SECURITYSQUAD
Back to the blog

System hardening with CIS Benchmarks: factory settings are open doors

2026-07-16 · by SECURITYSQUAD

System hardening with CIS Benchmarks: factory settings are open doors

Many successful attacks need no sophisticated zero-day. A server in its shipping state, a default password or a service listening openly that nobody uses is enough. Factory settings are optimised for quick setup, not for security – and attackers exploit exactly that convenience. System hardening closes these doors before anyone finds them.

Why default configurations are a risk

A freshly installed operating system, a new database or a cloud service ships with settings that enable as much as possible: active sample services, generous permissions, outdated protocols, verbose error messages. That is comfortable for operations and a map for attackers. Automated scanners search for exactly these patterns around the clock. Running systems in production unchanged relies on nobody looking – not a viable security strategy.

CIS Benchmarks: hardening that fits

The CIS Benchmarks from the Center for Internet Security are a globally established, vendor-neutral catalogue of concrete hardening requirements – for Windows and Linux, for Microsoft 365 and Azure, for databases, containers and network components. Instead of vague advice, they provide checkable individual measures: which service to disable, which policy to set, which protocol to switch off.

The benchmarks deliberately distinguish two levels: Level 1 covers measures that can be implemented with reasonable effort and without noticeable impact on operations. Level 2 targets environments with elevated protection needs and accepts restrictions in return. This lets you match hardening to a system's actual protection requirement, rather than locking everything down across the board.

From benchmark to operations

A benchmark is not a switch you flip once. The path runs through four steps: measure how far a system is from the target state; prioritise which deviations carry the greatest risk; roll out, ideally automated via configuration management; and document why a requirement is deliberately not met when an application does not allow it. Tools like CIS-CAT or the audit profiles of common hardening frameworks provide a reproducible target-versus-actual comparison for this.

The practical test matters: not every requirement fits every application. Hardening that breaks core functions gets worked around in daily use – and then does more harm than good. Hardening means weighing trade-offs, not maximising blindly.

Hardening needs maintenance

The most dangerous fallacy is to treat hardening as a one-off project. Systems change: updates reset settings, new software brings its own defaults, administrators open a port to troubleshoot and forget to close it. This creeping configuration drift eats up the security gain if nobody re-measures. That is why system hardening belongs in a continuous cycle and in a management system – the BSI's IT-Grundschutz and ISO 27001 anchor exactly this recurring review.

System hardening is unspectacular, but it is among the most effective and cheapest measures there are: it reduces the attack surface before a single euro goes into elaborate detection technology.

Read more: Expertise & Services · Cyber Risk Check · Penetration testing