CIS Control 4 establishes secure configurations for enterprise assets and software to reduce vulnerabilities from misconfigurations. Its 12 safeguards cover baselines, firewalls, account management, and mobile device controls, ensuring consistent security across environments. Applying these measures strengthens defenses, prevents drift, and supports compliance with security frameworks.
Maintaining secure configurations across IT assets is essential for cybersecurity, compliance, and business continuity. A single misconfiguration can create vulnerabilities that lead to costly breaches or disruptions.
CIS Control 4 of the CIS Critical Security Controls v8 details best practices for establishing and maintaining secure configurations for enterprise hardware and software. (In version 7, this topic was covered by Control 5 and Control 11.) This article explains the 12 safeguards included in this control and how to implement them effectively.
What are CIS Controls?
The CIS Critical Security Controls are a collection of best practices maintained by the Center for Internet Security (CIS). They provide a prioritized roadmap for organizations to mitigate cyberattacks, prevent data leaks, and strengthen overall security posture. Version 8 defines 18 controls, each covering a critical aspect of cybersecurity.
What is CIS Control 4?
CIS Control 4 focuses on securing enterprise assets, including endpoints, network devices, IoT devices, servers, operating systems, and software applications. It emphasizes replacing weak default settings with hardened configurations and ensuring consistency across environments.
With the growth of BYOD, cloud adoption, and hybrid work, ensuring consistent and secure configuration is critical. Weak configurations give attackers easy entry into systems.
4.1. Establish and maintain a secure configuration process
Define and apply initial secure configurations for all enterprise assets, including laptops, servers, IoT, and network devices. Base them on CIS benchmarks and industry standards. Review and update annually or when significant changes occur.
Keys to success: – Adopt a security framework as your roadmap. – Baseline applications and track all changes. – Continuously scan for vulnerabilities and misconfigurations. – Use tools that distinguish approved vs. risky changes. – Document and audit regularly.
4.2. Establish and maintain secure network infrastructure configurations
Network devices control connectivity and are top targets for adversaries. Harden configurations, segment networks, and monitor for drift.
Keys to success: – Update processes after major changes. – Apply human oversight for approvals. – Routinely review hardware settings. – Maintain configuration histories for audits.
4.3. Configure automatic session locking on enterprise assets
Mitigate risks from unattended devices by locking sessions automatically. Workstations should lock after 15 minutes; mobile devices within 2 minutes.
Keys to success: – Enforce complex passwords. – Adjust lockouts based on sensitivity of the device. – Use pattern-hiding displays or screensavers.
4.4. Implement and manage firewalls on servers
Firewalls protect data from unauthorized access, block malicious traffic, and allow trusted applications only.
Keys to success: – Review firewall rules regularly. – Segment networks to reduce lateral movement. – Audit firewall performance and test with penetration exercises.
4.5. Implement and manage firewalls on end-user devices
Deploy host-based firewalls with default-deny rules on all devices. Test and update configurations regularly.
Keys to success: – Align firewall policies with compliance requirements. – Log and classify network traffic centrally for insights.
4.6. Securely manage enterprise assets and software
Use secure protocols and avoid outdated methods like Telnet or HTTP. Protect interfaces and management tools from exploitation.
Keys to success: – Use infrastructure-as-code for controlled, reviewable changes. – Enforce secure protocols (SSH, HTTPS). – Phase out insecure protocols.
4.7. Manage default accounts
Disable or rename default admin accounts and enforce strong, unique credentials.
Keys to success: – Lock down domain admin accounts with long, secure passwords. – Enforce least privilege for all roles. – Apply granular password policies.
4.8. Uninstall or disable unnecessary services
Remove unused or redundant services to minimize attack surface.
Keys to success: – Scan regularly for new services. – Log service activity for visibility. – Assess compatibility before disabling.
4.9. Configure trusted DNS servers
Use enterprise-controlled or reputable DNS servers to protect communications and apply updates quickly.
