Hi, I have a customer who would like to apply Center for Internet Security (CIS) hardening benchmarks to his Domain Controllers and member servers. My understanding is that the best way to apply these rules is by applying GPOs in Active Directory (on the Domain Controllers OU for DCs and at the Domain or OU level for member servers) and not by applying them in Win 2016 local GPOs. Am I going in the right direction here?
Applying CIS benchmark hardening is best done using Domain GPO, segregated by domain controllers and member servers.
That is how we have implemented CIS security benchmarks.
We also use the CIS benchmarks for the end user workstations to make them more secure, and they are available for all Windows 10, Windows 8, Windows 7 and even a version of XP, though that is no longer in mainstream support.
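
An added example, not part of the thread: one way to script the split described above, with one GPO linked to the Domain Controllers OU and a separate one linked to a member-server OU. The backup folder, backup names, GPO names and the "Member Servers" OU are assumptions; the cmdlets are from the GroupPolicy and ActiveDirectory modules.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example. Assumed values (not from the thread): backup folder,
# backup names, GPO names and the member-server OU.
$BackupPath = 'C:\GPOBackups\CIS'   # assumption: folder of GPO backups holding the benchmark settings
$LinkState  = 'No'                  # create links disabled; set to 'Yes' after testing on a pilot server
$domain     = Get-ADDomain

$plan = @(
    @{ Backup = 'CIS-DC-Baseline'                        # hypothetical backup name
       Gpo    = 'CIS - Domain Controllers'               # hypothetical GPO name
       Target = $domain.DomainControllersContainer },    # built-in Domain Controllers OU
    @{ Backup = 'CIS-MemberServer-Baseline'              # hypothetical backup name
       Gpo    = 'CIS - Member Servers'                   # hypothetical GPO name
       Target = "OU=Member Servers,$($domain.DistinguishedName)" }  # hypothetical OU
)

foreach ($item in $plan) {
    # Import the backed-up settings into a dedicated domain GPO, creating it if absent.
    Import-GPO -BackupGpoName $item.Backup -Path $BackupPath `
               -TargetName $item.Gpo -CreateIfNeeded | Out-Null

    # Link the GPO to its own OU only, and only if it is not linked there already,
    # so DC settings never land on member servers and the script can be re-run.
    $existing = (Get-GPInheritance -Target $item.Target).GpoLinks |
                Where-Object DisplayName -eq $item.Gpo
    if (-not $existing) {
        New-GPLink -Name $item.Gpo -Target $item.Target -LinkEnabled $LinkState | Out-Null
    }
}

# Show what each OU will actually receive, in precedence order, including
# GPOs inherited from the domain level that may override or overlap the baseline.
foreach ($item in $plan) {
    (Get-GPInheritance -Target $item.Target).InheritedGpoLinks |
        Select-Object @{ n = 'Target'; e = { $item.Target } },
                      Order, DisplayName, Enabled, Enforced
}
```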