
Limitation and Control of Network Ports, Protocols and Services

CIS Control 9: This is a foundational Control

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

CIS RAM is an information security risk assessment method that helps organizations implement and assess their security posture against the CIS Controls.

Why is this CIS Control critical?

Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and Domain Name System (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such services and attempt to exploit these services, often attempting to exploit default user IDs and passwords or widely available exploitation code.

Main Points:
  • Ensure that only network ports, protocols, and services with a validated business need are listening on each system.
  • Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
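The two main points above describe a baseline-and-compare loop: keep a per-system list of approved listening ports with their business justification, enumerate what is actually listening, and alert on anything outside the baseline. The following is an added example, not CIS's own tooling; it assumes socket-summary lines in the shape produced by `ss -Hltun` (a constructed sample is embedded) and a constructed approval baseline.

```python
"""Compare a host's listening sockets against an approved ports/protocols baseline."""
import re
from dataclasses import dataclass

# Approved baseline: (protocol, port) -> documented business need.
# Constructed for this example; a real baseline is per-system and periodically reviewed.
APPROVED = {
    ("tcp", 22): "SSH administration from the jump host only",
    ("tcp", 443): "HTTPS front end",
    ("udp", 53): "Internal DNS resolver",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


# One `ss -Hltun`-style line, e.g. "tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*"
# (columns: netid, state, recv-q, send-q, local addr:port, peer addr:port).
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_listeners(output: str) -> list[Listener]:
    """Parse socket-summary lines into Listener records; lines that do not match are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append(Listener(m.group(1), m.group(2), int(m.group(3))))
    return listeners


def unauthorized(listeners, approved=APPROVED, ignore_loopback=True):
    """Return listeners absent from the baseline; loopback-only binds are not reachable remotely and can be skipped."""
    findings = []
    for lst in listeners:
        if ignore_loopback and lst.addr in ("127.0.0.1", "[::1]", "::1"):
            continue
        if (lst.proto, lst.port) not in approved:
            findings.append(lst)
    return findings


# Constructed sample: 8080 is an unapproved remote listener, 3306 is bound to loopback only.
SAMPLE = """\
tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306  0.0.0.0:*
"""
```

Run `unauthorized(parse_listeners(SAMPLE))` to get the alertable findings; passing `ignore_loopback=False` also surfaces the loopback-only database port for a full-inventory review.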

Want to implement this foundational Control?

Download the CIS Controls for more details on implementing this and the other 19 Controls.

