Cis microsoft windows server benchmark

Microsoft Windows and Windows Server Benchmarks

Problem

I’m having difficulty understanding which Microsoft Windows Benchmark my organization needs.

Solution

All published CIS Microsoft Windows Benchmarks can be found at the CIS Microsoft Windows Benchmarks community in CIS WorkBench. The following tables list each type of Microsoft Windows Benchmark and their intended use:

Windows Server Benchmarks	Intended For
CIS Microsoft Windows Server 2022 Benchmark	This secure configuration guide is based on Microsoft Windows Server 2022 (Release 21H2) and is intended for all versions of Microsoft Windows Server 2022 operating system, including older versions.
CIS Azure Compute Microsoft Windows Server 2022 Benchmark	This secure configuration guide is based on Server 2022 settings available via built in Microsoft profiles in Azure and is intended for all versions of the Server 2022 operating system, including older versions.
CIS Microsoft Windows Server 2019 Benchmark	This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server. This guide was tested against Microsoft Windows Server 2019 Datacenter.
CIS Microsoft Windows Server 2019 STIG Benchmark	This secure configuration guide is based on Microsoft Windows Server 2019 Security Technical Implementation Guide (STIG) and is intended for all versions of the Server 2019 operating system, including older versions.
CIS Azure Compute Microsoft Windows Server 2019 Benchmark	This secure configuration guide is based on Server 2019 settings available via built in Microsoft profiles in Azure, and is intended for all versions of the Server 2019 operating system, including older versions.
CIS Microsoft Windows Server 2016 Benchmark	This secure configuration guide is based on Microsoft Windows Server 2016 and is intended for all versions of the Server 2016 operating system, including older versions.
CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark	This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server. This guide was tested against Microsoft Windows Server 2016 Datacenter.
CIS Microsoft Windows Server 2016 STIG Benchmark	This secure configuration guide is based on Microsoft Windows Server 2016 (ADMX/ADML Template Release for 21H2) and is intended for all versions of the Server 2016 operating system, including older versions.
CIS Microsoft Windows Server 2012 R2 Benchmark	This secure configuration guide is based on Windows Server 2012 R2 and is intended for all versions of the Server 2012 R2 operating system, including older versions.
CIS Microsoft Windows Server 2012 (non-R2) Benchmark	This secure configuration guide is based on Windows Server 2012 and is intended for all versions of the Server 2012 operating system, including older versions.
CIS Microsoft Windows Server 2008 R2 Benchmark	This secure configuration guide is based on Microsoft Windows Server 2008 R2 and is intended for all versions of Server 2008 R2 operating system.
CIS Microsoft Windows Server 2008 (non-R2) Benchmark	This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2008 (non-R2).

Windows Benchmarks	Intended For
CIS Microsoft Windows 11 Stand-alone Benchmark	This secure configuration guide is based on Microsoft Windows 11 Enterprise Release 21H2 and is intended for all versions of Windows 11 operating system, including older versions.
CIS Microsoft Windows 11 Enterprise Benchmark	This secure configuration guide is based on the Microsoft Windows 11 Enterprise Release 21H2 and is intended for all versions of the Windows 11 operating system, including older versions.
CIS Microsoft Intune for Windows 11 Benchmark	This secure configuration guide is based on Windows 11 and is intended for all versions of the Windows 11 operating system, including older versions.
CIS Microsoft Windows 10 Stand-alone Benchmark	This secure configuration guide is based on Microsoft Windows 10 Enterprise Release 21H2 and is intended for all versions of Windows 10 operating system, including older versions.
CIS Microsoft Windows 10 EMS Gateway Benchmark	This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 10 installed on an Elections Management System (EMS) Gateway.
CIS Microsoft Windows 10 Enterprise Benchmark \| other releases: 21H1, 20H2, 2004, 1909, 1903, 1809, 1803, 1709, 1703, 1607, 1511, 1507	This secure configuration guide is based on Windows 10 and is intended for all versions of the Windows 10 operating system, including older versions.
CIS Microsoft Windows 8.1 Workstation Benchmark	This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 8.1.
CIS Microsoft Windows 7 Workstation Benchmark	This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 7. This guide was tested against Microsoft Windows 7 Enterprise Edition (SP1).
CIS Microsoft Windows XP Benchmark	This document, CIS Microsoft Windows XP Benchmark v3.1.0, provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows XP.

To ensure all new and updated group policy objects (GPOs) are installed on the system, please download the newest version of the ADMX/ADML templates. Unfortunately, Microsoft doesn’t provide a central location to download ADMX/ADML templates, so please search the web for the latest download pages.

The Windows CIS Benchmarks are written for Active Directory domain-joined systems using Group Policy, not stand-alone/workgroup systems. Adjustments/tailoring to some recommendations will be needed to maintain functionality if attempting to implement CIS hardening on stand-alone systems or a system running in the cloud.

Keywords; Microsoft Windows Server 7 10 11 2008 2012 2016 2019 2022

Content by Label

Content by label

There is no content with the specified labels

Center for Internet Security®

Источник

By John Gates, on July 6th, 2022

In February 2022, CIS (Center for Internet Security) released the Microsoft Windows Server 2022 Benchmark v1.0.0 that includes 50+ new features, GPOs (Group Policy Objects), capabilities and services. The document offers a comparison between Server 2019 vs. Server 2022 for similarities and differences as well as similarities and differences of Windows 11 vs Windows 10.

With the benchmark being so new to the public, companies will need to locate a remediation and hardening solution such as CalCom’s Hardening Suite that enforces CIS’ most recent Microsoft Windows Server 2022 Benchmark.

Microsoft has long provided both Standard and Datacenter editions of its Windows Server operating systems, a tradition that persists with the release of Windows Server 2022. However they have included a new feature and improvement with their Windows Server 2022 Datacenter Azure edition. As the moniker suggests, this edition aligns server workloads more intricately with the Microsoft cloud ecosystem and presents distinctive functionalities aimed at enticing customers seeking streamlined patch management and other advantageous incentives.

Windows Server 2019 vs 2022 difference

Windows Server 2022 offers enhanced security, increased flexibility, and improved support for hybrid deployments compared to its Windows Server 2019 predecessor.

The three main differences include updated security features and advanced threat protection:

In the context of security, there are notable distinctions between Windows Server 2019 and Windows Server 2022. Windows Server 2019 provides security features such as Defender Advanced Threat Protection, Exploit Guard, and Attack Surface Reduction. In contrast, Windows Server 2022 introduces a layered security approach, enhancing cryptographic key protection, firmware security, and the security of virtualization environments.

Regarding connectivity, Windows Server 2022 brings advancements with features like Transport Layer 1.3 security, Secure DNS, Server Message Block (SMB), and SMB over QUIC. In contrast, Windows Server 2019 includes Software-Defined Network (SDN) Security.

Recognizing the increasing importance of the cloud in modern IT infrastructure, Microsoft made strides in both versions. In Windows Server 2019, they introduced a hybrid cloud service that maintains compatibility with the server’s core applications. However, Windows Server 2022 takes a step further by integrating Azure Arc technology, enabling centralized management of multiple cloud environments through the Azure platform. This evolution aligns with the evolving needs of cloud-centric IT strategies.

Windows Server 2022 comparison to Windows Server 2019

Windows Server 2022 represents a significant advancement in security compared to its predecessors. It introduces the Secured-Core Server feature, which safeguards not only the operating system but also the hardware and firmware against various threats. Furthermore, the default encryption of the Server Message Block (SMB) network file-sharing protocol enhances security for all users, further bolstering the overall protection of the system. Let’s look at some of the changes in the key features:

Key Features	Windows Server 2019	Windows Server 2022
Automatic Windows Admin Center Updates	No	Yes
Customizable Columns for VM Information	No	Yes
Detachable Events Overview Screen	Configurable	Built-in
Configurable Destination Virtual Switch	No	Yes
Event Workspace to track data	No	Yes
Automated Extension Lifecycle Management	No	Yes
Enhanced Security
Hardware-enforced Stack Protection	No	Yes
TLS	Supports 1.2	1.3 Is Enabled by Default
Secured-core server	No	Yes
Hypervisor-based code integrity	No	Yes
Hybrid Cloud Capabilities
Azure Arc	supported	1.3 Is Enabled by Default
Storage Migration Service	Supported	Deployment and Management Is Simplified
Improved Platform Flexibility
Uncompressed Image Size	Approx. 3.7 GB	Approx. 2.7 GB
Virtualized Time Zone	Mirrors Host Timezone	Configurable Within Container
Group Managed Service Accounts (gMSA) Requires Domain Joining	Yes	No
DSR Routing	No	Yes
Better Kubernetes Experience
HostProcess containers	No	Yes
Multiple Subnets Per Windows Worker Node	No	Yes
Upgraded Hyper V Manager
Action Bar	No	Yes
New Partitioning Tool	No	Yes
Live Storage Migration	No	Yes
Running Workloads Between Server	No	Yes
Affinity and Anti-Affinity Rules	No	Yes
VM Clones	No	Yes

(Source: Accuwebhosting blog ‘Windows Server 2022 vs Windows Server 2019 – Feature Comparison‘)

Windows Server 2022 CIS Benchmark guidelines

CIS benchmarks can be regarded as the dedicated set of the best practices and configuration settings for organizations to ‘harden’ the security of their digital assets. Currently, around 100 benchmarks are made available in around 14 technology groups – including IBM, Microsoft, AWS, and Cisco.

Some ways in which CIS benchmarks tend to be distinct from other security standards are:

While CIS benchmarks are not regulatory requirements, most important compliance frameworks highlight CIS benchmarks according to the industry standards.
CIS benchmarks are developed by consensus between industry experts -including security vendors, SMEs, the benchmarking team, and the global security community through the CIS Workbench.
CIS benchmarks tend to relate particularly to the configuration of the existing assets. They are not known for covering security defenses like EDRs (Endpoint Detection and Response) and firewalls.

CIS Levels

Based on the compliance and security needs of the organization, there are two distinct levels of CIS benchmarks:

Level 1: It is designed for rapidly minimizing the existing attack surface of the organization without affecting business functionality or usability. These CIS standards offer the base level of compliance and security that organizations are expected to meet.

Level 2: It offers access to a highly stringent standard designed for maximizing the security posture of the organization with the help of ‘defense in depth.’ These security standards are aimed for environments wherein security might be crucial.

Implementing CIS Benchmarks

As far as the implementation of CIS benchmarks is concerned, there are some options:

Downloading the CIS benchmarking documents and implementing the suggestions manually -The approach will deliver the benefit of being independent to start. However, it turns into a highly labor-intensive task especially when organizations upgrade, and assets are added.

Using an automated solution for identifying and resolving areas of non-compliance: While it is not possible to implement relevant CIS benchmarks on a manual basis, most companies make use of an automated tool for CIS benchmarks. An automated solution will make it quicker and simpler to implement as well as ensure compliance with the respective CIS benchmarks.

It is important to make use of compliance, security, and integrity tools in the IT departments to quickly reach and maintain compliance with the respective CIS benchmarks. Reliable solutions usually involve scanning functionality for quickly identifying areas of non-compliance, but they are unable to do the remediation.

CalCom’s automated hardening solution, CalCom Hardening Suite (CHS) enforces CIS’ most recent Microsoft Windows Server 2022 Benchmark v1.0.0. CHS eliminates outages and reduces hardening costs by indicating the impact of a security hardening change on the production services. CalCom’s CHS is a must-have solution for any enterprise seeking to quickly and cost-effectively implement CIS benchmarks and maintain extensive, robust server security policies.

Hi, just wanted to let you know we use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.

Источник

Product Overview

CIS Microsoft Windows Server 2022 Level 1 Hardened Image is a pre-configured image built by the Center for Internet Security (CIS) for use on Amazon Elastic Compute Cloud (Amazon EC2). It is built to offer an image secured to industry-recognized security guidance running on Amazon EC2.

This image of Microsoft Windows Server 2022 Level 1 is pre-hardened to CIS Benchmarks guidance and patched monthly according to the security updates released on Microsoft Patch Tuesday. This image is hardened against the corresponding Level 1 profile which is intended to be practical and prudent, provide a clear security benefit, and not inhibit the utility of the technology beyond acceptable means. No components are installed on or removed from this image outside of those already present on the base image or as recommended in alignment with the corresponding CIS Benchmark recommendations.

To demonstrate conformance to the CIS Microsoft Windows Server 2022 Level 1 Benchmark, industry-recognized hardening guidance, each image includes an HTML report from CIS Configuration Assessment Tool (CIS-CAT Pro). Each CIS Hardened Image contains the following files:

Base_CIS-CAT_Report.html — this provides a report of CIS-CAT Pro run against the instance before any change is made by CIS (e.g., software updates, CIS hardening).
CIS-CAT_Report.html — this provides a report of CIS-CAT Pro run against the instance after the corresponding CIS Benchmark was applied to the image.
Exceptions.txt — this provides a list of recommendations that are not applied because the configuration of those recommendations may inhibit the use of this image in this CSP, require environment-specific expertise, or hinder the integration of this image with CSP services or extensions.

