_images/logo.png

Welcome to The CIS Windows 10 Implementation Guide!

In this document, guidance is provided on how to apply the security best practices found in CIS Controls Version 7.1 to Windows 10 Pro environments. As a non-profit driven by its volunteers, we are always in the process of looking for new topics and assistance in creating cybersecurity guidance. If you are interested in volunteering and/or have questions, comments, or have identified ways to improve this guide, please write us at controlsinfo@cisecurity.org.

Table of Contents

Introduction

The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of Information Technology (IT) experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors including, retail, manufacturing, healthcare, education, government, defense, and others. So, while the CIS Controls address the general practices that most organizations should take to secure their systems, some operational environments may present unique requirements not addressed by the CIS Controls.

We are at a fascinating point in the evolution of what we now call cyber defense. To help us understand the cyber threat, we have seen the emergence of threat information feeds, reports, tools, alert services, standards, and threat-sharing frameworks. To top it all off, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth. There is no shortage of information available to security practitioners on what they should do to secure their infrastructure. But all of this technology, information, and oversight has become a veritable “Fog of More” – competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. Business complexity is growing, dependencies are expanding, users are becoming more mobile, and the threats are evolving. New technology brings us great benefits, but it also means that our data and applications are distributed across multiple locations, many of which are not within our organization’s infrastructure.

Purpose

Credit card breaches, identity theft, ransomware, theft of intellectual property, loss of privacy, denial of service – these cyber incidents have become everyday news. Victims include some of the largest, best-funded, and most security-savvy enterprises: government agencies, major retailers, financial services companies, even security solution vendors. Many of the victims have millions of dollars to allocate for cybersecurity, yet still fall short in their efforts to defend against common attacks. What is even more disturbing is that many of the attacks could have been prevented by well-known security practices such as regular patching and secure configurations.

What are the rest of us supposed to do? How do organizations with small budgets and limited resources respond to the continuing cyber problem? This guide seeks to empower the owners of small and medium-sized enterprises (SMEs) to protect their businesses with a small number of high priority actions based on the Center for Internet Security’s Critical Security Controls (CIS Controls). Historically the CIS Controls utilized the order of the Controls as a means of focusing an organization’s cybersecurity activities, resulting in a subset of the first six CIS Controls referred to as cyber hygiene. However, many of the practices found within the CIS cyber hygiene control set can be difficult for organizations with limited resources to implement. This highlighted a need for a collection of best practices focused on balancing resource constraints and effective risk mitigation. As a result, CIS is proposing the following guidance to prioritize CIS Control utilization, known as CIS Implementation Groups (IGs).

Group 1

A Group 1 organization is small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel. The principal concern of these organizations is to keep the business operational as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information. However, there may be some small to medium-sized organizations that are responsible for protecting sensitive data and, therefore, will fall into a higher Group. Sub-Controls selected for Group 1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Sub-Controls will also typical be designed to work in conjunction with small or home office Commercial-off-the-Shelf (COTS) hardware and software.

Group 2

A Group 2 organization employees individuals responsible for managing and protecting IT infrastructure. These organizations support multiple departments with different risk profiles based on job function and mission. Small organizational units may have regular compliance burdens. Group 2 organizations often store and process sensitive client or company information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs. Sub-Controls selected for Group 2 help security teams cope with increased operational complexity. Some Sub-Control will depend on enterprise-grade technology and specialized expertise to properly install and configure.

Group 3

A Group 3 organization employees security experts that specialize in the difference facts of cybersecurity (e.g., risk management, penetration testing, application security). Group 3 systems and data contain sensitive information or functions that are subject to regulatory and compliance oversight. A Group 3 organization must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare. Sub-Controls selected for Group 3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

While this approach provides generalized guidance for prioritizing usage of the CIS Controls, this should not replace an organization’s need to understand their own organizational risk posture. Organizations should still seek to conduct their own duty of care analysis and tailor their implementation of the CIS controls based on what is appropriate and reasonable given their resources, mission, and risks. Using these types of methods, such as those described in CIS RAM, organizations of different Implementation Groups can make risk-information decisions about which Sub-Controls in their Group they may not want to implement and which higher Group’s they should strive for. The intention is to help organization focus their efforts based on the resources they have available and integrate into any pre-existing risk management process.

_images/IG-1.png

The IGs are self-assessed organizational categories based on relevant cybersecurity attributes. Each IG identifies a subset of the CIS Controls that the community has broadly assessed to be reasonable for an organization with a similar risk profile and resources to strive to implement. These IGs represent a horizontal cut across the CIS Controls tailored to that type of enterprise, where each IG builds upon the previous one. Accordingly, an organization implementing the Sub-Controls defined for their IG is moving towards a standard duty of care as described in the CIS Risk Assessment Method (CIS RAM).

This guide provides detailed information on how to accomplish each of the Sub-Controls within IG1. This guide builds upon the best practices established via the CIS Controls V7.1. Where possible, the document provides step-by-step guidance on how organizations utilizing the Microsoft Windows operating system and supporting platforms can meet applicable Sub-Controls.

Audience

As this document is meant to help individuals and organizations comply with the set of cybersecurity protections detailed within the first IG1. The primary audience for this guide is IT contractors for small- to medium-sized businesses, although it is beneficial to anyone concerned about the following security threats:

_images/threats.png

Assumption

A set of assumptions were identified when developing this guidance:

  • Individuals and organizations using this guidance lack large cybersecurity-focused professionals within their organizations.
  • The systems being safeguarded may not be domain-joined, meaning that there is not a central location from which to deploy policy.
  • The organization likely has few to zero servers.
  • The organization likely uses some cloud services to provide key pieces of infrastructure, such as email.
  • The IT environment is fairly static, and does not change much over time.

Document Structure

The presentation of each Sub-Control in this document includes the following elements:

  • Category: Some Sub-Controls require the implementation or configuration of technology, and are labeled as Technical. Other Sub-Controls can be implemented via procedural or manual means and are labeled as Procedural. Depending on how they are implemented, some Sub-Controls can be both.
  • Purpose: A description of the importance of the Sub-Control in blocking or identifying presence of attacks and an explanation of how attackers actively exploit the absence of this control. It helps to answer the question of Why is this important? Purpose also describes the types of threats that can be mitigated by implementing this Sub-Control. Phishing, ransomware, or cybersecurity accidents are examples of threats that would be included within this element.
  • Automation: When Sub-Controls are automated, they are implemented in a more consistent manner without the introduction of human error. The degree of difficulty of implementation is often a factor discussed here.
  • Guidance and Tools: This section provides additional information for implementing the Sub-Control, alongside pointers to external guidance documents. Free and open source tools for accomplishing a given Sub-Control can also be found here.

The Appendix of this document includes the following sections.

  • Acronyms and References: This section contains commonly used acronyms and abbreviations alongside references mentioned throughout the document.
  • Step-by-Step Instructions: Many of the Sub-Controls contain step-by-step instructions for putting the cybersecurity control in place.

Relevant Microsoft Products

This guide is focused on implementing Windows products for the applicable Sub-Controls. Microsoft creates a variety of products such as:

  • Microsoft Windows 10 Home
  • Microsoft Windows 10 Pro
  • Microsoft Windows Server
  • Microsoft Office 365 (O365)

Microsoft Windows 10 Home and Windows 10 Pro are both separate editions of Microsoft’s Windows 10 operating system. Microsoft provides a useful guide to the differences between these two editions of Windows at the following link (https://www.microsoft.com/en-us/windows/compare). Windows 10 Pro will be the primary edition of the Windows 10 operating system discussed within this document. Windows Home provides the basics most users need to accomplish everyday tasks, such as writing documents, manipulating spreadsheets, and browsing the Internet. It is also not meant for commercial usage. But most businesses need more in order to get their job done, and accordingly, Windows 10 Pro is designed to fill that niche.

Two common primary enterprise needs include management and security. Windows 10 Pro allows an organization to join a system to a domain. This means that a sever or domain controller will be able to remotely distribute policy and configuration settings from a single centralized system. These policies allow an enterprise to manage how their employees can use their computer system, such as locking their systems after a period of inactivity. Deploying policies are an extremely powerful enterprise feature that can also activate enterprise class security mitigations that may otherwise not be used. For instance, Windows 10 Pro contacts BitLocker, which is Microsoft’s full disk encryption system. BitLocker can also encrypt any Universal Serial Bus (USB) and other extra drives.

Office 365 is Microsoft’s subscription-based cloud offering that includes an entire suite of Microsoft’s web-based applications. This includes standard business applications like Word, Excel, and Outlook. Office 365 also includes the Office 365 Admin Center, which provides access to Azure Active Directory. This feature allows an enterprise to join Windows 10 Pro systems to a cloud-based domain. This provides many, but not all, of the security and management benefits of using a domain controller without needing to setup an instance of Microsoft Server on premises.

CIS Controls Assessment Module

The CIS Controls Assessment Module is designed to help organizations measure their implementation of the CIS Controls. The Controls Assessment Module functions as a module within CIS-CAT Assessor v4 (Pro and Lite) and can be run much like other assessments, making it compatible with existing CIS-CAT functionality including remote assessments and the CIS-CAT Pro Dashboard. CIS-CAT stands for the CIS Configuration Assessment Tool; Assessor compares the configuration of target systems to the recommended settings in CIS Benchmarks and the Controls Assessment Module, while Dashboard provides a way to view and track Assessor output over time. CIS-CAT Assessor Lite is a limited free version of Assessor, while CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard require SecureSuite Membership.

The first version of the Controls Assessment Module covers IG1 in Windows 10 environments, providing a combination of automated checks and survey questions to cover the 43 IG1 Sub-Controls. For the more procedural Sub-Controls, the Controls Assessment Module allows users to save yes/no answers documenting their implementation of those Sub-Controls at the organizational level. For Sub-Controls that are conducive to automation, specific settings in the environment are checked to generate a machine-specific pass or fail for that Sub-Control.

Although it is the goal of CIS for a Windows 10 system configured with this Windows 10 Implementation Guide to pass a Controls Assessment Module assessment, there are subtle differences for a subset of CIS Sub-Controls. The Controls Assessment Module currently checks for the set of CIS Sub-Controls listed below with the differences between Sub-Control assessment methodologies between this Windows 10 Implementation Guide and the Controls Assessment Module.

Comparison of Features
Ctrl ID Controls Assessment Module Windows 10 Guide  
3.4 Passes if automatic updates are set to ‘Auto Download and schedule the install’ Shows how to enforce Windows 10 updates  
4.2 Passes if the Minimum Password Length meets or exceeds a specified minimum Shows how to change password and enforce length  
6.2 Passes if at least 1 Audit Policy Sub-Category is enabled Shows how to configure 1 log via LGPE  
8.2 Passes if any Antivirus is enabled and up-to-date Shows how to configure Windows Defender  
8.5 Passes if AutoPlay and AutoRun are disabled Shows how to configure AutoPlay and AutoRun  
9.4 Passes if all 3 Windows Firewall profiles are enabled and have a default deny rule for Inbound Traffic Shows how to enable Windows Defender firewall via UI and LGPE  
10.1 Passes if Windows 10 File History is turned on for at least 1 user Shows how to use Windows File History  
10.2 Passes if the date of the last successful Windows System Image backup occurred within a specified number of days Shows how to use the Windows 7 Backup tool  
10.4 Passes if native Windows encryption is turned on for the backup drives being used to store backups for File History and System Image backup (if enabled) Shows how to turn on BitLocker  
13.6 Passes if BitLocker is enabled on all drives Encourages usage of CIS Benchmarks for iOS and Android  
15.7 Passes if all wireless connections use WPA2 Shows how to check for network type  
16.9 Passes if all enabled local user accounts have been logged into within a specified number of days Shows how to view accounts on a system  
16.11 Passes if Interactive Logon Machine inactivity limit is enabled and less than a specified timeframe Shows how to configure Interactive logon limit  
       
       
       

CIS Control 1: Inventory and Control of Hardware Assets

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Control 1.4: Maintain Detailed Asset Inventory

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization’s network or not.

Category

Procedural, Technical

Purpose

An accurate and up-to-date inventory of computer systems within a network is often the first step in securing an enterprise. This list of information systems is known as a hardware asset inventory. Having a definitive list of what hardware is supposed to be part of a network enables comparison against the list of systems that are actually in place. This allows for the identification of unauthorized devices that should not be connected. A hardware asset inventory also helps define what an organization needs to protect.

An asset inventory often extends beyond what is solely connected to the network. Many organizations utilize older smartphones, laptops, networking gear, and other technology that may not be connected, or even powered on, yet might still contain sensitive information if the data is exfiltrated outside of the network. In addition to physical systems, many enterprises use third-party services for website hosting or email that are hosted in the cloud. Accordingly, any third-party services and cloud platforms should be included in the asset inventory. Examples of what to track include: * General computer workstations, laptops, phones, tablets; * Physical systems and devices operated or possibly owned by another organization that are connected to the enterprise network (e.g., Point of Sale devices); and * Systems used by an organization that are cloud-hosted.

Although asset management does not specifically mitigate any threats, it is the foundation for a large majority of cybersecurity activities. Cybersecurity expert Daniel Meissler points out that If You’re Not Doing Continuous Asset Management You’re Not Doing Security, and argues that it is one of the most important aspects of cybersecurity. Meissler states that lacking this asset inventory is one of the main reasons that companies get breached. If you don’t know what you are supposed to be defending, you can’t properly defend it.

