Understanding CIS Hardening Script

In February 2022, the Center for Internet Security (CIS) released the CIS Microsoft Windows Server 2022 Benchmark v1.0.0, providing best-practice guidance for establishing a secure configuration of, and hardening, Microsoft Windows Server 2022. CIS hardening scripts help secure systems by applying standardized settings, reducing vulnerabilities, and ensuring compliance with recognized security standards.

Following this release, CIS updated its recommendations for older operating systems, extending back to Windows Server 2008 where applicable. This article discusses the CIS Windows Server 2022 hardening scripts we feel are critical.


Prerequisites for Running CIS Hardening Script

A Windows Server 2022 hardening script is designed for that specific operating system. You might need to adjust the PowerShell execution policy (the Group Policy template is PowerShellExecutionPolicy.admx/adml) to allow an unsigned script downloaded from the internet to run. Steps you should take before you run the CIS hardening script:

  • Review the script and understand which settings it modifies and how those changes achieve hardening.
  • Back up your current server configuration or system state; this is critical before running any hardening script.
  • Test the script in a non-production environment that mirrors your target system. This identifies potential conflicts or unintended consequences before you apply it to your critical servers.
  • You might have specific server configurations, software dependencies, or local exceptions that need to be exempted from some hardening recommendations.
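The following pre-flight script is an added example, not part of the article or of any CIS script. It performs the checks and backups listed above before a hardening script is run: it confirms the OS, records the current execution policy, exports the registry key that the PowerShell Group Policy settings write to, exports the local security policy, and takes a system state backup. The backup folder under C:\HardeningBackup and the D: backup target are assumptions; adjust them for your environment.

```powershell
# Added example (not from the article or CIS): pre-flight checks and a
# configuration baseline before applying a CIS hardening script on Server 2022.
# C:\HardeningBackup and the D: backup target are assumed paths.

$BackupRoot = "C:\HardeningBackup\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Confirm the target OS: the benchmark and script are specific to Server 2022.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Windows Server 2022') {
    throw "Expected Windows Server 2022, found: $($os.Caption)"
}

# 2. Record the effective execution policy at every scope before changing it,
#    so the original value can be restored after the script has run.
Get-ExecutionPolicy -List | Out-File -FilePath (Join-Path $BackupRoot 'execution-policy.txt')

# 3. Back up the registry key that the PowerShell Group Policy settings
#    (script block logging, transcription, execution policy) write to.
#    The key may not exist yet on a server that has never had these policies applied.
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
if (Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell") {
    reg.exe export $PolicyKey (Join-Path $BackupRoot 'powershell-policy.reg') /y | Out-Null
} else {
    "Policy key $PolicyKey not present; nothing to export." | Out-File (Join-Path $BackupRoot 'powershell-policy.txt')
}

# 4. Export the local security policy (audit policy, user rights, security
#    options) so the pre-hardening state can be compared with or restored later.
secedit.exe /export /cfg (Join-Path $BackupRoot 'secpol-before.inf') /quiet | Out-Null

# 5. Take a restorable system state backup (requires the Windows Server Backup feature).
if (Get-Command wbadmin.exe -ErrorAction SilentlyContinue) {
    wbadmin.exe start systemstatebackup -backupTarget:D: -quiet
} else {
    Write-Warning 'wbadmin.exe not found; install the Windows Server Backup feature or back up by other means.'
}

"Pre-flight complete. Baseline saved to $BackupRoot"
```

Run it from an elevated PowerShell session; the exported .reg and .inf files are what you diff against after the hardening script to see exactly which settings changed.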


Hardening Script for CIS Windows Server 2022 Benchmark


Hardening a system involves configuring it to reduce vulnerabilities and improve security. CIS provides benchmarks, which are consensus-based best practices for the secure configuration of systems. The CIS Windows Server 2022 Benchmark provides guidelines to secure a Windows Server 2022 installation.


Logs of PowerShell script input can be invaluable during forensic investigations of PowerShell attack incidents, as they help determine what actions were taken. However, there are potential risks of capturing credentials and sensitive information in PowerShell logs, which could be exposed to users with read access to those logs. To mitigate this, Microsoft offers a feature called “Protected Event Logging” to enhance the security of event log data. For guidance on protecting event logging, visit: About Logging Windows – PowerShell | Microsoft Docs.


Configuration Setting: Turn on PowerShell Script Block Logging is set to Enabled


This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\Microsoft\Windows\PowerShell\Operational Event Log channel.


Note: If logging of Script Block Invocation Start/Stop Events is enabled (option box checked), PowerShell will log additional events when the invocation of a command, script block, function, or script starts or stops. Enabling this option generates a high volume of event logs. CIS has intentionally chosen not to make a recommendation for this option since it generates a large volume of events. If an organization chooses to enable the optional setting (checked), this also conforms to the benchmark.


Remediation


To establish the recommended configuration via GP, set the following UI path to Enabled:


Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Script Block Logging

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).


Configuration Setting: Turn on PowerShell Transcription is set to Disabled

This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If this setting is enabled, there is a risk that passwords could be stored in plain text in the PowerShell_transcript output file.

Remediation

To establish the recommended configuration via GP, set the following UI path to Disabled:


Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Transcription


Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
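The script below is an added example covering both settings above (Script Block Logging enabled, Transcription disabled); it is not part of the article or of any CIS-published script. It audits the registry values that the two Group Policy UI paths write, optionally remediates them, lists any existing transcript directory so its contents can be reviewed for the plain-text secrets the article warns about, and confirms that script block logging is actually emitting event ID 4104 in the Operational channel. The -Remediate switch is this script's own convention. On a domain-joined server, apply the settings through Group Policy as the article recommends and use the script only to verify the result.

```powershell
# Added example (not from the article or from CIS): audit, optionally remediate,
# and verify the two PowerShell logging settings discussed above.
# The -Remediate switch is an assumption of this script, not a benchmark term.
[CmdletBinding()]
param([switch]$Remediate)

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Benchmark expectations: Script Block Logging = Enabled (1), Transcription = Disabled (0).
# These are the registry values written by the Group Policy UI paths in the article.
$Checks = @(
    @{ Name     = 'Turn on PowerShell Script Block Logging'
       Key      = "$PolicyRoot\ScriptBlockLogging"
       Value    = 'EnableScriptBlockLogging'
       Expected = 1 },
    @{ Name     = 'Turn on PowerShell Transcription'
       Key      = "$PolicyRoot\Transcription"
       Value    = 'EnableTranscripting'
       Expected = 0 }
)

foreach ($c in $Checks) {
    # A missing key or value means the policy is "Not Configured".
    $current = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $state = if ($null -eq $current) { 'Not Configured' } elseif ($current -eq $c.Expected) { 'Compliant' } else { 'Non-compliant' }
    $shown = if ($null -eq $current) { 'n/a' } else { $current }
    '{0,-42} current={1,-4} expected={2} -> {3}' -f $c.Name, $shown, $c.Expected, $state

    if ($Remediate -and $state -ne 'Compliant') {
        if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
        New-ItemProperty -Path $c.Key -Name $c.Value -Value $c.Expected -PropertyType DWord -Force | Out-Null
        "  -> set $($c.Value)=$($c.Expected)"
    }
}

# If transcription was ever enabled, existing transcript files may hold
# plain-text secrets (the risk described above); report the configured output
# directory so its contents and ACL can be reviewed.
$transcriptDir = (Get-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -ErrorAction SilentlyContinue).OutputDirectory
if ($transcriptDir -and (Test-Path $transcriptDir)) {
    $count = @(Get-ChildItem -Path $transcriptDir -Recurse -Filter 'PowerShell_transcript*').Count
    "Review existing transcripts in $transcriptDir (files found: $count)"
}

# Verify script block logging end to end: run a harmless, uniquely tagged script
# block and look for it in the Operational channel (event ID 4104 carries the
# script block text).
$marker = "cis-sbl-check-$(Get-Random)"
& ([scriptblock]::Create("Write-Output '$marker'")) | Out-Null
Start-Sleep -Seconds 2
$hit = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    StartTime = (Get-Date).AddMinutes(-2)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$marker*" } | Select-Object -First 1

if ($hit) { "Script block logging verified: event 4104 at $($hit.TimeCreated) captured the test block." }
else      { Write-Warning 'No matching 4104 event found; the policy may need a new PowerShell session to take effect.' }
```

Run it without arguments for a read-only audit, or with -Remediate from an elevated session to set the two values on a standalone server. Because it checks the registry rather than the GPO editor, it also catches the case where a policy is "Not Configured" (key absent), which the article notes is the default state before the ADMX template has been applied.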


Hardening Script Maintenance


To keep your Windows Server secure after using a hardening script, you need to stay alert and maintain it regularly. Make sure to frequently update the operating system and any installed applications. Use network segmentation to separate important systems and minimize potential attack points. Additionally, set up regular, automated backups for critical data and system configurations.


Failing to regularly update, segment networks, and automate backups for your Windows Server makes it vulnerable to attacks, data breaches, and data loss. This can lead to increased downtime, non-compliance with regulations, and significant operational disruptions.


Benefits of Automated Configuration


Both hardening scripts and hardening configuration tools have their place in securing systems. Scripts offer flexibility and control, suitable for specific or custom environments. Configuration tools provide ease of use, ongoing management, and broader application, making them suitable for larger or more dynamic environments. The choice between the two depends on the specific needs, scale, and expertise of the administrators managing the systems.

Feature | Hardening Script | Hardening Configuration Tool
------- | ---------------- | ----------------------------
User Interaction | Manual execution | Interactive interface
Configuration | Static, requires script editing | Dynamic, based on templates or profiles
Management | Single-use, no continuous management | Continuous monitoring and management
Flexibility | Highly flexible | Granular control and highly flexible
Ease of Use | Requires scripting knowledge | User-friendly, designed for ease of use
Examples | PowerShell scripts | CalCom Software, Ansible, Chef, Puppet

The sheer volume of security recommendations can be overwhelming. Manually applying each recommendation is not only time-consuming but also increases the risk of mistakes and missed configurations. Keeping track of numerous security settings and ensuring they are consistently implemented across all systems can be challenging. Automated hardening addresses these issues by streamlining the process, ensuring all recommendations are applied correctly and consistently, and significantly reducing the workload on IT staff, making it ideal for enterprises with extensive IT infrastructures.
