Product Name
CIS Build Kit
Product Version
All
Date/
Problem
| Info |
|---|
[Blank] isn’t working after applying a CIS Build Kit |
Solution
Here are some initial tips to help you resolve the issue.
First, it may be helpful to revert back to a working policy in your production environment and continue testing in a test environment.
Secondly, prior to applying a Build Kit, verify that the most recent Microsoft Windows Administrative Templates have been downloaded directly from Microsoft and applied to the system. Applying the Build Kit to a system without proper testing and review will result in a negative impact within your environment. It is a time consuming process to fix.
Lastly, it is important to read the Build Kit README before getting started with Build Kits.
If you have not done so, please read through the BuildKit README that is included with your BuildKit.
If you are still having trouble after following the above tips, keep reading to see how to turn off the recommendation that may be causing the negative impact.
Search through the benchmark for the remediation that is causing the impact
Through searching keywords, you should find which recommendations are causing the issue and then reverse the remediation directions to turn the recommendation off.
For example, if you are using Windows 2016 Server and you are having an issue with the RDP configuration, you should:
Login to CIS WorkBench - https://workbench.cisecurity.org/
Go to Benchmarks on the top Navigation bar
Search for Windows Server 2016 STIG
Download the PDF version of the Benchmark
Search for the word ‘RDP’ or other related words such as 'remote connection' using ctr+f
Go to the recommendations related to RDP and remote connections
Recommendation
18.9.59.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' (Automated)Relates to RDP.Read the recommendation
Under the Remediation section, there is an explanation on of how to enable or disable the recommendation.
Rinse and repeat for each issue you are having.
With all Build Kit applications, we highly suggest not starting in any type of production environment. Rather, make a test OU or use a test system first to harden the individual machine. Once you have verified that the Build Kit is properly applied and has passed an Assessor scan to your satisfaction, you can then add your existing policies to the OU/ system. Once you know that this golden image works as anticipated within all of your organization's GPOs and CIS’s GPOs in one OU, you can then consider rolling it out to production.
We also suggest that for the Windows systems, an experienced SysAdmin or someone with strong working knowledge of Active Directory be the one to begin the initial deployment and testing.
For Windows: They are not, in and of themselves scripts but are collections of GPOs. For Windows, you will import the GPO collections into your Active Directory and use these to harden the system. (So it is a combination of manual and automatic.)
These Windows Build Kits are intended to be used with Active Directory and are not designed for stand-alone or cloud-based systems.
If you navigate to the WorkBench Recorded Webinars page, you can view the following SecureSuite Member® Webinar series exclusively about using our Build Kits and setting up your environment. I have watched and used the information from them myself.
CIS SecureSuite 101: A Step-by-Step Guide to System Hardening – Small Business/Government Training Series:
Session 1: First Steps and Choosing a System to Harden
Session 3: How to Use a CIS-CAT HTML Report
Session 4: Configure Systems with CIS Build Kit
as well as:
Build Kits 101 - Windows 10 Implementation
| Note |
|---|
Highlight important information |
Keywords; BuildKit GPO
Content by Label
| Filter by label (Content by label) | ||||||
|---|---|---|---|---|---|---|
|
| Page Properties | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||
|