Automation

This Sub-Control is automatable but not every enterprise will have the resources to do so. Accordingly, many organizations will perform manual asset tracking by hand. Manual asset tracking often times uses a spreadsheet with predefined columns and rows to help companies track the right data. It is often cumbersome, prone to error, and takes a good deal of time to get right – yet even an inventory with some holes in it is better than no asset inventory at all. Automated asset inventory can include using a web application or program installed on an in-house computer to store and track information within a database. It can also include a scanning tool that will automatically query devices with a variety of methods. There is a hybrid solution, where organizations use free or open source tools, like those mentioned below, and copy the results from those scans into a spreadsheet or other database.

Guidance and Tools

A variety of software is available in the market to solve this problem, but it may be too expensive for everyone. The following is a list of free tools and software which can help to ease the burden of asset tracking:

  • Nmap: Famous multipurpose network scanner, used by system administrators and hackers across the world to identify which devices are connected to a network (https://nmap.org). Be careful to only scan networks for which permission was explicitly given. It is often impolite, and in many cases illegal, to scan networks owned by others.
  • Spiceworks: This is a free IT inventory and asset management software to identify devices and software on a network (https://www.spiceworks.com).
  • ZenMap: This tool utilizes Nmap and places a user interface on top of it to make the tool easier to use for those who do not feel comfortable using the command line (https://nmap.org/zenmap).
  • CIS Hardware Asset Tracking Spreadsheet: This free spreadsheet is created by CIS to help track enterprise systems and other assets. It can be modified as needed to meet an enterprise’s unique needs. The primary elements within the spreadsheet are also described within the relevant appendix.

Step-by-step instructions for implementing this Sub-Control can be found in: Hardware and Software Asset Tracking Spreadsheet

Control 1.6: Address Unauthorized Assets

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner

Category

Procedural

Purpose

This Sub-Control is meant to ensure that a list of authorized assets can be compared against the list of devices actually connected to an enterprise network. The difference between the devices on this list should be investigated and will likely include phones, tablets, and laptops. It is possible that a device under investigation is actually authorized to be in place, and in this case, it can be removed from the list. If a device is not meant to be on the network, it should be removed from the network and thoroughly investigated. Unauthorized devices may be accessing enterprise network traffic, including proprietary or sensitive information. They also are in position on the network from which to launch attacks and hack into organizational systems.

This Sub-Control helps to prevent unauthorized eavesdroppers on a public network. Attackers might be able to view enterprise traffic, or change it while it is being sent. Eavesdroppers can be listening on the wired and wireless network. Physically finding a device can be a difficult task, as it is often hard to associate a device name (e.g., John’s Android) or hardware network address media access control (MAC) address to a particular device by sight. Device names and MAC addresses can provide hints to the type of device, but they can also be faked to fool anyone trying to find the device. Changing a wireless fidelity (WiFi) network password may be a useful step to take if a specific device in question is unable to be identified, although this will only apply to wireless devices.

Automation

This Sub-Control is automatable, but will require someone with a higher than average level of network know-how in order to install, configure, and regularly use the right software packages.

Guidance and Tools

Many modern wireless access points and routers have a feature that will show a network map of all devices currently connected to the access point. It is often possible to click on any device in question and remove it from the network.

CIS Control 2: Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Control 2.1: Maintain Inventory of Authorized Software

Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

Category

Procedural

Purpose

An accurate and up-to-date inventory of all company software is nearly as important as tracking the hardware inventory, as detailed in Sub-Control 1.4. By tracking the software being used on organizational assets, it is possible to ensure that only authorized software is installed. This is known as creating an authorized software inventory. Unauthorized software may include older versions of previously authorized software applications, or software installed by an employee, unbeknownst to the enterprise (sometimes referred to as shadow IT). Unauthorized software also includes any malware or malicious code installed by an attacker that gained access to an enterprise system or network. Understanding the software installed on a system helps organizations to define their software attack surface, and allow for a plan to be devised to remove that software

Software should be tracked for all enterprise systems and devices, even if they do not have network access. An old, unpatched application running on a non-networked system may be connected to the enterprise network at some point in the future. Old phones, laptops, networking appliances, and other technology that are rarely powered on may still contain sensitive information. In addition to physical systems, some companies may rely upon cloud infrastructure for email and data storage. Virtualized systems are another asset type that can contain sensitive enterprise data. Software associated with cloud-based and virtualized systems should both be included in a software asset inventory. Therefore, examples of software on different types of systems that should be tracked to comply with this Sub-Control include:

  • Software pre-installed on the operating system,
  • Software installed by an organization,
  • Cloud infrastructure and applications, and
  • Virtual machines and their hypervisors.

Although asset management doesn’t specifically mitigate any threats, it is the foundation for a large majority of cybersecurity activities. Daniel Meissler, a renown cybersecurity expert, points out that “If You’re Not Doing Continuous Asset Management You’re Not Doing Security”, and argues that it’s one of the most important aspects of cybersecurity. Meissler states that lacking this asset inventory is one of the main reasons that companies get breached. If you don’t know what you are supposed to be defending, you can’t properly defend it. Organizations interested in a stretch goal to help address future threats can consider implementing CIS Sub-Control 2.4, which suggests the following information to be tracked:

  • name,
  • version,
  • publisher,
  • install date, and
  • operating system.

Automation

This Sub-Control is automatable but not all organizations will have the resources to do so. Many small- to medium-sized organizations will need to manually curate their software inventory. Manually tracking software information is generally done with a spreadsheet with predefined columns and rows to facilitate proper data collection. It is often cumbersome, prone to error, and takes a good deal of time to get right. Yet even an incomplete inventory is better than no asset inventory at all. Automated software inventory management can include using a web application or program installed on an in-house computer to store and track information within a database. It can also include a scanning tool that will automatically query devices with a variety of methods.

Guidance and Tools

There is no universally agreed upon method for tracking software assets. A variety of software is available in the market to solve this problem, but may be too expensive for many. The following is a list of free tools and software which can help to ease the burden of asset tracking:

  • Nmap: Famous multipurpose network scanner, used by system administrators and hackers across the world to identify which devices are connected to a network (https://nmap.org). Be careful to only scan networks for which permission was explicitly given. It is often impolite, and in many cases illegal, to scan networks owned by others.
  • ZenMap: This tool builds on top of Nmap, and puts a graphic user interface on top of it to make the tool easier to use for those who do not feel comfortable using the command line (https://nmap.org/zenmap).
  • Spiceworks: This is a free IT inventory and asset management software to identify devices and software on a network (https://www.spiceworks.com).
  • Netwrix: Variety of free tools to identify information about administrative access on any relevant systems (https://www.netwrix.com).
  • OpenAudIT: Inventory applications and software on workstation servers and network devices (http://www.open-audit.org).
  • CIS Software Asset Tracking Spreadsheet: This free spreadsheet is created by CIS to help track enterprise systems and other assets. It can be modified as needed to meet an enterprise’s unique needs.

Step-by-step instructions for implementing this Sub-Control can be found in: Hardware and Software Asset Tracking Spreadsheet

Control 2.2: Ensure Software Is Supported by Vendor

Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

Category

Procedural

Purpose

The phrase vendor supported software means that a program or application being used for enterprise business is a product currently offered and available for purchase from the developer. Furthermore, a supported application is still generally under development, which means that software and security updates are regularly made available and distributed to customers. If an organization is using unsupported software, any computer system running that software will most likely be vulnerable to attack.

Software that is out of date often contains vulnerabilities and other software bugs that can be used by an attacker to gain a foothold within an enterprise network. The longer software goes without receiving an update, the more likely it is to have significant security problems. Therefore, triaging the number of bugs and their severity is key. Allowing unpatched and old software within an enterprise is one of the most dangerous practices possible from a security perspective.

Automation

This Sub-Control is not automatable. No automated method exists for a computer system to identify if software purchased from a vendor is currently supported.

Guidance and Tools

The primary thing that can be done is to understand the support structure from the developer for any software application before it is purchased and installed. This may involve researching alternative products and the reviews available online. Useful items to investigate before the software is purchased include:

  • Length of pledged support – Support may be provided for 5 years, whereas others may only be supported for 6 months. This is one of the most critical factors.
  • Cost of support – Many products will receive updates for free, yet others may charge for updates.
  • Who will provide support – The original developer or some other developer may support the application.
  • Support history – Pledges of support are often made, but sometimes not kept.

Control 2.6: Address Unapproved Software

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

Category

Procedural

Purpose

This Sub-Control is the natural progression from Sub Control 2.1. Once a software asset inventory has been created, each computer, phone, and/or tablet should be checked to ensure that the software installed on that system is authorized to be there. When unapproved software is identified, it should be uninstalled or otherwise removed. A regular cadence should be established to survey relevant systems for unauthorized software.

Unapproved software has not been reviewed by anyone within an organization that has decision authority for IT. Additionally, it has not been reviewed by a security professional to understand if the software meets an organization’s minimum baselines for security. Unapproved software is commonly out of date and can contain known vulnerabilities that can be exploited. Unapproved software may also be malware, all of which should be avoided.

Automation

This is an automatable Sub-Control and multiple types of tools can used to alleviate this problem. Examples include typical IT asset management tools, that can help to track both hardware and software, alongside versions of software in use. Refer to Sub-Controls 1.4 and 2.1 for additional information regarding this category of software tools. Another category of software that can help is antivirus, which helps to identify malicious software installation and identify when it is on a system. Finally, whitelisting software will let an enterprise specify a list of applications that are allowed to run on enterprise systems.

Guidance and Tools

Many operating systems ship with tools that help accomplish this Sub-Control, in whole or in part. Many of the applications that come pre-installed with operating systems, such as games, social media, and other types of software are candidate for deletion. Additionally, software can be purchased, open source or free tools can be downloaded, to assist. 10AppsManager is an application that can help delete applications that come pre-installed within Windows 10 (https://www.thewindowsclub.com/10appsmanager-windows-10).

Step-by-step instructions for implementing this Sub-Control can be found in: Uninstalling Software

CIS Control 3: Continuous Vulnerability Management

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Control 3.4: Deploy Automated Operating System Patch Management Tools

Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

Category

Technical

Purpose

Security patches are updates to a computer’s operating system (OS) or installed software applications, and are a basic part of IT maintenance. The patches the OS developers provide often contain new features, but also contain fixes to recently discovered security vulnerabilities. Over time, operating systems go “stale” and need to be updated. Without a constant stream of security patches, computer systems can be infected by malware that can read sensitive company data, or simply destroy it. Accordingly, patching systems is one of the primary ways an enterprise can protect itself from attackers.

Automation

Many modern operating systems already contain ways to natively manage security patches. Enabling native patch management can be done on a case-by-case basis or via a domain controller to manage enterprise systems (which is more common in larger organizations.) Software from external sources can also be installed on all enterprise systems which reports the current status back to a local server or cloud-based platform. The CIS Windows 10 Benchmark can be useful in showing users how to setup the operating system to automatically acquire and install updates.

Guidance and Tools

There are free products available to assist with patch management. By default, `Windows 10 is configured to download and install updates automatically (https://support.microsoft.com/en-us/help/12373/windows-update-faq)`_ unless that is modified by a user or administrator.

_images/BenchmarksLogo3.png

CIS offers PDFs with configuration guidelines for 100+ technologies (https://www.cisecurity.org/cis-benchmarks).

Step-by-step instructions for implementing this Sub-Control can be found in: Configuring Automated Operating System Patch Management Tools via Windows Settings

Control 3.5: Deploy Automated Software Patch Management Tools

Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

Category

Technical

Purpose

Security patches are updates to a computer system’s operating system or installed software, and applying them are a basic part of IT maintenance. Just like patching the OS, patching these software applications is a basic part of cybersecurity. The patches from application developers may contain new features, but also contain fixes to recently discovered security vulnerabilities. Without a constant stream of security patches, old and insecure applications can have vulnerabilities exploited, and infected by malware that can read sensitive enterprise data, or simply destroy it.

Automation

Some operating systems can help to remind users to update certain applications, especially those obtained within the application market place that is part of the operating system. With today’s platforms, app stores are not just on mobile devices. Microsoft Windows 10 has an app store called Windows Apps and Apple’s store is called the Mac App Store. Both stores can be configured to automatically install software updates from the application developer that were initially installed via an app store.

Software obtained outside of an app store must be updated in an entirely different manner. Third-party software distributed outside the app store requires dedicated management software to patch it. In the end, keeping the total number of programs installed onto a computer to the smallest number possible helps with both management and security, by reducing attack surface.

Guidance and Tools

In many instances, it may be worthwhile to attempt to only install applications from the Microsoft App Store as updates to those applications can be more easily managed. Not all business applications will be available in the Microsoft App Store and this will likely only be a partial solution.

Step-by-step instructions for implementing this Sub-Control can be found in: Automatic Application Updates via the Microsoft Application Store.

CIS Control 4: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Control 4.2: Change Default Passwords

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Category

Procedural

Purpose

Default passwords are the passwords that ship with computers, applications, routers, and other equipment. Default passwords are a very common way for computer systems, devices, and applications to be hacked. Lists of default passwords for operating systems, applications, and devices are readily available on the Internet for anyone to download and try. Therefore, enterprise passwords need to be changed from the defaults to something that is not easily guessable or easily available from a search engine.

If a password for a wireless router is guessed, an attacker will be able to add and remove network devices, which will allow them to read sensitive enterprise information. To guess a router’s default password, it is often sufficient to identify the manufacturer and model of the device. Attackers may be able to find this information by viewing the device in person, or remotely based on a router’s wireless network name (i.e., service set identifier (SSID)), MAC address, and network scans. Lists are easily available online with the default passwords for wireless routers commonly used in small and home offices. If a password for an application, device, or other system is guessed, an attacker may be able to read the enterprise information stored there, or take control of the entire device.

