Note: The ClearPath Forward Hardening Tool for Windows has been qualified for use with the following operating systems:
Windows Server 2008 R2 SP1
Windows Server 2012
The ClearPath Forward Hardening Tool for Windows provides a configuration file with predefined security levels for improving the security of the operating system. The tool is a Windows PowerShell script named Apply-Hardening.ps1, and is available at C:\ProgramData\Unisys\Hardening. The script also stores rollback files, logs, and other artifacts it creates in the same folder.
Before running the script, be sure that the Windows PowerShell execution policy is set to RemoteSigned. To check and, if needed, set the execution policy:
Locate and right-click Windows PowerShell, select Run as administrator, type Get-ExecutionPolicy at the prompt, and then press Enter.
The current execution policy setting is displayed. By default, the setting is Restricted.
If the setting is not RemoteSigned, note down the setting, type Set-ExecutionPolicy RemoteSigned -force at the prompt, and then press Enter.
If desired, restore the Windows PowerShell execution policy setting to the recorded value after you run the hardening script.
To run the script, locate and right-click Windows PowerShell, select Run as administrator, and then enter the following command at the prompt:
C:\ProgramData\Unisys\Hardening\Apply-Hardening.ps1 -level <level number> <options>
Where
<level number> specifies the level of hardening. Valid values are 0, 1, or 2.
<options> specify whether to audit your current operating system security settings and generate a report, apply a configuration file without creating a rollback file of the current settings, or apply a specific configuration file.
Option | Description |
---|---|
-reportOnly | Generates an audit report. By default, the hardening tool applies security settings changes according to rules in the configuration file, and does not generate a report. Include this option to generate a report that compares the current operating system security settings to the recommended settings for the specified level. No changes are made to the operating system security settings. The report file is available at C:\ProgramData\Unisys\Hardening\report.txt. |
-noRollback | Skips the creation of a rollback file. By default, before applying any security setting changes, the hardening tool creates a rollback file containing the current settings of the operating system (C:\ProgramData\Unisys\Hardening\rollback<timestamp>.xml). Include this option to omit the creation of a rollback file. |
-file <file name> | Specifies a file that contains a set of hardening rules (security settings) in the recognized XML format. Use this option to apply one of the intermediate rollback files previously created by the tool, or to apply a custom configuration file. To create a custom configuration file, make a copy of the Unisys-supplied configuration file and modify the copy with your desired security setting values. If a file is specified, it is used instead of the Unisys-supplied configuration file. If no file is specified, the Unisys-supplied configuration file (C:\ProgramData\Unisys\Hardening\rules<OS version>.xml) is used. This option is ignored if the -level parameter is set to 0. |
-verbose | Displays details in the Windows PowerShell window as the hardening script executes. By default, the hardening tool runs silently. Include this option to display details: warning messages appear in yellow, and errors appear in red. This setting does not affect contents of the log or report files. |
Remember to reboot your operating system after running the script.
For detailed help and more information on the syntax, enter the following command at a Windows PowerShell prompt:
get-help C:\ProgramData\Unisys\Hardening\Apply-Hardening.ps1 -detailed
Examples
To set the operating system security settings to the level 1 settings in the Unisys-supplied configuration file:
C:\ProgramData\Unisys\Hardening\Apply-Hardening.ps1 -level 1
To generate an audit report of how the current operating system security settings are different from the level 1 settings in the Unisys-supplied configuration file, as well as display the report in the Windows PowerShell window:
C:\ProgramData\Unisys\Hardening\Apply-Hardening.ps1 -level 1 -reportOnly -verbose
To roll back the operating system security settings to the level 0 settings, and display progress in the Windows PowerShell window:
C:\ProgramData\Unisys\Hardening\Apply-Hardening.ps1 -level 0 -verbose
To set the operating system security settings to the level 2 settings in the Unisys-supplied configuration file, without creating a rollback file:
C:\ProgramData\Unisys\Hardening\Apply-Hardening.ps1 -level 2 -noRollback
To roll back the operating system security settings to the level 2 settings in the configuration file captured on September 19, 2013:
C:\ProgramData\Unisys\Hardening\Apply-Hardening.ps1 -level 2 -file C:\ProgramData\Unisys\hardening\Rollback\intermediate\0919201350804.xml
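
The following is an added example, not part of the Unisys tool or its documentation. It combines the steps above into one elevated session: record the execution policy, audit with -reportOnly before applying, confirm that a rollback file was written, and restore the policy. The function name Invoke-HardeningRun, the confirmation prompt, and the recursive search for the rollback file are assumptions of this example; paste it into a Windows PowerShell window started with Run as administrator.

```powershell
# Added example: audit first, then apply, restoring the execution policy afterwards.
# Invoke-HardeningRun is a hypothetical helper, not shipped with the hardening tool.
function Invoke-HardeningRun {
    param([ValidateRange(1, 2)][int]$Level = 1)
    $toolDir = 'C:\ProgramData\Unisys\Hardening'
    $tool    = Join-Path $toolDir 'Apply-Hardening.ps1'
    $report  = Join-Path $toolDir 'report.txt'

    # The tool changes system settings, so refuse to continue without elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Start Windows PowerShell with "Run as administrator" first.'
    }

    # Set-ExecutionPolicy writes the LocalMachine scope by default, so record that scope.
    $savedPolicy = Get-ExecutionPolicy -Scope LocalMachine
    try {
        if ($savedPolicy -ne 'RemoteSigned') {
            Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
        }
        # Step 1: audit only. No settings are changed; differences go to report.txt.
        & $tool -level $Level -reportOnly
        Get-Content $report
        if ((Read-Host "Apply level $Level settings now? (y/n)") -ne 'y') { return }

        # Step 2: apply, leaving the default rollback file creation enabled.
        $started = Get-Date
        & $tool -level $Level

        # Confirm a rollback file was written during this run. The search is
        # recursive because the exact subfolder is an assumption of this example.
        $rollback = Get-ChildItem -Path $toolDir -Recurse -Filter '*.xml' |
            Where-Object { $_.Name -notlike 'rules*' -and $_.LastWriteTime -ge $started }
        if ($rollback) {
            $rollback | ForEach-Object { "Rollback file: $($_.FullName)" }
        } else {
            Write-Warning 'No new rollback file found; check the tool log before rebooting.'
        }
        Write-Host 'Reboot the operating system to complete the change.'
    }
    finally {
        # Restore the recorded policy even if the hardening script failed.
        if ($savedPolicy -ne 'RemoteSigned') {
            Set-ExecutionPolicy -ExecutionPolicy $savedPolicy -Scope LocalMachine -Force
        }
    }
}
Invoke-HardeningRun -Level 1
```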