
CIS Controls Assessment Module for Microsoft Windows Server

CIS is pleased to offer the capability for organizations to measure their application of the CIS Controls in Microsoft Windows Server using CIS-CAT, a configuration assessment tool. Assessment for Microsoft Windows 10 is also available.

Prioritizing cybersecurity best practices

The CIS Controls are a prioritized set of actions to protect your organization and data from known cyber-attack vectors. There are 20 CIS Controls that break down into 171 Sub-Controls, which are prioritized into Implementation Groups. CIS Controls Implementation Group 1 contains 43 Sub-Controls and represents essential cybersecurity best practices that all organizations should strive to implement. The CIS Controls Assessment Module is a semi-automated way to assess Implementation Group 1, using a combination of scripts and survey questions.


Leveraging CIS-CAT

The CIS Controls Assessment Module runs inside CIS-CAT, a configuration assessment tool. It’s available in both CIS-CAT Lite, a free version, and CIS-CAT Pro Assessor (starting with v4.0.14), which is available as part of CIS SecureSuite Membership. The module leverages CIS-CAT’s ability to conduct both local and remote assessments.

The results are compatible with CIS-CAT Pro Dashboard, allowing CIS SecureSuite Members to view individual assessment results and generate graphs to show compliance over time.

Uploading your results to CIS-CAT Pro Dashboard allows you to see summaries of your assessments, including color-coded PASS/FAIL results for each check in the Results View.

[Screenshot: CIS-CAT Pro Dashboard Results View, automated checks]

The CIS Controls View provides the same information, except checks are organized by Control.

[Screenshot: CIS-CAT Pro Dashboard CIS Controls View, CIS Control 8]

You can also see a graph of your scores over time to monitor your progress.

[Screenshot: CIS-CAT Pro Dashboard Benchmark View, scores over time]

Assessable platforms

The CIS Controls Assessment Module for Microsoft Windows Server environments complements the existing CIS Controls Assessment Module for Microsoft Windows 10. While the new addition is designed primarily for Microsoft Windows Server 2016, this module can also be used to assess other Microsoft Windows Server versions. Simply set “ignore.platform.mismatch=true” in the assessor-cli.properties file in the Assessor config folder, and the CIS Controls Assessment Module for Microsoft Windows Server will be able to assess machines running other versions such as Microsoft Windows Server 2019.

How does the module work?

PowerShell scripts are used to automate 14 of the CIS Sub-Controls in Implementation Group 1: 3.4, 4.2, 6.2, 8.2, 8.4, 8.5, 9.4, 10.1, 10.2, 10.4, 13.6, 15.7, 16.9, and 16.11. Some have customizable values that can be configured to better fit your organization. (Note: these values are set in the Assessor Properties file, which is different from tailoring in CIS WorkBench.) These values include minimum password length, days allowed between backups, days of inactivity before an account is considered dormant, and maximum allowable seconds for the screen timeout.

These automated checks focus on native Microsoft Windows functionality including:

  • Microsoft Windows Server Backup (for CIS Sub-Controls 10.1, 10.2, and 10.4)
  • Microsoft Windows Defender (for CIS Sub-Controls 8.2 and 8.4)
  • BitLocker (for CIS Sub-Controls 10.4 and 13.6)
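To show what threshold-driven checks of this kind look like in practice, here is an added PowerShell illustration written for this page; it is not the module's own script, and the four threshold values are assumed sample settings rather than CIS defaults. It reads the same native sources the module targets (local security policy, Windows Server Backup, local accounts and the screen-saver timeout) and reports PASS/FAIL against each configurable value.

```powershell
# Added illustration, not the CIS Controls Assessment Module's own scripts.
# Thresholds are assumed sample values; set them to your organization's policy.
# Run in an elevated session (the secedit export needs administrator rights).
$Thresholds = @{
    MinPasswordLength   = 14   # characters
    MaxDaysSinceBackup  = 7    # days
    DormantAccountDays  = 45   # days of inactivity
    MaxScreenTimeoutSec = 900  # seconds
}

function Get-Verdict([bool]$Ok) { if ($Ok) { 'PASS' } else { 'FAIL' } }

function Get-MinimumPasswordLength {
    # Export the local security policy and read MinimumPasswordLength from [System Access].
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $m = Select-String -Path $cfg -Pattern '^MinimumPasswordLength\s*=\s*(\d+)'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 0 }
}

function Get-LastSuccessfulBackup {
    # Windows Server Backup reports its last successful run via Get-WBSummary.
    if (Get-Command Get-WBSummary -ErrorAction SilentlyContinue) {
        (Get-WBSummary).LastSuccessfulBackupTime
    }
}

function Get-DormantLocalAccounts([int]$Days) {
    # Enabled local accounts that never logged on, or not within the last $Days days.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-LocalUser | Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) }
}

function Get-ScreenSaverTimeout {
    # The policy key takes precedence over the per-user setting; both hold seconds as a string.
    foreach ($key in 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
                     'HKCU:\Control Panel\Desktop') {
        $v = (Get-ItemProperty $key -Name ScreenSaveTimeOut -ErrorAction SilentlyContinue).ScreenSaveTimeOut
        if ($v) { return [int]$v }
    }
}

function Invoke-ThresholdChecks {
    $pw = Get-MinimumPasswordLength; $backup = Get-LastSuccessfulBackup
    $dormant = @(Get-DormantLocalAccounts $Thresholds.DormantAccountDays); $timeout = Get-ScreenSaverTimeout
    [pscustomobject]@{ Check = 'Minimum password length'; Actual = $pw; Result = Get-Verdict ($pw -ge $Thresholds.MinPasswordLength) }
    [pscustomobject]@{ Check = 'Last successful backup'; Actual = $backup; Result = Get-Verdict ($backup -and $backup -gt (Get-Date).AddDays(-$Thresholds.MaxDaysSinceBackup)) }
    [pscustomobject]@{ Check = 'Dormant local accounts'; Actual = ($dormant.Name -join ','); Result = Get-Verdict ($dormant.Count -eq 0) }
    [pscustomobject]@{ Check = 'Screen timeout (seconds)'; Actual = $timeout; Result = Get-Verdict ($timeout -and $timeout -le $Thresholds.MaxScreenTimeoutSec) }
}

Invoke-ThresholdChecks | Format-Table -AutoSize
```

A missing Windows Server Backup feature or an unset screen-saver timeout is reported as FAIL rather than skipped, since an absent control is a finding, not an unknown.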

Some CIS Sub-Controls are more procedural in nature and don’t lend themselves to automation. For instance, many of the Organizational CIS Sub-Controls (CIS Controls 17-20) fall into this category. Survey questions are used to address these CIS Sub-Controls. Self-assessed answers can be saved in the Assessor Properties file and will be applied to any CIS Controls Assessment Module scans. When something changes (e.g., when your organization implements a new CIS Sub-Control), these answers can be updated for future assessments. Alternatively, questions can be set to be answered interactively by modifying the Assessor Properties file. Any interactive questions will be asked on the command line in CIS-CAT Pro Assessor for each of the machines in the assessment.

There are three profiles available using the CIS Controls Assessment Module, allowing you to run:

  1. Automated checks only
  2. Survey questions only
  3. Both the automated checks and the survey questions for full coverage of Implementation Group 1

Growing together

At CIS, we believe in collaboration. Working with a global community to develop, validate, and promote cybersecurity best practices is what we’re all about. So, where should the CIS Controls Assessment Module go next? We’d love to hear your thoughts! Join the CIS Controls Assessment Module community and help us grow this feature. It’s all taking place on our collaborative CIS WorkBench forums.

Start assessing your application of the CIS Controls

Anyone can get started with the CIS Controls Assessment Module using CIS-CAT Lite.


CIS SecureSuite Members can also access full reporting features with CIS-CAT Pro Dashboard and more on CIS WorkBench. Membership offers many other benefits for your organization. Click the link below to learn more and get started.