CIS · DISA STIG · Microsoft Baselines · IaC · Drift monitoring
Systems hardening
Verifiable secure configuration across Windows Server, Linux, virtualisation, Kubernetes, cloud, M365, databases and networks. CIS Benchmarks or DISA STIG by requirement, applied as code, rolled out in phases and continuously monitored against drift. The layer that reduces paths before the EDR ever sees them.
Executive summary
Hardening is not something you do once and forget, nor is it replaced by an EDR or a firewall. It is the configuration layer that reduces the number of paths an attacker can traverse before any reactive detection comes into play. Most breaches do not start with a zero-day or a sophisticated exploit: they start with an unnecessary exposed service, a reused local password, a broad cloud permission or a legacy protocol no one disabled.
The service covers the platforms the client uses, follows recognised guides (CIS, DISA STIG, Microsoft Baselines, Well-Architected) and delivers configuration as reproducible code. What the business cannot absorb is documented as a justified exception. What does get applied is rolled out in phases with a rollback plan. And, above all, it is monitored over time: well-done hardening includes continuous drift monitoring, because configurations always tend to relax if no one watches them.
Reduces paths before EDR detects
EDR sees what happens afterwards; hardening reduces what can happen. Both layers, in this order.
Configuration as code
Ansible, DSC, Terraform, versioned scripts. Idempotent, auditable, reversible. No manual clicks no one remembers.
Continuous drift monitoring
Automatic detection of baseline deviations. Hardening degrades if no one watches; we watch it.
Hardening maturity model
Four levels. Useful to place where the client is today and where they want to be. Almost no mid-sized organisation lives sustainably above level 2; reaching level 3 requires sustained operational commitment, not just an initial project.
Default configuration
Common starting point
Systems installed with vendor default configuration. No conscious baseline. Security decisions case by case, ad-hoc, undocumented. External audits identify dozens of predictable findings every time.
Informal in-house baseline
Early maturity
There is an internal checklist used when building new systems. It is not applied retroactively, compliance is not measured, it is not updated. Old systems live at level 0; new ones live "more or less" at level 1.
CIS L1 applied as code
Realistic target state
CIS Level 1 baseline (or equivalent Microsoft Security Baseline) applied across the whole fleet via versioned Ansible/DSC/Terraform. Exceptions documented with owner and deadline. Compliance measured. Drift monitoring active. Suitable for an ENS Medium and ISO 27001:2022 auditor.
CIS L2 / STIG with operational context
Advanced maturity
CIS Level 2 or DISA STIG applied where sensitivity warrants it (systems in ENS High scope, defence, critical infrastructure). Every control with business justification or reasoned exclusion. Drift detected in minutes and automatically blocked where viable. External audits reduce findings to genuinely exceptional cases.
Platforms we harden
Inventory with the reference guide we apply, indicative time per system and typical criticality. Not exhaustive: if you work with a specific vertical platform, it is assessed in the walkthrough.
| Platform | Reference guide | Time / system | Typical criticality |
|---|---|---|---|
| Windows Server 2016/2019/2022 | CIS L1/L2 + Microsoft Security Baseline | 4-8 h | High |
| Linux (RHEL · Ubuntu · Debian · SUSE) | CIS L1/L2 + distro recommendations | 3-6 h | High |
| Windows 10/11 client | CIS L1 + Microsoft Security Baseline | 2-4 h | Medium |
| VMware vSphere/ESXi | CIS + VMware Hardening Guide | 6-10 h per cluster | High |
| Kubernetes (EKS · AKS · GKE · kubeadm) | CIS Kubernetes Benchmark + best practices | 8-16 h per cluster | High |
| AWS · Azure · GCP — account + IAM | CIS Cloud + Well-Architected | 16-40 h per environment | Critical |
| Microsoft 365 (Entra · Defender · Purview) | Microsoft Security Baseline + CIS M365 | 20-40 h | Critical |
| Google Workspace | CIS Google Workspace Benchmark | 12-24 h | High |
| SQL Server / Oracle / PostgreSQL / MySQL | CIS per engine | 4-8 h | High |
| MongoDB · Redis · Elasticsearch | CIS + vendor guide | 3-6 h | Medium-High |
| Cisco IOS · NX-OS · Juniper | CIS Cisco IOS + optional DISA STIG | 2-4 h per device | High |
| Fortinet · Palo Alto · F5 · Aruba | Vendor recommendations + best practice | 3-6 h | High |
| Active Directory · Entra ID | Microsoft + tier model best practice | 30-60 h | Critical |
| Docker · containerd | CIS Docker Benchmark | 2-4 h per node | Medium-High |
Indicative times for systems already in inventory, not counting change-approval windows. Heavily outdated legacy systems may require double the time due to prior analysis and more careful validation.
