A Case Study to Implement Windows System Hardening using CIS Controls

© 2022 by IJCTT Journal
Volume-70 Issue-7
Year of Publication : 2022
Authors : Rajeshkumar Sasidharan
DOI :  10.14445/22312803/IJCTT-V70I7P101

How to Cite?

Rajeshkumar Sasidharan, "A Case Study to Implement Windows System Hardening using CIS Controls," International Journal of Computer Trends and Technology, vol. 70, no. 7, pp. 1-7, 2022. Crossref, https://doi.org/10.14445/22312803/IJCTT-V70I7P101

Cyber threats and attacks increasingly target today's IT infrastructure worldwide. Organizations are constantly pressured to secure their infrastructure, data, and services from external attacks. As a result, security and systems engineers continually focus on securing their infrastructure from the edge level (firewall, router, and switches) to the end-user component (server, systems, and storage) level using various security technologies, including system hardening at the component level. This case study focuses on hardening Windows systems with industry-standard Center for Internet Security (CIS) controls, security tools, a remediation tool kit, and frameworks. It helps to safeguard Windows servers from external and internal threats and provides comfort to the information technology and security teams in evaluating and maintaining the IT infrastructure's security baseline. Finally, this case study assists the client in safely and securely running thousands of Windows servers worldwide and generating security reports against the vulnerability and security baseline established by CIS Benchmarks and Controls. Applying controls or adjustments to a new implementation would be simpler. The focus of this case study, however, was on implementing CIS Windows system hardening on existing complex production Windows infrastructure, which is usually a difficult issue for chief information security officer (CISO) and chief information officer (CIO) organizations.

Operating system auditing, Compliance, CIS benchmarks, Vulnerability, Windows security.

