Control updates introduced for CIS Microsoft Windows Server 2016 Benchmark v2.0.0

The Compliance Enforcement Module (CEM) for Windows v1.5.0 introduces enforcement for the Center for Internet Security (CIS) Microsoft Windows Server 2016 Benchmark v2.0.0. The transition from the previous CIS Benchmark, v1.4.0, to the new benchmark resulted in the following module updates.

  • Added
    • The following CIS controls are added in this release:
      • 1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'
      • 18.4.2 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
      • 18.4.6 (L1) Ensure 'LSA Protection' is set to 'Enabled'
      • 18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
      • 18.7.2 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
      • 18.7.3 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
      • 18.7.4 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
      • 18.7.5 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
      • 18.7.6 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections' is set to 'Enabled: Negotiate' or higher
      • 18.7.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'
      • 18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
      • 18.9.47.5.1 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'
      • 18.10.59.4 (L2) Ensure 'Allow search highlights' is set to 'Disabled'
  • Changed
    • The following CIS controls were updated:
      • 18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' has a new number: 18.7.8.
      • 18.9.89 Ensure 'Allow Windows Ink Workspace' has new expected values: 'Enabled: On, but disallow access above lock' or 'Enabled: Disabled'.
  • Removed
    • The following CIS controls were removed:
      • 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'
      • 18.5.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher