This blog post is a follow-up on our Windows Compliance with InSpec webinar by Joe Gardiner, Senior Solutions Architect and Christoph Hartmann, InSpec Creator that was presented live on April 11, 2017. In that webinar, we describe what Continuous Compliance is and we cover assessment with InSpec and remediation with Chef. This post provides additional material to help you learn more.
Continuous Compliance
In case you missed the webinar, “continuous compliance” is a methodology for automating the assessment and remediation of compliance policy, with separation of duties between each part of that management cycle. Configuration management tools such as Chef, Puppet, or Ansible can automate the remediation of compliance violations, and InSpec lets you automate the assessment. What makes this automation “continuous” is moving beyond ad-hoc, manually driven, periodic assessment and remediation events. To that end, the audit cookbook integrates both assessment and remediation into the same automatic event (a chef-client run) while maintaining the separation of duties critical to most information security standards.
The webinar dives into further detail. Here are some additional materials to help you get started with continuous compliance for Windows systems.
DevSec Baselines
The InSpec development team regularly contributes to DevSec, an open-source project that provides compliance baselines anyone can use. The DevSec hardening framework provides two Windows benchmarks that will help you get started:
Compliance profiles in Chef Automate
If you have a subscription to Chef Automate, that includes access to Chef-maintained and supported profiles that track the CIS industry standard.
- CIS Microsoft Windows 7 Benchmark
- CIS Microsoft Windows 8 Benchmark
- CIS Microsoft Windows 10 Enterprise (Release 1511) Benchmark
- CIS Windows Server 2012 Benchmark
- CIS Windows Server 2012 R2 Benchmark
Custom InSpec profiles
The same technology powering the baselines above, InSpec, also allows you to create and implement your own assessments to automate compliance solutions specific to your needs. InSpec allows you to write your own profiles from scratch, import existing profiles as dependencies, and gives you constructs to pick and choose content from those dependencies so that you can quickly model overlay solutions when (for example) your company’s adopted information security policies deviate from industry standards.
InSpec contains a large set of built-in resources to automate assessments as well as the ability to create new custom resources. For some additional tips on creating custom profiles for Windows, check out this blog post from December.
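To make the two ideas above concrete (a custom resource that understands a Windows-specific data source, and an overlay that picks and adjusts controls from an imported baseline), here is an added example in plain Ruby. It is not code from this post, from InSpec, or from DevSec; it models what a custom InSpec resource for local security policy does by parsing the INI-style file that secedit /export writes and assessing it against a baseline with a site-specific overlay. All names are hypothetical, the secedit output is constructed, and the baseline values are illustrative rather than quoted from any benchmark.

```ruby
# Added example (not code from the original post, the InSpec project or DevSec).
# It models in plain Ruby what a custom InSpec resource for Windows local
# security policy does: parse the INI-style file written by `secedit /export`
# and assess it against a baseline, with a site-specific overlay on top.
# Hypothetical names throughout; the baseline values are illustrative, not
# quoted from any benchmark.

# Constructed sample of a `secedit /export /cfg <file>` result (the real file is
# UTF-16LE; assume it has already been read and decoded to a Ruby String).
SECEDIT_EXPORT = <<~'INF'
  [Unicode]
  Unicode=yes
  [System Access]
  MinimumPasswordAge = 1
  MaximumPasswordAge = 42
  MinimumPasswordLength = 8
  PasswordComplexity = 1
  PasswordHistorySize = 12
  LockoutBadCount = 0
  EnableGuestAccount = 0
  NewAdministratorName = "Administrator"
  [Version]
  signature="$CHICAGO$"
  Revision=1
INF

# Turn a quoted string into its contents and a numeric string into an Integer;
# anything else (for example "4,1" registry tuples) stays a String.
def coerce(value)
  return value[1..-2] if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
  return Integer(value, 10) if value.match?(/\A-?\d+\z/)
  value
end

# Parse the export into { section => { key => value } }.
def parse_secedit(text)
  policy = Hash.new { |h, k| h[k] = {} }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
      next
    end
    next if section.nil?
    key, value = line.split('=', 2)
    next if key.nil? || value.nil?
    policy[section][key.strip] = coerce(value.strip)
  end
  policy
end

# Illustrative industry baseline: setting => [comparator, operand(s)].
INDUSTRY_BASELINE = {
  'MinimumPasswordLength' => [:>=, 14],
  'PasswordHistorySize'   => [:>=, 24],
  'MaximumPasswordAge'    => [:<=, 60],
  'LockoutBadCount'       => [:between, 1, 10],
  'PasswordComplexity'    => [:==, 1],
  'EnableGuestAccount'    => [:==, 0],
}.freeze

# Site overlay: tighten, loosen or skip individual controls without copying
# the whole baseline (the same idea as an InSpec profile that depends on a
# baseline and selectively requires or skips its controls).
SITE_OVERLAY = {
  'MinimumPasswordLength' => [:>=, 12],
  'LockoutBadCount'       => :skip,
}.freeze

def apply_overlay(baseline, overlay)
  baseline.merge(overlay).reject { |_, rule| rule == :skip }
end

Finding = Struct.new(:setting, :rule, :actual, :passed)

def satisfies?(actual, op, args)
  return actual == args[0] if op == :==
  return false unless actual.is_a?(Integer)   # ordering comparators need a number
  op == :between ? actual.between?(args[0], args[1]) : actual.public_send(op, args[0])
end

# Evaluate every expectation against the parsed policy; a missing setting fails.
def assess(policy, expectations, section: 'System Access')
  settings = policy.fetch(section, {})
  expectations.map do |name, (op, *args)|
    actual = settings[name]
    Finding.new(name, [op, *args], actual, !actual.nil? && satisfies?(actual, op, args))
  end
end

def failures(findings)
  findings.reject(&:passed).map(&:setting)
end

if $PROGRAM_NAME == __FILE__
  policy = parse_secedit(SECEDIT_EXPORT)
  assess(policy, apply_overlay(INDUSTRY_BASELINE, SITE_OVERLAY)).each do |f|
    puts format('%-4s %-22s expected %-18s got %s',
                f.passed ? 'PASS' : 'FAIL', f.setting, f.rule.inspect, f.actual.inspect)
  end
end
```

Run against the constructed export, the bare baseline reports three failures (password length, history size, and lockout threshold); the overlay lowers the length requirement to 12 (still failing at 8) and skips the lockout control, leaving two. In a real profile the parsing would live in a custom resource and each expectation in a control, so that the overlay profile can pull the baseline in as a dependency and adjust only the controls where company policy deviates.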
Windows remediation with Chef
That covers the assessment cycle in depth, but what about remediation? Chef integrates well with Windows systems. But when considering remediation options it is important to be aware of the existing tools in the Microsoft ecosystem and defer to the proper one depending on your use case. Should you use Group Policy or PowerShell DSC?
Group Policy
Group Policy is best suited to managing policy on workstations and for controlling patching policy via the WSUS client. It is not suitable for non-domain-joined machines or for programmatic control of devices.
PowerShell DSC
DSC is most suited to server baseline builds, automation (DevOps), and applying compliance remediation policy. It is important to note that existing DSC resources map into the Chef DSL very easily, following the same resource structure as in the example below, which uses the DSC Service resource to stop and disable a service:

  dsc_resource 'NAME' do
    resource :service
    property :name, 'NAME'
    property :startuptype, 'Disabled'
    property :path, 'D:\\Sites\\Site_name\\file_to_run.exe'
    property :ensure, 'Present'
    property :state, 'Stopped'
  end
A more in-depth guide to help you choose is available in this TechNet blog post.
Additional resources
Between the webinar, InSpec tutorials, and the content above you should have enough to get started down the path of Continuous Compliance for Windows. Once you’re ready for more, these links may provide some additional useful places to dig in.
- DevSec Windows Hardening Cookbook – An open source cookbook that remediates all DevSec baseline tests using system tools such as secedit and auditpol, mainly by making registry changes.
- Security policy cookbook – A helper cookbook that adds a Chef custom resource for managing local security policy that is used within the Windows hardening cookbook.
- Both cookbooks above are actively developed and they’re looking for contributors like you!
- Windows Infrastructure Testing and Compliance with InSpec
- InSpec on Azure at Tech Days NL 2016
- Using meta-profiles with Chef Compliance