LazyHackers.in — Checklist
🔐 Secure Configuration and Hardening Review Checklist
CIS / STIG hardening, item by item: how to check · the finding · the fix
☰ How to use this guide
A hardening review compares a system's actual configuration against a secure baseline — CIS Benchmarks, DISA STIGs or an internal standard — and reports the gaps. It's a credentialed, mostly read-only audit: pull the config, score it against the benchmark, then verify and prioritise the high-impact deviations (default creds, weak auth, exposed services, missing logging) over cosmetic ones. This guide turns the core review areas into how-to-check, with Windows and Linux specifics.
Automated benchmark tools do the breadth; you triage and prioritise. Map every finding to a control (CIS control #, STIG ID, or NIST 800-53 family). Each section ends with a coverage table.
⚠ Run as an authorised, credentialed config review. Tools read configuration; don't apply remediation on production during the assessment — report and let change-management remediate.
# Benchmark scanners (pick per platform)
# CIS-CAT Pro -> Windows/Linux CIS scoring
# Lynis -> lynis audit system (Linux)
# OpenSCAP / oscap -> oscap xccdf eval --profile cis ds.xml (Linux/STIG)
# HardeningKitty -> Invoke-HardeningKitty -Mode Audit (Windows)
# Microsoft SCT / PingCastle / Nipper (devices)0 Approach & benchmarking
Pick the right baseline for each system role and OS version, gather configs, and score against it.
⚑ Report as: “No secure-configuration baseline / systems not benchmarked”
🛡 Fix: Adopt a documented baseline per OS/role (CIS Benchmark level 1/2 or STIG); enforce it via golden images / config management (GPO, Ansible, DSC); scan regularly and track drift; remediate by risk.
Approach & benchmarking — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Baseline chosen per OS/role | select CIS/STIG profile | Baseline selected |
| Config gathered (credentialed) | collect config | Config collected |
| Benchmark scan run | CIS-CAT/Lynis/oscap | Benchmark scored |
| Drift from baseline tracked | compare to standard | Configuration drift |
| Findings mapped to controls | map CIS/STIG/NIST | Findings mapped |
1 Accounts & authentication
Default/unused accounts, weak password policy, no MFA, shared admin and excessive privileges are the highest-impact config gaps.
# Windows
net accounts ; net user ; net localgroup administrators
secedit /export /cfg secpol.cfg # review password/lockout policy
# Linux
awk -F: '($3>=1000){print}' /etc/passwd # user accounts ; chage -l <user> for aging
grep -E 'PASS_(MAX|MIN)_DAYS|PASS_MIN_LEN' /etc/login.defs⚑ Report as: “Weak password/lockout policy / default or unused privileged accounts”
🛡 Fix: Enforce strong password + lockout policy; remove/disable default and unused accounts; MFA on all admin/remote access; unique per-admin accounts (no shared); least privilege; rename/secure built-in admin; restrict who's in privileged groups.
Accounts & authentication — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Weak password policy | secedit / login.defs | Weak password policy |
| No account lockout | review policy | No lockout policy |
| Default/built-in accounts enabled | enumerate accounts | Default account enabled |
| Unused/stale accounts | review last-logon | Stale account |
| No MFA on admin/remote | check MFA | No MFA |
| Shared admin accounts | review accounts | Shared admin account |
| Excessive privileged group membership | review groups | Excessive privilege |
| Passwords stored reversibly | check storage | Reversible password storage |
2 Patch management & services
Two of the biggest attack-surface levers: missing patches and unnecessary running services/ports.
# Patch status
wmic qfe list brief # Windows hotfixes (or Get-HotFix)
apt list --upgradable ; yum check-update # Linux
# Listening services / open ports
netstat -anob (Windows) ; ss -tulpn (Linux)
systemctl list-unit-files --state=enabled # enabled services (Linux)⚑ Report as: “Missing security patches / unnecessary exposed services”
🛡 Fix: Keep OS and software patched (managed patch cycle, track EoL); disable/remove unneeded services, roles and features; close unused ports; minimal install; review listening services against need.
Patch & services — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Missing security patches | qfe/apt/yum | Missing patch |
| EoL / unsupported software | version check | Unsupported software |
| Unnecessary services enabled | list services | Unnecessary service |
| Unneeded open ports | ss/netstat | Exposed port |
| Unused roles/features installed | review install | Excessive attack surface |
| No patch-management process | review process | No patch management |
3 Logging & audit
Can the system evidence an incident? Audit policy on, logs sized and shipped off-box, key events captured.
# Windows audit policy
auditpol /get /category:*
# Linux auditd + log config
systemctl is-active auditd ; auditctl -l ; ls -l /var/log/{auth.log,secure}⚑ Report as: “Insufficient audit logging / logs not forwarded off-host”
🛡 Fix: Enable an audit policy that captures logon, privilege use, account/policy changes and process creation; size logs adequately; forward to a central SIEM (immutable, retained); protect logs from local tampering; sync time.
Logging & audit — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Audit policy not configured | auditpol / auditctl | Insufficient audit policy |
| Key events not logged | review policy | Missing event logging |
| Logs not forwarded (SIEM) | check forwarding | No central logging |
| Insufficient log size/retention | check config | Inadequate retention |
| Logs locally tamperable | check ACLs | Tamperable logs |
| Command/process logging off | check config | No process logging |
4 Network, time, malware & encryption
Host network config (firewall on, weak protocols off), time sync, endpoint protection, and encryption at rest.
