#12 Server hardening

Automated server hardening (CIS baseline-ish)

Applies a security baseline (SMBv1 off, NLA RDP, firewall, audit policy) on first boot.

Implementation: 1 day + maintenance
4 technologies
The pain

What it costs you today

In an operation that brings up 8 to 25 servers per month, between 60% and 80% are provisioned with the default Windows Server configuration: SMBv1 enabled, NTLM without restrictions, RDP without NLA, a Domain firewall profile with permissive rules, minimal audit policy, unnecessary services active. The exposure window between provisioning and the first secure configuration is typically 4 to 9 days, during which an external scan finds the server with 12 to 18 unnecessary ports exposed. The automated external pentest detects the pattern and documents "inconsistent baseline across servers" as a major finding. In case of incident, an insufficient audit policy prevents reconstructing what happened; the IR team ends up inferring instead of reading logs. "The last server I provisioned has SMBv1 open and I did not know until the auditor asked" is the typical engineer's wake-up call. How many servers do we have today outside the baseline without knowing it?

The value

What changes when you have it

On day one the new server boots, runs the "Once" Scheduled Task as SYSTEM and applies the baseline: SMBv1 off, NTLM minimum session security 537395200, RDP with NLA, firewall on all profiles, detailed audit policy, unnecessary services disabled, signed log in C:\ProgramData\harden.log. The owner of compliance is the security team, which now has binary evidence per server; the owner of provisioning is the infrastructure team, which reduces time-to-secure to minutes. The visible output is the auditable log, the per-host last-boot consolidated report and the Power BI compliance dashboard. A financial firm with 320 servers went from 47% outside the baseline to 3% in a quarter of continuous provisioning. The investment pays back in the first external pentest cycle with no findings, typically 4 to 6 months.
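What the first-boot task described above looks like in practice, as an added illustration and not this offering's own script: it assumes Windows Server with PowerShell 7 installed as pwsh.exe, runs as SYSTEM, and uses a SHA-256 of the finished log as a stand-in for the "signed log"; the service list and task name are hypothetical.

```powershell
# Added example (not the page's own script): first-boot baseline applier, run once as SYSTEM.
# Assumes Windows Server with PowerShell 7 and the SmbShare/NetSecurity modules present.
# Provisioning would register it as a one-shot startup task, e.g.
#   Register-ScheduledTask -TaskName 'Harden-Once' -User 'SYSTEM' -RunLevel Highest `
#     -Action (New-ScheduledTaskAction -Execute 'pwsh.exe' -Argument '-File C:\ProgramData\harden.ps1') `
#     -Trigger (New-ScheduledTaskTrigger -AtStartup)
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$Log = 'C:\ProgramData\harden.log'

function Write-Step([string]$Name, [scriptblock]$Action) {
    # Every control logs its own timestamped OK/FAIL line, so the evidence is per control, not per run.
    try { & $Action; $status = 'OK' } catch { $status = "FAIL $($_.Exception.Message)" }
    Add-Content -Path $Log -Value ("{0:u} {1} {2}" -f (Get-Date), $Name, $status)
}

Write-Step 'SMBv1-off' {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
Write-Step 'NTLM-min-session-security' {
    # 537395200 = 0x20080000: require NTLMv2 session security and 128-bit encryption (value from the page).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $lsa -Name NtlmMinClientSec -Value 537395200 -Type DWord
    Set-ItemProperty -Path $lsa -Name NtlmMinServerSec -Value 537395200 -Type DWord
}
Write-Step 'RDP-NLA' {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -Value 1 -Type DWord
}
Write-Step 'Firewall-all-profiles' {
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
}
Write-Step 'Audit-policy' {
    # Subcategories an IR team needs to reconstruct a session: logon, process creation, policy changes.
    foreach ($sub in 'Logon','Logoff','Process Creation','Audit Policy Change','Security Group Management') {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
}
Write-Step 'Unneeded-services' {
    # Hypothetical list; adapt to the server role before rollout.
    foreach ($svc in 'RemoteRegistry','Spooler','SSDPSRV') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { Stop-Service $svc -Force; Set-Service $svc -StartupType Disabled }
    }
}

# Stand-in for the page's "signed log": store a SHA-256 of the finished log beside it so later tampering
# is detectable; a real deployment would sign that hash with a CA-issued certificate.
(Get-FileHash -Path $Log -Algorithm SHA256).Hash | Set-Content -Path "$Log.sha256"
# "Once" semantics: remove the task so the baseline is not re-applied on every boot.
Unregister-ScheduledTask -TaskName 'Harden-Once' -Confirm:$false -ErrorAction SilentlyContinue
```

A FAIL line in the log is the signal the compliance dashboard should surface, since a control that errored leaves the server in the default state the page describes.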

Stack
Technologies we touch in the implementation
PowerShell 7 · auditpol · powercfg · Scheduled Task

Baseline applied on first boot, auditable log

Technical references
Server hardening

I want to implement this

Let's talk 20 minutes about your environment and review scope, architecture and the work plan together. No commitment.