Forum Discussion

gregb
Copper Contributor
Jul 27, 2023

Windows 11 22H2, Server 2022 Baselines - CIS Level 1

Are the security baselines downloaded in the SCT "CIS Level 1"? I've used the Policy Analyzer to compare the group of baseline GPOs (all the ones in the \GPOs\ folder) to the 'current environment' using a freshly provisioned PC, and a VM for Server 2022. The 'baseline' vs 'current state' comparison is helpful, but I'm wondering if I was to enable every GPO in the baseline column, does that get you CIS Level 1? MS does not seem to use the CIS terms in the documentation I've found.

3 Replies

  • JimSeaman520
    Copper Contributor

    gregb, in PCI DSS v4.01, one of the PCI DSS Requirements (2.2.1) requires the assessed entity to have documented configuration standards that are consistent with industry-accepted system hardening standards or vendor hardening recommendations.
    CIS is one hardening standard, Microsoft's are another.
    https://learn.microsoft.com/en-us/compliance/regulatory/offering-CIS-Benchmark
    If an entity has used the CIS Benchmarks, it is recommended that the CIS CAT Tools are used to audit the configurations, e.g.,

    • https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro
    • https://learn.cisecurity.org/cis-cat-lite
  • thegreymouser
    Copper Contributor
    I posted a similar question over on the CIS Security forum:
    https://workbench.cisecurity.org/community/2/discussions/9995

    I was going to do the same thing you did - which is to use Policy Analyzer to compare the differences between the baselines and modify the deltas to "convert" to CIS Windows 11 22H2. I know you are referring to server baselines but I wonder if someone has already done the comparison for Windows 11?
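The "baseline vs current state" delta check discussed above, as an added PowerShell example (not code from the thread, the SCT or CIS): it compares a constructed list of registry-backed settings against the local machine and reports which ones match, differ, or are not configured. The three paths and expected values are a constructed sample for illustration, not the MS or CIS baseline content.

```powershell
# Added example, not from this thread: report deltas between a constructed
# baseline list and the local registry, mirroring Policy Analyzer's
# "baseline vs current state" comparison for registry-backed GPO settings.
# The three entries below are a constructed sample, not the MS or CIS baseline.
$Baseline = @(
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash'; Expected = 1 },
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Expected = 1 },
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen'; Expected = 1 }
)

function Compare-BaselineSetting {
    param([Parameter(Mandatory)][object[]]$Settings)
    foreach ($s in $Settings) {
        $actual = $null
        $status = 'NotConfigured'   # value absent: neither policy nor an explicit default is written
        if (Test-Path -Path $s.Path) {
            $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $actual = $item.($s.Name)
                $status = if ($actual -eq $s.Expected) { 'Match' } else { 'Mismatch' }
            }
        }
        [pscustomobject]@{
            Path     = $s.Path
            Name     = $s.Name
            Expected = $s.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

$result = Compare-BaselineSetting -Settings $Baseline
$result | Format-Table -AutoSize
# Only the deltas matter for the "convert to CIS" work; keep them as a CSV for review.
$result | Where-Object Status -ne 'Match' | Export-Csv -Path .\baseline-deltas.csv -NoTypeInformation
```

This covers only settings that land in the registry; user rights assignments and audit policy are not registry values and need secedit or auditpol to read, which is part of what Policy Analyzer handles for you when it imports a GPO backup.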
  • gregb, the MS Security Baseline and the CIS Baseline are different; they do not align fully. We do collaborate with CIS but do not agree on all settings.