These reports are located in C:\CIS Hardening Reports.

If this instance is used in a domain environment where policies are managed globally, the majority of the security settings will be changed and managed by domain policies.

To speak with us about additional pricing options and private offers, please contact us at cloudsecurity@cisecurity.org.

To learn more or access the corresponding CIS Benchmark, please visit https://www.cisecurity.org/cis-benchmarks or sign up for a free account on our community platform, CIS WorkBench, https://workbench.cisecurity.org/.

Operating System

Windows, Windows Server 2022 Base 2022

Delivery Methods

Amazon Machine Image

Pricing Information

Usage Information

Support Information

Customer Reviews

Источник

CIS Microsoft Windows Server 2016 RTM (Release 1607)

Benchmark

v1.0.0 — 03-31-2017
1 | P a g e

This work is licensed under a Creative Commons
Attribution-NonCommercial-ShareAlike

4.0 International Public License. The link to the license terms
can be found at

https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

To further clarify the Creative Commons license related to CIS
Benchmark content, you are

authorized to copy and redistribute the content for use by you,
within your organization

and outside your organization for non-commercial purposes only,
provided that (i)

appropriate credit is given to CIS, (ii) a link to the license
is provided. Additionally, if you

remix, transform or build upon the CIS Benchmark(s), you may
only distribute the modified

materials if they are subject to the same license terms as the
original Benchmark license

and your derivative will no longer be a CIS Benchmark.
Commercial use of CIS Benchmarks

is subject to the prior approval of the Center for Internet
Security.

https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
2 | P a g e

Table of Contents Overview
……………………………………………………………………………………………………………………………………………
24

Intended Audience
……………………………………………………………………………………………………………………….
24

Consensus Guidance
…………………………………………………………………………………………………………………….
24

Typographical Conventions
……………………………………………………………………………………………………….
25

Scoring Information
…………………………………………………………………………………………………………………….
25

Profile Definitions
………………………………………………………………………………………………………………………..
26

Acknowledgements
……………………………………………………………………………………………………………………..
28

Recommendations
……………………………………………………………………………………………………………………………
29

1 Account Policies
………………………………………………………………………………………………………………………..
29

1.1 Password Policy
…………………………………………………………………………………………………………………
29

1.1.1 (L1) Ensure ‘Enforce password history’ is set to ’24 or
more password(s)’

(Scored)
…………………………………………………………………………………………………………………………………
29

1.1.2 (L1) Ensure ‘Maximum password age’ is set to ’60 or fewer
days, but not 0′

(Scored)
…………………………………………………………………………………………………………………………………
32

1.1.3 (L1) Ensure ‘Minimum password age’ is set to ‘1 or more
day(s)’ (Scored) ….. 34

1.1.4 (L1) Ensure ‘Minimum password length’ is set to ’14 or
more character(s)’

(Scored)
…………………………………………………………………………………………………………………………………
36

1.1.5 (L1) Ensure ‘Password must meet complexity requirements’
is set to ‘Enabled’

(Scored)
…………………………………………………………………………………………………………………………………
38

1.1.6 (L1) Ensure ‘Store passwords using reversible encryption’
is set to ‘Disabled’

(Scored)
…………………………………………………………………………………………………………………………………
41

1.2 Account Lockout Policy
…………………………………………………………………………………………………….
43

1.2.1 (L1) Ensure ‘Account lockout duration’ is set to ’15 or
more minute(s)’

(Scored)
…………………………………………………………………………………………………………………………………
43

1.2.2 (L1) Ensure ‘Account lockout threshold’ is set to ’10 or
fewer invalid logon

attempt(s), but not 0′ (Scored)
………………………………………………………………………………………….
45

1.2.3 (L1) Ensure ‘Reset account lockout counter after’ is set
to ’15 or more

minute(s)’ (Scored)
……………………………………………………………………………………………………………..
47

2 Local Policies
……………………………………………………………………………………………………………………………..
49

2.1 Audit Policy
…………………………………………………………………………………………………………………………
49
3 | P a g e

2.2 User Rights Assignment
……………………………………………………………………………………………………
49

2.2.1 (L1) Ensure ‘Access Credential Manager as a trusted
caller’ is set to ‘No One’

(Scored)
…………………………………………………………………………………………………………………………………
49

2.2.2 (L1) Configure ‘Access this computer from the network’
(Scored) …………………. 51

2.2.3 (L1) Ensure ‘Act as part of the operating system’ is set
to ‘No One’ (Scored) .. 53

2.2.4 (L1) Ensure ‘Add workstations to domain’ is set to
‘Administrators’ (DC only)

(Scored)
…………………………………………………………………………………………………………………………………
55

2.2.5 (L1) Ensure ‘Adjust memory quotas for a process’ is set to
‘Administrators,

LOCAL SERVICE, NETWORK SERVICE’ (Scored)
……………………………………………………………
57

2.2.6 (L1) Configure ‘Allow log on locally’ (Scored)
………………………………………………………
59

2.2.7 (L1) Configure ‘Allow log on through Remote Desktop
Services’ (Scored) ……. 61

2.2.8 (L1) Ensure ‘Back up files and directories’ is set to
‘Administrators’ (Scored) 63

2.2.9 (L1) Ensure ‘Change the system time’ is set to
‘Administrators, LOCAL

SERVICE’ (Scored)
……………………………………………………………………………………………………………….
65

2.2.10 (L1) Ensure ‘Change the time zone’ is set to
‘Administrators, LOCAL SERVICE’

(Scored)
…………………………………………………………………………………………………………………………………
68

2.2.11 (L1) Ensure ‘Create a pagefile’ is set to
‘Administrators’ (Scored) ……………….. 70

2.2.12 (L1) Ensure ‘Create a token object’ is set to ‘No One’
(Scored) ……………………… 72

2.2.13 (L1) Ensure ‘Create global objects’ is set to
‘Administrators, LOCAL SERVICE,

NETWORK SERVICE, SERVICE’ (Scored)
…………………………………………………………………………
74

2.2.14 (L1) Ensure ‘Create permanent shared objects’ is set to
‘No One’ (Scored) … 76

2.2.15 (L1) Configure ‘Create symbolic links’ (Scored)
……………………………………………….. 78

2.2.16 (L1) Ensure ‘Debug programs’ is set to ‘Administrators’
(Scored) ……………….. 80

2.2.17 (L1) Configure ‘Deny access to this computer from the
network’ (Scored) … 82

2.2.18 (L1) Ensure ‘Deny log on as a batch job’ to include
‘Guests’ (Scored) ………….. 84

2.2.19 (L1) Ensure ‘Deny log on as a service’ to include
‘Guests’ (Scored) ………………. 86

2.2.20 (L1) Ensure ‘Deny log on locally’ to include ‘Guests’
(Scored) ……………………….. 88

2.2.21 (L1) Ensure ‘Deny log on through Remote Desktop Services’
to include

‘Guests, Local account’ (Scored)
……………………………………………………………………………………….
90

2.2.22 (L1) Configure ‘Enable computer and user accounts to be
trusted for

delegation’ (Scored)
…………………………………………………………………………………………………………….
92

2.2.23 (L1) Ensure ‘Force shutdown from a remote system’ is set
to ‘Administrators’

(Scored)
…………………………………………………………………………………………………………………………………
94
4 | P a g e

2.2.24 (L1) Ensure ‘Generate security audits’ is set to ‘LOCAL
SERVICE, NETWORK

SERVICE’ (Scored)
……………………………………………………………………………………………………………….
96

2.2.25 (L1) Configure ‘Impersonate a client after
authentication’ (Scored) ……………. 98

2.2.26 (L1) Ensure ‘Increase scheduling priority’ is set to
‘Administrators’ (Scored)

……………………………………………………………………………………………………………………………………………….
100

2.2.27 (L1) Ensure ‘Load and unload device drivers’ is set to
‘Administrators’

(Scored)
……………………………………………………………………………………………………………………………….
102

2.2.28 (L1) Ensure ‘Lock pages in memory’ is set to ‘No One’
(Scored) …………………. 104

2.2.29 (L2) Ensure ‘Log on as a batch job’ is set to
‘Administrators’ (DC Only)

(Scored)
……………………………………………………………………………………………………………………………….
106

2.2.30 (L1) Configure ‘Manage auditing and security log’
(Scored) ………………………… 108

2.2.31 (L1) Ensure ‘Modify an object label’ is set to ‘No One’
(Scored) ………………….. 110

2.2.32 (L1) Ensure ‘Modify firmware environment values’ is set
to ‘Administrators’

(Scored)
……………………………………………………………………………………………………………………………….
112

2.2.33 (L1) Ensure ‘Perform volume maintenance tasks’ is set to
‘Administrators’

(Scored)
……………………………………………………………………………………………………………………………….
114

2.2.34 (L1) Ensure ‘Profile single process’ is set to
‘Administrators’ (Scored) ……… 116

2.2.35 (L1) Ensure ‘Profile system performance’ is set to
‘Administrators, NT

SERVICEWdiServiceHost’ (Scored)
………………………………………………………………………………
118

2.2.36 (L1) Ensure ‘Replace a process level token’ is set to
‘LOCAL SERVICE,

NETWORK SERVICE’ (Scored)
…………………………………………………………………………………………
120

2.2.37 (L1) Ensure ‘Restore files and directories’ is set to
‘Administrators’ (Scored)

……………………………………………………………………………………………………………………………………………….
122

2.2.38 (L1) Ensure ‘Shut down the system’ is set to
‘Administrators’ (Scored) ……. 124

2.2.39 (L1) Ensure ‘Synchronize directory service data’ is set
to ‘No One’ (DC only)

(Scored)
……………………………………………………………………………………………………………………………….
126

2.2.40 (L1) Ensure ‘Take ownership of files or other objects’ is
set to

‘Administrators’ (Scored)
…………………………………………………………………………………………………
128

2.3 Security Options
………………………………………………………………………………………………………………
130

2.3.1.1 (L1) Ensure ‘Accounts: Administrator account status’ is
set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
130

2.3.1.2 (L1) Ensure ‘Accounts: Block Microsoft accounts’ is set
to ‘Users can’t add or

log on with Microsoft accounts’ (Scored)
………………………………………………………………………
132

2.3.1.3 (L1) Ensure ‘Accounts: Guest account status’ is set to
‘Disabled’ (Scored) .. 134
5 | P a g e

2.3.1.4 (L1) Ensure ‘Accounts: Limit local account use of blank
passwords to console

logon only’ is set to ‘Enabled’ (Scored)
………………………………………………………………………….
136

2.3.1.5 (L1) Configure ‘Accounts: Rename administrator account’
(Scored) …………. 138

2.3.1.6 (L1) Configure ‘Accounts: Rename guest account’ (Scored)
………………………… 140

2.3.2.1 (L1) Ensure ‘Audit: Force audit policy subcategory
settings (Windows Vista

or later) to override audit policy category settings’ is set to
‘Enabled’ (Scored) ….. 142

2.3.2.2 (L1) Ensure ‘Audit: Shut down system immediately if
unable to log security

audits’ is set to ‘Disabled’ (Scored)
…………………………………………………………………………………
144

2.3.4.1 (L1) Ensure ‘Devices: Allowed to format and eject
removable media’ is set to

‘Administrators’ (Scored)
…………………………………………………………………………………………………
146

2.3.4.2 (L1) Ensure ‘Devices: Prevent users from installing
printer drivers’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
148

2.3.5.1 (L1) Ensure ‘Domain controller: Allow server operators
to schedule tasks’ is

set to ‘Disabled’ (DC only) (Scored)
……………………………………………………………………………….
150

2.3.5.2 (L1) Ensure ‘Domain controller: LDAP server signing
requirements’ is set to

‘Require signing’ (DC only) (Scored)
……………………………………………………………………………..
152

2.3.5.3 (L1) Ensure ‘Domain controller: Refuse machine account
password changes’

is set to ‘Disabled’ (DC only) (Scored)
……………………………………………………………………………
154

2.3.6.1 (L1) Ensure ‘Domain member: Digitally encrypt or sign
secure channel data

(always)’ is set to ‘Enabled’ (Scored)
……………………………………………………………………………..
156

2.3.6.2 (L1) Ensure ‘Domain member: Digitally encrypt secure
channel data (when

possible)’ is set to ‘Enabled’ (Scored)
…………………………………………………………………………….
158

2.3.6.3 (L1) Ensure ‘Domain member: Digitally sign secure
channel data (when

possible)’ is set to ‘Enabled’ (Scored)
…………………………………………………………………………….
160

2.3.6.4 (L1) Ensure ‘Domain member: Disable machine account
password changes’

is set to ‘Disabled’ (Scored)
……………………………………………………………………………………………..
162

2.3.6.5 (L1) Ensure ‘Domain member: Maximum machine account
password age’ is

set to ’30 or fewer days, but not 0′ (Scored)
…………………………………………………………………
164

2.3.6.6 (L1) Ensure ‘Domain member: Require strong (Windows 2000
or later)

session key’ is set to ‘Enabled’ (Scored)
………………………………………………………………………..
166

2.3.7.1 (L1) Ensure ‘Interactive logon: Do not display last user
name’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
168

