Table of contents


The Center for Internet Security (CIS) team continuously release updates about cybersecurity best practices for new technologies. As of March 2023 all CIS Windows Server and Windows Workstation Benchmarks will be updated once a year to align with Microsoft's update schedule. Major version updates that CIS will release (i.e., updating from v1.12.0 to v2.0.0) will account for significant changes in the operating system. In this article we will discuss:

 

 

Brief Explanation of Microsoft Windows Server 2019 Benchmark v2.0.0

 

In CIS Microsoft Windows Server 2019 Benchmark v2.0.0 there are over 1000 pages and refers to a set of CIS hardening guidelines and standards developed by Microsoft to assess the security and performance of the Windows Server 2019 operating system. It provides a framework for organizations to evaluate the configuration and operation of their Windows Server 2019 environment to ensure compliance with industry best practices and security requirements.

 

The benchmark typically includes a comprehensive list of security controls, system settings, and configuration recommendations that should be implemented to enhance the security posture of Windows Server 2019. These recommendations cover various aspects of the operating system, including user authentication, network security, system hardening, access controls, auditing, and more.

 

Performing a Windows Benchmark Assessment

 

A benchmark Windows assessment is a process of evaluating the performance, capabilities, or compliance of a system, product, or process against a predefined set of standards or benchmarks. It involves comparing the performance or characteristics of the subject being assessed to established reference points or industry best practices. The purpose of a benchmark assessment can vary depending on the specific context, but it typically aims to:

 

Measure Performance: Benchmark assessments help determine how well a system, product, or process performs compared to established benchmarks. This allows organizations to identify areas of improvement and set performance goals.

 

Ensure Compliance: Benchmark assessments are often used to verify if a system or process meets certain regulatory or industry standards. They help organizations ensure that they are operating in accordance with legal requirements or industry best practices.

 

Identify Weaknesses and Gaps: By conducting benchmark assessments, organizations can identify weaknesses, vulnerabilities, or inefficiencies in their systems or processes. This helps in prioritizing improvements and implementing corrective actions.

 

Facilitate Decision Making: Benchmark assessments provide objective data and insights that can inform decision-making processes. They help organizations make informed choices about technology investments, process improvements, resource allocation, and other strategic decisions.

 

Organizations use a cross platform benchmark to assess their Windows Server 2019 configurations, comparing them to prescribed standards. This entails reviewing settings, applying updates, implementing security controls, and conducting audits for ongoing system performance and compliance. The assessment results guide action plans for addressing gaps and enhancing performance or compliance.

 

CIS Benchmark list

 

On the CIS website CIS-CAT Pro is their benchmark software and you will also find a CIS Benchmark list that identifies 8 categories the Benchmarks can be categorized in for ease of use. Those categories are:

  1. Cloud Providers
  2. Desktop Software
  3. DevSecOps Tools
  4. Mobile Devices
  5. Multi Function Print Devices
  6. Network Devices
  7. Operating Systems
  8. Server Software

 

Benchmarks are compiled on an individual basis to facilitate the identification of specific software, device types, and operating systems for optimal utilization, subsequently being segregated into distinct versions

 

CIS Hardened Images for Windows Server 2019

 

After the new CIS Benchmark for Windows Server 2019 is released, CIS begin working on Hardened Image for the same technology. CIS Hardened Images are virtual machine images preconfigured to the security recommendations found in the CIS Benchmarks. They are an "actualization" of the CIS Benchmark for the cloud.

 

The CIS Hardened Image for Windows Server 2019 is available in the AWS Marketplace, Microsoft Azure Marketplace, and Google Cloud Platform Marketplace.

 

Microsoft Windows Server 2019 Benchmark Profile Applicability

 

The Microsoft Windows Server 2019 Benchmark Profile Applicability refers to the assessment of how applicable a specific benchmark profile is to the Windows Server 2019 operating system. In the context of benchmarking, a benchmark profile is a set of criteria, tests, and configurations designed to evaluate the performance, security, or other aspects of a software or hardware system.

 

Below is the CIS Microsoft Windows Server 2019 Benchmark Profile Applicability:

CIS Microsoft Windows Server 2019 Benchmark – Level 1

 

The following configuration profiles are defined by this Benchmark:

Level 1 – Domain Controller

Items in this profile apply to Domain Controllers and intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

 Level 1 – Member Server

Items in this profile apply to Member Servers and intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable mean

Items in this profile also apply to Member Servers that have the following Roles

enabled:

  • AD Certificate Services
  • DHCP Server
  • DNS Server
  • File Server
  • Hyper-V
  • Network Policy and Access Services
  • Print Server
  • Remote Access Services
  • Remote Desktop Services
  • Web Server

 

CIS Microsoft Windows Server 2019 Benchmark – Level 2

Level 2 – Domain Controller

This profile extends the “Level 1 – Domain Controller” profile. Items in this profile

exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount
  • acts as defense in depth measure
  • may negatively inhibit the utility or performance of the technology

Level 2 – Member Server

This profile extends the “Level 1 – Member Server” profile. Items in this profile

exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount
  • acts as defense in depth measure
  • may negatively inhibit the utility or performance of the technology

 

Next Generation Windows Security – Domain Controller

This profile contains advanced Windows security features that have specific configuration dependencies, and may not be compatible with all systems. It therefore requires special attention to detail and testing before implementation. If your environment supports these features, they are highly recommended as they have tangible security benefits. This profile is intended to be an optional “add-on” to the Level 1 or Level 2 profiles.

