How to Harden Windows Server 2012 R2 with CIS Benchmark Guidelines
The Center for Internet Security (CIS) publishes detailed hardening benchmarks for every major operating system, including Windows Server 2012 R2. Implementing the CIS Benchmark reduces your attack surface by disabling unnecessary services, tightening authentication policies, restricting dangerous protocols, and ensuring audit logging captures security-relevant events. This guide covers the most impactful CIS Level 1 controls and how to apply them via Group Policy and PowerShell on a Windows Server 2012 R2 domain member or standalone server.
Prerequisites
- Windows Server 2012 R2 fully patched with the latest updates
- Local Administrator or Domain Admin access
- GPMC installed (for domain deployments)
- The CIS Windows Server 2012 R2 Benchmark PDF (available free at cisecurity.org after registration)
- Optional: Microsoft Security Compliance Toolkit for pre-built baseline GPOs
Step 1: Apply Account Policy Hardening
CIS recommends enforcing strong password policies and account lockout. Configure through secpol.msc or Group Policy under Computer Configuration → Windows Settings → Security Settings → Account Policies:
# Configure via net accounts command (local policy)
net accounts /minpwlen:14 /maxpwage:60 /minpwage:1 /uniquepw:24 /lockoutthreshold:5 /lockoutwindow:15 /lockoutduration:0
For domain GPO, the equivalent settings are:
- Minimum password length: 14 characters
- Maximum password age: 60 days
- Minimum password age: 1 day
- Password history: 24 passwords remembered
- Account lockout threshold: 5 invalid attempts
- Lockout duration: 0 (admin must unlock)
- Reset lockout counter after: 15 minutes
Step 2: Rename and Disable Default Accounts
CIS requires renaming the built-in Administrator and Guest accounts and disabling Guest:
# Rename the built-in Administrator account (WMIC WHERE clause quoted so cmd.exe passes it intact)
wmic useraccount where "name='Administrator'" rename SrvAdmin
# Disable the Guest account
net user Guest /active:no
# Verify: the output should show "Account active  No"
net user Guest
Via Group Policy navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options and set:
- Accounts: Rename administrator account → your chosen name
- Accounts: Rename guest account → a non-obvious name
- Accounts: Guest account status → Disabled
Step 3: Configure User Rights Assignments
User Rights Assignments control which accounts can perform privileged operations. CIS specifies tight restrictions. Navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment and apply:
# These are applied via GPO in production; shown here for documentation
# Access this computer from the network: Administrators, Authenticated Users only
# Allow log on locally: Administrators only on servers
# Deny log on through Remote Desktop Services: Guests, Local account (for non-jump-server machines)
# Allow log on through Remote Desktop Services: Administrators only
# Check current assignments via secedit (the export is a UTF-16 INI file; the [Privilege Rights] section lists each right with its SIDs):
secedit /export /cfg C:\CISSecurityPolicy.cfg /areas USER_RIGHTS
notepad C:\CISSecurityPolicy.cfg
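Reading the export by hand is error-prone, so here is an added verification script (not part of the CIS benchmark or the original guide) that parses the [Privilege Rights] section of a secedit export and flags any principal that Step 3 does not allow; the embedded export is a constructed sample, and the SID mappings in the comments are well-known Windows SIDs.

```powershell
# Well-known SIDs used below: S-1-5-32-544 Administrators, S-1-5-11 Authenticated Users,
# S-1-5-32-546 Guests, S-1-5-113 Local account, S-1-1-0 Everyone, S-1-5-32-551 Backup Operators.

# Constructed sample of a secedit export (a live one: Get-Content C:\CISSecurityPolicy.cfg -Raw)
$sampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-5-113
[Version]
signature="$CHICAGO$"
'@

# Rights where any principal beyond this list is a finding (per Step 3)
$allowed = @{
    'SeNetworkLogonRight'           = @('*S-1-5-32-544', '*S-1-5-11')
    'SeInteractiveLogonRight'       = @('*S-1-5-32-544')
    'SeRemoteInteractiveLogonRight' = @('*S-1-5-32-544')
}
# Rights that must contain at least these principals
$required = @{ 'SeDenyRemoteInteractiveLogonRight' = @('*S-1-5-32-546', '*S-1-5-113') }

function Get-PrivilegeRights([string]$Text) {
    # Returns a hashtable: right name -> array of principals, taken only from [Privilege Rights]
    $rights = @{}; $inSection = $false
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

$rights = Get-PrivilegeRights $sampleExport
foreach ($name in $allowed.Keys) {
    $current = @($rights[$name] | Where-Object { $_ })          # absent right -> empty list
    $extra = $current | Where-Object { $allowed[$name] -notcontains $_ }
    if ($extra) { Write-Warning "$name grants unexpected principal(s): $($extra -join ', ')" }
    else        { Write-Host "OK  $name" }
}
foreach ($name in $required.Keys) {
    $missing = $required[$name] | Where-Object { @($rights[$name]) -notcontains $_ }
    if ($missing) { Write-Warning "$name is missing: $($missing -join ', ')" }
    else          { Write-Host "OK  $name" }
}
```

Against the sample it warns that Everyone holds "Access this computer from the network" and Backup Operators hold "Allow log on locally", the two deviations planted in the constructed export.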
Step 4: Disable Unnecessary Services
CIS recommends disabling services that increase attack surface when not required. The following services should be disabled on servers that do not require them:
$servicesToDisable = @(
    "Browser",        # Computer Browser
    "lmhosts",        # TCP/IP NetBIOS Helper
    "IISADMIN",       # IIS Admin (if IIS not installed)
    "SharedAccess",   # Internet Connection Sharing
    "SSDPSRV",        # SSDP Discovery
    "upnphost",       # UPnP Device Host
    "WMPNetworkSvc",  # Windows Media Player Network Sharing
    "XblAuthManager", # Xbox Live Auth Manager
    "XblGameSave"     # Xbox Live Game Save
)
foreach ($svc in $servicesToDisable) {
    # Skip services that are not installed on this server
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Set-Service -Name $svc -StartupType Disabled
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Write-Host "Disabled: $svc"
    }
}
Step 5: Harden Network Settings
Disable NetBIOS over TCP/IP on all network adapters to reduce lateral movement risk:
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "TcpipNetbiosOptions IS NOT NULL"
foreach ($adapter in $adapters) {
    $adapter.SetTcpipNetbios(2) | Out-Null  # 2 = Disable NetBIOS over TCP/IP
}
Write-Host "NetBIOS disabled on all adapters"
Disable LLMNR (Link-Local Multicast Name Resolution) via Group Policy:
Navigate to Computer Configuration → Administrative Templates → Network → DNS Client and set Turn off multicast name resolution to Enabled.
Disable IPv6 if not required in your environment:
# Disable IPv6 via registry (takes effect after a reboot)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" `
    -Name "DisabledComponents" -Value 0xFF -Type DWord
Step 6: Harden Windows Remote Management and Registry
Restrict anonymous access to named pipes and shares, which are commonly abused for lateral movement. In Group Policy the settings live under Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options (the "Network access:" entries); the registry equivalents are shown below.
# Verify anonymous share access restrictions via registry:
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" | Select-Object RestrictNullSessAccess
# Should be 1 (enabled)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" `
    -Name "RestrictNullSessAccess" -Value 1 -Type DWord
# Prevent enumeration of accounts and shares by anonymous users:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "RestrictAnonymous" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "RestrictAnonymousSAM" -Value 1 -Type DWord
Step 7: Configure Audit Policy per CIS
CIS specifies detailed audit subcategories. Use the Advanced Audit Policy Configuration rather than the legacy basic audit settings:
# Configure audit subcategories
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
# "Privilege Use" is a category, not a subcategory; CIS asks for Sensitive Privilege Use (Success and Failure)
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
# Verify
auditpol /get /category:*
Step 8: Apply Windows Firewall Hardening
CIS requires the Windows Firewall to be enabled on all profiles and set to block inbound connections by default:
# Enable firewall on all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -NotifyOnListen False
# Verify
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Step 9: Enable Screen Lock and Interactive Session Policies
# Interactive logon: Machine inactivity limit (900 seconds = 15 minutes)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -Name "InactivityTimeoutSecs" -Value 900 -Type DWord
# Interactive logon: Do not display last user name
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -Name "DontDisplayLastUserName" -Value 1 -Type DWord
# Interactive logon: Message title and text for users attempting to log on
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -Name "LegalNoticeCaption" -Value "Authorized Use Only" -Type String
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -Name "LegalNoticeText" -Value "This system is for authorized users only. Unauthorized access is prohibited and may result in legal action." -Type String
Step 10: Export and Document the Baseline
After applying all settings, export the security policy for documentation and future comparison:
mkdir C:\CIS-Baseline
secedit /export /cfg C:\CIS-Baseline\SecurityPolicy.cfg /areas SECURITYPOLICY USER_RIGHTS REGKEYS
Get-NetFirewallRule | Export-Csv C:\CIS-Baseline\FirewallRules.csv -NoTypeInformation
auditpol /get /category:* > C:\CIS-Baseline\AuditPolicy.txt
Write-Host "Baseline exported to C:\CIS-Baseline"
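The exported files are a point-in-time record; an added drift check (not part of the CIS benchmark or the original guide) that re-reads the live registry and audit settings and compares them with the values applied in Steps 5 to 9 is shown below. It assumes the LLMNR policy from Step 5 is applied, which writes EnableMulticast = 0 under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, and it relies on the CSV output of auditpol /get /r.

```powershell
# Expected registry state: paths and names are the ones set earlier in this guide
$expectedRegistry = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Name = 'RestrictNullSessAccess';  Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RestrictAnonymous';       Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RestrictAnonymousSAM';    Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';          Name = 'EnableMulticast';         Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'InactivityTimeoutSecs';   Value = 900 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DontDisplayLastUserName'; Value = 1 }
)
# Expected "Inclusion Setting" per audit subcategory, matching Step 7
$expectedAudit = @{
    'Logon'                     = 'Success and Failure'
    'Account Lockout'           = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Process Creation'          = 'Success'
}

function Test-RegistryBaseline {
    # One result object per expected value; a missing key or path is reported as '<missing>'
    foreach ($e in $expectedRegistry) {
        $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($e.Name) } else { '<missing>' }
        [pscustomobject]@{ Check = $e.Name; Expected = $e.Value; Actual = $actual; Pass = ($actual -eq $e.Value) }
    }
}

function Test-AuditBaseline {
    # auditpol /r emits CSV (columns include "Subcategory" and "Inclusion Setting"); drop blank lines first
    $rows = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    foreach ($name in $expectedAudit.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name }
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<missing>' }
        [pscustomobject]@{ Check = "Audit: $name"; Expected = $expectedAudit[$name]; Actual = $actual; Pass = ($actual -eq $expectedAudit[$name]) }
    }
}

$results = @(Test-RegistryBaseline) + @(Test-AuditBaseline)
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed) { Write-Warning "$($failed.Count) control(s) have drifted from the baseline" }
else         { Write-Host "All checked controls match the baseline" }
```

Run it from an elevated PowerShell session; schedule it if you want drift reported between audits.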
Summary
Applying CIS Benchmark guidelines to Windows Server 2012 R2 significantly reduces your exposure to common attack techniques. The controls covered here—account policy hardening, service reduction, network protocol restrictions, audit policy configuration, and firewall defaults—address the most critical CIS Level 1 requirements. Use the exported baseline files to validate compliance during audits, detect configuration drift with tools like Microsoft’s Security Compliance Toolkit, and restore settings quickly if a misconfiguration or unauthorized change is discovered.