From 0560715a2a43360eda88c25d00449cf5813ac47d Mon Sep 17 00:00:00 2001
From: Jake Stenger
Date: Wed, 7 Jan 2026 10:00:40 -0800
Subject: [PATCH] Adding new Windows 11 Intune CIS benchmark policy import files (#37881)
https://github.com/fleetdm/fleet/issues/34684
---
ee/cis/win-11-intune/bl_win11_intune.yaml | 374 +
ee/cis/win-11-intune/l1_win11_intune.yaml | 10664 ++++++++++++++++++++
ee/cis/win-11-intune/l2_win11_intune.yaml | 946 ++
3 files changed, 11984 insertions(+)
create mode 100644 ee/cis/win-11-intune/bl_win11_intune.yaml
create mode 100644 ee/cis/win-11-intune/l1_win11_intune.yaml
create mode 100644 ee/cis/win-11-intune/l2_win11_intune.yaml
diff --git a/ee/cis/win-11-intune/bl_win11_intune.yaml b/ee/cis/win-11-intune/bl_win11_intune.yaml
new file mode 100644
index 0000000000..2999d0be41
--- /dev/null
+++ b/ee/cis/win-11-intune/bl_win11_intune.yaml
@@ -0,0 +1,374 @@ +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Device Enumeration Policy' is set to 'Block all (most restrictive)' + platform: windows + description: 'This policy is intended to provide additional security against external DMA-capable devices. It allows for more control over the enumeration of external DMA-capable devices that are not compatible with DMA Remapping/device memory isolation and sandboxing. The recommended state for this setting is: Block all (most restrictive). Note: This policy does not apply to 1394, PCMCIA or ExpressCard devices. The protection also only applies to Windows 10 R1803 or higher and requires a UEFI BIOS to function.' + resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Block all (most restrictive). Dma Guard\Device Enumeration Policy + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings\DeviceEnumerationPolicy' AND data = '0'; + tags: framework:CISv8.1, benchmark:win11, level:BL, platform:windows, category:dma-guard, requirement:standard, critical:false, control:device-enumeration-policy-is-block-all, cis_safeguard_ids:CIS28.1 + purpose: Enforcement +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' + platform: windows + description: 'This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. 
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. The recommended state for this setting is: Enabled.' + resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes + query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:prevent-enabling-lock-screen-slide-show-is-enabled, cis_safeguard_ids:CIS4.1.3.2 + description: 'Disables the lock screen slide show settings in PC Settings and prevents a slide show + + from playing on the lock screen. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\Control Panel\Personalization\Prevent enabling lock + + screen slide show' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:apply-uac-restrictions-to-local-accounts-on-network-logons-is-enabled, cis_safeguard_ids:CIS4.4.1 + description: 'This setting controls whether local accounts can be used for remote administration via + + network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk + + for credential theft when the same account and password is configured on multiple + + systems. Enabling this policy significantly reduces that risk. + + Enabled: Applies UAC token-filtering to local accounts on network logons. Membership + + in powerful group such as Administrators is disabled and powerful privileges are + + removed from the resulting access token. This configures the + + LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for + + Windows. + + Disabled: Allows local accounts to have full administrative rights when authenticating + + via network logon, by configuring the LocalAccountTokenFilterPolicy registry value + + to 1. + + For more information about local accounts and credential theft, review the "Mitigating + + Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" documents. + + For more information about LocalAccountTokenFilterPolicy, see Microsoft + + Knowledge Base article 951016: Description of User Account Control and remote + + restrictions in Windows Vista. + + The recommended state for this setting is: Enabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\MS Security Guide\Apply UAC restrictions to local + + accounts on network logons' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Configure SMB v1 client driver'' is set to ''Enabled: Disable driver (recommended)''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10\Start' AND data = '4'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:configure-smb-v1-client-driver-is-enabled-disable-driver-recommended, cis_safeguard_ids:CIS4.4.2 + description: 'This setting configures the start type for the Server Message Block version 1 (SMBv1) + + client driver service (MRxSmb10), which is recommended to be disabled. + + The recommended state for this setting is: Enabled: Disable driver + + (recommended). + + Note: Do not, under any circumstances, configure this overall setting as Disabled, as + + doing so will delete the underlying registry entry altogether, which will cause serious + + problems.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: Disable driver (recommended). 
+ + Administrative Templates\MS Security Guide\Configure SMB v1 client driver' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Configure SMB v1 server' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:configure-smb-v1-server-is-disabled, cis_safeguard_ids:CIS4.4.3 + description: 'This setting configures the server-side processing of the Server Message Block version + + 1 (SMBv1) protocol. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\MS Security Guide\Configure SMB v1 server' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-structured-exception-handling-overwrite-protection-sehop-is-enabled, cis_safeguard_ids:CIS4.4.4 + description: 'Windows includes support for Structured Exception Handling Overwrite Protection + + (SEHOP). We recommend enabling this feature to improve the security profile of the + + computer. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\MS Security Guide\Enable Structured Exception + + Handling Overwrite Protection (SEHOP) + + + More information is available at MSKB 956607: How to enable Structured Exception + + Handling Overwrite Protection (SEHOP) in Windows operating systems' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'WDigest Authentication' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:wdigest-authentication-is-disabled, cis_safeguard_ids:CIS4.4.5 + description: 'When WDigest authentication is enabled, Lsass.exe retains a copy of the user''s + + plaintext password in memory, where it can be at risk of theft. If this setting is not + + configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server + + 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. + + For more information about local accounts and credential theft, review the "Mitigating + + Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" documents. + + For more information about UseLogonCredential, see Microsoft Knowledge Base + + article 2871997: Microsoft Security Advisory Update to improve credentials protection + + and management May 13, 2014. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. 
+ + Administrative Templates\MS Security Guide\WDigest Authentication (disabling + + may require KB2871997)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)'' is set to ''Disabled''' + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon' AND data = '1'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-autoadminlogon-enable-automatic-logon-not-recommended-is-disabled, cis_safeguard_ids:CIS4.5.1 + description: 'This setting is separate from the Welcome screen feature in Windows XP and Windows + + Vista; if that feature is disabled, this setting is not disabled. If you configure a computer + + for automatic logon, anyone who can physically gain access to the computer can also + + gain access to everything that is on the computer, including any network or networks to + + which the computer is connected. Also, if you enable automatic logon, the password is + + stored in the registry in plaintext, and the specific registry key that stores this value is + + remotely readable by the Authenticated Users group. + + For additional information, see Microsoft Knowledge Base article 324737: How to turn + + on automatic logon in Windows. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to `Disabled. 
+ + Administrative Templates\MSS (Legacy)\MSS: (AutoAdminLogon) Enable Automatic + + Logon (not recommended)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)'' is set to ''Enabled: Highest protection, source routing is completely disabled''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting' AND data = '2'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-disableipsourcerouting-ipv6-ip-source-routing-protection-level-protects-against-packet-spoofing-is-enabled-highest-p, cis_safeguard_ids:CIS4.5.2 + description: 'IP source routing is a mechanism that allows the sender to determine the IP route that a + + datagram should follow through the network. + + The recommended state for this setting is: Enabled: Highest protection, source + + routing is completely disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: Highest protection, source routing is + + completely disabled. 
+ + Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting IPv6) IP + + source routing protection level (protects against packet spoofing)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)'' is set to ''Enabled: Highest protection, source routing is completely disabled''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting' AND data = '2'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-disableipsourcerouting-ip-source-routing-protection-level-protects-against-packet-spoofing-is-enabled-highest-protec, cis_safeguard_ids:CIS4.5.3 + description: 'IP source routing is a mechanism that allows the sender to determine the IP route that a + + datagram should take through the network. It is recommended to configure this setting + + to Not Defined for enterprise environments and to Highest Protection for high security + + environments to completely disable source routing. + + The recommended state for this setting is: Enabled: Highest protection, source + + routing is completely disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: Highest protection, source routing is + + completely disabled. 
+ + Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting) IP source + + routing protection level (protects against packet spoofing)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes'' is set to ''Disabled''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-enableicmpredirect-allow-icmp-redirects-to-override-ospf-generated-routes-is-disabled, cis_safeguard_ids:CIS4.5.5 + description: 'Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host + + routes. These routes override the Open Shortest Path First (OSPF) generated routes. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. 
+ + Administrative Templates\MSS (Legacy)\MSS: (EnableICMPRedirect) Allow ICMP + + redirects to override OSPF generated routes' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers'' is set to ''Enabled''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NoNameReleaseOnDemand' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-nonamereleaseondemand-allow-the-computer-to-ignore-netbios-name-release-requests-except-from-wins-servers-is-enabled, cis_safeguard_ids:CIS4.5.7 + description: 'NetBIOS over TCP/IP is a network protocol that among other things provides a way to + + easily resolve NetBIOS names that are registered on Windows-based systems to the IP + + addresses that are configured on those systems. This setting determines whether the + + computer releases its NetBIOS name when it receives a name-release request. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\MSS (Legacy)\MSS: (NoNameReleaseOnDemand) Allow the + + computer to ignore NetBIOS name release requests except from WINS servers' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)'' is set to ''Enabled''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-safedllsearchmode-enable-safe-dll-search-mode-recommended-is-enabled, cis_safeguard_ids:CIS4.5.9 + description: 'The DLL search order can be configured to search for DLLs that are requested by + + running processes in one of two ways: + + • + + • + + + Search folders specified in the system path first, and then search the current + + working folder. + + Search current working folder first, and then search the folders specified in the + + system path. + + + When enabled, the registry value is set to 1. With a setting of 1, the system first + + searches the folders that are specified in the system path and then searches the current + + working folder. When disabled the registry value is set to 0 and the system first + + searches the current working folder and then searches the folders that are specified in + + the system path. + + Applications will be forced to search for DLLs in the system path first. For applications + + that require unique versions of these DLLs that are included with the application, this + + entry could cause performance or stability problems. + + The recommended state for this setting is: Enabled. 
+ + Note: More information on how Safe DLL search mode works is available at this link: + + Dynamic-Link Library Search Order - Windows applications | Microsoft Docs' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\MSS (Legacy)\MSS: (SafeDllSearchMode) Enable Safe + + DLL search mode (recommended)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)'' is set to ''Enabled: 5 or fewer seconds''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod' AND CAST(data AS INTEGER) <= 5; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:mss-screensavergraceperiod-the-time-in-seconds-before-the-screen-saver-grace-period-expires-0-recommended-is-enabled-5-o, cis_safeguard_ids:CIS4.5.10 + description: 'Windows includes a grace period between when the screen saver is launched and + + when the console is actually locked automatically when screen saver locking is enabled. + + The recommended state for this setting is: Enabled: 5 or fewer seconds.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: 5 or fewer seconds. 
+ + Administrative Templates\MSS (Legacy)\MSS: (ScreenSaverGracePeriod) The time + + in seconds before the screen saver grace period expires (0 recommended)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning'' is set to ''Enabled: 90% or less''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel' AND CAST(data AS INTEGER) <= 90; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:mss-warninglevel-percentage-threshold-for-the-security-event-log-at-which-the-system-will-generate-a-warning-is-enabled-, cis_safeguard_ids:CIS4.5.13 + description: 'This setting can generate a security audit in the Security event log when the log reaches + + a user-defined threshold. + + The recommended state for this setting is: Enabled: 90% or less. + + Note: If log settings are configured to Overwrite events as needed or Overwrite events + + older than x days, this event will not be generated.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: 90% or less. 
+ + Administrative Templates\MSS (Legacy)\MSS: (WarningLevel) Percentage + + threshold for the security event log at which the system will generate a + + warning' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off multicast name resolution' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-multicast-name-resolution-is-enabled, cis_safeguard_ids:CIS4.6.4.1 + description: 'Link-Local Multicast Name Resolution (LLMNR) is a secondary name resolution + + protocol. With LLMNR, queries are sent using multicast over a local network link on a + + single subnet from a client computer to another client computer on the same subnet that + + also has LLMNR enabled. LLMNR does not require a DNS server or DNS client + + configuration and provides name resolution in scenarios in which conventional DNS + + name resolution is not possible. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\Network\DNS Client\Turn off multicast name + + resolution' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:printing, requirement:standard, critical:false, control:limits-print-driver-installation-to-administrators-is-enabled, cis_safeguard_ids:CIS4.7.8 + description: 'This policy setting controls whether users who aren''t Administrators can install print + + drivers on the system. + + The recommended state for this setting is: Enabled. + + Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior + + Change which modifies the default Point and Print driver installation and update + + behavior to require Administrator privileges. This is documented in KB5005652— + + Manage new Point and Print default driver installation behavior (CVE-2021-34481).' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\Printers\Limits print driver installation to + + Administrators' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Manage processing of Queue-specific files: Manage processing of Queue-Specific files'' is set to ''Enabled: Limit Queue-specific files to Color profiles''' + query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_Printing/ManageProcessingOfQueueSpecificFiles' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:include-command-line-in-process-creation-events-is-enabled, cis_safeguard_ids:CIS4.10.4.1 + description: 'This policy setting controls whether the process creation command line text is logged in + + security audit events when a new process has been created. + + The recommended state for this setting is: Enabled. + + Note: This feature that this setting controls was not originally supported in workstation + + OSes older than Windows 8.1. However, in February 2015 Microsoft added support for + + the feature to Windows 7 and Windows 8.0 via an update - KB3004375. Therefore, this + + setting is also important to set on those older OSes.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\System\Audit Process Creation\Include command line + + in process creation events' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Encryption Oracle Remediation'' is set to ''Enabled: Force Updated Clients''' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_CredSsp/AllowEncryptionOracle' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:encryption-oracle-remediation-is-enabled-force-updated-clients, cis_safeguard_ids:CIS4.10.5.1 + description: 'Some versions of the CredSSP protocol that is used by some applications (such as + + Remote Desktop Connection) are vulnerable to an encryption oracle attack against the + + client. This policy controls compatibility with vulnerable clients and servers and allows + + you to set the level of protection desired for the encryption oracle vulnerability. + + The recommended state for this setting is: Enabled: Force Updated Clients.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: Force Updated Clients. 
+ + Administrative Templates\System\Credentials Delegation\Encryption Oracle + + Remediation' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Remote host allows delegation of nonexportable credentials' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.5.2 + description: 'Remote host allows delegation of non-exportable credentials. When using credential + + delegation, devices provide an exportable version of credentials to the remote host. This + + exposes users to the risk of credential theft from attackers on the remote host. The + + Restricted Admin Mode and Windows Defender Remote Credential Guard features are + + two options to help protect against this risk. + + The recommended state for this setting is: Enabled. + + Note: More detailed information on Windows Defender Remote Credential Guard and + + how it compares to Restricted Admin Mode can be found at this link: Protect Remote + + Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) | + + Microsoft Docs' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\System\Credentials Delegation\Remote host allows + + delegation of non-exportable credentials' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata\PreventDeviceMetadataFromNetwork' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:prevent-device-metadata-retrieval-from-the-internet-is-enabled, cis_safeguard_ids:CIS4.10.9.2 + description: 'This policy setting allows you to prevent Windows from retrieving device metadata from + + the Internet. + + The recommended state for this setting is: Enabled. + + Note: This will not prevent the installation of basic hardware drivers, but does prevent + + associated third-party utility software from automatically being installed under the + + context of the SYSTEM account.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\System\Device Installation\Prevent device metadata + + retrieval from the Internet' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Boot-Start Driver Initialization Policy'' is set to ''Enabled: Good, unknown and bad but critical''' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/System/BootStartDriverInitialization' AND mdm_command_output LIKE '%value="3"%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:boot-start-driver-initialization-policy-is-enabled-good-unknown-and-bad-but-critical, cis_safeguard_ids:CIS4.10.13.1 + description: 'This policy setting allows you to specify which boot-start drivers are initialized based on + + a classification determined by an Early Launch Antimalware boot-start driver. The Early + + Launch Antimalware boot-start driver can return the following classifications for each + + boot-start driver: + + • + + • + + • + + • + + + Good: The driver has been signed and has not been tampered with. + + Bad: The driver has been identified as malware. It is recommended that you do + + not allow known bad drivers to be initialized. + + Bad, but required for boot: The driver has been identified as malware, but + + the computer cannot successfully boot without loading this driver. + + Unknown: This driver has not been attested to by your malware detection + + application and has not been classified by the Early Launch Antimalware bootstart driver. + + + If you enable this policy setting you will be able to choose which boot-start drivers to + + initialize the next time the computer is started. 
+ + If your malware detection application does not include an Early Launch Antimalware + + boot-start driver or if your Early Launch Antimalware boot-start driver has been + + disabled, this setting has no effect and all boot-start drivers are initialized. + + The recommended state for this setting is: Enabled: Good, unknown and bad but + + critical.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: `Good, unknown and bad but critical. + + Administrative Templates\System\Early Launch Antimalware\Boot-Start Driver + + Initialization Policy' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Continue experiences on this device' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableCdp' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:continue-experiences-on-this-device-is-disabled, cis_safeguard_ids:CIS4.10.19.1 + description: 'This policy setting determines whether the Windows device is allowed to participate in + + cross-device experiences (continue experiences). + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. 
+ + Administrative Templates\System\Group Policy\Continue experiences on this + + device' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy' AND data = '1'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-background-refresh-of-group-policy-is-disabled, cis_safeguard_ids:CIS4.10.19.2 + description: 'This policy setting prevents Group Policy from being updated while the computer is in + + use. This policy setting applies to Group Policy for computers, users and Domain + + Controllers. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\System\Group Policy\Turn off background refresh of + + Group' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Connectivity/DisableDownloadingOfPrintDriversOverHTTP' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:block-user-from-showing-account-details-on-sign-in-is-enabled, cis_safeguard_ids:CIS4.10.26.1 + description: 'This policy prevents the user from showing account details (email address or user + + name) on the sign-in screen. + + The recommended state for this setting is: Enabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\System\Logon\Block user from showing account details + + on sign-in' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Do not display network selection UI' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/WindowsLogon/DontDisplayNetworkSelectionUI' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:do-not-display-network-selection-ui-is-enabled, cis_safeguard_ids:CIS4.10.26.2 + description: 'This policy setting allows you to control whether anyone can interact with available + + networks UI on the logon screen. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\System\Logon\Do not display network selection UI' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:do-not-enumerate-connected-users-on-domain-joined-computers-is-enabled, cis_safeguard_ids:CIS4.10.26.3 + description: 'This policy setting prevents connected users from being enumerated on domain-joined + + computers. + + The recommended state for this setting is: Enabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\System\Logon\Do not enumerate connected users on + + domain-joined computers' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnumerateLocalUsers' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enumerate-local-users-on-domain-joined-computers-is-disabled, cis_safeguard_ids:CIS4.10.26.4 + description: 'This policy setting allows local users to be enumerated on domain-joined computers. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\System\Logon\Enumerate local users on domain-joined + + computers' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/AboveLock/AllowToasts' AND mdm_command_output = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-app-notifications-on-the-lock-screen-is-enabled, cis_safeguard_ids:CIS4.10.26.5 + description: 'This policy setting allows you to prevent app notifications from appearing on the lock + + screen. + + The recommended state for this setting is: Enabled. 
+ + Warning: If the Self Service Password Reset (SSPR) feature is used in Microsoft Entra + + ID, an exception to this recommendation is needed as it''s known to interfere with SSPR.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\System\Logon\Turn off app notifications on the lock + + screen' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off picture password sign-in' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/CredentialProviders/BlockPicturePassword' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-picture-password-sign-in-is-enabled, cis_safeguard_ids:CIS4.10.26.6 + description: 'This policy setting allows you to control whether a domain user can sign in using a + + picture password. + + The recommended state for this setting is: Enabled. + + Note: If the picture password feature is permitted, the user''s domain password is + + cached in the system vault when using it.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\System\Logon\Turn off picture password sign-in' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/CredentialProviders/AllowPINLogon' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-on-convenience-pin-sign-in-is-disabled, cis_safeguard_ids:CIS4.10.26.7 + description: 'This policy setting allows you to control whether a user can sign in using a convenience + + PIN. + + Note: The user''s password will be cached in the system vault when using this feature. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\System\Logon\Turn on convenience PIN sign-in' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Power/RequirePasswordWhenComputerWakesOnBattery' AND mdm_command_output LIKE '%%' AND mdm_command_output LIKE '%value="1"%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:set-the-default-behavior-for-autorun-is-enabled-do-not-execute-any-autorun-commands, cis_safeguard_ids:CIS4.11.6.2 + description: 'This policy setting sets the default behavior for Autorun commands. Autorun commands + + are generally stored in autorun.inf files. They often launch the installation program or + + other routines. 
+ + The recommended state for this setting is: Enabled: Do not execute any autorun + + commands.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: Do not execute any autorun commands. + + Administrative Templates\Windows Components\AutoPlay Policies\Set the default + + behavior for AutoRun' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Turn off Autoplay'' is set to ''Enabled: All drives''' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Autoplay/TurnOffAutoPlay' AND mdm_command_output LIKE '%%' AND mdm_command_output LIKE '%value="255"%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-autoplay-is-enabled-all-drives, cis_safeguard_ids:CIS4.11.6.3 + description: 'Autoplay starts to read from a drive as soon as you insert media in the drive, which + + causes the setup file for programs or audio media to start immediately. An attacker + + could use this feature to launch a program to damage the computer or data on the + + computer. Autoplay is disabled by default on some removable drive types, such as + + floppy disk and network drives, but not on CD-ROM drives. + + Note: You cannot use this policy setting to enable Autoplay on computer drives in which + + it is disabled by default, such as floppy disk and network drives. + + The recommended state for this setting is: Enabled: All drives.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: All drives. 
+ + Administrative Templates\Windows Components\AutoPlay Policies\Turn off + + Autoplay' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Do not display the password reveal button' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/CredentialsUI/DisablePasswordReveal' AND mdm_command_output LIKE '%enabled%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:do-not-display-the-password-reveal-button-is-enabled, cis_safeguard_ids:CIS4.11.8.1 + description: 'This policy setting allows you to configure the display of the password reveal button in + + password entry user experiences. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\Windows Components\Credential User Interface\Do not + + display the password reveal button' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/CredentialsUI/EnumerateAdministrators' AND mdm_command_output LIKE '%disabled%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enumerate-administrator-accounts-on-elevation-is-disabled, cis_safeguard_ids:CIS4.11.8.2 + description: 'This policy setting controls whether administrator accounts are displayed when a user + + attempts to elevate a running application. + + The recommended state for this setting is: Disabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\Windows Components\Credential User + + Interface\Enumerate administrator accounts on elevation' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_CredUI/NoLocalPasswordResetQuestions' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:prevent-the-use-of-security-questions-for-local-accounts-is-enabled, cis_safeguard_ids:CIS4.11.8.3 + description: 'This policy setting controls whether security questions can be used to reset local + + account passwords. The security question feature does not apply to domain accounts, + + only local accounts on the workstation. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\Windows Components\Credential User Interface\Prevent + + the use of security questions for local accounts' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Enable App Installer Experimental Features' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableExperimentalFeatures' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-app-installer-experimental-features-is-disabled, cis_safeguard_ids:CIS4.11.10.1 + description: 'This policy setting controls whether users can enable experimental features in the + + Windows Package Manager. + + The recommended state for this setting is Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled: + + Administrative Templates\Windows Components\Desktop App Installer\Enable App + + Installer Experimental Features' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Enable App Installer Hash Override' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableHashOverride' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-app-installer-hash-override-is-disabled, cis_safeguard_ids:CIS4.11.10.2 + description: 'This policy setting controls whether or not users can override the SHA256 security + + validation in the Windows Package Manager settings. + + The recommended state for this setting is: Disabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled: + + Administrative Templates\Windows Components\Desktop App Installer\Enable App + + Installer Hash Override' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableMSAppInstallerProtocol' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-app-installer-ms-appinstaller-protocol-is-disabled, cis_safeguard_ids:CIS4.11.10.3 + description: 'This policy setting controls whether users can install packages from a website that is + + using the ms-appinstaller protocol. The ms-appinstaller protocol allows users to + + install an application by clicking a link on a website. + + The recommended state for this setting is: Disabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled: + + Administrative Templates\Windows Components\Desktop App Installer\Enable App + + Installer ms-appinstaller protocol' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\Retention' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:control-event-log-behavior-when-the-log-file-reaches-its-maximum-size-is-disabled, cis_safeguard_ids:CIS4.11.15.1.1;CIS4.11.15.2.1;CIS4.11.15.3.1;CIS4.11.15.4.1 + description: '[4.11.15.1.1] + + This policy setting controls Event Log behavior when the log file reaches its maximum + + size. + + The recommended state for this setting is: Disabled. + + Note: Old events may or may not be retained according to the Backup log automatically + + when full policy setting. + + + [4.11.15.2.1] + + This policy setting controls Event Log behavior when the log file reaches its maximum + + size. + + The recommended state for this setting is: Disabled. + + Note: Old events may or may not be retained according to the Backup log automatically + + when full policy setting. + + + [4.11.15.3.1] + + This policy setting controls Event Log behavior when the log file reaches its maximum + + size. + + The recommended state for this setting is: Disabled. + + Note: Old events may or may not be retained according to the Backup log automatically + + when full policy setting. + + + [4.11.15.4.1] + + This policy setting controls Event Log behavior when the log file reaches its maximum + + size. + + The recommended state for this setting is: Disabled. 
+ + Note: Old events may or may not be retained according to the Backup log automatically + + when full policy setting.' + resolution: '[4.11.15.1.1] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\Windows Components\Event Log + + Service\Application\Control Event Log behavior when the log file reaches its + + maximum size + + + [4.11.15.2.1] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\Windows Components\Event Log + + Service\Security\Control Event Log behavior when the log file reaches its + + maximum size + + + [4.11.15.3.1] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\Windows Components\Event Log Service\Setup\Control + + Event Log behavior when the log file reaches its maximum size + + + [4.11.15.4.1] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. 
