
5 Tips to Harden Your OS On-Prem or in the Cloud

Cloud security is just as vital as on-premises security. Hundreds of security recommendations may exist to harden your operating system (OS). That's why it's important to use industry-recognized guidelines to harden your OS. To give you a taste, we pulled five recommendations from the CIS Benchmark for Microsoft Windows Server 2019 – objective, consensus-driven security configuration guidelines.

CIS Benchmarks for Windows Server 2019 350 recommendations

Security Configuration 1: Disconnect After Hours

Your organization’s workforce probably adheres to a specific work schedule. Even though operating cloud-based systems means you can theoretically work from anywhere (and at any time), it’s unlikely most employees would need to log on at 2:00 a.m.

With this in mind, your organization should create settings for automatic logoff after a certain time. This setting prevents unnecessary open access when employees are not using their workstations. It's an easy step toward hardening your OS.

Specifically, you can configure Microsoft Windows Server 2019 to have set logon hours and automatically force logoff outside those hours. Of course, hours can be adjusted for those who work the night shift.

Security Configuration 2: Firewall

The cybersecurity community knows the benefits of firewalls. Most basically, they prevent unauthorized users from accessing your networks. They also stop malware activity that might attempt to retrieve your organization's data. For these reasons, this is another important security configuration in the CIS Benchmarks.

The CIS Benchmark for Microsoft Windows Server 2019 details more than 10 security configurations for firewalls — including connections, display notifications, and logging. Hardening your OS with firewalls is crucial to defend your OS against malware and malicious activity.

Security Configuration 3: Enable Audit Subcategory Policies

Before auditing subcategories were introduced in Windows Vista, tracking events at a per-system or per-user level was difficult. The larger event categories created too many events, and the key information for auditing was difficult to find.

The CIS Benchmark for Microsoft Windows Server 2019 includes security configurations to ensure your organization can easily audit and track activity in your systems per system and/or per user. It's vital to apply security configurations to your system, but for a truly hardened OS, your organization must also track and audit activity.

Security Configuration 4: Account Lockout

With today’s increased password requirements, it’s possible for a user to incorrectly attempt their password several times. Unfortunately, it’s not all that simple to tell the difference between a struggling user and a malicious actor. That's where the security configuration for account lockout comes in.

Setting a threshold for the number of password attempts in a given time period can help prevent a malicious attempt. One caveat – a longer lockout period doesn’t necessarily mean better security; it could equal more calls to the help desk to unlock a frustrated employee’s account.

Security Configuration 5: Audit Logon

Speaking of account lockouts, it’s important to keep track of them by setting the system to report when a user’s account locks out as a result of too many failed logon attempts. Auditing these events may be useful when investigating a security incident.

In the CIS Benchmark for Microsoft Windows Server 2019, you'll find this security configuration that recommends setting the “Audit Logon” configuration to “Success & Failure.”
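
The five settings above can be spot-checked on a running server with a short read-only script. This is an added example, not CIS code or CIS-CAT output; the check names are illustrative, it assumes an elevated prompt on an English-language OS, and it reports only whether each setting is on, because the benchmark's exact values are not given on this page.

```powershell
# Added example: read-only spot check of the five settings discussed above.
# Assumptions: elevated PowerShell, English-language OS (auditpol text is localized).

# Tips 1 and 4: export the local security policy and read its "key = value" lines.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $cfg

$checks = [ordered]@{}

# Tip 1: force logoff when a user's logon hours expire.
$checks['Force logoff when logon hours expire'] = $policy['ForceLogoffWhenHourExpire'] -eq '1'

# Tip 4: a threshold of 0 means accounts never lock out.
$checks['Account lockout threshold is set'] = [int]$policy['LockoutBadCount'] -gt 0

# Tip 2: effective (local + Group Policy) firewall state and drop logging per profile.
foreach ($fw in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    $checks["Firewall enabled ($($fw.Name))"]       = "$($fw.Enabled)" -eq 'True'
    $checks["Firewall logs drops ($($fw.Name))"]    = "$($fw.LogBlocked)" -eq 'True'
}

# Tip 3: subcategory settings must override the legacy category-level audit policy.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$checks['Audit subcategories override categories'] = $lsa.SCENoApplyLegacyAuditPolicy -eq 1

# Tip 5: "Audit Logon" should record both successes and failures.
$logon = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$checks['Audit Logon = Success and Failure'] =
    $logon.'Inclusion Setting' -eq 'Success and Failure'

# Report: one row per check, plus the raw lockout timers for review against the benchmark.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize
"LockoutDuration (min): $($policy['LockoutDuration'])  ResetLockoutCount (min): $($policy['ResetLockoutCount'])"
```

The lockout timers are printed rather than graded so they can be compared by hand with the values in the benchmark PDF, in keeping with the caveat that a longer lockout is not automatically better.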

Three Ways to Harden Your OS

Hardening your OS protects against remote intrusion, malware, and insufficient authorization. The security configurations above are just a few examples of the recommended security configurations to harden an OS. To develop these recommendations, CIS works with a global community of cybersecurity experts. To help harden your OS on-prem or in the cloud, CIS Benchmarks are available three ways:

  1. Manually apply the security recommendations using free CIS Benchmark PDFs.
  2. Obtain CIS SecureSuite Membership to: leverage CIS-CAT Pro Assessor to assess CIS Benchmark conformance, download CIS Benchmarks in additional formats (i.e., Excel, Word, XML), access build kits to apply security configurations directly to select systems, and reassess to monitor compliance over time.
  3. Deploy a CIS Hardened Image in the cloud. These pre-configured virtual machine images meet CIS Benchmark recommendations and are available in the public cloud. CIS builds and patches these images regularly to help avoid vulnerabilities.


CIS provides 3 ways to harden systems

† Due to cloud provider restrictions, 11 CIS Benchmark recommendations are not applied to the CIS Benchmark Hardened Image for Microsoft Windows Server 2016; the remaining 286 secure configuration settings are applied.