Sicura Enterprise Edition

Windows CIS module usage

Limitations

This module has been tested and is supported on Domain Controllers, Domain Members, and standalone systems running the following Windows versions:

CIS recommendations in section 19 contain settings that must be enforced per user. These settings are not easily enforced via Puppet at this time. To enforce these recommendations, we have provided Group Policy templates with compliant settings in the files folder of the module. By default, these templates are copied to C:\Windows\Temp\SIMP-GP on all Domain Controllers. To modify the destination directory, set the following parameter in Hiera at a higher level than compliance_markup:

simp_enterprise_windows_cis::usergpo_dest_folder: 'C:\Windows\Temp\SIMP-GP'

To disable copying the template files to Domain Controllers, set the following parameter in Hiera at a higher level than compliance_markup:

simp_enterprise_windows_cis::add_usergpo_templates: false

To import the template to Active Directory:

  1. Create a new Group Policy Object in Active Directory.
    • Settings can also be imported into existing Group Policy Objects, but this is not recommended.
  2. Right-click the new GPO and select Import Settings.
  3. Click Next on the initial description screen.
  4. Click Next on the backup screen.
  5. Click Browse on the backup location screen and select either USER-L1 or USER-L2 from C:\Windows\Temp\SIMP-GP. Click OK to return to the import wizard. Click Next to continue.
    • The ‘USER-L1’ folder contains the settings for L1 profiles, and the ‘USER-L2’ folder contains settings for L2 profiles. If you wish to enforce an L2 profile, you will need to import settings for both L1 and L2.
  6. Click the name of the backup in the list if it is not already selected, then click Next.
  7. Click Next on the Scanning Backup screen.
  8. Click Finish on the completion summary screen.
  9. Link the new GPO to the Organizational Units containing user accounts.
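
The same import can be scripted on a Domain Controller with the GroupPolicy PowerShell module. This is an added example, not part of the Sicura module: the GPO names and the OU distinguished name are placeholders, and it assumes each USER-L* folder holds exactly one GPMC-format backup in a {GUID} sub-folder.

```powershell
#Requires -Modules GroupPolicy
# Added example. GPO names and the OU below are placeholders, not values shipped with the module.
param(
    [ValidateSet('L1', 'L2')]
    [string]$Level = 'L1',
    [string]$TemplateRoot = 'C:\Windows\Temp\SIMP-GP',          # default usergpo_dest_folder
    [string]$UserOU = 'OU=Users,OU=Example,DC=example,DC=com'  # placeholder OU holding user accounts
)

$ErrorActionPreference = 'Stop'

# An L2 profile needs the L1 settings as well, so import both backups.
$folders = if ($Level -eq 'L2') { 'USER-L1', 'USER-L2' } else { 'USER-L1' }

foreach ($folder in $folders) {
    $backupPath = Join-Path $TemplateRoot $folder
    if (-not (Test-Path $backupPath -PathType Container)) {
        throw "Template folder not found: $backupPath"
    }

    # Assumption: standard GPMC backup layout, one sub-folder named {GUID} per backup.
    $backupDirs = @(Get-ChildItem -Path $backupPath -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })
    if ($backupDirs.Count -ne 1) {
        throw "Expected exactly one GPO backup in $backupPath, found $($backupDirs.Count)"
    }
    $backupId = [guid]$backupDirs[0].Name

    # One dedicated GPO per backup: Import-GPO replaces whatever settings the
    # target GPO already holds, so L1 and L2 must not share a target.
    $gpoName = "SIMP CIS $folder"   # hypothetical GPO name
    Import-GPO -BackupId $backupId -Path $backupPath -TargetName $gpoName -CreateIfNeeded | Out-Null

    # Link the GPO to the OU only if it is not linked there already.
    $linked = (Get-GPInheritance -Target $UserOU).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) {
        New-GPLink -Name $gpoName -Target $UserOU -LinkEnabled Yes | Out-Null
    }
    Write-Output "Imported $folder into '$gpoName' and linked it to $UserOU"
}
```

Run it once per OU that contains user accounts, passing `-Level L2` when an L2 profile is being enforced.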