Windows 2016 security hardening based on CIS benchmarks


Hi, I have a customer who would like to apply Center for Internet Security (CIS) hardening benchmarks to his Domain Controllers and member servers. My understanding is that the best way to apply these rules is by applying GPOs in Active Directory (on the Domain Controllers OU for DCs and at the domain or OU level for member servers) and not by applying them in Win 2016 local GPOs. Am I going in the right direction here?

1 Reply

@KYoussef_Consultant 

 

Hi Youssef,

 

Applying CIS benchmark hardening is best done using Domain GPO, segregated by domain controllers and member servers.


That is how we have implemented CIS security benchmarks. 

 

We also use the CIS benchmarks for the end-user workstations to make them more secure, and they are available for Windows 10, Windows 8, Windows 7 and even a version of XP, though that is no longer in mainstream support.

 

Kind Regards,

PD
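The layout described in this thread (one domain GPO for domain controllers, a separate one for member servers) can be scripted with the GroupPolicy and ActiveDirectory modules. This is an added example, not part of the original posts; the backup folder, the GPO and backup names, and the "Member Servers" OU are assumptions to replace with your own.

```powershell
# Added example. Hypothetical values: $backupDir, the Gpo/Backup names,
# and the "Member Servers" OU. Requires RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$backupDir = 'C:\GPOBackups\CIS-2016'   # folder holding exported GPO backups (assumed)

# One baseline per server role, each linked only to the OU that holds that role.
$targets = @(
    @{ Gpo    = 'CIS-WS2016-DomainControllers'
       Backup = 'CIS-DC-Baseline'
       OU     = $domain.DomainControllersContainer },
    @{ Gpo    = 'CIS-WS2016-MemberServers'
       Backup = 'CIS-MS-Baseline'
       OU     = "OU=Member Servers,$($domain.DistinguishedName)" }
)

foreach ($t in $targets) {
    # Stop before touching anything if the target OU does not exist.
    Get-ADOrganizationalUnit -Identity $t.OU -ErrorAction Stop | Out-Null

    # Load the settings from the backup into a domain GPO, creating it if needed.
    Import-GPO -BackupGpoName $t.Backup -Path $backupDir `
               -TargetName $t.Gpo -CreateIfNeeded -ErrorAction Stop | Out-Null

    # Link the GPO to its OU unless a link is already present (safe to re-run).
    $linked = (Get-GPInheritance -Target $t.OU).GpoLinks |
              Where-Object { $_.DisplayName -eq $t.Gpo }
    if (-not $linked) {
        New-GPLink -Name $t.Gpo -Target $t.OU -LinkEnabled Yes | Out-Null
    }

    # Show the effective precedence at the OU, including inherited GPOs,
    # so a conflicting GPO that wins over the baseline is visible.
    "`nEffective GPO order at $($t.OU):"
    (Get-GPInheritance -Target $t.OU).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize
}
```

In the precedence listing, the GPO with Order 1 wins on conflicting settings, so check where the baseline sits relative to the default domain and domain controller policies.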