Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v1.4.0

The Compliance Enforcement Module (CEM) for Windows v1.3.0 introduces enforcement for Center for Internet Security (CIS) Microsoft Windows Server 2016 Benchmark v1.4.0. The transition from the previous CIS Benchmark, v1.3.0, to the new benchmark resulted in module updates.

  • Added
    • The following CIS controls are added in this release:
      • Control 5.2, Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only). This control setting disables the print spooler service by default and thus helps to prevent security vulnerabilities.
      • Control 18.3.5, (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled.' This control setting helps to ensure that only administrators can install printer drivers and thus reduces security risks.
      • Control 18.5.4.1, (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher. This control helps to protect against Domain Name System (DNS) spoofing and thus can help to prevent man-in-the-middle (MITM) attacks.
      • Control 18.6.2, (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt.' This policy setting ensures that a warning is displayed when users create a printer connection by using point-and-print functionality.
      • Control 18.6.3, Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt.' This policy setting controls whether a warning is displayed when users update a printer driver for a connection that uses point-and-print functionality. Warnings help to guard against security vulnerabilities.
      • Control 18.8.7.2, (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled.' The impact of this control is that users without administrator privileges cannot install third-party software for peripheral devices. Instead, authorized system administrators install approved software.
      • Control 18.9.14.1, (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled.' This control is designed to prevent data leakage by ensuring that state information related to cloud consumer accounts is not available in an enterprise-managed environment.
      • Control 18.9.17.1, (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data.' This policy setting controls the amount of diagnostic data reported to Microsoft. The default setting ensures that only minimal data is reported to help keep Microsoft Windows current, secure, and operational.
      • Control 18.9.17.3, (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled.' This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings. Because transmission of data to a third-party vendor can present a security risk, the control disables these downloads.
      • Control 18.9.17.5, (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled.' This policy setting helps to ensure that the Windows operating system keeps a log of attempts to connect with the OneSettings service. The logs can be useful for troubleshooting and to help prevent unauthorized access to the system.
      • Control 18.9.17.6, (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled.' This policy setting helps to protect security by ensuring that additional diagnostic logs and information about crash dumps are not sent to Microsoft.
      • Control 18.9.17.7, (L1) Ensure 'Limit Dump Collection' is set to 'Enabled.' This policy setting helps to reduce the risk of sending sensitive information to Microsoft.
      • Control 18.9.47.9.4, (L1) Ensure 'Turn on script scanning' is set to 'Enabled.' This policy setting helps to ensure that scripts are scanned before they are run on the system.
      • Control 18.9.108.4.1, (L1) Ensure 'Manage preview builds' is set to 'Disabled.' This policy setting helps to prevent the installation of preview builds, which are more likely to introduce defects and security vulnerabilities.
      • Control 18.9.108.4.2, (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days.' This policy setting helps to ensure that new preview builds and feature updates are received 180 or more days after their release by Microsoft. The purpose of the delay is to ensure that software defects have been detected and fixed.
      • Control 19.7.8.5, (L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled.' This policy setting helps to ensure that users cannot select 'Spotlight collection' as a personalization option. As a result, users cannot display and download daily images from Microsoft to the desktop.
  • Changed
    • The following CIS controls were updated with new expected values:
      • The expected value is changed for CIS Control 18.8.3.1, Ensure 'Include command line in process creation events' is set to 'Disabled.' The expected value is now Enabled. The control affects security audit events. When this setting is enabled, any user who has read access to security audit events can read the command-line arguments for any successfully created process.
      • A control was reintroduced with the following new number and new expected value: 18.9.100.1, (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled.' In previous releases, the same control had a different number (18.9.96.1) and the expected value was Disabled. The new policy setting helps to ensure that PowerShell script block logs are available and can be used when investigating attack incidents.
    • CIS Control 18.9.16.1, (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 – Basic,' was replaced by a control with the same number. The new control is (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled.' The change means that a password reveal button will not be available. When a user enters a password, the password will be hidden.
    • For some CIS Controls, only the numbers changed. Previous control numbers are listed first:
      • 18.3.5, (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended).' The new number is 18.3.6.
      • 18.3.6, Ensure 'WDigest Authentication' is set to 'Disabled.' The new number is 18.3.7.
      • 18.5.4.1, (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled.' The new number is 18.5.4.2.
      • 18.8.47.5.1, Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled.' The new number is 18.8.48.5.1.
      • 18.8.47.11.1, (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled.' The new number is 18.8.48.11.1.
      • 18.8.49.1, (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled.' The new number is 18.8.50.1.
      • 18.8.52.1.1, (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled.' The new number is 18.8.53.1.1.
      • 18.8.52.1.2, (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only). The new number is 18.8.53.1.2.
      • 18.9.13.1, (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled.' The new number is 18.9.14.2.
      • 18.9.14.1, (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always.' The new number is 18.9.15.1.
      • 18.9.15.2, (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled.' The new number is 18.9.16.2.
      • 18.9.16.2, (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage.' The new number is 18.9.17.2.
      • 18.9.16.3, (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled.' The new number is 18.9.17.4.
      • 18.9.16.4, (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled.' The new number is 18.9.17.8.
      • 18.9.26.1.1, (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled.' The new number is 18.9.27.1.1.
      • 18.9.26.1.2, (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater.' The new number is 18.9.27.1.2.
      • 18.9.26.2.1, (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled.' The new number is 18.9.27.2.1.
      • 18.9.26.2.2, (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater.' The new number is 18.9.27.2.2.
      • 18.9.26.3.1, (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled.' The new number is 18.9.27.3.1.
      • 18.9.26.3.2, (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater.' The new number is 18.9.27.3.2.
      • 18.9.26.4.1, (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled.' The new number is 18.9.27.4.1.
      • 18.9.26.4.2, (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater.' The new number is 18.9.27.4.2.
      • 18.9.30.2, (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled.' The new number is 18.9.31.2.
      • 18.9.30.3, (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled.' The new number is 18.9.31.3.
      • 18.9.30.4, (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled.' The new number is 18.9.31.4.
      • 18.9.39.1, (L2) Ensure 'Turn off location' is set to 'Enabled.' The new number is 18.9.41.1.
      • 18.9.43.1, (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled.' The new number is 18.9.45.1.
      • 18.9.44.1, (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled.' The new number is 18.9.46.1.
      • 18.9.45.3.1, (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled.' The new number is 18.9.47.4.1.
      • 18.9.45.3.2, (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled.' The new number is 18.9.47.4.2.
      • 18.9.45.4.3.1, (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block.' The new number is 18.9.47.5.3.1.
      • 18.9.45.5.1, (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled.' The new number is 18.9.47.6.1.
      • 18.9.45.8.1, (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled.' The new number is 18.9.47.9.1.
      • 18.9.45.8.2, (L1) Ensure 'Turn off real-time protection' is set to 'Disabled.' The new number is 18.9.47.9.2.
      • 18.9.45.8.3, (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled.' The new number is 18.9.47.9.3.
      • 18.9.45.10.1, (L2) Ensure 'Configure Watson events' is set to 'Disabled.' The new number is 18.9.47.11.1.
      • 18.9.45.11.1, (L1) Ensure 'Scan removable drives' is set to 'Enabled.' The new number is 18.9.47.12.1.
      • 18.9.45.11.2, (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled.' The new number is 18.9.47.12.2.
      • 18.9.45.14, (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block.' The new number is 18.9.47.15.
      • 18.9.45.15, (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled.' The new number is 18.9.47.16.
      • 18.9.56.1, (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled.' The new number is 18.9.58.1.
      • 18.9.62.1, (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled.' The new number is 18.9.64.1.
      • 18.9.63.2.2, (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled.' The new number is 18.9.65.2.2.
      • 18.9.63.3.2.1, (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled.' The new number is 18.9.65.3.2.1.
      • 18.9.63.3.3.1, (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled.' The new number is 18.9.65.3.3.1.
      • 18.9.63.3.3.2, (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled.' The new number is 18.9.65.3.3.2.
      • 18.9.63.3.3.3, (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled.' The new number is 18.9.65.3.3.3.
      • 18.9.63.3.3.4, (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled.' The new number is 18.9.65.3.3.4.
      • 18.9.63.3.9.1, (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled.' The new number is 18.9.65.3.9.1.
      • 18.9.63.3.9.2, (L1) Ensure 'Require secure RPC communication' is set to 'Enabled.' The new number is 18.9.65.3.9.2.
      • 18.9.63.3.9.3, (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL.' The new number is 18.9.65.3.9.3.
      • 18.9.63.3.9.4, (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled.' The new number is 18.9.65.3.9.4.
      • 18.9.63.3.9.5, (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level.' The new number is 18.9.65.3.9.5.
      • 18.9.63.3.10.1, (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0).' The new number is 18.9.65.3.10.1.
      • 18.9.63.3.10.2, (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute.' The new number is 18.9.65.3.10.2.
      • 18.9.63.3.11.1, (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled.' The new number is 18.9.65.3.11.1.
      • 18.9.63.3.11.2, (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled.' The new number is 18.9.65.3.11.2.
      • 18.9.64.1, (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled.' The new number is 18.9.66.1.
      • 18.9.65.2, (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search.' The new number is 18.9.67.2.
      • 18.9.65.3, (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled.' The new number is 18.9.67.3.
      • 18.9.70.1, (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled.' The new number is 18.9.72.1.
      • 18.9.81.1.1, (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass.' The new number is 18.9.85.1.1.
      • 18.9.85.1, (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled.' The new number is 18.9.89.1.
      • 18.9.85.2, (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On.' The new number is 18.9.89.2.
      • 18.9.86.1, (L1) Ensure 'Allow user control over installs' is set to 'Disabled.' The new number is 18.9.90.1.
      • 18.9.86.2, (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled.' The new number is 19.7.43.1.
      • 18.9.86.3, (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled.' The new number is 18.9.90.3.
      • 18.9.87.1, (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled.' The new number is 18.9.91.1.
      • 18.9.96.2, (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled.' The new number is 18.9.100.2.
      • 18.9.98.1.1, (L1) Ensure 'Allow Basic authentication' is set to 'Disabled.' The new number is 18.9.102.2.1.
      • 18.9.98.1.2, (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled.' The new number is 18.9.102.2.3.
      • 18.9.98.1.3, (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled.' The new number is 18.9.102.1.3.
      • 18.9.98.2.1, (L1) Ensure 'Allow Basic authentication' is set to 'Disabled.' The new number is 18.9.102.2.1.
      • 18.9.98.2.2, (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled.' The new number is 18.9.102.2.2.
      • 18.9.98.2.3, (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled.' The new number is 18.9.102.2.3.
      • 18.9.98.2.4, (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled.' The new number is 18.9.102.2.4.
      • 18.9.99.1, (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled.' The new number is 18.9.103.1.
      • 18.9.100.2.1, (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled.' The new number is 18.9.105.2.1.
      • 18.9.103.1.3, (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days.' The new number is 18.9.108.4.3.
      • 18.9.103.2, (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled.' The new number is 18.9.108.2.1.
      • 18.9.103.3, (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day.' The new number is 18.9.108.2.2.
      • 18.9.103.4, (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled.' The new number is 18.9.108.1.1.
      • 19.7.43.1, (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled.' The new number is 18.9.90.2.
  • Removed
    • The following CIS controls are no longer available:
      • Control 18.9.96.1 was removed and replaced by 18.9.100.1, (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled.'
      • Control 18.9.103.1.1 was deprecated and is now removed.
      • Control 18.9.103.1.2 was deprecated and is now removed.
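The following read-only audit script is an added example and is not part of these release notes or of the CEM module. It spot-checks a subset of the controls listed above on a Windows Server 2016 host: the added controls 5.2, 18.3.5, 18.5.4.1, 18.6.2, 18.6.3 and 18.9.47.9.4, and the changed controls 18.8.3.1, 18.9.16.1 and 18.9.100.1. The registry paths, value names and accepted values are the editor's assumptions about the Group Policy settings that back each control (the page itself gives only the policy titles and expected states), so confirm them against the benchmark before treating a result as authoritative. The two logging controls are worth attention from a detection standpoint: with 18.8.3.1 enabled, Security event 4688 carries the full command line, and with 18.9.100.1 enabled, PowerShell event 4104 records the executed script blocks.

```powershell
# Added example (not part of the release notes or the CEM module): read-only
# audit of a subset of the CIS WS2016 v1.4.0 controls listed above.
# Registry paths, value names and accepted values are assumptions about the
# Group Policy settings behind each control. Run elevated; nothing is written.

$Checks = @(
    @{ Control = '18.3.5';  Title = "Limits print driver installation to Administrators"
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Name = 'RestrictDriverInstallationToAdministrators'; Expected = '1'
       Pass = { param($v) $v -eq 1 } }
    @{ Control = '18.6.2';  Title = "Point and Print: installing drivers for a new connection"
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Name = 'NoWarningNoElevationOnInstall'; Expected = '0 (show warning and elevation prompt)'
       Pass = { param($v) $v -eq 0 } }
    @{ Control = '18.6.3';  Title = "Point and Print: updating drivers for an existing connection"
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Name = 'UpdatePromptSettings'; Expected = '0 (show warning and elevation prompt)'
       Pass = { param($v) $v -eq 0 } }
    @{ Control = '18.5.4.1'; Title = "Configure DNS over HTTPS (DoH) name resolution"
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'DoHPolicy'; Expected = '2 (Allow DoH) or 3 (Require DoH)'
       Pass = { param($v) $v -in 2, 3 } }
    @{ Control = '18.8.3.1'; Title = "Include command line in process creation events"
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = '1'
       Pass = { param($v) $v -eq 1 } }
    @{ Control = '18.9.16.1'; Title = "Do not display the password reveal button"
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'
       Name = 'DisablePasswordReveal'; Expected = '1'
       Pass = { param($v) $v -eq 1 } }
    @{ Control = '18.9.47.9.4'; Title = "Turn on script scanning"
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Name = 'DisableScriptScanning'; Expected = '0'
       Pass = { param($v) $v -eq 0 } }
    @{ Control = '18.9.100.1'; Title = "Turn on PowerShell Script Block Logging"
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name = 'EnableScriptBlockLogging'; Expected = '1'
       Pass = { param($v) $v -eq 1 } }
)

function Get-PolicyValue {
    # Returns the registry value, or $null when the key or value is absent.
    # An unconfigured policy is reported as FAIL rather than as an error.
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-CisControl {
    param([hashtable]$Check)
    $value = Get-PolicyValue -Path $Check.Path -Name $Check.Name
    $ok = ($null -ne $value) -and (& $Check.Pass $value)
    [pscustomobject]@{
        Control  = $Check.Control
        Title    = $Check.Title
        Expected = $Check.Expected
        Actual   = if ($null -eq $value) { '<not configured>' } else { "$value" }
        Result   = if ($ok) { 'PASS' } else { 'FAIL' }
    }
}

$results = @(foreach ($c in $Checks) { Test-CisControl -Check $c })

# Control 5.2 is a service state, not a registry policy. A stopped spooler is
# not enough; the StartType must be Disabled so it cannot be restarted.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control  = '5.2'
    Title    = "Print Spooler (Spooler) is Disabled (MS only)"
    Expected = 'StartType Disabled'
    Actual   = if ($null -eq $spooler) { '<service not present>' } else { "StartType $($spooler.StartType), Status $($spooler.Status)" }
    Result   = if ($spooler -and $spooler.StartType -eq 'Disabled') { 'PASS' } else { 'FAIL' }
}

$results | Sort-Object Control | Format-Table -AutoSize

# Exit code equals the number of failed controls, so a pipeline can gate on it.
$failed = @($results | Where-Object Result -eq 'FAIL').Count
exit $failed
```

The script deliberately treats a missing key or value as a failure: most of these policies are "Not Configured" on a fresh install, and the insecure default is exactly what the benchmark asks you to override. Member servers and domain controllers differ for the "(MS only)" control, so drop the 5.2 entry when auditing a DC.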