Understanding CIS Control 3
This week, we’re focusing on CIS Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. More specifically:
“Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.” 1.
Configuration management ensures that the software and devices running on the network are current, trusted and secure. Examples of secure configuration include shutting off unnecessary server ports, disabling unnecessary services/options, eliminating unneeded programs and internal root accounts, and limiting/denying visitor access. Many software applications are configured with ease-of-use in mind over absolute security; this means organizations must be thoughtful and intentional about striking the right balance when introducing new software to the environment. Control 3 can be challenging for large organizations, where hundreds to thousands of systems and devices must be configured properly. Nevertheless, it’s important – not only for security, but for making systems more stable and reliable.
Achieving Control 3
How can your organization successfully apply Control 3? Here are the key steps:
- Establish configuration baselines
- Create standard images of operating systems and software applications
- Store master images of the systems
- Consistently manage and update the systems
The first step is to establish configuration baselines. What does a secure configuration look like? There are many existing standards to help you with this, including CIS Security Benchmarks. CIS Security Benchmarks are community-developed, consensus-based configuration guides available free in PDF format.
Once you’ve identified a secure baseline, create a standard (or “gold”) image of operating systems and software applications. Your gold image is something you can always return to, knowing that it’s configured based on your organization’s security needs. Store your gold images securely so you can access and deploy them as needed.
Finally, you’ll need to consistently manage your system and software configurations to make sure they remain secure. Over time, even a well-secured machine left unmonitored will deteriorate as users change settings, install/uninstall programs, and download applications. Automated configuration assessment tools (such as CIS-CAT) can scan systems for compliance with specific configurations and report compliance over time, identifying inconsistencies and providing remediation steps.
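To make the track/report/correct cycle concrete, here is an added example (not CIS-CAT or any other CIS tooling) of a minimal baseline assessment in Python: it checks a captured host state against a baseline, reports which items drifted between two scans, and prints the remediation step for each. The baseline items, snapshot values and remediation strings are constructed for illustration and are not taken from a CIS Benchmark.

```python
# Constructed sample data: the baseline items and host snapshots below are
# illustrative and are not CIS Benchmark content.
# Baseline: (setting, expected value, remediation step). A set means "nothing
# beyond this approved set is allowed".
BASELINE = [
    ("sshd.PermitRootLogin", "no", "Set PermitRootLogin no in sshd_config"),
    ("service.telnet.enabled", False, "Disable and mask the telnet service"),
    ("package.ftp.installed", False, "Remove the ftp package"),
    ("listening_ports", {22, 443}, "Close ports not on the approved list"),
    ("uid0_accounts", {"root"}, "Remove or re-UID any extra UID-0 account"),
]

def assess(captured: dict) -> dict:
    """Compare a captured host state with BASELINE.
    Returns {setting: (status, actual, remediation)} with status
    'pass', 'fail', or 'missing' (setting absent from the capture)."""
    report = {}
    for setting, expected, remediation in BASELINE:
        if setting not in captured:
            report[setting] = ("missing", None, remediation)
            continue
        actual = captured[setting]
        if isinstance(expected, set):
            ok = set(actual) <= expected   # no extra ports/accounts present
        else:
            ok = actual == expected
        report[setting] = ("pass" if ok else "fail", actual, remediation)
    return report

def drift(previous: dict, current: dict) -> list:
    """Settings whose status changed between two assessments (tracking over time)."""
    return sorted(s for s in current if previous.get(s, (None,))[0] != current[s][0])

def compliance_pct(report: dict) -> float:
    """Share of baseline items that pass, for reporting."""
    return 100.0 * sum(1 for st, *_ in report.values() if st == "pass") / len(report)

# Constructed snapshot of a host freshly deployed from the gold image.
GOLD_SNAPSHOT = {"sshd.PermitRootLogin": "no", "service.telnet.enabled": False,
                 "package.ftp.installed": False, "listening_ports": [22, 443],
                 "uid0_accounts": ["root"]}
# The same host weeks later: telnet was turned on and a second UID-0 account added.
DRIFTED_SNAPSHOT = {**GOLD_SNAPSHOT, "service.telnet.enabled": True,
                    "listening_ports": [22, 443, 23], "uid0_accounts": ["root", "svcadmin"]}

if __name__ == "__main__":
    before, after = assess(GOLD_SNAPSHOT), assess(DRIFTED_SNAPSHOT)
    for setting in drift(before, after):
        status, actual, fix = after[setting]
        print(f"{setting}: {status} (actual={actual!r}) -> {fix}")
    print(f"compliance: {compliance_pct(before):.0f}% -> {compliance_pct(after):.0f}%")
```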
Looking for more information about CIS Control 3?
Previous blog posts from this series:
CIS Critical Security Controls for Effective Cyber Defense, Version 6.1