| CIS Ref | Setting Name | OIB Rationale for Non-Implementation | Notes |
|---|---|---|---|
| 3.1.3.1 | (L1) Ensure 'Enable screen saver (User)' is set to 'Enabled' | Default screensaver behaviour. Additional mitigations in place. | Win - OIB - SC - Device Security - U - Power and Device Lock |
| 3.5.1 | (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Breaks Autopilot. | |
| 3.5.9 | (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | Enforces default behaviour. | |
| 3.5.13 | (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Auditing configured to rotate logs. | Win - OIB - SC - Device Security - D - Audit and Event Logging |
| 3.6.4.1 | (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' | Breaks DNS-SD used in Delivery Optimization. | |
| 3.6.9.2 | (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | Alternative mitigation in place. | Win - OIB - SC - Device Security - D - Security Hardening |
| 3.6.11.1 | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' | Not relevant for Entra joined devices. | |
| 3.9.1.1 | (L1) Ensure 'Turn off toast notifications on the lock screen (User)' is set to 'Enabled' | Alternative mitigation in place. | |
| 3.10.4.1 | (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' | Sensitive information could be gathered and viewed by standard users, as documented by CIS. | Use an appropriate EDR which would capture this securely. |
| 3.10.9.2 | (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' | Standard users already cannot install software that requires elevation. | |
| 3.10.19.1 | (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Not relevant for Entra joined devices. Being removed in next CIS benchmark. | |
| 3.10.19.2 | (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | Not relevant for Entra joined devices. Being removed in next CIS benchmark. | |
| 3.10.19.3 | (L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Not relevant for Entra joined devices. Being removed in next CIS benchmark. | |
| 3.10.19.4 | (L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | Not relevant for Entra joined devices. Being removed in next CIS benchmark. | |
| 3.10.19.5 | (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' | Alternative mitigation in place. | |
| 3.10.25.1 | (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' | Significantly impacts WHfB experience. | |
| 3.10.25.2 | (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' | Potentially impacts user experience. Dubious security value. Requires physical device access. | |
| 3.10.25.3 | (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' | Not relevant for Entra joined devices. | |
| 3.10.25.4 | (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' | Not relevant for Entra joined devices. | |
| 3.10.25.6 | (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' | Functionality not available by default; superseded by Windows Hello. | |
| 3.10.25.7 | (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | Functionality not available by default; superseded by Windows Hello. | |
| 3.10.28.5.1 | (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' | Being removed in next CIS benchmark. | |
| 3.10.28.5.2 | (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' | Being removed in next CIS benchmark. | |
| 3.10.42.1.2 | (L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled' | Functionality not available by default. Standard users cannot enable NTP server capabilities. | |
| 3.11.5.1 | (L1) Ensure 'Do not preserve zone information in file attachments (User)' is set to 'Disabled' | Enforces default behaviour. | |
| 3.11.5.2 | (L1) Ensure 'Notify antivirus programs when opening attachments (User)' is set to 'Enabled' | Responsibility of AV/EDR product. | |
| 3.11.8.3 | (L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' | The only local account available is managed via LAPS. | |
| 3.11.18.4 | (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | Enforces default behaviour. | |
| 3.11.28.3.1 | (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | Enforces default behaviour. | |
| 3.11.28.11 | (L1) Ensure 'Turn off Microsoft Defender Antivirus' is set to 'Disabled' | Enforces default behaviour. Being removed in next CIS benchmark. | |
| 3.11.31.1 | (L1) Ensure 'Prevent users from sharing files within their profile. (User)' is set to 'Enabled' | Functionality no longer exists. | |
| 3.11.36.4.11.1 | (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Enforces default behaviour. | |
| 3.11.42.1 | (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' | Managed via Autopatch/WUfB rings. | |
| 3.11.50.1 | (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' | Net positive on user experience and benefits patch compliance without user interruption. Only enabled when BitLocker is on and not suspended. | Win - OIB - SC - Device Security - D - Login and Lock Screen |
| 3.11.54.2 | (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled' | Sensitive information could be gathered and viewed by standard users, as documented by CIS. | |
| 24.1 | (L1) Ensure 'Alphanumeric Device Password Required' is set to 'Password, Numeric PIN, or Alphanumeric PIN required' | Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark. | |
| 24.2 | (L1) Ensure 'Device Password Expiration' is set to '365 or fewer days, but not 0' | Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark. | |
| 24.3 | (L1) Ensure 'Device Password History' is set to '24 or more password(s)' | Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark. | |
