Tier 0: Domain Controller Master Hardening
20 Critical Controls for Identity Isolation & Attack Surface Reduction

| Policy & Source | GPO Configuration Path (Computer Config) | Required Value & Impact |
|---|---|---|
| CIS/MSB 1. Disable Print Spooler | Windows Settings > System Services > Print Spooler | Value: Disabled Impact: Critical. Stops PrintNightmare exploits. |
| CIS 2. LDAP Server Signing | Windows Settings > Local Policies > Security Options > DC: LDAP server signing | Value: Require signing Impact: High. Prevents LDAP Relay/MitM attacks. |
| MSB 3. Disable SMBv1 | Windows Settings > Security Settings > Registry (Disable SMB1) | Value: Disabled Impact: Critical. Prevents legacy protocol exploits. |
| CIS 4. LAN Manager Auth Level | Windows Settings > Local Policies > Security Options > Network security: LAN Manager | Value: NTLMv2 only. Refuse LM/NTLM Impact: Prevents hash cracking of older protocols. |
| MSB 5. Deny Local Logon | Windows Settings > User Rights Assignment > Deny log on locally | Value: All non-admin service accounts Impact: Prevents credential caching in memory. |
| CIS 6. WDigest Auth Disable | Local Policies > Security Options > Network security: Allow LocalSystem NULL session | Value: Disabled Impact: Prevents clear-text passwords in LSASS. |
| MSB 7. Restrict RPC Clients | Local Policies > Security Options > Network access: Restrict unauthenticated RPC | Value: Authenticated Users Impact: Blocks anonymous info gathering of AD. |
| CIS 8. Kerberos TGT Lifetime | Account Policies > Kerberos Policy > Max lifetime for user ticket | Value: 10 Hours Impact: Reduces window for Golden Ticket use. |
| MSB 9. NLA for RDP | Admin Templates > Windows Components > RD Session Host > Security | Value: Require NLA Impact: Protects RDP from pre-auth exploits. |
| CIS 10. Disable LLMNR | Admin Templates > Network > DNS Client > Turn off Multicast | Value: Enabled Impact: Stops Responder-based poisoning. |
| MSB 11. Windows Firewall Profiles | Windows Settings > Security Settings > Firewall > All Profiles | Value: State: ON / Inbound: Block Impact: Essential network perimeter for the OS. |
| CIS 12. DNS Zone Transfers | DNS Manager > Properties (Manual GPO Guidance) | Value: Only to listed IP addresses Impact: Prevents massive data leaks via DNS. |
| CIS 13. Audit Process Creation | Advanced Audit > Detailed Tracking > Audit Process Creation | Value: Success Impact: Forensic visibility of every app run. |
| MSB 14. Command Line Audit | Admin Templates > System > Audit Process Creation | Value: Enabled (Include Command Line) Impact: Critical for catching malicious PS commands. |
| CIS 15. Audit Service Install | Advanced Audit > System Events > Audit Security Extension | Value: Success & Failure Impact: Alerts on new persistence mechanisms. |
| CIS 16. PowerShell Script Logging | Admin Templates > Windows Components > PowerShell | Value: Turn on Script Block Logging Impact: Exposes obfuscated scripts in logs. |
| MSB 17. Safe DLL Search | Admin Templates > System > Scripts > Best Practices | Value: Enabled Impact: Prevents DLL side-loading attacks. |
| CIS 18. No Autoplay | Admin Templates > Windows Components > Autoplay Policies | Value: Enabled (All Drives) Impact: Prevents USB-based auto-execution. |
| MSB 19. Restrict Remote Registry | Windows Settings > Registry > Permissions (winreg) | Value: Restricted to Administrators Impact: Blocks remote registry manipulation. |
| CIS 20. Audit Force Subcategory | Local Policies > Security Options > Audit: Force subcategory | Value: Enabled Impact: Ensures granular rules override categories. |
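As an added example (not part of the checklist or of any CIS/Microsoft baseline tooling), a read-only PowerShell drift check for the Tier 0 rows that are backed by a registry value, a service start type, the SMB server configuration or auditpol. The key and value names are Microsoft's documented policy backing values; the row-to-value map and the `Test-Tier0Hardening` name are ours, and rows 8 (Kerberos policy), 12 (DNS zone transfers) and 15/19 (per-subcategory audit details) are not covered. Run it elevated on the DC.

```powershell
# Added example: registry-backed Tier 0 rows with the value each policy writes.
# Keys and value names are Microsoft's; the mapping to table rows is ours.
$Tier0Checks = @(
    @{ Row='2 LDAP server signing';  Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';                     Name='LDAPServerIntegrity';                   Want=2 },
    @{ Row='4 LM auth level';        Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                  Name='LmCompatibilityLevel';                  Want=5 },
    # Row 6: WDigest credential caching is governed by this value (0 = disabled).
    @{ Row='6 WDigest';              Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';            Name='UseLogonCredential';                    Want=0 },
    @{ Row='7 RPC clients';          Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc';                            Name='RestrictRemoteClients';                 Want=1 },
    @{ Row='9 NLA for RDP';          Path='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name='UserAuthentication';                    Want=1 },
    @{ Row='10 LLMNR off';           Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                      Name='EnableMulticast';                       Want=0 },
    @{ Row='14 Cmd line audit';      Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit';       Name='ProcessCreationIncludeCmdLine_Enabled'; Want=1 },
    @{ Row='16 Script block log';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';     Name='EnableScriptBlockLogging';              Want=1 },
    @{ Row='17 Safe DLL search';     Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';                      Name='SafeDllSearchMode';                     Want=1 },
    @{ Row='18 No Autoplay';         Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';           Name='NoDriveTypeAutoRun';                    Want=255 },
    @{ Row='20 Force subcategory';   Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                  Name='SCENoApplyLegacyAuditPolicy';           Want=1 }
)

function Test-Tier0Hardening {
    [CmdletBinding()] param()
    $results = @(foreach ($c in $Tier0Checks) {
        # A missing value means the policy was never applied: report it as drift, not as a pass.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Control=$c.Row; Expected=$c.Want; Actual=$actual; Compliant=($actual -eq $c.Want) }
    })
    # Row 1: the Spooler service must be disabled, not merely stopped.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Control='1 Print Spooler'; Expected='Disabled'; Actual=$spooler.StartType; Compliant=($spooler.StartType -eq 'Disabled') }
    # Row 3: SMBv1 server side, read from the SMB server configuration rather than the registry.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $results += [pscustomobject]@{ Control='3 SMBv1 server'; Expected=$false; Actual=$smb1; Compliant=(-not $smb1) }
    # Row 13: auditpol reports the effective process-creation audit setting.
    $audit = (auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv)[0]
    $results += [pscustomobject]@{ Control='13 Audit process creation'; Expected='Success'; Actual=$audit.'Inclusion Setting'; Compliant=($audit.'Inclusion Setting' -match 'Success') }
    $results
}

# Print only the rows that have drifted from the required value.
Test-Tier0Hardening | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

The same loop applies unchanged to the registry-backed rows of the Tier 1 and Tier 2/3 tables once their backing values are added to the map.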
Tier 1: Member Server & Application Hardening
20 Policies to Prevent Lateral Movement and Protect Enterprise Data

| Control & Source | GPO Configuration Path | Required Value & Impact |
|---|---|---|
| MSB 1. Restricted Admin RDP | Comp Config > Admin Templates > System > Credentials Delegation > Restrict delegation | Value: Enabled Impact: Prevents Tier 0 creds from being cached in Tier 1 memory. |
| CIS 2. Disable WDigest | Comp Config > Local Policies > Security Options > Allow LocalSystem NULL session fallback | Value: Disabled Impact: Prevents clear-text password storage in LSASS. |
| MSB 3. LAPS Enabled | Comp Config > Admin Templates > LAPS > Enable Password Management | Value: Enabled Impact: Removes static, shared local admin passwords across Tier 1. |
| CIS 4. Untrusted Auth | Comp Config > Local Policies > Security Options > Network access: Do not allow storage of passwords | Value: Enabled Impact: Prevents the OS from saving creds for network auth. |
| MSB 5. SMBv1 Client Kill | Comp Config > Windows Settings > Security Settings > Registry | Value: Disabled Impact: Removes legacy SMB vulnerabilities (WannaCry). |
| CIS 6. SMB Signing (Req) | Comp Config > Local Policies > Security Options > Microsoft network client: Digitally sign (Always) | Value: Enabled Impact: Prevents SMB relay attacks against file servers. |
| MSB 7. Disable LLMNR | Comp Config > Admin Templates > Network > DNS Client > Turn off Multicast Name Resolution | Value: Enabled Impact: Stops Responder poisoning on the local subnet. |
| CIS 8. Disable NetBIOS | Comp Config > Windows Settings > Registry (NetBIOS Disable) | Value: Enabled Impact: Reduces broadcast traffic and service enumeration. |
| MSB 9. ASR: Block Office Child | Comp Config > Admin Templates > Defender > Attack Surface Reduction | Value: Enabled (Block) Impact: Prevents Office apps on servers from spawning malware. |
| CIS 10. Block Remote Registry | Comp Config > System Services > Remote Registry | Value: Disabled Impact: Prevents remote modification of critical system keys. |
| MSB 11. Exploit Protection | Comp Config > Admin Templates > System > Exploit Guard > Exploit Protection | Value: Enabled (XML Path) Impact: Enforces DEP/ASLR for third-party application binaries. |
| CIS 12. No Autoplay | Comp Config > Admin Templates > Windows Components > Autoplay Policies | Value: Enabled (All Drives) Impact: Blocks auto-execution from USB/external drives. |
| CIS 13. Audit Account Mgmt | Comp Config > Adv Audit > Account Management > Audit User Account Management | Value: Success Impact: Logs when a local user/group is created on the server. |
| MSB 14. Audit Process CLI | Comp Config > Admin Templates > System > Audit Process Creation | Value: Enabled (Include Cmd Line) Impact: Allows SOC to see exactly what commands were run. |
| CIS 15. PowerShell Script Log | Comp Config > Admin Templates > PowerShell > Script Block Logging | Value: Enabled Impact: Decodes obfuscated malicious PowerShell scripts. |
| MSB 16. WMI Logging | Comp Config > Adv Audit > System Events > Audit Other System Events | Value: Success/Fail Impact: Detects persistent WMI-based backdoors. |
| CIS 17. NLA for RDP | Comp Config > Admin Templates > Remote Desktop Services > Host > Security | Value: Enabled Impact: Requires auth before an RDP session is fully established. |
| MSB 18. Deny Network Logon | Comp Config > User Rights Assignment > Deny access to this computer from network | Value: Add Guest/Local Accounts Impact: Prevents lateral movement using local credentials. |
| CIS 19. Restrict Anonymous | Comp Config > Security Options > Network access: Restrict anonymous access | Value: Enabled Impact: Stops attackers from listing shares without a login. |
| MSB 20. Remote Reg Access | Comp Config > Local Policies > Security Options > Network access: Remotely accessible paths | Value: Null Impact: Restricts which registry paths can be accessed via network. |
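Rows 14 and 15 only pay off if someone reads the events they produce. As an added example that is not from the checklist, this PowerShell pulls 4688 process-creation events (with the command line that row 14 adds) and 4104 script-block events, and surfaces encoded command lines and script blocks that contain common obfuscation or download primitives. The function names and the pattern list are ours; run it elevated on the server under review after both audit rows are in place.

```powershell
# Added example: read what rows 14 and 15 log. Fields are read by name from the
# event XML so the code does not depend on the positional property order.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-RecentProcessCreations {
    param([int]$Last = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cmd = Get-EventDataField $_ 'CommandLine'
            # -EncodedCommand hides what was run; decode it so the analyst sees the real script.
            $decoded = $null
            if ($cmd -match '(?i)\s-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
                try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch {}
            }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = Get-EventDataField $_ 'SubjectUserName'
                Parent      = Get-EventDataField $_ 'ParentProcessName'
                Process     = Get-EventDataField $_ 'NewProcessName'
                CommandLine = $cmd
                Decoded     = $decoded
            }
        }
}

function Get-SuspiciousScriptBlocks {
    param([int]$Last = 500)
    # 4104 carries the script text the engine actually compiled, after any string-building tricks.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = Get-EventDataField $_ 'ScriptBlockText'
            if ($text -match '(?i)FromBase64String|Invoke-Expression|DownloadString|Add-MpPreference') {
                [pscustomobject]@{ Time = $_.TimeCreated; Path = Get-EventDataField $_ 'Path'; Snippet = $text.Substring(0, [Math]::Min(120, $text.Length)) }
            }
        }
}

Get-RecentProcessCreations | Where-Object { $_.Decoded } | Format-List
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```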
Tier 2 & 3: Endpoint & Asset Hardening
20 Critical Controls for Workstations, Laptops, and Peripherals

| Control & Source | GPO Technical Path (Computer Config) | Required Value & Impact |
|---|---|---|
| Tier 2 1. LAPS Management | Admin Templates > LAPS > Enable Password Management | Value: Enabled Impact: Essential. Eliminates static local admin passwords. |
| Tier 2 2. ASR: LSASS Theft | Admin Templates > Defender > Attack Surface Reduction | Value: Block Credential Stealing Impact: High. Prevents Mimikatz from dumping memory. |
| Tier 2 3. UAC Secure Desktop | Windows Settings > Local Policies > Security Options | Value: Enabled (Switch to Secure Desktop) Impact: Prevents malware from automating UAC clicks. |
| Tier 2 4. BitLocker Encryption | Admin Templates > Windows Components > BitLocker | Value: Require XTS-AES 256 Impact: Data protection for lost/stolen laptops. |
| Tier 2 5. Kill LLMNR | Admin Templates > Network > DNS Client | Value: Turn off Multicast (Enabled) Impact: Prevents Responder poisoning on public Wi-Fi. |
| Tier 2 6. SMB Client Signing | Security Options > Microsoft network client: Sign (Always) | Value: Enabled Impact: Prevents SMB relay when users connect to shares. |
| Tier 2 7. Disable WDigest | Security Options > Allow LocalSystem NULL session fallback | Value: Disabled Impact: Prevents clear-text passwords in memory. |
| Tier 2 8. Audit Process Creation | Advanced Audit > Detailed Tracking | Value: Success Impact: Forensic trail of all user activity. |
| Tier 2 9. Edge SmartScreen | Admin Templates > Microsoft Edge > Security | Value: Enabled (Force) Impact: Automated blocking of phishing URLs. |
| Tier 2 10. PowerShell Script Block | Admin Templates > Windows Components > PowerShell | Value: Turn on Script Block Logging Impact: Vital for SOC to see encoded user-land scripts. |
| Tier 3 11. Block USB Storage | Admin Templates > System > Removable Storage Access | Value: All Removable Storage: Deny All Impact: Prevents data exfiltration via thumb drives. |
| Tier 3 12. DMA Protection | Admin Templates > Windows Components > Data Protection | Value: Enabled (Block External Devices) Impact: Blocks Thunderbolt/USB-C memory attacks. |
| Tier 3 13. Turn off Autoplay | Admin Templates > Windows Components > Autoplay Policies | Value: Enabled (All Drives) Impact: Stops malicious USB “Rubber Ducky” attacks. |
| Tier 3 14. Disable Bluetooth | Admin Templates > Windows Components > Bluetooth | Value: Disabled Impact: Security vs. Utility. Blocks wireless peripheral attacks. |
| Tier 3 15. Firewall: Public Profile | Security Settings > Firewall > Public Profile | Value: Inbound: Block (Default) Impact: Essential for mobile users on untrusted Wi-Fi. |
| Tier 3 16. Lock Screen Timeout | Admin Templates > Control Panel > Personalization | Value: 900 seconds or less Impact: Prevents unauthorized physical access. |
| Tier 3 17. Block MS Accounts | Security Options > Accounts: Block Microsoft accounts | Value: Users cannot add or log on Impact: Ensures only corporate identity is used. |
| Tier 3 18. Disable Camera | Admin Templates > Windows Components > Camera | Value: Disabled Impact: Used in high-security SCIF-style environments. |
| Tier 3 19. Wi-Fi Sense Disable | Admin Templates > Network > WLAN Service | Value: Disabled Impact: Prevents automatic connection to open/risky hotspots. |
| Tier 3 20. Remote Shell Kill | Admin Templates > Windows Components > Windows Remote Shell | Value: Allow Remote Shell Access (Disabled) Impact: Prevents attackers from using WinRM laterally. |
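Tier 1 row 9 and Tier 2 row 2 both depend on Defender ASR rules, which fail quietly when a rule is left unset or in Audit mode. As an added example (not from the checklist), this PowerShell reads the effective rule state from `Get-MpPreference` and reports whether each required rule is in Block mode; the rule GUIDs are Microsoft's published identifiers, while the required-rule map, the action-code names and `Test-AsrRules` are ours.

```powershell
# Added example: verify the ASR rules the tables call for are enforced, not just configured.
# Action codes follow Set-MpPreference: 0 Off, 1 Block, 2 Audit, 6 Warn.
$RequiredAsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS (Tier 2 row 2)'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications creating child processes (Tier 1 row 9)'
}
$ActionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-AsrRules {
    $pref = Get-MpPreference
    # Get-MpPreference exposes two parallel arrays: rule ids and, at the same index, their actions.
    $configured = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $configured[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($id in $RequiredAsrRules.Keys) {
        # A rule that was never set behaves as Off, so treat absence as non-compliant.
        $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { 0 }
        [pscustomobject]@{
            Rule      = $RequiredAsrRules[$id]
            Id        = $id
            Mode      = $ActionName[$action]
            Compliant = ($action -eq 1)
        }
    }
}

Test-AsrRules | Format-Table -AutoSize
# Exclusions carve holes out of every rule: review them beside the result.
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions
```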