February 27, 2026 • Senior (5+ years) How-To
CIS Benchmark Hardening for Windows
Apply CIS Microsoft Windows 10/11 Enterprise Benchmark. Secure your Windows devices with proven security settings.
CIS Benchmarks are industry-recognized security baselines. Here’s how to apply them to Windows 10/11.
What is CIS?
Center for Internet Security (CIS) Benchmarks are:
- Vendor-agnostic
- Community-developed
- Prioritized controls
- Free to use
Getting the Benchmarks
- Download from: https://www.cisecurity.org/cis-benchmarks/
- Look for “CIS Microsoft Windows 10 Enterprise Benchmark”
- Get the Excel or PDF version
Key Controls to Implement
Control 1: Account Policies
# Password Policy (via GPO or local)
# Computer Configuration → Windows Settings → Security Settings → Account Policies
# Recommended:
# - Minimum password length: 14
# - Password complexity: Enabled
# - Maximum password age: 60
# - Lockout threshold: 5
Control 2: Local Policies
# Audit Policy
# - Logon events: Success, Failure
# - Object access: Failure
# - Policy change: Success
# User Rights Assignment:
# - Deny log on through Remote Desktop Services: Guests
# - Allow log on locally: Users, Administrators
Control 3: Windows Firewall
# Enable Windows Firewall
# Domain/Private/Public: Enabled
# Default inbound: Block
# Default outbound: Allow
Control 4: Windows Defender
# Enable Defender settings:
# - Real-time protection: Enabled
# - Behavior monitoring: Enabled
# - Script scanning: Enabled
# - Cloud-delivered protection: Enabled
Control 5: Network Security
# Disable SMBv1 and require SMB signing (both parameters are booleans)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
# Disable NetBIOS over TCP/IP
# Per adapter: IPv4 Properties → Advanced → WINS → Disable NetBIOS over TCP/IP
Using CIS-CAT Pro
CIS provides a free scanner:
# Download CIS-CAT Pro
# Run assessment:
# .\CIS-CAT-Pro-Assessor-CLI.bat -assess -profile "CIS Windows 10 Enterprise Benchmark"
Intune Integration
# Import cis-cbl (CIS Configuration Baseline)
# Or use security baselines in Intune:
# Endpoint security → Security baselines → CIS Microsoft Windows
Quick Hardening Script
<#
.SYNOPSIS
Quick CIS-style hardening (run from an elevated PowerShell session)
#>
#Requires -RunAsAdministrator

# Disable SMBv1 and require SMB signing (both parameters are booleans)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
# Enable Windows Firewall on all profiles: block inbound by default, allow outbound
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
# Disable AutoPlay/AutoRun on all drive types (255 = all); create the policy key if missing
$explorerPolicy = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name "NoDriveTypeAutoRun" -Value 255 -Type DWord
# Disable the Remote Registry service
Set-Service -Name "RemoteRegistry" -StartupType Disabled
# Disable Windows Script Host (uncomment only if nothing depends on it)
# Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name "Enabled" -Value 0 -Type DWord
Write-Host "Basic hardening complete"
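To verify the controls above rather than only apply them, here is an added read-only audit script (not part of the original post). It assumes an elevated PowerShell 5.1+ session on Windows 10/11, English-locale output from net accounts and auditpol, and Microsoft Defender as the active antivirus.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): read-only audit of this guide's settings.
# Assumes English-locale output from net accounts/auditpol and Defender active.
$results = New-Object System.Collections.Generic.List[object]
function Add-Check {
    param([string]$Control, [string]$Setting, $Expected, $Actual)
    $results.Add([pscustomobject]@{
        Control = $Control; Setting = $Setting
        Expected = $Expected; Actual = $Actual
        Pass = ($Actual -eq $Expected)
    })
}

# Control 1: account policy, parsed from 'net accounts' (digits only; 'Never' -> 0)
$acct = net accounts
function Get-AcctValue([string]$Label) {
    [int](($acct | Select-String $Label).Line -replace '\D', '')
}
Add-Check 'Account Policies' 'Minimum password length' 14 (Get-AcctValue 'Minimum password length')
Add-Check 'Account Policies' 'Maximum password age'     60 (Get-AcctValue 'Maximum password age')
Add-Check 'Account Policies' 'Lockout threshold'         5 (Get-AcctValue 'Lockout threshold')

# Control 2: logon auditing ('/r' emits CSV; drop blank lines before parsing)
$logon = auditpol /get /subcategory:'Logon' /r | Where-Object { $_ } | ConvertFrom-Csv
Add-Check 'Audit Policy' 'Logon events' 'Success and Failure' $logon.'Inclusion Setting'

# Control 3: firewall enabled on every profile, inbound blocked by default
foreach ($p in Get-NetFirewallProfile) {
    Add-Check 'Windows Firewall' "$($p.Name) enabled" 'True' "$($p.Enabled)"
    Add-Check 'Windows Firewall' "$($p.Name) default inbound" 'Block' "$($p.DefaultInboundAction)"
}

# Control 4: Defender features (Disable* must be False; MAPSReporting 0 = cloud off)
$mp = Get-MpPreference
Add-Check 'Windows Defender' 'Real-time protection' $false $mp.DisableRealtimeMonitoring
Add-Check 'Windows Defender' 'Behavior monitoring'  $false $mp.DisableBehaviorMonitoring
Add-Check 'Windows Defender' 'Script scanning'      $false $mp.DisableScriptScanning
Add-Check 'Windows Defender' 'Cloud protection on'  $true  ([int]$mp.MAPSReporting -gt 0)

# Control 5 and quick script: SMBv1, SMB signing, AutoRun, Remote Registry
$smb = Get-SmbServerConfiguration
Add-Check 'Network Security' 'SMBv1 enabled'        $false $smb.EnableSMB1Protocol
Add-Check 'Network Security' 'SMB signing required' $true  $smb.RequireSecuritySignature
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorer -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Check 'Removable Media' 'NoDriveTypeAutoRun' 255 $autorun
Add-Check 'Services' 'RemoteRegistry start type' 'Disabled' "$((Get-Service RemoteRegistry).StartType)"
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($results.Count) checks failed"
```

Run it before and after the hardening script; any row with Pass = False is a control that still needs attention, and the table can be exported with Export-Csv as evidence for an audit.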
Wrap-Up
CIS benchmarks give you a proven security baseline. Start with the basics and work through the controls methodically.
Questions? Drop them below!