Assess and remediate your Windows Servers with Chef

I’m pleased to announce two new Chef assets that enable you to assess and remediate your Windows 2012 R2 Servers using the compliance feature of Chef Automate. They are both basic, initial examples, but demonstrate how you can use a compliance profile in conjunction with a cookbook to apply best practice server hardening.

Windows Hardening Benchmark

Available from the dev-sec project page (maintained by the Chef compliance team), this InSpec compliance profile is a lightweight version of the CIS L1 benchmark available from CIS and packaged in Chef Automate. The team has open-sourced this project for testing purposes, but also to demonstrate the scanning capabilities on Windows systems using the compliance tool.

The project source is here: https://github.com/dev-sec/windows-hardening-benchmark

Base Windows 2012 Hardening

This cookbook is built in the same structure as the compliance profiles, and applies the hardening required for all tests from the above benchmark to pass. It offers capabilities such as editing a local security policy. The aim is to develop additional cookbooks to handle specific segments of Windows hardening, such as the security policy, through custom resources. This approach would offer the same modularity we see with corporate compliance profiles that are built from technologies instead of following a specific standard.

The project source is here: https://github.com/dev-sec/chef-windows-hardening

Getting Started

To make use of these assets I recommend following the “assess and remediate” process we’ve demonstrated previously during various webinars and event talks. Here’s a great example from Compliance and InSpec co-founder, Christoph Hartmann: Compliance as Code with InSpec 1.0.

Using chef-client on your Windows servers with the audit cookbook allows continuous auditing on the same schedule as the chef-client runs. With appropriately set attributes, the Windows base profile can be executed against your Windows systems. Note that no configuration will be applied at this stage; it is purely for assessment purposes.

Following the assessment stage, the hardening cookbook can be applied to the run-list of a role or node to carry out the appropriate configuration to meet the baseline in the profile.
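As an added illustration (not code from either project), the two stages above expressed as Chef role definitions: the assessment role carries only the audit cookbook pointed at the benchmark, and the remediation role adds the hardening cookbook to the run-list. The attribute layout (`node['audit']['reporter']`, `node['audit']['profiles']`) is the audit cookbook's documented one but is an assumption about the version you run, and the cookbook name `windows-hardening` is assumed.

```ruby
require 'json'

# Constructed example: role definitions for the "assess and remediate" workflow.
# The audit attribute names and the hardening cookbook name are assumptions.
BENCHMARK_URL = 'https://github.com/dev-sec/windows-hardening-benchmark'.freeze
HARDENING_COOKBOOK = 'windows-hardening'.freeze

# Build a Chef role hash for the given phase (:assess or :remediate).
def windows_role(phase)
  run_list = ['recipe[audit::default]']
  # Remediation puts the hardening cookbook ahead of the audit recipe so the
  # same chef-client run applies the baseline and then re-scans it.
  run_list.unshift("recipe[#{HARDENING_COOKBOOK}::default]") if phase == :remediate
  {
    'name' => "windows2012r2_#{phase}",
    'chef_type' => 'role',
    'json_class' => 'Chef::Role',
    'run_list' => run_list,
    'default_attributes' => {
      'audit' => {
        # Send InSpec results to Chef Automate's compliance view.
        'reporter' => 'chef-automate',
        # Fetch the profile straight from the dev-sec repository.
        'profiles' => {
          'windows-hardening-benchmark' => { 'git' => BENCHMARK_URL }
        }
      }
    }
  }
end

# Guard for the assessment stage: nothing on the run-list may change
# configuration, so only audit-cookbook recipes are allowed.
def assessment_only?(role)
  role['run_list'].all? { |r| r.start_with?('recipe[audit::') }
end

# Serialize a role as the JSON you would upload with `knife role from file`.
def role_json(phase)
  JSON.pretty_generate(windows_role(phase))
end

puts role_json(:assess) if $PROGRAM_NAME == __FILE__
```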

Contribute to the Projects

We invite you to contribute to both projects and help grow the community. As always, test any software before applying it to your systems. Both projects are in their early stages and are for demonstration and testing purposes only at the moment.

I’d greatly appreciate your feedback and thoughts on how we can move these projects forward!

Joe Gardiner

Former Chef Employee