Center for Internet Security CIS Compliance Benchmarks and the XIA Configuration Server compliance benchmark tool

We've recently been speaking to our customers about compliance benchmarking and server hardening and whether XIA Configuration Server supports the Center for Internet Security (CIS) Compliance Benchmarks

This article will describe the XIA Configuration Server product, the CIS Compliance Benchmarks and how they relate.


What is XIA Configuration Server?

XIA Configuration Server is a software product created by CENTREL Solutions which is designed to audit, document and track changes to server operating systems such as Windows and Linux, enterprise software such as Microsoft SQL Server and Microsoft Exchange Server as well as network devices and cloud platforms.


What are CIS Compliance Benchmarks?

The Center for Internet Security is a non-profit entity who strive to create security best practices using a consensus based decision-making model. They produce individual benchmark guidelines in PDF format called CIS Benchmarks for a range of technologies and platforms.


Does XIA Configuration Server support CIS Benchmarks?

XIA Configuration Server implements its own security benchmark for Windows workstations and servers which includes over 340 benchmark tests, these tests draw from the best practices defined by Microsoft in guidelines such as the following:

Microsoft password policy guidelines

Microsoft account lockout policy guidelines

Microsoft security options guidelines

Microsoft audit policy recommendations "Stronger Recommendation"

The CIS Benchmarks for Windows operating systems also draw from these original Microsoft guidelines and as such there are synergies between the two benchmarks however XIA Configuration Server does not implement or draw from the CIS Benchmarks themselves.


What are the differences between the CIS Benchmarks and the XIA Configuration Server benchmark?

The following highlights some of the differences between the two benchmarks.


Background Information

The CIS Benchmarks are designed to provide a great deal of background information on the security settings and the rationale of the decisions made in the benchmark. The XIA Configuration Server Compliance Benchmark provides an automated way to test the configuration of a system against a benchmark and relies on the background information provided by the Microsoft security guidelines listed above.


Numbering

The CIS Benchmarks provide high levels of numeric precision - this allows a deep hierarchy in which to provide the detailed background information in the document.

This however does not translate as well into a tabular format, XIA Configuration Server Compliance Benchmark therefore uses a flatter decimal format.



Configuration Options

Typically the CIS Benchmarks provide a single consensus based setting to apply to the server or workstation.

As the XIA Configuration Server Compliance Benchmark is software based the system provides a range of configuration options. Typically these options are set to the recommendation provided by the Microsoft guidelines but can be configured as required to meet the business requirements.

https://www.centrel-solutions.com/media/xiaconfiguration/adminguideweb/WindowsBasicBenchmarkSettings.html



Operating System Versions

The CIS Benchmarks provide a distinct guide and benchmark for each Windows operating system including the security settings and rationale for each specific operating system version.

The XIA Configuration Server Compliance Benchmark is a single benchmark for all Microsoft Windows desktop and server operating systems including

  • Windows 8

  • Windows 8.1

  • Windows 10

  • Windows 11

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022


Whilst scanning the machine the XIA Configuration Server Compliance Benchmark automatically detects the operating system and applies the appropriate tests for that version.


Functional Equivalence and Explicit Settings

One major distinction between the CIS Benchmarks and the XIA Configuration Server Compliance Benchmark is how they handle settings that can be "Not Defined" or "Not Configured".

For many benchmark tests a setting can be "Not Configured" in Group Policy such as the "Turn off background refresh of Group Policy setting".

As per the description of the Group Policy setting:

If you disable or do not configure this policy setting, updates can be applied while users are working.

 


CIS Benchmarks require that a setting is explicitly set even though the "Not Configured" option is functionally equivalent.

The XIA Configuration Server Compliance Benchmark will typically yield a "Pass" result for a setting such as this regardless of whether it is "Disabled" or "Not Configured". This is because failing "Not Configured" could display to the user a large number of "Fails" where there is no effective security risk and therefore potentially cause a genuine "Fail" which includes a security vulnerability to be missed.


Group Policy vs Locally Configured Settings

The CIS Benchmarks typically refer to the Group Policy setting that is required to apply a certain setting. 

Many settings can be configured using both Group Policy and locally using local registry settings, a Microsoft Management Console (MMC), PowerShell, or other user interface tool.

Where appropriate the XIA Configuration Server Compliance Benchmark will review both the Group Policy settings and the local settings to determine whether the benchmark test should pass or fail.



Summary

In summary both the CIS Benchmarks and the XIA Configuration Server Compliance Benchmark provide a way to help identify security vulnerabilities in your environment. Though they are both created independently from one another they are both firmly rooted in Microsoft best practices and therefore have similarities. The CIS Benchmarks are designed to provide a huge amount of background information and rationale behind the decisions whereas the XIA Configuration Server Compliance Benchmark is designed to provide a fast and reliable way to automatically test your environment against security best practices with little effort or intervention.


Comments

Post a Comment

Popular posts from this blog

Windows Server 2016, 2019, 2022, Windows 10 and Windows 11: Date and time "Some settings are managed by your organization".

Image
When you're using the new "Modern" date and time settings in Windows Server 2016, 2019, 2022, Windows 10 and Windows 11 you may find that you can't set the correct date and time and the value "Some settings are managed by your organization". - While you're here - Why not check out our Windows Server Documentation and Audit Tool? The simplest way around this is to go back to the proper control panel using Start, Run, "Control.exe" and searching for "Set the date".  Within here you can set the date and time manually as required If you try and click the Change time zone button you may again get access denied... To resolve this open an elevated command prompt by right clicking the command prompt and selecting Run as Administrator  From there run the command rundll32.exe shell32.dll,Control_RunDLL timedate.cpl This will open the Data and Time control panel app elevated as an Administrator.
Read more

TFTPD32 or TFTPD64 reports Bind error 10013 An attempt was made to access a socket in a way forbidden by its access permissions.

Image
When you start the trivial FTP (TFTP) server application TFTPD32 or TDTPD64 you may see the following error Bind error 10013 An attempt was made to access a socket in a way forbidden by its access permissions. This can be because another application is using this port. The easiest way to check if (and which) application is using the port is as administrator run an elevated command prompt and enter netstat -anb > ports.txt Then open ports.txt in Notepad and search for :69, you'll quickly be able to see the process using the required port - While you're here - Why not check out our Windows Server Documentation and Audit Tool?
Read more

Enable function lock for F1-F12 on HP ZBook mobile workstations

Image
When you press the function keys on a HP ZBook mobile workstation you may find that they don't operate as expected. This is because of function lock, if you hold the fn key the function keys work as expected. You can lock the function keys on as described in this document. https://support.hp.com/gb-en/document/c02035108 However there are two things to note Firstly following a BIOS upgrade (which occurs automatically if you have the preinstalled HP software still installed) you may lose your locked function keys and have to reapply.   Secondly the HP documentation states you press the fn lock and fn keys at the same time as per the image below from the page.  While you're here - Why not check out our Windows Server Documentation and Audit Tool? This is not the case, you need to press and hold the fn key, and then tap the fn lock key to toggle function lock, not an obvious thing when you start work first thing in the morning and are hammering the function keys try
Read more