2.3.7.2 (L1) Ensure ‘Interactive logon: Do not require
CTRL+ALT+DEL’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
170
6 | P a g e

2.3.7.3 (L1) Ensure ‘Interactive logon: Machine inactivity
limit’ is set to ‘900 or

fewer second(s), but not 0′ (Scored)
………………………………………………………………………………
172

2.3.7.4 (L1) Configure ‘Interactive logon: Message text for
users attempting to log

on’ (Scored)
…………………………………………………………………………………………………………………………
174

2.3.7.5 (L1) Configure ‘Interactive logon: Message title for
users attempting to log

on’ (Scored)
…………………………………………………………………………………………………………………………
176

2.3.7.6 (L2) Ensure ‘Interactive logon: Number of previous
logons to cache (in case

domain controller is not available)’ is set to ‘4 or fewer
logon(s)’ (MS only) (Scored)

……………………………………………………………………………………………………………………………………………….
178

2.3.7.7 (L1) Ensure ‘Interactive logon: Prompt user to change
password before

expiration’ is set to ‘between 5 and 14 days’ (Scored)
………………………………………………. 180

2.3.7.8 (L1) Ensure ‘Interactive logon: Require Domain
Controller Authentication to

unlock workstation’ is set to ‘Enabled’ (MS only) (Scored)
………………………………………. 182

2.3.7.9 (L1) Ensure ‘Interactive logon: Smart card removal
behavior’ is set to ‘Lock

Workstation’ or higher (Scored)
……………………………………………………………………………………..
184

2.3.8.1 (L1) Ensure ‘Microsoft network client: Digitally sign
communications

(always)’ is set to ‘Enabled’ (Scored)
……………………………………………………………………………..
186

2.3.8.2 (L1) Ensure ‘Microsoft network client: Digitally sign
communications (if

server agrees)’ is set to ‘Enabled’ (Scored)
…………………………………………………………………..
189

2.3.8.3 (L1) Ensure ‘Microsoft network client: Send unencrypted
password to third-

party SMB servers’ is set to ‘Disabled’ (Scored)
…………………………………………………………..
192

2.3.9.1 (L1) Ensure ‘Microsoft network server: Amount of idle
time required before

suspending session’ is set to ’15 or fewer minute(s), but not 0′
(Scored) ……………… 194

2.3.9.2 (L1) Ensure ‘Microsoft network server: Digitally sign
communications

(always)’ is set to ‘Enabled’ (Scored)
……………………………………………………………………………..
196

2.3.9.3 (L1) Ensure ‘Microsoft network server: Digitally sign
communications (if

client agrees)’ is set to ‘Enabled’ (Scored)
…………………………………………………………………….
199

2.3.9.4 (L1) Ensure ‘Microsoft network server: Disconnect
clients when logon hours

expire’ is set to ‘Enabled’
(Scored)………………………………………………………………………………….
202

2.3.9.5 (L1) Ensure ‘Microsoft network server: Server SPN target
name validation

level’ is set to ‘Accept if provided by client’ or higher (MS
only) (Scored) …………….. 204

2.3.10.1 (L1) Ensure ‘Network access: Allow anonymous SID/Name
translation’ is

set to ‘Disabled’ (Scored)
………………………………………………………………………………………………….
206

2.3.10.2 (L1) Ensure ‘Network access: Do not allow anonymous
enumeration of SAM

accounts’ is set to ‘Enabled’ (MS only)
(Scored)…………………………………………………………..
208
7 | P a g e

2.3.10.3 (L1) Ensure ‘Network access: Do not allow anonymous
enumeration of SAM

accounts and shares’ is set to ‘Enabled’ (MS only) (Scored)
…………………………………….. 210

2.3.10.4 (L2) Ensure ‘Network access: Do not allow storage of
passwords and

credentials for network authentication’ is set to ‘Enabled’
(Scored) ………………………. 212

2.3.10.5 (L1) Ensure ‘Network access: Let Everyone permissions
apply to

anonymous users’ is set to ‘Disabled’ (Scored)
……………………………………………………………
214

2.3.10.6 (L1) Configure ‘Network access: Named Pipes that can be
accessed

anonymously’
(Scored)……………………………………………………………………………………………………..
216

2.3.10.7 (L1) Configure ‘Network access: Remotely accessible
registry paths’

(Scored)
……………………………………………………………………………………………………………………………….
218

2.3.10.8 (L1) Configure ‘Network access: Remotely accessible
registry paths and

sub-paths’ (Scored)
……………………………………………………………………………………………………………
220

2.3.10.9 (L1) Ensure ‘Network access: Restrict anonymous access
to Named Pipes

and Shares’ is set to ‘Enabled’ (Scored)
…………………………………………………………………………
223

2.3.10.10 (L1) Ensure ‘Network access: Restrict clients allowed
to make remote calls

to SAM’ is set to ‘Administrators: Remote Access: Allow’ (MS
only) (Scored) ………. 225

2.3.10.11 (L1) Ensure ‘Network access: Shares that can be
accessed anonymously’ is

set to ‘None’ (Scored)
………………………………………………………………………………………………………..
227

2.3.10.12 (L1) Ensure ‘Network access: Sharing and security
model for local

accounts’ is set to ‘Classic — local users authenticate as
themselves’ (Scored) ………. 229

2.3.11.1 (L1) Ensure ‘Network security: Allow Local System to
use computer

identity for NTLM’ is set to ‘Enabled’ (Scored)
…………………………………………………………….
231

2.3.11.2 (L1) Ensure ‘Network security: Allow LocalSystem NULL
session fallback’ is

set to ‘Disabled’ (Scored)
………………………………………………………………………………………………….
233

2.3.11.3 (L1) Ensure ‘Network Security: Allow PKU2U
authentication requests to

this computer to use online identities’ is set to ‘Disabled’
(Scored) ………………………… 235

2.3.11.4 (L1) Ensure ‘Network security: Configure encryption
types allowed for

Kerberos’ is set to ‘RC4_HMAC_MD5, AES128_HMAC_SHA1,
AES256_HMAC_SHA1,

Future encryption types’ (Scored)
………………………………………………………………………………….
237

2.3.11.5 (L1) Ensure ‘Network security: Do not store LAN Manager
hash value on

next password change’ is set to ‘Enabled’ (Scored)
…………………………………………………….
239

2.3.11.6 (L1) Ensure ‘Network security: Force logoff when logon
hours expire’ is set

to ‘Enabled’ (Scored)
…………………………………………………………………………………………………………
241

2.3.11.7 (L1) Ensure ‘Network security: LAN Manager
authentication level’ is set to

‘Send NTLMv2 response only. Refuse LM & NTLM’ (Scored)
……………………………………. 243
8 | P a g e

2.3.11.8 (L1) Ensure ‘Network security: LDAP client signing
requirements’ is set to

‘Negotiate signing’ or higher (Scored)
……………………………………………………………………………
246

2.3.11.9 (L1) Ensure ‘Network security: Minimum session security
for NTLM SSP

based (including secure RPC) clients’ is set to ‘Require NTLMv2
session security,

Require 128-bit encryption’ (Scored)
……………………………………………………………………………
248

2.3.11.10 (L1) Ensure ‘Network security: Minimum session
security for NTLM SSP

based (including secure RPC) servers’ is set to ‘Require NTLMv2
session security,

Require 128-bit encryption’ (Scored)
……………………………………………………………………………
250

2.3.13.1 (L1) Ensure ‘Shutdown: Allow system to be shut down
without having to

log on’ is set to ‘Disabled’ (Scored)
…………………………………………………………………………………
252

2.3.15.1 (L1) Ensure ‘System objects: Require case insensitivity
for non-Windows

subsystems’ is set to ‘Enabled’ (Scored)
………………………………………………………………………..
254

2.3.15.2 (L1) Ensure ‘System objects: Strengthen default
permissions of internal

system objects (e.g. Symbolic Links)’ is set to ‘Enabled’
(Scored) …………………………… 256

2.3.17.1 (L1) Ensure ‘User Account Control: Admin Approval Mode
for the Built-in

Administrator account’ is set to ‘Enabled’
(Scored)…………………………………………………….
258

2.3.17.2 (L1) Ensure ‘User Account Control: Allow UIAccess
applications to prompt

for elevation without using the secure desktop’ is set to
‘Disabled’ (Scored) ……….. 260

2.3.17.3 (L1) Ensure ‘User Account Control: Behavior of the
elevation prompt for

administrators in Admin Approval Mode’ is set to ‘Prompt for
consent on the secure

desktop’ (Scored)
……………………………………………………………………………………………………………….
262

2.3.17.4 (L1) Ensure ‘User Account Control: Behavior of the
elevation prompt for

standard users’ is set to ‘Automatically deny elevation
requests’ (Scored) …………… 264

2.3.17.5 (L1) Ensure ‘User Account Control: Detect application
installations and

prompt for elevation’ is set to ‘Enabled’ (Scored)
……………………………………………………….
266

2.3.17.6 (L1) Ensure ‘User Account Control: Only elevate
UIAccess applications that

are installed in secure locations’ is set to ‘Enabled’ (Scored)
…………………………………… 268

2.3.17.7 (L1) Ensure ‘User Account Control: Run all
administrators in Admin

Approval Mode’ is set to ‘Enabled’ (Scored)
…………………………………………………………………
270

2.3.17.8 (L1) Ensure ‘User Account Control: Switch to the secure
desktop when

prompting for elevation’ is set to ‘Enabled’ (Scored)
…………………………………………………. 272

2.3.17.9 (L1) Ensure ‘User Account Control: Virtualize file and
registry write failures

to per-user locations’ is set to ‘Enabled’ (Scored)
……………………………………………………….
274

3 Event Log
………………………………………………………………………………………………………………………………….
275

4 Restricted Groups
……………………………………………………………………………………………………………………
275
9 | P a g e

5 System Services
……………………………………………………………………………………………………………………….
275

6
Registry……………………………………………………………………………………………………………………………………..
275

7 File System
……………………………………………………………………………………………………………………………….
275

8 Wired Network (IEEE 802.3) Policies
…………………………………………………………………………………
275

9 Windows Firewall With Advanced Security
……………………………………………………………………….
276

9.1 Domain Profile
………………………………………………………………………………………………………………….
276

9.1.1 (L1) Ensure ‘Windows Firewall: Domain: Firewall state’ is
set to ‘On

(recommended)’ (Scored)
………………………………………………………………………………………………..
276

9.1.2 (L1) Ensure ‘Windows Firewall: Domain: Inbound
connections’ is set to ‘Block

(default)’ (Scored)
……………………………………………………………………………………………………………..
278

9.1.3 (L1) Ensure ‘Windows Firewall: Domain: Outbound
connections’ is set to

‘Allow (default)’ (Scored)
…………………………………………………………………………………………………
280

9.1.4 (L1) Ensure ‘Windows Firewall: Domain: Settings: Display a
notification’ is set

to ‘No’ (Scored)
…………………………………………………………………………………………………………………..
282

9.1.5 (L1) Ensure ‘Windows Firewall: Domain: Settings: Apply
local firewall rules’ is

set to ‘Yes (default)’
(Scored)…………………………………………………………………………………………..
284

9.1.6 (L1) Ensure ‘Windows Firewall: Domain: Settings: Apply
local connection

security rules’ is set to ‘Yes (default)’ (Scored)
……………………………………………………………
286

9.1.7 (L1) Ensure ‘Windows Firewall: Domain: Logging: Name’ is
set to

‘%SYSTEMROOT%System32logfilesfirewalldomainfw.log’ (Scored)
…………….. 288

9.1.8 (L1) Ensure ‘Windows Firewall: Domain: Logging: Size limit
(KB)’ is set to

‘16,384 KB or greater’ (Scored)
………………………………………………………………………………………
290

9.1.9 (L1) Ensure ‘Windows Firewall: Domain: Logging: Log
dropped packets’ is set

to ‘Yes’
(Scored)………………………………………………………………………………………………………………….
292

9.1.10 (L1) Ensure ‘Windows Firewall: Domain: Logging: Log
successful

connections’ is set to ‘Yes’ (Scored)
……………………………………………………………………………….
294

9.2 Private Profile
…………………………………………………………………………………………………………………..
296

9.2.1 (L1) Ensure ‘Windows Firewall: Private: Firewall state’ is
set to ‘On

(recommended)’ (Scored)
………………………………………………………………………………………………..
296

9.2.2 (L1) Ensure ‘Windows Firewall: Private: Inbound
connections’ is set to ‘Block

