Introduction to the CIS Benchmark for Windows Server 2022

The Center for Internet Security (CIS) publishes benchmark documents that define a set of security configuration guidelines for operating systems, cloud platforms, and applications. The CIS Benchmark for Windows Server 2022 is one of the most widely adopted hardening frameworks in enterprise environments, providing prescriptive guidance that reduces the attack surface of a default Windows Server installation. CIS benchmarks are developed through a consensus-based process involving security professionals, government agencies, and industry experts, making them a trusted baseline for both compliance programs and practical hardening projects.

The Windows Server 2022 benchmark is organized into two profile levels. Level 1 contains recommendations that can be applied to most production environments without significantly impacting functionality or performance. These settings address the most critical security gaps — weak passwords, excessive user rights, unneeded services, and inadequate auditing — while remaining practical for organizations that need their servers to remain operational and accessible. Level 2 extends Level 1 with more restrictive settings that are more appropriate for high-security environments, such as government systems, financial infrastructure, or healthcare networks. Level 2 settings may break certain workflows or require additional configuration to compensate, so they should be tested carefully before deployment.

This guide walks through the major hardening categories defined by the CIS benchmark, explains the rationale behind key settings, and shows how to apply them using Group Policy, the command line, and compliance scanning tools.

Account Policies: Password and Lockout Configuration

The CIS benchmark begins with account policies because weak or improperly configured credentials remain one of the primary vectors for unauthorized access. Account policies are configured in Group Policy under Computer Configuration > Windows Settings > Security Settings > Account Policies.

For password policy, the benchmark recommends the following minimum settings:

Enforce password history: 24 or more passwords remembered
Maximum password age: 365 days or fewer (Level 1), 60 days or fewer (Level 2)
Minimum password age: 1 or more days
Minimum password length: 14 or more characters
Password must meet complexity requirements: Enabled
Store passwords using reversible encryption: Disabled

The 24-password history requirement prevents users from cycling through passwords rapidly to reuse a favourite. The minimum password age of 1 day prevents immediate circumvention of the history policy. Complexity requirements enforce that passwords include uppercase letters, lowercase letters, digits, and special characters.

For account lockout policy, the recommended settings are:

Account lockout duration: 15 or more minutes
Account lockout threshold: 5 or fewer invalid logon attempts
Reset account lockout counter after: 15 or more minutes

Locking an account after 5 failed attempts defeats online brute-force attacks against local and domain accounts. A 15-minute lockout duration forces an attacker to either wait or trigger repeated lockouts, generating audit events that detection tools can act upon.

Local Policies: Audit Policy Configuration

The audit policy section of the CIS benchmark ensures that security-relevant events are recorded in the Windows Security event log. Without adequate auditing, incident responders have no visibility into what occurred before, during, or after a breach. The benchmark specifies audit settings under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy for basic audit policy, and under Advanced Audit Policy Configuration for granular control.

Key audit settings recommended by CIS Level 1 include:

Audit account logon events: Success and Failure
Audit account management: Success and Failure
Audit logon events: Success and Failure
Audit object access: Failure
Audit policy change: Success and Failure
Audit privilege use: Failure
Audit process tracking: No Auditing (Level 1) / Success and Failure (Level 2)
Audit system events: Success and Failure

Auditing both success and failure for logon events enables detection of both unauthorized access (successful logons from unexpected sources) and brute-force attempts (repeated failures). Auditing policy changes captures modifications to the audit policy itself; tampering with auditing is a common way for an attacker to cover their tracks.

User Rights Assignment

User rights control which accounts can perform privileged actions on the system. Overly permissive user rights are a significant risk, as they allow standard user accounts or service accounts to escalate privileges or perform sensitive operations. The CIS benchmark defines a conservative set of assignments for each right.

Important settings include:

Access this computer from the network: Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
Allow log on locally: Administrators
Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users
Deny access to this computer from the network: Guests, Local account
Deny log on as a batch job: Guests
Deny log on as a service: Guests
Deny log on locally: Guests
Deny log on through Remote Desktop Services: Guests, Local account
Enable computer and user accounts to be trusted for delegation: No one
Force shutdown from a remote system: Administrators
Manage auditing and security log: Administrators
Take ownership of files or other objects: Administrators

The entry “Deny access to this computer from the network: Local account” is particularly important in modern environments. This prevents local administrator accounts (including those shared across servers with the same password) from being used for lateral movement via network logons — a common technique in pass-the-hash attacks.
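The following PowerShell script is an added example, not part of the CIS benchmark or CIS-CAT: it exports the local security policy with secedit and tests the Account Policies, basic Audit Policy and User Rights Assignment values from the three sections above against the Level 1 figures. It assumes an elevated PowerShell session on the server being assessed; the export file name is a constructed temporary path.

```powershell
# Added example, not part of the CIS benchmark or its tooling: export the local security
# policy with secedit and test the Account Policies, basic Audit Policy and User Rights
# values listed above against the Level 1 figures. Assumes an elevated PowerShell session;
# the export path is a constructed temporary file.
$inf = Join-Path $env:TEMP 'cis-secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null

# Parse the INI-style export into $policy['Section']['Key'] = 'Value'
$policy = @{}; $section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2] }
}
$sys = $policy['System Access']; $aud = $policy['Event Audit']; $priv = $policy['Privilege Rights']

# [Event Audit] values are bit flags (1 = Success, 2 = Failure, 3 = both, 0 = no auditing);
# [Privilege Rights] values are comma-separated SIDs prefixed with '*'.
$checks = @(
    @{ Name = 'Enforce password history >= 24';       Value = [int]$sys.PasswordHistorySize;   Pass = { $args[0] -ge 24 } },
    @{ Name = 'Maximum password age 1-365 days';      Value = [int]$sys.MaximumPasswordAge;    Pass = { $args[0] -ge 1 -and $args[0] -le 365 } },
    @{ Name = 'Minimum password age >= 1 day';        Value = [int]$sys.MinimumPasswordAge;    Pass = { $args[0] -ge 1 } },
    @{ Name = 'Minimum password length >= 14';        Value = [int]$sys.MinimumPasswordLength; Pass = { $args[0] -ge 14 } },
    @{ Name = 'Password complexity enabled';          Value = [int]$sys.PasswordComplexity;    Pass = { $args[0] -eq 1 } },
    @{ Name = 'Reversible encryption disabled';       Value = [int]$sys.ClearTextPassword;     Pass = { $args[0] -eq 0 } },
    @{ Name = 'Lockout threshold 1-5 attempts';       Value = [int]$sys.LockoutBadCount;       Pass = { $args[0] -ge 1 -and $args[0] -le 5 } },
    @{ Name = 'Lockout duration >= 15 min';           Value = [int]$sys.LockoutDuration;       Pass = { $args[0] -ge 15 } },
    @{ Name = 'Reset lockout counter >= 15 min';      Value = [int]$sys.ResetLockoutCount;     Pass = { $args[0] -ge 15 } },
    @{ Name = 'Audit account logon: Success+Failure'; Value = [int]$aud.AuditAccountLogon;     Pass = { $args[0] -eq 3 } },
    @{ Name = 'Audit logon events: Success+Failure';  Value = [int]$aud.AuditLogonEvents;      Pass = { $args[0] -eq 3 } },
    @{ Name = 'Audit object access: Failure';         Value = [int]$aud.AuditObjectAccess;     Pass = { ($args[0] -band 2) -ne 0 } },
    @{ Name = 'Audit policy change: Success+Failure'; Value = [int]$aud.AuditPolicyChange;     Pass = { $args[0] -eq 3 } },
    @{ Name = 'Audit privilege use: Failure';         Value = [int]$aud.AuditPrivilegeUse;     Pass = { ($args[0] -band 2) -ne 0 } },
    @{ Name = 'Deny network logon includes Local account'; Value = $priv.SeDenyNetworkLogonRight;    Pass = { ($args[0] -split ',') -contains '*S-1-5-113' } },
    @{ Name = 'Deny network logon includes Guests';        Value = $priv.SeDenyNetworkLogonRight;    Pass = { ($args[0] -split ',') -contains '*S-1-5-32-546' } },
    @{ Name = 'Allow log on locally = Administrators';     Value = $priv.SeInteractiveLogonRight;     Pass = { $args[0] -eq '*S-1-5-32-544' } },
    @{ Name = 'Trusted for delegation = No one';           Value = $priv.SeEnableDelegationPrivilege; Pass = { [string]::IsNullOrEmpty($args[0]) } }
)

$results = foreach ($c in $checks) {
    $ok = & $c.Pass $c.Value
    [pscustomobject]@{ Check = $c.Name; Actual = $c.Value; Result = $(if ($ok) { 'PASS' } else { 'FAIL' }) }
}
$results | Format-Table -AutoSize
Remove-Item $inf -Force   # the export holds the full local policy; do not leave it in TEMP
```

When Advanced Audit Policy Configuration is in force, the basic [Event Audit] categories are ignored by Windows, so the audit rows should then be read from auditpol /get /category:* instead.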

Security Options

Security options are registry-backed settings configured in Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The CIS benchmark covers dozens of these settings. Key recommendations include:

Accounts: Administrator account status: Disabled (Level 1)
Accounts: Guest account status: Disabled
Accounts: Limit local account use of blank passwords to console logon only: Enabled
Accounts: Rename administrator account: (a non-default name)
Accounts: Rename guest account: (a non-default name)
Devices: Allowed to format and eject removable media: Administrators
Interactive logon: Do not require CTRL+ALT+DEL: Disabled
Interactive logon: Machine inactivity limit: 900 or fewer seconds
Interactive logon: Number of previous logons to cache: 4 or fewer logons
Microsoft network client: Digitally sign communications (always): Enabled
Microsoft network server: Digitally sign communications (always): Enabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
Network security: Minimum session security for NTLM SSP: Require NTLMv2 session security, Require 128-bit encryption
Shutdown: Allow system to be shut down without having to log on: Disabled
User Account Control: Admin Approval Mode for the Built-in Administrator account: Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for credentials on the secure desktop
User Account Control: Run all administrators in Admin Approval Mode: Enabled

The NTLMv2-only setting prevents downgrade attacks that exploit the weak LM and NTLMv1 authentication protocols. SMB signing prevents man-in-the-middle attacks against file share traffic. Disabling anonymous SAM enumeration prevents unauthenticated reconnaissance of local accounts and groups.
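Because these Security Options are registry-backed, they can be audited directly. The script below is an added example, not part of the CIS benchmark or its tooling: it reads the registry values behind the settings listed above and compares them with the Level 1 values (the registry paths and value names are the standard ones Windows uses for these policies). It assumes an elevated PowerShell session on the server being checked.

```powershell
# Added example, not part of the CIS benchmark or its tooling: audit the registry
# values behind the Security Options above against the CIS Level 1 values.
# Assumes an elevated PowerShell session on the server being checked.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Each row: registry path, value name, expected-value test, the CIS setting it maps to.
$checks = @(
    @($lsa, 'LimitBlankPasswordUse',      { $args[0] -eq 1 }, 'Limit blank passwords to console logon'),
    @($pol, 'DisableCAD',                 { $args[0] -eq 0 }, 'Do not require CTRL+ALT+DEL: Disabled'),
    @($pol, 'InactivityTimeoutSecs',      { $args[0] -ge 1 -and $args[0] -le 900 }, 'Machine inactivity limit <= 900 s'),
    @($wl,  'CachedLogonsCount',          { [int]$args[0] -le 4 }, 'Previous logons to cache <= 4 (REG_SZ)'),
    @($wks, 'RequireSecuritySignature',   { $args[0] -eq 1 }, 'SMB client: sign communications (always)'),
    @($srv, 'RequireSecuritySignature',   { $args[0] -eq 1 }, 'SMB server: sign communications (always)'),
    @($lsa, 'RestrictAnonymousSAM',       { $args[0] -eq 1 }, 'No anonymous enumeration of SAM accounts'),
    @($lsa, 'RestrictAnonymous',          { $args[0] -eq 1 }, 'No anonymous enumeration of SAM accounts and shares'),
    @($lsa, 'LmCompatibilityLevel',       { $args[0] -eq 5 }, 'Send NTLMv2 only, refuse LM & NTLM'),
    @($msv, 'NTLMMinClientSec',           { $args[0] -eq 0x20080000 }, 'NTLM SSP client: NTLMv2 + 128-bit'),
    @($msv, 'NTLMMinServerSec',           { $args[0] -eq 0x20080000 }, 'NTLM SSP server: NTLMv2 + 128-bit'),
    @($pol, 'ShutdownWithoutLogon',       { $args[0] -eq 0 }, 'No shutdown without logon'),
    @($pol, 'FilterAdministratorToken',   { $args[0] -eq 1 }, 'UAC: Admin Approval Mode for built-in Administrator'),
    @($pol, 'ConsentPromptBehaviorAdmin', { $args[0] -eq 1 }, 'UAC: 1 = prompt for credentials on the secure desktop'),
    @($pol, 'EnableLUA',                  { $args[0] -eq 1 }, 'UAC: run all administrators in Admin Approval Mode')
)

$results = foreach ($c in $checks) {
    $path, $name, $test, $label = $c
    # A value that is absent is reported blank and counted as a failure (Windows default applies).
    $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $pass = ($null -ne $actual) -and (& $test $actual)
    [pscustomobject]@{ Setting = $label; Value = $name; Actual = $actual; Result = $(if ($pass) { 'PASS' } else { 'FAIL' }) }
}
$results | Format-Table -AutoSize
"{0} of {1} checks pass" -f ($results | Where-Object Result -eq 'PASS').Count, $results.Count
```

Remediate failures through Group Policy rather than by writing the registry directly, so the values are re-applied on each policy refresh and drift is corrected automatically.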

Windows Firewall Configuration

The CIS benchmark specifies that Windows Defender Firewall should be enabled on all profiles (Domain, Private, Public) with inbound connections blocked by default and outbound connections allowed by default. The relevant Group Policy path is Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security.

Windows Firewall: Domain: Firewall state: On
Windows Firewall: Domain: Inbound connections: Block
Windows Firewall: Domain: Outbound connections: Allow
Windows Firewall: Domain: Apply local firewall rules: No
Windows Firewall: Private: Firewall state: On
Windows Firewall: Private: Inbound connections: Block
Windows Firewall: Private: Outbound connections: Allow
Windows Firewall: Public: Firewall state: On
Windows Firewall: Public: Inbound connections: Block
Windows Firewall: Public: Outbound connections: Allow
Windows Firewall: Public: Apply local connection security rules: No

Setting “Apply local firewall rules: No” on the Domain profile ensures that locally configured rules cannot override centrally managed policy — this prevents administrators or installed software from inadvertently opening ports that the security team has not approved.
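The function below is an added example, not part of the CIS benchmark: it reads the effective (ActiveStore) settings of each firewall profile with the NetSecurity cmdlets, reports deviations from the values listed above, and with -Remediate applies the listed values to the local policy store. It assumes an elevated PowerShell session.

```powershell
# Added example, not part of the CIS benchmark: compare each firewall profile with the
# settings listed above and, with -Remediate, apply them locally. Elevated session assumed.
function Test-CisFirewallProfile {
    param([switch]$Remediate)
    # ActiveStore is the merged result of local policy and any applied GPOs.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $issues = @()
        if ($p.Enabled -ne 'True')                { $issues += 'Firewall state is not On' }
        if ($p.DefaultInboundAction -ne 'Block')  { $issues += "Inbound default is $($p.DefaultInboundAction)" }
        if ($p.DefaultOutboundAction -ne 'Allow') { $issues += "Outbound default is $($p.DefaultOutboundAction)" }
        # The list above requires "Apply local firewall rules: No" on Domain and
        # "Apply local connection security rules: No" on Public.
        if ($p.Name -eq 'Domain' -and $p.AllowLocalFirewallRules -ne 'False') { $issues += 'Local firewall rules are merged' }
        if ($p.Name -eq 'Public' -and $p.AllowLocalIPsecRules -ne 'False')    { $issues += 'Local IPsec rules are merged' }
        [pscustomobject]@{ Profile = $p.Name; Compliant = ($issues.Count -eq 0); Issues = ($issues -join '; ') }
        if ($Remediate -and $issues.Count -gt 0) {
            Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
            if ($p.Name -eq 'Domain') { Set-NetFirewallProfile -Name Domain -AllowLocalFirewallRules False }
            if ($p.Name -eq 'Public') { Set-NetFirewallProfile -Name Public -AllowLocalIPsecRules False }
        }
    }
}
Test-CisFirewallProfile | Format-Table -AutoSize
```

Where a GPO already controls a profile, the GPO value wins over the local store, so a persistent failure reported here points at the GPO, not the local machine.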

Event Log Size Configuration

The benchmark specifies minimum event log sizes to ensure that historical events are retained long enough for forensic investigation. Small log sizes allow audit trails to be overwritten quickly, limiting incident response capability. Recommended minimum sizes are:

Application log maximum size: 32768 KB (32 MB) or greater
Security log maximum size: 196608 KB (192 MB) or greater
Setup log maximum size: 32768 KB (32 MB) or greater
System log maximum size: 32768 KB (32 MB) or greater

For SIEM-forwarded environments the local log size is less critical, but it remains important as a buffer in case the forwarding pipeline is interrupted. The Security log in particular should be sized generously on domain controllers, where high volumes of authentication and privilege events are generated.
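The function below is an added example, not part of the CIS benchmark: it compares the configured maximum size of the four logs above with the CIS minimums and, with -Remediate, enlarges any log that is too small using wevtutil. It assumes an elevated PowerShell session.

```powershell
# Added example, not part of the CIS benchmark: check the four logs above against the
# CIS minimum sizes and, with -Remediate, enlarge the ones that are too small.
$minimumKb = [ordered]@{ Application = 32768; Security = 196608; Setup = 32768; System = 32768 }

function Test-CisEventLogSize {
    param([switch]$Remediate)
    foreach ($log in $minimumKb.Keys) {
        $cfg = Get-WinEvent -ListLog $log
        $actualKb = [int]($cfg.MaximumSizeInBytes / 1KB)
        $ok = $actualKb -ge $minimumKb[$log]
        [pscustomobject]@{ Log = $log; MaxSizeKB = $actualKb; MinimumKB = $minimumKb[$log]
                           Result = $(if ($ok) { 'PASS' } else { 'FAIL' }) }
        if ($Remediate -and -not $ok) {
            # wevtutil's /ms: switch takes the new maximum size in bytes.
            $bytes = $minimumKb[$log] * 1KB
            wevtutil sl $log "/ms:$bytes"
        }
    }
}
Test-CisEventLogSize | Format-Table -AutoSize
```

If the sizes are set through Group Policy (the Event Log policies under Administrative Templates), the policy value overrides whatever wevtutil sets locally, so fix the GPO in that case.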

Disabling Unnecessary System Services

The CIS benchmark identifies services that are not required on a hardened server and recommends disabling them to reduce the attack surface. A service that is disabled and stopped exposes no listening endpoint or code path for an attacker to use. The following services should be set to Disabled:

Bluetooth Support Service (bthserv)
Computer Browser (browser)
Downloaded Maps Manager (MapsBroker)
Geolocation Service (lfsvc)
IIS Admin Service (iisadmin) — unless IIS is required
Internet Connection Sharing (SharedAccess)
Link-Layer Topology Discovery Mapper (lltdsvc)
Peer Name Resolution Protocol (PNRPsvc)
Peer Networking Grouping (p2psvc)
Remote Registry (RemoteRegistry)
Routing and Remote Access (RemoteAccess)
Simple TCP/IP Services (simptcp)
Special Administration Console Helper (sacsvr)
UPnP Device Host (upnphost)
Web Client (WebClient)
Windows Media Player Network Sharing Service (WMPNetworkSvc)
Xbox Accessories Management Service (XboxGipSvc)
Xbox Live Auth Manager (XblAuthManager)
Xbox Live Game Save (XblGameSave)
Xbox Live Networking Service (XboxNetApiSvc)

These can be configured via Group Policy under Computer Configuration > Windows Settings > Security Settings > System Services, or via PowerShell:

Set-Service -Name "RemoteRegistry" -StartupType Disabled
Stop-Service -Name "RemoteRegistry" -Force
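The script below is an added example, not the benchmark's own script: it applies the whole service list above to the local server in one idempotent pass, skips services that are not installed (several of the listed services are absent on a Server Core installation), and honours the "unless IIS is required" exemption by keeping IIS Admin Service when the Web Server role is present. It assumes an elevated PowerShell session.

```powershell
# Added example, not the benchmark's own script: disable the services listed above
# idempotently, skipping services that are not installed and keeping iisadmin when
# the Web Server role is installed. Elevated PowerShell session assumed.
$cisDisabledServices = 'bthserv','browser','MapsBroker','lfsvc','iisadmin','SharedAccess',
    'lltdsvc','PNRPsvc','p2psvc','RemoteRegistry','RemoteAccess','simptcp','sacsvr',
    'upnphost','WebClient','WMPNetworkSvc','XboxGipSvc','XblAuthManager','XblGameSave',
    'XboxNetApiSvc'

# "IIS Admin Service (iisadmin) - unless IIS is required": keep it if Web-Server is installed.
$iis = Get-WindowsFeature -Name Web-Server -ErrorAction SilentlyContinue
if ($iis -and $iis.Installed) { $cisDisabledServices = $cisDisabledServices | Where-Object { $_ -ne 'iisadmin' } }

$report = foreach ($name in $cisDisabledServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        [pscustomobject]@{ Service = $name; Action = 'not installed' }
        continue
    }
    if ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped') {
        [pscustomobject]@{ Service = $name; Action = 'already compliant' }
        continue
    }
    # Disable first so nothing can restart the service on demand, then stop it;
    # -Force also stops services that depend on it.
    Set-Service -Name $name -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
    [pscustomobject]@{ Service = $name; Action = "disabled (was $($svc.StartType)/$($svc.Status))" }
}
$report | Format-Table -AutoSize
```

Run it on a test server first and check the report for a service that is unexpectedly running, since a running service on this list is a sign that something on the server depends on it.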

Applying the Benchmark via Group Policy

The most efficient way to apply CIS benchmark settings across multiple servers is through Group Policy Objects (GPOs) in an Active Directory environment. CIS provides a companion GPO backup package with its benchmark that can be imported directly into Group Policy Management Console (GPMC).

# Import CIS GPO backup using PowerShell
Import-Module GroupPolicy

# Create a new GPO
New-GPO -Name "CIS WS2022 Level 1 - Member Server"

# Import settings from a CIS-provided backup folder
Import-GPO -BackupGpoName "CIS WS2022 Level 1" `
           -TargetName "CIS WS2022 Level 1 - Member Server" `
           -Path "C:\CIS\GPO_Backups"

# Link the GPO to an OU
New-GPLink -Name "CIS WS2022 Level 1 - Member Server" `
           -Target "OU=Servers,DC=corp,DC=example,DC=com"

For standalone servers or workgroup environments, LGPO.exe from the Microsoft Security Compliance Toolkit can apply the same settings locally without requiring Active Directory.

Using CIS-CAT for Compliance Scanning

CIS provides CIS-CAT (CIS Configuration Assessment Tool) to assess a system’s current configuration against the benchmark and generate a compliance report. CIS-CAT Pro is available to CIS SecureSuite members; CIS-CAT Lite is a free version covering a subset of benchmarks.

# Run CIS-CAT Lite from an elevated PowerShell prompt
cd C:\CIS-CAT-Lite
.\Assessor-CLI.bat -b benchmarks\CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0-xccdf.xml `
                   -p "Level 1 - Member Server" `
                   -r C:\Reports\ws2022-ciscat-report

The report shows each benchmark recommendation, whether the system passes or fails the check, and the expected versus actual values. Scores are expressed as a percentage of applicable recommendations that pass. A freshly installed Windows Server 2022 without any hardening typically scores around 40–50% against the Level 1 profile; a properly hardened server should reach 90% or higher.

Microsoft Security Compliance Toolkit

Microsoft’s Security Compliance Toolkit (SCT) is a companion resource to the CIS benchmark. It contains security baseline GPO backups, Policy Analyzer for comparing policy configurations, and LGPO.exe for applying baselines to standalone machines. The Windows Server 2022 security baseline from Microsoft aligns closely with many CIS Level 1 recommendations but is produced and maintained independently. The two baselines are compatible and can be merged, with the CIS benchmark generally being more prescriptive in areas like service disablement and registry settings.

CIS vs STIG: Which to Use?

Security Technical Implementation Guides (STIGs) are produced by the Defense Information Systems Agency (DISA) and are mandatory for US Department of Defense systems. STIGs and CIS benchmarks cover similar ground but differ in scope and strictness. STIG settings are generally more aggressive — for example, STIG may disable SMBv1 and require CAC/PIV authentication, while CIS Level 1 focuses on settings applicable to commercial environments. For non-DoD organizations, CIS benchmarks are typically easier to implement and maintain. For government contractors or organizations seeking to align with federal requirements, STIGs may be required. Both frameworks are widely respected and often used together: CIS Level 1 as a foundation, with STIG overlays applied where contractual requirements demand them.

Regardless of which framework you choose, the process is the same: establish a baseline, scan for compliance, remediate gaps, document exceptions, and re-scan regularly. Integrating CIS benchmark compliance into your patch management and configuration management workflows ensures that newly provisioned servers meet the baseline before they enter production, and that configuration drift is detected and corrected promptly.