0 Replies Latest reply: Feb 12, 2013 12:14 PM by Mehul RSS

Windows Server 2012 Best Practice Audit With Nessus/PowerShell

Mehul

Windows Server 2012 has been out for a few months now, and ever since its release, Nessus users have been asking for a .audit to scan the shiny new OS. In general, whenever a new version of an OS or an app is released, there is always a delay before industry-standard guides such as CIS and DISA STIGs start to kick in. Luckily for us, Microsoft releases best practice guidelines for its products as they are released, and they include excellent recommendations to lock down the systems out of the box.

We recently decided to check out the Best Practices Analyzer for Windows Server 2012, and stumbled upon a new set of PowerShell cmdlets which scan the server configuration for a given server role (e.g. Hyper-V, WebServer, etc.) and then report back whether the existing configuration is compliant with the best practice guideline for that specific server role. These cmdlets are extremely useful from a configuration auditing/compliance standpoint, and Nessus users familiar with PowerShell can take advantage of them right from a .audit. Users only need to know which server role they need to audit, and the cmdlet Get-BPAResult (in combination with Invoke-BPAModel) will do the rest.


The list of roles available on the server can be obtained by running the cmdlet Get-BpaModel.

Get-BpaModel

The Get-BPAModel cmdlet allows you to retrieve and view the list of roles supported by the Best Practices Analyzer (BPA) that are installed on a computer.


The following roles were available on a default Windows Server 2012 install:

PS C:\Users\Administrator> Get-BpaModel | select id

Id
--
Microsoft/Windows/ADRMS
Microsoft/Windows/CertificateServices
Microsoft/Windows/DHCPServer
Microsoft/Windows/DirectoryServices
Microsoft/Windows/DNSServer
Microsoft/Windows/FileServices
Microsoft/Windows/Hyper-V
Microsoft/Windows/LightweightDirectoryServices
Microsoft/Windows/NPAS
Microsoft/Windows/RemoteAccessServer
Microsoft/Windows/TerminalServices
Microsoft/Windows/UpdateServices
Microsoft/Windows/VolumeActivation
Microsoft/Windows/WebServer

Our lab server had the Hyper-V role enabled, so we decided to audit the configuration for that role. Here are the .audits we used.


Get-BpaResult


The result from Get-BPAResult cmdlet is split into three severity levels (Information, Error, and Warning).

1. Informational Results

Results that match the best practice rule are reported as Informational.

<custom_item>
type : AUDIT_POWERSHELL
description : "Windows Server 2012 Best Practice Analyzer (BPA) Audit - Hyper-V - 'Informational'"
value_type : POLICY_TEXT
value_data : ""
powershell_args: "Get-BpaResult Microsoft/Windows/Hyper-V | select Title,ModelId,ResultNumber,Compliance,Severity | Where-Object {$_.severity -eq 'Information'} | format-list"
only_show_cmd_output: YES
</custom_item>

[Screenshot: info.png]

2. Warning

Results that are not compliant and can potentially cause problems are reported as Warning.

<custom_item>
type : AUDIT_POWERSHELL
description : "Windows Server 2012 Best Practice Analyzer (BPA) Audit - Hyper-V - 'Warning'"
value_type : POLICY_TEXT
value_data : ""
powershell_args: "Get-BpaResult Microsoft/Windows/Hyper-V | select Title,ModelId,ResultNumber,Problem,Impact,Resolution,Severity,Help | Where-Object {$_.severity -eq 'Warning'} | format-list"
only_show_cmd_output: YES
severity : MEDIUM
powershell_option : CAN_BE_NULL
</custom_item>

[Screenshot: warning.png]

3. Error

Results that do not match (non-compliant) are reported as Error.

<custom_item>
type : AUDIT_POWERSHELL
description : "Windows Server 2012 Best Practice Analyzer (BPA) Audit - Hyper-V - 'Error'"
value_type : POLICY_TEXT
value_data : ""
powershell_args: "Get-BpaResult Microsoft/Windows/Hyper-V | select Title,ModelId,ResultNumber,Problem,Impact,Resolution,Severity,Help | Where-Object {$_.severity -eq 'Error'} | format-list"
powershell_option : CAN_BE_NULL
</custom_item>

[Screenshot: fail.png]

Notice that when the checks fail with Error or Warning, the BPA also includes a Resolution, Impact, and a Help link for more information.

Note: For Nessus to have access to Get-BPAResult, the cmdlet Invoke-BPAModel <ModelID> needs to be invoked first on the server. This can be done either by invoking the cmdlet at the console before the scan or by setting it up as a scheduled task; the latest report will then be retrieved automatically by Nessus.
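As an added example (not from the original post), the following script covers the note above end to end: it re-runs Invoke-BpaModel for every model reported by Get-BpaModel, summarizes the results by the three severities the .audits filter on, lists the non-compliant items with their remediation fields, and registers a scheduled task so a fresh report is always waiting for the scan. It assumes an elevated PowerShell session on Windows Server 2012 with the BestPractices module available; the task name 'BPA-Refresh' and the 2am schedule are arbitrary choices.

```powershell
# Added example, not part of the original post. Requires an elevated session.
Import-Module BestPractices

function Update-BpaResults {
    # Get-BpaResult returns nothing until Invoke-BpaModel has run for that model,
    # so refresh every installed model first, then count results per severity.
    $summary = foreach ($model in Get-BpaModel) {
        try {
            Invoke-BpaModel -ModelId $model.Id -ErrorAction Stop | Out-Null
        } catch {
            # Typically the role behind the model is not installed on this host
            Write-Warning "Scan of $($model.Id) failed: $_"
            continue
        }
        $results = @(Get-BpaResult -ModelId $model.Id -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            ModelId     = $model.Id
            Information = @($results | Where-Object { $_.Severity -eq 'Information' }).Count
            Warning     = @($results | Where-Object { $_.Severity -eq 'Warning' }).Count
            Error       = @($results | Where-Object { $_.Severity -eq 'Error' }).Count
        }
    }
    $summary | Format-Table -AutoSize
}

function Get-BpaFindings {
    # Non-compliant items only, with the remediation fields the BPA attaches
    param([string]$ModelId = 'Microsoft/Windows/Hyper-V')
    Get-BpaResult -ModelId $ModelId |
        Where-Object { $_.Severity -in 'Warning', 'Error' } |
        Select-Object Title, Severity, Problem, Impact, Resolution, Help
}

function Register-BpaRefreshTask {
    # Daily refresh as SYSTEM so the Nessus scan always reads a current report.
    # Task name and time are assumptions; adjust to the scan schedule.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument '-NoProfile -Command "Get-BpaModel | ForEach-Object { Invoke-BpaModel -ModelId $_.Id }"'
    $trigger = New-ScheduledTaskTrigger -Daily -At 2am
    Register-ScheduledTask -TaskName 'BPA-Refresh' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force
}

Update-BpaResults
Get-BpaFindings | Format-List
Register-BpaRefreshTask
```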


-Mehul