CIS Windows Server Level 1 Hardening: What Actually Matters in Production
CIS Windows Server Level 1 hardening in production — what breaks, what to apply first, and how to avoid NTLM lockouts, audit log disk exhaustion, and service account outages.
The Windows Server That Was Hardened Into the Ground
A team applied CIS Windows Server Level 1 via GPO on a Friday afternoon. By Monday morning: three legacy applications had stopped authenticating, the domain controller's system disk was full from audit logs, and helpdesk was flooded with account lockout tickets.
Every control they applied was technically correct. None of it was tested. That is the gap this article fills.
CIS Windows Server Level 1 is the right baseline for production Windows infrastructure. But it is not plug-and-play. This guide covers what actually matters, what silently breaks production, and how to deploy the CIS benchmark for Windows safely.
Production reality: The CIS Windows Server benchmark is not optional. If you are running Windows Server in a SOC 2, PCI-DSS, or HIPAA environment and you do not have a documented hardening baseline, you are already out of compliance — whether or not you have been audited yet.
Quick Summary: What Is CIS Windows Server Level 1?
CIS Windows Server Level 1 is the baseline security profile from the Center for Internet Security Windows Server benchmark. It covers account policies, audit policy, user rights assignments, security options, and Windows Firewall — the controls that address the most commonly exploited Windows Server misconfigurations.
Level 1 controls are designed to have minimal impact on server functionality. In practice, several of them break legacy applications, authentication flows, and storage capacity if applied without environment-specific review.
- A default Windows Server install fails 40–60% of Level 1 checks
- Applying the benchmark correctly takes an afternoon of testing per server role
- Applying it blindly takes a weekend of recovery
Top 5 Quick Wins: Apply in 30 Minutes
Before working through the full benchmark, these five controls are high-impact, low-risk, and take minutes to apply. Start here.
1. Disable LLMNR and NetBIOS over TCP/IP Both are used in LLMNR/NBT-NS poisoning attacks — one of the most common internal network attacks. Neither is needed in a properly configured DNS environment.
# Disable LLMNR via Registry
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
-Name "EnableMulticast" -Value 0 -Type DWord
# Disable NetBIOS over TCP/IP on all adapters
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "TcpipNetbiosOptions is not null"
$adapters | ForEach-Object { $_.SetTcpipNetbios(2) }
2. Rename the built-in Administrator account
Attackers target the Administrator account by name. Renaming it adds friction at near-zero cost.
wmic useraccount where name='Administrator' rename 'svc_localadm'
3. Enable Windows Firewall logging on all profiles You need baseline visibility before you block anything. Start logging before enforcing.
Set-NetFirewallProfile -Profile Domain,Public,Private `
-LogAllowed True -LogBlocked True `
-LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" `
-LogMaxSizeKilobytes 32768
4. Set Security event log to 1GB minimum The default 512MB fills in hours on a busy server. Do this before enabling verbose audit policy.
wevtutil sl Security /ms:1073741824
5. Disable anonymous SAM enumeration This prevents unauthenticated attackers from listing user accounts and shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
→ Network access: Do not allow anonymous enumeration of SAM accounts = Enabled
→ Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled
Why Default Windows Server Is a Security Problem
Microsoft ships Windows Server with defaults tuned for compatibility, not security. Out of the box:
| Default Setting | Security Risk |
|---|---|
| NTLM v1 allowed | Enables pass-the-hash and NTLM relay attacks |
| No account lockout policy | Unlimited password brute-force attempts |
| Minimal audit logging | Zero forensic visibility after compromise |
| RDP enabled with weak ciphers | Exploitable by MITM and known cipher attacks |
| Anonymous enumeration allowed | Attacker can list users, shares, and groups |
Admin shares (C$, ADMIN$) accessible |
Lateral movement made trivial |
| Windows Firewall allows all outbound | No egress filtering |
None of this is accidental. It is compatibility-first design. CIS Windows Server hardening explicitly reverses these defaults — which is why applying it carefully matters.
Windows Server hardening is not a one-time project. It is a baseline you establish, enforce via GPO, and re-audit monthly. Settings drift. Updates change configurations. Service installs add firewall exceptions. Without automated scanning, you will not know until an auditor tells you.
See also: CIS Level 1 Ubuntu Hardening Guide — the same hardening discipline applied to Linux infrastructure.
CIS Windows Server Level 1 vs Level 2
| Criteria | Level 1 | Level 2 |
|---|---|---|
| Target | General production servers | High-security / regulated |
| Legacy app compatibility | Usually fine with exceptions | Often broken |
| Operational impact | Low to moderate | High |
| Compliance coverage | SOC 2, PCI-DSS, HIPAA | NIST 800-53 High, FedRAMP |
| Domain controller safe? | Mostly, with review | Significant testing required |
| Right for most environments? | ✅ Yes | Only if mandated |
Start with Level 1. Get it stable. Then selectively layer Level 2 controls where your risk profile requires it.
