Do I have to use OS specific Build Kits and Benchmarks or can I apply any CIS Windows Server Build Kit or Benchmark to any Microsoft Windows Server version?


Product Name: CIS Build Kit & CIS Benchmarks

Product Version: all

Date: Jun 14, 2023



 

Problem

An example:

We currently have a mixture of Microsoft Windows 2012, 2012 R2, 2016, and 2019 Servers in our environment. Is it OK if we deploy the Windows 2019 Benchmark or Build Kit across all of our different Windows OSes to avoid having to manage 4+ different GPOs to cover them all?

 

Solution

While it is potentially possible to apply newer CIS Microsoft Windows Server Benchmarks and Build Kits to older Microsoft Windows Server systems, it is not recommended. This is because Recommendations and GPOs between different operating system versions can vary greatly in what should and should not be applied, and in what configuration settings are recommended for a given hardening.

CIS Product Support will not be able to help or revert any applied changes if problems arise from applying a CIS Benchmark or Build Kit to the incorrect base Microsoft Windows Server OS.

Example Recommendation from the CIS Windows Server Benchmarks over the years:

"18.5.21.1 Minimize the number of simultaneous connections to the Internet or a Windows Domain" is set several different ways depending on the version of the operating system that is running.

  • The setting for Server 2019 is "ENABLED" with option "3 = Prevent Wi-Fi when on Ethernet"

  • The setting for Server 2012 through Server 2016 is "ENABLED" with option "1 = Minimize simultaneous connections"

  • The setting for Server 2008 is not valid and should not be applied to the operating system.

While there are similarities in the Recommended hardening over the years, the settings to defend against cyber threats are very different OS to OS. Applying a CIS Windows Server 2016 Benchmark to a Windows Server 2019 system will not fully protect, or may hinder the functionality of, the Windows Server 2019 system.
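
The per-version difference in 18.5.21.1 can be checked with a short read-only audit. The PowerShell below is an added example, not CIS code or part of any Build Kit; the registry location (fMinimizeConnections under the WcmSvc Group Policy key) and the function names are assumptions not stated in this article, and the sample fleet is constructed.

```powershell
# Added example, not CIS code. Expected values come from the three bullets above.
# Assumption: the policy is stored as fMinimizeConnections under this key.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
$PolicyName = 'fMinimizeConnections'

function Get-ExpectedMinimizeConnections {
    # Maps an OS caption to the value this article lists for 18.5.21.1.
    param([Parameter(Mandatory)][string]$OsCaption)
    switch -Regex ($OsCaption) {
        'Server 2019'        { return 3 }      # Prevent Wi-Fi when on Ethernet
        'Server (2012|2016)' { return 1 }      # Minimize simultaneous connections
        'Server 2008'        { return $null }  # not valid: value must be absent
        default { throw "This article gives no value for '$OsCaption'" }
    }
}

function Test-MinimizeConnections {
    # $Observed is $null when the registry value does not exist.
    param([Parameter(Mandatory)][string]$OsCaption, $Observed)
    $expected = Get-ExpectedMinimizeConnections -OsCaption $OsCaption
    [pscustomobject]@{
        OS        = $OsCaption
        Expected  = $expected
        Observed  = $Observed
        Compliant = ($expected -eq $Observed)
    }
}

# Constructed fleet: every host received the Server 2019 value (3),
# as would happen if the 2019 Build Kit GPO were linked to all servers.
$fleet = 'Microsoft Windows Server 2012 R2 Standard',
         'Microsoft Windows Server 2016 Datacenter',
         'Microsoft Windows Server 2019 Standard'
$fleet | ForEach-Object { Test-MinimizeConnections -OsCaption $_ -Observed 3 } |
    Format-Table -AutoSize

# Read-only check of the local host against the value for its own OS version.
try {
    $caption  = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $observed = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                     -ErrorAction SilentlyContinue).$PolicyName
    Test-MinimizeConnections -OsCaption $caption -Observed $observed |
        Format-Table -AutoSize
} catch {
    Write-Warning $_.Exception.Message
}
```

In the constructed fleet only the Server 2019 host is reported as compliant; the 2012 R2 and 2016 hosts carry a value their own Benchmark does not recommend.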

 

In addition, reviewing the content within each Benchmark is imperative for an overall successful application of the Build Kit.

Applying the Build Kit to a system without proper testing and review may result in a negative impact within your environment. It is acceptable if 100% of the benchmark is not applied, as it is the responsibility and decision of each organization to determine which settings are applicable to your unique needs.

We highly recommend creating a restore point or a manual registry backup before applying any part of the CIS Build Kits.

 

 

Keywords: Windows Server Build Kit


Copyright © 2023

Center for Internet Security®