Windows Server 2025 CIS Hardening Consultant / Security Build Engineer

Eclaro International Inc.
Oakland, United States of America
2 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English

Tech stack

Microsoft Windows
Microsoft Active Directory
Build Automation
Azure
Computer Security
DNS
Hyper-V
Local Security Policy
Microsoft Security Essentials
Windows Server
PowerShell
Security Information and Event Management
Software Deployment
Software Vulnerability Management
Endpoint Security
Data Logging
Firewalls (Computer Science)
Build Management
Nessus
VMware

Job description

  • Develop, validate, and document a CIS-hardened Windows Server 2025 golden image that can be used as the organization's standard server build image.
  • Review existing Windows Server build standards.
  • Identify applicable CIS benchmark profile, such as Level 1 Member Server.
  • Build or update Windows Server 2025 baseline image.
  • Apply CIS hardening settings through GPO, local policy, PowerShell, or build automation.
  • Run Tenable CIS benchmark scans against the image.
  • Remediate failed controls where technically feasible.
  • Document exceptions where controls cannot be applied due to operational impact.
  • Validate core functionality after hardening.
  • Create final golden image or VM template.
  • Provide implementation guide for future server builds.
  • Provide handoff documentation for Cybersecurity and Infrastructure teams.

Expected Deliverables:

  • CIS-hardened Windows Server 2025 golden image or VM template.
  • GPO / local policy configuration package.
  • Tenable CIS benchmark scan results before and after remediation.
  • Remediation tracker with pass / fail status.
  • Exception / risk acceptance register.
  • Build and deployment guide.
  • Rollback or troubleshooting notes.
  • Recommended patching and maintenance process.
  • Final handoff session with Cybersecurity, Systems, and NetOps teams.

Success Criteria:

  • Windows Server 2025 image is hardened against the agreed CIS benchmark profile.
  • Tenable compliance scan results are reviewed and documented.
  • Exceptions are clearly justified and approved.
  • Image is operationally usable by Infrastructure teams.
  • Cybersecurity can approve the image as the organization's standard Windows Server 2025 baseline.

Requirements

  • Strong Windows Server 2022 / 2025 administration experience.
  • CIS Benchmark implementation experience for Windows Server.
  • Group Policy Object design and hardening.
  • Tenable / Nessus compliance scanning experience, including CIS benchmark scans.
  • PowerShell scripting for configuration validation and remediation.
  • Active Directory, DNS, local security policy, Windows Firewall, audit policy, and service hardening.
  • Experience with Microsoft security baselines.
  • Vulnerability remediation and exception documentation.
  • Golden image creation, Sysprep, VM templates, or image deployment process.
  • Security logging and Windows event forwarding / SIEM integration.
  • Ability to balance security hardening with operational compatibility.
  • The consultant should be able to work independently with Cybersecurity and Infrastructure teams and should have hands-on experience implementing hardening controls, not just reviewing scan results.

Preferred Skills:

  • Experience with VMware, Hyper-V, Azure, or enterprise server image pipelines.
  • Experience with Defender for Endpoint or similar EDR.
  • Experience with STIG, NIST, or enterprise configuration compliance.
  • Experience creating build documentation and operational runbooks.

About the company

ECLARO's client is a leading technology solutions provider, collaborating with customers to manage their needs and achieve success in their business goals. If you're up to the challenge, then take a chance at this rewarding opportunity!
