Harden a Windows 10 VM Against CIS Level 1

#Put It All Together: Hands-On CIS Baseline Hardening for Windows 10#link

This capstone lab integrates everything you've learned: you'll take a stock Windows 10 VM and apply the CIS Level 1 benchmark. You'll configure local policies, disable unnecessary services, set NTFS permissions, and harden the registry. At the end, you'll run a compliance scan to verify your work. This is the practical exam you can show to an employer.

Lab Objectives

Your goal: achieve at least 90% compliance against the CIS Microsoft Windows 10 Enterprise Benchmark, Level 1. You'll use the Security Compliance Toolkit, LGPO, PowerShell, and manual checks. You must document every change and justify any deviation.

# Step 2: Disable unnecessary services (Print Spooler, XblGameSave)
$services = "Spooler", "XblGameSave", "RemoteRegistry"
foreach ($svc in $services) {
    Stop-Service $svc -Force
    Set-Service $svc -StartupType Disabled
}

Specific Hardening Tasks

Enable UAC with secure desktop; set password policy to 14-character minimum; configure Windows Defender Firewall to block all inbound by default; set BitLocker encryption (if VM supports TPM) or implement a workaround; harden registry keys for LSA protection and AutoRun; and set a restrictive NTFS permission on sensitive user directories.

Deliverables

At the end of the lab, you'll produce: a screenshot of the CIS-CAT scan showing >90% compliance, a list of deviations with risk justifications, and a PowerShell script that applies your hardening changes (for repeatability). This demonstrates your ability to operationalize benchmarks.

• ▪Apply the CIS baseline GPO backup as a starting point.
• ▪Manually address any remaining settings that GPO didn't cover.
• ▪Run a compliance scan and iterate until you reach 90%+.
• ▪Document your deviations with business justification.