Device Hardening with CIS Level 1 Benchmarks
This is a comprehensive guide to device hardening using the CIS Level 1 Benchmarks. It covers the compliance settings for password policy (such as minimum password length) and account lockout policy, and it helps you start your CIS compliance journey.
These are the device hardening topics we will cover:
- What is Device Hardening?
- Run a CIS Compliance Check
- How to Apply CIS Benchmarks on Windows 10 and Windows 11 Devices
- Test Your CIS Compliance after Changing the Settings
- CIS Compliance Tools that Make Your Life Easier
What is Device Hardening?
Device hardening is the process of making a device harder to compromise by reducing its attack surface. The CIS Level 1 Benchmarks list hundreds of settings that must be configured correctly for compliance, from minimum password length to account lockout policy.
Run a CIS Compliance Check
A CIS Compliance Check tells you how compliant your device is with the CIS Level 1 standard. It gives you a score from 0% to 100% compliant. It checks every setting on your device and compares it to the CIS Benchmarks.
A good tool for running a CIS Compliance Check is Secure My Desktop, which reports your CIS Level 1 Benchmark score. You can use this score to fix the hundreds of compliance issues yourself or have the software do it for you in seconds. Use Secure My Desktop’s free CIS Compliance Check.
How to Apply CIS Benchmarks on Windows 10 and Windows 11 Devices
The Center for Internet Security lists hundreds of settings in its CIS Level 1 Benchmarks that apply to Windows 10 and 11 machines. The steps below show how to apply the CIS Benchmarks.
Account Policies
Organizations have account policies. Without a solid account policy, user accounts are vulnerable; account policies protect and secure user accounts from attacks on those accounts. The CIS Level 1 Benchmarks set a standard for configuring those account policies. The two general categories of account policies are password policy and account lockout policy.
For this section you will be using a few Windows programs to set these up on your local device.
Note: the device hardening steps are for a single device and not for a device joined to a domain.
Your password policy defines what a user's password can be.
Account lockout policy sets how many failed attempts are allowed, how long until the failed-attempt counter resets, and how long an account stays locked out.
First go to the search bar on your taskbar. Type “run” into the taskbar.
Click “Run” to open the Run Windows application. Type in gpedit.msc as shown below.
The Group Policy editor is where you will change the account policies for your device.
Password Policy
Password policy sets a minimum and maximum password age, password length, etc. The Center for Internet Security outlined some essential password policy settings. These device hardening settings can be changed in the Group Policy manager shown below.
The CIS Level 1 Benchmarks mandate the following settings to be compliant:
- Enforce password history: 24 or more passwords remembered.
- Maximum password age: 365 days or fewer, but not 0.
- Minimum password age: 1 or more days.
- Minimum password length: 14 or more characters.
- Password must meet complexity requirements: Enabled.
- Relax minimum password length limits: Enabled.
- Store passwords using reversible encryption: Disabled.
Account Lockout Policy
Account lockout policy sets how many failed attempts are allowed, how long until the failed-attempt counter resets, and how long an account stays locked out. Change these device hardening settings by navigating to the adjacent Group Policy node, Account Lockout Policy.
The CIS Benchmarks mandate the following Account Lockout settings:
- Account lockout duration: 15 or more minutes.
- Account lockout threshold: 5 or fewer invalid logon attempts, but not 0.
- Reset account lockout counter after: 15 or more minutes.
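The following PowerShell script is an added example for this guide; it is not code from the article or from Secure My Desktop. It reads the local password and account lockout policy with `secedit` (the same values the Group Policy editor changes in the Password Policy and Account Lockout Policy sections above), compares each one with the CIS Level 1 values listed, and prints a simple percentage score so you can re-run it after making changes. It assumes an elevated PowerShell session on a standalone (non-domain) device, and it assumes the "Relax minimum password length limits" setting lives at the `RelaxMinimumPasswordLengthLimits` value under the SAM registry key, since that setting is not part of the `secedit` export.

```powershell
#Requires -RunAsAdministrator
# Added example: audit local password and lockout policy against the CIS Level 1
# values from this guide. Not part of the article or of any vendor product.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the local security policy as an INI-style file; the
# [System Access] section holds the password and lockout values.
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt." }

# Parse only the [System Access] section into a name -> integer map.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $policy[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# "Relax minimum password length limits" is a SAM registry value rather than a
# secedit setting (assumed path; a missing value is treated as Disabled).
$relax = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM' `
          -Name RelaxMinimumPasswordLengthLimits -ErrorAction SilentlyContinue).RelaxMinimumPasswordLengthLimits
$policy['RelaxMinimumPasswordLengthLimits'] = if ($null -eq $relax) { 0 } else { [int]$relax }

# One entry per setting: the requirement stated in the guide and the test applied to the value.
$checks = @(
    @{ Name='Enforce password history';         Key='PasswordHistorySize';   Req='>= 24 passwords';      Test={ param($v) $v -ge 24 } }
    @{ Name='Maximum password age';             Key='MaximumPasswordAge';    Req='1..365 days, not 0';   Test={ param($v) $v -ge 1 -and $v -le 365 } }
    @{ Name='Minimum password age';             Key='MinimumPasswordAge';    Req='>= 1 day';             Test={ param($v) $v -ge 1 } }
    @{ Name='Minimum password length';          Key='MinimumPasswordLength'; Req='>= 14 characters';     Test={ param($v) $v -ge 14 } }
    @{ Name='Password must meet complexity';    Key='PasswordComplexity';    Req='Enabled (1)';          Test={ param($v) $v -eq 1 } }
    @{ Name='Relax minimum password length';    Key='RelaxMinimumPasswordLengthLimits'; Req='Enabled (1)'; Test={ param($v) $v -eq 1 } }
    @{ Name='Store passwords reversibly';       Key='ClearTextPassword';     Req='Disabled (0)';         Test={ param($v) $v -eq 0 } }
    @{ Name='Account lockout duration';         Key='LockoutDuration';       Req='>= 15 minutes';        Test={ param($v) $v -ge 15 } }
    @{ Name='Account lockout threshold';        Key='LockoutBadCount';       Req='1..5 attempts, not 0'; Test={ param($v) $v -ge 1 -and $v -le 5 } }
    @{ Name='Reset lockout counter after';      Key='ResetLockoutCount';     Req='>= 15 minutes';        Test={ param($v) $v -ge 15 } }
)

$results = foreach ($c in $checks) {
    $current = $policy[$c.Key]
    # secedit omits LockoutDuration/ResetLockoutCount when the threshold is 0,
    # so a missing key means "not configured" and counts as non-compliant.
    $ok = ($null -ne $current) -and (& $c.Test $current)
    [pscustomobject]@{ Setting=$c.Name; Current=$current; Required=$c.Req; Compliant=$ok }
}

$results | Format-Table -AutoSize
$score = [math]::Round(100 * @($results | Where-Object Compliant).Count / $results.Count)
"Compliance score for these $($results.Count) settings: $score%"
```

Run the script once before and once after changing the Group Policy settings; every row should flip to `Compliant: True` and the score should reach 100% for this subset. The score covers only the ten account policy settings in this guide, not the full CIS Level 1 benchmark, so it is a quick self-check rather than a replacement for a full compliance scan.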
Testing Your CIS Compliance after Making Settings Changes
After you have made the recommended changes, run another CIS Compliance Check. You should see the changes reflected in the CIS Compliance tool. For example, the image below could be your CIS compliance check before changing the settings above. To get CIS Benchmark compliant in seconds, look at the two software options below.
CIS Compliance Tools that Make Your Life Easier
Compliance tools make it far easier to reach CIS Level 1 compliance. Some cost a lot more than others. Some are simple to set up, and others require time and a lot of onboarding support to use. Choosing CIS compliance software that is easy, affordable, and fast is hard. Here are a few solutions to consider.
Rapid 7 – InsightVM
InsightVM is a tool for Enterprise organizations that need help becoming CIS compliant. InsightVM is meant for large organizations with big budgets for compliance. The tool requires hours of support for onboarding and integration into their suite of other products and services. You can read about their product on their website here.
Secure My Desktop
We developed Secure My Desktop as a solution for small to medium sized businesses that need help becoming CIS compliant. Secure My Desktop is meant for businesses who want big budget security without having a big budget. It is a one time purchase of $29.95 per device. It gets you CIS compliant in seconds. You can check your compliance score at any time to see where your device stands, and change the settings at any time. For instance, one of the great benefits of this software is the system restore point it creates before applying the settings. In other words, you can restore the original settings to the way they were.
Conclusion
There are many ways to do CIS Level 1 Hardening. Most of them require a lot of time and effort. You can start by following the steps above or run a CIS Compliance Check for free. Making the best decision is easy once you have the right information.
Learn more about how Secure My Desktop solves the issues around becoming CIS Level 1 Compliant.