
Hello,

I’m wondering what you are using for hardening operating systems?

In my company we’re using:

https://www.open-scap.org/ for Linux with profiles from the French cybersecurity agency

https://docs.microsoft.com/fr-fr/windows/security/threat-protection/security-compliance-toolkit-10 for Windows

I am convinced that hardening should be mandatory in production, don’t be afraid to deploy it with your images. It works very well for Veeam Servers.

PS: You should never deploy the hardening after deploying the app, you could meet horrible bugs.

Hello @BertrandFR!

 

Here at a big customer, we use the CIS solution: https://www.cisecurity.org/

It has images for Windows/Linux with a variety of OS versions.

Sometimes the VM “is born” hardened. It means that hardening is done soon after operating system installation.

At other times hardening is done only when all Veeam applications were configured. Yeah, on the first hardened VMs I had some trouble; now everything is OK.

 

 

 



I’d like to add my experience of CIS. At my previous job we tried to use Level 1 as a baseline for our infrastructure and we had difficulties working with our CRM vendor trying to operate their code on such a platform. It can be taken one of two ways, either that their code was doing something less secure that could’ve caused compromise to the server, or that the baseline isn’t tested with anything other than core Windows roles and your mileage will definitely vary.

 

We had zero interest from the CRM provider to investigate the issues and unfortunately depending on your vendor you may have the same issues.


Regular updates and patches.

No superfluous services.

Less privileged users.

Security endpoint solutions with relative agents.

Logging. Logging. Logging. (with his voice)
 

 

