Implementing CIS Benchmarks on a Windows Server Domain Controller using a build kit

./chrisrpetrie
Jun 21, 2023

Secure Configuration for AD and Windows Server

The CIS Benchmarks are consensus-based configuration recommendations covering more than 25 vendor product families. They reduce a system's attack surface by prescribing hardened settings for the operating system, its services and its applications. The benchmarks are free for anyone to use and consist of configuration guides and checklists.

CIS also offers build kits for many of its benchmarks (for Windows these are Group Policy Object backups), which give system administrators a convenient way of applying a benchmark without building every setting by hand.

In this tutorial we will look at how to implement a CIS Level 1 (L1) build kit on a Windows Server 2019 domain controller.

Download the CIS Build Kit

Download the applicable benchmark build kit from CIS Workbench (you will need a CIS SecureSuite membership): https://workbench.cisecurity.org/

In this tutorial we are using the CIS Microsoft Windows Server 2019 Benchmark v1.3.0 — Build Kit. The build kit is packaged as a .zip file for download; its contents are shown below.

Each build kit comes with a readme file. Read it before implementation: it contains information you need to be familiar with, including a matrix showing which GPOs to implement for which system role.

The build kit comes with many different GPOs and profiles. We will be using the Level 1 (L1) profiles as a starting point. The Level 2 (L2) profiles can be layered on for environments where security is paramount; they are stricter and can reduce functionality, so they need more testing. You can read more about CIS profiles here: https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq

Importing the CIS Benchmark GPOs

There are 3 GPOs that we will use:
User-L1
DC-L1
DC-L1 Services

On our Server 2019 system, open the Group Policy Management Console (GPMC) and create a new Group Policy Object. We are going to give it the same name as the CIS benchmark GPO it will hold, but you can call it whatever you like.

Then right-click the newly created GPO and select Import Settings; this launches the Import Settings Wizard.

You will be asked to back up the existing GPO. This can be skipped for a new, empty GPO, but for an existing GPO it is important to take the backup, because the import overwrites all of its settings.

Next you will be asked for the path of the "backup" folder to import settings from. This step can seem misleading at first glance, since the previous screen was about backups.

The path wanted here is the folder of the CIS build kit GPO (each build kit GPO is itself a GPMC backup) that we want to import into our new GPO. Below we choose our User-L1 path.

On the next screen you will get a confirmation of the GPO it has found:

Next, the summary screen to confirm all of our settings.

And then once imported, you should get this message indicating the import was successful.

Linking the GPOs

Currently the imported GPOs are not linked to any OU within Active Directory and therefore are not applied anywhere.

To link a GPO, right-click the domain (or whichever OU you want to link it to) and select Link an Existing GPO. Choose the target to match the profile: the DC-L1 GPOs belong on the Domain Controllers OU, because a domain-controller profile linked at the domain root also lands on every member server and workstation, and the User-L1 GPO belongs on an OU containing the users it should apply to.

Select the GPO(s) to link and click OK

Those GPOs will then appear under the OU you selected earlier.

The GPOs are now active. Domain controllers pick up policy changes within about 5 minutes and other domain members at their next background refresh (every 90 minutes plus a random offset of up to 30 minutes), or immediately after running gpupdate /force on the machine.
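The create, import and link steps above, as an added PowerShell example that is not part of the original post. It uses the GroupPolicy module (present on a domain controller) and assumes a lab domain contoso.local, that the build kit ZIP has been extracted to C:\CIS\WinServer2019-v1.3.0-BuildKit with one folder per GPO backup (each holding a {GUID} backup folder, which is what GPMC backups look like), and a test OU named CIS-Test-Users for the user policy; all of those names are assumptions to replace with your own.

```powershell
# Added example (not from the original post): create, import and link the three
# CIS L1 GPOs with the GroupPolicy module instead of clicking through GPMC.
# Assumptions (adjust to your environment): the build kit ZIP is extracted to
# $BuildKitRoot with one sub-folder per GPO backup, each containing a {GUID}
# backup folder; the OU CIS-Test-Users exists; the domain is contoso.local (lab).
#Requires -Modules GroupPolicy
Import-Module GroupPolicy

$BuildKitRoot = 'C:\CIS\WinServer2019-v1.3.0-BuildKit'   # assumed extraction path
$Domain       = 'contoso.local'                           # assumed lab domain
$DomainDN     = 'DC=contoso,DC=local'
$BackupDir    = 'C:\CIS\GPO-Backups'                      # where pre-import backups go

# GPO name -> build kit folder and link target. DC GPOs go on the Domain
# Controllers OU; the user GPO goes on a test OU first, then wider once reviewed.
$Plan = @(
    @{ Name = 'CIS Server 2019 v1.3.0 - DC-L1';          Folder = 'DC-L1';          Target = "OU=Domain Controllers,$DomainDN" }
    @{ Name = 'CIS Server 2019 v1.3.0 - DC-L1 Services'; Folder = 'DC-L1 Services'; Target = "OU=Domain Controllers,$DomainDN" }
    @{ Name = 'CIS Server 2019 v1.3.0 - User-L1';        Folder = 'User-L1';        Target = "OU=CIS-Test-Users,$DomainDN" }
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($gpo in $Plan) {
    $kitPath = Join-Path $BuildKitRoot $gpo.Folder

    # A GPMC/Backup-GPO backup is a folder named {GUID}; Import-GPO wants that GUID.
    $backupFolder = Get-ChildItem -Path $kitPath -Directory |
        Where-Object Name -match '^\{[0-9A-Fa-f-]{36}\}$' |
        Select-Object -First 1
    if (-not $backupFolder) { throw "No GPO backup folder found under $kitPath" }
    $backupId = [guid]$backupFolder.Name.Trim('{}')

    # Import-GPO overwrites every setting in the target, so back up an existing
    # GPO of the same name before touching it (the same step the wizard offers).
    $existing = Get-GPO -Name $gpo.Name -Domain $Domain -ErrorAction SilentlyContinue
    if ($existing) {
        Backup-GPO -Guid $existing.Id -Path $BackupDir -Domain $Domain `
            -Comment "Pre-CIS import $(Get-Date -Format s)" | Out-Null
    }

    # -CreateIfNeeded creates the GPO when it does not exist, so this single call
    # replaces both the 'New GPO' and the 'Import Settings' steps.
    Import-GPO -BackupId $backupId -Path $kitPath -TargetName $gpo.Name `
        -Domain $Domain -CreateIfNeeded | Out-Null

    # Link only if not already linked; New-GPLink errors on a duplicate link.
    $linked = (Get-GPInheritance -Target $gpo.Target -Domain $Domain).GpoLinks |
        Where-Object DisplayName -eq $gpo.Name
    if (-not $linked) {
        New-GPLink -Name $gpo.Name -Target $gpo.Target -Domain $Domain -LinkEnabled Yes | Out-Null
    }
    Write-Host ("{0,-45} -> {1}" -f $gpo.Name, $gpo.Target)
}
```

Run it from an elevated PowerShell session on a domain controller. Linking the user policy to a test OU rather than the domain root is the same staged rollout the tailoring section recommends; move the link once the settings have been reviewed.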

Testing

On a test domain-joined machine that sits under one of the linked OUs, run gpresult from an elevated prompt to check the GPOs are applying, for example gpresult /h C:\Temp\gpresult.html

Review the HTML file and ensure that your GPOs are listed as applied and that the settings show the CIS GPO in the Winning GPO column.

You can also open the Resultant Set of Policy snap-in (rsop.msc) to verify individual settings. Note that the Local Group Policy Editor (gpedit.msc) shows only the local GPO, not settings delivered by domain GPOs, so it does not confirm that the import took effect.
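The testing steps above, as an added PowerShell example that is not part of the original post. It forces a refresh, writes the same HTML report, checks the applied-GPO list from gpresult /r, and spot-checks a few registry values behind well-known L1 security options. The GPO names are the ones assumed in the import example for this article; the three registry checks are representative L1 settings, so confirm them against the benchmark version you imported. Run it elevated on a machine in scope of the links (a domain controller for the DC-L1 GPOs).

```powershell
# Added example (not from the original post): verify that the CIS GPOs applied.
# Assumed GPO names match the import example; replace with your own.
$ExpectedGpos = @(
    'CIS Server 2019 v1.3.0 - DC-L1',
    'CIS Server 2019 v1.3.0 - DC-L1 Services'
)
$ReportPath = Join-Path $env:TEMP 'gpresult.html'

# Do not wait for the background refresh; pull computer policy now.
gpupdate /target:computer /force | Out-Null

# Human-readable report, as in the walkthrough (check the 'Winning GPO' column).
gpresult /h $ReportPath /f | Out-Null

# Machine-readable check: parse the 'Applied Group Policy Objects' section of
# the text output. The section ends at the next heading.
$rsop = gpresult /r /scope computer
$applied = @()
$inApplied = $false
foreach ($line in $rsop) {
    if ($line -match 'Applied Group Policy Objects') { $inApplied = $true; continue }
    if ($inApplied -and $line -match 'were not applied|security groups') { break }
    if ($inApplied -and $line.Trim() -and $line -notmatch '^\s*-+\s*$') { $applied += $line.Trim() }
}
foreach ($name in $ExpectedGpos) {
    $status = if ($applied -contains $name) { 'APPLIED' } else { 'MISSING' }
    Write-Host ("{0,-8} {1}" -f $status, $name)
}

# Spot-check resultant registry values behind a few L1 security options.
# Representative settings only; confirm the expected values against your benchmark.
$Checks = @(
    @{ Setting  = 'Network security: LAN Manager authentication level (NTLMv2 only, refuse LM & NTLM)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Setting  = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'RestrictAnonymous'; Expected = 1 }
    @{ Setting  = 'Audit: Force audit policy subcategory settings to override category settings'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'SCENoApplyLegacyAuditPolicy'; Expected = 1 }
)
foreach ($c in $Checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'FAIL' }
    Write-Host ("{0,-8} {1} = {2} (expected {3})" -f $status, $c.Setting, $actual, $c.Expected)
}
Write-Host "HTML report written to $ReportPath"
```

A MISSING line usually means the machine is not under a linked OU, the link is disabled, or security filtering excludes it; a FAIL on a registry check with the GPO applied points at a conflicting GPO with higher precedence, which the Winning GPO column in the report will name.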

Tailoring GPO settings

CIS recommend that the benchmark GPOs are fully reviewed and tested prior to implementation. Some settings may need to be added, removed, or modified depending on your specific needs.

Test using an offline environment or using test OUs and GPOs on a select number of systems before deploying organisation-wide.

./chrisrpetrie

Cybersecurity Engineer. CISSP | GICSP | CEH | Systems Integration. Aberdeen, UK