Quick Start Guide: CIS Windows Build Kits
This guide will show how to apply the components of the CIS Microsoft Windows Build Kit and provide instruction on how to implement it within your environment. The Build Kit is designed to cover the majority of the benchmark settings, excluding only certain settings that cannot be managed though group policy. These templates are to be modified in alignment with your organization’s defined policies.
Requirements
Prior to applying a Build Kit, verify that the most recent Microsoft Windows Administrative Templates have been downloaded directly from Microsoft and applied to the system.
The Windows Workstation Benchmarks and Build Kits are made for domain-joined systems and not stand-alone/cloud systems
CIS now offers a series of Benchmarks specifically for Stand-Alone systems. This section of the CIS WorkBench’s Downloads section will show available Stand-Alone options.
Please note that you will need to make adjustments for use with stand-alone and cloud versions of Windows.
You will be importing the GPOs contained within the Build Kit into group policy management console (GPMC) on your domain controller.
Implementation Steps
Using, as the example, the most recent CIS Microsoft Windows Server 2019 Benchmark v1.3.0 - Build Kit to apply a Level 1 Domain Controller hardening.
Review the full .Doc/ .PDF Benchmark [downloaded separately] from WorkBench.
Go to the ServerReadMe.txt/ WorkstationReadMe.PDF/ README.docx included in all Windows Build Kits. There is a rubric for which Profiles need to be applied based on the Level and kind of hardening you plan to perform Ex:
For L1 Domain Controller create 3 new Group Policy Objects [GPO].
USER-L1
SERVICES-L1
DC-L1
Right click on the selected Group Policy Object and click on "import settings".
Import those 3 individual profiles from the Build Kit into the individual empty GPO you created.
Note: Two GPOs cannot be imported into the same policy object that is created. Ex: DC and SERVICES cannot be imported in to a single GPO. They need to be imported to separate GPOs.
Having read the Benchmark, decide which settings related to these 3 profiles you would like to use.
Open each imported, unlinked GPO and edit it to remove/ update any settings you do not want to apply or need to update to work in your environment.
Consider adding notes to the GPOs as you edit them for future reference.
Apply the profiles to the appropriate location using a test OU: Default Domain Policy, User, Computer, DC, MS, etc.
Test until you are satisfied that the hardening on the test system, in the Test OU, has been properly implemented.
Incrementally link higher level, non-CIS Build Kit GPOs to the Test OU
Test
When all existing and CIS GPOs are tested and you are satisfied with the test system in the Test OU, then take the machine into production, further testing before applying the GPOs to all production systems.
Troubleshooting Steps
Reviewing the content within the corresponding Benchmark PDF is imperative for an overall successful application of the Build Kit, as there may be some settings that your organization needs to exempt itself from.
Applying the Build Kit to a system without proper testing and review may result in a negative impact within your environment.
If you navigate to the WorkBench Recorded Webinars page, you can view the Build Kits 101 - Windows 10 Implementation Webinar, along with the CIS SecureSuite 101: A Step-by-Step Guide to System Hardening – Small Business/Government Training Series:
Session 1: First Steps and Choosing a System to Harden
Session 2: Run a Scan with CIS-CAT Pro Assessor
Session 3: How to Use a CIS-CAT HTML Report
Session 4: Configure Systems with CIS Build Kit
Copyright © 2022 Center for Internet Security® Privacy Policy