Securing your operating system is no longer optional—it’s a necessity in today’s threat landscape. The operating system (OS) acts as the backbone of your IT environment, connecting hardware and software, and controlling access to critical resources. A single misconfiguration or outdated setting can expose your entire organization to malware, ransomware, and unauthorized access.

Benchmarks – the theory

CIS Benchmarks: These are comprehensive, community-driven best practices for securely configuring a wide range of IT systems, including Windows Server. Each recommendation is accompanied by a rationale and step-by-step implementation guidance.

Microsoft Security Benchmark: Microsoft’s own framework provides detailed controls and baselines.

In real live we usually starting with not theory, but practice and the fastest way is starting from reporting.

Reporting and Compliance

Microsoft Guest Configuration Extension: This Azure tool allows you to audit and enforce configuration policies on your virtual machines, ensuring they remain compliant with your chosen security baseline.

Microsoft Defender: With Defender Vulnerability Management, you can continuously assess your endpoints against CIS and STIG benchmarks, receive real-time compliance reports, and quickly identify drift or misconfigurations.

But in that case we see only reporting, but lets start implementation the best practices.

Implementation

CIS Paid Version: Effective, but limited to GPO-based environments and often requires a license

HardeningKitty: Flexible and scriptable, but requires manual customization and ongoing maintenance to keep up with evolving best practices.

Windows Server 2025 Security Baseline: While designed for Windows Server 2025, the baseline is also applicable to Windows Server 2022 and 2019, and potentially even 2016 (with minimal tuning).

Real-World Results: Why the 2025 Security Baseline Wins

In recent tests, the effectiveness of different hardening approaches was measured by the number of unresolved recommendations after implementation:

• Windows Server 2025 Security Baseline (Preview): Only 5 recommendations left (more info: https://techcommunity.microsoft.com/discussions/windowsserverinsiders/announcing-windows-server-2025-security-baseline-preview/4257686)

• Pure HardeningKitty: 11 recommendations left (more info: https://github.com/scipag/HardeningKitty)

• HardeningKitty + Custom Script: 7 recommendations left

The results are clear: the Windows Server 2025 Security Baseline not only reduces your attack surface more effectively but also streamlines the hardening process, making it the superior choice for modern Windows Server environments.

Would you like to repeat the tests?

HardeningKitty + Custom Script – just execute: 

1. https://github.com/MariuszFerdyn/AzureSecurityCenterOSRemediations/blob/main/CIS/Windows/2022/100-CIS-Azure.ps1
2. https://github.com/MariuszFerdyn/AzureSecurityCenterOSRemediations/blob/main/CIS/Windows/2022/101-STIG-Firewall.ps1
3. https://github.com/MariuszFerdyn/AzureSecurityCenterOSRemediations/blob/main/CIS/Windows/2022/102-MSFTT_SecurityBaseline.ps1
4. https://github.com/MariuszFerdyn/AzureSecurityCenterOSRemediations/blob/main/CIS/Windows/2022/103-VulnerabilitiesInSecurityConfigurationOnYourWindowsMachinesShouldBeRemediated(PoweredByGuestConfiguration).ps1

Windows Server 2025 Security Baseline:

Install-PackageProvider NuGet, PowerShellGet -Force
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\WorkgroupMember -Default
Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus -Default

You can also watch Video on this topic: