CIS Logo
tagline: Confidence in the Connected World

Update: Benchmarks for Windows

By: Jordan C. Rakoske

We have exciting news about our Windows releases! Over the past year and a half, our Windows community has worked very hard reviewing all of the benchmarks that we had previously released as well as focusing on the new upcoming line of Windows OS's (Windows 10 and Server 2016). Our first big updates released were our Windows 8.1 v2.0.0, Server 2012 R2 v2.0.0, and Windows 10 v1.0.0. Since then we have spent months reviewing all of the new and old Windows settings across all of our Windows Benchmarks. We worked closely with Aaron Margosis and Rick Munck from Microsoft to answer any technical questions that came up in the community and to help address some items within Microsoft Group Policy Templates.

On April 29, 2016, we released complete rewrites to our CIS Microsoft Windows 7 Benchmark v2.1.0 and CIS Microsoft Windows Server 2008 R2 Benchmark v2.1.0. The new version numbers will be get pushed to v3.0.0 because of the massive amount of new additions and changes in these benchmarks. We also released updates to the following benchmarks: CIS Microsoft Windows 8.1 Benchmark v2.2.0, CIS Microsoft Windows Server 2012 R2 Benchmark v2.2.0, and CIS Microsoft Windows 10 Enterprise (Release 1511) Benchmark v1.1.0, which will align all five of these benchmarks so that we maintain the utmost consistency within our benchmarks.

We also have released updated remediation kits along with each release that contain all of the GPO settings for each version of our benchmarks. The GPOs are available for download for all of our Benchmarks members. These GPOs can be imported into an end user’s environment and tailored to the required level of security. In addition, we included some scripts and readme files within the remediation kits so that a non-domain machine can be hardened.

A Few Tips I Like to Share

  • Please take time to review the PDF documents, even if you are skimming through them and only pulling out the items you either won’t be applying or will be modifying to suit your needs. We include a checklist at the end of the benchmark document that you can use to quickly view each recommendation and check off ones that you will be addressing.
  • Do not just apply the GPOs and do your scans. Make sure you understand which settings you are applying to each system. The point of applying this is to lock down the systems but also to understand the level of security that is being applied to these systems.
  • It is OK if you can’t apply everything! These settings are meant to be restrictive in some ways, so not every setting will be able to be applied to all systems.
  • Take a scan of your system prior to applying any of the remediation (CIS-CAT is available to all of our members to download). This will give you a good picture of what the system looked like prior to its being hardened.
  • Test, Test, and Test again... I can’t stress this enough. If you have the ability to test in your environment, please do so. Every environment is different, so you always want to test your configurations prior to rolling this into production.

I know some of these seem pretty basic, but sometimes I think a lot of folks are in a hurry to apply remediation and end up just applying without going through and taking a deep dive first. Knowing exactly what you have and have not applied is key when it comes to system security.

In addition to the docs and remediation kits, we will also be releasing some supporting documentation as well, thanks to one of our Windows editors, Haemish Edgerton, who put together some excellent spreadsheets that outline all of the settings within our benchmark and help make it easier to see what the GPOs look like. These documents will be available to download from the Files tab within the Windows community.

I would like to thank all of the folks in the Windows community who helped make these benchmark what they are today. I would also like to give special thanks to Haemish Edgerton, Hardeep Mehrotara, Kevin Zhang, Adam Montville, Jason Braun, and Mike Harris.