This is not a full CIS benchmark, but a small set of checks to demonstrate hardening work in the lab.
- Enforce strong password policies on all Windows systems.
- Configure account lockout (threshold + duration).
- Disable SMBv1 on servers and clients.
- Enable Windows Firewall and restrict inbound rules.
- Restrict local Administrator account usage.
- Disable or remove unnecessary services and features.
- Ensure all critical and security updates are installed.
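
A read-only audit sketch for the first five items, added here as an example and not part of the original lab material. The pass thresholds (14 characters, 5 attempts, 15 minutes) and the reading of "restrict local Administrator" as "built-in account disabled" are assumptions; it expects an elevated session on a non-domain-controller host.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit; changes no settings.
# Thresholds are lab assumptions, not values from this checklist.
$MinPasswordLength   = 14
$MaxLockoutThreshold = 5
$MinLockoutMinutes   = 15

# Export the effective account policy (INI format) and parse "key = value" lines.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -Force

$threshold = [int]$policy['LockoutBadCount']   # 0 means lockout is disabled
$duration  = [int]$policy['LockoutDuration']   # minutes; -1 means until an admin unlocks
$profiles  = Get-NetFirewallProfile
# The built-in Administrator keeps a SID ending in -500 even if renamed.
$builtin   = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }

$results = [ordered]@{
    'Minimum password length'      = ([int]$policy['MinimumPasswordLength'] -ge $MinPasswordLength)
    'Password complexity enabled'  = ($policy['PasswordComplexity'] -eq '1')
    'Lockout threshold set'        = ($threshold -ge 1 -and $threshold -le $MaxLockoutThreshold)
    'Lockout duration'             = ($threshold -ge 1 -and ($duration -eq -1 -or $duration -ge $MinLockoutMinutes))
    'SMBv1 server disabled'        = (-not (Get-SmbServerConfiguration).EnableSMB1Protocol)
    'SMBv1 feature not enabled'    = ((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled')
    'Firewall on for all profiles' = (@($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0)
    'No default inbound allow'     = (@($profiles | Where-Object { $_.DefaultInboundAction -eq 'Allow' }).Count -eq 0)
    'Built-in Administrator off'   = ($builtin -and -not $builtin.Enabled)
}

# Emit one object per check so the output can be piped to Format-Table or Export-Csv.
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
}
```

Unnecessary services and update status are left out because what counts as passing depends on each host's role and patch baseline.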