CIS Control 4: Secure Configuration of Enterprise Assets and Software

Key Takeaways for Control 4

Most fresh installs of operating systems or applications come with pre-configured settings that are usually insecure or not properly configured with security in mind. Use the leverage provided by multiple frameworks such as CIS Benchmarks or NIST NCP to find out if your organization needs to augment or adjust any baselines to become better aligned with policies your organization is trying to adhere to.

Throughout the CIS Controls, many Controls will play off one another, or some may need data from previous Controls to get a better understanding of what is secure and what is not. An example is Control 4. This measure deals with secure configuration of those enterprise assets and software identified by Controls 1 and 2.

Remember to go with a layered approach to cybersecurity. Implementing and managing firewalls is a cornerstone of cybersecurity, but putting all your eggs in one basket and hoping you can catch or stop every threat is not realistic. Having multiple layers of security can improve your effectiveness at slowing, delaying, or hindering a threat until it can be completely neutralized.

Safeguards for Control 4

4.1) Establish and Maintain a Secure Configuration Process

Description: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this safeguard is Protect. This safeguard can be implemented by leveraging other benchmarks and checklists such as CIS Benchmarks or NIST NCP (National Checklist Program). With CIS benchmarks and NIST NCP, you can augment or adjust the baselines that satisfy your enterprise security policy.

4.2) Establish and Maintain a Secure Configuration Process for Network Infrastructure

Description: Establish and maintain a secure configuration process for network devices. Review and update documentation annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this safeguard is Protect. As with safeguard 4.1, network devices are also in need of hardening. The benchmarks and tools mentioned earlier can be augmented and adjusted to fit this field, as well.

4.3) Configure Automatic Session Locking on Enterprise Assets

Description: Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

Notes: The security function associated with this safeguard is Protect. Enabling automatic session lockouts helps prevent unauthorized access to devices. I reiterate this because most operating systems have this policy disabled or not defined.

4.4) Implement and Manage a Firewall on Servers

Description: Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.

Notes: The security function associated with this safeguard is Protect. Firewalls are a cybersecurity foundation for many enterprises. With that said, it’s never a good idea to put all your eggs in one basket when dealing with cybersecurity. A good analogy is to look at how you defend a castle. You have a mote, high walls, and an inner wall. This represents layers. Good cybersecurity practice is to layer your security, so if one instance of security is breached, you have several other layers to fall back on as protection.

4.5) Implement and Manage a Firewall on End-User Devices

Description: Implement and manage a host-based firewall or port-filtering tool on end-user devices with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed

Notes: The security function associated with this safeguard is Protect. As stated above in Safeguard 4.4, firewalls can be the first line of defense against penetration attacks, but it is also good to implement several other cybersecurity defenses on top of an End-Users firewall.

4.6) Securely Manage Enterprise Assets and Software

Description: Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols such as Telnet (Teletype Network) and HTTP unless operationally essential.

Notes: The security function associated with this safeguard is Protect. It is important to be using secure and encrypted protocols when managing assets and software. You should also be having your software on the latest patches for security benefits, as well. It doesn’t matter how secure you think your endpoints are with outdated software. It can leave the door open for potential attacks.

4.7) Manage Default Accounts on Enterprise Assets and Software

Description: Manage default accounts on enterprise assets and software such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.

Notes: The security function associated with this safeguard is Protect. There is no need for an administrator or root account to be active unless the need for recovery. Administrative accounts are highly privileged, and if an attacker has access to them, they are now able to create other users. This is why it’s important to have them deactivated or have a strong unique password attached, if needed.

 4.8) Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Description: Uninstall or disable unnecessary services on enterprise assets and software such as an unused file sharing service, web application module, or service function

Notes: The security function associated with this safeguard is Protect. Not all system components and services are needed for functionality. For example, many vulnerabilities have been linked to RDP in its default configuration. There are several improvements that can be made to make RDP more secure. Alternatively, you can just disable the service.

4.9) Configure Trusted DNS Servers on Enterprise Assets

Description: Configure trusted DNS servers on enterprise assets. Example implementations include configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. 

Notes: The security function associated with this safeguard is Protect. A key component of the internet, DNS has vast importance, and it should be properly secured. There are several frameworks that implement this. One such framework is by SANS Institute for DNS defense. They recommend:

1. Patches and Latest Builds
2. Split internal and External DNS
3. Disable Recursion
4. Single-Purpose DNS Server
5. Diverse Location of DNS Servers
6. Restrict Zone Transfers
7. Authenticate Zone Transfers
8. Restrict Dynamic Updates
9. Restrict Access
10. Restrict external access to the DNS servers by using queries for clients with public IP address.

4.10) Enforce Automatic Device Lockout on Portable End-User Devices

Description: Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts. For tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.

Notes: The security function associated with this safeguard is Respond. Similar to safeguard 4.3, having a threshold for attempts on local devices is important in helping to prevent unauthorized access.  

4.11) Enforce Remote Wipe Capability on Portable End-User Devices

Description: Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices or when an individual no longer supports the enterprise.

Notes: The security function associated with this safeguard is Protect. This safeguard I feel has been more prominent as of late. Remote wiping of end-user devices has always been around, but with the state of employment, many companies are switching to remote work. Therefore, company devices are being moved more often. Having the capability to remote wipe a device if it becomes lost or stolen will keep your companies data more secure.

4.12) Separate Enterprise Workspaces on Mobile End-User Devices

Description: Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.

Notes: The security function associated with this safeguard is Protect. Keeping your personal workspace and enterprise workspace separated on your platforms is important because it lowers the risk of attackers being able to leverage what you do with personal usage to access the enterprises network.

Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software