+ + Administrative Templates\Windows Components\Event Log Service\System\Control + + Event Log behavior when the log file reaches its maximum size' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Specify the maximum log file size (KB)'' is set to ''Enabled: 32,768 or greater''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\MaxSize' AND CAST(data AS INTEGER) >= 32768; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:specify-the-maximum-log-file-size-kb-is-enabled-32768-or-greater, cis_safeguard_ids:CIS4.11.15.1.2;CIS4.11.15.3.2;CIS4.11.15.4.2 + description: '[4.11.15.1.2] + + This policy setting specifies the maximum size of the log file in kilobytes. The maximum + + log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes + + (4,194,240 kilobytes) in kilobyte increments. + + The recommended state for this setting is: Enabled: 32,768 or greater. + + + [4.11.15.3.2] + + This policy setting specifies the maximum size of the log file in kilobytes. The maximum + + log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes + + (4,194,240 kilobytes) in kilobyte increments. + + The recommended state for this setting is: Enabled: 32,768 or greater. + + + [4.11.15.4.2] + + This policy setting specifies the maximum size of the log file in kilobytes. The maximum + + log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes + + (4,194,240 kilobytes) in kilobyte increments. + + The recommended state for this setting is: Enabled: 32,768 or greater.' + resolution: '[4.11.15.1.2] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: 32,768 or greater. 
+ + Administrative Templates\Windows Components\Event Log + + Service\Application\Specify the maximum log file size (KB) + + + [4.11.15.3.2] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: 32,768 or greater. + + Administrative Templates\Windows Components\Event Log Service\Setup\Specify + + the maximum log file size (KB) + + + [4.11.15.4.2] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: 32,768 or greater. + + Administrative Templates\Windows Components\Event Log Service\System\Specify + + the maximum log file size (KB)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Specify the maximum log file size (KB)'' is set to ''Enabled: 196,608 or greater''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\MaxSize' AND CAST(data AS INTEGER) >= 196608; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:specify-the-maximum-log-file-size-kb-is-enabled-196608-or-greater, cis_safeguard_ids:CIS4.11.15.2.2 + description: 'This policy setting specifies the maximum size of the log file in kilobytes. The maximum + + log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes + + (4,194,240 kilobytes) in kilobyte increments. + + The recommended state for this setting is: Enabled: 196,608 or greater.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: 196,608 or greater. 
+ + Administrative Templates\Windows Components\Event Log + + Service\Security\Specify the maximum log file size (KB)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Configure Windows Defender SmartScreen'' is set to ''Enabled: Warn and prevent bypass''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:configure-windows-defender-smartscreen-is-enabled-warn-and-prevent-bypass, cis_safeguard_ids:CIS4.11.18.1 + description: 'This policy setting allows you to manage the behavior of Windows Defender + + SmartScreen. Windows Defender SmartScreen helps keep PCs safer by warning users + + before running unrecognized programs downloaded from the Internet. Some information + + is sent to Microsoft about files and programs run on PCs with this feature enabled. + + The recommended state for this setting is: Enabled: Warn and prevent bypass.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: Warn and prevent bypass. 
+ + Administrative Templates\Windows Components\File Explorer\Configure Windows + + Defender SmartScreen' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention' AND data = '1'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-data-execution-prevention-for-explorer-is-disabled, cis_safeguard_ids:CIS4.11.18.2 + description: 'Disabling Data Execution Prevention can allow certain legacy plug-in applications to + + function without terminating Explorer. + + The recommended state for this setting is: Disabled. + + Note: Some legacy plug-in applications and other software may not function with Data + + Execution Prevention and will require an exception to be defined for that specific plugin/software.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. 
+ + Administrative Templates\Windows Components\File Explorer\Turn off Data + + Execution Prevention for Explorer' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off heap termination on corruption' is set to 'Disabled' + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableHeapTerminationOnCorruption' AND data = '1'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-heap-termination-on-corruption-is-disabled, cis_safeguard_ids:CIS4.11.18.3 + description: 'Without heap termination on corruption, legacy plug-in applications may continue to + + function when a File Explorer session has become corrupt. Ensuring that heap + + termination on corruption is active will prevent this. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\Windows Components\File Explorer\Turn off heap + + termination on corruption' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer\PreXPSP2ShellProtocolBehavior' AND data = '1'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:turn-off-shell-protocol-protected-mode-is-disabled, cis_safeguard_ids:CIS4.11.18.4 + description: 'This policy setting allows you to configure the amount of functionality that the shell + + protocol can have. 
When using the full functionality of this protocol, applications can + + open folders and launch files. The protected mode reduces the functionality of this + + protocol allowing applications to only open a limited set of folders. Applications are not + + able to open files with this protocol when it is in the protected mode. It is recommended + + to leave this protocol in the protected mode to increase the security of Windows. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\Windows Components\File Explorer\Turn off shell + + protocol protected mode' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount\DisableUserAuth' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:block-all-consumer-microsoft-account-user-authentication-is-enabled, cis_safeguard_ids:CIS4.11.27.1 + description: 'This setting determines whether applications and services on the device can utilize new + + consumer Microsoft account authentication via the Windows OnlineID and + + WebAccountManager APIs. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\Windows Components\Microsoft accounts\Block all + + consumer Microsoft account user authentication' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:configure-local-setting-override-for-reporting-to-microsoft-maps-is-disabled, cis_safeguard_ids:CIS4.11.28.3.1 + description: 'This policy setting configures a local override for the configuration to join Microsoft + + Active Protection Service (MAPS), which Microsoft renamed to Windows Defender + + Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud + + Protection Service. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\Windows Components\Microsoft Defender + + Antivirus\MAPS\Configure local setting override for reporting to Microsoft + + MAPS' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Prevent users from sharing files within their profile. 
(User)' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInplaceSharing' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:network, requirement:standard, critical:false, control:prevent-users-from-sharing-files-within-their-profile-user-is-enabled, cis_safeguard_ids:CIS4.11.31.1 + description: 'This policy setting determines whether users can share files within their profile. By + + default, users are allowed to share files within their profile to other users on their + + network after an administrator opts in the computer. An administrator can opt in the + + computer by using the sharing wizard to share a file within their profile. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\Windows Components\Network Sharing\Prevent users + + from sharing files within their profile. (User)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Do not allow passwords to be saved' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:remote, requirement:standard, critical:false, control:do-not-allow-passwords-to-be-saved-is-enabled, cis_safeguard_ids:CIS4.11.36.3.2 + description: 'This policy setting helps prevent Remote Desktop clients from saving passwords on a + + computer. + + The recommended state for this setting is: Enabled. 
+ + Note: If this policy setting was previously configured as Disabled or Not configured, any + + previously saved passwords will be deleted the first time a Remote Desktop client + + disconnects from any server.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\Windows Components\Remote Desktop Services\Remote + + Desktop Connection Client\Do not allow passwords to be saved' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Do not allow drive redirection' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:do-not-allow-drive-redirection-is-enabled, cis_safeguard_ids:CIS4.11.36.4.3.2 + description: 'This policy setting prevents users from sharing the local drives on their client computers + + to Remote Desktop Servers that they access. Mapped drives appear in the session + + folder tree in Windows Explorer in the following format: + + \\TSClient\$ + + If local drives are shared they are left vulnerable to intruders who want to exploit the + + data that is stored on them. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\Windows Components\Remote Desktop Services\Remote + + Desktop Session Host\Device and Resource Redirection\Do not allow drive + + redirection' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Always prompt for password upon connection' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:always-prompt-for-password-upon-connection-is-enabled, cis_safeguard_ids:CIS4.11.36.4.9.1 + description: 'This policy setting specifies whether Remote Desktop Services always prompts the + + client computer for a password upon connection. You can use this policy setting to + + enforce a password prompt for users who log on to Remote Desktop Services, even if + + they already provided the password in the Remote Desktop Connection client. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + Administrative Templates\Windows Components\Remote Desktop Services\Remote + + Desktop Session Host\Security\Always prompt for password upon connection' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Require secure RPC communication' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/RemoteDesktopServices/RequireSecureRPCCommunication' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-mpr-notifications-for-the-system-is-disabled, cis_safeguard_ids:CIS4.11.50.1 + description: 'This policy setting controls whether winlogon sends Multiple Provider Router (MPR) + + notifications. MPR handles communication between the Windows operating system and + + the installed network providers. MPR checks the registry to determine which providers + + are installed on the system and the order they are cycled through. + + The recommended state for this setting is: Disabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled: + + Administrative Templates\Windows Components\Windows Logon Options\Enable MPR + + notifications for the system' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/WindowsLogon/AllowAutomaticRestartSignOn' AND mdm_command_output LIKE '%%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:sign-in-and-lock-last-interactive-user-automatically-after-a-restart-is-disabled, cis_safeguard_ids:CIS4.11.50.2 + description: 'This policy setting controls whether a device will automatically sign-in the last interactive + + user after Windows Update restarts the system. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. 
+ + Administrative Templates\Windows Components\Windows Logon Options\Sign-in and + + lock last interactive user automatically after a restart' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Basic authentication' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowBasic' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-basic-authentication-is-disabled, cis_safeguard_ids:CIS4.11.55.1.1;CIS4.11.55.2.1 + description: '[4.11.55.1.1] + + This policy setting allows you to manage whether the Windows Remote Management + + (WinRM) client uses Basic authentication. + + The recommended state for this setting is: Disabled. + + Note: Clients that use Microsoft''s Exchange Online service (Office 365) will require an + + exception to this recommendation, to instead have this setting set to Enabled. + + Exchange Online uses Basic authentication over HTTPS, and so the Exchange Online + + authentication traffic will still be safely encrypted. + + + [4.11.55.2.1] + + This policy setting allows you to manage whether the Windows Remote Management + + (WinRM) service accepts Basic authentication from a remote client. + + The recommended state for this setting is: Disabled.' + resolution: '[4.11.55.1.1] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\Windows Components\Windows Remote Management + + (WinRM)\WinRM Client\Allow Basic authentication + + + [4.11.55.2.1] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. 
+ + Administrative Templates\Windows Components\Windows Remote Management + + (WinRM)\WinRM Service\Allow Basic authentication' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow unencrypted traffic' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-unencrypted-traffic-is-disabled, cis_safeguard_ids:CIS4.11.55.1.2;CIS4.11.55.2.3 + description: '[4.11.55.1.2] + + This policy setting allows you to manage whether the Windows Remote Management + + (WinRM) client sends and receives unencrypted messages over the network. + + The recommended state for this setting is: Disabled. + + + [4.11.55.2.3] + + This policy setting allows you to manage whether the Windows Remote Management + + (WinRM) service sends and receives unencrypted messages over the network. + + The recommended state for this setting is: Disabled.' + resolution: '[4.11.55.1.2] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + Administrative Templates\Windows Components\Windows Remote Management + + (WinRM)\WinRM Client\Allow unencrypted traffic + + + [4.11.55.2.3] + + To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. 
+ + Administrative Templates\Windows Components\Windows Remote Management + + (WinRM)\WinRM Service\Allow unencrypted traffic' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Disallow Digest authentication' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowDigest' AND data = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:disallow-digest-authentication-is-enabled, cis_safeguard_ids:CIS4.11.55.1.3 + description: 'This policy setting allows you to manage whether the Windows Remote Management + + (WinRM) client will not use Digest authentication. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\Windows Components\Windows Remote Management + + (WinRM)\WinRM Client\Disallow Digest authentication' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:disallow-winrm-from-storing-runas-credentials-is-enabled, cis_safeguard_ids:CIS4.11.55.2.4 + description: 'This policy setting allows you to manage whether the Windows Remote Management + + (WinRM) service will allow RunAs credentials to be stored for any plug-ins. + + The recommended state for this setting is: Enabled. 
+ + Note: If you enable and then disable this policy setting, any values that were previously + + configured for RunAsPassword will need to be reset.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Administrative Templates\Windows Components\Windows Remote Management + + (WinRM)\WinRM Service\Disallow WinRM from storing RunAs credentials' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Account Logon Audit Credential Validation' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogon_AuditCredentialValidation' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:account-logon-audit-credential-validation-is-success-and-failure, cis_safeguard_ids:CIS6.1 + description: 'This subcategory reports the results of validation tests on credentials submitted for a + + user account logon request. These events occur on the computer that is authoritative for + + the credentials. For domain accounts, the Domain Controller is authoritative, whereas + + for local accounts, the local computer is authoritative. In domain environments, most of + + the Account Logon events occur in the Security log of the Domain Controllers that are + + authoritative for the domain accounts. However, these events can occur on other + + computers in the organization when local accounts are used to log on. Events for this + + subcategory include: + + • + + • + + • + + • + + + 4774: An account was mapped for logon. + + 4775: An account could not be mapped for logon. + + 4776: The Domain Controller attempted to validate the credentials for an + + account. + + 4777: The Domain Controller failed to validate the credentials for an account. 
+ + + The recommended state for this setting is: Success and Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. + + Auditing\Account Logon Audit Credential Validation' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Account Logon Logoff Audit Account Lockout' is set to include 'Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditAccountLockout' AND (mdm_command_output = '2' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.2 + description: 'This subcategory reports when a user''s account is locked out as a result of too many + + failed logon attempts. Events for this subcategory include: + + • + + + 4625: An account failed to log on. + + + The recommended state for this setting is to include: Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Failure. + + Auditing\Account Logon Logoff Audit Account Lockout' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Account Logon Logoff Audit Group Membership' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditGroupMembership' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.3 + description: 'This policy allows you to audit the group membership information in the user’s logon + + token. 
Events in this subcategory are generated on the computer on which a logon + + session is created. For an interactive logon, the security audit event is generated on the + + computer that the user logged on to. For a network logon, such as accessing a shared + + folder on the network, the security audit event is generated on the computer hosting the + + resource. + + The recommended state for this setting is to include: Success. + + Note: A Windows 10, Server 2016 or newer OS is required to access and set this value + + in Group Policy.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. + + Auditing\Account Logon Logoff Audit Group Membership' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Account Logon Logoff Audit Logoff' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditLogoff' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.4 + description: 'This subcategory reports when a user logs off from the system. These events occur on + + the accessed computer. For interactive logons, the generation of these events occurs + + on the computer that is logged on to. If a network logon takes place to access a share, + + these events generate on the computer that hosts the accessed resource. If you + + configure this setting to No auditing, it is difficult or impossible to determine which user + + has accessed or attempted to access organization computers. Events for this + + subcategory include: + + • + + • + + + 4634: An account was logged off. + + 4647: User initiated logoff. + + + The recommended state for this setting is to include: Success.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. + + Auditing\Account Logon Logoff Audit Logoff' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Account Logon Logoff Audit Logon' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditLogon' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:account-logon-logoff-audit-logon-is-success-and-failure, cis_safeguard_ids:CIS6.5 + description: 'This subcategory reports when a user attempts to log on to the system. These events + + occur on the accessed computer. For interactive logons, the generation of these events + + occurs on the computer that is logged on to. If a network logon takes place to access a + + share, these events generate on the computer that hosts the accessed resource. If you + + configure this setting to No auditing, it is difficult or impossible to determine which user + + has accessed or attempted to access organization computers. Events for this + + subcategory include: + + • + + • + + • + + • + + + 4624: An account was successfully logged on. + + 4625: An account failed to log on. + + 4648: A logon was attempted using explicit credentials. + + 4675: SIDs were filtered. + + + The recommended state for this setting is: Success and Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. 
+ + Auditing\Account Logon Logoff Audit Logon' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Account Management Audit Application Group Management' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountManagement_AuditApplicationGroupManagement' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:account-management-audit-application-group-management-is-success-and-failure, cis_safeguard_ids:CIS6.6 + description: 'This policy setting allows you to audit events generated by changes to application + + groups such as the following: + + • + + • + + + Application group is created, changed, or deleted. + + Member is added or removed from an application group. + + + Application groups are utilized by Windows Authorization Manager, which is a flexible + + framework created by Microsoft for integrating role-based access control (RBAC) into + + applications. More information on Windows Authorization Manager is available at MSDN + + - Windows Authorization Manager. + + The recommended state for this setting is: Success and Failure. + + Note: Although Microsoft "Deprecated" Windows Authorization Manager (AzMan) in + + Windows Server 2012 and 2012 R2, this feature still exists in the OS (unimproved), and + + therefore should still be audited.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. 
+ + Auditing\Account Management Audit Application Group Management' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Audit Authentication Policy Change' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditAuthenticationPolicyChange' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.7 + description: 'This subcategory reports changes in authentication policy. Events for this subcategory + + include: + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + + 4706: A new trust was created to a domain. + + 4707: A trust to a domain was removed. + + 4713: Kerberos policy was changed. + + 4716: Trusted domain information was modified. + + 4717: System security access was granted to an account. + + 4718: System security access was removed from an account. + + 4739: Domain Policy was changed. + + 4864: A namespace collision was detected. + + 4865: A trusted forest information entry was added. + + 4866: A trusted forest information entry was removed. + + 4867: A trusted forest information entry was modified. + + + The recommended state for this setting is to include: Success.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. 
+ + Auditing\Audit Authentication Policy Change' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Audit Authorization Policy Change' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditAuthorizationPolicyChange' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.8 + description: 'This subcategory reports changes in authorization policy. Events for this subcategory + + include: + + • + + • + + • + + • + + • + + • + + + 4703: A user right was adjusted. + + 4704: A user right was assigned. + + 4705: A user right was removed. + + 4670: Permissions on an object were changed. + + 4911: Resource attributes of the object were changed. + + 4913: Central Access Policy on the object was changed. + + + The recommended state for this setting is to include: Success.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. + + Auditing\Audit Authorization Policy Change' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Audit Changes to Audit Policy' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditPolicyChange' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.9 + description: 'This subcategory reports changes in audit policy including SACL changes. 
Events for + + this subcategory include: + + • + + • + + • + + • + + • + + • + + • + + • + + • + + + 4715: The audit policy (SACL) on an object was changed. + + 4719: System audit policy was changed. + + 4902: The Per-user audit policy table was created. + + 4904: An attempt was made to register a security event source. + + 4905: An attempt was made to unregister a security event source. + + 4906: The CrashOnAuditFail value has changed. + + 4907: Auditing settings on object were changed. + + 4908: Special Groups Logon table modified. + + 4912: Per User Audit Policy was changed. + + + The recommended state for this setting is to include: Success.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. + + Auditing\Audit Changes to Audit Policy' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Audit File Share Access' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditFileShare' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:audit-file-share-access-is-success-and-failure, cis_safeguard_ids:CIS6.10 + description: 'This policy setting allows you to audit attempts to access a shared folder. + + The recommended state for this setting is: Success and Failure. + + Note: There are no system access control lists (SACLs) for shared folders. If this policy + + setting is enabled, access to all shared folders on the system is audited.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. 
+ + Auditing\Audit File Share Access' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Audit Other Logon Logoff Events' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:audit-other-logon-logoff-events-is-success-and-failure, cis_safeguard_ids:CIS6.11 + description: 'This subcategory reports other logon/logoff-related events, such as Remote Desktop + + Services session disconnects and reconnects, using RunAs to run processes under a + + different account, and locking and unlocking a workstation. Events for this subcategory + + include: + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + + 4649: A replay attack was detected. + + 4778: A session was reconnected to a Window Station. + + 4779: A session was disconnected from a Window Station. + + 4800: The workstation was locked. + + 4801: The workstation was unlocked. + + 4802: The screen saver was invoked. + + 4803: The screen saver was dismissed. + + 5378: The requested credentials delegation was disallowed by policy. + + 5632: A request was made to authenticate to a wireless network. + + 5633: A request was made to authenticate to a wired network. + + + The recommended state for this setting is: Success and Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. 
+ + Auditing\Audit Other Logon Logoff Events' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Audit Security Group Management' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountManagement_AuditSecurityGroupManagement' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.12 + description: 'This subcategory reports each event of security group management, such as when a + + security group is created, changed, or deleted or when a member is added to or + + removed from a security group. If you enable this Audit policy setting, administrators + + can track events to detect malicious, accidental, and authorized creation of security + + group accounts. Events for this subcategory include: + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + + 4727: A security-enabled global group was created. + + 4728: A member was added to a security-enabled global group. + + 4729: A member was removed from a security-enabled global group. + + 4730: A security-enabled global group was deleted. + + 4731: A security-enabled local group was created. + + 4732: A member was added to a security-enabled local group. + + 4733: A member was removed from a security-enabled local group. + + 4734: A security-enabled local group was deleted. + + 4735: A security-enabled local group was changed. + + 4737: A security-enabled global group was changed. + + 4754: A security-enabled universal group was created. + + 4755: A security-enabled universal group was changed. + + 4756: A member was added to a security-enabled universal group. + + 4757: A member was removed from a security-enabled universal group. 
+ + 4758: A security-enabled universal group was deleted. + + 4764: A group''s type was changed. + + + The recommended state for this setting is to include: Success.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. + + Auditing\Audit Security Group Management' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Audit Security System Extension' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditSecuritySystemExtension' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.13 + description: 'This subcategory reports the loading of extension code such as authentication + + packages by the security subsystem. Events for this subcategory include: + + • + + • + + • + + • + + • + + + 4610: An authentication package has been loaded by the Local Security + + Authority. + + 4611: A trusted logon process has been registered with the Local Security + + Authority. + + 4614: A notification package has been loaded by the Security Account Manager. + + 4622: A security package has been loaded by the Local Security Authority. + + 4697: A service was installed in the system. + + + The recommended state for this setting is to include: Success.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. 
+ + Auditing\Audit Security System Extension' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Audit Special Logon' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountLogonLogoff_AuditSpecialLogon' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.14 + description: 'This subcategory reports when a special logon is used. A special logon is a logon that + + has administrator-equivalent privileges and can be used to elevate a process to a higher + + level. Events for this subcategory include: + + • + + + 4964: Special groups have been assigned to a new logon. + + + The recommended state for this setting is to include: Success.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. + + Auditing\Audit Special Logon' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Audit User Account Management' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/AccountManagement_AuditUserAccountManagement' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:audit-user-account-management-is-success-and-failure, cis_safeguard_ids:CIS6.15 + description: 'This subcategory reports each event of user account management, such as when a + + user account is created, changed, or deleted; a user account is renamed, disabled, or + + enabled; or a password is set or changed. 
If you enable this Audit policy setting, + + administrators can track events to detect malicious, accidental, and authorized creation + + of user accounts. Events for this subcategory include: + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + + 4720: A user account was created. + + 4722: A user account was enabled. + + 4723: An attempt was made to change an account''s password. + + 4724: An attempt was made to reset an account''s password. + + 4725: A user account was disabled. + + 4726: A user account was deleted. + + 4738: A user account was changed. + + 4740: A user account was locked out. + + 4765: SID History was added to an account. + + 4766: An attempt to add SID History to an account failed. + + 4767: A user account was unlocked. + + 4780: The ACL was set on accounts which are members of administrators + + groups. + + 4781: The name of an account was changed: + + 4794: An attempt was made to set the Directory Services Restore Mode. + + 5376: Credential Manager credentials were backed up. + + 5377: Credential Manager credentials were restored from a backup. + + + The recommended state for this setting is: Success and Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. 
+ + Auditing\Audit User Account Management' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Detailed Tracking Audit PNP Activity' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/DetailedTracking_AuditPNPActivity' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.16 + description: 'This policy setting allows you to audit when plug and play detects an external device. + + The recommended state for this setting is to include: Success. + + Note: A Windows 10, Server 2016 or newer OS is required to access and set this value + + in Group Policy.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. + + Auditing\Detailed Tracking Audit PNP Activity' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Detailed Tracking Audit Process Creation' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/DetailedTracking_AuditProcessCreation' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.17 + description: 'This subcategory reports the creation of a process and the name of the program or user + + that created it. Events for this subcategory include: + + • + + • + + + 4688: A new process has been created. + + 4696: A primary token was assigned to process. 
+ + + Refer to Microsoft Knowledge Base article 947226: Description of security events in + + Windows Vista and in Windows Server 2008 for the most recent information about this + + setting. + + The recommended state for this setting is to include: Success.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. + + Auditing\Detailed Tracking Audit Process Creation' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Object Access Audit Detailed File Share' is set to include 'Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditDetailedFileShare' AND (mdm_command_output = '2' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.18 + description: 'This subcategory allows you to audit attempts to access files and folders on a shared + + folder. Events for this subcategory include: + + • + + + 5145: network share object was checked to see whether client can be granted + + desired access. + + + The recommended state for this setting is to include: Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Failure. 
+ + Auditing\Object Access Audit Detailed File Share' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Object Access Audit Other Object Access Events' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditOtherObjectAccessEvents' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:network, requirement:standard, critical:false, control:object-access-audit-other-object-access-events-is-success-and-failure, cis_safeguard_ids:CIS6.19 + description: 'This policy setting allows you to audit events generated by the management of task + + scheduler jobs or COM+ objects. + + For scheduler jobs, the following are audited: + + • + + • + + • + + • + + • + + + Job created. + + Job deleted. + + Job enabled. + + Job disabled. + + Job updated. + + + For COM+ objects, the following are audited: + + • + + • + + • + + + Catalog object added. + + Catalog object updated. + + Catalog object deleted. + + + The recommended state for this setting is: Success and Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. 
+ + Auditing\Object Access Audit Other Object Access Events' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Object Access Audit Removable Storage' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/ObjectAccess_AuditRemovableStorage' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:object-access-audit-removable-storage-is-success-and-failure, cis_safeguard_ids:CIS6.20 + description: 'This policy setting allows you to audit user attempts to access file system objects on a + + removable storage device. A security audit event is generated only for all objects for all + + types of access requested. If you configure this policy setting, an audit event is + + generated each time an account accesses a file system object on a removable storage. + + Success audits record successful attempts and Failure audits record unsuccessful + + attempts. If you do not configure this policy setting, no audit event is generated when an + + account accesses a file system object on a removable storage. + + The recommended state for this setting is: Success and Failure. + + Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set + + this value in Group Policy.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. 
+ + Auditing\Object Access Audit Removable Storage' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Policy Change Audit MPSSVC Rule Level Policy Change' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:policy-change-audit-mpssvc-rule-level-policy-change-is-success-and-failure, cis_safeguard_ids:CIS6.21 + description: 'This subcategory determines whether the operating system generates audit events + + when changes are made to policy rules for the Microsoft Protection Service + + (MPSSVC.exe). Events for this subcategory include: + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + + 4944: The following policy was active when the Windows Firewall started. + + 4945: A rule was listed when the Windows Firewall started. + + 4946: A change has been made to Windows Firewall exception list. A rule was + + added. + + 4947: A change has been made to Windows Firewall exception list. A rule was + + modified. + + 4948: A change has been made to Windows Firewall exception list. A rule was + + deleted. + + 4949: Windows Firewall settings were restored to the default values. + + 4950: A Windows Firewall setting has changed. + + 4951: A rule has been ignored because its major version number was not + + recognized by Windows Firewall. + + 4952: Parts of a rule have been ignored because its minor version number was + + not recognized by Windows Firewall. The other parts of the rule will be enforced. + + 4953: A rule has been ignored by Windows Firewall because it could not parse + + the rule. + + 4954: Windows Firewall Group Policy settings have changed. 
