Implement CIS v2.0.0 Policy

[eneerge]

Policy here: https://workbench.cisecurity.org/benchmarks/14355

[eneerge]

• [x] REMOVE - 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' Ticket # 15199
• [x] ADD - 18.10.35.1 (L1) 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always' 16403
• [x] UPDATE - Section changes from Windows 11 Release 22H2 Administrative Templates Ticket# 17124
• [x] UPDATE – 18.10.87 (L1) 'Turn on PowerShell Transcription' is set to 'Disabled' TO 'Enabled' Ticket# 17516
• [x] UPDATE - 18.10.43.6.1 (L1) Ensure 'Configure Attack Surface Reduction rules' with additional ASR rule for "Block abuse of exploited vulnerable signed drivers" Ticket # 17588
• [x] ADD - 2.2 (L1) Ensure 'Deny log on as a service' to include 'Guests' Ticket # 19376
• [x] ADD - 9.3 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' Ticket # 19377
• [x] ADD - 18.10.33 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' Ticket # 19379
• [x] ADD - 18.10.67 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' Ticket # 19380
• [x] REMOVE - 19.7.7 (L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled' Ticket #20127
• [x] REMOVE - 19.7.7 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled' Ticket #20128
• [x] REMOVE - 19.7.7 (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled' Ticket #20129
• [x] REMOVE - 19.7.7. (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled' Ticket #20130
• [x] REMOVE 19.1.3 (L1) Ensure 'Enable screen saver' is set to 'Enabled' Ticket #20131
• [x] REMOVE 19.1.3 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' Ticket #20132
• [x] REMOVE 19.1.3 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' Ticket #20133
• [ ] REMOVE - 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' Ticket# 17565
• [ ] REMOVE - 18.10 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' Ticket #20134

[eneerge]

Opposing removal of 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' Ticket# 17565

Built in admin accounts does not run in admin approval mode (unless set to). Built in admin also has well known security identifier. Remote access to this account SHOULD be disabled, but I prefer the entire account being disabled. There shouldn't be any reason to have it available. CIS discussion here: https://workbench.cisecurity.org/community/2/tickets/16339

In my environment, we create a new admin account and it's managed by LAPs. Per previous guidelines (disable unused accounts), I will leave this built-in account disabled.

[eneerge]

Opposing removal of 18.10 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' Ticket #20134

Per the CIS ticket (https://workbench.cisecurity.org/tickets/20134). They removed it because they claim it's no longer available in Intune. The setting may have have been removed from a built in configuration profile, but it still shows up in the CSP documentation (https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode). I prefer to always pull from HTTP and have kept this setting in place.

[eneerge]

Other notes:

For 18.10.43.4.1.1 and 18.10.43.4.1.2 (Attack Surface Reduction):

• Security Enhancements: Blocking of files unless they meet a prevalence has been added in addition to CIS recommendations. See https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion
• Opposed: Block Office communication application from creating child processes. I found that this setting prevented some apps from functioning properly.

9.3.5 has a duplicate entry because in the CSP policy documentation, there exists 2 seperate settings:

• https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileallowlocalipsecpolicymerge
• https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstoredomainprofileallowlocalpolicymerge