CIS Deployment and Rollback

We’re currently exploring using the CIS checklist for Windows provided by BigFix. We have a mix of domain joined and non-domain joined devices so these would definitely help bring everyone in compliance.

I’ve never deployed CIS for Windows or through BigFix. I was hoping someone experienced with this could share their best practices. Also, do fixlets that can undo some of these changes exist? What is best practice if a control needs to be undone/rolled back?

Thanks!

As per my understanding, for Linux/Unix the check itself creates a rollback; just check any Linux/Unix compliance remediation task and you will get the path. For Windows there is no such thing; you have to create them.

1st, always create custom compliance checklists.

2nd, always test any compliance check before pushing to production. We and other colleagues have faced many issues when it is not tested. You are not going to run them one by one; it will be a bundle of them, so it should be tested because it will create a mess.

3rd, a rollback is a must and has to be created before pushing to any machines to mitigate the compliance. Believe me, we have deployed approx. 250 checks which somehow blocked the VPN, disconnected share drives, etc. Now think of troubleshooting to identify which one could have done it and rolling it back.

  1. Create a custom client setting for exemptions and set it within the applicability criteria of your custom site to control any exemption requests.

  2. If you have very big infra, let's say nearly or more than 100k endpoints, always double-check what the compliance analyses are fetching because it will affect overall BigFix performance. And if possible disable all analyses (used for measuring the existing values) and just figure out your compliance percentage based on applicable compliance checks.

  3. Import should be kept to one time a day during non-peak working hours because this will also affect overall BigFix performance.

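As an added example (not from this thread and not BigFix's own code), here is the kind of rollback record the answer above says Windows controls lack: before a remediation writes a registry-backed setting, the existing value (or its absence) is captured into a manifest, and a second function unwinds every recorded change in reverse order. The registry path, value name and manifest location are constructed placeholders, not a real CIS control.

```powershell
# Added example (not BigFix code): snapshot a registry-backed setting before
# remediation so the change can be rolled back. Path, value name and manifest
# location are constructed placeholders, not a real CIS control.
$ManifestPath = 'C:\ProgramData\CISRollback\manifest.json'

function Save-RollbackRecord {
    param([string]$Path, [string]$Name, $NewValue, [string]$Type = 'DWord')
    # Read the current value; $null means the value (or key) did not exist
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $record = [ordered]@{
        Path     = $Path
        Name     = $Name
        Existed  = ($null -ne $existing)
        OldValue = if ($existing) { $existing.$Name } else { $null }
        Type     = $Type
        Applied  = (Get-Date).ToString('o')
    }
    $records = @()
    if (Test-Path $ManifestPath) {
        $records = @(Get-Content $ManifestPath -Raw | ConvertFrom-Json)
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $ManifestPath) | Out-Null
    ($records + [pscustomobject]$record) | ConvertTo-Json -Depth 4 | Set-Content $ManifestPath
    # Apply the remediation only after the old value is safely recorded
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $NewValue -Type $Type
}

function Undo-RollbackRecords {
    # Restore in reverse order so overlapping changes unwind correctly
    $records = @(Get-Content $ManifestPath -Raw | ConvertFrom-Json)
    [array]::Reverse($records)
    foreach ($r in $records) {
        if ($r.Existed) {
            Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.OldValue -Type $r.Type
        } else {
            # Value did not exist before remediation: remove it rather than invent a default
            Remove-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
        }
    }
}

# Constructed placeholder control, not a real CIS setting
Save-RollbackRecord -Path 'HKLM:\SOFTWARE\ExampleOrg\Hardening' -Name 'ExampleSetting' -NewValue 1
# Undo-RollbackRecords   # package this as the rollback action to revert every recorded change
```

Running the same pattern inside each remediation action keeps a per-endpoint manifest, so when a bundle of checks breaks something the manifest shows exactly which values changed and in what order.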