The new settings + + have been applied. + + 4956: Windows Firewall has changed the active profile. + + 4957: Windows Firewall did not apply the following rule. + + 4958: Windows Firewall did not apply the following rule because the rule referred + + to items not configured on this computer. + + + The recommended state for this setting is: Success and Failure' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. + + Auditing\Policy Change Audit MPSSVC Rule Level Policy Change' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Policy Change Audit Other Policy Change Events' is set to include 'Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/PolicyChange_AuditOtherPolicyChangeEvents' AND (mdm_command_output = '2' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.22 + description: 'This subcategory contains events about EFS Data Recovery Agent policy changes, + + changes in Windows Filtering Platform filter, status on Security policy settings updates + + for local Group Policy settings, Central Access Policy changes, and detailed + + troubleshooting events for Cryptographic Next Generation (CNG) operations. Events for + + this subcategory include: + + • + + • + + • + + • + + • + + • + + • + + • + + • + + + 5063: A cryptographic provider operation was attempted. + + 5064: A cryptographic context operation was attempted. + + 5065: A cryptographic context modification was attempted. + + 5066: A cryptographic function operation was attempted. + + 5067: A cryptographic function modification was attempted. + + 5068: A cryptographic function provider operation was attempted. 
+ + 5069: A cryptographic function property operation was attempted. + + 5070: A cryptographic function property modification was attempted. + + 6145: One or more errors occurred while processing security policy in the group + + policy objects. + + + The recommended state for this setting is to include: Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Failure. + + Auditing\Policy Change Audit Other Policy Change Events' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Privilege Use Audit Sensitive Privilege Use' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/PrivilegeUse_AuditSensitivePrivilegeUse' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:privilege-use-audit-sensitive-privilege-use-is-success-and-failure, cis_safeguard_ids:CIS6.23 + description: 'This subcategory reports when a user account or service uses a sensitive privilege. A + + sensitive privilege includes the following user rights: + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + + Act as part of the operating system + + Back up files and directories + + Create a token object + + Debug programs + + Enable computer and user accounts to be trusted for delegation + + Generate security audits + + Impersonate a client after authentication + + Load and unload device drivers + + Manage auditing and security log + + Modify firmware environment values + + Replace a process-level token + + Restore files and directories + + Take ownership of files or other objects + + + Auditing this subcategory will create a high volume of events. 
Events for this + + subcategory include: + + • + + • + + • + + + 4672: Special privileges assigned to new logon. + + 4673: A privileged service was called. + + 4674: An operation was attempted on a privileged object. + + + The recommended state for this setting is: Success and Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. + + Auditing\Privilege Use Audit Sensitive Privilege Use' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'System Audit I Psec Driver' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditIPsecDriver' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:system-audit-i-psec-driver-is-success-and-failure, cis_safeguard_ids:CIS6.24 + description: 'This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. + + Events for this subcategory include: + + • + + + • + + • + + • + + + • + + + • + + • + + + • + + + • + + + 4960: IPsec dropped an inbound packet that failed an integrity check. If this + + problem persists, it could indicate a network issue or that packets are being + + modified in transit to this computer. Verify that the packets sent from the remote + + computer are the same as those received by this computer. This error might also + + indicate interoperability problems with other IPsec implementations. + + 4961: IPsec dropped an inbound packet that failed a replay check. If this problem + + persists, it could indicate a replay attack against this computer. + + 4962: IPsec dropped an inbound packet that failed a replay check. The inbound + + packet had too low a sequence number to ensure it was not a replay. 
+ + 4963: IPsec dropped an inbound clear text packet that should have been + + secured. This is usually due to the remote computer changing its IPsec policy + + without informing this computer. This could also be a spoofing attack attempt. + + 4965: IPsec received a packet from a remote computer with an incorrect Security + + Parameter Index (SPI). This is usually caused by malfunctioning hardware that is + + corrupting packets. If these errors persist, verify that the packets sent from the + + remote computer are the same as those received by this computer. This error + + may also indicate interoperability problems with other IPsec implementations. In + + that case, if connectivity is not impeded, then these events can be ignored. + + 5478: IPsec Services has started successfully. + + 5479: IPsec Services has been shut down successfully. The shutdown of IPsec + + Services can put the computer at greater risk of network attack or expose the + + computer to potential security risks. + + 5480: IPsec Services failed to get the complete list of network interfaces on the + + computer. This poses a potential security risk because some of the network + + interfaces may not get the protection provided by the applied IPsec filters. Use + + the IP Security Monitor snap-in to diagnose the problem. + + 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be + + started. + + • + + + • + + + 5484: IPsec Services has experienced a critical failure and has been shut down. + + The shutdown of IPsec Services can put the computer at greater risk of network + + attack or expose the computer to potential security risks. + + 5485: IPsec Services failed to process some IPsec filters on a plug-and-play + + event for network interfaces. This poses a potential security risk because some + + of the network interfaces may not get the protection provided by the applied + + IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. 
+ + + The recommended state for this setting is: Success and Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. + + Auditing\System Audit I Psec Driver' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'System Audit Other System Events' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditOtherSystemEvents' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:system-audit-other-system-events-is-success-and-failure, cis_safeguard_ids:CIS6.25 + description: 'This subcategory reports on other system events. Events for this subcategory include: + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + • + + + 5024: The Windows Firewall Service has started successfully. + + 5025: The Windows Firewall Service has been stopped. + + 5027: The Windows Firewall Service was unable to retrieve the security policy + + from the local storage. The service will continue enforcing the current policy. + + 5028: The Windows Firewall Service was unable to parse the new security + + policy. The service will continue with currently enforced policy. + + 5029: The Windows Firewall Service failed to initialize the driver. The service will + + continue to enforce the current policy. + + 5030: The Windows Firewall Service failed to start. + + 5032: Windows Firewall was unable to notify the user that it blocked an + + application from accepting incoming connections on the network. + + 5033: The Windows Firewall Driver has started successfully. + + 5034: The Windows Firewall Driver has been stopped. + + 5035: The Windows Firewall Driver failed to start. 
+ + 5037: The Windows Firewall Driver detected critical runtime error. Terminating. + + 5058: Key file operation. + + 5059: Key migration operation. + + + The recommended state for this setting is: Success and Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. + + Auditing\System Audit Other System Events' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'System Audit Security State Change' is set to include 'Success' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditSecurityStateChange' AND (mdm_command_output = '1' OR mdm_command_output = '3'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS6.26 + description: 'This subcategory reports changes in security state of the system, such as when the + + security subsystem starts and stops. Events for this subcategory include: + + • + + • + + • + + • + + + 4608: Windows is starting up. + + 4609: Windows is shutting down. + + 4616: The system time was changed. + + 4621: Administrator recovered system from CrashOnAuditFail. Users who are not + + administrators will now be allowed to log on. Some audit-able activity might not + + have been recorded. + + + The recommended state for this setting is to include: Success.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success. 
+ + Auditing\System Audit Security State Change' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'System Audit System Integrity' is set to 'Success and Failure' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Audit/System_AuditSystemIntegrity' AND mdm_command_output = '3'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:system-audit-system-integrity-is-success-and-failure, cis_safeguard_ids:CIS6.27 + description: 'This subcategory reports on violations of integrity of the security subsystem. Events for + + this subcategory include: + + • + + • + + • + + • + + • + + + • + + • + + • + + • + + • + + + 4612: Internal resources allocated for the queuing of audit messages have been + + exhausted, leading to the loss of some audits. + + 4615: Invalid use of LPC port. + + 4618: A monitored security event pattern has occurred. + + 4816: RPC detected an integrity violation while decrypting an incoming message. + + 5038: Code integrity determined that the image hash of a file is not valid. The file + + could be corrupt due to unauthorized modification or the invalid hash could + + indicate a potential disk device error. + + 5056: A cryptographic self test was performed. + + 5057: A cryptographic primitive operation failed. + + 5060: Verification operation failed. + + 5061: Cryptographic operation. + + 5062: A kernel-mode cryptographic self test was performed. + + + The recommended state for this setting is: Success and Failure.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Success and Failure. 
+ + Auditing\System Audit System Integrity' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Config refresh' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\%\ConfigRefresh\Enabled' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:config-refresh-is-enabled, cis_safeguard_ids:CIS15.1 + description: 'This policy setting determines whether or not MDM policies are refreshed on the + + system. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. + + Config Refresh\Config refresh' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Refresh cadence' is set to '90' (or less) + query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_GroupPolicy/CSE_NOBACKGROUND' AND mdm_command_output LIKE '%90%') OR EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime' AND data = '90'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS15.2 + description: 'This policy setting determines how often MDM policies are refreshed on the system. + + The recommended state for this setting is: 90 (or less).' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to 90 (or less). + + Config Refresh\Refresh cadence + + + Note: The shortest configurable refresh interval is 30 minutes.' 
+--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Behavior Monitoring' is set to 'Allowed' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AllowBehaviorMonitoring' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-behavior-monitoring-is-allowed, cis_safeguard_ids:CIS22.1 + description: 'This policy setting allows you to configure behavior monitoring for Microsoft Defender + + Antivirus. + + The recommended state for this setting is: Allowed.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Allowed. + + Defender\Allow Behavior Monitoring' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Email Scanning' is set to 'Allowed' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AllowEmailScanning' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-email-scanning-is-allowed, cis_safeguard_ids:CIS22.2 + description: 'This policy setting allows you to configure e-mail scanning. When e-mail scanning is + + enabled, the engine will parse the mailbox and mail files, according to their specific + + format, in order to analyze the mail bodies and attachments. Several e-mail formats are + + currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), + + binhex (Mac). + + The recommended state for this setting is: Allowed.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Allowed. 
+ + Defender\Allow Email Scanning' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Full Scan Removable Drive Scanning' is set to 'Allowed' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AllowFullScanRemovableDriveScanning' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-full-scan-removable-drive-scanning-is-allowed, cis_safeguard_ids:CIS22.3 + description: 'This policy setting allows you to manage whether or not to scan for malicious software + + and unwanted software in the contents of removable drives, such as USB flash drives, + + when running a full scan. + + The recommended state for this setting is: Allowed.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Allowed. + + Defender Antivirus\Allow Full Scan Removable Drive Scanning' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Realtime Monitoring' is set to 'Allowed' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AllowRealtimeMonitoring' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-realtime-monitoring-is-allowed, cis_safeguard_ids:CIS22.4 + description: 'This policy setting configures real-time protection prompts for known malware detection. + + Microsoft Defender Antivirus alerts you when malware or potentially unwanted software + + attempts to install itself or to run on your computer. + + The recommended state for this setting is: Allowed.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Allowed. + + Defender\Allow Realtime Monitoring' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow scanning of all downloaded files and attachments' is set to 'Allowed' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AllowIOAVProtection' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-scanning-of-all-downloaded-files-and-attachments-is-allowed, cis_safeguard_ids:CIS22.5 + description: 'This policy setting configures scanning for all downloaded files and attachments. + + The recommended state for this setting is: Allowed.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Allowed. + + Defender\Allow scanning of all downloaded files and attachments' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Script Scanning' is set to 'Allowed' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AllowScriptScanning' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-script-scanning-is-allowed, cis_safeguard_ids:CIS22.6 + description: 'This policy setting allows script scanning to be turned on/off. Script scanning intercepts + + scripts then scans them before they are executed on the system. + + The recommended state for this setting is: Allowed.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Allowed.
+
+ Defender\Allow Script Scanning'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block abuse of exploited vulnerable signed drivers'' is set to ''Block`'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%56A863A9-875E-4185-98A7-B882C64B5CE5=1%' OR mdm_command_output LIKE '%56A863A9-875E-4185-98A7-B882C64B5CE5=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.7
+ description: 'This rule prevents an application from writing a vulnerable signed driver to disk.
+
+ The recommended state for this setting is: Block.
+
+ Note: The Block abuse of exploited vulnerable signed drivers rule does not block a
+
+ driver that already exists on the system from being loaded.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block abuse of exploited vulnerable signed drivers (Device)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block Adobe Reader from creating child processes'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C=1%' OR mdm_command_output LIKE '%7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-adobe-reader-from-creating-child-processes-is-block, cis_safeguard_ids:CIS22.8
+ description: 'This rule prevents attacks by blocking Adobe Reader from creating processes.
+
+ Malware can download and launch payloads and break out of Adobe Reader through
+
+ social engineering or exploits. By blocking child processes from being generated by
+
+ Adobe Reader, malware attempting to use Adobe Reader as an attack vector are
+
+ prevented from spreading.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block Adobe Reader from creating child processes'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block all Office applications from creating child processes'' is set to ''Audit'' or higher'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%D4F940AB-401B-4EFC-AADC-AD5F3C50688A=1%' OR mdm_command_output LIKE '%D4F940AB-401B-4EFC-AADC-AD5F3C50688A=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.9
+ description: 'This rule blocks Office apps from creating child processes. Office apps include Word,
+
+ Excel, PowerPoint, OneNote, and Access.
+
+ Creating malicious child processes is a common malware strategy. Malware that
+
+ abuses Office as a vector often runs VBA macros and exploit code to download and
+
+ attempt to run more payloads. However, some legitimate line-of-business applications
+
+ might also generate child processes for benign purposes; such as spawning a
+
+ command prompt or using PowerShell to configure registry settings.
+
+ The recommended state for this setting is: Audit. Configuring this setting to Block also
+
+ conforms to the benchmark.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Audit or Block.
+
+ Defender\Block all Office applications from creating child processes'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block credential stealing from the Windows local security authority subsystem'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2=1%' OR mdm_command_output LIKE '%9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-credential-stealing-from-the-windows-local-security-authority-subsystem-is-block, cis_safeguard_ids:CIS22.10
+ description: 'This rule helps prevent credential stealing by locking down Local Security Authority
+
+ Subsystem Service (LSASS).
+
+ LSASS authenticates users who sign in on a Windows computer. Microsoft Defender
+
+ Credential Guard in Windows normally prevents attempts to extract credentials from
+
+ LSASS. Some organizations can''t enable Credential Guard on all of their computers
+
+ because of compatibility issues with custom smartcard drivers or other programs that
+
+ load into the Local Security Authority (LSA). In these cases, attackers can use tools like
+
+ Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
+
+ Note: Enabling this rule doesn''t provide additional protection if you have LSA protection
+
+ enabled since the ASR rule and LSA protection work similarly. However, when LSA
+
+ protection cannot be enabled, this rule can be configured to provide equivalent
+
+ protection against malware that target lsass.exe.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block credential stealing from the Windows local security authority
+
+ subsystem'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block executable content from email client and webmail'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1%' OR mdm_command_output LIKE '%BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-executable-content-from-email-client-and-webmail-is-block, cis_safeguard_ids:CIS22.11
+ description: 'This rule blocks email opened within the Microsoft Outlook application, or Outlook.com
+
+ and other popular webmail providers from propagating the following file types:
+
+ •
+
+ •
+
+
+ Executable files (such as .exe, .dll, or .scr)
+
+ Script files (such as a PowerShell .ps1, Visual Basic .vbs, or JavaScript .js file)
+
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block executable content from email client and webmail'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion'' is set to ''Audit'' or higher'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%01443614-CD74-433A-B99E-2ECDC07BFC25=1%' OR mdm_command_output LIKE '%01443614-CD74-433A-B99E-2ECDC07BFC25=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.12
+ description: 'This rule blocks executable files, such as .exe, .dll, or .scr, from launching. Thus,
+
+ launching untrusted or unknown executable files can be risky, as it might not be initially
+
+ clear if the files are malicious.
+
+ The recommended state for this setting is: Audit. Configuring this setting to Block also
+
+ conforms to the benchmark.
+
+ Note: Cloud-delivered protection must be enabled to use this rule.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Audit or Block.
+
+ Defender\Block executable files from running unless they meet a prevalence,
+
+ age, or trusted list criterion'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block execution of potentially obfuscated scripts'' is set to ''Audit'' or higher'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=1%' OR mdm_command_output LIKE '%5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.13
+ description: 'This rule blocks Office apps from creating child processes. Office apps include Word,
+
+ Excel, PowerPoint, OneNote, and Access.
+
+ Creating malicious child processes is a common malware strategy. Malware that
+
+ abuses Office as a vector often runs VBA macros and exploit code to download and
+
+ attempt to run more payloads. However, some legitimate line-of-business applications
+
+ might also generate child processes for benign purposes; such as spawning a
+
+ command prompt or using PowerShell to configure registry settings.
+
+ The recommended state for this setting is: Audit. Configuring this setting to Block also
+
+ conforms to the benchmark.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Audit or Block.
+
+ Defender\Block execution of potentially obfuscated scripts'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block JavaScript or VBScript from launching downloaded executable content'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%D3E037E1-3EB8-44C8-A917-57927947596D=1%' OR mdm_command_output LIKE '%D3E037E1-3EB8-44C8-A917-57927947596D=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-javascript-or-vbscript-from-launching-downloaded-executable-content-is-block, cis_safeguard_ids:CIS22.14
+ description: 'This rule prevents scripts from launching potentially malicious downloaded content.
+
+ Malware written in JavaScript or VBScript often acts as a downloader to fetch and
+
+ launch other malware from the Internet. Although not common, line-of-business
+
+ applications sometimes use scripts to download and launch installers.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block JavaScript or VBScript from launching downloaded executable
+
+ content'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block Office applications from creating executable content'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%3B576869-A4EC-4529-8536-B80A7769E899=1%' OR mdm_command_output LIKE '%3B576869-A4EC-4529-8536-B80A7769E899=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-office-applications-from-creating-executable-content-is-block, cis_safeguard_ids:CIS22.15
+ description: 'This rule prevents scripts from launching potentially malicious downloaded content.
+
+ Malware written in JavaScript or VBScript often acts as a downloader to fetch and
+
+ launch other malware from the Internet. Although not common, line-of-business
+
+ applications sometimes use scripts to download and launch installers.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block Office applications from creating executable content'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block Office applications from injecting code into other processes'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=1%' OR mdm_command_output LIKE '%75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-office-applications-from-injecting-code-into-other-processes-is-block, cis_safeguard_ids:CIS22.16
+ description: 'Attackers might attempt to use Office apps to migrate malicious code into other
+
+ processes through code injection, so the code can masquerade as a clean process.
+
+ There are no known legitimate business purposes for using code injection.
+
+ This rule applies to Word, Excel, OneNote, and PowerPoint.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block Office applications from injecting code into other processes'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block Office communication application from creating child processes'' is set to ''Audit'' or higher'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%26190899-1602-49E8-8B27-EB1D0A1CE869=1%' OR mdm_command_output LIKE '%26190899-1602-49E8-8B27-EB1D0A1CE869=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.17
+ description: 'This rule prevents Outlook from creating child processes, while still allowing legitimate
+
+ Outlook functions.
+
+ The recommended state for this setting is: Audit. Configuring this setting to Block also
+
+ conforms to the benchmark.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Audit or Block.
+
+ Defender\Block Office communication application from creating child processes'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block persistence through WMI event subscription'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%E6DB77E5-3DF2-4CF1-B95A-636979351E5B=1%' OR mdm_command_output LIKE '%E6DB77E5-3DF2-4CF1-B95A-636979351E5B=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-persistence-through-wmi-event-subscription-is-block, cis_safeguard_ids:CIS22.18
+ description: 'This rule prevents malware from abusing WMI to attain persistence on a device.
+
+ Note: If CcmExec.exe (SCCM Agent) is detected on the device, the ASR rule is
+
+ classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender
+
+ portal.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block persistence through WMI event subscription'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block process creations originating from PSExec and WMI commands'' is set to ''Audit'' or higher'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%D1E49AAC-8F56-4280-B9BA-993A6D77406C=1%' OR mdm_command_output LIKE '%D1E49AAC-8F56-4280-B9BA-993A6D77406C=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.19
+ description: 'This rule blocks processes created through PsExec and WMI from running. Both
+
+ PsExec and WMI can remotely execute code.
+
+ The recommended state for this setting is: Audit. Configuring this setting to Block also
+
+ conforms to the benchmark.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Audit or Block.
+
+ Defender\Block process creations originating from PSExec and WMI commands'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block untrusted and unsigned processes that run from USB'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4=1%' OR mdm_command_output LIKE '%B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-untrusted-and-unsigned-processes-that-run-from-usb-is-block, cis_safeguard_ids:CIS22.20
+ description: 'With this rule, admins can prevent unsigned or untrusted executable files from running
+
+ from USB removable drives, including SD cards. Blocked file types include executable
+
+ files (such as .exe, .dll, or .scr)
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block untrusted and unsigned processes that run from USB'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Block Win32 API calls from Office macros'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B=1%' OR mdm_command_output LIKE '%92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:asr-block-win32-api-calls-from-office-macros-is-block, cis_safeguard_ids:CIS22.21
+ description: 'This rule prevents VBA macros from calling Win32 APIs. Office VBA enables Win32 API
+
+ calls.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Defender\Block Win32 API calls from Office macros'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''ASR: Use advanced protection against ransomware'' is set to ''Audit'' or higher'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/AttackSurfaceReductionRules' AND (mdm_command_output LIKE '%C1DB55AB-C21A-4637-BB3F-A12568109D35=1%' OR mdm_command_output LIKE '%C1DB55AB-C21A-4637-BB3F-A12568109D35=2%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.22
+ description: 'This rule provides an extra layer of protection against ransomware. It uses both client
+
+ and cloud heuristics to determine whether a file resembles ransomware.
This rule
+
+ doesn''t block files that have one or more of the following characteristics:
+
+ The file has already been found to be unharmful in the Microsoft cloud. The file is a valid
+
+ signed file. The file is prevalent enough to not be considered as ransomware. The rule
+
+ tends to err on the side of caution to prevent ransomware.
+
+ The recommended state for this setting is: Audit. Configuring this setting to Block also
+
+ conforms to the benchmark.
+
+ Note: Cloud-delivered protection must be enabled to use this rule.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Audit or Block.
+
+ Defender\Use advanced protection against ransomware'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Days Until Aggressive Catchup Quick Scan' is set to '7 days' or fewer
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan\DaysUntilAggressiveCatchupQuickScan' AND data = '7';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.23
+ description: 'This policy setting configures the number of days after the last scan (of any type) before
+
+ an aggressive Quick Scan is automatically triggered.
+
+ The recommended state for this setting is: 7 days or fewer.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 7 days or fewer.
+
+ Defender\Days Until Aggressive Catchup Quick Scan'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Enable Network Protection' is set to 'Enabled (block mode)'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/EnableNetworkProtection' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-network-protection-is-enabled-block-mode, cis_safeguard_ids:CIS22.26
+ description: 'This policy setting controls Microsoft Defender Exploit Guard network protection.
+
+ The recommended state for this setting is: Enabled (block mode).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled (block mode):
+
+ Defender\Enable Network Protection'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Hide Exclusions From Local Users' is set to 'Enabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalUsers' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:hide-exclusions-from-local-users-is-enabled, cis_safeguard_ids:CIS22.27
+ description: 'This policy setting controls whether Microsoft Defender Antivirus exclusions are visible
+
+ to local users on the system.
+
+ The recommended state for this setting is: If you enable this setting, local
+
+ users will no longer be able to see the exclusion list in Windows
+
+ Security App or via PowerShell..
+
+ Note: As of the publication of this Benchmark, the setting configuration state in Intune is
+
+ the sentence above after The recommended state for this setting is: and not Enabled as
+
+ the title states. This was done to keep title length to a minimum.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to If you enable this setting, local users will no
+
+ longer be able to see the exclusion list in Windows Security App or
+
+ via PowerShell..
+
+ Defender\Hide Exclusions From Local Users'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Oobe Enable Rtp And Sig Update' is set to 'Enabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:oobe-enable-rtp-and-sig-update-is-enabled, cis_safeguard_ids:CIS22.28
+ description: 'This policy setting configures whether Real-time Protection and Security Intelligence
+
+ Updates are enabled during the Out of Box experience (OOBE).
+
+ The recommended state for this setting is: If you enable this setting, realtime protection and Security Intelligence Updates are enabled during
+
+ OOBE..
+
+ Note: As of the publication of this Benchmark, the setting configuration state in Intune is
+
+ the sentence above after The recommended state for this setting is: and not Enabled as
+
+ the title states. This was done to keep title length to a minimum.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to If you enable this setting, real-time protection
+
+ and Security Intelligence Updates are enabled during OOBE..
+
+ Defender\Oobe Enable Rtp And Sig Update'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'PUA Protection' is set to 'PUA Protection on'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Defender/PUAProtection' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:pua-protection-is-pua-protection-on, cis_safeguard_ids:CIS22.29
+ description: 'This policy setting controls detection and action for Potentially Unwanted Applications
+
+ (PUA), which are sneaky unwanted application bundlers or their bundled applications,
+
+ that can deliver adware or malware.
+
+ The recommended state for this setting is: PUA Protection on.
+
+ For more information, see this link: Block potentially unwanted applications with
+
+ Microsoft Defender Antivirus | Microsoft Docs'
+ resolution: 'To establish the recommended configuration via GP, set the following UI path to PUA
+
+ Protection on:
+
+ Defender\PUA Protection'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Quick Scan Include Exclusions' is set to '1'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Defender/Configuration/QuickScanIncludeExclusions' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:quick-scan-include-exclusions-is-1, cis_safeguard_ids:CIS22.30
+ description: 'This policy setting manages whether or not Microsoft Defender Antivirus scans
+
+ excluded files and directories when running a Quick Scan.
+
+ The recommended state for this setting is: If you set this setting to 1, all
+
+ files and directories that are excluded from real-time protection
+
+ using contextual exclusions are scanned during a quick scan.
+
+ Note: As of the publication of this Benchmark, the setting configuration state in Intune is
+
+ the sentence above after The recommended state for this setting is: and not 1 as the
+
+ title states. This was done to keep title length to a minimum.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to If you set this setting to 1, all files and
+
+ directories that are excluded from real-time protection using
+
+ contextual exclusions are scanned during a quick scan.
