In today’s environments, more and more users are accessing the work environment remotely. This has lead to an increase in the different types of security and access concerns. This places even more importance on keeping your servers up to date and following security best practices. The Center for Internet Security (CIS) has always been an excellent resource for security baselines for each operating system (Linux, Windows, Mac), networks, cloud providers, and firewalls. By going to https://downloads.cisecurity.org/#/ you are able to download the recommended security baseline for each of the systems you run in your environment. These lists are what security experts would use to lock down and secure your chosen operating system. The PDF can be overwhelming , for example the windows server is 993 pages long, but as a shortcut you can go to the end of the document and use the appendix table as a checklist. You can then use the checklist as your “how to” guide to make your environment more secure.
The actual implementation of these policies for windows servers and desktops can all be found and set in the Active Directory Group policy. As you go through the checklist each control has a location entry such as 1.1 or 1.2. If you are unsure of what the policy does or affects, you can then find that location in the document and it will tell you the exact GPO setting and path, as well as what each setting will do. This appendix allows you to pick and choose, as well as explain, what options are needed to make your servers meet the high standard set by CIS. Of course meeting all of these settings would be overwhelming and potentially could cause application or environment issues. It is recommended to pick the ones applicable to your environment and slowly implement them over time. By keeping the appendix and noting when you implemented each GPO security change, you also have a master document list to use for troubleshooting future potential issues.