The application hardening guidelines provide security hardening for application-level components, including Microsoft SQL Server and Microsoft IIS 10. Each application supports auditing, remediation, and baseline comparison.
Adding Hardening Package
To add the CIS package, see Adding Commvault Software to a Server.
Supported Applications
The following applications are applicable for hardening guidelines.
| Application Key | Name | Platform |
|---|---|---|
| SQL_SERVER | Microsoft SQL Server 2022 | Linux & Windows |
| IIS | Microsoft IIS 10 | Windows |
Operations
The following operations are permitted on the supported applications.
| Operation | SQL Server | IIS |
|---|---|---|
| audit | ✔ | ✔ |
| remediate | ✔ | ✔ |
| compare_with_baseline | ✔ | ✔ |
| rollback | — | ✔ |
| list_snapshots | — | ✔ |
Execution
To run operations on supported applications, follow these steps:
-
Navigate to the CIS directory:
- For Linux: Change to
/opt/commvault/CIS - For Windows: Change directory to
C:\Program Files\Commvault\ContentStore\CIS
- For Linux: Change to
-
To execute the command on the CIS directory, run the following:
python application_hardening.py -a <Application> -o <operation>
Argument reference
| Argument | Flag | Required | Description |
|---|---|---|---|
| --Application | -a | Yes | Application to harden: SQL_SERVER or IIS |
| --operation | -o | Yes | audit, remediate, compare_with_baseline, rollback, or list_snapshots |
| --report_path | -rp | No | Custom reports / backup output directory |
| --username | -u | SQL Server only | Database username |
| --password | -p | SQL Server only | Database password |
SQL Server
Benchmark: CIS Microsoft SQL Server Benchmark Platforms: Linux and Windows Requires: valid SQL credentials (username and password)
Command Examples:
Audit:
python application_hardening.py -a SQL_SERVER -o audit
Remediate:
python application_hardening.py -a SQL_SERVER -o remediate -u <username> -p <password>
Compare with baseline:
python application_hardening.py -a SQL_SERVER -o compare_with_baseline
Note
Username and password are required only in remediate operation for SQL_SERVER.
Username: 1–128 chars, alphanumeric + underscore/hyphen. Password: min 8 chars, must contain at least 3 of: lowercase, uppercase, numbers, special characters.
IIS (Internet Information Services)
Benchmark: CIS Microsoft IIS 10.0 Benchmark Platform: Windows only (requires Administrator)
A full backup of IIS configuration is taken automatically before any remediation. Use the rollback operation to restore to a previous state.
Command Examples:
Audit:
python application_hardening.py -a IIS -o audit
Remediate:
python application_hardening.py -a IIS -o remediate
Compare with baseline:
python application_hardening.py -a IIS -o compare_with_baseline
Rollback (latest snapshot):
python application_hardening.py -a IIS -o rollback
Rollback (specific snapshot):
-
Use the below command to list snapshots:
python application_hardening.py -a IIS -o list_snapshots -
Use the below command to rollback to specific snapshot:
python application_hardening.py -a IIS -o rollback --snapshot iis_20250219_143022
Warning
The Rollback operation restores only IIS config files (applicationHost.config, administration.config, redirection.config). It does not revert registry changes, machine.config, or Windows feature uninstalls. Revert those manually if needed.