Exercise: Security Configuration Assessment - Fooster171/Wazuh-SEIM-Home-Lab GitHub Wiki

Wazuh can check a device against a checklist of recommended configuration settings. The checklist is appropriately called a benchmark rather than a rule set, since some of its settings will not suit every environment, but it offers a simple way to scan devices and find ways to harden your environment.

From the main dashboard, select the "Wazuh" menu and click on "Agents". I'm going to use the Domain controller:

Once the device is selected, there should be a dashboard section for "SCA: Latest Scans" which will have a link for the "CIS Microsoft Windows Server 2019 Benchmark":

Next, we will filter the list down to the checklist items that failed. Clicking the red number under "Failed" filters the results to the ones we might want to change, which gives us a more definite list of what we need to work on:

For this example I'm going to use ID 16532. Clicking that item shows a full description and the remediation steps we can follow:

To implement this change, we will log into our Domain controller. From the search bar, open "Group Policy Manager". Go to Forest -> Domains -> YOURDOMAIN -> right-click "Default Domain" and select "Edit". This opens the Group Policy Management Editor.

From the Management Editor, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. From there, scroll down to the "Network Access" options.

Double-click this entry to open it. Enable the option and select "Apply":

After applying the change and clicking "OK", I restarted the device. After a restart I can be sure the change is in place, and our Wazuh agent should report it back to the Wazuh server so that this item now passes the checklist. If we navigate back to the security benchmark and enter ID "16532" into the search bar, we can see that this item now passes inspection and we have one fewer item listed as failed:
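The same two steps done from the dashboard above, filtering the benchmark to failed checks and looking up check 16532 after the GPO change, can be scripted against the Wazuh API. This is an added example and not code from the wiki; the manager URL, CA file, agent ID and the `cis_win2019` policy ID are assumptions for the lab, and the `SAMPLE` response is constructed so the filtering helpers can run offline.

```python
import base64
import json
import ssl
import urllib.request

# Lab values are assumptions: replace with your manager, agent id and policy id.
WAZUH_URL = "https://wazuh-manager.lab.local:55000"   # Wazuh API default port
CA_FILE = "/path/to/wazuh-manager-ca.pem"               # keeps TLS verification on
AGENT_ID = "001"                                        # the domain controller's agent
POLICY_ID = "cis_win2019"                               # assumed id of the CIS 2019 policy

def failed_checks(sca_response: dict) -> list:
    """Same filter as clicking the red 'Failed' number in the SCA dashboard."""
    items = sca_response.get("data", {}).get("affected_items", [])
    return [c for c in items if c.get("result") == "failed"]

def check_status(sca_response: dict, check_id: int):
    """Result of one check id ('passed', 'failed', 'not applicable') or None if absent."""
    for c in sca_response.get("data", {}).get("affected_items", []):
        if c.get("id") == check_id:
            return c.get("result")
    return None

def get_token(base_url: str, user: str, password: str, ctx: ssl.SSLContext) -> str:
    """POST /security/user/authenticate with basic auth; returns the JWT for later calls."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/security/user/authenticate", method="POST",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["token"]

def fetch_sca_checks(base_url: str, token: str, agent_id: str, policy_id: str, ctx) -> dict:
    """GET /sca/{agent_id}/checks/{policy_id}: every check result for that benchmark."""
    req = urllib.request.Request(f"{base_url}/sca/{agent_id}/checks/{policy_id}?limit=1000",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

# Constructed sample shaped like the API's affected_items, so the helpers run offline.
SAMPLE = {"data": {"affected_items": [
    {"id": 16532, "title": "Network access option (constructed)", "result": "failed"},
    {"id": 16001, "title": "Audit policy option (constructed)", "result": "passed"},
    {"id": 16002, "title": "Other option (constructed)", "result": "not applicable"}]}}

if __name__ == "__main__":
    ctx = ssl.create_default_context(cafile=CA_FILE)
    token = get_token(WAZUH_URL, "wazuh", "CHANGEME", ctx)   # use your API credentials
    results = fetch_sca_checks(WAZUH_URL, token, AGENT_ID, POLICY_ID, ctx)
    print(f"{len(failed_checks(results))} failed; 16532 is {check_status(results, 16532)}")
```

Run it before and after the GPO change and reboot: the failed count should drop by one and 16532 should move from "failed" to "passed".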