CIS Benchmark Scanning

Utilize CIS Benchmark Scanning to verify your compliance with industry standard security best practices.

What is CIS Benchmark Scanning?

According to CIS Security, CIS Benchmarks are best practices for the secure configuration of a target system.

We support the following CIS Benchmarks:

Windows 7

Windows Server 2008 Domain Controller

Oracle Enterprise Linux 7 Server Level 1

Windows 7 with BitLocker

Windows Server 2008 Member Server

Oracle Enterprise Linux 7 Server Level 2

Windows 8.1

Windows Server 2008 R2 Domain Controller

Oracle Enterprise Linux 7 Workstation Level 1

Windows 8.1 with BitLocker

Windows Server 2008 R2 Member Server

Oracle Enterprise Linux 7 Workstation Level 2

Windows 10

Windows Server 2012 Domain Controller

 

Windows 10 with BitLocker

Windows Server 2012 Member Server

 

Windows 10 Enterprise v1511

Windows Server 2016 Domain Controller Level 1

 

Windows 10 Enterprise v1511 with BitLocker

Windows Server 2016 Domain Controller Level 2

 

Windows 10 Enterprise v1703

Windows Server 2016 Member Server Level 1

 

Windows 10 Enterprise v1703 with BitLocker

Windows Server 2016 Member Server Level 2

 

Windows 10 Enterprise v1709

CIS Windows Server 2019 Domain Controller

 

Windows 10 Enterprise v1803 with BitLocker and NextGen

CIS Windows Server 2019 Member Server

 

Windows 10 Enterprise v1809 with BitLocker and NextGen

 

 

Windows 10 Enterprise v1903

 

 

Windows 10 Enterprise v1909

 

 

Windows 11 Enterprise

 

 

Windows 11 Enterprise with BitLocker

 

 

Windows 11 Enterprise with BitLocker and NextGen

 

 

NOTE: The Oracle Enterprise Linux benchmarks require a set of SSH credentials, either password or key authentication. The Oracle Enterprise Linux 7 benchmarks require the “root” user to be used for scanning. All of the Windows benchmarks will require a set of Windows credentials. The user /credential / access requirements for CIS scanning are the same as Patch (authenticated) scanning.

You can run a scan against multiple types of hosts, such as a mix of various Windows clients and servers. However, for reporting, you can only report on one benchmark at a time. For example, only Windows 7 hosts.

Create a CIS Scan

There are a couple of ways to access and use CIS Benchmark Scans. If auto-enabled credentials are being used for the CIS Benchmark scanning, the default ‘CIS Benchmark Scan’ profile can be used.

  1. Create a new scan policy or copy an already existing one. For more information on creating and running scans, read: Create and Run Scans.
  2. From the navigation menu, select Scans > Scan Policies.
  3. Look for CIS Benchmark Scan. Select the Copy & edit button, found on the right-hand side.
  4. A new window opens. Rename the Scan Policy to something unique.
  5. Choose Credentials from the top tab.
  6. Toggle Compliance Scanning to ON.
  7. Under Select Credentials choose the credentials to be added.
  8. NOTE: Manage Scan Credentials (Authenticated Scanning) provides more information on Credentials.
  9. If needed, add credentials by choosing + Add Credential.
  10. Continue to fill the other fields as needed.
  11. Click Save, or Add Another if required.

Run a CIS Scan

  1. From the top toolbar select + New.
  2. Select Scan.

The Create New Scan window opens.

  1. Under Policy Options select Scan Policy.
  2. From the drop-down choose the previously named CIS Compliance scan.
  1. Complete the rest of the settings as needed.
  2. Select Create and run.

The new Scan will be added to the Upcoming Scheduled Scans list. From this screen you can edit or delete the Scan.