Conflicts between CIS Windows hardening and Workspaces


I've been trying unsuccessfully to apply CIS hardening to Workspaces. There is limited documentation of what's known to break Workspaces in terms of GPOs, it doesn't appear to cover the issues we've had, and support doesn't appear to be familiar with CIS, although they are a well-established authority. Windows on Workspaces needs hardening; this falls on the CSC side of shared responsibility, but it's a struggle given what documentation I've been able to find thus far.

Does anyone have documentation on exceptions required for Workspaces when running Windows Server 2019?

2 Answers

I would recommend installing the inspector agent on your workspace machines and leveraging the "CIS AWS Foundations" benchmark with inspector to find vulnerabilities and hardening recommendations to meet the CIS standards.

Cloud_G
answered a year ago

Thank you for contacting Amazon Web Services.

I would like to inform you that, as per the AWS Shared Responsibility Model [1], for AWS services such as Workspaces, AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud to provide you with services that you can use securely [1]. As such, third-party auditors regularly test and verify the effectiveness of our security as part of the AWS compliance programs.

This request is firmly on the side of "Security In the Cloud", which is on the customer's side of the Shared Responsibility Model [1], and this type of hardening is a System Administration task, which is beyond the Scope of Support [2]. More information about Security in AWS Workspace can be found in our documentation [3].

At this time, we do not have a marketplace for WorkSpaces images (only applications) and as such do not have a "pre-made" CIS hardened image for WorkSpaces. However, you can create custom images [4]. What your team can do is to follow the CIS Hardening guidelines on a base Workspace, and attempt to create an image from it. I will caution your team that CIS hardening has been known to interfere with application functionality due to the OS restrictions it imposes. As a result, I cannot guarantee full Workspace functionality from a fully CIS hardened Workspace image. Once you have deployed your WorkSpace and made the necessary changes, you can create your own workspace image to deploy.

We cannot provide guidance on which settings may or may not break a Workspace; however, the user is encouraged to review and understand each setting, and attempt to configure them to get a working Workspace.

Please review and compare the AWS Workspace CIS benchmark for End User compute [5] rather than the Server 2019 benchmark, and test that. Having said this, I have found the CIS guidelines [5] that you could reference to help realise the use case specific to AWS.

Additionally, in order to make sure the WorkSpaces client access and functionality are working fine, I would suggest ensuring that the WorkSpaces endpoints and ports are accessible. Please refer to [6] for more information. And in order to make sure that WorkSpaces security hardening is in place, please refer to [7] for more information on managing WorkSpaces through group policy. This document also contains the policies which you shouldn't apply on a WorkSpace because they break the functionality, so kindly be cautious while applying GPOs to the WorkSpace.

I hope this information helps. If you have any other concern or query, please feel free to reach out to us.

References:

[1] Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/
[2] Scope of AWS Support: https://aws.amazon.com/premiumsupport/#Scope_of_AWS_Support
[3] Security in Amazon WorkSpaces: https://docs.aws.amazon.com/workspaces/latest/adminguide/security.html
[4] WorkSpace bundles and images: http://docs.aws.amazon.com/workspaces/latest/adminguide/images.html
[5] CIS Benchmarks - AWS: https://www.cisecurity.org/benchmark/amazon_web_services/
[6] IP address and port requirements for WorkSpaces: https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html
[7] Manage your Windows WorkSpaces: https://docs.aws.amazon.com/workspaces/latest/adminguide/group_policy.html

AWS
SUPPORT ENGINEER
answered a year ago
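The support answer above tells you to apply the CIS settings to a base WorkSpace yourself and work out which ones break it, but gives no method. One practical way to do that is to snapshot the local security policy before and after each batch of GPO settings, so the setting that broke client login or streaming can be bisected instead of guessed. The script below is an added example written for this thread, not code from AWS or from the original posters; it uses the built-in secedit.exe and gpupdate.exe only, and the file paths are assumptions. It does not know which CIS settings conflict with WorkSpaces (the thread does not establish that), it only tells you exactly what changed between a working and a broken state.

```powershell
# Added example (not from the thread or AWS docs): export the local security policy of a
# WorkSpace before and after a GPO batch and diff the two, so a CIS setting that breaks the
# WorkSpace can be bisected. Output paths under $env:TEMP are assumptions; change as needed.

function Export-LocalSecurityPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # secedit.exe is built into Windows. /areas SECURITYPOLICY covers account policy,
    # audit policy and the "Security Options" values that CIS benchmarks change most often.
    & secedit.exe /export /cfg $Path /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    # The export is an INF: [section] headers, ';' comments and 'Key = Value' lines.
    # Keep only the setting lines so the diff is not polluted by headers.
    Get-Content -Path $Path |
        Where-Object { $_ -match '^\s*[^;\[\s].*=' } |
        ForEach-Object { $_.Trim() }
}

function Compare-SecurityPolicy {
    param(
        [Parameter(Mandatory)][string[]]$Before,
        [Parameter(Mandatory)][string[]]$After
    )
    # Lines present only in $After are settings the GPO batch introduced or altered;
    # lines present only in $Before are settings it removed or reset.
    Compare-Object -ReferenceObject $Before -DifferenceObject $After |
        ForEach-Object {
            [pscustomobject]@{
                Change  = if ($_.SideIndicator -eq '=>') { 'Added/Changed' } else { 'Removed' }
                Setting = $_.InputObject
            }
        }
}

# 1. Baseline on a freshly registered, unhardened WorkSpace that connects correctly.
$before = Export-LocalSecurityPolicy -Path "$env:TEMP\secpol-before.inf"

# 2. Link ONE CIS section at a time to the WorkSpaces OU, then pull the policy down.
& gpupdate.exe /force | Out-Null

# 3. Re-export and record what actually changed on this machine.
$after   = Export-LocalSecurityPolicy -Path "$env:TEMP\secpol-after.inf"
$changed = Compare-SecurityPolicy -Before $before -After $after
$changed | Export-Csv -Path "$env:TEMP\secpol-changed.csv" -NoTypeInformation
Write-Host "$($changed.Count) security settings differ; see $env:TEMP\secpol-changed.csv"
```

After each batch, disconnect and reconnect with the WorkSpaces client. If the reconnect fails, the CSV from that batch lists the only candidates, and splitting that batch in half and repeating converges on the offending setting in a few rounds. Once a working set is found, capture the custom image as the answer describes [4], so the bisection is not repeated per WorkSpace.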
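The support answer also recommends confirming that the WorkSpaces endpoints and ports are reachable before attributing a failed connection to hardening. The following is an added example, not code from the thread or from AWS: it uses the built-in Test-NetConnection cmdlet to probe the TCP ports from the client side. Test-NetConnection can only test TCP, so the UDP streaming ports that PCoIP and WSP also use cannot be checked this way. The host names are placeholders to be replaced with the region-specific endpoints from the port-requirements page [6]; the port numbers here (TCP 443 for registration/authentication, TCP 4172 for PCoIP, TCP 4195 for WSP) are the ones commonly listed for those protocols and should be confirmed against [6] for your region and protocol.

```powershell
# Added example (not from the thread or AWS docs): TCP reachability check for the
# WorkSpaces client path. Host names are placeholders you replace with the endpoints
# for your region from the port-requirements page; UDP ports are NOT tested because
# Test-NetConnection cannot probe UDP.

function Test-WorkSpacesEndpoints {
    param(
        # Assumed placeholders; substitute the registration/streaming hosts for your region.
        [string[]]$Hosts = @('workspaces-registration.example.invalid',
                             'workspaces-streaming.example.invalid'),
        # 443: registration/authentication, 4172: PCoIP, 4195: WSP (confirm against [6]).
        [int[]]$TcpPorts = @(443, 4172, 4195)
    )
    foreach ($h in $Hosts) {
        foreach ($p in $TcpPorts) {
            # -WarningAction SilentlyContinue suppresses the cmdlet's own failure banner;
            # TcpTestSucceeded is the authoritative result.
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Host      = $h
                Port      = $p
                Reachable = $r.TcpTestSucceeded
                RemoteIP  = if ($r.RemoteAddress) { $r.RemoteAddress.IPAddressToString } else { $null }
            }
        }
    }
}

# Run from the client network; any 'Reachable = False' row points at a firewall or proxy
# problem that no GPO change on the WorkSpace itself will fix.
Test-WorkSpacesEndpoints | Format-Table -AutoSize
```

If every TCP probe succeeds but the session still fails after a hardening batch, the network can be ruled out and the problem is on the WorkSpace side, which is the case the policy-diff approach is meant for.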
