CMMC Assessment Workshop Syllabus · CompTIA CySA+. Certified Network Defense Architect (CNDA) CASP+ . Certified Chief Information Security Officer (CCISO) CompTIA PenTest+ . CompTIA


CMMC Assessment Workshop Syllabus

Overview: This workshop will provide insight into and understanding of the major roles associated with the CMMC process, focusing on the use of existing infrastructure and the Microsoft 365 Cloud. Participants will work through hands-on labs using their own Microsoft 365 Cloud instance. Skills learned will focus on how to:

• Perform a CMMC Self-Assessment
• Produce a Gap Assessment
• Deliver Gap Assessment Mitigation Strategies
• Implement Mitigation Strategies and Controls
• Update Artifacts for CMMC Crosswalk Approval
• Be Confident before the CMMC Assessment
• Continuous Monitoring

Key Learning Objectives:

Microsoft 365 Configuration for CMMC Compliance

Active Directory and Access Control for CMMC Compliance

Auditing and Continuous Monitoring for CMMC Compliance

Security Controls and Test Results

Artifacts for CMMC Compliance

System Security Plan (SSP)

Plan of Action and Milestones (POA&M)

Page 2

CMMC Assessment Workshop

Page 3

CMMC Assessment Workshop

Overview
• Perform a CMMC Self-Assessment
• Produce a Gap Assessment
• Deliver Gap Assessment Mitigation Strategies
• Implement Mitigation Strategies and Controls
• Update Artifacts for CMMC Crosswalk Approval
• Be Confident before the CMMC Assessment
• Continuous Monitoring

Key Learning Objectives
• Microsoft 365 Configuration for CMMC Compliance
• Active Directory and Access Control for CMMC Compliance
• Auditing and Continuous Monitoring for CMMC Compliance
• Security Controls and Test Results
• Artifacts for CMMC Compliance
• System Security Plan (SSP)
• Plan of Action and Milestones (POA&M)

Page 4

Why?

Experience
• Founded in 2012
• Training, Services, & Software
• Executed over 300 training classes, seminars, and boot camps
• Certified over 3000 people in Advanced Cyber Certifications

Proven Track Record
• 20+ years of industry experience in information security engineering solutions for customers
• Dynamic trainers with training experience who contribute to content and help deliver custom training to meet your needs

Past Performance
• Trained 3000+ people from over 100 organizations
• Continuing to engineer solutions for many businesses

Large Social Community
• Actively involved in the IT and Security Community
• Collaborate and partner with local academia (middle/high school & college)

Page 5

UNITED STATES MARINE CORPS

COLORADO NATIONAL GUARD

FEDERAL EMERGENCY MANAGEMENT AGENCY

SOCIAL SECURITY ADMINISTRATION

HUNTSVILLE CITY SCHOOLS

MADISON CITY SCHOOLS

Prime Contracts

Page 6

OUR CLIENTS

Page 7

Partnerships

Page 8

Secure Software Engineering Services

Microsoft Azure - Build, manage, and deploy scalable, highly available, and performant web applications.

Amazon Web Services - AWS provides scalable cloud computing for creating web applications. Design, build, and run applications on the AWS platform.

Page 9

Vulnerability Genius

Automated Compliance and Risk Assessments for RMF, DFARS, and CMMC

Contact us today at [email protected]

256.401.7072

CyberProtex

got cyber? ®


Page 10

CyberProtex, Vulnerability Genius™ CMMC Tracking Software

https://cmmc.cyberprotex.com/

CyberProtex, Azure Labs

Page 11

Replica of eMASS for training purposes

Trained over 500 people all around the country

Page 12

Software as a Service (SaaS)

Test Prep Software – Cyber Ninja Mobile App: Take our most popular game and test preparation tool, the CyberNinja, for a test drive and join over 40,000 other students who have used the software.

Screenshot of CyberNinja

Page 13

ISC2
• CISSP
• SSCP
• CCSP
• CAP
• CSSLP
• CISSP - ISSAP
• CISSP - ISSEP
• CISSP - ISSMP

CompTIA
Core Certifications:
• IT Fundamentals+
• CompTIA A+
• CompTIA Network+
• CompTIA Security+
Infrastructure Certifications:
• CompTIA Server+
• CompTIA Cloud+
• CompTIA Linux+
Cybersecurity Certifications:
• CompTIA CySA+
• CASP+
• CompTIA PenTest+

• CompTIA Project+
• CompTIA Cloud Essentials

EC-Council
• Computer Hacking Forensic Investigator (CHFI)
• EC-Council Disaster Recovery Professional (EDRP)
• Certified Security Computer User
• Certified Network Defender (CND)
• Certified Ethical Hacker (CEH)
• EC-Council Certified Security Analyst (ECSA)
• Licensed Penetration Tester (LPT)
• EC-Council Certified Incident Handler (ECIH)
• EC-Council Certified Encryption Specialist (ECES)
• EC-Council Certified Security Specialist (ECSS)
• Certified Network Defense Architect (CNDA)
• Certified Chief Information Security Officer (CCISO)

Certification Training – In-Person, Online and Self-Paced

Page 14

Security Awareness Training Software

• Up to date Videos
• SME & Animation
• Security Awareness Compliance
• Quiz Engine
• Certificate of completion
• Software as a Service (SaaS)

Page 15

Cyber Range Labs

Over 100 hands-on labs with exercises that cover real world scenarios.

Dynamically access host labs and Virtual Machines

Lab exercises can be accessed 24x7 and are easy to use, with no instructor or administrative interaction required.

Page 16

Cyber Range – On Demand Hands-On Labs

Page 18

CMMC Assessment Workshop

Page 19

Figure labels: CMMC, Security Assessments, Training

CMMC Levels and Descriptions

Practice “Good Cyber Hygiene”

Page 20

Cybersecurity Maturity Model Certification (CMMC)

• A maturity model that provides a benchmark against which an organization can evaluate the current level of capability of its processes, practices, and methods and set goals and priorities for improvement.

• To measure progression, maturity models typically have levels along a scale.

• Takes input from the Defense Industrial Base (DIB) and the Department of Defense (DoD)

Page 21

CMMC Certification – Just the facts

• Prime contractors and subcontractors must be certified under CMMC standards to any one of five levels. The highest levels are reserved for organizations exposed to the most sensitive information.

• The implementation rollout will begin 1 September 2020, and take up to 5 years.

• If a contract requires CMMC certification it will be listed in the Request For Proposal (RFP) Sections C and L.

• The CMMC-AB will provide the standard for applying the model and certify trainers who will train assessors.

• The CMMC-AB will provide an online marketplace where organizations can find an available, qualified C3PAO.

• A certification will last 3 years, provided there are no incidents or other triggers inducing a second look at an organization.

Source: https://www.cmmcab.org/contractors

Page 22

CMMC Model Framework – Hierarchical View

• The CMMC model organizes processes and practices into a set of domains and maps them across five levels

Page 23

CMMC Levels

• The processes range from “Performed” at Level 1 to “Optimizing” at Level 5

• The practices range from “Basic Cyber Hygiene” at Level 1 to “Advanced/Progressive” at Level 5

Page 24

CMMC Focus

• Regulations
• Type and Sensitivity of information
• Threats
• Costs
• Implementation
• Complexity
• Diversity – DIB Sector
• Assessment Implications

Page 25

Level 1: Safeguard Federal Contract Information (FCI)

Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI

Level 3: Protect Controlled Unclassified Information (CUI)

Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)

Levels Focus

Page 26

CMMC Level 1

Page 27

CMMC Level 2

Page 28

CMMC Level 3

Page 29

CMMC Level 4

Page 30

CMMC Level 5

Page 31

CMMC – 17 Domains

• 17 Domains
• FIPS 200
• NIST 800-171 ++
  • Asset Management (AM)
  • Recovery (RE)
  • Situational Awareness (SA)

Page 32

Domain to Capabilities Mapping

• Each Domain consists of a set of processes and capabilities across the five levels
• 43 Capabilities are associated with the 17 domains

Page 33

CMMC – Maturity Levels

Page 34

CMMC – Practices per Level

• Level 1 = FAR Clause 52.204-21
• Level 3 – All Security Requirements of NIST 800-171 plus other practices

Page 35

Multiple References Make up CMMC

Page 36

Questions via WebEx Chat

Page 37

CMMC Course Overview

• Perform a CMMC Self-Assessment

• Produce a Gap Assessment

• Deliver Gap Assessment Mitigation Strategies

• Implement Mitigation Strategies and Controls

• Update Artifacts for CMMC Crosswalk Approval

• Be Confident before the CMMC Assessment

• Continuous Monitoring

Page 38

CMMC – Perform Self-Assessment: Cyber Governance – Effective Collaboration

Cyber Governance - A concept in which stakeholders ensure that IT resources align to objectives and add value.

• Constantly evaluating and trying to mitigate risks associated with IT resources.
• Concerned with what the organization can achieve with IT and automation.
• IT resources must align with business needs.
• Enables IT management to determine how to achieve goals.

Senior Management Buy-in

Page 39

CMMC – Perform Self-Assessment: Impacts of Good Governance

• Increases likelihood of creating business value from IT resources.

• Security is no exception.

• Security resources create value by protecting assets crucial to business operations.

• Resources must be cost-effective and meet high- and low-level requirements.

• Good governance contributes to success and survivability of the organization.

• Resources failing to uphold good governance may bring harm to the organization.


Page 40

CMMC – Performing a Self-Assessment & Gap Analysis

What level of CMMC Compliance are you looking for? Most will need Level 3

You must assess the effectiveness of the assessment program itself.

Page 41

Self Assessment - Security Assessment Tools

Tool – Description

• Anti-malware – Includes antivirus, anti-spam, endpoint protection, etc. Uses the presence of malware to identify potential intrusions.
• Reverse engineering – Breaks down software or hardware solutions. Detects malware and how it operates, or vulnerabilities in legitimate software.
• FIM – Validates the integrity of files using hash matching. Can indicate signs of malicious behavior.
• Visualization – Provides a graphical representation of organizational assets. Uses network visualization tools to demonstrate topologies, data flows, etc.
• Physical security – Validates the strength of locks, doors, containers, checkpoints, etc. Identifying physical flaws is crucial to the overall security assessment.

Page 42

Reconnaissance – The phase of an attack or pen test where the attacker/tester gathers information on the target organization.

• Can gather information on a target:
  • Technology used.
  • Personnel details.
  • Structure of organization.
• Information helps the attacker/tester by exposing potential attack vectors.
• Testers may skip reconnaissance depending on the type of test.

Page 43

Fingerprinting – The reconnaissance technique of determining the type of operating system and services a target uses.

• Studies the types and characteristics of packets used during communication.
• Relies on TCP/IP for this information.
• Active fingerprinting:
  • A scanning tool sends specifically crafted packets.
  • Analyzes the response to the packets.
  • Servers may respond with OS and service info.
• Passive fingerprinting:
  • Learns about a target without the target knowing.
  • Sniffs packets used in normal transmissions and analyzes them.
  • Use of the IP stack may uniquely identify an OS or service.

Page 44

Pivoting – A technique in which an attacker or tester compromises one host that enables them to spread out to other hosts.

• The first host is the pivot.
• The other hosts you spread out to are not directly accessible.
• Example: Opening a shell on a host.
  • You enter commands into the shell to see other subnets the host is connected to.
  • You can move from this pivot host to a different network segment.
• Port forwarding can be used to pivot.
  • Attacker accesses an open TCP/IP port on a pivot host.
  • Attacker forwards traffic from this open port to a port of a host on a different subnet.

Page 45

OSINT – Useful information that is legally collected from publicly available origins.

• Used by attackers for easy reconnaissance.
• Security testers can identify what types of information are out there.
• May prompt an adjustment of security practices.
• Sources:
  • Traditional media for personnel information.
  • Social media for leaked data.
  • Whois records to identify domain registration information.
  • DNS records to identify name resolution information.
  • Routing tables to identify public route paths used with BGP.
  • Public search engines to find all of the above, and more.

Page 46

Questions via WebEx Chat

Self-Assessment

Page 57

Gap Analysis

• Are you already DFARS compliant?
• Risk management is a crucial element of good governance.
• IT governance and risk management lay the groundwork for all you do.
  • Everything from designing a secure network architecture to configuring access control.
• Stakeholders expect the enterprise to adhere to a risk management framework.
• You may be called on to communicate how IT manages risks.

Page 58

Gap Analysis - What’s your Risk Exposure?

Risk Exposure - Dictates how susceptible an organization is to loss.

• Exposure = probability of an incident occurring times the expected loss.
• Risk cannot be totally avoided, but ignoring exposure will hurt your business.

Page 59

Gap Analysis – Do you have policies? Policy Lifecycle

• Reasons for policies are numerous:
  • Compliance reasons.
  • Growth of business.
  • Meeting contractual obligations.
  • Response to a breach.
• Begin crafting policy:
  • Download a free template.
  • Customize the template to fit your organization.
  • Consult with security experts.
  • Compare and contrast with other organizations.
• Policy should be easy to understand.
• Policy is treated as a legal document.
• Involve business leaders in policy development.
• Policy is a living document that must adapt to:
  • New business methods.
  • New technologies.
  • Changing environments.
  • Emerging risks.

Page 60

Gap Analysis – Process and Procedure Lifecycle

• Process and procedure documents support policies.
• How-to style documents used by employees to implement policies.
• Must be tailored to the audience that uses them.
  • Data handling procedures used by system admins have technical steps.
  • Data handling procedures used by marketing employees are more generalized.
• Style varies between organizations and industries.
• Begin crafting processes and procedures:
  • Use document templates provided by security organizations.
  • Customize documents to fit your needs.
  • Consult with security experts.
  • Compare and contrast to other organizations.
• Living documents that must adapt to changes.

Page 61

Activity: Identifying the Importance of Risk Management in Achieving Good Cyber Governance

• You're a cybersecurity team member for your company.
• Your company is a Government Contractor and needs at least a CMMC Level 3 Certification.
• The CEO has placed you in charge of maintaining CMMC Compliance.
• You need to identify how risk can negatively affect your enterprise.
• This will ultimately bring value to the business by making it compliant with CMMC.

Page 62

Gap Analysis – CMMC Framework – A framework used to define the baseline, goals, and methods used to secure the business.

• CMMC can:
  • Assess risk and quantify threats to the organization.
  • Then mitigate each threat, vulnerability, or risk.
  • Save an organization from losing time, money, and resources.
  • Provide a roadmap by identifying the risks that pose the greatest liability.

Page 63

Gap Analysis – The process of identifying the differences between an existing state and a desired state, as well as identifying how to close the gap.

1. Identify existing controls
2. Identify existing results
3. Identify desired results
4. Identify gap
5. Identify solutions
6. Identify solution requirements

Page 64

Gap Analysis – Assessment Process (Slide 1 of 2)

Assess communication with third parties

Assess external network connectivity

Assess internal network

Assess physical elements

Review security policies

Develop a baseline

Page 65

Gap Analysis – Assessment Process (Slide 2 of 2)

Assess security awareness and training

Identify human factors

Assess infrastructure devices

Assess hosts

Assess resource accessibility

Assess wireless connectivity

Page 66

Gap Analysis – Assessing Risk: New Threats

• Attackers are constantly inventing new attacks.
• New threats introduce new risks.
• Threats can be malicious or unintentional.
  • Unintentional example: New office in a coastal city that is subjected to hurricanes.
  • Malicious example: New weaknesses found in existing network protocols.

Page 67

Gap Analysis – Assessing Risk: System Specific Risk Analysis

• Analyze how systems are used.
• How can the systems' CIA be threatened?
• Your analysis will depend on each system's context.
• Ask questions such as:
  • How can an attack be performed?
  • Are there any patches or workarounds?
  • How many targets are there?
  • How likely is an attack?
  • How can you translate technical risks into business terms?

Page 68

Activity - Gap Analysis - Guidelines for Assessing Risk: Answer who is in charge of each of these items for your organization.

• Evaluate new products and technologies.
• Stay up-to-date on the latest threats.
• Assess user behavior as a point of weakness.
• Include data handling requirements in partnership agreements.
• Conduct audits of outsourced assets.
• Conduct audits of your cloud providers.
• Consider influences of compliance, client requirements, and audit findings on risk.
• Consider telecommunication and BYOD impacts on the network perimeter.
• Determine what a threat is, its origin, and risk.
• Calculate the threat's SLE and ARO.
• Document the assessment results.
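The exposure formula from the risk exposure slide (probability of an incident times expected loss) and the SLE/ARO calculation asked for in this activity, worked through as an added example that is not part of the workshop material. The register entries, asset values, exposure factors, rates, the control cost and the reduced ARO are constructed figures; the hurricane and protocol-weakness threats are the two examples the "New Threats" slide gives.

```python
"""Risk exposure worked example (added; figures are constructed).

SLE = asset value x exposure factor (loss from one incident)
ALE = SLE x ARO (the slide's "exposure": probability per year x expected loss)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk (constructed)
    exposure_factor: float  # fraction of the asset value lost per incident, 0-1
    aro: float              # annualized rate of occurrence (incidents per year)
    origin: str             # "malicious" or "unintentional", as the slide distinguishes

    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


# Constructed risk register for a small DIB contractor.
REGISTER = [
    Threat("Phishing leading to credential theft", 50_000, 0.4, 2.0, "malicious"),
    Threat("Ransomware on the CUI file server", 200_000, 0.5, 0.2, "malicious"),
    Threat("Hurricane at the new coastal office", 500_000, 0.3, 0.1, "unintentional"),
    Threat("Weakness found in a network protocol in use", 80_000, 0.25, 0.5, "malicious"),
]


def rank_by_exposure(register: list) -> list:
    """Roadmap order: the threats posing the greatest annual liability first."""
    return sorted(register, key=lambda t: t.ale(), reverse=True)


def total_exposure(register: list) -> float:
    """Sum of ALE across the register: the figure to report to management."""
    return sum(t.ale() for t in register)


def control_net_benefit(threat: Threat, annual_cost: float, new_aro: float) -> float:
    """Cost-effectiveness of a mitigation that lowers the threat's ARO:
    ALE avoided minus the control's annual cost. Negative means the control
    costs more per year than the loss it prevents."""
    reduced = Threat(threat.name, threat.asset_value, threat.exposure_factor,
                     new_aro, threat.origin)
    return threat.ale() - reduced.ale() - annual_cost


if __name__ == "__main__":
    for t in rank_by_exposure(REGISTER):
        print(f"ALE {t.ale():>9,.0f}/yr  SLE {t.sle():>9,.0f}  ARO {t.aro:<4}  "
              f"{t.name} ({t.origin})")
    print(f"Total annual exposure: {total_exposure(REGISTER):,.0f}")
    # Hypothetical control: MFA plus mail sandboxing cuts phishing ARO from 2.0 to 0.25
    print("Net benefit of phishing control:",
          control_net_benefit(REGISTER[0], 12_000, 0.25))
```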

Page 69

Self Assessment - 6 Key Domains, CMMC Level 3: 75 practices of the 130 total

Let’s focus on these:

• AC – Access Control
• AU – Audit and Accountability
• IR – Incident Response
• RM – Risk Management
• SC – System and Communications Protection
• SI – System and Information Integrity

Note: These 6 key domains account for 105 practices of the 171 for CMMC Level 5.

Page 70

System & Information Integrity (SI)


System & Information Integrity (SI) – Practical Exercise: Managing System Integrity

(Diagram: User – Internet – Website)

Scenario: a dynamic website with 1 billion users a day. Use the blank space below to draw a secure network topology for "Fakebook" to manage and secure the identity information of 1 billion people.


System & Information Integrity (SI)

• SI.1.210 System & Information Integrity (SI) Identify, report and correct information and information system flaws in a timely manner.

• SI.1.211 System & Information Integrity (SI) Provide protection from malicious code at appropriate locations within organizational information systems.

• SI.1.212 System & Information Integrity (SI) Update malicious code protection mechanisms when new releases are available.

• SI.1.213 System & Information Integrity (SI) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.

• SI.2.214 System & Information Integrity (SI) Monitor system security alerts and advisories and take action in response.

• SI.2.216 System & Information Integrity (SI) Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

• SI.2.217 System & Information Integrity (SI) Identify unauthorized use of organizational systems.

• SI.3.218 System & Information Integrity (SI) Employ spam protection mechanisms at information system access entry and exit points.

• SI.3.219 System & Information Integrity (SI) Implement email forgery protections.

• SI.3.220 System & Information Integrity (SI) Utilize email sandboxing to detect or block potentially malicious email.

System & Information Integrity (SI) – Email Protections

• SI.3.218 Employ spam protection mechanisms at information system access entry and exit points.
• SI.3.219 Implement email forgery protections.
• SI.3.220 Utilize email sandboxing to detect or block potentially malicious email.
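SI.3.219 calls for email forgery protections, but the slide does not say what an assessor actually checks. The following is an added example, not workshop code, that evaluates a domain's SPF and DMARC TXT records against the usual baseline: exactly one v=spf1 record ending in -all, and a DMARC record with p=reject, pct=100 and a rua= reporting address. The domains and records in SAMPLE_TXT are constructed; in production, replace the dictionary with real TXT lookups of <domain> and _dmarc.<domain>. DKIM is not covered because its selector names cannot be discovered from the domain alone, and the lookup count covers only the record's own terms, not the records it includes.

```python
"""Check SPF and DMARC records for email forgery protections (SI.3.219). Added example, constructed records."""
from typing import Dict, List

# Constructed TXT records standing in for DNS answers; the domains are made up.
SAMPLE_TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "weak.example": ["v=spf1 include:spf.protection.outlook.com include:_spf.vendor.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "none.example": [],
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10 in total)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def term_name(term: str) -> str:
    """'include:spf.protection.outlook.com' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()


def spf_findings(txt_records: List[str]) -> List[str]:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record, so receivers cannot tell forged senders from real ones"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record; receivers treat this as a permanent error"]
    terms = spf[0].split()[1:]
    findings = []
    all_terms = [t for t in terms if term_name(t) == "all"]
    # The qualifier on the final 'all' decides what happens to every unlisted sender
    qualifier = (all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+") if all_terms else None
    if qualifier is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorises every host on the Internet to send as this domain")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral; forged mail is not rejected")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfail; move to '-all' once all legitimate senders are listed")
    lookups = sum(1 for t in terms if term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms in this record alone; RFC 7208 limit is 10 in total")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt_records: List[str]) -> List[str]:
    dmarc = [r for r in txt_records if r.replace(" ", "").upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc.<domain>; receivers have no policy to apply to forged mail"]
    tags = parse_dmarc(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; p=reject is the enforcement target")
    elif policy != "reject":
        findings.append(f"DMARC: missing or invalid policy tag p={policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']}; the policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to discover who is forging the domain")
    return findings


def assess_domain(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Empty list means both records meet the baseline. In production, replace `txt`
    with real TXT lookups of <domain> and _dmarc.<domain>."""
    return spf_findings(txt.get(domain, [])) + dmarc_findings(txt.get("_dmarc." + domain, []))


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "none.example"):
        print(d, assess_domain(d) or ["baseline met"])
```

Each finding maps to an artifact an assessor will ask for: the record itself, and the change ticket that moved the domain from monitoring (p=none) to enforcement. Keep the rua= mailbox monitored; the aggregate reports are how you find legitimate senders you forgot to list before switching to -all and p=reject.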


System & Information Integrity (SI) – Azure Active Directory

• https://www.microsoft.com/en-us/microsoft-365/enterprise-e3-business-software?activetab=pivot%3aoverviewtab


Migration – Microsoft 365 Configuration: Azure Active Directory

Review, set up and tweak. Azure Active Directory provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure and Microsoft 365.

Phase 1: Build a foundation of security

Phase 2: Import users, enable synchronization, and manage devices

Phase 3: Manage applications

Phase 4: Audit privileged identities, complete an access review, and manage user lifecycle


Migration – Azure Active Directory: Microsoft Architecture – Locking Down Remote Users

• Secure operations for remote users
• Microsoft Teams
• Microsoft 365 data loss prevention
• Windows Information Protection
• Strengthen your credentials.
• Reduce your attack surface area.
• Automate threat response.
• Utilize cloud intelligence.
• Enable end-user self-service.


Add-On – Implementation: Manage Intune for Your Organization

(Diagram: Microsoft Intune architecture. Labeled components: Microsoft Intune, Azure Active Directory, Microsoft Azure, Office 365, Network Access Control partner, device compliance policies, app protection policies, Mobile Threat Defense connector, Conditional Access, custom web apps, LOB apps, web console, SaaS apps, App Store, Graph API, telecom expense management, configuration policies, profiles, app configuration policies, and the on-premises network. Labeled data flows: apps, policy and reporting data; authentication and authorization; device compliance results; group targeting; read device compliance information; data for compliance calculation; data from telco on usage; mobile threat assessment; device settings assignment; app install status and inventory; data usage and alerts; RESTful API calls.)

Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) provider for your devices.

For personal devices, or bring-your-own devices (BYOD), users may not want their organization administrators to have full control. In this approach, give users options. For example, users enroll their devices if they want full access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then use app protection policies that require multi-factor authentication (MFA) to use these apps.


Access Control (AC)


Access Control

AC.1.001 Access Control (AC) Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).

AC.1.002 Access Control (AC) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

AC.1.003 Access Control (AC) Verify and control/limit connections to and use of external information systems.

AC.1.004 Access Control (AC) Control information posted or processed on publicly accessible information systems.

AC.2.005 Access Control (AC) Provide privacy and security notices consistent with applicable Controlled Unclassified Information (CUI) rules.

AC.2.006 Access Control (AC) Limit use of portable storage devices on external systems.

AC.2.007 Access Control (AC) Employ the principle of least privilege, including for specific security functions and privileged accounts.

AC.2.008 Access Control (AC) Use non-privileged accounts or roles when accessing nonsecurity functions.

AC.2.009 Access Control (AC) Limit unsuccessful logon attempts.

AC.2.010 Access Control (AC) Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.


Access Control

AC.2.011 Access Control (AC) Authorize wireless access prior to allowing such connections.

AC.2.013 Access Control (AC) Monitor and control remote access sessions.

AC.2.015 Access Control (AC) Route remote access via managed access control points.

AC.2.016 Access Control (AC) Control the flow of CUI in accordance with approved authorizations.

AC.3.012 Access Control (AC) Protect wireless access using authentication and encryption.

AC.3.017 Access Control (AC) Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

AC.3.018 Access Control (AC) Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

AC.3.019 Access Control (AC) Terminate (automatically) user sessions after a defined condition.

AC.3.020 Access Control (AC) Control connection of mobile devices.

AC.3.014 Access Control (AC) Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

AC.3.021 Access Control (AC) Authorize remote execution of privileged commands and remote access to security-relevant information.

AC.3.022 Access Control (AC) Encrypt CUI on mobile devices and mobile computing platforms.


Access Control (AC) and Identification & Authentication (IA): Active Directory

Active Directory: Microsoft's LDAP-compatible directory implementation.

• Structures organizational objects into a hierarchy.
• An object is a user, computer, or group.
• Objects are grouped into domains.
• Admins can centrally manage and control access to objects.
• Users can find resources anywhere on the network.
• The schema defines which object classes and attributes exist, and so controls how accounts are created.


Access Control (AC) and Identification & Authentication (IA): Identity Federation

The practice of linking a single identity across multiple disparate identity management systems.

• Provides a centralized management structure for identities.
• Streamlines the user experience into a single account.
• Can create a single point of compromise.
• Example: an enterprise closely integrates its domains with other companies' domains, so there is no need for each domain to manage identities separately.
• Can reduce risk and lower cost.
• Example: Microsoft Account.


Access Control – Labs: Active Directory Group Policy Objects

AC.1.001 Access Control (AC) Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).

AC.2.009 Access Control (AC) Limit unsuccessful logon attempts.

AC.2.010 Access Control (AC) Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.


Audit and Accountability (AU)

AU.2.041 Audit & Accountability (AU) Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

AU.2.042 Audit & Accountability (AU) Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity.

AU.2.043 Audit & Accountability (AU) Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

AU.2.044 Audit & Accountability (AU) Review audit logs.

AU.3.045 Audit & Accountability (AU) Review and update logged events.

AU.3.046 Audit & Accountability (AU) Alert in the event of an audit logging process failure.

AU.3.048 Audit & Accountability (AU) Collect audit information (e.g., logs) into one or more central repositories.

AU.3.049 Audit & Accountability (AU) Protect audit information and audit logging tools from unauthorized access, modification and deletion.

AU.3.050 Audit & Accountability (AU) Limit management of audit logging functionality to a subset of privileged users.

AU.3.051 Audit & Accountability (AU) Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity.

AU.3.052 Audit & Accountability (AU) Provide audit record reduction and report generation to support on-demand analysis and reporting.


Audit and Accountability (AU) – Labs: Security Auditing

AU.2.041 Audit & Accountability (AU) Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

AU.2.042 Audit & Accountability (AU) Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity.

AU.2.044 Audit & Accountability (AU) Review audit logs.

AU.3.045 Audit & Accountability (AU) Review and update logged events.

AU.3.046 Audit & Accountability (AU) Alert in the event of an audit logging process failure.


Incident Response (IR)

IR.2.092 Incident Response (IR) Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities.

IR.2.093 Incident Response (IR) Detect and report events.

IR.2.094 Incident Response (IR) Analyze and triage events to support event resolution and incident declaration.

IR.2.096 Incident Response (IR) Develop and implement responses to declared incidents according to pre- defined procedures.

IR.2.097 Incident Response (IR) Perform root cause analysis on incidents to determine underlying causes.

IR.3.098 Incident Response (IR) Track, document and report incidents to designated officials and/or authorities both internal and external to the organization.

IR.3.099 Incident Response (IR) Test the organizational incident response capability.


Risk Management – Practical Exercise: Cyber Investigation

YO 'MOM' (means, opportunity, motive)

• Infamous cyber criminal Hector the Hacker has infiltrated the company Secure Web Hosting Inc. and caused disruption among a number of its systems! In this mission, should you choose to accept it, you will be tasked with investigating the scene. Given the information you are provided with, determine whether each item constitutes means, opportunity, or motive for Hector's attack. (Note: options can be used more than once.)

1. Hector was a former employee of Secure Web Hosting Inc., and was laid off in a series of financial cutbacks.
2. Secure Web Hosting Inc. ironically did not have securely configured firewalls or intrusion detection systems to analyze and block incoming network traffic.
3. Hector maintained control of a botnet which he used to DDoS SWH Inc.
4. Hector's old login information from his time at the company was not disabled.
5. Hector was able to use escalated privileges from his former employee account to alter security settings within the company.


Incident Response – Practical Exercise: Computer Virus Outbreak – D.C. Style

Scenario: You are the cybersecurity engineer in charge of a major national political convention. You realize that your system has been compromised with a nasty virus and the perpetrator has stolen all emails and contact information for all major contributors on your network. Your website has been defaced and your Facebook page is being updated with "DON'T VOTE FOR ME!!!!" All email is subsequently down!

Work with a partner to come up with steps for bringing email back online, taking back control of your website and Facebook account, and try to save face by figuring out who did it!


IR.3.099 Incident Response (IR) – Test the organizational incident response capability.

SIEM – Security Information and Event Management

A solution that provides real-time or near real-time analysis of security alerts generated by network hardware and applications.

• Can be implemented as hardware, software, or a managed service.
• Enhances incident response capabilities.
• Aggregates and correlates event data.
• Can streamline network security administration.
• Can make log analysis and auditing more productive.
• Crucial in security breaches where every second counts.


IR.3.099 Incident Response (IR) – Test the organizational incident response capability.

Security Audits

The process of evaluating the security strengths and weaknesses of an organization to ensure that its systems, personnel, and processes are in compliance.

• Similar to a security assessment.
• An audit is focused more on evaluating whether a component adheres to formal criteria.
• Criteria come from laws, regulations, standards, and organizational policy.
• Most audits are performed by third parties.
• Example: an external auditor evaluating PCI DSS compliance for an online merchant.
• Commonly involve:
  • Reviewing logs.
  • Testing password strength.
  • Scanning firewalls for open ports.
  • And more.
• Some audits are internal.
• May test to higher standards than the external compliance requirement.
• Common in large or high-profile corporations.


Guidelines for Selecting Security Assessment Methods (Slide 1 of 2)

• Review sandbox assessments for weak points targeted by malware.
• Move suspected or known malware to a sandbox for assessment.
• Test for pivoting vulnerabilities.
• Use fingerprinting techniques to discover OS and service information.
• Choose a box testing method (black, gray, or white box) that supports the type of attack you want to simulate.
• Be aware that pen tests can cause real-world harm.
• Ensure the organization is aware of and consents to pen tests beforehand.
• Conduct pen tests to simulate attacks on your systems.
• Select vulnerability assessment methods based on your risk profile.


Guidelines for Selecting Security Assessment Methods (Slide 2 of 2)

• Conduct regular audits of security controls.
• Divide assessment personnel into different teams.
• Conduct self-assessments to determine the strength of security operations.
• Consult open source intelligence for revealing information on targets.
• Conduct social engineering tests to evaluate the human element.
• Use a runtime debugger to automate detection of mismanaged memory.
• Review memory dumps to identify mismanaged memory errors.
• Mandate code reviews in the development process.


Risk Management (RM)

• RM.2.141 Risk Management (RM) Periodically assess the risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals, resulting from the operation of organizational systems and the associated processing, storage or transmission of CUI.

• RM.2.142 Risk Management (RM) Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

• RM.2.143 Risk Management (RM) Remediate vulnerabilities in accordance with risk assessments.

• RM.3.144 Risk Management (RM) Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.

• RM.3.146 Risk Management (RM) Develop and implement risk mitigation plans.

• RM.3.147 Risk Management (RM) Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.


Risk Management – Practical Exercise: The Physical Security Goals

• You and a partner have started up a new company that is making use of the five physical security goals. With your partner, use the options listed to place the items with the correct physical security goals!

Goals: Deter, Delay, Detect, Assess, Recovery

Options:
A – Guards, video surveillance, motion detection, lighting
B – Alarm response for given intrusions; testing and maintenance systems for determining damaged resources
C – Hardware locks, cable locks, barriers, bollards, guards, video surveillance, fences, lighting, locking cabinets, signs, safes
D – Mantraps, guards, locked doors and areas, biometrics, proximity cards, physical access logs, and ID badges
E – An incident response plan


RM.2.142 Risk Management (RM)Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

Vulnerability Scanners

Tool designed to identify and report on known weaknesses in various devices.

• Can scan apps, systems, networks, etc.

• Use one or more assessment techniques.

• Rely on known vulnerabilities.

• Consider where in the network you execute the scan:
  • It influences the scan results.
  • Results may be more or less accurate.
  • Consider how firewalls and routers may block scan traffic.


Practical Exercise – Scan for Vulnerabilities

RM.2.142 Risk Management (RM) Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

You have been asked to perform a vulnerability assessment on a state-of-the-art system. Before you can provide a quote, there are certain things that we need to know. What are they?

Work with a partner to come up with a vision for this vulnerability assessment and be prepared to pitch it. What tool(s) would you use?


Security Assessments – Penetration Test

A method of testing security that uses active tools to simulate an attack on a system.

• Verifies that vulnerabilities are real and exploitable.
• Actively tests and bypasses security controls.
• Exploits vulnerabilities.
• Simulates real-world attacks rather than just theoretical ones.
• Designed to see what an attacker sees.
• Follows the attack phases: recon, attack, post-attack.
• Requires the organization to assess the impact and begin remediation.


Port Scanners

Tools that scan a network to identify what devices are reachable, what ports are active, and what protocols those ports use.

• Typically rely on TCP, UDP, or ICMP to retrieve info.
• Attackers use open ports as a vector.
• Results will help you pinpoint vulnerabilities.
• ICMP is often used to check which hosts are alive.
• Reduces the strain of checking all 65,535 ports on every host.
• Some devices don't respond to ICMP, so a ping sweep alone can miss live hosts.
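As an added example (not a workshop tool), the block below is a TCP connect scanner run against a listener it starts itself on 127.0.0.1, so it is self-contained and harmless to run. A connect scan completes the full three-way handshake and therefore needs no privileges, at the cost of appearing in the target's connection logs; ICMP host discovery is omitted because raw sockets need elevated rights. The listener and the "closed" port are constructed for the demonstration.

```python
"""TCP connect scan against a constructed local listener (added example, not a workshop tool)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Connect scan: a completed handshake means open; refused or timed out means not reachable.
    Unprivileged, but the target's logs will show the connection."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    except OSError:
        return False


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 32) -> List[int]:
    """Scan the given ports in parallel and return the open ones in the order given."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: tcp_port_open(host, p, timeout), ports))
    return [p for p, is_open in zip(ports, results) if is_open]


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed target: a listener on 127.0.0.1 at an OS-assigned port, accepting and closing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed by the caller
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def free_port() -> int:
    """A port that is closed right now, found by binding and immediately releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, object]:
    """Scan one open and one closed port on the loopback interface and report what was found."""
    srv, open_port = start_local_listener()
    closed_port = free_port()
    try:
        found = scan_ports("127.0.0.1", [closed_port, open_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "found": found}


if __name__ == "__main__":
    print(demo())
```

Point scan_ports at a real host only with written authorization, as the slide on pen-test consent says. A host that is up but firewalled will look identical to one that is down from a connect scan alone, which is the same blind spot the ICMP note above describes.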


Protocol Analyzers

Tools that can decode and analyze traffic sent over a network communication session.

• Simplify interpretation of the protocols used in traffic.
• Help diagnose connection problems and detect malicious behavior.
• Can also gather traffic statistics for analysis.
• Packet analyzers are similar:
  • Capture and decode the contents of packets.
  • Can be used to filter certain types of packets.
  • Can be used to verify that network controls (e.g., firewalls) are working.
  • Usually provide greater visibility on wireless networks.
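To show what a protocol analyzer does under the hood, the following added example (not from the workshop) decodes an IPv4 header and the TCP header behind it, verifies the IP header checksum, and names the TCP flags. The packet is constructed inside the block by build_ipv4_tcp rather than captured; decode_ipv4_tcp accepts any raw IPv4 packet with the link-layer header already removed.

```python
"""Decode an IPv4/TCP packet the way a protocol analyzer does (added example, constructed packet)."""
import struct
from typing import Dict

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words.
    Computed over a valid header (checksum field included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_tcp(packet: bytes) -> Dict[str, object]:
    """Parse the IPv4 header and, for protocol 6, the TCP header that follows it.
    Input is a raw IP packet (link-layer header already stripped)."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    info: Dict[str, object] = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
        "ip_checksum_ok": ip_checksum(packet[:ihl]) == 0,
    }
    if proto == 6:  # TCP
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
        data_offset = (off_flags >> 12) * 4  # header length in bytes, options included
        info.update({
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [name for bit, name in TCP_FLAG_BITS.items() if off_flags & bit],
            "payload": packet[ihl + data_offset:],
        })
    return info


def summarize(info: Dict[str, object]) -> str:
    """One-line display like an analyzer's packet list."""
    if info["protocol"] != 6:
        return f"{info['src']} -> {info['dst']} proto {info['protocol']}"
    flags = ",".join(info["flags"])
    return f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} [{flags}] len={len(info['payload'])}"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed packet standing in for a capture; the IP checksum is computed the real way."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                               bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return bytes(ip) + tcp


if __name__ == "__main__":
    syn = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 51515, 443, 0x02)
    print(summarize(decode_ipv4_tcp(syn)))
```

The checksum check is the part worth keeping when you adapt this: a header whose checksum does not verify was corrupted in transit or crafted by hand, and either way it should not drive a detection decision without a second look.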


Network Enumerators

Tools that gather information on users, groups, and services on a network without authenticating to a device.

• Often use ICMP and SNMP to discover hosts and retrieve info.
• Can also use malformed packets to identify the host OS.
• Information gleaned can assist attackers in the reconnaissance phase.
• Example: an enumerator reveals a poorly secured admin account in the directory.
• Can reveal many other directory-related vulnerabilities.


SCAP Tools

Tools that implement a framework developed by NIST that automates the vulnerability management process.

• Include identifying flaws in security configurations.
• Adhere to standards for scanning, reporting, and prioritization.
• Support compliance requirements by benchmarking systems against baselines.
• Use definition standards like OVAL and XCCDF.
• XCCDF is high-level (the checklist or benchmark); OVAL is low-level (how each item is tested).
• There are multiple OVAL definition sources; CIS hosts the official OVAL repository.
• Content is categorized by scan classification and target platform.


Log Analysis Tools

Tools that process system, network, and security logs so that they more easily reveal useful information.

• Help personnel and systems identify vulnerabilities and threats.
• Assist auditors during a compliance evaluation.
• Can exhibit a range of behavior:
  • Shaping the view of a log.
  • Reducing the log's entries or overall size.
  • Aggregating and correlating entries.
• Most can process logs generated by hosts, which record everything from account creation to network connections.
• Some specialize in network logs recording bandwidth usage, data flows, etc.
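The AU lab earlier (trace actions to users, review logs, alert on audit logging failure) and the log analysis tools slide above come down to the same task: run detection logic over exported Security events. The workshop lab uses PowerShell; the following is an added Python example, not lab material, that works on a constructed five-column export (time, event ID, computer, account, source) which is not a real log. It flags failed-logon bursts per account (the threshold you set under AC.2.009), lists accounts that hit the threshold without a 4740 lockout event so the lockout policy can be verified against evidence, and raises an alert attributed to the responsible account for events that weaken the audit trail: 1100 (event logging service shut down), 1102 (Security log cleared) and 4719 (audit policy changed).

```python
"""Review a Windows Security log export for the AU lab (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed export, not a real log: time,event_id,computer,account,source_ip
SAMPLE_LOG = """\
2024-05-01T09:00:01Z,4625,WIN-FS01,jdoe,203.0.113.7
2024-05-01T09:00:09Z,4625,WIN-FS01,jdoe,203.0.113.7
2024-05-01T09:00:17Z,4625,WIN-FS01,jdoe,203.0.113.7
2024-05-01T09:00:25Z,4625,WIN-FS01,jdoe,203.0.113.7
2024-05-01T09:00:33Z,4625,WIN-FS01,jdoe,203.0.113.7
2024-05-01T09:00:41Z,4740,WIN-DC01,jdoe,203.0.113.7
2024-05-01T09:30:00Z,4624,WIN-FS01,asmith,10.0.0.21
2024-05-01T10:05:00Z,4625,WIN-FS01,asmith,10.0.0.21
2024-05-01T13:00:00Z,4625,WIN-SQL01,svc-backup,10.0.0.40
2024-05-01T13:00:02Z,4625,WIN-SQL01,svc-backup,10.0.0.40
2024-05-01T13:00:04Z,4625,WIN-SQL01,svc-backup,10.0.0.40
2024-05-01T13:00:06Z,4625,WIN-SQL01,svc-backup,10.0.0.40
2024-05-01T13:00:08Z,4625,WIN-SQL01,svc-backup,10.0.0.40
2024-05-01T13:00:10Z,4625,WIN-SQL01,svc-backup,10.0.0.40
2024-05-01T16:45:00Z,1102,WIN-FS01,bjones,-
"""

FAILED_LOGON, LOGON_OK, LOCKOUT = 4625, 4624, 4740
# Events that mean the audit trail itself is at risk (AU.3.046 / AU.3.049)
AUDIT_TRAIL_EVENTS = {1100: "event logging service shut down",
                      1102: "Security log cleared",
                      4719: "system audit policy changed"}


@dataclass
class Event:
    time: datetime
    event_id: int
    computer: str
    account: str
    source: str


def parse_events(text: str) -> List[Event]:
    """Parse the export into Event records sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, eid, comp, acct, src = line.split(",")
        events.append(Event(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), int(eid), comp, acct, src))
    return sorted(events, key=lambda e: e.time)


def failed_logon_bursts(events: List[Event], threshold: int = 5,
                        window: timedelta = timedelta(minutes=15)) -> Dict[str, int]:
    """Accounts whose failed logons within any `window` reach `threshold`, with the peak count.
    Match threshold and window to the lockout policy configured for AC.2.009."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == FAILED_LOGON:
            by_account[e.account].append(e.time)
    bursts = {}
    for acct, times in by_account.items():  # times are already sorted
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[acct] = peak
    return bursts


def lockout_gaps(events: List[Event], threshold: int = 5,
                 window: timedelta = timedelta(minutes=15)) -> List[str]:
    """Accounts that hit the burst threshold but never produced a 4740 lockout: the lockout
    policy did not apply to them, or the domain controller's log is missing from the export."""
    locked = {e.account for e in events if e.event_id == LOCKOUT}
    return sorted(a for a in failed_logon_bursts(events, threshold, window) if a not in locked)


def audit_trail_alerts(events: List[Event]) -> List[str]:
    """Every event that weakens the audit trail, attributed to the account that caused it (AU.2.041)."""
    return [f"{e.time:%Y-%m-%d %H:%M}Z {e.computer}: {AUDIT_TRAIL_EVENTS[e.event_id]} by {e.account}"
            for e in events if e.event_id in AUDIT_TRAIL_EVENTS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failed-logon bursts:", failed_logon_bursts(evs))
    print("accounts that should have locked out but did not:", lockout_gaps(evs))
    print("\n".join(audit_trail_alerts(evs)))
```

In the constructed data jdoe trips the threshold and is locked out as policy intends, while svc-backup trips it with no 4740, which is exactly the kind of finding the lab exists to surface: service accounts are often excluded from lockout. The 1102 alert names the account that cleared the log, which is the AU.2.041 accountability evidence an assessor asks for.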


Activity: Using Log Analysis Tools

• PowerShell lab


System & Communications Protection (SC)

SC.1.175 System & Communications Protection (SC) Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

SC.1.176 System & Communications Protection (SC) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

SC.2.178 System & Communications Protection (SC) Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

SC.2.179 System & Communications Protection (SC) Use encrypted sessions for the management of network devices.

SC.3.177 System & Communications Protection (SC) Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.


System & Communications Protection (SC)

SC.3.180 System & Communications Protection (SC) Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems.

SC.3.181 System & Communications Protection (SC) Separate user functionality from system management functionality.

SC.3.182 System & Communications Protection (SC) Prevent unauthorized and unintended information transfer via shared system resources.

SC.3.183 System & Communications Protection (SC) Deny network communications traffic by default and allow network communications traffic by exception (e.g., deny all, permit by exception).

SC.3.184 System & Communications Protection (SC) Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (e.g., split tunneling).


System & Communications Protection (SC)

SC.3.185 System & Communications Protection (SC) Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

SC.3.186 System & Communications Protection (SC) Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

SC.3.187 System & Communications Protection (SC) Establish and manage cryptographic keys for cryptography employed in organizational systems.

SC.3.188 System & Communications Protection (SC) Control and monitor the use of mobile code.

SC.3.189 System & Communications Protection (SC) Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

SC.3.190 System & Communications Protection (SC) Protect the authenticity of communications sessions.

SC.3.191 System & Communications Protection (SC) Protect the confidentiality of CUI at rest.

SC.3.192 System & Communications Protection (SC) Implement Domain Name System (DNS) filtering services.

SC.3.193 System & Communications Protection (SC) Implement a policy restricting the publication of CUI on externally-owned, publicly-accessible websites (e.g., forums, LinkedIn, Facebook, Twitter, etc.).


Practical Exercise – Social Media (SC.3.193)

System & Communications Protection (SC): Implement a policy restricting the publication of CUI on externally-owned, publicly-accessible websites (e.g., forums, LinkedIn, Facebook, Twitter, etc.).


Practical Exercise: Addressing Security and FCI and CUI Concerns for Mobile Devices

Earlier, you implemented MDM for your mobile workforce.

You still need to recognize the risks mobile devices bring.

This will prepare you to address these risks through MDM.


Reflective Questions

What kind of mobile deployment model does your organization observe, if any?

What security and privacy concerns would you have with employees using wearable technology in the organization?


Self-Assessment – 6 Key Domains (CMMC Level 3): 75 practices of the 130 total

Let's focus on these:

• AC – Access Control
• AU – Audit and Accountability
• IR – Incident Response
• RM – Risk Management
• SC – System and Communications Protection
• SI – System and Information Integrity

Note: These 6 key domains account for 105 practices of the 171 for CMMC Level 5.


Self-Assessment – Other Domains (CMMC Level 3): 55 practices of the 130 total

We will NOT focus on these today:

• Asset Management (AM)
• Awareness & Training (AT)
• Configuration Management (CM)
• Identity & Authentication (IA)
• Maintenance (MA)
• Media Protection (MP)
• Physical Protection (PE)
• Personnel Security (PS)
• Recovery (RE)
• Security Assessments (CA)


Asset Management

The process of maintaining a detailed record of technology resources for periodic review by network and security administrators.


• Enables you to keep track of resources used in many places by many personnel.

• Often use RFID to track assets like mobile devices.

• Can also use geolocation to locate devices using GPS.

• Geofencing can set predefined usage boundaries.

• Asset management is important in every lifecycle phase.

• Assets change states and pass through many hands.

• Helps establish accountability.

Device Usage Boundary


Asset Management – Assessing Risk: De-perimeterization

Perimeter-changing concept / Risk consideration:

Mobility
• Remote employees may tunnel into your network or use mobile devices.
• Expands the network's boundaries; more difficult for you to control.

Cloud
• You may have less control over cloud environments than local ones.
• Provider's security guarantees may be insufficient.
• Security controls may not integrate properly with your environments.

BYOD
• Work done in the office may not stay there.
• May put sensitive data at risk of being lost or stolen.
• Users may not secure their devices.

Outsourcing
• May shift your security to an environment you have little control over.
• Third party may have its own security policies, or none at all.
• Outsourcing key elements of the organization may bring significant risk.


Security Awareness Training Software

• Up to date videos
• SME & animation
• Security awareness compliance
• Quiz engine
• Certificate of completion
• Software as a Service (SaaS)


Configuration Management – Standard Operating Environment

• Develop a consistent configuration baseline for an OS.
• Reduces admin effort.
• Can be used from host to host.
• Scalable and adaptable to new threats/vulnerabilities.

• Example configuration for a standard environment is to restrict access to apps.
• Whitelist:
  • List of apps you specifically allow.
  • Apps not on the list are blocked.
• Blacklist:
  • List of apps you specifically block.
  • Apps not on the list are allowed.
• Whitelist is preferable.

Allowed Apps:
• System apps
• Microsoft Office
• Google Chrome
• KeePass
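The slide's allowlist can be expressed as an AppLocker policy. The PowerShell below is an added example, not code from the workshop, that builds publisher and hash rules for the three applications, adds the same %WINDIR% path rule that AppLocker's own default rules use for system apps, starts in audit mode so gaps show up as events rather than blocked users, and dry-runs the policy against a sample path; the install directories and the sample paths are assumptions.

```powershell
# Added example (not from the workshop): an AppLocker allowlist (whitelist) matching the
# slide's "Allowed Apps". Run elevated on Windows 10/11 Enterprise/Education or Windows
# Server. Install directories and the sample test paths below are assumptions.

$ErrorActionPreference = 'Stop'
Import-Module AppLocker

# Install locations assumed for the three application entries on the slide.
$allowedDirs = @(
    'C:\Program Files\Microsoft Office'         # Microsoft Office
    'C:\Program Files\Google\Chrome'            # Google Chrome
    'C:\Program Files\KeePass Password Safe 2'  # KeePass
)

# Gather signature (publisher) and hash information for every executable found there.
$fileInfo = foreach ($dir in $allowedDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
    }
}

# Publisher rules survive vendor updates; hash rules catch unsigned binaries. Nothing else
# matches, which is what makes this an allowlist instead of a blocklist.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'SOE' -Optimize -Xml

# System apps: AppLocker's default rule for Windows is a path rule for %WINDIR%\*.
# Add the equivalent so the policy stands on its own (Windows itself must stay allowed).
$exeCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
$pathRule = $policy.CreateElement('FilePathRule')
$pathRule.SetAttribute('Id', [guid]::NewGuid().ToString())
$pathRule.SetAttribute('Name', 'SOE: Windows system files')
$pathRule.SetAttribute('Description', '')
$pathRule.SetAttribute('UserOrGroupSid', 'S-1-1-0')   # Everyone
$pathRule.SetAttribute('Action', 'Allow')
$condition = $policy.CreateElement('FilePathCondition')
$condition.SetAttribute('Path', '%WINDIR%\*')
$conditions = $policy.CreateElement('Conditions')
[void]$conditions.AppendChild($condition)
[void]$pathRule.AppendChild($conditions)
[void]$exeCollection.AppendChild($pathRule)

# Audit first: would-be blocks are written to the "AppLocker/EXE and DLL" event log
# (event ID 8003) without stopping anyone, so missing entries surface before enforcement.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policyPath = Join-Path $env:TEMP 'soe-allowlist.xml'
$policy.Save($policyPath)

# Dry run: cmd.exe is under %WINDIR% and should be Allowed; a binary in a user-writable
# location (assumed path; it must exist to be evaluated) should be Denied.
$samples = @("$env:SystemRoot\System32\cmd.exe", 'C:\Users\Public\unapproved-tool.exe')
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply locally. The Application Identity service must run for AppLocker to evaluate
# rules at all; it is a protected service, so sc.exe rather than Set-Service configures it.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Switch EnforcementMode to Enabled only after the 8003 events for a pilot group have been reviewed and every legitimate binary they name has been added to the allowed set; in a domain the same XML is imported into a GPO under Computer Configuration > Windows Settings > Security Settings > Application Control Policies.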


Configuration Management – Guidelines for Implementing Network Security Controls

• Implement secure configuration and baseline of network components.

• Lock down security configurations.

• Implement change monitoring for network configurations.

• Implement availability controls on network infrastructure.

• Implement ACLs on network devices.

• Construct DMZs around public-facing resources.

• Separate critical assets using VLANs.

• Use network sensors and monitors to see high-level network flows.

• Use DPI to verify the content of data transmissions conforms to policy.

• Configure network devices to use security mechanisms like port security.

• Establish NAC systems to enforce policies on network hosts.

• Choose network management/monitoring tools that fulfill security needs.

• Write custom rules and alert definitions.

• Prevent alert fatigue by tuning alert thresholds to be more precise.


Configuration Management – Patch Management (Slide 1 of 2)

• Can be a manual, automated, or combined process.
• Automation is preferable, but requires some manual work.
  • Example: Customized scripts for granular control.
• Configure based on the context of each host.
  • Mission-critical hosts should be treated differently than non-critical hosts.
  • Misapplied patches can leave hosts vulnerable.
  • Patches may interfere with existing security measures.
• Patch management program might include:
  • Individuals who subscribe to vendor update newsletters.
  • Review and triage of updates into categories.
  • Offline patch testing environment.
  • Immediate administrative push of urgent patches.
  • Weekly administrative push of important patches.
  • Replication of patch management processes.
  • Evaluation phase and full rollout phase.


Configuration Management – Patch Management (Slide 2 of 2)

1. Evaluate
2. Test
3. Deploy


Configuration Management – Guidelines for Hardening Hosts

• Incorporate tools that enforce security policies.
• Install a standard operating environment and whitelist necessary software.
• Restrict shell access per user or per host.
• Implement patch management software to test and deploy updates.
• Consider how firmware updates fit into patch management.
• Implement out-of-band interfaces as a secondary communications channel.
• Restrict host access to peripheral protocols.
• Restrict host access to peripheral devices.


Maintenance – Unified threat management (UTM)

A system that centralizes various security techniques into a single appliance. Unified threat management (UTM) provides multiple security features and services in a single device or service on the network, protecting users from security threats in a simplified way. UTM includes functions such as anti-virus, anti-spam, content filtering, and web filtering.

• Can include:
  • Firewall.
  • Anti-malware.
  • NIDS/NIPS.
  • URL filtering.
  • And more.

• Provides a single console for administrators.
• Reduces complexity of having discrete systems from different vendors.
• Streamlines maintenance of network systems.

• Creates a single point of failure.
• Can struggle with latency issues.


Media Protection – Guidelines for Addressing Security and Privacy Concerns for Mobile Devices

• Consider how mobile devices may be storing data in insecure storage spaces.

• Choose a strong device authentication method.

• Recognize the risks involved in rooting/jailbreaking devices.

• Consider restricting rooting/jailbreaking capabilities.

• Identify how unsigned sideloaded apps can bring risk to Android devices.

• Select mobile devices that incorporate hardware anti-tamper technology.

• Consider using newer Bluetooth devices for improved tethering availability.

• Be aware of how contactless mobile payment methods have NFC vulnerabilities.

• Be aware that some card readers may have been compromised in the supply chain.

• Use a mobile wallet app that incorporates tokenization.

• Use encrypted messaging apps to protect mobile communications.

• Consider testing third-party anti-malware apps on Android devices.

• Identify security/privacy risks involved in wearable technology.


Media Protection – Azure Active Directory – Microsoft Architecture – Locking down Remote Users

• Secure operations for remote users

• Microsoft Teams

• Microsoft 365 data loss prevention

• Windows Information Protection

• Strengthen your credentials.

• Reduce your attack surface area.

• Automate threat response

• Utilize cloud intelligence.

• Enable end-user self-service.


Media Protection – Microsoft Architecture – Locking down Remote Users Add-On – Implementation: Manage Intune for your organization

[Diagram: Microsoft Intune architecture. Components shown: Microsoft Intune (Configure devices: configuration policies, profiles; Manage apps: apps, app configuration policies; Protect data: device compliance policies, app protection policies, Mobile Threat Defense connector, Conditional Access), Azure Active Directory, Microsoft Azure, Office 365, Network Access Control partner, telecom expense management, custom web apps, LOB apps, SaaS apps, App Store, Graph API, web console, and the on-premises network. Labelled data flows: apps, policy and reporting data; authentication & authorization; device compliance results; group targeting; read device compliance information; data for compliance calculation; data from telco on usage; mobile threat assessment; device settings assignment; app install status and inventory; data usage and alerts; RESTful API calls.]

Microsoft Intune is an MDM and MAM provider for your devices

For personal devices, or bring-your-own devices (BYOD), users may not want their organization administrators to have full control. In this approach, give users options. For example, users enroll their devices if they want full access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then use app protection policies that require multi-factor authentication (MFA) to use these apps.


Mitigation Strategy & Control Selection – Risk Response Techniques

• Avoid: Eliminate risk by eliminating the source.
• Transfer: Move responsibility to a third party.
• Mitigate: Reduce risk through controls and countermeasures.
• Accept: Determine that the risk is within the organization's appetite and do nothing further.


Mitigation Strategy & Control Selection – Additional Risk Management Strategies

Strategy / Description:

Identify exemptions
• Legacy systems may be exempt from specific risk processes.
• Newer systems may bring on new risk.
• You need to account for these exemptions.

Use deterrence
• The process of influencing a threat's decision to exploit or not exploit a risk.
• You can convince a threat it is not worth the effort to attack a system.

Identify inherent risk
• Risk that an event will pose if no mitigating controls are put in place.
• Helps you determine which controls to put in place.

Identify residual risk
• Risk that remains after controls are put in place.
• Helps you determine the effectiveness of controls.


Tutorial: Access a classroom lab in Azure Lab Services

In this tutorial, you, as a student, connect to a virtual machine (VM) in a classroom lab.

In this tutorial, you do the following actions:

• Register to the lab
• Start the VM
• Connect to the VM

Register to the lab

1. Navigate to the registration URL that you received from the educator. You don't need to use the registration URL after you complete the registration. Instead, use the URL: https://labs.azure.com. Internet Explorer 11 isn't supported yet.


2. Sign in to the service using your school account to complete the registration.

Note

A Microsoft account is required for using Azure Lab Services. If you are trying to use your non-Microsoft account such as Yahoo or Google accounts to sign in to the portal, follow instructions to create a Microsoft account that will be linked to your non-Microsoft account. Then, follow the steps to complete the registration process.

3. Once registered, confirm that you see the virtual machine for the lab you have access to.


4. Wait until the virtual machine is ready. On the VM tile, notice the following fields:
  1. At the top of the tile, you see the name of the lab.
  2. To its right, you see the icon representing the operating system (OS) of the VM. In this example, it's Windows OS.
  3. The progress bar on the tile shows the number of hours used against the number of quota hours assigned to you. This time is the additional time allotted to you in addition to the scheduled time for the lab.
  4. You see icons/buttons at the bottom of the tile to start/stop the VM, and connect to the VM.
  5. To the right of the buttons, you see the status of the VM. Confirm that the status of the VM is Stopped.


Start the VM

1. Start the VM by selecting the first button as shown in the following image. This process takes some time.


2. Confirm that the status of the VM is set to Running.


Notice that the icon of the first button changed to represent a stop operation. You can select this button to stop the VM.

Connect to the VM

1. Select the second button as shown in the following image to connect to the lab's VM.

2. Do one of the following steps:
  1. For Windows virtual machines, save the RDP file to the hard disk. Open the RDP file to connect to the virtual machine. Use the user name and password you get from your educator to sign in to the machine.
  2. For Linux virtual machines, you can use SSH or RDP (if it's enabled) to connect to them. For more information, see Enable remote desktop connection for Linux machines.


Lab Manual


Contents

Vulnerability Genius – CMMC Tracker Software
  Main Dashboard
  Adding New Systems
  Systems Dashboard

AC.1.001 Access Control (AC): Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
  Step 1: Create a GPO
  Step 2: Edit a GPO
  Step 3: Review and deploy a GPO
  Step 4: Use a template to create a GPO
  Step 5: Delete and restore a GPO

AC.2.009 Access Control (AC): Limit unsuccessful logon attempts.
  Account Policies
    In this section
  Lab - Password Policy
    In this section
  Select AC.2.009 in the CMMC Tracker Software

AC.2.013 Access Control (AC): Monitor and control remote access sessions.
  Remote Desktop
  Lab - Remote Desktop - Allow access to your PC
    How to enable Remote Desktop
      Windows 10 Fall Creators Update (1709) or later
      Windows 7 and early versions of Windows 10
      All versions of Windows (legacy method)
    Should I enable Remote Desktop?
    Why allow connections only with Network Level Authentication?

AU.2.041 Audit & Accountability (AU): Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.


AU.2.042 Audit & Accountability (AU): Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity.

AU.2.044 Audit & Accountability (AU): Review audit logs.

AU.3.045 Audit & Accountability (AU): Review and update logged events.

AU.3.046 Audit & Accountability (AU): Alert in the event of an audit logging process failure.
  Lab - Security auditing
    In this section
  Basic security audit policies
    In this section
    Create a basic audit policy for an event category
    Additional considerations


Vulnerability Genius – CMMC Tracker Software https://cmmc.cyberprotex.com

Login using the Credentials you were provided.

Main Dashboard

Click on “New System” and the following screen should appear:

Adding New Systems

Fill in all of the necessary information including Desired CMMC Level = “LEVEL 3” and click “Save”.


Systems Dashboard

AC.1.001 Access Control (AC)

Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).

Active Directory – Steps for managing GPOs

CYBERPROTEX, LLC


You must complete the following steps to create, edit, review, and deploy GPOs using AGPM. Additionally, you will create a template, delete a GPO, and restore a deleted GPO.

Step 1: Create a GPO

Step 2: Edit a GPO

Step 3: Review and deploy a GPO

Step 4: Use a template to create a GPO

Step 5: Delete and restore a GPO

Step 1: Create a GPO

In an environment with multiple Group Policy administrators, those with the Editor role have the ability to request the creation of new GPOs, but such a request must be approved by someone with the Approver role because the creation of a new GPO impacts the production environment.

In this step, you use an account with the Editor role to request the creation of a new GPO. Using an account with the Approver role, you approve this request and complete the creation of a GPO.

To request the creation of a new GPO managed through AGPM


1. On a computer on which you have installed AGPM Client, log on with a user account that has been assigned the Editor role in AGPM.

2. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

3. Right-click the Change Control node, and then click New Controlled GPO.
4. In the New Controlled GPO dialog box:
  1. To receive a copy of the request, type your e-mail address in the Cc field.
  2. Type MyGPO as the name for the new GPO.
  3. Type a comment for the new GPO.
  4. Click Create live so the new GPO will be deployed to the production environment immediately upon approval. Click Submit.
5. When the AGPM Progress window indicates that overall progress is complete, click Close. The new GPO is displayed on the Pending tab.

To approve the pending request to create a GPO

1. On a computer on which you have installed AGPM Client, log on with a user account that has been assigned the role of Approver in AGPM.

2. Open the e-mail inbox for the account, and note that you have received an e-mail message from the AGPM alias with the Editor's request to create a GPO.

3. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

4. On the Contents tab, click the Pending tab to display the pending GPOs.
5. Right-click MyGPO, and then click Approve.
6. Click Yes to confirm approval of the creation of the GPO. The GPO is moved to the Controlled tab.

Step 2: Edit a GPO

You can use GPOs to configure computer or user settings and deploy them to many computers or users. In this step, you use an account with the Editor role to check out a GPO from the archive, edit the GPO offline, check the edited GPO into the archive, and request deployment of the GPO to the production environment. For this scenario, you configure a setting in the GPO to require that the password be at least eight characters in length.

To check the GPO out from the archive for editing

1. On a computer on which you have installed AGPM Client, log on with a user account that has been assigned the role of Editor in AGPM.


2. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

3. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

4. Right-click MyGPO, and then click Check Out.
5. Type a comment to be displayed in the history of the GPO while it is checked out, and then click OK.
6. When the AGPM Progress window indicates that overall progress is complete, click Close. On the Controlled tab, the state of the GPO is identified as Checked Out.

To edit the GPO offline and configure the minimum password length

1. On the Controlled tab, right-click MyGPO, and then click Edit to open the Group Policy Management Editor window and make changes to an offline copy of the GPO. For this scenario, configure the minimum password length:
  1. Under Computer Configuration, double-click Policies, Windows Settings, Security Settings, Account Policies, and Password Policy.
  2. In the details pane, double-click Minimum password length.
  3. In the properties window, select the Define this policy setting check box, set the number of characters to 8, and then click OK.
2. Close the Group Policy Management Editor window.

To check the GPO into the archive

1. On the Controlled tab, right-click MyGPO and then click Check In.
2. Type a comment, and then click OK.
3. When the AGPM Progress window indicates that overall progress is complete, click Close. On the Controlled tab, the state of the GPO is identified as Checked In.

To request the deployment of the GPO to the production environment

1. On the Controlled tab, right-click MyGPO and then click Deploy.
2. Because this account is not an Approver or AGPM Administrator, you must submit a request for deployment. To receive a copy of the request, type your e-mail address in the Cc field. Type a comment to be displayed in the history of the GPO, and then click Submit.

3. When the AGPM Progress window indicates that overall progress is complete, click Close. MyGPO is displayed on the list of GPOs on the Pending tab.


Step 3: Review and deploy a GPO

In this step, you act as an Approver, creating reports and analyzing the settings and changes to settings in the GPO to determine whether you should approve them. After evaluating the GPO, you deploy it to the production environment and link it to a domain or an organizational unit (OU) so that it takes effect when Group Policy is refreshed for computers in that domain or OU.

To review settings in the GPO

1. On a computer on which you have installed AGPM Client, log on with a user account that has been assigned the role of Approver in AGPM. (Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO.)

2. Open the e-mail inbox for the account and note that you have received an e-mail message from the AGPM alias with an Editor's request to deploy a GPO.

3. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

4. On the Contents tab in the details pane, click the Pending tab.
5. Double-click MyGPO to display its history.
6. Review the settings in the most recent version of MyGPO:
      1. In the History window, right-click the GPO version with the most recent timestamp, click Settings, and then click HTML Report to display a summary of the GPO's settings.
      2. In the Web browser, click show all to display all of the settings in the GPO. Close the browser.
7. Compare the most recent version of MyGPO to the first version checked in to the archive:
      1. In the History window, click the GPO version with the most recent time stamp. Press CTRL and click the oldest GPO version for which the Computer Version is not *.
      2. Click the Differences button. The Account Policies/Password Policy section is highlighted in green and preceded by [+], indicating that this setting is configured only in the latter version of the GPO.
      3. Click Account Policies/Password Policy. The Minimum password length setting is also highlighted in green and preceded by [+], indicating that it is configured only in the latter version of the GPO.
      4. Close the Web browser.

To deploy the GPO to the production environment


1. On the Pending tab, right-click MyGPO and then click Approve.
2. Type a comment to include in the history of the GPO.
3. Click Yes. When the AGPM Progress window indicates that overall progress is complete, click Close. The GPO is deployed to the production environment.

To link the GPO to a domain or organizational unit

1. In the GPMC, right-click the domain or an OU to which to apply the GPO that you configured, and then click Link an Existing GPO.

2. In the Select GPO dialog box, click MyGPO, and then click OK.

Step 4: Use a template to create a GPO

In this step, you use an account with the Editor role to create a template—an uneditable, static version of a GPO for use as a starting point for creating new GPOs—and then create a new GPO based upon that template. Templates are useful for quickly creating multiple GPOs that include many of the same settings.

To create a template based on an existing GPO

1. On a computer on which you have installed AGPM Client, log on with a user account that has been assigned the role of Editor in AGPM.

2. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

3. On the Contents tab in the details pane, click the Controlled tab.
4. Right-click MyGPO, and then click Save as Template to create a template incorporating all settings currently in MyGPO.
5. Type MyTemplate as the name for the template and a comment, and then click OK.
6. When the AGPM Progress window indicates that overall progress is complete, click Close. The new template appears on the Templates tab.

To request the creation of a new GPO managed through AGPM

1. Click the Controlled tab.
2. Right-click the Change Control node, and then click New Controlled GPO.
3. In the New Controlled GPO dialog box:
      1. To receive a copy of the request, type your e-mail address in the Cc field.
      2. Type MyOtherGPO as the name for the new GPO.
      3. Type a comment for the new GPO.


      4. Click Create live, so the new GPO will be deployed to the production environment immediately upon approval.
      5. For From GPO template, select MyTemplate. Click Submit.
4. When the AGPM Progress window indicates that overall progress is complete, click Close. The new GPO is displayed on the Pending tab.

Use an account that has been assigned the role of Approver to approve the pending request to create the GPO as you did in Step 1: Create a GPO. MyTemplate incorporates all of the settings that you configured in MyGPO. Because MyOtherGPO was created using MyTemplate, it initially contains all of the settings that MyGPO contained at the time that MyTemplate was created. You can confirm this by generating a difference report to compare MyOtherGPO to MyTemplate.

To check the GPO out from the archive for editing

1. On a computer on which you have installed AGPM Client, log on with a user account that has been assigned the role of Editor in AGPM.

2. Right-click MyOtherGPO, and then click Check Out.
3. Type a comment to be displayed in the history of the GPO while it is checked out, and then click OK.
4. When the AGPM Progress window indicates that overall progress is complete, click Close. On the Controlled tab, the state of the GPO is identified as Checked Out.

To edit the GPO offline and configure the account lockout duration

1. On the Controlled tab, right-click MyOtherGPO, and then click Edit to open the Group Policy Management Editor window and make changes to an offline copy of the GPO. For this scenario, configure the account lockout duration:
      1. Under Computer Configuration, double-click Policies, Windows Settings, Security Settings, Account Policies, and Account Lockout Policy.
      2. In the details pane, double-click Account lockout duration.
      3. In the properties window, check Define this policy setting, set the duration to 30 minutes, and then click OK.
2. Close the Group Policy Management Editor window.

Check MyOtherGPO into the archive and request deployment as you did for MyGPO in Step 2: Edit a GPO. You can compare MyOtherGPO to MyGPO or to MyTemplate using difference reports. Any account that includes the Reviewer role (AGPM Administrator [Full Control], Approver, Editor, or Reviewer) can generate reports.


To compare a GPO to another GPO and to a template

1. To compare MyGPO and MyOtherGPO:
      1. On the Controlled tab, click MyGPO. Press CTRL and then click MyOtherGPO.
      2. Right-click MyOtherGPO, point to Differences, and click HTML Report.
2. To compare MyOtherGPO and MyTemplate:
      1. On the Controlled tab, click MyOtherGPO.
      2. Right-click MyOtherGPO, point to Differences, and click Template.
      3. Select MyTemplate and HTML Report, and then click OK.
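The difference reports above come from the AGPM archive. As an added example that is not part of the workshop or of AGPM, the script below produces the same kind of comparison for the live MyGPO and MyOtherGPO with the GroupPolicy RSAT module, so an Approver can confirm from the console that the deployed GPOs differ only in the expected lockout setting. It assumes the XML report carries each account-policy value as an Account element with Name, SettingNumber (or SettingBoolean) and Type children; the [#] marker for a value present in both GPOs but different is this example's own.

```powershell
# Added example, not from the workshop: diff the account-policy settings of two GPOs.
# Assumes the GroupPolicy RSAT module is installed and the account can read both GPOs.
Import-Module GroupPolicy

function Get-GpoAccountSettings {
    # Returns a hashtable of Password Policy / Account Lockout Policy values from the
    # GPO's XML report, keyed by setting name (e.g. MinimumPasswordLength, LockoutDuration).
    # Assumption about the report schema: one <Account> element per setting, holding
    # <Name>, <SettingNumber> or <SettingBoolean>, and <Type>. local-name() sidesteps namespaces.
    param([Parameter(Mandatory)][string]$Name)

    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    $settings = @{}
    foreach ($node in $report.SelectNodes("//*[local-name()='Account']")) {
        $key   = $node.SelectSingleNode("*[local-name()='Name']").InnerText
        $value = $node.SelectSingleNode("*[local-name()='SettingNumber']")
        if (-not $value) { $value = $node.SelectSingleNode("*[local-name()='SettingBoolean']") }
        $settings[$key] = if ($value) { $value.InnerText } else { $null }
    }
    return $settings
}

function Compare-GpoAccountSettings {
    # One row per setting. [+] = only in the second GPO (as in the AGPM report),
    # [-] = only in the first, [#] = in both with different values (marker chosen here).
    param(
        [Parameter(Mandatory)][string]$ReferenceGpo,
        [Parameter(Mandatory)][string]$DifferenceGpo
    )
    $a = Get-GpoAccountSettings -Name $ReferenceGpo
    $b = Get-GpoAccountSettings -Name $DifferenceGpo
    $keys = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
    $rows = foreach ($key in $keys) {
        $marker = switch ($true) {
            (-not $a.ContainsKey($key)) { '[+]'; break }
            (-not $b.ContainsKey($key)) { '[-]'; break }
            ($a[$key] -ne $b[$key])     { '[#]'; break }
            default                     { '   ' }
        }
        [pscustomobject]@{
            Marker         = $marker
            Setting        = $key
            $ReferenceGpo  = $a[$key]
            $DifferenceGpo = $b[$key]
        }
    }
    $rows | Format-Table -AutoSize
}

# MyGPO sets only the minimum password length; MyOtherGPO (built from MyTemplate) adds the
# 30-minute lockout duration, so LockoutDuration is the row expected to carry [+].
Compare-GpoAccountSettings -ReferenceGpo 'MyGPO' -DifferenceGpo 'MyOtherGPO'
```

Any extra row marked [+] or [#] is a change that nobody requested through AGPM and is worth investigating before approval.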

Step 5: Delete and restore a GPO

In this step, you act as an Approver to delete a GPO.

To delete a GPO

1. On a computer on which you have installed AGPM Client, log on with a user account that has been assigned the role of Approver.

2. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

3. On the Contents tab, click the Controlled tab to display the controlled GPOs.
4. Right-click MyGPO, and then click Delete. Click Delete GPO from archive and production to delete both the version in the archive as well as the deployed version of the GPO in the production environment.
5. Type a comment to be displayed in the audit trail for the GPO, and then click OK.
6. When the AGPM Progress window indicates that overall progress is complete, click Close. The GPO is removed from the Controlled tab and is displayed on the Recycle Bin tab, where it can be restored or destroyed.

Occasionally you may discover after deleting a GPO that it is still needed. In this step, you act as an Approver to restore a GPO that has been deleted.

To restore a deleted GPO

1. On the Contents tab, click the Recycle Bin tab to display deleted GPOs.
2. Right-click MyGPO, and then click Restore.
3. Type a comment to be displayed in the history of the GPO, and then click OK.
4. When the AGPM Progress window indicates that overall progress is complete, click Close. The GPO is removed from the Recycle Bin tab and is displayed on the Controlled tab.


Note Restoring a GPO to the archive does not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO as in Step 3: Review and deploy a GPO.

After editing and deploying a GPO, you may discover that recent changes to the GPO are causing a problem. In this step, you act as an Approver to roll back to a previous version of the GPO. You can roll back to any version in the history of the GPO. You can use comments and labels to identify known good versions and when specific changes were made.

To roll back to a previous version of a GPO

1. On the Contents tab, click the Controlled tab to display the controlled GPOs.
2. Double-click MyGPO to display its history.
3. Right-click the version to be deployed, click Deploy, and then click Yes.
4. When the Progress window indicates that overall progress is complete, click Close. In the History window, click Close.

Note To verify that the version that has been redeployed is the version intended, examine a difference report for the two versions. In the History window for the GPO, select the two versions, right-click them, point to Difference, and then click either HTML Report or XML Report.


AC.2.009 Access Control (AC) Limit unsuccessful logon attempts.

Account Policies

Provides an overview of account policies in Windows and links to policy descriptions.

All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.

Note

Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).

The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies.

In this section


Topic | Description
Password Policy | An overview of password policies for Windows and links to information for each policy setting.
Account Lockout Policy | Describes the Account Lockout Policy settings and links to information about each policy setting.
Kerberos Policy | Describes the Kerberos Policy settings and provides links to policy setting descriptions.

Lab - Password Policy

An overview of password policies for Windows and links to information for each policy setting.

In many operating systems, the most common method to authenticate a user's identity is to use a secret passphrase or password. A secure network environment requires all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords. Strong passwords that are changed regularly reduce the likelihood of a successful password attack.

Introduced in Windows Server 2008 R2 and Windows Server 2008, Windows supports fine-grained password policies. This feature provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups.

To apply a fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.

Fine-grained password policies include attributes for all the settings that can be defined in the default domain policy (except Kerberos settings) in addition to account lockout settings. When you specify a fine-grained password policy, you must specify all of these settings. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain must be running at least Windows Server 2008 R2 or Windows Server 2008 to use fine-grained password policies. Fine-grained password policies cannot be applied to an organizational unit (OU) directly.

You can enforce the use of strong passwords through an appropriate password policy. There are password policy settings that control the complexity and lifetime of passwords, such as the Passwords must meet complexity requirements policy setting.

You can configure the password policy settings in the following location by using the Group Policy Management Console:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

If individual groups require distinct password policies, these groups should be separated into another domain or forest, based on additional requirements.
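The shadow-group approach and the password policy settings above, worked through with the ActiveDirectory module, as an added example that is not part of the workshop: it checks the Default Domain Policy against the eight-character baseline and the lockout requirement of AC.2.009, keeps a shadow group in step with an OU, attaches a fine-grained password policy to that group, and reads back the policy a user actually receives. The OU "Finance", the group "FGPP-Finance" and the policy "Finance-PSO" are constructed names; the script assumes Domain Admins rights.

```powershell
# Added example, not from the workshop: domain password baseline check plus a
# fine-grained password policy (PSO) applied to an OU via a shadow group.
# Assumes the ActiveDirectory RSAT module and Domain Admins rights.
Import-Module ActiveDirectory

function Test-DomainPasswordBaseline {
    # Returns $true when the Default Domain Policy meets the baseline; otherwise warns and returns $false.
    param([int]$MinLength = 8)
    $p = Get-ADDefaultDomainPasswordPolicy
    $gaps = @()
    if ($p.MinPasswordLength -lt $MinLength) { $gaps += "MinPasswordLength=$($p.MinPasswordLength)" }
    if (-not $p.ComplexityEnabled)           { $gaps += 'ComplexityEnabled=False' }
    if ($p.ReversibleEncryptionEnabled)      { $gaps += 'ReversibleEncryptionEnabled=True' }
    if ($p.LockoutThreshold -eq 0)           { $gaps += 'LockoutThreshold=0 (AC.2.009 not enforced)' }
    if ($gaps.Count -gt 0) { Write-Warning ('Domain policy gaps: ' + ($gaps -join ', ')); return $false }
    return $true
}

function Sync-ShadowGroup {
    # Makes the shadow group's membership equal to the users currently in the OU.
    # PSOs follow the group, not the OU, so a user moved between OUs is covered only
    # after this runs; schedule it rather than relying on manual updates.
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $wanted  = Get-ADUser -SearchBase $OuDistinguishedName -Filter * |
               Select-Object -ExpandProperty SamAccountName
    $current = Get-ADGroupMember -Identity $GroupName | Where-Object objectClass -eq 'user' |
               Select-Object -ExpandProperty SamAccountName
    $diff     = Compare-Object -ReferenceObject @($wanted) -DifferenceObject @($current)
    $toAdd    = $diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
    $toRemove = $diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject
    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
    [pscustomobject]@{ Added = @($toAdd).Count; Removed = @($toRemove).Count }
}

$domainDn = (Get-ADDomain).DistinguishedName
$ou       = "OU=Finance,$domainDn"   # constructed OU
$group    = 'FGPP-Finance'           # constructed shadow group (global security group)
$pso      = 'Finance-PSO'            # constructed policy name

Test-DomainPasswordBaseline | Out-Null

# 1. Shadow group: a global security group that stands in for the OU.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou `
        -Description "Shadow group for $ou; membership maintained by Sync-ShadowGroup"
}
Sync-ShadowGroup -OuDistinguishedName $ou -GroupName $group

# 2. Fine-grained policy: every setting must be given (Kerberos settings excepted).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$pso'")) {
    New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
}

# 3. Evidence for the assessment: the resultant policy a user receives (a PSO wins over the domain policy).
Get-ADUser -SearchBase $ou -Filter * | Select-Object -First 3 | ForEach-Object {
    $rp = Get-ADUserResultantPasswordPolicy -Identity $_
    [pscustomobject]@{ User = $_.SamAccountName; Policy = $rp.Name; MinLength = $rp.MinPasswordLength }
}
```

The resultant-policy output is the artifact to capture before marking the practice compliant, since it shows what is enforced rather than what was configured.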

The following topics provide a discussion of password policy implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible vulnerabilities of each setting), countermeasures that you can take, and the potential impact for each setting.

In this section

Topic | Description
Enforce password history | Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.
Maximum password age | Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.
Minimum password age | Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.
Minimum password length | Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.


Password must meet complexity requirements | Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.
Store passwords using reversible encryption | Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.

Select AC.2.009 in the CMMC Tracker software, enter a Practice Status of "Compliant", and click "Save".


Access Control (AC)

AC.2.013 Monitor and control remote access sessions.

Remote Desktop https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access

Lab - Remote Desktop - Allow access to your PC

You can use Remote Desktop to connect to and control your PC from a remote device by using a Microsoft Remote Desktop client (available for Windows, iOS, macOS and Android). When you allow remote connections to your PC, you can use another device to connect to your PC and have access to all of your apps, files, and network resources as if you were sitting at your desk.

Note

You can use Remote Desktop to connect to Windows 10 Pro and Enterprise, Windows 8.1 and 8 Enterprise and Pro, Windows 7 Professional, Enterprise, and Ultimate, and Windows Server versions newer than Windows Server 2008. You can't connect to computers running a Home edition (like Windows 10 Home).

To connect to a remote PC, that computer must be turned on, it must have a network connection, Remote Desktop must be enabled, you must have network access to the remote computer (this could be through the Internet), and you must have permission to connect. For permission to connect, you must be on the list of users. Before you start a connection, it's a good idea to look up the name of the computer you're connecting to and to make sure Remote Desktop connections are allowed through its firewall.

How to enable Remote Desktop

The simplest way to allow access to your PC from a remote device is using the Remote Desktop options under Settings. Since this functionality was added in the Windows 10 Fall Creators Update (1709), a separate downloadable app is also available that provides similar functionality for earlier versions of Windows. You can also use the legacy way of enabling Remote Desktop; however, this method provides less functionality and validation.

Windows 10 Fall Creator Update (1709) or later

You can configure your PC for remote access with a few easy steps.

1. On the device you want to connect to, select Start and then click the Settings icon on the left.

2. Select the System group followed by the Remote Desktop item.
3. Use the slider to enable Remote Desktop.
4. It is also recommended to keep the PC awake and discoverable to facilitate connections. Click Show settings to enable.
5. As needed, add users who can connect remotely by clicking Select users that can remotely access this PC.
      1. Members of the Administrators group automatically have access.
6. Make note of the name of this PC under How to connect to this PC. You'll need this to configure the clients.

Windows 7 and earlier versions of Windows 10

To configure your PC for remote access, download and run the Microsoft Remote Desktop Assistant. This assistant updates your system settings to enable remote access, ensures your computer is awake for connections, and checks that your firewall allows Remote Desktop connections.

All versions of Windows (Legacy method)

To enable Remote Desktop using the legacy system properties, follow the instructions to Connect to another computer using Remote Desktop Connection.

Should I enable Remote Desktop?

If you only want to access your PC when you are physically using it, you don't need to enable Remote Desktop. Enabling Remote Desktop opens a port on your PC that is visible to your local network. You should only enable Remote Desktop in trusted networks, such as your home. You also don't want to enable Remote Desktop on any PC where access is tightly controlled.


Be aware that when you enable access to Remote Desktop, you are granting anyone in the Administrators group, as well as any additional users you select, the ability to remotely access their accounts on the computer.

You should ensure that every account that has access to your PC is configured with a strong password.

Why allow connections only with Network Level Authentication?

If you want to restrict who can access your PC, choose to allow access only with Network Level Authentication (NLA). When you enable this option, users have to authenticate themselves to the network before they can connect to your PC. Allowing connections only from computers running Remote Desktop with NLA is a more secure authentication method that can help protect your computer from malicious users and software. To learn more about NLA and Remote Desktop, check out Configure NLA for RDS Connections.

If you're remotely connecting to a PC on your home network from outside of that network, don't select this option.
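AC.2.013 asks that remote access sessions be monitored and controlled, and the text above describes the settings behind that (the Remote Desktop slider, the user list, NLA, the firewall). As an added example that is not part of the workshop or the Microsoft article, the script below reads those settings from the registry, firewall and local group, enforces NLA when Remote Desktop is on without it, and lists recent RDP logons from the Security log. It assumes an elevated session on Windows 10 or Windows Server with the NetSecurity and LocalAccounts modules, and that "Audit logon events" is enabled so that events 4624 and 4625 exist.

```powershell
# Added example, not from the workshop: audit this PC's Remote Desktop exposure and
# list recent remote sessions. Assumes an elevated PowerShell session on Windows.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # fDenyTSConnections backs the Settings slider; UserAuthentication backs the NLA check box.
    $enabled = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla     = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
    $fw      = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    $users   = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name
    [pscustomobject]@{
        RemoteDesktopEnabled = $enabled
        NlaRequired          = $nla
        InboundRulesEnabled  = @($fw).Count
        RemoteDesktopUsers   = @($users)   # Administrators always have access as well
    }
}

function Set-RdpNlaRequired {
    # Hardening step from the text: require Network Level Authentication so a caller
    # authenticates before any session is created on the PC.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

function Get-RecentRemoteLogons {
    # Security event 4624 with LogonType 10 is a RemoteInteractive (RDP) logon;
    # 4625 with the same type is a failed RDP attempt. Needs "Audit logon events".
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -eq '10') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Result = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                    User   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Source = $d.IpAddress
                }
            }
        }
}

$posture = Get-RdpPosture
$posture | Format-List
if ($posture.RemoteDesktopEnabled -and -not $posture.NlaRequired) {
    Write-Warning 'Remote Desktop is enabled without NLA; enforcing it.'
    Set-RdpNlaRequired
}
Get-RecentRemoteLogons -Hours 24 | Format-Table -AutoSize
```

A run of Failure rows from one source address is the pattern the lockout settings of AC.2.009 are meant to contain, and the posture output is the artifact that shows who can connect and whether NLA is required.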


AU.2.041 Audit & Accountability (AU) Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

AU.2.042 Audit & Accountability (AU) Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity.

AU.2.044 Audit & Accountability (AU) Review audit logs.

AU.3.045 Audit & Accountability (AU) Review and update logged events.

AU.3.046 Audit & Accountability (AU) Alert in the event of an audit logging process failure.

Lab - Security auditing

Topics in this section are for IT professionals and describe the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.

Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.

In this section

Topic | Description
Basic security audit policies | Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.


Advanced security audit policies | Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.

Basic security audit policies

Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.

The event categories that you can choose to audit are:

• Audit account logon events
• Audit account management
• Audit directory service access
• Audit logon events
• Audit object access
• Audit policy change
• Audit privilege use
• Audit process tracking
• Audit system events

If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify the types of access you want to audit for each group or user.

In this section

Topic | Description
Create a basic audit policy for an event category | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.


Apply a basic audit policy on a file or folder | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
View the security event log | The security log records each event as defined by the audit policies you set on each object.

Basic security audit policy settings

Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

Create a basic audit policy for an event category

By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.

To complete this procedure, you must be logged on as a member of the built-in Administrators group.

To define or modify auditing policy settings for an event category for your local computer

1. Open the Local Security Policy snap-in (secpol.msc), and then click Local Policies.
2. Click Audit Policy.
3. In the results pane, double-click an event category that you want to change the auditing policy settings for.
4. Do one or both of the following, and then click OK.
      o To audit successful attempts, select the Success check box.
      o To audit unsuccessful attempts, select the Failure check box.

To complete this procedure, you must be logged on as a member of the Domain Admins group.


To define or modify auditing policy settings for an event category for a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain

1. Open the Group Policy Management Console (GPMC).
2. In the console tree, double-click Group Policy objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
3. Right-click the Default Domain Policy GPO, and then click Edit.
4. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Audit Policy.
5. In the results pane, double-click an event category that you want to change the auditing policy settings for.
6. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.
7. Do one or both of the following, and then click OK.
      o To audit successful attempts, select the Success check box.
      o To audit unsuccessful attempts, select the Failure check box.

Additional considerations

• To audit object access, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object.
• After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view these events.
• The default auditing policy setting for domain controllers is No Auditing. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.
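The procedures above set the audit categories through the GUI; what an assessor wants to see is the policy in effect on the machine and evidence that logging failures are noticed (AU.2.044, AU.3.046). As an added example that is not part of the workshop, the script below reads the effective audit policy with the built-in auditpol.exe, reports the subcategories behind the categories listed above that are not auditing both Success and Failure, and pulls the Security log events that indicate the audit trail itself has been shut down, cleared, filled or reconfigured. It assumes an elevated PowerShell session on Windows; the set of required subcategories is a chosen baseline, not a CMMC-mandated list.

```powershell
# Added example, not from the workshop: check the effective audit policy and look for
# audit logging failures. Assumes an elevated PowerShell session on Windows.

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV whose columns include Subcategory and "Inclusion Setting".
    # The effective policy is what matters: advanced audit policy settings, when
    # configured, override the basic categories set in secpol.msc or the GPO.
    auditpol.exe /get /category:* /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Test-AuditBaseline {
    # Subcategories carrying the page's account logon, account management, logon,
    # policy change and system event categories. Returns the ones not auditing
    # both Success and Failure; an empty result means the baseline is met.
    param([string[]]$Required = @('Credential Validation', 'User Account Management', 'Logon',
                                  'Account Lockout', 'Audit Policy Change', 'Security State Change'))
    $policy = Get-EffectiveAuditPolicy
    foreach ($name in $Required) {
        $row = $policy | Where-Object Subcategory -eq $name
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        if ($setting -ne 'Success and Failure') {
            [pscustomobject]@{ Subcategory = $name; Setting = $setting }
        }
    }
}

function Get-AuditFailureEvents {
    # Security log events that mean the audit trail is degraded and should alert:
    #   1100 event logging service shut down, 1102 audit log cleared,
    #   1104 security log full, 4719 system audit policy changed.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1100, 1102, 1104, 4719; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Gaps can be closed with auditpol, e.g.:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
$gaps = @(Test-AuditBaseline)
if ($gaps.Count -eq 0) { 'All required subcategories audit Success and Failure.' }
else { $gaps | Format-Table -AutoSize }

# Anything returned here should raise an alert, not just sit in the log.
Get-AuditFailureEvents -Hours 24 | Format-Table -AutoSize
```

On a domain controller, run Test-AuditBaseline locally as well, since the text above notes that domain controllers do not inherit the domain audit policy unless the domain controllers policy setting is changed.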