CIS Benchmark Hardening Issue on Windows Server 2022

Shi Hao 1 Reputation point
2022-10-31T07:47:34.42+00:00

Hi,

I'm having some issues hardening Windows Server 2022.

We are performing hardening based on the CIS Benchmark. However, after we changed those group policy values, some of the policy values revert after a certain time, or some of them end up with a different value. FYI, this is a standalone server.

Related Hardening Item:

  1. 2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
    CIS Benchmark Value: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
    Actual Value: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types (will revert to the default value or change automatically after a certain time)
  2. 18.5.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'
    CIS Benchmark Value: Enabled: 3 = Prevent Wi-Fi when on Ethernet (Regedit Value = 3)
    Actual Value: Enabled (Regedit Value = 1)
    *The actual value is not reflected in regedit, and it might revert to the default value a certain time after the value is changed manually in regedit.
  3. 18.9.100.1 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'
    CIS Benchmark Value: Enabled (Regedit Value = 1)
    Actual Value: Enabled (Regedit Value = 0)
    *The actual value is not reflected in regedit, and it might revert to the default value a certain time after the value is changed manually in regedit.

We would appreciate it if someone could let us know what the root cause is, or whether anyone has faced this issue before.

Thanks in advance.

Best Regards,
Shi Hao


3 answers

  1. Michael Durkan 12,241 Reputation points MVP
    2022-10-31T08:15:13.343+00:00

    Hi @Shi Hao

    When does the revert of values happen? Randomly while the device is on, or after restart/reboot?

    The changes really depend on what you are using the server for. In most cases the SYSTEM built-in user has Full Control rights to update registry entries based on what applications, devices or other conditions or requirements it sees on the system.

    Your options here are to deny the SYSTEM account access to the registry entries that you want to keep (not an option I would take, and if you choose to do this, ensure you have a backup of your server including the registry in case of issues), or else run a regular Scheduled Task on your server to run LGPO to apply the CIS Hardening Template to maintain the hardening standards you wish to maintain.

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
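
A read-only drift check for the three items in the question, added here as an example and not posted by anyone in the thread. Run from a Scheduled Task at a short interval, its timestamped CSV narrows down when a value changes, which is the question the answer above asks. The registry locations and data are the ones the CIS benchmark documents for these items (confirm against your benchmark version); the log path and function name are hypothetical.

```powershell
# Added example: read-only drift check for the three CIS items in this thread.
# Registry locations and data are those the CIS benchmark documents for each
# item; confirm them against the benchmark version you are applying.
$Baseline = @(
    [pscustomobject]@{ Id = '2.3.11.4'; Name = 'SupportedEncryptionTypes'; Want = 2147483640
        Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' }
    [pscustomobject]@{ Id = '18.5.21.1'; Name = 'fMinimizeConnections'; Want = 3
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' }
    [pscustomobject]@{ Id = '18.9.100.1'; Name = 'EnableScriptBlockLogging'; Want = 1
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' }
)
$LogFile = 'C:\HardeningDrift\drift.csv'   # hypothetical log location

function Get-CisDrift {
    param([Parameter(Mandatory)][object[]]$Items)
    foreach ($item in $Items) {
        $actual = $null
        try {
            $actual = Get-ItemPropertyValue -Path $item.Path -Name $item.Name -ErrorAction Stop
        } catch {
            # Key or value absent; reported as 'Missing' below.
        }
        if ($null -eq $actual)             { $state = 'Missing' }
        elseif ($actual -eq $item.Want)    { $state = 'Compliant' }
        else                               { $state = 'Drifted' }

        # One record per item per run, so the CSV shows when a value changed.
        [pscustomobject]@{
            Time     = (Get-Date).ToString('o')
            Id       = $item.Id
            Value    = $item.Name
            Expected = $item.Want
            Actual   = $actual
            State    = $state
        }
    }
}

$results = Get-CisDrift -Items $Baseline
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
$results | Export-Csv -Path $LogFile -Append -NoTypeInformation
$results | Where-Object State -ne 'Compliant' | Format-Table -AutoSize
```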

  2. Shi Hao 1 Reputation point
    2022-11-01T09:54:49.24+00:00

    Hi @Michael Durkan

    The issue happens very randomly, and these are just a few of the policies that are being reverted.


  3. Bret Staton 0 Reputation points
    2023-05-04T14:34:46.64+00:00

    Hello,

    It kinda sounds like you are updating one server's local GPO setting, and domain GPOs are overwriting them later. Have you tried making the GPO policy in AD and applying the policy to just one server?
