

Product Name

CIS Build Kit & CIS Benchmarks

Product Version

all

Date



Problem

We currently have a mixture of Windows 2012, 2016, and 2019 Servers plus a mix of Windows 10 Enterprise systems. Any concerns if we deploy the Windows 2019 GPO across all of our different Windows OSes to avoid having to manage 4+ different GPOs to cover them all?

Solution

While it is possible to apply newer GPOs to older systems, it is not recommended. This is because Recommendations and GPOs between different operating system versions can vary greatly in what should and should not be applied, and in what configuration settings are recommended for a given hardening.

 

The exception is the CIS Windows Workstation 10 Benchmarks, because all updates made to the Windows 10 Enterprise Benchmarks are cumulative. However, it is always recommended, and is a security best practice, to keep operating systems hardened to the most recently available version of any CIS Benchmark.

Example: A Microsoft Windows 10 22H2 Benchmark or Build Kit can be applied to a Microsoft Windows 10 21H1 system, but cannot be applied to any version of a Microsoft Windows Server.

Example Recommendation from the CIS Windows Servers Benchmarks over the years:

"18.5.21.1 Minimize the number of simultaneous connections to the Internet or a Windows Domain" is set several different ways depending on the version of operating system that is running.

  • The setting for Server 2019 is "ENABLED" with option "3 = Prevent Wi-Fi when on Ethernet"

  • The setting for Server 2012 through Server 2016 is "ENABLED" with option "1 = Minimize simultaneous connections"

  • The setting for Server 2008 is not valid and should not be applied to the operating system.

While there are similarities in the Recommended hardening over the years, the settings to defend against cyber threats are very different from OS to OS. Applying a CIS Windows Server 2016 Benchmark to a Windows Server 2019 system will not fully protect, or may hinder the functionality of, the Windows Server 2019 system.
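The per-OS difference in Recommendation 18.5.21.1 can be checked on a host with a short PowerShell script. This is an added example, not part of the CIS Build Kit; the function names, the caption matching, and the registry location (the Windows policy value `fMinimizeConnections` under `WcmSvc\GroupPolicy`) are assumptions not taken from this page, and the expected values are only the three listed above.

```powershell
# Added example, not CIS Build Kit code. Expected values are only those listed on this page.
function Get-ExpectedMinimizeConnections {
    param([Parameter(Mandatory)][string]$Caption)
    switch -Regex ($Caption) {
        'Server 2019' {
            return [pscustomobject]@{ Applies = $true; Value = 3; Note = 'Prevent Wi-Fi when on Ethernet' }
        }
        'Server 20(12|16)' {
            return [pscustomobject]@{ Applies = $true; Value = 1; Note = 'Minimize simultaneous connections' }
        }
        'Server 2008' {
            return [pscustomobject]@{ Applies = $false; Value = $null; Note = 'Not valid for this OS; do not apply' }
        }
        default {
            return [pscustomobject]@{ Applies = $null; Value = $null; Note = 'Not stated on this page; consult the Benchmark for this OS' }
        }
    }
}

function Test-MinimizeConnections {
    param(
        [string]$Caption = (Get-CimInstance Win32_OperatingSystem).Caption,
        # Assumption: policy registry location for this setting (not given on the page)
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
    )
    $expected = Get-ExpectedMinimizeConnections -Caption $Caption
    $item     = Get-ItemProperty -Path $Path -Name fMinimizeConnections -ErrorAction SilentlyContinue
    $actual   = if ($item) { $item.fMinimizeConnections } else { $null }

    $status = if ($null -eq $expected.Applies) { 'Unknown' }
    elseif (-not $expected.Applies) {
        # A value here means a GPO written for a newer OS reached this host
        if ($null -eq $actual) { 'OK' } else { 'SettingPresentButNotValid' }
    }
    elseif ($actual -eq $expected.Value) { 'OK' }
    else { 'Mismatch' }

    [pscustomobject]@{ OS = $Caption; Expected = $expected.Value; Actual = $actual; Status = $status; Note = $expected.Note }
}

# Constructed OS captions: the same Recommendation resolves to three different answers.
'Microsoft Windows Server 2019 Standard',
'Microsoft Windows Server 2012 R2 Datacenter',
'Microsoft Windows Server 2008 R2 Enterprise' |
    ForEach-Object { Get-ExpectedMinimizeConnections -Caption $_ }

# On a live host: compare the applied policy value with the value listed for its OS.
Test-MinimizeConnections
```

A `Mismatch` on a Server 2012 or 2016 host that reports `3` indicates that a Server 2019 GPO was applied to it.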

In addition, reviewing the content within each Benchmark is imperative for an overall successful application of the Build Kit.

Applying the Build Kit to a system without proper testing and review may result in a negative impact within your environment. It is acceptable if 100% of the benchmark is not applied, as it is the responsibility and decision of each organization to determine which settings are applicable to its unique needs.

We highly recommend creating a restore point or a manual registry backup before applying any part of the CIS Build Kits.

 

Keywords: Windows Server Build Kit


Copyright © 2023

Center for Internet Security®
