Product Name
CIS Build Kit
Product Version
All
Date/
Problem
| Info |
|---|
[Blank] isn’t working after applying a CIS Build Kit |
Solution
Search through the benchmark for the remediation that is causing the impact
Have a general statement, then a specific example
Through searching keywords, you should find which recommendations are causing the issue and then reverse the remediation directions to turn the recommendation off.
For example, if you are using Windows 2016 Server and you are having an issue with the RDP configuration, you should:
Login to CIS WorkBench - https://workbench.cisecurity.org/
Go to Benchmarks on the top Navigation bar
Search for Windows Server 2016 STIG
Download the PDF version of the Benchmark
Search for the word ‘RDP’ or other related words such as 'remote connection' using ctr+f
Go to the recommendations related to RDP and remote connections
Recommendation
18.9.59.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' (Automated)Relates to RDP.Read the recommendation
Under the Remediation section, there is an explanation on of how to enable or disable the recommendation.
Rinse and repeat for each issue you are having.
With all Build Kit applications, we highly suggest not starting in any type of production environment. Rather, make a test OU or use a test system first to harden the individual machine. Once you have verified that the Build Kit is properly applied and has passed an Assessor scan to your satisfaction, you can then add your existing policies to the OU/ system. Once you know that this golden image works as anticipated within all of your organization's GPOs and CIS’s GPOs in one OU, you can then consider rolling it out to production.
We also suggest that for the Windows systems, an experienced SysAdmin or someone with strong working knowledge of Active Directory be the one to begin the initial deployment and testing.
For Windows: They are not, in and of themselves scripts but are collections of GPOs. For Windows, you will import the GPO collections into your Active Directory and use these to harden the system. (So it is a combination of manual and automatic.)
These Windows Build Kits are intended to be used with Active Directory and are not designed for stand-alone or cloud-based systems.
If you navigate to the WorkBench Recorded Webinars page, you can view the following SecureSuite Member® Webinar series exclusively about using our Build Kits and setting up your environment. I have watched and used the information from them myself.
CIS SecureSuite 101: A Step-by-Step Guide to System Hardening – Small Business/Government Training Series:
Session 1: First Steps and Choosing a System to Harden
Session 2: Run a Scan with CIS-CAT Pro Assessor
Session 3: How to Use a CIS-CAT HTML Report
Session 4: Configure Systems with CIS Build Kit
as well as:
Build Kits 101 - Windows 10 Implementation
| Note |
|---|
Highlight important information |
| Note |
|---|
For more information on Build Kits please see the following support articles: |
Keywords;
Content by Label
| Filter by label (Content by label) | ||||||
|---|---|---|---|---|---|---|
|
| Page Properties | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||
|