(default)’ (Scored)
……………………………………………………………………………………………………………..
298

9.2.3 (L1) Ensure ‘Windows Firewall: Private: Outbound
connections’ is set to ‘Allow

(default)’ (Scored)
……………………………………………………………………………………………………………..
300
10 | P a g e

9.2.4 (L1) Ensure ‘Windows Firewall: Private: Settings: Display
a notification’ is set

to ‘No’ (Scored)
…………………………………………………………………………………………………………………..
302

9.2.5 (L1) Ensure ‘Windows Firewall: Private: Settings: Apply
local firewall rules’ is

set to ‘Yes (default)’
(Scored)…………………………………………………………………………………………..
304

9.2.6 (L1) Ensure ‘Windows Firewall: Private: Settings: Apply
local connection

security rules’ is set to ‘Yes (default)’ (Scored)
……………………………………………………………
306

9.2.7 (L1) Ensure ‘Windows Firewall: Private: Logging: Name’ is
set to

‘%SYSTEMROOT%System32logfilesfirewallprivatefw.log’ (Scored)
……………… 308

9.2.8 (L1) Ensure ‘Windows Firewall: Private: Logging: Size
limit (KB)’ is set to

‘16,384 KB or greater’ (Scored)
………………………………………………………………………………………
310

9.2.9 (L1) Ensure ‘Windows Firewall: Private: Logging: Log
dropped packets’ is set

to ‘Yes’
(Scored)………………………………………………………………………………………………………………….
312

9.2.10 (L1) Ensure ‘Windows Firewall: Private: Logging: Log
successful connections’

is set to ‘Yes’ (Scored)
……………………………………………………………………………………………………….
314

9.3 Public Profile
…………………………………………………………………………………………………………………….
316

9.3.1 (L1) Ensure ‘Windows Firewall: Public: Firewall state’ is
set to ‘On

(recommended)’ (Scored)
………………………………………………………………………………………………..
316

9.3.2 (L1) Ensure ‘Windows Firewall: Public: Inbound
connections’ is set to ‘Block

(default)’ (Scored)
……………………………………………………………………………………………………………..
318

9.3.3 (L1) Ensure ‘Windows Firewall: Public: Outbound
connections’ is set to ‘Allow

(default)’ (Scored)
……………………………………………………………………………………………………………..
320

9.3.4 (L1) Ensure ‘Windows Firewall: Public: Settings: Display a
notification’ is set to

‘Yes’ (Scored)
………………………………………………………………………………………………………………………
322

9.3.5 (L1) Ensure ‘Windows Firewall: Public: Settings: Apply
local firewall rules’ is

set to ‘No’ (Scored)
…………………………………………………………………………………………………………….
324

9.3.6 (L1) Ensure ‘Windows Firewall: Public: Settings: Apply
local connection

security rules’ is set to ‘No’ (Scored)
……………………………………………………………………………..
326

9.3.7 (L1) Ensure ‘Windows Firewall: Public: Logging: Name’ is
set to

‘%SYSTEMROOT%System32logfilesfirewallpublicfw.log’ (Scored)
……………….. 328

9.3.8 (L1) Ensure ‘Windows Firewall: Public: Logging: Size limit
(KB)’ is set to

‘16,384 KB or greater’ (Scored)
………………………………………………………………………………………
330

9.3.9 (L1) Ensure ‘Windows Firewall: Public: Logging: Log
dropped packets’ is set to

‘Yes’ (Scored)
………………………………………………………………………………………………………………………
332
11 | P a g e

9.3.10 (L1) Ensure ‘Windows Firewall: Public: Logging: Log
successful connections’

is set to ‘Yes’ (Scored)
……………………………………………………………………………………………………….
334

10 Network List Manager Policies
…………………………………………………………………………………………..
336

11 Wireless Network (IEEE 802.11) Policies
………………………………………………………………………..
336

12 Public Key Policies
………………………………………………………………………………………………………………..
336

13 Software Restriction Policies
……………………………………………………………………………………………..
336

14 Network Access Protection NAP Client Configuration
………………………………………………….. 336

15 Application Control Policies
……………………………………………………………………………………………….
336

16 IP Security Policies
……………………………………………………………………………………………………………….
336

17 Advanced Audit Policy Configuration
……………………………………………………………………………….
337

17.1 Account Logon
……………………………………………………………………………………………………………….
337

17.1.1 (L1) Ensure ‘Audit Credential Validation’ is set to
‘Success and Failure’

(Scored)
……………………………………………………………………………………………………………………………….
337

17.2 Account Management
…………………………………………………………………………………………………..
339

17.2.1 (L1) Ensure ‘Audit Application Group Management’ is set
to ‘Success and

Failure’
(Scored)…………………………………………………………………………………………………………………
339

17.2.2 (L1) Ensure ‘Audit Computer Account Management’ is set to
‘Success and

Failure’
(Scored)…………………………………………………………………………………………………………………
341

17.2.3 (L1) Ensure ‘Audit Distribution Group Management’ is set
to ‘Success and

Failure’ (DC only) (Scored)
………………………………………………………………………………………………
343

17.2.4 (L1) Ensure ‘Audit Other Account Management Events’ is
set to ‘Success and

Failure’
(Scored)…………………………………………………………………………………………………………………
345

17.2.5 (L1) Ensure ‘Audit Security Group Management’ is set to
‘Success and Failure’

(Scored)
……………………………………………………………………………………………………………………………….
347

17.2.6 (L1) Ensure ‘Audit User Account Management’ is set to
‘Success and Failure’

(Scored)
……………………………………………………………………………………………………………………………….
349

17.3 Detailed Tracking
………………………………………………………………………………………………………….
351

17.3.1 (L1) Ensure ‘Audit PNP Activity’ is set to ‘Success’
(Scored) ………………………… 351

17.3.2 (L1) Ensure ‘Audit Process Creation’ is set to ‘Success’
(Scored) ………………… 353

17.4 DS Access
………………………………………………………………………………………………………………………..
355

17.4.1 (L1) Ensure ‘Audit Directory Service Access’ is set to
‘Success and Failure’

(DC only) (Scored)
……………………………………………………………………………………………………………..
355
12 | P a g e

17.4.2 (L1) Ensure ‘Audit Directory Service Changes’ is set to
‘Success and Failure’

(DC only) (Scored)
……………………………………………………………………………………………………………..
357

17.5 Logon/Logoff
………………………………………………………………………………………………………………….
359

17.5.1 (L1) Ensure ‘Audit Account Lockout’ is set to ‘Success
and Failure’ (Scored)

……………………………………………………………………………………………………………………………………………….
359

17.5.2 (L1) Ensure ‘Audit Group Membership’ is set to ‘Success’
(Scored) ……………. 361

17.5.3 (L1) Ensure ‘Audit Logoff’ is set to ‘Success’ (Scored)
…………………………………… 363

17.5.4 (L1) Ensure ‘Audit Logon’ is set to ‘Success and Failure’
(Scored) ……………… 365

17.5.5 (L1) Ensure ‘Audit Other Logon/Logoff Events’ is set to
‘Success and Failure’

(Scored)
……………………………………………………………………………………………………………………………….
367

17.5.6 (L1) Ensure ‘Audit Special Logon’ is set to ‘Success’
(Scored) ……………………… 369

17.6 Object Access
………………………………………………………………………………………………………………….
371

17.6.1 (L1) Ensure ‘Audit Removable Storage’ is set to ‘Success
and Failure’ (Scored)

……………………………………………………………………………………………………………………………………………….
371

17.7 Policy Change
…………………………………………………………………………………………………………………
373

17.7.1 (L1) Ensure ‘Audit Audit Policy Change’ is set to
‘Success and Failure’

(Scored)
……………………………………………………………………………………………………………………………….
373

17.7.2 (L1) Ensure ‘Audit Authentication Policy Change’ is set
to ‘Success’ (Scored)

……………………………………………………………………………………………………………………………………………….
375

17.7.3 (L1) Ensure ‘Audit Authorization Policy Change’ is set to
‘Success’ (Scored)

……………………………………………………………………………………………………………………………………………….
377

17.8 Privilege Use
…………………………………………………………………………………………………………………..
379

17.8.1 (L1) Ensure ‘Audit Sensitive Privilege Use’ is set to
‘Success and Failure’

(Scored)
……………………………………………………………………………………………………………………………….
379

17.9 System
……………………………………………………………………………………………………………………………..
381

17.9.1 (L1) Ensure ‘Audit IPsec Driver’ is set to ‘Success and
Failure’ (Scored) …… 381

17.9.2 (L1) Ensure ‘Audit Other System Events’ is set to
‘Success and Failure’

(Scored)
……………………………………………………………………………………………………………………………….
384

17.9.3 (L1) Ensure ‘Audit Security State Change’ is set to
‘Success’ (Scored) ……….. 386

17.9.4 (L1) Ensure ‘Audit Security System Extension’ is set to
‘Success and Failure’

(Scored)
……………………………………………………………………………………………………………………………….
388

17.9.5 (L1) Ensure ‘Audit System Integrity’ is set to ‘Success
and Failure’ (Scored)

……………………………………………………………………………………………………………………………………………….
390
13 | P a g e

18 Administrative Templates (Computer)
…………………………………………………………………………….
392

18.1 Control Panel
………………………………………………………………………………………………………………….
392

18.1.1.1 (L1) Ensure ‘Prevent enabling lock screen camera’ is
set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
392

18.1.1.2 (L1) Ensure ‘Prevent enabling lock screen slide show’
is set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
394

18.1.2.1 (L1) Ensure ‘Allow Input Personalization’ is set to
‘Disabled’ (Scored) ….. 396

18.2 LAPS
…………………………………………………………………………………………………………………………………
398

18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed
(MS only)

(Scored)
……………………………………………………………………………………………………………………………….
398

18.2.2 (L1) Ensure ‘Do not allow password expiration time longer
than required by

policy’ is set to ‘Enabled’ (MS only) (Scored)
……………………………………………………………….
401

18.2.3 (L1) Ensure ‘Enable Local Admin Password Management’ is
set to ‘Enabled’

(MS only) (Scored)
…………………………………………………………………………………………………………….
403

18.2.4 (L1) Ensure ‘Password Settings: Password Complexity’ is
set to ‘Enabled:

Large letters + small letters + numbers + special characters’
(MS only) (Scored) .. 405

18.2.5 (L1) Ensure ‘Password Settings: Password Length’ is set
to ‘Enabled: 15 or

more’ (MS only) (Scored)
…………………………………………………………………………………………………
407

18.2.6 (L1) Ensure ‘Password Settings: Password Age (Days)’ is
set to ‘Enabled: 30

or fewer’ (MS only) (Scored)
……………………………………………………………………………………………
409

18.3 MSS (Legacy)
………………………………………………………………………………………………………………….
411

18.3.1 (L1) Ensure ‘MSS: (AutoAdminLogon) Enable Automatic Logon
(not

recommended)’ is set to ‘Disabled’ (Scored)
………………………………………………………………..
411

18.3.2 (L1) Ensure ‘MSS: (DisableIPSourceRouting IPv6) IP source
routing

protection level (protects against packet spoofing)’ is set to
‘Enabled: Highest

protection, source routing is completely disabled’ (Scored)
…………………………………….. 413

18.3.3 (L1) Ensure ‘MSS: (DisableIPSourceRouting) IP source
routing protection

level (protects against packet spoofing)’ is set to ‘Enabled:
Highest protection,

source routing is completely disabled’ (Scored)
………………………………………………………….
415

18.3.4 (L1) Ensure ‘MSS: (EnableICMPRedirect) Allow ICMP
redirects to override

OSPF generated routes’ is set to ‘Disabled’ (Scored)
………………………………………………….. 417

18.3.5 (L2) Ensure ‘MSS: (KeepAliveTime) How often keep-alive
packets are sent in

milliseconds’ is set to ‘Enabled: 300,000 or 5 minutes
(recommended)’ (Scored) . 419
14 | P a g e

18.3.6 (L1) Ensure ‘MSS: (NoNameReleaseOnDemand) Allow the
computer to ignore

NetBIOS name release requests except from WINS servers’ is set
to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
421

18.3.7 (L2) Ensure ‘MSS: (PerformRouterDiscovery) Allow IRDP to
detect and

configure Default Gateway addresses (could lead to DoS)’ is set
to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
423

18.3.8 (L1) Ensure ‘MSS: (SafeDllSearchMode) Enable Safe DLL
search mode

(recommended)’ is set to ‘Enabled’ (Scored)
……………………………………………………………….
425

18.3.9 (L1) Ensure ‘MSS: (ScreenSaverGracePeriod) The time in
seconds before the

screen saver grace period expires (0 recommended)’ is set to
‘Enabled: 5 or fewer

seconds’ (Scored)
……………………………………………………………………………………………………………….
427

18.3.10 (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions IPv6) How
many times

unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
(Scored) ………………….. 429

18.3.11 (L2) Ensure ‘MSS: (TcpMaxDataRetransmissions) How many
times

unacknowledged data is retransmitted’ is set to ‘Enabled: 3’
(Scored) ………………….. 431

