hardening-windows-endpoint-with-cis-benchmark
SKILL.md
Hardening Windows Endpoint with CIS Benchmark
When to Use
Use this skill when:
- Deploying new Windows 10/11 or Server 2019/2022 endpoints that require security hardening
- Establishing organization-wide security baselines using CIS Level 1 or Level 2 profiles
- Remediating findings from compliance audits (PCI DSS, HIPAA, SOC 2) that reference CIS benchmarks
- Validating existing endpoint configurations against current CIS benchmark versions
Do not use this skill for Linux endpoints (use hardening-linux-endpoint-with-cis-benchmark) or for cloud-native workloads that require CIS cloud benchmarks.
Prerequisites
- Windows 10/11 Enterprise or Windows Server 2019/2022 target endpoints
- Active Directory Group Policy Management Console (GPMC) for enterprise deployment
- CIS-CAT Pro Assessor or CIS-CAT Lite for automated benchmark assessment
- Administrative access to target endpoints or domain controller
- Current CIS Benchmark PDF for the target Windows version (download from cisecurity.org)
Workflow
Step 1: Select CIS Benchmark Profile Level
CIS provides two profile levels for Windows endpoints:
Level 1 (L1) - Corporate/Enterprise Environment:
- Practical hardening settings that can be applied to most organizations
- Minimal impact on functionality and user experience
- Covers: password policy, audit policy, user rights, security options, Windows Firewall
Level 2 (L2) - High Security/Sensitive Data:
- Includes all L1 settings plus additional restrictions
- May impact usability (disabling autorun, restricting remote desktop, enhanced audit logging)
- Appropriate for systems handling PII, PHI, PCI data, or classified information
Select profile based on data classification and risk tolerance of the endpoint.
Step 2: Import CIS GPO Baselines
CIS provides pre-built GPO templates (Build Kits) for each benchmark version:
# Download CIS Build Kit from CIS WorkBench (requires CIS SecureSuite membership)
# Extract the GPO backup to a staging directory
# Import the CIS GPO into Active Directory
Import-GPO -BackupGpoName "CIS Microsoft Windows 11 Enterprise v3.0.0 L1" `
-TargetName "CIS-Win11-L1-Baseline" `
-Path "C:\CIS-GPO-Backups\Win11-Enterprise" `
-CreateIfNeeded
# Link GPO to target OU
New-GPLink -Name "CIS-Win11-L1-Baseline" `
-Target "OU=Workstations,DC=corp,DC=example,DC=com" `
-LinkEnabled Yes
Step 3: Apply Key CIS Benchmark Categories
Account Policies (Section 1):
Password Policy:
- Minimum password length: 14 characters (1.1.4)
- Maximum password age: 365 days (1.1.3)
- Password complexity: Enabled (1.1.5)
- Store passwords using reversible encryption: Disabled (1.1.6)
Account Lockout Policy:
- Account lockout threshold: 5 invalid logon attempts (1.2.1)
- Account lockout duration: 15 minutes (1.2.2)
- Reset account lockout counter after: 15 minutes (1.2.3)
Local Policies - Audit Policy (Section 17):
Audit Policy Configuration:
- Audit Credential Validation: Success and Failure (17.1.1)
- Audit Security Group Management: Success (17.2.5)
- Audit Logon: Success and Failure (17.5.1)
- Audit Process Creation: Success (17.6.1)
- Audit Removable Storage: Success and Failure (17.6.4)
Security Options (Section 2.3):
- Interactive logon: Do not display last user name: Enabled (2.3.7.1)
- Interactive logon: Machine inactivity limit: 900 seconds (2.3.7.3)
- Network access: Do not allow anonymous enumeration of SAM accounts: Enabled (2.3.10.2)
- Network security: LAN Manager authentication level: Send NTLMv2 response only (2.3.11.7)
- UAC: Run all administrators in Admin Approval Mode: Enabled (2.3.17.6)
Windows Firewall (Section 9):
- Domain Profile: Firewall state: On (9.1.1)
- Domain Profile: Inbound connections: Block (9.1.2)
- Private Profile: Firewall state: On (9.2.1)
- Public Profile: Firewall state: On (9.3.1)
- Public Profile: Inbound connections: Block (9.3.2)