Controls with the highest impact per effort
Fifteen configurations that, when applied, neutralise paths that appear over and over in real findings. Not the full CIS list: the selection with the most impact on attack surface per hour invested.
SMBv1 disabled across the fleet
Obsolete protocol, exploited by EternalBlue/WannaCry. No legitimate use in a modern infrastructure.
NTLMv1 disabled · audit to NTLMv2
Migration plan to Kerberos. NTLMv1 makes credential capture trivial with responder/inveigh.
TLS 1.0/1.1 off. TLS 1.2 minimum, 1.3 preferred
Server and client. Modern cipher lists. No RC4, no 3DES.
RDP with NLA only, exposed only via bastion/PAM
RDP exposed on the internet without NLA is one of the main ransomware vectors. Bastion + MFA.
LAPS for local Windows passwords
Each machine with a random local password, rotated, stored in AD. Stops lateral movement by reuse.
AppLocker · WDAC · Defender Application Control
Allowlist of executables. Blocks unknown binaries without touching antivirus. Reasonable adoption curve.
Tier model in AD (tier 0/1/2)
Privileged accounts do not authenticate on user workstations. Stops typical escalation from endpoint to DC.
SSH key only · MFA on bastion · sudo audited
Linux: PasswordAuthentication=no, explicit AllowUsers, sudo logged to syslog/SIEM.
Unused local accounts removed · Guest off
Inventory and decommissioning of inherited local accounts. Guest disabled on Windows, root with no direct login on Linux.
Full logging to SIEM (Sysmon + advanced auditing)
Sysmon with SwiftOnSecurity template or equivalent. Windows advanced auditing. auditd configured on Linux.
Unsigned macros blocked in Office
Internet macros blocked by default, only signed macros trusted. Reduces the main vector of advanced phishing.
Cloud buckets/blobs without public permissions
Account-level public access block. Documented exceptions. Automatic detection of any new public resource.
Cloud RBAC by team, not by person
Removal of ad-hoc inherited permissions. Every function with its role. Temporary access via PIM/Access Packages.
DB with whitelisted IPs only · encryption at rest and in transit
No public access to databases. TLS enforced. Storage encryption. Audit of privileged queries.
VLAN/firewall per environment: prod ≠ non-prod ≠ admin
Logical separation of planes. Traffic denied by default between levels. Explicit rules with documented justification.
Before and after · real technical examples
Configurations that typically change in a hardening project. Anonymised but technically faithful to what a typical project delivers.
| Control | Before (found) | After (applied) |
|---|---|---|
| SMB | SMBv1 enabled on 38 servers | SMBv1 disabled · GPO + DSC blocking reactivation |
| LDAP | LDAP simple bind without TLS · auditing off | LDAPS enforced · Channel Binding · simple bind audited |
| NTLM | NTLMv1 allowed · LM Hash stored | NTLMv1 denied · LM Hash off · audit to NTLMv2 with plan to Kerberos |
| RDP | RDP exposed on the internet without NLA on 4 servers | RDP only accessible via bastion + MFA · NLA enforced |
| Local passwords | Same local password on 800+ machines | LAPS deployed · unique passwords rotated in AD |
| TLS | TLS 1.0 + RC4 active on 12 internal web services | TLS 1.2+ enforced · modern ciphers only · HSTS where applicable |
| SSH (Linux) | PasswordAuthentication=yes · root login active | SSH key only · root login=no · sudo logged to SIEM · MFA on bastion |
| Windows logs | Basic auditing · Sysmon absent | Advanced auditing · Sysmon SwiftOnSecurity · forwarded to SIEM |
| S3 bucket | 12 buckets with public read by historical mistake | Block public access at account + bucket · automatic alert on reactivation |
| Cloud IAM | Users with permanent AdministratorAccess | SSO federation · JIT access via Access Packages · root account not used operationally |
| Office macros | Internet macros executable by default | Internet macro block · only signed macros · origin allowlist |
| Kubernetes | Pods with privileged=true by default · no NetworkPolicy | PodSecurityStandards restricted · NetworkPolicy per namespace · OPA Gatekeeper |
Service models
Three ways to engage. The difference is not in technical quality but in who operates afterwards and at what cadence.
