Update: CIS Microsoft Windows 10 Enterprise (Release 1703) Benchmark v1.0.0

We are excited to announce we have released an update to the CIS Microsoft Windows 10 Benchmark.

The updated CIS Microsoft Windows 10 Enterprise (Release 1703) Benchmark adds recommendations that close off known attack paths, such as disabling SMBv1, and covers the settings introduced in the 1703 release of Windows. We have also enhanced the documentation by listing which ADMX templates are needed for each section. The ReadMe for the Remediation Kit has been revised with more detailed deployment guidance, to help with end-user deployment and reduce related support requests.

The Remediation Kit is live, and assessment content will ship in the upcoming release of CIS-CAT.

What’s new/changed in this release:

Updated 

  • 2.3.11.4 (L1) Ensure ‘Network security: Configure encryption types allowed for Kerberos’ is set to ‘AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types’
  • 2.3.11.6 (L1) Ensure ‘Network security: Force logoff when logon hours expire’ is set to ‘Enabled’ – changed to Unscored
  • 18.9.30.2 (L1) Ensure ‘Configure Windows Defender SmartScreen’ is set to ‘Enabled: Warn’
  • Rename and Reorder ‘18.7 – SCM: Pass the Hash Mitigations’ to ‘18.3 – MS Security Guide’
  • 19.7.7.1 (L2 -> L1) Ensure ‘Configure Windows spotlight on Lock Screen’ is set to ‘Disabled’
  • MOVE & RENAME – 18.9.30.2 (L1) Ensure ‘Configure Windows SmartScreen’ is set to ‘Enabled’
  • 18.9.41.6 (L1 -> L2) Ensure ‘Configure search suggestions in Address bar’ is set to ‘Disabled’
  • 9.3.4 (L1) Ensure ‘Windows Firewall: Public: Settings: Display a notification’ is set to ‘Yes’ – changed to ‘No’
  • RENAME – 18.9.72 ‘Windows Defender’ section to ‘Windows Defender Antivirus’
  • MOVE & RENAME – 18.9.41.7 (L1) Ensure ‘Configure SmartScreen Filter’ is set to ‘Enabled’
  • MOVE & RENAME – 18.9.41.9 (L2) Ensure ‘Prevent bypassing SmartScreen prompts for files’ is set to ‘Enabled’
  • MOVE & RENAME – 18.9.41.10 (L2) Ensure ‘Prevent bypassing SmartScreen prompts for sites’ is set to ‘Enabled’
  • 18.9.95.1.2 (L1) Ensure ‘Select when Feature Updates are received’ is set to ‘Enabled: Current Branch for Business, 180 days’
  • 5 (L2 -> L1) Ensure ‘Xbox Live Auth Manager (XblAuthManager)’ is set to ‘Disabled’
  • 5 (L2 -> L1) Ensure ‘Xbox Live Game Save (XblGameSave)’ is set to ‘Disabled’
  • 5 (L2 -> L1) Ensure ‘Xbox Live Networking Service (XboxNetApiSvc)’ is set to ‘Disabled’

New

  • 18.3 (L1) Ensure ‘Configure SMB v1 client driver’ is set to ‘Enabled: Disable driver’
  • 18.3 (L1) Ensure ‘Configure SMB v1 server’ is set to ‘Disabled’
  • 18.3 (L1) Ensure ‘Enable Structured Exception Handling Overwrite Protection (SEHOP)’ is set to ‘Enabled’
  • 18.3 (L1) Ensure ‘Turn on Windows Defender protection against Potentially Unwanted Applications’ is set to ‘Enabled’
  • 18.8.4 (L1) Ensure ‘Remote host allows delegation of non-exportable credentials’ is set to ‘Enabled’
  • 18.9.11 (BL) Ensure ‘Disable new DMA devices when this computer is locked’ is set to ‘Enabled’
  • 18.9.16 (L2) Ensure ‘Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service’ is set to ‘Enabled: Disable Authenticated Proxy usage’
  • 18.9.42 (L1) Ensure ‘Block all consumer Microsoft account user authentication’ is set to ‘Enabled’
  • 18.9.43 (L2) Ensure ‘Allow Address bar drop-down list suggestions’ is set to ‘Disabled’
  • 19.7.7 (L2) Ensure ‘Do not use diagnostic data for tailored experiences’ is set to ‘Enabled’
  • 5 (L1) Ensure ‘Xbox Accessory Management Service (XboxGipSvc)’ is set to ‘Disabled’
  • 5 (L1) Ensure ‘Xbox Game Monitoring (xbgm)’ is set to ‘Disabled’
  • 18.9.43 (L2) Ensure ‘Allow Adobe Flash’ is set to ‘Disabled’
  • 18.9.43 (L1) Ensure ‘Configure the Adobe Flash Click-to-Run setting’ is set to ‘Enabled’
  • New sections from Windows 10 Release 1703 Administrative Templates
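
The SMBv1 client and server recommendations, SEHOP, and the updated Kerberos encryption-type setting (2.3.11.4) all come down to a single registry value written by the corresponding Group Policy setting. The following PowerShell audit is an added example written for this page; it is not part of the benchmark or the Remediation Kit. The registry paths and expected values are the ones the editor understands the SecGuide and Kerberos ADMX templates to write, and the benchmark's own Audit section for each recommendation remains the authority. Run it elevated.

```powershell
# Added example (editor's own, not CIS content): spot-check four of this
# release's recommendations by reading the registry values the matching
# Group Policy settings write. Paths/values are editor assumptions drawn
# from the SecGuide and Kerberos ADMX templates; confirm against the
# benchmark's Audit procedure before relying on them.

$checks = @(
    @{ Id = '18.3';     Title = 'Configure SMB v1 client driver = Enabled: Disable driver'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10'
       Name = 'Start';                           Expected = 4 },
    @{ Id = '18.3';     Title = 'Configure SMB v1 server = Disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1';                            Expected = 0 },
    @{ Id = '18.3';     Title = 'Enable SEHOP = Enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
       Name = 'DisableExceptionChainValidation'; Expected = 0 },
    @{ Id = '2.3.11.4'; Title = 'Kerberos encryption types = AES128, AES256, Future'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
       # 0x7FFFFFF8: AES128 (8) + AES256 (16) + all "future" bits; RC4/DES bits clear.
       Name = 'SupportedEncryptionTypes';        Expected = 2147483640 }
)

function Test-CisValue {
    param([hashtable]$Check)
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name)
    } catch {
        # Value absent: policy is "Not Configured", so the OS default applies.
        # On 1703 that default leaves SMB1 enabled and RC4 allowed for Kerberos,
        # so absence is reported as a FAIL rather than silently skipped.
    }
    $status = if ($null -ne $actual -and $actual -eq $Check.Expected) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        Id             = $Check.Id
        Recommendation = $Check.Title
        Expected       = $Check.Expected
        Actual         = $actual
        Status         = $status
    }
}

$results = $checks | ForEach-Object { Test-CisValue -Check $_ }
$results | Format-Table -AutoSize

# The registry reflects what policy intends; confirm the live state as well,
# since a pending reboot or a conflicting local setting can leave SMB1 running.
$smb = Get-SmbServerConfiguration
"SMB1 currently enabled on the server side: $($smb.EnableSMB1Protocol)"
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1 optional feature state: $($feat.State)"
```

The script deliberately reports a missing value as FAIL: for these four settings the unconfigured default is the weaker state, so "Not Configured" is not the same as compliant. The final two commands matter on hosts where the policy was just applied, because the MrxSmb10 Start value only takes effect after a reboot.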

Removed

  • 18.9.5 All ‘Let Windows apps access’ recommendations
  • 9.1.5 (L1) Ensure ‘Windows Firewall: Domain: Settings: Apply local firewall rules’ is set to ‘Yes (default)’
  • 9.1.6 (L1) Ensure ‘Windows Firewall: Domain: Settings: Apply local connection security rules’ is set to ‘Yes (default)’
  • 9.2.6 (L1) Ensure ‘Windows Firewall: Private: Settings: Apply local connection security rules’ is set to ‘Yes (default)’
  • 9.2.5 (L1) Ensure ‘Windows Firewall: Private: Settings: Apply local firewall rules’ is set to ‘Yes (default)’

Special thanks to the Windows Editor Team (Haemish Edgerton and Kevin Zhang) and the CIS Windows Community for all of the hard work and feedback during the development of this benchmark.

Looking ahead

We are now working on the benchmark for Release 1709, which has just shipped, and we hope to be on track for quicker releases going forward.