Introduction:
Endpoint hardening consists in reducing the attack surface of an operating system by disabling unnecessary services, reinforcing default configurations and applying strict security policies. On Windows 10/11, it's the difference between a machine compromised in 48 hours by opportunistic malware and an endpoint that resists targeted attacks for weeks, giving detection and response (EDR) time to do its job.
The usual pitch: "Apply CIS Benchmarks Level 2 on all your workstations, it's the norm". The reality on the ground: 847 parameters to configure manually, business applications that crash, users who scream because their printer no longer works, and an IT department that backs away from the scale of the project. Between the default Windows workstation (a security sieve) and the CIS Level 2 fortress (unusable without adaptations), there's an intelligent balance that nobody can explain to you.
This article debunks the myths of hardening, sets out the real priorities (the 20% of configurations that eliminate 80% of risks), compares standards (CIS, ANSSI, Microsoft Security Baselines), presents tools that automate without breaking the bank (Intune, HardeningKitty, GPO), and above all calculates the real ROI. Because hardening 500 workstations manually costs 150 hours of system admin time, whereas an automated strategy takes 20 hours and lasts over time.
Why hardening will be essential in 2025
The attack surface explodes
A standard Windows 11 workstation comes with:
- 200+ Windows services enabled (60% of which are never used in the enterprise)
- SMBv1 enabled by default (critical vulnerability exploited by WannaCry)
- Print Spooler listening (PrintNightmare, Evil Printer, dozens of CVEs)
- PowerShell without constraints (80% of modern malware uses it)
- Local administrator accounts with identical passwords for the entire fleet
- Administrative shares (C$, ADMIN$) accessible without enhanced authentication
Every service, legacy protocol or permissive configuration = potential entry point. Modern attackers automate detection: a network scan identifies vulnerable workstations in 30 seconds.
Today's threats target endpoints
Ransomware: LockBit, BlackCat, ALPHV encrypt workstations by exploiting weak local admin accounts. Lateral movement from a compromised workstation → entire domain locked in under 2 hours.
Living-off-the-land: malware-free attacks using PowerShell, WMI, PsExec (legitimate Windows tools). Undetectable by signature-based antivirus. Only defence: execution restrictions (AppLocker, WDAC).
Credential theft: Mimikatz, Rubeus extract NTLM hashes from LSASS memory. An unhardened workstation with Credential Guard disabled = admin credentials exposed.
Supply chain attacks: malware hidden in signed MSI/EXEs. Automatic execution if installation strategies are not hardened.
Mandatory regulatory compliance
NIS2 (European directive 2025): imposes technical IS security measures, including endpoint hardening. Fines of up to 2% of worldwide sales.
RGPD: an unsecured workstation that leaks personal data = demonstrable technical non-compliance = CNIL sanction.
ISO 27001, HDS, PCI-DSS: audits require proof of secure configurations. CIS Benchmarks or equivalent = expected standard.
Cyber-insurance: insurers refuse coverage or increase premiums by 300% without proof of hardening (CIS-CAT scan required).
The cost of non-hardening
Average ransomware incident: 4.5 million euros (Ponemon 2024). Recovery time: 21 days. Loss of sales, potential ransom, forensics costs, reputational impact.
Compromise of an admin workstation: lateral movement, IP exfiltration, persistent backdoor. Average detection: 200 days (too late).
Hardening of 500 workstations: €30,000 one-shot (automated) or €150,000 (manual). Payback: 1 incident avoided every 3 years.
Hardening standards: CIS, ANSSI, Microsoft - which one to choose?
CIS Benchmarks: the international standard
Principle: worldwide expert consensus recommendations, 2 levels of hardening.
Level 1: basic configurations with no impact on productivity. 250-300 parameters. Applicable to 95% of corporate environments.
Level 2: maximum hardening for high-security environments (finance, defense, healthcare). 550-650 parameters. Incompatible with certain business apps without adaptations.
Available versions:
- CIS Windows 11 Benchmark v3.0.0 (January 2025)
- CIS Windows 10 Benchmark v3.0.1 (December 2024)
- CIS Windows Server 2025 Benchmark v1.0.0 (March 2025)
- CIS Windows Server 2022 Benchmark v3.0.0
Advantages:
- Universal recognition (audits, insurance, certification)
- Extensive documentation (1200+ pages) with justifications
- Free (CIS-CAT Lite) and paid (CIS-CAT Pro) auditing tools
- Build Kits GPO for automation (fee-based, SecureSuite membership)
Disadvantages:
- Verbose, intimidating for beginners
- Level 2 breaks all common functionalities (Remote Desktop without adaptations, simplified file sharing)
- Quarterly updates = ongoing maintenance
- Free PDF version, paid for advanced tools (CIS-CAT Pro: ~€3000/year)
ANSSI BP-028: the French standard
Principle: Windows 10/11 secure configuration guide published by the Agence Nationale de la Sécurité des SI. 4 levels (minimal, intermediate, high, reinforced).
Levels:
- Minimal: Internet-exposed workstations with low-sensitivity data
- Intermediate: standard corporate network stations
- High: sensitive data (HR, finance, R&D)
- Reinforced: OIV (Opérateurs d'Importance Vitale), defense
Advantages:
- Free, French-language, French-context oriented (local compliance)
- Pragmatic: less dogmatic than CIS, more options for compromise
- PowerShell scripts provided for auditing and deployment (GitHub)
Disadvantages:
- Less well known internationally (Anglo-Saxon auditors prefer CIS)
- Irregular updates (latest Windows 11 version: June 2024)
- Less coverage of edge cases (VDI, Azure AD Join, etc.)
Microsoft Security Baselines: the manufacturer's approach
Principle: Microsoft-recommended configurations for Windows, Office, Edge, servers. Delivered via Security Compliance Toolkit.
Format: pre-configured GPOs (.pol), PowerShell scripts, Intune profiles.
Versions:
- Windows 11 23H2 Security Baseline (September 2024)
- Windows 10 22H2 Security Baseline (October 2023)
- Windows Server 2025 Security Baseline (preview March 2025)
- Microsoft 365 Apps for Enterprise Baseline
Advantages:
- Zero compatibility issues: Microsoft exhaustively tests its own OS
- Direct import into GPO or Intune (no manual conversion)
- Updates synchronized with Windows feature updates
- Free, officially supported
Disadvantages:
- Less stringent than CIS Level 2 (productivity/security trade-off)
- No third-party certification (audits prefer CIS)
- Covers Microsoft products only (no Linux or macOS guidance)
Comparative table: which reference system for which need?

Pragmatic recommendation:
- SME <200 workstations, tight budget: Microsoft Security Baseline + 10-15 priority hardening settings applied manually
- Company 200-2000 workstations, regulated sector: CIS Level 1 as baseline, Level 2 on critical workstations
- French environment, OIV: ANSSI BP-028 level High
- Multinational, ISO/SOC2 audits: CIS Level 1 (international recognition)
The 15 critical configurations that change everything
Rather than blindly implementing 800 CIS parameters, concentrate on these 15 maximum-impact configurations. They cover 80% of real attack vectors.
1. Disable SMBv1 (critical)
Why: exploited by WannaCry, NotPetya, EternalBlue. 30-year-old protocol, riddled with vulnerabilities.
How: PowerShell (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol) or GPO.
Impact: 0% if no legacy devices (NAS 2010, legacy printers). Test before mass deployment.
2. Local Administrator Password Solution (LAPS)
Why: 90% of companies have the same local admin password on all workstations. Compromise of a workstation = instant lateral movement.
How to use: Microsoft LAPS (free) or Intune LAPS (native Windows LAPS on Windows 11). Automatic 30-day rotation, secure AD/Azure AD storage.
Impact: blocks 70% of ransomware propagation scenarios.
3. Credential Guard (Windows 10 Enterprise/11 Pro)
Why: protects credentials in LSASS memory against Mimikatz, NTLM hash theft.
How: enable via GPO Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security.
Prerequisites: TPM 2.0, UEFI, CPU with virtualization (VT-x/AMD-V). Not compatible with older VMs.
Impact: makes credential theft 100x more difficult (requires kernel exploit).
4. Attack Surface Reduction (ASR) Rules
Why: Block common malicious behaviors (Office macros, obfuscated PowerShell scripts, code injection).
How: Microsoft Defender / Intune, enable the rules:
- Block Office child processes (prevents malicious macros from launching CMD/PowerShell)
- Block credential theft from LSASS
- Block execution of potentially obfuscated scripts
Deployment mode: 30-day audit → log analysis → Enforce on rules without false positives.
Impact: reduces ransomware attack surface by 60% (Microsoft telemetry).
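The audit → review → enforce workflow described above, as an added example that is not code from the article. It assumes Microsoft Defender Antivirus is the active AV, an elevated session, and that Defender's 1121/1122 event text carries "ID:", "Path:" and "Process Name:" lines (the parsing below relies on that layout). The rule GUIDs are Microsoft's published identifiers for the three rules named in the list; the exclusion path in the usage comments is a hypothetical placeholder.

```powershell
# Rule GUIDs: Microsoft's published ASR rule identifiers for the three rules above.
$AsrRules = @{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS'                        = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block execution of potentially obfuscated scripts'           = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
}

function Set-AsrRuleMode {
    # AuditMode = log only, Enabled = block, Disabled = off. Defaults to all three rules.
    param(
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode,
        [string[]]$RuleIds = $AsrRules.Values
    )
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Current action per configured rule (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn)
    $pref = Get-MpPreference
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function Get-AsrAuditSummary {
    # Defender Operational log: 1122 = rule audited (would have blocked), 1121 = rule blocked.
    # Recurring (rule, process, path) triples are the candidates for exclusions or for
    # keeping a rule in Audit mode; the message layout parsed here is an assumption.
    param([int]$Days = 30)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $hits = foreach ($e in $events) {
        $ruleId  = if ($e.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1] } else { 'unknown' }
        $path    = if ($e.Message -match 'Path:\s*(.+)')             { $Matches[1].Trim() } else { '' }
        $process = if ($e.Message -match 'Process Name:\s*(.+)')     { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            Mode    = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
            RuleId  = $ruleId.ToUpper()
            Process = $process
            Path    = $path
        }
    }
    $hits | Group-Object RuleId, Process, Path |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'RuleId';  e = { $_.Group[0].RuleId } },
            @{ n = 'Process'; e = { $_.Group[0].Process } },
            @{ n = 'Path';    e = { $_.Group[0].Path } }
}

# Usage, following the article's workflow:
# Set-AsrRuleMode -Mode AuditMode                       # day 0: audit only
# Get-AsrAuditSummary -Days 30 | Format-Table -AutoSize  # day 30: what would have been blocked?
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\LegacyApp\launcher.exe'  # hypothetical path
# Set-AsrRuleMode -Mode Enabled -RuleIds $AsrRules['Block credential stealing from LSASS']
```

Enforce rule by rule rather than all at once: a rule whose 30-day audit shows no hits, or only hits on paths you have explained, can go to Enabled immediately, while a rule with unexplained hits stays in Audit mode until the owning team has looked at them. -AttackSurfaceReductionOnlyExclusions keeps the excluded path under normal AV scanning, unlike a general Defender exclusion.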
5. Application Control (AppLocker or WDAC)
Why: whitelist of authorized executables. Blocks 100% of unknown malware.
AppLocker (older, simple): rules based on publisher/path/hash. Can be bypassed by DLL hijacking.
WDAC (Windows Defender Application Control, modern): kernel-level control, includes drivers. Unbreakable if properly configured.
How: start with AppLocker in Audit mode on C:\Program Files and C:\Windows. Whitelist signed publishers (Microsoft, Adobe, etc.). Block %TEMP% and %APPDATA% (95% of malware runs from these folders).
Complexity: high. Requires complete app inventory, exception handling.
Impact: absolute protection if well implemented, but heavy operational cost.
6. BitLocker with TPM + PIN
Why: Full disk encryption. Physical theft of laptop = unreadable data.
Standard configuration: BitLocker with TPM only = auto-decryption at boot (weak protection against physical attacks).
Reinforced configuration: TPM + user PIN. Attacker must know PIN (4-8 digits) in addition to stealing machine.
Key storage: mandatory in Azure AD or AD (recovery key backup).
Impact: immediate RGPD compliance on theft/loss of equipment.
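The migration from the "standard" TPM-only configuration to TPM + PIN with an escrowed recovery key, as an added example that is not code from the article. It assumes an elevated session on a domain-joined machine whose C: volume is already BitLocker-encrypted with a TPM protector, a TPM 2.0 chip, and a GPO "Require additional authentication at startup" that allows TPM + PIN; on Entra ID joined devices, replace Backup-BitLockerKeyProtector with BackupToAAD-BitLockerKeyProtector. The order of operations is the point: the recovery password is created and escrowed before the TPM-only protector is touched.

```powershell
function Test-BitLockerHardened {
    # Reports whether the volume matches the reinforced configuration: protection on,
    # TPM + PIN protector present, recovery password present.
    param([string]$MountPoint = 'C:')
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = "$($vol.ProtectionStatus)"
        TpmOnly          = $types -contains 'Tpm'        # auto-unlock at boot: weak
        TpmPin           = $types -contains 'TpmPin'
        RecoveryPassword = $types -contains 'RecoveryPassword'
        Compliant        = ("$($vol.ProtectionStatus)" -eq 'On') -and
                           ($types -contains 'TpmPin') -and
                           ($types -contains 'RecoveryPassword')
    }
}

function Set-BitLockerTpmPin {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin   # prompt for it, never hard-code it
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Ensure a recovery password exists and is escrowed in AD BEFORE touching the TPM
    #    protector, so that a failed step cannot leave a machine nobody can unlock.
    $rp = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rp  = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # 2. Replace the TPM-only protector with TPM + PIN (a volume holds one TPM-based protector).
    $tpmOnly = $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' }
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # 3. Return the resulting state for the deployment report.
    Test-BitLockerHardened -MountPoint $MountPoint
}

# Usage:
# Test-BitLockerHardened
# Set-BitLockerTpmPin -Pin (Read-Host -AsSecureString -Prompt 'Startup PIN')
```

Test-BitLockerHardened is what the monthly compliance run should collect: a fleet where TpmOnly is still true on some laptops has exactly the weakness the text describes, and a volume with TpmPin but no escrowed RecoveryPassword turns a forgotten PIN into lost data.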
7. Disable PowerShell v2
Why: PowerShell 2.0 bypasses all modern logs and protections (ScriptBlock logging, AMSI). Used by 90% of PowerShell malware.
How: Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
Impact: eliminates a major attack vector without breaking compatibility (PS 5.1+ is sufficient for all legitimate uses).
8. Enhanced audit logging
Why: post-incident detection impossible without logs. By default, Windows logs too little.
Critical configurations:
- Process Creation (4688) with command line
- PowerShell ScriptBlock Logging (4104)
- Logon events (4624/4625) with NTLMv2
- Object Access on sensitive files
Storage: forward to SIEM or Azure Sentinel (min. 90-day retention).
Volume: ~50-100 MB/workstation/day. 500 workstations = 2.5 TB/month. Budget storage.
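The four logging configurations above, switched on locally and then read back, as an added example that is not code from the article (in production the same settings go out through GPO or Intune). It assumes an elevated PowerShell 5.1+ session; the auditpol subcategories are addressed by their GUIDs so the script does not depend on the display language. D:\Finance in the usage comments is a hypothetical folder, and the triage pattern list is constructed for illustration rather than a complete detection rule.

```powershell
function Enable-EndpointAuditLogging {
    # Let subcategory settings take precedence over the legacy nine audit categories
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'SCENoApplyLegacyAuditPolicy' -Type DWord -Value 1

    # Subcategory GUIDs (auditpol display names are localized, GUIDs are not)
    $subcategories = @{
        'Process Creation' = '{0CCE922B-69AE-11D9-BED3-505054503030}'   # 4688
        'Logon'            = '{0CCE9215-69AE-11D9-BED3-505054503030}'   # 4624 / 4625
        'File System'      = '{0CCE921D-69AE-11D9-BED3-505054503030}'   # 4663 object access
    }
    foreach ($guid in $subcategories.Values) {
        auditpol.exe /set "/subcategory:$guid" /success:enable /failure:enable | Out-Null
    }

    # 4688 only carries the command line when this policy value is set
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Type DWord -Value 1

    # PowerShell ScriptBlock logging -> event 4104 in Microsoft-Windows-PowerShell/Operational
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sblKey -Force | Out-Null
    Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Type DWord -Value 1
}

function Add-SensitiveFolderAudit {
    # "Object Access" only produces events for objects that carry a SACL: add one here.
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData,WriteData,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ProcessCreationEvents {
    # Returns 4688 events as objects; -SuspiciousOnly keeps a few constructed triage patterns
    param([int]$Hours = 24, [switch]$SuspiciousOnly)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours)
    }
    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $data['SubjectUserName']
            Parent      = $data['ParentProcessName']
            Process     = $data['NewProcessName']
            CommandLine = $data['CommandLine']   # empty until the policy above is applied
        }
    }
    if ($SuspiciousOnly) {
        $rows = $rows | Where-Object {
            $_.CommandLine -match '(?i)(-enc(odedcommand)?\s|downloadstring|frombase64string|-nop\s|bypass)'
        }
    }
    $rows
}

# Usage:
# Enable-EndpointAuditLogging
# Add-SensitiveFolderAudit -Path 'D:\Finance'                          # hypothetical folder
# Get-ProcessCreationEvents -Hours 24 -SuspiciousOnly | Format-Table -AutoSize
```

An empty CommandLine column on a machine that should be hardened is itself a finding: it means the ProcessCreationIncludeCmdLine_Enabled value did not apply, and the 4688 events being shipped to the SIEM are far less useful than the text assumes.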
9. User Account Control (UAC) enforced
Why: prevents silent elevation of privileges. The UAC pop-up is necessary friction.
Configuration: AlwaysNotify (maximum level), no automatic elevation for admins.
User resistance: high ("it's annoying"). Educate users about the risk.
Impact: drastically reduces drive-by infections.
10. Print Spooler disabled (except print servers)
Why: Print Spooler = CVE factory. PrintNightmare (CVE-2021-34527), dozens of others.
User workstations: 95% do not require active service (printing via network server).
How: via GPO, stop and disable the Spooler service.
Exception: print servers, workstations with local USB printers (rare).
Impact: removes an entire class of critical vulnerabilities.
11. Network-Level Authentication (NLA) for RDP
Why: RDP without NLA = attacker can attempt login before encryption. Bruteforce easy.
Configuration: force NLA via the GPO "Require user authentication for remote connections by using Network Level Authentication".
Impact: reduces bruteforce RDP attacks by 95%.
12. Disable Remote Registry
Why: the Remote Registry service enables remote access to the Windows registry. Used for reconnaissance and lateral movement.
Legitimate use: virtually nil by 2025 (replaced by centralized management).
How: stop and disable the RemoteRegistry service.
Impact: less information disclosure, slower network reconnaissance.
13. Windows Firewall enabled on all profiles
Why: common default = firewall disabled on "Domain" profile because "we're in a secure network". Not true.
Configuration: activate on Domain, Private, Public. Block all inbound by default, with business exceptions (SMB to file servers, RDP to jump hosts).
Outbound filtering: advanced level, block outbound except whitelist. Prevents data exfiltration, C2 malware.
Outbound complexity: very high. For high-security environments only.
14. Disable LLMNR and NetBIOS
Why: legacy name resolution protocols. Exploited for MITM and credential theft (Responder, LLMNR poisoning).
How: GPO disable LLMNR, disable NetBIOS over TCP/IP on all interfaces.
Compatibility: 0 impact if DNS is correctly configured (the case for 99% of modern networks).
Impact: removes the attack vector used in the initial reconnaissance phase.
15. Endpoint Privilege Management (EPM)
Why: contextual elevation of privileges (approve a specific app, not the whole user account). Replaces "make everyone a local admin".
Solutions: Intune EPM (preview 2025), BeyondTrust, CyberArk.
Principle: a standard user can launch a business app (app-metier.exe) with admin rights via policy, without knowing the admin password.
Impact: drastically reduces the need for permanent local admins.
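A read-only check of the configurations above that can be verified on the workstation itself, as an added example that is not code from the article. It covers items 1, 3, 7, 9, 10, 11, 12, 13 and 14 (LAPS, ASR, application control, BitLocker, logging and EPM are verified from their own consoles or from the examples in their sections). It assumes an elevated PowerShell 5.1+ session; the registry values and CIM classes queried are the ones Windows uses for these settings, and nothing is modified.

```powershell
function Get-RegValue {
    # Returns $null when the key or value is absent (i.e. "not configured")
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-FeatureDisabled {
    # Absent or payload-removed optional features count as disabled
    param([string]$FeatureName)
    $f = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction SilentlyContinue
    return ($null -eq $f) -or ($f.State -ne 'Enabled')
}

function Test-ServiceDisabled {
    param([string]$Name)
    $s = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -eq $s) -or (($s.StartType -eq 'Disabled') -and ($s.Status -eq 'Stopped'))
}

function Test-CredentialGuardRunning {
    # SecurityServicesRunning contains 1 when Credential Guard is actually running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1)
}

function Test-FirewallAllProfiles {
    # Every profile (Domain, Private, Public) enabled with inbound blocked by default
    $bad = Get-NetFirewallProfile | Where-Object {
        "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block'
    }
    return (@($bad).Count -eq 0)
}

function Test-NetBiosDisabled {
    # TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    return (@($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Count -eq 0)
}

function Get-HardeningStatus {
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $dns = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $checks = [ordered]@{
        '1  SMBv1 disabled'               = Test-FeatureDisabled 'SMB1Protocol'
        '3  Credential Guard running'     = Test-CredentialGuardRunning
        '7  PowerShell v2 disabled'       = Test-FeatureDisabled 'MicrosoftWindowsPowerShellV2Root'
        '9  UAC always notify'            = ((Get-RegValue $sys 'EnableLUA') -eq 1) -and
                                            ((Get-RegValue $sys 'ConsentPromptBehaviorAdmin') -eq 2) -and
                                            ((Get-RegValue $sys 'PromptOnSecureDesktop') -eq 1)
        '10 Print Spooler disabled'       = Test-ServiceDisabled 'Spooler'
        '11 RDP requires NLA'             = (Get-RegValue $rdp 'UserAuthentication') -eq 1
        '12 Remote Registry disabled'     = Test-ServiceDisabled 'RemoteRegistry'
        '13 Firewall on, inbound blocked' = Test-FirewallAllProfiles
        '14 LLMNR disabled'               = (Get-RegValue $dns 'EnableMulticast') -eq 0
        '14 NetBIOS over TCP/IP disabled' = Test-NetBiosDisabled
    }
    foreach ($k in $checks.Keys) {
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Control = $k; Compliant = [bool]$checks[$k] }
    }
}

# Usage: console view, plus a per-workstation CSV that a collection script can gather
# Get-HardeningStatus | Format-Table -AutoSize
# Get-HardeningStatus | Export-Csv -NoTypeInformation -Path ".\hardening-$env:COMPUTERNAME.csv"
```

Run it on the pilot group before and after deployment to confirm the policies actually landed, and keep running it monthly: the same output is the drift report the "set and forget" section below warns about, and a control that flips back to non-compliant on a machine that was compliant last month is worth a ticket.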
Automation tools: Intune, GPO, HardeningKitty
Microsoft Intune: the cloud-native approach
For whom: cloud-first enterprises, Azure AD, mobile workstations, Zero Trust.
Advantages:
- Configuration deployment via profiles (Configuration Profiles, Settings Catalog)
- Integrated Microsoft Security Baselines (1-click import)
- Compliance policies conditioning access to resources
- Automatic remediation scripts (PowerShell executed when a device is non-compliant)
- Unified management Windows/macOS/iOS/Android
Intune hardening workflow:
- Import Microsoft Security Baseline (Windows 11, Edge, Defender)
- Create additional profiles (disable SMBv1, LAPS, ASR rules)
- Deploy in Audit mode on a pilot group (50 workstations)
- Analyze compliance reports 30 days
- Adjust rules (business app exceptions)
- Progressive rollout (10% users/week)
Limitations:
- Intune licenses required (included M365 E3/E5 or standalone ~€5/user/month)
- Workstations must be online to retrieve policies (OK for nomads, problem if network is isolated)
- No conventional GPOs (migration learning curve)
Cost of hardening 500 workstations: €0 if licenses are already held, 20h of engineering time = ~€2,000.
Group Policy Objects (GPO): the on-premise approach
For whom: Existing Active Directory, domain workstations, internal network, total control.
Advantages:
- Free (included in Windows Server)
- Granular control (thousands of settings)
- Forced application at boot/login (offline-first)
- Rollback possible (GPO backups)
GPO hardening workflow:
- Download CIS Build Kit GPO or Microsoft Security Baseline GPO
- Import into AD test environment (lab)
- Apply to OU test, reboot 10 machines
- Test critical apps (ERP, CRM, Office suite)
- Document incompatibilities (e.g. CIS blocks Office macros by default)
- Create exceptions (GPO override or WMI filtering)
- Deploy in production by OU (IT, Finance, Sales...) progressively
GPO traps:
- Complex application order (Local > Site > Domain > OU, Last Writer Wins)
- Troubleshooting difficult (gpresult /h report.html required)
- No native compliance reporting (requires SCCM or custom scripts)
Cost of hardening 500 workstations: 40h admin (tests + deployment + doc) = ~4000€.
HardeningKitty: the open-source Swiss Army knife
Principle: PowerShell script that audits and applies CIS/Microsoft Baseline/ANSSI configurations.
GitHub: github.com/0x6d69636b/windows_hardening
Features:
- Audit: scan workstation, generate CSV report with compliance score
- Hardening: applies recommendations automatically (HailMary mode)
- Backup: config backup before modifications (rollback possible)
- Support multiple finding lists (CIS, Microsoft, BSI, DoD STIG)
How to use:
```powershell
# Load the module from the cloned repository
Import-Module .\HardeningKitty.psm1

# Audit: compliance report against the CIS Windows 11 finding list
Invoke-HardeningKitty -Mode Audit -Log -Report -FileFindingList .\finding_list_cis_win11.csv

# Automatic hardening (HailMary), backing up the current values first
Invoke-HardeningKitty -Mode HailMary -Log -Report -FileFindingList .\finding_list_msft_baseline_win11.csv -BackupFile backup.csv

# Rollback: replay the backup as a finding list
Invoke-HardeningKitty -Mode HailMary -FileFindingList .\backup.csv -SkipRestorePoint
```
Advantages:
- Free, open-source
- Local execution (no AD/Intune dependency)
- Ideal for master image (golden image hardening)
- Export reports for audits
Limitations:
- Machine-by-machine execution (no native centralized deployment)
- No continuous monitoring (one-shot)
- Requires PowerShell expertise for customization
Best use: harden VDI/MDT master image before cloning. 1 HardeningKitty run = 1000 identically hardened stations.
Fatal errors and hardening myths
Error 1: Applying CIS Level 2 without testing
Consequence: 40% of business apps break. Users can no longer work. Emergency rollback = loss of IT credibility.
Real-life example: CIS Level 2 blocks remote assistance (Quick Assist, TeamViewer). IT support paralyzed.
Best practice: start Level 1, test for 60 days, upgrade Level 2 only on critical positions (finance, HR).
Error 2: Hardening without application inventory
Consequence: a legacy business app uses SMBv1 → hardening is applied → business process blocked.
Best practice: complete inventory beforehand (SCCM, Intune, scripts), identify dependencies (protocols, services, ports).
Error 3: No rollback plan
Consequence: configuration applied = unexpected performance regression. No backup = impossible to roll back cleanly.
Best practice: systematically backup beforehand (HardeningKitty backup, GPO export, Intune policy versioning).
Error 4: Big-bang deployment
Consequence: 500 workstations hardened overnight → flood helpdesk (200 tickets/day), IT department overwhelmed.
Good practice: progressive rollout. 5% → 10% → 25% → 50% → 100%. 2 weeks between each wave. Stabilize before next phase.
Error 5: Hardening = set and forget
Consequence: workstations compliant Month 1. Month 12: configuration drift (new software installed, local admin users added, services reactivated).
Best practice: continuous monitoring. Intune compliance reports, monthly CIS-CAT scripts, deviation alerts.
Myth 1: "Hardening breaks productivity".
Reality: intelligent hardening (Level 1, Microsoft Baseline) = 0 measurable productivity impact. Level 2 = requires adaptations but no blockage if well tested.
Studies: Microsoft telemetry shows <2% additional support tickets after well-planned hardening.
Myth 2: "Antivirus is enough".
Reality: antivirus detects known malware. Does not protect against exploitation of bad configurations (weak admin accounts, vulnerable services). Hardening = additional defense in depth.
Myth 3: "It's too complex for us".
Reality: Microsoft Security Baseline = 5-minute import into Intune/GPO. 80% of work done. Advanced customization optional.
Measure ROI and justify investment
Hardening cost calculation
500-station scenario, automated Intune approach:
- Licenses: €0 (included in existing M365 E3)
- Engineering time: 30h (policy design, testing, rollout) x €100/h = €3000
- Total: €3,000
500 workstations scenario, GPO approach + CIS Build Kit:
- CIS SecureSuite membership (optional, Build Kits): €3,500/year
- Admin time: 50h (GPO import, OU tests, exceptions, doc) x 80€/h = 4000€.
- Total: 7500€ year 1, then 1000€/year (maintenance)
500-station scenario, manual without tools:
- Admin time: 200h (manual configuration workstation by workstation) x €80/h = €16,000
- Total: €16,000 (to be avoided at all costs)
Measurable gains
Reduced security incidents: hardening CIS Level 1 reduces malware infections by 60-70% (Verizon DBIR). 500 workstations = 10 incidents/year → 3 incidents/year. Average incident cost: €15k (forensics, downtime, remediation). Savings: 105k€/year.
Regulatory compliance: avoids RGPD fines (max. 4% of sales), facilitates ISO 27001 audits (savings of 20-30h audit/year = €5k).
Cyber-insurance: premiums reduced by 15-25% with hardening proof (CIS-CAT scan supplied). 500 positions, premium €50k/year → savings €7.5k/year.
IT productivity: fewer incidents = fewer support tickets. 7h/week saved = €30k/year.
Consolidated ROI
Year 1 investment: €7.5k (GPO + CIS) or €3k (Intune)
Annual savings: 105k€ (incidents avoided) + 7.5k€ (insurance) + 30k€ (productivity) = 142.5k€/year
ROI: 1800% over 3 years (Intune approach). Payback: <1 month.
Without hardening: risk of major incident (ransomware) = 500k€-2M€. Probability over 3 years: 30-40% (private sector).
Conclusion: intelligent, not dogmatic hardening
The hardening of workstations is not a checklist to be applied blindly, it's a risk reduction strategy tailored to your business context. Between the default vulnerable Windows workstation and the inoperable CIS Level 2 fortress, there's an optimal balance that no one can give you off the shelf.
The real priorities:
- Disable dangerous legacy services (SMBv1, PowerShell v2, Print Spooler not required)
- Implement LAPS (stop lateral movement)
- Activate Credential Guard
- Deploy Attack Surface Reduction rules in targeted mode
- Auditing and logging (detecting abnormalities)
These 5 measures cover 80% of real attack vectors and can be deployed in 2 weeks on 500 workstations using Intune or GPO. The remainder (650 CIS Level 2 parameters) = incremental improvements to be prioritized according to your risk profile.
Don't make mistakes:
- Deploy without testing (broken business apps = humiliating rollback)
- Hardening big-bang (guaranteed operational chaos)
- Forget the rollback plan (no backup = no net)
- Set and forget (config drift in 6 months)
The winning strategy 2025:
- Baseline: Microsoft Security Baseline (0 incompatibilities, free, supported)
- Enrichment: 15-20 additional critical configurations (list above)
- Sensitive positions: full CIS Level 1 (finance, HR, management)
- Regulated environments: CIS Level 2 or ANSSI High (banking, healthcare, OIV)
- Automation: Intune (cloud) or GPO (on-prem), never manual
- Monitoring: monthly compliance, deviation alerts, automatic re-hardening
The ROI is indisputable: €3k-€7.5k invested = €142k/year saved + incident protection at €500k. But the real gain is peace of mind: your workstations resist the opportunistic attacks that compromise 70% of non-hardened businesses.
Hardening is not an option in 2025, it's basic hygiene. Just as washing your hands reduces infections, hardening your workstations reduces compromises. Simple, measurable, indispensable.
Next steps:
- Flash audit: scan 10 workstations with CIS-CAT Lite (free) → measure compliance gap
- Choose baseline: Microsoft (simplicity) or CIS Level 1 (recognition)
- Deploy 50 workstations on a pilot basis (1 week)
- Measure before/after incidents (3 months)
- Industrialize if ROI is positive (spoiler: it will be)
Don't leave your workstations in factory configuration. Every day without hardening = day when a trivial vulnerability can cost your company €500k.