+
+ Defender\Quick Scan Include Exclusions'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Remote Encryption Protection Configured State'' is set to ''Audit: Generate EDR detections without blocking'' or higher'
+ query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Defender/Configuration/RemoteEncryptionProtectionConfiguredState' AND mdm_command_output = '2') OR EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Configuration\\BehavioralNetworkBlocks\\RemoteEncryptionProtection\\RemoteEncryptionProtectionConfiguredState' AND data = '2');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS22.32
+ description: 'This policy setting configures the Brute-Force Protection feature in Microsoft Defender
+
+ Antivirus. Brute-Force Protection can detect and block attempts to forcibly initiate signins and sessions.
+
+ The recommended state for this setting is: Audit: Generate EDR detections
+
+ without blocking.
Configuring this setting to Block: Prevent suspicious and
+
+ malicious behaviors also conforms to the benchmark.
+
+ Note: Configuring the value to either Default or Off does not conform to this
+
+ benchmark.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Audit: Generate EDR detections without blocking or
+
+ Block: Prevent suspicious and malicious behaviors.
+
+ Defender\Remote Encryption Protection Configured State'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'DO Download Mode' is NOT set to 'HTTP blended with Internet Peering'
+ query: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization\\DODownloadMode' AND data = 3);
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS23.1
+ description: 'This policy setting specifies the download method that Delivery Optimization can use in
+
+ downloads of Windows Updates, Apps and App updates. The following methods are
+
+ supported:
+
+ •
+
+ •
+
+ •
+
+
+ •
+
+ •
+
+
+ •
+
+
+ 0 = HTTP only, no peering.
+
+ 1 = HTTP blended with peering behind the same NAT.
+
+ 2 = HTTP blended with peering across a private group. Peering occurs on
+
+ devices in the same Active Directory Site (if exist) or the same domain by default.
+
+ When this option is selected, peering will cross NATs. To create a custom group
+
+ use Group ID in combination with Mode 2.
+
+ 3 = HTTP blended with Internet Peering.
+
+ 99 = Simple download mode with no peering. Delivery Optimization downloads
+
+ using HTTP only and does not attempt to contact the Delivery Optimization cloud
+
+ services.
+
+ 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead.
+
+
+ The recommended state for this setting is any value EXCEPT: Enabled: Internet
+
+ (3).
+
+ Note: The default on all SKUs other than Enterprise, Enterprise LTSB or Education is
+
+ Enabled: Internet (3), so on other SKUs, be sure to set this to a different value.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to any value other than HTTP blended with Internet
+
+ Peering:
+
+ Delivery Optimization\DO Download Mode'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Configure System Guard Launch' is set to 'Unmanaged Enables Secure Launch if supported by hardware'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/DeviceGuard/ConfigureSystemGuardLaunch' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:configure-system-guard-launch-is-unmanaged-enables-secure-launch-if-supported-by-hardware, cis_safeguard_ids:CIS24.1
+ description: 'Secure Launch protects the Virtualization Based Security environment from exploited
+
+ vulnerabilities in device firmware.
+
+ The recommended state for this setting is: Unmanaged Enables Secure Launch if
+
+ supported by hardware.
+
+ Note: Credential Guard and Device Guard are not currently supported when using
+
+ Azure IaaS VMs.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Unmanaged Enables Secure Launch if supported by
+
+ hardware:
+
+ Device Guard\Configure System Guard Launch'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Credential Guard' is set to 'Enabled with UEFI lock'
+ query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/DeviceGuard/EnableVirtualizationBasedSecurity' AND mdm_command_output = '1') OR EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags' AND data = '1');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:credential-guard-is-enabled-with-uefi-lock, cis_safeguard_ids:CIS24.2
+ description: 'This setting lets users turn on Credential Guard with virtualization-based security to help
+
+ protect credentials. The "Enabled with UEFI lock" option ensures that Credential Guard
+
+ cannot be disabled remotely. In order to disable the feature, you must set the Group
+
+ Policy to "Disabled" as well as remove the security functionality from each computer,
+
+ with a physically present user, in order to clear configuration persisted in UEFI.
+
+ The recommended state for this setting is: Enabled with UEFI lock.
+
+ Note: Virtualization Based Security requires a 64-bit version of Windows with Secure
+
+ Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS
+
+ configuration, not a Legacy BIOS configuration. In addition, if running Windows on a
+
+ virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V)
+
+ must be exposed by the host to the guest VM.
+
+ More information on system requirements for this feature can be found at Windows
+
+ Defender Credential Guard Requirements (Windows 10) | Microsoft Docs
+
+ Note #2: Credential Guard and Device Guard are not currently supported when using
+
+ Azure IaaS VMs.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled with UEFI lock:
+
+ Device Guard\Credential Guard'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Enable Virtualization Based Security' is set to 'Enable virtualization based security'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-virtualization-based-security-is-enable-virtualization-based-security, cis_safeguard_ids:CIS24.3
+ description: 'This policy setting specifies whether Virtualization Based Security is enabled.
+
+ Virtualization Based Security uses the Windows Hypervisor to provide support for
+
+ security services.
+
+ The recommended state for this setting is: Enable virtualization based security.
+
+ Note: Virtualization Based Security requires a 64-bit version of Windows with Secure
+
+ Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS
+
+ configuration, not a Legacy BIOS configuration. In addition, if running Windows on a
+
+ virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V)
+
+ must be exposed by the host to the guest VM.
+
+ More information on system requirements for this feature can be found at Windows
+
+ Defender Credential Guard Requirements (Windows 10) | Microsoft Docs
+
+ Note #2: Credential Guard and Device Guard are not currently supported when using
+
+ Azure IaaS VMs.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enable virtualization based security:
+
+ Device Guard\Enable Virtualization Based Security'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Require Platform Security Features' is set to 'Turns on VBS with Secure Boot' or higher
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/DeviceGuard/RequirePlatformSecurityFeatures' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS24.4
+ description: 'This policy setting specifies whether Virtualization Based Security (VBS) is enabled.
+
+ VBS uses the Windows Hypervisor to provide support for security services.
+
+ The recommended state for this setting is: Turns on VBS with Secure Boot or
+
+ Turns on VBS with Secure Boot and direct memory access (DMA). DMA
+
+ requires hardware support.
+
+ Note: VBS requires a 64-bit version of Windows with Secure Boot enabled, which in
+
+ turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy
+
+ BIOS configuration. In addition, if running Windows on a virtual machine, the hardwareassisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host
+
+ to the guest VM.
+
+ More information on system requirements for this feature can be found at Windows
+
+ Defender Credential Guard Requirements (Windows 10) | Microsoft Docs
+
+ Note #2: Credential Guard and Device Guard are not currently supported when using
+
+ Azure IaaS VMs.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Turns on VBS with Secure Boot or Turns on VBS with
+
+ Secure Boot and direct memory access (DMA). DMA requires hardware
+
+ support:
+
+ Device Guard\Require Platform Security Features'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Device Password Enabled' is set to 'Enabled'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\DevicePasswordEnabled' AND data = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:device-password-enabled-is-enabled, cis_safeguard_ids:CIS26.1
+ description: 'This policy setting specifics whether device lock is enabled. when enabled, the following
+
+ policy settings take effect on the system which are included in the Device Lock Section:
+
+ •
+
+ •
+
+ •
+
+ •
+
+ •
+
+ •
+
+
+ AllowSimpleDevicePassword
+
+ MinDevicePasswordLength
+
+ AlphanumericDevicePasswordRequired
+
+ MaxDevicePasswordFailedAttempts
+
+ MaxInactivityTimeDeviceLock
+
+ MinDevicePasswordComplexCharacters
+
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to `3Enabled:
+
+ Device Lock\Device Password Enabled'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Device Password Enabled: Alphanumeric Device Password Required'' is set to ''Password or Alphanumeric PIN required'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\AlphanumericDevicePasswordRequired' AND data = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:authn, requirement:standard, critical:false, control:device-password-enabled-alphanumeric-device-password-required-is-password-or-alphanumeric-pin-required, cis_safeguard_ids:CIS26.2
+ description: 'This policy setting determines the type of PIN or password this is required on a system.
+
+ The recommended state for this setting is: Password or Alphanumeric PIN
+
+ required.
+
+ Note: This policy only applies if the DevicePasswordEnabled policy is set to 1. This is a
+
+ pre-requisite for Alphanumeric Device Password Required in the settings catalog.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Password or Alphanumeric PIN required:
+
+ Device Lock\Device Password Enabled: Alphanumeric Device Password Required'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Device Password Enabled: Min Device Password Complex Characters'' is set to ''Digits and lowercase letters are required'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\MinDevicePasswordComplexCharacters' AND data LIKE '%';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:device-password-enabled-min-device-password-complex-characters-is-digits-and-lowercase-letters-are-required, cis_safeguard_ids:CIS26.3
+ description: 'This policy setting configures the number of complex element types (uppercase and
+
+ lowercase letters, numbers, and punctuation) required for PIN or password.
+
+ The recommended state for this setting is: Digits and lowercase letters are
+
+ required
+
+ Note: The enforcement of policies for Microsoft accounts happens on the server, and
+
+ the server requires a password length of 8 and a complexity of 2. A complexity value of
+
+ 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts
+
+ non-compliant. However, configuring this setting to 2 will force the value of 3 for
+
+ Local accounts.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Digits lowercase letters and uppercase letters are
+
+ required:
+
+ Device Lock\Device Password Enabled: Alphanumeric Device Password Required:
+
+ Min Device Password Complex Characters
+
+
+ Note: As of March 20, 2025, this setting is nested under Alphanumeric Device
+
+ Password Required and may not fully appear in Settings Catalog unless unchecked and
+
+ re-checked in the settings picker.'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Device Password Enabled: Device Password Expiration'' is set to ''365 or fewer days, but not 0'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\DevicePasswordExpiration' AND CAST(data AS INTEGER) BETWEEN 1 AND 365;
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:device-password-enabled-device-password-expiration-is-365-or-fewer-days-but-not-0, cis_safeguard_ids:CIS26.4
+ description: 'This policy setting defines how long a user can use their password before it expires.
+
+ The recommended state for this setting is 365 or fewer days, but not 0.
+
+ Note: Values for this policy setting range from 0 to 730 days. If this policy is set to the
+
+ value 0, the password will never expire.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 365 or fewer days, but not 0:
+
+ Device Lock\Device Password Enabled: Device Password Expiration'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Device Password Enabled: Device Password History'' is set to ''24 or more password(s)'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\DevicePasswordHistory' AND data = '24';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:authn, requirement:standard, critical:false, control:device-password-enabled-device-password-history-is-24-or-more-passwords, cis_safeguard_ids:CIS26.5
+ description: 'This policy setting determines the number of renewed, unique passwords that have to
+
+ be associated with a user account before you can reuse an old password. In an Intune
+
+ managed environment this setting applies to local user accounts and not Entra ID
+
+ accounts.
+
+ The value includes the user''s current password. This value denotes that with a setting of
+
+ 1, the user can''t reuse their current password when choosing a new password, while a
+
+ setting of 5 means that a user can''t set their new password to their current password or
+
+ any of their previous four passwords.
+
+ The recommended state for this setting is: 24 or more password(s).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 24 or more password(s):
+
+ Device Lock\Device Password Enabled: Device Password History'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Device Password Enabled: Max Device Password Failed Attempts'' is set to ''5 or fewer failed attempt(s), but not 0'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\MaxDevicePasswordFailedAttempts' AND data = '5';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:device-password-enabled-max-device-password-failed-attempts-is-5-or-fewer-failed-attempts-but-not-0, cis_safeguard_ids:CIS26.6
+ description: 'This policy setting determines the number of failed logon attempts before the account is
+
+ locked. Setting this policy to 0 does not conform to the benchmark as doing so disables
+
+ the account lockout threshold.
+
+ The recommended state for this setting is: 5 or fewer invalid logon attempt(s),
+
+ but not 0.
+
+ Note: When a user reaches the value set by this policy, the system is not wiped,
+
+ instead the system will be in BitLocker recovery mode, which makes data inaccessible
+
+ but recoverable. If BitLocker is not enabled, then this policy will not be enforced.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 5 or fewer invalid logon attempt(s), but not 0:
+
+ Device Lock\Device Password Enabled: Max Device Password Failed Attempts'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Device Password Enabled: Max Inactivity Time Device Lock'' is set to ''15 or fewer minutes, but not 0'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\MaxInactivityTimeDeviceLock' AND data = '15';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:device-password-enabled-max-inactivity-time-device-lock-is-15-or-fewer-minutes-but-not-0, cis_safeguard_ids:CIS26.7
+ description: 'Windows notices inactivity of a logon session, and if the amount of inactive time
+
+ exceeds the inactivity limit, then the screen saver will run, locking the session.
+
+ The recommended state for this setting is: 15 or fewer minutes, but not 0.
+
+ Note: A value of 0 does not conform to the benchmark as it disables the machine
+
+ inactivity limit.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 15 or fewer minutes, but not 0:
+
+ Device Lock\Device Password Enabled: Max Inactivity Time Device Lock'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Device Password Enabled: Min Device Password Length'' is set to ''14 or more character(s)'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock\MinDevicePasswordLength' AND data = '14';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:device-password-enabled-min-device-password-length-is-14-or-more-characters, cis_safeguard_ids:CIS26.8
+ description: 'This policy setting determines the least number of characters that make up a password
+
+ for a local user account. There are many different theories about how to determine the
+
+ best password length for an organization, but perhaps "passphrase" is a better term
+
+ than "password." In Microsoft Windows 2000 or newer, passphrases can be quite long
+
+ and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is
+
+ a valid passphrase; it is a considerably stronger password than an 8 or 10 character
+
+ string of random numbers and letters, and yet is easier to remember. Users must be
+
+ educated about the proper selection and maintenance of passwords, especially around
+
+ password length. In enterprise environments, the ideal value for the Minimum password
+
+ length setting is 14 characters, however you should adjust this value to meet your
+
+ organization''s business requirements.
+
+ The recommended state for this setting is: 14 or more character(s).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 14 or more character(s):
+
+ Device Lock\Device Password Enabled: Min Device Password Length'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Minimum Password Age' is set to '1 or more day(s)'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/DeviceLock/MinimumPasswordAge' AND CAST(mdm_command_output AS INTEGER) >= 1;
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:minimum-password-age-is-1-or-more-days, cis_safeguard_ids:CIS26.9
+ description: 'This security setting determines the period of time (in days) that a password must be
+
+ used before the user can change it. You can set a value between 1 and 998 days, or
+
+ you can allow changes immediately by setting the number of days to 0.
+
+ The recommended state for this setting is: 1 or more day(s)).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 1 (or more day(s)):
+
+ Device Lock\Minimum Password Age'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Allow Cortana' is set to 'Block'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Experience/AllowCortana' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-cortana-is-block, cis_safeguard_ids:CIS34.1
+ description: 'This policy setting specifies whether Cortana is allowed on the device.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block:
+
+ Experience\Allow Cortana'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Allow Spotlight Collection (User)' is set to '0'
+ query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\S-1-%\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableWindowsSpotlightFeatures' AND data = '1' LIMIT 1;
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-spotlight-collection-user-is-0, cis_safeguard_ids:CIS34.2
+ description: 'This policy setting removes the Spotlight collection setting in Personalization, rendering
+
+ the user unable to select and subsequently download daily images from Microsoft to the
+
+ system desktop.
+
+ The recommended state for this setting is: 0.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 0:
+
+ Experience\Allow Spotlight Collection (User)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Disable Consumer Account State Content' is set to 'Enabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Experience/DisableConsumerAccountStateContent' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:disable-consumer-account-state-content-is-enabled, cis_safeguard_ids:CIS34.4
+ description: 'This policy setting determines whether cloud consumer account state content is allowed
+
+ in all Windows experiences.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Experience\Disable Consumer Account State Content'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Do not show feedback notifications' is set to 'Feedback notifications are disabled'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Experience\DoNotShowFeedbackNotifications' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:do-not-show-feedback-notifications-is-feedback-notifications-are-disabled, cis_safeguard_ids:CIS34.5
+ description: 'This policy setting allows an organization to prevent its devices from showing feedback
+
+ questions from Microsoft.
+
+ The recommended state for this setting is: Feedback notifications are disabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Feedback notifications are disabled:
+
+ Experience\Do not show feedback notifications'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Enable Domain Network Firewall' is set to 'True'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-is-true, cis_safeguard_ids:CIS38.1
+ description: 'Select True (recommended) to have Windows Firewall with Advanced Security use the
+
+ settings for this profile to filter network traffic.
If you select False, Windows Firewall with
+
+ Advanced Security will not use any of the firewall rules or connection security rules for
+
+ this profile.
+
+ The recommended state for this setting is: True.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to True:
+
+ Firewall\Enable Domain Network Firewall'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Domain Network Firewall: Default Inbound Action for Domain Profile'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultInboundAction' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-default-inbound-action-for-domain-profile-is-block, cis_safeguard_ids:CIS38.2
+ description: 'This setting determines the behavior for inbound connections that do not match an
+
+ inbound firewall rule.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block:
+
+ Firewall\Enable Domain Network Firewall: Default Inbound Action for Domain
+
+ Profile'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Domain Network Firewall: Disable Inbound Notifications'' is set to ''True'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-disable-inbound-notifications-is-true, cis_safeguard_ids:CIS38.3
+ description: 'Select this option to have Windows Firewall with Advanced Security display notifications
+
+ to the user when a program is blocked from receiving inbound connections.
+
+ The recommended state for this setting is: True.
+
+ Note: When the Apply local firewall rules setting is configured to No, it''s
+
+ recommended to also configure the Display a notification setting to No.
+
+ Otherwise, users will continue to receive messages that ask if they want to unblock a
+
+ restricted inbound connection, but the user''s response will be ignored.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to True:
+
+ Firewall\Enable Domain Network Firewall: Disable Inbound Notifications'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Domain Network Firewall: Enable Log Dropped Packets'' is set to ''Yes: Enable Logging Of Dropped Packets'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets' AND mdm_command_output = 'true';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-enable-log-dropped-packets-is-yes-enable-logging-of-dropped-packets, cis_safeguard_ids:CIS38.4
+ description: 'Use this option to log when Windows Firewall with Advanced Security discards an
+
+ inbound packet for any reason. The log records why and when the packet was dropped.
+
+ Look for entries with the word DROP in the action column of the log.
+
+ The recommended state for this setting is: Enable Logging Of Dropped Packets.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enable Logging Of Dropped Packets:
+
+ Firewall\Enable Domain Network Firewall: Enable Log Dropped Packets'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Domain Network Firewall: Enable Log Success Connections'' is set to ''Enable Logging Of Successful Connections'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-enable-log-success-connections-is-enable-logging-of-successful-connections, cis_safeguard_ids:CIS38.5
+ description: 'Use this option to log when Windows Firewall with Advanced Security allows an
+
+ inbound connection. The log records why and when the connection was formed. Look
+
+ for entries with the word ALLOW in the action column of the log.
+
+ The recommended state for this setting is: Enable Logging Of Successful
+
+ Connections.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enable Logging Of Successful Connections:
+
+ Firewall\Enable Domain Network Firewall: Enable Log Success Connections'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Domain Network Firewall: Log File Path'' is set to ''%SystemRoot%\System32\logfiles\firewall\domainfw.log'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath' AND mdm_command_output LIKE '%domainfw.log';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-log-file-path-is-systemroot-system32-logfiles-firewall-domainfw-log, cis_safeguard_ids:CIS38.6
+ description: 'Use this option to specify the path and name of the file in which Windows Firewall will
+
+ write its log information.
+
+ The recommended state for this setting is:
+
+ %SystemRoot%\System32\logfiles\firewall\domainfw.log.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to
+
+ %SystemRoot%\System32\logfiles\firewall\domainfw.log:
+
+ Firewall\Enable Domain Network Firewall: Log File Path'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Domain Network Firewall: Log Max File Size'' is set to ''16,384 KB or greater'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogMaxFileSize' AND CAST(mdm_command_output AS INTEGER) >= 16384;
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-domain-network-firewall-log-max-file-size-is-16384-kb-or-greater, cis_safeguard_ids:CIS38.7
+ description: 'Use this option to specify the size limit of the file in which Windows Firewall will write its
+
+ log information.
+
+ The recommended state for this setting is: 16,384 KB or greater.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 16,384 KB or greater:
+
+ Firewall\Enable Domain Network Firewall: Log Max File Size (KB)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Enable Private Network Firewall' is set to 'True'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-is-true, cis_safeguard_ids:CIS38.8
+ description: 'Select True (recommended) to have Windows Firewall with Advanced Security use the
+
+ settings for this profile to filter network traffic. If you select False, Windows Firewall with
+
+ Advanced Security will not use any of the firewall rules or connection security rules for
+
+ this profile.
+
+ The recommended state for this setting is: True (recommended).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to True (recommended):
+
+ Firewall\Enable Private Network Firewall'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Private Network Firewall: Default Inbound Action for Private Profile'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultInboundAction' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-default-inbound-action-for-private-profile-is-block, cis_safeguard_ids:CIS38.9
+ description: 'This setting determines the behavior for inbound connections that do not match an
+
+ inbound firewall rule.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block:
+
+ Firewall\Enable Private Network Firewall: Default Inbound Action for Private
+
+ Profile'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Private Network Firewall: Disable Inbound Notifications'' is set to ''True'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-disable-inbound-notifications-is-true, cis_safeguard_ids:CIS38.10
+ description: 'Select this option to have Windows Firewall with Advanced Security display notifications
+
+ to the user when a program is blocked from receiving inbound connections.
+
+ The recommended state for this setting is: True.
+
+ Note: When the Apply local firewall rules setting is configured to No, it''s
+
+ recommended to also configure the Display a notification setting to No.
+
+ Otherwise, users will continue to receive messages that ask if they want to unblock a
+
+ restricted inbound connection, but the user''s response will be ignored.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to True:
+
+ Firewall\Enable Private Network Firewall: Disable Inbound Notifications'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Private Network Firewall: Enable Log Success Connections'' is set to ''Enable Logging Of Successful Connections'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-enable-log-success-connections-is-enable-logging-of-successful-connections, cis_safeguard_ids:CIS38.11
+ description: 'Use this option to log when Windows Firewall with Advanced Security allows an
+
+ inbound connection. The log records why and when the connection was formed. Look
+
+ for entries with the word ALLOW in the action column of the log.
+
+ The recommended state for this setting is: Enable Logging Of Successful
+
+ Connections.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enable Logging Of Successful Connections:
+
+ Firewall\Enable Private Network Firewall: Enable Log Success Connections'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Private Network Firewall: Enable Log Dropped Packets'' is set to ''Yes: Enable Logging Of Dropped Packets'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets' AND mdm_command_output = 'true';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-enable-log-dropped-packets-is-yes-enable-logging-of-dropped-packets, cis_safeguard_ids:CIS38.12
+ description: 'Use this option to log when Windows Firewall with Advanced Security discards an
+
+ inbound packet for any reason. The log records why and when the packet was dropped.
+
+ Look for entries with the word DROP in the action column of the log.
+
+ The recommended state for this setting is: Enable Logging Of Dropped Packets.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enable Logging Of Dropped Packets:
+
+ Firewall\Enable Private Network Firewall: Enable Log Dropped Packets'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Private Network Firewall: Log File Path'' is set to ''%SystemRoot%\System32\logfiles\firewall\privatefw.log'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath' AND mdm_command_output LIKE '%privatefw.log';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-log-file-path-is-systemroot-system32-logfiles-firewall-privatefw-log, cis_safeguard_ids:CIS38.13
+ description: 'Use this option to specify the path and name of the file in which Windows Firewall will
+
+ write its log information.
+
+ The recommended state for this setting is:
+
+ %SystemRoot%\System32\logfiles\firewall\privatefw.log.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to
+
+ %SystemRoot%\System32\logfiles\firewall\privatefw.log:
+
+ Firewall\Enable Private Network Firewall: Log File Path'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Private Network Firewall: Log Max File Size'' is set to ''16,384 KB or greater'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogMaxFileSize' AND CAST(mdm_command_output AS INTEGER) >= 16384;
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-private-network-firewall-log-max-file-size-is-16384-kb-or-greater, cis_safeguard_ids:CIS38.14
+ description: 'Use this option to specify the size limit of the file in which Windows Firewall will write its
+
+ log information.
+
+ The recommended state for this setting is: 16,384 KB or greater.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 16,384 KB or greater:
+
+ Firewall\Enable Private Network Firewall: Log Max File Size (KB)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Enable Public Network Firewall' is set to 'True'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-is-true, cis_safeguard_ids:CIS38.15
+ description: 'Select True (recommended) to have Windows Firewall with Advanced Security use the
+
+ settings for this profile to filter network traffic. If you select False, Windows Firewall with
+
+ Advanced Security will not use any of the firewall rules or connection security rules for
+
+ this profile.
+
+ The recommended state for this setting is: True (recommended).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to True (recommended):
+
+ Firewall\Enable Public Network Firewall'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Public Network Firewall: Allow Local Ipsec Policy Merge'' is set to ''False'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge' AND mdm_command_output = 'false';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-allow-local-ipsec-policy-merge-is-false, cis_safeguard_ids:CIS38.16
+ description: 'This setting controls whether local administrators are allowed to create connection
+
+ security rules that apply together with connection security rules configured by Group
+
+ Policy.
+
+ The recommended state for this setting is: False.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to False:
+
+ Firewall\Enable Public Network Firewall: Allow Local Ipsec Policy Merge'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Public Network Firewall: Allow Local Policy Merge'' is set to ''False'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalPolicyMerge' AND mdm_command_output = 'false';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-allow-local-policy-merge-is-false, cis_safeguard_ids:CIS38.17
+ description: 'This setting controls whether local administrators are allowed to create local firewall
+
+ rules that apply together with firewall rules configured by Group Policy.
+
+ The recommended state for this setting is: False.
+
+ Note: When the Allow Local Policy Merge setting is configured to False, it''s
+
+ recommended to also configure the Disable Inbound Notifications setting to True.
