Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »


Product Name

CIS Build Kit

Product Version

All

Date/



Problem

[Blank] isn’t working after applying a CIS Build Kit

Solution

Through searching keywords, you should find which recommendations are causing the issue and then reverse the remediation directions to turn the recommendation off.

For example, if you are using Windows 2016 Server and you are having an issue with the RDP configuration, you should:

  1. Login to CIS WorkBench - https://workbench.cisecurity.org/

  2. Go to Benchmarks on the top Navigation bar

  3. Search for Windows Server 2016 STIG

  4. Download the PDF version of the Benchmark

  5. Search for the word ‘RDP’ or other related words such as 'remote connection' using ctr+f

  6. Go to the recommendations related to RDP and remote connections

  7. Recommendation 18.9.59.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' (Automated) Relates to RDP.

  8. Read the recommendation

  9. Under the Remediation section, there is an explanation on how to enable or disable the recommendation.

  10. Rinse and repeat for each issue you are having.

With all Build Kit applications, we highly suggest not starting in any type of production environment. Rather, make a test OU or use a test system first to harden the individual machine. Once you have verified that the Build Kit is properly applied and has passed an Assessor scan to your satisfaction, you can then add your existing policies to the OU/ system. Once you know that this golden image works as anticipated within all of your organization's GPOs and CIS’s GPOs in one OU, you can then consider rolling it out to production.

We also suggest that for the Windows systems, an experienced SysAdmin or someone with strong working knowledge of Active Directory be the one to begin the initial deployment and testing.

For Windows: They are not, in and of themselves scripts but are collections of GPOs. For Windows, you will import the GPO collections into your Active Directory and use these to harden the system. (So it is a combination of manual and automatic.)

These Windows Build Kits are intended to be used with Active Directory and are not designed for stand-alone or cloud-based systems.

If you navigate to the WorkBench Recorded Webinars page, you can view the following SecureSuite Member® Webinar series exclusively about using our Build Kits and setting up your environment. I have watched and used the information from them myself.
CIS SecureSuite 101: A Step-by-Step Guide to System Hardening – Small Business/Government Training Series:

  • Session 1: First Steps and Choosing a System to Harden

  • Session 2: Run a Scan with CIS-CAT Pro Assessor

  • Session 3: How to Use a CIS-CAT HTML Report

  • Session 4: Configure Systems with CIS Build Kit

as well as:

  • Build Kits 101 - Windows 10 Implementation

Highlight important information

Keywords;

Content by Label


Copyright © 2020

Center for Internet Security®


  • No labels