cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

MS Security Baselines vs CIS Benchmarks vs DoD STIGs

bbmsei
Copper Contributor

‎Jul 20 2020 12:13 PM

‎Jul 20 2020 12:13 PM

MS Security Baselines vs CIS Benchmarks vs DoD STIGs

I am trying to understand the differences between these sources for secure configuration of a Windows 10 machine and why someone would choose one over the other. I figured I would ask the community if there is a good source I am overlooking before trying to sift through thousands of settings.

15.9K Views
1 Like
1 Reply
Reply
1 Reply
best response confirmed by bbmsei (Copper Contributor)
Rick_Munck

‎Jul 24 2020 05:53 AM

‎Jul 24 2020 05:53 AM

Solution

Re: MS Security Baselines vs CIS Benchmarks vs DoD STIGs

@bbmsei some of it is due to regulatory reasons.  For instance the US Department of Defense is required to use the STIG.  Other companies /organizations follow the MS or CIS baseline.  It really depends on what you are looking for.  We do collaborate with the other baseline owners and share what we can to help them make informed decisions.  However, in some cases though the baselines are different.  While we wont get into the 'why' they differ we suggest you evaluate whatever baseline you decide to use before implementing and ensure the cadence and quality match what you are looking for.

 

I would suggest using Policy Analyzer (part of the Microsoft SCT) to help you make an informed decision.  First step would be to download the MS and DoD GPOs and if you can get your hands on the CIS baseline in GPO format when grab that one as well.  Once you have all 3 sets run them through PA and you will see the deltas very quickly and easily.

 

One note, ensure you grab all the necessary GPOs for your compares (i.e. Windows, Office, Edge, Antivirus, Firewall, etc)

2 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by bbmsei (Copper Contributor)
Rick_Munck

‎Jul 24 2020 05:53 AM

‎Jul 24 2020 05:53 AM

Solution

Re: MS Security Baselines vs CIS Benchmarks vs DoD STIGs

@bbmsei some of it is due to regulatory reasons.  For instance the US Department of Defense is required to use the STIG.  Other companies /organizations follow the MS or CIS baseline.  It really depends on what you are looking for.  We do collaborate with the other baseline owners and share what we can to help them make informed decisions.  However, in some cases though the baselines are different.  While we wont get into the 'why' they differ we suggest you evaluate whatever baseline you decide to use before implementing and ensure the cadence and quality match what you are looking for.

 

I would suggest using Policy Analyzer (part of the Microsoft SCT) to help you make an informed decision.  First step would be to download the MS and DoD GPOs and if you can get your hands on the CIS baseline in GPO format when grab that one as well.  Once you have all 3 sets run them through PA and you will see the deltas very quickly and easily.

 

One note, ensure you grab all the necessary GPOs for your compares (i.e. Windows, Office, Edge, Antivirus, Firewall, etc)

View solution in original post

2 Likes
Reply