Product:
BigFix Compliance
Title:
Updated CIS Checklist for Windows Server 2019 to support a more recent version of the benchmark.
Security Benchmark:
CIS Microsoft Windows Server 2019 Benchmark, V4.0.0
Published Sites:
CIS Checklist for Windows Server 2019 DC, site version 26
CIS Checklist for Windows Server 2019 MS, site version 22
(The site version is provided for air-gap customers.)
Details: CIS Checklist for Windows Server 2019 DC
Total New Fixlets: 22
Total Updated Fixlets: 23
Total Deleted Fixlets: 3
Total Fixlets in Site: 402
Details: CIS Checklist for Windows Server 2019 MS
Total New Fixlets: 22
Total Updated Fixlets: 23
Total Deleted Fixlets: 3
Total Fixlets in Site: 408
ADDED
(L1) Ensure ‘Turn on Basic feed authentication over HTTP’ is set to ‘Disabled’
(L1) Ensure ‘Configure multicast DNS (mDNS) protocol’ is set to ‘Disabled’
(L2) Ensure ‘Turn off default IPv6 DNS Servers’ is set to ‘Enabled’
(L1) Ensure ‘Enable App Installer Local Archive Malware Scan Override’ is set to ‘Disabled’
(L1) Ensure ‘Enable App Installer Microsoft Store Source Certificate Validation Bypass’ is set to ‘Disabled’
(L2) Ensure ‘Enable Windows Package Manager command line interfaces’ is set to ‘Disabled’
(L1) Ensure ‘Do not apply the Mark of the Web tag to files copied from insecure sources’ is set to ‘Disabled’
(L1) Ensure ‘Control whether exclusions are visible to local users’ is set to ‘Enabled’
(L1) Ensure ‘Enable EDR in block mode’ is set to ‘Enabled’
(L2) Ensure ‘Convert warn verdict to block’ is set to ‘Enabled’
(L1) Ensure ‘Configure real-time protection and Security Intelligence Updates during OOBE’ is set to ‘Enabled’
(L2) Ensure ‘Configure Brute-Force Protection aggressiveness’ is set to ‘Enabled: Medium’ or higher
(L1) Ensure ‘Configure Remote Encryption Protection Mode’ is set to ‘Enabled: Audit’ or higher
(L2) Ensure ‘Configure how aggressively Remote Encryption Protection blocks threats’ is set to ‘Enabled: Medium’ or higher
(L1) Ensure ‘Scan excluded files and directories during quick scans’ is set to ‘Enabled: 1’
(L1) Ensure ‘Trigger a quick scan after X days without any scans’ is set to ‘Enabled: 7’
(NG) Ensure ‘Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity’ is set to ‘Enabled with UEFI lock’
(NG) Ensure ‘Turn On Virtualization Based Security: Select Platform Security Level’ is set to ‘Secure Boot’ or higher
(NG) Ensure ‘Turn On Virtualization Based Security: Secure Launch Configuration’ is set to ‘Enabled’
(NG) Ensure ‘Turn On Virtualization Based Security: Require UEFI Memory Attributes Table’ is set to ‘True (checked)’
(NG) Ensure ‘Turn On Virtualization Based Security: Credential Guard Configuration’ is set to ‘Disabled’ (DC Only)
(NG) Ensure ‘Turn On Virtualization Based Security: Credential Guard Configuration’ is set to ‘Enabled with UEFI lock’ (MS Only)
(NG) Ensure ‘Turn On Virtualization Based Security’ is set to ‘Enabled’
UPDATED
(L1) Ensure ‘Enable Certificate Padding’ is set to ‘Enabled’
(L1 → L2) Ensure ‘Enable App Installer’ is set to ‘Disabled’
(L1) Ensure ‘Configure Attack Surface Reduction rules: Set the state for each ASR rule’ is configured
(L1) Ensure ‘Network access: Remotely accessible registry paths and sub-paths’ is configured
(L1) Ensure ‘Network access: Remotely accessible registry paths’ is configured
(L1) Ensure ‘Network access: Named Pipes that can be accessed anonymously’ is configured (DC only)
(L1) Ensure ‘Network access: Named Pipes that can be accessed anonymously’ is configured (MS only)
(L1) Ensure ‘Replace a process level token’ is set to ‘LOCAL SERVICE, NETWORK SERVICE’
(L1) Ensure ‘Adjust memory quotas for a process’ is set to ‘Administrators, LOCAL SERVICE, NETWORK SERVICE’
(L1) Ensure ‘Generate security audits’ is set to ‘LOCAL SERVICE, NETWORK SERVICE’
(L1) Ensure ‘Turn off toast notifications on the lock screen’ is set to ‘Enabled’
(L2) Ensure ‘Turn off Help Experience Improvement Program’ is set to ‘Enabled’
(L1) Ensure ‘Do not preserve zone information in file attachments’ is set to ‘Disabled’
(L1) Ensure ‘Notify antivirus programs when opening attachments’ is set to ‘Enabled’
(L1) Ensure ‘Configure Windows spotlight on lock screen’ is set to ‘Disabled’
(L1) Ensure ‘Do not suggest third-party content in Windows spotlight’ is set to ‘Enabled’
(L2) Ensure ‘Do not use diagnostic data for tailored experiences’ is set to ‘Enabled’
(L2) Ensure ‘Turn off all Windows spotlight features’ is set to ‘Enabled’
(L1) Ensure ‘Turn off Spotlight collection on Desktop’ is set to ‘Enabled’
(L1) Ensure ‘Prevent users from sharing files within their profile.’ is set to ‘Enabled’
(L1) Ensure ‘Always install with elevated privileges’ is set to ‘Disabled’
(L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’
(L1) Ensure ‘Enable password encryption’ is set to ‘Enabled’
DELETED
(L1) Ensure ‘Toggle user control over Insider builds’ is set to ‘Disabled’
(L1) Ensure ‘Accounts: Block Microsoft accounts’ is set to ‘Users can’t add or log on with Microsoft accounts’
(L1) Ensure ‘Turn off Microsoft Defender AntiVirus’ is set to ‘Disabled’
Both analysis and remediation checks are included.
Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
Actions to take:
To subscribe to the above sites, you can use the License Overview Dashboard to enable and gather each site. Note that you must be entitled to the BigFix Compliance product, and you must be using BigFix version 10 or later.
If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team