
CIS Control 4: Secure Configuration of Enterprise Assets & Software

Maintaining secure configurations on all your IT assets is critical for cybersecurity, compliance and business continuity. Indeed, even a single configuration error can lead to security incidents and business disruptions.

Control 4 of CIS Critical Security Controls version 8 details cyber defense best practices that can help you establish and maintain proper configurations for both software and hardware assets. (In version 7, this topic was covered by Control 5 and Control 11.) This article explains the 12 safeguards in this critical control.

4.1. Establish and maintain a secure configuration process.

CIS configuration standards involve the development and application of a strong initial configuration, followed by continuous management of your enterprise assets and tools. These assets include:

  • Laptops, workstations and other user devices
  • Firewalls, routers, switches and other network devices
  • Servers
  • IoT devices
  • Non-computing devices
  • Operating systems
  • Software applications

Develop your configuration standards based on best practice guidelines and CIS benchmarks. Once you have established a secure configuration process, be sure to review and update it each year or whenever significant enterprise changes occur.

Keys to success

  • Adopt an IT framework. Find a trusted security framework that can act as a roadmap for implementing appropriate controls.
  • Get to know your applications. Start by getting a baseline of all your systems, record changes as you make them, frequently monitor and review activity, and be sure to document everything.
  • Implement vulnerability and configuration scanning. Your security products should perform continuous vulnerability scanning and monitoring of your configuration settings.
  • Choose a system that can differentiate between good and bad changes. Pick a tool that alerts you to dangerous and unwanted changes without flooding you with notifications about approved changes.
  • Be systematic. Create procedures for regularly auditing your systems, and ensure the process is repeatable by thoroughly documenting it.

4.2. Establish and maintain a secure configuration process for network infrastructure.

Because network devices provide connectivity and communication and control the flow of information in an organization, they are top targets for malicious actors. Therefore, it’s vital to avoid vulnerabilities by using a secure configuration process.

You should establish standard security settings for different devices and promptly identify any deviation or drift from that baseline so you can manage remediation efforts. To improve the security of your network infrastructure devices, limit unnecessary lateral communications, segment your networks, segregate functionality where possible and harden all devices. In addition, conduct employee training sessions to minimize the risk of a team member unwittingly exposing your network to a data breach or cyberattack.

CIS recommends reviewing and updating your configuration process annually and whenever your enterprise undergoes significant changes, as well as implementing a standard procedure that includes:

  • Designating someone to approve all secure configurations
  • Reviewing the baseline configurations for all types of network devices
  • Tracking each device’s configuration state over time, including any variations

4.3. Configure automatic session locking on enterprise assets.

To mitigate the risk of malicious actors gaining unauthorized access to workstations, servers and mobile devices if the authorized user steps away without securing them, you should implement automatic session locking. For general-purpose operating systems, the period of inactivity must not exceed 15 minutes. For mobile devices, this period must not exceed two minutes.

4.4. Implement and manage a firewall on servers.

Firewalls are essential for the protection of sensitive data. Implementing a firewall on your servers protects them against unauthorized users, blocks certain types of traffic, and allows programs to run only from trusted platforms and other sources.

The top three risks associated with not having a firewall in place are:

  • Unauthorized access to your network. Without a firewall, your server is open to malicious actors who can use the vulnerabilities on your network for their gain.
  • Data loss or destruction. Cybercriminals who have access to your data can corrupt it, delete it, steal it, hold it for ransom or leak it to the public. Data breach recovery is a tedious, expensive process.
  • Network downtime. If your network is compromised and experiences unplanned downtime, your organization will lose business, productivity, morale, customer and public trust, and profits.

Therefore, it’s important to implement and manage a firewall on your servers. There are different firewall implementations, including virtual firewalls, operating system firewalls and third-party firewalls.

4.5. Implement and manage a firewall on end-user devices.

You should implement firewalls on end-user devices as well as your enterprise servers. Add a host-based firewall or port-filtering tool on all end-user devices in your inventory, with a default-deny rule that prohibits all traffic except a predetermined list of services and ports that have explicit permissions.

Firewalls should be tested and updated regularly to ensure that they are appropriately configured and operating effectively. You should test your firewalls at least once a year and whenever your environment or security needs change significantly.

Keep in mind that while firewalls are vital, they do little to address threats from malware or social engineering attacks, so other protection strategies are also needed to protect end-user devices from penetration by malicious actors.

4.6. Securely manage enterprise assets and software.

Securely managing enterprise assets and software is a long-term process that requires constant vigilance and attention. Organizations should be aware of the potential risks that come with new devices, applications and virtual environments, and take steps to mitigate these risks.

CIS controls recommend implementing the following measures to secure your critical enterprise assets and software:

  • Manage your configuration through version-controlled infrastructure-as-code. Infrastructure-as-code helps you ensure that changes are reviewed by someone on your team before being implemented in production, which reduces the risk of mistakes or vulnerabilities being introduced into the system. It also enables you to track changes in real time and to roll back to a previous version to maintain the integrity of the system.
  • Access administrative interfaces over secure network protocols, such as SSH and HTTPS. SSH and HTTPS offer strong authentication mechanisms that help ensure that only authorized users can access the administrative interfaces. Additionally, these protocols encrypt data during transfer so that even if an unauthorized user is able to access the system, they will be unable to read it. As a result, this best practice helps guard against several kinds of attacks, including man-in-the-middle attacks (which attempt to intercept messages in transit between two systems) and brute-force attacks (which attempt to guess a password by repeatedly entering different passwords until the correct one is found).
  • Avoid using insecure management protocols like Telnet or HTTP. These protocols do not have adequate encryption support and are therefore vulnerable to interception and eavesdropping attacks.

4.7. Manage default accounts on enterprise assets and software.

Enterprise assets and software typically come preconfigured with default accounts such as root or administrator — which are easy targets for attackers and can give them extensive rights in the environment.

Accordingly, it’s a best practice for every company to disable all default accounts immediately after the asset is installed and create new accounts with custom names that aren’t well known. This makes it harder for attackers to guess the name of your admin account. Make sure to choose strong passwords, as defined by a standards body like NIST, and change them frequently — at least every 90 days.

Make sure the individuals with access to these privileged accounts understand they are reserved for situations when they are required; they should use their regular user account for all other tasks.

4.8. Uninstall or disable unnecessary services on enterprise assets and software.

When you’re configuring your enterprise assets and software, it’s important to disable or uninstall any unnecessary services. Examples include unused file-sharing services, unneeded web application modules and extraneous service functions.

These services expand your attack surface area and can include vulnerabilities that an attacker could exploit, so it’s best practice to keep things as lean and clean as possible, leaving only what you absolutely need.

4.9. Configure trusted DNS servers on enterprise assets.

Your assets should use enterprise-controlled DNS servers or reputable, externally-accessible DNS servers.

Because malware is often distributed via DNS servers, ensure that you promptly apply the latest security updates to help prevent infections. If hackers compromise a DNS server, they could use it to host malicious code.

4.10. Enforce automatic device lockout on portable end-user devices.

In addition to the automatic session locking recommended in Control 4.3, you should establish automatic lockout on portable end-user devices after a defined number of failed authentication attempts. Laptops should be locked after 20 failed attempts, or a lower number if needed based on your organization’s risk profile. For smartphones and tablets, the threshold should be lowered to no more than 10 failed attempts.
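The baseline-and-drift idea from 4.1, applied to the concrete settings in 4.3 and 4.5 through 4.10, as an added example that is not code from Netwrix, CIS or this article: the snapshot schema, the laptop/mobile classification and the approved DNS and port lists are assumptions; only the thresholds come from the safeguards above.

```python
"""Baseline drift check for the Control 4 settings above (added example, not
Netwrix or CIS code; snapshot schema and approved lists are assumptions)."""

# Thresholds come from the safeguards above; the laptop/mobile split and the
# approved DNS and port lists are constructed for this illustration.
BASELINE = {
    "max_session_lock_seconds": {"laptop": 15 * 60, "mobile": 2 * 60},  # 4.3
    "max_failed_logins": {"laptop": 20, "mobile": 10},                  # 4.10
    "approved_ports": {22, 443},                                        # 4.5 / 4.8
    "approved_dns": {"10.0.0.53", "10.0.1.53"},                         # 4.9
    "insecure_mgmt": {"telnet", "http"},                                # 4.6
    "default_accounts": {"root", "administrator", "admin"},             # 4.7
}

def check_host(snap, baseline=BASELINE):
    """Compare one host snapshot with the baseline; return (safeguard, detail) pairs."""
    kind = snap["device_type"]
    findings = []
    lock = snap["session_lock_seconds"]
    if lock > baseline["max_session_lock_seconds"][kind]:
        findings.append(("4.3", f"session lock after {lock}s exceeds the {kind} limit"))
    if snap["firewall_default_policy"] != "deny":
        findings.append(("4.5", "host firewall default policy is not deny"))
    for port in sorted(set(snap["listening_ports"]) - baseline["approved_ports"]):
        findings.append(("4.8", f"unapproved service listening on port {port}"))
    for svc in sorted(set(snap["management_services"]) & baseline["insecure_mgmt"]):
        findings.append(("4.6", f"insecure management protocol enabled: {svc}"))
    for acct in snap["accounts"]:
        if acct["enabled"] and acct["name"].lower() in baseline["default_accounts"]:
            findings.append(("4.7", f"default account still enabled: {acct['name']}"))
    for dns in snap["dns_servers"]:
        if dns not in baseline["approved_dns"]:
            findings.append(("4.9", f"DNS server not enterprise-controlled: {dns}"))
    tries = snap["failed_login_lockout"]
    if tries > baseline["max_failed_logins"][kind]:
        findings.append(("4.10", f"lockout after {tries} failed logins exceeds the {kind} limit"))
    return findings

# Constructed snapshot of a drifted laptop, shaped like an inventory export.
DRIFTED_LAPTOP = {
    "device_type": "laptop",
    "session_lock_seconds": 1800,
    "failed_login_lockout": 50,
    "firewall_default_policy": "allow",
    "listening_ports": [22, 23, 443, 8080],
    "management_services": ["ssh", "telnet", "http"],
    "dns_servers": ["10.0.0.53", "198.51.100.7"],
    "accounts": [{"name": "root", "enabled": True}, {"name": "admin", "enabled": False}],
}
```

Running `check_host(DRIFTED_LAPTOP)` returns nine deviations, one per safeguard violated by the constructed snapshot; a host matching the baseline returns an empty list, which is the signal a change-tracking tool would treat as "no drift".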

4.11. Enforce remote wipe capability on portable end-user devices.

If a user misplaces or loses their portable device, an unauthorized party could access the sensitive data it stores. To prevent such breaches (and possible compliance penalties), you should configure remote wipe capabilities that enable you to delete sensitive data from portable devices without having to physically access them. Be sure to test this capability frequently to ensure that it is working correctly.

4.12. Separate enterprise workspaces on mobile end-user devices.

You should create a separate enterprise workspace on users’ mobile devices, specifically with regard to contacts, network settings, emails and webcams. This will help prevent attackers who gain access to a user’s personal applications from accessing your corporate files or proprietary data.

How Netwrix can help

When it comes to the security of your enterprise assets and software, you can’t afford to leave anything to chance. Netwrix Change Tracker scans your network for devices and helps you harden their configuration with CIS-certified build templates. Then it monitors all changes to system configuration in real time and immediately alerts you to any unplanned modifications.

With Netwrix Change Tracker, you can:

  • Establish strong configurations faster.
  • Quickly spot and correct any configuration drift.
  • Avoid security incidents and business downtime.
  • Increase confidence in your security posture with comprehensive information on security status.
  • Pass compliance audits with ease using 250+ CIS-certified reports covering NIST, PCI DSS, CMMC, STIG and NERC CIP.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.