Policy Enforcement using Baselines

Baselines are industry-recommended settings that simplify securing your devices with Workspace ONE UEM. These one-stop configurations significantly reduce the time it takes to set up and secure Windows devices.

In this section you will:

  1. Create a Windows 10 Security baseline and add additional policies.
  2. Test on your Windows VM machine.  
  3. Clean up

 

Let's get started!

Part 1: Create a Baseline

  1. On the ControlCenter2 Machine,
    1. Open Google Chrome browser
    2. Navigate to your Workspace ONE UEM console i.e. cn-livefire.awmdm.com
    3. Navigate to Devices > Profiles & Resources > Baselines.
  1. Under Baselines, click on NEW.
  1. Under General tab,
    1. Enter a Baseline Name as LivefireTest
    2. Enter a Description as Livefire Test Baseline.
    3. Click on NEXT
  1. Under Choose Baseline,
    1. Select Windows 10 Security Benchmarks.
    2. From the Version Drop down, select the latest version 1909.
    3. Click NEXT.

NOTE: You have 3 options to select from. We are selecting Windows 10 Security Baseline for this demo. Below is a description of the different options you can choose from:

  • CIS Windows 10 Benchmarks: This baseline applies the configuration settings recommended by CIS Benchmarks. L1 and L2 are the two levels of CIS benchmarks, L2 being the most restrictive. Selecting L2 will block Workspace ONE Intelligent Hub on the device by default. An exclusion needs to be made to whitelist Workspace ONE Intelligent Hub if L2 is selected.
  • Windows 10 Security Baseline: This baseline applies the configuration settings recommended by Microsoft. Select the OS version and benchmark level to apply.
  • Custom Baseline: Allows you to upload your local policies which cannot be configured using Microsoft CSPs.

  1. Under Customize,
    1. In the Filter, search for Password.
    2. Click on Minimum Password Length in the results below.
    3. Change the Password must be at least value to 10.
    4. Click NEXT.

NOTE: Password Complexity is enabled by default. You can customize the Baselines to further meet your organization's security policies.

  1. Under ADD POLICY,
    1. In the search field, type registry and press ENTER.
    2. From the list of results, find and click on Prevent access to registry editing tools.
  1. Under Add Policy
    1. Change the Policy from Not Configured to Enabled using the drop down.
    2. Confirm that the Disable regedit from running silently option is set to YES.
    3. Click on the more information icon. Confirm the policy action for the additional policy created.
    4. Click NEXT.
  1. Under Summary,
    1. Verify the customizations and added policies in your baseline.
    2. Click SAVE & ASSIGN
  1. In Assign Baseline window,
    1. Type ALL DEVICES in the search bar
    2. Select All Devices Smart group.
    3. Click PUBLISH.

Part 2: Test on your Windows VM machine

  1. Confirm the Baseline is created. Click on VIEW under Install Status and then click on the Count (in this case 1) for your baseline Livefire Test.
  1. If the baseline is not installed, verify the reason under status.

NOTE: In either case, you must restart the device for the baseline to take effect.

  1. Open your Windows Machine, (If you have the Win10Client02 RDP session active, you can skip the below steps and proceed to step 5)  
    1. From the ControlCenter2 Machine Desktop,
    2. Find and open Remote Desktop Folder.
    3. Double click on win10client02 (Windows VM machine) to start the RDP session.

NOTE: This is the same Virtual Machine you enrolled into the Workspace ONE UEM SaaS tenant.

  1. Login to the VM machine and you should also see a notification: Workspace ONE Policies have been updated. Please restart your device to apply the updates.

NOTE: This might take a few minutes. The notification appears once the baseline is installed; you can refresh the baseline page in Workspace ONE UEM to confirm that the status has changed to Installed.

  1. Restart your Windows 10 Machine,
    1. Click on Start Menu > Power > Restart. (NOTE: This will kill the RDP session)
    2. Once Restart is complete, go back to your ControlCenter2 machine > Desktop > Remote Desktops folder. Double click on W10Client02 Virtual Machine to open the RDP session. Notice the RDP session is blocked. This is due to a baseline policy which restricts Remote Desktop sessions.

To navigate to W10Client02 Machine, use the left Console Panel. Scroll down to find W10Client02 Machine and double click. Password is VMware1!

  1. To test if the baseline policy is successfully applied,
    1. Navigate to Search bar. Type Regedit.exe.
    2. Right Click on the Regedit.exe result and Click Run as administrator.

Notice you will see this error message: Registry editing has been disabled by your administrator.

  1. To test the Minimum Password Length policy applied by your Baseline, we will add a user account on this machine with a password shorter than 10 characters. To add a user account,
    1. Search Accounts in search bar from your Windows win10Client02 machine.
    2. Click on Add, edit or remove other users.
  1. Under Other Users, Click on Add someone else to this PC.
  1. Click on I don't have this person's sign-in information.
  1. Click on Add a user without a Microsoft account.
  1. Fill in the information with dummy values.

NOTE: For this test, use a password less than 10 characters in length.

Notice that, per our Windows 10 security baseline, the password must be at least 10 characters long and must meet the complexity requirements below:

  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (for example, !, $, #, %)
  1. Change the password to meet your requirement of 10 characters and save. Notice the account is successfully created once you meet the password requirements.
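
The two settings tested above can also be read back from an elevated PowerShell prompt on the Windows VM. This is an added example, not part of the original lab; it assumes the baseline is applied as standard local policy, meaning the account policy that secedit exports and the Group Policy registry value DisableRegistryTools for the signed-in user.

```powershell
# Added example: read back the settings this lab's baseline changes.
# Run elevated, as the same user who is signed in, after the restart.
# Assumption: the baseline lands as standard local policy (secedit-visible
# account policy plus the per-user DisableRegistryTools policy value).

$expectedMinLength = 10   # value set under Customize in Part 1

# 1. Export the local security policy and collect its "Name = Value" lines.
#    [Registry Values] entries contain backslashes and are skipped by \w+.
$cfg = Join-Path $env:TEMP 'baseline-check.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. Value behind "Prevent access to registry editing tools":
#    1 = regedit blocked, 2 = blocked and also prevented from running silently.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$regTools = (Get-ItemProperty -Path $key -Name DisableRegistryTools `
                -ErrorAction SilentlyContinue).DisableRegistryTools

$results = @(
    [pscustomobject]@{
        Setting  = 'Minimum password length'
        Actual   = $policy['MinimumPasswordLength']
        Expected = ">= $expectedMinLength"
        Pass     = ([int]$policy['MinimumPasswordLength'] -ge $expectedMinLength)
    }
    [pscustomobject]@{
        Setting  = 'Password complexity'
        Actual   = $policy['PasswordComplexity']
        Expected = '1'
        Pass     = ($policy['PasswordComplexity'] -eq '1')
    }
    [pscustomobject]@{
        Setting  = 'Registry editing tools disabled (silent block)'
        Actual   = $regTools
        Expected = '2'
        Pass     = ($regTools -eq 2)
    }
)

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit if any check fails
```

Running the same script after the clean-up in Part 3 shows whether removing the baseline actually reverted each setting.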

Part 3: Clean Up

Since we will be using the same Windows 10 machine for future labs, let's go ahead and remove the baseline to ensure we have unrestricted access to our Virtual Machines.

  1. On the ControlCenter2 Machine,
    1. Open the Google Chrome Browser.
    2. Navigate to Workspace ONE UEM console.
    3. Under Devices > Profiles & Resources > Baselines. Select the baseline policy you created above. In this example, select Livefire Test.
    4. Click DELETE.
  1. On the W10Client02 Virtual Machine,
    1. You will see a notification: Workspace ONE policies have been updated. Please restart your device to apply the updates.
    2. Restart the device.

Post restart, you can verify that regedit.exe is accessible. Since we removed the baseline, you will notice that regedit.exe opens successfully.