To what extent, if any, have the SCM Windows 7 EC desktop baseline (and others) been based upon the CIS Benchmarks?

  • Question

  • Hi

    I'm looking at both of these at the moment and many of the settings in SCM are similar to the recommendations found in the CIS Benchmarks document (see Microsoft Windows 7 Benchmarks in https://benchmarks.cisecurity.org/en-us/?route=downloads.multiform).

    Can you tell me if you used this as a resource when creating the tool and to what extent these recommendations were applied?


    Monday, December 12, 2011 11:09 AM

All replies

  • Bondy;

    It's complex and my response may be a little longer than you were expecting. We don't use the CIS benchmarks as a primary resource; however, we are aware of them, we do participate in CIS' community as contributors to benchmarks of Microsoft products, and many active members of CIS's community are also keen participants in Beta reviews of our baselines. So, of course there are similarities between our recommendations and theirs. In fact, starting about 7 years ago I was tasked with urging CIS, NIST, the NSA, and DISA to adjust their guidance to align more closely with Microsoft's, and each of those organizations persuaded Microsoft to make changes to the Microsoft guidance and even the out-of-the-box settings for Windows. I worked on that for about 2 years, and made great progress. There was movement in both directions, i.e. it wasn't just Microsoft telling the other organizations which settings they were recommending that were unsupportable, but rather that those organizations also opened Microsoft's collective eyes to various settings and the potential consequences of leaving them at the default values they had back in Windows 2000 or Windows XP SP1.

    There are a lot of similarities across the guidance from all of these organizations now; however, there are differences, and this is to be expected. Each organization targets a different audience with unique environments and capabilities; additionally, each starts with different assumptions and goals. In other words, one size doesn't fit all when it comes to security. NIST's philosophy with the USGCB baselines for the FDCC program is to establish a minimal security baseline that every federal agency can implement, while DISA's philosophy with their STIGs and checklists is the highest level of security that is feasible, even if it means significant extra time for soldiers to implement and maintain computers.

    I still participate in CIS's discussions on benchmarks for Windows, IE, and other Microsoft products, and I know other people who are still active in both CIS's community and Beta reviews for SCM and our baselines. Feel free to sign up for our Beta reviews by joining our group on Microsoft Connect, we're at https://connect.microsoft.com/site715.


    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard Tuesday, December 13, 2011 7:23 PM
    Monday, December 12, 2011 4:55 PM