CIS Benchmark Hardening Script for Windows
This PowerShell script is designed to help your system achieve 100% compliance with the CIS (Center for Internet Security) Benchmarks for Windows.

Overview
The script automates the application of Group Policy settings, registry modifications, and system configurations to align with CIS security recommendations. It is intended for use in environments that leverage Security Configuration Assessment (SCA) tools such as Wazuh, and it can be customized further based on your organization's security policies.

Customization Notice
While the script targets full CIS Benchmark compliance, your scan results may still show non-compliant items depending on your specific environment and security stack.
This script was validated using Wazuh SCA scans against a custom benchmark profile.
Some CIS controls may be intentionally modified or excluded due to existing compensating controls or business requirements.
Example: Certain registry keys related to Windows Updates or Administrator privilege restrictions have been adjusted.
You are expected to review scan results (e.g., in Wazuh’s Assessor module) and:
- Identify unmet controls
- Adjust the script to either:
  - Implement the missing policy/registry configuration
  - Document a deviation with justification, if compensating controls exist
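
The review loop described above, sketched as an added example (not the repository's script): each control is either enforced through its registry value or carried as a documented deviation. The function name, control IDs, justification text and the two sample registry settings are constructed for illustration.

```powershell
# Added example: control IDs, justification text and sample controls are constructed.
function Invoke-ControlReview {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [hashtable[]] $Controls)

    foreach ($c in $Controls) {
        # Read the current value; $null when the key or the value is absent.
        $item    = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($c.Name) } else { $null }

        if ($null -ne $current -and $current -eq $c.Expected) {
            $status = 'Compliant'
        }
        elseif ($c.Deviation) {
            # Left unenforced on purpose; the justification travels with the report.
            $status = 'Deviation'
        }
        else {
            $status = 'NonCompliant'
            $target = "$($c.Path)\$($c.Name)"
            if ($PSCmdlet.ShouldProcess($target, "Set DWORD to $($c.Expected)")) {
                if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
                New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -PropertyType DWord -Force | Out-Null
                $status = 'Remediated'
            }
        }

        [pscustomobject]@{
            Id = $c.Id; Status = $status; Found = $current
            Expected = $c.Expected; Justification = $c.Deviation
        }
    }
}

# Constructed sample controls (illustrative, not taken from the repository's script).
$controls = @(
    @{ Id = 'EXAMPLE-01'; Name = 'AllowInsecureGuestAuth'; Expected = 0
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' },
    @{ Id = 'EXAMPLE-02'; Name = 'RemoveWindowsStore'; Expected = 1
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
       Deviation = 'Constructed: Store kept for admins; compensating control on file.' }
)

# -WhatIf reports what would change without writing to the registry.
Invoke-ControlReview -Controls $controls -WhatIf | Format-Table -AutoSize
```

Reading these keys needs no elevation; running without -WhatIf to apply the values requires an elevated session.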

SCA Benchmark YAML File
If you're using Wazuh SCA scanning, a customized .yml benchmark file is also provided. This file defines the specific CIS rules and checks relevant to your environment.
The provided .yml file is not an official CIS benchmark — it has been modified to align with our organization’s security posture and operational requirements.
This file can serve as a template for defining your own SCA policy.
You must review and modify the .yml to match:
- The CIS controls you're enforcing
- Any registry paths, file locations, or policy objects specific to your environment
- Organizational exceptions or compensating controls

Organizational Notes
Redundant or conflicting CIS settings have been selectively excluded (e.g., those affecting Store access, update policies, or role-based admin behaviors).
Windows functionality (e.g., updates, Store access for admins) is preserved without compromising hardening goals.

Important Disclaimer
This script and accompanying .yml are provided as templates. Always validate changes in a test environment before production deployment.