3/ Using Policy Analyzer to review conflicts

At this point you’re ready to compare the incoming CIS controls against your existing GPOs and check for any conflicts.

- Templates: ADML and ADMX files used by the CIS GPOs.
- Local_Script: PowerShell scripts that apply the CIS controls to the local policy of a machine, useful if you want to test the settings in isolation (and not use group policy).
- GPOs: the CIS controls as GPOs, ready for importing into GPMC.
- GP Reports: *useful* HTML reports of the CIS security controls.
- The only tool I had use for was Policy Analyzer.
- Documentation: Contains Excel reports covering release notes and change records for the controls.

SCT contains the CIS benchmarks for all supported OSs as well as several tools for helping you implement them.

In production, we’ll need to identify the problematic setting and remediate via group policy or local registry if necessary.

2/ Download the Microsoft SCT and CIS benchmarks

- If there is risk, how can we mitigate it and what is the rollback plan? Remove the GPO links and rebuild the test virtual server.
- Can we feasibly introduce the new security controls without any risk to production operations? Yes, create a new group policy OU structure with a test OU and a test virtual server.
- Do we want to deploy CIS controls to harden servers, desktops, domain controllers or all endpoints? We want to harden the DCs and Servers only, no client devices. It’s important to know whether you’re working on Domain Member or Domain Controller because server-specific CIS controls are separated by server role.
- What OSs are in circulation within the environment? Windows Server 2019 (2x Domain controllers and 12 member servers) Wind(5 client devices).

Your audit report may guide you here, but remember – any introduction of new security settings is likely to cause some disruption at some point in time, so you should have a good awareness of where you are introducing the change and what services may be affected.
It’s important to know these boundaries so you don’t accidentally deploy controls that aren’t required. Below are some questions the client and I discussed to understand what we needed to do (example answers in green).

The below guide explains how to deploy the CIS benchmarks via group policy for an on-premises AD domain, how to validate your deployment using Policy Analyzer, and some tips if you’ve never done this type of work and want to introduce some level of CIS compliance into your environment.

Define the scope for your deployment.

I’d never heard of these before (read about CIS controls here), but they provide industry-tested security settings which can be deployed via GPO or MDM for all major Microsoft OSs, O365 and Azure environments. Their annual IT security audit flagged some gaps in their security posture and the recommendation was to implement CIS controls to help them on their road to reach ISO 2700 compliance. I do a bit of ad-hoc work for a small recruitment marketing agency and they asked if I could assist them with implementing CIS security controls against their Win 2019 web servers and Win 10 clients.
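
The test-OU staging and rollback plan from the scope questions (import the GPOs, link them only to a test OU, remove the links to roll back), written out as an added PowerShell example that is not part of the original post. The OU name, folder paths, the `TEST - ` prefix and the GPO names are assumptions or placeholders; the cmdlets come from the ActiveDirectory and GroupPolicy RSAT modules.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Every name and path below is an assumption for illustration; substitute your own.
$DomainDN   = (Get-ADDomain).DistinguishedName
$TestOuName = 'CIS-Test'                      # hypothetical test OU
$TestOuDN   = "OU=$TestOuName,$DomainDN"
$GpoBackups = 'C:\CIS\GPOs'                   # placeholder: the "GPOs" folder from the download
$SafetyNet  = 'C:\CIS\PreChangeBackup'        # placeholder: backup of the existing GPOs
$ReportDir  = 'C:\CIS\Reports'                # placeholder: HTML reports of what was imported
$BackupGpoNames = @('<member server GPO name>', '<domain controller GPO name>')  # placeholders

# 1. Back up every existing GPO before changing anything.
New-Item -ItemType Directory -Path $SafetyNet, $ReportDir -Force | Out-Null
Backup-GPO -All -Path $SafetyNet | Out-Null

# 2. Create the test OU at the domain root if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$TestOuName'" `
        -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $TestOuName -Path $DomainDN }

# 3. Import each backup under a prefixed name and link it to the test OU only.
foreach ($name in $BackupGpoNames) {
    $target = "TEST - $name"
    Import-GPO -BackupGpoName $name -Path $GpoBackups `
               -TargetName $target -CreateIfNeeded | Out-Null
    # Skip linking if a previous run already linked this GPO.
    $linked = (Get-GPInheritance -Target $TestOuDN).GpoLinks |
                Where-Object DisplayName -eq $target
    if (-not $linked) {
        New-GPLink -Name $target -Target $TestOuDN -LinkEnabled Yes | Out-Null
    }
    # Keep a report of the imported settings for review.
    Get-GPOReport -Name $target -ReportType Html `
                  -Path (Join-Path $ReportDir "$target.html")
}

# 4. Rollback: remove only the links this script created; the GPO objects stay
#    in the domain so they can be re-linked after the test server is rebuilt.
function Undo-CisTestLinks {
    (Get-GPInheritance -Target $TestOuDN).GpoLinks |
        Where-Object DisplayName -like 'TEST - *' |
        ForEach-Object { Remove-GPLink -Guid $_.GpoId -Target $TestOuDN }
}
```

Move the test virtual server's computer object into the test OU and run `gpupdate /force` on it to pick up the linked GPOs; `Undo-CisTestLinks` removes the links again.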