Control updates introduced for CIS Microsoft Windows Server 2019 Benchmark v2.0.0

The Compliance Enforcement Module (CEM) for Windows v1.5.0 introduces enforcement for Center for Internet Security (CIS) Microsoft Windows Server 2019 Benchmark v2.0.0. The transition from the previous CIS Benchmark, v1.3.0, to the new benchmark resulted in the following module updates.

  • Added
    • The following CIS controls are added in this release:
      • 1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'
      • 18.4.2 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
      • 18.4.6 (L1) Ensure 'LSA Protection' is set to 'Enabled'
      • 18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
      • 18.7.4 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
      • 18.7.5 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
      • 18.7.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'
      • 18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
      • 18.10.17.1 (L1) Ensure 'Enable App Installer' is set to 'Disabled'
      • 18.10.17.2 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
      • 18.10.17.3 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
      • 18.10.17.4 (L1) Ensure 'Enable App Installer msappinstaller protocol' is set to 'Disabled'
  • Changed
    • The following CIS controls were updated:
      • 18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' has been renumbered to 18.7.8.
      • 18.9.89 'Allow Windows Ink Workspace' now has expected values of 'Enabled: On, but disallow access above lock' or 'Enabled: Disabled'.
      • 18.10.87 (L1) 'Turn on PowerShell Transcription' previously had an expected value of 'Disabled' and now has an expected value of 'Enabled'.
  • Removed
    • The following CIS controls were removed:
      • 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'
      • 18.5.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher