What it costs you today
In an operation that brings up 8 to 25 servers a month, 60% to 80% of them are provisioned with the default Windows Server configuration: SMBv1 still on where the image or OS version ships it, NTLM without restrictions, RDP without NLA, a permissive Domain firewall profile, a minimal audit policy and unnecessary services running. The exposure window between provisioning and the first secure configuration is typically 4 to 9 days, during which an external scan finds the server with 12 to 18 unnecessary ports exposed. The automated external pentest detects the pattern and reports "inconsistent baseline across servers" as a major finding. When an incident happens, the insufficient audit policy makes it impossible to reconstruct what occurred; the IR team ends up inferring instead of reading logs. "The last server I provisioned had SMBv1 open and I did not know until the auditor asked" is the typical engineer's wake-up call. How many servers are outside the baseline today without anyone knowing?
What changes when you have it
On day one the new server boots, runs a "Once" Scheduled Task as SYSTEM and applies the baseline: SMBv1 off, NTLM minimum session security set to 537395200 (0x20080000: NTLMv2 session security and 128-bit encryption required), RDP with NLA, firewall enabled on all profiles, detailed audit policy, unnecessary services disabled, and a signed log in C:\ProgramData\harden.log. The security team owns compliance and now has pass/fail evidence per server; the infrastructure team owns provisioning and sees time-to-secure drop to minutes. The visible output is the auditable log, the per-host consolidated report from the last boot and the Power BI compliance dashboard. A financial firm with 320 servers went from 47% of servers outside the baseline to 3% within one quarter of continuous provisioning. The investment pays back in the first external pentest cycle that closes with no findings, typically 4 to 6 months.
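As an added example (not the page's own code nor the tooling it sells), here is what such a first-boot baseline can look like in PowerShell: one script that, run with -Register during provisioning, installs itself as a startup Scheduled Task under SYSTEM, and on the next boot applies the settings listed above, writes a hash-sealed log and removes its own task. The task name Harden-FirstBoot, the service list, the audit subcategories and the log format are assumptions; the registry keys and cmdlets are the standard ones.

```powershell
# Added example, not the page's own code. Assumed: task name, service list,
# audit subcategories, log layout. Run once with -Register during provisioning.
#Requires -RunAsAdministrator
param([switch]$Register)

$ErrorActionPreference = 'Stop'
$LogPath  = 'C:\ProgramData\harden.log'
$TaskName = 'Harden-FirstBoot'   # assumed task name

if ($Register) {
    # Provisioning side: one startup task, runs this same script as SYSTEM.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null
    return
}

function Write-Log([string]$Message) {
    Add-Content -Path $LogPath -Value ('{0:o} {1}' -f (Get-Date), $Message)
}

Write-Log "baseline start host=$env:COMPUTERNAME"

# 1. SMBv1 off: server-side protocol, and the optional feature where still installed.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if ((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
Write-Log 'smb1=disabled'

# 2. NTLM minimum session security: 0x20080000 = 537395200
#    (require NTLMv2 session security + 128-bit encryption) for client and server side.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name NtlmMinClientSec -Value 0x20080000 -Type DWord
Set-ItemProperty -Path $lsa -Name NtlmMinServerSec -Value 0x20080000 -Type DWord
Write-Log 'ntlm_min_sec=537395200'

# 3. RDP requires Network Level Authentication.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord
Write-Log 'rdp_nla=required'

# 4. Firewall on for every profile, inbound default deny.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
Write-Log 'firewall=all_profiles_on'

# 5. Detailed audit policy (assumed subset; extend to your baseline).
$subcats = 'Logon','Logoff','Account Lockout','Special Logon','Process Creation',
           'Security Group Management','User Account Management','Audit Policy Change'
foreach ($s in $subcats) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}
Write-Log "auditpol=$($subcats.Count)_subcategories"

# 6. Unnecessary services (assumed list; keep Spooler on actual print servers).
foreach ($svc in 'RemoteRegistry','SSDPSRV','upnphost','Spooler') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
        Write-Log "service=$svc disabled"
    }
}

Write-Log 'baseline end'

# 7. Seal the log: SHA-256 over everything written above, appended as the last line,
#    so the collector can spot later edits. Use an HMAC or a certificate signature
#    instead if you need proof of origin, not only integrity.
$digest = (Get-FileHash -Path $LogPath -Algorithm SHA256).Hash
Add-Content -Path $LogPath -Value "sha256=$digest"

# 8. "Once": the task unregisters itself so the baseline does not re-run every boot.
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
```

A collector that reads C:\ProgramData\harden.log per host can verify the trailing sha256 line against the preceding content and feed the pass/fail lines into the consolidated report. Run the script in -Register mode from your provisioning pipeline; on the first boot after that, the task runs it as SYSTEM and then removes itself, which is the "Once" behaviour described above.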
Baseline applied on first boot, auditable log
I want to implement this
Let's talk 20 minutes about your environment and review scope, architecture and the work plan together. No commitment.
Related projects
Installed software inventory + license reconciliation
Weekly CSV with all software installed across the fleet, compared against the authorized software list.
Pull-based task orchestrator
Each host runs an agent that pulls "jobs" from an endpoint and reports results. Foundation of any SCCM-less fleet.
Morning Active Directory health check
One daily email with the real state of your AD: replication, lockouts, expired passwords, new GPOs.