Automation

Changing default passwords within software and network equipment is generally not automatable. Each software application or piece of network equipment has to be individually investigated and changed.

Guidance and Tools

One of the main issues with changing default passwords is the need to remember all of the passwords. Writing passwords down onto paper is considered an insecure practice. A better option is to use a password manager. Free examples include:

_images/BenchmarksLogo4.png

The Benchmarks for an OS or application may contain passwords that should be changed, but not all products will have CIS Benchmarks, or have default passwords (https://www.cisecurity.org/cis-benchmarks).

Step-by-step instructions for implementing this Sub-Control can be found in: Changing the Default Password

Control 4.3: Ensure the Use of Dedicated Administrative Accounts

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

Category

Procedural

Purpose

Accounts on a computer system can have different types and sets of privileges. The accounts with the highest access privileges are called administrative accounts. Other terms for administrative account include admin account or superuser accounts. These accounts grant access to all of a computer system’s data and functionality. It follows that protecting these accounts is of the utmost importance. If administrative accounts are abused or taken advantage of, they can be used to compromise an entire system and potentially the other computers connected to them via a network. For example, if an administrative account is used to browse the web, and accidentally downloads malware, the malware will be able to run on a computer with the highest levels of access.

Yet administrative accounts are needed for certain important tasks, such as installing new programs, updating the operating system, or adding new users. This Sub-Control states that administrative tasks need to be performed with a separate account solely dedicated to administrative tasks. Normal user accounts should be used for everyday business tasks, like using accounting software or performing market research via the web. If a vulnerability is exploited within a normal user account, the impact will be substantially less than if the same vulnerability is exploited under an admin account.

If someone is able to obtain administrative access on a computer system, they essentially have the keys to the kingdom. They will be able to steal passwords stored on the computer, which may be used in other computer systems or applications within a network. They will also be able to install a rootkit which is a type of malware that is sometimes undetectable, even by antivirus software. These types of information could compromise enterprise systems for months or even years.

Automation

This Sub-Control generally cannot be automated. Users must manually check to identify if their account is an administrator and establish separate administrative accounts.

Guidance and Tools

There is no standard that can be pointed to for how to keep everyday user accounts and administrative accounts separate. With that said, the following guidance can be useful:

  • Passwords should be different for everyday accounts and administrative accounts.
  • If multifactor authentication is not in use, the passwords for administrative accounts should follow current best practices for password strength.
  • Once a task is completed that required administrative access, make sure to immediately logout of the account.

Step-by-step instructions for implementing this Sub-Control can be found in: Identifying if an Account is an Administrator

CIS Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Control 5.1: Establish Secure Configurations

Maintain documented security configuration standards for all authorized operating systems and software.

Category

Technical

Purpose

Establishing secure configurations means that each computer system within an enterprise must have the appropriate security settings applied. Many computers do not come with all of the security settings appropriately configured “out of the box” as these settings tend to decrease the functionality and options afforded to users. Further complicating the situation, as operating systems and applications receive updates configuration settings can change. New configuration settings may be created, and others may be removed. This creates a constant problem that needs to be regularly monitored and addressed.

As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared towards ease-of-deployment and ease-of-use – not security. Open services and ports, default accounts or passwords, older (vulnerable) protocols, preinstallation of unneeded software; all can be exploitable in their default state. All of these improperly configuration settings can be taken advantage of by attackers. Properly configuring enterprise computer systems can help to defend against major types of malware and even network-based attacks.

Automation

This Sub-Control is completely automatable if an enterprise decides to acquire the appropriate software. Moving past this Sub-Control, some software tools can help organizations to maintain secure configurations over time, which can be quite difficult. Although initial configurations may be done by hand, monitoring for changes and out of date settings is best performed by software.

Guidance and Tools

Many tools are available to check and maintain secure configurations within an enterprise. Additionally, multiple organizations put out configuration guidance for systems and applications.

_images/BenchmarksLogo5.png

CIS offers free PDFs with configuration guidelines for 100+ technologies (https://www.cisecurity.org/cis-benchmarks).

CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

Control 6.2: Activate Audit Logging

Ensure that local logging has been enabled on all systems and networking devices.

Category

Technical

Purpose

On the surface, logging may appear to be a low priority activity, but it is a critical cybersecurity control to have in place within an enterprise. Once a security breach occurs, reviewing logs is often the primary way that computer incident responders identify who did what, and when they did it. Furthermore, if logging is enabled on network devices (e.g., routers), historical activities can be tracked for the entire enterprise network. Logs can also be helpful to an enterprise when performing general maintenance activities to understand the current status of computer systems and networks, and be notified to take action if there is a problem.

Logging is not a prevention mechanism, meaning that logs do not stop any attacks directly. Instead logs help to provide tamper detection, which means if an unauthorized modification occurs within an enterprise computer system (or its data), it is possible to know that something was changed.

Automation

There are various methods of how to automate logging. Enabling logging on systems can be done manually on a system by system basis. Yet logging is often considered a system configuration option and can be automated with software dedicated to assessing and implementing secure configurations. Moving past just enabling logs, systems known as SIEMs (security information and event management) can be utilized that ingest log data from all systems in an enterprise, and perform data analysis to find breaches or network-wide issues or failures. SEIMs typically require a more advanced IT infrastructure and dedicated IT personnel to manage.

Guidance and Tools

There are many types of logs that can be enabled. When beginning to enable logging on enterprise systems, utilize software and hardware inventory lists to ensure that the proper types of logs were enabled for each system or application. Look to enable logs for both the operating systems and supported applications for all enterprise systems, and also survey network devices like firewalls and wireless access points to understand their logging capabilities. In order to enable logging on firewalls and wireless access points, documentation may be required for the unique network appliance in an enterprise.

_images/BenchmarksLogo6.png

CIS offers free PDFs with configuration guidelines for 100+ technologies (https://www.cisecurity.org/cis-benchmarks).

Step-by-step instructions for implementing this Sub-Control can be found in: Enabling the System Event Audit Log

CIS Control 7: Email and Web Browser Protections

Minimize the attack surface and the opportunities for attackers to manipulate human behavior though their interaction with web browsers and email systems.

Control 7.1: Ensure Use of Only Fully Supported Browsers and Email Clients

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Category

Procedural

Purpose

Web browsers and email clients are some of the most common applications that employees use to access the Internet. This means that browsers and email clients are on the front line of an organization’s IT infrastructure and are regularly exposed to a variety of digital threats. In fact, they are arguably the most exposed applications within an enterprise. Because of this, browsers and email systems should be kept up-to-date since the most recent version of a software application includes the most recent security patches.

Attacks on email clients and browsers can lead to a variety of cybersecurity problems. One such example is the installation of browser extensions, which are small applications that can extend a browser’s functionality. These can be helpful and provide security benefits (e.g., managing passwords). Unfortunately, if an attacker is able to install a malicious browser extension, they can often severely compromise the security of a browser by viewing all web activity and potentially reading information that would normally be inaccessible.

Automation

Some browsers update automatically by default, like Chrome, whereas others will require an additional configuration. Email clients can be similarly setup to receive automated updates. Security tools can be utilized to understand when browsers, email clients, and other programs are out of date.

Guidance and Tools

Keeping browsers and email clients up to date is generally a fairly simple task. Besides using supported software in the first place, it is important to take the extra step to make sure that browsers and clients regularly receive the security updates and patches that are made available. These updates are not installed by default on all browsers and email clients, meaning the browsers and clients need to be manually configured. Once browsers and email clients are properly configured, only require period monitoring is required.

_images/BenchmarksLogo7.png

CIS Benchmarks: CIS offers free PDFs with configuration guidelines for common browsers (https://www.cisecurity.org/cis-benchmarks).

Control 7.7: Use of DNS Filtering Services

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Category

Technical

Purpose

While the DNS can be difficult to grasp, the important details are relatively simple. DNS can be thought of as a phonebook for websites that translates a human understandable domain such as (www.cisecurity.org) to a series of numbers that a computer can understand (i.e., Internet Protocol (IP) address). Therefore, when a computer wants to connect to cisecurity.org, it uses DNS to look up where it can find example.com, much like how a phone book would be used to search a person’s name to get their phone number. And all of this happens transparently in the background when requesting a webpage, so that individuals to solely need to remember the domain name instead of complex IP addresses.

This Sub-Control helps prevent enterprise infrastructure from connecting to known malicious servers that control, host, or distribute malware, or collect sensitive information. Many attackers will host a malicious domain like “evil.com” to enable malicious activities, such as tricking users into giving sensitive credentials (i.e., phishing) or control already infected systems. By using a DNS filtering service, an enterprise can ensure their systems are pointing to a filtered phonebook (DNS responses) that would not provide bad phone number to any known bad domains; thereby protecting an enterprise from being infected or communicating with malicious systems.

Automation

There are many ways that this Sub-Control can be implemented in an environment and it will mostly depend on how the enterprise is currently configured. This Sub-Control is completely automatable with the correct hardware and software being used in a network. Unfortunately, the implementation of this Sub-Control will likely require someone with specialized knowledge of networking and DNS, alongside an external trusted source for DNS information.

Guidance and Tools

Multiple organizations exist that provide DNS filtering. Some even provide this service free of charge such as Quad9. With a simple configuration change, enterprise systems will use the filtering service with little to no impact on an organization’s Internet browsing all the while blocking bad traffic. Accordingly, the following resources can be of assistance:

CIS Control 8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

Control 8.2: Ensure Anti-Malware Software and Signatures Are Updated

Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis.

Category

Technical

Purpose

Anti-malware, also known as anti-virus, is a well-known security technology. Anti-malware suites work by constantly monitoring all of the running applications on a system, and alerting an enterprise administrator if a malicious program or other suspicious activity is detected. A list of suspicious applications and actions that the security technology looks for is created and kept up-to-date by the anti-virus company. That company regularly delivers updates to the suspicious applications and actions list on a regular basis, and these updates are called signatures. If signatures are not downloaded and installed on a regular basis, machines may be vulnerable to the most recent attacks. Because it is easy to forget, antivirus updates should be set to automatically download and install on each and every computer or server in an enterprise.

Malware is software specifically designed to attack computer systems, devices, and data. Malware is the catch-all term for spyware, adware, and all the other types of malicious software, and it is quick to change and hard to track. Malware can enter an enterprise through any number of points such as email attachments, malicious apps, web pages, and USB drives. Modern malware can be quite benign and just slow a computer system down, or be much more pernicious and pilfer passwords, steal proprietary company secrets, or delete all enterprise data.

Automation

This is an easy Sub-Control to automate and is worth the time spent to properly configure.

Guidance and Tools

Although there are free products designed to remove malware, many free antivirus tools may actually be malware themselves, or try to install malware on a computer system. The safest option is to use and properly configure the set of tools that comes with Windows 10. Microsoft provides two closely related products for free that come built-into every copy of Windows.

Step-by-step instructions for implementing this Sub-Control can be found in: Checking Windows Defender Security Center and Enabling Windows Defender Security Center via LGPE

Control 8.4: Configure Anti-Malware Scanning of Removable Media

Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

Category

Technical

Purpose

Removable media includes USB drives, memory cards, and external hard drives - just to name a few examples. These devices are commonly used to store photos, videos, and many types of enterprise data. Removable media is also one method used by attackers to install malicious software on computer systems. This attack method can be used to infect traditional enterprise workstations, but also computer systems viewed as secure since they lack a WiFi or Internet connection. Entirely banning the use of removable media is often impractical for businesses. In order to combat this threat, enterprise systems should be configured to scan removable devices for malware before they can be read by users.

Malware is software specifically designed to attack computer systems, devices, and data. Malware can enter an enterprise through any number of points such as email attachments, malicious apps, web pages, and USB drives. This Sub-Control was specifically included due to the emerging technique of dropping USB drives embedded with malware in parking lots or other areas where employees are likely to pick them up and plug them into enterprise systems. One academic study dropped 300 USB sticks around a school which resulted in ~50% of them being inserted into computers. Many were inserted into a computer within 6 minutes.

Automation

This Sub-Control is somewhat automatable and is worth the expense to properly configure it. Windows Defender may not be able to scan removable media every time a new one is inserted, as scans will need to be configured and performed manually on every usage.

Guidance and Tools

Windows Defender, a program built-into Windows, can perform a scan of removable media devices. This functionality is called a “custom scan” within the tool. Third-party tools can also be purchased to scan removable devices every time one is inserted in an automated manner. This Sub-Control should be implemented for of the systems within an enterprise.

Step-by-step instructions for implementing this Sub-Control can be found in: Scanning Removable Devices via LGPE

Control 8.5: Configure Devices to Not Auto-Run Content

Configure devices to not auto-run content from removable media.

Category

Technical

Purpose

Removable media includes USB drives, memory cards, and external hard drives - just to name a few examples. These devices are commonly used to store photos, videos, and many types of enterprise data. Removable media is also one method used by attackers to install malicious software on computer systems. This attack method can be used to infect traditional enterprise workstations, but also computer systems viewed as secure since they lack a WiFi or Internet connection. Entirely banning the use of removable media is often impractical for businesses. If software on a USB device is allowed to automatically run, it may be able to install malware with limited to no user interaction.

