
System Security Misconfigurations for servers and endpoints

With the Attack Surface Analyzer for servers and endpoints, you can identify the indicators of exposure (IOE) in your organizational network by analyzing the Group Policy settings applied to the computers and comparing them against industry-standard benchmarks. The insights gained on security misconfigurations enable you to effectively reduce your network's attack surface.

Prerequisites

  • The Group Policy Management Console (GPMC) needs to be installed on the machine where ADAudit Plus is installed. Refer to this page for installation steps.
  • The ADAudit Plus user should have domain admin or local admin access to all scanned computers so that the resultant set of policies (RSoP) can be retrieved.
  • A few administrative template files (ADMX/ADML) need to be installed/updated to properly retrieve administrative settings from the RSoP. Refer to the Required ADMX files section for the list of files.

Create a profile

You can create profiles and add your desired computers (domain controllers, Windows servers, or Windows Workstations) to scan and retrieve their RSoP. The retrieved RSoP will be compared against the selected benchmark templates. Follow the steps below to create a profile:

  1. Log in to the ADAudit Plus web console.
  2. Navigate to the Server Audit tab > Attack Surface Analyzer.
  3. Click Profile Management under the System Security Misconfigurations tab and click + Create Profile.
  4. Enter a desired profile name and description.
  5. Select the domain from the Domain drop-down.
  6. Select your desired template from the list of available benchmark templates.
  7. Under the DC, Member Server, and Workstation tabs, select the computers you want to scan.
  8. Click Create Profile.

View misconfiguration reports

Misconfiguration reports show the list of misconfigured Group Policy Object (GPO) settings, along with recommended actions you can take to fix them and secure your computer.

  1. Navigate to the Server Audit tab > Attack Surface Analyzer.
  2. Click Profile Overview under the System Security Misconfigurations tab.
  3. Choose your desired domain from the Domain drop-down.
  4. Select your desired scan schedule from the Available Scan Schedules drop-down. You will now see the list of scanned profiles in the selected domain for the selected scan schedule.
  5. Click one of the tabs next to the profile for which you want to view the misconfiguration reports. You can choose:
    • Scanned Computers: Shows the list of computers scanned under the profile.
    • Highly Exposed Computers: Shows the list of computers that are highly misconfigured.
    • Moderately Exposed Computers: Shows the list of computers that are moderately misconfigured.
    • Mildly Exposed Computers: Shows the list of computers that are mildly misconfigured.
    • Scan Failed Computers: Shows the list of computers for which the scan failed.

    Note: The metrics to define high, moderate, and mild exposure are based on a series of parameters such as the number of GPO settings that do not conform to the benchmarks, the value and impact of the settings on system security, etc.

  6. You can hover over the profile name and click the export icon that appears in the top-right corner to export the misconfiguration report of the entire profile.
  7. Click an individual computer to gain further insights on its misconfigurations. You will be taken to the GPO insights page. Here, you can:
    • View the total number of properly configured and misconfigured GPO settings
    • View the comparison report of each setting in Tree view or Table view.
    • Click Details in the Recommended value column to know the impact of misconfiguration and steps you can take to secure your computer.
    • Change the Domain, Profile, and Scan Schedules from the respective drop-downs at the top.
    • Export the misconfiguration report for the selected computer by clicking the Export as button on the top.

RSoP methodology

The RSoP can be retrieved using two modes: Planning Mode and Logging Mode.

  • Planning Mode involves calculating the GPO settings for individual computers by analyzing the winning GPO policies directly from the primary domain controller. It does not require the target computers to be active. However, local policies applied directly to the computers are not retrieved in this mode.
  • Logging Mode retrieves the GPO settings applied to each computer by directly querying them. In this mode, the computers must be active to allow their RSoP data to be collected.

Available benchmarks

Listed below are the available benchmark templates that can be used for comparison:

  • CIS Microsoft Windows Server 2022 Benchmark v2.0.0
  • CIS Microsoft Windows Server 2019 Benchmark v2.0.0
  • CIS Microsoft Windows Server 2016 Benchmark v2.0.0
  • CIS Microsoft Windows Server 2012 R2 Benchmark v2.0.0
  • CIS Microsoft Windows 11 Enterprise Benchmark v2.0.0
  • CIS Microsoft Windows 10 Enterprise Benchmark v2.0.0

Required ADMX files

| Administrative template | ADMX file |
|---|---|
| LAPS | AdmPwd.admx/adml |
| MS Security Guide | SecGuide.admx/adml |
| MSS (Legacy) | MSS legacy.admx/adml |
| Network\DNS Client | DnsClient.admx/adml |
| TCPIP Settings | tcpip.admx/adml |
| Printers | Printing.admx/adml |
| System\Local Security Authority | LocalSecurityAuthority.admx/adml |
| Security Account Manager | SAM.admx/adml |
| Data Collection and Preview Builds | Windows.admx/adml |
| Desktop App Installer | DesktopAppInstaller.admx/adml |
| Microsoft Defender Antivirus | WindowsDefender.admx/adml |
| Remote Desktop Services | TerminalServer.admx/adml |
| Search | Search.admx/adml |
| Windows Ink Workspace | WindowsInkWorkspace.admx/adml |
| Windows Logon Options | WinLogon.admx/adml |
| Explorer | Explorer.admx/adml |
| Passport | Passport.admx/adml |
| Widgets | NewsAndInterests.admx/adml |
| Microsoft Defender Application Guard | AppHVSI.admx/adml |
| Windows Defender SmartScreen | SmartScreen.admx/adml |
| Enhanced Phishing Protection | WebThreatDefense.admx/adml |
| Cloud Content | CloudContent.admx/adml |
| File Explorer | Explorer.admx/adml |
| Windows Game Recording | GameDVR.admx/adml |
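The following PowerShell check is an added example, not part of the ADAudit Plus documentation; it confirms that every template listed above is present in the store GPMC will read before you run the first scan. It assumes the en-US language folder and the default central-store path under SYSVOL; the parameter names `$Domain` and `$Language` are illustrative.

```powershell
param(
    [string]$Domain   = $env:USERDNSDOMAIN,  # assumption: run by a domain user
    [string]$Language = 'en-US'              # assumption: ADML language folder
)

# Base names copied from the "Required ADMX files" list (Explorer appears twice
# there and is checked once). '?' matches one character, so the MSS (Legacy)
# template is found whether its name uses a space or a hyphen.
$required = 'AdmPwd','SecGuide','MSS?legacy','DnsClient','tcpip','Printing',
            'LocalSecurityAuthority','SAM','Windows','DesktopAppInstaller',
            'WindowsDefender','TerminalServer','Search','WindowsInkWorkspace',
            'WinLogon','Explorer','Passport','NewsAndInterests','AppHVSI',
            'SmartScreen','WebThreatDefense','CloudContent','GameDVR'

# GPMC reads templates from the domain central store when it exists,
# otherwise from the local PolicyDefinitions folder.
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = if ($Domain) { "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions" }
$store   = if ($central -and (Test-Path -LiteralPath $central)) { $central } else { $local }

# Each template needs both the language-neutral ADMX and the matching ADML.
$report = foreach ($name in $required) {
    [pscustomobject]@{
        Template = $name
        Admx     = Test-Path -Path (Join-Path $store "$name.admx")
        Adml     = Test-Path -Path (Join-Path $store "$Language\$name.adml")
    }
}

Write-Host "Template store checked: $store"
$missing = @($report | Where-Object { -not ($_.Admx -and $_.Adml) })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) required template(s) are incomplete:"
    $missing | Format-Table -AutoSize
} else {
    Write-Host "All $($required.Count) required templates are present."
}
```

Run it on the machine where ADAudit Plus and GPMC are installed, since that is where the RSoP settings are resolved against the templates.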


Copyright © 2025, ZOHO Corp. All Rights Reserved.
