Product:
BigFix Compliance
Title:
Updated CIS Checklist for Windows 2025.
Security Benchmark:
CIS Microsoft Windows Server 2025 Benchmark, V2.0.0
Published Sites:
CIS Checklist for Windows 2025 DC, site version 5.
CIS Checklist for Windows 2025 MS, site version 7.
(The site version is provided for air-gap customers.)
Details: CIS Checklist for Windows 2022 MS
● Total New Fixlets: 8
● Total Updated Fixlets:16
● Total Deleted Fixlets: 17
● Total Fixlets in Site: 421
ADDED
● Ensure 'Disable HTTP proxy features: Disable proxy authentication' is set to 'Enabled: Disable authentication over loopback interfaces'
● Ensure 'Disable HTTP proxy features: Disable WPAD' is set to 'Enabled: Checked'
● Ensure 'Require IPPS for IPP printers' is set to 'Enabled'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow invalid certificate authority' is set to 'Enabled: Checked'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow invalid certificate common name' is set to 'Enabled: Checked'
● 18.7 Ensure 'Set TLS/SSL security policy for IPP printers: Disallow invalid certificate date' is set to 'Enabled: Checked'
● Ensure 'Set TLS/SSL security policy for IPP printers: Disallow non-server certificates' is set to 'Enabled: Checked'
● Ensure 'Enable / disable CLFS logfile authentication' is set to 'Enabled'
UPDATED
· (L1) Ensure 'Prevent device metadata retrieval from the Internet'
· (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and
· Failure' TO 'Success'
· Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
· Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' TO
· L1->L2
· Ensure 'Limit Dump Collection' is set to 'Enabled' TO L1->L2
· (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' TO 'L2->L1'
· and 'Disabled->Enabled'
· (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' TO include Passphrases
· Ensure 'Post-authentication actions: Actions' is set to 'Enabled:
· Reset the password and logoff the managed account' or higher
· Ensure 'Configure validation of ROCA-vulnerable WHfB keys during
· authentication' is set to 'Enabled: Audit' or higher (DC only) TO 'Block'
· (L1) Ensure 'Impersonate a client after authentication' is set to
· 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only) TO include RESTRICTED SERVICES\PrintSpoolerService
· Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' TO include RESTRICTED SERVICES\PrintSpoolerService
· (L1) Ensure 'Network access: Allow anonymous SID/Name translation'
· is set to 'Disabled'
· Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is
· set to 'Disabled'
· Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' TO is configured
· \ Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' TO is configured
· Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' TO is configured
● DELETED
● (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
● (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
● (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
● Ensure 'Turn on Basic feed authentication over HTTP' is set to'Disabled'
● (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'
● (L1) Ensure 'WDigest Authentication' is set to 'Disabled'
● Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'
● (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
● (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
● Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'
● (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'
● (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
● (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
● Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)
● (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
● (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
● (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'
● Both analysis and remediation checks are included
● Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
Actions to take:
● To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product, and you must be using BigFix version 11.0.3 and later.
● If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see Using the Synchronize Custom Checks wizard
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
● BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
● BigFix Compliance SCM Checklists:
Welcome to Wikis
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team.