Product Name
CIS Build Kit & CIS Benchmarks
Product Version
all
Date
Problem
An example: We currently have a mixture of Microsoft Windows 2012, 2012 R2, 2016, and 2019 Servers plus a mix of Windows 10 Enterprise systems. Any concerns in our environment, is it OK if we deploy the Windows 2019 GPO Benchmark or Build Kit across all of our different Windows OSes to avoid having to manage 4+ different GPOs to cover them all?
Solution
While it is potentially possible to apply the GPOs from newer CIS Microsoft Windows Server Benchmarks and Build Kits to older Microsoft Windows Server systems, it is not recommended. Recommendations and GPOs can vary greatly between operating system versions, both in what should and should not be applied and in which configuration settings are recommended for a given hardening.
Warning
CIS Product Support will not be able to help or revert any applied changes if problems arise from applying a CIS Benchmark or Build Kit to the incorrect base Microsoft Windows Server OS.
Example Recommendation from the CIS Windows Server Benchmarks over the years:
"18.5.21.1 Minimize the number of simultaneous connections to the Internet or a Windows Domain" is set several different ways depending on the version of the operating system that is running.
The setting for Server 2019 is "ENABLED" with option "3 = Prevent Wi-Fi when on Ethernet".
The setting for Server 2012 through Server 2016 is "ENABLED" with option "1 = Minimize simultaneous connections".
The setting for Server 2008 is not valid and should not be applied to the operating system.
While there are similarities in the Recommended hardening over the years, the settings to defend against cyber threats are very different OS to OS. Applying a CIS Windows Server 2016 Benchmark to a Windows Server 2019 system will not fully protect, or may hinder the functionality of, the Windows Server 2019 system.
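The version-dependent recommendation quoted above can be audited per host. The following PowerShell is an added example, not CIS or Build Kit code: the registry location (`fMinimizeConnections` under the `WcmSvc` Group Policy key) and the build numbers used to distinguish Server releases are assumptions that do not come from this page, so confirm them against the Benchmark for each OS.

```powershell
# Added example: audit recommendation 18.5.21.1 against the value that matches
# the OS actually running, rather than assuming one Benchmark fits every host.
# Assumptions (not from the page): the registry location below and the build
# numbers used to tell the Server releases apart. Requires PowerShell 3.0+.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
$PolicyName = 'fMinimizeConnections'
$NotValid   = -1   # marker: the setting must not be applied on this OS

function Get-ExpectedOption {
    param([version]$Version, [int]$ProductType)
    # ProductType 1 is a workstation; the quoted values are Server Benchmark values.
    if ($ProductType -eq 1) { return $null }
    if ($Version.Major -eq 10 -and $Version.Build -eq 17763) { return 3 }  # Server 2019
    if ($Version.Major -eq 10 -and $Version.Build -eq 14393) { return 1 }  # Server 2016
    if ($Version.Major -eq 6 -and $Version.Minor -in 2, 3) { return 1 }    # 2012, 2012 R2
    if ($Version.Major -eq 6 -and $Version.Minor -eq 0) { return $NotValid } # Server 2008
    return $null   # release not covered by the values quoted on this page
}

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$expected = Get-ExpectedOption -Version ([version]$os.Version) -ProductType $os.ProductType
$item     = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
$actual   = if ($item) { $item.$PolicyName } else { $null }

$status = if ($null -eq $expected) {
    'No mapping here: consult the Benchmark written for this OS'
} elseif ($expected -eq $NotValid) {
    if ($null -eq $actual) { 'OK: setting absent' } else { 'Mismatch: setting is not valid on this OS' }
} elseif ($actual -eq $expected) {
    'OK'
} else {
    'Mismatch: wrong option for this OS version'
}

[pscustomobject]@{
    OS       = $os.Caption
    Version  = $os.Version
    Expected = $expected
    Actual   = $actual
    Status   = $status
}
```

A "Mismatch" on a host that received a Build Kit GPO written for a different Server release is the symptom this article describes.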
Warning
In addition, reviewing the content within each Benchmark is imperative for an overall successful application of the Build Kit. Applying the Build Kit to a system without proper testing and review may result in a negative impact within your environment. It is acceptable if 100% of the Benchmark is not applied, as it is the responsibility and decision of each organization to determine which settings are applicable to its unique needs. We highly recommend creating a restore point or a manual registry backup before applying any part of the CIS Build Kits.
Keywords: Windows Server Build Kit