PRACTITIONER GUIDE
Practitioner Guide13 min read

Windows Server 2022 CIS Benchmark Hardening: Applying Controls to Production Systems

300+
controls in the CIS Windows Server 2022 Benchmark; applying all at once to production without testing will break something
SMBv1 off
single highest-impact, lowest-risk CIS control: eliminates the EternalBlue exploit path used by WannaCry and NotPetya ransomware
Event 4688
Windows process creation event ID; command-line logging must be enabled separately for it to show what PowerShell actually ran
25 free
maximum CIS-CAT Lite assessments per year at no cost, covering full Windows Server 2022 benchmark compliance scoring

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The CIS Windows Server 2022 Benchmark is a 300-page document of configuration controls. Applied wholesale to a production server, some controls will break something — an application that depends on NTLM authentication, a monitoring agent that runs as SYSTEM, or a backup product that requires specific permissions that the benchmark restricts. The organizations that successfully apply CIS hardening do it in stages, with testing, and with a clear understanding of which controls deliver the highest security value relative to the disruption risk.

This guide covers the implementation workflow that makes CIS hardening practical for production Windows Server environments: the high-value controls that are safe to apply broadly, the controls that require environment-specific testing, and the tooling that measures your compliance state continuously rather than at a point in time.

Immediate high-value controls: apply these first

Not all 300-plus CIS controls carry equal risk or equal reward. A small set of network protocol and audit policy controls addresses the attack vectors that appear most frequently in real Windows Server compromises: SMBv1 exploitation, LLMNR and NetBIOS credential capture, and incomplete event logging that leaves SIEM systems blind. These controls are safe to apply to standard production server workloads because they disable legacy protocols with no modern legitimate use and enable logging features that carry no functional impact. The two items below are the starting point for every Windows Server hardening engagement.

Disable SMBv1, LLMNR, and NetBIOS: three lines, major impact

SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force. Eliminates the EternalBlue exploit path used by WannaCry, NotPetya, and ongoing ransomware campaigns. Safe to apply universally — no modern application requires SMBv1. LLMNR: via Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > Turn Off Multicast Name Resolution = Enabled. Prevents Responder-based LLMNR poisoning attacks where an attacker responds to broadcast name resolution requests with their IP to capture NetNTLM hashes. NetBIOS over TCP/IP: via DHCP option 001 = 0x2 (disable NetBIOS) or via NIC properties > WINS > Disable NetBIOS over TCP/IP. These three together eliminate the most common Windows credential capture vectors used in internal network attacks.

Enable Windows Advanced Audit Policy and process creation logging

Default Windows audit policy settings are insufficient for security monitoring. Apply via GPO (Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration): enable Account Logon > Credential Validation (Success, Failure), Account Management > All (Success, Failure), Logon/Logoff > Logon and Logoff (Success, Failure), Detailed Tracking > Process Creation (Success), and Privilege Use > Sensitive Privilege Use (Success, Failure). Additionally enable command-line logging: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events = Enabled. Without command-line logging, Event ID 4688 shows that powershell.exe ran but not what it ran — with it, you see the full command that enables detection of encoded commands and malicious scripts.

Test-first controls: apply after validation in non-production

A second tier of CIS controls delivers meaningful hardening but requires environment-specific testing before production rollout because their impact depends on which applications and protocols your workloads rely on. NTLM restriction is the most common control that breaks something: older IIS applications, some backup agents, and certain database connection strings still authenticate via NTLM, and restricting it without an audit phase will cause application failures. Windows Firewall in blocking mode carries similar risk. The workflow for both controls is the same: enable audit logging first, observe for 30 days, remediate any dependent applications found, then enforce the restriction.

NTLM audit before restriction

Before restricting NTLM (CIS requires network security: restrict NTLM: NTLM authentication in this domain = Deny all), first audit all NTLM usage in your environment. Enable NTLM audit: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network Security: Restrict NTLM: Audit NTLM authentication in this domain = Enable All. After 30 days: review Event IDs 8001/8002/8003/8004 in the Applications and Services Logs > Microsoft > Windows > NTLM > Operational log. Any application appearing in these logs will fail when NTLM is restricted — remediate those applications to use Kerberos before enabling the restriction.

Windows Firewall in blocking mode with application exceptions

Enabling Windows Defender Firewall in blocking mode for all profiles (CIS recommends this) will block all inbound connections unless explicitly allowed by a rule. Before enabling: run netstat -an on each server to see all listening ports, then build firewall rules allowing only the ports that are legitimately needed for that server's role (RDP on 3389 from jump server IPs only, WinRM on 5985 from management network only, application-specific ports from application network segments). Apply the block-mode policy first in audit mode (Windows Firewall audit mode logs what would be blocked), verify no unexpected blocked connections appear, then switch to enforcing mode.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The bottom line

CIS Windows Server 2022 hardening delivers the most security value when applied systematically rather than comprehensively in one change. Start with the five highest-impact, lowest-disruption controls: disable SMBv1, disable LLMNR and NetBIOS, enable LAPS, configure advanced audit policy with command-line logging, and enable Microsoft Defender. These five changes address the most commonly exploited Windows Server attack vectors and can be applied to most production servers with minimal testing. Then move to higher-risk controls (NTLM restrictions, firewall blocking mode) with explicit testing cycles and rollback plans. Run CIS-CAT after each phase to measure compliance score improvement and identify remaining gaps. The goal is not a 100% compliance score in one week — it is a sustainably increasing score with no production incidents caused by the hardening process.

Frequently asked questions

What is the difference between CIS Benchmark Level 1 and Level 2 for Windows Server 2022?

CIS Benchmark Level 1 defines settings that are 'prudent security' — reasonable protections for most environments that should not cause significant functionality impact. Examples: disabling SMBv1, configuring password complexity, enabling Windows Defender, and setting audit policies. Level 2 is 'defense-in-depth' — more restrictive settings intended for high-security environments (government, finance, healthcare) that may impact functionality in standard deployments. Examples: disabling NTLM authentication entirely (can break applications that have not been updated to Kerberos), setting very short session idle timeouts, and restricting Remote Desktop access. Start with Level 1 for all production servers. Apply Level 2 only to servers in your highest-sensitivity tiers after testing in a non-production environment.

What are the highest-impact CIS Windows Server 2022 controls to apply first?

High-impact controls in order of security value and implementation safety: (1) Disable SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false — eliminates EternalBlue/WannaCry attack vector, safe to apply universally. (2) Enable LAPS: randomizes local admin passwords per machine, eliminates pass-the-hash lateral movement via shared local admin passwords. (3) Windows Defender settings: ensure real-time protection, cloud-delivered protection, and automatic sample submission are enabled — CIS Section 18. (4) Audit policy: configure advanced audit policy to capture account logon events (success and failure), process creation (with command line), privilege use, and object access — CIS Section 17. (5) Network hardening: disable LLMNR and NetBIOS over TCP/IP to prevent poisoning attacks — done via Group Policy and registry settings. These five areas address the most exploited Windows Server attack vectors.

How do I apply CIS Windows Server 2022 benchmark controls via Group Policy?

Microsoft's Security Compliance Toolkit (downloadable from Microsoft Download Center) includes pre-built Group Policy Objects (GPOs) based on Microsoft's Security Baseline, which aligns closely with CIS Level 1. Download the toolkit, import the included ADMX templates to your Group Policy central store, and import the included GPO backups using Group Policy Management Console (GPMC) > right-click the domain > Import Settings. Apply the imported GPO to an OU containing your test servers first. Verify using GPRESULT /R on a target server that the GPO is applied and settings are taking effect. Test for 7-14 days on representative non-production servers before deploying to production. For CIS-specific controls not in the Microsoft baseline: apply them as additional settings in a supplemental GPO rather than modifying the Microsoft baseline GPO, to make troubleshooting easier.

How do I verify that CIS hardening controls have been applied correctly?

CIS-CAT (CIS Configuration Assessment Tool) is the official assessment tool that tests a system against CIS benchmarks and produces a scored compliance report. CIS-CAT Lite is free for up to 25 assessments per year and covers the full CIS Windows Server 2022 benchmark. Run it on a target server: download CIS-CAT Lite, run the assessor against Windows_Server_2022_Benchmark.xml, and review the HTML report showing pass/fail for each control with the current and expected configuration values. For ongoing compliance monitoring: configure CIS-CAT to run on a schedule and alert on compliance score drops, or use Microsoft Defender for Cloud (if using Azure) which maps to CIS benchmark controls in its regulatory compliance dashboard. PowerShell DSC (Desired State Configuration) can enforce specific settings and report drift.

Which CIS controls are most likely to break production functionality and require testing?

Controls with the highest risk of breaking production functionality: (1) NTLM restriction settings: CIS recommends restricting or disabling NTLM in various contexts — applications that use NTLM for authentication (older IIS apps, some backup software, legacy database connections) will fail. Test by enabling NTLM audit logging before restricting: Event ID 4776 (NTLM authentication attempt) appears in Security log — identify all NTLM authentications in your environment before restricting. (2) NTLMv1 disable: safer than full NTLM restriction, but still breaks some legacy applications. (3) LAN Manager hash storage disable: safe for Windows Vista and later clients, but breaks some very old systems. (4) Remote Desktop encryption level: setting to High may break RDP from older clients. (5) Windows Firewall in block mode for all inbound connections: must be tested with your applications' network communication patterns before deployment.

How do I apply CIS hardening to Windows Server 2022 that is already in production?

Hardening an existing production server requires staged rollout to minimize risk. Workflow: (1) Run CIS-CAT against the production server in read-only assessment mode to baseline current compliance score and identify all failing controls. (2) Group failing controls into: immediate (SMBv1, LAPS, basic audit policy — low disruption risk), test-first (NTLM restrictions, firewall settings, service configurations — moderate risk), and defer (Level 2 controls, workload-specific settings). (3) Apply immediate controls via GPO in a test OU, verify for 48 hours on representative servers, then promote to production via GPO scope expansion. (4) Apply test-first controls in a maintenance window with a rollback plan (GPO can be unlinked immediately if issues appear). (5) Run CIS-CAT again after each batch to verify the score improved and no new failures appeared from unintended GPO interactions. Never apply all 300+ controls in a single change — the blast radius of unknown interactions is too high.

How is the CIS Windows Server 2022 benchmark different from the DISA STIG?

Both the CIS benchmark and DISA STIG are security configuration standards for Windows Server, but with different scope and audiences. CIS benchmark: developed for commercial organizations, two levels (1 and 2), community-developed and updated, focuses on the highest-value security controls. DISA STIG: required for US government and DoD contractors, more extensive (500+ controls in some versions), more prescriptive, includes controls specific to classified environment requirements. Compliance: CIS benchmark satisfaction is commonly requested in commercial security assessments and many compliance frameworks (SOC 2, PCI DSS). DISA STIG is required for federal systems and DoD contractors. If you need to satisfy both: the CIS benchmark Level 2 covers a majority of STIG controls, but STIG has additional controls for classified environments that CIS does not include.

Sources & references

  1. CIS Windows Server 2022 Benchmark
  2. Microsoft Security Compliance Toolkit
  3. DISA Windows Server 2022 STIG
  4. CIS-CAT Pro Assessor

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.