Enable CIS hardened images and CIS Intune policies
This article discusses how Nerdio Manager supports Center for Internet Security (CIS) hardened images and Intune policies.
CIS Hardened Images are pre-configured virtual machine (VM) images that are hardened according to the security recommendations of the Center for Internet Security (CIS) Benchmarks, a set of internationally recognized secure configuration guidelines, to enhance security and reduce vulnerabilities.
CIS hardened images
CIS hardened images are images that come pre-hardened in accordance with the CIS benchmarks. They have increased security settings and increased cost.
Note: CIS images require an administrator with Contributor or Owner permissions on the target Azure subscription to approve the use of this Marketplace image. Please ensure you understand the additional costs associated with the use of these images.
CIS hardened images help you achieve compliance with the following standards:
DoD Cloud Computing Security Recommendation Guide (SRG)
Payment Card Industry Data Security Standard (PCI DSS)
Federal Information Security Management Act (FISMA)
Federal Risk and Authorization Management Program (FedRAMP)
National Institute of Standards and Technology (NIST)
See the CIS website for additional information.
Nerdio Manager allows you to enable the use of CIS hardened images when creating desktop images, host pools, or hosts. The CIS hardened images are not available until you agree to the Marketplace terms, as described later in this topic.
Once enabled, CIS hardened images are available, for example, when creating a desktop image.
Note:
Nerdio Manager provides the CIS Level 1 configuration profile benchmark. It is suitable for most environments and ensures baseline protection against common threats without heavily impacting the user experience or operational functionality.
CIS hardened images do not support Unified Application Management.
The following resources help you verify that your image has been hardened:
Base CIS CAT Report: This report outlines the status of unhardened images as provided by Microsoft.
CIS CAT Report: This report outlines the status of hardened images provided by CIS.
Exceptions: This report notes any items in the CIS hardened images that fall outside of CIS's recommended controls.
You can access the most recent versions of these resources on the C:\ drive of your hardened image.
Accept the CIS legal terms
When a CIS image is selected, you may be prompted to accept the legal terms.
Note: Ensure you are logged on as an administrator with Contributor or Owner permissions on the target Azure subscription.
CIS Intune policies
Nerdio Manager implements CIS Level 1 policies within your Intune environment. This enables you to achieve consistent compliance, minimize the risks associated with misconfigurations, and protect devices from common threats.
CIS Intune policies are policies created by CIS to conform with the CIS controls and benchmarks. Enabling this feature will sync the CIS Intune policies with your Nerdio Manager installation.
Note: Not all recommendations from the CIS Benchmarks are included in this tool. See the CIS benchmarks list for manual remediation instructions.
To enable CIS Intune policies
Navigate to Settings > Integrations.
Classic UI: In the Center for Internet Security tile, select Disabled.
New UI: Scroll to the Center for Internet Security section, select the down-arrow to expand the section, and select Disabled.
Select the toggle to enable CIS policies.
Select Save.
Select the refresh icon to synchronize the repository files with the CIS templates.
To create a CIS Intune policy
Navigate to Endpoints > Policy Management.
Select the Configuration Profiles tab and then select Create.
Select Base Info from the left-hand side, and enter the following information:
Policy type: From the drop-down list, select Configuration.
Policy template or backup: From the drop-down list, select the CIS template.
Note: The Policy name and Description fields are automatically populated.
Select Assignments from the left-hand side, and enter the following information:
Included Groups: Start typing the name of the group until the correct group is listed.
Optionally, select All users or All devices.
Excluded Groups: Start typing the name of the group until the correct group is listed.
Select Content: The JSON file containing the policy configuration detail is displayed.
Note: This is an original CIS policy template. It is available in preview mode only and cannot be edited.
Select Finish.
Select Create.