18.3.12 (L1) Ensure ‘MSS: (WarningLevel) Percentage threshold
for the security

event log at which the system will generate a warning’ is set to
‘Enabled: 90% or

less’ (Scored)
………………………………………………………………………………………………………………………
433

18.4 Network
…………………………………………………………………………………………………………………………..
435

18.4.4.1 (L1) Set ‘NetBIOS node type’ to ‘P-node’ (Ensure NetBT
Parameter

‘NodeType’ is set to ‘0x2 (2)’) (MS Only) (Scored)
………………………………………………………
435

18.4.4.2 (L1) Ensure ‘Turn off multicast name resolution’ is set
to ‘Enabled’ (MS

Only) (Scored)
…………………………………………………………………………………………………………………….
437

18.4.5.1 (L2) Ensure ‘Enable Font Providers’ is set to
‘Disabled’ (Scored) ……………. 439

18.4.8.1 (L1) Ensure ‘Enable insecure guest logons’ is set to
‘Disabled’ (Scored) … 441

18.4.9.1 (L2) Ensure ‘Turn on Mapper I/O (LLTDIO) driver’ is set
to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
443

18.4.9.2 (L2) Ensure ‘Turn on Responder (RSPNDR) driver’ is set
to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
445

18.4.10.2 (L2) Ensure ‘Turn off Microsoft Peer-to-Peer
Networking Services’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
447

18.4.11.2 (L1) Ensure ‘Prohibit installation and configuration
of Network Bridge on

your DNS domain network’ is set to ‘Enabled’ (Scored)
……………………………………………. 449

18.4.11.3 (L1) Ensure ‘Prohibit use of Internet Connection
Sharing on your DNS

domain network’ is set to ‘Enabled’ (Scored)
……………………………………………………………….
451
15 | P a g e

18.4.11.4 (L1) Ensure ‘Require domain users to elevate when
setting a network’s

location’ is set to ‘Enabled’ (Scored)
………………………………………………………………………………
453

18.4.14.1 (L1) Ensure ‘Hardened UNC Paths’ is set to ‘Enabled,
with «Require Mutual

Authentication» and «Require Integrity» set for all NETLOGON and
SYSVOL shares’

(Scored)
……………………………………………………………………………………………………………………………….
455

18.4.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter
‘DisabledComponents’ is

set to ‘0xff (255)’) (Scored)
……………………………………………………………………………………………..
458

18.4.20.1 (L2) Ensure ‘Configuration of wireless settings using
Windows Connect

Now’ is set to ‘Disabled’ (Scored)
……………………………………………………………………………………
460

18.4.20.2 (L2) Ensure ‘Prohibit access of the Windows Connect
Now wizards’ is set

to ‘Enabled’ (Scored)
…………………………………………………………………………………………………………
462

18.4.21.1 (L1) Ensure ‘Minimize the number of simultaneous
connections to the

Internet or a Windows Domain’ is set to ‘Enabled’ (Scored)
……………………………………. 464

18.4.21.2 (L2) Ensure ‘Prohibit connection to non-domain
networks when

connected to domain authenticated network’ is set to ‘Enabled’
(MS only) (Scored)

……………………………………………………………………………………………………………………………………………….
466

18.5 Printers
……………………………………………………………………………………………………………………………
467

18.6 SCM: Pass the Hash Mitigations
………………………………………………………………………………….
468

18.6.1 (L1) Ensure ‘Apply UAC restrictions to local accounts on
network logons’ is

set to ‘Enabled’ (MS only) (Scored)
………………………………………………………………………………..
468

18.6.2 (L1) Ensure ‘WDigest Authentication’ is set to ‘Disabled’
(Scored) …………….. 471

18.7 Start Menu and Taskbar
……………………………………………………………………………………………….
472

18.8 System
……………………………………………………………………………………………………………………………..
473

18.8.3.1 (L1) Ensure ‘Include command line in process creation
events’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
473

18.8.12.1 (L1) Ensure ‘Boot-Start Driver Initialization Policy’
is set to ‘Enabled:

Good, unknown and bad but critical’ (Scored)
……………………………………………………………..
477

18.8.19.2 (L1) Ensure ‘Configure registry policy processing: Do
not apply during

periodic background processing’ is set to ‘Enabled: FALSE’
(Scored) …………………….. 480

18.8.19.3 (L1) Ensure ‘Configure registry policy processing:
Process even if the

Group Policy objects have not changed’ is set to ‘Enabled: TRUE’
(Scored) ………….. 482

18.8.19.4 (L1) Ensure ‘Continue experiences on this device’ is
set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
484
16 | P a g e

18.8.19.5 (L1) Ensure ‘Turn off background refresh of Group
Policy’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
486

18.8.20.1.1 (L2) Ensure ‘Turn off access to the Store’ is set to
‘Enabled’ (Scored) . 488

18.8.20.1.2 (L2) Ensure ‘Turn off downloading of print drivers
over HTTP’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
490

18.8.20.1.3 (L2) Ensure ‘Turn off handwriting personalization
data sharing’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
492

18.8.20.1.4 (L2) Ensure ‘Turn off handwriting recognition error
reporting’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
494

18.8.20.1.5 (L2) Ensure ‘Turn off Internet Connection Wizard if
URL connection is

referring to Microsoft.com’ is set to ‘Enabled’ (Scored)
…………………………………………….. 496

18.8.20.1.6 (L2) Ensure ‘Turn off Internet download for Web
publishing and online

ordering wizards’ is set to ‘Enabled’ (Scored)
……………………………………………………………..
498

18.8.20.1.7 (L2) Ensure ‘Turn off printing over HTTP’ is set to
‘Enabled’ (Scored) 500

18.8.20.1.8 (L2) Ensure ‘Turn off Registration if URL connection
is referring to

Microsoft.com’ is set to ‘Enabled’ (Scored)
…………………………………………………………………..
502

18.8.20.1.9 (L2) Ensure ‘Turn off Search Companion content file
updates’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
504

18.8.20.1.10 (L2) Ensure ‘Turn off the «Order Prints» picture
task’ is set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
506

18.8.20.1.11 (L2) Ensure ‘Turn off the «Publish to Web» task for
files and folders’ is

set to ‘Enabled’ (Scored)
…………………………………………………………………………………………………..
508

18.8.20.1.12 (L2) Ensure ‘Turn off the Windows Messenger
Customer Experience

Improvement Program’ is set to ‘Enabled’ (Scored)
……………………………………………………
510

18.8.20.1.13 (L2) Ensure ‘Turn off Windows Customer Experience
Improvement

Program’ is set to ‘Enabled’ (Scored)
……………………………………………………………………………..
512

18.8.20.1.14 (L2) Ensure ‘Turn off Windows Error Reporting’ is
set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
514

18.8.23.1 (L2) Ensure ‘Support device authentication using
certificate’ is set to

‘Enabled: Automatic’ (Scored)
…………………………………………………………………………………………
516

18.8.24.1 (L2) Ensure ‘Disallow copying of user input methods to
the system

account for sign-in’ is set to ‘Enabled’ (Scored)
…………………………………………………………..
518

18.8.25.1 (L1) Ensure ‘Block user from showing account details
on sign-in’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
520
17 | P a g e

18.8.25.2 (L1) Ensure ‘Do not display network selection UI’ is
set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
522

18.8.25.3 (L1) Ensure ‘Do not enumerate connected users on
domain-joined

computers’ is set to ‘Enabled’ (Scored)
………………………………………………………………………….
524

18.8.25.4 (L1) Ensure ‘Enumerate local users on domain-joined
computers’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
526

18.8.25.5 (L1) Ensure ‘Turn off app notifications on the lock
screen’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
528

18.8.25.6 (L1) Ensure ‘Turn on convenience PIN sign-in’ is set
to ‘Disabled’ (Scored)

……………………………………………………………………………………………………………………………………………….
530

18.8.26.1 (L1) Ensure ‘Untrusted Font Blocking’ is set to
‘Enabled: Block untrusted

fonts and log events’ (Scored)
…………………………………………………………………………………………
532

18.8.29.5.1 (L2) Ensure ‘Allow network connectivity during
connected-standby (on

battery)’ is set to ‘Disabled’ (Scored)
……………………………………………………………………………..
535

18.8.29.5.2 (L2) Ensure ‘Allow network connectivity during
connected-standby

(plugged in)’ is set to ‘Disabled’ (Scored)
……………………………………………………………………..
537

18.8.29.5.3 (L2) Ensure ‘Require a password when a computer
wakes (on battery)’

is set to ‘Enabled’ (Scored)
……………………………………………………………………………………………….
539

18.8.29.5.4 (L2) Ensure ‘Require a password when a computer
wakes (plugged in)’

is set to ‘Enabled’ (Scored)
……………………………………………………………………………………………….
541

18.8.31.1 (L1) Ensure ‘Configure Offer Remote Assistance’ is set
to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
543

18.8.31.2 (L1) Ensure ‘Configure Solicited Remote Assistance’ is
set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
545

18.8.32.1 (L1) Ensure ‘Enable RPC Endpoint Mapper Client
Authentication’ is set to

‘Enabled’ (MS only) (Scored)
…………………………………………………………………………………………..
547

18.8.32.2 (L2) Ensure ‘Restrict Unauthenticated RPC clients’ is
set to ‘Enabled:

Authenticated’ (MS only) (Scored)
…………………………………………………………………………………
549

18.8.39.5.1 (L2) Ensure ‘Microsoft Support Diagnostic Tool: Turn
on MSDT

interactive communication with support provider’ is set to
‘Disabled’ (Scored) …. 553

18.8.39.11.1 (L2) Ensure ‘Enable/Disable PerfTrack’ is set to
‘Disabled’ (Scored) 556

18.8.41.1 (L2) Ensure ‘Turn off the advertising ID’ is set to
‘Enabled’ (Scored) …… 558

18.8.44.1.1 (L2) Ensure ‘Enable Windows NTP Client’ is set to
‘Enabled’ (Scored) 560
18 | P a g e

18.8.44.1.2 (L2) Ensure ‘Enable Windows NTP Server’ is set to
‘Disabled’ (MS only)

(Scored)
……………………………………………………………………………………………………………………………….
562

18.9 Windows Components
………………………………………………………………………………………………….
564

18.9.4.1 (L2) Ensure ‘Allow a Windows app to share application
data between users’

is set to ‘Disabled’ (Scored)
……………………………………………………………………………………………..
565

18.9.5.1 (L2) Ensure ‘Let Windows apps *’ is set to ‘Enabled:
Force Deny’ (Scored)

……………………………………………………………………………………………………………………………………………….
567

18.9.6.1 (L1) Ensure ‘Allow Microsoft accounts to be optional’
is set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
571

18.9.6.2 (L2) Ensure ‘Block launching Windows Store apps with
Windows Runtime

API access from hosted content.’ is set to ‘Enabled’ (Scored)
…………………………………… 573

18.9.8.1 (L1) Ensure ‘Disallow Autoplay for non-volume devices’
is set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
575

18.9.8.2 (L1) Ensure ‘Set the default behavior for AutoRun’ is
set to ‘Enabled: Do not

execute any autorun commands’ (Scored)
……………………………………………………………………
577

18.9.8.3 (L1) Ensure ‘Turn off Autoplay’ is set to ‘Enabled: All
drives’ (Scored) ….. 579

18.9.10.1.1 (L1) Ensure ‘Use enhanced anti-spoofing when
available’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
581

18.9.12.1 (L2) Ensure ‘Allow Use of Camera’ is set to ‘Disabled’
(Scored) …………….. 583

18.9.13.1 (L1) Ensure ‘Turn off Microsoft consumer experiences’
is set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
585

18.9.14.1 (L1) Ensure ‘Require pin for pairing’ is set to
‘Enabled’ (Scored) ………….. 587

18.9.15.1 (L1) Ensure ‘Do not display the password reveal
button’ is set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
589

18.9.15.2 (L1) Ensure ‘Enumerate administrator accounts on
elevation’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
591

18.9.16.1 (L1) Ensure ‘Allow Telemetry’ is set to ‘Enabled: 0 —
Security [Enterprise

Only]’ (Scored)
……………………………………………………………………………………………………………………
593

18.9.16.2 (L1) Ensure ‘Disable pre-release features or settings’
is set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
595

18.9.16.3 (L1) Ensure ‘Do not show feedback notifications’ is
set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
597

18.9.16.4 (L1) Ensure ‘Toggle user control over Insider builds’
is set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
599
19 | P a g e

18.9.26.1.1 (L1) Ensure ‘Application: Control Event Log behavior
when the log file

reaches its maximum size’ is set to ‘Disabled’ (Scored)
…………………………………………….. 602

18.9.26.1.2 (L1) Ensure ‘Application: Specify the maximum log
file size (KB)’ is set to

