Windows Server
CIS Microsoft Windows Server Benchmark
ID        Severity  Control                                                                                                               Rationale
--------  --------  --------------------------------------------------------------------------------------------------------------------  ------------------------------------------
1.1.1     Medium    Ensure 'Enforce password history' is set to '24 or more password(s)'                                                  Prevents password reuse.
1.1.2     Medium    Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'                                                 Forces periodic rotation.
1.1.4     High      Ensure 'Minimum password length' is set to '14 or more characters'                                                    Requires strong passwords.
1.1.5     High      Ensure 'Password must meet complexity requirements' is set to 'Enabled'                                               Requires complex passwords.
1.2.1     Medium    Ensure 'Account lockout duration' is set to '15 or more minutes'                                                      Slows brute-force guessing.
2.2.1     High      Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'                                             Reduces credential theft.
2.3.1.1   Medium    Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'             Organization-managed identities only.
2.3.7.1   Medium    Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'                                          Anti-spoofing (secure attention sequence).
9.1.1     High      Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'                                                      Host firewall on domain networks.
9.2.1     High      Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'                                                     Host firewall on private networks.
17.1.1    Medium    Ensure 'Audit Credential Validation' is set to 'Success and Failure'                                                  Audits authentication events.
18.9.4.1  Low       Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security'                                                            Minimum telemetry level.