CIS Benchmark Scanning

Utilize CIS Benchmark Scanning to verify your compliance with industry standard security best practices.

What is CIS Benchmark Scanning?

According to CIS Security, CIS Benchmarks are best practices for the secure configuration of a target system.

We support the following CIS Benchmarks:

Windows 7	Windows Server 2008 Domain Controller	Oracle Enterprise Linux 7 Server Level 1
Windows 7 with BitLocker	Windows Server 2008 Member Server	Oracle Enterprise Linux 7 Server Level 2
Windows 8.1	Windows Server 2008 R2 Domain Controller	Oracle Enterprise Linux 7 Workstation Level 1
Windows 8.1 with BitLocker	Windows Server 2008 R2 Member Server	Oracle Enterprise Linux 7 Workstation Level 2
Windows 10	Windows Server 2012 Domain Controller
Windows 10 with BitLocker	Windows Server 2012 Member Server
Windows 10 Enterprise v1511	Windows Server 2016 Domain Controller Level 1
Windows 10 Enterprise v1511 with BitLocker	Windows Server 2016 Domain Controller Level 2
Windows 10 Enterprise v1703	Windows Server 2016 Member Server Level 1
Windows 10 Enterprise v1703 with BitLocker	Windows Server 2016 Member Server Level 2
Windows 10 Enterprise v1709	CIS Windows Server 2019 Domain Controller
Windows 10 Enterprise v1803 with BitLocker and NextGen	CIS Windows Server 2019 Member Server
Windows 10 Enterprise v1809 with BitLocker and NextGen
Windows 10 Enterprise v1903
Windows 10 Enterprise v1909
Windows 11 Enterprise
Windows 11 Enterprise with BitLocker
Windows 11 Enterprise with BitLocker and NextGen

NOTE: The Oracle Enterprise Linux benchmarks require a set of SSH credentials, either password or key authentication. The Oracle Enterprise Linux 7 benchmarks require the "root" user to be used for scanning. All of the Windows benchmarks will require a set of Windows credentials. The user /credential / access requirements for CIS scanning are the same as Patch (authenticated) scanning.

You can run a scan against multiple types of hosts, such as a mix of various Windows clients and servers. However, for reporting, you can only report on one benchmark at a time. For example, only Windows 7 hosts.

Create a CIS Scan

There are a couple of ways to access and use CIS Benchmark Scans. If auto-enabled credentials are being used for the CIS Benchmark scanning, the default ‘CIS Benchmark Scan’ profile can be used.

Create a new scan policy or copy an already existing one. For more information on creating and running scans, read: Create and Run Scans.
From the navigation menu, select Scans > Scan Policies.
Look for CIS Benchmark Scan. Select the Copy & edit button, found on the right-hand side.
A new window opens. Rename the Scan Policy to something unique.
Choose Credentials from the top tab.
Toggle Compliance Scanning to ON.
Under Select Credentials choose the credentials to be added.

NOTE: Manage Scan Credentials (Authenticated Scanning) provides more information on Credentials.

If needed, add credentials by choosing + Add Credential.
Continue to fill the other fields as needed.
Click Save, or Add Another if required.

Run a CIS Scan

From the top toolbar select + New.
Select Scan.

The Create New Scan window opens.

Under Policy Options select Scan Policy.
From the drop-down choose the previously named CIS Compliance scan.

Complete the rest of the settings as needed.
Select Create and run.

The new Scan will be added to the Upcoming Scheduled Scans list. From this screen you can edit or delete the Scan.

Copyright © Fortra, LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.
Product Version | | June 2024