 

Next Generation Windows Security – Member Server

This profile contains advanced Windows security features that have specific configuration dependencies, and may not be compatible with all systems. It therefore requires special attention to detail and testing before implementation. If your environment supports these features, they are highly recommended as they have tangible security benefits. This profile is intended to be an optional “add-on” to the Level 1 or Level 2 profiles.

 

How to harden Windows Server 2019

 

Many CIS benchmarks, such as the Windows Server 2019 benchmark, span over 1,000 pages, containing various recommendations. Machine learning aids in tracking and approving configuration updates via a workflow to ensure compliance, support audits, and incident response.

 

Achieving real world compliance requires tight cooperation between operations and security teams, with the challenge of balancing server uptime and compliance being paramount.

 

CalCom Hardening Automation Suite (CHS) is an automation platform that enhances infrastructure security and compliance while minimizing operational costs. CHS maintains a hardened and secure posture for servers, ensuring availability and significantly reducing time spent by security operations administrators. You can watch our webinar on: Windows 2019 hardening webinar: Ensuring CIS compliance while avoiding production outages

 

CIS Microsoft Windows Server 2019 Benchmark v2.0.0 updates

 

The most recent CIS Microsoft Windows Server 2019 Benchmark v2.0.0 has been updated from the v1.3.0. Here are the following benchmark updates:

 

REMOVE – 18.5.4 (L1) Ensure ‘Configure DNS over

HTTPS (DoH) name resolution’ is set to ‘Enabled: Allow

DoH’ or higher

 

UPDATE – 18.9.89 ‘Allow Windows Ink Workspace’ TO

‘Enabled: On, but disallow access above lock’ OR

‘Enabled: Disabled’

 

UPDATE – Section changes from Windows 11 Release

22H2 Administrative Templates

 

UPDATE - 18.10.87 (L1) ‘Turn on PowerShell

Transcription’ is set to ‘Disabled’ TO ‘Enabled’

 

ADD – 1.2 (L1) Ensure ‘Allow Administrator account

lockout’ is set to ‘Enabled’

 

REMOVE – 2.3.1 (L1) Ensure ‘Accounts: Administrator

account status’ is set to ‘Disabled’

 

ADD – 18.4 (L1) Ensure ‘Configure RPC packet level

privacy setting for incoming connections’ is set to

‘Enabled’

 

MOVE – 18.4 (L1) Ensure ‘Limits print driver installation

to Administrators’ is set to ‘Enabled’ TO 18.7

 

ADD – 18.4 (L1) Ensure ‘LSA Protection’ is set to

‘Enabled’

 

ADD – 18.6.4 (L1) Ensure ‘Configure NetBIOS settings’ is

set to ‘Enabled: Disable NetBIOS name resolution on

public networks’

 

ADD – 18.7 (L1) Ensure ‘Configure Redirection Guard’ is

set to ‘Enabled: Redirection Guard Enabled’

 

ADD – 18.7 (L1) Ensure ‘Configure RPC connection

settings: Protocol to use for outgoing RPC connections’

is set to ‘Enabled: RPC over TCP’

 

ADD – 18.7 (L1) Ensure ‘Configure RPC connection

settings: Use authentication for outgoing RPC

connections’ is set to ‘Enabled: Default’

 

ADD – 18.7 (L1) Ensure ‘Configure RPC listener settings:

Protocols to allow for incoming RPC connections’ is set

to ‘Enabled: RPC over TCP’

 

ADD – 18.7 (L1) Ensure ‘Configure RPC listener settings:

Authentication protocol to use for incoming RPC

connections’ is set to ‘Enabled: Negotiate’ or higher

 

ADD – 18.7 (L1) Ensure ‘Manage processing of Queue-specific files’ is set to ‘Enabled: Limit Queue-specific files

to Color profiles’

 

ADD – 18.10.17 (L1) Ensure ‘Enable App Installer’ is set

to ‘Disabled’

 

ADD – 18.10.17 (L1) Ensure ‘Enable App Installer

Experimental Features’ is set to ‘Disabled’

 

ADD – 18.10.17 (L1) Ensure ‘Enable App Installer Hash

Override’ is set to ‘Disabled’

 

ADD – 18.10.17 (L1) Ensure ‘Enable App Installer msappinstaller protocol’ is set to ‘Disabled’

 

UPDATE – 18.10.43.6.1 (L1) Ensure ‘Configure Attack

Surface Reduction rules’ with additional ASR rule for

“Block abuse of exploited vulnerable signed drivers”

 

ADD – 18.10.59 (L2) Ensure ‘Allow search highlights’ is

set to ‘Disabled’

 

ADD – 18.7 (L1) Ensure ‘Configure RPC over TCP port’ is

set to ‘Enabled: 0’

Subscribe to Email Updates

You might be interested

AutoAdminLogon
April 1, 2024
AutoAdminLogon, worth the extra risk?
Windows SAM & AD SAM Security
March 29, 2024
Windows SAM & AD SAM Security – Essential Guide 2023
Kerberos v5 authentication
March 29, 2024
Kerberos v5 Authentication