Checklist Summary:
This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server.
Checklist Role:
- Server
Known Issues:
Not provided.
Target Audience:
This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Microsoft Windows Server.
Target Operational Environment:
- Managed
Testing Information:
This guide was tested on a system running Windows Server 2016.
Regulatory Compliance:
Not provided.
Comments/Warnings/Miscellaneous:
Not provided.
Disclaimer:
https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
Product Support:
support@cisecurity.org
Point of Contact:
support@cisecurity.org
Sponsor:
Not provided.
Licensing:
https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
Change History:
- Updated to FINAL - 05/05/2017
- Corrected title - 2/20/19
- Status Updated to FINAL - 3/20/19
- Updated URLs - 9/24/19
Dependency/Requirements:
Not provided.
References:
Not provided.
NIST checklist record last modified on 09/24/2019
Question
Hi, I need to implement the CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark recommended settings on both domain controllers and domain member servers, all running Windows Server 2016 (Release 1607). I have downloaded Microsoft Security Compliance Toolkit 1.0 — Policy Analyzer and Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip. Inside the .zip file there are the following baselines for Windows Server 2016:

I hope these security baselines are mapped to the settings recommended by the CIS benchmark. If so, then I should create two new GPOs, one linked to the Domain Controllers OU and the other linked to the domain; in the first GPO I should import the settings from the Domain Controllers Baseline GPO, and in the second GPO import the settings from the Member Server Baseline — Computer GPO. Is this the correct way? If not, how do I accomplish this, since the CIS Benchmark PDF has 800+ pages with a myriad of settings; doing this manually would be insane.
Edited Friday, April 6, 2018 1:54 PM
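One way to carry out the steps the question describes, as an added example that is not part of the original post, of Microsoft's toolkit or of CIS: the script below creates the two GPOs, imports the baseline backups into them, links them disabled so the settings report can be reviewed first, and writes an HTML report of each. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the baseline .zip has been extracted to the folder given as $BackupRoot, and that the backup GPOs carry the display names in $DcBackupName and $MsBackupName; both names and the CDATA layout of bkupInfo.xml are assumptions, which is why the script lists the names it actually finds and stops before importing anything if they do not match. Two cautions the question touches on: Microsoft's baseline and the CIS benchmark overlap but are maintained separately, so the imported GPO still has to be compared item by item with the benchmark rather than taken as a one-to-one mapping; and a member-server GPO linked at the domain root also reaches the Domain Controllers OU for every setting the DC GPO leaves undefined, which is why the script accepts a member-server OU instead.

```powershell
# Added example (not from the original post, Microsoft's toolkit or CIS): create
# the two GPOs, import the Security Baseline backups into them, link them
# disabled for review and write a settings report for each.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules; the baseline .zip
# extracted to $BackupRoot; the backup display names below (verified at run time).
#Requires -Modules GroupPolicy, ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$BackupRoot     = 'C:\Baselines\GPOs',                               # assumed path
    [string]$DcBackupName   = 'MSFT Windows Server 2016 - Domain Controller',    # assumed name
    [string]$MsBackupName   = 'MSFT Windows Server 2016 - Member Server',        # assumed name
    [string]$MemberServerOU = ''   # DN of an OU holding only member servers; '' = domain root
)

$domain   = Get-ADDomain
$msTarget = if ($MemberServerOU) { $MemberServerOU } else { $domain.DistinguishedName }

# Each backup folder holds a bkupInfo.xml whose GPODisplayName is what Import-GPO
# matches on (CDATA layout assumed from GPMC backups). List them so a wrong name
# fails here, before any GPO is created.
$found = @(Get-ChildItem -Path $BackupRoot -Recurse -Filter 'bkupInfo.xml' | ForEach-Object {
    [regex]::Match((Get-Content -Raw $_.FullName), 'GPODisplayName><!\[CDATA\[(.*?)\]\]>').Groups[1].Value
})
Write-Verbose ('Backups available: ' + ($found -join '; '))
foreach ($name in $DcBackupName, $MsBackupName) {
    if ($found -notcontains $name) { throw "No GPO backup named '$name' under $BackupRoot" }
}

$plan = @(
    @{ Backup = $DcBackupName; Gpo = 'SCT Baseline - Domain Controllers'; Target = $domain.DomainControllersContainer }
    @{ Backup = $MsBackupName; Gpo = 'SCT Baseline - Member Servers';     Target = $msTarget }
)

foreach ($item in $plan) {
    if (-not $PSCmdlet.ShouldProcess($item.Gpo, "import '$($item.Backup)' and link to $($item.Target)")) { continue }
    # -CreateIfNeeded creates the target GPO when missing; an existing GPO of
    # that name has its settings replaced by the backup's.
    $gpo = Import-GPO -BackupGpoName $item.Backup -Path $BackupRoot `
                      -TargetName $item.Gpo -CreateIfNeeded -ErrorAction Stop
    # Link disabled: review the report, then Set-GPLink -LinkEnabled Yes.
    $linked = (Get-GPInheritance -Target $item.Target).GpoLinks | Where-Object GpoId -eq $gpo.Id
    if (-not $linked) { New-GPLink -Guid $gpo.Id -Target $item.Target -LinkEnabled No | Out-Null }
    $report = Join-Path $env:TEMP ('{0}.html' -f ($item.Gpo -replace '[^\w-]', '_'))
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report
    Write-Output "Imported '$($item.Backup)' into '$($gpo.DisplayName)'; settings report: $report"
}
```

Run it once with -WhatIf -Verbose: the backup names are validated and the planned imports are printed without touching the domain. After a real run, open the two HTML reports and walk them against the benchmark items that apply to each role (the benchmark marks role-specific items "DC only" and "MS only"); anything the baseline leaves undefined or sets to a different value still has to be added to the GPO by hand.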
Product Overview
What’s Included
Note: Always ensure your operating system is current for your needs.
This product includes both of the software packages described below:
This image of Microsoft Windows Server 2016 is preconfigured by CIS to the recommendations in the associated CIS Benchmark. CIS Benchmarks are vendor agnostic, consensus-based security configuration guides both developed and accepted by government, business, industry, and academia. CIS Benchmarks also provide a foundation to comply with numerous cybersecurity frameworks.
Cloud environments and operating systems are not secure by default. Launching an image hardened according to the trusted security configuration baselines prescribed by a CIS Benchmark will reduce cost, time, and risk to an organization. This image has been hardened by CIS and is configured with the majority of the recommendations included in the free PDF version of the corresponding CIS Benchmark. The Level 1 Profile settings within the CIS Benchmark have been applied with the intent to provide a clear security benefit without inhibiting the utility of the technology beyond acceptable means. The hardening of this instance was configured through the utilization of local group policy.
To learn more or access the corresponding CIS Benchmark, please visit the Center for Internet Security website or visit our community platform, CIS WorkBench.
If this instance is used in a domain environment where policies are managed centrally, most of these security settings will be overridden and managed by domain Group Policy, because domain GPOs take precedence over the local group policy used to harden the image. CIS Benchmarks are developed in a unique consensus-based process.
Amazon EC2 running Microsoft Windows Server is a fast and dependable environment for deploying applications using the Microsoft Web Platform. Amazon EC2 enables you to run any compatible Windows-based solution on AWS’ high-performance, reliable, cost-effective, cloud computing platform. Common Windows use cases include Enterprise Windows-based application hosting, website and web-service hosting, data processing, media transcoding, distributed testing, ASP.NET application hosting, and any other application requiring Windows software.
Operating System
Windows, Windows Server 2016 Base 10.0.14393
Delivery Methods
- Amazon Machine Image
CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark
v1.0.0 - 03-31-2017
1 | P a g e
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security. https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
Table of Contents

Overview ... 24
Intended Audience ... 24
Consensus Guidance ... 24
Typographical Conventions ... 25
Scoring Information ... 25
Profile Definitions ... 26
Acknowledgements ... 28
Recommendations ... 29
1 Account Policies ... 29
1.1 Password Policy ... 29
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' (Scored) ... 29
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' (Scored) ... 32
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' (Scored) ... 34
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' (Scored) ... 36
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Scored) ... 38
1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' (Scored) ... 41
1.2 Account Lockout Policy ... 43
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' (Scored) ... 43
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' (Scored) ... 45
1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' (Scored) ... 47
2 Local Policies ... 49
2.1 Audit Policy ... 49
2.2 User Rights Assignment ... 49
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' (Scored) ... 49
2.2.2 (L1) Configure 'Access this computer from the network' (Scored) ... 51
2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' (Scored) ... 53
2.2.4 (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) (Scored) ... 55
2.2.5 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' (Scored) ... 57
2.2.6 (L1) Configure 'Allow log on locally' (Scored) ... 59
2.2.7 (L1) Configure 'Allow log on through Remote Desktop Services' (Scored) ... 61
2.2.8 (L1) Ensure 'Back up files and directories' is set to 'Administrators' (Scored) ... 63
2.2.9 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' (Scored) ... 65
2.2.10 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' (Scored) ... 68
2.2.11 (L1) Ensure 'Create a pagefile' is set to 'Administrators' (Scored) ... 70
2.2.12 (L1) Ensure 'Create a token object' is set to 'No One' (Scored) ... 72
2.2.13 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (Scored) ... 74
2.2.14 (L1) Ensure 'Create permanent shared objects' is set to 'No One' (Scored) ... 76
2.2.15 (L1) Configure 'Create symbolic links' (Scored) ... 78
2.2.16 (L1) Ensure 'Debug programs' is set to 'Administrators' (Scored) ... 80
2.2.17 (L1) Configure 'Deny access to this computer from the network' (Scored) ... 82
2.2.18 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' (Scored) ... 84
2.2.19 (L1) Ensure 'Deny log on as a service' to include 'Guests' (Scored) ... 86
2.2.20 (L1) Ensure 'Deny log on locally' to include 'Guests' (Scored) ... 88
2.2.21 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' (Scored) ... 90
2.2.22 (L1) Configure 'Enable computer and user accounts to be trusted for delegation' (Scored) ... 92
2.2.23 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' (Scored) ... 94
2.2.24 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Scored) ... 96
2.2.25 (L1) Configure 'Impersonate a client after authentication' (Scored) ... 98
2.2.26 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' (Scored) ... 100
2.2.27 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' (Scored) ... 102
2.2.28 (L1) Ensure 'Lock pages in memory' is set to 'No One' (Scored) ... 104
2.2.29 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only) (Scored) ... 106
2.2.30 (L1) Configure 'Manage auditing and security log' (Scored) ... 108
2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' (Scored) ... 110
2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' (Scored) ... 112
2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' (Scored) ... 114
2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' (Scored) ... 116
2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' (Scored) ... 118
2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Scored) ... 120
2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' (Scored) ... 122
2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators' (Scored) ... 124
2.2.39 (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only) (Scored) ... 126
2.2.40 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' (Scored) ... 128
2.3 Security Options ... 130
2.3.1.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (Scored) ... 130
2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' (Scored) ... 132
2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (Scored) ... 134
2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' (Scored) ... 136
2.3.1.5 (L1) Configure 'Accounts: Rename administrator account' (Scored) ... 138
2.3.1.6 (L1) Configure 'Accounts: Rename guest account' (Scored) ... 140
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' (Scored) ... 142
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' (Scored) ... 144
2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' (Scored) ... 146
2.3.4.2 (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' (Scored) ... 148
2.3.5.1 (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) (Scored) ... 150
2.3.5.2 (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) (Scored) ... 152
2.3.5.3 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) (Scored) ... 154
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' (Scored) ... 156
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' (Scored) ... 158
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' (Scored) ... 160
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' (Scored) ... 162
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' (Scored) ... 164
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' (Scored) ... 166
2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' (Scored) ... 168
2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' (Scored) ... 170
2.3.7.3 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' (Scored) ... 172
2.3.7.4 (L1) Configure 'Interactive logon: Message text for users attempting to log on' (Scored) ... 174
2.3.7.5 (L1) Configure 'Interactive logon: Message title for users attempting to log on' (Scored) ... 176
2.3.7.6 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only) (Scored) ... 178
2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' (Scored) ... 180
2.3.7.8 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only) (Scored) ... 182
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher (Scored) ... 184
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' (Scored) ... 186
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' (Scored) ... 189
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' (Scored) ... 192
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' (Scored) ... 194
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' (Scored) ... 196
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' (Scored) ... 199
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' (Scored) ... 202
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) (Scored) ... 204
2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' (Scored) ... 206
2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) (Scored) ... 208
2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) (Scored) ... 210
2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' (Scored) ... 212
2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' (Scored) ... 214
2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (Scored) ... 216
2.3.10.7 (L1) Configure 'Network access: Remotely accessible registry paths' (Scored) ... 218
2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' (Scored) ... 220
2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' (Scored) ... 223
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) (Scored) ... 225
2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' (Scored) ... 227
2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' (Scored) ... 229
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' (Scored) ... 231
2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' (Scored) ... 233
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' (Scored) ... 235
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' (Scored) ... 237
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' (Scored) ... 239
2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' (Scored) ... 241
2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' (Scored) ... 243
2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher (Scored) ... 246
2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Scored) ... 248
2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Scored) ... 250
2.3.13.1 (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' (Scored) ... 252
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' (Scored) ... 254
2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' (Scored) ... 256
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' (Scored) ... 258
2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' (Scored) ... 260
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' (Scored) ... 262
2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' (Scored) ... 264
2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' (Scored) ... 266
2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' (Scored) ... 268
2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' (Scored) ... 270
2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' (Scored) ... 272
2.3.17.9 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' (Scored) ... 274
3 Event Log ... 275
4 Restricted Groups ... 275
5 System Services ... 275
6 Registry ... 275
7 File System ... 275
8 Wired Network (IEEE 802.3) Policies ... 275
9 Windows Firewall With Advanced Security ... 276
9.1 Domain Profile ... 276
9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' (Scored) ... 276
9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' (Scored) ... 278
9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' (Scored) ... 280
9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' (Scored) ... 282
9.1.5 (L1) Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)' (Scored) ... 284
9.1.6 (L1) Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)' (Scored) ... 286
9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' (Scored) ... 288
9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Scored) ... 290
9.1.9 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' (Scored) ... 292
9.1.10 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' (Scored) ... 294
9.2 Private Profile ... 296
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' (Scored) ... 296
9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' (Scored) ... 298
9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' (Scored) ... 300
9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' (Scored) ... 302
9.2.5 (L1) Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)' (Scored) ... 304
9.2.6 (L1) Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)' (Scored) ... 306
9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' (Scored) ... 308
9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Scored) ... 310
9.2.9 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' (Scored) ... 312
9.2.10 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' (Scored) ... 314
9.3 Public Profile ... 316
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' (Scored) ... 316
9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' (Scored) ... 318
9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' (Scored) ... 320
9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes' (Scored) ... 322
9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' (Scored) ... 324
9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' (Scored) ... 326
9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' (Scored) ... 328
9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Scored) ... 330
9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' (Scored) ... 332
9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' (Scored) ... 334
10 Network List Manager Policies ... 336
11 Wireless Network (IEEE 802.11) Policies ... 336
12 Public Key Policies ... 336
13 Software Restriction Policies ... 336
14 Network Access Protection NAP Client Configuration ... 336
15 Application Control Policies ... 336
16 IP Security Policies ... 336
17 Advanced Audit Policy Configuration ... 337
17.1 Account Logon ... 337
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' (Scored) ... 337
17.2 Account Management ... 339
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' (Scored) ... 339
17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' (Scored) ... 341
17.2.3 (L1) Ensure 'Audit Distribution Group Management' is set to 'Success and Failure' (DC only) (Scored) ... 343
17.2.4 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' (Scored) ... 345
17.2.5 (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' (Scored) ... 347
17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' (Scored) ... 349
17.3 Detailed Tracking ... 351
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to 'Success' (Scored) ... 351
17.3.2 (L1) Ensure 'Audit Process Creation' is set to 'Success' (Scored) ... 353
17.4 DS Access ... 355
17.4.1 (L1) Ensure 'Audit Directory Service Access' is set to 'Success and Failure' (DC only) (Scored) ... 355
17.4.2 (L1) Ensure 'Audit Directory Service Changes' is set to 'Success and Failure' (DC only) (Scored) ... 357
17.5 Logon/Logoff ... 359
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure' (Scored) ... 359
17.5.2 (L1) Ensure 'Audit Group Membership' is set to 'Success' (Scored) ... 361
17.5.3 (L1) Ensure 'Audit Logoff' is set to 'Success' (Scored) ... 363
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' (Scored) ... 365
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' (Scored) ... 367
17.5.6 (L1) Ensure 'Audit Special Logon' is set to 'Success' (Scored) ... 369
17.6 Object Access ... 371
17.6.1 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' (Scored) ... 371
17.7 Policy Change ... 373
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' (Scored) ... 373
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' (Scored) ... 375
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success' (Scored) ... 377
17.8 Privilege Use ... 379
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' (Scored) ... 379
17.9 System ... 381
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' (Scored) ... 381
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' (Scored) ... 384
17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success' (Scored) ... 386
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' (Scored) ... 388
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' (Scored) ... 390
18 Administrative Templates (Computer) ... 392
18.1 Control Panel ... 392
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' (Scored) ... 392
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' (Scored) ... 394
18.1.2.1 (L1) Ensure 'Allow Input Personalization' is set to 'Disabled' (Scored) ... 396
18.2 LAPS ... 398
18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) (Scored)
39818.2.2 (L1) Ensure ‘Do not allow password expiration time longer
than required bypolicy’ is set to ‘Enabled’ (MS only) (Scored)
……………………………………………………………….
40118.2.3 (L1) Ensure ‘Enable Local Admin Password Management’ is
set to ‘Enabled’(MS only) (Scored)
…………………………………………………………………………………………………………….
40318.2.4 (L1) Ensure ‘Password Settings: Password Complexity’ is
set to ‘Enabled:Large letters + small letters + numbers + special characters’
(MS only) (Scored) .. 40518.2.5 (L1) Ensure ‘Password Settings: Password Length’ is set
to ‘Enabled: 15 ormore’ (MS only) (Scored)
…………………………………………………………………………………………………
40718.2.6 (L1) Ensure ‘Password Settings: Password Age (Days)’ is
set to ‘Enabled: 30or fewer’ (MS only) (Scored)
……………………………………………………………………………………………
40918.3 MSS (Legacy)
………………………………………………………………………………………………………………….
41118.3.1 (L1) Ensure ‘MSS: (AutoAdminLogon) Enable Automatic Logon
(notrecommended)’ is set to ‘Disabled’ (Scored)
………………………………………………………………..
41118.3.2 (L1) Ensure ‘MSS: (DisableIPSourceRouting IPv6) IP source
routingprotection level (protects against packet spoofing)’ is set to
‘Enabled: Highestprotection, source routing is completely disabled’ (Scored)
…………………………………….. 41318.3.3 (L1) Ensure ‘MSS: (DisableIPSourceRouting) IP source
routing protectionlevel (protects against packet spoofing)’ is set to ‘Enabled:
Highest protection,source routing is completely disabled’ (Scored)
………………………………………………………….
41518.3.4 (L1) Ensure ‘MSS: (EnableICMPRedirect) Allow ICMP
redirects to overrideOSPF generated routes’ is set to ‘Disabled’ (Scored)
………………………………………………….. 41718.3.5 (L2) Ensure ‘MSS: (KeepAliveTime) How often keep-alive
packets are sent inmilliseconds’ is set to ‘Enabled: 300,000 or 5 minutes
(recommended)’ (Scored) . 419 -
14 | P a g e
18.3.6 (L1) Ensure ‘MSS: (NoNameReleaseOnDemand) Allow the
computer to ignoreNetBIOS name release requests except from WINS servers’ is set
to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
42118.3.7 (L2) Ensure ‘MSS: (PerformRouterDiscovery) Allow IRDP to
detect andconfigure Default Gateway addresses (could lead to DoS)’ is set
to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
42318.3.8 (L1) Ensure ‘MSS: (SafeDllSearchMode) Enable Safe DLL
search mode(recommended)’ is set to ‘Enabled’ (Scored)
……………………………………………………………….
42518.3.9 (L1) Ensure ‘MSS: (ScreenSaverGracePeriod) The time in
seconds before thescreen saver grace period expires (0 recommended)’ is set to
‘Enabled: 5 or fewerseconds’ (Scored)
……………………………………………………………………………………………………………….
42718.3.10 (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions IPv6) How
many timesunacknowledged data is retransmitted’ is set to ‘Enabled: 3’
(Scored) ………………….. 42918.3.11 (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions) How many
timesunacknowledged data is retransmitted’ is set to ‘Enabled: 3’
(Scored) ………………….. 43118.3.12 (L1) Ensure ‘MSS: (WarningLevel) Percentage threshold
for the securityevent log at which the system will generate a warning’ is set to
‘Enabled: 90% orless’ (Scored)
………………………………………………………………………………………………………………………
43318.4 Network
…………………………………………………………………………………………………………………………..
43518.4.4.1 (L1) Set ‘NetBIOS node type’ to ‘P-node’ (Ensure NetBT
Parameter‘NodeType’ is set to ‘0x2 (2)’) (MS Only) (Scored)
………………………………………………………
43518.4.4.2 (L1) Ensure ‘Turn off multicast name resolution’ is set
to ‘Enabled’ (MSOnly) (Scored)
…………………………………………………………………………………………………………………….
43718.4.5.1 (L2) Ensure ‘Enable Font Providers’ is set to
‘Disabled’ (Scored) ……………. 43918.4.8.1 (L1) Ensure ‘Enable insecure guest logons’ is set to
‘Disabled’ (Scored) … 44118.4.9.1 (L2) Ensure ‘Turn on Mapper I/O (LLTDIO) driver’ is set
to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
44318.4.9.2 (L2) Ensure ‘Turn on Responder (RSPNDR) driver’ is set
to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
44518.4.10.2 (L2) Ensure ‘Turn off Microsoft Peer-to-Peer
Networking Services’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
44718.4.11.2 (L1) Ensure ‘Prohibit installation and configuration
of Network Bridge onyour DNS domain network’ is set to ‘Enabled’ (Scored)
……………………………………………. 44918.4.11.3 (L1) Ensure ‘Prohibit use of Internet Connection
Sharing on your DNSdomain network’ is set to ‘Enabled’ (Scored)
……………………………………………………………….
451 -
15 | P a g e
18.4.11.4 (L1) Ensure ‘Require domain users to elevate when
setting a network’slocation’ is set to ‘Enabled’ (Scored)
………………………………………………………………………………
45318.4.14.1 (L1) Ensure ‘Hardened UNC Paths’ is set to ‘Enabled,
with «Require MutualAuthentication» and «Require Integrity» set for all NETLOGON and
SYSVOL shares’(Scored)
……………………………………………………………………………………………………………………………….
45518.4.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter
‘DisabledComponents’ isset to ‘0xff (255)’) (Scored)
……………………………………………………………………………………………..
45818.4.20.1 (L2) Ensure ‘Configuration of wireless settings using
Windows ConnectNow’ is set to ‘Disabled’ (Scored)
……………………………………………………………………………………
46018.4.20.2 (L2) Ensure ‘Prohibit access of the Windows Connect
Now wizards’ is setto ‘Enabled’ (Scored)
…………………………………………………………………………………………………………
46218.4.21.1 (L1) Ensure ‘Minimize the number of simultaneous
connections to theInternet or a Windows Domain’ is set to ‘Enabled’ (Scored)
……………………………………. 46418.4.21.2 (L2) Ensure ‘Prohibit connection to non-domain
networks whenconnected to domain authenticated network’ is set to ‘Enabled’
(MS only) (Scored)……………………………………………………………………………………………………………………………………………….
46618.5 Printers
……………………………………………………………………………………………………………………………
46718.6 SCM: Pass the Hash Mitigations
………………………………………………………………………………….
46818.6.1 (L1) Ensure ‘Apply UAC restrictions to local accounts on
network logons’ isset to ‘Enabled’ (MS only) (Scored)
………………………………………………………………………………..
46818.6.2 (L1) Ensure ‘WDigest Authentication’ is set to ‘Disabled’
(Scored) …………….. 47118.7 Start Menu and Taskbar
……………………………………………………………………………………………….
47218.8 System
……………………………………………………………………………………………………………………………..
47318.8.3.1 (L1) Ensure ‘Include command line in process creation
events’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
47318.8.12.1 (L1) Ensure ‘Boot-Start Driver Initialization Policy’
is set to ‘Enabled:Good, unknown and bad but critical’ (Scored)
……………………………………………………………..
47718.8.19.2 (L1) Ensure ‘Configure registry policy processing: Do
not apply duringperiodic background processing’ is set to ‘Enabled: FALSE’
(Scored) …………………….. 48018.8.19.3 (L1) Ensure ‘Configure registry policy processing:
Process even if theGroup Policy objects have not changed’ is set to ‘Enabled: TRUE’
(Scored) ………….. 48218.8.19.4 (L1) Ensure ‘Continue experiences on this device’ is
set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
484 -
16 | P a g e
18.8.19.5 (L1) Ensure ‘Turn off background refresh of Group
Policy’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
48618.8.20.1.1 (L2) Ensure ‘Turn off access to the Store’ is set to
‘Enabled’ (Scored) . 48818.8.20.1.2 (L2) Ensure ‘Turn off downloading of print drivers
over HTTP’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
49018.8.20.1.3 (L2) Ensure ‘Turn off handwriting personalization
data sharing’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
49218.8.20.1.4 (L2) Ensure ‘Turn off handwriting recognition error
reporting’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
49418.8.20.1.5 (L2) Ensure ‘Turn off Internet Connection Wizard if
URL connection isreferring to Microsoft.com’ is set to ‘Enabled’ (Scored)
…………………………………………….. 49618.8.20.1.6 (L2) Ensure ‘Turn off Internet download for Web
publishing and onlineordering wizards’ is set to ‘Enabled’ (Scored)
……………………………………………………………..
49818.8.20.1.7 (L2) Ensure ‘Turn off printing over HTTP’ is set to
‘Enabled’ (Scored) 50018.8.20.1.8 (L2) Ensure ‘Turn off Registration if URL connection
is referring toMicrosoft.com’ is set to ‘Enabled’ (Scored)
…………………………………………………………………..
50218.8.20.1.9 (L2) Ensure ‘Turn off Search Companion content file
updates’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
50418.8.20.1.10 (L2) Ensure ‘Turn off the «Order Prints» picture
task’ is set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
50618.8.20.1.11 (L2) Ensure ‘Turn off the «Publish to Web» task for
files and folders’ isset to ‘Enabled’ (Scored)
…………………………………………………………………………………………………..
50818.8.20.1.12 (L2) Ensure ‘Turn off the Windows Messenger
Customer ExperienceImprovement Program’ is set to ‘Enabled’ (Scored)
……………………………………………………
51018.8.20.1.13 (L2) Ensure ‘Turn off Windows Customer Experience
ImprovementProgram’ is set to ‘Enabled’ (Scored)
……………………………………………………………………………..
51218.8.20.1.14 (L2) Ensure ‘Turn off Windows Error Reporting’ is
set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
51418.8.23.1 (L2) Ensure ‘Support device authentication using
certificate’ is set to‘Enabled: Automatic’ (Scored)
…………………………………………………………………………………………
51618.8.24.1 (L2) Ensure ‘Disallow copying of user input methods to
the systemaccount for sign-in’ is set to ‘Enabled’ (Scored)
…………………………………………………………..
51818.8.25.1 (L1) Ensure ‘Block user from showing account details
on sign-in’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
520 -
17 | P a g e
18.8.25.2 (L1) Ensure ‘Do not display network selection UI’ is
set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
52218.8.25.3 (L1) Ensure ‘Do not enumerate connected users on
domain-joinedcomputers’ is set to ‘Enabled’ (Scored)
………………………………………………………………………….
52418.8.25.4 (L1) Ensure ‘Enumerate local users on domain-joined
computers’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
52618.8.25.5 (L1) Ensure ‘Turn off app notifications on the lock
screen’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
52818.8.25.6 (L1) Ensure ‘Turn on convenience PIN sign-in’ is set
to ‘Disabled’ (Scored)……………………………………………………………………………………………………………………………………………….
53018.8.26.1 (L1) Ensure ‘Untrusted Font Blocking’ is set to
‘Enabled: Block untrustedfonts and log events’ (Scored)
…………………………………………………………………………………………
53218.8.29.5.1 (L2) Ensure ‘Allow network connectivity during
connected-standby (onbattery)’ is set to ‘Disabled’ (Scored)
……………………………………………………………………………..
53518.8.29.5.2 (L2) Ensure ‘Allow network connectivity during
connected-standby(plugged in)’ is set to ‘Disabled’ (Scored)
……………………………………………………………………..
53718.8.29.5.3 (L2) Ensure ‘Require a password when a computer
wakes (on battery)’is set to ‘Enabled’ (Scored)
……………………………………………………………………………………………….
53918.8.29.5.4 (L2) Ensure ‘Require a password when a computer
wakes (plugged in)’is set to ‘Enabled’ (Scored)
……………………………………………………………………………………………….
54118.8.31.1 (L1) Ensure ‘Configure Offer Remote Assistance’ is set
to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
54318.8.31.2 (L1) Ensure ‘Configure Solicited Remote Assistance’ is
set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
54518.8.32.1 (L1) Ensure ‘Enable RPC Endpoint Mapper Client
Authentication’ is set to‘Enabled’ (MS only) (Scored)
…………………………………………………………………………………………..
54718.8.32.2 (L2) Ensure ‘Restrict Unauthenticated RPC clients’ is
set to ‘Enabled:Authenticated’ (MS only) (Scored)
…………………………………………………………………………………
54918.8.39.5.1 (L2) Ensure ‘Microsoft Support Diagnostic Tool: Turn
on MSDTinteractive communication with support provider’ is set to
‘Disabled’ (Scored) …. 55318.8.39.11.1 (L2) Ensure ‘Enable/Disable PerfTrack’ is set to
‘Disabled’ (Scored) 55618.8.41.1 (L2) Ensure ‘Turn off the advertising ID’ is set to
‘Enabled’ (Scored) …… 55818.8.44.1.1 (L2) Ensure ‘Enable Windows NTP Client’ is set to
‘Enabled’ (Scored) 560 -
18 | P a g e
18.8.44.1.2 (L2) Ensure ‘Enable Windows NTP Server’ is set to
‘Disabled’ (MS only)(Scored)
……………………………………………………………………………………………………………………………….
56218.9 Windows Components
………………………………………………………………………………………………….
56418.9.4.1 (L2) Ensure ‘Allow a Windows app to share application
data between users’is set to ‘Disabled’ (Scored)
……………………………………………………………………………………………..
56518.9.5.1 (L2) Ensure ‘Let Windows apps *’ is set to ‘Enabled:
Force Deny’ (Scored)……………………………………………………………………………………………………………………………………………….
56718.9.6.1 (L1) Ensure ‘Allow Microsoft accounts to be optional’
is set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
57118.9.6.2 (L2) Ensure ‘Block launching Windows Store apps with
Windows RuntimeAPI access from hosted content.’ is set to ‘Enabled’ (Scored)
…………………………………… 57318.9.8.1 (L1) Ensure ‘Disallow Autoplay for non-volume devices’
is set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
57518.9.8.2 (L1) Ensure ‘Set the default behavior for AutoRun’ is
set to ‘Enabled: Do notexecute any autorun commands’ (Scored)
……………………………………………………………………
57718.9.8.3 (L1) Ensure ‘Turn off Autoplay’ is set to ‘Enabled: All
drives’ (Scored) ….. 57918.9.10.1.1 (L1) Ensure ‘Use enhanced anti-spoofing when
available’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
58118.9.12.1 (L2) Ensure ‘Allow Use of Camera’ is set to ‘Disabled’
(Scored) …………….. 58318.9.13.1 (L1) Ensure ‘Turn off Microsoft consumer experiences’
is set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
58518.9.14.1 (L1) Ensure ‘Require pin for pairing’ is set to
‘Enabled’ (Scored) ………….. 58718.9.15.1 (L1) Ensure ‘Do not display the password reveal
button’ is set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
58918.9.15.2 (L1) Ensure ‘Enumerate administrator accounts on
elevation’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
59118.9.16.1 (L1) Ensure ‘Allow Telemetry’ is set to ‘Enabled: 0 —
Security [EnterpriseOnly]’ (Scored)
……………………………………………………………………………………………………………………
59318.9.16.2 (L1) Ensure ‘Disable pre-release features or settings’
is set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
59518.9.16.3 (L1) Ensure ‘Do not show feedback notifications’ is
set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
59718.9.16.4 (L1) Ensure ‘Toggle user control over Insider builds’
is set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
599 -
19 | P a g e
18.9.26.1.1 (L1) Ensure ‘Application: Control Event Log behavior
when the log filereaches its maximum size’ is set to ‘Disabled’ (Scored)
…………………………………………….. 60218.9.26.1.2 (L1) Ensure ‘Application: Specify the maximum log
file size (KB)’ is set to‘Enabled: 32,768 or greater’ (Scored)
……………………………………………………………………………
60418.9.26.2.1 (L1) Ensure ‘Security: Control Event Log behavior
when the log filereaches its maximum size’ is set to ‘Disabled’ (Scored)
…………………………………………….. 60618.9.26.2.2 (L1) Ensure ‘Security: Specify the maximum log file
size (KB)’ is set to‘Enabled: 196,608 or greater’ (Scored)
………………………………………………………………………….
60818.9.26.3.1 (L1) Ensure ‘Setup: Control Event Log behavior when
the log file reachesits maximum size’ is set to ‘Disabled’ (Scored)
…………………………………………………………….
61018.9.26.3.2 (L1) Ensure ‘Setup: Specify the maximum log file
size (KB)’ is set to‘Enabled: 32,768 or greater’ (Scored)
……………………………………………………………………………
61218.9.26.4.1 (L1) Ensure ‘System: Control Event Log behavior when
the log filereaches its maximum size’ is set to ‘Disabled’ (Scored)
…………………………………………….. 61418.9.26.4.2 (L1) Ensure ‘System: Specify the maximum log file
size (KB)’ is set to‘Enabled: 32,768 or greater’ (Scored)
……………………………………………………………………………
61618.9.30.2 (L1) Ensure ‘Configure Windows SmartScreen’ is set to
‘Enabled’ (Scored)……………………………………………………………………………………………………………………………………………….
61918.9.30.3 (L1) Ensure ‘Turn off Data Execution Prevention for
Explorer’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
62118.9.30.4 (L1) Ensure ‘Turn off heap termination on corruption’
is set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
62318.9.30.5 (L1) Ensure ‘Turn off shell protocol protected mode’
is set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
62518.9.37.2 (L2) Ensure ‘Turn off location’ is set to ‘Enabled’
(Scored) …………………….. 62818.9.41.1 (L2) Ensure ‘Allow Extensions’ is set to ‘Disabled’
(Scored) …………………… 63018.9.41.2 (L2) Ensure ‘Allow InPrivate Browsing’ is set to
‘Disabled’ (Scored) ……. 63218.9.41.3 (L1) Ensure ‘Configure cookies’ is set to ‘Enabled:
Block only 3rd-partycookies’ or higher (Scored)
………………………………………………………………………………………………
63418.9.41.4 (L1) Ensure ‘Configure Password Manager’ is set to
‘Disabled’ (Scored)63618.9.41.5 (L2) Ensure ‘Configure Pop-up Blocker’ is set to
‘Enabled’ (Scored) …….. 63818.9.41.6 (L1) Ensure ‘Configure search suggestions in Address
bar’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
64018.9.41.7 (L1) Ensure ‘Configure SmartScreen Filter’ is set to
‘Enabled’ (Scored) . 642 -
20 | P a g e
18.9.41.8 (L2) Ensure ‘Prevent access to the about:flags page in
Microsoft Edge’ isset to ‘Enabled’ (Scored)
…………………………………………………………………………………………………..
64418.9.41.9 (L2) Ensure ‘Prevent bypassing SmartScreen prompts for
files’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
64618.9.41.10 (L2) Ensure ‘Prevent bypassing SmartScreen prompts
for sites’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
64818.9.41.11 (L2) Ensure ‘Prevent using Localhost IP address for
WebRTC’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
65018.9.47.1 (L1) Ensure ‘Prevent the usage of OneDrive for file
storage’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
65318.9.52.2.2 (L1) Ensure ‘Do not allow passwords to be saved’ is
set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
65618.9.52.3.2.1 (L2) Ensure ‘Restrict Remote Desktop Services
users to a singleRemote Desktop Services session’ is set to ‘Enabled’ (Scored)
………………………………… 65818.9.52.3.3.1 (L2) Ensure ‘Do not allow COM port redirection’ is
set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
66018.9.52.3.3.2 (L1) Ensure ‘Do not allow drive redirection’ is
set to ‘Enabled’ (Scored)……………………………………………………………………………………………………………………………………………….
66218.9.52.3.3.3 (L2) Ensure ‘Do not allow LPT port redirection’ is
set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
66418.9.52.3.3.4 (L2) Ensure ‘Do not allow supported Plug and Play
device redirection’is set to ‘Enabled’ (Scored)
……………………………………………………………………………………………….
66618.9.52.3.9.1 (L1) Ensure ‘Always prompt for password upon
connection’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
66818.9.52.3.9.2 (L1) Ensure ‘Require secure RPC communication’ is
set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
67018.9.52.3.9.3 (L1) Ensure ‘Set client connection encryption
level’ is set to ‘Enabled:High Level’ (Scored)
………………………………………………………………………………………………………….
67218.9.52.3.10.1 (L2) Ensure ‘Set time limit for active but idle
Remote DesktopServices sessions’ is set to ‘Enabled: 15 minutes or less’
(Scored) ………………………….. 67418.9.52.3.10.2 (L2) Ensure ‘Set time limit for disconnected
sessions’ is set to‘Enabled: 1 minute’ (Scored)
……………………………………………………………………………………………
67618.9.52.3.11.1 (L1) Ensure ‘Do not delete temp folders upon
exit’ is set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
678 -
21 | P a g e
18.9.52.3.11.2 (L1) Ensure ‘Do not use temporary folders per
session’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
68018.9.53.1 (L1) Ensure ‘Prevent downloading of enclosures’ is set
to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
68218.9.54.2 (L1) Ensure ‘Allow Cortana’ is set to ‘Disabled’
(Scored) ………………………… 68418.9.54.3 (L1) Ensure ‘Allow Cortana above lock screen’ is set
to ‘Disabled’ (Scored)……………………………………………………………………………………………………………………………………………….
68618.9.54.4 (L1) Ensure ‘Allow indexing of encrypted files’ is set
to ‘Disabled’ (Scored)……………………………………………………………………………………………………………………………………………….
68818.9.54.5 (L1) Ensure ‘Allow search and Cortana to use location’
is set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
69018.9.59.1 (L2) Ensure ‘Turn off KMS Client Online AVS
Validation’ is set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
69218.9.61.1 (L2) Ensure ‘Disable all apps from Windows Store’ is
set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
69418.9.61.2 (L1) Ensure ‘Turn off Automatic Download and Install
of updates’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
69618.9.61.3 (L1) Ensure ‘Turn off the offer to update to the
latest version of Windows’is set to ‘Enabled’ (Scored)
……………………………………………………………………………………………….
69818.9.61.4 (L2) Ensure ‘Turn off the Store application’ is set to
‘Enabled’ (Scored) 70018.9.69.3.1 (L2) Ensure ‘Join Microsoft MAPS’ is set to
‘Disabled’ (Scored) ………….. 70418.9.69.8.1 (L2) Ensure ‘Configure Watson events’ is set to
‘Disabled’ (Scored)….. 70618.9.73.1 (L2) Ensure ‘Allow suggested apps in Windows Ink
Workspace’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
70818.9.73.2 (L1) Ensure ‘Allow Windows Ink Workspace’ is set to
‘Enabled: On, butdisallow access above lock’ OR ‘Disabled’ but not ‘Enabled: On’
(Scored) …………….. 71018.9.74.1 (L1) Ensure ‘Allow user control over installs’ is set
to ‘Disabled’ (Scored)……………………………………………………………………………………………………………………………………………….
71218.9.74.2 (L1) Ensure ‘Always install with elevated privileges’
is set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
71418.9.74.3 (L2) Ensure ‘Prevent Internet Explorer security prompt
for WindowsInstaller scripts’ is set to ‘Disabled’ (Scored)
……………………………………………………………….
71618.9.75.1 (L1) Ensure ‘Sign-in last interactive user
automatically after a system-initiated restart’ is set to ‘Disabled’ (Scored)
……………………………………………………………….
718 -
22 | P a g e
18.9.84.1 (L1) Ensure ‘Turn on PowerShell Script Block Logging’
is set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
72118.9.84.2 (L1) Ensure ‘Turn on PowerShell Transcription’ is set
to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
72318.9.86.1.1 (L1) Ensure ‘Allow Basic authentication’ is set to
‘Disabled’ (Scored) . 72518.9.86.1.2 (L1) Ensure ‘Allow unencrypted traffic’ is set to
‘Disabled’ (Scored) … 72718.9.86.1.3 (L1) Ensure ‘Disallow Digest authentication’ is set
to ‘Enabled’ (Scored)……………………………………………………………………………………………………………………………………………….
72918.9.86.2.1 (L1) Ensure ‘Allow Basic authentication’ is set to
‘Disabled’ (Scored) . 73118.9.86.2.2 (L2) Ensure ‘Allow remote server management through
WinRM’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
73318.9.86.2.3 (L1) Ensure ‘Allow unencrypted traffic’ is set to
‘Disabled’ (Scored) … 73518.9.86.2.4 (L1) Ensure ‘Disallow WinRM from storing RunAs
credentials’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
73718.9.87.1 (L2) Ensure ‘Allow Remote Shell Access’ is set to
‘Disabled’ (Scored) ….. 73918.9.90.1.1 (L1) Ensure ‘Select when Feature Updates are
received’ is set to‘Enabled: Current Branch for Business, 180 days’ (Scored)
……………………………………… 74218.9.90.1.2 (L1) Ensure ‘Select when Quality Updates are
received’ is set to‘Enabled: 0 days’ (Scored)
………………………………………………………………………………………………..
74418.9.90.2 (L1) Ensure ‘Configure Automatic Updates’ is set to
‘Enabled’ (Scored) 74618.9.90.3 (L1) Ensure ‘Configure Automatic Updates: Scheduled
install day’ is set to‘0 — Every day’ (Scored)
…………………………………………………………………………………………………….
74818.9.90.4 (L1) Ensure ‘No auto-restart with logged on users for
scheduled automaticupdates installations’ is set to ‘Disabled’ (Scored)
………………………………………………………
75019 Administrative Templates (User)
………………………………………………………………………………………
75219.1 Control Panel
………………………………………………………………………………………………………………….
75219.1.3.1 (L1) Ensure ‘Enable screen saver’ is set to ‘Enabled’
(Scored) …………………. 75319.1.3.2 (L1) Ensure ‘Force specific screen saver: Screen saver
executable name’ isset to ‘Enabled: scrnsave.scr’ (Scored)
…………………………………………………………………………..
75519.1.3.3 (L1) Ensure ‘Password protect the screen saver’ is set
to ‘Enabled’ (Scored)……………………………………………………………………………………………………………………………………………….
75719.1.3.4 (L1) Ensure ‘Screen saver timeout’ is set to ‘Enabled:
900 seconds or fewer,but not 0′ (Scored)
……………………………………………………………………………………………………………..
759 -
23 | P a g e
19.2 Desktop
……………………………………………………………………………………………………………………………
76019.3 Network
…………………………………………………………………………………………………………………………..
76019.4 Shared Folders
……………………………………………………………………………………………………………….
76019.5 Start Menu and Taskbar
……………………………………………………………………………………………….
76019.5.1.1 (L1) Ensure ‘Turn off toast notifications on the lock
screen’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
76119.6 System
……………………………………………………………………………………………………………………………..
76319.6.5.1.1 (L2) Ensure ‘Turn off Help Experience Improvement
Program’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
76419.7 Windows Components
………………………………………………………………………………………………….
76619.7.4.1 (L1) Ensure ‘Do not preserve zone information in file
attachments’ is set to‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
76719.7.4.2 (L1) Ensure ‘Notify antivirus programs when opening
attachments’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
76919.7.7.1 (L2) Ensure ‘Configure Windows spotlight on Lock
Screen’ is set toDisabled’ (Scored)
……………………………………………………………………………………………………………..
77119.7.7.2 (L1) Ensure ‘Do not suggest third-party content in
Windows spotlight’ is setto ‘Enabled’ (Scored)
…………………………………………………………………………………………………………
77319.7.7.3 (L2) Ensure ‘Turn off all Windows spotlight features’
is set to ‘Enabled’(Scored)
……………………………………………………………………………………………………………………………….
77519.7.26.1 (L1) Ensure ‘Prevent users from sharing files within
their profile.’ is set to‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
77919.7.39.1 (L1) Ensure ‘Always install with elevated privileges’
is set to ‘Disabled’(Scored)
……………………………………………………………………………………………………………………………….
78319.7.43.2.1 (L2) Ensure ‘Prevent Codec Download’ is set to
‘Enabled’ (Scored) ….. 785Appendix: Summary Table
……………………………………………………………………………………………………………
787Appendix: Change History
…………………………………………………………………………………………………………….
815 -
24 | P a g e
Overview
This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected]
Intended Audience
This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Microsoft Windows Server.
Consensus Guidance
This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set
Contents
- Cis benchmark windows 10
- Center for Internet Security (CIS) Benchmarks
- About CIS Benchmarks
- Microsoft and the CIS Benchmarks
- Microsoft in-scope cloud platforms & services
- Audits, reports, and certificates
- How to implement
- Frequently asked questions
- Use Microsoft Compliance Manager to assess your risk
- Cis benchmark windows 10
- Solutions
- Join CIS
- Resources
- CIS Benchmarks: best practices, guidelines and recommendations for information security
- Critical Security Controls
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configurations for hardware and software
- Use of administrative privileges
- Maintenance, monitoring and analysis of audit logs
- Email and web browser protections
- Malware defenses
- Limitation and control of network ports
- Data recovery capability
- Secure configurations for network devices
- Data protection
Cis benchmark windows 10
This repository contains PowerShell DSC code for the secure configuration of Windows according to the following hardening guidelines:
Read more about it on our NVISO Blog
CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark v1.8.1
The file CIS_Windows10_v181.ps1 contains the PowerShell DSC configuration that applies the CIS Microsoft Windows 10 benchmark with the recommended controls.
The CIS benchmark is available on the following website:
Please note the following exceptions:
For control 5.39 (L2) Ensure ‘Windows Remote Management (WS-Management) (WinRM)’ is set to ‘Disabled’, modify to 2 for testing.
For control 18.9.97.2.2 (L2) Ensure ‘Allow remote server management through WinRM’ is set to ‘Disabled’, modify to 1 for testing.
CIS Microsoft Windows Server 2019 Release 1809 benchmark v1.1.0
The file CIS_WindowsServer2019_v110.ps1 contains the PowerShell DSC configuration that applies the CIS Microsoft Windows Server 2019 benchmark with the recommended controls.
The CIS benchmark is available on the following website:
Please note the following exceptions:
Some controls in chapter 2.2 (Local Policies: User Rights Assignment) are commented out because they are duplicates.
For control 18.9.97.2.2 (L2) Ensure ‘Allow remote server management through WinRM’ is set to ‘Disabled’, modify to 1 for testing.
For control 19.7.41.1 (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’, it is in comment because this is a duplicate of the control 18.9.85.2 (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’.
CIS Microsoft Windows Server 2016 Release 1607 benchmark v1.1.0
The file CIS_WindowsServer2016_v110.ps1 contains the PowerShell DSC configuration that applies the CIS Microsoft Windows Server 2016 benchmark with the recommended controls.
The CIS benchmark is available on the following website:
Please note the following exceptions:
Some controls in chapter 2.2 (Local Policies: User Rights Assignment) are commented out because they duplicate other controls.
For control 18.9.97.2.2 (L2) Ensure ‘Allow remote server management through WinRM’ is set to ‘Disabled’: the value is modified to 1 for testing.
Control 19.7.40.1 (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’ is commented out because it duplicates control 18.9.85.2 (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’.
Azure Security Center Baseline for Windows Server 2016
The file AzSC_CCEv4_WindowsServer2016.ps1 contains all controls in the Azure Security Center Baseline for Windows Server 2016.
Azure Security Center Baseline for Windows Server 2016 can be found here:
Windows Event Log and Audit Policy Best Practices
The file AuditPolicy_WindowsServer2016.ps1 contains the PowerShell DSC code that applies Windows event logging and audit settings best practices.
These best practices are based on guidelines from Malware Archeology:
To apply the CIS benchmark PowerShell DSC code, follow these steps in an elevated PowerShell prompt:
1. Install the required PowerShell DSC modules.
2. Compile the CIS benchmark PowerShell DSC code. A MOF file will be created.
3. Increase the maximum WinRM envelope size.
4. Enable Windows Remote Management.
5. Apply the PowerShell DSC configuration.
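The steps above as one PowerShell session, with a verification step at the end. This is an added example, not the repository's own instructions: the module names, the MOF folder name and the envelope size are assumptions, so check them against the Import-DscResource lines and the Configuration name in the script you compile.

```powershell
# Added example (not NVISO code): apply a compiled CIS DSC configuration and
# verify the result. Run from an elevated PowerShell prompt on the target host.

# 1. Modules the DSC resources come from. ASSUMPTION: these are the modules
#    the configuration script imports; confirm against its Import-DscResource lines.
$requiredModules = 'AuditPolicyDSC', 'SecurityPolicyDSC', 'NetworkingDSC'
foreach ($m in $requiredModules) {
    if (-not (Get-Module -ListAvailable -Name $m)) {
        Install-Module -Name $m -Scope AllUsers -Force
    }
}

# 2. Compile. Running the script defines and invokes the Configuration, which
#    writes localhost.mof into a folder named after the configuration.
$script    = '.\CIS_WindowsServer2016_v110.ps1'
$mofFolder = '.\CIS_WindowsServer2016_v110'   # ASSUMPTION: folder = Configuration name
& $script
if (-not (Test-Path (Join-Path $mofFolder 'localhost.mof'))) {
    throw "No MOF in $mofFolder; check the Configuration name inside $script"
}

# 3. A benchmark-sized MOF exceeds WinRM's default envelope size, so raise it
#    before the configuration is pushed over WS-Management. 2048 KB is an assumption.
Set-Item -Path WSMan:\localhost\MaxEnvelopeSizekb -Value 2048

# 4. The Local Configuration Manager is driven over WinRM even for localhost.
Enable-PSRemoting -Force

# 5. Apply, waiting for completion so that resource errors surface in this session.
Start-DscConfiguration -Path $mofFolder -Wait -Verbose -Force

# 6. Verify. Test-DscConfiguration re-evaluates every resource and lists those
#    that have drifted from the compiled state; re-run it periodically for drift.
$result = Test-DscConfiguration -Detailed
if ($result.InDesiredState) {
    Write-Host 'All resources are in the desired state.'
} else {
    $result.ResourcesNotInDesiredState |
        Select-Object ResourceId, InstanceName |
        Format-Table -AutoSize
}
```

The WinRM exceptions listed for each baseline exist for this reason: the Local Configuration Manager is reached over WS-Management, so a configuration that disables WinRM cannot be pushed, and cannot be re-checked with Test-DscConfiguration afterwards.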
The relevant baselines have been tested on the following operating systems:
This code is provided as is. Please test thoroughly before applying it to production systems.
Center for Internet Security (CIS) Benchmarks
About CIS Benchmarks
The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, it follows a consensus decision-making model.
CIS benchmarks are configuration baselines and best practices for securely configuring a system. Each of the guidance recommendations references one or more CIS controls that were developed to help organizations improve their cyberdefense capabilities. CIS controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others.
Each benchmark undergoes two phases of consensus review. The first occurs during initial development when experts convene to discuss, create, and test working drafts until they reach consensus on the benchmark. During the second phase, after the benchmark has been published, the consensus team reviews the feedback from the internet community for incorporation into the benchmark.
CIS benchmarks provide two levels of security settings:
- Level 1 recommends essential basic security requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality.
- Level 2 recommends security settings for environments requiring greater security that could result in some reduced functionality.
CIS Hardened Images are securely configured virtual machine images based on CIS Benchmarks hardened to either a Level 1 or Level 2 CIS benchmark profile. Hardening is a process that helps protect against unauthorized access, denial of service, and other cyberthreats by limiting potential weaknesses that make systems vulnerable to cyberattacks.
Microsoft and the CIS Benchmarks
The Center for Internet Security (CIS) has published benchmarks for Microsoft products and services including the Microsoft Azure and Microsoft 365 Foundations Benchmarks, the Windows 10 Benchmark, and the Windows Server 2016 Benchmark. The CIS Microsoft Azure Foundations Benchmark is intended for customers who plan to develop, deploy, assess, or secure solutions that incorporate Azure. The document provides prescriptive guidance for establishing a secure baseline configuration for Azure.
CIS benchmarks are internationally recognized as security standards for defending IT systems and data against cyberattacks. Used by thousands of businesses, they offer prescriptive guidance for establishing a secure baseline configuration. System and application administrators, security specialists, and others who develop solutions using Microsoft products and services can use these best practices to assess and improve the security of their applications.
Like all CIS benchmarks, the Microsoft benchmarks were created using a consensus review process based on input from subject matter experts with diverse backgrounds spanning software development, audit and compliance, security research, operations, government, and law. Microsoft was an integral partner in these CIS efforts. For example, Office 365 was tested against the listed services, and the resulting Microsoft 365 Foundations Benchmark covers a broad range of recommendations for setting appropriate security policies that cover account and authentication, data management, application permissions, storage, and other security policy areas.
In addition to the benchmarks for Microsoft products and services, CIS has published CIS Hardened Images on Azure configured to meet CIS Benchmarks and available from Microsoft Azure Marketplace. These images include the CIS Hardened Images for Windows Server 2016 and Windows Server 2019, as well as many versions of Linux. All CIS Hardened Images that are available in Azure Marketplace are certified to run on Microsoft Azure. As stated by CIS, ‘they have been pre-tested for readiness and compatibility with the Microsoft Azure public cloud, Microsoft Cloud Platform hosted by service providers through the Cloud OS Network, and on-premises private cloud Windows Server Hyper-V deployments managed by customers’.
CIS Hardened Images are securely configured virtual machine images based on CIS Benchmarks hardened to either a Level 1 or Level 2 CIS Benchmark profile. Hardening is a process that helps protect against unauthorized access, denial of service, and other cyber threats by limiting potential weaknesses that make systems vulnerable to cyber attacks. CIS Hardened Images are available on both Azure and Azure Government.
For additional customer assistance, Microsoft provides Azure Blueprints, which is a service that helps you deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. To help you deploy a core set of policies for any Azure-based architecture that must implement CIS Azure Foundations Benchmark recommendations, Microsoft has published the Azure Blueprint for CIS Microsoft Azure Foundations Benchmark. When assigned to an architecture, resources are evaluated by Azure Policy for compliance with assigned policy definitions.
Microsoft in-scope cloud platforms & services
Audits, reports, and certificates
Get a complete list of CIS benchmarks for Microsoft products and services.
How to implement
Frequently asked questions
Will following CIS Benchmark settings ensure the security of my applications?
CIS benchmarks establish the basic level of security for anyone adopting in-scope Microsoft products and services. However, they should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate its specific situation, workloads, and compliance requirements and tailor its environment accordingly.
How often are CIS Benchmarks updated?
The release of revised CIS Benchmarks changes depending on the community of IT professionals who developed it and on the release schedule of the technology the benchmark supports. CIS distributes monthly reports that announce new benchmarks and updates to existing benchmarks. To receive these, register for the CIS Workbench (it’s free) and check Receive newsletter in your profile.
Who contributed to the development of Microsoft CIS Benchmarks?
CIS notes that its ‘Benchmarks are developed through the generous volunteer efforts of subject matter experts, technology vendors, public and private CIS Benchmark community members, and the CIS Benchmark Development team.’ For example, you’ll find a list of Azure contributors on CIS Microsoft Azure Foundations Benchmark v1.0.0 Now Available.
Use Microsoft Compliance Manager to assess your risk
Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization’s compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.
Securing Microsoft Intune for Windows 10
An objective, consensus-driven security guideline for the Microsoft Intune for Windows 10 Operating Systems.
A step-by-step checklist to secure Microsoft Intune for Windows 10:
Download Latest CIS Benchmark
For Microsoft Intune for Windows 10 1.0.0 (CIS Microsoft Intune for Windows 10 Release 2004 Benchmark version 1.0.1)
CIS has worked with the community since 2020 to publish a benchmark for Microsoft Intune for Windows 10
Other CIS Benchmark versions:
For Microsoft Intune for Windows 10 (CIS Microsoft Intune for Windows 10 Release 2004 Benchmark version 1.0.0)
CIS Benchmarks: best practices, guidelines and recommendations for information security
The Center for Internet Security (CIS) is a nonprofit organization that develops its own benchmarks and recommendations, which allow organizations to improve their security and compliance programs. The initiative aims to establish baseline security configuration levels for the systems commonly found in every organization.
Several dozen guidelines for the secure configuration of various systems are available for download: Windows, Linux, OSX, MySQL, Cisco and many others: learn.cisecurity.org/benchmarks
In this article I will look at the "Critical Security Controls Version 6.1", a checklist for verifying system security.
Critical security controls
Inventory of authorized and unauthorized devices
Deploy automated asset discovery tools and use them to build a preliminary inventory of the systems connected to the organization's public and private networks. Use both active tools that scan IPv4 or IPv6 network address ranges and passive tools that identify hosts by analyzing their traffic. Use a combination of active and passive tools and apply them as part of a continuous monitoring program.
If the organization assigns addresses dynamically using DHCP, use this information to improve the device inventory and to detect unknown systems.
Ensure that all newly acquired equipment is added to the inventory lists.
Maintain inventory lists of all systems connected to the network and of the network devices themselves, recording at least the network addresses, machine names, the purpose of each system, the owner responsible for each device, and the department associated with each device.
The inventory should include every system with an IP address on the network, including but not limited to workstations, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, network storage, IP phones, and so on.
Deploy 802.1x network-level authentication to limit and control which devices can connect to the network. Devices using 802.1x should be tied to the inventory data so that authorized and unauthorized systems can be told apart.
Use certificates to authenticate systems before they connect to the private network.
Inventory of authorized and unauthorized software
Create a list of the authorized software and versions required in the enterprise for each type of system, including servers, workstations and laptops of various purposes and uses. This list should be monitored by file integrity checking tools to confirm that the authorized software has not been modified. File integrity is verified as part of the continuous monitoring program.
Use application whitelisting technology that allows systems to run software only if it is included in the whitelist and prevents the execution of all other software on the system. The whitelist may be very broad, so that users are not inconvenienced when using common software, or, for some special-purpose systems (which require only a small number of programs to achieve the necessary business functionality), the whitelist may be quite narrow.
The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Software inventory systems should be tied to the hardware inventory so that all devices and their associated software are tracked from a single source.
Secure configurations for hardware and software
Establish standard secure configurations for your operating systems and software applications (they can be downloaded from the link at the beginning of the article).
Maintain these configurations by creating secure installation images that are used to build all new systems deployed in the enterprise. Regular updates or exceptions to the image should be integrated into the organization's change management processes. Images should be created for workstations, servers, and other systems used by the organization.
Store master images on securely configured servers, validated with integrity checking tools. Alternatively, these images may be stored on offline machines.
The integrity of the image files is verified as part of the continuous monitoring program.
Perform all remote administration of servers, workstations, network devices and similar equipment over secure channels. Protocols such as telnet, VNC, RDP or others that do not support encryption should be used only if they are run over a secondary encryption channel such as SSL, TLS or IPSEC.
Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries and configurations) have not been altered. Integrity checks should identify suspicious system changes such as: owner and permission changes to files or directories; the use of alternate data streams, which could be used to hide malicious activity; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers, or additional files inadvertently added during batch distribution processes). The integrity of important system files is verified as part of the continuous monitoring program.
Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible person.
Subscribe to vulnerability intelligence mailing lists (security-list, bugtraq) to stay aware of emerging risks and respond promptly. Also ensure that the vulnerability scanning tools you use are updated regularly.
Deploy automated patch management tools to update operating system software and application software on all systems. Patches should be applied to all systems, even standalone ones.
Use of administrative privileges
Minimize administrative privileges and use administrative accounts only when they are required. Implement focused auditing of the use of administrative privileged accounts and monitor for anomalous behavior.
Use automated tools to inventory all administrative accounts and validate that each person with administrator rights is authorized to hold those rights as part of their job function.
Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points and other systems.
Configure systems to log and alert when an account is added to or removed from a domain administrators group, or when a new local administrator account is added to a system.
Configure systems to log and alert on any unsuccessful login to an administrative account.
Use multi-factor authentication for all administrative access, including domain administrator access. Multi-factor authentication can include a variety of techniques, such as smart cards, certificates, tokens, biometrics, or other similar authentication methods.
Administrators should use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine should be isolated from the organization's primary network and not be allowed Internet access. It should not be used for reading email, composing documents, or browsing the Internet.
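The two logging controls above (privileged group membership changes, failed administrative logons) as a detection query over the Windows Security log. This is an added example and not part of the CIS text: the event IDs are the standard Security log IDs for those events, the group and account names are constructed sample data, and ConvertFrom-SecurityEvent and Find-PrivilegedAccountChange are names chosen here.

```powershell
# Added example: turn the "log and alert" controls into a detection query.
# Event IDs used: 4728/4732/4756 (member added to a security-enabled global/
# local/universal group), 4720 (user account created), 4625 (failed logon).

function ConvertFrom-SecurityEvent {
    # Normalise an EventLogRecord into a plain object whose Data hashtable is
    # keyed by the EventData field names, so the filter below does not depend
    # on positional Properties[] indices that differ between event IDs.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $Record.Id; TimeCreated = $Record.TimeCreated; Data = $data }
    }
}

function Find-PrivilegedAccountChange {
    param(
        [Parameter(ValueFromPipeline)] $Event,
        # Groups whose membership changes should alert (constructed defaults).
        [string[]] $WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        # Administrative account names whose failed logons should alert.
        [string[]] $AdminAccounts = @()
    )
    process {
        $d = $Event.Data
        $finding = switch ($Event.Id) {
            { $_ -in 4728, 4732, 4756 } {
                if ($d.TargetUserName -in $WatchedGroups) {
                    "Member $($d.MemberName) added to $($d.TargetUserName) by $($d.SubjectUserName)"
                }
            }
            4720 { "Account $($d.TargetUserName) created by $($d.SubjectUserName)" }
            4625 {
                if ($d.TargetUserName -in $AdminAccounts) {
                    "Failed logon for admin account $($d.TargetUserName) from $($d.IpAddress)"
                }
            }
        }
        if ($finding) {
            [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Finding = $finding }
        }
    }
}

# Constructed sample records (same shape ConvertFrom-SecurityEvent produces),
# so the filter can be exercised offline. Names and addresses are made up.
$sample = @(
    [pscustomobject]@{ Id = 4728; TimeCreated = [datetime]'2019-07-10T14:41:00'
        Data = @{ MemberName = 'CN=j.doe,OU=Users,DC=example,DC=test'; TargetUserName = 'Domain Admins'; SubjectUserName = 'svc-helpdesk' } },
    [pscustomobject]@{ Id = 4732; TimeCreated = [datetime]'2019-07-10T14:42:00'
        Data = @{ MemberName = 'S-1-5-21-1-2-3-1001'; TargetUserName = 'Remote Desktop Users'; SubjectUserName = 'admin01' } },  # not watched
    [pscustomobject]@{ Id = 4625; TimeCreated = [datetime]'2019-07-10T14:43:00'
        Data = @{ TargetUserName = 'admin01'; IpAddress = '10.0.0.5' } }
)
$sample | Find-PrivilegedAccountChange -AdminAccounts 'admin01' | Format-Table -AutoSize
# Expected: two findings (the Domain Admins addition and the failed admin logon);
# the Remote Desktop Users change is ignored.

# Live use on a domain controller or member server (elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756, 4625;
#                                  StartTime = (Get-Date).AddHours(-24) } |
#     ConvertFrom-SecurityEvent | Find-PrivilegedAccountChange -AdminAccounts 'admin01'
```

A 4720 on its own only says an account was created; the "new local administrator" case the control describes is the 4720 followed by a 4732 into the local Administrators group, which is why both IDs are collected and the time column is kept for correlation.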
Maintenance, monitoring and analysis of audit logs
Include at least two synchronized time sources from which all servers and network equipment retrieve time information on a regular basis, so that timestamps in logs are consistent.
Validate the audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and any other system information. Systems should record logs in a standardized format such as syslog entries or those described by the Common Event Expression initiative (on the CIS site). If systems cannot generate logs in a standardized format, log normalization tools must be used to convert logs into such a format.
Ensure that all systems that store logs have adequate storage space for them. Logs must be archived and digitally signed on a periodic basis.
Configure network boundary devices, including firewalls, network IPS, and inbound and outbound proxies, to log all traffic (both allowed and blocked) in sufficient detail.
Deploy a SIEM (Security Information and Event Management) system both to aggregate and consolidate logs from multiple machines and to correlate and analyze them. Using the SIEM tool, system administrators and security personnel should build profiles of the common events from given systems in order to tune anomaly detection.
Email and web browser protection
Ensure that only fully supported web browsers and email clients are allowed to be used in the organization, ideally only the latest version of the browsers, in order to take advantage of the latest security features and fixes.
Uninstall or disable any unnecessary or unauthorized browser or email client plugins/applications.
Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the use of languages such as ActiveX and JavaScript on systems where there is no need to support such capabilities.
The organization should maintain and enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization should subscribe to URL categorization (blacklisting) services to ensure they are up to date with the latest website category definitions. Uncategorized sites are blocked by default. This filtering should be enforced for each of the organization's systems.
To lower the chance of spoofed email messages, implement SPF.
Enable email content filtering and web content filtering.
Malware defenses
Use automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, firewall and IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
Use anti-malware software that offers a centralized infrastructure for collecting file reputation information. After an update is applied, automated systems should verify that each system has received the update.
Configure laptops, workstations, and servers so that they do not auto-run content from removable media such as USB flash drives, USB hard drives, CD/DVD discs, FireWire devices, and mounted network shares. Configure systems to automatically scan removable media.
Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it reaches the endpoint; apply preventive protection measures.
Limitation and control of network ports
Ensure that only ports, protocols and services with validated business needs are running on each system.
Perform automated port scans on a regular basis against all key servers. If a change is detected that is not listed in the organization's approved server profile, an alert should be generated and the port reviewed.
Place application firewalls in front of any critical servers to verify the traffic going to the server. Any unauthorized access attempts or traffic should be blocked and an alert raised.
Data recovery capability
Ensure that each system is automatically backed up on a regular schedule, and more frequently for systems storing sensitive information.
To ensure the ability to rapidly restore a system from backup, the operating system, application software and data on a workstation should all be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of a malware infection the system can be restored from a version that predates the original infection. All backup policies should comply with any regulatory or official requirements.
Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
Secure configurations for network devices
Compare the configuration of each firewall, router and switch against the standard secure configurations defined for each type of network device used in the organization. The security configuration of such devices should be documented, reviewed, and approved by the IT/security team. Any deviations from the standard configuration, or updates to it, should be documented and approved in a change control system.
All new configuration rules beyond the baseline configuration that allow traffic to flow through network security devices, such as firewalls and network IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change and a person responsible for that business need.
Use automated tools to verify standard device configurations and detect changes. All alterations to such files should be logged and automatically reported to security personnel.
Install the latest stable version of any security-related updates on all network devices.
Network engineers should use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine should be isolated from the organization's primary network and not be allowed Internet access. It should not be used for reading email, composing documents, or browsing the Internet.
Deploy network-based IDS sensors on DMZ systems and networks to spot anomalies and detect compromise of these systems. They may detect attacks through the use of signatures, behavior analysis, or other mechanisms for analyzing traffic.
Data protection
Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
Deploy approved hard drive encryption software for devices and systems holding sensitive data.
Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them.
Question
Hello,
Are there powershell/batch/other scripts that can help verify if a Windows 2016 server is compliant with all the rules in the CIS_Microsoft_Windows_Server_2016_RTM_Release_1607_Benchmark_v1.1.0 pdf?
Thanks,
Craig
July 10, 2019, 14:41
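Not a reply from the thread and not CIS or NVISO code: an added illustration of what a PowerShell check of registry-backed benchmark settings looks like. The two rows are the controls quoted elsewhere on this page (18.9.85.2 and 18.9.97.2.2) with the registry value each policy writes; Test-RegistryControl is a name chosen here. The full set of benchmark checks is what CIS-CAT Pro (mentioned further down) or Test-DscConfiguration against a compiled DSC baseline covers; this shows only the per-setting logic such a scan performs.

```powershell
# Added example: audit a few registry-backed CIS settings and report drift.
# The table is deliberately short; a real scan holds hundreds of rows.

$checks = @(
    [pscustomobject]@{
        Control  = '18.9.85.2 (L1) Always install with elevated privileges = Disabled'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        Name     = 'AlwaysInstallElevated'
        Expected = 0
    },
    [pscustomobject]@{
        Control  = '18.9.97.2.2 (L2) Allow remote server management through WinRM = Disabled'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
        Name     = 'AllowAutoConfig'
        Expected = 0
    }
)

function Test-RegistryControl {
    param([Parameter(ValueFromPipeline)] $Check)
    process {
        # Get-ItemPropertyValue throws when the key or the value is missing.
        # Report that as NotConfigured rather than Pass: a benchmark audit
        # expects the policy to be set explicitly, not merely left at default.
        $actual = $null
        try   { $actual = Get-ItemPropertyValue -Path $Check.Path -Name $Check.Name -ErrorAction Stop }
        catch { $actual = $null }

        $status = if ($null -eq $actual)              { 'NotConfigured' }
                  elseif ($actual -eq $Check.Expected) { 'Pass' }
                  else                                 { 'Fail' }

        [pscustomobject]@{
            Control  = $Check.Control
            Expected = $Check.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

$results = $checks | Test-RegistryControl
$results | Format-Table -AutoSize

# Summarise for a scheduled task or ticket: anything that is not Pass is drift.
$nonCompliant = @($results | Where-Object Status -ne 'Pass')
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) of $($results.Count) checked settings are not compliant."
}
```

Note the L2 WinRM row: on a host that is managed through PowerShell DSC or remote PowerShell it will report Fail by design, which is the same tension the NVISO README resolves by keeping WinRM enabled for testing.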
CIS Check Point Firewall Benchmark v1.1.0
Provides prescriptive guidance for establishing a secure configuration posture for Check Point Firewall versions R75.x – 80.x installed on the Gaia platform. The guide was tested against Check Point R80.10 installed on Gaia.
Special thanks to Jayesh Rajan, Danny Kane, Tom Fowler and the community for their contributions.
Download the CIS Check Point Firewall Benchmark
Our members can visit CIS WorkBench to download other formats and related resources.
CIS Google Kubernetes Engine Benchmark v1.1.0*
This CIS Benchmark only includes controls which can be modified by an end user of GKE. For information on GKE’s performance against the CIS Kubernetes Benchmarks, and for items which cannot be audited or modified, see the GKE documentation.
Download the CIS Google Kubernetes Engine Benchmark
Our members can visit CIS WorkBench to download other formats and related resources.
CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.2.0*
This guide was tested against Microsoft Windows Server 2016 Datacenter. The community made several changes to improve this CIS Benchmark:
- Added 15+ new security settings
- Moved and renamed several settings due to updated ADMX templates
- Updated 20+ recommendations that were outdated
- Removed 5+ settings that were outdated
The full change log is included at the end of both the PDF and DOC versions for download.
A huge thank you to the Windows Community and Team for making this happen, and special thanks to Haemish Edgerton.
Download the CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark
CIS VMware ESXi 6.7 Benchmark v1.1.0*
Prescriptive guidance for establishing a secure configuration posture for VMware ESXi 6.7. The guide was tested against VMware ESXi 6.7.
Download the CIS VMware ESXi 6.7 Benchmark
Get Involved – We’re looking for volunteers! Help us develop content, review recommendations, test CIS Benchmarks, and more by joining a community. Drafts are available for review in the communities for the following technologies:
- Amazon Web Services
- Ubuntu Linux – 20.04
- Zoom Video Communication
- Kubernetes – multiple CIS Benchmarks underway
- Cisco – NX-OS
- Oracle MySQL
Have questions about the CIS Benchmark development process, how you can contribute, or how to get involved? Reach out to us at benchmarkinfo@cisecurity.org
*CIS Benchmark content will be included in the next release of CIS-CAT Pro. Learn more about CIS-CAT Pro.
The post CIS Benchmarks June 2020 Update appeared first on CIS.