Center for Internet Security CIS Compliance Benchmarks and the XIA Configuration Server compliance benchmark tool

We've recently been speaking to our customers about compliance benchmarking and server hardening, and in particular whether XIA Configuration Server supports the Center for Internet Security (CIS) Compliance Benchmarks.

This article will describe the XIA Configuration Server product, the CIS Compliance Benchmarks and how they relate.


What is XIA Configuration Server?

XIA Configuration Server is a software product created by CENTREL Solutions which is designed to audit, document and track changes to server operating systems such as Windows and Linux, enterprise software such as Microsoft SQL Server and Microsoft Exchange Server as well as network devices and cloud platforms.


What are CIS Compliance Benchmarks?

The Center for Internet Security is a non-profit organization that creates security best practices using a consensus-based decision-making model. It produces individual benchmark guidelines in PDF format, called CIS Benchmarks, for a range of technologies and platforms.


Does XIA Configuration Server support CIS Benchmarks?

XIA Configuration Server implements its own security benchmark for Windows workstations and servers, which includes over 340 benchmark tests. These tests draw from the best practices defined by Microsoft in guidelines such as the following:

  • Microsoft password policy guidelines

  • Microsoft account lockout policy guidelines

  • Microsoft security options guidelines

  • Microsoft audit policy recommendations ("Stronger Recommendation")

The CIS Benchmarks for Windows operating systems also draw from these original Microsoft guidelines and, as such, there are synergies between the two benchmarks. However, XIA Configuration Server does not implement or draw from the CIS Benchmarks themselves.


What are the differences between the CIS Benchmarks and the XIA Configuration Server benchmark?

The following highlights some of the differences between the two benchmarks.


Background Information

The CIS Benchmarks are designed to provide a great deal of background information on the security settings and the rationale of the decisions made in the benchmark. The XIA Configuration Server Compliance Benchmark provides an automated way to test the configuration of a system against a benchmark and relies on the background information provided by the Microsoft security guidelines listed above.


Numbering

The CIS Benchmarks use deeply nested section numbering, which provides a hierarchy in which to present the detailed background information in the document.

This deep hierarchy does not translate well into a tabular format, so the XIA Configuration Server Compliance Benchmark uses a flatter decimal numbering scheme.



Configuration Options

Typically the CIS Benchmarks provide a single consensus-based setting to apply to the server or workstation.

As the XIA Configuration Server Compliance Benchmark is software-based, the system provides a range of configuration options. By default these options are set to the recommendation provided by the Microsoft guidelines, but they can be configured as required to meet business requirements.

https://www.centrel-solutions.com/media/xiaconfiguration/adminguideweb/WindowsBasicBenchmarkSettings.html



Operating System Versions

The CIS Benchmarks provide a distinct guide and benchmark for each Windows operating system including the security settings and rationale for each specific operating system version.

The XIA Configuration Server Compliance Benchmark is a single benchmark for all Microsoft Windows desktop and server operating systems, including:

  • Windows 8

  • Windows 8.1

  • Windows 10

  • Windows 11

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022


Whilst scanning the machine, the XIA Configuration Server Compliance Benchmark automatically detects the operating system and applies the appropriate tests for that version.


Functional Equivalence and Explicit Settings

One major distinction between the CIS Benchmarks and the XIA Configuration Server Compliance Benchmark is how they handle settings that can be "Not Defined" or "Not Configured".

For many benchmark tests a setting can be "Not Configured" in Group Policy, such as the "Turn off background refresh of Group Policy" setting.

As per the description of the Group Policy setting:

If you disable or do not configure this policy setting, updates can be applied while users are working.



CIS Benchmarks require that a setting is explicitly set even though the "Not Configured" option is functionally equivalent.

The XIA Configuration Server Compliance Benchmark will typically yield a "Pass" result for a setting such as this regardless of whether it is "Disabled" or "Not Configured". This is because failing "Not Configured" would present the user with a large number of "Fail" results where there is no effective security risk, potentially causing a genuine "Fail" that reflects a real security vulnerability to be overlooked.


Group Policy vs Locally Configured Settings

The CIS Benchmarks typically refer to the Group Policy setting that is required to apply a certain configuration.

Many settings can be configured both through Group Policy and locally, using registry settings, a Microsoft Management Console (MMC) snap-in, PowerShell, or another user interface tool.

Where appropriate, the XIA Configuration Server Compliance Benchmark will review both the Group Policy settings and the local settings to determine whether the benchmark test should pass or fail.
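As an added illustration of the two evaluation rules described above (treating "Not Configured" as a pass where it is functionally equivalent, and checking Group Policy before locally configured settings), the following PowerShell is example code written for this article, not XIA Configuration Server's or CIS's own implementation. The registry paths and value names it uses are assumptions taken from the Windows ADMX templates rather than from the article.

```powershell
function Test-BenchmarkSetting {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        # Registry paths in priority order: Group Policy location first, local location last.
        [Parameter(Mandatory)] [string[]] $Paths,
        [Parameter(Mandatory)] [string]   $ValueName,
        [Parameter(Mandatory)] [int]      $Recommended,        # value the benchmark recommends
        [Parameter(Mandatory)] [int]      $DefaultWhenAbsent   # effective value when Not Configured
    )

    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }

        # The first location that defines the value decides the verdict (policy overrides local).
        $actual = [int]$item.$ValueName
        $result = if ($actual -eq $Recommended) { 'Pass' } else { 'Fail' }
        return [pscustomobject]@{ Test = $Name; Result = $result; Source = "$path!$ValueName"; Value = $actual }
    }

    # Not configured anywhere: Pass only when the default behaviour is functionally equivalent,
    # rather than failing every setting that is merely not explicitly set.
    $result = if ($DefaultWhenAbsent -eq $Recommended) { 'Pass' } else { 'Fail' }
    return [pscustomobject]@{ Test = $Name; Result = $result; Source = 'Not Configured'; Value = $null }
}

# The registry mappings below are assumptions taken from the Windows ADMX templates, not from
# the article; confirm them against the templates for your operating system version.

# "Turn off background refresh of Group Policy": Disabled and Not Configured behave the same,
# so an absent value is reported as Pass (the article's example).
Test-BenchmarkSetting -Name 'Turn off background refresh of Group Policy' `
    -Paths 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableBkGndGroupPolicy' -Recommended 0 -DefaultWhenAbsent 0

# Domain-profile firewall state: the Group Policy key is checked before the local service key.
$firewallPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
)
Test-BenchmarkSetting -Name 'Windows Firewall: Domain profile enabled' `
    -Paths $firewallPaths -ValueName 'EnableFirewall' -Recommended 1 -DefaultWhenAbsent 1
```

Run it in an elevated PowerShell session so the HKLM policy keys are readable; the Source column shows which location produced each verdict.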



Summary

In summary, both the CIS Benchmarks and the XIA Configuration Server Compliance Benchmark provide a way to help identify security weaknesses in your environment. Though they were created independently of one another, both are firmly rooted in Microsoft best practices and therefore have similarities. The CIS Benchmarks are designed to provide a large amount of background information and rationale behind their decisions, whereas the XIA Configuration Server Compliance Benchmark is designed to provide a fast and reliable way to automatically test your environment against security best practices with little effort or intervention.

