CIS: Windows Server 2019


This document describes the hotfix that contains the Center for Internet Security (CIS) templates for Windows Server 2019. The templates implement 413 rules and can be installed on TrueSight Server Automation 20.x or later. The template is based on the recommended settings defined in the Microsoft Windows Server 2019 Security Configuration Benchmark Version 1.3.0, published on Mar 18, 2022.

Important

  • On the file server, check the value of the featureCisWin19Template key in the content.version file, located in the %FILESERVER%\BladeLogic\storage\Content directory. Depending on the value, do one of the following:
    • If the value is 23.1.00.000, you don’t need to perform the steps mentioned in this topic, as these templates are deployed as part of the 23.1 installation process.
    • If the value is lower than 23.1.00.000, perform the steps mentioned in this topic to deploy these templates.
  • Ensure that the default values for the template's local and global properties meet the organization standards.

Before you begin

  • Before you install this hotfix, ensure that all compliance content provided by BMC in your environment is updated to version 20.02.x or later.
  • If the existing template is customized, rename it before you import the new one and perform the following steps.
  • Ensure that you have reviewed the default values for the template's local and global properties so that they match the organization standards.

Step 1: Downloading and installing the files

  1. Download the CIS - Windows Server 2019 package from the below location.


    Verify the downloaded content by using the following checksums.

    S.No | File Name                     | MD5SUM
    1    | CIS - Windows Server 2019.zip | a1ff42b174acecafa49292d49afa68bb

    Important

    There is no change in the extended_objects package for CIS - Windows Server 2019 version 1.3.0.

  2. Move the CIS - Windows Server 2019 package to your RCP client server.
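
The two checks described so far (the featureCisWin19Template value against 23.1.00.000, and the MD5 of the downloaded zip) can be scripted. The following is an added example, not BMC code; it assumes that content.version stores one key=value pair per line, and the function names are hypothetical.

```python
import hashlib
import hmac
from pathlib import Path

# Values taken from this page.
BASELINE = "23.1.00.000"
PACKAGE_MD5 = "a1ff42b174acecafa49292d49afa68bb"


def _version_tuple(text):
    """'20.02.01.000' -> (20, 2, 1, 0); short values are zero-padded to 4 fields."""
    parts = [int(part) for part in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def hotfix_required(content_version_text, key="featureCisWin19Template"):
    """Return True when the key's value is lower than BASELINE.

    Assumption: content.version holds one key=value pair per line.
    A missing key raises KeyError, because the page does not cover that case.
    """
    for line in content_version_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return _version_tuple(value) < _version_tuple(BASELINE)
    raise KeyError(f"{key} not found in content.version")


def md5_matches(path, expected=PACKAGE_MD5):
    """Stream the file through MD5 and compare with the published digest.

    A match rules out a truncated or corrupted download; MD5 is not
    collision-resistant, so it is not proof of who produced the file.
    """
    digest = hashlib.md5(usedforsecurity=False)
    with Path(path).open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected.strip().lower())


if __name__ == "__main__":
    # Constructed sample content, not a real content.version file.
    sample = "featureCisWin19Template=20.02.01.000\n"
    print("deploy hotfix:", hotfix_required(sample))
    archive = Path("CIS - Windows Server 2019.zip")
    if archive.exists():
        print("checksum ok:", md5_matches(archive))
```

Version fields are compared as integers, so 20.02 sorts below 23.1 even though a plain string comparison of the raw values would not be reliable.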

Step 2: Importing the compliance content

  1. Log on to the console.
  2. Right-click Component Templates and select Import.

  3. In the Import Wizard window, select Import (Version-neutral).

  4. Select the CIS - Windows Server 2019.zip package that you downloaded and click Next.

    Note

    The CIS templates for CIS - Windows Server 2019 are available in the CIS - Windows Server 2019.zip package.


  5. To import the templates, select the CIS - Windows Server 2019.zip file and click Next.

    Note

    Ensure that you select the Use existing objects and Preserve template group path options before you click Next.


  6. Navigate to the last screen of the wizard and click Finish.

  7. The templates are imported successfully. Click OK.

    Note

    The imported templates are shown under CIS Compliance Content > CIS.


Rules within the templates

The zip package provides 413 rules of the following types:

  • Rules that check for compliance (audit) and provide remediation - 388
  • Rules that check for compliance (audit) but do not provide remediation - 24
  • Rules that do not check for compliance and do not provide remediation - 1

Some rules are divided into parts, as follows:

  • Rules not divided into parts - 388
  • Rules divided into two parts (6 rules), so 6 * 2 = 12
  • Rules divided into four parts (2 rules), so 2 * 4 = 8
  • Rules divided into five parts (1 rule), so 1 * 5 = 5

So, the rule count reported by the CIS Windows 2019 template after running the compliance job is 413 (388 + 12 + 8 + 5).

Note

Before you run the compliance checks or perform remediation, ensure that you perform the following tasks: 

  • While running compliance jobs on domain controller targets, set the DOMAIN property of the target server to DC.
  • Leave the DOMAIN property blank for member servers and standalone systems. Ensure that the value for the DOMAIN property is set to DC on all the domain controller targets and on all non-domain systems (Member Servers). This property can either be blank or can be any string other than DC for member servers.
  • Ensure that you copy the required ADMX/ADML files specified in the CIS benchmark to the policy definition location. Remediation occurs only when these files are available. For more details, see section 18 of the CIS benchmark. By default, the policy definitions are located at:
    MS: %systemroot%\PolicyDefinitions
    DC: %SYSTEMROOT%\SYSVOL\sysvol\!USERDNSDOMAIN!\Policies\PolicyDefinitions

 