Key Areas of CIS Windows Server Level 1 Hardening
Account Policies
This is where most outages happen.
Password policy:
Minimum password length: 14 characters
Password complexity: Enabled
Maximum password age: 60 days
Minimum password age: 1 day
Password history: 24 passwords remembered
Reversible encryption: Disabled
Account lockout policy:
Account lockout threshold: 5 invalid attempts
Account lockout duration: 15 minutes
Reset account lockout counter: 15 minutes
⚠️ Warning — Account lockout causes service outages
What breaks: Any service account with a hardcoded password. When that password expires or is changed, the service keeps retrying the old credential, hits the 5-attempt threshold in under 3 minutes, and locks the account — taking down the service.
Why it breaks: Service accounts are historically set to never expire. When you enforce rotation, they fail silently against the lockout policy. No error. No alert. The service just stops.
Fix: Before enabling lockout policy, audit every service account in AD. Convert them to Group Managed Service Accounts (gMSA) — they handle rotation automatically and never trigger lockouts.
Audit Policy
CIS Level 1 requires detailed logging across all security-relevant events. The ones that matter most:
Account Logon: Success, Failure
Account Management: Success, Failure
Logon/Logoff: Success, Failure
Object Access: Failure
Policy Change: Success
Privilege Use: Failure
System: Success, Failure
Process Creation: Success (not default in CIS — add it anyway, critical for detection)
Configure via auditpol.exe for precision:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
:: Verify
auditpol /get /category:*
⚠️ Warning — Audit logs fill system disk and halt servers
What breaks: On a busy domain controller or RDS server, security event logs fill gigabytes per day. When the disk fills, behavior depends on
CrashOnAuditFail. If set to1(required by some CIS controls), the server halts when it cannot write audit events.Why it breaks: The 512MB default Security log size was set in an era of minimal logging. CIS Level 1 generates 10–50x more events. No one changes the log size. Then
CrashOnAuditFail = 1becomes a tripwire.Fix: Set Security log to 2GB minimum. Configure Windows Event Forwarding to a dedicated collector before enabling verbose auditing. Never rely on local disk only.
# Set Security log size to 2GB
wevtutil sl Security /ms:2147483648
# Configure WinRM for log forwarding
winrm quickconfig
# Then configure Windows Event Forwarding subscription on the collector
User Rights Assignments
These control which accounts can perform privileged operations. CIS Level 1 tightens defaults that are far too permissive.
Key assignments to enforce:
Access this computer from the network: Administrators, Authenticated Users
Allow log on locally: Administrators only (servers — not DCs)
Allow log on through RDP: Administrators, Remote Desktop Users
Deny access from network: Guests, Local accounts (on domain members)
Act as part of OS: Empty (no accounts)
Debug programs: Empty (no accounts)
Take ownership of files: Administrators only
Configure via GPO:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
⚠️ Warning — "Deny log on locally" breaks console access during domain failure
What breaks: If you add
Local accountsto the deny list and the server loses domain connectivity, you cannot log in via console with local credentials.Fix: Before applying, ensure a local administrator account with a known password exists and is not in the deny list. Store the credential in your password vault. Document it. Test console login before the domain controller goes down, not after.
Security Options
This section breaks more legacy applications than any other. Most of the NTLM-related controls live here.
Critical settings:
Network security: LAN Manager authentication level
→ Send NTLMv2 response only. Refuse LM & NTLM
Network security: Minimum session security for NTLM SSP (servers)
→ Require NTLMv2 session security, 128-bit encryption
Interactive logon: Don't display last signed-in
→ Enabled
Network access: Do not allow anonymous enumeration of SAM accounts
→ Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares
→ Enabled
Accounts: Rename administrator account
→ Rename to something non-obvious
Microsoft network server: Digitally sign communications (always)
→ Enabled
Network security: LDAP client signing requirements
→ Require signing
⚠️ Warning — NTLMv2-only breaks legacy applications silently
What breaks: Any application using LM or NTLMv1 — older ERP systems, NAS devices, scanners and printers authenticating to shares, some RADIUS implementations, monitoring agents built before 2008.
Why it breaks: These systems use hardcoded authentication libraries that predate NTLMv2. They do not log "NTLM version mismatch." They throw generic "access denied" errors or just silently stop working. The connection between the error and the NTLM policy change is non-obvious.
Fix: Before enforcing, run NTLM audit mode across the domain for 2–4 weeks:
Network security: Restrict NTLM: Audit NTLM authentication in this domain → Enable allReview Event ID 4776 in the Security log. Identify every system still using NTLMv1 or LM. Fix or isolate them. Enforce only after remediation is complete.