Keys to success: – Deploy multiple internal DNS servers for redundancy. – Log queries for audits and anomaly detection. – Restrict access to administrators only.
4.10. Enforce device lockout on portable endpoints
Block brute-force attacks by enforcing lockouts after failed login (20 for laptops, 10 or fewer for mobile).
Keys to success: – Apply lockouts across all devices. – Educate employees on policies. – Use MFA for unlocks.
4.11. Enforce remote wipe on portable devices
Enable remote wipe for lost or stolen devices to prevent data loss and compliance violations.
Keys to success: – Define clear wipe triggers. – Test functionality regularly.
4.12. Separate enterprise workspaces on mobile devices
Partition enterprise data from personal apps on mobile devices.
Keys to success: – Provide self-service portals for device management. – Ensure remote patching and updates.
How Netwrix Helps You Meet CIS Control 4 Safeguards
Implementing CIS Control 4 means putting secure configurations in place and keeping them consistent over time. Netwrix solutions map directly to these safeguards.
Establishing and maintaining secure baselines: Netwrix Change Tracker continuously monitors configurations across servers, databases, and endpoints. It detects unauthorized or risky changes in real time, highlights drift from approved baselines and generates CIS-certified reports to simplify audits. This ensures you can prove compliance while reducing opportunities for attackers to exploit misconfigurations.
Enforcing least privilege and Group Policy compliance: Netwrix Endpoint Policy Manager removes local admin rights without disrupting productivity. It validates that Group Policy settings are applied correctly across Windows endpoints, consolidates GPO sprawl, and blocks unauthorized changes. These capabilities directly support safeguards for secure account management, firewall rules, and device lockouts.
Preventing data loss at the endpoint: Netwrix Endpoint Protector stops sensitive data from leaving through USB drives, printers, or other exit points. With content-aware protection and enforced encryption, you can align with CIS recommendations to control removable media and reduce exfiltration risks.
Together, these tools help organizations address the most challenging parts of CIS Control 4, from securing initial configurations to ensuring they remain locked down in hybrid and remote environments.
CIS Control 4 FAQs
What are CIS Controls?
A prioritized security framework developed by the Center for Internet Security that helps organizations prevent cyberattacks. It includes 18 controls covering all areas of enterprise security.
What is CIS Control 4?
CIS Control 4 is a cybersecurity best practice from CIS Critical Security Controls that focuses on secure configuration of enterprise assets and software. It ensures systems are hardened against attacks by replacing default settings with secure baselines and regularly maintaining those configurations.
How can companies implement secure configuration processes?
Companies can implement secure configuration by first creating a full inventory of assets, then establishing hardened baselines with CIS Benchmarks. Security policies should be enforced across all systems, and continuous monitoring with tools like Netwrix Change Tracker helps detect configuration drift and streamline audit preparation.
Is CIS Controls a standard?
CIS Critical Security Controls (CIS Controls) is not a formal standard but has become a widely accepted de facto global cybersecurity framework. Developed by the nonprofit Center for Internet Security (CIS), the controls provide a prioritized, community-driven set of best practices for operational security.
They offer a practical roadmap for defending against modern cyber threats and are strengthened by broad adoption and regular updates.
Why use CIS Controls?
Organizations adopt CIS Controls because they provide:
- High-impact, prioritized guidance. They focus on the most effective actions to reduce attack surfaces and stop common attack techniques.
- Practical, scalable implementation. Implementation Groups (IGs) allow organizations of all sizes to begin with core protections and expand over time.
- Compliance alignment. The controls map directly to widely used frameworks such as NIST CSF, ISO 27001, PCI DSS, and HIPAA, serving as a strong starting point for regulatory alignment.
- Simplified, actionable steps. CIS Controls deliver practical safeguards that IT teams can implement quickly, unlike more abstract frameworks.
- Proven effectiveness. Version 8 of the CIS Controls mitigates approximately 86% of MITRE ATT&CK techniques (or 74% at the basic IG1 level).
