In the “Best Practices” menu item, you get an overview of how your internal targets line up with CIS Benchmarks. Here, you can see your CIS Benchmark compliance rate, take a look at detailed descriptions, check out the impact of each Benchmark Control, and download them.
The CIS Benchmarks are best practices for IT systems security configuration, developed by the Center for Internet Security (CIS). Best Practices aim to proactively harden and protect your IT infrastructure.
Unlike vulnerabilities, which can be actively exploited and have a direct impact on your rating, low compliance with the CIS Benchmarks doesn't affect your rating.
By implementing CIS Benchmarks, you lower the risk of security incidents and make sure you meet security standards and legal requirements, especially during compliance checks.
Best Practices checks are carried out by the Agent. Compliance checks against CIS Benchmark Controls are supported on the following client operating systems:
Windows 7
Windows 8.1
Windows 10
Windows 11
For Windows Server systems, the following versions are supported:
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
You have the option to filter the Best Practices by the following criteria:
Target type (Client & Server devices) and specific target(s)
Compliance (less than or equal to 10%, more than 10 & less than 100%, 100%)
Benchmark (e.g. CIS Microsoft Windows 11 Enterprise Benchmark)
Relevance (Relevant, Partially relevant, Ignored)
The table shows the following info in the header:
the compliance, meaning the percentage of targets that are compliant
the control title and the benchmark name
the control ID & relevance
Details
When you expand a control, you'll see a detailed description and the reason why it's needed. It also describes the possible impact on the targets or users and the solution. Where available, further links are provided.
On the right side, you'll find a breakdown of the targets. You can also see which benchmark was checked, the Control ID, version, and the level. Level 1 (L1) means: Basic security that all organizations can implement with minimal risk and effort.
Further down, you'll see the targets that are non-compliant. It's possible to ignore the control for individual targets – then the target will show up as “manually compliant” and can be hidden using the "Hide compliant targets" switch.
Using the three-dot menu in the table header, you can export the best practices data – either filtered or all – as a CSV file.
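The following is an added illustration, not code from the product, of how the figures shown in this view fit together: the per-control compliance percentage, the three ranges of the Compliance filter, the way an ignored target is counted as "manually compliant", and a CSV export. The control IDs, titles, target names and CSV columns are constructed placeholders.

```python
import csv
import io
from dataclasses import dataclass, field

@dataclass
class ControlResult:
    control_id: str      # placeholder IDs in the sample below, not real CIS numbering
    title: str
    benchmark: str
    results: dict        # target name -> True (compliant) / False (non-compliant)
    ignored: set = field(default_factory=set)  # targets where the control is ignored

def target_status(ctrl: ControlResult, target: str) -> str:
    # An ignored target is shown as "manually compliant" even if the Agent failed it.
    if ctrl.results[target]:
        return "compliant"
    return "manually compliant" if target in ctrl.ignored else "non-compliant"

def compliance_rate(ctrl: ControlResult) -> float:
    # Percentage of targets that are compliant, manually compliant ones included.
    if not ctrl.results:
        return 0.0
    ok = sum(1 for t in ctrl.results if target_status(ctrl, t) != "non-compliant")
    return round(100.0 * ok / len(ctrl.results), 1)

def compliance_bucket(rate: float) -> str:
    # The three ranges offered by the Compliance filter.
    if rate <= 10.0:
        return "<= 10%"
    if rate < 100.0:
        return "> 10% & < 100%"
    return "100%"

def export_csv(controls) -> str:
    # CSV export like the three-dot menu offers; the column set is an assumption.
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["control_id", "benchmark", "title", "compliance", "bucket"])
    for c in controls:
        rate = compliance_rate(c)
        w.writerow([c.control_id, c.benchmark, c.title, rate, compliance_bucket(rate)])
    return buf.getvalue()

# Constructed sample: three placeholder controls checked on the same four targets.
BENCH = "CIS Microsoft Windows 11 Enterprise Benchmark"
SAMPLE = [
    ControlResult("CTRL-A", "Placeholder A", BENCH, {"ws01": True, "ws02": False, "ws03": False, "srv01": True}, {"ws02"}),
    ControlResult("CTRL-B", "Placeholder B", BENCH, {"ws01": False, "ws02": False, "ws03": False, "srv01": False}),
    ControlResult("CTRL-C", "Placeholder C", BENCH, {"ws01": True, "ws02": True, "ws03": True, "srv01": True}),
]
```

Calling `export_csv(SAMPLE)` yields one row per control with its percentage and filter range; CTRL-A comes out at 75.0% because the ignored target ws02 counts as manually compliant.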