Cybersecurity threats are always evolving, so Managed Service Providers (MSPs) and IT administrators must keep their endpoints secure to protect their clients and operations. In response, the Center for Internet Security (CIS) developed the CIS Benchmarks, which set the standards for stronger cybersecurity. However, applying their configuration recommendations can be time-consuming and error-prone.
To make this task of endpoint hardening a lot easier, consider the automated approach. Keep reading to learn how to use PowerShell scripts with supplemental registry edits, CMD scripts, and Group Policy deployments to secure devices across your systems.
How to automate CIS Benchmarks to harden MSP endpoints
For Windows environments, MSPs and IT professionals will have to enforce hundreds of configuration settings to meet industry standards set by CIS Benchmarks, so manually applying each one is not recommended. Here are some examples of how you can use PowerShell to automate these CIS-aligned configurations, including other workarounds for different needs and environments.
📌 Prerequisites:
- Windows 10 or 11 with Pro or Enterprise edition
- Administrator privileges
- Knowledge of CIS Benchmarks (Level 1 or 2)
- Optional: Access to Active Directory, Intune, or NinjaOne
💡 Tip: Check Things to look out for before proceeding.
📌 Recommended deployment strategies:
| Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| Method 1: Using PowerShell to apply CIS Benchmark settings | ✓ | ✓ |
| Method 2: Using Registry Editor for configuration enforcement | ✓ | |
| Method 3: Using CMD for system tweaks and validation | ✓ | |
| Method 4: Using Group Policy (GPO) to centralize enforcement | | ✓ |
Method 1: Using PowerShell to apply CIS Benchmark settings
PowerShell can directly automate local security policies, services, audit settings, and system configurations via script. Therefore, it can easily enforce hundreds of CIS controls and create repeatable modules for bulk deployment. Below are a few CIS Benchmark PowerShell scripts that you can combine into modules or deploy with DSC (Desired State Configuration) for repeatable deployment.
📌 Use Cases:
- Automating hardening for new device onboarding
- Quickly deploying security controls to endpoints in non-domain environments
📌 Prerequisites:
- PowerShell 5.1 or later (Verify Your PowerShell Version)
- Administrator privileges
Sample scripts:
- Disable legacy SMBv1 protocol (prevent exploitation of legacy SMB vulnerabilities)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
- Disable guest account (reduce risk of unauthorized access)
Set-LocalUser -Name "Guest" -Enabled $false
- Enforce password complexity (export the local security policy, modify it, and reapply it)
secedit /export /cfg c:\secpol.cfg
(gc c:\secpol.cfg).replace("PasswordComplexity = 0","PasswordComplexity = 1") | Set-Content c:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
- Enable audit logging (ensure both successful and failed logon attempts are tracked)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
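The four settings above, combined into one script that first reports whether each control is compliant and only changes it when run with -Apply. This is an added example, not code from the original article or from NinjaOne; the -Apply switch name and the temporary file path are this example's own choices, and it assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: check-then-remediate for the Method 1 controls. Run elevated.
[CmdletBinding()]
param([switch]$Apply)   # without -Apply the script is read-only (audit mode)

$results = @()

# 1. SMBv1 must not be enabled
$smb1 = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
$results += [pscustomobject]@{ Control = 'SMBv1 disabled'; Compliant = ($smb1 -ne 'Enabled') }
if ($Apply -and $smb1 -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 2. Guest account must be disabled (absent counts as compliant)
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Control = 'Guest disabled'; Compliant = (-not $guest -or -not $guest.Enabled) }
if ($Apply -and $guest -and $guest.Enabled) { Set-LocalUser -Name 'Guest' -Enabled $false }

# 3. Password complexity: export the local policy and read the value instead of blindly rewriting it
$cfg = Join-Path $env:TEMP 'secpol.cfg'   # temporary path chosen for this example
secedit /export /cfg $cfg /quiet | Out-Null
$complexity = (Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*(\d)').Matches[0].Groups[1].Value
$results += [pscustomobject]@{ Control = 'Password complexity'; Compliant = ($complexity -eq '1') }
if ($Apply -and $complexity -ne '1') {
    # secedit writes UTF-16; keep that encoding so it can read the file back
    (Get-Content $cfg) -replace '^PasswordComplexity\s*=\s*0', 'PasswordComplexity = 1' |
        Set-Content $cfg -Encoding Unicode
    secedit /configure /db "$env:windir\security\local.sdb" /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Logon auditing must cover success and failure; auditpol /r emits CSV we can parse
$audit = auditpol /get /subcategory:'Logon' /r | ConvertFrom-Csv
$setting = $audit.'Inclusion Setting'
$results += [pscustomobject]@{ Control = 'Logon auditing'; Compliant = ($setting -eq 'Success and Failure') }
if ($Apply -and $setting -ne 'Success and Failure') {
    auditpol /set /subcategory:'Logon' /success:enable /failure:enable | Out-Null
}

$results | Format-Table -AutoSize
```

Run it once without -Apply to capture the pre-change state for your audit trail, then again with -Apply; the second read-only run should show every control as compliant.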
Method 2: Using Registry Editor for configuration enforcement
For more precise hardening, you can directly edit the Windows Registry. Many CIS controls map directly to specific registry keys, so automating registry modifications is also viable. Below are registry edits that you can apply via .reg files or PowerShell (Set-ItemProperty), or deploy via NinjaOne or GPO.
📌 Use Cases:
- Applying settings not exposed in Group Policy
- Backstopping GPO-based hardening with local enforcements
📌 Prerequisite: Administrator access to target endpoints
Sample registry modifications:
- Disable Windows AutoRun (mitigate USB-based malware execution)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
- Restrict anonymous SID enumeration (prevent user account probing)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymousSAM"=dword:00000001
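The same two values applied with Set-ItemProperty, with each previous value written to a JSON log so the change can be rolled back and evidenced later. This is an added example, not the article's or NinjaOne's code; the log path and the function names are this example's own choices.

```powershell
# Added example: idempotent registry hardening with a reversal log. Run elevated.
$Backup = Join-Path $env:ProgramData 'cis-registry-backup.json'   # log path chosen for this example

$Settings = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM'; Value = 1 }
)

function Set-CisRegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $previous = if ($existing) { $existing.$Name } else { $null }   # $null = value did not exist before
    if ($previous -eq $Value) { return }                              # already compliant: change nothing, log nothing
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    # Audit-trail record: when, by whom, which value, and what it was before
    $record = [pscustomobject]@{
        Time = (Get-Date).ToString('o'); User = "$env:USERDOMAIN\$env:USERNAME"
        Path = $Path; Name = $Name; Previous = $previous; New = $Value
    }
    $log = if (Test-Path $Backup) { @(Get-Content $Backup -Raw | ConvertFrom-Json) } else { @() }
    ConvertTo-Json -InputObject ($log + $record) | Set-Content $Backup
}

function Undo-CisRegistryValue {
    # Restore every logged value, newest first; remove values that did not exist before hardening
    $records = @(Get-Content $Backup -Raw | ConvertFrom-Json) | Sort-Object Time -Descending
    foreach ($r in $records) {
        if ($null -eq $r.Previous) { Remove-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue }
        else { Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Previous -Type DWord }
    }
}

foreach ($s in $Settings) { Set-CisRegistryValue @s }
```

Running the script a second time logs nothing, which makes the JSON file a clean record of what actually changed on the endpoint.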
Method 3: Using CMD for system tweaks and validation
CMD scripting is ideal for legacy systems and quick system changes. It is also useful in validating configurations in older environments that may lack PowerShell or modern tools. Here are some CMD scripts you can chain with taskkill, net stop, or sc config commands to further harden services.
📌 Use Cases:
- Hardening offline systems
- Running quick remediation tasks during support calls or remote sessions
📌 Prerequisite:
- CMD access
- Administrator privileges
Sample commands:
- Disable remote assistance (reduce remote support attack surface)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
- Disable NetBIOS over TCP/IP (mitigate lateral movement risks)
wmic nicconfig where "IPEnabled=true" call SetTcpipNetbios 2
- Export current security configuration for review or backup
secedit /export /cfg C:\cfg.txt
Method 4: Using Group Policy (GPO) to centralize enforcement
MSPs can also use GPO to centralize the configuration of hundreds of CIS settings across domain-joined systems. It’s the most scalable approach in Active Directory environments.
📌 Use Cases:
- Maintaining a secure baseline across client networks
- Enforcing high-security CIS Level 2 controls
- Managing hybrid environments alongside Intune/NinjaOne
📌 Prerequisites:
- Group Policy Management Console (GPMC) access
- An Active Directory environment
- Administrative privileges
Steps:
- Open the Group Policy Management Console (GPMC) on a domain controller or management system. Press Windows key + R, type “gpmc.msc,” and press Enter.
- Create or edit a GPO targeting your security baseline.
- Configure the policies under: Computer Configuration > Windows Settings > Security Settings
- Some CIS-relevant policies to configure:
- Password Policy (under Account Policies): Enforce complexity, expiration, and history
- User Rights Assignment (under Local Policies): Restrict “Log on locally” and deny access
- Security Options: Disable LM responses and anonymous access
- Audit policies: Enable advanced logging
- Windows Defender & firewall settings: Standardize protection
- Run gpupdate /force in an elevated Command Prompt on client machines to apply the policy.
- Optional: Use Microsoft Security Compliance Toolkit or CIS GPO import files to jump-start configuration.
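The GPO steps above can be scripted from a management host with RSAT's GroupPolicy and ActiveDirectory modules, so the same baseline is created, linked, and refreshed the same way for every client. This is an added example, not code from the article or from NinjaOne; the GPO name and the OU distinguished name are placeholders, and it shows only registry-backed policies (the Security Settings node items in step 3 are configured in GPMC, not with Set-GPRegistryValue).

```powershell
# Added example: create or update a CIS baseline GPO, link it once, and refresh clients.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'CIS Level 1 - Workstations'                 # placeholder GPO name
$TargetOU = 'OU=Workstations,DC=example,DC=local'        # placeholder OU

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'CIS-aligned registry-backed settings' }

# Registry-backed controls from Methods 2 and 3, now delivered centrally instead of per endpoint
$policies = @(
    @{ Key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName = 'NoDriveTypeAutoRun'; Value = 255 },
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; ValueName = 'RestrictAnonymousSAM'; Value = 1 },
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance'; ValueName = 'fAllowToGetHelp'; Value = 0 }
)
foreach ($p in $policies) {
    Set-GPRegistryValue -Name $GpoName -Key $p.Key -ValueName $p.ValueName -Type DWord -Value $p.Value | Out-Null
}

# Link only if not already linked, so re-running the script does not create duplicate links
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }

# Step 5 (gpupdate /force) triggered remotely for every computer in the OU
Get-ADComputer -SearchBase $TargetOU -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 -ErrorAction Continue
}
```

Because the GPO is re-applied on every refresh cycle, any of these values changed locally afterwards will be reverted, which is the persistent enforcement the Conflicting settings section below relies on.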
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| Unintended script effects due to typos or logic errors | | |
| Over-hardening via GPO or PowerShell (e.g., disabling necessary services) | Breakage of business-critical applications or remote tools | |
| Locking out legitimate users via restrictive login policies | User accounts and admins may be locked out due to failed login attempts or overly strict password rules | |
What is a CIS benchmark?
CIS Benchmarks are a set of prescriptive best practices for securing IT systems and data. They offer guidance on reducing vulnerabilities and hardening system configurations. Additionally, these standards are:
- Developed by experts, from cybersecurity professionals to vendors and subject matter experts
- Applicable to a wide range of systems, including Windows, Linux, macOS, network devices, browsers, and cloud platforms
- Listed as detailed configuration settings with recommended values, rationales, and remediation steps
- Commonly addresses:
- Divided into two levels:
- Level 1: Basic security suitable for general-purpose systems, focused on minimal user impact
- Level 2: Advanced hardening for high-security environments, which may impact usability or functionality
- Aligned with standards like HIPAA, NIST, PCI-DSS, and ISO 27001
- Regularly revised to reflect current threats, vulnerabilities, and platform updates
- Publicly accessible at www.cisecurity.org/cis-benchmarks
Adopting these recommendations can help to set security baselines, minimize risk, and demonstrate due diligence to all parties involved.
Additional considerations for MSPs when implementing CIS Benchmarks
CIS Benchmark automation goes beyond simply running scripts or applying GPOs. If MSPs and IT teams want to successfully harden endpoint security, they must consider a few environment, compliance, and operational factors to prevent issues.
- Testing before deployment: CIS Benchmarks can significantly alter system behavior. Untested scripts may disable needed services or restrict valid user activity, so always test them in non-production environments.
- Benchmark level selection: Understand that Level 1 focuses on essential hardening without affecting usability, so it’s suitable for most business environments. On the other hand, Level 2 is intended for high-security systems. As such, stricter enforcement may impair user experience or app functionality.
- Baseline templates: Microsoft provides security baseline GPOs that may overlap with CIS Benchmarks. While they may be helpful, these templates are not full substitutes. Always opt for CIS as the primary standard when strict compliance is required.
- Audit trail: Logging all changes ensures traceability and compliance when auditors or security teams request evidence of applied scripts and modified registry entries.
Quick-Start Guide
NinjaOne provides robust scripting capabilities for endpoint hardening, particularly using PowerShell. The platform offers several key features that support CIS Benchmark-style hardening:
1. Extensive Script Library: NinjaOne has a comprehensive Automation Library with numerous scripts for security and system hardening, including:
- Set Password Policy
- Disable Weak TLS and SSL Protocols
- Enable/Disable Windows Firewall
- Audit Firewall Status
- Set Minimum Password Requirements
- Disable Local Admin Tools
2. PowerShell Scripting Support: The platform natively supports PowerShell scripting, allowing MSPs to create custom scripts for CIS Benchmark implementation.
3. Vulnerability Management: NinjaOne includes a Vulnerability Importer script that can help import and manage security-related data.
4. Custom Script Capabilities: You can create and deploy custom PowerShell scripts across multiple endpoints to implement specific CIS Benchmark recommendations.
Troubleshooting issues
PowerShell script failures
The execution policy may be too restrictive, or scripts may be blocked by system or antivirus settings. Check your current execution policy with this command:
Get-ExecutionPolicy -List
If needed, set it to RemoteSigned using this command:
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine
This will allow local scripts while requiring signatures for remote ones. You should also check for AV or endpoint protection solutions that can block script execution, such as Defender or CrowdStrike.
GPO settings not applying
This may happen if the endpoint is not part of the correct Organizational Unit (OU), or WMI or security filters prevent policy application. Confirm that the setting applies to the device’s OU placement in Active Directory Users and Computers. You should also validate WMI filters on the GPO to ensure the system qualifies.
Conflicting settings
Group Policy may overwrite local settings enforced via PowerShell or registry on the next refresh cycle. Make sure to define your configuration hierarchy. Use PowerShell or the registry for first-time deployment, then switch to GPO for persistent enforcement.
Security log errors
Audit log settings may flood logs if they are too verbose. You can fine-tune logs to focus on critical categories, such as logon events, privilege use, system integrity, and account management. It may also be beneficial to set retention and size limits.
NinjaOne services that can help strengthen CIS Benchmark enforcement
NinjaOne can enhance the scalability and effectiveness of CIS Benchmark implementation by giving MSPs powerful automation, monitoring, and reporting capabilities.
| NinjaOne service | How it can help | Ideal use case |
| Script deployment | Remotely run PowerShell or CMD scripts across multiple devices for automated hardening | Initial deployment of CIS controls, like disabling SMBv1 or setting audit policies |
| Policy templates | Deploy reusable configuration templates that include registry edits and service settings | Standardizing security baselines across multiple clients or device types |
| Audit reporting | Generate compliance and configuration reports that show which devices are aligned | Proving CIS adherence during audits or client reviews |
| Automation engine | Schedule scripts and policies to run automatically during onboarding or periodically | Applying CIS controls to new or reimaged endpoints without manual effort |
| Alerting | Get notified when CIS-related settings are missing, misconfigured, or changed | Monitoring for configuration drift or unauthorized changes |
Simplifying hardening via smart automation
Implementing CIS Benchmarks can be a lengthy process for MSPs and IT professionals when done manually. Therefore, automation using PowerShell scripting, registry modifications, command-line tools, and Group Policy should help ensure enforcement consistency. These should improve endpoint security while reducing misconfiguration risks.