Control updates introduced for CIS Microsoft Windows Server 2019 Benchmark v3.0.0

SCE for Windows v2.1.0 introduced enforcement for Center for Internet Security (CIS) Microsoft Windows Server 2019 Benchmark v3.0.0. The transition from the previous CIS Benchmark, v2.0.0, to the new benchmark resulted in module updates.

The CIS Microsoft Windows Server 2019 Benchmark v3.0.0 reflects Microsoft's move from the legacy Local Administrator Password Solution (LAPS) to Windows LAPS. Controls for the deprecated LAPS are removed from the benchmark, and controls for the updated version of LAPS are added. SCE for Windows v2.1.0 removes the legacy LAPS controls and does not include any Microsoft LAPS controls. For more information about LAPS, see What is Windows LAPS?

  • Added
    • The following CIS controls are added in this release:
      • 2.3.11.11 Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'

      • 2.3.11.13 Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher

      • 18.4.5 Ensure 'Enable Certificate Padding' is set to 'Enabled'

      • 18.9.19.4 Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'False'

      • 18.9.19.5 Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'True'

      • 18.9.51.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'. By default, this control enables the NTP client of the Windows Time service. If no Network Time Protocol (NTP) servers are explicitly configured, the default value is applied: time.microsoft.com. You can configure the control as shown in the following example:

        sce_windows::config:
          control_configs:
            ensure_enable_windows_ntp_client_is_set_to_enabled:
              enabled: true
              ntp_servers:
                - '1.2.3.4'
                - '5.6.7.8'

      • 18.10.42.13.1 Ensure 'Scan packed executables' is set to 'Enabled'
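After a Puppet run you will usually want to confirm that the newly added controls actually landed on the node rather than trusting the report. The following PowerShell audit is an added example, not code from the SCE for Windows module or from this page. The registry locations and expected values are the ones the CIS benchmark's own audit procedures name for these control IDs; the NTP server list is a placeholder that mirrors the ntp_servers example above, and the assumption that the module writes the peer list to the W32time policy Parameters key (falling back to the service key) is mine, not something the page states.

```powershell
# Added example (not part of SCE for Windows or this page): audit the registry state
# behind the controls added for CIS Windows Server 2019 Benchmark v3.0.0.
# Paths/values follow the CIS audit procedures; the NTP peer list is a placeholder.
#Requires -RunAsAdministrator

$GpSecurityCse = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

$Checks = @(
    @{ Id = '2.3.11.11';   Control = 'Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'AuditReceivingNTLMTraffic'; Expected = @(2) }
    @{ Id = '2.3.11.13';   Control = 'Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit all or higher'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictSendingNTLMTraffic'; Expected = @(1, 2) }
    @{ Id = '18.4.5';      Control = 'Enable Certificate Padding = Enabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config'; Name = 'EnableCertPaddingCheck'; Expected = @('1') }
    @{ Id = '18.9.19.4';   Control = 'Security policy processing: Do not apply during periodic background processing = False'
       Path = $GpSecurityCse; Name = 'NoBackgroundPolicy'; Expected = @(0) }
    @{ Id = '18.9.19.5';   Control = 'Security policy processing: Process even if the GPOs have not changed = True'
       Path = $GpSecurityCse; Name = 'NoGPOListChanges'; Expected = @(0) }
    @{ Id = '18.9.51.1.1'; Control = 'Enable Windows NTP Client = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient'; Name = 'Enabled'; Expected = @(1) }
    @{ Id = '18.9.51.1.2'; Control = 'Enable Windows NTP Server = Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpServer'; Name = 'Enabled'; Expected = @(0) }
    @{ Id = '18.10.42.7.1';  Control = 'Enable file hash computation feature = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'; Name = 'EnableFileHashComputation'; Expected = @(1) }
    @{ Id = '18.10.42.13.1'; Control = 'Scan packed executables = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'; Name = 'DisablePackedExeScanning'; Expected = @(0) }
)

function Test-Control {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A value that was never written is a FAIL: Windows silently uses its own default.
        return [pscustomobject]@{ Id = $Check.Id; Status = 'FAIL'; Actual = '<not set>'; Control = $Check.Control }
    }
    $actual = $item.($Check.Name)
    # Compare as strings so REG_SZ "1" (18.4.5) and REG_DWORD 1 both match; "or higher"
    # controls such as 2.3.11.13 list every acceptable value in Expected.
    $ok = $Check.Expected | Where-Object { "$_" -eq "$actual" }
    [pscustomobject]@{ Id = $Check.Id; Status = $(if ($ok) { 'PASS' } else { 'FAIL' }); Actual = $actual; Control = $Check.Control }
}

function Test-NtpServers {
    param([string[]]$Expected)
    # Assumption: the module writes the peer list to the policy key; the service key is
    # the effective value when no policy is present.
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\Parameters'
    $service = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $path = if (Test-Path $policy) { $policy } else { $service }
    $raw = (Get-ItemProperty -Path $path -Name NtpServer -ErrorAction SilentlyContinue).NtpServer
    # W32time stores peers as "host,flags host,flags"; keep only the host part of each.
    $configured = @("$raw" -split '\s+' | Where-Object { $_ } | ForEach-Object { ($_ -split ',')[0] })
    $missing = $Expected | Where-Object { $configured -notcontains $_ }
    [pscustomobject]@{
        Id = 'ntp_servers'; Status = $(if ($missing) { 'FAIL' } else { 'PASS' })
        Actual = ($configured -join ' '); Control = "NTP peers read from $path"
    }
}

$results = @($Checks | ForEach-Object { Test-Control $_ })
$results += Test-NtpServers -Expected @('1.2.3.4', '5.6.7.8')   # placeholder list from the example above
$results | Format-Table Id, Status, Actual, Control -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 }
```

Run it elevated on the node after the Puppet agent has applied the sce_windows class; a non-zero exit makes it easy to wire into a post-deployment check. Note that 18.9.51.1.2 and 18.10.42.7.1 are listed here because the page moves them to Level 1 enforcement in the same release, so a Level 1 node should now pass them too.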

  • Changed
    • For the following CIS controls, names are changed:
      • 18.5.1 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' was changed to 18.5.1 'MSS: (AutoAdminLogon) Enable Automatic Logon'

      • 18.5.2 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' was changed to 18.5.2 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level'

      • 18.5.3 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' was changed to 18.5.3 'MSS: (DisableIPSourceRouting) IP source routing protection level'

      • 18.5.5 'MSS: (KeepAliveTime) How often keepalive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' was changed to 18.5.5 'MSS: (KeepAliveTime) How often keepalive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'

      • 18.5.7 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' was changed to 18.5.7 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses'

      • 18.5.8 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' was changed to 18.5.8 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode'

      • 18.5.9 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' was changed to 18.5.9 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires'

      • 18.6.14.1 'Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" for all NETLOGON and SYSVOL shares' was updated with a privacy requirement: 18.6.14.1 '(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication", "Require Integrity", and "Require Privacy" set for all NETLOGON and SYSVOL shares'

    • The following CIS controls are now enforced at Level 1:

      • 18.9.51.1.1 Ensure 'Enable Windows NTP Client' is set to 'Enabled'

      • 18.9.51.1.2 Ensure 'Enable Windows NTP Server' is set to 'Disabled'

      • 18.10.42.7.1 Ensure 'Enable file hash computation feature' is set to 'Enabled'

  • Removed
    • The following CIS controls were removed:
      • 2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set

      • 9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'

      • 9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'

      • 9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'

      • 18.3.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed

      • 18.3.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'

      • 18.3.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'

      • 18.3.4 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'

      • 18.3.5 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'

      • 18.3.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'

      • 19.1.3.1 Ensure 'Enable screen saver' is set to 'Enabled'

      • 19.1.3.2 Ensure 'Password protect the screen saver' is set to 'Enabled'

      • 19.1.3.3 Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'