Lab 7: Baseline Configuration

Scenario

Many organizations standardize server configurations by applying their group policies and hardening rules to reduce risks caused by misconfiguration. Taking Windows Server as an example, it is very common to apply default firewall rules, disabled services, custom registry values, and user & role permission settings. You’ll learn how to use Automation Config to automate baseline configuration for Windows Server.

Task A. Enable Remote Desktop Service (RDS)

  1. Click Configurations > File Server from the side menu
  2. Expand base folder in the file server folder tree
  3. Locate /POV/config-management/windows/base-config/enable_rds.sls
  4. Click enable_rds.sls and examine its SaltStack State File YAML
    enable_service_rds:
        service.enabled:
            - name: TermService
    
    start_service_rds:
        service.running:
            - name: TermService
    
    reg_enable_rdp_connections:
        reg.present:
            - name: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
            - vname: fDenyTSConnections
            - vdata: 0
            - vtype: REG_DWORD
    
  5. Running this state file will enable Remote Desktop Service (RDS) on the target minions, but we are NOT going to run it now. We will apply this state collectively as a baseline configuration

Task B. Disable Printer Spooler Service

  1. Click Configurations > File Server from the side menu
  2. Expand base folder in the file server folder tree
  3. Locate /POV/config-management/windows/base-config/disable_spooler.sls
  4. Click disable_spooler.sls and examine its SaltStack State File YAML
    disable_print_spooler:
        service.disabled:
            - name: Spooler

    stop_print_spooler:
        service.dead:
            - name: Spooler
    
  5. Running this state file will disable Printer Spooler Service on the target minions, but we are NOT going to run it now. We will apply this state collectively as a baseline configuration

Task C. Install IIS Web Server

  1. Click Configurations > File Server from the side menu
  2. Expand base folder in the file server folder tree
  3. Locate /POV/config-management/windows/base-config/install_iis.sls
  4. Click install_iis.sls and examine its SaltStack State File YAML
    install_iis:
        cmd.powershell:
            - name: salt://POV/config-management/windows/base-config/install_iis.ps1
    
  5. As you can see, the state file is referring to a PowerShell script in the File Server
  6. Locate /POV/config-management/windows/base-config/install_iis.ps1
  7. Click install_iis.ps1 and examine this regular PowerShell script
    Install-WindowsFeature -name Web-Server -IncludeManagementTools
    
  8. Running this state file will execute the PowerShell script to install IIS web server on the target minions, but we are NOT going to run it now. We will apply this state collectively as a baseline configuration

Task D. Setup Firewall Rules

  1. Click Configurations > File Server from the side menu
  2. Expand base folder in the file server folder tree
  3. Locate /POV/config-management/windows/base-config/setup_firewall.sls
  4. Click setup_firewall.sls and examine its SaltStack State File YAML
    open_smb_port:
        win_firewall.add_rule:
            - name: SMB (445)
            - localport: 445
            - protocol: tcp
            - action: allow
    
    open_http_port:
        win_firewall.add_rule:
            - name: HTTP (80)
            - localport: 80
            - protocol: tcp
            - action: allow
    
    open_https_port:
        win_firewall.add_rule:
            - name: HTTPS (443)
            - localport: 443
            - protocol: tcp
            - action: allow
    
  5. Running this state file will add three firewall rules on the target minions to allow incoming SMB, HTTP & HTTPS connections, but we are NOT going to run it now. We will apply this state collectively as a baseline configuration

Task E. Add Default Users

  1. Click Configurations > File Server from the side menu
  2. Expand base folder in the file server folder tree
  3. Locate /POV/config-management/windows/base-config/add_users.sls
  4. Click add_users.sls and examine its SaltStack State File YAML
    add_user:
        user.present:
            - name: holuser
            - fullname: holuser
            - password: VMware1!
            - groups:
                - Administrators
                - Users
    
  5. Running this state file will add the holuser user to the Administrators and Users groups on the target minions, but we are NOT going to run it now. We will apply this state collectively as a baseline configuration

Task F. Create Baseline Configuration

  1. Click Configurations > File Server from the side menu
  2. Expand base folder in the file server folder tree
  3. Locate /POV/config-management/windows/base-config/main.sls
  4. Click main.sls and examine its SaltStack State File YAML
    include:
        - pov.config-management.windows.base-config.enable_rds.sls
        - pov.config-management.windows.base-config.disable_spooler_service.sls
        - pov.config-management.windows.base-config.install_iis.sls
        - pov.config-management.windows.base-config.setup_firewall.sls
        - pov.config-management.windows.base-config.add_users.sls
    
  5. Running this state file will apply all of the above states collectively as a baseline configuration
  6. Next, we will create a job to run this state file

Task G. Create Job - Baseline Configuration

  1. Click Configurations > Jobs in the side menu
  2. Click Create Job button
  3. Input the following details for the new job and save the job
    • Name = Baseline Configuration for Windows
    • Description = Baseline config: RDS, IIS, Firewall & Users, etc.
    • Command = salt
    • Targets = Windows Servers
    • Function = state.apply
    • Environments = base
    • States = POV.config-management.windows.base-config.main
    • Arguments = (Blank)
    • Job Inputs = (Blank)
  4. Click SAVE button
  5. The job is now created and ready to run

Task H. Run Job - Baseline Configuration

  1. In the side menu, click Targets to open the Targets workspace and view your targets
  2. Locate Windows Servers minions target
  3. Click the button beside Windows Servers and select Run job
  4. In the Run Job dialog box
    • Input the following details
      • Job = Baseline Configuration for Windows (the job you have created in the previous task)
      • States = (Unchanged)
      • Run as Test = false
      • Environments = base
      • Options = (Unchanged)
  5. Click RUN NOW button
  6. Click Activity > Completed in the side menu
  7. The job will appear on the list once it is done. If not, Refresh the page in your browser
  8. Check if this job is completed successfully without error
    • Check Success is 1 or higher, and Failed is 0

Task I. Check Results - Baseline Configuration

  1. Log on to one of the target Windows minions
  2. Check if Remote Desktop Service (RDS) service is enabled
  3. Check if Printer Spooler service is disabled
  4. Check if IIS Web Server is installed
  5. Check if Firewall rules are configured to allow SMB, HTTP & HTTPS
  6. Check if User holuser is created
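The checks in this task can be run in one pass on the minion. The following is an added PowerShell example, not one of the lab's files; it assumes an elevated session on the target Windows Server and uses the service names, registry value, firewall rule display names and user name from the state files shown above.

```powershell
# Added example, not one of the lab's files: verify on a target Windows Server
# that every setting applied by main.sls is in place. Run in an elevated
# PowerShell session. Service names, the registry value, the rule display
# names and the user name are those used in the state files above.
$checks = [ordered]@{
    'RDS: TermService start type Automatic' = {
        (Get-CimInstance Win32_Service -Filter "Name='TermService'").StartMode -eq 'Auto' }
    'RDS: TermService running' = {
        (Get-Service -Name TermService).Status -eq 'Running' }
    'RDS: fDenyTSConnections is 0' = {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 0 }
    'Spooler: start type Disabled' = {
        (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode -eq 'Disabled' }
    'Spooler: stopped' = {
        (Get-Service -Name Spooler).Status -eq 'Stopped' }
    'IIS: Web-Server feature installed' = {
        (Get-WindowsFeature -Name Web-Server).Installed }
    'User: holuser exists' = {
        [bool](Get-LocalUser -Name holuser -ErrorAction SilentlyContinue) }
    'User: holuser in Administrators' = {
        [bool](Get-LocalGroupMember -Group Administrators | Where-Object Name -like '*\holuser') }
}

# One check per rule from setup_firewall.sls: present, enabled, inbound, allow, TCP, right port.
foreach ($rule in @(@{ Name = 'SMB (445)';   Port = '445' },
                    @{ Name = 'HTTP (80)';   Port = '80'  },
                    @{ Name = 'HTTPS (443)'; Port = '443' })) {
    $checks["Firewall: $($rule.Name) allows inbound TCP"] = {
        $r = Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue
        if (-not $r) { return $false }
        $pf = $r | Get-NetFirewallPortFilter
        $r.Enabled -eq 'True' -and $r.Direction -eq 'Inbound' -and $r.Action -eq 'Allow' -and
            $pf.Protocol -eq 'TCP' -and $pf.LocalPort -eq $rule.Port
    }.GetNewClosure()
}

# Evaluate every check; a thrown error (missing cmdlet, access denied) counts as non-compliant.
$results = foreach ($name in $checks.Keys) {
    $ok = try { [bool](& $checks[$name]) } catch { $false }
    [pscustomobject]@{ Check = $name; Compliant = $ok }
}
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant }).Count
Write-Output "$failed of $($results.Count) checks failed"
exit $failed   # non-zero exit code signals drift from the baseline
```

A non-zero exit code makes the script usable as a scheduled drift check as well as a one-off verification after the job completes.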

Summary

Automation Config provides various flexible ways to apply baseline configuration:

  • Common examples include configuration files, default firewall rules, enabled or disabled services, custom registry values, and user & role permission settings
  • Configuration can be applied via Run Command or Run Job
  • Configuration State Files can be modularized and stacked when used
  • Jobs can be scheduled to run automatically
  • Operating System commands, PowerShell and SaltStack functions are supported
  • Servers can be managed effectively by grouping them into custom groups of minions using Target Management
  • Targets can be managed securely with fine-grained Role-based Access Control (RBAC)
  • Baseline configuration is not just for Windows. In the next lab, baseline configuration for Linux will be covered together with automatic drift remediation