Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v3.0.0
SCE for Windows v2.1.0 introduced enforcement for Center for Internet Security (CIS) Microsoft Windows Server 2016 Benchmark v3.0.0. The transition from the previous CIS Benchmark, v2.0.0, to the new benchmark resulted in the module updates listed below.
- Added
- The following CIS controls are added in this release:
2.3.11.11 Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
2.3.11.13 Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher
18.4.5 Ensure 'Enable Certificate Padding' is set to 'Enabled'
18.9.19.3 Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'True'
18.9.19.4 Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'False'
18.10.42.13.1 Ensure 'Scan packed executables' is set to 'Enabled'
- Changed
- For the following CIS controls, the name changed:
18.5.1 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' was changed to 18.5.1 'MSS: (AutoAdminLogon) Enable Automatic Logon'
18.5.2 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' was changed to 18.5.2 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level'
18.5.3 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' was changed to 18.5.3 'MSS: (DisableIPSourceRouting) IP source routing protection level'
18.5.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' was changed to 18.5.5 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'
18.5.7 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' was changed to 18.5.7 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses'
18.5.8 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' was changed to 18.5.8 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode'
18.5.9 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' was changed to 18.5.9 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires'
18.6.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" for all NETLOGON and SYSVOL shares' was updated with a privacy requirement: 18.6.14.1 Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication", "Require Integrity", and "Require Privacy" set for all NETLOGON and SYSVOL shares'
- Removed
- The following CIS controls are removed:
2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set
9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
19.1.3.1 Ensure 'Enable screen saver' is set to 'Enabled'
19.1.3.2 Ensure 'Password protect the screen saver' is set to 'Enabled'
19.1.3.3 Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'
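The following PowerShell script is an added example, not code from SCE for Windows or from the CIS benchmark. It reads the registry values behind the six controls added in this release and the updated 18.6.14.1 Hardened UNC Paths requirement, and reports pass/fail per control so you can see what the new enforcement will flag before rolling v2.1.0 out. The registry paths and value names are assumptions taken from the benchmark's audit procedures and Microsoft documentation, not from this page; verify them against the benchmark before relying on the result.

```powershell
# Added example (not part of the SCE for Windows release notes): spot-check the
# CIS Windows Server 2016 Benchmark v3.0.0 controls that SCE v2.1.0 started enforcing.
# Registry locations are ASSUMED from the CIS audit procedures / Microsoft docs,
# not taken from the release notes. Run in an elevated PowerShell session.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # RegistryKey.GetValue() is used instead of Get-ItemProperty so that value
    # names such as \\*\SYSVOL are not treated as wildcards. Returns $null when
    # the key or the value does not exist, i.e. the setting is not configured.
    try { (Get-Item -LiteralPath $Path -ErrorAction Stop).GetValue($Name) }
    catch { $null }
}

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$gpSec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

# One entry per added control: where the value lives and what v3.0.0 expects.
$checks = @(
    @{ Id = '2.3.11.11'; Setting = 'Restrict NTLM: Audit Incoming NTLM Traffic'
       Path = $lsa; Value = 'AuditReceivingNTLMTraffic'
       Expected = '2 (audit all accounts)';        Test = { param($v) $v -eq 2 } }
    @{ Id = '2.3.11.13'; Setting = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path = $lsa; Value = 'RestrictSendingNTLMTraffic'
       Expected = '1 (audit all) or 2 (deny all)'; Test = { param($v) $v -ge 1 } }
    @{ Id = '18.4.5'; Setting = 'Enable Certificate Padding'
       Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config'; Value = 'EnableCertPaddingCheck'
       Expected = '1';                             Test = { param($v) "$v" -eq '1' } }
    @{ Id = '18.9.19.3'; Setting = 'Security policy processing: process even if GPOs have not changed'
       Path = $gpSec; Value = 'NoGPOListChanges'
       Expected = '0';                             Test = { param($v) $v -eq 0 } }
    @{ Id = '18.9.19.4'; Setting = 'Security policy processing: do not apply during background processing'
       Path = $gpSec; Value = 'NoBackgroundPolicy'
       Expected = '0';                             Test = { param($v) $v -eq 0 } }
    @{ Id = '18.10.42.13.1'; Setting = 'Scan packed executables'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'; Value = 'DisablePackedExeScanning'
       Expected = '0';                             Test = { param($v) $v -eq 0 } }
)

$results = @(foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Control  = $c.Id
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { "$actual" }
        Pass     = ($null -ne $actual) -and [bool](& $c.Test $actual)
    }
})

# 18.6.14.1: v3.0.0 additionally requires RequirePrivacy=1, so an entry that still
# reads "RequireMutualAuthentication=1, RequireIntegrity=1" passed v2.0.0 but fails now.
$hardened = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
foreach ($share in '\\*\NETLOGON', '\\*\SYSVOL') {
    $entry = Get-RegValue -Path $hardened -Name $share
    $ok = [bool]$entry -and
          ($entry -match 'RequireMutualAuthentication\s*=\s*1') -and
          ($entry -match 'RequireIntegrity\s*=\s*1') -and
          ($entry -match 'RequirePrivacy\s*=\s*1')
    $results += [pscustomobject]@{
        Control  = '18.6.14.1'
        Setting  = "Hardened UNC Paths: $share"
        Expected = 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'
        Actual   = if ($entry) { "$entry" } else { '(not set)' }
        Pass     = $ok
    }
}

$results | Format-Table -AutoSize
$passed = @($results | Where-Object Pass).Count
"{0}/{1} checks passed" -f $passed, $results.Count
```

Two caveats when reading the output. For 2.3.11.13 the benchmark wording is "Audit all or higher", which is why the test accepts both 1 (Audit all) and 2 (Deny all); the incoming-traffic control 2.3.11.11 is exact, since 1 would only audit domain accounts. For 18.4.5, Microsoft's guidance for the padding check also covers the Wow6432Node path on 64-bit hosts, so a host that only sets the native key may still be reported differently by a scanner that looks at both; extend `$checks` with the second path if your scanner does.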