⚑ Report as: “Host firewall disabled / weak protocols enabled / disk not encrypted”
🛡 Fix: Host firewall on with least-privilege rules; disable legacy/weak protocols (SMBv1, TLS 1.0/1.1, LLMNR/NBT-NS); NTP from a trusted source; endpoint protection enabled and updated; full-disk encryption (BitLocker/LUKS); secure boot.
Network, time, malware & encryption — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| Host firewall disabled | check firewall state | Host firewall disabled |
| Weak/legacy protocols enabled | check SMBv1/TLS/LLMNR | Weak protocol enabled |
| No/incorrect time sync | check NTP | No time synchronisation |
| Endpoint protection off/outdated | check AV/EDR | Endpoint protection gap |
| Disk not encrypted | check BitLocker/LUKS | No disk encryption |
| Secure boot disabled | check secure boot | Secure boot disabled |
| Insecure remote access (RDP/SSH) config | review config | Insecure remote access |
Windows-specific
W Windows-specific
Windows hardening hotspots: SMB signing, NTLM/LSASS protection, UAC, PowerShell logging, ASR rules and BitLocker — mostly GPO-driven.
# SMB signing + protocol
Get-SmbServerConfiguration | select RequireSecuritySigning, EnableSMB1Protocol
# Credential protection
Get-CimInstance Win32_DeviceGuard # Credential Guard state
# PowerShell logging + ASR
Get-MpPreference | select AttackSurfaceReductionRules_Ids
Invoke-HardeningKitty -Mode Audit # full CIS-style audit⚑ Report as: “Windows: SMB signing not required / SMBv1 enabled / Credential Guard off”
🛡 Fix: Require SMB signing + disable SMBv1; enable Credential Guard / LSASS protection (RunAsPPL); UAC at highest; PowerShell script-block + module logging + constrained language; enable ASR rules; BitLocker; LAPS for local admin; apply the CIS GPO baseline (Microsoft SCT).
Windows — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| SMB signing not required | Get-SmbServerConfiguration | SMB signing not enforced |
| SMBv1 enabled | check protocol | SMBv1 enabled |
| Credential Guard / RunAsPPL off | DeviceGuard / reg | LSASS not protected |
| UAC weak/disabled | check UAC policy | Weak UAC |
| PowerShell logging off | check policy | No PowerShell logging |
| ASR rules not enabled | Get-MpPreference | ASR not configured |
| BitLocker off | manage-bde -status | No disk encryption |
| No LAPS (local-admin reuse) | check LAPS | Local-admin password reuse |
| LLMNR/NBT-NS enabled | check policy | LLMNR/NBT-NS enabled |
| AutoRun/AutoPlay enabled | check policy | AutoRun enabled |
| Not on CIS GPO baseline | HardeningKitty/SCT | Baseline deviations |
Linux-specific
L Linux-specific
Linux hardening hotspots: SSH config, sudo, file/permission hygiene, kernel sysctl, and auditd — Lynis and OpenSCAP cover most.
lynis audit system # full hardening audit + score
# SSH hardening
grep -Ei '^(PermitRootLogin|PasswordAuthentication|Protocol|PermitEmptyPasswords)' /etc/ssh/sshd_config
sudo -l ; cat /etc/sudoers /etc/sudoers.d/* # sudo misconfig / NOPASSWD
# Dangerous file perms
find / -perm -4000 -type f 2>/dev/null # SUID ; find / -perm -2 -type f world-writable⚑ Report as: “Linux: SSH permits root/password login / world-writable or excess SUID binaries”
🛡 Fix: SSH: disable root login + password auth (keys only), no empty passwords; least-privilege sudo (no broad NOPASSWD); remove world-writable files and unnecessary SUID; harden sysctl (ASLR, disable IP forwarding/redirects); enable auditd; minimal packages; firewall on; apply the CIS/OpenSCAP profile.
Linux — full coverage
| Checklist item | How to check | Report as |
|---|---|---|
| SSH root login permitted | sshd_config | SSH root login enabled |
| SSH password auth (key-only expected) | sshd_config | SSH password auth |
| Empty passwords permitted | sshd_config / shadow | Empty password allowed |
| sudo NOPASSWD / misconfig | sudo -l / sudoers | Sudo misconfiguration |
| World-writable files | find -perm -2 | World-writable file |
| Excess SUID/SGID binaries | find -perm -4000 | Excessive SUID binary |
| Weak kernel sysctl (ASLR/forwarding) | sysctl -a | Weak kernel parameters |
| auditd not running | systemctl is-active auditd | No host auditing |
| No host firewall (iptables/ufw) | check firewall | No host firewall |
| Unnecessary packages/services | review installed | Excessive packages |
| Not on CIS/OpenSCAP profile | lynis/oscap | Baseline deviations |
✓ Coverage map & how to run it
Run the universal areas on every system, then the OS-specific band. Prioritise gaps by exploitability: default creds, weak auth, exposed services and missing logging first.
| Section | Run on | Focus |
|---|---|---|
| Universal 0–4 | Every system | Baseline, accounts, patch/services, logging, network/crypto |
| Windows | Windows hosts | SMB signing, Credential Guard, ASR, BitLocker, GPO baseline, LAPS |
| Linux | Linux hosts | SSH, sudo, file perms, sysctl, auditd, CIS/OpenSCAP |
Core principle: a hardening review measures the gap between the running config and a secure baseline — so anchor to a real benchmark (CIS / STIG / NIST 800-53) and map every finding to a control. Automated scanners give breadth (CIS-CAT, Lynis, OpenSCAP, HardeningKitty); your job is to prioritise the deviations that actually move risk and recommend enforcement via golden images / config management so the hardening doesn't drift back. Tick a box only when you've verified it.