‘Enabled: 32,768 or greater’ (Scored)
……………………………………………………………………………
604

18.9.26.2.1 (L1) Ensure ‘Security: Control Event Log behavior
when the log file

reaches its maximum size’ is set to ‘Disabled’ (Scored)
…………………………………………….. 606

18.9.26.2.2 (L1) Ensure ‘Security: Specify the maximum log file
size (KB)’ is set to

‘Enabled: 196,608 or greater’ (Scored)
………………………………………………………………………….
608

18.9.26.3.1 (L1) Ensure ‘Setup: Control Event Log behavior when
the log file reaches

its maximum size’ is set to ‘Disabled’ (Scored)
…………………………………………………………….
610

18.9.26.3.2 (L1) Ensure ‘Setup: Specify the maximum log file
size (KB)’ is set to

‘Enabled: 32,768 or greater’ (Scored)
……………………………………………………………………………
612

18.9.26.4.1 (L1) Ensure ‘System: Control Event Log behavior when
the log file

reaches its maximum size’ is set to ‘Disabled’ (Scored)
…………………………………………….. 614

18.9.26.4.2 (L1) Ensure ‘System: Specify the maximum log file
size (KB)’ is set to

‘Enabled: 32,768 or greater’ (Scored)
……………………………………………………………………………
616

18.9.30.2 (L1) Ensure ‘Configure Windows SmartScreen’ is set to
‘Enabled’ (Scored)

……………………………………………………………………………………………………………………………………………….
619

18.9.30.3 (L1) Ensure ‘Turn off Data Execution Prevention for
Explorer’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
621

18.9.30.4 (L1) Ensure ‘Turn off heap termination on corruption’
is set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
623

18.9.30.5 (L1) Ensure ‘Turn off shell protocol protected mode’
is set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
625

18.9.37.2 (L2) Ensure ‘Turn off location’ is set to ‘Enabled’
(Scored) …………………….. 628

18.9.41.1 (L2) Ensure ‘Allow Extensions’ is set to ‘Disabled’
(Scored) …………………… 630

18.9.41.2 (L2) Ensure ‘Allow InPrivate Browsing’ is set to
‘Disabled’ (Scored) ……. 632

18.9.41.3 (L1) Ensure ‘Configure cookies’ is set to ‘Enabled:
Block only 3rd-party

cookies’ or higher (Scored)
………………………………………………………………………………………………
634

18.9.41.4 (L1) Ensure ‘Configure Password Manager’ is set to
‘Disabled’ (Scored)636

18.9.41.5 (L2) Ensure ‘Configure Pop-up Blocker’ is set to
‘Enabled’ (Scored) …….. 638

18.9.41.6 (L1) Ensure ‘Configure search suggestions in Address
bar’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
640

18.9.41.7 (L1) Ensure ‘Configure SmartScreen Filter’ is set to
‘Enabled’ (Scored) . 642
20 | P a g e

18.9.41.8 (L2) Ensure ‘Prevent access to the about:flags page in
Microsoft Edge’ is

set to ‘Enabled’ (Scored)
…………………………………………………………………………………………………..
644

18.9.41.9 (L2) Ensure ‘Prevent bypassing SmartScreen prompts for
files’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
646

18.9.41.10 (L2) Ensure ‘Prevent bypassing SmartScreen prompts
for sites’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
648

18.9.41.11 (L2) Ensure ‘Prevent using Localhost IP address for
WebRTC’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
650

18.9.47.1 (L1) Ensure ‘Prevent the usage of OneDrive for file
storage’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
653

18.9.52.2.2 (L1) Ensure ‘Do not allow passwords to be saved’ is
set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
656

18.9.52.3.2.1 (L2) Ensure ‘Restrict Remote Desktop Services
users to a single

Remote Desktop Services session’ is set to ‘Enabled’ (Scored)
………………………………… 658

18.9.52.3.3.1 (L2) Ensure ‘Do not allow COM port redirection’ is
set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
660

18.9.52.3.3.2 (L1) Ensure ‘Do not allow drive redirection’ is
set to ‘Enabled’ (Scored)

……………………………………………………………………………………………………………………………………………….
662

18.9.52.3.3.3 (L2) Ensure ‘Do not allow LPT port redirection’ is
set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
664

18.9.52.3.3.4 (L2) Ensure ‘Do not allow supported Plug and Play
device redirection’

is set to ‘Enabled’ (Scored)
……………………………………………………………………………………………….
666

18.9.52.3.9.1 (L1) Ensure ‘Always prompt for password upon
connection’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
668

18.9.52.3.9.2 (L1) Ensure ‘Require secure RPC communication’ is
set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
670

18.9.52.3.9.3 (L1) Ensure ‘Set client connection encryption
level’ is set to ‘Enabled:

High Level’ (Scored)
………………………………………………………………………………………………………….
672

18.9.52.3.10.1 (L2) Ensure ‘Set time limit for active but idle
Remote Desktop

Services sessions’ is set to ‘Enabled: 15 minutes or less’
(Scored) ………………………….. 674

18.9.52.3.10.2 (L2) Ensure ‘Set time limit for disconnected
sessions’ is set to

‘Enabled: 1 minute’ (Scored)
……………………………………………………………………………………………
676

18.9.52.3.11.1 (L1) Ensure ‘Do not delete temp folders upon
exit’ is set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
678
21 | P a g e

18.9.52.3.11.2 (L1) Ensure ‘Do not use temporary folders per
session’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
680

18.9.53.1 (L1) Ensure ‘Prevent downloading of enclosures’ is set
to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
682

18.9.54.2 (L1) Ensure ‘Allow Cortana’ is set to ‘Disabled’
(Scored) ………………………… 684

18.9.54.3 (L1) Ensure ‘Allow Cortana above lock screen’ is set
to ‘Disabled’ (Scored)

……………………………………………………………………………………………………………………………………………….
686

18.9.54.4 (L1) Ensure ‘Allow indexing of encrypted files’ is set
to ‘Disabled’ (Scored)

……………………………………………………………………………………………………………………………………………….
688

18.9.54.5 (L1) Ensure ‘Allow search and Cortana to use location’
is set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
690

18.9.59.1 (L2) Ensure ‘Turn off KMS Client Online AVS
Validation’ is set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
692

18.9.61.1 (L2) Ensure ‘Disable all apps from Windows Store’ is
set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
694

18.9.61.2 (L1) Ensure ‘Turn off Automatic Download and Install
of updates’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
696

18.9.61.3 (L1) Ensure ‘Turn off the offer to update to the
latest version of Windows’

is set to ‘Enabled’ (Scored)
……………………………………………………………………………………………….
698

18.9.61.4 (L2) Ensure ‘Turn off the Store application’ is set to
‘Enabled’ (Scored) 700

18.9.69.3.1 (L2) Ensure ‘Join Microsoft MAPS’ is set to
‘Disabled’ (Scored) ………….. 704

18.9.69.8.1 (L2) Ensure ‘Configure Watson events’ is set to
‘Disabled’ (Scored)….. 706

18.9.73.1 (L2) Ensure ‘Allow suggested apps in Windows Ink
Workspace’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
708

18.9.73.2 (L1) Ensure ‘Allow Windows Ink Workspace’ is set to
‘Enabled: On, but

disallow access above lock’ OR ‘Disabled’ but not ‘Enabled: On’
(Scored) …………….. 710

18.9.74.1 (L1) Ensure ‘Allow user control over installs’ is set
to ‘Disabled’ (Scored)

……………………………………………………………………………………………………………………………………………….
712

18.9.74.2 (L1) Ensure ‘Always install with elevated privileges’
is set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
714

18.9.74.3 (L2) Ensure ‘Prevent Internet Explorer security prompt
for Windows

Installer scripts’ is set to ‘Disabled’ (Scored)
……………………………………………………………….
716

18.9.75.1 (L1) Ensure ‘Sign-in last interactive user
automatically after a system-

initiated restart’ is set to ‘Disabled’ (Scored)
……………………………………………………………….
718
22 | P a g e

18.9.84.1 (L1) Ensure ‘Turn on PowerShell Script Block Logging’
is set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
721

18.9.84.2 (L1) Ensure ‘Turn on PowerShell Transcription’ is set
to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
723

18.9.86.1.1 (L1) Ensure ‘Allow Basic authentication’ is set to
‘Disabled’ (Scored) . 725

18.9.86.1.2 (L1) Ensure ‘Allow unencrypted traffic’ is set to
‘Disabled’ (Scored) … 727

18.9.86.1.3 (L1) Ensure ‘Disallow Digest authentication’ is set
to ‘Enabled’ (Scored)

……………………………………………………………………………………………………………………………………………….
729

18.9.86.2.1 (L1) Ensure ‘Allow Basic authentication’ is set to
‘Disabled’ (Scored) . 731

18.9.86.2.2 (L2) Ensure ‘Allow remote server management through
WinRM’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
733

18.9.86.2.3 (L1) Ensure ‘Allow unencrypted traffic’ is set to
‘Disabled’ (Scored) … 735

18.9.86.2.4 (L1) Ensure ‘Disallow WinRM from storing RunAs
credentials’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
737

18.9.87.1 (L2) Ensure ‘Allow Remote Shell Access’ is set to
‘Disabled’ (Scored) ….. 739

18.9.90.1.1 (L1) Ensure ‘Select when Feature Updates are
received’ is set to

‘Enabled: Current Branch for Business, 180 days’ (Scored)
……………………………………… 742

18.9.90.1.2 (L1) Ensure ‘Select when Quality Updates are
received’ is set to

‘Enabled: 0 days’ (Scored)
………………………………………………………………………………………………..
744

18.9.90.2 (L1) Ensure ‘Configure Automatic Updates’ is set to
‘Enabled’ (Scored) 746

18.9.90.3 (L1) Ensure ‘Configure Automatic Updates: Scheduled
install day’ is set to

‘0 — Every day’ (Scored)
…………………………………………………………………………………………………….
748

18.9.90.4 (L1) Ensure ‘No auto-restart with logged on users for
scheduled automatic

updates installations’ is set to ‘Disabled’ (Scored)
………………………………………………………
750

19 Administrative Templates (User)
………………………………………………………………………………………
752

19.1 Control Panel
………………………………………………………………………………………………………………….
752

19.1.3.1 (L1) Ensure ‘Enable screen saver’ is set to ‘Enabled’
(Scored) …………………. 753

19.1.3.2 (L1) Ensure ‘Force specific screen saver: Screen saver
executable name’ is

set to ‘Enabled: scrnsave.scr’ (Scored)
…………………………………………………………………………..
755

19.1.3.3 (L1) Ensure ‘Password protect the screen saver’ is set
to ‘Enabled’ (Scored)

……………………………………………………………………………………………………………………………………………….
757

19.1.3.4 (L1) Ensure ‘Screen saver timeout’ is set to ‘Enabled:
900 seconds or fewer,

but not 0′ (Scored)
……………………………………………………………………………………………………………..
759
23 | P a g e

19.2 Desktop
……………………………………………………………………………………………………………………………
760

19.3 Network
…………………………………………………………………………………………………………………………..
760

19.4 Shared Folders
……………………………………………………………………………………………………………….
760

19.5 Start Menu and Taskbar
……………………………………………………………………………………………….
760

19.5.1.1 (L1) Ensure ‘Turn off toast notifications on the lock
screen’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
761

19.6 System
……………………………………………………………………………………………………………………………..
763

19.6.5.1.1 (L2) Ensure ‘Turn off Help Experience Improvement
Program’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
764

19.7 Windows Components
………………………………………………………………………………………………….
766

19.7.4.1 (L1) Ensure ‘Do not preserve zone information in file
attachments’ is set to

‘Disabled’ (Scored)
…………………………………………………………………………………………………………….
767

19.7.4.2 (L1) Ensure ‘Notify antivirus programs when opening
attachments’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
769

19.7.7.1 (L2) Ensure ‘Configure Windows spotlight on Lock
Screen’ is set to

Disabled’ (Scored)
……………………………………………………………………………………………………………..
771

19.7.7.2 (L1) Ensure ‘Do not suggest third-party content in
Windows spotlight’ is set

to ‘Enabled’ (Scored)
…………………………………………………………………………………………………………
773

19.7.7.3 (L2) Ensure ‘Turn off all Windows spotlight features’
is set to ‘Enabled’

(Scored)
……………………………………………………………………………………………………………………………….
775

19.7.26.1 (L1) Ensure ‘Prevent users from sharing files within
their profile.’ is set to

‘Enabled’ (Scored)
……………………………………………………………………………………………………………..
779

19.7.39.1 (L1) Ensure ‘Always install with elevated privileges’
is set to ‘Disabled’

(Scored)
……………………………………………………………………………………………………………………………….
783

19.7.43.2.1 (L2) Ensure ‘Prevent Codec Download’ is set to
‘Enabled’ (Scored) ….. 785

Appendix: Summary Table
……………………………………………………………………………………………………………
787

Appendix: Change History
…………………………………………………………………………………………………………….
815
24 | P a g e

Overview This document provides prescriptive guidance for
establishing a secure configuration

posture for Microsoft Windows Server. To obtain the latest
version of this guide, please

visit http://benchmarks.cisecurity.org. If you have questions,
comments, or have identified

ways to improve this guide, please write us at
[email protected]

Intended Audience

This document is intended for system and application
administrators, security specialists,

auditors, help desk, and platform deployment personnel who plan
to develop, deploy,

assess, or secure solutions that incorporate Microsoft Windows
Server.

