In February 2022, the Center for Internet Security (CIS) released the CIS Microsoft Windows Server 2022 Benchmark v1.0.0, which provides security best practices for establishing a secure configuration posture and serves as a hardening guide for Microsoft Windows Server 2022.
CIS says of the benchmark: "This secure configuration guide is based on the Microsoft Windows Server 2022 security baseline (Release 21H2) and is intended for all versions of the Microsoft Windows Server 2022 operating system, including older Windows Server versions. This secure configuration guide was tested against Microsoft Windows Server 2022 Datacenter."
After releasing the Windows Server 2022 benchmark, CIS back-ported the new recommendations to its benchmarks for earlier operating systems, back to Windows Server 2008, where relevant. If you would like to discuss CalCom's automated hardening and its recommended settings, based on years of implementation experience and an understanding of what will break your servers, request a demo today. There are more Windows Server 2022 hardening settings than we can cover here; below we discuss the ones we consider critical:
Legend
* MS is Member Server (the CIS profile for servers that are not domain controllers)
* DCs is Domain Controllers
Password Policy
Setting Name: Maximum password age
Description: This policy setting defines how long a user can use their password before it expires.
CIS Microsoft 2012: 365 or fewer days, but not 0
CIS Microsoft 2016: 365 or fewer days, but not 0
CIS Microsoft 2019: 365 or fewer days, but not 0
CIS Microsoft 2022: 365 or fewer days, but not 0
Experts Recommend: 365 or fewer days, but not 0
Setting name: Account lockout threshold
Description: This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold.
CIS Microsoft 2012: 5 or fewer invalid logon attempt(s), but not 0
CIS Microsoft 2016: 5 or fewer invalid logon attempt(s), but not 0
CIS Microsoft 2019: 5 or fewer invalid logon attempt(s), but not 0
CIS Microsoft 2022: 5 or fewer invalid logon attempt(s), but not 0
Experts Recommend: 5 or fewer invalid logon attempt(s), but not 0
Setting name: Relax minimum password length limits
Description: This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters.
CIS Microsoft 2019 recommend: Enabled
CIS Microsoft 2022 recommend: Enabled
Experts Recommend: Microsoft 2019 – 2022: Enabled
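The following is an added example, not code from CIS or CalCom: it audits the three password and lockout settings above on the local machine by exporting the local security policy with secedit and reading the SAM registry key. Assumptions: it runs elevated; the INF export path is a temporary file of our choosing; the registry location for "Relax minimum password length limits" is HKLM\SYSTEM\CurrentControlSet\Control\SAM, value RelaxMinimumPasswordLengthLimits. On a domain member the exported values are the ones Group Policy already applied, so the authoritative source there is the Default Domain Policy (Get-ADDefaultDomainPasswordPolicy on a domain controller).

```powershell
# Added example (not from the CIS benchmark or CalCom): audit the three
# password/lockout settings above on the local machine and print a report.
# Assumptions: runs elevated; $inf is a temp file we chose; the SAM key below
# is the assumed location of "Relax minimum password length limits".

function Get-LocalSecurityPolicy {
    # secedit exports an INI-style file; only "Name = Value" lines matter here.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*=\s*(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -Force
    return $policy
}

function Test-PasswordPolicy {
    $p = Get-LocalSecurityPolicy
    $maxAge  = [int]$p['MaximumPasswordAge']   # -1 in the INF means "password never expires"
    $lockout = [int]$p['LockoutBadCount']      # 0 in the INF means lockout is disabled
    $samKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
    $relax   = (Get-ItemProperty -Path $samKey -Name RelaxMinimumPasswordLengthLimits -ErrorAction SilentlyContinue).RelaxMinimumPasswordLengthLimits

    # "365 or fewer days, but not 0" and "5 or fewer attempts, but not 0" from the benchmark.
    [pscustomobject]@{ Setting = 'Maximum password age';          Value = $maxAge;  Compliant = ($maxAge -ge 1 -and $maxAge -le 365) }
    [pscustomobject]@{ Setting = 'Account lockout threshold';     Value = $lockout; Compliant = ($lockout -ge 1 -and $lockout -le 5) }
    [pscustomobject]@{ Setting = 'Relax minimum password length'; Value = $relax;   Compliant = ($relax -eq 1) }
}

Test-PasswordPolicy | Format-Table -AutoSize

# Local remediation on a standalone host (on a domain member, fix the GPO instead):
#   net accounts /maxpwage:365 /lockoutthreshold:5
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM' -Name RelaxMinimumPasswordLengthLimits -Value 1 -Type DWord
```

The report treats -1 (never expires) and 0 (lockout disabled) as non-compliant, which is the benchmark's "but not 0" condition; a check that only tests "less than or equal to 365" would pass a password that never expires.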
System Services
Setting name: Print Spooler
Description: This service spools print jobs and handles interaction with printers.
CIS Microsoft 2022
DCs: Disabled
MS: Disabled
Experts Recommend: Disabled
Citrix, Cockpit, print servers and RDS hosts: Not Defined
2008-2019 – Defender & Firewall
Setting name: Enable file hash computation feature
Description: This setting determines whether hash values are computed for files scanned by Microsoft Defender.
CIS Microsoft 2019 recommend: Enabled
CIS Microsoft 2022 recommend: Enabled
Experts Recommend: Not defined
Setting name: Turn off real-time protection
Description: This policy setting configures real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer.
CIS Microsoft 2019 recommend: Disabled
CIS Microsoft 2022 recommend: Disabled
Experts Recommend: Not defined
Setting name: Turn on script scanning
Description: This policy setting allows script scanning to be turned on or off. Script scanning intercepts scripts and scans them before they are executed on the system.
CIS Microsoft 2019 recommend: Enabled
CIS Microsoft 2022 recommend: Enabled
Experts Recommend: Not defined
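The following is an added example, not code from CIS or CalCom: it checks the three Defender settings above through the Defender PowerShell cmdlets, and then reads the Group Policy registry values that override the local preference when a GPO sets them. Assumptions: Microsoft Defender Antivirus and its PowerShell module are installed (Windows Server 2016 and later); the property names EnableFileHashComputation, DisableRealtimeMonitoring and DisableScriptScanning are the ones Get-MpPreference exposes, and the policy key locations under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender are the ones the matching ADMX policies write.

```powershell
# Added example (not from the CIS benchmark or CalCom): verify the Defender
# settings above. Assumes the Defender module is present and the property and
# registry value names listed in the lead-in.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Effective local preference. The page's "Disabled" for "Turn off real-time
# protection" means real-time monitoring must be ON, hence the negations.
$checks = @(
    [pscustomobject]@{ Setting = 'Enable file hash computation feature';  Expected = $true; Actual = [bool]$pref.EnableFileHashComputation }
    [pscustomobject]@{ Setting = 'Real-time protection on';               Expected = $true; Actual = (-not $pref.DisableRealtimeMonitoring) }
    [pscustomobject]@{ Setting = 'Script scanning on';                    Expected = $true; Actual = (-not $pref.DisableScriptScanning) }
    [pscustomobject]@{ Setting = 'Real-time protection engine running';   Expected = $true; Actual = [bool]$status.RealTimeProtectionEnabled }
)
$checks |
    Select-Object Setting, Expected, Actual, @{ n = 'Compliant'; e = { $_.Expected -eq $_.Actual } } |
    Format-Table -AutoSize

# Policy values written by the corresponding Group Policy settings. When these
# exist they win over Set-MpPreference, so remediation then belongs in the GPO.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policyKeys = @(
    @{ Key = "$policyRoot\MpEngine";             Name = 'EnableFileHashComputation'; Want = 1 }
    @{ Key = "$policyRoot\Real-Time Protection"; Name = 'DisableRealtimeMonitoring'; Want = 0 }
    @{ Key = "$policyRoot\Real-Time Protection"; Name = 'DisableScriptScanning';     Want = 0 }
)
foreach ($k in $policyKeys) {
    $v = (Get-ItemProperty -Path $k.Key -Name $k.Name -ErrorAction SilentlyContinue).($k.Name)
    $state = if ($null -eq $v) { 'Not configured (local preference applies)' }
             elseif ($v -eq $k.Want) { 'OK' }
             else { "Mismatch: $v" }
    '{0}\{1}: {2}' -f $k.Key, $k.Name, $state
}

# Local remediation when no GPO governs these values. Tamper protection, if on,
# allows turning protections on but blocks turning them off.
# Set-MpPreference -EnableFileHashComputation $true -DisableRealtimeMonitoring $false -DisableScriptScanning $false
```

File hash computation is what lets Defender match custom file-hash indicators, but it adds I/O on hosts that scan many large files; that trade-off is why a blanket "Enabled" is worth testing on file servers before it is pushed fleet-wide.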
Remote Desktop Services (RDS)
Setting name: Allow UI Automation redirection
Description: This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server.
UI Automation gives programs access to most UI elements, which allows use of assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. For example, the local computer's Narrator and Magnifier clients can be used to interact with UI on a web page opened in a remote session.
CIS 2022 recommend: Disabled
Experts Recommend: Disabled
Setting name: Do not allow location redirection
Description: This policy setting controls the redirection of location data to the remote computer in a Remote Desktop Services session.
CIS 2022 recommend: Enabled
Experts Recommend: Enabled
Windows Components 2008-2022
Setting name: Include command line in process creation events
Description: This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created.
CIS 2012 recommend: Enabled
Experts Recommend: 2008R2 – 2022: Enabled
Note: The command-line field this setting adds to event 4688 is not supported natively on older operating systems; Windows Server 2008 R2 and 2012 need a later Windows update to add it.
Setting name: Manage preview builds
Description: This policy setting manages whether the device receives preview (pre-release) builds before they are generally released.
CIS Recommend: Disabled
Experts Recommend: 2016 – 2022: Disabled
Setting name: Allow Diagnostic Data
Description: This policy setting determines the amount of diagnostic and usage data reported to Microsoft.
CIS Recommend: Enabled
Experts Recommend: 2016 – 2022: 'Enabled: Diagnostic data off (not recommended)'
Setting name: Turn on PowerShell Script Block Logging
Description: This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\Microsoft\Windows\PowerShell\Operational Event Log channel.
CIS Recommend: Enabled
Experts Recommend: Enabled
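The following is an added example, not code from CIS or CalCom, covering two of the entries above, "Include command line in process creation events" and "Turn on PowerShell Script Block Logging": it sets the two policy values locally, enables the Process Creation audit subcategory that event 4688 depends on, generates one process and one script block, and reads the resulting events back so you can confirm the data actually reaches the logs. Assumptions: it runs elevated on a host where no GPO sets these keys (a GPO would overwrite the local values at the next refresh); the registry locations are the ones the matching ADMX policies write; the GUID used for the Process Creation subcategory is {0CCE922B-69AE-11D9-BED3-505054503030}, used instead of the localized name; the probe commands are ours.

```powershell
# Added example (not from the CIS benchmark or CalCom): enable and verify
# command-line and script block logging. Assumes elevation and the key/value
# names listed in the lead-in.

$items = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; Name = 'ProcessCreationIncludeCmdLine_Enabled'; Want = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';   Name = 'EnableScriptBlockLogging';              Want = 1 }
)
foreach ($i in $items) {
    if (-not (Test-Path $i.Key)) { New-Item -Path $i.Key -Force | Out-Null }
    Set-ItemProperty -Path $i.Key -Name $i.Name -Value $i.Want -Type DWord
}

# Event 4688 is only written when the "Process Creation" audit subcategory is
# on; the setting above merely adds the CommandLine field to it.
$processCreation = '{0CCE922B-69AE-11D9-BED3-505054503030}'   # assumed subcategory GUID
$sub = auditpol /get /subcategory:$processCreation /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
if ($sub.'Inclusion Setting' -notmatch 'Success') {
    auditpol /set /subcategory:$processCreation /success:enable | Out-Null
}

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Pull one named <Data> element out of the event's XML payload.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Probes: one process creation, one script block. A fresh PowerShell session may
# be needed before the script block policy change is honoured.
& cmd.exe /c 'whoami /groups > nul'
Invoke-Expression 'Write-Verbose "script block logging probe"'
Start-Sleep -Seconds 2

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = Get-EventField $_ 'CommandLine' } } |
    Format-Table -AutoSize -Wrap

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 3 |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; ScriptBlock = Get-EventField $_ 'ScriptBlockText' } } |
    Format-Table -AutoSize -Wrap
```

If the 4688 rows come back with an empty CommandLine column, the audit subcategory is on but the command-line policy is not yet effective; if there are no 4688 rows at all, the subcategory is off, which no amount of "Include command line" will fix. Both fields are worth feeding to the SIEM: command lines carry credentials and LOLBin arguments, which is why this logging is a common prerequisite for detection rules.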
Setting name: Limits print driver installation to Administrators
Description: This policy setting controls whether users that aren’t Administrators can install print drivers on the system.
CIS Recommend: Enabled
Experts Recommend: 2012 – 2022: Enabled
Setting name: Configure DNS over HTTPS (DoH) name resolution
Description: This setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS).
CIS Recommend: Enabled
Experts Recommend: 2012 – 2022: 'Enabled: Allow DoH'
Setting name: Allow Print Spooler to accept client connections
Description: This policy setting controls whether the Print Spooler service will accept client connections.
CIS Recommend: Disabled
Experts Recommend: Print server: Not defined
MS 2012R2 – 2022: Disabled
Note: The Print Spooler service must be restarted for changes to this policy to take effect.
Setting name: Point and Print Restrictions: When installing drivers for a new connection
Description: This policy setting controls whether computers will show a warning and a security elevation prompt when users create a new printer connection using Point and Print.
CIS Recommend: Enabled
Experts Recommend: 2012R2 – 2022: 'Enabled: Show warning and elevation prompt'
Setting name: Point and Print Restrictions: When updating drivers for an existing connection
Description: This policy setting controls whether computers will show a warning and a security elevation prompt when users are updating drivers for an existing connection using Point and Print.
CIS Recommend: Enabled
Experts Recommend: 2012R2 – 2022: 'Enabled: Show warning and elevation prompt'
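The following is an added example, not code from CIS or CalCom, serving the Print Spooler entry under System Services as well as "Allow Print Spooler to accept client connections", "Limits print driver installation to Administrators" and the two Point and Print Restrictions above: it audits all of them in one report, applies the print-server exception the page describes (the service and the client-connection policy stay "Not defined" there), and can optionally remediate. Assumptions: it runs elevated on Windows Server with the ServerManager module available; the registry value names (RegisterSpoolerRemoteRpcEndPoint, RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings) and their locations under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers are the ones the matching Group Policy settings write; the function name and its -Apply switch are ours.

```powershell
# Added example (not from the CIS benchmark or CalCom): audit and optionally
# remediate the Print Spooler hardening items. Assumes elevation and the
# value names listed in the lead-in.

function Test-PrintSpoolerHardening {
    [CmdletBinding()]
    param([switch]$Apply)

    # A print server keeps the Spooler and must accept client connections; the
    # page marks those two items "Not defined" for that role.
    $isPrintServer = [bool](Get-WindowsFeature -Name Print-Server -ErrorAction SilentlyContinue).Installed
    $svc = Get-Service -Name Spooler
    $results = @()

    $results += [pscustomobject]@{
        Item      = 'Print Spooler service'
        Expected  = if ($isPrintServer) { 'Not defined (print server role)' } else { 'Disabled' }
        Actual    = "$($svc.StartType) / $($svc.Status)"
        Compliant = $isPrintServer -or ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped')
    }

    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $policy = @(
        @{ Item = 'Allow Print Spooler to accept client connections (Disabled)'; Key = $printers;                 Name = 'RegisterSpoolerRemoteRpcEndPoint';          Want = 2; SkipOnPrintServer = $true  }
        @{ Item = 'Limits print driver installation to Administrators';          Key = "$printers\PointAndPrint"; Name = 'RestrictDriverInstallationToAdministrators'; Want = 1; SkipOnPrintServer = $false }
        @{ Item = 'Point and Print: new connection prompts';                     Key = "$printers\PointAndPrint"; Name = 'NoWarningNoElevationOnInstall';              Want = 0; SkipOnPrintServer = $false }
        @{ Item = 'Point and Print: driver update prompts';                      Key = "$printers\PointAndPrint"; Name = 'UpdatePromptSettings';                       Want = 0; SkipOnPrintServer = $false }
    )
    $changed = $false
    foreach ($p in $policy) {
        if ($isPrintServer -and $p.SkipOnPrintServer) { continue }
        $actual = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $results += [pscustomobject]@{ Item = $p.Item; Expected = $p.Want; Actual = $actual; Compliant = ($actual -eq $p.Want) }
        if ($Apply -and $actual -ne $p.Want) {
            if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
            Set-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Want -Type DWord
            $changed = $true
        }
    }

    if ($Apply -and -not $isPrintServer -and $svc.StartType -ne 'Disabled') {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    } elseif ($Apply -and $changed -and $svc.Status -eq 'Running') {
        # Spooler policy changes, including the RPC endpoint one, need a restart.
        Restart-Service -Name Spooler
    }
    return $results
}

Test-PrintSpoolerHardening | Format-Table -AutoSize -Wrap
# Test-PrintSpoolerHardening -Apply    # remediate after reviewing the report
```

A value of 0 for NoWarningNoElevationOnInstall and UpdatePromptSettings is the "Show warning and elevation prompt" choice; a non-zero value silently suppresses the prompt, which is the weak configuration. Note that the service check alone is not enough: a Spooler that is stopped but still set to Manual will be started on demand by the next print-related RPC call.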
Setting name: Prevent device metadata retrieval from the Internet
Description: This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.
CIS Recommend: Enabled
Experts Recommend: 2012 – 2022: Enabled (not on print servers)
Setting name: Configure validation of ROCA-vulnerable WHfB keys during authentication
Description: This policy setting allows you to configure how Domain Controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.
CIS Recommend: Enabled
Experts Recommend: 2012 – 2022 DC: 'Enabled: Audit'
Setting name: Turn off cloud consumer account state content
Description: This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences.
CIS Recommend: Enabled
Experts Recommend: 2016 – 2022: Enabled
Setting name: Disable OneSettings Downloads
Description: This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings.
CIS Recommend: Enabled
Experts Recommend: 2016-2022: Enabled
Setting name: Enable OneSettings Auditing
Description: This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Operational EventLog.
CIS Recommend: Enabled
Experts Recommend: 2016-2022: Enabled
Setting name: Limit Diagnostic Log Collection
Description: This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device.
CIS Recommend: Enabled
Experts Recommend: 2016-2022: Enabled
Setting name: Limit Dump Collection
Description: This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem.
CIS Recommend: Enabled
Experts Recommend: 2016-2022: Enabled
Setting name: Turn off Push To Install service
Description: This policy setting controls whether users can push Apps to the device from the Microsoft Store App running on other devices or the web.
CIS Recommend: Enabled
Experts Recommend: 2016-2022: Enabled
Setting name: Turn off Spotlight collection on Desktop
Description: This policy setting removes the Spotlight collection setting in Personalization, rendering the user unable to select and subsequently download daily images from Microsoft to the system desktop.
CIS Recommend: Enabled
Experts Recommend: 2016-2022: Enabled
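The following is an added example, not code from CIS or CalCom: a table-driven drift check for the Windows Components policies above that Group Policy stores as registry values, covering DoH, device metadata retrieval, Allow Diagnostic Data, cloud consumer account state content, the two OneSettings items, diagnostic log and dump limits, Push To Install and the Spotlight collection. It reports "Not configured" (key or value absent) separately from a wrong value, because an absent policy means the OS default applies, which is not the same as Enabled. Assumptions: the value names and locations are the ones the matching ADMX policies write; DoHPolicy 2 is "Allow DoH" and 3 is "Require DoH"; AllowTelemetry 0 or 1 corresponds to "Diagnostic data off" or "Send required diagnostic data"; the Spotlight setting is a User Configuration policy and is therefore read from HKCU for the current user; the function name is ours.

```powershell
# Added example (not from the CIS benchmark or CalCom): drift report for the
# registry-backed Windows Components policies above. Assumes the value names,
# locations and allowed values listed in the lead-in.

$checks = @(
    @{ Setting = 'Configure DNS over HTTPS (Allow DoH)';              Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';     Name = 'DoHPolicy';                           Allowed = @(2, 3) }
    @{ Setting = 'Prevent device metadata retrieval from the Internet'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'; Name = 'PreventDeviceMetadataFromNetwork';   Allowed = @(1) }
    @{ Setting = 'Allow Diagnostic Data (off or required only)';      Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';  Name = 'AllowTelemetry';                      Allowed = @(0, 1) }
    @{ Setting = 'Disable OneSettings Downloads';                     Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';  Name = 'DisableOneSettingsDownloads';         Allowed = @(1) }
    @{ Setting = 'Enable OneSettings Auditing';                       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';  Name = 'EnableOneSettingsAuditing';           Allowed = @(1) }
    @{ Setting = 'Limit Diagnostic Log Collection';                   Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';  Name = 'LimitDiagnosticLogCollection';        Allowed = @(1) }
    @{ Setting = 'Limit Dump Collection';                             Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';  Name = 'LimitDumpCollection';                 Allowed = @(1) }
    @{ Setting = 'Turn off cloud consumer account state content';     Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent';    Name = 'DisableConsumerAccountStateContent';  Allowed = @(1) }
    @{ Setting = 'Turn off Push To Install service';                  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall';           Name = 'DisablePushToInstall';                Allowed = @(1) }
    @{ Setting = 'Turn off Spotlight collection on Desktop (user)';   Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent';    Name = 'DisableSpotlightCollectionOnDesktop'; Allowed = @(1) }
)

function Get-PolicyDrift {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $state = if ($null -eq $value)              { 'Not configured' }
                 elseif ($c.Allowed -contains $value) { 'Compliant' }
                 else                               { 'Mismatch' }
        [pscustomobject]@{
            Setting = $c.Setting
            Scope   = $c.Key.Substring(0, 4)   # HKLM (machine) or HKCU (current user)
            Value   = $value
            State   = $state
        }
    }
}

$report = Get-PolicyDrift -Checks $checks
$report | Format-Table -AutoSize -Wrap

$drift = $report | Where-Object State -ne 'Compliant'
if ($drift) { Write-Warning ("{0} of {1} settings are not compliant" -f $drift.Count, $report.Count) }
```

Run this from a scheduled task or a configuration-management agent and alert on the warning. Reading HKCU only tells you about the user running the script; to audit the Spotlight policy for every profile, load each user's hive or check the Group Policy result (gpresult /scope user) for that account instead.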