Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark recommendations to reduce attack surface, enforce security baselines, and meet compliance requirements. Use when deploying new Windows workstations or servers, remediating audit findings, or establishing organization-wide security baselines. Activates for requests involving Windows hardening, CIS benchmarks, GPO security baselines, or endpoint configuration compliance.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionhardening-windows-endpoint-with-cis-benchmarkExecute the skills CLI command in your project's root directory to begin installation:
Fetches hardening-windows-endpoint-with-cis-benchmark from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate hardening-windows-endpoint-with-cis-benchmark. Access via /hardening-windows-endpoint-with-cis-benchmark in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
4
total installs
4
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
4
installs
4
this week
8.6K
stars
| name | hardening-windows-endpoint-with-cis-benchmark |
| description | 'Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark recommendations to reduce attack surface, enforce security baselines, and meet compliance requirements. Use when deploying new Windows workstations or servers, remediating audit findings, or establishing organization-wide security baselines. Activates for requests involving Windows hardening, CIS benchmarks, GPO security baselines, or endpoint configuration compliance. ' |
| domain | cybersecurity |
| subdomain | endpoint-security |
| tags | - endpoint - hardening - windows-security - CIS-benchmark - GPO - baseline-configuration |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - PR.PS-02 - DE.CM-01 - PR.IR-01 |
Use this skill when:
Do not use this skill for Linux endpoints (use hardening-linux-endpoint-with-cis-benchmark) or for cloud-native workloads that require CIS cloud benchmarks.
CIS provides two profile levels for Windows endpoints:
Level 1 (L1) - Corporate/Enterprise Environment:
Level 2 (L2) - High Security/Sensitive Data:
Select profile based on data classification and risk tolerance of the endpoint.
CIS provides pre-built GPO templates (Build Kits) for each benchmark version:
# Download CIS Build Kit from CIS WorkBench (requires CIS SecureSuite membership)
# Extract the GPO backup to a staging directory
# Import the CIS GPO into Active Directory
Import-GPO -BackupGpoName "CIS Microsoft Windows 11 Enterprise v3.0.0 L1" `
-TargetName "CIS-Win11-L1-Baseline" `
-Path "C:\CIS-GPO-Backups\Win11-Enterprise" `
-CreateIfNeeded
# Link GPO to target OU
New-GPLink -Name "CIS-Win11-L1-Baseline" `
-Target "OU=Workstations,DC=corp,DC=example,DC=com" `
-LinkEnabled Yes
Account Policies (Section 1):
Password Policy:
- Minimum password length: 14 characters (1.1.4)
- Maximum password age: 365 days (1.1.3)
- Password complexity: Enabled (1.1.5)
- Store passwords using reversible encryption: Disabled (1.1.6)
Account Lockout Policy:
- Account lockout threshold: 5 invalid logon attempts (1.2.1)
- Account lockout duration: 15 minutes (1.2.2)
- Reset account lockout counter after: 15 minutes (1.2.3)
Local Policies - Audit Policy (Section 17):
Audit Policy Configuration:
- Audit Credential Validation: Success and Failure (17.1.1)
- Audit Security Group Management: Success (17.2.5)
- Audit Logon: Success and Failure (17.5.1)
- Audit Process Creation: Success (17.6.1)
- Audit Removable Storage: Success and Failure (17.6.4)
Security Options (Section 2.3):
- Interactive logon: Do not display last user name: Enabled (2.3.7.1)
- Interactive logon: Machine inactivity limit: 900 seconds (2.3.7.3)
- Network access: Do not allow anonymous enumeration of SAM accounts: Enabled (2.3.10.2)
- Network security: LAN Manager authentication level: Send NTLMv2 response only (2.3.11.7)
- UAC: Run all administrators in Admin Approval Mode: Enabled (2.3.17.6)
Windows Firewall (Section 9):
- Domain Profile: Firewall state: On (9.1.1)
- Domain Profile: Inbound connections: Block (9.1.2)
- Private Profile: Firewall state: On (9.2.1)
- Public Profile: Firewall state: On (9.3.1)
- Public Profile: Inbound connections: Block (9.3.2)
# Run CIS-CAT Pro Assessor against target endpoint
# CIS-CAT produces an HTML/XML report with pass/fail per recommendation
.\Assessor-CLI.bat `
-b "benchmarks\CIS_Microsoft_Windows_11_Enterprise_Benchmark_v3.0.0-xccdf.xml" `
-p "Level 1 (L1) - Corporate/Enterprise Environment" `
-rd "C:\CIS-Reports" `
-nts
# Review report for failed controls
# Score target: 95%+ for L1, 90%+ for L2 (due to operational exceptions)
For each CIS recommendation that cannot be applied:
Example exception:
Recommendation: 2.3.7.3 - Interactive logon: Machine inactivity limit: 900 seconds
Exception: Kiosk systems in manufacturing floor require 1800 seconds
Compensating Control: Physical badge-access to manufacturing area, CCTV monitoring
Review Date: 2026-06-01
Approved By: CISO
Configure recurring CIS-CAT scans via scheduled tasks or SCCM:
# Create scheduled task for weekly CIS-CAT assessment
$action = New-ScheduledTaskAction -Execute "C:\CIS-CAT\Assessor-CLI.bat" `
-Argument "-b benchmarks\CIS_Win11_v3.0.0-xccdf.xml -p Level1 -rd C:\CIS-Reports -nts"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName "CIS-Benchmark-Scan" -Action $action `
-Trigger $trigger -Principal $principal
Feed results into SIEM for drift detection and dashboard reporting.
| Term | Definition |
|---|---|
| CIS Benchmark | Consensus-based security configuration guide developed by CIS with input from government, industry, and academia |
| Level 1 Profile | Practical security baseline suitable for most organizations with minimal operational impact |
| Level 2 Profile | Extended security baseline for high-security environments that may reduce functionality |
| CIS-CAT | CIS Configuration Assessment Tool that automates benchmark compliance checking |
| Build Kit | Pre-configured GPO templates provided by CIS that implement benchmark recommendations |
| Scoring | CIS recommendations are either Scored (compliance-measurable) or Not Scored (best-practice guidance) |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Solid pick for teams standardizing on skills: hardening-windows-endpoint-with-cis-benchmark is focused, and the summary matches what you get after install.
I recommend hardening-windows-endpoint-with-cis-benchmark for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Registry listing for hardening-windows-endpoint-with-cis-benchmark matched our evaluation — installs cleanly and behaves as described in the markdown.
hardening-windows-endpoint-with-cis-benchmark reduced setup friction for our internal harness; good balance of opinion and flexibility.
We added hardening-windows-endpoint-with-cis-benchmark from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
hardening-windows-endpoint-with-cis-benchmark has been reliable in day-to-day use. Documentation quality is above average for community skills.
hardening-windows-endpoint-with-cis-benchmark fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: hardening-windows-endpoint-with-cis-benchmark is the kind of skill you can hand to a new teammate without a long onboarding doc.
hardening-windows-endpoint-with-cis-benchmark fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
hardening-windows-endpoint-with-cis-benchmark has been reliable in day-to-day use. Documentation quality is above average for community skills.
showing 1-10 of 37