You’ll need the Active Directory network you built in the previous labs.
- We’ll work with the Domain Controller this time.
Blue team hardening and compliance are important components of a comprehensive cybersecurity strategy. The industry-standard approach to blue team hardening and compliance involves several key steps:
- Identify the regulatory and compliance requirements applicable to the organization, such as HIPAA, GDPR, PCI-DSS, etc. (These are all key Sec+ Acronyms!)
- Regulatory and legal frameworks are a big part of the Security+ Exam covered in other parts of the course.
- Conduct a risk assessment to identify potential vulnerabilities and threats impacting the organization's systems and data.
- This involves conducting threat identification and vulnerability assessment to analyze, evaluate, and mitigate risk. (Many of the tools we learn to use in this course are designed to facilitate the process of both threat identification and vulnerability assessment.)
- Implement security controls and hardening measures that reduce the organization’s risk exposure, such as patching, configuration hardening, and access controls.
- This is the step we will be implementing in this lab!
- Continuous monitoring and auditing.
- Using solutions like SIEM and SOAR for example. (Key Sec+ Terms)
- Regular review and update of security policies and procedures.
In this lab:
- We will implement security controls and hardening measures using a ‘SCAP scanner.’
- SCAP (Security Content Automation Protocol) compliance is a method of assessing and validating the security configuration of an IT system based on standardized benchmarks and guidelines.
- We will utilize two tools capable of scanning and analyzing IT systems to identify vulnerabilities and non-compliant configurations.
- We’ll use the SCAP scanner provided by the DoD Cyber Exchange at http://public.cyber.mil
- Once we perform an automated scan of our system for compliance, we’ll use a common language format to import these results into the DISA STIG Viewer, which will allow us to remediate and harden our system in an organized, methodical manner.
- DISA: Defense Information Systems Agency
- STIG: Security Technical Implementation Guides
Key benefits of doing this:
- Active Directory is a complex environment to manage due to its many features, hierarchical structure, and integration with various applications and services. The sheer number of objects and configurations within Active Directory can make learning and managing difficult.
- The processes you’ll learn here will allow you to learn which security components within Active Directory have been deemed the most important by industry experts. They will also provide the necessary experience to investigate and learn more, one step at a time. (Remember, it takes years to get good at this stuff.)
Let’s get into it then!
We will download some files specifically designed to help secure Group Policy for Windows Server 2022.
- Keep in mind that Windows Server can be deployed in two ways:
- It can be a Domain Controller. (This is what we have here.)
- It can be a Member Server. (Not a domain controller.)
This is important because the hardening in this lab is specifically set up for a Domain Controller in an Active Directory environment. The policies we will change won’t be applied to the client computer that Joe and Sue log into. (Although many of the security settings for Domain Controllers and client computers on the network should be the same, the process we’ll learn here should be run separately for Windows 10 workstations using a Windows 10 STIG Benchmark.)
Let’s download the toolset. Windows Server 2019 uses Internet Explorer by default, and IE Enhanced Security Configuration is active, making web browsing a painful experience. We’ll need to turn that off first.
Open the Server Manager and click on the IE Enhanced Security Configuration.
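The same two checks can be done from an elevated PowerShell prompt on the server: confirm the host really is a Domain Controller (the benchmark used in this lab only applies to DCs) and inspect or toggle IE Enhanced Security Configuration. This is an added example, not part of the original lab; it assumes IE ESC is controlled by the two well-known Active Setup registry keys below, which is what the Server Manager switch also edits.

```powershell
# Added example (not from the original lab): verify the Domain Controller
# role and report/toggle IE Enhanced Security Configuration (IE ESC).
# Assumptions: elevated PowerShell on the Windows Server DC; IE ESC is
# governed by the Active Setup keys below (well-known GUIDs, one per group).

$IeEscKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Test-IsDomainController {
    # DomainRole 4 = backup DC, 5 = primary DC. Anything else is a member
    # server or workstation, which needs its own STIG benchmark instead.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Get-IeEscState {
    # IsInstalled = 1 means IE ESC is enabled for that group.
    foreach ($group in $IeEscKeys.Keys) {
        $value = (Get-ItemProperty -Path $IeEscKeys[$group] -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{ Group = $group; Enabled = ($value -eq 1) }
    }
}

function Set-IeEscState {
    param([Parameter(Mandatory)][bool]$Enabled)
    $dword = if ($Enabled) { 1 } else { 0 }
    foreach ($path in $IeEscKeys.Values) {
        Set-ItemProperty -Path $path -Name IsInstalled -Value $dword -Type DWord
    }
    # Takes effect for Internet Explorer sessions started after this point.
}

if (-not (Test-IsDomainController)) {
    Write-Warning 'This host is not a Domain Controller; the DC STIG benchmark used in this lab does not apply here.'
}

Write-Host 'IE ESC before:'
Get-IeEscState | Format-Table -AutoSize

Set-IeEscState -Enabled $false   # relax only for the duration of the download
# ... download the SCAP tool and STIG Viewer, then restore the hardened state:
# Set-IeEscState -Enabled $true
```

Re-enabling IE ESC after the download keeps the DC in the state the STIG checks will expect; leaving it off would show up later as a finding.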