DoD Security Technical Implementation Guide

The US Department of Defense (DoD) delivers a ZIP file with its Security Technical Implementation Guide (STIG), covering everything from the operating system to the browser to Office and even Adobe. In the field of operating system hardening, the browser is often overlooked. However, it – and email – offer the biggest attack vectors in the enterprise. Browsers and Office have been neglected thus far in this series, but they are worth discussing when you look at hardening.

The DoD provides just south of 25 templates that also cover various legacy operating systems. STIG conforms to the Microsoft baseline, with just one policy per object and no rating by levels or threat scenarios. No assessment tells you which value is more secure than any other. As in the previously mentioned templates, STIG does not have any massive collisions with the other templates; it is simply another assessment of the state of affairs, with a broader perspective.

Administrative templates especially have configuration options that do not just cover security issues but also prevent calls to the help desk when a user has problems – which can be a valid argument to hide or not provide this function in the first place. The DoD regularly works on the settings and publishes updates several times a year with no fixed cycle. The DoD delivers STIG as a GPO backup, each policy residing in its own folder in the ZIP file. Importing policies is a bit tedious because you have to select the manifest.xml file from each folder.

System Hardening by ACSC

The Australian Centers for Cyber Security (ACSC) works with LowPrio , MediumPrio , and HighPrio ratings. The website has recently been rebuilt, and you cannot currently download a ready-to-run GPO backup from the site. Unfortunately, at the moment, the website only provides configurations, plus a DOCX and PDF file; at least they give you the content for the three categories offline.

The ACSC did not keep to the order of the GPO editor, but defined the order itself, which makes the learning curve for familiarization with a GPO very tedious. (One hopes the GPO backup will be available online some time in the future.) The ACSC has historically hardened systems somewhat more rigorously than other template suppliers.

When using the ACSC guide, two things stand out in daily work. When you call a user account control (UAC) dialog, you also need to press Ctrl+Alt+Del; the run keys of the registry are cleared by the GPO and must be controlled by it as well. Although the additional keyboard shortcut is just annoying, controlling programs in Autostart with GPOs causes a massive amount of work.

gp-pack PaT

gp-pack PaT has group policy backups and PowerShell scripts for privacy and telemetry (PaT) and is the only candidate in these template collections solely designed for silencing. Hardening has been covered by many others, which prompted these suppliers to ignore it. What the package aims to do is reduce the exchange of communication with Microsoft. All of the policy settings are available free of charge as an HTML report online. The GPO backup for import, including various scripts to customize the client (e.g., removing apps and Windows features), is available for a fee.

After integrating gp-pack, you might experience more problems in day-to-day operations compared with the previous templates. Because communication with Microsoft is prevented wherever possible, features that may be desirable are also disabled. For example, the Network Connectivity Status Indicator (NCSI) calls up a Microsoft web page and checks its availability every time a user logs on or sets up a network. If the website is accessible, the system network icon reports that it is connected to the Internet. If this information is missing, some products could malfunction. Outlook and Edge respond to the icon and don't even connect to the Internet – because it doesn't exist, according to the network display.

The big issue with silencing is that it involves functionality that is desirable but could collide with the GDPR. Security and silencing with gp-pack are also available for the three major browsers (Chrome, Edge, Firefox), Office, and Defender.