February 27, 2026 · Senior (5+ years) · How-To

CIS Benchmark Hardening for Windows

Apply CIS Microsoft Windows 10/11 Enterprise Benchmark. Secure your Windows devices with proven security settings.


CIS Benchmarks are industry-recognized security baselines. Here’s how to apply them to Windows 10/11.

What is CIS?

Center for Internet Security (CIS) Benchmarks are:

  • Vendor-agnostic
  • Community-developed
  • Prioritized controls
  • Free to use

Getting the Benchmarks

  1. Download from: https://www.cisecurity.org/cis-benchmarks/
  2. Look for “CIS Microsoft Windows 10 Enterprise Benchmark”
  3. Get the Excel or PDF version

Key Controls to Implement

Control 1: Account Policies

# Password Policy (via GPO or local)
# Computer Configuration → Windows Settings → Security Settings → Account Policies

# Recommended:
# - Minimum password length: 14
# - Password complexity: Enabled
# - Maximum password age: 60
# - Lockout threshold: 5
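
The settings above live in the local security database, and the quickest way to check a machine against them without opening the GPO editor is to export that database with secedit.exe and read the [System Access] section. The script below is an added example, not part of the original post: it assumes an elevated PowerShell session on Windows 10/11, and the INF key names (MinimumPasswordLength, PasswordComplexity, MaximumPasswordAge, LockoutBadCount) are the standard ones secedit writes.

```powershell
# Added example (not from the original post): audit the local account policy
# against the values recommended above by exporting it with secedit.exe.
# Assumes an elevated session; the INF key names are the standard secedit ones.

$Expected = @{
    MinimumPasswordLength = 14   # at least 14 characters
    PasswordComplexity    = 1    # 1 = complexity enabled
    MaximumPasswordAge    = 60   # at most 60 days; -1 / 0 means "never expires"
    LockoutBadCount       = 5    # at most 5 attempts; 0 means lockout is off
}

function Get-LocalSecurityPolicy {
    # Export the local security database to a temporary INF and parse [System Access]
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-AccountPolicy {
    param([hashtable]$Policy)
    $results = foreach ($key in $Expected.Keys) {
        $actual = $Policy[$key]
        # "Compliant" follows the direction of each control: minimum length is a floor,
        # age and lockout threshold are ceilings that must also not be "off" (0 / -1).
        $ok = switch ($key) {
            'MinimumPasswordLength' { $actual -ge $Expected[$key] }
            'PasswordComplexity'    { $actual -eq 1 }
            'MaximumPasswordAge'    { ($actual -ge 1) -and ($actual -le $Expected[$key]) }
            'LockoutBadCount'       { ($actual -ge 1) -and ($actual -le $Expected[$key]) }
        }
        [pscustomobject]@{ Setting = $key; Expected = $Expected[$key]; Actual = $actual; Compliant = [bool]$ok }
    }
    return $results
}

Test-AccountPolicy -Policy (Get-LocalSecurityPolicy) | Format-Table -AutoSize
```

This is a read-only check. To apply the values, use the GPO path shown above (or `secedit /configure` with an edited INF); on a domain-joined machine the domain password policy governs domain accounts, so the local export only tells you about local accounts.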

Control 2: Local Policies

# Audit Policy
# - Logon events: Success, Failure
# - Object access: Failure
# - Policy change: Success

# User Rights Assignment:
# - Deny log on through Remote Desktop Services: Guests
# - Allow log on locally: Users, Administrators
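
The audit settings above can be applied and verified with auditpol.exe, which is what the CIS checks ultimately read. The script below is an added example, not part of the original post: it uses the category names as the post lists them (CIS itself specifies per-subcategory settings, and `auditpol /set /subcategory:` takes the same enable/disable arguments if you want that granularity). It assumes an elevated session and the English category names.

```powershell
# Added example (not from the original post): set the three audit categories listed
# above with auditpol.exe and read them back from its CSV (/r) output.
# Assumes an elevated session; category names are the built-in English ones.

$AuditTargets = @(
    @{ Category = 'Logon/Logoff';  Success = $true;  Failure = $true  }
    @{ Category = 'Object Access'; Success = $false; Failure = $true  }
    @{ Category = 'Policy Change'; Success = $true;  Failure = $false }
)

function Set-AuditCategory {
    param([string]$Category, [bool]$Success, [bool]$Failure)
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set /category:"$Category" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$Category'" }
}

function Test-AuditCategory {
    param([string]$Category, [bool]$Success, [bool]$Failure)
    # /r returns CSV with an "Inclusion Setting" column: "Success and Failure", "Success",
    # "Failure" or "No Auditing". Blank lines are dropped before parsing.
    $rows = & auditpol.exe /get /category:"$Category" /r |
            Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $setting = $row.'Inclusion Setting'
        $hasS = $setting -match 'Success'
        $hasF = $setting -match 'Failure'
        [pscustomobject]@{
            Category    = $Category
            Subcategory = $row.Subcategory
            Setting     = $setting
            # "at least" semantics: extra auditing beyond the target is not a finding
            Compliant   = ((-not $Success) -or $hasS) -and ((-not $Failure) -or $hasF)
        }
    }
}

$report = foreach ($t in $AuditTargets) {
    Set-AuditCategory @t
    Test-AuditCategory @t
}
$report | Format-Table -AutoSize
```

Enabling failure auditing for the whole Object Access category includes the Filtering Platform subcategories, which are noisy on busy hosts; if your SIEM budget is tight, switch those calls to `/subcategory:` and pick the ones you actually collect. The user-rights assignments listed above are not managed by auditpol; set them through the GPO path shown or with `secedit`.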

Control 3: Windows Firewall

# Enable Windows Firewall
# Domain/Private/Public: Enabled

# Default inbound: Block
# Default outbound: Allow
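
The firewall settings above map directly onto `Set-NetFirewallProfile`, and `Get-NetFirewallProfile` lets you confirm them afterwards. The script below is an added example, not part of the original post; it assumes an elevated session on Windows 10/11 with the built-in NetSecurity module, and the blocked-packet logging and log size are my additions (the post does not specify them).

```powershell
# Added example (not from the original post): enforce and verify the firewall profile
# state described above. Assumes an elevated session with the NetSecurity module.
# Logging of dropped packets and the 16 MB log size are assumptions, not from the post.

function Set-CisFirewallProfile {
    # Enable every profile, block inbound by default, allow outbound, log what gets dropped
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -LogBlocked True `
        -LogMaxSizeKilobytes 16384
}

function Test-CisFirewallProfile {
    foreach ($p in Get-NetFirewallProfile) {
        $problems = @()
        if ($p.Enabled -ne 'True')                { $problems += 'profile disabled' }
        if ($p.DefaultInboundAction -ne 'Block')  { $problems += "inbound=$($p.DefaultInboundAction)" }
        if ($p.DefaultOutboundAction -ne 'Allow') { $problems += "outbound=$($p.DefaultOutboundAction)" }
        if ($p.LogBlocked -ne 'True')             { $problems += 'blocked-packet logging off' }
        [pscustomobject]@{
            Profile   = $p.Name
            Compliant = ($problems.Count -eq 0)
            Issues    = ($problems -join '; ')
        }
    }
}

Set-CisFirewallProfile
Test-CisFirewallProfile | Format-Table -AutoSize
```

If a profile reports `NotConfigured` for an action, a Group Policy object is managing it; the local cmdlet will not win that argument, so fix it in the GPO instead.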

Control 4: Windows Defender

# Enable Defender settings:
# - Real-time protection: Enabled
# - Behavior monitoring: Enabled
# - Script scanning: Enabled
# - Cloud-delivered protection: Enabled
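
The four Defender settings above are exposed through `Set-MpPreference`, and the effective state is reported by `Get-MpComputerStatus` / `Get-MpPreference`. The script below is an added example, not part of the original post. It assumes an elevated session with the built-in Defender module; the sample-submission setting is my addition, and the tamper-protection check is there because Tamper Protection silently rejects local changes to these preferences.

```powershell
# Added example (not from the original post): enable the Defender settings listed above
# and verify them from Get-MpComputerStatus / Get-MpPreference. Assumes an elevated
# session; SubmitSamplesConsent is an assumption beyond the post's four settings.

function Set-CisDefenderPreference {
    $status = Get-MpComputerStatus
    if ($status.IsTamperProtected) {
        # With Tamper Protection on, these preferences must be set via Intune / MDE / the Security app
        Write-Warning 'Tamper Protection is on; local Set-MpPreference changes may be ignored.'
    }
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -DisableBehaviorMonitoring $false `
                     -DisableScriptScanning $false `
                     -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples
}

function Test-CisDefenderPreference {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    # Read the effective engine state where it is reported, otherwise the preference flag
    $checks = [ordered]@{
        'Real-time protection'       = $status.RealTimeProtectionEnabled
        'Behavior monitoring'        = $status.BehaviorMonitorEnabled
        'Script scanning'            = (-not $pref.DisableScriptScanning)
        'Cloud-delivered protection' = ($pref.MAPSReporting -ne 0)   # 0 = Disabled, 1 = Basic, 2 = Advanced
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Setting = $name; Enabled = [bool]$checks[$name] }
    }
}

Set-CisDefenderPreference
Test-CisDefenderPreference | Format-Table -AutoSize
```

A setting that stays off after this script usually means it is locked by Group Policy or MDM; check `Get-MpPreference` against the policy rather than re-running the cmdlet.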

Control 5: Network Security

# Disable SMBv1 and require SMB signing
# Note: -RequireSecuritySignature must be $true. Passing 0 here turns signing OFF, the opposite of the CIS setting.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force

# Disable NetBIOS over TCP/IP
# In network adapter settings
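
Clicking through adapter settings does not scale, so the script below does the Control 5 work from PowerShell: it disables SMBv1 both in the SMB server configuration and as a Windows optional feature, requires SMB signing on server and client, and turns off NetBIOS over TCP/IP on every IP-enabled adapter via the WMI `SetTcpipNetbios` method (option 2 = disabled). This is an added example, not part of the original post; it assumes an elevated session on Windows 10/11.

```powershell
# Added example (not from the original post): SMBv1 off, SMB signing required, NetBIOS over
# TCP/IP disabled on all adapters, plus a read-back check. Assumes an elevated session.

function Disable-Smb1AndRequireSigning {
    # The signing flag must be $true; 0 would disable the signing requirement
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # Also remove the SMB1 optional feature, so the server setting alone cannot bring it back
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Disable-NetbiosOverTcpip {
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = applied, 1 = applied but reboot required
        [pscustomobject]@{ Adapter = $a.Description; ReturnValue = $r.ReturnValue }
    }
}

function Test-NetworkHardening {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $nbOn = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            Where-Object { $_.TcpipNetbiosOptions -ne 2 }
    $featureState = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    [pscustomobject]@{
        Smb1ServerDisabled    = -not $srv.EnableSMB1Protocol
        Smb1FeatureRemoved    = ($featureState -in 'Disabled', 'DisabledWithPayloadRemoved')
        ServerSigningRequired = [bool]$srv.RequireSecuritySignature
        ClientSigningRequired = [bool]$cli.RequireSecuritySignature
        NetbiosStillOn        = @($nbOn | ForEach-Object { $_.Description })
    }
}

Disable-Smb1AndRequireSigning
Disable-NetbiosOverTcpip | Format-Table -AutoSize
Test-NetworkHardening | Format-List
```

Plan a reboot after this: the SMB1 feature removal and some signing changes only take effect after one, and the check will keep reporting the old state until then. The NetBIOS change applies to adapters that exist now; for new adapters, set it through DHCP or the NetBT `NetbiosOptions` registry value under a GPO preference.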

Using CIS-CAT Pro

CIS provides a free scanner:

# Download CIS-CAT Pro
# Run assessment:
# .\CIS-CAT-Pro-Assessor-CLI.bat -assess -profile "CIS Windows 10 Enterprise Benchmark"

Intune Integration

# Import cis-cbl (CIS Configuration Baseline)
# Or use security baselines in Intune:
# Endpoint security → Security baselines → CIS Microsoft Windows

Quick Hardening Script

<#
.SYNOPSIS
    Quick CIS-style hardening
.NOTES
    Run from an elevated PowerShell session. The SMB changes take full effect after a reboot.
#>

# Disable SMBv1 and require SMB signing on the server side.
# -RequireSecuritySignature must be $true: passing 0 would turn signing OFF, the opposite of the CIS setting.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force

# Enable Windows Firewall on all three profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Disable AutoPlay/AutoRun on all drive types (255 = all). The policy key may not exist yet,
# and Set-ItemProperty fails on a missing key, so create it first.
$explorerPolicy = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name "NoDriveTypeAutoRun" -Value 255 -Type DWord

# Disable remote registry (stop it as well so the change applies without a reboot)
Stop-Service -Name "RemoteRegistry" -Force -ErrorAction SilentlyContinue
Set-Service -Name "RemoteRegistry" -StartupType Disabled

# Disable Windows Script Host (if not needed)
# Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name "Enabled" -Value 0 -Type DWord

Write-Host "Basic hardening complete"

Wrap-Up

CIS benchmarks give you a proven security baseline. Start with the basics and work through the controls methodically.

Questions? Drop them below!
