Using CIS/NIST Analyzer for Active Directory

The CIS/NIST Analyzer checks whether the Group Policy Object (GPO) settings in an Active Directory domain match the values recommended by CIS. It currently supports the templates listed below. These templates are well defined and written by CIS experts, but they are published as documents: without a tool, there is no automated way to check the GPO settings they define.

  • CIS Microsoft Windows Server 2022 Benchmark V2.0 Template-NIST SP 800-53
  • CIS Microsoft Windows Server 2019 Benchmark V2.0 Template-NIST SP 800-53
  • CIS Microsoft Windows Server 2016 Benchmark V2.0 Template-NIST SP 800-53
  • CIS Microsoft Windows Server 2012 R2 Benchmark V2.0 Template-NIST SP 800-53
  • Hardening MS Windows for NIST SP 800-171 Compliance Template-NIST SP 800-53

Why Check GPO Settings in Active Directory?

Checking Group Policy Object settings ensures a consistent and secure configuration across your Active Directory environment. GPOs enforce settings such as security policies, desktop configuration and software deployment on every computer in the domain. By checking GPO settings regularly, administrators can confirm that these configurations remain uniform and aligned with organizational standards. Analyzing GPO settings is also a core part of demonstrating security compliance.

The CIS/NIST Analyzer for Active Directory offers the following features:

  • The GPO Settings can be checked from a pre-defined CIS Template.
  • You can modify a template and remove the settings that you do not wish to check.
  • Create your own template.
  • For each setting, one of the following statuses is shown:
    • Not Found – The setting is not configured in any GPO in the domain.
    • Failed – The setting is found, but its value does not match the recommended value.
    • Passed – The setting is found and is configured with the recommended value.

To open the NIST/CIS Analyzer, click the “NIST/CIS ANALYZER” button in the left pane. By default there are no templates, so you will need to create one.

Creating Template:

To create a template, click the “Create New Template” button on the action bar, which opens the screen shown below:

In the “Create New Template” screen, provide the following inputs:

  • Name: Template name. The template name must be unique.
  • Select CIS Template: Select a pre-defined CIS template or a custom template you created earlier.
  • Select Domain: Select the AD domain to which the template applies. Note that one template checks settings in a single domain only. If you have multiple AD domains, create a separate template for each domain.

Once done, click the “Add Template” button to add the template.

Opening a Template:

Once the template has been created, select it from the “Select Template” dropdown and then click the “Open Template” button.

The Template will open with all the settings defined in it.

Once the template is open, click the “Analyze All Settings” button on the action bar to start checking every GPO setting defined in the template against the selected AD domain. When the analysis completes, the template refreshes and shows the status of each setting.

Creating a Custom Template

You can also create a custom template with the CIS/NIST Analyzer, so that only the settings you define are checked in the AD environment. Note that a custom template is always derived from a pre-defined CIS template. To create one, open an existing template and delete the settings and sections you do not wish to include. For example, in the template shown below, three settings that we do not wish to keep have been selected.

After selecting the settings, click the “Delete Selected” button to remove them from the template. Once the unwanted settings have been deleted, click the “Save As Template” button.

In the “Copy Current Template As” window, provide the following inputs:

  • Name: Name of new template.
  • Domain Controller Version: The Windows Server version of the domain controllers.
  • Member Server Version: The Windows Server version of the member servers.
  • Windows Client Version: The Windows client version to which this template applies.

Once done, click the “Create Template” button. You can then open the new template and analyze the settings it contains.

Understanding Template Attributes

A template has several attributes, explained below:

  • AD Domain: The Active Directory domain to which the template applies.
  • Category: Category of the setting (for example Account Policies or User Rights Assignment).
  • Setting Name: The setting name as it appears in the CIS template.
  • Domain Controller: Whether the setting applies to domain controllers.
  • Member Server: Whether the setting applies to member servers.
  • Recommended Value: The value recommended by CIS for the setting.
  • Found in GPO: If the setting was found, the name of the GPO in which it is configured.
  • Current Value: The value currently configured for the setting in that GPO.
  • GPO Links To: The list of OUs (or the domain) to which that GPO is linked.
  • Status: Status of the setting: Passed, Failed or Not Found.
  • Status Remark:
  • Add Rights: Applicable to User Rights Assignment settings only. Lists the principals that must be added to the user right for it to match the recommendation.
  • Remove Rights: Applicable to User Rights Assignment settings only. Lists the principals that must be removed from the user right for it to match the recommendation.
  • Recommendation: The recommendation text.
  • Fix Item: Additional guidance on how to fix the setting.
  • NIST Control: The related NIST SP 800-53 control.
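The status logic above (Passed / Failed / Not Found) and the attributes Found in GPO, Current Value, GPO Links To, Add Rights and Remove Rights are easy to reproduce from the XML report that Group Policy itself can produce. The script below is an added example, not SmartProfiler's own code: it evaluates a tiny three-entry template against GPO XML reports and emits one row per setting with those attributes. The GPO report, the template entries, their recommended values and the NIST control labels are constructed for this example (the values follow the usual CIS recommendations but are not taken from this page); the commented `Get-GPOReport` line shows how to feed real reports from a domain instead.

```powershell
# Added example, not SmartProfiler code. Evaluates a small CIS-style template
# against Group Policy XML reports and reports Passed / Failed / Not Found,
# Found in GPO, Current Value, GPO Links To and, for a User Rights Assignment
# setting, Add Rights / Remove Rights.
#
# Live domain (requires the GroupPolicy module):
#   $reports = Get-GPO -All | ForEach-Object { [xml](Get-GPOReport -Guid $_.Id -ReportType Xml) }
#
# Constructed sample report (same shape as Get-GPOReport -ReportType Xml output):
$sampleReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <LinksTo><SOMName>corp.example.com</SOMName><SOMPath>corp.example.com</SOMPath><Enabled>true</Enabled></LinksTo>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
        <q1:Account><q1:Name>MinimumPasswordLength</q1:Name><q1:SettingNumber>8</q1:SettingNumber><q1:Type>Password</q1:Type></q1:Account>
        <q1:UserRightsAssignment>
          <q1:Name>SeRemoteInteractiveLogonRight</q1:Name>
          <q1:Member><q1:Name>BUILTIN\Administrators</q1:Name></q1:Member>
          <q1:Member><q1:Name>BUILTIN\Remote Desktop Users</q1:Name></q1:Member>
          <q1:Member><q1:Name>CORP\Helpdesk</q1:Name></q1:Member>
        </q1:UserRightsAssignment>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
'@
$reports = @([xml]$sampleReport)

# Illustrative template: Kind selects the XML element to search; Compare is how
# numeric values are judged (ge = at least, le = at most, default = equal).
$template = @(
    @{ Category='Account Policies'; Setting='MinimumPasswordLength'; Kind='Account'; Recommended=14; Compare='ge'; NIST='IA-5' }
    @{ Category='User Rights Assignment'; Setting='SeRemoteInteractiveLogonRight'; Kind='UserRight'
       Recommended=@('BUILTIN\Administrators','BUILTIN\Remote Desktop Users'); NIST='AC-6' }
    @{ Category='Account Policies'; Setting='LockoutBadCount'; Kind='Account'; Recommended=5; Compare='le'; NIST='AC-7' }
)

# Returns the first GPO that configures the setting, with the node and the GPO's links.
# The PowerShell XML adapter exposes child elements by local name, so the q1: prefix is not needed.
function Find-GpoSetting {
    param([xml[]]$Reports, [string]$Kind, [string]$Name)
    foreach ($r in $Reports) {
        foreach ($ext in @($r.GPO.Computer.ExtensionData.Extension)) {
            $nodes = switch ($Kind) { 'Account' { $ext.Account } 'UserRight' { $ext.UserRightsAssignment } }
            foreach ($n in @($nodes)) {
                if ($n -and $n.Name -eq $Name) {
                    return [pscustomobject]@{ Gpo = $r.GPO.Name; Node = $n
                                              Links = @($r.GPO.LinksTo | ForEach-Object { $_.SOMPath }) }
                }
            }
        }
    }
    return $null
}

# Produces one result row per template entry, mirroring the analyzer's columns.
function Test-TemplateSetting {
    param([xml[]]$Reports, [hashtable]$Rule)
    $row = [ordered]@{ Category = $Rule.Category; SettingName = $Rule.Setting
                       RecommendedValue = ($Rule.Recommended -join ', '); FoundInGPO = $null
                       CurrentValue = $null; GPOLinksTo = $null; Status = 'Not Found'
                       AddRights = ''; RemoveRights = ''; NISTControl = $Rule.NIST }
    $hit = Find-GpoSetting -Reports $Reports -Kind $Rule.Kind -Name $Rule.Setting
    if (-not $hit) { return [pscustomobject]$row }          # configured in no GPO
    $row.FoundInGPO = $hit.Gpo
    $row.GPOLinksTo = ($hit.Links -join '; ')
    switch ($Rule.Kind) {
        'Account' {
            $current = [int]$hit.Node.SettingNumber
            $row.CurrentValue = $current
            $ok = switch ($Rule.Compare) { 'ge' { $current -ge $Rule.Recommended }
                                           'le' { $current -le $Rule.Recommended }
                                           default { $current -eq $Rule.Recommended } }
            $row.Status = if ($ok) { 'Passed' } else { 'Failed' }
        }
        'UserRight' {
            # Add Rights = recommended principals missing from the GPO;
            # Remove Rights = principals granted by the GPO but not recommended.
            $current = @($hit.Node.Member | ForEach-Object { $_.Name })
            $row.CurrentValue = ($current -join ', ')
            $missing = @($Rule.Recommended | Where-Object { $_ -notin $current })
            $extra   = @($current | Where-Object { $_ -notin $Rule.Recommended })
            $row.AddRights    = ($missing -join ', ')
            $row.RemoveRights = ($extra -join ', ')
            $row.Status = if ($missing.Count -eq 0 -and $extra.Count -eq 0) { 'Passed' } else { 'Failed' }
        }
    }
    [pscustomobject]$row
}

$results = $template | ForEach-Object { Test-TemplateSetting -Reports $reports -Rule $_ }
$results | Format-Table SettingName, Status, FoundInGPO, CurrentValue, AddRights, RemoveRights -AutoSize
# For review outside the console, like the analyzer's spreadsheet export:
# $results | Export-Csv -Path .\cis-gpo-check.csv -NoTypeInformation
```

With the constructed report, MinimumPasswordLength is Failed (8 configured, 14 recommended), SeRemoteInteractiveLogonRight is Failed with CORP\Helpdesk listed under Remove Rights and nothing under Add Rights, and LockoutBadCount is Not Found because no GPO in the sample configures it. Two caveats a practitioner should keep in mind when doing this outside the tool: the first GPO that configures a setting is not necessarily the one that wins after link order, enforcement and inheritance blocking are applied, and User Rights Assignment comparisons should be done on SIDs rather than display names when groups have been renamed.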

The SmartProfiler CIS/NIST Analyzer can check all GPO settings recommended by CIS. Its results can also be exported to an Excel sheet for easy review.

Try SmartProfiler, a unified tool to help with security evaluation across many Microsoft technologies.