Model 1
One-off project
Complete hardening of the agreed scope, delivery as code, training for the operations team, closing session. No subsequent operation on our side. Designed for clients with a strong internal IT/SecOps team able to take on drift monitoring and apply new benchmark versions.
Fits when
Strong internal team · one-off compliance · first baseline ahead of audit.
Model 2
Continuous hardening programme
Model 1 + continuous operation: drift monitoring with remediation, onboarding of new systems to the baseline, upgrade to new CIS versions, monthly executive reporting and quarterly steering review. Hardening treated as a permanent practice, not a closed deliverable.
Fits when
Sustained compliance · regulated sector · IT team not specialised in security.
Model 3
Transition with mentoring
Initial project + 3-6 months of mentoring for the internal team to take over operations: practical training with real cases, joint incident review, support for complex decisions. Closure with formal handover and option of annual review.
Fits when
IT team willing to take over but without prior experience · budget for internal operation.
When it fits and when it does not
Fits very well
When it is worth it
- ENS, ISO 27001:2022, NIS2 or DORA compliance with a strict auditor
- After an audit or pentest with many configuration findings
- After an incident with a weak-configuration vector (SMBv1, exposed RDP, NTLMv1)
- Infrastructure modernisation: cloud migration, K8s, M365
- M&A: integrating heterogeneous tenants and fleets under a common baseline
- IT team without formal configuration-as-code practice
- As a prior layer to IAM, NHI or advanced EDR rollout
Fits less well
When it is not the first move
- Infrastructure in major refactor: any baseline changes within weeks
- No baseline telemetry and no patch management: those need ordering first
- No clear functional owners: exceptions will stay unsigned and accumulate
- After an active unresolved incident: incident response first
- If the real priority is up-to-date patches and that is not in place yet: different logical order
Adaptation by sector
Public sector and government services
ENS by categorisation. Focus on mp.eq.4 (equipment protection), op.pl.2 (secure configuration), mp.s.2 (services). Suitable for ENS Medium/High audits. STIG optional where the body requires it.
Healthcare
GDPR art. 9. Focus on hardening systems with access to clinical records, separation of administrative and clinical planes, strict control of medical devices connected to the corporate network.
Financial services
DORA art. 9 + RTS. Focus on hardening systems that touch payments or core banking, separation of production and management planes, continuous configuration evidence for the supervisor.
Industry and OT
IT hardening with careful coordination with the OT platform. Segregated IT/OT, monitored jump servers, restricted and monitored SCADA integrations.
Education and research
High heterogeneity (BYOD academic, legacy research systems). Focus on network segmentation, hardening of central critical services and gradual upgrade campaigns.
B2B SaaS and software factory
Intensive focus on cloud and Kubernetes, mandatory IaC, hardening integrated into the client's CI/CD. Reporting to their own enterprise clients as a commercial differentiator.
Regulatory fit
| Framework | Reference | What it requires and how we cover it |
|---|---|---|
| ENS | op.pl.2 / op.pl.5 / mp.s.2 / mp.eq.4 | Documented and verifiable security configuration. Applicable to Medium and High categories. |
| ISO 27001:2022 | A.8.9 Configuration management | Secure configuration management as an explicit control. Evidence for certification. |
| NIS2 | Art. 21.2.e (hygiene + configuration) | Cyber hygiene and secure configuration measures. Documentation and periodic review. |
| DORA | Art. 9 + RTS on ICT risk management | Technical configuration controls for financial entities. Traceability for the supervisor. |
| PCI DSS v4.0.1 | Req. 2 (default secure configurations) | Default secure configuration on systems touching the CDE. Suitable for QSA. |
| NIST CSF 2.0 | PR.IP / PR.PT | Information protection processes + protective technology. Hardening is the natural category. |
| CIS Controls v8 | Control 4 (Secure Configuration) | CIS operational framework where hardening is one of the 18 base controls. |
Drift and post-hardening monitoring
Hardening degrades on its own: urgent operational changes that stay, new software versions with different default configurations, different sysadmins applying different criteria. Without continuous monitoring, in 6-12 months a hardened fleet returns to ~30% baseline deviation.
How we measure it
Drift detection tooling
- SCAP/OpenSCAP for on-prem Linux and Windows
- AWS Config + Conformance Packs for AWS accounts
- Azure Policy + Azure Security Center for Azure
- GCP Security Command Center + Forseti for GCP
- Kubernetes Gatekeeper / OPA for clusters
- Microsoft Defender for Cloud where applicable
- Custom rules in the client's SIEM for cases not covered by the above
How we govern it
Continuous cycle
- Drift detection in minutes where viable, in hours for the rest
- Automated remediation for trivial and reversible deviations
- Notification to the functional owner for the rest
- Exceptions formalised with owner, reason, compensating control and deadline
- Monthly executive reporting: % compliance per platform, open drift, active exceptions
- Quarterly client review: baseline tuning, new systems, CIS evolution
- Mandatory onboarding of new systems to the baseline before production
Objections we hear and how we answer
«We already have EDR / antivirus / firewall, why anything more?»
EDR and firewalls are detection and containment layers. Hardening reduces paths before those layers ever need to act. Most breaches do not come from an exotic zero-day but from an unnecessary service or a legacy protocol: things the EDR does not see until the attacker uses them, and the firewall does not block if they are already inside the perimeter.
«We are afraid of breaking production systems»
It is the right concern. That is why the process always includes testing in a replica environment, an approved change window, a documented rollback plan and a phased rollout (5% → 25% → 100%). What the business cannot absorb gets documented as a justified exception with a deadline and a compensating control. We do not apply controls dogmatically.
«Our team does not use configuration as code»
We start with whatever your team can maintain: if it is Ansible, Ansible; if it is DSC, DSC; if nothing, the closest thing to your stack. And we deliver hands-on training so the team feels ownership. If you decide to outsource operations, that is also valid: there is a continuous service model.
«We already run CIS-CAT/Nessus/Tenable and we see the controls»
Running the scanner shows you the problem. Applying and maintaining the solution is another project. The scanner returns the list; we deliver the applied configuration, managed as code, with drift monitoring and formalised exceptions.
«Do we have to pay for CIS or STIG licences?»
CIS Benchmarks are free for internal use; CIS official tooling (CIS-CAT Pro) requires membership but is not mandatory: OpenSCAP, in-house scripts and Ansible Lockdown are alternatives we use when there is no membership. STIG is free, being a DoD publication. We do not impose unnecessary licences.
«It is recurring cost without visible return»
The return shows up in findings that do not appear in the next audit, in the difference between 'we contained the incident' and 'it paralysed operations', and in IT team time not lost firefighting configuration issues. It is invisible when it works well — exactly like fire insurance — and that is why it should be measured and reported.
How we measure hardening health
Six indicators reported in monthly review. They show whether the programme is advancing, holding steady or degrading.
% baseline compliance per platform
Master indicator. Realistic target in the initial project: 85-95% in 90 days. Sustained drop = operational issue, not technical.
Open exceptions with deadline
Each control not applied has owner, reason and deadline. Target: no exception without a deadline. Downward trend.
Mean time to remediate drift
Hours from deviation detection to return to baseline. Target: <24 h for critical, <72 h for high, <2 weeks for the rest.
% new systems with baseline at deployment
Systems that reach production with the baseline applied from the start. Target: 100%. Indicator of process maturity.
Configuration findings in external audit
Trend of findings from external audits (annual, semi-annual). Target: sustained year-on-year decrease.
Inventory coverage
Percentage of inventory systems actually managed under the baseline. Target: 100% for critical.
Quick glossary of hardening jargon
Hardening
Process of reducing a system's attack surface through configuration: disabling the unnecessary, restricting privileges, enabling logs, separating planes.
CIS Benchmarks
Secure configuration guides maintained by the Center for Internet Security. Broad coverage, continuous updates, L1 and L2 levels.
DISA STIG
Security Technical Implementation Guides from the US Department of Defense. Stricter than CIS, required in defence, critical public sector and government contracts.
Microsoft Security Baseline
Security configuration recommended by Microsoft for Windows, Office, Edge, M365. Usually a reasonable starting point for Microsoft environments.
Drift
Deviation from the baseline after applying it. Any manual or automated change that pulls the actual configuration away from the documented state.
Baseline
Documented reference configuration that defines the desired secure state of a system or category of systems.
IaC (Infrastructure as Code)
Terraform, Ansible, DSC, Bicep, Pulumi: defining and applying configuration through versioned, idempotent and auditable code.
SCAP / OpenSCAP
Security Content Automation Protocol. NIST standard to automate configuration verification. OpenSCAP is the dominant free implementation on Linux.
Tier model (AD)
Separation model by levels (tier 0: domain · tier 1: servers · tier 2: workstations) that prevents privileged credentials from authenticating on lower tiers.
LAPS
Local Administrator Password Solution. Assigns a unique random local password to each Windows machine and rotates it from AD. Stops lateral movement by reuse.
AppLocker / WDAC
Windows application-control mechanisms by allowlist. They block unauthorised executables without depending on antivirus.
PIM / JIT
Privileged Identity Management / Just-In-Time access. Privileged accounts inactive by default, elevated temporarily with approval and logging.
Related services at Hard2bit
Integrated audit
Hardening usually comes in as remediation after an audit identifies configuration debt.
View →
Vulnerability management
Hardening + patches are two sides of the same problem. Regular coordination.
View →
Microsoft 365 security
Hardening M365 is its own domain: Entra, Defender, Purview, Conditional Access, etc.
View →
Cloud security
Hardening AWS/Azure/GCP is the base of the cloud security programme.
View →
IAM
Hardening AD/Entra is part of the identity foundation. Usually run in parallel.
View →
Non-human identities
Hardening covers local service accounts; the NHI programme extends to cloud and SaaS.
View →
Industrial OT
IT hardening ends at the OT boundary. In OT it applies with different criteria.
View →
Pentesting
Pentesting validates what hardening has managed to close and uncovers what is missing.
View →
Incident response
After an incident, reactive hardening on the identified attack line. Routine.
View →
Frequently asked questions
What exactly is systems hardening?
It is the process of reducing the attack surface of a system through configuration: disabling unnecessary services and protocols, applying robust authentication policies, restricting privileges to the minimum necessary, enabling logs that allow incident investigation, separating management planes from production planes, and verifying everything against a recognised guide (CIS Benchmarks, DISA STIG or vendor equivalent). It is not patching vulnerabilities — that is patch management — nor installing antivirus. It is making sure that, even with patches up to date and EDR on top, the system does not expose weak, exploitable configurations.
Which reference guides do you follow? CIS, DISA STIG, vendor?
We combine several by platform. As a baseline we use CIS Benchmarks (Center for Internet Security) because they cover the broadest catalogue and stay continuously updated. For defence, government and critical environments we add DISA STIG where the client requires it by contract. Microsoft Security Baselines for anything Microsoft 365 and Windows Server. Vendor recommendations for vSphere, NetApp, Cisco, F5, Palo Alto and similar. For cloud, the Well-Architected Framework (AWS/Azure/GCP) cross-referenced with CIS Cloud. The criterion: the strictest guide the business can absorb without breaking operations.
Is it not enough to have antivirus, EDR and firewalls? Why hardening on top?
Because EDR and firewalls are reactive detection and containment layers. Hardening reduces the number and severity of paths an attacker can traverse before the EDR sees anything. Typical cases: SMBv1 enabled, NTLMv1 allowed, LM Hash stored, local passwords reused across hundreds of machines, RDP exposed without NLA, weak TLS configuration, S3 bucket permissions too broad, privileged accounts used for routine tasks. None of those is fixed by a patch nor automatically flagged by an EDR as active issue. And all of them are what an attacker exploits before touching anything that would trigger an alert.
Which platforms do you harden?
