Introduction: The Attack Surface You Control
In cybersecurity, there are threats you cannot control — zero-day exploits, sophisticated nation-state actors, supply chain compromises. And there are threats you absolutely can control — the ones that exploit known misconfigurations, default settings, and basic security hygiene failures.
Analysis of incident data consistently shows that 85–90% of successful cyberattacks exploit one of three things:
- Unpatched vulnerabilities (addressed by patch management)
- Weak or compromised credentials (addressed by MFA and password policies)
- Insecure configurations (addressed by endpoint hardening)
Endpoint hardening is the systematic process of reducing the attack surface of every device you manage by eliminating unnecessary services, enforcing secure configurations, applying security policies, and continuously verifying compliance.
The industry standard for endpoint hardening is the CIS (Center for Internet Security) Benchmarks — freely available, vendor-reviewed configuration guides for every major operating system, browser, cloud platform, and application. This guide walks through implementing CIS Benchmarks at scale in an MSP environment.
Understanding CIS Benchmarks
The Center for Internet Security publishes benchmarks for 100+ technology categories. Each benchmark defines two implementation levels:
Level 1 (L1 — Corporate/Enterprise Environment): Baseline security recommendations suitable for any enterprise. These settings should not materially impact functionality. Every managed endpoint should meet Level 1.
Level 2 (L2 — High Security/Sensitive Data): More restrictive settings for environments with heightened security requirements. These may impact usability and should be applied selectively — typically in healthcare, financial services, government, and defense contractor environments.
Benchmarks most relevant for MSPs:
- CIS Microsoft Windows 11 Benchmark
- CIS Microsoft Windows 10 Benchmark
- CIS Windows Server 2022 Benchmark
- CIS Windows Server 2019 Benchmark
- CIS Microsoft Office 365 Benchmark
- CIS Microsoft Azure Foundations Benchmark
- CIS macOS Sonoma Benchmark
- CIS Ubuntu Linux 22.04 LTS Benchmark
- CIS Google Chrome Benchmark
- CIS Microsoft Edge Benchmark
Download all benchmarks for free from the CIS website.
The CIS Control Categories for Windows
Windows benchmarks are organized into control families. Here is a high-level overview with the most impactful items.
1. Account Policies
Password policy (CIS L1 requirements):
- Minimum password length: 14 characters (CIS recommends 14+, NIST recommends even longer passphrases)
- Maximum password age: 365 days (or "not expire" per newer NIST guidance, compensated by breach password checking)
- Password history: 24 passwords remembered
- Account lockout: After 5 invalid attempts, lockout for 15 minutes
PowerShell enforcement:
# Set password policy
net accounts /MINPWLEN:14 /MAXPWAGE:365 /UNIQUEPW:24 /LOCKOUTTHRESHOLD:5 /LOCKOUTDURATION:15 /LOCKOUTWINDOW:15
Local administrator account security:
- Rename the built-in Administrator account (CIS L1: rename away from "Administrator")
- Disable the built-in Guest account
- Implement Local Administrator Password Solution (LAPS) for unique local admin passwords per device
2. Local Policies: User Rights Assignment
CIS Level 1 restricts which users/groups can perform privileged operations. Key restrictions:
- Access this computer from the network: Restrict to Administrators and Authenticated Users (not Everyone)
- Allow log on locally: Restrict to Administrators and specific user groups
- Manage auditing and security log: Administrators only
- Act as part of the operating system: No accounts
- Debug programs: Administrators only (or no accounts in high-security environments)
# Example: Configure User Rights via secedit
# Create a security template (secedit .inf file) and apply via secedit /configure
# This is complex enough to warrant using Group Policy for bulk deployment
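The secedit route for exactly the five user rights listed above, as an added example that is not from the original guide. It uses well-known SIDs so the template is independent of localized group names, and assumes a scratch directory under `$env:TEMP` for the template, database and export files:

```powershell
# Added example: apply the five CIS L1 user rights above with a secedit template and verify the result.
# Well-known SIDs keep the template independent of localized group names:
#   S-1-5-32-544 = Administrators, S-1-5-32-545 = Users, S-1-5-11 = Authenticated Users
$work         = $env:TEMP                                    # assumed scratch location
$templatePath = Join-Path $work 'cis-userrights.inf'
$dbPath       = Join-Path $work 'cis-userrights.sdb'
$exportPath   = Join-Path $work 'cis-userrights-export.inf'

# Template assignments are "replace" semantics: only the listed principals keep the right,
# and an empty value removes the right from everyone.
$expected = [ordered]@{
    SeNetworkLogonRight     = '*S-1-5-32-544,*S-1-5-11'       # Access this computer from the network
    SeInteractiveLogonRight = '*S-1-5-32-544,*S-1-5-32-545'   # Allow log on locally
    SeSecurityPrivilege     = '*S-1-5-32-544'                 # Manage auditing and security log
    SeTcbPrivilege          = ''                              # Act as part of the operating system
    SeDebugPrivilege        = '*S-1-5-32-544'                 # Debug programs
}
$rightsSection = ($expected.Keys | ForEach-Object { "$_ = $($expected[$_])" }) -join "`r`n"
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$rightsSection
"@
Set-Content -Path $templatePath -Value $template -Encoding Unicode   # secedit expects UTF-16 LE

# Apply only the USER_RIGHTS area so other template sections are left untouched
Remove-Item $dbPath -ErrorAction SilentlyContinue
secedit /configure /db $dbPath /cfg $templatePath /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# Verify by exporting the effective policy and comparing each right as a set of SIDs
secedit /export /cfg $exportPath /areas USER_RIGHTS /quiet | Out-Null
$effective = @{}
foreach ($line in Get-Content $exportPath) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $effective[$Matches[1]] = $Matches[2].Trim() }
}
function ConvertTo-SidSet([string]$value) {
    # Order-independent comparison: "A,B" and "B,A" are the same assignment
    (($value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object) -join ','
}
$drift = 0
foreach ($right in $expected.Keys) {
    $want = ConvertTo-SidSet $expected[$right]
    $have = ConvertTo-SidSet ([string]$effective[$right])   # a right missing from the export is held by no one
    $status = if ($want -eq $have) { 'OK' } else { $drift++; 'DRIFT' }
    Write-Output ("{0,-6} {1,-24} effective='{2}'" -f $status, $right, $have)
}
Remove-Item $templatePath, $dbPath, $exportPath -ErrorAction SilentlyContinue
exit $drift   # non-zero exit code surfaces drift as a failed script run in the RMM
```

Run it elevated; on domain-joined machines a Group Policy refresh will reapply whatever the linked GPOs define, so use this for standalone devices or as a drift check rather than as a competitor to GPO.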
3. Security Options
Network security settings (CIS L1):
- Network security: Do not store LAN Manager hash value on next password change: Enabled
- Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
- Network security: Minimum session security for NTLM SSP based clients: Require NTLMv2 and 128-bit encryption
- Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Audit policies (what to log):
- Account Logon: Audit Credential Validation: Success and Failure
- Account Management: Audit User Account Management: Success and Failure
- DS Access: Audit Directory Service Changes: Success and Failure (on DCs)
- Logon/Logoff: Audit Logon: Success and Failure
- Logon/Logoff: Audit Special Logon: Success
- Object Access: Audit File Share: Failure
- Policy Change: Audit Audit Policy Change: Success
- Privilege Use: Audit Sensitive Privilege Use: Success and Failure
- System: Audit Security System Extension: Success
- System: Audit System Integrity: Success and Failure
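An added example (not from the original guide) that applies both lists above on a standalone machine and reads them back: the four Security Options through the registry values that back them, and the audit subcategories through auditpol. It also sets the "force subcategory settings to override category settings" option, without which the per-subcategory settings can be overridden by legacy category policy; the DC check uses the machine's domain role:

```powershell
# Added example: apply the Security Options and audit subcategories above, then read them back.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$securityOptions = @(
    @{ Path = $lsa;          Name = 'NoLMHash';             Value = 1;          Setting = 'Do not store LAN Manager hash' },
    @{ Path = $lsa;          Name = 'LmCompatibilityLevel'; Value = 5;          Setting = 'Send NTLMv2 only, refuse LM & NTLM' },
    @{ Path = "$lsa\MSV1_0"; Name = 'NTLMMinClientSec';     Value = 0x20080000; Setting = 'NTLM SSP clients: NTLMv2 + 128-bit' },
    @{ Path = $lsa;          Name = 'RestrictAnonymous';    Value = 1;          Setting = 'No anonymous enumeration of SAM accounts and shares' },
    # Without this, legacy category-level audit policy can silently override the subcategories set below
    @{ Path = $lsa;          Name = 'SCENoApplyLegacyAuditPolicy'; Value = 1;   Setting = 'Subcategory audit settings override category settings' }
)
foreach ($opt in $securityOptions) {
    New-Item -Path $opt.Path -Force | Out-Null
    Set-ItemProperty -Path $opt.Path -Name $opt.Name -Value $opt.Value -Type DWord
}

# Audit subcategories exactly as listed above (auditpol subcategory names)
$auditPolicy = @(
    @{ Subcategory = 'Credential Validation';     Success = $true;  Failure = $true  },
    @{ Subcategory = 'User Account Management';   Success = $true;  Failure = $true  },
    @{ Subcategory = 'Directory Service Changes'; Success = $true;  Failure = $true  },  # DCs only
    @{ Subcategory = 'Logon';                     Success = $true;  Failure = $true  },
    @{ Subcategory = 'Special Logon';             Success = $true;  Failure = $false },
    @{ Subcategory = 'File Share';                Success = $false; Failure = $true  },
    @{ Subcategory = 'Audit Policy Change';       Success = $true;  Failure = $false },
    @{ Subcategory = 'Sensitive Privilege Use';   Success = $true;  Failure = $true  },
    @{ Subcategory = 'Security System Extension'; Success = $true;  Failure = $false },
    @{ Subcategory = 'System Integrity';          Success = $true;  Failure = $true  }
)
# DomainRole 4 = backup DC, 5 = primary DC
$isDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
foreach ($entry in $auditPolicy) {
    if ($entry.Subcategory -eq 'Directory Service Changes' -and -not $isDomainController) { continue }
    $s = if ($entry.Success) { 'enable' } else { 'disable' }
    $f = if ($entry.Failure) { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$($entry.Subcategory)" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for $($entry.Subcategory)" }
}

# Read back: registry values as written, and the effective audit policy from auditpol's CSV output
foreach ($opt in $securityOptions) {
    $actual = (Get-ItemProperty -Path $opt.Path -Name $opt.Name).($opt.Name)
    $status = if ($actual -eq $opt.Value) { 'OK' } else { 'MISMATCH' }
    Write-Output ("{0,-9} {1,-28} = {2}   ({3})" -f $status, $opt.Name, $actual, $opt.Setting)
}
$effectiveAudit = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($entry in $auditPolicy) {
    $row = $effectiveAudit | Where-Object { $_.Subcategory -eq $entry.Subcategory }
    if ($row) { Write-Output ("{0,-28} {1}" -f $entry.Subcategory, $row.'Inclusion Setting') }
}
```

On domain members these values should come from GPO; the read-back section is still the useful part there, since it shows what is actually in effect after policy refresh.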
4. Windows Firewall Configuration
CIS L1 requires the Windows Firewall to be enabled on all profiles (Domain, Private, Public):
# Enable firewall on all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
# Log dropped packets (useful for incident investigation)
Set-NetFirewallProfile -Profile Domain,Private,Public `
-LogAllowed False -LogBlocked True `
-LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
-LogMaxSizeKilobytes 16384
Restrict unnecessary remote management ports:
# Block SMBv1 (EternalBlue exploit vector)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable unnecessary Windows features
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart
5. Disable Unnecessary Services
Many Windows services are enabled by default but not needed in most environments. Disabling them reduces attack surface:
# Use service *names* (what Get-Service expects), not display names
$servicesToDisable = @(
    'IISADMIN',        # IIS Admin (if IIS not in use)
    'W3SVC',           # World Wide Web Publishing (if IIS not in use)
    'TlntSvr',         # Telnet Server (use SSH instead)
    'RemoteRegistry',  # Remote Registry (enable only when needed)
    'Spooler',         # Print Spooler: only on servers that are not print servers (PrintNightmare)
    'Fax',             # Fax service
    'WMPNetworkSvc',   # Windows Media Player network sharing
    'XblGameSave'      # Xbox Live game save
)
foreach ($svc in $servicesToDisable) {
    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($service) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
        Write-Output "Disabled: $svc"
    }
}
Print Spooler special case: PrintNightmare (CVE-2021-34527) made Print Spooler on domain controllers and servers that are not print servers a significant risk. Disable it on all servers except dedicated print servers.
6. Windows Defender Configuration (CIS L1)
CIS benchmarks include extensive guidance on Windows Defender configuration. Key requirements:
# Enable cloud-delivered protection
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
# Tamper protection (prevents malware from disabling Defender)
# Note: tamper protection is meant to be managed from Intune or the Defender portal. Once it is on,
# Defender blocks direct writes to this key, so treat the registry write below as a one-time
# bootstrap that may be refused on devices that are already protected.
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features"
Set-ItemProperty -Path $regPath -Name TamperProtection -Value 5 -ErrorAction SilentlyContinue
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable behavior monitoring
Set-MpPreference -DisableBehaviorMonitoring $false
# Check for signature updates every hour
Set-MpPreference -SignatureUpdateInterval 1
# Attack Surface Reduction (ASR) rules — CIS L1 recommendations
# Keys are the rule GUIDs; Add-MpPreference appends to the configured rules instead of
# overwriting whatever was already set.
$asrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless they meet a prevalence, age, or trusted-list criterion'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Output "ASR rule enabled: $($asrRules[$id])"
}
7. Credential Protection
LAPS (Local Administrator Password Solution): LAPS automatically manages local administrator passwords, assigning unique, complex, and regularly rotated passwords to each device. Without LAPS, a single compromised local admin password can laterally move to every device with the same password.
Microsoft LAPS v2 (included with Windows Server 2022/2019 with recent updates) stores passwords in Active Directory with access controlled by AD permissions.
# Check that the Windows LAPS module is present (built into supported Windows versions)
Get-Module -Name LAPS -ListAvailable
# If Windows LAPS backs up to Active Directory, read this device's current entry
# (needs LAPS read permission on the computer object; use Get-LapsAADPassword for Entra-backed devices)
Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText
Credential Guard: Protects NTLM hashes and Kerberos tickets from memory extraction (pass-the-hash attacks):
# Enable virtualization-based security (VBS) and, on top of it, Credential Guard
$credGuardPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
Set-ItemProperty -Path $credGuardPath -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# 1 = require Secure Boot; 3 = require Secure Boot and DMA protection
Set-ItemProperty -Path $credGuardPath -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
# VBS alone does not isolate LSASS: Credential Guard itself is switched on with LsaCfgFlags
# (1 = enabled with UEFI lock, 2 = enabled without lock). A reboot is required afterwards.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LsaCfgFlags -Value 1 -Type DWord
Note: Credential Guard requires UEFI firmware, a 64-bit CPU, and Hyper-V support; with the UEFI lock set, it can only be turned off again from the firmware side, so choose the lock deliberately.
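Configured is not the same as running: VBS and Credential Guard silently stay off when a prerequisite is missing. This added check (not from the original guide) reads the Device Guard WMI class and Defender status to report what is actually in effect for the credential protections in this section:

```powershell
# Added example: confirm the credential protections above are running, not merely configured.
function Get-CredentialProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $lsaFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        LsaCfgFlagsConfigured  = $lsaFlags
        TamperProtected        = $mp.IsTamperProtected
        RealTimeProtection     = $mp.RealTimeProtectionEnabled
        LapsModulePresent      = [bool](Get-Module -Name LAPS -ListAvailable)
    }
}

$status = Get-CredentialProtectionStatus
$status | Format-List
if ($status.LsaCfgFlagsConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: check UEFI, Secure Boot and Hyper-V prerequisites, then reboot'
}
if (-not $status.TamperProtected) {
    Write-Warning 'Defender tamper protection is off: enable it from Intune or the Defender portal'
}
```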
macOS Hardening
MSP clients increasingly use macOS, particularly in creative, development, and professional services firms. CIS macOS benchmarks are available for current and recent macOS versions.
Key macOS hardening controls:
# Enable FileVault disk encryption
sudo fdesetup enable
# Enable firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall off # Do not block all incoming connections; leave per-app rules in effect
# Disable remote login (SSH) if not needed
sudo systemsetup -setremotelogin off
# Require password after sleep/screensaver
sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -int 1
sudo defaults write /Library/Preferences/com.apple.screensaver askForPasswordDelay -int 0
# Disable automatic login
sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null
# Enable Gatekeeper (only allow apps from App Store and identified developers)
sudo spctl --master-enable
For macOS management at scale, use Jamf or your RMM platform's macOS management capabilities to enforce these settings via configuration profiles.
Automating Hardening at Scale with PowerShell and RMM
Manual hardening is not scalable. At 1,000 endpoints, manual configuration changes are a months-long project. The goal is to automate hardening deployment and continuous compliance verification.
The Hardening Deployment Script
<#
.SYNOPSIS
    NinjaIT Endpoint Hardening Script — CIS Benchmarks L1
    Version: 2.1 | Last tested: Windows 11 23H2, Windows 10 22H2
#>
param([switch]$WhatIf)

function Invoke-Hardening {
    param([string]$Setting, [scriptblock]$Action)
    Write-Output "Applying: $Setting"
    if (-not $WhatIf) {
        try {
            & $Action
            Write-Output "  OK: $Setting applied"
        } catch {
            Write-Output "  FAILED: $Setting — $($_.Exception.Message)"
        }
    } else {
        Write-Output "  [WhatIf] Would apply: $Setting"
    }
}

# Account Policies (net.exe reports failure through its exit code, not an exception)
Invoke-Hardening "Minimum password length: 14" {
    net accounts /MINPWLEN:14 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts exited with code $LASTEXITCODE" }
}
Invoke-Hardening "Account lockout threshold: 5" {
    net accounts /LOCKOUTTHRESHOLD:5 /LOCKOUTDURATION:15 /LOCKOUTWINDOW:15 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts exited with code $LASTEXITCODE" }
}
# Disable SMBv1
Invoke-Hardening "Disable SMBv1" {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Windows Defender
Invoke-Hardening "Enable Defender real-time protection" {
    Set-MpPreference -DisableRealtimeMonitoring $false
}
Invoke-Hardening "Enable Defender cloud protection" {
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendAllSamples
}
# Firewall
Invoke-Hardening "Enable Windows Firewall — all profiles" {
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
}
# Disable Print Spooler on servers that are not print servers (workstations keep it so users can print)
# ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isServer          = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
$spoolerEnabled    = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode -ne 'Disabled'
$hasSharedPrinters = [bool](Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.ShareName })
if ($isServer -and $spoolerEnabled -and -not $hasSharedPrinters) {
    Invoke-Hardening "Disable Print Spooler (not a print server)" {
        Stop-Service Spooler -Force
        Set-Service Spooler -StartupType Disabled
    }
}
Write-Output "`nHardening complete."
Deploy via RMM: Add this script to your RMM script library and include it in your standard onboarding automation. Run it against all new devices and periodically against existing devices to detect configuration drift.
Continuous Compliance Verification
Hardening is not a one-time event. Configuration drift occurs:
- Technicians make one-off exceptions ("I'll re-enable that temporarily")
- Software installations change security settings
- Updates change Group Policy behavior
- Users with local admin rights modify settings
Deploy a compliance verification script monthly:
<#
.SYNOPSIS
    CIS Benchmark compliance check — reports non-compliant settings.
#>
$issues = @()
# Check SMBv1
$smb1 = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
if ($smb1) { $issues += "SMBv1 enabled (should be disabled)" }
# Check firewall
$fw = Get-NetFirewallProfile
foreach ($profile in $fw) {
    if ($profile.Enabled -ne $true) {
        $issues += "Firewall disabled: $($profile.Name)"
    }
}
# Check Defender real-time protection
$defender = Get-MpPreference
if ($defender.DisableRealtimeMonitoring) { $issues += "Defender real-time protection disabled" }
# Check for pending reboot (hardening may require reboot)
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
    $issues += "Pending reboot — hardening changes may not be fully applied"
}
# Report (non-zero exit code lets the RMM flag the device)
if ($issues.Count -gt 0) {
    Write-Output "NON-COMPLIANT: $($issues.Count) issues found:"
    $issues | ForEach-Object { Write-Output "  - $_" }
    exit 1
} else {
    Write-Output "COMPLIANT: All checked settings meet CIS L1 requirements."
    exit 0
}
Group Policy vs. PowerShell vs. Intune: Choosing Your Deployment Method
Three primary methods for enforcing security configuration at scale:
Group Policy Objects (GPO)
Best for: Traditional on-premises Active Directory environments.
Advantages: Deep integration with Windows; most CIS settings can be applied via GPO; automatic re-application on Group Policy refresh (every 90 minutes by default); granular OU-level targeting.
Limitations: Requires domain membership; no cloud management; complex troubleshooting.
Implementation: Microsoft Security Compliance Toolkit includes ready-to-import GPOs based on CIS and Microsoft security baselines. Download, import into your Group Policy Management Console, and link to appropriate OUs.
Microsoft Intune
Best for: Entra ID (Azure AD) joined endpoints; hybrid environments; remote work environments.
Advantages: Works without domain membership; cloud management; integrates with Microsoft Defender for Endpoint; Compliance Policies enforce settings and report non-compliance.
Implementation: Intune Security Baselines are pre-built configurations aligned to Microsoft's security recommendations (which closely align with CIS L1). Navigate to: Endpoint Security → Security Baselines → Windows Security Baseline.
RMM-Based Script Deployment
Best for: Quick deployment; non-domain environments; environments without Intune.
Advantages: Works in any environment where the agent is present; fast deployment; centralized logging.
Limitations: Configuration drift if compliance is not continuously verified; no native reporting for compliance state.
Best practice: Use GPO or Intune for persistent enforcement + RMM for initial deployment and periodic compliance verification checks.
Hardening High-Value Targets: Domain Controllers
Domain controllers require additional hardening beyond standard workstation/server benchmarks — a compromised DC gives an attacker complete control of the entire Active Directory environment.
DC-specific hardening:
- Tier 0 separation: Domain controllers should be on an isolated network segment, accessible only from management systems. Technicians should not browse the internet from DCs.
- Privileged Access Workstations (PAW): Admin tasks on DCs should only be performed from dedicated, hardened PAW machines.
- Read-Only Domain Controllers (RODC): For branch offices, use RODCs — they hold a read-only copy of AD and cannot make changes.
- Protected Users security group: Add your most privileged accounts to the Protected Users group — this prevents NTLM authentication and reduces Kerberoasting attack surface.
- Audit all DC logins: Every interactive login to a DC should generate an alert.
# Add privileged user accounts to Protected Users (replace the placeholders with your admin accounts)
# Service and computer accounts should not be members: the group removes NTLM, DES/RC4 Kerberos
# and delegation, which breaks services that still depend on them. Confirm Kerberos-only operation first.
Add-ADGroupMember -Identity 'Protected Users' -Members '<admin-account-1>','<admin-account-2>'
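For the "every interactive login to a DC should generate an alert" item, an added example (not from the original guide) that runs on the DC and lists interactive logons from the Security log so the RMM or SIEM can raise the alert. It assumes the DC's own Security log is readable by the account running it and a 24-hour window:

```powershell
# Added example: interactive logons to this DC from the Security log (event 4624).
# LogonType 2 = console, 10 = RemoteInteractive (RDP), 11 = cached interactive.
function Get-DcInteractiveLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # The event's named fields live in the EventData XML, not in the message text
        $xml = [xml]$ev.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.LogonType -notin '2', '10', '11') { continue }
        # Skip machine accounts and built-in identities that never represent a technician
        if ($d.TargetUserName -like '*$' -or $d.TargetUserName -in 'SYSTEM', 'ANONYMOUS LOGON') { continue }
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Source    = $d.IpAddress
            Process   = $d.ProcessName
        }
    }
}

$logons = @(Get-DcInteractiveLogons -Hours 24)
if ($logons.Count -gt 0) {
    $logons | Sort-Object Time | Format-Table -AutoSize
    # Non-zero exit code so a "failed script" condition in the RMM becomes the alert
    exit 1
}
Write-Output "No interactive logons to $env:COMPUTERNAME in the last 24 hours."
```

Scheduled hourly, this turns the expectation into a check; the remaining work is the allow-list of PAW source addresses you expect to see in the Source column.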
Compliance Frameworks and Endpoint Hardening
Endpoint hardening satisfies requirements across multiple compliance frameworks:
| CIS Control | SOC 2 | HIPAA | CMMC Level 2 |
|---|---|---|---|
| Disable SMBv1 | CC6.7 | §164.312(e) | 3.13.8 |
| Enable auditing | CC7.2 | §164.312(b) | 3.3.1 |
| Password policy | CC6.1 | §164.308(a)(5) | 3.5.7 |
| Disable unnecessary services | CC6.7 | §164.308(a)(1) | 3.4.6 |
| Enable Defender/AV | CC6.8 | §164.308(a)(5) | 3.14.2 |
| Firewall configuration | CC6.7 | §164.312(e)(1) | 3.13.1 |
Maintaining documented evidence of hardening (script execution logs, compliance check results, GPO configuration exports) provides direct evidence for SOC 2, CMMC, and HIPAA audits.
Frequently Asked Questions
Will CIS Level 1 hardening break any applications? CIS Level 1 is designed to minimize functional impact. However, legacy applications — particularly those that rely on NTLMv1, SMBv1, or older TLS versions — may break. Always test in a representative non-production environment before deploying to all clients. Maintain an exception register for applications that require specific security relaxations.
How do I handle third-party security software conflicting with Defender? If you deploy a third-party EDR (CrowdStrike, SentinelOne, etc.), Defender's antivirus component is automatically disabled when a compatible third-party AV is installed. Defender's firewall, AMSI, and other components remain active. This is the expected behavior — do not try to run two antivirus engines simultaneously.
How often should I re-run hardening verification? Monthly verification is the minimum. For compliance-regulated clients, weekly verification and monthly compliance reports provide the audit evidence needed. Configuration drift from month to month should be investigated — systematic drift often indicates someone (or something) is actively undoing your hardening.
What about Linux servers? CIS publishes Linux benchmarks for major distributions (Ubuntu, RHEL, Debian). Key Linux hardening items: disable root SSH login, require key-based SSH authentication, configure UFW/iptables, disable unnecessary services (telnet, rsh, xinetd), configure sysctl security parameters, enable auditd logging.
Conclusion
Endpoint hardening is the most efficient security investment available to MSPs. Unlike threat hunting or incident response — which address threats that have already infiltrated — hardening prevents most attacks from succeeding in the first place by eliminating the misconfigurations that attackers exploit.
CIS Benchmarks give you a proven, free, and comprehensive framework. PowerShell and your RMM give you the automation to apply it at scale. And continuous compliance verification ensures that hardening settings do not drift back to insecure defaults over time.
Start with Windows Firewall, Defender configuration, SMBv1 disablement, and password policy — these address the highest-risk, highest-impact misconfigurations with minimal operational disruption. Then work through the full CIS Level 1 benchmark systematically.
Related guides: patch management for MSPs, cybersecurity compliance guide, and PowerShell automation scripts. Start your NinjaIT trial — our compliance reporting features help you demonstrate hardening compliance to clients and auditors.
Advanced Hardening: Server-Specific Configurations
While the CIS benchmarks cover both workstations and servers, servers require additional hardening attention due to their critical role, internet exposure, and the elevated value of the data they host.
Domain Controller Hardening
Domain Controllers are the most critical Windows servers in any environment — they authenticate every user, enforce group policy, and control access to every resource. A compromised DC is a complete environment compromise.
Beyond the standard CIS benchmark, apply to DCs:
# Enforce SMB signing (prevents SMB relay attacks)
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
# Disable NTLM authentication (use Kerberos only where possible)
# This is a significant change - test thoroughly before production deployment
# Set via GPO: Security Settings > Local Policies > Security Options
# "Network security: Restrict NTLM: NTLM authentication in this domain" = Deny all
# Enable Protected Users security group for all admin accounts
# Members of Protected Users group:
# - Cannot use NTLM authentication
# - Cannot use DES or RC4 in Kerberos pre-authentication
# - Cannot be delegated with Kerberos unconstrained delegation
# - Cannot renew tickets beyond 4 hours
# All privileged accounts (Domain Admins, Enterprise Admins) should be members
# Configure Credential Guard (Windows Server 2016+)
# Credential Guard virtualizes LSASS to prevent credential theft via Mimikatz
# Enable via GPO: Computer Configuration > Administrative Templates >
# System > Device Guard > Turn On Virtualization Based Security
# Platform Security Level: Secure Boot and DMA Protection
# Credential Guard Configuration: Enabled with UEFI lock
Active Directory tiering model: Implement a three-tier administrative model:
- Tier 0: Domain controllers and AD infrastructure. Admin credentials for Tier 0 assets are NEVER used on Tier 1 or Tier 2 assets.
- Tier 1: Servers. Admin credentials for servers are never used on workstations.
- Tier 2: Workstations. Helpdesk and standard admin credentials.
This prevents pass-the-hash and pass-the-ticket attacks from propagating across tiers. A compromised workstation cannot be used to extract credentials that allow domain-level compromise.
Windows Server IIS Hardening
Web servers face the internet (or are accessible from it) and require specific hardening:
# Remove default IIS features that are rarely needed and create risk
Import-Module WebAdministration
# Disable directory browsing server-wide (prevents enumeration of web directories)
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter "system.webServer/directoryBrowse" -Name enabled -Value false
# Block the TRACE and OPTIONS verbs (TRACE enables cross-site tracing attacks); add to web.config:
# <system.webServer>
#   <security>
#     <requestFiltering>
#       <verbs>
#         <add verb="TRACE" allowed="false" />
#         <add verb="OPTIONS" allowed="false" />
#       </verbs>
#     </requestFiltering>
#   </security>
# </system.webServer>
# Set security headers (add to IIS HTTP Response Headers)
# X-Content-Type-Options: nosniff
# X-Frame-Options: SAMEORIGIN
# X-XSS-Protection: 1; mode=block   (legacy header that current browsers ignore; a Content-Security-Policy is the real control)
# Strict-Transport-Security: max-age=31536000; includeSubDomains
# Referrer-Policy: no-referrer-when-downgrade
# Ensure only TLS 1.2 and 1.3 are enabled: disable the legacy protocols for both the Server
# and Client roles in SCHANNEL (a reboot is required for the change to take effect)
$protocols = @("TLS 1.0", "TLS 1.1", "SSL 2.0", "SSL 3.0")
foreach ($protocol in $protocols) {
    foreach ($role in @("Server", "Client")) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\$role"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
    }
}
SQL Server Hardening
SQL Server databases contain the most sensitive data in most environments. Key hardening steps:
-- SQL Server hardening via T-SQL; run against each SQL instance
-- Disable the SQL Server Browser service (port enumeration) in Windows Services
-- if it is not needed for named instances
-- Disable xp_cmdshell (prevents OS command execution from SQL)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- Disable OLE Automation procedures
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
-- Disable Ad Hoc Distributed Queries (OPENROWSET/OPENDATASOURCE)
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
-- Rename the sa login and disable it (if not using SQL authentication)
ALTER LOGIN [sa] WITH NAME = [sa_disabled];
ALTER LOGIN [sa_disabled] DISABLE;
-- Enable SQL Server auditing
-- Minimum audit events: failed logins, successful logins to sensitive databases,
-- privilege escalation, schema changes
-- Ensure SQL Server is not running as Local System (use a dedicated service account)
SELECT servicename, service_account FROM sys.dm_server_services;
macOS Endpoint Hardening
MSPs increasingly manage macOS endpoints, particularly in creative, legal, and technology firms. macOS has its own hardening framework.
CIS macOS Benchmark Key Controls
CIS publishes macOS benchmarks that mirror the Windows structure. Key controls for macOS Sonoma (14.x) and Sequoia (15.x):
System Integrity Protection (SIP): SIP prevents modification of system files even by root. It should never be disabled in production environments. Verify with:
csrutil status
# Expected output: System Integrity Protection status: enabled.
Gatekeeper:
# Verify Gatekeeper is enabled
spctl --status
# Expected: assessments enabled
# Ensure only signed applications from App Store and identified developers are allowed
sudo spctl --master-enable
sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool true
FileVault (Disk Encryption):
# Check FileVault status
fdesetup status
# Should report: FileVault is On.
# If not enabled, enable via MDM policy (Jamf, Mosyle, Kandji)
# or command line for unmanaged:
sudo fdesetup enable
Firewall:
# Enable macOS Application Layer Firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
macOS MDM for MSPs
Managing macOS at scale requires Mobile Device Management. Popular MDM platforms for MSPs:
- Jamf Pro/Jamf Now: The enterprise standard for macOS. Expensive but comprehensive.
- Kandji: Modern, streamlined macOS management with pre-built security blueprints aligned to CIS benchmarks.
- Mosyle: Good value MDM for smaller MSPs, includes MDM + endpoint security in one platform.
- Microsoft Intune: For MSPs heavily invested in the Microsoft stack, Intune's macOS support has improved significantly.
Zero Trust Architecture and Endpoint Hardening
Endpoint hardening is a key component of Zero Trust Architecture (ZTA), the security model that has largely replaced perimeter-based security thinking.
Zero Trust Principles Applied to Endpoints
Never trust, always verify: Zero trust means the network location of a device does not determine its trust level. A device on the corporate network gets no more inherent trust than a device connecting from a coffee shop. Every access request must be verified.
Assume breach: Design security assuming that attackers are already inside the environment. Hardened endpoints limit what an attacker can do after they gain a foothold.
Least privilege access: Users get the minimum access required for their role. This principle extends to endpoints: endpoints should only be able to communicate with the services they need, on the ports they need, to the specific destinations required.
Implementing Zero Trust on Endpoints
Identity verification: Every endpoint must authenticate via Azure AD (Entra) or equivalent before accessing corporate resources. Conditional Access policies enforce compliance requirements (the device must be managed, the OS must be current, EDR must be installed) as a condition of access.
Device compliance policies: In Intune/Jamf/your MDM, define compliance policies that endpoints must meet. Non-compliant devices are blocked from accessing Microsoft 365, VPN, and internal applications:
Compliance policy requirements (example for Intune):
- Device must be Intune-enrolled
- OS version: Windows 10 22H2 or later, Windows 11 22H2 or later
- BitLocker: Required
- Secure Boot: Required
- Microsoft Defender: Real-time protection On, signatures current
- Defender ATP risk level: Low or Clear (no threats detected)
- Password required: Yes
- Minimum password length: 12 characters
Micro-segmentation: Windows Defender Firewall with Advanced Security (WFAS) enables host-based micro-segmentation — defining exactly which IP addresses and ports each endpoint can communicate with. This limits lateral movement if one endpoint is compromised.
# Example: Block workstations from connecting to other workstations
# (prevents lateral movement in most attack scenarios)
New-NetFirewallRule -DisplayName "Block Lateral Movement - Workstations" `
-Direction Outbound `
-Protocol TCP `
-RemotePort 135,445,3389,5985,5986 `
-Action Block `
-Profile Domain,Private `
-Enabled True
# IMPORTANT: Test this carefully - may block some legitimate management traffic
# Apply to workstations only, not servers
Hardening in the Context of Managed Detection and Response
Endpoint hardening and EDR are complementary, not alternatives. Understanding how they interact improves your security architecture:
Hardening reduces the attack surface: CIS benchmarks eliminate the misconfigurations that most attackers exploit. This means fewer attacks succeed in the first place.
EDR detects what gets through: Even perfectly hardened endpoints can be compromised through zero-days, social engineering, or sufficiently sophisticated attacks. EDR detects these post-exploitation behaviors.
Hardened + EDR = defense in depth: The combination is far more effective than either alone. A hardened endpoint generates fewer alerts in EDR (because there are fewer attack attempts succeeding) while still catching the attacks that hardening does not prevent.
For MSPs building managed security services, the recommended stack:
- Foundation: CIS Level 1 hardening on all managed endpoints
- Endpoint protection: EDR (SentinelOne, CrowdStrike, Microsoft Defender for Endpoint)
- Vulnerability management: Continuous scanning and remediation of new vulnerabilities
- Monitoring: SIEM/SOAR integration for correlation across endpoints
- Testing: Annual penetration testing to validate the hardening controls are working
CyberXper provides managed detection and response services that complement endpoint hardening — their security operations team monitors EDR alerts and provides expert triage and response capabilities. CyberMammoth specializes in security hardening assessments and can provide independent validation of your hardening program effectiveness.
Building a Client Hardening Program: From Assessment to Maintenance
Phase 1: Baseline Assessment
Before hardening, understand the starting point:
# Generate a CIS compliance baseline report.
# Full benchmark coverage: CIS-CAT (CIS's own assessment tool; a free Lite edition exists)
# or the CIS benchmark scan profiles in Tenable, Qualys or Rapid7. Microsoft's Security
# Compliance Toolkit ships Policy Analyzer, which compares against Microsoft's own
# security baselines rather than the CIS benchmarks.
# Quick manual baseline check of key high-risk items. Run from an elevated prompt:
# Get-SmbServerConfiguration and Get-BitLockerVolume require administrator rights.
$report = [ordered]@{}
# Check SMBv1 (expected: False)
$report['SMBv1'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
# Check RDP settings: fDenyTSConnections=0 means RDP is enabled; UserAuthentication=1 means NLA is required
$rdpEnabled = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections).fDenyTSConnections
$report['RDP_Enabled'] = ($rdpEnabled -eq 0)
$nlaEnabled = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication).UserAuthentication
$report['NLA_Enabled'] = ($nlaEnabled -eq 1)
# Check Defender status (with a third-party AV installed Defender goes passive; check that product instead)
$defenderStatus = Get-MpComputerStatus
$report['Defender_RealTime'] = $defenderStatus.RealTimeProtectionEnabled
$report['Defender_Signatures_Updated'] = ($defenderStatus.AntivirusSignatureAge -lt 2)
# Check BitLocker on the OS volume (returns nothing on editions without the BitLocker feature, so the check reads False)
$bitlockerStatus = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue | Select-Object -ExpandProperty ProtectionStatus
$report['BitLocker'] = ($bitlockerStatus -eq 'On')
# Check Windows Firewall on all three profiles (expected: True for each)
$fwStatus = Get-NetFirewallProfile
$report['Firewall_Domain'] = ($fwStatus | Where-Object Name -eq 'Domain').Enabled
$report['Firewall_Private'] = ($fwStatus | Where-Object Name -eq 'Private').Enabled
$report['Firewall_Public'] = ($fwStatus | Where-Object Name -eq 'Public').Enabled
# Print in the order the checks were added
$report.GetEnumerator() | Format-Table -AutoSize
This baseline reveals the biggest gaps quickly. Address the most critical misconfigurations first (SMBv1 enabled, RDP without NLA, Defender disabled, no BitLocker, firewall disabled) before working through the full benchmark.
Phase 2: Remediation by Risk Priority
Prioritize hardening by risk impact, not alphabetical order:
Immediate (week 1):
- Enable and configure Windows Defender (if using native AV)
- Enable Windows Firewall on all profiles
- Disable SMBv1
- Ensure RDP requires NLA (or disable RDP if not needed)
- Ensure BitLocker is enabled on all laptops
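The week-1 list above, as one idempotent remediation script. This is an added example written for this guide, not the guide's own tooling or any vendor's script. It assumes Windows 10/11 or Server 2016+ with built-in Defender, a TPM on the laptops you want BitLocker on, and an elevated prompt; the `-DisableRdp` switch is a parameter of this script, and `-WhatIf` comes from `SupportsShouldProcess`, so you can dry-run it before pushing via RMM. Recovery-key escrow to AD or Entra ID is left to your existing process and is not performed here.

```powershell
# Week-1 hardening: each step checks current state first, so re-running is safe.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$DisableRdp   # set when the host never needs inbound RDP
)

$changes = [System.Collections.Generic.List[string]]::new()

# 1. SMBv1: turn off the server setting and remove the optional feature (client side).
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $changes.Add('SMBv1 server protocol disabled')
    }
}
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') {
    if ($PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Remove')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $changes.Add('SMB1Protocol feature removed (reboot required)')
    }
}

# 2. Firewall: every profile on, inbound blocked by default, outbound allowed.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
        if ($PSCmdlet.ShouldProcess("Firewall profile $($p.Name)", 'Enable and block inbound')) {
            Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
            $changes.Add("Firewall profile $($p.Name) enabled")
        }
    }
}

# 3. RDP: off entirely, or on with NLA over TLS (SecurityLayer 2).
$ts     = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
if ($DisableRdp) {
    if ($PSCmdlet.ShouldProcess('RDP', 'Disable')) {
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
        $changes.Add('RDP disabled and firewall rules closed')
    }
} elseif ((Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -ne 1) {
    if ($PSCmdlet.ShouldProcess('RDP', 'Require NLA')) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
        Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2
        $changes.Add('RDP now requires NLA over TLS')
    }
}

# 4. Defender: real-time protection, cloud-delivered protection, fresh signatures.
#    If tamper protection is on, Set-MpPreference is refused and the change must come from Intune/MDE.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled -or $mp.AntivirusSignatureAge -ge 2) {
    if ($PSCmdlet.ShouldProcess('Defender', 'Enable real-time protection and update signatures')) {
        Set-MpPreference -DisableRealtimeMonitoring $false -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
        Update-MpSignature
        $changes.Add('Defender real-time protection on, signatures updated')
    }
}

# 5. BitLocker on the OS volume: TPM protector plus a recovery password to escrow.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($vol -and $vol.ProtectionStatus -eq 'Off') {
    if ($PSCmdlet.ShouldProcess($env:SystemDrive, 'Enable BitLocker (TPM + recovery password)')) {
        Enable-BitLocker -MountPoint $env:SystemDrive -TpmProtector -UsedSpaceOnly -SkipHardwareTest
        Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
        $changes.Add('BitLocker enabled; escrow the recovery password before the next reboot')
    }
}

if ($changes.Count) { $changes } else { 'No week-1 changes needed' }
```

Run it once with `-WhatIf` to see what would change on a given host, then without. The SMBv1 feature removal and BitLocker steps are the two that need a reboot and a key-escrow step respectively, so schedule those through the RMM maintenance window rather than ad hoc.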
High priority (month 1):
- Apply CIS Level 1 via Group Policy or RMM scripts
- Configure password policy
- Disable Guest account and rename Administrator
- Enable PowerShell logging
- Configure event log sizes
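The month-1 logging and account items above, applied with the same policy registry keys Group Policy writes so that a CIS scanner reports them as configured. This is an added example for this guide, not the guide's or any RMM vendor's code. It assumes Windows PowerShell 5.1 run elevated on a standalone or workgroup host (on domain members set these via GPO, since local values are overwritten at the next policy refresh, and `Get-LocalUser` does not apply on domain controllers); `$TranscriptDir` and `$NewAdminName` are placeholders for your own conventions. The log sizes are the CIS Level 1 minimums in KB.

```powershell
param(
    [string]$TranscriptDir = 'C:\PSTranscripts',   # must be ACL'd so users cannot read or alter transcripts
    [string]$NewAdminName  = 'svc-localadm'        # hypothetical; pick your own naming convention
)

function Set-PolicyValue {
    # Creates the key if missing, writes the value, returns $true only when something changed.
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ("$current" -eq "$Value") { return $false }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    return $true
}

$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
# 1. PowerShell logging: script blocks (event 4104), module pipeline (4103) and transcripts.
Set-PolicyValue "$ps\ScriptBlockLogging"      EnableScriptBlockLogging 1 | Out-Null
Set-PolicyValue "$ps\ModuleLogging"           EnableModuleLogging      1 | Out-Null
Set-PolicyValue "$ps\ModuleLogging\ModuleNames" '*' '*' 'String'         | Out-Null
Set-PolicyValue "$ps\Transcription"           EnableTranscripting      1 | Out-Null
Set-PolicyValue "$ps\Transcription"           EnableInvocationHeader   1 | Out-Null
Set-PolicyValue "$ps\Transcription"           OutputDirectory $TranscriptDir 'String' | Out-Null
New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null

# 2. Event log sizes (CIS L1 minimums): Application/Setup/System 32 MB, Security 192 MB.
$sizes = @{ Application = 32768; Security = 196608; Setup = 32768; System = 32768 }
foreach ($log in $sizes.Keys) {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
    Set-PolicyValue $key MaxSize   $sizes[$log]  | Out-Null
    Set-PolicyValue $key Retention '0' 'String'  | Out-Null   # '0' = overwrite events as needed
    # Apply now instead of waiting for a policy refresh (wevtutil wants bytes).
    & wevtutil.exe sl $log "/ms:$($sizes[$log] * 1024)"
}

# 3. Local accounts: disable Guest, rename the built-in Administrator.
#    Find both by well-known RID (501 / 500) because the names may already have been changed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { Disable-LocalUser -SID $guest.SID }
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($admin -and $admin.Name -eq 'Administrator') { Rename-LocalUser -SID $admin.SID -NewName $NewAdminName }

# 4. Local password and lockout policy at CIS L1 values (domain policy wins on domain members).
& net.exe accounts /minpwlen:14 /maxpwage:365 /minpwage:1 /uniquepw:24
& net.exe accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# Verify: a 4104 event in the Operational log proves script block logging is live.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { $m = $_.Message; $m.Substring(0, [Math]::Min(80, $m.Length)) } }
```

Renaming the Administrator account is a speed bump, not a control: the RID 500 account is still enumerable by SID, which is why the script locates it that way itself. The value of the change is in the logging items, which feed the EDR and SIEM layers described earlier.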
Ongoing (quarterly):
- Run CIS compliance check
- Remediate new findings
- Review and update hardening scripts as CIS benchmarks are updated
Phase 3: Continuous Compliance Monitoring
Hardening is not a one-time project. Configuration drift — the gradual return of insecure settings through OS updates, application installations, user behavior, and misconfiguration — requires ongoing monitoring.
Configure your RMM to run weekly compliance checks. NinjaIT's policy-based management allows you to define desired system states and automatically report on or remediate deviations. ConnectWise Automate and Datto RMM provide similar capabilities.
For compliance-intensive clients (CMMC, HIPAA, SOC 2), generate monthly compliance reports documenting hardening status across all managed endpoints. These reports serve as audit evidence and demonstrate the ongoing value of your managed services engagement.
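A weekly drift check of the kind described in this phase, written as an added example for this guide rather than as any RMM's built-in policy engine. It holds a desired-state table (the standard CIS Level 1 registry values plus the service checks from the baseline script), compares each against the host, writes a JSON report the RMM can collect as audit evidence, and exits non-zero when anything has drifted so the RMM job can alert or trigger remediation. `$ReportPath` is an assumption; a value that is absent from the registry is treated as drift, which deliberately pushes you to set it explicitly rather than rely on an OS default.

```powershell
param([string]$ReportPath = "$env:ProgramData\hardening-drift.json")

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Desired state: Name, expected value, and a scriptblock that reads the actual value.
$checks = @(
    @{ Name = 'SMBv1 disabled';            Expect = $false; Actual = { (Get-SmbServerConfiguration).EnableSMB1Protocol } }
    @{ Name = 'RDP requires NLA';          Expect = 1;      Actual = { Get-RegValue 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' UserAuthentication } }
    @{ Name = 'LSA protection (RunAsPPL)'; Expect = 1;      Actual = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' RunAsPPL } }
    @{ Name = 'WDigest cleartext off';     Expect = 0;      Actual = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' UseLogonCredential } }
    @{ Name = 'NTLMv2 only (LmCompat=5)';  Expect = 5;      Actual = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' LmCompatibilityLevel } }
    @{ Name = 'LLMNR disabled';            Expect = 0;      Actual = { Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' EnableMulticast } }
    @{ Name = 'AutoRun disabled';          Expect = 255;    Actual = { Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' NoDriveTypeAutoRun } }
    @{ Name = 'UAC enabled';               Expect = 1;      Actual = { Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' EnableLUA } }
    @{ Name = 'Script block logging';      Expect = 1;      Actual = { Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' EnableScriptBlockLogging } }
    @{ Name = 'Defender real-time';        Expect = $true;  Actual = { (Get-MpComputerStatus).RealTimeProtectionEnabled } }
    @{ Name = 'Firewall all profiles';     Expect = $true;  Actual = { @(Get-NetFirewallProfile | Where-Object Enabled -ne 'True').Count -eq 0 } }
    @{ Name = 'BitLocker on OS volume';    Expect = 'On';   Actual = { "$((Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue).ProtectionStatus)" } }
)

function Test-HardeningDrift {
    foreach ($c in $checks) {
        # A check that throws (missing module, no BitLocker feature) is reported, not skipped.
        $actual = $(try { & $c.Actual } catch { "error: $($_.Exception.Message)" })
        # String comparison so 1/'1', $true/'True' and $null/'' compare predictably.
        $status = if ("$actual" -eq "$($c.Expect)") { 'pass' } else { 'DRIFT' }
        [pscustomobject]@{ Check = $c.Name; Expected = $c.Expect; Actual = $actual; Status = $status }
    }
}

$results = @(Test-HardeningDrift)
$drift   = @($results | Where-Object Status -eq 'DRIFT')

# Machine-readable report for the RMM / compliance evidence folder ...
[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Timestamp = (Get-Date).ToString('o')
    Passed    = $results.Count - $drift.Count
    Drifted   = $drift.Count
    Findings  = $drift
} | ConvertTo-Json -Depth 4 | Set-Content -Path $ReportPath -Encoding UTF8

# ... and a human-readable table in the job output.
$results | Format-Table -AutoSize
exit $drift.Count   # 0 = compliant; the RMM alerts on anything else
```

The table is the part worth maintaining: when a CIS benchmark revision changes a value, you edit one row, and the same script serves as both the weekly check and the monthly evidence generator by keeping the JSON files.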
Frequently Asked Questions About Endpoint Hardening
How does endpoint hardening interact with application allow-listing?
Application allow-listing (Microsoft AppLocker, Windows Defender Application Control, Carbon Black App Control) is complementary to CIS hardening and provides the strongest possible protection against malware execution. CIS hardening closes configuration vulnerabilities; allow-listing prevents unauthorized executables from running even if hardening is bypassed. Implement both for maximum defense-in-depth. Note: allow-listing requires careful maintenance — every new application needs an allow-list rule, which creates operational overhead. Start with audit mode (logging violations without blocking) before enabling enforcement mode.
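An AppLocker audit-mode rollout of the kind the answer recommends, added here as a worked example rather than taken from the guide or from Microsoft's documentation. It assumes an edition that enforces AppLocker (Enterprise, Education or Server), an elevated Windows PowerShell session, and that the path-based starting rules (modelled on AppLocker's defaults) will be replaced by publisher rules once the audit events show what actually runs. Path rules are only as strong as the folder ACLs: any user-writable directory under `%WINDIR%` or `%PROGRAMFILES%` is an allow-listed launch point, so audit the ACLs before you move to enforcement.

```powershell
# Build an audit-only policy: allow everything under Program Files and Windows for Everyone,
# and everything for local Administrators; anything else is logged as "would be blocked".
function New-PathRuleXml {
    # Fresh GUIDs per call so the same rule set can appear in more than one collection.
    $rules = @(
        @{ Name = 'Allow Program Files (everyone)'; Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' },
        @{ Name = 'Allow Windows (everyone)';       Sid = 'S-1-1-0';      Path = '%WINDIR%\*' },
        @{ Name = 'Allow Administrators (all)';     Sid = 'S-1-5-32-544'; Path = '*' }
    )
    ($rules | ForEach-Object {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$($_.Name)" Description="" UserOrGroupSid="$($_.Sid)" Action="Allow">
      <Conditions><FilePathCondition Path="$($_.Path)" /></Conditions>
    </FilePathRule>
"@
    }) -join "`n"
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRuleXml)
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-PathRuleXml)
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:ProgramData 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry-run the policy against a system binary and a copy of it in a user-writable location.
# Expected: System32 -> Allowed; the %TEMP% copy -> DeniedByDefault (no rule matches).
$probe = Join-Path $env:TEMP 'demo-notepad.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\System32\notepad.exe", $probe -User Everyone
Remove-Item $probe -Force

# Apply locally. AppLocker only evaluates rules while the Application Identity service runs;
# Set-Service is refused for this protected service on current builds, so use sc.exe.
& sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath    # add -Merge to keep an existing local policy

# After a week in audit mode, list what enforcement would have blocked.
# Audit events: 8003 in the EXE and DLL log, 8006 in the MSI and Script log.
function Get-AppLockerAuditReport {
    param([int]$Days = 7)
    $since  = (Get-Date).AddDays(-$Days)
    $events = foreach ($spec in @(
        @{ Log = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003 },
        @{ Log = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 }
    )) {
        Get-WinEvent -FilterHashtable @{ LogName = $spec.Log; Id = $spec.Id; StartTime = $since } -ErrorAction SilentlyContinue
    }
    $events | ForEach-Object {
        # AppLocker puts the file path, user SID and publisher name in UserData/RuleAndFileData.
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ File = $d.FilePath; User = $d.TargetUser; Publisher = $d.Fqbn; When = $_.TimeCreated }
    } | Group-Object File | Sort-Object Count -Descending |
      Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}
Get-AppLockerAuditReport -Days 7
```

The report is your allow-list backlog: each row is either a legitimate application that needs a publisher or hash rule before enforcement, or something that should not be running at all and belongs in an EDR investigation. Switch `EnforcementMode` to `Enabled` only when the report has been empty of legitimate software for a full business cycle; in a domain, ship the same XML through Group Policy rather than `Set-AppLockerPolicy` on each host.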
Does hardening affect performance?
CIS Level 1 hardening has minimal performance impact on modern hardware. The settings primarily change Windows policies and security configurations, not resource consumption. The main performance-adjacent impact: refusing NTLMv1 (LmCompatibilityLevel 5, NTLMv2 only) and requiring SMB signing add minor latency on file server operations, typically under 5% and imperceptible to users. The settings with measurable overhead are the credential protections, which are two distinct controls: LSA Protection (RunAsPPL) runs LSASS as a protected process at little measurable cost, while Credential Guard moves LSA secrets into a virtualization-based security enclave and adds roughly 3–5% on systems with heavy authentication loads. Accept this overhead; the security benefit (credentials held by LSASS are no longer readable by dumping tools running on the host) is substantial.
How do I handle hardening for legacy applications that require old protocols?
Document the exception: what application requires it, why, who approved the exception, and what compensating controls exist. For SMBv1 requirements (only ancient NAS devices and legacy ERP systems should require this in 2026): isolate the device on a dedicated VLAN with no access to the broader corporate network. For NTLMv1 requirements: same isolation approach. These protocols are not just undesirable — they are actively exploited by current threat actors. If an application requires SMBv1 or NTLMv1, that application is a security liability, and migrating off it should be on the technology roadmap.
How should I prioritize hardening across a mixed environment with servers and workstations?
Priority order: (1) Servers that host sensitive data or provide authentication services (domain controllers, file servers, application servers) — highest risk, highest impact if compromised. (2) Workstations — the most common entry point for phishing and malware. (3) Network devices — important but typically already hardened by vendor defaults if firmware is current. (4) Servers in lower-risk roles (development, test environments). Within workstations: prioritize devices used by privileged users (IT admins, finance, executives) — their compromise is higher-risk than a standard employee.
Cybersecurity & Compliance Strategist
Sarah is a cybersecurity practitioner with 11 years of experience helping MSPs and mid-market companies navigate compliance frameworks including SOC 2, HIPAA, GDPR, and CMMC. She previously led the security practice at a 200-person managed security services provider and regularly speaks at Channel Partners conferences. CISSP and CISM certified.
Ready to put this into practice?
NinjaIT's all-in-one platform handles everything covered in this guide — monitoring, automation, and management at scale.