The Center for Internet Security (CIS) continuously releases updated cybersecurity best-practice guidance for new technologies. As of March 2023, all CIS Windows Server and Windows Workstation Benchmarks will be updated once a year to align with Microsoft's update schedule. Major version updates that CIS releases (for example, moving from v1.12.0 to v2.0.0) account for significant changes in the operating system. In this article we will discuss:
- Brief Explanation of Microsoft Windows Server 2019 Benchmark v2.0.0
- Performing a Windows Benchmark Assessment
- CIS Benchmark list
- CIS Hardened Images for Windows Server 2019
- Microsoft Windows Server 2019 Benchmark Profile Applicability
- How to harden Windows Server 2019
- CIS Microsoft Windows Server 2019 Benchmark v2.0.0 updates
Brief Explanation of Microsoft Windows Server 2019 Benchmark v2.0.0
CIS Microsoft Windows Server 2019 Benchmark v2.0.0 runs to over 1,000 pages. It is a set of CIS hardening guidelines and standards, developed by Microsoft, for assessing the security and performance of the Windows Server 2019 operating system. It provides a framework for organizations to evaluate the configuration and operation of their Windows Server 2019 environment and to ensure compliance with industry best practices and security requirements.
The benchmark typically includes a comprehensive list of security controls, system settings, and configuration recommendations that should be implemented to enhance the security posture of Windows Server 2019. These recommendations cover various aspects of the operating system, including user authentication, network security, system hardening, access controls, auditing, and more.
Performing a Windows Benchmark Assessment
A Windows benchmark assessment is the process of evaluating the performance, capabilities, or compliance of a system, product, or process against a predefined set of standards or benchmarks. It compares the characteristics of the subject being assessed to established reference points or industry best practices. The purpose of a benchmark assessment varies with the context, but it typically aims to:
Measure Performance: Benchmark assessments help determine how well a system, product, or process performs compared to established benchmarks. This allows organizations to identify areas of improvement and set performance goals.
Ensure Compliance: Benchmark assessments are often used to verify if a system or process meets certain regulatory or industry standards. They help organizations ensure that they are operating in accordance with legal requirements or industry best practices.
Identify Weaknesses and Gaps: By conducting benchmark assessments, organizations can identify weaknesses, vulnerabilities, or inefficiencies in their systems or processes. This helps in prioritizing improvements and implementing corrective actions.
Facilitate Decision Making: Benchmark assessments provide objective data and insights that can inform decision-making processes. They help organizations make informed choices about technology investments, process improvements, resource allocation, and other strategic decisions.
Organizations use a cross platform benchmark to assess their Windows Server 2019 configurations, comparing them to prescribed standards. This entails reviewing settings, applying updates, implementing security controls, and conducting audits for ongoing system performance and compliance. The assessment results guide action plans for addressing gaps and enhancing performance or compliance.
CIS Benchmark list
On the CIS website you will find CIS-CAT Pro, CIS's benchmark assessment software, as well as a CIS Benchmark list that groups the Benchmarks into 8 categories for ease of use. Those categories are:
- Cloud Providers
- Desktop Software
- DevSecOps Tools
- Mobile Devices
- Multi Function Print Devices
- Network Devices
- Operating Systems
- Server Software
Benchmarks are compiled individually for specific software, device types, and operating systems so that the right one is easy to identify, and each is further divided into distinct versions.
CIS Hardened Images for Windows Server 2019
After a new CIS Benchmark for Windows Server 2019 is released, CIS begins work on a Hardened Image for the same technology. CIS Hardened Images are virtual machine images preconfigured to the security recommendations found in the CIS Benchmarks; they are an "actualization" of the CIS Benchmark for the cloud.
The CIS Hardened Image for Windows Server 2019 is available in the AWS Marketplace, Microsoft Azure Marketplace, and Google Cloud Platform Marketplace.
Microsoft Windows Server 2019 Benchmark Profile Applicability
The Microsoft Windows Server 2019 Benchmark Profile Applicability refers to the assessment of how applicable a specific benchmark profile is to the Windows Server 2019 operating system. In the context of benchmarking, a benchmark profile is a set of criteria, tests, and configurations designed to evaluate the performance, security, or other aspects of a software or hardware system.
Below is the CIS Microsoft Windows Server 2019 Benchmark Profile Applicability:
CIS Microsoft Windows Server 2019 Benchmark – Level 1
The following configuration profiles are defined by this Benchmark:
Level 1 – Domain Controller
Items in this profile apply to Domain Controllers and intend to:
- be practical and prudent;
- provide a clear security benefit; and
- not inhibit the utility of the technology beyond acceptable means.
Level 1 – Member Server
Items in this profile apply to Member Servers and intend to:
- be practical and prudent;
- provide a clear security benefit; and
- not inhibit the utility of the technology beyond acceptable means.
Items in this profile also apply to Member Servers that have the following Roles enabled:
- AD Certificate Services
- DHCP Server
- DNS Server
- File Server
- Hyper-V
- Network Policy and Access Services
- Print Server
- Remote Access Services
- Remote Desktop Services
- Web Server
CIS Microsoft Windows Server 2019 Benchmark – Level 2
Level 2 – Domain Controller
This profile extends the “Level 1 – Domain Controller” profile. Items in this profile exhibit one or more of the following characteristics:
- are intended for environments or use cases where security is paramount
- act as a defense in depth measure
- may negatively inhibit the utility or performance of the technology
Level 2 – Member Server
This profile extends the “Level 1 – Member Server” profile. Items in this profile exhibit one or more of the following characteristics:
- are intended for environments or use cases where security is paramount
- act as a defense in depth measure
- may negatively inhibit the utility or performance of the technology
Next Generation Windows Security – Domain Controller
This profile contains advanced Windows security features that have specific configuration dependencies, and may not be compatible with all systems. It therefore requires special attention to detail and testing before implementation. If your environment supports these features, they are highly recommended as they have tangible security benefits. This profile is intended to be an optional “add-on” to the Level 1 or Level 2 profiles.
Next Generation Windows Security – Member Server
This profile contains advanced Windows security features that have specific configuration dependencies, and may not be compatible with all systems. It therefore requires special attention to detail and testing before implementation. If your environment supports these features, they are highly recommended as they have tangible security benefits. This profile is intended to be an optional “add-on” to the Level 1 or Level 2 profiles.
How to harden Windows Server 2019
Many CIS benchmarks, such as the Windows Server 2019 benchmark, span over 1,000 pages and contain a large number of recommendations. Machine learning aids in tracking and approving configuration updates through a workflow that ensures compliance and supports audits and incident response.
Achieving real-world compliance requires tight cooperation between operations and security teams; balancing server uptime against compliance is the central challenge.
CalCom Hardening Automation Suite (CHS) is an automation platform that enhances infrastructure security and compliance while minimizing operational costs. CHS maintains a hardened and secure posture for servers, ensuring availability and significantly reducing the time spent by security operations administrators. You can watch our webinar: Windows 2019 hardening webinar: Ensuring CIS compliance while avoiding production outages
CIS Microsoft Windows Server 2019 Benchmark v2.0.0 updates
The most recent CIS Microsoft Windows Server 2019 Benchmark, v2.0.0, updates v1.3.0. The benchmark changes are as follows:
- REMOVE – 18.5.4 (L1) Ensure ‘Configure DNS over HTTPS (DoH) name resolution’ is set to ‘Enabled: Allow DoH’ or higher
- UPDATE – 18.9.89 ‘Allow Windows Ink Workspace’ TO ‘Enabled: On, but disallow access above lock’ OR ‘Enabled: Disabled’
- UPDATE – Section changes from Windows 11 Release 22H2 Administrative Templates
- UPDATE – 18.10.87 (L1) ‘Turn on PowerShell Transcription’ is set to ‘Disabled’ TO ‘Enabled’
- ADD – 1.2 (L1) Ensure ‘Allow Administrator account lockout’ is set to ‘Enabled’
- REMOVE – 2.3.1 (L1) Ensure ‘Accounts: Administrator account status’ is set to ‘Disabled’
- ADD – 18.4 (L1) Ensure ‘Configure RPC packet level privacy setting for incoming connections’ is set to ‘Enabled’
- MOVE – 18.4 (L1) Ensure ‘Limits print driver installation to Administrators’ is set to ‘Enabled’ TO 18.7
- ADD – 18.4 (L1) Ensure ‘LSA Protection’ is set to ‘Enabled’
- ADD – 18.6.4 (L1) Ensure ‘Configure NetBIOS settings’ is set to ‘Enabled: Disable NetBIOS name resolution on public networks’
- ADD – 18.7 (L1) Ensure ‘Configure Redirection Guard’ is set to ‘Enabled: Redirection Guard Enabled’
- ADD – 18.7 (L1) Ensure ‘Configure RPC connection settings: Protocol to use for outgoing RPC connections’ is set to ‘Enabled: RPC over TCP’
- ADD – 18.7 (L1) Ensure ‘Configure RPC connection settings: Use authentication for outgoing RPC connections’ is set to ‘Enabled: Default’
- ADD – 18.7 (L1) Ensure ‘Configure RPC listener settings: Protocols to allow for incoming RPC connections’ is set to ‘Enabled: RPC over TCP’
- ADD – 18.7 (L1) Ensure ‘Configure RPC listener settings: Authentication protocol to use for incoming RPC connections’ is set to ‘Enabled: Negotiate’ or higher
- ADD – 18.7 (L1) Ensure ‘Manage processing of Queue-specific files’ is set to ‘Enabled: Limit Queue-specific files to Color profiles’
- ADD – 18.10.17 (L1) Ensure ‘Enable App Installer’ is set to ‘Disabled’
- ADD – 18.10.17 (L1) Ensure ‘Enable App Installer Experimental Features’ is set to ‘Disabled’
- ADD – 18.10.17 (L1) Ensure ‘Enable App Installer Hash Override’ is set to ‘Disabled’
- ADD – 18.10.17 (L1) Ensure ‘Enable App Installer msappinstaller protocol’ is set to ‘Disabled’
- UPDATE – 18.10.43.6.1 (L1) Ensure ‘Configure Attack Surface Reduction rules’ with additional ASR rule for “Block abuse of exploited vulnerable signed drivers”
- ADD – 18.10.59 (L2) Ensure ‘Allow search highlights’ is set to ‘Disabled’
- ADD – 18.7 (L1) Ensure ‘Configure RPC over TCP port’ is set to ‘Enabled: 0’
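As a worked illustration of the benchmark assessment described earlier, applied to the v2.0.0 changes listed above, the following read-only PowerShell audit is an added example; it is not code from this article, from CalCom, or from CIS, and it is not how CIS-CAT Pro works internally. The registry paths, value names and expected values it checks are assumptions taken from the Group Policy (ADMX) settings behind each recommendation, and the AllowAdministratorLockout key name in the exported security policy is likewise assumed; verify every mapping against the Audit section of the corresponding recommendation in the benchmark before relying on it. It covers only the items that map to a single registry value or to the account lockout policy.

```powershell
# Added example (not from the article, CalCom, or CIS): read-only audit of a subset
# of the v2.0.0 changes. Registry paths and expected values are ASSUMPTIONS drawn
# from the ADMX settings behind each recommendation; confirm them against the
# benchmark's Audit sections. Run in an elevated session on the server under review.

$Checks = @(
    @{ Id = '18.4';     Title = 'LSA Protection';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'RunAsPPL'; Expected = @(1) },
    @{ Id = '18.4';     Title = 'Configure RPC packet level privacy setting for incoming connections';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print';
       Name = 'RpcAuthnLevelPrivacyEnabled'; Expected = @(1) },
    @{ Id = '18.6.4';   Title = 'Configure NetBIOS settings (disable on public networks)';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';
       Name = 'EnableNetbios'; Expected = @(2) },
    @{ Id = '18.7';     Title = 'Limits print driver installation to Administrators';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint';
       Name = 'RestrictDriverInstallationToAdministrators'; Expected = @(1) },
    @{ Id = '18.7';     Title = 'Configure Redirection Guard';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers';
       Name = 'RedirectionguardPolicy'; Expected = @(1) },
    @{ Id = '18.10.17'; Title = 'Enable App Installer';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller';
       Name = 'EnableAppInstaller'; Expected = @(0) },
    @{ Id = '18.10.17'; Title = 'Enable App Installer Experimental Features';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller';
       Name = 'EnableExperimentalFeatures'; Expected = @(0) },
    @{ Id = '18.10.17'; Title = 'Enable App Installer Hash Override';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller';
       Name = 'EnableHashOverride'; Expected = @(0) },
    @{ Id = '18.10.17'; Title = 'Enable App Installer msappinstaller protocol';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller';
       Name = 'EnableMSAppInstallerProtocol'; Expected = @(0) },
    @{ Id = '18.10.87'; Title = 'Turn on PowerShell Transcription';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription';
       Name = 'EnableTranscripting'; Expected = @(1) }
)

function Test-CisRegistryValue {
    param([hashtable]$Check)
    # A missing key or value means the policy is "Not Configured"; the benchmark
    # treats that as a failure for items that must be explicitly Enabled/Disabled.
    $actual = $null
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Name) }
    }
    [pscustomobject]@{
        Id       = $Check.Id
        Title    = $Check.Title
        Value    = $Check.Name
        Expected = ($Check.Expected -join ' or ')
        Actual   = if ($null -eq $actual) { 'Not Configured' } else { $actual }
        Status   = if ($null -ne $actual -and $Check.Expected -contains [int]$actual) { 'PASS' } else { 'FAIL' }
    }
}

$results = foreach ($c in $Checks) { Test-CisRegistryValue -Check $c }
$results | Format-Table -AutoSize

# Item 1.2 (Allow Administrator account lockout) lives in the account lockout
# policy rather than the registry: export the effective local policy with secedit
# and read it from the .inf. The key name AllowAdministratorLockout is assumed.
$inf = Join-Path $env:TEMP 'cis-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$lockoutLine = Select-String -Path $inf -Pattern '^AllowAdministratorLockout' | Select-Object -First 1
if ($lockoutLine) { Write-Output "1.2 $($lockoutLine.Line.Trim())" }
else { Write-Output "1.2 AllowAdministratorLockout: not present in exported policy" }
Remove-Item $inf -ErrorAction SilentlyContinue

$failed = @($results | Where-Object Status -eq 'FAIL').Count
Write-Output "$failed of $($results.Count) registry checks failed"
```

The script only reads configuration, so it is safe to run repeatedly as part of the ongoing audit step of the assessment; pair its FAIL rows with the benchmark's Remediation section and a change-management workflow rather than fixing values ad hoc, since several of these settings (LSA Protection, the printer RPC hardening) can affect legacy drivers and services in production.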