Since version 5.2, AuditTAP offers a practical Risk Score. This can cause astonished faces under certain circumstances. We explain how to read and interpret the improved and clear compliance report correctly.
How well are your systems really configured?
Do you know the answer to this question? If not, then you should check your operating system (e.g. Windows 10/11 or Windows Server) or individual applications like MS Office with AuditTAP. The free tool generates a detailed report on how well you have configured your system according to known hardening standards – or not.
AuditTAP has always offered very detailed views. These show where your audited systems have some catching up to do in terms of system hardening. With update 5.2 we integrated the Risk Score. This shows at a glance how critical or non-critical the results of your compliance check are.
Is a rating of “critical” really critical? How does AuditTAP arrive at this rating? Which measures should you take and which are better not to take? We will clarify these questions in this article. First, however, we will show the initial situation – because most systems are unfortunately quite insecure by design.
Is a standard Windows well hardened or securely configured?
The clear answer: No!
Microsoft has always delivered Windows with the greatest possible compatibility. This makes many things easier for users. For example, inexperienced private users can quickly and easily connect printers, use expansion cards, install any kind of software or share their game scores via Xbox account.
That means: “ex works” Windows automatically starts numerous services and activates every interface when booting – the functionality could be needed by the user, after all. But this compatibility and ease of use creates a technical attack surface – and thus a high risk for successful cyber attacks.
So a “normal” Windows has relatively little compliance with current hardening standards such as the BSI’s SySiPHuS recommendations. Therefore, the summary of the AuditTAP report in this case looks like this:
Also interesting: A standard Windows does not have much in common with Microsoft’s own security recommendations (the so-called Security Baselines):
This leads to a corresponding risk assessment: The audited system is given the status “critical” in the AuditTAP report.
How exactly does the AuditTAP risk matrix come about?
The AuditTAP Risk Score has two dimensions:
Under “Quantity”, the compliance check understands the quantitative match. This means: How many configuration recommendations of the selected hardening standard are configured according to standardized hardening recommendations in the system you are auditing?
The vertical axis of the matrix (“Severity”) ranks the results according to qualitative standards. In other words, how well are the individual configurations implemented on the system you are auditing?
The following examples show you exactly what is meant by this:
Example 1: Quantity “critical” / Severity “medium”
Explanation: In this example, “volume” compliance is critical. But the most important settings have been implemented so well that only a medium risk arises.
Recommendation: Ensure that overall compliance increases. Use the BSI or CIS recommendations. Especially the “L1” settings of the CIS offer a good start.
Example 2: Quantity “high” / Severity “high”
Explanation: Congratulations! You can still make fine adjustments with this result. A deep insight into the individual settings is necessary to bring out the last potential.
Recommendations: A hardening specialist must check and evaluate the configurations in depth. Among other things, he performs special tests or corresponding checks for this purpose.
Note: Would you like more examples? You can download them from Github in the official code repository under “Samples”. And there are two more examples in this zip file.
Remember the “Basic Hygiene of Cyber Security”
Before you get started with any system hardening, you should meet the “basics” of security configuration management. That is, make sure the basic security mechanisms are enabled.
Almost any notebook or desktop hardware today supports crypto chips (“TPM chips”) that provide important basics for standard security functions. Every operating system provides a firewall, use the anti-malware solutions (for example, Windows Defender or another solution) and enable the so-called “Attack Surface Reduction Rules” (ASR rules).
AuditTAP also checks whether you have implemented these basic functionalities. You can see the results in the “Settings Overview” > “Security Base Data” tab. On a Windows system where this “basic hygiene” has been performed, it looks like this:
When performing the following system hardening, you should always be aware that it is not enough to change only ten or 20 settings!
Role-based hardening based on standards
Are your AuditTAP reports more “red” than “green” and is the Risk Score sobering? Especially companies have to close the detected vulnerabilities as soon as possible, for example by applying the Microsoft Security Baselines and a professional Windows 10 hardening.
There are now various, comprehensive standards that you can use as a guide. For example, BSI, DISA, CIS and the ACSC regularly issue new recommendations. These include several hundred settings that should be applied to harden Windows, for example. If you combine several standards and also include individual applications such as office suites and browsers in your hardening, 1,000 adjustments and more quickly add up.
If you want to close these vulnerabilities manually – and on dozens or even hundreds of systems – you’ll have your work cut out for you. It’s better to do the secure configurations with hardening tools like Enforce Administrator.
But don’t go overboard with hardening! The benefit of System hardening is great – but you may overshoot the mark. Always keep these three protection goals in mind:
100% compliance is (mostly) only possible in theory
It can neither make sense nor be necessary to configure a system in such a way that access to important company data becomes impossible afterwards!
A practical example: Since “Printnightmare” at the latest, it has been clear that the Printspooler service should be deactivated – if the print function is not needed. However, this does not make sense for servers that perform printing services (i.e. print servers). Also on workstations or client systems the print function is usually needed.
From this follows: Trying to configure a server or workstation operating system and the associated middleware layer to be fully compliant with one of the hardening standards is the wrong way to go. Otherwise, you have a – supposedly – secure system, but one that no longer meets the requirements of the users.
Do you need help with the secure configuration of systems?
Do you have questions about AuditTAP? Or do you need support with (automated) system hardening? Do you want to integrate system hardening directly into your deployment or installation processes? Our experts are here for you! Contact us without obligation and we will get back to you as soon as possible.
Images: Smartmockups.com, FB Pro