BigFix Compliance: Updated CIS Checklist for Microsoft Windows Server 2016, published 2020-06-01

Product:
BigFix Compliance

Title:
Updated CIS Checklist for Windows Server 2016 with bug fixes.

Security Benchmark:
CIS Microsoft Windows Server 2016 Benchmark, v1.1.0

Published Sites:
CIS Checklist for Windows 2016 DC, site version 7
CIS Checklist for Windows 2016 MS, site version 7
(The site version is provided for air-gap customers.)

Details:
Fixed and improved the implementation of the following DC and MS checks:

  • (L1) Ensure ‘Enable screen saver’ is set to ‘Enabled’
  • (L1) Ensure ‘Force specific screen saver: Screen saver executable name’ is set to ‘Enabled: scrnsave.scr’
  • (L1) Ensure ‘Password protect the screen saver’ is set to ‘Enabled’
  • (L1) Ensure ‘Screen saver timeout’ is set to ‘Enabled: 900 seconds or fewer, but not 0’
  • (L1) Ensure ‘Turn off toast notifications on the lock screen’ is set to ‘Enabled’
  • (L1) Ensure ‘Do not preserve zone information in file attachments’ is set to ‘Disabled’
  • (L1) Ensure ‘Notify antivirus programs when opening attachments’ is set to ‘Enabled’
  • (L1) Ensure ‘Configure Windows spotlight on lock screen’ is set to ‘Disabled’
  • (L1) Ensure ‘Do not suggest third-party content in Windows spotlight’ is set to ‘Enabled’
  • (L1) Ensure ‘Prevent users from sharing files within their profile.’ is set to ‘Enabled’
  • (L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
  • (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’
  • (L2) Ensure ‘Turn off all Windows spotlight features’ is set to ‘Enabled’
  • (L2) Ensure ‘Do not use diagnostic data for tailored experiences’ is set to ‘Enabled’

Actions to take:

More information:
To learn more about the BigFix Compliance SCM checklists, please see the following resources:

We hope you find this latest release of SCM content useful and effective. Thank you!

– The BigFix Compliance team