Whatever the client uses. Operating systems: Windows Server 2016/2019/2022, Windows 10/11 client, Linux (RHEL, Ubuntu Server, Debian, SUSE, Amazon Linux). Virtualisation: VMware vSphere/ESXi, Hyper-V, Proxmox, Nutanix. Containers: Docker, Kubernetes (kubeadm, EKS, AKS, GKE, Rancher), containerd/CRI-O runtime. Cloud: AWS, Azure, GCP — account, IAM, network, storage, compute, management. Productivity: Microsoft 365, Google Workspace. Databases: SQL Server, Oracle, PostgreSQL, MySQL, MongoDB, Redis. Network: Cisco IOS/NX-OS, Juniper, Fortinet, Palo Alto, F5, Aruba. Identity: Active Directory, Entra ID, Okta, Keycloak. If the client works with very vertical platforms, we assess them in the walkthrough.
How long does a project take and how much does it cost?
It depends on scope. Hardening a fleet of 30-80 Windows Servers or equivalent: 3-6 weeks with 1-2 engineers, indicative cost €14-32k. Multi-platform project for a mid-sized organisation (servers + virtualisation + cloud + M365 + network): 8-16 weeks, 1-3 engineers, €40-110k. Before quoting we run a technical walkthrough to understand the real inventory, operational dependencies and appetite for disruptive change. Without it, any figure is a guess. Subsequent operation (drift monitoring, onboarding new systems, benchmark updates) is delivered as a monthly subscription.
Are you going to break production systems by making changes?
That is the right question, and the reason the process always includes testing in a replica environment before touching production, scheduled maintenance window, documented rollback plan, and gradual rollout (canary deployment: 5% → 25% → 100% with validation windows). Every change is documented as code (Ansible, DSC, Terraform, scripts) so it is reproducible, auditable and reversible. Controls the business cannot absorb get documented as justified exceptions with deadline and compensating control; we do not apply controls dogmatically.
How is hardening maintained over time? Does it not degrade again?
Yes, it degrades again — it is called drift — and that is why hardening is not a one-off project but a continuous practice. After the initial phase we deliver: configuration as code (idempotent, in a versioned repository), drift detection rules in SCAP/OpenSCAP, AWS Config, Azure Policy, GCP Forseti, Kubernetes Gatekeeper or whatever applies per platform, a compliance dashboard per system, operational alerts in the SIEM when a critical control changes. If continuous operation is contracted, we take over monitoring with monthly reporting cadence and quarterly client review.
How does it fit ENS, ISO 27001, NIS2 and DORA compliance?
ENS requires documented and verifiable security configuration (op.pl.2, op.pl.5, mp.s.2 mp.eq.4 among others) and hardening is the natural mechanism to deliver it. ISO 27001:2022 (A.8.9 Configuration management) explicitly covers secure configuration management. NIS2 art. 21.2.e requires cyber hygiene and secure configuration measures. DORA art. 9 + RTS on ICT management cover this under technical controls. The documentation package we deliver — baseline, evidence of application, exception management, review plan, drift monitoring — is designed to support external audit without additional client effort.
Do you work on our existing infrastructure code or create it from scratch?
Whatever fits best. If you already have Ansible, Puppet, Chef, Terraform or DSC modules, we work on what is in place: we add new roles/modules, extend the current ones, integrate into your CI/CD. If there is nothing, we build it as a deliverable — preferably Ansible for operating systems and Terraform or Bicep/ARM for cloud — in the client's repository, with documentation, validation pipeline and training for the operations team. We do not impose tooling: we adapt to what the team will maintain without friction.
How do we start a project with Hard2bit?
A 30-minute call to understand the approximate inventory (how many systems, what platforms, where they run), the reason (compliance, post-incident, modernisation, client requirement) and the appetite for disruptive change. If it fits, a 1-3 hour technical walkthrough with a sysadmin or platform engineer. From there we issue a firm proposal in 48-72 hours: scope, window, team, deliverables and fixed price. No commitments until signature. If we see the project should be split into phases or combined with vulnerability management, we will say so honestly.
Which maturity level is your infrastructure at?
30-minute call to place the current state and the target. Technical walkthrough if it fits. Firm proposal in 48-72 hours. No commitments until signature. Standard NDA before any first inventory access.