{"id":13596194,"url":"https://github.com/nsacyber/Windows-Secure-Host-Baseline","last_synced_at":"2025-04-09T16:31:50.835Z","repository":{"id":37790258,"uuid":"52628378","full_name":"nsacyber/Windows-Secure-Host-Baseline","owner":"nsacyber","description":"Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber","archived":true,"fork":false,"pushed_at":"2022-12-24T16:24:21.000Z","size":3752,"stargazers_count":1562,"open_issues_count":15,"forks_count":285,"subscribers_count":210,"default_branch":"master","last_synced_at":"2025-01-21T13:39:01.615Z","etag":null,"topics":["adobe-reader","applocker","audit","auditing","certificates","chrome-browser","compliance","group-policy","internet-explorer","microsoft-office","nessus","windows","windows-10","windows-firewall","windows-server","windows-server-2016"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nsacyber.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-02-26T19:43:51.000Z","updated_at":"2025-01-14T15:24:44.000Z","dependencies_parsed_at":"2023-01-30T21:01:11.229Z","dependency_job_id":null,"html_url":"https://github.com/nsacyber/Windows-Secure-Host-Baseline","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsacyber%2FWindows-Secure-Host-Baseline","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsacyber%2FWindows-Secure-Host-Baseline/tags","releases_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/nsacyber%2FWindows-Secure-Host-Baseline/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsacyber%2FWindows-Secure-Host-Baseline/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nsacyber","download_url":"https://codeload.github.com/nsacyber/Windows-Secure-Host-Baseline/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248067789,"owners_count":21042357,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adobe-reader","applocker","audit","auditing","certificates","chrome-browser","compliance","group-policy","internet-explorer","microsoft-office","nessus","windows","windows-10","windows-firewall","windows-server","windows-server-2016"],"created_at":"2024-08-01T16:02:11.689Z","updated_at":"2025-04-09T16:31:45.825Z","avatar_url":"https://github.com/nsacyber.png","language":"HTML","funding_links":[],"categories":["HTML","HTML (177)","Uncategorized","Windows-based protection","Operating Systems","Tools","Windows-based defenses"],"sub_categories":["Uncategorized","Threat hunting","Windows Defences","Environment\u0026\u0026Configuration","Overlay and Virtual Private Networks (VPNs)"],"readme":"# Windows Secure Host Baseline\r\n\r\n## About the Windows Secure Host Baseline\r\n\r\nThe Windows Secure Host Baseline (SHB) provides an automated and flexible approach for assisting the DoD in deploying the latest releases of 
Windows 10 using a framework that can be consumed by organizations of all sizes. \r\n\r\nThe DoD CIO issued a memo on [November 20, 2015](http://www.esi.mil/download.aspx?id=5542) directing Combatant Commands, Services, Agencies and Field Activities (CC/S/As) to rapidly deploy the Windows 10 operating system throughout their respective organizations with the objective of completing deployment by the end of January 2017. The Deputy Secretary of Defense issued a memo on [February 26, 2016](http://www.esi.mil/download.aspx?id=5543) directing the DoD to complete a rapid deployment and transition to the Microsoft Windows 10 Secure Host Baseline by the end of January 2017.[[1](http://www.esi.mil/contentview.aspx?id=685)]\r\n\r\nFormal product evaluations also support the move to Windows 10. The [National Information Assurance Partnership](https://www.niap-ccevs.org) (NIAP) and the National Institute of Standards and Technology (NIST) oversee evaluations of commercial IT products for use in [National Security Systems](https://www.iad.gov/iad/news/defining-a-national-security-system.cfm). \r\n* Common Criteria evaluation of Windows 10 against NIAP [Protection Profile for General Purpose Operating Systems](https://www.niap-ccevs.org/Profile/Info.cfm?id=400) completed [April 5, 2016](https://www.niap-ccevs.org/Product/CompliantCC.cfm?CCID=2016.1052) and updated [February 2, 2017](https://www.niap-ccevs.org/Product/CompliantCC.cfm?CCID=2017.1007) to include Windows Server 2016. \r\n* Common Criteria evaluation of Windows 10 against NIAP [Protection Profile for Mobile Device Fundamentals](https://www.niap-ccevs.org/Profile/Info.cfm?id=353) completed [January 29, 2016](https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10677) and updated [April 12, 2017](https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10752) to include Windows Server 2016. 
\r\n* Common Criteria evaluation of Windows 10 against NIAP [Protection Profile for IPsec Virtual Private Network (VPN) Clients](https://www.niap-ccevs.org/Profile/Info.cfm?id=333) completed [November 10, 2016](https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10746) and updated [December 29, 2016](https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10753) to include Windows Server 2016. \r\n* [NIST](http://www.nist.gov/) [FIPS 140-2](http://csrc.nist.gov/groups/STM/cmvp/index.html) validation of Windows 10 cryptographic modules was completed on June 2, 2016 (see certificate numbers [2600](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2600), [2601](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2601), [2602](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2602), [2603](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2603), [2604](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2604), [2605](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2605), [2606](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2606), and [2607](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2607)).\r\n\r\nUsing a [Secure Host Baseline](https://www.iad.gov/iad/library/ia-guidance/security-tips/secure-host-baseline.cfm) is one of the [NSA Information Assurance top 10 mitigation strategies](https://www.iad.gov/iad/library/ia-guidance/iads-top-10-information-assurance-mitigation-strategies.cfm). 
The DoD Secure Host Baseline also exemplifies other IAD top 10 mitigation strategies such as using [application whitelisting](https://www.iad.gov/iad/library/ia-guidance/security-tips/application-whitelisting.cfm), enabling [anti-exploitation features](https://www.iad.gov/iad/library/ia-guidance/security-tips/anti-exploitation-features.cfm), and using the [latest version of the operating system and applications](https://www.iad.gov/iad/library/ia-guidance/security-tips/take-advantage-of-software-improvement.cfm).\r\n\r\n## About this repository\r\n\r\nThis repository hosts Group Policy objects, compliance checks, and configuration tools in support of the DoD Secure Host Baseline (SHB) framework for Windows 10. Administrators of [National Security Systems](https://www.iad.gov/iad/news/defining-a-national-security-system.cfm), such as those who are part of the [Defense Industrial Base](https://www.dhs.gov/defense-industrial-base-sector), can leverage this repository in lieu of access to the [DoD SHB framework for Windows 10](https://disa.deps.mil/ext/cop/iase/dod-images/Pages/Win10.aspx), which requires a Common Access Card (CAC) or Personal Identity Verification (PIV) smart card to access. 
\r\n\r\nQuestions or comments can be submitted to the [repository issue tracker](https://github.com/nsacyber/Windows-Secure-Host-Baseline/issues) or posted on the [Windows 10 Secure Host Baseline project](https://software.forge.mil/sf/projects/win10shb) forums on Software Forge, which requires a CAC or PIV smart card to access.\r\n\r\n## Repository content\r\n\r\n### Group Policy Objects\r\n\r\n* The [ActivClient folder](./ActivClient/README.md) contains ActivClient [Computer](./ActivClient/Group%20Policy%20Objects/Computer/) policy for those who use smart card logons with ActivClient software.\r\n* The [Adobe Reader folder](./Adobe%20Reader/README.md) contains Adobe Reader DC [Computer](./Adobe%20Reader/Group%20Policy%20Objects/Computer/) and [User](./Adobe%20Reader/Group%20Policy%20Objects/User/) policies for the latest version of Adobe Reader DC.\r\n* The [AppLocker folder](./AppLocker/README.md) contains AppLocker [Computer](./AppLocker/Group%20Policy%20Objects/Computer/) policy for the latest version of Windows 10.\r\n* The [Certificates folder](./Certificates/README.md) contains [Computer](./Certificates/Group%20Policy%20Objects/Computer/) policy for distributing the DoD Root and Intermediate Certificate Authorities.\r\n* The [Chrome folder](./Chrome/README.md) contains Chrome browser [Computer](./Chrome/Group%20Policy%20Objects/Computer/) policy for the latest version of Chrome.\r\n* The [Internet Explorer folder](./Internet%20Explorer/README.md) contains Internet Explorer 11 [Computer](./Internet%20Explorer/Group%20Policy%20Objects/Computer/) and [User](./Internet%20Explorer/Group%20Policy%20Objects/User/) policies for the latest version of Windows 10.\r\n* The [Office folder](./Office/README.md) contains [Office 2013](./Office/Office%202013/) and [Office 2016](./Office/Office%202016/) policy.\r\n* The [Windows folder](./Windows/README.md) contains Windows 10 [User](./Windows/Group%20Policy%20Objects/User) and 
[Computer](./Windows/Group%20Policy%20Objects/Computer/) policies for the latest version of Windows 10.\r\n* The [Windows Firewall folder](./Windows%20Firewall/README.md) contains Windows Firewall [Computer](./Windows%20Firewall/Group%20Policy%20Objects/Computer/) policy for the latest version of Windows 10.\r\n\r\n### Scripts and tools\r\nScripts for aiding users with the SHB are located in the Scripts subfolder of each component. Scripts available for use so far:\r\n\r\n* [Adobe Reader](./Adobe%20Reader/Scripts/)\r\n* [Certificates](./Certificates/Scripts/)\r\n* [Chrome](./Chrome/Scripts/)\r\n* [General](./Scripts/)\r\n* [Windows](./Windows/Scripts/)\r\n\r\n### Compliance checks\r\nNessus (known as [ACAS](http://www.disa.mil/cybersecurity/network-defense/acas) in the DoD) audit files are included in this repository. Compliance checks are available for:\r\n\r\n* [Adobe Reader DC](./Adobe%20Reader/Compliance/)\r\n* [Chrome](./Chrome/Compliance/)\r\n* [Internet Explorer](./Internet%20Explorer/Compliance/)\r\n* [Windows](./Windows/Compliance/)\r\n* [Windows Firewall](./Windows%20Firewall/Compliance/)\r\n\r\nInstructions for running the compliance checks in a domain or standalone environment can be found on the [Compliance](./Compliance/README.md) page.\r\n\r\n## Getting started\r\n\r\nTo get started using the tools:\r\n\r\n1. [Download](#downloading-the-repository) the repository as a zip file \r\n1. [Configure PowerShell](#configuring-the-powershell-environment) \r\n1. [Load the code](#loading-the-code) \r\n1. [Apply the policies](#applying-the-policies) \r\n1. [Check compliance](#checking-compliance)\r\n\r\n## Downloading the repository\r\n\r\nDownload the [current code](https://github.com/nsacyber/Windows-Secure-Host-Baseline/archive/master.zip) to your **Downloads** folder. 
It will be saved as **Windows-Secure-Host-Baseline-master.zip** by default.\r\n\r\n## Configuring the PowerShell environment\r\nThe PowerShell commands are meant to run from a system with at least PowerShell 3.0 installed. PowerShell may need to be configured to run the commands.\r\n\r\n### Changing the PowerShell execution policy\r\n\r\nUsers may need to change the default PowerShell execution policy (on Windows 10 the default is **Restricted**, which runs no script files at all). This can be achieved in a number of different ways:\r\n\r\n* Open a command prompt and run **powershell.exe -ExecutionPolicy Unrestricted** and run scripts from that PowerShell session. \r\n* Open a PowerShell prompt and run **Set-ExecutionPolicy Unrestricted -Scope Process** and run scripts from the current PowerShell session. \r\n* Open an administrative PowerShell prompt and run **Set-ExecutionPolicy Unrestricted** and run scripts from any PowerShell session. \r\n\r\nThe first two options apply only to the current process and are preferable to changing the machine-wide policy, which stays weakened after the SHB has been applied. Once the downloaded files have been unblocked as described in the next section, the less permissive **RemoteSigned** policy is sufficient, because it only blocks unsigned scripts that still carry the Internet zone marker.\r\n\r\n### Unblocking the PowerShell scripts\r\nUsers will need to unblock the downloaded zip file since it will be marked as having been downloaded from the Internet (a **Zone.Identifier** alternate data stream, also called the mark of the web). Files extracted from a marked zip file inherit the marker, and PowerShell will block them or prompt before running them, depending on the execution policy. Open a PowerShell prompt and run the following commands to unblock the PowerShell code in the zip file:\r\n\r\n1. `cd $env:USERPROFILE` \r\n1. `cd Downloads` \r\n1. `Unblock-File -Path '.\\Windows-Secure-Host-Baseline-master.zip'`\r\n\r\nRunning the PowerShell scripts inside the zip file without unblocking the file will result in the following warning:\r\n\r\n*Security warning*\r\n*Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\\users\\user\\Downloads\\script.ps1?*\r\n*[D] Do not run [R] Run once [S] Suspend [?] 
Help (default is \"D\"):*\r\n\r\nIf the downloaded zip file is not unblocked before extracting it, then all the individual PowerShell files that were in the zip file will have to be unblocked. You will need to run the following command after Step 5 in the [Loading the code](#loading-the-code) section:\r\n\r\n```\r\nGet-ChildItem -Path '.\\Windows-Secure-Host-Baseline' -Recurse -Include '*.ps1','*.psm1' | Unblock-File -Verbose\r\n```\r\n\r\nSee the [Unblock-File command's documentation](https://technet.microsoft.com/en-us/library/hh849924.aspx) for more information on how to use it.\r\n\r\n### Loading the code\r\nNow extract the downloaded zip file and load the PowerShell code used to apply the policies.\r\n\r\n1. Right click on the zip file and select **Extract All**\r\n1. At the dialog remove **Windows-Secure-Host-Baseline-master** from the end of the path since it will extract the files to a Windows-Secure-Host-Baseline-master folder by default\r\n1. Click the **Extract** button\r\n1. Rename the **Windows-Secure-Host-Baseline-master** folder to **Windows-Secure-Host-Baseline**\r\n1. Open a PowerShell prompt as an administrator and change to the **Downloads** folder, since the paths in the following commands are relative to it\r\n1. Import the [Group Policy PowerShell module](./Scripts/GroupPolicy.psm1) to load the code into the PowerShell session: `Import-Module -Name .\\Windows-Secure-Host-Baseline\\Scripts\\GroupPolicy.psm1`\r\n\r\n### Applying the policies\r\n\r\nThe **Invoke-ApplySecureHostBaseline** command found in the [Group Policy PowerShell module](./Scripts/GroupPolicy.psm1) is the main command for applying policies. By default this command will:\r\n* Import both Computer and User policies. Use the **-PolicyScopes** option and specify only the **'User'** or **'Computer'** value to import only User or Computer policies.\r\n* Import policies that have an audit option (e.g. AppLocker) in audit mode. 
To import those policies in enforcement mode, use the **-PolicyMode** option and specify the **'Enforced'** value.\r\n* Make a backup copy of existing imported SHB Group Policy objects (and Group Policy templates if the -UpdateTemplates option is used) if they exist. The backups will be in a directory located at **%USERPROFILE%\\\\Desktop\\\\Backup_yyyyMMddHHmmss** corresponding to the time when the command was executed. To change this location use the **-BackupPath** option and specify a path to an existing folder where the Backup_yyyyMMddHHmmss folder will be created.\r\n* **Not** update the Group Policy template files that correspond to the applied Group Policy objects. Use the **-UpdateTemplates** option to update the Group Policy templates.\r\n\r\nOptions for the command are:\r\n* **-Path** - Required. The path to the folder containing the downloaded and extracted GitHub SHB repository.\r\n* **-PolicyNames** - Required. The names of the policies to apply. Can be 1 or more policy names. Available names: 'ActivClient', 'Adobe Reader', 'AppLocker', 'Certificates', 'Chrome', 'Internet Explorer', 'Office 2013', 'Office 2016', 'Windows', 'Windows Firewall'.\r\n* **-PolicyScopes** - Optional. The scope of the policies to apply. Available scopes: 'Computer', 'User'. Defaults to 'Computer','User'.\r\n* **-PolicyType** - Optional. The type of policies to apply. Available types: 'Domain', 'Local'. Defaults to 'Domain' when joined to a domain. Defaults to 'Local' when not joined to a domain.\r\n* **-PolicyMode** - Optional. The mode of policies to apply, if supported by the specific policy. For example, AppLocker supports audit and enforcement modes. Available modes: 'Audit', 'Enforced'. Defaults to 'Audit'.\r\n* **-BackupPath** - Optional. The path to a folder to save backups of existing imported SHB Group Policy objects (and Group Policy templates if the -UpdateTemplates option is used) if they exist in case a rollback is needed. 
Defaults to $env:USERPROFILE\\Desktop\\Backup_yyyyMMddHHmmss corresponding to when the script was executed.\r\n* **-ToolPath** - Optional. The path to the LGPO tool. Required when PolicyType is 'Local'.\r\n* **-UpdateTemplates** - Optional. Update Group Policy templates that correspond to the applied Group Policy objects.\r\n\r\nType **man Invoke-ApplySecureHostBaseline** at a PowerShell prompt for more help and examples or submit a question to the [repository issue tracker](https://github.com/nsacyber/Windows-Secure-Host-Baseline/issues).\r\n\r\n#### Applying the SHB policies to a standalone system\r\n\r\nIf applying the SHB policies to a standalone system (i.e. one not joined to a domain), then download the [LGPO tool](https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/telligent.evolution.components.attachments/01/4062/00/00/03/65/94/11/LGPO.zip) from [this Microsoft blog post](http://blogs.technet.com/b/secguide/archive/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0.aspx) and extract the executable.\r\n\r\n```\r\nInvoke-ApplySecureHostBaseline -Path '.\\Windows-Secure-Host-Baseline' -PolicyNames 'Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer','Office 2013','Office 2016','Windows','Windows Firewall' -ToolPath '.\\LGPO\\lgpo.exe'\r\n```\r\n\r\n#### Applying the SHB policies to a domain\r\n\r\nIf applying the SHB policies to a domain, note that the Group Policy objects are only loaded into Active Directory. 
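\r\n\r\nWhether the target is a standalone system or a domain, the Getting started steps above (unblock the zip, extract and rename, load the module, apply in audit mode) can be driven from a single script. The following is an added example and is not part of the repository; it assumes the zip is in the **Downloads** folder, Windows PowerShell 5.x (for **Expand-Archive**), and, on a standalone system, LGPO.exe extracted to **Downloads\\LGPO**. The GPO listing at the end uses the RSAT **GroupPolicy** module if it is installed, and the script name **Apply-Shb.ps1** is the example's own.\r\n\r\n
```powershell\r\n
# Apply-Shb.ps1 -- added example, not the repository's own code. Drives the Getting\r\n
# started steps end to end. Assumptions: zip in Downloads, Windows PowerShell 5.x,\r\n
# LGPO.exe at Downloads\\LGPO\\lgpo.exe when the host is not domain joined.\r\n
#Requires -RunAsAdministrator\r\n
[CmdletBinding()]\r\n
param(\r\n
    [ValidateSet('Audit', 'Enforced')] [string] $PolicyMode = 'Audit',\r\n
    [string] $LgpoPath = (Join-Path $env:USERPROFILE 'Downloads\\LGPO\\lgpo.exe'),\r\n
    [string[]] $PolicyNames = @('Adobe Reader', 'AppLocker', 'Certificates', 'Chrome',\r\n
        'Internet Explorer', 'Office 2013', 'Office 2016', 'Windows', 'Windows Firewall')\r\n
)\r\n
$ErrorActionPreference = 'Stop'\r\n
if ($PSVersionTable.PSVersion.Major -lt 5) { throw 'Windows PowerShell 5.0 or later is required (Expand-Archive).' }\r\n
\r\n
$downloads = Join-Path $env:USERPROFILE 'Downloads'\r\n
$zip  = Join-Path $downloads 'Windows-Secure-Host-Baseline-master.zip'\r\n
$repo = Join-Path $downloads 'Windows-Secure-Host-Baseline'\r\n
if (-not (Test-Path $zip))  { throw \"Download the repository zip to $zip first.\" }\r\n
if (Test-Path $repo)        { throw \"$repo already exists from an earlier run; move it aside first.\" }\r\n
\r\n
# Step 2: strip the Internet zone marker (Zone.Identifier) from the zip before extracting,\r\n
# so the extracted .ps1/.psm1 files are not marked either.\r\n
Unblock-File -Path $zip\r\n
\r\n
# Step 3: extract (the GitHub archive contains a *-master top folder) and rename it.\r\n
Expand-Archive -Path $zip -DestinationPath $downloads -Force\r\n
Rename-Item -Path (Join-Path $downloads 'Windows-Secure-Host-Baseline-master') -NewName 'Windows-Secure-Host-Baseline'\r\n
# Belt and braces: clear any Zone.Identifier stream that survived extraction.\r\n
Get-ChildItem -Path $repo -Recurse -Include '*.ps1', '*.psm1' | Unblock-File\r\n
\r\n
# Choose Domain vs Local the way the module documents it, and require LGPO only for Local.\r\n
$partOfDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain\r\n
$apply = @{ Path = $repo; PolicyNames = $PolicyNames; PolicyMode = $PolicyMode }\r\n
if ($partOfDomain) {\r\n
    $apply.PolicyType = 'Domain'\r\n
} else {\r\n
    if (-not (Test-Path $LgpoPath)) { throw \"LGPO.exe not found at $LgpoPath; it is required for a standalone system.\" }\r\n
    $apply.PolicyType = 'Local'\r\n
    $apply.ToolPath   = $LgpoPath\r\n
}\r\n
\r\n
# Step 4: load the module and apply. Start in Audit mode; rerun with -PolicyMode Enforced\r\n
# only after the AppLocker event log shows no unexpected would-be blocks.\r\n
Import-Module -Name (Join-Path $repo 'Scripts\\GroupPolicy.psm1') -Force\r\n
$started = Get-Date\r\n
Invoke-ApplySecureHostBaseline @apply\r\n
\r\n
# Domain case: the import creates GPOs but links nothing. List what changed since $started\r\n
# so the GPOs can be reviewed and linked to a test OU (clock skew against the DC can hide\r\n
# entries; widen the window if the list looks short).\r\n
if ($partOfDomain -and (Get-Module -ListAvailable -Name GroupPolicy)) {\r\n
    Import-Module -Name GroupPolicy\r\n
    Get-GPO -All | Where-Object { $_.ModificationTime -ge $started } |\r\n
        Select-Object DisplayName, Id, ModificationTime | Format-Table -AutoSize\r\n
}\r\n
```\r\n
\r\nRun it from an elevated prompt as `powershell.exe -ExecutionPolicy RemoteSigned -File .\\Apply-Shb.ps1`; the saved script is a local file, so RemoteSigned runs it without touching the machine-wide policy, and the module files it imports have been unblocked by the script itself. On a domain-joined host the GPOs listed at the end still have to be linked to the appropriate OUs before any setting takes effect.\r\n\r\n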
The imported policies are not linked to any OUs, so their settings do not take effect until they are linked to the appropriate OUs.\r\n\r\n```\r\nInvoke-ApplySecureHostBaseline -Path '.\\Windows-Secure-Host-Baseline' -PolicyNames 'Adobe Reader','AppLocker','Certificates','Chrome','Internet Explorer','Office 2013','Office 2016','Windows','Windows Firewall'\r\n```\r\n\r\n### Checking compliance\r\nOnce the policies have been applied (and linked to appropriate OUs in the domain case), see the [Compliance page](./Compliance/README.md) for instructions on how to check compliance with the policies.\r\n\r\n## License\r\nSee [LICENSE](./LICENSE.md).\r\n\r\n## Disclaimer\r\nSee [DISCLAIMER](./DISCLAIMER.md).\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnsacyber%2FWindows-Secure-Host-Baseline","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnsacyber%2FWindows-Secure-Host-Baseline","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnsacyber%2FWindows-Secure-Host-Baseline/lists"}