+
+ Otherwise, users will continue to receive messages that ask if they want to unblock a
+
+ restricted inbound connection, but the user''s response will be ignored.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to False:
+
+ Firewall\Enable Public Network Firewall: Allow Local Policy Merge'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Public Network Firewall: Default Inbound Action for Public Profile'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultInboundAction' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-default-inbound-action-for-public-profile-is-block, cis_safeguard_ids:CIS38.18
+ description: 'This setting determines the behavior for inbound connections that do not match an
+
+ inbound firewall rule.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block:
+
+ Firewall\Enable Public Network Firewall: Default Inbound Action for Public
+
+ Profile'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Public Network Firewall: Disable Inbound Notifications'' is set to ''True'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-disable-inbound-notifications-is-true, cis_safeguard_ids:CIS38.19
+ description: 'Select this option to have Windows Firewall with Advanced Security display notifications
+
+ to the user when a program is blocked from receiving inbound connections.
+
+ The recommended state for this setting is: True.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to ''True'':
+
+ Firewall\Enable Public Network Firewall: Disable Inbound Notifications'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Public Network Firewall: Enable Log Dropped Packets'' is set to ''Yes: Enable Logging Of Dropped Packets'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets' AND mdm_command_output = 'true';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-enable-log-dropped-packets-is-yes-enable-logging-of-dropped-packets, cis_safeguard_ids:CIS38.20
+ description: 'Use this option to log when Windows Firewall with Advanced Security discards an
+
+ inbound packet for any reason. The log records why and when the packet was dropped.
+
+ Look for entries with the word DROP in the action column of the log.
+
+ The recommended state for this setting is: Enable Logging Of Dropped Packets.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enable Logging Of Dropped Packets:
+
+ Firewall\Enable Public Network Firewall: Enable Log Dropped Packets'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Public Network Firewall: Enable Log Success Connections'' is set to ''Enable Logging Of Successful Connections'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-enable-log-success-connections-is-enable-logging-of-successful-connections, cis_safeguard_ids:CIS38.21
+ description: 'Use this option to log when Windows Firewall with Advanced Security allows an
+
+ inbound connection. The log records why and when the connection was formed. Look
+
+ for entries with the word ALLOW in the action column of the log.
+
+ The recommended state for this setting is: Enable Logging Of Successful
+
+ Connections.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enable Logging Of Successful Connections.
+
+ Firewall\Enable Public Network Firewall: Enable Log success connections'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Public Network Firewall: Log File Path'' is set to ''%SystemRoot%\System32\logfiles\firewall\publicfw.log'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath' AND mdm_command_output LIKE '%publicfw.log';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-log-file-path-is-systemroot-system32-logfiles-firewall-publicfw-log, cis_safeguard_ids:CIS38.22
+ description: 'Use this option to specify the path and name of the file in which Windows Firewall will
+
+ write its log information.
+
+ The recommended state for this setting is:
+
+ %SystemRoot%\System32\logfiles\firewall\publicfw.log.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to
+
+ %SystemRoot%\System32\logfiles\firewall\publicfw.log:
+
+ Firewall\Enable Public Network Firewall: Log File Path'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Enable Public Network Firewall: Log Max File Size'' is set to ''16,384 KB or greater'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize' AND CAST(mdm_command_output AS INTEGER) >= 16384;
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-public-network-firewall-log-max-file-size-is-16384-kb-or-greater, cis_safeguard_ids:CIS38.23
+ description: 'Use this option to specify the size limit of the file in which Windows Firewall will write its
+
+ log information.
+
+ The recommended state for this setting is: 16,384 KB or greater.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 16,384 KB or greater:
+
+ Firewall\Enable Public Network Firewall: Log Max File Size (KB)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Enable insecure guest logons' is set to 'Disabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LanmanWorkstation/EnableInsecureGuestLogons' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-insecure-guest-logons-is-disabled, cis_safeguard_ids:CIS46.1
+ description: 'This policy setting determines if the SMB client will allow insecure guest logons to an
+
+ SMB server.
+
+ The recommended state for this setting is: Disabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Disabled:
+
+ Lanman Workstation\Enable insecure guest logons'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Accounts: Enable Guest account status'' is set to ''Disabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:accounts-enable-guest-account-status-is-disabled, cis_safeguard_ids:CIS49.1
+ description: 'This policy setting determines whether the Guest account is enabled or disabled. The
+
+ Guest account allows unauthenticated network users to gain access to the system.
+
+ The recommended state for this setting is: Disabled.
+
+ Note: This setting will have no impact when applied to the Domain Controllers
+
+ organizational unit via group policy because Domain Controllers have no local account
+
+ database. It can be configured at the domain level via group policy, similar to account
+
+ lockout and password policy settings.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Disabled:
+
+ Local Policies Security Options\Accounts: Guest account status'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Accounts: Limit local account use of blank passwords to console logon only'' is set to ''Enabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:accounts, requirement:standard, critical:false, control:accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only-is-enabled, cis_safeguard_ids:CIS49.2
+ description: 'This policy setting determines whether local accounts that are not password protected
+
+ can be used to log on from locations other than the physical computer console. If you
+
+ enable this policy setting, local accounts that have blank passwords will not be able to
+
+ log on to the network from remote client computers. Such accounts will only be able to
+
+ log on at the keyboard of the computer.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Accounts: Limit local account use of blank
+
+ passwords to console logon only'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Interactive logon: Do not display last signed-in'' is set to ''Enabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:interactive-logon-do-not-display-last-signed-in-is-enabled, cis_safeguard_ids:CIS49.6
+ description: 'This policy setting determines whether the account name of the last user to log on to the
+
+ client computers in your organization will be displayed in each computer''s respective
+
+ Windows logon screen. Enable this policy setting to prevent intruders from collecting
+
+ account names visually from the screens of desktop or laptop computers in your
+
+ organization.
+
+ The recommended state for this setting is: Enabled.
+
+ Warning: If the Self Service Password Reset (SSPR) feature is used in Microsoft Entra
+
+ ID, an exception to this recommendation is needed as it''s known to interfere with SSPR.
+
+ Warning #2: If the Windows passwordless experience feature is used, an exception to
+
+ this recommendation is needed as it prevents this feature from working.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Interactive logon: Don''t display last signedin
+
+
+ Note: In older versions of Microsoft Windows, this setting was named Interactive logon:
+
+ Do not display last user name, but it was renamed starting with Windows 10 Release
+
+ 1703.'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Interactive logon: Do not require CTRL+ALT+DEL'' is set to ''Disabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:interactive-logon-do-not-require-ctrl-alt-del-is-disabled, cis_safeguard_ids:CIS49.7
+ description: 'This policy setting determines whether users must press CTRL+ALT+DEL before they
+
+ log on.
+
+ The recommended state for this setting is: Disabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Disabled:
+
+ Local Policies Security Options\Interactive logon: Do not require
+
+ CTRL+ALT+DEL'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Interactive logon: Machine inactivity limit'' is set to ''900 or fewer second(s), but not 0'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit' AND CAST(mdm_command_output AS INTEGER) > 0 AND CAST(mdm_command_output AS INTEGER) <= 900;
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:interactive-logon-machine-inactivity-limit-is-900-or-fewer-seconds-but-not-0, cis_safeguard_ids:CIS49.8
+ description: 'Windows notices inactivity of a logon session, and if the amount of inactive time
+
+ exceeds the inactivity limit, then the screen saver will run, locking the session.
+
+ The recommended state for this setting is: 900 or fewer second(s), but not 0.
+
+ Note: A value of 0 does not conform to the benchmark as it disables the machine
+
+ inactivity limit.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 900 or fewer seconds, but not 0:
+
+ Local Policies Security Options\Interactive logon: Machine inactivity limit'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Interactive logon: Smart card removal behavior'' is set to ''Lock Workstation'' or higher'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS49.11
+ description: 'This policy setting determines what happens when the smart card for a logged-on user
+
+ is removed from the smart card reader.
+
+ The recommended state for this setting is: Lock Workstation. Configuring this setting
+
+ to Force Logoff or Disconnect if a Remote Desktop Services session also
+
+ conforms to the benchmark.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Lock Workstation (or, if applicable for your environment,
+
+ Force Logoff or Disconnect if a Remote Desktop Services session):
+
+ Local Policies Security Options\Interactive logon: Smart card removal
+
+ behavior'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Microsoft network client: Digitally sign communications (always)'' is set to ''Enabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:session, requirement:standard, critical:false, control:microsoft-network-client-digitally-sign-communications-always-is-enabled, cis_safeguard_ids:CIS49.12
+ description: 'This policy setting determines whether packet signing is required by the SMB client
+
+ component.
+
+ Note: When Windows Vista-based computers have this policy setting enabled and they
+
+ connect to file or print shares on remote servers, it is important that the setting is
+
+ synchronized with its companion setting, Microsoft network server: Digitally sign
+
+ communications (always), on those servers. For more information about these
+
+ settings, see the "Microsoft network client and server: Digitally sign communications
+
+ (four related settings)" section in Chapter 5 of the Threats and Countermeasures guide.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Microsoft network client: Digitally sign
+
+ communications (always)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Microsoft network client: Digitally sign communications (if server agrees)'' is set to ''Enabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:microsoft-network-client-digitally-sign-communications-if-server-agrees-is-enabled, cis_safeguard_ids:CIS49.13
+ description: 'This policy setting determines whether the SMB client will attempt to negotiate SMB
+
+ packet signing.
+
+ Note: Enabling this policy setting on SMB clients on your network makes them fully
+
+ effective for packet signing with all clients and servers in your environment.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Microsoft network client: Digitally sign
+
+ communications (if server agrees)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Microsoft network client: Send unencrypted password to third-party SMB servers'' is set to ''Disabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword' AND data = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers-is-disabled, cis_safeguard_ids:CIS49.14
+ description: 'This policy setting determines whether the SMB redirector will send plaintext passwords
+
+ during authentication to third-party SMB servers that do not support password
+
+ encryption.
+
+ It is recommended that you disable this policy setting unless there is a strong business
+
+ case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed
+
+ across the network.
+
+ The recommended state for this setting is: Disabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Disabled:
+
+ Local Policies Security Options\Microsoft network client: Send unencrypted
+
+ password to third-party SMB servers'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Microsoft network server: Digitally sign communications (always)'' is set to ''Enabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:microsoft-network-server-digitally-sign-communications-always-is-enabled, cis_safeguard_ids:CIS49.15
+ description: 'This policy setting determines whether packet signing is required by the SMB server
+
+ component. Enable this policy setting in a mixed environment to prevent downstream
+
+ clients from using the workstation as a network server.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Microsoft network server: Digitally sign
+
+ communications (always)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Microsoft network server: Digitally sign communications (if client agrees)'' is set to ''Enabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:microsoft-network-server-digitally-sign-communications-if-client-agrees-is-enabled, cis_safeguard_ids:CIS49.16
+ description: 'This policy setting determines whether the SMB server will negotiate SMB packet
+
+ signing with clients that request it. If no signing request comes from the client, a
+
+ connection will be allowed without a signature if the Microsoft network server:
+
+ Digitally sign communications (always) setting is not enabled.
+
+ Note: Enable this policy setting on SMB clients on your network to make them fully
+
+ effective for packet signing with all clients and servers in your environment.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Microsoft network server: Digitally sign
+
+ communications (if client agrees)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Network access: Do not allow anonymous enumeration of SAM accounts'' is set to ''Enabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-is-enabled, cis_safeguard_ids:CIS49.17
+ description: 'This policy setting controls the ability of anonymous users to enumerate the accounts in
+
+ the Security Accounts Manager (SAM). If you enable this policy setting, users with
+
+ anonymous connections will not be able to enumerate domain account user names on
+
+ the systems in your environment. This policy setting also allows additional restrictions
+
+ on anonymous connections.
+
+ The recommended state for this setting is: Enabled.
+
+ Note: This policy has no effect on Domain Controllers.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Network access: Do not allow anonymous
+
+ enumeration of SAM accounts'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Network access: Do not allow anonymous enumeration of SAM accounts and shares'' is set to ''Enabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares-is-enabled, cis_safeguard_ids:CIS49.18
+ description: 'This policy setting controls the ability of anonymous users to enumerate SAM accounts
+
+ as well as shares. If you enable this policy setting, anonymous users will not be able to
+
+ enumerate domain account user names and network share names on the systems in
+
+ your environment.
+
+ The recommended state for this setting is: Enabled.
+
+ Note: This policy has no effect on Domain Controllers.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Network access: Do not allow anonymous
+
+ enumeration of SAM accounts and shares'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Network access: Restrict anonymous access to Named Pipes and Shares'' is set to ''Enabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-access-restrict-anonymous-access-to-named-pipes-and-shares-is-enabled, cis_safeguard_ids:CIS49.19
+ description: 'When enabled, this policy setting restricts anonymous access to only those shares and
+
+ pipes that are named in the Network access: Named pipes that can be accessed
+
+ anonymously and Network access: Shares that can be accessed anonymously
+
+ settings. This policy setting controls null session access to shares on your computers by
+
+ adding RestrictNullSessAccess with the value 1 in the
+
+ HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
+
+ registry key. This registry value toggles null session shares on or off to control whether
+
+ the server service restricts unauthenticated clients'' access to named resources.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Network access: Restrict anonymous access to
+
+ Named Pipes and Shares'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Network access: Restrict clients allowed to make remote calls to SAM'' is set to ''Administrators: Remote Access: Allow'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM' AND mdm_command_output LIKE '%BA%';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-access-restrict-clients-allowed-to-make-remote-calls-to-sam-is-administrators-remote-access-allow, cis_safeguard_ids:CIS49.20
+ description: 'This policy setting allows you to restrict remote RPC connections to SAM.
+
+ The recommended state for this setting is: Administrators: Remote Access: Allow.
+
+ Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set
+
+ this value in Group Policy.
+
+ Note #2: This setting was originally only supported on Windows 10 R1607 or newer,
+
+ then support for it was added to Windows 7 or newer via the March 2017 security
+
+ patches.
+
+ Note #3: If your organization is using Microsoft Defender for Identity (formerly Azure
+
+ Advanced Threat Protection (Azure ATP)), the (organization-named) Defender for
+
+ Identity Directory Service Account (DSA), will also need to be granted the same Remote
+
+ Access: Allow permission. For more information on adding the service account please
+
+ see Configure SAM-R to enable lateral movement path detection in Microsoft Defender
+
+ for Identity | Microsoft Docs.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Administrators: Remote Access: Allow:
+
+ Local Policies Security Options\Network access: Restrict clients allowed to
+
+ make remote calls to SAM'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Network security: Allow Local System to use computer identity for NTLM'' is set to ''Allow'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-security-allow-local-system-to-use-computer-identity-for-ntlm-is-allow, cis_safeguard_ids:CIS49.21
+ description: 'This policy setting determines whether Local System services that use Negotiate when
+
+ reverting to NTLM authentication can use the computer identity. This policy is supported
+
+ on at least Windows 7 or Windows Server 2008 R2.
+
+ The recommended state for this setting is: Allow.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Allow:
+
+ Local Policies Security Options\Network security: Allow Local System to use
+
+ computer identity for NTLM'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Network Security: Allow PKU2U authentication requests'' is set to ''Block'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:network-security-allow-pku2u-authentication-requests-is-block, cis_safeguard_ids:CIS49.22
+ description: 'This setting determines if online identities are able to authenticate to this computer.
+
+ The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in
+
+ Windows 7 and Windows Server 2008 R2 is implemented as a security support provider
+
+ (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows
+
+ 7 media and file sharing feature called HomeGroup, which permits sharing between
+
+ computers that are not members of a domain.
+
+ With PKU2U, a new extension was introduced to the Negotiate authentication package,
+
+ Spnego.dll. In previous versions of Windows, Negotiate decided whether to use
+
+ Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll,
+
+ which is treated as an authentication protocol by Windows, supports Microsoft SSPs
+
+ including PKU2U.
+
+ When computers are configured to accept authentication requests by using online IDs,
+
+ Negoexts.dll calls the PKU2U SSP on the computer that is used to log on.
The
+
+ PKU2U SSP obtains a local certificate and exchanges the policy between the peer
+
+ computers. When validated on the peer computer, the certificate within the metadata is
+
+ sent to the logon peer for validation and associates the user''s certificate to a security
+
+ token and the logon process completes.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block:
+
+ Local Policies Security Options\Network Security: Allow PKU2U authentication
+
+ requests to this computer'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Network security: Do not store LAN Manager hash value on next password change'' is set to ''Enabled'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-security-do-not-store-lan-manager-hash-value-on-next-password-change-is-enabled, cis_safeguard_ids:CIS49.23
+ description: 'This policy setting determines whether the LAN Manager (LM) hash value for the new
+
+ password is stored when the password is changed. The LM hash is relatively weak and
+
+ prone to attack compared to the cryptographically stronger Microsoft Windows NT hash.
+
+ Since LM hashes are stored on the local computer in the security database, passwords
+
+ can then be easily compromised if the database is attacked.
+
+ Note: Older operating systems and some third-party applications may fail when this
+
+ policy setting is enabled. Also, note that the password will need to be changed on all
+
+ accounts after you enable this setting to gain the proper benefit.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\Network security: Do not store LAN Manager
+
+ hash value on next password change'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Network security: LAN Manager authentication level'' is set to ''Send LM and NTLMv2 responses only. Refuse LM and NTLM'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel' AND mdm_command_output = '5';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-security-lan-manager-authentication-level-is-send-lm-and-ntlmv2-responses-only-refuse-lm-and-ntlm, cis_safeguard_ids:CIS49.24
+ description: 'LAN Manager (LM) was a family of early Microsoft client/server software (predating
+
+ Windows NT) that allowed users to link personal computers together on a single
+
+ network. LM network capabilities included transparent file and print sharing, user
+
+ security features, and network administration tools. In Active Directory domains, the
+
+ Kerberos protocol is the default authentication protocol. However, if the Kerberos
+
+ protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or
+
+ NTLMv2.
LAN Manager authentication includes the LM, NTLM, and NTLM version 2
+
+ (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients
+
+ when they perform the following operations:
+
+ •
+
+ •
+
+ •
+
+ •
+
+ •
+
+
+ Join a domain
+
+ Authenticate between Active Directory forests
+
+ Authenticate to down-level domains
+
+ Authenticate to computers that do not run Windows 2000, Windows Server 2003,
+
+ or Windows XP
+
+ Authenticate to computers that are not in the domain
+
+
+ The Network security: LAN Manager authentication level setting determines which
+
+ challenge/response authentication protocol is used for network logons. This choice
+
+ affects the level of authentication protocol used by clients, the level of session security
+
+ negotiated, and the level of authentication accepted by servers.
+
+ The recommended state for this setting is: Send LM and NTLMv2 responses only.
+
+ Refuse LM and NTLM.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to: Send LM and NTLMv2 responses only.
Refuse LM and
+
+ NTLM:
+
+ Local Policies Security Options\Network security: LAN Manager authentication
+
+ level'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Network Security Minimum Session Security For NTLMSSP Based Clients' is set to 'Require NTLM and 128-bit encryption'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients' AND mdm_command_output = '537395200';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:network-security-minimum-session-security-for-ntlmssp-based-clients-is-require-ntlm-and-128-bit-encryption, cis_safeguard_ids:CIS49.25
+ description: 'This policy setting determines which behaviors are allowed by clients for applications
+
+ using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by
+
+ applications that need authentication services. The setting does not modify how the
+
+ authentication sequence works but instead require certain behaviors in applications that
+
+ use the SSPI.
+
+ The recommended state for this setting is: Require NTLM and 128-bit encryption.
+
+ Note: These values are dependent on the Network security: LAN Manager
+
+ Authentication Level security setting value.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Require NTLM and 128-bit encryption:
+
+ Local Policies Security Options\Network security: Minimum session security
+
+ for NTLM SSP based (including secure RPC) clients'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Network Security Minimum Session Security For NTLMSSP Based Servers' is set to 'Require NTLM and 128bit encryption'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers' AND mdm_command_output = '537395200';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS49.26
+ description: 'This policy setting determines which behaviors are allowed by servers for applications
+
+ using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by
+
+ applications that need authentication services. The setting does not modify how the
+
+ authentication sequence works but instead require certain behaviors in applications that
+
+ use the SSPI.
+
+ The recommended state for this setting is: Require NTLM and 128-bit encryption.
+
+ Note: These values are dependent on the Network security: LAN Manager
+
+ Authentication Level security setting value.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Require NTLM and 128-bit encryption:
+
+ Local Policies Security Options\Network security: Minimum session security
+
+ for NTLM SSP based (including secure RPC) servers'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Network security: Restrict NTLM: Audit Incoming NTLM Traffic'' is set to ''Enable auditing for all accounts'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic' AND mdm_command_output = '2';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:network, requirement:standard, critical:false, control:network-security-restrict-ntlm-audit-incoming-ntlm-traffic-is-enable-auditing-for-all-accounts, cis_safeguard_ids:CIS49.27
+ description: 'This policy setting allows the auditing of incoming NTLM traffic. Events for this setting
+
+ are recorded in the operational event log (e.g. Applications and Services
+
+ Log\Microsoft\Windows\NTLM).
+
+ The recommended state for this setting is: Enable auditing for all accounts.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enable auditing for all accounts:
+
+ Local Policies Security Options\Network security: Restrict NTLM: Audit
+
+ Incoming NTLM Traffic'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''User Account Control: Behavior of the elevation prompt for administrators'' is set to ''Prompt for consent on the secure desktop'' or higher'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators' AND mdm_command_output = '2';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS49.28
+ description: 'This policy setting controls the behavior of the elevation prompt for administrators.
+
+ The recommended state for this setting is: Prompt for consent on the secure
+
+ desktop. Configuring this setting to Prompt for credentials on the secure
+
+ desktop also conforms to the benchmark.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Prompt for consent on the secure desktop or Prompt
+
+ for credentials on the secure desktop:
+
+ Local Policies Security Options\User Account Control: Behavior of the
+
+ elevation prompt for administrators'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''User Account Control: Behavior of the elevation prompt for standard users'' is set to ''Automatically deny elevation requests'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-behavior-of-the-elevation-prompt-for-standard-users-is-automatically-deny-elevation-requests, cis_safeguard_ids:CIS49.29
+ description: 'This policy setting controls the behavior of the elevation prompt for standard users.
+
+ The recommended state for this setting is: Automatically deny elevation
+
+ requests.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Automatically deny elevation requests:
+
+ Local Policies Security Options\User Account Control: Behavior of the
+
+ elevation prompt for standard users'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''User Account Control: Detect application installations and prompt for elevation'' is set to ''Enabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-detect-application-installations-and-prompt-for-elevation-is-enabled, cis_safeguard_ids:CIS49.30
+ description: 'This policy setting controls the behavior of application installation detection for the
+
+ computer.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\User Account Control: Detect application
+
+ installations and prompt for elevation'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''User Account Control: Only elevate UIAccess applications that are installed in secure locations'' is set to ''Enabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations-is-enabled, cis_safeguard_ids:CIS49.31
+ description: 'This policy setting controls whether applications that request to run with a User Interface
+
+ Accessibility (UIAccess) integrity level must reside in a secure location in the file
+
+ system. Secure locations are limited to the following:
+
+ •
+
+ •
+
+ •
+
+
+ …\Program Files\, including subfolders
+
+ …\Windows\System32\
+
+ …\Program Files (x86)\, including subfolders (for 64-bit versions of Windows)
+
+
+ Note: Windows enforces a public key infrastructure (PKI) signature check on any
+
+ interactive application that requests to run with a UIAccess integrity level regardless of
+
+ the state of this security setting.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\User Account Control: Only elevate UIAccess
+
+ applications that are installed in secure locations'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''User Account Control: Use Admin Approval Mode'' is set to ''Enabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:user-account-control-use-admin-approval-mode-is-enabled, cis_safeguard_ids:CIS49.32
+ description: 'This policy setting controls the behavior of Admin Approval Mode for the built-in
+
+ Administrator account.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\User Account Control: Use Admin Approval Mode'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''User Account Control: Switch to the secure desktop when prompting for elevation'' is set to ''Enabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:authn, requirement:standard, critical:false, control:user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation-is-enabled, cis_safeguard_ids:CIS49.33
+ description: 'This policy setting controls whether the elevation request prompt is displayed on the
+
+ interactive user''s desktop or the secure desktop.
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\User Account Control: Switch to the secure
+
+ desktop when prompting for elevation'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''User Account Control: Run all administrators in Admin Approval Mode'' is set to ''Enabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-run-all-administrators-in-admin-approval-mode-is-enabled, cis_safeguard_ids:CIS49.34
+ description: 'This policy setting controls the behavior of all User Account Control (UAC) policy
+
+ settings for the computer. If you change this policy setting, you must restart your
+
+ computer.
+
+ The recommended state for this setting is: Enabled.
+
+ Note: If this policy setting is disabled, the Security Center notifies you that the overall
+
+ security of the operating system has been reduced.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\User Account Control: Run all administrators
+
+ in Admin Approval Mode'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''User Account Control: Virtualize file and registry write failures to per-user locations'' is set to ''Enabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations-is-enabled, cis_safeguard_ids:CIS49.35
+ description: 'This policy setting controls whether application write failures are redirected to defined
+
+ registry and file system locations. This policy setting mitigates applications that run as
+
+ administrator and write run-time application data to:
+
+ •
+
+ •
+
+ •
+
+ •
+
+
+ %ProgramFiles%
+
+ %windir%
+
+ %windir%\System32
+
+ HKLM\SOFTWARE
+
+
+ The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:
+
+ Local Policies Security Options\User Account Control: Virtualize file and
+
+ registry write failures to per-user locations'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Configure Lsa Protected Process is set to 'Enabled with UEFI Lock...'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\RunAsPPL' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS50.1
+ description: 'This policy setting controls whether the Local Security Authority Subservice Service
+
+ (LSASS) runs in protected mode and also has the option to lock in protected mode with
+
+ Unified Extensible Firmware Interface (UEFI). The Local Security Authority (LSA), which
+
+ includes the LSASS process, validates users for local and remote sign-ins and enforces
+
+ local security policies.
+
+ The recommended state for this setting is: Enabled with UEFI lock. LSA will run
+
+ as protected process and this configuration is UEFI locked.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled with UEFI lock....
+
+ Local Security Authority\Configure Lsa Protected Process'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Allow apps from the Microsoft app store to auto update' is set to 'Allowed'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/AllowAppStoreAutoUpdate' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-apps-from-the-microsoft-app-store-to-auto-update-is-allowed, cis_safeguard_ids:CIS55.1
+ description: 'This setting enables or disables the automatic download and installation of Microsoft
+
+ Store app updates.
