Sample Assessment Report
Redacted for confidentiality
CIS Hardening
CIS Benchmark Implementation
Confidential Client — Retail Enterprise
150 Windows Server 2022 instances, 40 Ubuntu 22.04 LTS servers, AWS account (CIS AWS Foundations Benchmark), 25 Windows 11 workstations
8 business days
CIS Benchmark v2.0 (Windows Server 2022)
Executive Summary
UnlockSec performed a CIS Benchmark gap analysis and implemented Level 1 and Level 2 controls across the client's Windows, Linux, and cloud infrastructure. Pre-engagement compliance stood at 34% (Level 1) and 18% (Level 2). Post-implementation compliance reached 91% (Level 1) and 74% (Level 2). Key remediation areas included password policy enforcement, audit logging configuration, and unnecessary service disablement.
Methodology
Sample Findings
CIS Control 1.1 — Password Policy Non-Compliant Domain-Wide
Description
The Active Directory Fine-Grained Password Policy does not meet CIS Level 1 requirements: minimum password length is 8 characters (CIS requires 14+), complexity is disabled for the default domain policy, and account lockout threshold is set to 0 (unlimited attempts).
Recommendation
Configure Fine-Grained Password Policy: minimum length 14 characters, complexity enabled, lockout threshold 5 attempts, lockout duration 15 minutes. Apply CIS GPO baseline templates for password policies.
CIS Control 9.3.1 — Windows Firewall Disabled on All Profiles
Description
Windows Defender Firewall is disabled on the Domain, Private, and Public network profiles across all 150 Windows Server instances via a legacy Group Policy object that was applied during a 2019 infrastructure migration and never reversed.
Recommendation
Re-enable Windows Defender Firewall on all profiles. Apply the CIS Windows Server 2022 firewall GPO baseline. Review and document required firewall exceptions before re-enabling to avoid operational disruption.
CIS Control 4.6 — SSH Root Login Permitted on Linux Servers
Description
All 40 Ubuntu servers permit direct root SSH login (PermitRootLogin yes in sshd_config). CIS Level 1 requires PermitRootLogin prohibit-password as a minimum; Level 2 requires PermitRootLogin no. This allows direct root access with no audit trail of which user account was used.
Recommendation
Set PermitRootLogin no on all Linux servers. Ensure all administrators have named user accounts with sudo access. Configure sudoers to log all sudo command executions to the centralised syslog server.
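As an added example, not part of the sample report or any UnlockSec deliverable: a POSIX shell check that classifies an sshd_config's effective PermitRootLogin setting against the Level 1 and Level 2 thresholds cited in this finding, run here over constructed sample configs (function names and samples are assumptions for illustration).

```shell
#!/bin/sh
# Added example, not part of the sample report: classify an sshd_config's
# effective PermitRootLogin value against the CIS levels cited in the finding.
# Function names and sample configs are constructed for illustration.

# Print the global PermitRootLogin value read from stdin. Mirrors sshd(8)
# parsing: the keyword is case-insensitive, "key value" and "key=value" are
# both accepted, the first occurrence wins, and anything after a Match line
# is conditional so it is ignored. If the directive is absent, OpenSSH's
# compiled default (prohibit-password since 7.0) applies.
permit_root_login_value() {
    awk '
        { sub(/^[ \t]+/, ""); n = split($0, f, "[ \t=]+") }
        n == 0 || f[1] ~ /^#/ { next }
        tolower(f[1]) == "match" { in_match = 1 }
        !in_match && tolower(f[1]) == "permitrootlogin" && !found {
            print tolower(f[2]); found = 1
        }
        END { if (!found) print "prohibit-password" }
    '
}

# Map the value to the CIS level it satisfies: L2 (no), L1 (prohibit-password
# or its legacy alias without-password) or FAIL (yes, or anything else).
permit_root_login_level() {
    case "$(permit_root_login_value)" in
        no)                                 echo L2 ;;
        prohibit-password|without-password) echo L1 ;;
        *)                                  echo FAIL ;;
    esac
}

# Constructed sample configs (not taken from any client system).
sample_config() {
    case "$1" in
        finding)    printf 'Port 22\n# PermitRootLogin no\nPermitRootLogin yes\nMatch User backup\n    PermitRootLogin no\n' ;;
        level1)     printf 'permitrootlogin=without-password\n' ;;
        remediated) printf 'PermitRootLogin no\nPasswordAuthentication no\n' ;;
        absent)     printf 'Port 22\n' ;;
    esac
}

# Stand-alone demo: one line per sample. Expected: FAIL, L1, L2, L1.
for name in finding level1 remediated absent; do
    printf '%-10s %s\n' "$name" "$(sample_config "$name" | permit_root_login_level)"
done
```

On a live Ubuntu 22.04 host, pipe in the output of `sudo sshd -T` rather than the raw file: the stock sshd_config pulls in /etc/ssh/sshd_config.d/*.conf through an Include directive that this single-file parser does not follow.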
CIS Control 3.5 — Audit Policy Not Configured
Description
Advanced Audit Policy is not configured on Windows servers. Required CIS audit categories (Logon/Logoff, Object Access, Privilege Use, Account Management) are not being logged, resulting in 0% coverage for forensic investigation and regulatory compliance requirements.
Recommendation
Deploy the CIS Advanced Audit Policy GPO baseline. Configure event log sizes per CIS guidance (Security log: 196608 KB minimum). Forward all audit events to the centralised SIEM.
* Showing 4 of 72 total findings. Full report provided upon engagement.
Risk Summary
Deliverables Included
- Pre and post-implementation CIS compliance scorecards
- Control-by-control gap analysis with evidence
- Hardening scripts (PowerShell/Ansible) for all implemented controls
- GPO baseline export for Windows environments
- Ongoing monitoring recommendations to maintain compliance
Ready for a real assessment?
Get a tailored CIS Hardening engagement led by certified operators with unlimited retests.