Computer policy for the latest version of Chrome.
  • The Adobe Reader folder contains Adobe Reader DC Computer and User policies for the latest version of Adobe Reader DC.

Scripts and tools

Scripts for aiding users with the SHB are located in the Scripts sub folders of each component. Scripts available for use so far:

Compliance checks

Nessus (aka ACAS in the DoD) audit files and SCAP content will be included in this repository over time. Compliance checks available for use so far:

Importing a GPO

Importing a GPO varies depending on whether it is being imported for a domain versus a standalone system.

Importing a GPO for a domain

  1. On a domain controller, go to Start > Administrative Tools or Start > Control Panel > System and Security > Administrative Tools
  2. Select Group Policy Management
  3. Expand Forest: _forest name_, expand Domains, expand _domain name_, and expand Group Policy Objects if these have not been expanded already
  4. Create a new empty GPO or skip to the next step if using an existing GPO
    1. Right click on Group Policy Objects and select New
    2. Enter a GPO name in the Name field
  5. Right click the GPO you want to import settings into and select Import Settings
  6. Follow the steps in the Import Wizard and select the GPO backup folder for the GPO you want to import

The PowerShell Group Policy commands can also be used to import a domain GPO on systems that have the PowerShell Group Policy module.

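Import-Module GroupPolicy

# -BackupGpoName selects the backed-up GPO inside the folder; -TargetName is the domain GPO that receives the settings
Import-GPO -BackupGpoName "name of GPO in the backup" -Path "path to GPO backup folder" -TargetName "name of GPO to import into"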
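
An added example, not part of the SHB repository: a hypothetical helper, Import-ShbGpoBackup, that imports every GPO backup found under a folder by reading each backup's display name and backup ID from its bkupInfo.xml manifest. The "SHB - " name prefix and the placeholder path are assumptions.

```powershell
#Requires -Modules GroupPolicy

# Hypothetical helper (not from the SHB repository): bulk-import GPO backups into a domain.
function Import-ShbGpoBackup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folder that contains one or more {GUID} GPO backup subfolders.
        [Parameter(Mandatory)][string]$BackupRoot,
        # Prefix for target GPO names (assumption: keeps imports apart from existing GPOs).
        [string]$Prefix = 'SHB - '
    )

    # bkupInfo.xml can carry the Hidden attribute, so -Force is needed to find it.
    $manifests = Get-ChildItem -LiteralPath $BackupRoot -Filter 'bkupInfo.xml' -Recurse -Force -File

    foreach ($manifest in $manifests) {
        [xml]$info = Get-Content -LiteralPath $manifest.FullName -Raw

        # local-name() sidesteps the manifest's XML namespace; InnerText unwraps CDATA.
        $name = $info.SelectSingleNode("//*[local-name()='GPODisplayName']").InnerText
        $id   = [guid]$info.SelectSingleNode("//*[local-name()='ID']").InnerText

        # Import-GPO wants the folder that holds the {GUID} directory, not the directory itself.
        $path   = $manifest.Directory.Parent.FullName
        $target = "$Prefix$name"

        if ($PSCmdlet.ShouldProcess($target, "Import backup $id ('$name')")) {
            Import-GPO -BackupId $id -Path $path -TargetName $target -CreateIfNeeded |
                Select-Object DisplayName, Id, ModificationTime
        }
    }
}

# Preview what would be imported, then rerun without -WhatIf (placeholder path).
Import-ShbGpoBackup -BackupRoot 'C:\path\to\repository' -WhatIf
```

A GPO newly created by the import is not linked to any site, domain or OU, so its settings apply only after you link it.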

Importing a GPO for a standalone system

  1. Download the LGPO tool from this Microsoft blog post and copy it to the standalone system
  2. Copy the GPO backup folder for the GPO you want to import to the standalone system
  3. Open an administrative command prompt and type lgpo.exe /g "path to GPO backup folder"
