Hardening Linux and Windows servers according to CIS and STIG

IT administrators, security specialists, DevOps/SecOps engineers.

• Understand the principles of CIS and STIG, their differences, and practical application.
• Gain the ability to manually and automatically harden Linux and Windows servers.
• Develop skills in using audit tools (OpenSCAP, CIS-CAT, STIG Viewer / SCAP).
• You will have a ready-made Ansible playbook for hardening and reporting scripts.

Basic Linux and Windows administration (working with the command line, basic GPO/AD knowledge).

Presentations, PDF outlines, VM images/virtual machines, sample scripts and playbooks, participation certificate.

1. Introduction + CIS for Linux & Windows
• Introduction to hardening: principles (attack surface minimization, least privilege), common threats and regulations (PCI DSS, NIST).
• Overview of CIS Benchmarks: structure, Level 1 vs Level 2, how to obtain and read the benchmark.
• Examples of CIS recommendations for Linux and Windows (accounts, services, logging, network).
• Practical exercise: analysis of CIS Benchmark (e.g., Ubuntu and Windows Server) and demo scanning (CIS-CAT Lite/Pro).
2. STIG, comparison of STIG vs CIS + tools
• Introduction to STIG (DISA, CAT I-III), SCAP, differences compared to CIS, and when to use each standard.
• Working with STIG Viewer and SCAP tools, demo SCAP/OSCAP scanning.
• Group activity: comparing a specific rule (e.g., password policy) in CIS vs STIG.
3. Hands-on: Hardening Linux
• Kernel & sysctl, systemd services, firewall (firewalld/ufw), file permission management, SELinux/AppArmor.
• Examples of CIS and STIG rules for Linux (explanation and impact).
• Practical lab: manual hardening of Ubuntu/RHEL according to CIS Level 1; implementation of selected STIG CAT I rules.
• Compliance verification: OpenSCAP / CIS-CAT scanning and result interpretation.
4. Hands-on: Windows Hardening + Ansible Automation
• Hardening Windows Server (Group Policy, registry, firewall, Windows Defender), CIS and STIG examples (SMBv1, audit, ACL).
• Introduction to Ansible (inventory, playbooks) + overview of CIS/STIG roles and WinRM for Windows.
• Workshop: creating and running Ansible playbooks — Linux and Windows hardening.
• Final project: deploy the playbook and verify compliance (CIS-CAT / OpenSCAP).