Updating CIS for Windows Server 2016 to newer benchmarks
This document provides information about the hotfix containing Center for Internet Security (CIS) templates for Windows Server 2016, with implementation for 396 rules that can be installed on TrueSight Server Automation 8.9.00 or later versions. This template is created based on the recommended settings defined by Microsoft Windows Server 2016 RTM (Release 1607) Security Configuration Benchmark Version 1.2.0, published on May 27, 2020.
Before you begin
Before you install this hotfix, ensure that all compliance content provided by BMC in your environment is at least updated to version 8.9.
Step 1: Downloading and installing the files
Login to ftp.bmc.com host using SFTP protocol. Download the CIS - Windows Server 2016.zip package from the following location:
Click here to expand checksum related infromation
Verify the downloaded content by using the following check sums.
CIS - Windows Server 2016.zip
- Move the CIS - Windows Server 2016.zip package to your RCP client server.
Step 2: Importing the Compliance Content
- Log on to the Console.
- Right-click Component Templates and select Import.
The Import Wizard starts.
- Select the Import (Version-neutral) option.
- Select the CIS - Windows Server 2016.zip package from the temporary location and click Next.
The CIS template for CIS - Windows Server 2016 is available in the CIS - Windows Server 2016.zip package. To import the templates, select the zip file and click Next.
Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.
Navigate to the last screen of the wizard and then click Finish.
The templates are imported successfully.
Rules within the templates
The following are the details of the 396 rules provided in the zip package. It contains the following types of rules:
- Rules that check for compliance and provides remediation - 374
- Rules that check for compliance but do not provide remediation - 22
The following are the details of the rules that are divided into parts:
Rules not divided into parts – 371
Rules divided into two parts (Rule ID 126.96.36.199.13, 188.8.131.52, 184.108.40.206.1, 220.127.116.11.1, 18.104.22.168.3) - (5 * 2) = 10
Rules divided into three parts (Rule ID 22.214.171.124.2, 126.96.36.199) - (2 * 3) = 6
Rules divided into four parts (Rule ID: 188.8.131.52) - (1 * 4) = 4
Rules divided into five parts (Rule ID: 184.108.40.206) - (1 * 5) = 5
So, the current rule count according to CIS Windows 2016 template after running the compliance job is 396 (371 + 10 + 6 + 4 + 5).
Ensure that you have gone through the following points before you run the compliance checks or perform remediation:
- While running compliance jobs on domain controller targets, set the target server's DOMAIN property to DC.
- Leave DOMAIN property blank for member servers and standalone systems. Ensure that the value for the DOMAIN property is set to DC on all the domain controllers targets and on all non-domain systems (Member Servers). This property can either be BLANK or can be any string other than DC.
Rule IDs Without Remediation and Undo
No remediation is provided as both GPO's Reset account lockout Counter after(Rule ID 1.2.3) and Account lockout duration (Rule ID 1.2.1) have dependency and it should be resolved manually in case of non compliant.
220.127.116.11 , 18.104.22.168
The remediation requires user input which has to be maintained by the organization.
Section 19 Rules (22.214.171.124 , 126.96.36.199 , 188.8.131.52 , 184.108.40.206 , 220.127.116.11 , 18.104.22.168.1 , 22.214.171.124 , 126.96.36.199 , 188.8.131.52 , 184.108.40.206 , 220.127.116.11 , 18.104.22.168 , 22.214.171.124 , 126.96.36.199 , 188.8.131.52.1)
RULE IS WHICH PROPERTY IS USED