Malware is software specifically designed to attack computer systems, devices, and data. Malware can enter an enterprise through any number of points such as email attachments, malicious apps, web pages, and USB drives. This Sub-Control was specifically included due to the emerging technique of dropping USB drives embedded with malware in parking lots or other areas where employees are likely to pick them up and plug them into enterprise systems. One academic study dropped 300 USB sticks around a school which resulted in ~50% of them being inserted into computers. Many were inserted into a computer within 6 minutes.

Automation

This Sub-Control is automatable natively in Windows 10 Pro. There is a setting within Windows 10 Pro that provides control on how content is run from removable devices. If a computer is joined to a domain, these policies can be deployed across all the computers in a network.

Guidance and Tools

Removable devices should not be trusted. How enterprise systems treat removable devices is controllable via the AutoPlay within the Windows 10 Pro Control Panel. Configuring the devices to Ask Me Every Time will give administrators the ability to make this decision before programs are run.

Step-by-step instructions for implementing this Sub-Control can be found in: Configuring AutoPlay via Windows Control Panel and Configuring AutoPlay via LGPE

CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

Control 9.4: Apply Host-Based Firewalls or Port-Filtering

Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Category

Technical

Purpose

Computers are already setup with a default set of networking features right out of the box. This is typically a permissive set of configurations that allows computer systems to connect to whatever resources average users need. Host-based firewalls help to manage these network configurations, block external unsolicited attempts to connect to a computer system, lessen the impact of malware, and log network traffic for future analysis. Indeed, it is easier to download malware onto an enterprise computer if there is no firewall in place. Malware installed on an enterprise system can pilfer or destroy sensitive enterprise data, perform a Denial of Service (DoS) on various systems, or look to infect other aspects of the network. By properly configuring the built-in firewall an enterprise can help to reduce the ways that a system can be attacked. Additionally, it can help to stop downloaded malware from communicating home and work to prevent its installation in the first place.

Automation

This Sub-Control is completely automatable within Windows 10 Pro.

Guidance and Tools

Properly enabling the firewalls built into operating systems goes a long way towards properly implementing this control. If a computer is joined to a domain, the built-in firewalls can be automatically configured across all the computers within an enterprise network. Windows 10 comes with a firewall that will help to implement this Sub-Control. Third-party solutions are also available that can accomplish the same tasks for Windows and also support other platforms.

_images/BenchmarksLogo8.png

CIS offers free configuration guidelines for common operating systems and their firewalls (https://www.cisecurity.org/cis-benchmarks).

Step-by-step instructions for implementing this Sub-Control can be found in: Enabling Windows Defender Firewall

CIS Control 10: Data Recovery Capabilities

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

Control 10.1: Ensure Regular Automated Backups

Ensure that all system data is automatically backed up on a regular basis.

Category

Technical

Purpose

A backup is a duplicate of a computer system’s data. If an attacker breaches a network or computer system, their first step will often be to change system configurations to ensure they have continued access in the future. In the process of doing so, attackers will sometimes make subtle alterations to data that can jeopardize an organization’s effectiveness at a later date. Backups also help to protect against many types of malware, including newer variants such as ransomware and destructive malware, which may encrypt or simply delete an organization’s data.

Backups also help to harden an organization against natural disasters like fire and floods. Additionally, over time, systems will fail and a plan needs to be in place to make sure that a business can recover from whatever incident occurs. Automated backups taken on a regular basis are a key component of an enterprise disaster recovery plan.

Automation

This Sub-Control is entirely automatable with very little effort on a Windows 10 system. Configuring this Sub-Control enterprise-wide across all systems can take a fair amount of IT knowledge to initially install. Backups are often setup by configuring an application to backup information to an external computer dedicated to backups, or to an external hard drive.

Guidance and Tools

Most operating systems come with built-in backup programs and utilities, which will need to be properly installed, setup, and configured. It is best practice to manually check enterprise backups from time to time to make sure that backup systems are working as intended, and can actually be utilized in case of a disaster. The following are examples of free backup utilities:

Step-by-step instructions for implementing this Sub-Control can be found in: Configuring Microsoft File History

Control 10.2: Perform Complete System Backups

Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

Category

Technical

Purpose

A backup is a duplicate of a computer system’s data, but different types and degrees of backups exist. A backup is commonly viewed as a small collection of a system’s overall data. Often times only a few important folders are backed up, such as containing photos, receipts, contracts, or tax information. This information may be stored on another computer system, external hard drive, removable media, or cloud service. This strategy is insufficient for protecting an organization. Flavors of backups include incremental, differential, or complete. A complete system image is a snapshot of all data and settings on a system.

If a system is breached by an attacker, infected with malware, or involved in an accident (e.g., fire, flood), it often takes a long time to bring a system or network back online. This could include reinstalling and re-configuring all of the enterprise systems and applications. Complete system backups rectify this issue by backing up not just important folders, but by backing up the entire computer, which can be pushed to new systems. Although this approach is a more complex solution, it makes recovery from a disaster or computer incident significantly faster. Backups protect against many types of malware including ransomware and destructive malware.

Automation

This Sub-Control is entirely automatable, although it requires a medium to advanced level of IT knowledge to initially setup and configure. It is often implemented by configuring a specific application to backup information to an external storage location with sufficient free space.

Guidance and Tools

It is best practice to manually check backups from time to time to make sure that any type of backups that an organization is relying upon is working as intended. Microsoft provides a system image creation and backup utility within Windows 10 Pro. There may be a need to obtain additional tools and services for backing up non-Windows systems. The following are examples of free backup utilities that can be used to take system images:

Step-by-step instructions for implementing this Sub-Control can be found in: Creating System Images with Windows 10 Pro

Control 10.4: Protect Backups

Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

Category

Technical, Procedural

Purpose

Backups can help an enterprise recover from a variety of disaster situations, be they the cause of malicious actors or accidents. Yet backups can be physically and digitally targeted by attackers looking to hurt an enterprise. Backups that are connected to a network can be altered or deleted by malware, and physical backup drives can be stolen or suffer fires, floods, and other natural disasters. Backups need to be protected from these threats in order to be useful when the time comes. Digital mitigations include authenticating users before access and encrypting backups. Physical mitigations include keeping backup drives locked away from thieves, and also outside of the same fire zone. This means that if a fire or flood were to strike an organization’s physical location, the backups would not be affected. This is sometimes accomplished by using third-party backup services to store data offsite. These backups need to be protected as well.

There are two primary groups of threats to backups: digital and physical. Digital threats include local and remote attempts to access backups without being properly authenticated. Additional issues include altering or deleting backups. Physical threats include theft of physical backups or natural disasters (e.g., fires, floods).

Automation

This Sub-Control can be somewhat automated. Third-party services can use a virtual private network (VPN) when backing up enterprise information to an offsite server. Microsoft’s BitLocker can encrypt any backups stored on a system. Physical protection of backups cannot be automated.

Guidance and Tools

Beware – encryption software can be dangerous if the password or encryption key is forgotten. If the password or key is lost, any enterprise data encrypted under that password or key will be unrecoverable.

Step-by-step instructions for implementing this Sub-Control can be found in: Enabling BitLocker

CIS Control 10.5: Ensure All Backups Have At least One Offline Backup Destination

Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.

Category

Procedural, Technical

Purpose

Over the past few years a new type of malware has become popular that prevents enterprises from accessing their own data. This malware requires affected organizations to pay money in order to regain access to their data, whereas a related form of this malware may instead block access and never provide it ever again. Malware that requires money to obtain access once again is called ransomware. Ransomware uses cryptography to block access to a system’s data via encryption. If the data is never provided back, it is considered destructive malware.

Besides user education and antivirus software, one of the best defenses against ransomware is backing up data to another system before there is a problem. But backups alone would not completely prevent this malware from accomplishing its goals. Typical backups may be connected to another system or network, meaning backup data can still be attacked. Therefore, regular backups should be stored in an unconnected, off-the-network, manner.

Keeping offline backups helps organizations recover and restore systems when ransomware or destructive malware hits a system. A common way for this malware to get into a network is to be installed via email attachments or downloads for websites. Both of these types of malware have impacted law enforcement, hospitals, governments, and academic institutions and cost millions of dollars to recover.

Automation

This is a very difficult Sub-Control to automate. Keeping offline backups means that once a backup is created, it needs to be manually removed from the network and stored elsewhere.

Guidance and Tools

The following documents can provide additional assistance in defending against ransomware:

CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

CIS Control 12: Boundary Defense

Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

Control 12.1: Maintain an Inventory of Network Boundaries

Maintain an up-to-date inventory of all of the organization’s network boundaries.

Category

Technical

Purpose

Network boundaries define how data flows and traverses an enterprise network. Wired and wireless boundaries will exist, alongside logical boundaries. Logical boundaries sometimes include subnetworks (e.g., subnets) or virtual local area networks (vLANs). Generally, information cannot flow from one subnet to another without a networking device such as a firewall or router acting as a gatekeeper. This establishes trust boundaries between network segments. Therefore, a survey should be conducted to understand current trust boundaries in an enterprise network.

Understanding network boundaries can be challenging in a network that developed organically. The simplest example of a network boundary is the demarcation between a wireless and wired network. Another commonly seen example of a network boundary is the external network, and the internal intranet which generally is not accessible from outside of the trust boundary. Additionally, another important boundary to keep in mind is when a single organization has multiple physical locations. Often IT will work to logically connect all of their physical locations together.

Specifically noting which networks are within a trust boundary, and then regularly checking them helps to prevent from accidentally trusting an untrustworthy device or network component. For instance, public users such as customers should not be granted access to the intranet, which often contains sensitive enterprise information.

Automation

This Sub-Control is generally not automatable. System owners and administrators will need to manually annotate and define network boundaries. This task needs to be performed on a fairly regular basis.

Guidance and Tools

Network scanning and monitoring tools can help test predefined network boundaries. Over time, internal networks can be misconfigured and the networking tools can help to test of network segments are actually segmented.

  • Nmap: Famous multipurpose network scanner, used by system administrators and hackers across the world to identify which devices are connected to your network (https://nmap.org). This tool can identify network devices, ports, and simple configuration settings. Only scan networks you don’t own, as that is often impolite, and in many cases illegal.
  • ZenMap: This tool builds on top of Nmap, and puts a graphic user interface on top of it to make the tool easier to use for those who do not feel comfortable using the command line (https://nmap.org/zenmap).

Control 12.4: Deny Communication Over Unauthorized Ports

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization’s network boundaries.

Category

Technical

Purpose

The overarching CIS Control 12 details precautions that should be taken for boundary defense, which is the notion of establishing and protecting a perimeter around an organization’s externally facing networking equipment. Sub-Control 12.4 manages how communication is controlled on networking devices, such as firewalls. In order to accomplish this, the firewall configuration and ruleset in use should be carefully reviewed, monitored, and curated. If an enterprise-grade firewall is not in use, many of the dual-use modems/wireless access points from the ISP will often have a firewall built into the system which can be enabled.

A large majority of attacks launched against an organization will attempt to enter networks through a firewall. Firewalls often act the default entry point into a network and can deny communication over certain ports. Because of this they are under nearly constant attack and must be configured properly to protect the organization’s assets sitting behind them. A firewall is typically envisioned to protect against basic attacks using a variety of protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Network Time Protocol (NTP).

Automation

Expensive enterprise tools can be purchased that require skilled technical staff to monitor and verify router configurations. This is generally not automatable for small- to medium-sized businesses.

Guidance and Tools

It is not possible to list all of the models of networking equipment. The following links are provided to show how to enable the built-in firewalls on some of the most common modems/wireless access points from United States Internet Service Providers (ISPs):

_images/BenchmarksLogo.png

CIS offers in-depth guidance for many types of firewalls and other network appliances (https://www.cisecurity.org/cis-benchmarks).

CIS Control 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

Control 13.1: Maintain an Inventory of Sensitive Information

Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider.

Category

Procedural

Purpose

Sensitive data can be stored on smartphones, point of sale (POS) terminals, and backend systems. Enterprises should have a listing of their sensitive information, and which computer systems retain that data. Those that do not carefully identify and separate their most sensitive and critical assets from less sensitive, publicly accessible information on internal networks can have a hard time preventing unauthorized access. If sensitive enterprise information is stored on an unknown or unprotected system, the information is more likely to be accessed in an unauthorized manner. Any listing of sensitive information in formation should also be properly labeled. If sensitive enterprise information is not labeled correctly, then it may be accidentally distributed to unauthorized outside parties.

Automation

This Sub-Control is generally not automatable. It is most often necessary to manually identify and list sensitive files and other applicable information through usage of lists and labels within files or documents.

Guidance and Tools

Sensitive information can be tracked in a spreadsheet in a similar manner to hardware and software assets. CIS offers a free spreadsheet to track sensitive information within the enterprise contained within the Appendix of this document. The definitions of, and policies surrounding the usage of labels for data classification should be understood by all employees handling sensitive information. This in turn means that all sensitive, confidential, or proprietary information should be clearly labeled for internal use. Ultimately, what constitutes sensitive information is defined by local laws and the needs of an enterprise. Examples of sensitive information include:

  • Personally Identifiable Information (PII);
  • Trade secrets or proprietary information;
  • Financial information (e.g., taxes, debit card numbers);
  • Cryptographic keys;
  • Passwords; and
  • Biometric data.

Control 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization

Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

Category

Technical

Purpose

A breach of sensitive enterprise data and systems can cost time, money, and bring an organization out of compliance with local laws governing sensitive information. Sensitive data and computer systems infrequently accessed may not receive the regular maintenance and attention necessary to properly manage them. Therefore, systems that are infrequently used should be removed from service across the entire enterprise network. This helps to reduce enterprise attack surface leaving fewer systems that can be targeted. Older and infrequently used systems may fall into disrepair. These systems are not likely to receive regular software updates, which means the operating system and applications will likely contain vulnerabilities that can be exploited to access the system and any data.

Automation

There is no way to automate the implementation of this Sub-Control. Individuals will be needed to manually label sensitive data, and identify which systems store that sensitive data. Putting this Sub-Control into place will often require a hardware asset inventory as detailed in Sub-Control 1.4, alongside a sensitive information inventory as detailed in Sub-Control 13.1.

Guidance and Tools

Systems that are irregularly accessed and maintained should not be network connected while hosting sensitive enterprise information. If the systems are necessary to ensuring the goals of the organization, consider attempting to use them in a non-networked fashion or virtualizing the system.

Control 13.6: Encrypt Mobile Device Data

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices

Note

The definition of a mobile device varies from organization to organization. Some organizations will only apply this Sub-Control to smartphones and tablets, whereas others will include laptops within the purview of “mobile.” Organizations defining laptops as mobile devices should look to ensure that BitLocker is implemented.

Category

Technical

Purpose

Smartphones and tablets used by employees for work activities contain a treasure trove of sensitive enterprise data. This includes both personal devices and those provided by the company. This is true for upper management, rank and file, and all employees in between. It is commonplace for employees to use a phone to obtain company email. Therefore, an organization’s sensitive email, with proprietary secrets, financials, and more, is stored on a device that an employee could easily misplace or have stolen. One of the best ways to help protect against these failures is to encrypt a company’s information while on the device.

Automation

This Sub-Control is automatable if the correct combination of hardware, software, and policy is purchased. The correct software to obtain will depend on the way that enterprise devices are provided to employees such as with Bring Your Own Device (BYOD) scenarios. Enterprise mobility management (EMM) systems can force all of the smartphones or tablets accessing company email to encrypt mobile data. This Sub-Control can also be solved in a manual fashion with the correct configuration options without much effort.

Guidance and Tools

Mobile data is often secured by default on mobile devices, but this is not always the case. For each phone accessing enterprise email, the appropriate encryption setting must be selected. This will look different on each type of phone, so it may be difficult to identify step-by-step instructions. A vast majority of users will have phones from Samsung, Google, or Apple, therefore identifying and learning how to encrypt data on each of these platforms will often be sufficient. For additional information on how to secure mobile devices, reference the CIS Mobile Companion Guide. It was created with many of the industry’s leading experts and provides created detailed guidance for how to secure mobile devices.

_images/BenchmarksLogo1.png

CIS provides detailed instructions for how to secure Google’s Android and Apple’s iOS mobile platforms. Instructions for encrypting the device can be found within these two documents (https://www.cisecurity.org/benchmark/google_android),(https://www.cisecurity.org/benchmark/apple_ios).

CIS Control 14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

Control 14.6: Protect Information Through Access Control Lists

Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Category

Procedural

Purpose

Different types of employees will need varying levels of access within an enterprise. Users with more sensitive roles and job responsibilities may need additional access, such as Human Resources and Finances, whereas users with more simple workplace needs will necessitate fewer permissions. This means that access to data, systems, and files should be provided according to business needs. Administrative or super user access should not be provided to all employees.

Users with large amount of system access can easily make accidental changes that affect multiple users and systems. Sometimes these changes will not be easily recoverable, like deleting an entire network drive. Another scenario worth considering is if a user with broad privileges has their accounts compromised, the attacker would be able to access everything that user is able to access.

Automation

User access can be accomplished through Windows Active Directory Group Policy. This functionality can also be controlled through Windows Intune. Not all systems will be domain joined – for instance firewalls will also need access control decisions made and enforced. Ultimately access control decisions will need to be made by a human.

Guidance and Tools

Correctly configuring access control on a computer system can be a complex task.

  • Qualys Browser Check: A tool to check if a browser is up-to-date with all its patches (https://browsercheck.qualys.com).
  • OpenVAS: A tool to scan systems to check security baselines (www.openvas.org).
_images/BenchmarksLogo2.png

CIS offers free PDFs with configuration guidelines for 100+ technologies, which can be used to correctly configure users, applications, and other access control lists (https://www.cisecurity.org/cis-benchmarks).

CIS Control 15: Wireless Access Control

The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (WLANs), access points, and wireless client systems.

Control 15.7: Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Category

Procedural

Purpose

The Advanced Encryption Standard, or AES, is an algorithm used encrypt information standardized by the United States Government in 2001. It is considered a modern, strong cipher that has withstood attempts to break it for years. This purpose of this Sub-Control is to make sure that an organization’s wireless traffic is strongly encrypted. AES is built into most wireless access points, or wireless routers, that can be bought at major electronics stores. AES is utilized with Wireless Protected Access version 2, or WPA2. Using Wireless Equivalent Privacy (WEP) or Wireless Protected Access (WPA) version 1 does not meet this Sub-Control, as AES will not be the algorithm used to encryption wireless information. Both WEP and WPA also have other significant flaws and should not be used. It is easier for an attacker to sniff wireless communications than wired communications, and by properly setting up AES, anyone on the wireless network will not be able to understand the transmitted network traffic.

Automation

This Sub-Control is entirely automatable for many types of wireless traffic, including WiFi. Simply selecting the proper configuration settings on a wireless access point will make sure AES is being used for all devices that connect to the network.

Guidance and Tools

AES should be enabled for all wireless networks within an enterprise. This includes 2.4 Gigahertz (GHz) and 5 GHz, as these are two completely separate wireless networks that must be properly configured. It’s not possible to list all of the models of wireless routers, but the following links are provided to show how to enable encryption on some of the most common wireless access points from United States ISPs.

Step-by-step instructions for implementing this Sub-Control can be found in: Identifying if a WiFi Connection is Using AES

Control 15.10: Create Separate Wireless Network for Personal and Untrusted Devices

Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Category

Procedural

Purpose

Some computers, tablets and smartphones are more trustworthy than others. If a device is bought, configured, and safely used by an employee or enterprise, it is likely more trustworthy than a completely unknown device that an enterprise has never seen before. This level of trust can be extended past enterprise devices and into a company’s networks. Devices that are trusted and used only for company tasks should be kept on a completely separate network from personal devices owned by employees or guests. This will keep devices that are misconfigured, infected with malware, or insecurely built from being used to infect a network and its systems. These devices may already harbor malware that could steal sensitive enterprise data, or attack other computers and devices on a network. One infected device can place every device within the network in danger.

Automation

Making a clearly identified guest network available for personal and guest devices helps employees and guests know which networks are for enterprise use and which are not. There is no easy way to automate this Sub-Control. Separate networks will need to be created and properly configured at each wireless access point. Many popular wireless access points come with the ability to broadcast a guest network built right in.

Guidance and Tools

The following resources show how to create guest networks on some of the most common wireless access points from United States ISPs.

CIS Control 16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts - their creation, use, dormancy, deletion - in order to minimize opportunities for attackers to leverage them.

Control 16.8: Disable Any Unassociated Accounts

Disable any account that cannot be associated with a business process or business owner.

Category

Technical

Purpose

Extraneous accounts can be used to attack the system they are associated with, but also to compromise other nodes on a network. These accounts can be created on accident, for testing purposes, or be leftover accounts from contractors or employees no longer employed at an organization. Attackers often find and exploit legitimate, but inactive user accounts, and use them to impersonate legitimate users. When this occurs, it makes tracking the activities of attacker behavior quite difficult for those responding to a breach or performing forensic analysis. This Sub-Control states the need for disabling unassociated accounts but not deleting them. Deletion is not recommended as this will not preserve the audit trail and hamper any future computer incident investigations.

Unassociated accounts are often known as “stale” or “ghost” accounts on a system, and are a weak link for attackers. Accounts that have not been used by an employee are valuable accounts for an attacker to overtake. This is due in large part since the original account owners are not actively using the account, so it is difficult for an enterprise to notice if the account is being used maliciously.

Automation

This Sub-Control is not entirely automatable. Products and scripts can be written to highlight suspect accounts, but the ultimate decision on whether accounts should be disabled may need to be made by a human.

Guidance and Tools

Regardless of the edition of Windows 10 that is in use, all local and remote accounts on enterprise computer systems should be regularly checked and audited. This also extends to smartphones, network appliances, and any system that enterprise utilize accounts for user access.

Step-by-step instructions for implementing this Sub-Control can be found in: Viewing Accounts on a Windows 10 System

Control 16.9: Disable Dormant Accounts

Automatically disable dormant accounts after a set period of inactivity.

Category

Technical, Procedural

Purpose

System and user accounts establish identity and access on information systems. Operating system privileges and granular file permissions can be assigned to individual users and groups of users (i.e., roles). When an organization is using Active Directory and domain controllers, each employee is generally assigned an account and assigned roles for what they are allowed to do within an organization’s entire network architecture. Local accounts unique to a system are often also utilized. When employees leave an organization, or even change organizational units, their privileges are removed. Yet it is possible to go a step further and automatically disable accounts after a predetermined period of time. Deleting accounts is not always recommended as this may disturb user, system, or application logs, or other information that may be needed to audit user activity in case an incident is discovered in the future.

Dormant accounts are often known as “stale” or “ghost” accounts on a system, and are a weak link for attackers. Accounts that have not been used by an employee are valuable accounts for an attacker to overtake. This is due in large part since the original account owners are not actively using the account, so it is difficult for an enterprise to notice if the account is being used

Automation

Products and scripts can be written to highlight suspect accounts, but the ultimate decision on the length of time before an account should be disabled will need to be made by a human.

Guidance and Tools

There is no standard for the time interval before inactive accounts should be disabled. The length of time is sometimes 15 – 30 days, whereas others recommend 90 days. Enterprises requiring a higher level of security should utilize shorter timeframes.

Step-by-step instructions for implementing this Sub-Control can be found in: Viewing Accounts on a Windows 10 System

Control 16.11: Lock Workstation Sessions After Inactivity

Automatically lock workstation sessions after a standard period of inactivity.

Category

Technical

Purpose

Using a password to regularly log into a computer can cause trouble for a user, especially if a computer quickly locks. Yet too often computers are left unattended without being locked. Unlocked computers allow anyone to access the information and applications open on a system. A point of sale (POS) system, tax information, and even an employee’s personal information will be available to anyone who walks up to an unattended enterprise workstation. This Sub-Control applies to more than just a computer system since smartphones and tablets can also be left unlocked.

This Sub-Control is important because it protects from very basic, low-effort, and easy to do attacks. People with very little technical skill can walk up to a computer and access a company’s information if there is no lock on the system. If someone with technical knowledge accessed a system without a lockscreen, depending on how the computer is setup, they can install malware and potentially access passwords used by employees. In a worst-case scenario, they can potentially bring enterprise computer systems and networks down if passwords are reused or if the computer they are on is setup to manage other devices.

Automation

This type of policy can be controlled and monitored automatically if you have your systems joined to a domain. This is a fairly basic configuration setting that can be completely accomplished automatically.

Guidance and Tools

There is no universally agreed upon time frame for how quickly a computer should lock. Locking after one or two minutes of inactivity may be too quick, and cause frustration while trying to read emails, articles, and spreadsheets. Many organizations recommend 5 minutes as a balance between security and usability. With that said, the following should be kept in mind:

  • All computers, phones, and tablets should have their settings changed to lock after a predetermined time. Although you may not be able to enforce it, at least asking employees who use their phones to access work emails to put a password or lock on their personal phones and tablets.
  • Employees should be regularly reminded of the dangers of leaving their computer systems unlocked.

Step-by-step instructions for implementing this Sub-Control can be found in: Automatically Locking a Workstation.

CIS Control 17: Implement a Security Awareness and Training Program

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

Control 17.3: Implement a Security Awareness Program

Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner.

Category

Procedural

Purpose

Employees are the first line of defense in any good security program. In some sense, the phrase “you are only as strong as your weakest link” is very true in security. Sometimes all it takes is one employee to unknowingly install a malicious program on their computer to lead to a security breach. This is why it is important that all employees know practice a basic awareness of how to keep themselves and the company secure. This starts with a security awareness program.

Many of the top security threats taking advantage of the human factor of security. These include social engineering type attacks such as phishing, spear phishing, vishing, pretexting, baiting, and others. Many threats take advantage of human tendency or emotion. They look to trick employees who are not paying attention to detail or who get caught believing an emotional story.

Automation

There are third-party training platforms available which can reduce the overhead of implementing a security awareness program. Third-party training platforms are engaging and up-to-date but may be too costly for small organizations.

Guidance and Tools

A good security awareness program is more than just an onboarding program or annual training. The U.S. Department of Health and Human Services (HHS) provides material for cybersecurity awareness training. The Multi-State Information Sharing and Analysis Center (MS-ISAC) has a monthly security newsletter that people can subscribe for a free monthly newsletter targeted at end users (https://learn.cisecurity.org/ms-isac-subscription). Here are some key components of a good security awareness program:

  • Acceptable use policy: This policy should be in place to lay out the expectations an organization has around its security. This should explain to the employee that they have responsibilities for security in their everyday work.
  • New employee onboarding training: New employees need to know organizational expectations for security. This training can be formal training provided by third-parties, or may be informal training provided by their supervisor.
  • Management awareness: Employees need to hear and feel that management takes security seriously and is counting on them to do their part. This can be accomplished by dedicating a moment to security in corporate wide meetings or announcements.
  • Posters and spotlights: Hanging security awareness posted, like those from SANS (https://www.sans.org/security-resources/posters), or sending out Security Spotlight emails on a regular basis are a good way to continually emphasis security to employees.
  • Annual refresher training: Employees should be asked to go through a security awareness refresher once a year.

Control 17.5: Train Workforce on Secure Authentication

Train workforce members on the importance of enabling and utilizing secure authentication.

Category

Procedural

Purpose

Especially with the move to a cloud-first and mobile-first world, employees now more than ever need to be trained to properly manage their user accounts. In many cases, their user account is the only line of defense to prevent an attacker from infiltrating an organization’s enterprise infrastructure. Employee user account security is important even if an enterprise company has a local network. Storing passwords on sticky notes, sharing password with co-workers, or using the same password for all accounts are all examples of poor practices which can be exploited by attackers leading to significant harm for a company.

Account takeovers are a common approach for attackers to gain a foothold within an organization and begin taking data or control. With access to a legitimate account, attackers will often attempt to move horizontally to take over other accounts, launch phishing campaigns which appear legitimate, and look to obtain sensitive. Additionally, it can be very difficult to detect and track an attacker who has taken over a legitimate account. Finally, users may share personal passwords with enterprise accounts. Personal accounts may be a victim of a breach, and the username and password for the enterprise account is no always changed.

Automation

There are third-party training platforms available which can provide up-to-date information on secure workforce authentication, but these may be too costly for small organizations. Many platforms and services provide the ability to setup two factor authentication (2FA).

Guidance and Tools

Employees should be trained on how to setup user accounts and keep them secure. This training should be provided upon hire and should be included in the annual security awareness training. It is critical that a company also establish that each employee has a unique account for themselves. To the extent possible, do not permit shared accounts. Although shared accounts may be advantageous for licensing and other purposes, they are less than ideal security conditions. The Electronic Frontier Foundation provides a useful poster on secure authentication.

Here are a few keys points all employees should know about their accounts:

  • Use strong, unique passwords: Create passwords which are 14 characters or more.
  • Setup 2FA on all possible accounts: This adds an additional and critical step to a website’s login process. 2FA uses a smartphone or hardware device to identify someone to a website. Visit twofactorauth.org for instructions on setting up 2FA on popular websites.
  • Do not share passwords: It is not possible to track who performed what action when multiple users have the same password.
  • Do not use the same password for all accounts: The best practice is to use unique passwords for every account. At a minimum, do not use passwords used for personal use for business use.
  • Do not use any personally identifiable information in your passwords: Names, birthdays, and street addresses may be easy to remember but they are also easily found online and should always be avoided in passwords to ensure the greatest strength.
  • Avoid using similar passwords that change only a single word or character: This practice weakens account security across multiple sites.

Control 17.6: Train Workforce on Identifying Social Engineering Attacks

Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.

Category

Procedural

Purpose

Social engineering attacks are one of the more common and successful types of attacks. This is because they prey upon human tendencies and emotions. Even if not always successful, any successfully social engineering attack can have a tremendous impact on an organization. While these types of attacks are often preventable, they are getting more and more sophisticated and harder to spot. This is why is important for employees to know what to look for and how to spot suspicious activity in their email, over the phone, and even in person.

Social engineering attacks include phishing, spear phishing, vishing, pretexting, baiting, tailgating, and quid pro quo. Phishing is the most common type of social engineering attack, and occurs when an attacker is able to get a victim to perform some action such as disclosing sensitive information like an enterprise password. Another form of phishing will trick the user to navigating to a website that downloads malicious software and subsequently installs it on an enterprise system.

Automation

There are third-party training platforms available which can reduce the overhead of implementing a security awareness program for identifying social engineering attempts. Third-party training platforms are engaging and up-to-date but may be too costly for small organizations.

Guidance and Tools

Social engineering attacks are best defeated by an aware and skeptical employee base. Employees need to be aware of their tendencies and maintain a healthy skepticism of anyone or any communication which is not from a trusted, known party. Holding regular social engineering awareness trainings along with regular corporate communications which show examples of social engineering attacks are good exercises. Conducting role-playing training for employees to be exposed to this type of tactic will help employees respond appropriately in real world scenarios.

  • Google: This high-quality video can be used to train employees on how to Stay Safe from Phishing and Scams.
  • NIST: This high-quality video can be used to train employees on how to identify social engineering attack titled You’ve been Phished.
  • Much of the guidance provides in 17.5 can be useful for this Sub-Control.

Control 17.7: Train Workforce on Sensitive Data Handling

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.

Category

Procedural

Purpose

The act of labeling data according to its sensitivity is a type of data classification. It often involves placing a “PROPRIETARY”, “SENSITIVIE”, OR “CONFIDENTIAL” mark on a document. These markings allow organizations to more easily make the appropriate security decisions to govern their own data. This often involves allocating additional resources and developing policies to protect sensitive company information. For instance, placing trade secrets on a cloud platform may not be wise if their secrecy is pivotal to the business continuing normal operation. If an organization does not perform data classification, it is more likely that unintentional data loss may occur. Therefore, clearly labeling data prevents intentional and unintentional data breaches.

Automation

This Sub-Control is generally not automatable. Third-party organizations offer platforms that can help to train users in the proper way to handle sensitive information.

Guidance and Tools

Proper sensitive data handling begins with having a sensitive data policy. This policy should detail what information is considered sensitive, how employees should identify it, and how to handle the data. One this policy is in place; it is important that employee be trained on how to follow the policy and be reminded of the importance of seeking approval for any exceptions. Be sure to include the follow in the policy and subsequent training:

  • How to identify sensitive information.
  • How to transmit sensitive information within the organization.
  • When it is appropriate and how to transmit sensitive information outside the organization.
  • How to direct outside organizations to transmit sensitive data to you.
  • Where to digitally store sensitive information.
  • What to do if you find sensitive information in an unauthorized location.
  • When it is appropriate to print sensitive information, how to store printed copies, and how to dispose of it.
  • How long to retain sensitive information and how to securely dispose of it.
  • How to seek exceptions to sensitive data policy.

Control 17.8: Train Workforce on Causes of Unintentional Data Exposure

Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

Category

Procedural

Purpose

People play a huge role in preventing data breaches, often more critical than any technological solution. Employees must be regularly exposed to and reminded of causes of data exposure and data breaches. The following is a non-exhaustive list:

  • Loss of device with sensitive information;
  • Leaving sensitive information in an insecure area;
  • Downloading sensitive information to temporary or download folders which are not secure;
  • Sending sensitive information over insecure communication channels (e.g., unencrypted email, text messages);
  • Sending sensitive information to the wrong recipient;
  • Insufficiently reviewing newly created data for its proper sensitivity level;
  • Assigning permissions to sensitive information to the wrong person;
  • Improperly segmenting data based on need to know; and
  • Improperly setting access controls on sensitive data.

Automation

This Sub-Control is generally not automatable. Network appliances can be put into place such as a firewall, data loss prevention, intrusion detection system, or an endpoint protection suite (e.g., antivirus) to prevent data exposure. Third-party organizations offer platforms that can help to train users to recognize the symptoms of accidental and unintentional ways to affect the security of an organization.

Guidance and Tools

It is important regularly training workforce members, but not overwhelm them. Do not expect them to be cybersecurity experts. The key is identifying key events and continuing to remind them to report any and all suspicious happenings, even if they are unsure. By regularly reminding employees of accidental causes of data breaches, they will be more mindful and can understand the risks associated with their actions.

Control 17.9: Train Workforce Members on Identifying and Reporting Incidents

Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

Category

Procedural

Purpose

As with most incidents, the earlier a security incident is identified and a response is initiated, the less severe the incident will likely become. It is also true that earlier detection often leads to more information being available about the incident. This information may be key to stopping an ongoing attack and to understanding certain details such as how the attack was conducted and what impact it caused. One of the key details required in many states laws is information on how the breach occurred, how many people were impacted, and what was done to remedy the attack. Reducing the impact and understanding the details of the breach are both much more achievable with earlier detection and response. Employees are key to this early detection. Employees should be trained on the types of things to look for and how to report suspicious behavior or events.

Automation

This Sub-Control is generally not automatable. Network appliances can be put into place such as a firewall, intrusion detection and prevention system, or an endpoint protection suite (e.g., antivirus) to stop incidents from occurring in the first place. Third-party organizations offer platforms that can help to train users to recognize the symptoms of an incident.

Guidance and Tools

It is important not to overwhelm workforce members or expect them to be security experts. It is unreasonable to expect them to all become cybersecurity experts, but i important they report suspicious happenings and occurrences. The key is identifying key events and continuing to remind them to report these if seen. Here is a non-exhaustive list of some events to train employees to report:

  • Emails asking for sensitive information that are out of context or from unknown senders.
  • Emails from an unknown sender who is asking the person to click a link.
  • Phone calls from unknown, unverifiable source asking for sensitive information or to make changes to their account.
  • Unknown people in areas of the office designated for employees only.
  • Sensitive data is observed in a non-secure physical or digital location.
  • Removable media that is not labeled and not claimed by an employee.
  • Evidence of unknown programs running on their computer, such as a Windows User Account Control (UAC) prompt for an unrecognizable program.

CIS Control 19: Incident Response and Management

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

Control 19.1: Document Incident Response Procedures

Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

Category

Procedural

Purpose

If an organization continuously operates for a long enough period of time, it is likely that they will suffer a cyber breach. Even if a breach never occurs, it is best to plan for the possibility, even if just from a legal liability standpoint. When a data breach occurs, it can feel like multiple extremely important events are all taking place at the same time. Important processes, procedures, and security critical tasks can be forgotten during this time frame. That is in part why a series of written procedure for how to handle a cyber incident before it occurs is needed.

The threats surrounding this Sub-Control mostly revolve around the inappropriate handling of a cyber incident while it is active. This means accidents from internal employees tasked with responding to the breach. This is especially true if the breach is the first one an organization has experienced. Improper data breach handling can lead to the breach getting worse, for instance malware getting deeper into a network and having additional access to sensitive data.

Automation

There is no way to automate this this Sub-Control. Yet this does not mean that an incident response plan and associated response procedures must be made from scratch. Incident response procedures can be procured from other similar organizations that already have them in place. These procedures can be modified to fit most organizations’ needs.

Guidance and Tools

Many organizations offer useful incident response guidance.

Control 19.3: Designate Management Personnel to Support Incident Handling

Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

Category

Procedural

Purpose

During an incident, many important decisions will need to be made in a short timeframe. For this reason, it is necessary for management personnel with the authority to make those decisions to be involved in the incident handling process. Designated management personnel should have a clear understanding of their role in the process ahead of time, before incidents occur. Backup personnel should also be designated in case the corresponding primary personnel are unavailable when an incident arises.

Automation

There is no way to automate this this Sub-Control. Yet this does not mean that an incident response plan and associated response procedures must be made from scratch. It is possible to obtain incident response procedures from other similar organizations that already have them in place. These procedures likely nominate management and technical roles for certain response positions, and these can be can be modified to fit an organization’s needs.

Guidance and Tools

Many organizations offer useful incident response guidance.

Control 19.5: Maintain Contact Information for Reporting Security Incidents

Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.

Category

Procedural

Purpose

Incidents often necessitate the involvement or notification of multiple third-party organizations. Depending on the nature of the incident, it may be necessary to contact law enforcement, other government agencies, vendors and business partners, or Information Sharing and Analysis Center (ISAC) partners. It is best to have the contact information for these organizations consolidated, up-to-date, and easily accessible, as it may be difficult and time-consuming to try to look up all of this information while an incident is taking place. Keep in mind that some cyber incidents may result in limited access to networks and files during incident response, so having this information available in varied locations or formats (including a hardcopy) can also be helpful.

Automation

There is no way to automate this this Sub-Control. Yet this does not mean that an incident response plan and associated response procedures must be made from scratch. It is possible to obtain incident response procedures from other similar organizations that already have them in place. These procedures likely nominate management and technical roles for certain response positions, and these can be can be modified to fit an organization’s needs.

Guidance and Tools

Many organizations offer useful incident response guidance.

Control 19.6: Publish Information Regarding Reporting Computer Anomalies and Incidents

Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities.

Category

Procedural

Purpose

The types of computer incidents regularly affecting a company can be useful when devising training activities. Each incident is an opportunity for learning, and then using those lessons to improve the process that is already in place. Besides feeding back into computer incident response activities, this information can also be communicated to contractors and employees of an organization as part of the regular user education process for cybersecurity. Understanding the general threats a company faces can help employees to make better decisions the next time around, responding more appropriately, and ultimately mitigating the impact of an incident.

Publishing information about previous computer incidents helps personnel prevent improper handling of an incident. Improper incident handling can lead to malware accessing your sensitive enterprise data for longer periods of time as it may not be properly removed. Another issue of significance is that improper incident handling may violate local and federal laws about the privacy of data and breach notifications.

Automation

This Sub-Control generally cannot be automated. Yet this does not mean that an incident response plan and associated response procedures must be made from scratch. You can obtain incident response procedures can be procured from other similar organizations that already have them in place. These procedures can be modified to fit your needs.

Guidance and Tools

The following can be useful when looking to report computer anomalies and incidents:

Appendix

This section contains step-by-step guidance to secure a Windows 10 platform in according with CIS Implementation Group 1.

Hardware and Software Asset Tracking Spreadsheet

Elements of a Hardware Asset Tracking Spreadsheet can include the following:

  • Asset Name: Colloquial name of the asset
  • Type: The type of the asset (e.g., workstation, firewall, router)
  • Description: A description of the asset
  • Model: The model of the asset
  • Manufacturer: The organization that created the asset
  • Internal ID: Any identifier used internally to name a manufacturer
  • MAC: The MAC address of the asset
  • IP: The IP address of the asset, but this may change over time.
  • Physical Location: The location within enterprise the asset is located, may be N/A for virtual or cloud-based systems
  • Purchase Date: The date the asset was acquired by the organization.
  • Warranty Information: Any relevant warranty information needed for the manufacturer
  • Other Notes: Other notes as needed:
_images/HardwareAssetTrackingSpreadsheet.png

Sensitive Information Tracking Spreadsheet

Elements of a Sensitive Information Tracking Spreadsheet can include the following:

  • Name
  • Type
  • Description
  • Model
  • Manufacturer
  • Vendor ID
  • Internal ID
  • Purchase Date
  • Warranty Information
  • Other Notes
_images/HardwareAssetTrackingSpreadsheet.png

Uninstalling Software

Applies to Sub-Control 2.6

Perform a search for Settings.

_images/SearchingForSettings.png

Searching for Settings.

Select Apps.

_images/WindowsSettingsHomeScreen.png

Windows Settings Home Screen.

All of the installed applications on the Windows 10 machine are available here. Select the application that should be uninstalled. Note that some of the listed apps cannot be uninstalled.

_images/ListingofInstalledApplications.png

Listing of Installed Applications

Select Uninstall.

_images/SelectedInstalledApplication.png

Selected Installed Application

Select Uninstall another time to confirm.

_images/UninstallingAnApplication.png

Uninstalling An Application

Configuring Automated Operating System Patch Management Tools via Windows Settings

Applies to Sub-Control 3.4

Note

The local group policy method used in the next section is the preferred way of implementing this Sub-Control.

In the Windows search bar with the magnifying glass icon, type windows update. This is shown below.

_images/SearchingForWindowsUpdateSettings.png

Searching for Windows Update Settings

Select Windows Update settings. This will bring you to the Windows update panel. This screen shows the status of updates on a computer.

_images/WindowsUpdateStatus.png

Windows update status

Note

Selecting Check for updates will automatically search for a system update. Selecting Advanced options will provide additional system update settings.

Ensure that Pause Updates is set to Off.

_images/AdvancedUpdateOptions.png

Advanced Update Options

Configuring Automated Operating System Patch Management Tools via LGPE

Applies to Sub-Control 3.4

Note

Local Group Policy Editor can be used to configure device settings for patching Windows 10 Pro.

In the Windows search bar with the magnifying glass icon, type local group to open the Local Group Policy Editor. This is shown below:

_images/SearchingForLocalGroupPolicyEditor.png

Searching for Local Group Policy Editor

The Local Group Policy Editor is show below.

_images/LocalGroupPolicyEditorHomeScreen.png

Local Group Policy Editor Home Screen

Under Computer Configurations, select Administrative Templates, and then Windows Components.

_images/LGPEWindowsComponents.png

LGPE Windows Components

Select Windows Update and double click Configure Automatic Updates.

_images/LGPEWindowsUpdateSettings.png

LGPE Windows Update Settings

Ensure that Enabled is selected, and Configure automatic updating is set to: 4 – Auto download and schedule the install. Select OK.

_images/AutodownloadHomeScreen.png

Autodownload Home Screen

Automatic Application Updates via the Microsoft Application Store

Applies to Sub-Control 3.5

In the Windows search bar with the magnifying glass icon, type Microsoft Store.

_images/SearchingTorTheMicrosoftStore.png

Searching for the Microsoft Store

The Microsoft Store is shown below. Select the three dots (…) in the top right under the X.

_images/MicrosoftStoreHomeScreen.png

Microsoft Store Home Screen

Select Settings.

_images/AvailableSettingsInMicrosoftStore.png

Available Settings in Microsoft Store

Ensure that Update apps automatically is set to On.

_images/DetailedSettingsInMicrosoftApplicationStore.png

Detailed Settings in Microsoft Application Store

More steps are required to partially fulfill this Sub-Control. In the Windows search bar with the magnifying glass icon, type windows update. This is shown below.

_images/SearchingForWindowsUpdateSettings.png

Searching For Windows Update Settings

Select Windows Update settings. This will bring you to the Windows update panel. This screen shows the status of updates on this computer. Select Advanced options.

_images/WindowsUpdateHomeScreen.png

Windows Update Home Screen

Selecting Advanced options will provide additional system update settings shown here.

_images/WindowsUpdateAdvancedOptions.png

Windows Update Advanced Options

Selecting Give me updates for other Microsoft products when I update Windows will automatically download updates for applications like Microsoft Word or Microsoft Excel.

_images/AdvancedWindowsUpdateOptions.png

Advanced Windows Update Options

Changing the Default Password

Applies to Sub-Control 4.2

Note

The best method of achieving this Sub-Control is via local group policy in the next section.

Perform a search for Settings.

_images/SearchingForWindowsSettings.png

Searching for Windows Settings

Select Accounts.

_images/WindowsSettingsHomeScreen.png

Windows Settings Home Screen

Select Sign-in options.

_images/WindowsAccountsHomeScreen.png

Windows Accounts Home Screen

Select Change your account password.

_images/Sign-inOptionsHomeScreen.png

Sign-in Options Home Screen

Type the new password into the password field.

Note

Ensure the password is not a commonly used one.

_images/ChangingAWindowsPassword.png

Changing a Windows Password

Enforcing Password Length via LGPE

Applies to Sub-Control 4.2

Note

The Local Group Policy Editor can be used to enforce a minimum password length. The CIS Windows 10 Benchmark recommends a 14-character password.

In the Windows search bar with the magnifying glass icon, type local group to open the Local Group Policy Editor. This is shown below.

_images/SearchingForLGPE.png

Searching for LGPE

The Local Group Policy Editor is shown below.

_images/LocalGroupPolicyEditorHomeScreen.png

Local Group Policy Editor Home Screen

Under Computer Configuration, expand Windows Settings and select Security Settings.

_images/LGPESecuritySettings.png

LGPE Security Settings

Select Account Policies, then Password Policy and then Minimum password length.

_images/LGPEMinimumPasswordLength.png

LGPE Minimum Password Length

Input 14 as the minimum password length and select Apply.

Note

This will not automatically make a user change their password to meet policy. Users will need to manually update their password, but Windows will ensure that future passwords are at least 14 characters long.

_images/SelectingMinimumPasswordLength.png

Selecting Minimum Password Length

Identifying if an Account is an Administrator

Applies to Sub-Control 4.3

Perform a search for Settings.

_images/SearchingForWindowsSettings.png

Searching for Windows Settings

Select Accounts.

_images/WindowsSettingsHomeScreen.png

Windows Settings Home Screen

Accounts that have administrative access will say Administrator under the username.

_images/AccountHomeScreen.png

Account Home Screen

Checking Windows Defender Security Center

Applies to Sub-Control 8.2

Note

Windows Defender is enabled in Windows 10 by default. The following steps help to ensure that Windows Defender is properly enabled and the defaults have not been changed. This is not a substitute for configuring Windows Defender via the Windows LGPE. This is shown in Enabling Windows Defender Security Center via LGPE

Search for Windows defender in the search bar.

_images/SearchingForWindowsDefender.png

Searching for Windows Defender

Any items that need to be attended to will have an exclamation point within a triangle under the icon.

_images/WindowsDefenderSecurityCenterHomeScreen.png

Windows Defender Security Center Home Screen

Enabling Windows Defender Security Center via LGPE

Applies to Sub-Control 8.2

Note

Windows Defender Antivirus is enabled by default, and this prevents it from being disabled by a user.

In the Windows search bar with the magnifying glass icon, type local group to open the Local Group Policy Editor.

_images/SearchingForLocalGroupPolicyEditor.png

Searching for Local Group Policy Editor

The Local Group Policy Editor is show below.

_images/LGPEHomeScreen.png

LGPE Home Screen

Select Computer Configuration and expand Administrative Templates.

_images/LGPEAdministrativeTemplates.png

LGPE Administrative Templates

Expand Windows Components and then Windows Defender Antivirus.

_images/LGPEWindowsDefenderAntivirus.png

LGPE Windows Defender Antivirus

Double click Turn off Windows Defender Antivirus and ensure Disabled is selected.

_images/WindowsDefenderAntivirusSettings.png

LGPE Windows Defender Antivirus

Additional actions are required. Click the blue back arrow in the top left of the Local Group Policy Editor and select Real-time Protection, followed by Turn off real-time protection.

_images/LGPEReal-timeProtection.png

LGPE Real-time Protection

Ensure that Turn off real-time protection is Disabled. This prevents the application from being disabled.

_images/Real-timeProtectionSettings.png

Real-time Protection Settings

Enabling the System Event Audit Log

Applies to Sub-Control 6.2

Note

Enabling system logs on a Windows 10 system can be a complex task. There are hundreds of different types of logs that can all be enabled differently. This Guide shows one of many possible methods for enabling system event audit logs. For organizations looking for a solution balancing ease of use and security, CIS recommends organizations enable the following log types from Microsoft (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations).

In the Windows search bar with the magnifying glass icon, type local group to open the Local Group Policy Editor. This is shown below:

_images/SearchingForLocalGroupPolicyEditor.png

Searching for Local Group Policy Editor

The Local Group Policy Editor is show below.

_images/LocalGroupPolicyEditorHomeScreen.png

Local Group Policy Editor Home Screen

Under Computer Configurations, select Security Settings, and then Advanced Audit Policy Configuration.

_images/AdvancedAuditPolicyConfiguration.png

Advanced Audit Policy Configuration

Expand Advanced Audit Policy Configuration to show System Audit Policies - Local Group Policy Object. Expand once more to show the audit policies.

_images/SystemAuditPolicies.png

System Audit Policies

Under Account Logon, select Audit Credential Validation. Ensure that Configure the following audit events is checked, and that Success is checked.

_images/AuditCredentialValidationPolicies.png

Audit Credential Validation Policies

Under Account Management, select Audit Computer Account Management. Ensure that Configure the following audit events is checked, and that Success is checked.

_images/AuditComputerAccountManagement.png

Audit Computer Account Management

Under Account Management, select Audit Other Account Management Events. Ensure that Configure the following audit events is checked, and that Success is checked.

_images/AuditOtherAccountManagementEvents.png

Audit Other Account Management Events

Under Account Management, select Audit Security Group Management. Ensure that Configure the following audit events is checked, and that Success is checked.

_images/AuditSecurityGroupManagement.png

Audit Security Group Management

Under Account Management, select Audit User Account Management. Ensure that Configure the following audit events is checked, and that Success is checked.

_images/AuditUserAccountManagement.png

Audit User Account Management

Under Detailed Tracking, select Audit Process Creation. Ensure that Configure the following audit events is checked, and that Success is checked.

_images/AuditUserAccountManagement.png

Audit Process Creation

Under Logon/Logoff, select Audit Logoff. Ensure that Configure the following audit events is checked, and that Success is checked.

_images/AuditLogoff.png

Audit Logoff

Under Logon/Logoff, select Audit Logon. Ensure that Configure the following audit events is checked, and that Success is checked. Also ensure that Failure is checked.

_images/AuditLogon.png

Audit Logon

Under Logon/Logoff, select Audit Special Logon. Ensure that Configure the following audit events is checked, and that Success is checked.

_images/AuditSpecialLogon.png

Audit Special Logon

Under Policy Change, select Audit Audit Policy Change. Ensure that Configure the following audit events is checked, and that Success is checked. Also ensure that Failure is checked.

_images/AuditAuditPolicyChange.png

Audit Audit Policy Change

Under Policy Change, select Audit Authentication Policy Change. Ensure that Configure the following audit events is checked, and that Success is checked.

_images/AuditAuditPolicyChange.png

Audit Authentication Policy Change

Under System, select Audit IPsec Driver. Ensure that Configure the following audit events is checked, and that Success is checked. Also ensure that Failure is checked.

_images/AuditIPsecDriver.png

Audit IPsec Driver

Under System, select Audit Security State Change. Ensure that Configure the following audit events is checked, and that Success is checked. Also ensure that Failure is checked.

_images/AuditSecurityStateChange.png

Audit Security State Change

Under System, select Audit Security System Extension. Ensure that Configure the following audit events is checked, and that Success is checked. Also ensure that Failure is checked.

_images/AuditSecuritySystemExtension.png

Audit Security System Extension

Under System, select Audit System Integrity. Ensure that Configure the following audit events is checked, and that Success is checked. Also ensure that Failure is checked.

_images/AuditSystemIntegirty.png

Audit System Integrity

Note

Organizations interested in configuring a broader set of audit logs are encouraged to review the CIS Windows 10 Benchmark (https://www.cisecurity.org/benchmark/microsoft_windows_desktop/).

Scanning Removable Devices via LGPE

Applies to Sub-Control 8.4

In the Windows search bar with the magnifying glass icon, type local group to open the Local Group Policy Editor.

_images/SearchingForLocalGroupPolicyEditor.png

Searching for Local Group Policy Editor

The Local Group Policy Editor is show below.

_images/LGPEHomeScreen.png

LGPE Home Screen

Select Computer Configuration and expand Administrative Templates.

_images/LGPEAdministrativeTemplates.png

LGPE Administrative Templates

Expand Windows Components and then Windows Defender Antivirus.

_images/LGPEWindowsDefenderAntivirus.png

LGPE Windows Defender Antivirus

Select Scan and double click Scan removable drives.

_images/LGPEWindowsDefenderAntivirusScan.png

LGPE Windows Defender Antivirus Scan

Ensure this setting is set to Enabled.

Note

Note that this will not automatically scan any inserted device. Instead, if a Windows Defender Antivirus scan is run while a removable drive is inserted, that drive will also be within scope of the scan.

_images/WindowsAntivirusScanSettings.png

Windows Antivirus Scan Settings

Ensure that Turn off real-time protection is Disabled. This prevents the application from being disabled.

_images/Real-timeProtectionSettings.png

Real-time Protection Settings

Configuring AutoPlay via Windows Control Panel

Applies to Sub-Control 8.5

Perform a search for Settings.

_images/SearchingForWindowsSettings.png

Searching for Windows Settings

Select Devices.

_images/LGPEHomeScreen.png

Windows Settings Home Screen

Select AutoPlay.

_images/BluetoothAndOtherDevicesSettings.png

Bluetooth & other devices Settings

AutoPlay should be turned off.

_images/AutoPlaySettings.png

AutoPlay Settings

Configuring AutoPlay via LGPE

Applies to Sub-Control 8.5

Note

The Local Group Policy Editor can be used to configure the Windows 10 AutoPlay settings in addition to Windows Control Panel.

In the Windows search bar with the magnifying glass icon, type local group to open the Local Group Policy Editor.

_images/SearchingForLGPE.png

Searching for LGPE

The Local Group Policy Editor is shown below.

_images/LocalGroupPolicyEditorHomeScreen.png

LGPE Home Screen

Select Computer Configuration and expand Administrative Templates.

_images/LGPEAdministrativeTemplates.png

LGPE Administrative Templates

Select Windows Components and AutoPlay Policies.

_images/LGPEAutoPlayPolicies.png

LGPE AutoPlay Policies

Select Set the default behavior for AutoRun and ensure that setting is Disabled.

_images/LGPEAutoRunSettings.png

LGPE AutoRun Settings

Additionally, under AutoPlay Policies, Select Turn off Autoplay.

_images/TurnOffAutoPlaySettings.png

Turn Off AutPlay Settings

Set the value to Enabled.

_images/ProperAutoPlayConfiguration.png

Proper AutoPlay Configuration

Enabling Windows Defender Firewall

Applies to Sub-Control 9.4

Search for Windows Defender in the search bar.

_images/SearchingForWindowsDefender.png

Searching for Windows Defender

Select Firewall & network protection.

_images/WindowsDefenderSecurityCenterHomeScreen.png

Windows Defender Security Center Home Screen

Ensure that the Domain network, Private network, and Public network firewalls are set to on.

_images/FirewallAndNetworkProtectionSettings.png

Firewall and Network Protection Settings

If one of the three firewalls are not set to on, select that firewall to enable it.

_images/WindowsFirewallPublicNetworkSettings.png

Windows Firewall Public Network Settings

TODO Verify private network

Creating System Images with Windows 10 Pro

Applies to Sub-Control 10.2

Search for backup within the Windows search bar.

_images/SearchingForWindowsBackupSettings.png

Searching for Windows Backup Settings

The main backup screen within Windows 10 will be displayed. Select Go to Backup and Restore (Windows 7).

_images/Windows10BackupSettings.png

Windows 10 Backup Settings

Select Set up backup.

_images/BackupAndRestoreHomeScreen.png

Backup and Restore Home Screen

Select the local or network drive where backups should be stored.

_images/SelectingTheStorageLocationForBackups.png

Selecting the Storage Location for Backups

Choose whether Windows will select which files need to be backed up, or if this is a decision that needs to be made on a file by file basis. This example lets Windows select the files to be saved.

_images/ChoosingTheStorageLocation.png

Choosing the Storage Location

Select which accounts will be backed up. All accounts may be the most prudent option.

_images/SelectingTheAccountsThatWillBeBackedUp.png

Selecting the Accounts that will be Backedup

The backup will then begin. This may take a long amount of time to successfully complete.

_images/SuccessfulBackUpScreen.png

Successful Backup

Configuring Microsoft File History

Applies to Sub-Control 10.1

Search for backup within the Windows search bar.

_images/SearchingForWindowsBackupSettings.png

Searching for Windows Backup Settings

The main backup screen within Windows 10 will be displayed. Select Add a drive under Back up using File History.

_images/Windows10BackupSettings.png

Windows 10 Backup Settings

The Backup options home screen will be presented.

Note

There must be an external hard drive or removable media (e.g., USB drive, thumb drive) connected to the computer to backup information onto.

_images/FileHistoryBackupOptions.png

File history backup options

Scroll down and select See advanced options.

_images/AdvancedFileHistoryOptions.png

Advanced File History Options

Ensure File history in turned on.

_images/FinalFileHistoryScreen.png

Final File History Screen

Enabling BitLocker

Applies to Sub-Control 10.4

Note

BitLocker can be complicated to enable. In addition to this guidance, it may be useful to consult the Microsoft documentation (https://support.microsoft.com/en-us/help/4502379/windows-10-device-encryption).

Search for BitLocker within the Windows search bar. Select Manage BitLocker.

_images/SearchingForBitLocker.png

Searching for BitLocker

The primary BitLocker Drive Encryption screen within Windows 10 will be displayed. Select Turn on BitLocker.

_images/TurnOnBitLockerSetting.png

Turn on Bitlocker Setting

An error may be displayed if the computer in question lacks a hardware encryption module (e.g., Trusted Platform Module). TPMs are the preferred method to enable encryption on Windows 10 but encryption can be used without it. The following error will likely be presented.

_images/StartingBitLockerErrorScreen.png

Starting BitLocker Error Screen

In order to solve this issue, the Windows Local Group Policy Editor can be used. Follow this path to navigate to the correct LGPE settings. Select Computer Configuration and navigate the following: Administrative Templates, Windows Components, BitLocker Drive Encryption, Fixed System Drives, Configure use of hardware-based encryption for fixed data drives.

_images/ConfigureHardware-basedEncryption.png

Configure hardware-based encryption

Enable this setting and then select Use BitLocker software-based encryption when hardware encryption is not available.

_images/EnablingSoftware-basedEncryption.png

Configure Software-based Encryption

Another setting must also be configured to resolve this error. Under Computer Configuration, select Administrative Templates and then Windows Components.

_images/IdentifyingAdditionalBitLockerSettings.png

Identifying Additional BitLocker Settings

Select BitLocker Drive Encryption, followed by Operating System Drives, and then select Require additional authentication at startup.

_images/SearchingForBitLockerStartupAuthenticationSettings.png

Searching for BitLocker Startup Authentication Settings

Enable this setting and select Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). This should solve the error, restart the steps in this section.

_images/RequiringAdditionalAuthenticationAtStartupPolicy.png

Requiring Additional Authentication at Startup Policy

The system in question will need to check additional settings before enabling BitLocker.

_images/CheckingTheSystemForBitLockerSupport.png

Checking the System for BitLocker Support

The following screen will be presented. Select Next.

_images/BitLockerSetup.png

BitLocker Setup

Select Next after reviewing the warnings from Windows.

_images/BitLockerPreparationScreen.png

BitLocker Preparation Screen

Additional preparation for BitLocker. Wait until this process completes.

_images/AdditionalBitLockerPreparationScreen.png

Additional BitLocker Preparation Screen

Select Next.

_images/WindowsRecoveryWarning.png

Windows Recovery Warning

This screen allows the user the option for how to unlock the encrypted drive at startup. This guide will use the Enter a password method.

_images/UnlockSelectionMethod.png

Unlock Selection Method

A password is necessary to unlock BitLocker. Input a password.

Warning

If you forget the BitLocker password, you will be unable to unlock any computer with BitLocker enabled. All data on the system will be lost. Make a backup of the password and consider using a password manager.

_images/BitLockerPasswordCreation.png

BitLocker Password Creation

A recovery key should be stored elsewhere if the BitLocker password is lost. Without the recovery key, if the password is forgotten then the system will be completely inaccessible.

_images/RecoveryKeySelection.png

Recovery Key Selection

This guide encourages average users to select the faster option but for systems storing sensitive data, users are encouraged to encrypt the entire drive (the second option).

_images/EncryptionTypeSelection.png

Encryption Type Selection

Ensure Run BitLocker system check is selected. Select Continue.

_images/RunBitLockerSystemCheck.png

Run BitLocker System Check

Select New encryption mode (best for fixed drives on this device).

_images/ChoosingEncryptionMode.png

Choosing the Encryption Mode

Identifying if a WiFi Connection is Using AES

Applies to Sub-Control 15.7

Search for network within the Windows search bar.

_images/SearchingForWindowsNetworkStatus.png

Searching for Windows Network Status

Select Change connection properties.

_images/WindowsNetworkStatus.png

Windows Network Status

The following network connection screen will be shown.

_images/InformationAboutASpecificNetwork.png

Information About a Specific Network

If WPA2 is listed under Security type then AES is being used to secure this wireless connection.

_images/IdentifyingAESOnLocalWiFi.png

Identifying AES on Local Wifi

Viewing Accounts on a Windows 10 System

Applies to Sub-Control 16.8

Perform a search for Settings.

_images/SearchingForWindowsSettings.png

Searching for Windows Settings

Select Accounts.

_images/WindowsSettingsHomeScreen.png

Windows Settings Home Screen

Select Family & other people.

_images/InformationAboutASpecificNetwork.png

Individual Account Home Screen

Other accounts on the computer are sometimes viewable on this screen. If the user viewing this display is not an administrator, they may not be able to see all of the accounts on the system.

_images/IdentifyingOtherAccountsOnWindows.png

Identifying Other Accounts on Windows

Automatically Locking a Workstation

Applies to Sub-Control 16.11

In the Windows search bar with the magnifying glass icon, type local group to open the Local Group Policy Editor.

_images/SearchingForLGPE.png

Searching for LGPE

The Local Group Policy Editor is shown below.

_images/LocalGroupPolicyEditorHomeScreen.png

Local Group Policy Editor Home Screen

Select Computer Configurations and then Windows Settings.

_images/LGPEWindowsSettings.png

LGPE Windows Settings

Select Security Settings and then Local Policies.

_images/LGPELocalPolicies.png

LGPE Local Policies

Select Security Options and then double click Interactive logon: Machine interactivity limit.

_images/SelectingInteractiveLogonSettings.png

Selecting Interactive Logon Settings

The CIS Windows 10 Benchmark recommends 900 seconds or fewer. Choosing 600 seconds is 10 minutes.

_images/InteractiveLogonSettings.png

Interactive Logon Settings

Joining a Windows 10 System to a Domain

How to Join a Windows 10 Pro machine to an O365 Domain

Perform a search for Settings.

_images/SearchingForSettings.png

Searching for Settings.

Select Accounts and then Access work or school.

_images/WindowsSettingsHomeScreen.png

Windows Settings Home Screen.

Select Connect.

_images/AccessWorkOrSchool.png

Access Work or School

Enter an email address and password to connect to the domain.

_images/AddingASystemToADomain.png

Adding a System to a Domain

Acronyms & Abbreviations

2FA
Two Factor Authentication
AES
Advanced Encryption Standard
BYOD
Bring Your Own Device
CIS
Center for Internet Security
COTS
Commercial Off the Shelf
DISA
Defense Information Systems Agency
DNS
Domain Name System
DoD
Department of Defense
DoS
Denial of Service
DoJ
Department of Justice
EMM
Enterprise Mobility Management
FIOS
Fiber Optic Service
FTP
File Transfer Protocol
GHz
Gigahertz
HHS
Health and Human Services
HTTP
Hypertext Transfer Protocol
HTTPS
HTTP Secure
IG
Implementation Group
IP
Internet Protocol
ISP
Internet Service Provider
ISAC
Information Sharing and Analysis Center
IT
Information Technology
LGPE
Local Group Policy Editor
MAC
Media Access Control
NIST
National Institute of Standards and Technology
NTP
Network Time Protocol
O365
Microsoft Office 365
OS
Operating System
PAN
Personal Area Network
PDF
Portable Document Format
PII
Personally Identifiable Information
RAM
Risk Assessment Method
SIEM
Security Information and Event Management
SME
Small- and Medium Enterprises
SP
Special Publication
SSID
Service Set Identifier
SSL
Secure Sockets Layer
TLS
Transport Layer Security
TPM
Trusted Platform Module
USB
Universal Serial Bus
vLAN
Virtual Local Area Network
VPN
Virtual Private Networking
WEP
Wireless Equivalent Policy
WiFi
Wireless Fidelity
WPA
Wireless Protection Access
WPA2
Wireless Protection Access Version 2
WPAN
Wireless Personal Area Network

Contribution Guidelines

Here are the types of contributions we are looking for:

  • Grammatical Fixes and errors
  • Additional means for implementing a Sub-Control
  • Well established tools and processes
  • Additional References

License

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

To further clarify the Creative Commons license related to the CIS Controls™ content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up to date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc. ®).

Acknowledgements

CIS® (Center for Internet Security, Inc. ®) would like to thank the many security experts who volunteer their time and talent to support the CIS Controls™ and other CIS work. CIS products represent the effort of a veritable army of volunteers from across the industry, generously giving their time and talent in the name of a more secure online experience for everyone.

Editors:

  • Joshua M Franklin

Contributors:

  • Aaron Wilson
  • Aaron Piper
  • Robin Regnier
  • Phil Langlois
  • Phyllis Lee

Endnote

All references to tools or other products in this document are provided for informational purposes only, and do not represent the endorsement by CIS of any particular company, product, or technology.

Contact Information