SOLVED

MS Security Baselines vs CIS Benchmarks vs DoD STIGs

%3CLINGO-SUB%20id%3D%22lingo-sub-1533918%22%20slang%3D%22en-US%22%3EMS%20Security%20Baselines%20vs%20CIS%20Benchmarks%20vs%20DoD%20STIGs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1533918%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20trying%20to%20understand%20the%20differences%20between%20these%20sources%20for%20secure%20configuration%20of%20a%20Windows%2010%20machine%20and%20why%20someone%20would%20choose%20one%20over%20the%20other.%20I%20figured%20I%20would%20ask%20the%20community%20if%20there%20is%20a%20good%20source%20I%20am%20overlooking%20before%20trying%20to%20sift%20through%20thousands%20of%20settings.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1543626%22%20slang%3D%22en-US%22%3ERe%3A%20MS%20Security%20Baselines%20vs%20CIS%20Benchmarks%20vs%20DoD%20STIGs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1543626%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F734228%22%20target%3D%22_blank%22%3E%40bbmsei%3C%2FA%3E%26nbsp%3Bsome%20of%20it%20is%20due%20to%20regulatory%20reasons.%26nbsp%3B%20For%20instance%20the%20US%20Department%20of%20Defense%20is%20required%20to%20use%20the%20STIG.%26nbsp%3B%20Other%20companies%20%2Forganizations%20follow%20the%20MS%20or%20CIS%20baseline.%26nbsp%3B%20It%20really%20depends%20on%20what%20you%20are%20looking%20for.%26nbsp%3B%20We%20do%20collaborate%20with%20the%20other%20baseline%20owners%20and%20share%20what%20we%20can%20to%20help%20them%20make%20informed%20decisions.%26nbsp%3B%20However%2C%20in%20some%20cases%20though%20the%20baselines%20are%20different.%26nbsp%3B%20While%20we%20wont%20get%20into%20the%20'why'%20they%20differ%20we%20suggest%20you%20evaluate%20whatever%20baseline%20you%20decide%20to%20use%20before%20implementing%20and%20ensure%20the%20cadence%20and%20quality%20match%20what%20you%20are%20looking%20for.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20would%20suggest%20using%20Policy%20Analyzer%20(part%20of%20the%20Microsoft%20SCT)%20to%20help%20you%20make%20an%20informed%20decision.%26nbsp%3B%20First%20step%20would%20be%20to%20download%20the%20MS%20and%20DoD%20GPOs%20and%20if%20you%20can%20get%20your%20hands%20on%20the%20CIS%20baseline%20in%20GPO%20format%20when%20grab%20that%20one%20as%20well.%26nbsp%3B%20Once%20you%20have%20all%203%20sets%20run%20them%20through%20PA%20and%20you%20will%20see%20the%20deltas%20very%20quickly%20and%20easily.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOne%20note%2C%20ensure%20you%20grab%20all%20the%20necessary%20GPOs%20for%20your%20compares%20(i.e.%20Windows%2C%20Office%2C%20Edge%2C%20Antivirus%2C%20Firewall%2C%20etc)%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Visitor

I am trying to understand the differences between these sources for secure configuration of a Windows 10 machine and why someone would choose one over the other. I figured I would ask the community if there is a good source I am overlooking before trying to sift through thousands of settings.

1 Reply
Best Response confirmed by bbmsei (Regular Visitor)
Solution

@bbmsei some of it is due to regulatory reasons.  For instance the US Department of Defense is required to use the STIG.  Other companies /organizations follow the MS or CIS baseline.  It really depends on what you are looking for.  We do collaborate with the other baseline owners and share what we can to help them make informed decisions.  However, in some cases though the baselines are different.  While we wont get into the 'why' they differ we suggest you evaluate whatever baseline you decide to use before implementing and ensure the cadence and quality match what you are looking for.

 

I would suggest using Policy Analyzer (part of the Microsoft SCT) to help you make an informed decision.  First step would be to download the MS and DoD GPOs and if you can get your hands on the CIS baseline in GPO format when grab that one as well.  Once you have all 3 sets run them through PA and you will see the deltas very quickly and easily.

 

One note, ensure you grab all the necessary GPOs for your compares (i.e. Windows, Office, Edge, Antivirus, Firewall, etc)