Northrop Grumman - Defining the Future



Baseline Applicator Tool Frequently Asked Questions

Q: What is the BAT?
A: The Baseline Applicator Tool (BAT) is an easy-to-use software application that helps secure machines running Microsoft Windows. The primary purpose of the BAT is to prepare machines before deployment, but it can be run anywhere, anytime.

Q: What does the BAT do?
A: The BAT automates much of the security baselining process that system administrators perform every time they deploy a new machine. This includes applying operating system security updates, applying local security policy settings, configuring automatic update settings, and installing antivirus software.

Q: What is the BAT Manager?
A: The BAT Manager is an application that allows administrators to easily manage BAT projects. Every facet of the BAT configuration, including the interview process, can be managed within the BAT Manager’s graphical user interface.

Q: Why separate the BAT and BAT Manager into two separate applications?
A: This functional separation isolates policy configuration from policy enforcement, allowing a small number of IT staff members to decide what security policies should be enforced within an enterprise. Since this also shields the end-user from making complex decisions, it ensures that the client process is incredibly simple. So, while the BAT Manager provides limitless power and flexibility, the BAT “just works.”

Q: There are dozens of network-based applications capable of managing my systems. Why do I need the BAT?
A: The BAT is intended to complement other enterprise management tools by adding two key benefits. First, the BAT secures machines before they touch a network. As soon as a system is attached to the network, it becomes vulnerable. Network-based security configuration systems can never 100% guarantee that a system isn’t compromised when the system is first deployed. Second, the BAT’s flexible deployment mechanism removes all network dependencies. If an enterprise has multiple networks, one BAT can handle securing every machine. As an example, the United States Army Europe uses the BAT to secure machines on both its classified and unclassified networks.

Q: Do I need to have any scripting or programming skills in order to use the BAT or BAT Manager?
A: Absolutely not. Both applications provide intuitive graphical user interfaces.

Q: What operating systems are supported by the BAT?
A: The BAT is capable of updating any 32-bit version of Microsoft Windows. The United States Army Europe uses the BAT to update/configure Windows XP Professional, Windows 2000 Professional, Windows 2000 Server, and Windows Server 2003. Adding support for a new Windows OS is a simple operation within the BAT Manager.

Q: Can the BAT update applications?
A: Yes. The BAT can be configured to detect and update just about any Windows application. The United States Army Europe used the BAT to update installations of Microsoft Office and Adobe Acrobat.

Q: What is the BAT process like?
A: The BAT attempts to reduce the time required to baseline a system to an absolute minimum. Most of the updates are done automatically with no intervention from the user. However, the BAT can be configured to take some user input. When the BAT first launches, the user completes a brief interview.

Q: What sorts of questions are asked during the BAT interview?
A: Sometimes, the BAT may need to ask a few questions about the particular machine being secured. Answers are provided in multiple-choice format. Examples include:

  1. Would you like to reset local security policy before the baseline is applied?
  2. Will this computer need to use a modem?
  3. Which network will this computer be connected to?
  4. What is the accreditation level of this computer?
  5. Which update server will this machine be closest to when deployed?
  6. What antivirus software would you like to install?

Q: Why would I want the BAT to reset local security policy?
A: This is useful if existing security policy settings (possibly applied by an older baseline) are causing problems on a machine. Security policy settings can occasionally cause software updates to fail during installation. If you have experienced problems while installing a software update, this new feature might help. Please note that any settings that are cleared are irrecoverable. By default, local security policy will not be reset and the BAT will simply overlay its settings onto the system.

Q: Can the BAT adjust antivirus definitions update settings?
A: Yes.

Q: How long does the BAT take to run?
A: This depends entirely on the speed and state of the system that the BAT is being run on. The BAT scans the machine and only performs necessary updates. If the system is relatively up-to-date, the BAT process can take less than a minute. A slow, out-of-date system can take much longer.

Q: After running the BAT, how can I find out what has been done to a machine?
A: In the system drive root directory (usually c:\), there will be a BatLog.txt file that lists exactly what was done to the machine.

Q: How does the BAT handle system restarts?
A: Some system updates require an immediate restart before other updates can be applied (operating system service packs are a good example of this). When an immediate reboot is required, the user will be notified and a restart button will become available. Clicking this button will restart the system. The user will then have to log back into the system. The BAT will automatically launch and pick up where it left off.

Q: Do I have to run the BAT from a CD?
A: No. CDs are commonly used to run the BAT due to the ubiquity of CD-ROM drives, but the BAT can be run from any form of media. External hard drives, DVD-ROM, even flash media will work just fine, provided they have enough storage capacity to hold the entire BAT image.

Q: Can I run the BAT on a machine that is already baselined?
A: Absolutely! In fact, it is recommended. Running the BAT ensures that your system is updated with all the latest security updates and settings.

Q: Is it okay to run the BAT on the same machine multiple times?
A: Yes! Because the BAT only performs the updates that are required, subsequent BAT installs take very little time.

Q: Will there be a problem if I attempt to run a BAT on an operating system other than one for which the BAT was configured?
A: No, the BAT knows what operating system(s) it is designed to update and will simply close if it detects a problem.

Q: What about Service Packs? What happens if I accidentally run an older BAT on a machine with a more recent service pack?
A: No worries, the BAT will detect this and refuse to run.

Q: Can I run the BAT from a network share?
A: Yes, but make sure the account you use will have access to the network location even if the system reboots. The BAT may need to reboot your machine, so make sure the network location will always be available.

Q: Can I run the BAT and skip the interview process?
A: Yes, all options can be specified using command line switches.

Q: What happens if the BAT fails to apply a policy setting?
A: The BAT scans your machine for vulnerabilities and missing policy settings and applies updates as necessary. If an item fails to install properly, a red X will be displayed next to it in the installation list and the failure will be noted in the log file. In most cases, the BAT will continue applying the baseline; however, failure of some critical updates (usually service packs) will cause the BAT to shut down.