Azure - CIS Microsoft Windows Server 2016 RTM Benchmark Compliance
All virtual machines hosted in Azure should adhere to the campus Departmental IT Security Baseline. Adherence to the Departmental IT Security Baseline is the responsibility of Azure customers.
To make Departmental IT Security Baseline compliance easier, a subset of the Center for Information Security 'CIS Microsoft Windows Server 2016 RTM Benchmark (Level 1)' can be applied to a VM provisioned using Microsoft's Windows Server 2016 RTM templates.
As part of the Windows Server 2016 RTM VM provisioning (recommended):
- Add a Custom Script Extension that uses azure-uwmadison_security_baseline-windows_server_2016_cis.ps1 as the script file. This will configure the VM to meet a subset of the CIS Microsoft Windows Server 2016 RTM Benchmark (Level 1) as part of the provisioning process.
After a Windows Server 2016 RTM VM has been provisioned:
- Download azure-uwmadison_security_baseline-windows_server_2016_cis.ps1 on the new VM, and run .\azure-uwmadison_security_baseline-windows_server_2016_cis.ps1 from Windows PowerShell (Run as Administrator) to configure the VM to meet a subset of the CIS Microsoft Windows Server 2016 RTM Benchmark (Level 1).
A copy of the 'Security Configuration Assessment Report for the Windows Server 2016 RTM template can be found here. In addition to the changes documented in the assessment report, Windows Firewall is configured to only allow incoming Remote Desktop connections from Well-known UW-Madison Campus IP address ranges.
To make changes to this configuration (e.g., updating the Windows Update settings), changes must be made using the Group Policy Object Editor:
- Login to the Windows VM using Remote Desktop
- Open the Microsoft Management Console (mmc.exe)
- File -> Add/Remove Snap In...
- Group Policy Object Editor
- Add >
- Group Policy Object: Local Computer
Microsoft provides additional details on the Windows settings available for configuration via group policy at
Group Policy Settings Reference for Windows and Windows Server
About the Center for Internet Security
"The Center for Internet Security (CIS) is a 501(c)(3) organization dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. Utilizing its strong industry and government partnerships, CIS combats evolving cybersecurity challenges on a global scale and helps organizations adopt key best practices to achieve immediate and effective defenses against cyber attacks. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), CIS Security Benchmarks, and CIS Critical Security Controls."
About the CIS Microsoft Windows Server 2016 RTM Benchmark
"[The CIS Microsoft Windows Server 2016 RTM Benchmark] provides prescriptive guidance for establishing a secure configuration posture for CIS Microsoft Windows Server 2016 RTM.
To obtain the latest version of this [benchmark], please visit https://benchmarks.cisecurity.org."