Compliance checks come to windows

David Vassallo
Tutela by CyberSift
3 min read · Mar 4, 2022

You might already be aware of and using the Tutela Windows Agent. We are about to upgrade the Tutela windows agent to include compliance checks. Compliance checks are a set of security best practice rules which are regularly updated by organizations such as Microsoft, the US Department of Defense and the Center for Internet Security. Adhering to these security best practices is of course optional, but they do greatly enhance the preventative aspect of your security posture. The Tutela windows agent will now have the capability to check these security best practice rules and report both passed and failed checks back to the Tutela dashboard. Currently we support Windows 10 and Windows Server 2019.

I’ll proceed to showcase this capability on a test Windows 10 system. The Windows agent is run as usual (as a scheduled job or manually from the command line), but we have added a new parameter:

--compliance-check

Adding this flag to your command instructs the agent to activate the compliance module. The compliance rules are updated frequently, so the agent needs to be able to reach github.com, where we store the list of checks to be performed. Once the list is updated, the agent performs the checks and uploads the results to our dashboard without any administrator intervention. Once uploaded, you can view the results under the “Analyze > Discover > Compliance Checks” page:

The dashboard should be familiar to those of you already using Tutela for vulnerability management. This is what a typical scan would reveal:

Alerts have the usual pending / resolved status, which is updated automatically on every scan. A status of “resolved” means the given check has been satisfied on that particular host. Alerts which are not resolved are given a “severity” reflecting the criticality assigned by the issuing organization. Each individual row can be expanded to review more detail on the alert. For example, let’s take a “resolved” alert, which means the Windows system was found to be compliant with the security best practice rule:

The “Description” field shows all the details: for example, “Method” is set to “registry”, indicating this is a registry-based check, along with details of which path was checked and so on. The Category and Name fields give an indication of what the check is actually doing (in the above case, checking whether the Public Firewall profile is enabled). Another example, this time “Pending”, meaning the test system does not satisfy the security best practice check:

The description shows that the check relates to the “Minimum session security for NTLM”, and by clicking on the reference we get more details on the check and how to remediate the system:
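To make the registry-based checks above concrete, here is an added example (not the Tutela agent’s own code) that evaluates the two checks discussed in this post against a constructed registry snapshot and produces dashboard-style resolved / pending rows. The check-list format, the `SNAPSHOT` values and the helper names are assumptions for this example; the expected registry values are the documented CIS/Microsoft settings for those two checks.

```python
import json
from typing import Callable, Optional

# Check definitions in a format assumed for this example; the post does not
# show the agent's real GitHub-hosted list. Expected values are the documented
# CIS/Microsoft settings for the two checks discussed in the post.
CHECKS_JSON = r"""[
 {"name": "Public Firewall profile enabled", "category": "Firewall",
  "severity": "high", "method": "registry",
  "path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile",
  "value": "EnableFirewall", "expected": 1, "compare": "eq"},
 {"name": "Minimum session security for NTLM SSP clients", "category": "LSA",
  "severity": "medium", "method": "registry",
  "path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0",
  "value": "NTLMMinClientSec", "expected": 537395200, "compare": "mask"}
]"""

# Constructed registry snapshot standing in for a test Windows 10 host; on a
# real host the lookup would read the live registry (e.g. with winreg).
SNAPSHOT = {
    ("HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile",
     "EnableFirewall"): 1,
    # 0x00080000 = 128-bit encryption required, but NTLMv2 session security
    # (0x20000000) is not, so the CIS check should fail on this host.
    ("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0",
     "NTLMMinClientSec"): 0x00080000,
}

def snapshot_lookup(path: str, value: str) -> Optional[int]:
    return SNAPSHOT.get((path, value))

def evaluate(check: dict, lookup: Callable[[str, str], Optional[int]]) -> dict:
    """Run one registry check and return a dashboard-style alert row."""
    actual = lookup(check["path"], check["value"])
    if actual is None:
        passed = False                       # a missing value never satisfies a check
    elif check["compare"] == "eq":
        passed = actual == check["expected"]
    elif check["compare"] == "mask":         # every required flag bit must be set
        passed = (actual & check["expected"]) == check["expected"]
    else:
        raise ValueError(f"unknown comparison {check['compare']!r}")
    return {
        "category": check["category"], "name": check["name"],
        "status": "resolved" if passed else "pending",
        "severity": None if passed else check["severity"],
        "description": f"Method={check['method']} Path={check['path']} Value={check['value']} Expected={check['expected']} Actual={actual}",
    }

def run_checks(checks_json: str = CHECKS_JSON, lookup=snapshot_lookup) -> list:
    return [evaluate(c, lookup) for c in json.loads(checks_json)]
```

Running `run_checks()` on the snapshot yields the firewall check as resolved and the NTLM check as pending with severity medium, mirroring the two dashboard rows shown above.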

The above should help guide you to:

  • Set up security best practices to minimize your attack footprint across your Windows infrastructure
  • Monitor your Windows infrastructure to ensure adherence to your security compliance policies