Consensus Guidance

This benchmark was created using a consensus review process
comprised of subject

matter experts. Consensus participants provide perspective from
a diverse set

Содержание

Cis benchmark windows 10
Center for Internet Security (CIS) Benchmarks
About CIS Benchmarks
Microsoft and the CIS Benchmarks
Microsoft in-scope cloud platforms & services
Audits, reports, and certificates
How to implement
Frequently asked questions
Use Microsoft Compliance Manager to assess your risk
Cis benchmark windows 10
Solutions
Join CIS
Resources
Cis benchmark windows 10
Solutions
Join CIS
Resources
CIS Benchmarks: лучшие практики, гайдлайны и рекомендации по информационной безопасности
Критические элементы управления безопасностью
Инвентаризация авторизированных и неавторизованных устройств
Инвентаризация авторизированного и неавторизованного программного обеспечения
Безопасные конфигурации для аппаратного и программного обеспечения
Использование административных привилегий
Обслуживание, мониторинг и анализ журналов аудита
Защита электронной почты и веб-браузера
Защита от вредоносных программ
Ограничение и контроль сетевых портов
Возможность восстановления данных
Защищенные конфигурации для сетевых устройств
Защита данных

This repository contains PowerShell DSC code for the secure configuration of Windows according to the following hardening guidelines:

Center for Internet Security (CIS) Benchmarks

About CIS Benchmarks

The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model.

CIS benchmarks are configuration baselines and best practices for securely configuring a system. Each of the guidance recommendations references one or more CIS controls that were developed to help organizations improve their cyberdefense capabilities. CIS controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others.

Each benchmark undergoes two phases of consensus review. The first occurs during initial development when experts convene to discuss, create, and test working drafts until they reach consensus on the benchmark. During the second phase, after the benchmark has been published, the consensus team reviews the feedback from the internet community for incorporation into the benchmark.

CIS benchmarks provide two levels of security settings:

CIS Hardened Images are securely configured virtual machine images based on CIS Benchmarks hardened to either a Level 1 or Level 2 CIS benchmark profile. Hardening is a process that helps protect against unauthorized access, denial of service, and other cyberthreats by limiting potential weaknesses that make systems vulnerable to cyberattacks.

Microsoft and the CIS Benchmarks

The Center for Internet Security (CIS) has published benchmarks for Microsoft products and services including the Microsoft Azure and Microsoft 365 Foundations Benchmarks, the Windows 10 Benchmark, and the Windows Server 2016 Benchmark. The CIS Microsoft Azure Foundations Benchmark is intended for customers who plan to develop, deploy, assess, or secure solutions that incorporate Azure. The document provides prescriptive guidance for establishing a secure baseline configuration for Azure.

CIS benchmarks are internationally recognized as security standards for defending IT systems and data against cyberattacks. Used by thousands of businesses, they offer prescriptive guidance for establishing a secure baseline configuration. System and application administrators, security specialists, and others who develop solutions using Microsoft products and services can use these best practices to assess and improve the security of their applications.

Like all CIS benchmarks, the Microsoft benchmarks were created using a consensus review process based on input from subject matter experts with diverse backgrounds spanning software development, audit and compliance, security research, operations, government, and law. Microsoft was an integral partner in these CIS efforts. For example, Office 365 was tested against the listed services, and the resulting Microsoft 365 Foundations Benchmark covers a broad range of recommendations for setting appropriate security policies that cover account and authentication, data management, application permissions, storage, and other security policy areas.

In addition to the benchmarks for Microsoft products and services, CIS has published CIS Hardened Images on Azure configured to meet CIS Benchmarks and available from Microsoft Azure Marketplace. These images include the CIS Hardened Images for Windows Server 2016 and Windows Server 2019, as well as many versions of Linux. All CIS Hardened Images that are available in Azure Marketplace are certified to run on Microsoft Azure. As stated by CIS, ‘they have been pre-tested for readiness and compatibility with the Microsoft Azure public cloud, Microsoft Cloud Platform hosted by service providers through the Cloud OS Network, and on-premises private cloud Windows Server Hyper-V deployments managed by customers’.

CIS Hardened Images are securely configured virtual machine images based on CIS Benchmarks hardened to either a Level 1 or Level 2 CIS Benchmark profile. Hardening is a process that helps protect against unauthorized access, denial of service, and other cyber threats by limiting potential weaknesses that make systems vulnerable to cyber attacks. CIS Hardened Images are available on both Azure and Azure Government.

For additional customer assistance, Microsoft provides Azure Blueprints, which is a service that helps you deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. To help you deploy a core set of policies for any Azure-based architecture that must implement CIS Azure Foundations Benchmark recommendations, Microsoft has published the Azure Blueprint for CIS Microsoft Azure Foundations Benchmark. When assigned to an architecture, resources are evaluated by Azure Policy for compliance with assigned policy definitions.

Microsoft in-scope cloud platforms & services

Audits, reports, and certificates

Get a complete list of CIS benchmarks for Microsoft products and services.

How to implement

Frequently asked questions

Will following CIS Benchmark settings ensure the security of my applications?

CIS benchmarks establish the basic level of security for anyone adopting in-scope Microsoft products and services. However, they should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate its specific situation, workloads, and compliance requirements and tailor its environment accordingly.

How often are CIS Benchmarks updated?

The release of revised CIS Benchmarks changes depending on the community of IT professionals who developed it and on the release schedule of the technology the benchmark supports. CIS distributes monthly reports that announce new benchmarks and updates to existing benchmarks. To receive these, register for the CIS Workbench (it’s free) and check Receive newsletter in your profile.

Who contributed to the development of Microsoft CIS Benchmarks?

CIS notes that its ‘Benchmarks are developed through the generous volunteer efforts of subject matter experts, technology vendors, public and private CIS Benchmark community members, and the CIS Benchmark Development team.’ For example, you’ll find a list of Azure contributors on CIS Microsoft Azure Foundations Benchmark v1.0.0 Now Available.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization’s compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Источник

Cis benchmark windows 10

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world

Solutions

Secure Your Organization

Prioritized & simplified best practices

Help develop and maintain the Controls

Information security risk assessment method

Assess & measure Controls implementation

Secure Specific Platforms

100+ vendor-neutral configuration guides

Develop & update secure configuration guides

Assess system conformance to CIS Benchmarks

Virtual images hardened to CIS Benchmarks

Start secure and stay secure with integrated cybersecurity tools and resources designed to help you implement CIS Benchmarks and CIS Controls

U.S. State, Local, Tribal & Territorial Governments

Memberships

Cybersecurity resource for SLTT Governments

Election-focused cyber defense suite

Services for Members

Cost-effective Intrusion Detection System

Security monitoring of enterprises devices

Device-level protection and response

Savings on training and software

Prevent Connection to harmful web domains

Join CIS

Get Involved

Resources

Learn

Filter by Topic

Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world.

Secure Your Organization

Prioritized & simplified best practices

Information security risk assessment method

Help develop and maintain the Controls

Assess & measure Controls implementation

Secure Specific Platforms

100+ vendor-neutral configuration guides

Assess system conformance to CIS Benchmarks

Develop & update secure configuration guides

Virtual images hardened to CIS Benchmarks

Start secure and stay secure with integrated cybersecurity tools and resources designed to help you implement CIS Benchmarks and CIS Controls

U.S. State, Local, Tribal & Territorial Governments

Memberships

Cybersecurity resource for SLTT Governments

Election-focused cyber defense suite

Services for Members

Cost-effective Intrusion Detection System

Security monitoring of enterprises devices

Device-level protection and response

Savings on training and software

Prevent Connection to harmful web domains

Get Involved

Resources

Learn

Filter by Topic

Home • Resources • Platforms • Microsoft Intune for Windows 10

Securing Microsoft Intune for Windows 10 An objective, consensus-driven security guideline for the Microsoft Intune for Windows 10 Operating Systems.

An objective, consensus-driven security guideline for the Microsoft Intune for Windows 10 Operating Systems.

A step-by-step checklist to secure Microsoft Intune for Windows 10:

Download Latest CIS Benchmark

For Microsoft Intune for Windows 10 1.0.0 (CIS Microsoft Intune for Windows 10 Release 2004 Benchmark version 1.0.1)

CIS has worked with the community since 2020 to publish a benchmark for Microsoft Intune for Windows 10

Other CIS Benchmark versions:

For Microsoft Intune for Windows 10 (CIS Microsoft Intune for Windows 10 Release 2004 Benchmark version 1.0.0)

Источник

Cis benchmark windows 10

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world

Solutions

Secure Your Organization

Prioritized & simplified best practices

Help develop and maintain the Controls

Information security risk assessment method

Assess & measure Controls implementation

Secure Specific Platforms

100+ vendor-neutral configuration guides

Develop & update secure configuration guides

Assess system conformance to CIS Benchmarks

Virtual images hardened to CIS Benchmarks

Start secure and stay secure with integrated cybersecurity tools and resources designed to help you implement CIS Benchmarks and CIS Controls

U.S. State, Local, Tribal & Territorial Governments

Memberships

Cybersecurity resource for SLTT Governments

Election-focused cyber defense suite

Services for Members

Cost-effective Intrusion Detection System

Security monitoring of enterprises devices

Device-level protection and response

Savings on training and software

Prevent Connection to harmful web domains

Join CIS

Get Involved

Resources

Learn

Filter by Topic

Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world.

Secure Your Organization

Prioritized & simplified best practices

Information security risk assessment method

Help develop and maintain the Controls

Assess & measure Controls implementation

Secure Specific Platforms

100+ vendor-neutral configuration guides

Assess system conformance to CIS Benchmarks

Develop & update secure configuration guides

Virtual images hardened to CIS Benchmarks

Start secure and stay secure with integrated cybersecurity tools and resources designed to help you implement CIS Benchmarks and CIS Controls

U.S. State, Local, Tribal & Territorial Governments

Memberships

Cybersecurity resource for SLTT Governments

Источник

CIS Benchmarks: лучшие практики, гайдлайны и рекомендации по информационной безопасности

Центр интернет-безопасности (CIS) является некоммерческой организацией, которая разрабатывает собственные контрольные показатели и рекомендации, которые позволяют организациям совершенствовать свои программы обеспечения безопасности и соответствия требованиям. Эта инициатива направлена на создание базовых уровней конфигурации безопасности систем, которые обычно встречаются во всех организациях.

Для загрузки доступны несолько десятков гайдлайнов по безопасной настройке различных систем: Windows, Linux, OSX, MySQL, Cisco и многих других: learn.cisecurity.org/benchmarks

В этой статье я рассмотрю «Critical Security Controls Version 6.1» — чеклист проверки безопасности систем.

Критические элементы управления безопасностью

Инвентаризация авторизированных и неавторизованных устройств

Разверните системы автоматического обнаружения устройств и используйте их для создания предварительной инвентаризации систем, подключенных к общедоступным и частной сетям организации. Следует использовать как активные инструменты, которые сканируют диапазоны сетевых адресов IPv4 или IPv6, так и пассивные инструменты, которые идентифицируют хосты на основе анализа их трафика. Используйте сочетание активных и пассивных инструментов и применяйте их в рамках программы непрерывного мониторинга.

Если организация динамически назначает адреса с использованием DHCP, используйте эту информацию для улучшения инвентаризации устройств и обнаружении неизвестных систем.

Убедитесь, что все приобретенное оборудование будет добавлено в инвентаризационные списки.

Ведение списков инвентаризации всех систем, подключенных к сети и самих сетевых устройств, запись по меньшей мере сетевых адресов, имен машин, назначения каждой системы, владельца, ответственного за каждое устройство, и отдела, связанного с каждым устройством.
Инвентаризация должна включать в себя каждую систему с IP-адресом в сети, включая, но не ограничиваясь, АРМ, ноутбуками, серверами, сетевым оборудованием (маршрутизаторы, коммутаторы, брандмауэры и т. д.), принтерами, сетевыми накопителями, IP-телефонами и т. д.

Развертывание проверки уровня сети 802.1x для ограничения и управления подключением устройств к сети. Устройства, использующие 802.1x должны быть привязаны к данным инвентаризации для определения авторизированных или неавторизованных систем.

Используйте сертификаты для проверки подлинности систем перед подключением к частной сети.

