In today's digital world, where cyber attacks are becoming more sophisticated, compliance with security standards is crucial for companies. Two of the most well-known frameworks in this area are the CIS Benchmarks (from the Center for Internet Security) and the Microsoft Security Baselines.
Both serve to harden systems and networks and to reduce the attack surface. They differ, however, in their approach, their target audience, and the use cases for which they were developed. While CIS Benchmarks exist for a wide range of operating systems and platforms, from Amazon Web Services to Ubuntu Linux, the Microsoft Security Baselines focus exclusively on Microsoft technologies and their ecosystem. Important: the CIS Benchmarks are nevertheless also regarded as the gold standard for hardening Microsoft and Windows operating systems.
In this blog post, we compare the two security standards, including their strengths, weaknesses, and optimal areas of application.
The most important points in brief
- CIS Benchmarks and Microsoft Security Baselines are IT security frameworks that close configuration gaps, with different approaches and areas of application.
- CIS Benchmarks: available for many platforms, flexible and detailed; regarded as the gold standard in system hardening for Windows and Microsoft 365 and the first choice for companies that take IT security seriously.
- Microsoft Security Baselines: easy to implement and a good starting point for companies with limited resources, but with little flexibility and a lower level of hardening.
SOFTTAILOR as a partner: SOFTTAILOR supports companies with tailor-made system hardening solutions to meet security requirements and minimize cyber risks.
1. What are CIS benchmarks?
Definition
The CIS Benchmarks are a series of best practices for securely configuring IT systems, known as system hardening, developed by the Center for Internet Security (CIS). These benchmarks are designed to minimize attack vectors and improve overall cybersecurity. They are industry-independent and cover a wide range of platforms, including operating systems, cloud services, web browsers, and more. The Center for Internet Security is a community-driven non-profit organization that develops and regularly updates best practices to help organizations worldwide improve their IT security.
According to CIS, their mission is:
“The development and promotion of best-practice solutions for cyber defense.”
Design and structure
CIS benchmarks follow a modular structure that is divided into two profile levels:
- Level 1: these configurations provide basic security measures that have minimal impact on functionality.
- Level 2: these settings are more restrictive and are intended for environments that require a higher level of security, such as heavily regulated industries. Level 2 builds on Level 1, so a Level 2 profile includes all Level 1 recommendations.
In addition, some CIS benchmarks contain a STIG profile that explicitly meets the requirements of the Security Technical Implementation Guides (STIGs) of the US Department of Defense (DoD). For German companies this is largely irrelevant, since the STIGs are binding only for the DoD itself and its suppliers.
In addition, CIS offers so-called Hardened Images: pre-built virtual machine images that are hardened according to the benchmarks and are available in cloud environments such as Microsoft Azure or AWS.
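In practice, the Level 1 / Level 2 split works as a filter over the individual recommendations: an audit against the Level 2 profile runs every Level 1 check plus the stricter ones. The following PowerShell script is an added example written for this post, not CIS material and not CIS-CAT output. It audits a handful of real, registry-backed Windows policy values against expected hardened states; the set of checks and the Level assigned to each are assumptions for illustration, not quotations of the benchmark, so replace them with the recommendations of the benchmark version you actually use.

```powershell
# Added example (not from CIS): audit registry-backed Windows settings by
# benchmark profile level. Registry paths and value names are real Windows
# policy locations; the Level assignments below are illustrative assumptions.
# Run in an elevated PowerShell on the Windows machine under test (read-only).

$Recommendations = @(
    @{ Level = 1; Title = 'Network security: LAN Manager authentication level = Send NTLMv2 response only, refuse LM & NTLM'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Level = 1; Title = 'Interactive logon: Do not require CTRL+ALT+DEL = Disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableCAD'; Expected = 0 },
    @{ Level = 1; Title = 'User Account Control: Run all administrators in Admin Approval Mode = Enabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1 },
    @{ Level = 1; Title = 'SMBv1 server disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1'; Expected = 0 },
    @{ Level = 2; Title = 'Network access: Do not allow storage of passwords and credentials for network authentication = Enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'DisableDomainCreds'; Expected = 1 }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist, instead of throwing.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-BenchmarkProfile {
    param([ValidateSet(1, 2)][int]$Level = 1)
    # Level 2 is a superset of Level 1, so keep every recommendation whose
    # level is <= the requested profile.
    foreach ($r in $Recommendations | Where-Object { $_.Level -le $Level }) {
        $actual = Get-RegistryValueOrNull -Path $r.Path -Name $r.Name
        # An absent value means the setting is not enforced by policy; report it
        # separately so it is reviewed rather than silently counted as compliant.
        $status = if ($null -eq $actual) { 'NOT CONFIGURED' }
                  elseif ($actual -eq $r.Expected) { 'PASS' }
                  else { 'FAIL' }
        [pscustomobject]@{
            Level    = "L$($r.Level)"
            Status   = $status
            Expected = $r.Expected
            Actual   = $actual
            Title    = $r.Title
        }
    }
}

# Level 1 only: the low-impact baseline.
Test-BenchmarkProfile -Level 1 | Format-Table -AutoSize
# Level 2: the Level 1 checks plus the stricter ones; show only the findings.
Test-BenchmarkProfile -Level 2 | Where-Object Status -ne 'PASS' | Format-Table -AutoSize
```

The script only reads the registry, so it is safe to run on a production system. A value reported as NOT CONFIGURED is deliberately not folded into FAIL: the operating-system default may or may not match the recommendation, and a real benchmark states for each item whether the default is acceptable.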
Benefits of using CIS Benchmarks
vendor-independent
The CIS benchmarks provide vendor-neutral and independently developed configuration guidelines that are suitable for numerous platforms and manufacturers.
According to CIS, they are:
“The only vendor-neutral, independently developed configuration guidance for both public and private industry offering a built-in, on-demand, and scalable secure computing environment.”
Although specific benchmarks are required for each platform (e.g. Windows, Linux, macOS), the independence from manufacturers and support for many platforms sets CIS benchmarks apart from other standards.
Security & compliance
CIS benchmarks are considered more secure and comprehensive than many other frameworks, including the Microsoft Security Baselines. They minimize attack vectors and help companies meet security standards and comply with regulatory requirements such as the GDPR or HIPAA.
The more comprehensive security policies and their higher granularity make them a preferred choice for organizations that have advanced security requirements or belong to strictly regulated industries.
flexibility
CIS Benchmarks provide customizable guidelines that can be adapted to a company's specific requirements. This flexibility is particularly helpful for organizations that want to develop custom security strategies.
Community-driven development
The benchmarks are regularly reviewed and updated by a global community of experts. This collaborative approach ensures that guidelines remain current, relevant, and independent of commercial interests.
Critical aspects
Some challenges in implementing the CIS benchmarks are discussed in the community:
- Complexity: the benchmarks can be complex and require a deep understanding of the systems.
- Resource-intensive: implementation, particularly at Level 2, requires considerable technical and personnel resources.
- Over-regulation: in some cases settings may be too restrictive and cause unexpected problems, such as broken functionality or reduced system performance. Individual adjustment to company requirements and comprehensive testing help here.
- No vendor support: unlike Microsoft, there is no dedicated support structure behind the benchmarks.
The most important CIS benchmarks
The CIS benchmarks cover a wide range of platforms and technologies. Two deserve particular attention here: the benchmarks for Microsoft Intune and Microsoft 365, since these technologies are widely used in modern corporate environments. Both provide specific guidance for configuring them securely.
CIS Benchmark: Microsoft Intune for Microsoft Windows
This benchmark focuses on securely managing Windows devices with Microsoft Intune. It contains best practices for configuring Windows systems to work securely, efficiently and in compliance with regulatory requirements. The CIS Benchmarks for Microsoft Intune provide detailed guidelines on how security policies should be configured for Windows 10 and 11 to minimize attack vectors.
CIS Benchmark: Microsoft 365
The CIS Microsoft 365 Foundations Benchmark provides detailed security guidelines developed specifically for the secure use of Office applications, cloud services, and the Microsoft 365 infrastructure. It covers aspects such as authentication, access controls, data management, and permissions.
An important advantage of this benchmark is its timeliness: it is regularly adapted to new threats and to changes in the Microsoft 365 architecture, which makes it particularly reliable. Many practitioners regard the CIS benchmarks as more secure and reliable than the Microsoft Security Baselines.
2. What are Microsoft Security Baselines?
Definition
The Microsoft Security Baselines are predefined security policies designed specifically for Microsoft products and services. They provide administrators with a consistent basis for hardening systems and networks and for ensuring security within the Microsoft ecosystem.
Integration with the Microsoft ecosystem
The baselines can be deployed via Microsoft Intune, Microsoft Configuration Manager (MECM/SCCM), or Group Policy. Among others, the following Microsoft Security Baselines are available:
- Security Baseline for Windows 10 and Windows 11
- Microsoft Defender for Endpoint Security Baseline
- Microsoft 365 Apps for Enterprise Security Baseline
- Security Baseline for Microsoft Edge
Benefits of using Microsoft Security Baselines
- Automation: with tools such as Intune, administrators can apply the policies automatically to a large number of devices.
- Product integration: the baselines are specifically designed for compatibility with Microsoft technologies.
- Regular updates: Microsoft updates the baselines regularly to address new threats and technologies.
Critical aspects of Microsoft security baselines
Vendor lock-in
The Microsoft Security Baselines are designed exclusively for Microsoft products. This can be problematic in heterogeneous IT environments, as they are less flexible to apply to non-Microsoft platforms.
Less granular and less secure
Compared to the CIS benchmarks, the Microsoft Security Baselines are often regarded as less secure. One reason is that Microsoft aims for the greatest possible compatibility of its products, in effect a one-size-fits-all approach. This results in lower granularity and flexibility: some security-related settings are deliberately not made too restrictive so that functionality and compatibility are not impaired.
Risk of persistent settings (tattooing)
A potential problem with the Microsoft Security Baselines is how simply, and sometimes automatically, a large number of settings is activated that cannot easily be undone later, a phenomenon known as “tattooing”. Like a tattoo on the skin, these configurations persist: unlinking the GPO or removing the Intune profile does not return the affected registry values to their previous state, so the settings remain in effect even after the baseline itself is gone.
This risk exists with the CIS benchmarks as well, but it is perceived more consciously there, because every configuration is documented and typically applied deliberately. With the Microsoft Security Baselines, by contrast, it happens more easily by mistake, since settings are adopted as a package without individual review. This becomes a problem when an organization later changes its security strategy or wants to remove a baseline completely.
Microsoft is reportedly working on a solution to this issue that would allow more flexible handling of baselines in the future. At present, however, there is no comprehensive documentation of which settings are affected and how the changes actually behave.
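The practical defence against tattooing is to record the state of the affected values before a baseline is applied, so that a rollback can restore exactly that state, including deleting values that did not exist before and were created by the baseline. The following PowerShell functions are an added example for this post, not Microsoft tooling. The list of tracked values is an assumption used for illustration; for a real deployment it has to be derived from the GPO report or the documentation of the baseline you roll out.

```powershell
# Added example (not Microsoft's tooling): snapshot selected registry values
# before a baseline is applied and restore that snapshot afterwards. The
# registry paths are real Windows policy locations; which values a specific
# baseline touches is an assumption you must fill in from its documentation.
# Run elevated; test on a lab VM first, as Restore writes to the registry.

function Save-RegistryState {
    param(
        [Parameter(Mandatory)][string[]]$ValuePaths,   # format: 'HKLM:\...\Key|ValueName'
        [Parameter(Mandatory)][string]$OutFile
    )
    $state = foreach ($vp in $ValuePaths) {
        $key, $name = $vp -split '\|', 2
        $exists = $false; $value = $null; $kind = $null
        if (Test-Path $key) {
            $item = Get-Item -Path $key
            if ($item.GetValueNames() -contains $name) {
                $exists = $true
                # Read raw data, without expanding REG_EXPAND_SZ, so it round-trips unchanged.
                $value  = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $kind   = $item.GetValueKind($name).ToString()
            }
        }
        # Recording Exists = $false is the important part: a value the baseline
        # creates must be deleted on rollback, not set to some guessed default.
        [pscustomobject]@{ Key = $key; Name = $name; Exists = $exists; Value = $value; Kind = $kind }
    }
    $state | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8
    return $state
}

function Restore-RegistryState {
    param([Parameter(Mandatory)][string]$InFile)
    $state = Get-Content -Path $InFile -Raw | ConvertFrom-Json
    foreach ($s in $state) {
        if (-not (Test-Path $s.Key)) {
            # Key is gone: recreate it only if we have a value to put back.
            if ($s.Exists) { New-Item -Path $s.Key -Force | Out-Null } else { continue }
        }
        $present = (Get-Item -Path $s.Key).GetValueNames() -contains $s.Name
        if ($s.Exists) {
            # Value existed before the baseline: write the old data and type back.
            # JSON turns byte[] and string[] into generic arrays, so cast them back.
            $value = $s.Value
            if ($s.Kind -eq 'Binary')      { $value = [byte[]]$value }
            elseif ($s.Kind -eq 'MultiString') { $value = [string[]]$value }
            Set-ItemProperty -Path $s.Key -Name $s.Name -Value $value -Type $s.Kind
        } elseif ($present) {
            # Value did not exist before: the baseline tattooed it, so remove it.
            Remove-ItemProperty -Path $s.Key -Name $s.Name
        }
    }
}

# Values typical of a Windows baseline (assumed list for illustration only).
$tracked = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|LmCompatibilityLevel',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|EnableLUA',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|DisableDomainCreds'
)

# 1. Before the baseline is applied: take the snapshot.
Save-RegistryState -ValuePaths $tracked -OutFile "$env:ProgramData\pre-baseline.json" | Format-Table -AutoSize
# 2. Apply the baseline (Intune, Configuration Manager or Group Policy) and test.
# 3. If the baseline is withdrawn and its settings persist: roll back.
# Restore-RegistryState -InFile "$env:ProgramData\pre-baseline.json"
```

The snapshot has to be taken before the first deployment; once a baseline has been applied, the previous state can no longer be recovered from the machine itself. Security Options such as the Lsa values above are a typical case: they live outside the Policies hives, so the Group Policy engine does not clean them up when the GPO is unlinked.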
3. Comparison: CIS Benchmarks vs. Microsoft Security Baselines
The CIS Benchmarks and the Microsoft Security Baselines take different approaches to defining security standards. Both frameworks are designed to help organizations secure their IT systems, but they differ in focus and application.
4. Use cases and recommendations
The choice between CIS Benchmarks and Microsoft Security Baselines depends on a company's specific requirements, existing IT infrastructure and available resources. However, there are clear scenarios where one of the two frameworks is preferred or a combination makes sense.
When CIS benchmarks should be preferred
Heterogeneous IT environments
Companies that use multiple operating systems and platforms (e.g. Windows, Linux, macOS, cloud services such as AWS or Google Cloud) benefit from the cross-platform nature of the CIS benchmarks. A consistent hardening approach can be applied across the whole estate without depending on a single vendor.
Regulatory requirements
Industries with strict regulatory requirements, such as banks, healthcare or public administration, benefit from the CIS benchmarks. They provide comprehensive security guidelines that are mapped to standards such as PCI DSS, HIPAA, ISO 27001 or the NIST CSF.
Specialized security resources
Organizations that have dedicated IT and cybersecurity resources can make the most of the granularity and adaptability of CIS benchmarks. With experienced teams, the benchmarks can be adapted to the specific needs of the company.
Expanded security requirements
Companies that need a detailed security strategy find the necessary depth and precision in the CIS benchmarks. They provide configuration guidelines that go far beyond standard security requirements.
When Microsoft security baselines are the better choice
Microsoft-centric IT environments
Organizations that rely primarily on Microsoft products such as Windows 10/11, Office 365 or Azure benefit from the specific orientation of the Microsoft security baselines. These are fully integrated into the Microsoft ecosystem and provide seamless support.
Limited IT resources
For companies with smaller IT teams or less technical expertise, the ready-made guidelines of the Microsoft Security Baselines are an ideal choice. They are easier to implement and require fewer adjustments.
Quick implementation
When a quick security solution is needed, the Microsoft Security Baselines provide an efficient way to implement basic security policies in the shortest possible time.
Combined use: Does it make sense?
The combination of CIS benchmarks and Microsoft security baselines is not the rule, but rather the exception. In certain scenarios, however, it may be useful to use both frameworks in parallel to cover specific requirements.
Use in hybrid environments
The CIS benchmarks provide detailed security guidelines for various platforms and environments. In companies that use both Microsoft technologies and other systems, they can serve as an overarching security policy and provide additional protections that go beyond standard Microsoft settings.
Quick fix and staged hardening
Microsoft security baselines enable rapid deployment and automation, while the CIS benchmarks support long-term optimization and adjustment of the security strategy to meet growing requirements.
5. Conclusion
The CIS Benchmarks are the preferred choice for companies that pursue a detailed and vendor-independent security strategy and want to meet high security requirements. They provide a comprehensive basis for system hardening and support compliance with regulatory requirements and industry-specific standards. They represent the gold standard, particularly in complex and highly regulated environments.
The Microsoft Security Baselines provide a quick, simpler solution for organizations that rely on Microsoft products. They are well suited to companies with limited IT resources, but offer less flexibility and a lower level of hardening than the CIS benchmarks.
Our conclusion: The CIS Benchmarks provide a deeper, more comprehensive security solution that is the better choice for companies with complex requirements and long-term security strategies.