Windows Firewall
CIS Level 1 requires Windows Firewall enabled on all profiles with default inbound deny.
# Enable firewall with default deny inbound on all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private `
-Enabled True `
-DefaultInboundAction Block `
-DefaultOutboundAction Allow `
-NotifyOnListen True `
-LogAllowed True `
-LogBlocked True `
-LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" `
-LogMaxSizeKilobytes 32768
# Allow required inbound traffic — example: RDP from management VLAN only
New-NetFirewallRule -DisplayName "RDP - Management VLAN" `
-Direction Inbound -Protocol TCP -LocalPort 3389 `
-RemoteAddress 10.10.1.0/24 -Action Allow
⚠️ Warning — Default deny inbound immediately breaks internal services
What breaks: Monitoring agents being polled (SCOM, Zabbix, Nagios), backup clients (Veeam, CommVault), WMI-based queries, SCCM communications, custom health check endpoints, anything that receives inbound connections.
Why it breaks: Most servers have no documented inbound communication requirements. Nobody knows what is connecting until it stops working.
Fix: Enable firewall logging one week before changing the default action. Review
pfirewall.logfor all inbound allow traffic. Build role-specific GPOs with the required rules. Apply firewall blocking only after the allow rules are in place and tested.
See also: Linux SSH Hardening and Remote Access Security — for comparison with Linux remote access hardening approaches.
Tools for Applying CIS Windows Server Level 1
Group Policy (GPO) — The Standard Method
For domain-joined servers, GPO is the right delivery mechanism.
- Download the CIS Benchmark from cisecurity.org — includes
.infand.admxtemplates - Import via
secedit.exeor Group Policy Management Console - Test with a dedicated OU before domain-wide rollout
- Verify with
gpresult /H report.html
:: Import security template
secedit /configure /db %windir%\security\local.sdb /cfg CIS_Level1_Template.inf /log secedit.log
:: Analyze compliance against template
secedit /analyze /db %windir%\security\local.sdb /cfg CIS_Level1_Template.inf /log analyze.log
LGPO — For Non-Domain Servers
Microsoft's tool for applying GPO settings to standalone servers. Download from the Microsoft Security Compliance Toolkit.
:: Apply CIS policy to local machine
LGPO.exe /g "CIS_Level1_Policy_Backup_Folder\"
:: Backup current settings before applying
LGPO.exe /b "C:\Backup\Pre-CIS-Settings\"
CIS-CAT Pro — Automated Compliance Scanning
Official CIS assessment tool. Produces a scored HTML report per control.
.\CIS-CAT.bat -b benchmarks\CIS_Microsoft_Windows_Server_2022_Benchmark_v1.0.0-xccdf.xml `
-p "Level 1 - Member Server" `
-r C:\Reports\ `
-rd html
Run CIS-CAT before and after hardening. The delta between scans is your audit evidence.
Microsoft Security Compliance Toolkit (SCT)
Free from Microsoft. Includes security baselines for each Windows Server version, Policy Analyzer for GPO comparison, and LGPO.exe. The Microsoft baselines overlap significantly with CIS Level 1 and are a useful cross-reference.
Real-World Lessons from Production Environments
Lesson 1 — NTLM restriction took down a hospital ERP integration.
A hospital applied NTLMv2-only policy across all servers. Three days later, a billing integration stopped. The ERP used a COM-based file transfer component from 2009 — LM auth only. No error message mentioned NTLM. The "access denied" errors looked like a permissions problem.
The fix took two weeks: identify the component, contact the vendor, implement an NTLMv2-capable wrapper.
Lesson: run NTLM audit logging for a full billing cycle before enforcing. Monthly batch jobs surface late.
Lesson 2 — Account lockout took down payment processing at 2am.
A service account password was rotated in a routine change. The Windows service was not updated. It retried on 30-second intervals, hit 5 attempts in 2.5 minutes, locked the account. Auto-unlocked after 15 minutes. Relocked. Cycled for 4 hours before anyone identified Event ID 4740.
The payment processing queue backed up. Recovery took 6 hours including the investigation.
Lesson: monitor Event ID 4740 continuously. Alert on every lockout. Convert service accounts to gMSA before enabling lockout policy.
Lesson 3 — Audit policy halted a domain controller at 3am.
CIS Level 1 audit policy was pushed via GPO to all servers — including a domain controller handling 8,000 logins per hour. Security log was at the 512MB default. CrashOnAuditFail = 1. The log filled in under 2 hours. The DC halted. Authentication across the domain stopped.
The fix was two parts: Security log to 2GB minimum, Windows Event Forwarding to a dedicated collector before re-enabling audit policy.
Lesson: CrashOnAuditFail = 1 is correct for compliance. It is a loaded gun without sized logs and log forwarding.
Implementation Strategy: Deploy Without Breaking Things
Apply in phases. Never in one shot.
