Hi folks,

I have been assigned a task for hardening a Windows server based on the CIS benchmark.

fyi - existing production environment running on AWS.

As per my understanding, CIS benchmarks have levels, i.e. 1 and 2, depending on your environment and how much you can restrict your environment.

Steps should be :

  • Run a CIS benchmark auditing tool or script against one or two production servers.

  • Identify gaps and what is missing.

  • Apply GPOs that follow the CIS benchmark to a test server or a clone of an existing production server. See the impact on production environment operations and share with the business?

ref: Windows Server 2016 Hardening Checklist | UT Austin Information Security Office

https://www.powershellgallery.com/packages?q=Tags%3A"cis"

If anyone has done this before, please share some pointers or links.

Thanks

Atul

10 Spice ups
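As an added illustration of the "audit first, then identify gaps" step above (this is example code written for this thread, not a CIS tool or anything from the original post), the script below spot-checks a handful of commonly cited hardening settings on the local server and reports pass/fail. The expected values are my own assumptions for illustration: confirm each against the CIS benchmark document for your exact OS version and map it to the benchmark's own recommendation ID before treating a FAIL as a gap.

```powershell
# Added example, not from the thread. Spot-checks a few CIS-style hardening
# settings on the local Windows Server. Expected values are illustrative
# assumptions; verify them against the benchmark for your OS version.

function Get-LocalSecurityPolicy {
    # secedit exports the local security policy as an INI-style file; parse it into a hashtable.
    $inf = Join-Path $env:TEMP ('secpol-' + [guid]::NewGuid() + '.inf')
    secedit /export /cfg $inf /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*([^;\[=]+?)\s*=\s*(.*)$') { $policy[$matches[1]] = $matches[2].Trim() }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Invoke-CisSpotCheck {
    $secpol = Get-LocalSecurityPolicy
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Each check: a readable name, the value found on this host, the expected value, and the pass rule.
    $checks = @(
        @{ Setting = 'Minimum password length';          Actual = $secpol['MinimumPasswordLength']; Expected = '>= 14';  Pass = { param($v) [int]$v -ge 14 } },
        @{ Setting = 'Password history size';            Actual = $secpol['PasswordHistorySize'];   Expected = '>= 24';  Pass = { param($v) [int]$v -ge 24 } },
        @{ Setting = 'Account lockout threshold';        Actual = $secpol['LockoutBadCount'];       Expected = '1..5';   Pass = { param($v) [int]$v -ge 1 -and [int]$v -le 5 } },
        @{ Setting = 'LAN Manager authentication level'; Actual = Get-RegistryValue $lsa 'LmCompatibilityLevel'; Expected = '5';     Pass = { param($v) $v -eq 5 } },
        @{ Setting = 'Do not store LM hash';             Actual = Get-RegistryValue $lsa 'NoLMHash';             Expected = '1';     Pass = { param($v) $v -eq 1 } },
        @{ Setting = 'SMBv1 server protocol enabled';    Actual = (Get-SmbServerConfiguration).EnableSMB1Protocol; Expected = 'False'; Pass = { param($v) $v -eq $false } }
    )

    foreach ($c in $checks) {
        # A missing value is reported separately so it is not mistaken for a pass or a fail.
        $status = if ($null -eq $c.Actual) { 'NOT SET' } elseif (& $c.Pass $c.Actual) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Setting = $c.Setting; Expected = $c.Expected; Actual = $c.Actual; Status = $status }
    }
}

# Run from an elevated prompt; secedit needs administrator rights.
Invoke-CisSpotCheck | Format-Table -AutoSize
```

Run it on one or two production servers as the first step suggests; the FAIL and NOT SET rows are the gap list to take into the GPO design. Extending the `$checks` table is the only change needed to cover more of the benchmark.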

Only apply a few GPOs at a time to see what they break; there are hundreds of CIS benchmark policy recommendations, and if you apply them all at once you won't be able to track down what broke something.

Make sure to read the policies thoroughly and what they do. One of the policies prevents anyone who is not a domain admin from accessing the server; if you have delegated security based on IT department, e.g. help desk, applications team, systems team, then this will prevent users from doing their work.

For the most part many of them can be applied without issues, and you should tailor them towards your environment, i.e. if you don't use BitLocker on your servers then you shouldn't set up the BitLocker GPOs.

2 Spice ups
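To make the "a few GPOs at a time" approach above concrete, here is an added example (written for this thread, not code from the poster or from CIS) that snapshots the policy state a CIS GPO batch can change before and after the batch is linked to a test OU, then diffs the two snapshots so that a breakage can be tied to the specific settings that changed. The snapshot directory layout and file names are this example's own choices.

```powershell
# Added example, not from the thread. Capture policy-related state before and
# after linking a small batch of CIS GPOs, then diff the captures.
# Paths and file names are this example's own choices.

function Export-PolicySnapshot {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    gpupdate /target:computer /force | Out-Null                                      # refresh so the capture reflects current GPO links
    secedit /export /cfg (Join-Path $Path 'secpol.inf') /quiet | Out-Null           # local security policy (password, lockout, user rights, security options)
    auditpol /get /category:* /r | Out-File (Join-Path $Path 'auditpol.csv')        # advanced audit policy as CSV
    Get-SmbServerConfiguration | ConvertTo-Json | Out-File (Join-Path $Path 'smb.json')
    Get-Service | Select-Object Name, StartType, Status | Sort-Object Name |
        Export-Csv (Join-Path $Path 'services.csv') -NoTypeInformation               # services a GPO may disable
    gpresult /scope computer /r | Out-File (Join-Path $Path 'gpresult.txt')          # which GPOs actually applied
}

function Compare-PolicySnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    foreach ($file in 'secpol.inf', 'auditpol.csv', 'smb.json', 'services.csv') {
        $ref = Get-Content (Join-Path $Before $file) -ErrorAction SilentlyContinue
        $dif = Get-Content (Join-Path $After  $file) -ErrorAction SilentlyContinue
        if (-not $ref -or -not $dif) { Write-Warning "Skipping $file: one of the captures is missing or empty"; continue }
        # Lines only in the 'after' capture are new or changed settings; lines only in 'before' were removed or overwritten.
        Compare-Object -ReferenceObject $ref -DifferenceObject $dif | ForEach-Object {
            [pscustomobject]@{
                File  = $file
                State = $(if ($_.SideIndicator -eq '=>') { 'after' } else { 'before' })
                Line  = $_.InputObject
            }
        }
    }
}

# Usage (elevated prompt, on the test server or clone):
#   Export-PolicySnapshot -Path C:\PolicySnapshots\before
#   ... link one small batch of CIS GPOs to the test OU ...
#   Export-PolicySnapshot -Path C:\PolicySnapshots\after
#   Compare-PolicySnapshot -Before C:\PolicySnapshots\before -After C:\PolicySnapshots\after | Format-Table -AutoSize
```

Keep the before/after pairs per batch; when an application or a delegated team reports a problem, the diff for the batch that introduced it is a short list of candidate settings rather than the whole benchmark, which is exactly the traceability the post above is asking for.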

Is there any CIS benchmark auditing script that I can run against servers? I didn't find anything useful. Thanks in advance.

Can you spin up one of the CIS VMs—that is, if you're referring to the Center for Internet Security.

I scanned the UT Controls list; there really don’t appear to be any settings I wouldn’t implement in a domain.

1 Spice up