+
+ The recommended state for this setting is: Allowed.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Allowed: + + Microsoft App Store\Allow apps from the Microsoft app store to auto update' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Game DVR' is set to 'Block' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/AllowGameDVR' AND mdm_command_output = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-game-dvr-is-block, cis_safeguard_ids:CIS55.2 + description: 'This setting enables or disables the Windows Game Recording and Broadcasting + + features. + + The recommended state for this setting is: Block.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Block: + + Microsoft App Store\Allow Game DVR' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Block Non Admin User Install' is set to 'Allow' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:network, requirement:standard, critical:false, control:block-non-admin-user-install-is-allow, cis_safeguard_ids:CIS55.4 + description: 'This setting manages non-Administrator users'' ability to install Windows app packages. + + The recommended state for this setting is: Allow. + + Warning: If the Self Service Password Reset (SSPR) feature is used in Microsoft Entra + + ID, an exception to this recommendation is needed as it''s known to interfere with SSPR.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Allow. + + Microsoft App Store\Block Non Admin User Install' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'MSI Allow user control over installs' is set to 'Disabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/MSIAllowUserControlOverInstall' AND mdm_command_output = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:msi-allow-user-control-over-installs-is-disabled, cis_safeguard_ids:CIS55.6 + description: 'This setting controls whether users are permitted to change installation options that + + typically are available only to system administrators. The security features of Windows + + Installer normally prevent users from changing installation options that are typically + + reserved for system administrators, such as specifying the directory to which files are + + installed. If Windows Installer detects that an installation package has permitted the + + user to change a protected option, it stops the installation and displays a message. + + These security features operate only when the installation program is running in a + + privileged security context in which it has access to directories denied to the user. + + The recommended state for this setting is: Disabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled: + + Microsoft App Store\MSI Allow user control over installs' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'MSI Always install with elevated privileges' is set to 'Disabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges' AND mdm_command_output = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:msi-always-install-with-elevated-privileges-is-disabled, cis_safeguard_ids:CIS55.7 + description: 'This setting controls whether or not Windows Installer should use system permissions + + when it installs any program on the system. + + Note: This setting appears both in the Computer Configuration and User Configuration + + folders. To make this setting effective, you must enable the setting in both folders. + + Caution: If enabled, skilled users can take advantage of the permissions this setting + + grants to change their privileges and gain permanent access to restricted files and + + folders. Note that the User Configuration version of this setting is not guaranteed to be + + secure. + + The recommended state for this setting is: Disabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled: + + Microsoft App Store\MSI Always install with elevated privileges' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'MSI Always install with elevated privileges (User)' is set to 'Disabled' + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\S-1-%\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated' AND data = '1'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:msi-always-install-with-elevated-privileges-user-is-disabled, cis_safeguard_ids:CIS55.8 + description: 'This setting controls whether or not Windows Installer should use system permissions + + when it installs any program on the system. + + Note: This setting appears both in the Computer Configuration and User Configuration + + folders. To make this setting effective, you must enable the setting in both folders. + + Caution: If enabled, skilled users can take advantage of the permissions this setting + + grants to change their privileges and gain permanent access to restricted files and + + folders. Note that the User Configuration version of this setting is not guaranteed to be + + secure. + + The recommended state for this setting is: Disabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled: + + Microsoft App Store\MSI Always install with elevated privileges (User)' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Input Personalization' is set to 'Block' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Privacy/AllowInputPersonalization' AND mdm_command_output = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-input-personalization-is-block, cis_safeguard_ids:CIS68.2 + description: 'This policy enables the automatic learning component of input personalization that + + includes speech, inking, and typing. Automatic learning enables the collection of speech + + and handwriting patterns, typing history, contacts, and recent calendar information. It is + + required for the use of Cortana. Some of this collected information may be stored on the + + user''s OneDrive, in the case of inking and typing; some of the information will be + + uploaded to Microsoft to personalize speech. + + The recommended state for this setting is: Block.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Block: + + Privacy\Allow Input Personalization' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Let Apps Activate With Voice Above Lock'' is set to ''Enabled: Force Deny''' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Privacy/LetAppsActivateWithVoiceAboveLock' AND mdm_command_output = '2'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:let-apps-activate-with-voice-above-lock-is-enabled-force-deny, cis_safeguard_ids:CIS68.4 + description: 'This policy setting specifies whether Windows apps can be activated by voice (apps and + + Cortana) while the system is locked. + + The recommended state for this setting is: Enabled: Force Deny.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: Force Deny: + + Privacy\Let Apps Activate With Voice Above Lock' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Indexing Encrypted Stores Or Items' is set to 'Block' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Search/AllowIndexingEncryptedStoresOrItems' AND mdm_command_output = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-indexing-encrypted-stores-or-items-is-block, cis_safeguard_ids:CIS72.2 + description: 'This policy setting controls whether encrypted items are allowed to be indexed. When + + this setting is changed, the index is rebuilt completely. 
Full volume encryption (such as + + BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of + + the index to maintain security for encrypted files. + + The recommended state for this setting is: Block.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Block: + + Search\Allow Indexing Encrypted Stores Or Items' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Search To Use Location' is set to 'Block' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Search/AllowSearchToUseLocation' AND mdm_command_output = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-search-to-use-location-is-block, cis_safeguard_ids:CIS72.3 + description: 'This policy setting specifies whether search and Cortana can provide location aware + + search and Cortana results. + + The recommended state for this setting is: Block.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Block: + + Search\Allow search to use location' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Notify Malicious' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/WebThreatDefense/NotifyMalicious' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:notify-malicious-is-enabled, cis_safeguard_ids:CIS76.1.1 + description: 'This policy setting determines whether Enhanced Phishing Protection in Microsoft + + Defender SmartScreen warns users if they type their work or school password into one + + of the following malicious scenarios: into a reported phishing site, into a Microsoft login + + URL with an invalid certificate, or into an application connecting to either a reported + + phishing site or a Microsoft login URL with an invalid certificate. + + The recommended state for this setting is: Enabled. + + Note: This setting only applies to Microsoft Accounts (computer or browser login) while + + using Microsoft Windows 11 and not on-prem domain-joined accounts.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: + + Smart Screen\Enhanced Phishing Protection\Notify Malicious' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Notify Password Reuse' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/WebThreatDefense/NotifyPasswordReuse' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:notify-password-reuse-is-enabled, cis_safeguard_ids:CIS76.1.2 + description: 'This policy setting determines whether Enhanced Phishing Protection in Microsoft + + Defender SmartScreen warns users if they reuse their work or school password. + + The recommended state for this setting is: Enabled. + + Note: This setting only applies to Microsoft Accounts (computer or browser login) while + + using Microsoft Windows 11 and not on prem domain-joined accounts.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: + + Smart Screen\Enhanced Phishing Protection\Notify Password Reuse' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Notify Unsafe App' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/WebThreatDefense/NotifyUnsafeApp' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:notify-unsafe-app-is-enabled, cis_safeguard_ids:CIS76.1.3 + description: 'This policy setting determines whether Enhanced Phishing Protection in Microsoft + + Defender SmartScreen warns users if they type their work or school passwords in + + Notepad, WordPad, or M365 Office apps like OneNote, Word, Excel, etc. + + The recommended state for this setting is: Enabled. + + Note: This setting only applies to Microsoft Accounts (computer or browser login) while + + using Microsoft Windows 11 and not on prem domain-joined accounts.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: + + Smart Screen\Enhanced Phishing Protection\Notify Unsafe App' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Service Enabled' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components\ServiceEnabled' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS76.1.4 + description: 'This policy setting determines whether Enhanced Phishing Protection is in audit mode. 
+ + This allows notifications to be sent to users regarding unsafe password events. + + Additionally, Enhanced Phishing Protection captures unsafe password entry events and + + sends diagnostic data through Microsoft Defender. + + The recommended state for this setting is: Enabled. + + Note: This setting only applies to Microsoft accounts (computer or browser login) while + + using Microsoft Windows 11 and not on-prem domain-joined accounts.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: + + Smart Screen\Enhanced Phishing Protection\Service Enabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Enable Sudo' is set to 'Sudo is disabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Sudo/EnableSudo' AND mdm_command_output = '0'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-sudo-is-sudo-is-disabled, cis_safeguard_ids:CIS79.1 + description: 'This policy setting configures the use of the sudo.exe command line tool. The sudo + + feature in Windows allows users to run elevated commands (as an administrator) + + directly from an unelevated console session. + + The recommended state for this setting is: Sudo is disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Sudo is disabled. 
+ + Sudo\Enable Sudo' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Telemetry' is set to 'Basic' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/System/AllowTelemetry' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-telemetry-is-basic, cis_safeguard_ids:CIS80.3 + description: 'This policy setting determines the amount of diagnostic and usage data reported to + + Microsoft: + + The recommended state for this setting is: Basic or Security. + + Note: If your organization relies on Windows Update, the minimum recommended + + setting is Required diagnostic data. Because no Windows Update information is + + collected when diagnostic data is off, important information about update failures is not + + sent. Microsoft uses this information to fix the causes of those failures and improve the + + quality of updates. + + Note #2: The Configure diagnostic data opt-in settings user interface group policy can + + be used to prevent end users from changing their data collection settings. + + Note #3: Enhanced diagnostic data setting is not available on Windows 11 and + + Windows Server 2022 and has been replaced with policies that can control the amount + + of optional diagnostic data that is sent. 
For more information on these settings visit + + Manage diagnostic data using Group Policy and MDM' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Basic or Security: + + System\Allow Telemetry' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\EnableOneSettingsAuditing' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-onesettings-auditing-is-enabled, cis_safeguard_ids:CIS80.6 + description: 'This policy setting controls whether Windows records attempts to connect with the + + OneSettings service to the Event Log. + + The recommended state for this setting is: Enabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: + + System\Enable OneSettings Auditing' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/System/LimitDiagnosticLogCollection' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:limit-diagnostic-log-collection-is-enabled, cis_safeguard_ids:CIS80.7 + description: 'This policy setting controls whether additional diagnostic logs are collected when more + + information is needed to troubleshoot a problem on the device. + + The recommended state for this setting is: Enabled. 
+ + Note: Diagnostic logs are only sent when the device has been configured to send + + optional diagnostic data. Diagnostic data is limited when recommendation Allow + + Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or + + Enabled: Send required diagnostic data to send only basic information.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled: + + System\Limit Diagnostic Log Collection' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Limit Dump Collection' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/System/LimitDumpCollection' AND mdm_command_output = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:limit-dump-collection-is-enabled, cis_safeguard_ids:CIS80.8 + description: 'This policy setting limits the type of memory dumps that can be collected when more + + information is needed to troubleshoot a problem. + + The recommended state for this setting is: Enabled. + + Note: Memory dumps are only sent when the device has been configured to send + + optional diagnostic data. Diagnostic data is limited when recommendation Allow + + Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or + + Enabled: Send required diagnostic data to send only basic information.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Enabled. 
+ + System\Limit Dump Collection' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'Browser'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.3 + description: 'Maintains an updated list of computers on the network and supplies this list to + + computers designated as browsers. + + The recommended state for this setting is: Disabled or Not Installed. + + Note: In Windows 8.1 and Windows 10, this service is bundled with the SMB 1.0/CIFS + + File Sharing Support optional feature. As a result, removing that feature (highly + + recommended unless backward compatibility is needed to XP/2003 and older Windows + + OSes - see Stop using SMB1 | Storage at Microsoft) will also remediate this + + recommendation. The feature is not installed by default starting with Windows 10 + + R1709.' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureComputerBrowserSer + + viceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell, by running the + + following cmdlet: + + if(Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\Browser") + + { + + Set-ItemProperty -LiteralPath + + ''HKLM:\SYSTEM\CurrentControlSet\Services\Browser'' -Name ''Start'' -Value 4 Verbose + + } + + + Note: This service is not installed in Windows 10 R1709 and newer. Running the cmdlet + + Set-Service or Get-Service aganist ''Browser'' will cause a inadvertent match + + against a similarly named service called bowser which also has the DisplayName of + + Browser which will then throw an error. bowser is actually the NT Lan Manager + + Datagram Receiver Driver. Using the literal registry path above avoids that error.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM services WHERE name = 'IISADMIN') OR EXISTS (SELECT 1 FROM services WHERE name = 'IISADMIN' AND start_type = 'DISABLED'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.7 + description: 'Enables the server to administer the IIS metabase. The IIS metabase stores + + configuration for the SMTP and FTP services. + + The recommended state for this setting is: Disabled or Not Installed. + + Note: This service is not installed by default. It is supplied with Windows, but is installed + + by enabling an optional Windows feature (Internet Information Services). + + Note #2: An organization may choose to selectively grant exceptions to web developers + + to allow IIS (or another web server) on their workstation, in order for them to locally test + + & develop web pages. 
However, the organization should track those machines and + + ensure the security controls and mitigations are kept up to date, to reduce risk of + + compromise.' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureIISAdminServiceSta + + rtupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. + + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name IISADMIN -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'irmon'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.8 + description: 'Detects other Infrared devices that are in range and launches the file transfer + + application. + + The recommended state for this setting is: Disabled or Not Installed.' 
+ resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInfraredMonitorSer + + viceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. + + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name irmon -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM services WHERE name = 'LxssManager') OR EXISTS (SELECT 1 FROM services WHERE name = 'LxssManager' AND start_type = 'DISABLED'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.10 + description: 'The LXSS Manager service supports running native ELF binaries. The service provides + + the infrastructure necessary for ELF binaries to run on Windows. + + The recommended state for this setting is: Disabled or Not Installed. + + Note: This service is not installed by default. It is supplied with Windows, but is installed + + by enabling an optional Windows feature (Windows Subsystem for Linux).' 
+ resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureLxssManagerService + + StartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. + + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name LxssManager -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'FTPSVC'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.11 + description: 'Enables the server to be a File Transfer Protocol (FTP) server. + + The recommended state for this setting is: Disabled or Not Installed. + + Note: This service is not installed by default. It is supplied with Windows, but is installed + + by enabling an optional Windows feature (Internet Information Services - FTP Server).' 
+ resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureMicrosoftFTPServic + + eStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. + + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name FTPSVC -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'sshd'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.13 + description: 'SSH protocol based service to provide secure encrypted communications between two + + untrusted hosts over an insecure network. + + The recommended state for this setting is: Disabled or Not Installed. + + Note: This service is not installed by default. It is supplied with Windows, but it is + + installed by enabling an optional Windows feature (OpenSSH Server).' + resolution: 'Remediation of this service is currently not possible through Settings Catalog or a + + custom profile OMA-URI. Instead, it can be scripted and deployed through the Intune + + Scripts or Remediations blade or by other means. 
+ + To establish the recommended configuration via PowerShell, run the following cmdlet: + + Set-Service -Name sshd -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'RpcLocator'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:remote-procedure-call-rpc-locator-rpclocator-is-disabled, cis_safeguard_ids:CIS81.20 + description: 'In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) + + Locator service manages the RPC name service database. In Windows Vista or newer + + versions of Windows, this service does not provide any functionality and is present for + + application compatibility. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRemoteProcedureCal + + lLocatorServiceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name RpcLocator -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'RemoteAccess'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:routing-and-remote-access-remoteaccess-is-disabled, cis_safeguard_ids:CIS81.22 + description: 'Offers routing services to businesses in local area and wide area network environments. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRoutingAndRemoteAc + + cessServiceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name RemoteAccess -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'simptcp'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.24 + description: 'Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, + + and Quote of the Day. + + The recommended state for this setting is: Disabled or Not Installed. + + Note: This service is not installed by default. It is supplied with Windows, but is installed + + by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime + + etc)).' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSimpleTCPIPService + + sStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name simptcp -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'sacsvr'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.26 + description: 'This service allows administrators to remotely access a command prompt using + + Emergency Management Services. + + The recommended state for this setting is: Disabled or Not Installed. + + Note: This service is not installed by default. It is supplied with Windows, but it is + + installed by enabling an optional Windows capability (Windows Emergency + + Management Services and Serial Console).' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSpecialAdministrat + + ionConsoleHelperServiceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name sacsvr -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'SSDPSRV'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:ssdp-discovery-ssdpsrv-is-disabled, cis_safeguard_ids:CIS81.27 + description: 'Discovers networked devices and services that use the SSDP discovery protocol, such + + as UPnP devices. Also announces SSDP devices and services running on the local + + computer. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSSDPDiscoveryServi + + ceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name SSDPSRV -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'upnphost'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:upnp-device-host-upnphost-is-disabled, cis_safeguard_ids:CIS81.28 + description: 'Allows UPnP devices to be hosted on this computer. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureUPnPDeviceHostServ + + iceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name upnphost -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'WMSvc'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.29 + description: 'The Web Management Service enables remote and delegated management capabilities + + for administrators to manage for the Web server, sites and applications present on the + + machine. + + The recommended state for this setting is: Disabled or Not Installed. + + Note: This service is not installed by default. It is supplied with Windows, but is installed + + by enabling an optional Windows feature (Internet Information Services - Web + + Management Tools - IIS Management Service).' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWebManagementServi + + ceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name WMSvc -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'WMPNetworkSvc'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.32 + description: 'Shares Windows Media Player libraries to other networked players and media devices + + using Universal Plug and Play. + + The recommended state for this setting is: Disabled or Not Installed.' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMediaPlayer + + NetworkSharingServiceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name WMPNetworkSvc -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'icssvc'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:windows-mobile-hotspot-service-icssvc-is-disabled, cis_safeguard_ids:CIS81.33 + description: 'Provides the ability to share a cellular data connection with another device. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMobileHotsp + + otServiceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. 
+ + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name icssvc -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'W3SVC'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS81.38 + description: 'Provides Web connectivity and administration through the Internet Information Services + + Manager. + + The recommended state for this setting is: Disabled or Not Installed. + + Note: This service is not installed by default. It is supplied with Windows, but is installed + + by enabling an optional Windows feature (Internet Information Services - World Wide + + Web Services). + + Note #2: An organization may choose to selectively grant exceptions to web developers + + to allow IIS (or another web server) on their workstation, in order for them to locally test + + & develop web pages. However, the organization should track those machines and + + ensure the security controls and mitigations are kept up to date, to reduce risk of + + compromise.' + resolution: 'To establish the recommended configuration, set the following Custom Configuration + + Policy to 4 or confirm that the service is Not installed: + + Name: + + + + Description: + + OMA-URI: + + ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWorldWideWebPublis + + hingServiceStartupMode + + Data Type: + + Integer + + Value: + + 4 + + + Note: As of January 2024, despite its inclusion in Microsoft’s official documentation, + + using an OMI-URI to configure a Windows Service Startup Mode via a custom profile + + will lead to an error in Intune. 
This error will be logged in the local event log as “The + + system cannot find the file specified.” Currently, the most reliable method for + + remediation is through PowerShell. + + The recommended configuration can also be established via PowerShell by running the + + following cmdlet: + + Set-Service -Name W3SVC -StartupType Disabled' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'XboxGipSvc'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:xbox-accessory-management-service-xboxgipsvc-is-disabled, cis_safeguard_ids:CIS81.39 + description: 'This service manages connected Xbox Accessories. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + System Services\Xbox Accessory Management Service' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'XblAuthManager'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:xbox-live-auth-manager-xblauthmanager-is-disabled, cis_safeguard_ids:CIS81.40 + description: 'Provides authentication and authorization services for interacting with Xbox Live. + + The recommended state for this setting is: Disabled.' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + System Services\Xbox Live Auth Manager' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'XblGameSave'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:xbox-live-game-save-xblgamesave-is-disabled, cis_safeguard_ids:CIS81.41 + description: 'This service syncs save data for Xbox Live save enabled games. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. + + System Services\Xbox Live Game Save' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' + query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'XboxNetApiSvc'), 'DISABLED') = 'DISABLED'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:xbox-live-networking-service-xboxnetapisvc-is-disabled, cis_safeguard_ids:CIS81.42 + description: 'This service supports the Windows.Networking.XboxLive application programming + + interface. + + The recommended state for this setting is: Disabled.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to Disabled. 
+ + System Services\Xbox Live Networking Service' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Access Credential Manager As Trusted Caller' is set to 'No One' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/AccessCredentialManagerAsTrustedCaller' AND mdm_command_output = ''; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.1 + description: 'This security setting is used by Credential Manager during Backup and Restore. No + + accounts should have this user right, as it is only assigned to Winlogon. Users'' saved + + credentials might be compromised if this user right is assigned to other entities. + + The recommended state for this setting is: No One.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to () which represents No One. + + User Rights\Access Credential Manager As Trusted Caller + + + Note: Using () to represent a blank value or No One is recommended + + by Microsoft. However, there is a known issue where an error occurs in Endpoint + + Manger (Intune) but this does not affect the policy setting from being applied properly to + + the system.' 
+--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Access From Network' is set to 'Administrators, Remote Desktop Users' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/AccessFromNetwork' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%Remote Desktop Users%'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.2 + description: 'This policy setting allows other users on the network to connect to the computer and is + + required by various network protocols that include Server Message Block (SMB)-based + + protocols, NetBIOS, Common Internet File System (CIFS), and Component Object + + Model Plus (COM+). + + The recommended state for this setting is: *S-1-5-32-544 and *S-1-5-32-555 + + (Administrators, Remote Desktop Users). + + Note: If your organization is using Microsoft Defender for Identity (formerly Azure + + Advanced Threat Protection (Azure ATP)), the (organization-named) Defender for + + Identity Directory Service Account (DSA), will also need to be granted the same Access + + from network User Right Assignment. For more information on adding the service + + account please see Make sure the DSA is allowed to access computers from the + + network in Microsoft Defender for Identity | Microsoft Docs.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 and *S-1-5-32-555 (Administrators, Remote + + Desktop Users). + + User Rights\Access From Network + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' 
+--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Act As Part Of The Operating System' is set to 'No One' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ActAsPartOfTheOperatingSystem' AND mdm_command_output = ''; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.3 + description: 'This policy setting allows a process to assume the identity of any user and thus gain + + access to the resources that the user is authorized to access. + + The recommended state for this setting is: No One. + + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to () which equals No One. + + User Rights\Act As Part Of The Operating System + + + Note: Using () to represent a blank value or No One is recommended + + by Microsoft. However, there is a known issue where an error occurs in Endpoint + + Manger (Intune) but does not affect the policy setting from being applied to the system + + properly.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Allow Local Log On' is set to 'Administrators, Users' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/AllowLocalLogOn' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%Users%'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.4 + description: 'This policy setting determines which users can interactively log on to computers in your + + environment. 
Logons that are initiated by pressing the CTRL+ALT+DEL key sequence + + on the client computer keyboard require this user right. Users who attempt to log on + + through Terminal Services / Remote Desktop Services or IIS also require this user right. + + The recommended state for this setting is: *S-1-5-32-544, *S-1-5-32-545 + + (Administrators, Users). + + Note: The Guest account is also assigned this user right by default. Although this + + account is disabled by default, it''s recommended that you configure this setting through + + Group Policy. However, this user right should generally be restricted to the + + Administrators and Users groups. Assign this user right to the Backup Operators + + group if your organization requires that they have this capability.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544, *S-1-5-32-545 (Administrators, Users). + + User Rights\Allow Local Log On + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Backup Files And Directories' is set to 'Administrators' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/BackupFilesAndDirectories' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.5 + description: 'This policy setting allows users to circumvent file and directory permissions to back up + + the system. This user right is enabled only when an application (such as NTBACKUP) + + attempts to access a file or directory through the NTFS file system backup application + + programming interface (API). Otherwise, the assigned file and directory permissions + + apply. 
+ + The recommended state for this setting is: *S-1-5-32-544 (Administrators). + + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 (Administrators). + + User Rights\Backup Files And Directories + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Change System Time' is set to 'Administrators, LOCAL SERVICE' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ChangeSystemTime' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%LOCAL SERVICE%'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.6 + description: 'This policy setting determines which users and groups can change the time and date on + + the internal clock of the computers in your environment. Users who are assigned this + + user right can affect the appearance of event logs. When a computer''s time setting is + + changed, logged events reflect the new time, not the actual time that the events + + occurred. + + The recommended state for this setting is: *S-1-5-32-544 and *S-1-5-19 + + (Administrators, LOCAL SERVICE). + + Note: Discrepancies between the time on the local computer and on the Domain + + Controllers in your environment may cause problems for the Kerberos authentication + + protocol, which could make it impossible for users to log on to the domain or obtain + + authorization to access domain resources after they are logged on. 
Also, problems will + + occur when Group Policy is applied to client computers if the system time is not + + synchronized with the Domain Controllers.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 and *S-1-5-19 (Administrators, LOCAL + + SERVICE). + + User Rights\Change System Time + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Create Global Objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/CreateGlobalObjects' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%LOCAL SERVICE%' AND mdm_command_output LIKE '%NETWORK SERVICE%' AND mdm_command_output LIKE '%SERVICE%'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.7 + description: 'This policy setting determines whether users can create global objects that are available + + to all sessions. Users can still create objects that are specific to their own session if they + + do not have this user right. + + Users who can create global objects could affect processes that run under other users'' + + sessions. This capability could lead to a variety of problems, such as application failure + + or data corruption. + + The recommended state for this setting is: *S-1-5-32-544, *S-1-5-19, *S-1-5-20 and + + *S-1-5-6 (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE).' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544, *S-1-5-19, *S-1-5-20 and *S-1-5-6 + + (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE). + + User Rights\Create Global Objects + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Create Page File' is set to 'Administrators' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/CreatePageFile' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.8 + description: 'This policy setting allows users to change the size of the pagefile. By making the + + pagefile extremely large or extremely small, an attacker could easily affect the + + performance of a compromised computer. + + The recommended state for this setting is: *S-1-5-32-544 (Administrators).' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 (Administrators). + + User Rights\Create Page File + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' 
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Create Permanent Shared Objects' is set to 'No One'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/CreatePermanentSharedObjects' AND mdm_command_output = '';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.9
+ description: 'This user right is useful to kernel-mode components that extend the object namespace.
+
+ However, components that run in kernel mode have this user right inherently. Therefore,
+
+ it is typically not necessary to specifically assign this user right.
+
+ The recommended state for this setting is: No One.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to () which equals No One.
