Windows
Generally speaking, you want to leverage AD GPOs to apply CIS hardening.
If you're a CIS subscriber, you can import the remediation GPO content to achieve this very quickly. Your Windows systems should hit a > 90% compliance level immediately without any further work.
Go here to read more on this: https://www.cisecurity.org/cis-securesuite/cis-securesuite-remediation-content/
Otherwise, create your own GPOs based on the freely available CIS PDF content.
You can use the lgpo.exe commands with the CIS remediation GPO content to achieve this reasonably quickly.
- https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
- https://blogs.technet.microsoft.com/secguide/2016/09/23/lgpo-exe-v2-0-pre-release-support-for-mlgpo-and-reg_qword/
You can also configure LGPO options via the existing Salt execution and state modules:
- https://docs.saltstack.com/en/latest/ref/states/all/salt.states.win_lgpo.html
- https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.win_lgpo.html
Using the CIS PDF guides, you should define what needs to be modified via pillar, then create a state that iterates through that pillar to apply LGPO options on Windows minions.
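
One way to lay out that pillar and the iterating state, as an added example that is not part of the original page or this project's code. The pillar key `cis_lgpo`, the file paths and the sample values are assumptions; take the real settings from the CIS PDF for your Windows version.

```yaml
# ---- pillar/cis/windows.sls (hypothetical path) ----
# Policy names are the display names win_lgpo accepts.
# Values below are constructed samples, not quoted from a CIS benchmark.
cis_lgpo:
  computer_policy:
    Minimum password length: 14
    Enforce password history: 24
    Account lockout threshold: 5
  user_policy: {}

# ---- salt/cis/windows_lgpo.sls (hypothetical path) ----
# Emits one lgpo.set state per policy so each setting reports its own
# pass/fail/changed result in the highstate output.
{%- set cis = salt['pillar.get']('cis_lgpo', {}) %}
{%- if grains['os_family'] == 'Windows' %}
{%- for policy_class, key in [('Machine', 'computer_policy'),
                              ('User', 'user_policy')] %}
{%- for policy, setting in cis.get(key, {}).items() %}

cis_lgpo_{{ key }}_{{ loop.index }}:
  lgpo.set:
    # Quote the name: policy display names contain spaces and colons.
    - name: {{ policy | yaml_dquote }}
    # json keeps ints, strings and nested dicts valid as YAML.
    - setting: {{ setting | json }}
    - policy_class: {{ policy_class }}
{%- endfor %}
{%- endfor %}
{%- endif %}
```

Applying the state with `test=True` first shows which policies would change on a minion before anything is written.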