Инвентаризация авторизированного и неавторизованного программного обеспечения

Создайте список авторизованного программного обеспечения и версии, которые требуются на предприятии для каждого типа системы, включая серверы, рабочие станции и ноутбуки различного назначения и использования. Этот список должен контролироваться средствами проверки целостности файлов, чтобы подтвердить, что авторизованное программное обеспечение не было изменено. Целостность файла проверяется как часть программы непрерывного мониторинга.

Используйте технологию «белого списка» приложений, которая позволяет системам запускать программное обеспечение только в том случае, если оно включено в белый список и предотвращает выполнение всего другого программного обеспечения в системе. Белый список может быть очень обширным, чтобы пользователи не испытывали неудобств при использовании общего программного обеспечения. Или, для некоторых специальных систем (которые требуют лишь небольшого количества программ для достижения необходимой функциональности бизнеса), белый список может быть довольно узким.

Система инвентаризации программного обеспечения должна отслеживать версию базовой операционной системы, а также приложений, установленных на ней. Системы инвентаризации программного обеспечения должны быть привязаны к инвентаризации оборудования, поэтому все устройства и связанное с ними программное обеспечение отслеживаются из единого источника.

Безопасные конфигурации для аппаратного и программного обеспечения

Установите стандартные безопасные конфигурации ваших операционных систем и программных приложений. (скачать их можно по ссылке в начале статьи).

Отслеживайте конфигурации, создавая безопасные образы установки, которые используются для создания всех новых систем, развернутых на предприятии. Регулярные обновления или исключения для этого образа должны быть интегрированы в процессы управления изменениями организации. Образы должны быть созданы для рабочих станций, серверов и других систем, используемых организацией.

Храните мастер-образы на безопасно настроенных серверах, проверенных с помощью инструментов проверки целостности. В качестве альтернативы, эти образы могут быть сохранены на автономных машинах.

Целостность файлов образов проверяется как часть программы непрерывного мониторинга.

Выполнять все удаленное администрирование серверов, рабочих станций, сетевых устройств и аналогичного оборудования по защищенным каналам. Протоколы, такие как telnet, VNC, RDP или другие, которые не поддерживают шифрование, должны использоваться только в том случае, если они выполняются по вторичному каналу шифрования, например SSL, TLS или IPSEC.

Используйте инструменты проверки целостности файлов, чтобы гарантировать, что критические системные файлы (в том числе чувствительные системные и прикладные исполняемые файлы, библиотеки и конфигурации) не были изменены. Проверки целостности должны идентифицировать подозрительные системные изменения, такие как: права владельца и разрешения на изменения файлов или каталогов; использование альтернативных потоков данных, которые могут быть использованы для скрытия вредоносных действий; и введение дополнительных файлов в ключевые системные области (что может указывать на вредоносную полезную нагрузку, оставленную злоумышленниками или дополнительными файлами, неумышленно добавленными в процессе пакетного распространения).Файловая целостность важных системных файлов проверяется как часть программы непрерывного мониторинга.

Запускайте автоматические инструменты выявления уязвимостей для всех систем в сети на еженедельной или более частой основе и отправляйте приоритетные списки наиболее критических уязвимостей каждому ответственному лицу.

Подпишитесь на рассылки по информации об уязвимостях (security-list, bugtraq), чтобы быть в курсе возникающих рисков и оперативно регагировать. Кроме того, убедитесь, что используемые вами инструменты выявления уязвимостей регулярно обновляются.

Разверните автоматизированные инструменты патч-менеджмента для обновления программного обеспечения для операционной системы и программного обеспечения / приложений на всех системах. Патчи должны применяться ко всем системам, даже автономным.

Использование административных привилегий

Минимизируйте административные привилегии, используйте административные учетные записи, только когда они необходимы. Внедрите целенаправленный аудит по использованию административных привилегированных аккаунтов и контролируйте аномальное поведение.

Используйте автоматические инструменты для инвентаризации всех административных учетных записей и подтвердите, что каждый сотрудник с правами администратора полномочно наделен этими правами в рамках своей деятельности.

Перед развертыванием любых новых устройств в сетевой среде измените все пароли по умолчанию для приложений, операционных систем, маршрутизаторов, брандмауэров, точек беспроводного доступа и других систем.

Настройте системы журналирования и предупреждения, в случае когда учетная запись добавлена или удалена из группы администраторов домена или когда в систему добавлена новая учетная запись локального администратора.

Настройте системы журналирования и предупреждения о любом неуспешном входе в административную учетную запись.

Используйте многофакторную аутентификацию для всего административного доступа, включая доступ к администратору домена. Многофакторная аутентификация может включать в себя множество методов, включая использование смарт-карт, сертификатов, токенов, биометрических данных или других подобных методов аутентификации.

Администраторы должны использовать выделенный компьютер для всех административных задач или задач, требующих повышенного доступа. Эта машина должна быть изолирована от основной сети организации и не иметь доступа к Интернету. Эта машина не должна использоваться для чтения электронной почты, составления документов или серфинга в Интернете.

Обслуживание, мониторинг и анализ журналов аудита

Включите как минимум два синхронизированных источника времени, из которых все серверы и сетевое оборудование регулярно должны получать информацию о времени, для того чтобы метки времени в журналах были согласованы.

Подтвердите параметры журнала аудита для каждого аппаратного устройства и установленного на нем программного обеспечения, чтобы журналы включали дату, временную метку, исходные адреса, адреса назначения и любую другую системную информацию. Системы должны записывать журналы в стандартизованном формате, таком как записи системного журнала или те, которые описаны в инициативе Common Expression (на сайте CIS). Если системы не могут генерировать журналы в стандартизованном формате, необходимо использовать инструменты нормализации и преобразования журналов в такой формат.

Убедитесь, что все системы, в которых хранятся журналы, имеют достаточное место для хранения журналов. Журналы должны архивироваться и подписываться цифровой подписью на периодической основе.

Настройте сетевые пограничные устройства, в том числе брандмауэры, сетевые IPS, входящие и исходящие прокси, чтобы достаточно подробно зарегистрировать весь трафик (как разрешенный, так и заблокированный).

Разверните SIEM (Security Information and Event Management) и для агрегации и консолидации журналов с нескольких компьютеров и для корреляции и анализа журналов. Используя инструмент SIEM, системные администраторы и сотрудники службы безопасности должны разрабатывать профили общих событий из заданных систем, для настройки обнаружения аномалий.

Защита электронной почты и веб-браузера

Убедитесь, что в организации разрешено использовать только полностью поддерживаемые веб-браузеры и почтовые клиенты, в идеале — только самую последнюю версию браузеров,, чтобы использовать последние функции безопасности и исправления.

Удалите или отключите любые ненужные или несанкционированные браузеры или почтовые клиентские плагины/приложения.

Ограничьте использование ненужных языков сценариев во всех веб-браузерах и почтовых клиентах. Это включает использование таких языков, как ActiveX и JavaScript, в системах, где нет необходимости поддерживать такие возможности.

Организация должна поддерживать и применять сетевые фильтры URL-адресов, которые ограничивают способность системы подключаться к веб-сайтам, не утвержденным организацией. Организация должна подписаться на службы категоризации (блэк-листинг) URL-адресов, чтобы обеспечить их актуальность с использованием последних определений категорий веб-сайтов. Некатегоризированные сайты блокируются по умолчанию. Эта фильтрация должна применяться для каждой из систем организации.

Чтобы снизить вероятность подмену сообщений электронной почты, внедрите SPF.

Включите фильтрацию содержимого электронной почты и фильтрацию веб-контента. Y

Защита от вредоносных программ

Используйте автоматизированные инструменты для постоянного мониторинга рабочих станций, серверов и мобильных устройств с помощью антивирусных программ, брандмауэров и IPS. Все события обнаружения вредоносных программ должны быть отправлены на серверные средства администрирования антивирусной защиты и серверы журналов событий.

Используйте программное обеспечение для защиты от вредоносных программ, которое предлагает централизованную инфраструктуру, которая собирает информацию о репутации файлов. После применения обновления автоматизированные системы должны проверить, что каждая система получила обновление.

Настройте ноутбуки, рабочие станции и серверы, чтобы они не могли автоматически запускать контент со съемных носителей, таких как USB-флешки, жесткие диски USB, CD / DVD-диски, устройства FireWire и смонтированные сетевые ресурсы. Настройте системы так, чтобы они автоматически проводили сканирование съемных носителей.

Используйте сетевые средства защиты от вредоносных программ, чтобы идентифицировать исполняемые файлы во всем сетевом трафике и использовать методы, отличные от обнаружения на основе сигнатур, для выявления и отфильтровывания вредоносного контента до того, как он достигнет конечной точки — применяйте превентивные меры защиты.

Ограничение и контроль сетевых портов

Убедитесь, что в каждой системе работают только порты, протоколы и службы с необходимыми бизнес-потребностями.

Выполняйте автоматическое сканирование портов на регулярной основе по всем ключевым серверам. Если обнаружено изменение, которое не указано в утвержденной профиле сервера организации, необходимо создать предупреждение проверить порт.

Разместите брандмауэры приложений перед любыми критическими серверами для проверки трафика, идущего на сервер. Любые несанкционированные попытки доступа или трафик должны быть заблокированы и и предупреждение.

Возможность восстановления данных

Убедитесь, что для каждой системы автоматически создается регламентная резервная копия, а для систем, хранящих конфиденциальную информацию это делается еще чаще.

Чтобы обеспечить возможность быстрого восстановления системы из резервной копии, операционная система, прикладное программное обеспечение и данные на АРМ должны быть включены в общую процедуру резервного копирования. Эти три компонента системы не обязательно должны быть включены в один и тот же файл резервной копии или использовать одно и то же программное обеспечение для резервного копирования. С течением времени должно быть несколько резервных копий, так что в случае заражения вредоносными программами восстановление может осуществляться из версии, которая предшествует первоначальной инфекции. Все политики резервного копирования должны соответствовать нормативным или официальным требованиям.

Убедитесь, что резервные копии надежно защищены с помощью физической безопасности или шифрования при их сохранении, а также при перемещении по сети. Сюда входят удаленные резервные копии и облачные сервисы.

Защищенные конфигурации для сетевых устройств

Сравните конфигурацию брандмауэра, маршрутизатора или коммутатора со стандартными безопасными конфигурациями, определенными для каждого типа сетевого устройства, используемого в организации. Конфигурация безопасности таких устройств должна быть документирована, проверена и одобрена службой ИТ/ИБ. Любые отклонения от стандартной конфигурации или обновления стандартной конфигурации должны быть задокументированы и одобрены в системе управления изменениями.

Все новые правила конфигурации, помимо базовой настройки, которые позволяют трафику проходить через устройства сетевой безопасности, такие как брандмауэры и сетевые IPS, должны быть задокументированы и записаны в системе управления конфигурацией с конкретной бизнес-причиной для каждого изменения и лицом, ответственным за бизнес-потребность.

Используйте автоматические инструменты для проверки стандартных конфигураций устройств и обнаружения изменений. Все изменения в таких файлах должны регистрироваться и автоматически сообщаться сотрудникам службы безопасности.

Установите последнюю стабильную версию любых связанных с безопасностью обновлений на всех сетевых устройствах.

Сетевые инженеры должны использовать выделенный компьютер для всех административных задач или задач, требующих повышенного доступа. Эта машина должна быть изолирована от основной сети организации и не иметь доступа к Интернету. Эта машина не должна использоваться для чтения электронной почты, составления документов или серфинга в Интернете.

Разверните сетевые агенты IDS в DMZ-системах и сетях, которые выявят аномалии и обнаружат компрометацию этих систем. Они могут обнаруживать атаки посредством использования сигнатур, анализа поведения или других механизмов для анализа трафика.

Защита данных

Выполните оценку данных для идентификации конфиденциальной информации, требующей применения средств шифрования и целостности.

Разверните утвержденное программное обеспечение для шифрования жесткого диска для устройств и систем, содержащих конфиденциальные данные.

Используйте сетевые решения DLP для мониторинга и управления потоком данных в пределах сети. Любые аномалии, которые превышают обычные модели трафика следует отметить и принять соответствующие меры по их устранению.

Источник

The following CIS Benchmarks have been updated or released. We’ve highlighted the major updates below. Each Benchmark includes a full changelog that can be referenced to see all changes made.

New CIS Benchmarks Released in April

New CIS MongoDB 6 Benchmark v1.0.0

Our team has devoted significant time and effort to creating the content of this Benchmark, ensuring it is relevant and valuable to Members. Here’s a quick overview:

Support and validated CIS-CAT Pro coverage for MongoDB 6 is included
Recommendations from MongoDB versions 4 and 5 are included, and some were revised to reflect the MongoDB 6 platform
Support for macOS, Windows, and Linux platforms

A huge thank you to the CIS MongoDB Community team for making this Benchmark happen. Special thanks go to Matt Reagan, Vinesh Redkar, and Pralhad Chaskar!