CIS Benchmark Security Guide

This document is a compliance worksheet for the CIS Microsoft Windows client benchmark. Each row is one numbered CIS recommendation: Account Policies (password and lockout), Local Policies (user rights assignment and security options, including domain member, interactive logon, SMB signing, network access and UAC settings), the Xbox services, and the Advanced Audit Policy subcategories. For every row the sheet records whether the setting is Set Correctly (Yes / No), whether it is Non-applicable, and under Test the Group Policy path that was checked or an auditor's note.

Uploaded by Sandjana Nanda
CIS Benchmark Recommendation

Columns of the original worksheet: CIS Benchmark Recommendation (ID and title, listed below), Set Correctly (Yes / No), Non-applicable, and Test (the Group Policy path checked, or an auditor note). The Yes/No marks did not survive the export; the auditor notes and the Test column follow the recommendation list.

1 Account Policies
1.1 Password Policy
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated)
1.1.2 (L1) Ensure 'Maximum password age' is set to '30 days' (Automated)
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' (Automated)
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' (Automated)
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Automated)
1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' (Automated)
1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' (Automated)
1.2 Account Lockout Policy
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' (Automated)
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' (Automated)
1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled' (Manual)
1.2.4 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' (Automated)

2 Local Policies
2.1 Audit Policy
2.2 User Rights Assignment
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' (Automated)
2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' (Automated)
2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' (Automated)
2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' (Automated)
2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' (Automated)
2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (Automated)
2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators' (Automated)
2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' (Automated)
2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' (Automated)
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' (Automated)
2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' (Automated)
2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (Automated)
2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One' (Automated)
2.2.14 (L1) Configure 'Create symbolic links' (Automated)
2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' (Automated)
2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' (Automated)
2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' (Automated)
2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests' (Automated)
2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests' (Automated)
2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' (Automated)
2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (Automated)
2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' (Automated)
2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Automated)
2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (Automated)
2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' (Automated)
2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' (Automated)
2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One' (Automated)
2.2.28 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (Automated)
2.2.29 (L2) Configure 'Log on as a service' (Automated)
2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (Automated)
2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' (Automated)
2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' (Automated)
2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' (Automated)
2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' (Automated)
2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' (Automated)
2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Automated)
2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' (Automated)
2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' (Automated)
2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' (Automated)

2.3 Security Options
2.3.1 Accounts
2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' (Automated)
2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (Automated)
2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' (Automated)
2.3.1.4 (L1) Configure 'Accounts: Rename administrator account' (Automated)
2.3.1.5 (L1) Configure 'Accounts: Rename guest account' (Automated)
2.3.3 DCOM
2.3.4 Devices
2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' (Automated)
2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' (Automated)
2.3.5 Domain controller
2.3.6 Domain member
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' (Automated)
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' (Automated)
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' (Automated)
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' (Automated)
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' (Automated)
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' (Automated)
2.3.7 Interactive logon
2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' (Automated)
2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' (Automated)
2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' (Automated)
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' (Automated)
2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' (Automated)
2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' (Automated)
2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (Automated)
2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' (Automated)
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher (Automated)
2.3.8 Microsoft network client
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' (Automated)
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' (Automated)
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' (Automated)
2.3.9 Microsoft network server
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' (Automated)
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' (Automated)
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' (Automated)
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' (Automated)
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (Automated)
2.3.10 Network access
2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' (Automated)
2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (Automated)
2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (Automated)
2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' (Automated)
2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' (Automated)
2.3.11 Network security
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' (Automated)
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' (Automated)
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' (Automated)
2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' (Manual)
2.3.14 System cryptography
2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher (Automated)
2.3.15 System objects
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' (Automated)
2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' (Automated)
2.3.16 System settings
2.3.17 User Account Control
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' (Automated)
2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' (Automated)
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' (Automated)
2.3.17.4 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' (Automated)
2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' (Automated)
2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' (Automated)
2.3.17.7 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' (Automated)
2.3.17.8 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' (Automated)

5.42 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' (Automated)
5.43 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' (Automated)
5.44 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' (Automated)
5.45 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' (Automated)

17.1 Account Logon
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' (Automated)
17.2 Account Management
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' (Automated)
17.2.2 (L1) Ensure 'Audit Security Group Management' is set to include 'Success' (Automated)
17.2.3 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' (Automated)
17.5 Logon/Logoff
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' (Automated)
17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success' (Automated)
17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success' (Automated)
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' (Automated)
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' (Automated)
17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success' (Automated)
17.7 Policy Change
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' (Automated)
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' (Automated)
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' (Automated)
17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' (Automated)
17.7.5 (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' (Automated)
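The Account Policy and User Rights Assignment rows above are what `secedit` exports in its [System Access] and [Privilege Rights] sections, and that export reflects the effective policy on a domain-joined client, not just what secpol.msc shows. The script below, added here as an example and not part of the original worksheet, exports the policy, parses the INI, resolves the SIDs, and scores a subset of the rows the way the Set Correctly column does. Benchmark values are the worksheet's; the rows covered, the helper name `Resolve-PolicyPrincipal` and the report shape are this example's own choices.

```powershell
# Added example, not part of the original worksheet: export the effective local security
# policy with secedit and score Account Policy and User Rights Assignment rows. Run from an
# elevated PowerShell on the audited host. Row subset and helper names are assumptions.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt' }

# secedit writes a UTF-16 INI file. Parse it into $ini['<section>']['<key>'] = '<value>'.
$ini = @{}; $section = ''
foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $ini[$section][$Matches[1]] = $Matches[2] }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

function Resolve-PolicyPrincipal {
    # secedit lists SIDs as *S-1-5-32-544; a few entries are plain names. Return the bare
    # account name (no BUILTIN\ or NT AUTHORITY\ prefix) so it compares with the worksheet.
    param([string]$Token)
    $t = $Token.Trim()
    if ($t.StartsWith('*')) {
        try   { $t = ([System.Security.Principal.SecurityIdentifier]($t.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $t = $t.Substring(1) }   # orphaned SID (deleted account): keep it visible in the report
    }
    return ($t -split '\\')[-1]
}

# [System Access] rows. LockoutDuration and ResetLockoutCount are only exported when the
# threshold is non-zero, so their absence already means 1.2.2 has failed.
$systemAccessChecks = @(
    @{ Id='1.1.1'; Key='PasswordHistorySize';   Title='Enforce password history';                   Test={ param($v) $v -ge 24 } }
    @{ Id='1.1.2'; Key='MaximumPasswordAge';    Title='Maximum password age';                       Test={ param($v) $v -gt 0 -and $v -le 30 } }  # -1 = never expires
    @{ Id='1.1.3'; Key='MinimumPasswordAge';    Title='Minimum password age';                       Test={ param($v) $v -ge 1 } }
    @{ Id='1.1.4'; Key='MinimumPasswordLength'; Title='Minimum password length';                    Test={ param($v) $v -ge 14 } }
    @{ Id='1.1.5'; Key='PasswordComplexity';    Title='Password must meet complexity requirements'; Test={ param($v) $v -eq 1 } }
    @{ Id='1.1.7'; Key='ClearTextPassword';     Title='Store passwords using reversible encryption'; Test={ param($v) $v -eq 0 } }
    @{ Id='1.2.1'; Key='LockoutDuration';       Title='Account lockout duration';                   Test={ param($v) $v -eq -1 -or $v -ge 15 } }  # -1 = until an admin unlocks
    @{ Id='1.2.2'; Key='LockoutBadCount';       Title='Account lockout threshold';                  Test={ param($v) $v -gt 0 -and $v -le 5 } }
    @{ Id='1.2.4'; Key='ResetLockoutCount';     Title='Reset account lockout counter after';        Test={ param($v) $v -ge 15 } }
)

# [Privilege Rights] rows. 'Exact': the assigned set must equal the worksheet value
# ('No One' = empty set). 'Include': the listed principals must be present.
$privilegeChecks = @(
    @{ Id='2.2.1';  Priv='SeTrustedCredManAccessPrivilege';   Title='Access Credential Manager as a trusted caller'; Expect=@();                          Mode='Exact' }
    @{ Id='2.2.3';  Priv='SeTcbPrivilege';                    Title='Act as part of the operating system';          Expect=@();                          Mode='Exact' }
    @{ Id='2.2.5';  Priv='SeInteractiveLogonRight';           Title='Allow log on locally';                          Expect=@('Administrators','Users');  Mode='Exact' }
    @{ Id='2.2.11'; Priv='SeCreateTokenPrivilege';            Title='Create a token object';                         Expect=@();                          Mode='Exact' }
    @{ Id='2.2.15'; Priv='SeDebugPrivilege';                  Title='Debug programs';                                Expect=@('Administrators');          Mode='Exact' }
    @{ Id='2.2.16'; Priv='SeDenyNetworkLogonRight';           Title='Deny access to this computer from the network'; Expect=@('Guests','Local account'); Mode='Include' }
    @{ Id='2.2.20'; Priv='SeDenyRemoteInteractiveLogonRight'; Title='Deny log on through Remote Desktop Services';   Expect=@('Guests','Local account'); Mode='Include' }
    @{ Id='2.2.21'; Priv='SeEnableDelegationPrivilege';       Title='Enable computer and user accounts to be trusted for delegation'; Expect=@(); Mode='Exact' }
    @{ Id='2.2.36'; Priv='SeAssignPrimaryTokenPrivilege';     Title='Replace a process level token';                 Expect=@('LOCAL SERVICE','NETWORK SERVICE'); Mode='Exact' }
    @{ Id='2.2.39'; Priv='SeTakeOwnershipPrivilege';          Title='Take ownership of files or other objects';      Expect=@('Administrators');          Mode='Exact' }
)

$report = @(foreach ($c in $systemAccessChecks) {
    $raw = $ini['System Access'][$c.Key]
    $ok  = ($null -ne $raw) -and (& $c.Test ([int]$raw))
    [pscustomobject]@{ Id=$c.Id; Recommendation=$c.Title; Actual=$raw; SetCorrectly=$(if ($ok) {'Yes'} else {'No'}) }
})
$report += foreach ($c in $privilegeChecks) {
    $raw = $ini['Privilege Rights'][$c.Priv]
    # A right assigned to nobody is simply absent from the export: absent == 'No One'.
    $actual  = @(if ($raw) { $raw -split ',' | ForEach-Object { Resolve-PolicyPrincipal $_ } })
    $missing = @($c.Expect | Where-Object { $_ -notin $actual })
    $extra   = @($actual   | Where-Object { $_ -notin $c.Expect })
    $ok = if ($c.Mode -eq 'Exact') { $missing.Count -eq 0 -and $extra.Count -eq 0 } else { $missing.Count -eq 0 }
    [pscustomobject]@{ Id=$c.Id; Recommendation=$c.Title; Actual=($actual -join ', '); SetCorrectly=$(if ($ok) {'Yes'} else {'No'}) }
}
$report | Format-Table -AutoSize
```

Two details matter when reading the output. A user right that nobody holds does not appear in the export at all, so "missing key" must be read as 'No One' rather than as an error, and for the Deny rights the comparison is "includes", not "equals": extra denied principals are fine, a missing 'Local account' is not. Orphaned SIDs are left in the Actual column on purpose, because a leftover SID on 'Debug programs' or 'Act as part of the operating system' is exactly the sort of drift the worksheet exists to catch.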
Set Correctly (Yes / No)

The checkbox marks in this column did not survive the export, so the per-row result is missing here. The auditor notes written into the column (translated from Dutch) are:

- RDP is disabled
- NVT (niet van toepassing: not applicable)
- Forti endpoint blocks it
- Forti endpoint blocks it in the SWIFT environment, and out of scope you can only (cut off in the export)
Non-applicable

No entries for this column survived the export.

Test

The Group Policy path checked for each row. On a domain-joined client the effective value is whatever the winning GPO sets, so confirm against the exported policy or the registry rather than the local secpol.msc view alone.

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object
Note: user account disabled on the client; only the local administrator account is used
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service
Note: in the SWIFT environment and out of scope, logging on is only possible from snydesk
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts
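The Security Options rows, the Xbox service rows and the section 17 audit subcategories are not in the user-rights export; each Security Options entry is a registry value that the listed Group Policy path writes, services carry a start type, and audit subcategories are read back with `auditpol`. The script below, added here as an example and not part of the original worksheet, scores a subset of those rows from the registry, `Get-Service` and `auditpol`'s CSV output. Benchmark values are the worksheet's; the registry locations are the standard ones these policy settings map to (assumed correct for Windows 10/11 clients), and the rows covered, the helper name `Test-RegistryWant` and the report shape are this example's own choices.

```powershell
# Added example, not part of the original worksheet: score Security Options, Xbox service
# and Advanced Audit Policy rows. Registry values are the effective setting whichever GPO
# won. Run elevated. Row subset, helper name and registry mapping are assumptions.

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Want is an exact DWORD or an inclusive 'low-high' range. An absent value is reported
# 'No' even where the OS default would pass: the worksheet wants the setting configured.
$registryChecks = @(
    @{ Id='1.1.6';    Key='HKLM:\SYSTEM\CurrentControlSet\Control\SAM'; Name='RelaxMinimumPasswordLengthLimits'; Want='1' }
    @{ Id='2.3.1.3';  Key=$Lsa;      Name='LimitBlankPasswordUse';      Want='1' }
    @{ Id='2.3.6.1';  Key=$Netlogon; Name='RequireSignOrSeal';          Want='1' }
    @{ Id='2.3.6.5';  Key=$Netlogon; Name='MaximumPasswordAge';         Want='1-30' }
    @{ Id='2.3.7.1';  Key=$Policies; Name='DisableCAD';                 Want='0' }
    @{ Id='2.3.7.4';  Key=$Policies; Name='InactivityTimeoutSecs';      Want='1-900' }
    @{ Id='2.3.8.1';  Key=$Wks;      Name='RequireSecuritySignature';   Want='1' }
    @{ Id='2.3.8.3';  Key=$Wks;      Name='EnablePlainTextPassword';    Want='0' }
    @{ Id='2.3.9.2';  Key=$Srv;      Name='RequireSecuritySignature';   Want='1' }
    @{ Id='2.3.10.2'; Key=$Lsa;      Name='RestrictAnonymousSAM';       Want='1' }
    @{ Id='2.3.10.3'; Key=$Lsa;      Name='RestrictAnonymous';          Want='1' }
    @{ Id='2.3.10.5'; Key=$Lsa;      Name='EveryoneIncludesAnonymous';  Want='0' }
    @{ Id='2.3.11.5'; Key=$Lsa;      Name='NoLMHash';                   Want='1' }
    @{ Id='2.3.17.1'; Key=$Policies; Name='FilterAdministratorToken';   Want='1' }
    @{ Id='2.3.17.2'; Key=$Policies; Name='ConsentPromptBehaviorAdmin'; Want='2' }   # 2 = prompt for consent on the secure desktop
    @{ Id='2.3.17.3'; Key=$Policies; Name='ConsentPromptBehaviorUser';  Want='0' }   # 0 = automatically deny elevation requests
    @{ Id='2.3.17.6'; Key=$Policies; Name='EnableLUA';                  Want='1' }
    @{ Id='2.3.17.7'; Key=$Policies; Name='PromptOnSecureDesktop';      Want='1' }
)

function Test-RegistryWant {
    param([object]$Actual, [string]$Want)
    if ($null -eq $Actual) { return $false }
    if ($Want -match '^(\d+)-(\d+)$') { return ([int]$Actual -ge [int]$Matches[1] -and [int]$Actual -le [int]$Matches[2]) }
    return ([int]$Actual -eq [int]$Want)
}

$results = @(foreach ($c in $registryChecks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{ Id=$c.Id; Check=$c.Name; Actual=$v; Expected=$c.Want; SetCorrectly=$(if (Test-RegistryWant $v $c.Want) {'Yes'} else {'No'}) }
})

# 5.42-5.45: the four Xbox services must be Disabled. A service that is not installed is
# treated as compliant here (this example's choice; there is nothing to start).
$xbox = [ordered]@{ '5.42'='XboxGipSvc'; '5.43'='XblAuthManager'; '5.44'='XblGameSave'; '5.45'='XboxNetApiSvc' }
$results += foreach ($e in $xbox.GetEnumerator()) {
    $s = Get-Service -Name $e.Value -ErrorAction SilentlyContinue
    [pscustomobject]@{ Id=$e.Key; Check="Service $($e.Value)"; Actual=$(if ($s) { "$($s.StartType)" } else { 'absent' }); Expected='Disabled';
                       SetCorrectly=$(if (-not $s -or $s.StartType -eq 'Disabled') {'Yes'} else {'No'}) }
}

# auditpol /r emits CSV (a blank line may precede the header; drop it before ConvertFrom-Csv).
# Subcategory names are matched as auditpol prints them on an en-US system (assumption;
# match on the 'Subcategory GUID' column instead on localized hosts).
$audit = & auditpol.exe /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
$auditChecks = @(
    @{ Id='17.1.1'; Sub='Credential Validation';           Want='Success and Failure' }
    @{ Id='17.2.1'; Sub='Application Group Management';    Want='Success and Failure' }
    @{ Id='17.2.2'; Sub='Security Group Management';       Want='Success' }
    @{ Id='17.2.3'; Sub='User Account Management';         Want='Success and Failure' }
    @{ Id='17.5.1'; Sub='Account Lockout';                 Want='Failure' }
    @{ Id='17.5.2'; Sub='Group Membership';                Want='Success' }
    @{ Id='17.5.3'; Sub='Logoff';                          Want='Success' }
    @{ Id='17.5.4'; Sub='Logon';                           Want='Success and Failure' }
    @{ Id='17.5.5'; Sub='Other Logon/Logoff Events';       Want='Success and Failure' }
    @{ Id='17.5.6'; Sub='Special Logon';                   Want='Success' }
    @{ Id='17.7.1'; Sub='Audit Policy Change';             Want='Success' }
    @{ Id='17.7.2'; Sub='Authentication Policy Change';    Want='Success' }
    @{ Id='17.7.3'; Sub='Authorization Policy Change';     Want='Success' }
    @{ Id='17.7.4'; Sub='MPSSVC Rule-Level Policy Change'; Want='Success and Failure' }
    @{ Id='17.7.5'; Sub='Other Policy Change Events';      Want='Failure' }
)
$results += foreach ($c in $auditChecks) {
    $row  = $audit | Where-Object { $_.Subcategory -eq $c.Sub } | Select-Object -First 1
    $have = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    # 'Success and Failure' must match exactly; a bare 'Success' or 'Failure' row is an
    # "include" check, also satisfied when both are audited.
    $ok = ($have -eq $c.Want) -or ($c.Want -ne 'Success and Failure' -and $have -eq 'Success and Failure')
    [pscustomobject]@{ Id=$c.Id; Check="Audit $($c.Sub)"; Actual=$have; Expected=$c.Want; SetCorrectly=$(if ($ok) {'Yes'} else {'No'}) }
}
$results | Format-Table -AutoSize
```

Reading the registry rather than a policy report is deliberate: the values above are what LSA, the SMB client and server, and UAC actually consult at run time, so a row marked Yes here holds regardless of which GPO, local policy or script set it. The flip side is that a value set by hand outside Group Policy also passes, which is why the worksheet's Test column still records the policy path that is supposed to own the setting.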
'Success'
(L1) (Automated)
Ensure 'Audit Authentication Policy Change' is set to
include
(L1) 'Success'
Ensure 'Audit(Automated)
Authorization Policy Change' is set to
include 'Success' (Automated)
(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change'
is setEnsure
(L1) to 'Success
'Auditand Failure'
Other (Automated)
Policy Change Events' is set to
include 'Failure' (Automated)

Assessment columns (Set Correctly Yes / No / Non-applicable, Test, notes, GPO path) were spreadsheet cells; the recoverable notes and GPO paths follow.

Notes:
RDP is disabled
NVT (not applicable)
User account disabled on client; only the local administrator account is used
Fortiienpoint blocks it in the swift environment, and outside scope logging in is only possible from snydesk

GPO paths:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts