
Control 04: Secure Configuration of Enterprise Assets and Software

A summary about establishing and maintaining secure configuration for assets

Published Date: October 7th, 2024

Product Line: CIS Controls

Audience: Executives, Security Administrators, Data Management Personnel

Get your copy of the CIS Controls V8.1 here.


Overview

Why is this control critical?

The default security settings of software and hardware are inherently vulnerable to cyber intrusion. Manufacturers and resellers configure devices for ease of use by default so that customers have maximum flexibility when implementing a new system. Unfortunately, this introduces a wide range of vulnerabilities that malicious cyber actors can easily exploit. It is critical to ensure that new and recently updated devices and services are configured properly to secure your system.

CIS Benchmark Services

The Center for Internet Security (CIS) has established a service to help you configure the devices in use within your facility. There are over 100 different tutorials dedicated to helping you change the default settings on important devices, from operating systems to network devices. You can view the entire list of benchmark tutorials here. Here is a step-by-step guide to downloading and installing each of these benchmark tests.

Safeguards

  1. Establish and Maintain a Secure Configuration Process. Establish and maintain a software and hardware onboarding protocol that ensures each new device is securely configured during installation.

  2. Establish and Maintain a Secure Configuration Process for Network Infrastructure. Establishing a configuration process for network devices will help secure devices during implementation.

  3. Configure Automatic Session Locking on Enterprise Assets. Automatically ending a session after a period of inactivity helps secure your systems. This period should not exceed 15 minutes for general-use operating systems and should not exceed 2 minutes for mobile devices.

  4. Implement and Manage a Firewall on Servers. Implementing firewalls on servers on installation (when possible) is critical to effective security practices.

  5. Implement and Manage a Firewall on End-User Devices. Implement and manage a host-based firewall or port-filtering tool on end-user devices, configured with a default-deny rule that blocks all services except those explicitly allowed.

  6. Securely Manage Enterprise Assets and Software. Managing assets over secure network protocols such as HTTPS and SSH, rather than insecure protocols such as Telnet and HTTP, is crucial to securing your systems.

  7. Manage Default Accounts on Enterprise Assets and Software. Disabling default accounts such as root, administrator, and other pre-configured accounts reduces the entry points into your system. Strategies include disabling these accounts or otherwise making them unusable.

  8. Uninstall or Disable Unnecessary Services on Enterprise Assets and Software. Removing unnecessary services, files, or protocols from a system reduces the risk of infiltration.

  9. Configure Trusted DNS Servers on Enterprise Assets. Replacing default DNS settings with trusted, enterprise-controlled DNS servers helps protect your systems from attacks.

  10. Enforce Automatic Device Lockout Following Failed Login Attempts. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, allow no more than 10 failed authentication attempts.

  11. Enforce Remote Wipe Capability on Portable End-User Devices. Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate, such as for lost or stolen devices or when an individual no longer supports the enterprise.

  12. Separate Enterprise Workspaces From Personal Applications and Data on Mobile End-User Devices. Ensure separate enterprise workspaces are used on mobile end-user devices, where supported.
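The safeguards above translate directly into checks an administrator can run against an asset inventory. The following is an added example, not part of the CIS Controls or this page, and it assumes a simple inventory record format (hostnames, device classes, settings and sample values are all constructed here); it flags assets whose session-lock timeout, firewall default policy, management protocols, default accounts, DNS servers, lockout threshold or remote-wipe setting fall outside what Safeguards 3 through 11 describe.

```python
"""Audit constructed inventory records against the Control 04 safeguards above."""

# Thresholds taken from the safeguard summary (seconds of inactivity / failed logins).
SESSION_LOCK_MAX = {"workstation": 900, "laptop": 900, "server": 900, "tablet": 120, "smartphone": 120}
LOCKOUT_MAX = {"workstation": 20, "laptop": 20, "server": 20, "tablet": 10, "smartphone": 10}
INSECURE_PROTOCOLS = {"telnet", "http"}        # Safeguard 6 examples
DEFAULT_ACCOUNTS = {"root", "administrator"}   # Safeguard 7 examples
FIREWALL_CLASSES = {"server", "workstation", "laptop"}       # Safeguards 4 and 5
PORTABLE_CLASSES = {"laptop", "tablet", "smartphone"}        # Safeguard 11

def audit_asset(asset, trusted_dns):
    """Return a list of human-readable findings for one inventory record."""
    findings, cls = [], asset["device_class"]
    lock = asset.get("session_lock_seconds")
    if lock is None or lock > SESSION_LOCK_MAX[cls]:
        findings.append(f"Safeguard 3: session lock {lock}s exceeds {SESSION_LOCK_MAX[cls]}s for {cls}")
    if cls in FIREWALL_CLASSES and asset.get("firewall_default_policy") != "deny":
        findings.append("Safeguard 4/5: host firewall default policy is not deny")
    for proto in asset.get("management_protocols", []):
        if proto.lower() in INSECURE_PROTOCOLS:
            findings.append(f"Safeguard 6: insecure management protocol enabled: {proto}")
    for name, enabled in asset.get("accounts", {}).items():
        if enabled and name.lower() in DEFAULT_ACCOUNTS:
            findings.append(f"Safeguard 7: default account still enabled: {name}")
    for server in asset.get("dns_servers", []):
        if server not in trusted_dns:
            findings.append(f"Safeguard 9: untrusted DNS server configured: {server}")
    lockout = asset.get("failed_login_lockout")
    if lockout is None or lockout > LOCKOUT_MAX[cls]:
        findings.append(f"Safeguard 10: lockout after {lockout} attempts exceeds {LOCKOUT_MAX[cls]} for {cls}")
    if cls in PORTABLE_CLASSES and not asset.get("remote_wipe"):
        findings.append("Safeguard 11: remote wipe not enabled on portable device")
    return findings

def audit_inventory(assets, trusted_dns):
    """Map each hostname to its findings; an empty list means the record passed."""
    return {a["hostname"]: audit_asset(a, trusted_dns) for a in assets}

# Constructed sample data: private-range resolvers and three hypothetical assets.
TRUSTED_DNS = {"10.0.0.53", "10.0.1.53"}
SAMPLE_ASSETS = [
    {"hostname": "lt-0042", "device_class": "laptop", "session_lock_seconds": 600,
     "firewall_default_policy": "deny", "management_protocols": ["ssh"],
     "accounts": {"root": False, "alice": True}, "dns_servers": ["10.0.0.53"],
     "failed_login_lockout": 10, "remote_wipe": True},
    {"hostname": "ph-0007", "device_class": "smartphone", "session_lock_seconds": 300,
     "dns_servers": ["203.0.113.53"], "failed_login_lockout": 15, "remote_wipe": False},
    {"hostname": "srv-db01", "device_class": "server", "session_lock_seconds": 900,
     "firewall_default_policy": "allow", "management_protocols": ["ssh", "telnet"],
     "accounts": {"administrator": True}, "dns_servers": ["10.0.0.53"], "failed_login_lockout": 5},
]

if __name__ == "__main__":
    for host, issues in audit_inventory(SAMPLE_ASSETS, TRUSTED_DNS).items():
        print(host, "PASS" if not issues else "\n  " + "\n  ".join(issues))
```

Feeding it real inventory data means mapping each platform's own settings (screen-lock timeout, firewall policy, lockout policy) into this record shape first.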