This post explains how small businesses can implement practical, verifiable hardening measures on Windows and Linux systems to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control CM.L2-3.4.6 (establishing and enforcing secure configuration settings), providing a hands-on checklist, commands, automation examples and evidence collection tips aligned to the Compliance Framework.
What CM.L2-3.4.6 requires (practical interpretation)
At Level 2 the Compliance Framework expects organizations to define, implement, and maintain secure configuration baselines and ensure systems adhere to those baselines. Practically, that means documented security configurations (benchmarks), automated enforcement (where possible), monitoring for drift, and an auditable record of changes and exceptions for both Windows and Linux endpoints hosting Controlled Unclassified Information (CUI).
High-level implementation checklist
Start by working through the following:
(1) Select an authoritative baseline (CIS Benchmarks, Microsoft Security Baselines, or DISA STIG where applicable).
(2) Record the chosen baseline in policy.
(3) Deploy the baseline configurations to devices.
(4) Automate continuous enforcement.
(5) Monitor and alert on configuration drift.
(6) Document authorized deviations and change approvals.
(7) Capture evidence (GPO backups, automation runbooks, audit logs) for the compliance assessment.
Windows: concrete steps, commands and examples
For Windows endpoints and servers:
(1) Adopt the Microsoft Security Baseline or the CIS Windows Benchmark.
(2) Deploy via Group Policy, Intune (MDM) or SCCM. Example Group Policy setting: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options: set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only & refuse LM".
(3) Disable legacy protocols. Use PowerShell to disable SMBv1 and TLS 1.0 (the SCHANNEL protocol key does not exist by default, so create it before writing the value; SCHANNEL changes take effect after a reboot):
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value 0 -PropertyType DWORD -Force
(4) Enforce disk encryption and local account protections: enable BitLocker via MBAM/Intune and deploy LAPS for local administrator password management.
(5) Harden execution: use application control (AppLocker or Windows Defender Application Control) and enable Windows Defender Exploit Guard.
Automate verification: use PowerShell scripts that run Get-GPOReport, Test-Path against registry keys, and return a compliance pass/fail; store the results centrally (SIEM or file share) for audit. Example PowerShell check to confirm SMBv1 is off (the expected value is False):
    (Get-SmbServerConfiguration).EnableSMB1Protocol
Linux: concrete steps, commands and examples
For Linux systems:
(1) Adopt the CIS Benchmark for your distribution (RHEL, Ubuntu, etc.).
(2) Harden SSH: in /etc/ssh/sshd_config set PermitRootLogin no and PasswordAuthentication no (use keys), and configure ClientAliveInterval/ClientAliveCountMax to drop dead sessions; validate the file with sshd -t before restarting sshd so that a typo does not lock you out.
(3) Kernel and network hardening: add the following to /etc/sysctl.d/99-hardening.conf and run sysctl --system to apply it:
    net.ipv4.ip_forward=0
    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.default.rp_filter=1
(4) Limit services: use systemctl disable --now
Operationalize enforcement and evidence collection
Automation prevents drift—use Group Policy/Intune/SCCM/DSC for Windows and Ansible/Chef/Puppet for Linux. Implement daily or weekly configuration scans (e.g., CIS-CAT Pro, OpenSCAP, Nessus configuration audits) and centralize logs in a SIEM or log server. Maintain a change-control log that ties configuration changes to approved tickets, keep baseline artifacts in version control (GPO backups, DSC MOF files, Ansible playbooks), and collect periodic compliance reports (GPO reports, SCAP results, Ansible run outputs) as evidence for assessments.
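The compliance pass/fail script the Windows section asks for, the sshd_config/sysctl checks from the Linux section and the centrally stored evidence record this section describes, combined into one added example (it is not the post's own code). It assumes the "source:setting" naming of checks, the JSON record shape and the sample config text below are our own choices; the registry locations are the ones the post's GPO setting, Set-SmbServerConfiguration and SCHANNEL command write to, and the GPO value "Send NTLMv2 response only & refuse LM" corresponds to LmCompatibilityLevel 4. On Linux it reads the running sysctl values from /proc/sys rather than the file, so a file that was never applied is not counted as compliant.

```python
import json
import platform
import re
import sys
from datetime import datetime, timezone

# Expected values from the post's Linux steps; "<source>:<setting>" keys are our own naming.
LINUX_BASELINE = {
    "sshd:permitrootlogin": "no",
    "sshd:passwordauthentication": "no",
    "sysctl:net.ipv4.ip_forward": "0",
    "sysctl:net.ipv4.conf.all.rp_filter": "1",
    "sysctl:net.ipv4.conf.default.rp_filter": "1",
}

# Registry DWORD locations that the post's Windows settings write to ("path:valuename").
WINDOWS_BASELINE = {
    # GPO "Send NTLMv2 response only & refuse LM" = LmCompatibilityLevel 4
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa:LmCompatibilityLevel": 4,
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false
    r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters:SMB1": 0,
    # the SCHANNEL TLS 1.0 server key from the post
    r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server:Enabled": 0,
}

_SSHD_LINE = re.compile(r"^(\w+)\s*=?\s*(.+?)\s*$")  # "Keyword value" or "Keyword=value"

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the FIRST occurrence of a keyword,
    and everything after the first Match block is conditional, so parsing stops there."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SSHD_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        found.setdefault(key, value)
    return found

def parse_sysctl_conf(text):
    """Map key -> value in sysctl.conf syntax; a later line overrides an earlier one."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        found[key.strip().lstrip("-")] = value.strip()
    return found

def evaluate(baseline, observed):
    """Compare observed values with the baseline. A missing value is a failure, not a
    pass, because "not configured" usually means the insecure default is in effect."""
    results = []
    for check, expected in baseline.items():
        actual = observed.get(check)
        ok = actual is not None and str(actual).lower() == str(expected).lower()
        results.append({"check": check, "expected": expected,
                        "actual": actual, "status": "pass" if ok else "fail"})
    return results

def evidence_record(results, host=None):
    """JSON-serialisable record to ship to the SIEM or file share (the shape is ours)."""
    passed = sum(r["status"] == "pass" for r in results)
    return {"control": "CM.L2-3.4.6", "host": host or platform.node(),
            "checked_at": datetime.now(timezone.utc).isoformat(),
            "summary": {"pass": passed, "fail": len(results) - passed},
            "results": results}

def linux_observed(sshd_text, sysctl_text):
    """Observed Linux state built from sshd_config text and sysctl-style text."""
    observed = {"sshd:" + k: v for k, v in parse_sshd_config(sshd_text).items()}
    observed.update({"sysctl:" + k: v for k, v in parse_sysctl_conf(sysctl_text).items()})
    return observed

def collect_linux(sshd_path="/etc/ssh/sshd_config"):
    """Live collector: sshd_config from disk, sysctl values from the running kernel."""
    with open(sshd_path) as f:
        sshd_text = f.read()
    lines = []
    for check in LINUX_BASELINE:
        if check.startswith("sysctl:"):
            key = check.split(":", 1)[1]
            try:
                with open("/proc/sys/" + key.replace(".", "/")) as f:
                    lines.append(key + " = " + f.read().strip())
            except OSError:
                pass  # an unknown key stays unobserved and therefore fails
    return linux_observed(sshd_text, "\n".join(lines))

def collect_windows():
    """Live collector for Windows; an absent key or value is reported as a failing check."""
    import winreg  # Windows-only module
    observed = {}
    for check in WINDOWS_BASELINE:
        path, name = check.split(":", 1)
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path.split("\\", 1)[1]) as key:
                observed[check] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass
    return observed

# Constructed sample inputs (not from any real host) for an offline demonstration.
SAMPLE_SSHD_CONFIG = "# constructed sshd_config\nPort 22\nPermitRootLogin no\n" \
                     "PasswordAuthentication yes\nMatch User deploy\n    PasswordAuthentication no\n"
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 0\nnet.ipv4.conf.all.rp_filter=1\n"

def demo_results():
    """Evaluate the constructed sample: 3 checks pass, 2 fail."""
    return evaluate(LINUX_BASELINE, linux_observed(SAMPLE_SSHD_CONFIG, SAMPLE_SYSCTL))

if __name__ == "__main__":
    if sys.platform == "win32":
        results = evaluate(WINDOWS_BASELINE, collect_windows())
    else:
        results = evaluate(LINUX_BASELINE, collect_linux())
    print(json.dumps(evidence_record(results), indent=2))
    sys.exit(0 if all(r["status"] == "pass" for r in results) else 1)
```

Run it from a scheduled task or cron job and redirect the JSON to the evidence store; the non-zero exit status lets the scheduler alert on drift. The sample deliberately shows two of the failure modes that matter in an audit: a setting that is only fixed inside a Match block (so it does not apply globally) and a sysctl key that is absent rather than wrong.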
Small-business real-world scenarios and tips
Scenario A: Small contractor with 30 devices—use Intune to push Microsoft security baselines, enable BitLocker, and enforce LAPS; schedule weekly compliance PowerShell scripts to post JSON results to an Azure Storage account. Scenario B: Linux-heavy shop hosting CI—use Ansible to enforce CIS settings, run weekly OpenSCAP scans in CI pipeline, and block outward access for build agents via nftables to limit lateral risk. Practical tips: prioritize systems handling CUI, enforce least privilege on admin accounts, and document every baseline exception with risk acceptance and re-review dates.
Compliance tips, best practices and common pitfalls
Document your baseline (reference the exact CIS/SCAP/STIG version), automate enforcement and validation, and integrate configuration hardening into onboarding/offboarding and patch cycles. Avoid undocumented manual changes—they break auditability. Use layered controls (baseline + app control + EDR) rather than relying on a single setting. Keep exception handling formal: temporary exceptions require a ticket, compensating controls, and an expiration. Common pitfalls: failing to version baselines, not collecting automated evidence, and excluding servers from scans because of perceived operational risk—these all undermine compliance.
Risk of not implementing CM.L2-3.4.6
Without enforced secure configurations you increase the attack surface—legacy protocols, weak crypto, or misconfigured services can allow credential theft, lateral movement, ransomware, and CUI exfiltration. For contractors handling DoD or government data, noncompliance risks contract penalties, lost business, and reputational damage; technically, undetected drift often precedes compromise, so lack of enforcement is a high-impact, high-likelihood risk.
Summary: To meet CM.L2-3.4.6, select an authoritative baseline, document it, enforce it via Group Policy/MDM/SCCM for Windows and Ansible/Chef/Puppet for Linux, automate continuous validation (OpenSCAP, CIS-CAT, custom scripts), maintain change-control and evidence stores, and treat configuration hardening as a continuous operational program, not a one-time project. Following the checklist and the practical commands and examples above gives a small business a repeatable, auditable path to satisfying the Compliance Framework.