I'm currently working on implementing the CIS benchmark for Windows 11 across about 200,000 devices. We do have a CIS benchmark set up in a Group Policy Object (GPO) from a few years back, but there's not a lot of documentation, and I'm unsure which version of the benchmark it corresponds to for Windows 11.
I've seen some webinars, and I've got the necessary resources, such as the security compliance toolkit and policy analyzer. I've run the assessor on a machine, and it flagged around 75% compliance, which still leaves over 100 settings failing. I'm looking for advice from anyone with experience on how to effectively manage this process.
When faced with the failed settings, do you check each one to understand it better, or do you create the GPO with everything applied just to see what issues arise? Additionally, what's the best way to organize the GPO? Should I keep the original benchmark GPO and make another one for the settings I choose not to implement? I'm aiming for a manageable way to handle updates for new benchmark releases. What type of documentation do you usually keep?
4 Answers
Honestly, I prefer DISA STIGs over CIS. They provide much more detail and allow for a bit more flexibility depending on your environment. The key is to implement as much as possible but also document your rationale for any controls you choose not to apply, as some settings can cause unexpected issues. Take your time and do extensive testing.
Implementing CIS is all about finding the right balance with your security model. Remember, there's no one-size-fits-all path to compliance. You really shouldn't just aim for a perfect score with the CIS assessor. Instead, focus on what each setting means and decide if it aligns with your organization's needs. Many organizations have found that overly aggressive settings can create more problems than they solve.
Exactly! And that's so true with historical practices. For instance, CIS used to push 60-day password expirations, which are now seen as outdated.
Achieving 75% compliance is actually a solid start! Many baseline installs only hit around 25-35% by default. Just remember that getting to 100% might make systems unusable. So, it's okay to prioritize functionality alongside security.
Are you working with Level 1 or Level 2 controls? If you're unsure, try using the assessor to generate an HTML report. It'll clearly mark the settings with their pass or fail statuses and usually explains what adjustments you might need to make. You can go through the fails one by one to see what you're willing to accept.
Good tip! Just make sure your GPOs are structured per their recommendations. You can download GPO templates that are already aligned with the benchmark. Don't forget to get the latest administrative templates from Microsoft to avoid confusion with Windows 10 and 11 settings!

Absolutely, and never just drop a machine into an OU with a pre-made STIG GPO applied. Controls need to be evaluated and tailored to your specific needs, so be sure to document everything. It's a slow process, but knowing the settings inside and out will help you troubleshoot when things go sideways.
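The two-GPO layout the question asks about (keep the benchmark GPO untouched, carry the settings you choose not to apply in a separate, higher-precedence "exceptions" GPO) and the "document your rationale for every control you skip" advice in the answers above, as an added example in Python that is not part of this thread or of any CIS or Microsoft tooling. It models Group Policy precedence over two constructed GPOs and builds a deviation register that flags any override with no recorded rationale and any exception that no longer matches a benchmark setting (a stale entry after a benchmark update). Setting paths, values and the ticket reference are constructed samples, not the benchmark's exact names.

```python
"""Layered GPO model for a CIS baseline (added example, constructed data).

Design being demonstrated:
  1. "CIS Benchmark" GPO: the vendor-provided settings, never edited by hand,
     so a new benchmark release can replace it wholesale.
  2. "CIS Exceptions" GPO: linked with higher precedence; contains only the
     settings deliberately deviated from, each with a written rationale.
Group Policy processes GPOs in link order and the highest-precedence GPO
wins for any setting that more than one GPO defines, so the exceptions GPO
overrides the benchmark without modifying it.
"""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict = field(default_factory=dict)   # policy path -> value
    rationale: dict = field(default_factory=dict)  # policy path -> why it deviates


def resolve(gpos):
    """Apply GPOs from lowest to highest precedence; later entries override.

    Returns (effective_settings, winning_gpo_per_setting)."""
    effective, winner = {}, {}
    for gpo in gpos:
        for path, value in gpo.settings.items():
            effective[path] = value
            winner[path] = gpo.name
    return effective, winner


def deviation_register(benchmark, exceptions):
    """One row per exception: (path, benchmark value, applied value, rationale, status).

    DOCUMENTED       - overrides a benchmark setting and has a rationale
    UNDOCUMENTED     - overrides a benchmark setting but nobody wrote down why
    NOT_IN_BENCHMARK - overrides nothing; probably stale after a benchmark update
    """
    rows = []
    for path, value in exceptions.settings.items():
        base = exceptions and benchmark.settings.get(path)
        why = exceptions.rationale.get(path, "").strip()
        if base is None:
            status = "NOT_IN_BENCHMARK"
        elif not why:
            status = "UNDOCUMENTED"
        else:
            status = "DOCUMENTED"
        rows.append((path, base, value, why, status))
    return rows


def needs_attention(benchmark, exceptions):
    """Paths whose exception is undocumented or stale (what a reviewer should chase)."""
    return [r[0] for r in deviation_register(benchmark, exceptions) if r[4] != "DOCUMENTED"]


def render_register(rows):
    """Plain-text table suitable for pasting into the deviation document."""
    lines = ["Setting | Benchmark | Applied | Status | Rationale"]
    for path, base, applied, why, status in rows:
        lines.append(f"{path} | {base} | {applied} | {status} | {why or '(none)'}")
    return "\n".join(lines)


# Constructed sample GPOs; paths are illustrative, not the benchmark's exact wording.
BENCHMARK = Gpo("CIS Benchmark", {
    "Password Policy/Maximum password age": "365",
    "Password Policy/Minimum password length": "14",
    "Audit Policy/Audit Logon": "Success and Failure",
    "Windows Firewall/Domain Profile/Inbound connections": "Block",
})

EXCEPTIONS = Gpo("CIS Exceptions", {
    "Windows Firewall/Domain Profile/Inbound connections": "Allow",   # documented
    "Password Policy/Minimum password length": "12",                   # no rationale
    "Legacy/Retired setting": "Enabled",                               # not in benchmark
}, rationale={
    "Windows Firewall/Domain Profile/Inbound connections":
        "Ticket SEC-0000 (placeholder): support tool needs inbound; host IPS compensates.",
})

if __name__ == "__main__":
    effective, winner = resolve([BENCHMARK, EXCEPTIONS])  # lowest precedence first
    for path, value in effective.items():
        print(f"{path} = {value}  (from {winner[path]})")
    print()
    print(render_register(deviation_register(BENCHMARK, EXCEPTIONS)))
    print("\nNeeds attention:", needs_attention(BENCHMARK, EXCEPTIONS))
```

When a new benchmark version arrives you replace `BENCHMARK` and re-run the register: anything that turns up as NOT_IN_BENCHMARK is an exception you can retire, and anything UNDOCUMENTED is a deviation that should not go to 200,000 devices until someone writes down why.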