| 24.4 | (L1) Ensure 'Min Device Password Complex Characters' is set to 'Digits lowercase letters and uppercase letters are required' | Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark. | |
| 24.5 | (L1) Ensure 'Min Device Password Length' is set to '14 or more character(s)' | Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark. | |
| 24.6 | (L1) Ensure 'Minimum Password Age' is set to '1 or more day(s)' | Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark. | |
| 30.4 | (L1) Ensure 'Disable Consumer Account State Content' is set to 'Enabled' | Alternative mitigation in place. | |
| 30.5 | (L1) Ensure 'Do not show feedback notifications' is set to 'Feedback notifications are disabled' | https://learn.microsoft.com/en-gb/microsoft-365/admin/misc/feedback-user-control | |
| 45.4 | (L1) Configure 'Accounts: Rename administrator account' | Security by obscurity. https://skiptotheendpoint.co.uk/dot-slash-administrator-a-security-risk-analysis/ | |
| 45.5 | (L1) Configure 'Accounts: Rename guest account' | Guest account is disabled and disallowed for login by policy. | |
| 45.7 | (L1) Ensure 'Interactive logon: Do not display last signed-in' is set to 'Enabled' | Breaks Windows Hello by forcing the user to always enter their credentials. | |
| 45.8 | (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' | Significantly impacts WHfB experience. | |
| 45.9 | (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' | Setting deprecated. Mitigated elsewhere. | |
| 45.1 | (L1) Configure 'Interactive logon: Message text for users attempting to log on' | Can break Autopilot and preprovisioning. Unnecessary extra steps for users when they don't read it anyway. | Organisation Acceptable Use Policy signed to get an account. |
| 45.11 | (L1) Configure 'Interactive logon: Message title for users attempting to log on' | Can break Autopilot and preprovisioning. Unnecessary extra steps for users when they don't read it anyway. | Organisation Acceptable Use Policy signed to get an account. |
| 45.17 | (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' | Legacy policy. | |
| 45.21 | (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Enforces default behaviour. | |
| 45.22 | (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Allow' | Not relevant for Entra joined devices. | |
| 45.23 | (L1) Ensure 'Network Security: Allow PKU2U authentication requests' is set to 'Block' | Enforces default behaviour. Not relevant for Entra joined devices. | |
| 45.28 | (L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts' | Not relevant for Entra joined devices. | |
| 45.3 | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' | Negatively impacts most Helpdesk BAU activities, remote support and troubleshooting. | |
| 48.7 | (L1) Ensure 'Require Private Store Only' is set to 'Only Private store is enabled' | Being removed in next CIS benchmark. | |
| 58.2 | (L1) Ensure 'Allow Input Personalization' is set to 'Block' | Negatively impacts users with accessibility needs. | |
| 60.3 | (L1) Ensure 'Allow Search To Use Location' is set to 'Block' | Negatively impacts user experience. Location & Privacy permissions managed separately. | |
| 67.1 | (L1) Ensure 'Allow Telemetry' is set to 'Basic' | Telemetry is not scary. | |
| 67.4 | (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled' | Enforces default behaviour. | Use an appropriate EDR which would capture this securely. |
| 67.5 | (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' | Diagnostics and telemetry already being collected by Intune. | |
| 67.6 | (L1) Ensure 'Limit Dump Collection' is set to 'Enabled' | Telemetry is not scary. | |
| 69.8 | (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' | Service disabling not available via policy. | Win - OIB - SC - Device Security - D - Security Hardening |
| 69.24 | (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' | Service disabling not available via policy. | |
| 69.31 | (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' | Service disabling not available via policy. | |
| 69.32 | (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' | Service disabling not available via policy. | |
| 69.36 | (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' | Service disabling not available via policy. | |
| 69.37 | (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' | Service disabling not available via policy. | |
| 75.1 | (L1) Ensure 'Hypervisor Enforced Code Integrity' is set to 'Enabled with UEFI lock' | Enabled without UEFI lock, which is the default behaviour on Win11 22H2 and above. Being changed in next CIS benchmark. | |
| 78.1 | (L1) Ensure 'Disallow Exploit Protection Override' is set to '(Enable)' | Standard users cannot edit/remove Exploit Protection settings. | |
| 83.2 | (L1) Ensure 'Defer Feature Updates Period in Days' is set to 'Enabled: 180 or more days' | Managed via Autopatch/WUfB rings. | |
| 83.3 | (L1) Ensure 'Defer Quality Updates Period (Days)' is set to 'Enabled: 0 days' | Managed via Autopatch/WUfB rings. | |
| 83.4 | (L1) Ensure 'Manage preview builds' is set to 'Disable Preview builds' | Managed via Autopatch/WUfB rings. | |
| 83.5 | (L1) Ensure 'Scheduled Install Day' is set to 'Every day' | Managed via Autopatch/WUfB rings. | |
| 85.3 | (L1) Ensure 'Password Complexity' is set to 'Large letters + small letters + numbers + special characters' | Password policy managed by Entra. Negatively impacts WHfB PIN creation. | |