This is a use case that I had to implement for a recent PoC. While implementing it I thought it would be useful for other people, so I decided to write a blog post about it, since it is a handy use case and illustrates how to use policies to check registry entries in Windows. Three policies and a Policy Profile will be created to get everything fitted together and running; in the next steps the components, how they work and how to implement them will be explained in detail.
Windows Security Profile
- VM and Instance Compliance: Windows Firewall Check
- VM and Instance Control: Check Compliance
- VM and Instance Control: Run Smart State
Overall Policy Profile behaviour:
Performs a SmartState Analysis (SSA) on Windows VMs when “Power On” or “Reset” events are detected. After the SSA is performed, the policy checks the two conditions needed to pass the compliance policy; if both are satisfied the VM is marked as Compliant, in any other case the VM is marked as Non-Compliant. The two conditions are two different keys in the Windows registry, one for checking whether the firewall for public networks is enabled and another one for private networks.
Windows Firewall Check
Policy objective: Try to make sure that any Windows-based VM has Windows Firewall enabled.
How? The easiest way to check that the firewall is enabled from CloudForms is to check the registry using policies. Since the Windows registry has two different keys for the firewall status (one for private networks and another one for public networks), both of them should be checked to make sure the registry values are the proper ones.
Registry keys to check:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:EnableFirewall, value should be 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile:EnableFirewall, value should be 1
The Windows Firewall Check compliance policy has two different Conditions inside; each of these conditions first ensures, as its scope, that the VM OS is Windows and then checks the value of the registry key.
These registry keys will be read using SSA, so both registry paths must be included in the SSA profile, otherwise the policy won't be able to check the key's value.
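To validate what the SSA-backed policy will see, the same two checks can be reproduced locally on a Windows guest. This is an added example, not part of the original post or of CloudForms; it assumes PowerShell 5.1 or later with rights to read HKLM, and applies the profile's rule that both values must be 1.

```powershell
# Added example (not from the original post): reproduces the "Windows Firewall Check"
# logic locally on a Windows guest so the SSA/compliance result can be validated.
# Assumes PowerShell 5.1+ running with rights to read HKLM.

$Checks = @(
    @{ Name = 'Private (StandardProfile)'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' },
    @{ Name = 'Public (PublicProfile)'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' }
)

function Get-FirewallRegistryCompliance {
    # Returns one object per profile. A missing key or value is treated as
    # Non-Compliant, matching the policy's behaviour when SSA cannot read the entry.
    foreach ($c in $Checks) {
        $value = (Get-ItemProperty -Path $c.Key -Name 'EnableFirewall' `
                    -ErrorAction SilentlyContinue).EnableFirewall
        [pscustomobject]@{
            Profile        = $c.Name
            Key            = $c.Key
            EnableFirewall = $value
            Compliant      = ($value -eq 1)
        }
    }
}

$results = Get-FirewallRegistryCompliance
$results | Format-Table Profile, EnableFirewall, Compliant -AutoSize

# Same rule as the policy profile: both conditions must pass.
if (($results | Where-Object { -not $_.Compliant }).Count -eq 0) {
    Write-Output 'VM would be marked Compliant'
} else {
    Write-Output 'VM would be marked Non-Compliant'
}
```

When the firewall is managed by Group Policy, the effective setting comes from the values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, which take precedence over the service keys checked here, so the registry result can differ from what Get-NetFirewallProfile reports; include those policy paths in the SSA profile too if your guests are domain-managed.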
Run Smart State control policy
Policy objective: On “VM Power On” and “VM Reset” events an SSA will be run if the VM/Instance or the host provider has the policy applied.
How? The SSA action should be associated with the “VM Reset” and “VM Power On” events in a policy.
Check Compliance control policy
Policy objective: Every time a VM or Instance has completed an SSA, perform a compliance check.
How? The Check Compliance action should be associated with the “VM Reset” or “VM Power On” events in a policy.
How to implement it?
Steps to follow:
- Create a custom Smart State Analysis profile
- Create “Windows Firewall Check” compliance policy
- Create “Run Smart State” Control Policy
- Create “Check Compliance” Control policy
- Put it all together in the “Windows Security Policy” Profile
- Apply to a provider
1. Create Smart Analysis custom profile
To get the job done you need to create a custom SSA profile in CloudForms; it is an easy task, just follow these steps.
1. Go to the top right corner, click on the user's name and then click on “Configuration”.
2. In the left sidebar click on Settings and select the sample profile; once the sample profile is selected go to the top bar, click on Configuration and then click on “Copy this selected Analysis Profile”.
3. Choose a meaningful name for the Analysis Profile, or if you are not going to create more custom profiles you can name it default.
4. Since we need to add two different registry keys to check, click on the Registry tab and click on “New Entry”.
5. In “Registry Key” put the path to the desired registry key, removing “HKEY_LOCAL_MACHINE” (CloudForms will take care of this part); in “Registry Value” write the registry value to be checked and press “Save”.
6. Repeat the same process for the second registry key; once done you will have your brand new SSA profile ready to check the desired Windows registry entries.
2. Create Windows Firewall Check compliance policy
1. Go to /Control/Explorer, click on Policies and select “Vm Compliance Policies”, then in the upper part of the page click on Configuration and click on “Add a New VM and Instance Compliance Policy”.
2. In the screen that opens, fill in the Description with a descriptive name and click Save; there is no need to set a Scope since it will be done in the next steps.
3. Now select the policy you just created, go to Configuration and click on “Create a new Condition assigned to this Policy”, and fill in a comprehensive Description. Now it's time to create the expression to validate: click on the drop-down menu and select Registry.
4. Fill in the registry path in Key and the name of the field we are going to check in Value (take this path from the one you created in the SSA profile), and in Data put the value you are looking for:
Key=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile; Value=EnableFirewall; Data=1
5. It is time to set the Scope for the Condition, in this case Windows machines only: in the drop-down inside the Scope area select Field, in the drop-down menu look for “OS Name” in the “VM and Instance” category, select “INCLUDES” and windows as the value, and click on the validate button to save the selections.
6. Click Add.
7. Repeat the process for the next registry value:
Key=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile; Value=EnableFirewall; Data=1
That's all! You now have a compliance policy that checks your Windows machines' registry for the firewall state on both Public and Private networks.
3. Run SmartState control policy
1. Go to /Control/Explorer, click on Policies and select “Vm Control Policies” under “Control Policies”.
2. In the top bar click on Configuration and click on “Add a New VM and Instance Control Policy”, choose an appropriate name and click Add.
3. Select the policy you just created, click on Configuration again and select “Edit Policy's Event assignments”.
4. Now select the proper events in VM Operation events for the recently created policy and click Save (as discussed previously, “VM Power On” and “VM Reset”).
5. Time to associate actions with the events: click on one of the policy's events, go to Configuration and click on “Edit Actions for this Policy Event”.
6. In the screen that opens you can select actions depending on whether the condition is true or false; for this policy we want the action to occur when the condition is true, and the condition in this concrete case is that a VM Power On event is detected. Select “Initiate SmartState Analysis for VM” in “Order of Actions if ALL Conditions are True”, click “>” and save.
7. Repeat the process for the second event and you're done.
4. Create a “Check Compliance” Control policy
At this point we will follow the previous step's guide almost point for point: a new “Vm Control Policy” should be created with a proper, meaningful name like “Check Compliance”, and then we will assign an event to trigger this policy. The event that will trigger an action is “VM Analysis Complete”; select it and save in the same way as was done for the “Run Smart State” policy. Now assign an action to the event, as was done in the previous point, selecting the “Check Host or VM Compliance” action for the event, and save. Finished!
5. Create “Windows Security Profile”
Only putting it all together in a policy profile remains to finish the job, so in this last step we will explain how to put all the pieces together to run.
1. Click on “Policy Profiles”, select “All Policy Profiles”, click on the Configuration drop-down and click on “Add a New Policy Profile”.
2. Write a Description, in the Policy selection select the policies you just created one by one, “Windows Firewall Check”, “Check Compliance” and “Run SmartState”, click on “>” to include each in the policy profile and, last but not least, click Add.
6. Apply the policy to a provider
This policy can be applied to any Cloud or Infrastructure provider; the only requirement is that the provider must be compatible with SmartState Analysis, which you can check in the Support Matrix.
1. Go to /Compute/Infrastructure/Providers and click on one of your infrastructure providers.
2. In this particular case a vCenter provider will be used. Once you click on the provider you will see a dashboard; there is a Policy button on the top bar, click on it and then on “Manage Policies”.
3. In the new screen click on the policy profile you created. From now on any new Windows VM, any Windows VM Powered On or any Reset Windows VM will be scanned using SmartState Analysis and after that a compliance check will be performed.
4. Click Save and your policy is applied and working.
From now on any Windows VM in the provider in which a “Power On” or “Reset” event is detected will be “scanned” by the “Windows Security Profile”. Enjoy your Security Profile.