CIS Hardening and Configuration Security Guide

By Keren Pollack, on May 25th, 2021

The Center for Internet Security (CIS) has published an updated version of the CIS Controls, CIS Controls v8. The CIS Controls are a gold-standard set of guidelines for organizations facing data security challenges. They were developed to simplify security work and to help IT operations and security teams stay focused on the essentials.

CIS updates its recommendations as the information security field changes and new threats are discovered. Version 8 of the CIS Controls was published in May 2021, and it shifts the perspective on baseline security and system hardening somewhat.

 

In this post we walk through the CIS recommendations for baseline security and what has changed from the previous versions.

 

CIS Control 4: Secure Configuration of Enterprise Assets and Software

“Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications)”.

 

This Control covers the secure configuration of every configurable component in your environment, hardware and software alike. Deploying secure configuration settings is complex: it takes multi-disciplinary staff to analyze potentially hundreds or thousands of settings and make the right decision for each. And once the settings are deployed, they must be continually managed, because the system keeps changing and new vulnerabilities keep emerging.

 

There are several hardening tools that can help you achieve a hardened infrastructure, but only a few of them are dedicated solely to hardening. We strongly recommend automating system hardening. Relying on manual tools will most likely end in one of two scenarios: 1. Critical machines not configured in the most secure fashion, increasing the organization's attack surface. 2. Downtime on critical machines, because manual tools are error-prone for tasks this complex.

 

According to the CIS Controls, 12 safeguards are required to achieve a secure baseline:

 

  1. Establish and Maintain a Secure Configuration Process

This refers to all enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications).

 

The process of securing configurations has 3 stages:

1. Building a configuration security policy – each system component type, role, version, and environment should have its own policy. Policies should be reviewed and updated annually, or whenever a significant change occurs in the organization, and should be based on configuration security best practices such as the CIS Benchmarks.

 

2. Testing and implementing the policy – once a policy is approved, it must be implemented exactly in its approved version; any deviation should be handled as a documented exception. This stage is the major technical challenge, and it can cause severe damage to the organization when managed poorly. The main danger is a production outage caused by a configuration change: the policy will change how your machines behave, so you must understand its potential impact before enforcing it.

Therefore, each policy should be tested before being pushed to production. The goal of the test is an impact analysis report that shows, for each configuration change, its effect on the machine's functionality. Without this impact analysis, downtime is very likely.

 

3. Monitoring the compliance posture – hardening servers properly once is not enough. Ongoing monitoring and maintenance are required because the production environment constantly changes and new vulnerabilities are discovered. Unexpected configuration drift is also a useful signal: it can reveal malicious activity. Adopting these habits saves a lot of time and money, because you never have to harden the infrastructure from scratch again a few years later.
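The three stages above, as an added example in Python (this is not code from the original post or from any vendor tool): a policy store keyed by platform, version and role; a compliance evaluation that honours documented exceptions (stage 3); and a fleet-wide dry run that reports what enforcement would change on each host and what that change does, which is the impact analysis of stage 2. Setting names, hosts, values and the exception are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    setting: str    # configuration item (registry value, GPO setting, sysctl, ...)
    op: str         # "==" exact match, or "range" for an inclusive (lo, hi) interval
    expected: Any
    impact: str     # what enforcing the rule changes on a live machine


# Policy store keyed by (platform, version, role): each version and role gets
# its own baseline. Setting names and values are constructed for this example.
POLICIES: Dict[Tuple[str, str, str], List[Rule]] = {
    ("windows", "2019", "web"): [
        # 0 means "never lock", so a plain "<= 900" check would wrongly pass it
        Rule("InactivityTimeoutSecs", "range", (1, 900), "idle sessions lock after 15 minutes"),
        Rule("RDP.Enabled", "==", False, "remote desktop sessions to this host stop working"),
        Rule("Telnet.Installed", "==", False, "the Telnet client is removed"),
        Rule("SMBv1.Enabled", "==", False, "legacy SMB1-only clients can no longer connect"),
    ],
}


def _compliant(observed: Any, rule: Rule) -> bool:
    if observed is None:                 # setting absent from the snapshot: fail closed
        return False
    if rule.op == "range":
        lo, hi = rule.expected
        return lo <= observed <= hi
    return observed == rule.expected


def evaluate(policy: List[Rule], observed: Dict[str, Any],
             exceptions: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, Any, Any]]:
    """Stage 3, monitoring: classify each rule for one host as
    compliant / excepted (approved deviation, still reported) / deviation."""
    findings = []
    for rule in policy:
        value = observed.get(rule.setting)
        if _compliant(value, rule):
            status = "compliant"
        elif rule.setting in exceptions:
            status = "excepted"
        else:
            status = "deviation"
        findings.append((rule.setting, status, value, rule.expected))
    return findings


def impact_analysis(policy: List[Rule], fleet: Dict[str, Dict[str, Any]],
                    exceptions: Optional[Dict[str, FrozenSet[str]]] = None) -> Dict[str, List[dict]]:
    """Stage 2, testing: a dry run listing what enforcement would change on each
    host and what that change does, for review before anything is pushed."""
    exceptions = exceptions or {}
    by_setting = {r.setting: r for r in policy}
    report = {}
    for host, observed in fleet.items():
        report[host] = [
            {"setting": s, "from": cur, "to": exp, "impact": by_setting[s].impact}
            for s, status, cur, exp in evaluate(policy, observed, exceptions.get(host, frozenset()))
            if status == "deviation"
        ]
    return report


# Constructed snapshots of three web servers, as a collection agent would report them.
FLEET = {
    "web-01": {"InactivityTimeoutSecs": 900, "RDP.Enabled": False, "Telnet.Installed": False, "SMBv1.Enabled": False},
    "web-02": {"InactivityTimeoutSecs": 0, "RDP.Enabled": True, "Telnet.Installed": False, "SMBv1.Enabled": True},
    "web-03": {"InactivityTimeoutSecs": 600, "RDP.Enabled": True, "SMBv1.Enabled": False},  # Telnet not reported
}
# Documented exception (constructed): support staff need RDP to this one host.
EXCEPTIONS = {"web-03": frozenset({"RDP.Enabled"})}

if __name__ == "__main__":
    policy = POLICIES[("windows", "2019", "web")]
    for host, changes in impact_analysis(policy, FLEET, EXCEPTIONS).items():
        print(f"{host}: {len(changes)} change(s)")
        for c in changes:
            print(f"  {c['setting']}: {c['from']!r} -> {c['to']!r}  ({c['impact']})")
```

The dry run is what you review with the application owners before enforcement: web-02 would lose its RDP access and SMB1 connectivity in one push, which is exactly the kind of change that needs a test window. Note the "range" rule for the lock timeout: a collector that reports 0 for "never lock" would sail through a naive "at most 900 seconds" comparison.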

 

CIS Controls V7.1 appearance:

5.1 Establish Secure Configurations.
5.4 Deploy System Configuration Management Tool.

14.3 Disable workstation-to-workstation communication.

 

  2. Establish and Maintain a Secure Configuration Process for Network Infrastructure

Apply the same process described above to network devices (routers, switches, firewalls, wireless access points).

 

CIS Controls V7.1 appearance:

11.1 Maintain Standard Security Configurations for Network Devices.
11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes

 

  3. Configure Automatic Session Locking on Enterprise Assets

The default value of automatic session locking in most operating systems (OS) is either Disabled or Not Defined.

It is recommended to set the lock timeout to no more than 15 minutes on general-purpose operating systems and no more than 2 minutes on end-user mobile devices. This helps prevent unauthorized access when a logged-in user walks away without locking the session.

 

CIS Controls V7.1 appearance:

16.11 Lock Workstation Sessions After Inactivity.

 

  4. Implement and Manage a Firewall on Servers

Firewalls are part of the organization's cybersecurity foundations, but a firewall has weaknesses of its own. Do not put all your trust in it: know how it is configured and how it can be turned against you. Some examples of firewall weaknesses:

 

  1. Configuration mistakes – a misconfigured firewall makes it easy for an attacker to turn this security tool into a way into your network. Mistakes such as leaving dynamic routing enabled are common.
  2. Missed patches – usually the result of poor firewall management. An unpatched firewall is an open gate into your organization.
  3. Insider threats – a perimeter firewall does nothing against attacks that originate inside your organization; only internal firewalls (host-based or segmentation) help there.

 

CIS Controls V7.1 appearance:

9.2 Ensure Only Approved Ports, Protocols, and Services Are Running.
9.4 Apply Host-Based Firewalls or Port-Filtering.
12.4 Deny Communication Over Unauthorized Ports.
11.2 Document Traffic Configuration Rules.

 

  5. Implement and Manage a Firewall on End-User Devices

A host-based firewall on an end-user device is the first line of defense against network intrusion. Its job is to: 1. filter inbound traffic and drop unsolicited connections to the device; 2. filter outbound traffic, so a compromised device cannot freely attack other hosts; 3. close unused ports so attackers cannot reach services that should not be exposed.
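As an added example (not code from the original post), the following script audits the INPUT chain of a host firewall's `iptables -S` dump for the configuration mistakes that matter most on a server or workstation: a default-accept policy, open ports the role does not approve, and remote-administration ports reachable from anywhere instead of only from the management network. Both rulesets, the approved port list and the management range 10.10.0.0/16 are constructed for the example.

```python
import ipaddress
from typing import List, Set, Tuple

# Remote-administration ports that must only be reachable from the management network (assumption).
ADMIN_PORTS = {22, 3389, 5985, 5986}


def _options(tokens: List[str]) -> dict:
    """Collect 'flag value' pairs from one `iptables -S` rule line."""
    opts = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
    return opts


def audit_input_chain(ruleset: str, approved: Set[Tuple[int, str]], mgmt_net: str) -> List[str]:
    """Check the INPUT chain of an `iptables -S` dump: default deny, only approved
    ports open, admin ports restricted to the management network."""
    mgmt = ipaddress.ip_network(mgmt_net)
    findings, policy = [], None
    for line in ruleset.strip().splitlines():
        tokens = line.split()
        if tokens[:2] == ["-P", "INPUT"]:
            policy = tokens[2]
            continue
        if tokens[:2] != ["-A", "INPUT"]:
            continue
        o = _options(tokens)
        if o.get("-j") != "ACCEPT":
            continue
        if o.get("-i") == "lo" or "--ctstate" in o:
            continue                                  # loopback and reply traffic are expected
        if "--dport" not in o:
            findings.append(f"rule accepts traffic without a port match: {line}")
            continue
        port, proto = int(o["--dport"]), o.get("-p", "all")
        if (port, proto) not in approved:
            findings.append(f"{port}/{proto} is open but not in the approved port list")
            continue
        if port in ADMIN_PORTS:
            src = o.get("-s")
            if src is None or not ipaddress.ip_network(src).subnet_of(mgmt):
                findings.append(f"admin port {port}/{proto} is reachable from {src or 'any source'}, expected {mgmt}")
    if policy != "DROP":
        findings.insert(0, f"INPUT default policy is {policy}, expected DROP")
    return findings


# Constructed `iptables -S` output for a web server before hardening...
WEAK = """
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
"""
# ...and after: default deny, SSH only from the management network, RDP gone.
HARDENED = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""
WEB_PORTS = {(22, "tcp"), (443, "tcp")}   # approved ports for the web role (assumption)

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_input_chain(rules, WEB_PORTS, "10.10.0.0/16") or ["no findings"])
```

The same three checks apply to an end-user device's firewall; only the approved port list changes (typically nothing inbound at all except what the endpoint agent needs). The script deliberately flags any ACCEPT rule without a port match, so an ICMP or "allow all from subnet" rule has to be made explicit in the approved list rather than slipping through.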

 

CIS Controls V7.1 appearance:

9.2 Ensure Only Approved Ports, Protocols, and Services Are Running
9.4 Apply Host-Based Firewalls or Port-Filtering
12.4 Deny Communication Over Unauthorized Ports
11.2 Document Traffic Configuration Rules

 

  6. Securely Manage Enterprise Assets and Software

Examples of best practices for this safeguard:

  1. Make the hardening policy specific not only to the type of infrastructure but also to its version. For example, the Windows Server 2016 hardening policy should differ from the Windows Server 2019 hardening policy.
  2. Use only secure network protocols for management: prefer HTTPS and avoid plain HTTP wherever possible.
  3. Avoid insecure management protocols such as Telnet; use SSH instead.

 

CIS Controls V7.1 appearance:

This safeguard is new. CIS Controls V7.1 has no similar recommendation.

 

  7. Manage Default Accounts on Enterprise Assets and Software

Default accounts usually get their password from a standard build script, which means every system in the environment ends up sharing the same password.

 

Take the built-in Administrator account as an example. Your assets ship with it so that you can use it for initial setup or as a disaster-recovery account. When it is not needed for those purposes, it should be disabled. If you later need it for recovery or for booting into safe mode, the account becomes available again automatically when you boot into safe mode, so it can still be used with troubleshooting tools.

 

If people are allowed to use the default account, you lose the ability to attribute actions to individuals, which makes tracing the source of an attack nearly impossible.
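An added example (not from the original post) of the two checks that follow from this: default accounts that are enabled without a documented exception, and one default-account password shared across many hosts. The inventory is constructed, and `pw_fingerprint` is a placeholder for whatever credential fingerprint your collection tooling provides (for Windows local accounts the unsalted NT hash makes reuse directly visible; for Linux the salted shadow hash does not, and a password-rotation tool's report is the better source).

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

DEFAULT_ACCOUNTS = {"Administrator", "Guest", "root", "admin"}
# Hosts with a documented reason to keep a default account enabled (assumption).
APPROVED_ENABLED: Set[Tuple[str, str]] = {("dr-jump-01", "Administrator")}

# Constructed inventory, one record per local account per host. The fingerprints
# are placeholders, not real hashes.
INVENTORY = [
    {"host": "ws-01", "account": "Administrator", "enabled": True, "pw_fingerprint": "fp-a1"},
    {"host": "ws-02", "account": "Administrator", "enabled": False, "pw_fingerprint": "fp-a1"},
    {"host": "ws-03", "account": "Administrator", "enabled": False, "pw_fingerprint": "fp-a1"},
    {"host": "dr-jump-01", "account": "Administrator", "enabled": True, "pw_fingerprint": "fp-b7"},
    {"host": "ws-01", "account": "jsmith", "enabled": True, "pw_fingerprint": "fp-c3"},
    {"host": "db-01", "account": "root", "enabled": True, "pw_fingerprint": "fp-d9"},
]


def audit_default_accounts(inventory: List[dict]) -> Dict[str, list]:
    """Return default accounts enabled without an approved exception, and default
    accounts whose password fingerprint is identical on more than one host."""
    enabled_without_exception: List[Tuple[str, str]] = []
    hosts_by_credential: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for rec in inventory:
        if rec["account"] not in DEFAULT_ACCOUNTS:
            continue
        if rec["enabled"] and (rec["host"], rec["account"]) not in APPROVED_ENABLED:
            enabled_without_exception.append((rec["host"], rec["account"]))
        # Disabled accounts are counted too: a disabled built-in Administrator is
        # still usable in safe mode, so its shared password still matters.
        hosts_by_credential[(rec["account"], rec["pw_fingerprint"])].add(rec["host"])
    shared = [(account, sorted(hosts))
              for (account, _), hosts in hosts_by_credential.items() if len(hosts) > 1]
    return {"enabled_without_exception": enabled_without_exception, "shared_password": shared}


if __name__ == "__main__":
    result = audit_default_accounts(INVENTORY)
    for host, account in result["enabled_without_exception"]:
        print(f"{host}: {account} is enabled with no approved exception")
    for account, hosts in result["shared_password"]:
        print(f"{account} shares one password on {len(hosts)} hosts: {', '.join(hosts)}")
```

The shared-password finding is the one that turns a single compromised workstation into lateral movement across the fleet; per-host randomised local administrator passwords remove it, and the exception list keeps the legitimately enabled recovery account visible rather than silently ignored.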

 

CIS Controls V7.1 appearance:

4.2 Change Default Passwords

 

  8. Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Not every system component needs every feature. Manufacturers have an interest in enabling as much functionality as possible, but that often conflicts with security: many services expose the organization to vulnerabilities. RDP, for example, is one of the most heavily exploited services today. There are ways to configure RDP more securely, but best practice is to disable it wherever it is not needed.

 

The main challenge in applying this recommendation is producing an impact analysis that tells you which service is needed where. You have two options:

  1. Use automation tools that learn your network and automatically report the impact of each change.
  2. Test each change's impact on production manually. This requires simulating every type of system component and environment and testing each change one by one. It takes many hours and usually ends in human error and downtime.

You can find here all the tools, paid and free, available for this task.
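To make that impact analysis concrete, here is an added example (not code from the original post or from any tool it mentions) that sorts a host's enabled services into keep, review and disable candidates. It combines the role's service allowlist with the host's listening sockets, so a service nobody can reach over the network is an easy disable candidate while a network-exposed one is flagged for impact testing first. Both command outputs are constructed samples, and `PROCESS_TO_UNIT` is an assumed mapping that a real collector would derive from each listener's pid and cgroup.

```python
import re
from typing import Dict, List, Set, Tuple

ROLE_ALLOWLIST: Dict[str, Set[str]] = {          # hypothetical per-role policy
    "web": {"ssh.service", "nginx.service"},
}
# Assumed process-name -> unit mapping; a real tool resolves this from the pid.
PROCESS_TO_UNIT = {"sshd": "ssh.service", "nginx": "nginx.service",
                   "master": "postfix.service", "xrdp": "xrdp.service"}

# Constructed `systemctl list-unit-files --type=service --state=enabled` output.
UNIT_FILES = """\
UNIT FILE            STATE   VENDOR PRESET
ssh.service          enabled enabled
nginx.service        enabled enabled
postfix.service      enabled enabled
xrdp.service         enabled enabled
cups.service         enabled enabled
avahi-daemon.service enabled enabled

6 unit files listed.
"""
# Constructed `ss -Hltnp` output for the same host.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:443        *:*       users:(("nginx",pid=1200,fd=6),("nginx",pid=1201,fd=6))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=900,fd=13))
LISTEN 0 50  0.0.0.0:3389 0.0.0.0:* users:(("xrdp",pid=1500,fd=11))
"""
_PROC = re.compile(r'\(\("([^"]+)"')


def enabled_units(text: str) -> List[str]:
    """Unit names from `systemctl list-unit-files`, skipping header and summary lines."""
    units = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].endswith(".service") and parts[1] == "enabled":
            units.append(parts[0])
    return units


def listeners(text: str) -> Dict[str, List[str]]:
    """Map unit -> local addresses it listens on, from `ss -ltnp` output."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        m = _PROC.search(line)
        if not m:
            continue
        unit = PROCESS_TO_UNIT.get(m.group(1), m.group(1))
        result.setdefault(unit, []).append(parts[3])
    return result


def _is_local(addr: str) -> bool:
    host = addr.rsplit(":", 1)[0]
    return host in ("127.0.0.1", "[::1]", "::1")


def plan(role: str, unit_files: str, ss_text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Decide per enabled service: keep / review-exposed / review-local / disable-candidate."""
    allow = ROLE_ALLOWLIST[role]
    listen = listeners(ss_text)
    decisions = {}
    for unit in enabled_units(unit_files):
        addrs = listen.get(unit, [])
        if unit in allow:
            action = "keep"
        elif not addrs:
            action = "disable-candidate"   # no listener: confirm no local use, then disable
        elif all(_is_local(a) for a in addrs):
            action = "review-local"        # only reachable from the host itself
        else:
            action = "review-exposed"      # network-reachable: impact test before touching
        decisions[unit] = (action, addrs)
    return decisions


if __name__ == "__main__":
    for unit, (action, addrs) in plan("web", UNIT_FILES, SS_OUTPUT).items():
        print(f"{unit:22} {action:18} {' '.join(addrs)}")
```

Listening sockets are only the first input: a service with no listener can still be used locally (a print spooler, a local mail relay), which is why the output says "candidate" and not "disable". The exposed RDP-like listener on 3389 is the case the paragraph warns about: it is the one you test and schedule, not the one you switch off from a script.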

 

CIS Controls V7.1 appearance:

Some of the recommendations in this safeguard are new. The rest appear in:
9.2 Ensure Only Approved Ports, Protocols, and Services Are Running.
15.6 Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients.
15.9 Disable Wireless Peripheral Access of Devices.
15.4 Disable Wireless Access on Devices if Not Required.

 

  9. Configure Trusted DNS Servers on Enterprise Assets

The Domain Name System (DNS) is a key component of an organization's interface with the Internet and IP networks. The following recommendations for DNS defense were published by the SANS Institute:

  1. Stay up to date with the latest patches and builds.
  2. Separate internal and external DNS servers.
  3. Disable recursion (on authoritative servers).
  4. Run DNS servers dedicated to a single purpose wherever possible.
  5. Diversify the locations of your DNS servers to help withstand DoS attacks.
  6. Restrict zone transfers.
  7. Authenticate zone transfers.
  8. Restrict dynamic updates.
  9. Hide the BIND version of the server.
  10. Restrict external access to the DNS servers, limiting which queries are answered for clients with public IP addresses.
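An added example (not from the original post or from SANS) that checks a BIND named.conf against items 3 and 6 to 9 above: recursion, zone-transfer restriction and authentication, dynamic updates and the version string. It includes a small brace-aware parser for the named.conf statement syntax; the three configurations (an open one, a hardened authoritative server, and an internal resolver that restricts recursion to an ACL) are constructed, and the TSIG secret is a placeholder.

```python
import re
from typing import Dict, List

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def _strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _parse(tokens: List[str], i: int = 0):
    """Return (statements, next_index). A statement is a list of words, with a
    nested statement list in place of every { ... } block."""
    stmts, cur = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "{":
            block, i = _parse(tokens, i)
            cur.append(block)
        elif tok == "}":
            break
        elif tok == ";":
            if cur:
                stmts.append(cur)
                cur = []
        else:
            cur.append(tok.strip('"'))
    if cur:
        stmts.append(cur)
    return stmts, i


def parse_named_conf(text: str) -> List[list]:
    return _parse(_TOKEN.findall(_strip_comments(text)))[0]


def _as_map(block: List[list]) -> Dict[str, list]:
    return {s[0]: s[1:] for s in block}


def _addr_list(stmt: list) -> List[str]:
    """Flatten an address-match list such as { key "k"; 10.0.0.0/8; } to strings."""
    if not stmt or not isinstance(stmt[-1], list):
        return []
    return [" ".join(e) for e in stmt[-1]]


def audit(conf: str) -> List[str]:
    findings = []
    top = parse_named_conf(conf)
    opts = _as_map(next((s[-1] for s in top if s[0] == "options" and isinstance(s[-1], list)), []))
    if opts.get("recursion", ["yes"])[0] != "no":           # BIND default is recursion yes
        allowed = _addr_list(opts.get("allow-recursion", []))
        if not allowed or "any" in allowed:
            findings.append("recursion is enabled for any client (open resolver)")
    transfer = _addr_list(opts.get("allow-transfer", []))
    if not transfer or "any" in transfer:
        findings.append("zone transfers are not restricted in options")
    elif transfer != ["none"] and not any(e.startswith("key ") for e in transfer):
        findings.append("zone transfers are restricted by address only, not authenticated with TSIG")
    if "any" in _addr_list(opts.get("allow-update", [])):
        findings.append("dynamic updates are allowed from any client")
    if "version" not in opts:
        findings.append("version string is not hidden (version option missing)")
    for s in top:                                            # zone-level overrides
        if s[0] == "zone" and isinstance(s[-1], list):
            z = _as_map(s[-1])
            if "any" in _addr_list(z.get("allow-transfer", [])):
                findings.append(f"zone {s[1]}: allow-transfer any")
            if "any" in _addr_list(z.get("allow-update", [])):
                findings.append(f"zone {s[1]}: allow-update any")
    return findings


WEAK = """
options { directory "/var/named"; recursion yes; allow-transfer { any; }; };
zone "example.com" IN { type master; file "example.com.zone"; allow-update { any; }; };
"""
HARDENED = """
key "xfer-key" { algorithm hmac-sha256; secret "UExBQ0VIT0xERVI="; };  # placeholder secret
options {
    directory "/var/named";
    recursion no;                        // authoritative-only: never resolve for clients
    allow-transfer { key "xfer-key"; };  // secondaries must sign AXFR/IXFR with TSIG
    allow-update { none; };
    version "not disclosed";
};
zone "example.com" IN { type master; file "example.com.zone"; };
"""
INTERNAL = """
acl internal { 10.0.0.0/8; 127.0.0.1; };
options { recursion yes; allow-recursion { internal; }; allow-transfer { none; }; version "not disclosed"; };
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("internal", INTERNAL)):
        print(name, audit(conf) or ["no findings"])
```

The separation in item 2 is what makes item 3 workable: the external authoritative server runs with `recursion no`, while the internal resolver keeps recursion but limits it to an ACL, and the audit accepts both. Hiding the version only removes one reconnaissance shortcut; the patch level in item 1 is what actually matters.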

 

CIS Controls V7.1 appearance:

This safeguard is new. CIS Controls V7.1 has no similar recommendation.

 

  10. Enforce Automatic Device Lockout on Portable End-User Devices

The recommended number of failed attempts varies by device type: for laptops, no more than 20 failed authentication attempts; for tablets and smartphones, no more than 10.

Tools such as Microsoft Intune device lock settings for Microsoft devices and the Apple configuration profile key maxFailedAttempts for Apple devices can enforce this.

 

CIS Controls V7.1 appearance:

This safeguard is new. CIS Controls V7.1 has no similar recommendation.

 

  11. Enforce Remote Wipe Capability on Portable End-User Devices

This is especially important for lost or stolen devices. It is also good practice for handling the device of a former employee who must no longer have access to the organization's data.

 

CIS Controls V7.1 appearance:

This safeguard is new. CIS Controls V7.1 has no similar recommendation.

 

  12. Separate Enterprise Workspaces on Mobile End-User Devices

Isolate the enterprise workspace on an employee's mobile device from personal use as much as possible, for example with an Apple Configuration Profile or an Android Work Profile. This lowers the risk of an employee's personal activity being leveraged by attackers to reach your network.

 

CIS Controls V7.1 appearance:

This safeguard is new. CIS Controls V7.1 has no similar recommendation.