Step 4: Validate with CIS-CAT Assessment
# Run CIS-CAT Pro Assessor against target endpoint
# CIS-CAT produces an HTML/XML report with pass/fail per recommendation
.\Assessor-CLI.bat `
-b "benchmarks\CIS_Microsoft_Windows_11_Enterprise_Benchmark_v3.0.0-xccdf.xml" `
-p "Level 1 (L1) - Corporate/Enterprise Environment" `
-rd "C:\CIS-Reports" `
-nts
# Review report for failed controls
# Score target: 95%+ for L1, 90%+ for L2 (due to operational exceptions)
Step 5: Document Exceptions and Compensating Controls
For each CIS recommendation that cannot be applied:
- Document the specific recommendation ID and title
- State the business justification for the exception
- Define the compensating control that addresses the residual risk
- Set a review date (quarterly) to reassess the exception
- Obtain sign-off from the information security officer
Example exception:
Recommendation: 2.3.7.3 - Interactive logon: Machine inactivity limit: 900 seconds
Exception: Kiosk systems in manufacturing floor require 1800 seconds
Compensating Control: Physical badge-access to manufacturing area, CCTV monitoring
Review Date: 2026-06-01
Approved By: CISO
Step 6: Continuous Compliance Monitoring
Configure recurring CIS-CAT scans via scheduled tasks or SCCM:
# Create scheduled task for weekly CIS-CAT assessment
$action = New-ScheduledTaskAction -Execute "C:\CIS-CAT\Assessor-CLI.bat" `
-Argument "-b benchmarks\CIS_Win11_v3.0.0-xccdf.xml -p Level1 -rd C:\CIS-Reports -nts"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName "CIS-Benchmark-Scan" -Action $action `
-Trigger $trigger -Principal $principal
Feed results into SIEM for drift detection and dashboard reporting.
Key Concepts
| Term | Definition |
|---|---|
| CIS Benchmark | Consensus-based security configuration guide developed by CIS with input from government, industry, and academia |
| Level 1 Profile | Practical security baseline suitable for most organizations with minimal operational impact |
| Level 2 Profile | Extended security baseline for high-security environments that may reduce functionality |
| CIS-CAT | CIS Configuration Assessment Tool that automates benchmark compliance checking |
| Build Kit | Pre-configured GPO templates provided by CIS that implement benchmark recommendations |
| Scoring | CIS recommendations are either Scored (compliance-measurable) or Not Scored (best-practice guidance) |
Tools & Systems
- CIS-CAT Pro Assessor: Automated benchmark compliance scanner (requires CIS SecureSuite license)
- Microsoft Security Compliance Toolkit (SCT): Microsoft's own GPO baselines (complementary to CIS)
- Group Policy Management Console (GPMC): Enterprise GPO deployment and management
- LGPO.exe: Microsoft tool for applying GPOs to standalone (non-domain) systems
- Nessus/Tenable: Vulnerability scanner with CIS benchmark audit files
Common Pitfalls
- Applying L2 to all endpoints: Level 2 restrictions (disabling Autoplay, restricting Remote Desktop) break workflows on standard workstations. Reserve L2 for endpoints handling sensitive data.
- Not testing GPOs in pilot OU: Deploy CIS GPOs to a test OU with representative hardware/software before organization-wide rollout to avoid breaking line-of-business applications.
- Ignoring CIS benchmark version updates: CIS benchmarks update with each Windows feature release. Running an outdated benchmark misses new security settings and generates false compliance reports.
- Forgetting local admin accounts: CIS benchmarks assume domain-joined endpoints. Standalone systems require LGPO.exe or Microsoft Intune for baseline enforcement.
- No exception process: Applying 100% of CIS recommendations is rarely feasible. Without a formal exception process, teams either ignore hardening or break applications.
Weekly Installs
1
Repository
mukul975/anthro…y-skillsGitHub Stars
1.3K
First Seen
2 days ago
Security Audits
Installed on
amp1
cline1
opencode1
cursor1
kimi-cli1
codex1