This guide provides step-by-step instructions for implementing the Australian Cyber Security Centre (ACSC) Windows hardening guidelines using Azure Machine Configuration.

Azure prerequisites:
- Azure subscription with appropriate permissions
- Azure Policy and Machine Configuration enabled
- Resource group for storing configuration packages
- Storage account for hosting packages

Local tooling:
- PowerShell 5.1 or PowerShell Core 7.x
- Az PowerShell modules
- GuestConfiguration PowerShell module

Supported target operating systems:
- Windows 10 (supported versions)
- Windows 11 (all versions)
- Windows Server 2016, 2019, 2022

Target machine requirements:
- Azure VM or Arc-enabled server
- System-assigned managed identity
- Machine Configuration extension installed
Install the required modules and clone the repository:

```powershell
# Install required modules
Install-Module Az.Accounts -Force -AllowClobber
Install-Module Az.Resources -Force -AllowClobber
Install-Module Az.Storage -Force -AllowClobber
Install-Module Az.PolicyInsights -Force -AllowClobber
Install-Module GuestConfiguration -Force -AllowClobber

# Clone the repository
git clone https://github.com/your-org/ACSC-WindowsHardening.git
cd ACSC-WindowsHardening
```

Build the machine configuration packages:

```powershell
# Create all packages
.\scripts\New-ACSCMachineConfigurationPackage.ps1 -ConfigurationLevel All

# Or create a specific priority level only
.\scripts\New-ACSCMachineConfigurationPackage.ps1 -ConfigurationLevel HighPriority
```

Deploy the packages and policy definitions to Azure:

```powershell
# Deploy in audit mode (recommended for initial deployment)
.\scripts\Deploy-ACSCToAzure.ps1 -SubscriptionId "your-subscription-id" `
    -ResourceGroupName "acsc-hardening-rg" `
    -StorageAccountName "acscstorage123" `
    -Location "Australia East" `
    -EnforcementMode "Audit"

# Deploy in enforcement mode (for production deployment)
.\scripts\Deploy-ACSCToAzure.ps1 -SubscriptionId "your-subscription-id" `
    -ResourceGroupName "acsc-hardening-rg" `
    -StorageAccountName "acscstorage123" `
    -Location "Australia East" `
    -EnforcementMode "ApplyAndMonitor"
```

The high priority configurations implement the most critical security settings:
- User Account Control (UAC): Enhanced UAC prompting for privilege elevation
- Attack Surface Reduction (ASR): Microsoft Defender ASR rules
- Credential Protection: Credential Guard and WDigest configuration
- Controlled Folder Access: Ransomware protection
- Secure Desktop: Secure credential entry
- Early Launch Antimalware: Boot-time malware protection
- Exploit Protection: DEP, ASLR, and SEHOP
- Microsoft Defender: Real-time protection and cloud protection
- LAPS: Local Administrator Password Solution
- Windows Update: Automatic update configuration
- Autoplay/AutoRun: Disabled to prevent malware execution
- Windows Hello for Business: Multi-factor authentication
The medium priority configurations provide additional security hardening:
- Account Lockout Policy: Brute force protection
- Anonymous Connections: Restrict anonymous access
- Audit Event Management: Enhanced logging
- BitLocker: Drive encryption configuration
- Network Authentication: Secure authentication protocols
- Password Policy: Strong password requirements
- PowerShell Security: Script execution policy and logging
- Removable Storage: USB and removable media control
- Remote Desktop: Secure RDP configuration
- Session Locking: Automatic screen lock
- SMB Security: Secure file sharing
- Windows Firewall: Network protection
- Legacy Features: Disable insecure protocols
Each deployment runs in one of three enforcement modes (the `-EnforcementMode` value passed to `Deploy-ACSCToAzure.ps1`).

Audit mode:
- Purpose: Assess current compliance without making changes
- Use Case: Initial assessment, testing, compliance reporting
- Impact: No configuration changes applied to machines
- Recommendation: Use for initial deployment and ongoing monitoring

ApplyAndMonitor mode:
- Purpose: Apply configurations and monitor for drift
- Use Case: Production environments where compliance is required
- Impact: Configurations applied once, then monitored
- Recommendation: Use for stable production environments

Auto-correct mode (`ApplyAndAutoCorrect` in Azure Machine Configuration):
- Purpose: Apply configurations and automatically correct drift
- Use Case: High-security environments requiring constant compliance
- Impact: Configurations continuously enforced
- Recommendation: Use with caution, test thoroughly first
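To show what the enforcement mode maps to underneath, the following is an added example (not one of the project's scripts) that publishes an already-built package zip to blob storage and registers the matching Azure Policy definition with the chosen mode, using the GuestConfiguration and Az cmdlets directly. The package path, the `machine-configuration` container name and the `ACSC_HighPriority.zip` file name are assumptions; the container must already exist.

```powershell
# Added example, not part of the ACSC-WindowsHardening scripts. Publishes a built
# package zip to blob storage and registers an Azure Policy definition for it with
# the chosen enforcement mode. Assumes Az.Accounts, Az.Storage, Az.Resources and
# GuestConfiguration are installed and Connect-AzAccount has already been run.
function Publish-AcscPolicyDefinition {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,        # assumed path, e.g. .\output\ACSC_HighPriority.zip
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [string] $ContainerName = 'machine-configuration',  # assumed, must already exist
        [ValidateSet('Audit', 'ApplyAndMonitor', 'ApplyAndAutoCorrect')]
        [string] $Mode = 'Audit',                           # start with Audit; promote once results are reviewed
        [string] $PolicyVersion = '1.0.0'
    )

    # Audit               evaluates only and never changes the machine.
    # ApplyAndMonitor     applies the settings once and then reports drift.
    # ApplyAndAutoCorrect re-applies the settings whenever drift is detected.

    # 1. Upload the package and mint a read-only SAS URL the agent downloads it from.
    $ctx  = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Context
    $blob = Set-AzStorageBlobContent -File $PackagePath -Container $ContainerName -Context $ctx -Force
    $contentUri = New-AzStorageBlobSASToken -Context $ctx -Container $ContainerName -Blob $blob.Name `
        -Permission r -ExpiryTime (Get-Date).AddYears(3) -FullUri

    # 2. Generate the policy definition JSON. The -Mode value decides whether the
    #    assignment is audit-only or a DeployIfNotExists that applies the package.
    $baseName = [IO.Path]::GetFileNameWithoutExtension($PackagePath)
    $policy = New-GuestConfigurationPolicy `
        -PolicyId      ([guid]::NewGuid().ToString()) `
        -ContentUri    $contentUri `
        -DisplayName   "$baseName ($Mode)" `
        -Description   "ACSC Windows hardening package $baseName, enforcement mode $Mode" `
        -Path          (Join-Path $PWD 'policies') `
        -Platform      Windows `
        -PolicyVersion $PolicyVersion `
        -Mode          $Mode

    # 3. Register the definition in Azure Policy in the current subscription context.
    New-AzPolicyDefinition -Name "$baseName-$Mode" -Policy $policy.Path
}

# Usage: register the audit variant first, then re-run with -Mode ApplyAndMonitor
# for the same package once the audit results have been reviewed.
# Publish-AcscPolicyDefinition -PackagePath .\output\ACSC_HighPriority.zip `
#     -ResourceGroupName acsc-hardening-rg -StorageAccountName acscstorage123 -Mode Audit
```

The SAS token is read-only and scoped to the single blob, so the machines can fetch the package but nothing else in the account; rotate it before the expiry and re-register the definition when the package content changes, since the agent verifies the package against the hash embedded in the definition.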
Monitor compliance from Azure Policy in the portal:
- Navigate to Azure Policy in the Azure portal
- View compliance summary and details
- Drill down to specific non-compliant resources
- Review compliance over time

Monitor per-machine detail from the guest configuration assignments:
- View detailed per-setting compliance
- Access guest assignment reports
- Review configuration drift detection
- Monitor remediation activities
Query assignment status with Azure Resource Graph (the compliance fields live under `properties`, so they are projected explicitly):

```kusto
// Get compliance status for all ACSC configurations
PolicyResources
| where type == "microsoft.guestconfiguration/guestconfigurationassignments"
| where name has "ACSC"
| project name, resourceGroup,
          complianceStatus = tostring(properties.complianceStatus),
          assignmentHash   = tostring(properties.assignmentHash)
| order by name asc

// Get non-compliant machines
PolicyResources
| where type == "microsoft.guestconfiguration/guestconfigurationassignments"
| where name has "ACSC"
| where tostring(properties.complianceStatus) != "Compliant"
| project name, resourceGroup,
          complianceStatus            = tostring(properties.complianceStatus),
          lastComplianceStatusChecked = todatetime(properties.lastComplianceStatusChecked)
```

Common issues:

- Issue: DSC configuration compilation errors
- Solution: Check DSC module dependencies and syntax
- Command: `Test-DscConfiguration -Path ./configurations/`

- Issue: Insufficient permissions
- Solution: Ensure account has Policy Contributor role
- Permissions: `Microsoft.Authorization/policyDefinitions/write`

- Issue: Policy evaluation takes time
- Solution: Wait up to 30 minutes for the initial evaluation, or trigger one with the command below
- Command: `Start-AzPolicyComplianceScan -ResourceGroupName "rg-name"`

- Issue: Extension not installed on target machines
- Solution: Deploy prerequisites policy initiative
- Policy: "Deploy prerequisites to enable Guest Configuration policies on virtual machines"

Agent log locations:
- Azure VM: `C:\ProgramData\GuestConfig\gc_agent_logs\gc_agent.log`
- Arc-enabled: `C:\ProgramData\GuestConfig\arc_policy_logs\gc_agent.log`
Useful diagnostic commands:

```powershell
# Check policy compliance
Get-AzPolicyState -ResourceGroupName "your-rg" | Where-Object { $_.PolicyDefinitionName -like "*ACSC*" }

# View guest configuration assignments
Get-AzGuestConfigurationAssignment -ResourceGroupName "your-rg"

# Check machine configuration extension status
Get-AzVMExtension -ResourceGroupName "your-rg" -VMName "your-vm"
```

Recommended phased rollout:
- Phase 1: Deploy in audit mode to assess current state
- Phase 2: Deploy high priority configurations in apply mode
- Phase 3: Deploy medium priority configurations in apply mode
- Phase 4: Enable auto-correct mode for critical settings

Testing:
- Test configurations in development environment first
- Verify business application compatibility
- Document any required exceptions
- Establish rollback procedures

Exception handling:
- Document any configuration exceptions
- Implement compensating controls for exceptions
- Regularly review and validate exceptions
- Use Azure Policy exemptions for documented exceptions
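The exception points above can be made concrete with an added example (not part of the project) that records an approved exception as an Azure Policy exemption with an expiry, a change-record reference and the compensating control, and lists exemptions for review. The assignment name, scope and target resource ID are assumptions.

```powershell
# Added example, not part of the project: record an approved exception as an Azure
# Policy exemption with an expiry and a reference to the change record, so it is
# visible in compliance reports and gets re-reviewed. Assumes Az.Resources and that
# the assignment name, scope and target resource ID are yours.
function New-AcscDocumentedExemption {
    param(
        [Parameter(Mandatory)] [string] $AssignmentName,      # assumed, e.g. 'ACSC-HighPriority-Audit'
        [Parameter(Mandatory)] [string] $AssignmentScope,     # e.g. '/subscriptions/<subscription-id>'
        [Parameter(Mandatory)] [string] $TargetResourceId,    # VM or Arc machine resource ID being exempted
        [Parameter(Mandatory)] [string] $ChangeRecord,        # ticket/change ID documenting the exception
        [Parameter(Mandatory)] [string] $CompensatingControl, # what mitigates the gap while exempted
        [int] $DaysValid = 90                                 # forces periodic re-validation
    )

    $assignment = Get-AzPolicyAssignment -Name $AssignmentName -Scope $AssignmentScope

    # Exemption names must be unique within a scope; derive one from the change record.
    $exemptionName = 'acsc-exc-' + ($ChangeRecord -replace '[^A-Za-z0-9-]', '')

    # Category 'Mitigated' states that a compensating control covers the requirement;
    # use 'Waiver' only when the risk is accepted outright.
    New-AzPolicyExemption -Name $exemptionName `
        -PolicyAssignment $assignment `
        -Scope $TargetResourceId `
        -ExemptionCategory Mitigated `
        -ExpiresOn (Get-Date).AddDays($DaysValid).ToUniversalTime() `
        -DisplayName "ACSC exception $ChangeRecord" `
        -Description "Compensating control: $CompensatingControl. Re-validate before expiry." `
        -Metadata (@{ changeRecord = $ChangeRecord } | ConvertTo-Json -Compress)
}

# Review: list every exemption under the assignment scope so expiring ones can be
# re-approved or allowed to lapse. Exempted resources report as exempt, not compliant.
function Get-AcscExemptions {
    param([Parameter(Mandatory)] [string] $Scope)
    Get-AzPolicyExemption -Scope $Scope -IncludeDescendent
}
```

Because the exemption is scoped to a single machine resource and carries an expiry, the exception cannot quietly outlive its justification: when it lapses the machine shows up as non-compliant again in the Azure Policy and Resource Graph views described above.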
Configuration management:
- Use version control for all configurations
- Implement change management processes
- Document all customizations
- Maintain configuration baselines

Monitoring:
- Set up Azure Monitor alerts for compliance changes
- Implement regular compliance reporting
- Monitor for configuration drift
- Review compliance trends over time
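For the reporting and drift-monitoring points, here is an added example (not part of the project) that pulls the ACSC assignment status from Azure Resource Graph and summarises it per machine, suitable for a scheduled job. It assumes the Az.ResourceGraph module (`Search-AzGraph`) is installed, which is not in the module list above, and that the assignment names contain `ACSC` as the project's scripts produce them.

```powershell
# Added example, not part of the project: scheduled compliance report for the ACSC
# machine configuration assignments, built on Azure Resource Graph. Assumes the
# Az.ResourceGraph module (Search-AzGraph) and Reader access to the subscriptions.
function Get-AcscComplianceReport {
    param(
        [string] $NameFilter = 'ACSC',   # substring identifying the project's assignments
        [int]    $MaxRows    = 1000      # Search-AzGraph page size; page with -Skip if you have more
    )

    # The assignment id is <machine resource id>/providers/Microsoft.GuestConfiguration/...,
    # so segment 8 of the id is the VM or Arc machine name for either resource type.
    $query = @"
PolicyResources
| where type == 'microsoft.guestconfiguration/guestconfigurationassignments'
| where name has '$NameFilter'
| project machine     = tostring(split(id, '/')[8]),
          resourceGroup,
          assignment  = name,
          status      = tostring(properties.complianceStatus),
          lastChecked = todatetime(properties.lastComplianceStatusChecked)
| order by machine asc, assignment asc
"@
    $rows = Search-AzGraph -Query $query -First $MaxRows

    # One row per machine: how many ACSC assignments it has, how many are failing,
    # and which ones, so the report can feed an alert or a weekly review.
    $rows | Group-Object -Property machine | ForEach-Object {
        $failing = @($_.Group | Where-Object { $_.status -ne 'Compliant' })
        [pscustomobject]@{
            Machine       = $_.Name
            ResourceGroup = $_.Group[0].resourceGroup
            Assignments   = $_.Count
            NonCompliant  = $failing.Count
            Findings      = (($failing | ForEach-Object { "$($_.assignment)=$($_.status)" }) -join '; ')
            LastChecked   = ($_.Group.lastChecked | Sort-Object -Descending | Select-Object -First 1)
        }
    }
}

# Usage: write the report to CSV and raise a warning if anything drifted, so a
# pipeline or Automation runbook can surface it as an alert.
# $report = Get-AcscComplianceReport
# $report | Export-Csv -Path .\acsc-compliance.csv -NoTypeInformation
# if ($report | Where-Object NonCompliant -gt 0) { Write-Warning 'ACSC configuration drift detected' }
```

Statuses other than `Compliant` (including `Pending` and `NonCompliant`) are counted as findings, so a machine whose agent has stopped reporting is surfaced rather than silently dropping out of the compliant set.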
Maintenance:
- Regularly update machine configuration packages
- Review and update ACSC guidelines alignment
- Test new Azure Machine Configuration features
- Maintain documentation and procedures
This project is licensed under the MIT License - see the LICENSE file for details.