Control updates introduced for CIS Microsoft Windows 10 Enterprise Benchmark v3.0.0
SCE for Windows v2.1.0 introduced enforcement for the Center for Internet Security (CIS) Microsoft Windows 10 Enterprise Benchmark v3.0.0. The transition from the previous benchmark, v2.0.0, to v3.0.0 resulted in the following module updates.
- Added
- The following CIS controls are added in this release:
2.3.11.11 (L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'
2.3.11.12 (L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher
18.4.4 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'
18.9.51.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'
18.10.42.7 Ensure 'Enable file hash computation feature' is set to 'Enabled'
18.10.42.13.1 (L1) Ensure 'Scan packed executables' is set to 'Enabled'
- Changed
- For the following CIS controls, the control name changed:
18.5.1 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is changed to 'MSS: (AutoAdminLogon) Enable Automatic Logon'
18.5.2 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is changed to 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level'
18.5.3 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is changed to 'MSS: (DisableIPSourceRouting) IP source routing protection level'
18.5.6 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds': the recommended value 'Enabled: 300,000 or 5 minutes (recommended)' is changed to 'Enabled: 300,000 or 5 minutes'
18.5.8 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is changed to 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses'
18.5.9 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is changed to 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode'
18.5.10 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is changed to 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires'
18.6.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" for all NETLOGON and SYSVOL shares' is updated with a privacy requirement and now reads: Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication", "Require Integrity", and "Require Privacy" set for all NETLOGON and SYSVOL shares'
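The following read-only audit script is an added example, not part of these release notes or of the SCE module itself. It checks the local registry for the six controls added in v3.0.0 and for the new "Require Privacy" option on Hardened UNC Paths. The registry paths, value names and expected values are my assumptions about how these CIS policies map to the registry (they are the policy locations I know these settings to use); confirm them against the Audit section of the benchmark before relying on the result.

```powershell
# Added example (not from the SCE release notes): read-only audit of the
# registry values behind the CIS controls added or changed in v3.0.0.
# Registry paths and expected values are assumptions about the policy mapping;
# verify them against the CIS benchmark's Audit section. Run elevated; nothing
# is written.

$checks = @(
    @{ Id = '2.3.11.11'; Name = 'Restrict NTLM: Audit Incoming NTLM Traffic'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'AuditReceivingNTLMTraffic'; Pass = { param($v) $v -eq 2 }
       Expect = '2 (Enable auditing for all accounts)' }
    @{ Id = '2.3.11.12'; Name = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictSendingNTLMTraffic'; Pass = { param($v) $v -in 1, 2 }
       Expect = '1 (Audit all) or 2 (Deny all)' }
    @{ Id = '18.4.4'; Name = 'Enable Certificate Padding'
       Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config'
       Value = 'EnableCertPaddingCheck'; Pass = { param($v) $v -eq 1 }
       Expect = '1' }
    @{ Id = '18.9.51.1.1'; Name = 'Enable Windows NTP Client'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient'
       Value = 'Enabled'; Pass = { param($v) $v -eq 1 }
       Expect = '1' }
    @{ Id = '18.10.42.7'; Name = 'Enable file hash computation feature'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
       Value = 'EnableFileHashComputation'; Pass = { param($v) $v -eq 1 }
       Expect = '1' }
    @{ Id = '18.10.42.13.1'; Name = 'Scan packed executables'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
       Value = 'DisablePackedExeScanning'; Pass = { param($v) $v -eq 0 }
       Expect = '0 (packed executable scanning enabled)' }
)

# Hardened UNC Paths (18.6.14.1): each share value is a comma-separated option
# string. v3.0.0 adds RequirePrivacy=1 to the two options v2.0.0 already required,
# so a string that only carries the old two options must fail.
$uncPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
foreach ($share in '\\*\NETLOGON', '\\*\SYSVOL') {
    $checks += @{ Id = '18.6.14.1'; Name = "Hardened UNC Paths $share"
        Path = $uncPath; Value = $share
        Pass = {
            param($v)
            $opts = @{}
            foreach ($kv in ($v -split ',')) {
                $k, $val = ($kv.Trim() -split '=', 2)
                $opts[$k] = $val
            }
            ($opts['RequireMutualAuthentication'] -eq '1') -and
            ($opts['RequireIntegrity'] -eq '1') -and
            ($opts['RequirePrivacy'] -eq '1')
        }
        Expect = 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1' }
}

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # A missing key or value returns $null; the caller reports that as FAIL,
    # because "not configured" is never the compliant state for these controls.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$results = foreach ($c in $checks) {
    $actual = Get-RegValueOrNull $c.Path $c.Value
    [pscustomobject]@{
        Control  = $c.Id
        Setting  = $c.Name
        Expected = $c.Expect
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($null -ne $actual -and (& $c.Pass $actual)) { 'PASS' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize
```

Two caveats when reading the output: the script inspects the machine's effective registry state, so a value set by an enforcement module and one set by hand look the same, and a Group Policy that has not yet refreshed will still show the old value. For Enable Certificate Padding on 64-bit Windows the benchmark text I have seen also references the corresponding key under HKLM:\SOFTWARE\Wow6432Node; extend the `$checks` list with that path if you need both locations covered.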
- Removed
- The following CIS controls were removed:
9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
18.10.33.1 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'
18.10.76.3.1 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'
18.10.76.3.2 Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'
19.1.3.1 Ensure 'Password protect the screen saver' is set to 'Enabled'
19.1.3.2 (L1) Ensure 'Enable screen saver' is set to 'Enabled'
19.1.3.3 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'