

# CIS benchmark server hardening install

This is a fairly advanced technical overview of how I've used Packer, Vagrant, VirtualBox, PowerShell, Pester and BDD to implement Windows Server hardening.

As a technology group in our company we want to provide secure Windows Servers to our teams, hardened according to the CIS benchmark.

We started with an Excel spreadsheet reviewed by our security team. It has hundreds of rows which list and describe all the sections, recommendations, rationale and impact of implementing the CIS benchmark (security hardening) on a Windows Server.

Then we were given PowerShell scripts that should do the job, provided by a 3rd party:

- Implementation.ps1 - approx. 600 lines long.

The size of the scripts caused a bit of a problem - having it so big is bad coding practice alone; it's hard to manage and low quality. But the real problem was that it was impossible to tell what/if/how all the sections and recommendations were actually implemented:

- How do we manage the scripts? Difficult.
- How do we continue developing the scripts? Very difficult.
- How do we debug the scripts when something doesn't work as expected? Impossible.
- Are all the required sections implemented? Hard to tell.
- Are all the required sections implemented correctly? Hard to tell.
- How do we test the scripts locally (on a MacBook)? Can't do.
- Can I develop the scripts locally in VSCode and run them remotely on a Windows server to improve speed and efficiency of development? No.

I have been asked to use my Windows expertise to look into this.

Pester is the BDD testing framework for PowerShell. It comes in two flavours, distinguished by the command used to execute the tests:

- `Invoke-Pester` - works with *.Test.ps1 files.
- `Invoke-Gherkin` - works with *.feature files (using Cucumber BDD language in plain English) and *.Step.ps1 files.

I am a big fan of using plain English to describe test scenarios, so I've decided to use the latter option to describe the security hardening.

But first. There are many Packer build templates for Windows Server. I have used an awesome repo (thank you) as a source of a Packer build for Windows Server (2012 R2) which builds a box that can then be imported using Vagrant into VirtualBox. Why is this one awesome? It uses Boxstarter to solve many, many issues typically caused by the fact that Windows needs to be restarted multiple times during installation or after required updates, and that some features (e.g. PowerShell 5.1) cannot even be installed over the WinRM protocol, which is the default protocol used to connect to the built box. A manual script to resolve that particular issue is a messy one and involves unpacking the installation files and attempting to install a related CAB file.

Since the Packer build starts with an RTM build of Windows Server, which doesn't have any updates, and updates are essentially required for security reasons, but also PowerShell 5.1 requires some updates and PowerShell Core "6.0" requires some others (~690MB), it took a while to get the final updated Windows Server box built. Boxstarter takes care of all those issues automagically.
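To show what the `Invoke-Gherkin` flavour looks like for a hardening check, here is an added example (it is not code from the post or from the 3rd-party scripts). It writes one plain-English `.feature` file and its step definitions into a temporary folder and runs them. It assumes Pester 4.x (`Should -Be` syntax) on the Windows Server under test; Pester 4 looks for step files with the `.Steps.ps1` suffix. The check itself is a constructed illustration: the `LimitBlankPasswordUse` value under the `Lsa` registry key, which backs the "limit local account use of blank passwords to console logon only" policy. Sharing state between steps through `$script:` scope is an assumption about how Pester runs one feature file.

```powershell
# Added example, not the post's own code: a CIS-style hardening check written
# as a Gherkin scenario plus Pester step definitions, executed by Invoke-Gherkin.
# Assumes Pester 4.x. The registry check is a constructed illustration.

$Suite = Join-Path $env:TEMP 'hardening-bdd'
New-Item -ItemType Directory -Path $Suite -Force | Out-Null

# Plain-English scenario: this is the file the security team can review
# line by line against their spreadsheet.
@'
Feature: Account policies
  Scenario: Blank passwords are limited to console logon only
    Given the registry key "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    When I read the value "LimitBlankPasswordUse"
    Then the value should be 1
'@ | Set-Content -Path (Join-Path $Suite 'AccountPolicies.feature')

# Step definitions: each regex turns part of the sentence into a parameter.
# State is passed between steps through script scope (assumption: Pester
# runs all steps of one feature file in the same script scope).
@'
Given 'the registry key "(?<Path>[^"]+)"' {
    param($Path)
    $script:KeyPath = $Path
}

When 'I read the value "(?<Name>[^"]+)"' {
    param($Name)
    # A missing key or value yields $null, so the Then step fails cleanly
    # instead of throwing from inside the When step.
    $item = Get-ItemProperty -Path $script:KeyPath -Name $Name -ErrorAction SilentlyContinue
    $script:Actual = if ($item) { $item.$Name } else { $null }
}

Then 'the value should be (?<Expected>\d+)' {
    param($Expected)
    $script:Actual | Should -Be ([int]$Expected)
}
'@ | Set-Content -Path (Join-Path $Suite 'AccountPolicies.Steps.ps1')

# Run the feature. -PassThru returns a result object with pass/fail counts,
# which is what a CI job or a Packer provisioner would check.
$result = Invoke-Gherkin -Path $Suite -PassThru
"Passed: $($result.PassedCount)  Failed: $($result.FailedCount)"
```

The point of the split is that every recommendation becomes one readable scenario that either passes or fails, which answers the "are all the required sections implemented correctly?" question the monolithic script could not.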

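As an added illustration of the reboot-and-update cycle described above (this is my own sketch, not code from the post or from the referenced Packer repo), here is a minimal Boxstarter package script. Boxstarter re-runs the whole script after each `Invoke-Reboot`, so every step is written to be safe to repeat. It assumes Boxstarter is installed and the script is run through `Install-BoxstarterPackage`; the Chocolatey package name used for WMF 5.1 is an assumption.

```powershell
# Added example, not the post's or the referenced repo's code: a re-entrant
# Boxstarter package that patches an RTM Windows Server and brings it to
# PowerShell 5.1, rebooting as many times as Windows needs.
# Assumptions: Boxstarter present; package name 'powershell' for WMF 5.1.

# Let Windows Update also offer updates for other Microsoft products.
Enable-MicrosoftUpdate

# First update pass. RTM media has nothing applied, so this is the long one;
# Boxstarter resumes the script here after the reboot.
Install-WindowsUpdate -AcceptEula
if (Test-PendingReboot) { Invoke-Reboot }

# WMF 5.1 is one of the features the post notes cannot be installed over a
# plain WinRM session; letting Boxstarter drive it sidesteps that problem.
if ($PSVersionTable.PSVersion -lt [version]'5.1') {
    choco install powershell -y   # assumption: Chocolatey package for WMF 5.1
    if (Test-PendingReboot) { Invoke-Reboot }
}

# Second pass picks up the updates that the new WMF itself requires.
Install-WindowsUpdate -AcceptEula
if (Test-PendingReboot) { Invoke-Reboot }

# Record what the box ended up with, for the build log.
"PowerShell $($PSVersionTable.PSVersion) on $((Get-CimInstance Win32_OperatingSystem).Caption)"
```

Because each block re-checks its own precondition (`Test-PendingReboot`, the PowerShell version), the script converges no matter how many restarts the updates demand, which is the property a hand-written Packer provisioner script struggles to provide.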