+
+ User Rights\Create Permanent Shared Objects
+
+
+ Note: Using () to represent a blank value or No One is recommended
+
+ by Microsoft. However, there is a known issue where an error occurs in Endpoint
+
+ Manger (Intune) but does not affect the policy setting from being applied to the system
+
+ properly.'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Create Symbolic Links' is set to 'Administrators'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/CreateSymbolicLinks' AND mdm_command_output LIKE '%Administrators%';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.10
+ description: 'This policy setting determines which users can create symbolic links.
In Windows Vista,
+
+ existing NTFS file system objects, such as files and folders, can be accessed by
+
+ referring to a new kind of file system object called a symbolic link. A symbolic link is a
+
+ pointer (much like a shortcut or .lnk file) to another file system object, which can be a
+
+ file, folder, shortcut or another symbolic link. The difference between a shortcut and a
+
+ symbolic link is that a shortcut only works from within the Windows shell. To other
+
+ programs and applications, shortcuts are just another file, whereas with symbolic links,
+
+ the concept of a shortcut is implemented as a feature of the NTFS file system.
+
+ Symbolic links can potentially expose security vulnerabilities in applications that are not
+
+ designed to use them. For this reason, the privilege for creating symbolic links should
+
+ only be assigned to trusted users. By default, only Administrators can create
+
+ symbolic links.
+
+ The recommended state for this setting is: *S-1-5-32-544 (Administrators) and (when
+
+ the Hyper-V feature is installed) *S-1-5-83-0 (NT VIRTUAL MACHINE\Virtual
+
+ Machines).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to *S-1-5-32-544 (Administrators) and optionally *S-1-5-83-0
+
+ (NT VIRTUAL MACHINE\Virtual Machines)
+
+ User Rights\Create Symbolic Links
+
+
+ Note: Include only one User or Group per line in the Settings Catalog configuration
+
+ screen.'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Create Token' is set to 'No One'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/CreateToken' AND mdm_command_output = '';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.11
+ description: 'This policy setting allows a process to create an access token, which may provide
+
+ elevated rights to access sensitive data.
+
+ The recommended state for this setting is: No One.
+
+ Note: This user right is considered a "sensitive privilege" for the purposes of auditing.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to () which equals No One.
+
+ User Rights\Create Token
+
+
+ Note: Using () to represent a blank value or No One is recommended
+
+ by Microsoft. However, there is a known issue where an error occurs in Endpoint
+
+ Manger (Intune) but does not affect the policy setting from being applied to the system
+
+ properly.'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Debug Programs' is set to 'Administrators'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/DebugPrograms' AND mdm_command_output LIKE '%Administrators%';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.12
+ description: 'This policy setting determines which user accounts will have the right to attach a
+
+ debugger to any process or to the kernel, which provides complete access to sensitive
+
+ and critical operating system components.
Developers who are debugging their own + + applications do not need to be assigned this user right; however, developers who are + + debugging new system components will need it. + + The recommended state for this setting is: *S-1-5-32-544 (Administrators). + + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 (Administrators). + + User Rights\Debug Programs + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Deny Access From Network' to include 'Guests, Local account' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/DenyAccessFromNetwork' AND (mdm_command_output LIKE '%Guests%' AND mdm_command_output LIKE '%Local account%'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.13 + description: 'This policy setting prohibits users from connecting to a computer from across the + + network, which would allow users to access and potentially modify data remotely. In + + high security environments, there should be no need for remote users to access data on + + a computer. Instead, file sharing should be accomplished through the use of network + + servers. This user right supersedes the Access Computer From Network user right if + + an account is subject to both policies. + + The recommended state for this setting is to include: *S-1-5-32-546 and *S-1-5-113 + + (Guests, Local account). + + Caution: Configuring a standalone (non-domain-joined) workstation as described above + + may result in an inability to remotely administer the workstation. 
+ + Note: The security identifier Local account is not available in Windows 7 and + + Windows 8.0 unless MSKB 2871997 has been installed.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-546 and *S-1-5-113 (Guests, Local account). + + User Rights\Deny Access From Network + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Deny Local Log On' to include 'Guests' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/DenyLocalLogOn' AND mdm_command_output LIKE '%Guests%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.14 + description: 'This security setting determines which users are prevented from logging on at the + + computer. This policy setting supersedes the Allow log on locally policy setting if an + + account is subject to both policies. + + The recommended state for this setting is to include: *S-1-5-32-546 (Guests). + + Important: If you apply this security policy to the Everyone group, no one will be able to + + log on locally. + + Warning: The help text in Intune associated with this recommendation is for the setting, + + Deny log on as a service and not this setting.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-546 (Guests). + + User Rights\Deny Local Log On + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' 
+--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Deny Log On As Batch Job' to include 'Guests' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/DenyLogOnAsBatchJob' AND mdm_command_output LIKE '%Guests%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.15 + description: 'This policy setting determines which accounts will not be able to log on to the computer + + as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. + + Accounts that use the Task Scheduler to schedule jobs need this user right. + + This user right supersedes the Log on as a batch job user right, which could be used + + to allow accounts to schedule jobs that consume excessive system resources. Such an + + occurrence could cause a DoS condition. Failure to assign this user right to the + + recommended accounts can be a security risk. + + The recommended state for this setting is to include: *S-1-5-32-546 (Guests).' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-546 (Guests). + + User Rights\Deny Log On As Batch Job' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Deny Log On As Service Job' to include 'Guests' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/DenyLogOnAsService' AND mdm_command_output LIKE '%Guests%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.16 + description: 'This security setting determines which service accounts are prevented from registering + + a process as a service. 
This user right supersedes the Log on as a service user right if + + an account is subject to both policies. + + The recommended state for this setting is to include: *S-1-5-32-546 (Guests). + + Note: This security setting does not apply to the System, Local Service, or Network + + Service accounts.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-546 (Guests). + + User Rights\Deny Log On As Service Job' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Deny Remote Desktop Services Log On' to include 'Guests, Local account' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/DenyRemoteDesktopServicesLogOn' AND (mdm_command_output LIKE '%Guests%' AND mdm_command_output LIKE '%Local account%'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.17 + description: 'This policy setting determines whether users can log on as Remote Desktop clients. + + After the baseline workstation is joined to a domain environment, there is no need to + + use local accounts to access the workstation from the network. Domain accounts can + + access the workstation for administration and end-user processing. This user right + + supersedes the Allow log on through Remote Desktop Services user right if an + + account is subject to both policies. + + The recommended state for this setting is to include: *S-1-5-32-546 and *S-1-5-113 + + (Guests, Local account). + + Caution: Configuring a standalone (non-domain-joined) workstation as described above + + may result in an inability to remotely administer the workstation. + + Caution #2: Configuring a cloud system workstation as described above may result in + + an inability log on to the workstation. 
In this case, Local Accounts need this ability for + + the log on to succeed. + + Note: The security identifier Local account is not available in Windows 7 and + + Windows 8.0 unless MSKB 2871997 has been installed. + + Note #2: In all versions of Windows prior to Windows 7, Remote Desktop Services + + was known as Terminal Services, so you should substitute the older term if comparing + + against an older OS.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-546 and *S-1-5-113 (Guests, Local account). + + User Rights\Deny Remote Desktop Services Log On + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Enable Delegation' is set to 'No One' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/EnableDelegation' AND mdm_command_output = ''; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.18 + description: 'This policy setting allows users to change the Trusted for Delegation setting on a + + computer object in Active Directory. Abuse of this privilege could allow unauthorized + + users to impersonate other users on the network. + + The recommended state for this setting is: No One. + + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to () which equals No One. + + User Rights\Enable Delegation + + + Note: Using () to represent a blank value or No One is recommended + + by Microsoft. 
However, there is a known issue where an error occurs in Endpoint + + Manger (Intune) but does not affect the policy setting from being applied to the system + + properly.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Generate Security Audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/GenerateSecurityAudits' AND (mdm_command_output LIKE '%LOCAL SERVICE%' AND mdm_command_output LIKE '%NETWORK SERVICE%'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.19 + description: 'This policy setting determines which users or processes can generate audit records in + + the Security log. + + The recommended state for this setting is: *S-1-5-19 and *S-1-5-20 (LOCAL + + SERVICE, NETWORK SERVICE). + + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-19 and *S-1-5-20 (LOCAL SERVICE, NETWORK + + SERVICE). + + User Rights\Generate security audits + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' 
+--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Impersonate Client' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ImpersonateClient' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%LOCAL SERVICE%' AND mdm_command_output LIKE '%NETWORK SERVICE%' AND mdm_command_output LIKE '%SERVICE%'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.20 + description: 'The policy setting allows programs that run on behalf of a user to impersonate that user + + (or another specified account) so that they can act on behalf of the user. If this user right + + is required for this kind of impersonation, an unauthorized user will not be able to + + convince a client to connect—for example, by remote procedure call (RPC) or named + + pipes—to a service that they have created to impersonate that client, which could + + elevate the unauthorized user''s permissions to administrative or system levels. + + Services that are started by the Service Control Manager have the built-in Service group + + added by default to their access tokens. COM servers that are started by the COM + + infrastructure and configured to run under a specific account also have the Service + + group added to their access tokens. As a result, these processes are assigned this user + + right when they are started. + + Also, a user can impersonate an access token if any of the following conditions exist: + + • + + • + + • + + + The access token that is being impersonated is for this user. + + The user, in this logon session, logged on to the network with explicit credentials + + to create the access token. + + The requested level is less than Impersonate, such as Anonymous or Identify. 
+ + + An attacker with the Impersonate a client after authentication user right could create + + a service, trick a client to make them connect to the service, and then impersonate that + + client to elevate the attacker''s level of access to that of the client. + + The recommended state for this setting is: *S-1-5-32-544, *S-1-5-19, *S-1-5-20 and + + *S-1-5-6 (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE). + + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544, *S-1-5-19, *S-1-5-20 and *S-1-5-6 + + (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE). + + User Rights\Impersonate Client + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Increase Scheduling Priority' is set to 'Administrators, Window Manager\Window Manager Group' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/IncreaseSchedulingPriority' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.21 + description: 'This policy setting determines whether users can increase the base priority class of a + + process. (It is not a privileged operation to increase relative priority within a priority + + class.) This user right is not required by administrative tools that are supplied with the + + operating system but might be required by software development tools. + + The recommended state for this setting is: *S-1-5-32-544 and *S-1-5-90-0 + + (Administrators, Window Manager\Window Manager Group).' 
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 and *S-1-5-90-0 (Administrators, Window + + Manager\Window Manager Group). + + User Rights\Increase scheduling priority + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Load Unload Device Drivers' is set to 'Administrators' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/LoadUnloadDeviceDrivers' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.22 + description: 'This policy setting allows users to dynamically load a new device driver on a system. An + + attacker could potentially use this capability to install malicious code that appears to be + + a device driver. This user right is required for users to add local printers or printer + + drivers in Windows Vista. + + The recommended state for this setting is: *S-1-5-32-544 (Administrators). + + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 (Administrators). + + User Rights\Load Unload Device Drivers + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' 
+--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Lock Memory' is set to 'No One' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/LockMemory' AND mdm_command_output = ''; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.23 + description: 'This policy setting allows a process to keep data in physical memory, which prevents + + the system from paging the data to virtual memory on disk. If this user right is assigned, + + significant degradation of system performance can occur. + + The recommended state for this setting is: No One.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to () which equals No One. + + User Rights\Lock Memory + + + Note: Using () to represent a blank value or No One is recommended + + by Microsoft. However, there is a known issue where an error occurs in Endpoint + + Manger (Intune) but does not affect the policy setting from being applied to the system + + properly.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Manage auditing and security log' is set to 'Administrators' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ManageAuditingAndSecurityLog' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.25 + description: 'This policy setting determines which users can change the auditing options for files and + + directories and clear the Security log. + + The recommended state for this setting is: *S-1-5-32-544 (Administrators). 
+ + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 (Administrators). + + User Rights\Manage auditing and security log + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Manage Volume' is set to 'Administrators' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ManageVolume' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.26 + description: 'This policy setting allows users to manage the system''s volume or disk configuration, + + which could allow a user to delete a volume and cause data loss as well as a denial-ofservice condition. + + The recommended state for this setting is: *S-1-5-32-544 (Administrators). + + Note: A workstation with Microsoft SQL Server installed will require a special exception + + to this recommendation for the account that runs the SQL Server service to be granted + + this user right.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 (Administrators). + + User Rights\Manage Volume + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen. 
+ + \' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Modify Firmware Environment' is set to 'Administrators' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ModifyFirmwareEnvironment' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.27 + description: 'This policy setting allows users to configure the system-wide environment variables that + + affect hardware configuration. This information is typically stored in the Last Known + + Good Configuration. Modification of these values and could lead to a hardware failure + + that would result in a denial of service condition. + + The recommended state for this setting is: *S-1-5-32-544 (Administrators). + + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 (Administrators). + + User Rights\Modify Firmware Environment + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Modify Object Label' is set to 'No One' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ModifyObjectLabel' AND mdm_command_output = ''; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.28 + description: 'This privilege determines which user accounts can modify the integrity label of objects, + + such as files, registry keys, or processes owned by other users. 
Processes running + + under a user account can modify the label of an object owned by that user to a lower + + level without this privilege. + + The recommended state for this setting is: No One.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to () which equals No One. + + User Rights\Modify Object Label + + + Note: Using () to represent a blank value or No One is recommended + + by Microsoft. However, there is a known issue where an error occurs in Endpoint + + Manger (Intune) but does not affect the policy setting from being applied to the system + + properly.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Profile Single Process' is set to 'Administrators' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ProfileSingleProcess' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.29 + description: 'This policy setting determines which users can use tools to monitor the performance of + + non-system processes. Typically, you do not need to configure this user right to use the + + Microsoft Management Console (MMC) Performance snap-in. However, you do need + + this user right if System Monitor is configured to collect data using Windows + + Management Instrumentation (WMI). Restricting the Profile single process user right + + prevents intruders from gaining additional information that could be used to mount an + + attack on the system. + + The recommended state for this setting is: *S-1-5-32-544 (Administrators).' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 (Administrators). 
+ + User Rights\Profile single process + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Profile System Performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ProfileSystemPerformance' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.30 + description: 'This policy setting allows users to use tools to view the performance of different system + + processes, which could be abused to allow attackers to determine a system''s active + + processes and provide insight into the potential attack surface of the computer. + + The recommended state for this setting is: *S-1-5-32-544, *S-1-5-80 + + (Administrators, NT SERVICE\WdiServiceHost).' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544, *S-1-5-80 (Administrators, NT + + SERVICE\WdiServiceHost). + + User Rights\Profile System Performance' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Remote Shutdown' is set to 'Administrators' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/RemoteShutdown' AND mdm_command_output LIKE '%Administrators%'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.31 + description: 'This policy setting allows users to shut down Windows Vista-based or newer computers + + from remote locations on the network. 
Anyone who has been assigned this user right + + can cause a denial of service (DoS) condition, which would make the computer + + unavailable to service user requests. Therefore, it is recommended that only highly + + trusted administrators be assigned this user right. + + The recommended state for this setting is: *S-1-5-32-544 (Administrators).' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-32-544 (Administrators). + + User Rights\Remote Shutdown + + + Note: Include only one User or Group per line in the Settings Catalog configuration + + screen.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Replace Process Level Token' is set to 'LOCAL SERVICE, NETWORK SERVICE' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ReplaceProcessLevelToken' AND (mdm_command_output LIKE '%LOCAL SERVICE%' AND mdm_command_output LIKE '%NETWORK SERVICE%'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.32 + description: 'This policy setting allows one process or service to start another service or process with + + a different security access token, which can be used to modify the security access token + + of that sub-process and result in the escalation of privileges. + + The recommended state for this setting is: *S-1-5-19, *S-1-5-20 (LOCAL SERVICE, + + NETWORK SERVICE). + + Note: This user right is considered a "sensitive privilege" for the purposes of auditing.' + resolution: 'To establish the recommended configuration via configuration profiles, set the following + + Settings Catalog path to *S-1-5-19, *S-1-5-20 (LOCAL SERVICE, NETWORK + + SERVICE). 
+
+ User Rights\Replace Process Level Token'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Restore Files And Directories' is set to 'Administrators'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/RestoreFilesAndDirectories' AND mdm_command_output LIKE '%Administrators%';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.33
+ description: 'This policy setting determines which users can bypass file, directory, registry, and other
+
+ persistent object permissions when restoring backed up files and directories on
+
+ computers that run Windows Vista (or newer) in your environment. This user right also
+
+ determines which users can set valid security principals as object owners; it is similar to
+
+ the Back up files and directories user right.
+
+ The recommended state for this setting is: *S-1-5-32-544 (Administrators).
+
+ Note: This user right is considered a "sensitive privilege" for the purposes of auditing.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to *S-1-5-32-544 (Administrators).
+
+ User Rights\Restore files and directories
+
+
+ Note: Include only one User or Group per line in the Settings Catalog configuration
+
+ screen.'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Shut Down The System' is set to 'Administrators, Users'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/ShutDownTheSystem' AND (mdm_command_output LIKE '%Administrators%' AND mdm_command_output LIKE '%Users%');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.34
+ description: 'This policy setting determines which users who are logged on locally to the computers
+
+ in your environment can shut down the operating system with the Shut Down command.
+
+ Misuse of this user right can result in a denial of service condition.
+
+ The recommended state for this setting is: *S-1-5-32-544, *S-1-5-32-545
+
+ (Administrators, Users).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to *S-1-5-32-544, *S-1-5-32-545 (Administrators, Users).
+
+ User Rights\Shut Down The System'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Take Ownership' is set to 'Administrators'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/UserRights/TakeOwnership' AND mdm_command_output LIKE '%Administrators%';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS89.35
+ description: 'This policy setting allows users to take ownership of files, folders, registry keys,
+
+ processes, or threads. This user right bypasses any permissions that are in place to
+
+ protect objects to give ownership to the specified user.
+
+ The recommended state for this setting is: *S-1-5-32-544 (Administrators).
+
+ Note: This user right is considered a "sensitive privilege" for the purposes of auditing.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to *S-1-5-32-544 (Administrators).
+
+ User Rights\Take Ownership
+
+
+ Note: Include only one User or Group per line in the Settings Catalog configuration
+
+ screen.'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Hypervisor Enforced Code Integrity' is set to 'Enabled with UEFI lock'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:hypervisor-enforced-code-integrity-is-enabled-with-uefi-lock, cis_safeguard_ids:CIS90.1
+ description: 'This setting enables virtualization based protection of Kernel Mode Code Integrity.
+
+ When this is enabled, kernel mode memory protections are enforced and the Code
+
+ Integrity validation path is protected by the Virtualization Based Security feature.
+
+ The recommended state for this setting is: Enabled with UEFI lock.
+
+ Note: Virtualization Based Security requires a 64-bit version of Windows with Secure
+
+ Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS
+
+ configuration, not a Legacy BIOS configuration. In addition, if running Windows on a
+
+ virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V)
+
+ must be exposed by the host to the guest VM.
+
+ More information on system requirements for this feature can be found at Windows
+
+ Defender Credential Guard Requirements (Windows 10) | Microsoft Docs
+
+ Note #2: Credential Guard and Device Guard are not currently supported when using
+
+ Azure IaaS VMs.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled with UEFI lock.
+
+ Virtualization Based Technology\Hypervisor Enforced Code Integrity'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Require UEFI Memory Attributes Table' is set to 'Require UEFI Memory Attributes Table'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:require-uefi-memory-attributes-table-is-require-uefi-memory-attributes-table, cis_safeguard_ids:CIS90.2
+ description: 'This option will only enable Virtualization Based Protection of Code Integrity on devices
+
+ with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI
+
+ Memory Attributes Table may have firmware that is incompatible with Virtualization
+
+ Based Protection of Code Integrity which in some cases can lead to crashes or data
+
+ loss or incompatibility with certain plug-in cards. If not setting this option the targeted
+
+ devices should be tested to ensure compatibility.
+
+ The recommended state for this setting is: Require UEFI Memory Attributes Table.
+
+ Note: Virtualization Based Security requires a 64-bit version of Windows with Secure
+
+ Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS
+
+ configuration, not a Legacy BIOS configuration. In addition, if running Windows on a
+
+ virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V)
+
+ must be exposed by the host to the guest VM.
+
+ More information on system requirements for this feature can be found at Windows
+
+ Defender Credential Guard Requirements (Windows 10) | Microsoft Docs
+
+ Note #2: Credential Guard and Device Guard are not currently supported when using
+
+ Azure IaaS VMs.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Require UEFI Memory Attributes Table.
+
+ Virtualization Based Technology\Require UEFI Memory Attributes Table'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Allow Auto Connect To Wi Fi Sense Hotspots' is set to 'Block'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Wifi/AllowAutoConnectToWiFiSenseHotspots' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-auto-connect-to-wi-fi-sense-hotspots-is-block, cis_safeguard_ids:CIS93.1
+ description: 'This policy setting determines whether users can enable the following WLAN settings:
+
+ "Connect to suggested open hotspots," "Connect to networks shared by my contacts,"
+
+ and "Enable paid services".
+
+ •
+
+
+ •
+
+
+ •
+
+
+ "Connect to suggested open hotspots" enables Windows to automatically
+
+ connect users to open hotspots it knows about by crowdsourcing networks that
+
+ other people using Windows have connected to.
+
+ "Connect to networks shared by my contacts" enables Windows to automatically
+
+ connect to networks that the user''s contacts have shared with them, and enables
+
+ users on this device to share networks with their contacts.
+
+ "Enable paid services" enables Windows to temporarily connect to open hotspots
+
+ to determine if paid services are available.
+
+
+ The recommended state for this setting is: Block.
+
+ Note: These features are also known by the name "Wi-Fi Sense".'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Block.
+
+ Wi-Fi Settings\Allow Auto Connect To Wi Fi Sense Hotspots'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Allow widgets' is set to 'Not allowed'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/NewsAndInterests/AllowNewsAndInterests' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-widgets-is-not-allowed, cis_safeguard_ids:CIS94.1
+ description: 'This policy setting specifies whether the Widgets feature is allowed on the device. The
+
+ Widgets feature provides information such as, weather, news, sports, stocks, traffic, and
+
+ entertainment (not an inclusive list).
+
+ The recommended state for this setting is: Not allowed.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Not Allowed.
+
+ Widgets\Allow widgets'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Disallow Exploit Protection Override' is set to '(Enable)'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride' AND mdm_command_output = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:disallow-exploit-protection-override-is-enable, cis_safeguard_ids:CIS96.1
+ description: 'This policy setting prevent users from making changes to the Exploit protection settings
+
+ area in the Windows Security settings.
+
+ The recommended state for this setting is: (Enable).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to (Enable).
+
+ Windows Defender Security Center\Disallow Exploit Protection Override'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Enable ESS with Supported Peripherals' is set to 'Enhanced sign-in security will be enabled…'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics\EnableESSwithSupportedPeripherals' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:enable-ess-with-supported-peripherals-is-enhanced-sign-in-security-will-be-enabled, cis_safeguard_ids:CIS97.1
+ description: 'Enhanced Sign-in Security isolates Windows Hello biometric (face and fingerprint)
+
+ template data and matching operations to trusted hardware or specified memory
+
+ regions.
+
+ The recommended state for this setting is: ESS will be enabled on systems with
+
+ capable software and hardware, following the existing default behavior
+
+ in Windows. Authentication operations of any peripheral biometric
+
+ device will be blocked and not available for Windows Hello. (default
+
+ and recommended for highest security)..'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enhanced sign-in security will be enabled…:
+
+ Windows Hello For Business\Enable ESS with Supported Peripherals'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Facial Features Use Enhanced Anti Spoofing' is set to 'true'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/PassportForWork/Biometrics/FacialFeaturesUseEnhancedAntiSpoofing' AND mdm_command_output = 'true';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:facial-features-use-enhanced-anti-spoofing-is-true, cis_safeguard_ids:CIS97.2
+ description: 'This policy setting determines whether enhanced anti-spoofing is configured for devices
+
+ which support it.
+
+ The recommended state for this setting is: true.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to true.
+
+ Windows Hello For Business\Facial Features Use Enhanced Anti Spoofing'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Minimum PIN Length' is set to '6 more character(s)'
+ query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\%\Device\Policies\PINComplexity\MinimumPINLength' AND CAST(data AS INTEGER) >= 6;
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:minimum-pin-length-is-6-more-characters, cis_safeguard_ids:CIS97.3
+ description: 'Minimum PIN length configures the minimum number of characters required for the PIN.
+
+ The lowest number you can configure for this policy setting is 4. The largest number you
+
+ can configure must be less than the number configured in the Maximum PIN length
+
+ policy setting or the number 127, whichever is the lowest.
+
+ The recommended state for this setting is: 6 more character(s).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to 6 (or more character(s)):
+
+ Windows Hello For Business\Minimum PIN Length'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Require Security Device' is set to 'true'
+ query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\%\Device\Policies\RequireSecurityDevice' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:require-security-device-is-true, cis_safeguard_ids:CIS97.4
+ description: 'This policy controls whether a Trusted Platform Module (TPM) is required to provision
+
+ Windows Hello for Business.
+
+ •
+
+ •
+
+
+ If you enable this policy setting, only devices with a usable TPM provision
+
+ Windows Hello for Business.
+
+ If you disable or don''t configure this policy setting, the TPM is still preferred, but
+
+ all devices provision Windows Hello for Business using software if the TPM is
+
+ non-functional or unavailable.
+
+
+ The recommended state for this setting is: true.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to true:
+
+ Windows Hello For Business\Require Security Device'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Allow Windows Ink Workspace'' is set to ''Enabled: but the user can''t access it above the lock screen'' OR ''Disabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsInkWorkspace\AllowWindowsInkWorkspace' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS98.2
+ description: 'This policy setting determines whether Windows Ink items are allowed above the lock
+
+ screen.
+
+ The recommended state for this setting is: Ink workspace is enabled (feature is
+
+ turned on), but the user can''t access it above the lock screen OR
+
+ Access to ink workspace is disabled. The feature is turned off.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Ink workspace is enabled (feature is turned on),
+
+ but the user can''t access it above the lock screen OR Access to ink
+
+ workspace is disabled. The feature is turned off.
