![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 21%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL7%3C/text%3E%3C/svg%3E)
CIS Benchmarks, including Level 2, are defined as baseline configuration guidance and not as a complete or universally appropriate hardening standard for every environment. They are explicitly positioned as a starting point that must be tailored to each organization’s workloads, architecture, and operational needs.
Key points that can be used with central IT:
- CIS Benchmarks are baselines, not exhaustive or universally prescriptive
- CIS Benchmarks are described as “configuration baselines and best practices for securely configuring a system,” not as a complete or final security configuration.
- Guidance explicitly states they “establish the basic level of security” and “should not be considered an exhaustive list of all possible security configurations and architecture.”
- Each organization “must still evaluate its specific situation, workloads, and compliance requirements and tailor its environment accordingly.”
- This means blindly enforcing all Level 2 settings via an automation tool, without validation against Azure Local/Entra ID design and application requirements, is contrary to how CIS intends the benchmarks to be used.
- CIS provides multiple security levels with different impact profiles
- CIS Benchmarks define:
- Level 1: “essential basic security requirements … should cause little or no interruption of service or reduced functionality.”
- Level 2: “security settings for environments requiring greater security that could result in some reduced functionality.”
- By design, Level 2 explicitly accepts the risk of reduced functionality. In a modern, integrated Azure/Entra environment, aggressive Level 2 settings enforced uniformly can therefore be expected to be potentially disruptive unless carefully tested and scoped.
- CIS Benchmarks define:
- CIS and Microsoft emphasize environment-specific implementation
- Microsoft’s CIS-related guidance points to prescriptive documents such as the CIS Benchmark for Azure and Windows security baselines as starting points for establishing a secure baseline.
- These baselines are intended to be evaluated and adapted, not applied identically across all tenants and architectures.
- For Azure, Microsoft publishes a CIS-aligned Azure Policy initiative (CIS Microsoft Azure Foundations Benchmark 1.3.0). Many of the controls in that initiative are:
- Marked as “Manual, Disabled” in the built-in policies.
- Intended for review, monitoring, or manual processes (for example, “Review malware detections report weekly,” “Review threat protection status weekly,” “Detect network services that have not been authorized or approved,” “Manage gateways”).
- The fact that these CIS-related policies are shipped disabled and often manual indicates that Microsoft does not assume they should all be automatically enforced in every environment. Instead, they are provided as guidance to be selectively enabled and implemented.
- CIS Hardened Images illustrate the need for scoped, tested hardening
- CIS Hardened Images are VM images “hardened to either a Level 1 or Level 2 CIS benchmark profile.”
- Hardening is described as limiting potential weaknesses but is scoped to specific images and profiles, not to every system and workload indiscriminately.
- This model supports the argument that any Level 2 enforcement (including via SteelCloud) should be applied where appropriate, validated, and tested, rather than pushed uniformly across heterogeneous Azure Local/Entra-based workloads.
- Ongoing change and updates require careful management of automated enforcement
- CIS Benchmarks are updated over time based on technology changes and community feedback.
- CIS distributes monthly reports announcing new and updated benchmarks, and there is a formal feedback and revision process.
- Automated enforcement tools must therefore be managed so that changes in benchmarks and platform behavior do not introduce unexpected disruptions when new or modified controls are pushed into production.
These points collectively support the position that:
- CIS Level 2 controls are intentionally more aggressive and can reduce functionality.
- CIS and Microsoft both position benchmarks and baselines as starting points that must be tailored.
- Microsoft’s own CIS-aligned Azure policies are not all enforced by default and many are manual, reinforcing that automatic, blanket enforcement is not assumed to be safe.
- Any tool that enforces Level 2 settings across a modern Azure Local/Entra ID environment should be used with a design, testing, and exception process, rather than as a simple “turn on everything” mechanism.
References: