Forum Discussion
Windows 11 22H2, Server 2022 Baselines - CIS Level 1
Are the security baselines downloaded in the SCT "CIS Level 1"? I've used the Policy Analyzer to compare the group of baseline GPOs (all the ones in the \GPOs\ folder) to the 'current environment' using a freshly provisioned PC, and a Vm for sever 2022. The 'baseline' vs 'current state' comparison is helpful, but I'm wondering if I was to enable every gpo in the baseline column, does that get you CIS Level 1? MS does not seem to use the CIS terms in the documentation I've found.
3 Replies
gregb, in PCI DSS v4.01, one of the PCI DSS Requirements (2.2.1) requires the assessed entity to have documented configuration standards that are consistent with industry-accepted system hardening standards or vendor hardening recommendations.
CIS is one hardening standard, Microsoft's are another.
https://learn.microsoft.com/en-us/compliance/regulatory/offering-CIS-BenchmarkIf an entity has used the CIS Benchmarks, it is recommended that the CIS CAT Tools are used to audit the configurations, e.g.,
- https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro
- https://learn.cisecurity.org/cis-cat-lite
- I posted a similar question over on the CIS Security forum:
https://workbench.cisecurity.org/community/2/discussions/9995
I was going to do the same thing you did - which is to use Policy Analyzer to compare the differences between the baselines and modify the deltas to "convert" to CIS Windows 11 22H2. I know you are referring to server baselines but I wonder if someone has already done the comparison for Windows 11? - Rick_Munck
Microsoft
gregb the MS Security Baseline and the CIS Baseline are different, they do not align fully. We do collaborate with CIS but do not agree on all settings.