+
+ Windows Ink Workspace\Allow Windows Ink Workspace'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Allow Clipboard Redirection' is set to 'Not allowed'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableClip' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-clipboard-redirection-is-not-allowed, cis_safeguard_ids:CIS101.1
+ description: 'This policy setting enables or disables clipboard sharing with the Windows Sandbox.
+
+ The recommended state for this setting is: Not allowed.
+
+ Note: The Windows Sandbox feature was first introduced in Windows 10 R1903, and
+
+ allows a temporary "clean install" virtual instance of Windows to be run inside the host,
+
+ for the ostensible purpose of testing applications without making changes to the host.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Not allowed.
+
+ Windows Sandbox\Allow Clipboard Redirection'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Allow Networking' is set to 'Not allowed'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsSandbox\AllowNetworking' AND data = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-networking-is-not-allowed, cis_safeguard_ids:CIS101.2
+ description: 'This policy setting enables or disables networking in the Windows Sandbox. Networking
+
+ is achieved by creating a virtual switch on the host, and connecting the Windows
+
+ Sandbox to it via a virtual Network Interface Card (NIC).
+
+ The recommended state for this setting is: Not allowed.
+
+ Note: The Windows Sandbox feature was first introduced in Windows 10 R1903, and
+
+ allows a temporary "clean install" virtual instance of Windows to be run inside the host,
+
+ for the ostensible purpose of testing applications without making changes to the host.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Not allowed.
+
+ Windows Sandbox\Allow Networking'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Allow Auto Update' is set to 'Enabled'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update\AllowAutoUpdate' AND data IN ('1', '2', '3', '4');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:allow-auto-update-is-enabled, cis_safeguard_ids:CIS103.1
+ description: 'This policy setting specifies whether computers in your environment will receive security
+
+ updates from Windows Update or WSUS. If you configure this policy setting to Enabled,
+
+ the operating system will recognize when a network connection is available and then
+
+ use the network connection to search Windows Update or your designated intranet site
+
+ for updates that apply to them.
+
+ After this this policy setting is set to Enabled, select one of the following options in the
+
+ Configure Automatic Updates Properties dialog box to specify how the service will work:
+
+ •
+
+ •
+
+ •
+
+
+ 2 - Auto install and restart.
+
+ 3 - Auto install and restart at a specified time. (Default)
+
+ 4 - Auto install and restart without end-user control.
+
+
+ The recommended state for this setting is: Enabled and never "Turn off automatic
+
+ updates"
+
+ Note: The sub-setting "Allow Auto Update:" has 6 possible values – not all of them are
+
+ valid depending on specific organizational needs, however if feasible we suggest using
+
+ a value of 2, 3, or 4. The only scored requirement is to not turn off automatic
+
+ updates (5).
+
+ Note #2: Organizations that utilize a third--party solution for patching may choose to
+
+ exempt themselves from this recommendation, and instead configure it to Disabled so
+
+ that the native Windows Update mechanism does not interfere with the third--party
+
+ patching process.
+
+ Warning: If option 3 or 4 is not selected, then the ScheduledInstallDay
+
+ recommendation will not take effect and an exception to that recommendation will be
+
+ needed.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to anything other than "Turn off automatic updates".
+
+ Windows Update For Business\Allow Auto Update'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Defer Feature Updates Period in Days'' is set to ''Enabled: 180 or more days'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Update/DeferFeatureUpdatesPeriodInDays' AND CAST(mdm_command_output AS INTEGER) >= 180;
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:defer-feature-updates-period-in-days-is-enabled-180-or-more-days, cis_safeguard_ids:CIS103.2
+ description: 'This policy setting determines when Preview Build or Feature Updates are received.
+
+ Defer Updates This enables devices to defer taking the next Feature Update available
+
+ to your channel for up to 14 days for all the pre-release channels and up to 365 days for
+
+ the Semi-Annual Channel. Or, if the device is updating from the Semi-Annual Channel,
+
+ a version for the device to move to and/or stay on until the policy is updated or the
+
+ device reaches end of service can be specified. Note: If you set both policies, the
+
+ version specified will take precedence and the deferrals will not be in effect. Please see
+
+ the Windows Release Information page for OS version information.
+
+ Pause Updates To prevent Feature Updates from being received on their scheduled
+
+ time, you can temporarily pause Feature Updates. The pause will remain in effect for 35
+
+ days from the specified start date or until the field is cleared (Quality Updates will still be
+
+ offered).
+
+ Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this
+
+ policy will have no effect.
+
+ Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows
+
+ Update (WU) client behavior called Dual Scan, with an eye to cloud-based update
+
+ management. In some cases, this Dual Scan feature can interfere with Windows
+
+ Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If
+
+ you are using WSUS in your environment, you may need to set the above setting to Not
+
+ Configured or configure the setting Do not allow update deferral policies to cause
+
+ scans against Windows Update (added in the Windows 10 Release 1709 Administrative
+
+ Templates) in order to prevent the Dual Scan feature from interfering. More information
+
+ on Dual Scan is available at these links:
+
+ •
+
+ •
+
+
+ Demystifying “Dual Scan” – WSUS Product Team Blog
+
+ Improving Dual Scan on 1607 – WSUS Product Team Blog
+
+
+ Note #3: Prior to Windows 10 R1703, values above 180 days are not recognized by the
+
+ OS. Starting with Windows 10 R1703, the maximum number of days you can defer is
+
+ 365 days.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled: 180 or more days.
+
+ Windows Update for Business\Defer Feature Updates Period in Days'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Defer Quality Updates Period (Days)'' is set to ''Enabled: 0 days'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Update/DeferQualityUpdatesPeriodInDays' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:defer-quality-updates-period-days-is-enabled-0-days, cis_safeguard_ids:CIS103.3
+ description: 'This policy settings controls when Quality Updates are received.
+
+ The recommended state for this setting is: Enabled: 0 days.
+
+ Note: If the "Allow Telemetry" policy is set to 0, this policy will have no effect.
+
+ Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows
+
+ Update (WU) client behavior called Dual Scan, with an eye to cloud-based update
+
+ management. In some cases, this Dual Scan feature can interfere with Windows
+
+ Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If
+
+ you are using WSUS in your environment, you may need to set the above setting to Not
+
+ Configured or configure the setting Do not allow update deferral policies to cause
+
+ scans against Windows Update (added in the Windows 10 Release 1709 Administrative
+
+ Templates) in order to prevent the Dual Scan feature from interfering. More information
+
+ on Dual Scan is available at these links:
+
+ •
+
+ •
+
+
+ Demystifying “Dual Scan” – WSUS Product Team Blog
+
+ Improving Dual Scan on 1607 – WSUS Product Team Blog'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled:0 days.
+
+ Windows Update for Business\Defer Quality Updates Period (Days)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Manage preview builds' is set to 'Disable Preview builds'
+ query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Update/ManagePreviewBuilds' AND mdm_command_output IN ('1', '3')) OR EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ManagePreviewBuilds' AND data = '1');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:manage-preview-builds-is-disable-preview-builds, cis_safeguard_ids:CIS103.4
+ description: 'This policy setting manages which updates that are received prior to the update being
+
+ released.
+
+ Dev Channel: Ideal for highly technical users. Insiders in the Dev Channel will receive
+
+ builds from our active development branch that is earliest in a development cycle.
+
+ These builds are not matched to a specific Windows 10 release.
+
+ Beta Channel: Ideal for feature explorers who want to see upcoming Windows 10
+
+ features. Your feedback will be especially important here as it will help our engineers
+
+ ensure key issues are fixed before a major release.
+
+ Release Preview Channel (default): Insiders in the Release Preview Channel will
+
+ have access to the upcoming release of Windows 10 prior to it being released to the
+
+ world. These builds are supported by Microsoft. The Release Preview Channel is where
+
+ we recommend companies preview and validate upcoming Windows 10 releases before
+
+ broad deployment within their organization.
+
+ The recommended state for this setting is: Disable Preview builds.
+
+ Note: Preview Build enrollment requires a telemetry level setting of 2 or higher and your
+
+ domain registered on insider.windows.com. For additional information on Preview
+
+ Builds, see: Managing preview builds across your organization - Windows Insider
+
+ Program | Microsoft Learn.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Disable Preview builds.
+
+ Windows Update For Business\Manage preview builds'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Scheduled Install Day' is set to 'Every day'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Update/ScheduledInstallDay' AND mdm_command_output = '0';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:scheduled-install-day-is-every-day, cis_safeguard_ids:CIS103.5
+ description: 'This policy setting specifies when computers in your environment will receive security
+
+ updates from Windows Update or WSUS.
+
+ The recommended state for this setting is: Every day.
+
+ Note: This setting is only applicable if the option of 3 or 4 is selected in the
+
+ recommendation ''Allow Auto Update''. It will have no impact if any other option is
+
+ selected.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Every day.
+
+ Windows Update For Business\Scheduled Install Day'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Block "Pause Updates" ability' is set to 'Block'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Update\SetDisablePauseUXAccess' AND data = '1';
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:block-pause-updates-ability-is-block, cis_safeguard_ids:CIS103.6
+ description: 'This policy removes access to "Pause updates" feature.
+
+ The recommended state for this setting is: Block.'
+ resolution: 'To establish the recommended configuration via GP, set the following UI path to Block:
+
+ Windows Update For Business\Block "Pause Updates" ability'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Require PIN For Pairing'' is set to ''Enabled: Pairing ceremony for new devices will always require a PIN'' OR ''All pairings will require PIN'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/WirelessDisplay/RequirePinForPairing' AND mdm_command_output IN ('1', '2');
+ purpose: Informational
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS104.1
+ description: 'This policy setting controls whether or not a PIN is required for pairing to a wireless
+
+ display device.
+
+ The recommended state for this setting is: Enabled: Pairing ceremony for new
+
+ devices will always require a PIN'' OR All pairings will require PIN.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following
+
+ Settings Catalog path to Enabled: Pairing ceremony for new devices will
+
+ always require a PIN'' OR All pairings will require PIN.
+ + Administrative Templates\Network\Wireless Display\Require pin pairing' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Backup Directory' is set to 'Backup the password to Azure AD only' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config\BackupDirectory' AND data = '1'; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:configuration, requirement:standard, critical:false, control:backup-directory-is-backup-the-password-to-azure-ad-only, cis_safeguard_ids:CIS105.1 + description: 'This policy setting configures which directory Windows LAPS will use to back up the + + local admin account password. + + The recommended state for this setting is: Backup the password to Azure AD only. + + Note: Organizations that utilize third-party commercial software to manage unique & + + complex local Administrator passwords on domain members may opt to disregard these + + LAPS recommendations. + + • + + • + + • + + + Windows LAPS does not support standalone computers - they must be joined to + + an Active Directory domain or Entra ID (formerly Azure Active Directory). + + Windows LAPS does not support simultaneous storage of the local admin + + password in both directory types. + + If the setting is configured and the managed device is not joined to the configured + + directory type, the local administrator password will not be managed by Windows + + LAPS. + + + Important: An organization wishing to use Active Directory to backup the LAPS + + password may make an exception for this recommendation. To implement Active + + Directory backup see the latest on-premises CIS Benchmark for Windows 10/11. When + + backing up with Active Directory there are 2 additional security controls to be + + considered in the benchmark which are not available when using Azure AD for backup. 
+ + These were excluded from the Intune benchmark as they cannot be selected unless + + Active Directory is selected as the backup location.' + resolution: 'To establish the recommended configuration from Microsoft Intune Admin Center: + + 1. Navigate to Endpoint security > Account protection. + + 2. Create or edit a LAPS policy of the type Local admin password solution + + (Windows LAPS). + + 3. Set Backup Directory to Backup the password to Azure AD only.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Password Age Days'' is set to ''Configured: 30 or fewer''' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_AdmPwd/POL_AdmPwd' AND mdm_command_output LIKE '% Account protection. + + 2. Create or edit a LAPS policy type Local admin password solution (Windows + + LAPS). + + 3. Set Password Complexity to Large letters + small letters + numbers + + + special characters.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Password Length'' is set to ''Configured: 15 or more''' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_AdmPwd/POL_AdmPwd' AND mdm_command_output LIKE '% Account protection. + + 2. Create or edit a LAPS policy type Local admin password solution (Windows + + LAPS). + + 3. Set Password Length to Configured: 15 (or more).' 
+--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Post-authentication actions' is set to 'Reset the password and logoff the managed account' or higher + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config\PostAuthenticationActions' AND data IN ('3', '5'); + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS105.5 + description: 'This policy settings configures post-authentication actions which will be executed after + + detecting an authentication by the LAPS managed account. The Action refers to + + actions to take upon expiry of the grace period before executing the specified postauthentication actions. + + Post-authentication actions: + + • + + • + + + • + + + Reset password: upon expiry of the grace period, the managed account + + password will be reset. + + Reset the password and logoff the managed account: upon expiry of the + + grace period, the managed account password will be reset and any interactive + + logon sessions using the managed account will terminated. + + Reset the password and reboot the device: upon expiry of the grace + + period, the managed account password will be reset and the managed device will + + be immediately rebooted. + + + Warning: After an interactive logon session is terminated, other authenticated sessions + + using the Windows LAPS managed account may still be active. The only way to ensure + + that the previous password is no longer in use is to reboot the OS. + + The recommended state for this setting is: Reset the password and logoff the + + managed account or higher. + + Note: Organizations that utilize third-party commercial software to manage unique & + + complex local Administrator passwords on domain members may opt to disregard these + + LAPS recommendations. 
+ + Note #2: Windows LAPS does not support standalone computers - they must be joined + + to an Active Directory domain or Entra ID (formerly Azure Active Directory).' + resolution: 'To establish the recommended configuration from Microsoft Intune Admin Center: + + 1. Navigate to Endpoint security > Account protection. + + 2. Create or edit a LAPS policy type Local admin password solution (Windows + + LAPS). + + 3. Set Post Authentication Actions to Reset the password and logoff + + the managed account (or higher). + + Note: Both Reset the password and logoff the managed account and Reset + + the password and reboot are considered passing states.' +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: 'CIS - Ensure ''Post Authentication Reset Delay'' is set to ''Configured: 8 or fewer hours, but not 0''' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config\PostAuthenticationResetDelay' AND CAST(data AS INTEGER) BETWEEN 1 AND 8; + purpose: Informational + tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS105.6 + description: 'This policy settings configures post-authentication actions which will be executed after + + detecting an authentication by the Windows LAPS managed account. The Grace + + period refers to the amount of time (hours) to wait after an authentication before + + executing the specified post-authentication actions. + + The recommended state for this setting is: Configured: 8 or fewer hours, but + + not 0. + + Note: Organizations that utilize third-party commercial software to manage unique & + + complex local Administrator passwords on domain members may opt to disregard these + + LAPS recommendations. + + Note #2: Windows LAPS does not support standalone computers - they must be joined + + to an Active Directory domain or Entra ID (formerly Azure Active Directory). 
+ + Note #3: If this policy is set to 0 it prevents all post-authentication actions from + + occurring.' + resolution: 'To establish the recommended configuration from Microsoft Intune Admin Center: + + 1. Navigate to Endpoint security > Account protection. + + 2. Create or edit a LAPS policy type Local admin password solution (Windows + + LAPS). + + 3. Set Post Authentication Reset Delay to Configured: 8 (or fewer + + hours, but not 0).' +--- +apiVersion: v1 +kind: policy +spec: + name: 'CIS - Ensure ''Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup'' is set to ''IEEE 1394 device setup classes''' + platform: windows + description: 'Policy checks the configuration for: CIS - Ensure ''Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup'' is set to ''IEEE 1394 device setup classes''. Expected state per CIS Intune benchmark: IEEE 1394 device setup classes.' + resolution: "Automatic method: To establish the recommended configuration via configuration profiles, set the following \nSettings Catalog path to Enabled, and add {d48179be-ec20-11d1-b6b8-\n00c04fa372a7}, {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}, {c06ff265-ae09-\n48f0-812c-16753d7cba83}, and {6bdd1fc1-810f-11d0-bec7-08002be2092f} to the \ndevice setup classes list. 
\nAdministrative Templates\\System\\Device Installation\\Device Installation \nRestrictions\\Prevent installation of devices using drivers that match these \ndevice setup classes"
+ query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses' AND mdm_command_output LIKE '%6bdd1fc1-810f-11d0-bec7-08002be2092f%') OR EXISTS (SELECT 1 FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses\%' AND data LIKE '%d48179be-ec20-11d1-b6b8-00c04fa372a7%');
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:prevent-installation-of-devices-using-drivers-that
+ purpose: Enforcement
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: 'CIS - Ensure ''Windows Firewall: Public: Settings: Apply local connection security rules'' is set to ''No'''
+ platform: windows
+ description: 'Policy checks the configuration for: CIS - Ensure ''Windows Firewall: Public: Settings: Apply local connection security rules'' is set to ''No''. Expected state per CIS Intune benchmark: No.'
+ resolution: "Automatic method: To establish the recommended configuration via configuration profiles, set the following \nSettings Catalog path to True (recommended): \nFirewall\\Enable Public Network Firewall"
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge' AND mdm_command_output = 'false';
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:windows-firewall-public-settings-apply-local-conne
+ purpose: Enforcement
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Configure ''Accounts: Rename administrator account'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount' AND mdm_command_output NOT LIKE '%Administrator%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:configure-accounts-rename-administrator-account
+ description: The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console).
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path: Local Policies Security Options\Accounts: Rename administrator account'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Configure ''Accounts: Rename guest account'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount' AND mdm_command_output NOT LIKE '%Guest%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:configure-accounts-rename-guest-account
+ description: The built-in local guest account is another well-known name to attackers. It is recommended to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security.
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path: Local Policies Security Options\Accounts: Rename guest account'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Configure ''Interactive logon: Message text for users attempting to log on'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn' AND mdm_command_output != '' AND mdm_command_output NOT LIKE '%404%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:configure-interactive-logon-message-text-for-users-attemptin
+ description: This policy setting specifies a text message that displays to users when they log on. Set the following group policy to a value that is consistent with the security and operational requirements of your organization.
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to a value that is consistent with the security and operational requirements of your organization: Local Policies Security Options\Interactive logon: Message text for users attempting to log on'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Configure ''Interactive logon: Message title for users attempting to log on'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn' AND mdm_command_output != '' AND mdm_command_output NOT LIKE '%404%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:1, platform:windows, category:security, requirement:standard, critical:false, control:configure-interactive-logon-message-title-for-users-attempti
+ description: This policy setting specifies the text displayed in the title bar of the window that users see when they log on to the system. Configure this setting in a manner that is consistent with the security and operational requirements of your organization.
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to a value that is consistent with the security and operational requirements of your organization: Local Policies Security Options\Interactive logon: Message title for users attempting to log on'
diff --git a/ee/cis/win-11-intune/l2_win11_intune.yaml b/ee/cis/win-11-intune/l2_win11_intune.yaml
new file mode 100644
index 0000000000..7e6ef32fe0
--- /dev/null
+++ b/ee/cis/win-11-intune/l2_win11_intune.yaml
@@ -0,0 +1,946 @@
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''MSS: (DisableSavePassword) Prevent the dialup password from being saved (recommended)'' is set to ''Enabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\DisableSavePassword' AND data = '1';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.4
+ description: 'When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the "Save Password" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\MSS (Legacy)\MSS:(DisableSavePassword) Prevent the dial-up password from being saved (recommended)
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds'' is set to ''Enabled: 300,000 or 5 minutes (recommended)'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime' AND CAST(data AS INTEGER) <= 300000;
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.6
+ description: 'This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended).'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: 300,000 or 5 minutes (recommended). Administrative Templates\MSS (Legacy)\MSS: (KeepAliveTime) How often keepalive packets are sent in milliseconds'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)'' is set to ''Disabled'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery' AND data = '0';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.8
+ description: 'This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\MSS (Legacy)\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted'' is set to ''Enabled: 3'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\TcpMaxDataRetransmissions' AND CAST(data AS INTEGER) <= 3;
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.11
+ description: 'This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: 3. Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted'' is set to ''Enabled: 3'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions' AND CAST(data AS INTEGER) <= 3;
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.5.12
+ description: 'This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: 3. Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
+ query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'LLTDIO'), 'DISABLED') = 'DISABLED';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.6.8.1
+ description: 'This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it''s connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
+ query: SELECT 1 WHERE COALESCE((SELECT UPPER(start_type) FROM services WHERE name = 'RSPNDR'), 'DISABLED') = 'DISABLED';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.6.8.2
+ description: 'This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_WindowsConnectNow/WCN_EnableRegistrar' AND mdm_command_output LIKE '%Disabled%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.6.17.1
+ description: 'This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_WindowsConnectNow/WCN_DisableWcnUi_2' AND mdm_command_output LIKE '%%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.6.17.2
+ description: 'This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Network\Windows Connect Now\Prohibit access of the Windows Connect Now wizards
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Turn off access to the Store' is set to 'Enabled'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\ApplicationManagement\DisableStoreOriginatedApps' AND data = '1';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.1
+ description: 'This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off access to the Store
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Turn off Help Experience Improvement Program (User)' is set to 'Enabled'
+ query: SELECT 1 FROM registry WHERE path LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0\NoImplicitFeedback' AND data = '1';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.3
+ description: 'This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn off Help Experience Improvement Program
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/NC_ExitOnISP' AND mdm_command_output LIKE '%%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.4
+ description: 'This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off printing over HTTP' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/Connectivity/DiablePrintingOverHTTP' AND mdm_command_output LIKE '%%'; + purpose: Enforcement + tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.7 + description: 'This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled.' + resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Registration if URL connection is referring to Microsoft.com +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/SearchCompanion_DisableFileUpdates' AND mdm_command_output LIKE '%%'; + purpose: Enforcement + tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.9 + description: 'This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. 
The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled.' + resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' + query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/ShellRemovePublishToWeb_2' AND mdm_command_output LIKE '%%'; + purpose: Enforcement + tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.10 + description: 'This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled.' + resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. 
Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/WinMSG_NoInstrumentation_2' AND mdm_command_output LIKE '%%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.20.1.11
+ description: 'This policy setting specifies whether the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to improve features that are most used and to detect flaws so that they can be corrected more quickly. Enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. 
Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_ICM/CEIPEnable' AND mdm_command_output LIKE '%%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.10.40.5.1
+ description: 'This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_AppxRuntime/AppxRuntimeBlockHostedAppAccessWinRT' AND mdm_command_output LIKE '%Enabled%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.3.2
+ description: 'This policy setting controls whether Microsoft Store apps with Windows Runtime API access directly from web content can be launched. 
The recommended state for this setting is: Enabled.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\App runtime\Block launching Universal Windows apps with Windows Runtime API access from hosted content. Note: A reboot may be required after the setting is applied.'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_MicrosoftDefenderAntivirus/SpynetReporting' AND mdm_command_output LIKE '%%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.28.3.2
+ description: 'This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: • • • (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. 
Advanced + membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled. Note: In Windows 10 and above, Basic membership is no longer available, so setting the value to 1 Basic, or 2 Advanced, enrolls the device into Advanced membership. For more information, please visit: Turn on cloud protection in Microsoft Defender Antivirus Microsoft Defender for Endpoint | Microsoft Learn.' + resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Join Microsoft MAPS +--- +apiVersion: v1 +kind: policy +spec: + platform: windows + name: CIS - Ensure 'Configure Watson events' is set to 'Disabled' + query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Disabled' AND data = '1'; + purpose: Enforcement + tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.28.10.1 + description: 'This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled.' + resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. 
Administrative Templates\Windows Components\Microsoft Defender Antivirus\Reporting\Configure Watson events
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Turn off Push To Install service' is set to 'Enabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ApplicationManagement/DisableStoreOriginatedApps' AND mdm_command_output = '1';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.35.1
+ description: 'This policy setting controls whether users can push Apps to the device from the Microsoft Store App running on other devices or the web. The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Push to Install\Turn off Push To Install service
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' AND data = '1';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.2.1
+ description: 'This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled. 
Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely by using Remote Desktop Services
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Do not allow COM port redirection' is set to 'Enabled'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCcm' AND data = '1';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.3.1
+ description: 'This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow COM port redirection
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Do not allow LPT port redirection' is set to 'Enabled'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableLPT' AND data = '1';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.3.3
+ description: 'This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. 
Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow LPT port redirection
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisablePNPRedir' AND data = '1';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.3.4
+ description: 'This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow supported Plug and Play device redirection
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Restrict clipboard transfer from server to client'' is set to ''Enabled: Disable clipboard transfers from server to client'''
+ query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableClip' AND data = '1';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.36.4.3.5
+ description: 'This policy setting controls whether the clipboard can be used to transfer data from the Remote Desktop session to the client. 
The recommended state for this setting is: Enabled: Disable clipboard transfers from server to client.'
+ resolution: 'To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Disable clipboard transfers from server to client. Administrative Templates\Windows Components\Remote Desktop Session Host\Device and Resource Redirection\Restrict clipboard transfer from server to client'
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: 'CIS - Ensure ''Set time limit for active but idle Remote Desktop Services sessions'' is set to ''Enabled: 15 minutes or less, but not Never (0)'''
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2' AND mdm_command_output LIKE '%%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.42.2
+ description: 'This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. 
Administrative Templates\Windows Components\Store\Turn off the Store application
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'
+ query: SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/ADMX_MSI/SafeForScripting' AND mdm_command_output LIKE '%%';
+ purpose: Enforcement
+ tags: framework:CISv8.1, benchmark:win11, level:2, platform:windows, category:unknown, requirement:standard, critical:false, cis_safeguard_ids:CIS4.11.54.1
+ description: 'This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\Microsoft\Windows\PowerShell\Operational Event Log channel. The recommended state for this setting is: Enabled. Note: If logging of Script Block Invocation Start/Stop Events is enabled (option box checked), PowerShell will log additional events when invocation of a command, script block, function, or script starts or stops. Enabling this option generates a high volume of event logs. CIS has intentionally chosen not to make a recommendation for this option, since it generates a large volume of events. If an organization chooses to enable the optional setting (checked), this also conforms to the benchmark.'
+ resolution: To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled. Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Script Block Logging
+---
+apiVersion: v1
+kind: policy
+spec:
+ platform: windows
+ name: CIS - Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'
+ query: SELECT 1 WHERE EXISTS (SELECT 1 FROM mdm_bridge WHERE mdm_command_input = '1./Device/Vendor/MSFT/Policy/Result/WindowsPowerShell/TurnOnPowerShellTranscription' AND mdm_command_output LIKE '%