Phase 1 — Baseline (Week 1)
- Run CIS-CAT on representative servers per role (DC, member server, web server, DB)
- Document failure rate per category
- Identify conflicts: legacy apps, service accounts, monitoring agents
Phase 2 — Zero-risk controls (Week 2)
- Disable LLMNR and NetBIOS over TCP/IP
- Rename administrator account
- Enable Windows Firewall logging (not enforcement — logging only)
- Set Security log to 2GB
- Apply audit policy to staging — measure log volume
Phase 3 — Account policies (Week 3)
- Audit all service accounts — convert to gMSA
- Apply lockout policy to a test OU with Event ID 4740 monitoring
- Apply to production in a low-traffic window with on-call coverage
Phase 4 — NTLM restrictions (Week 4–6)
- Enable NTLM audit mode domain-wide
- Collect 2–4 weeks of Event ID 4776 data
- Fix or isolate legacy systems
- Enforce NTLMv2-only after remediation
Phase 5 — Firewall hardening (Week 5–7)
- Review firewall logs collected in Phase 2
- Build role-specific firewall GPOs with required allow rules
- Test in staging for 1 week
- Apply to production with rollback plan ready
Phase 6 — Verify and document
- Run CIS-CAT post-hardening
- Document all exceptions with business justification
- Store exception register with compliance evidence
Best Practices
Use GPO for everything. Manual changes drift. GPO enforces on every refresh cycle and reverts tampering. Build your CIS baseline into a dedicated GPO on a hardened servers OU. Never apply by hand.
Separate GPOs by control category. One GPO for account policy, one for audit policy, one for security options. Rollback becomes surgical — disable one GPO without reverting everything else.
Monitor Event ID 4740 before and after lockout policy. This fires on every account lockout. Unexpected alerts mean something is churning through lockout cycles in production right now.
Size your Security log before enabling audit policy. 1GB minimum on member servers. 2GB on domain controllers. Configure Windows Event Forwarding before you need it — not after a disk fills up.
Test NTLM changes for 4 weeks minimum. Not 2. Not 1. Four. Monthly batch jobs, quarterly reports, and annual integrations all use NTLM. They will not fail in your first week of testing.
Frequently Asked Questions
Does CIS Windows Server Level 1 apply to domain controllers? Yes, with significant caution. Domain controllers need their own OU and their own GPO. Some Level 1 controls behave differently on DCs — particularly local logon rights and security options. CIS publishes DC-specific benchmarks. Use those, not the member server benchmark, for DCs.
Does CIS Level 1 break Active Directory replication? It should not — but NTLM restrictions and LDAP signing requirements can affect DC replication in environments with older OS versions. If you have 2012 R2 or older DCs, test LDAP signing requirements carefully before enforcing.
Can I apply CIS Level 1 to Azure VMs? Yes. GPO for domain-joined VMs. LGPO or DSC for standalone. Microsoft Defender for Cloud has CIS benchmark assessment built in — use it for continuous monitoring on Azure.
How often should I re-scan? Monthly minimum. Windows Updates, software installs, and domain policy changes all drift settings. Schedule CIS-CAT as a monthly scheduled task and alert on score drops greater than 5 points.
Conclusion: Engineering Project, Not a GPO Import
CIS Windows Server Level 1 closes the gaps attackers actually exploit: NTLMv1 relay, anonymous enumeration, brute-force through absent lockout policy, lateral movement via default admin shares, and zero forensic capability from absent audit logging.
The controls that matter most are also the ones with the worst failure modes when applied wrong. Account lockout, NTLM restrictions, audit log volume, and firewall default-deny — every one has a documented production incident behind it. Every one is preventable with the right sequence.
Apply the CIS benchmark for Windows in phases. Test NTLM changes for four weeks before enforcing. Convert service accounts to gMSA before enabling lockout. Size your audit logs before turning on verbose logging. Document every exception.
The teams that succeed treat this as an engineering project. The teams that fail treat it as a GPO import.
Related reading: CIS Level 1 Ubuntu Hardening: A Field-Tested Production Guide — the same hardening discipline applied to Linux. For building forensic capability across both platforms: Reading Logs Like a Detective: A Field Guide to Incident Triage.
Alternative Title Suggestions
These are included for the author's reference — remove before publishing.
-
"CIS Windows Server Level 1: The Engineer's Guide to Hardening Without Breaking Production" — Higher CTR, speaks directly to fear of breakage. Slightly long but strong.
-
"CIS Windows Server Level 1 Hardening: NTLM, Audit Logs, and the Mistakes That Cause Outages" — Specific and problem-driven. Engineers searching for why CIS broke something will click this.
-
"Windows Server Security Baseline: What CIS Level 1 Actually Requires and What Breaks" — Targets "Windows security baseline" keyword variant. Good for broader reach.