Device Hardening with CIS Level 1 Benchmarks

Device Hardening with CIS Level 1 Benchmarks

This is a comprehensive guide to device hardening using the CIS Level 1 Benchmarks. It includes compliance settings for account and account logout settings. minimum password length. This guide helps you start your CIS Compliance journey.

This is the device hardening techniques we will cover:

  • What is Device Hardening?
  • Run a CIS Compliance Check 
  • How to Apply CIS Benchmarks on Windows 10 and Windows 11 Devices
  • Test Your CIS Compliance after Changing the Settings
  • CIS Compliance Tools that Make Your Life Easier


What is Device Hardening?

Device hardening is the process of making a device harder to hack by reducing its attack surface. CIS level 1 Benchmarks lists hundreds of settings that need to be configured correctly for compliance. From setting minimum password length to account logoff policies. 


Device hardening from minimum password length to account lockout policies. This shows how to apply cis benchmarks and run a cis compliance check.


Run a CIS Compliance Check

A CIS Compliance Check tells you how compliant your device is to CIS Level 1 Standards. It gives you a score from 0% to 100% compliant. It checks every setting on your device and compares it to the CIS Benchmarks. 

Run a cis compliance check using Secure My Desktop. It changes password policies and account lockout policies like the ones shown in group policy. This device hardening tool is the perfect fit for any small and medium sized businesses.

A good software to use to run a CIS Compliance Check is Secure My Desktop. you can use the CIS Level 1 Benchmark score. You can use this score to fix the hundreds of compliance issues yourself or have the software do it for you in seconds. Use Secure My Desktop’s free CIS Compliance Check.


How to Apply CIS Benchmarks on Windows 10 and Windows 11 Devices

There are hundreds of settings that the Center for Internet Security has in their CIS Level 1 Benchmarks that apply to Windows 10 and 11 machines. Learn how to apply the cis benchmarks.

Account Policies

Organizations have account policies. User accounts are vulnerable without a solid account policy. Account policies protect and secure user accounts from these cyber threats. The CIS Level 1 Benchmarks sets a standard for configuring those account policies. The two general categories of account policies are for passwords and account lockouts. 

For this section you will be using a few Windows programs to set these up on your local device.

Note: the device hardening steps are for a single device and not for a device joined to a domain.

Your password policy defines what a users password can be. 

Account lockout policy sets how many attempts, how long until the next attempt, and how long a lockout is after retry. 

First go to the search bar on your taskbar. Type “run” into the taskbar.

Small but mighty is the search bar. You can use this to reach the device hardening tools you need to become compliant to the cis benchmarks. Run a CIS compliance check to set the correct password settings.

Click “Run” to open the Run Windows application. Type in gpedit.msc as shown below.

Use the Run tool to open gpedit.msc, a local version of group policy. It changes passwords and settings that effect CIS Level 1 Compliance. Get a CIS Compliance Check as sson as possible.

The Group Policy editor is where you will change the account policies for your device. 


Password Policy

Password policy sets a minimum and maximum password age, password length, etc. The Center for Internet Security outlined some essential password policy settings. These device hardening settings can be changed in the Group Policy manager shown below. 

CIS Level 1 Benchmarks mandates changes to the following settings to be compliant. Password history settings needs to be changed to 24 or more passwords. Make sure the maximum password age is set to 365 days or fewer, but not 0. Minimum password age set to 1 or more days. Set minimum password length set to 14 or more characters or more. Enable the Password must meet complexity requirements setting. After that, enable relax minimum password length limits. Finally, disable store passwords using reversible encryption. 


Account Lockout Policy

Account lockout policy sets how many attempts, how long until the next attempt, and how long a lockout is after retry. Change these device hardening settings by navigating to the adjacent Group Policy module Account Lockout Policy. 

The CIS Benchmarks mandate changes to the following Account lockout settings. You should set Account lockout duration to 15 or more minutes. Account lockout threshold must be set to 5 or fewer invalid logon attempts but not 0. Reset account lockout counter after setting must be set to 15 or more minutes. 


Testing Your CIS Compliance after Making Settings Changes

After you have made the recommended changes, run another CIS Compliance Check. You should see the changes show up in the CIS Compliance tool. For example, the image below could be your CIS compliance check before changing the settings above. To get CIS Benchmark Compliant in seconds look at 2 different software options below.

CIS Compliance Tools that Make Your Life Easier

Compliance tools make it hundreds of times easier to reach CIS Level 1 Compliance. Some cost a lot more than others. Some are simple to setup and others require time and a lot of onboarding support to use. Choosing a CIS Compliance software that makes it easy, affordable, and fast to get you CIS compliant is hard. Here are a few solutions to consider. 

Rapid 7 – InsightVM

InsightVM is a tool for Enterprise organizations that need help becoming CIS compliant. InsightVM is meant for large organizations with big budgets for compliance. The tool requires hours of support for onboarding and integration into their suite of other products and services. You can read about their product on their website here.

Secure My Desktop

We developed Secure My Desktop as a solution for small to medium sized businesses that need help becoming CIS compliant. Secure My Desktop is meant for businesses who want big budget security without having one. It is a one time purchase of $29.95 per device to run. It gets you  CIS Complaint in seconds. You can check your compliance score at any time to see where your device and change the settings at any time. For instance, one of the great benefits this software is the system restore it creates before applying the settings. In other words, you can restore the original settings to the way it was.



There are many ways to do CIS Level 1 Hardening. Most of them require a lot of time and effort. You can start by following the steps above or run a CIS Compliance Check for free. Making the best decision is easy once you have the right information. 

Learn more about how Secure My Desktop solves the issues around becoming CIS Level 1 Compliant.