The Ultimate Manual to CIS Hardening Guidelines
The Center of Internet Security (CIS) comprises cybersecurity professionals and experts from around the world who identify, validate, and promote cyber defense security practices.
The CIS has developed various international hardening standards and benchmarks that provide insight into improving your cybersecurity controls. Its hardening guidelines are a part of CIS’s mission to bring physical protection to combination locks, mind video cameras, and motion detectors and prevent intruders from breaching facilities.
These guidelines secure the servers and computers by minimizing their attack surface, vulnerability, and potential attack vectors. This also eliminates system flaws that cybercriminals could otherwise exploit to access sensitive user data.
What Are CIS Hardening Benchmarks?
CIS benchmarks refer to a set of best practices designed to secure a target system configuration and are endorsed by academia, government, industry, and business. Each of the guidance recommendations references one or more CIS controls and can help organizations improve their cyber defense capabilities.
Many popular compliance standards like HIPAA, NIST, PCI DSS, and SRG consider CIS guidelines as the industry standard for hardening systems and hardware.
What is a hardened system? Hardened systems refer to computer systems that are secured by eliminating or mitigating vulnerabilities to make them inaccessible to unauthorized users.
The term ‘vulnerability’ here refers to software weaknesses and flaws that may occur during the implementation, consideration, design, or administration of a system. Once the system gets compromised, threat actors can exploit these vulnerabilities to hack into devices, systems, and networks.
In a nutshell, CIS hardening guidelines or benchmarks are fundamental to your system’s safety and compliance and are among the recommended security configurations and best practices.
Following a CIS network gives you a standard way to configure common digital assets, including your cloud infrastructure and operating systems, ensuring you don’t have to reinvent the wheel and also provides a clear roadmap to minimize the attack surface.
How CIS Hardening Guidelines Work
The first step of the benchmark development process is to define the benchmark scope, followed by a discussion with volunteers creating and testing the working drafts process. What’s more, the CIS WorkBench community website even allows contributors to create discussion threads until everyone agrees on the proposed recommendations and the working draft.
Once all involved parties are in consensus, the collaborators publish the final benchmark and release it online.
Currently, there are over 100 CIS benchmarks for more than 25 vendor product families. Each CIS benchmark covers two levels of configuration:
- Level 1 focuses on reducing the attack surface and covers basic configurations that are easy to implement and don’t significantly impact business functions.
- Level 2 focuses on in-depth defense intended for a high-security environment. As such, recommendations at this level need more coordination and planning for successful implementation with minimal operational disruption.
Entities can harden their hardware, systems, networks, and servers after applying these configuration changes.
Let’s look at the different benchmark categories:
- Desktop/Web browsers — Chrome, Edge, Firefox, Internet Explorer, Safari
- Mobile devices — Apple and Android systems
- Network devices — Device configuration
- Security metrics, Servers/OS servers/others
- Virtualization platforms
- Cloud — Sharepoint server benchmarks, Benchmarks for cloud providers like Microsoft Azure, Oracle, IBM, and Amazon
Before we deep dive further, it’s also important to understand CIS controls.
Serious benchmarks (version 7.1) divide 20 control categories into three sections: basic, foundational, and organizational.
Approaching security from different angles—people, software, and process—CIS controls help private and public enterprises improve systems to more secure settings from the default usability mode.
Basic Controls
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware/Software on Mobile Devices, Laptops, Workstations, Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
Foundational Controls
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
Organizational Controls
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
How Does System Hardening Reduce the Attack Surface?
When we use the term “attack surface,” we’re referring to all potential flaws (vulnerabilities) that threat actors can exploit to hack into a network, device, or system. System hardening tools and techniques can mitigate as many of these vulnerabilities as possible to reduce the attack surface.
Vulnerabilities occur in various ways. Unpatched software and firmware and password vulnerabilities like using default or hardcoded passwords, for instance, can create an exploitable attack surface.
The following are other common examples of vulnerabilities:
- Missing or poorly configured access controls
- Unencrypted data-at-rest or network traffic
- Misconfiguration of BIOS, servers, ports, firewalls, routers, and switches
System hardening uncovers these vulnerabilities—both advanced and basic—and remediates them, which minimizes and eventually eliminates the system’s attack surface.
How To Write and Maintain Hardening Guidelines?
Hardening guidelines serve as standard operating procedures when rolling out new systems. They cover the space between newly installed operating systems and the minimum acceptable security level and can apply to any common environment like database systems and network devices.
Let’s look at how you can write and maintain effective hardening guidelines for your organization’s operating systems.
Adapt CIS Hardening Guidelines to Your Organization
CIS’s Security Configuration Benchmarks apply to a wide range of operating systems and application platforms. Once you understand your functional requirements, the CIS benchmarks can serve as the perfect source for ideas and common best practices.
While we recommend starting with a CIS benchmark, we discourage adopting the entity’s work blindly without putting it into organizational context and applying your own system management experience and working style.
Let us explain—suppose some of the protection outlined in the CIS benchmarks prevents someone with physical access to a system from booting it up. At times, this may be more hindrance than help in a data center environment with strongly controlled physical access.
So, applying CIS guidelines without considering organizational application and implementation is never a good idea.
Understand that Expert Statements Aren’t the Law
Carefully evaluate each of the suggested settings, and only keep those that provide maximum value and agree with your organization’s existing security practices and policies.
Admittedly, this evaluation is daunting and time-consuming—but necessary nevertheless.
Just because the CIS mentions a practice in its benchmark doesn’t automatically make it suitable for your organization and system managers.
Here’s the deal: security isn’t black and white. Every security configuration should be implemented after performing a local assessment of risks and priorities. That’s exactly why different enterprises select different settings for things like password policies and supporting Windows protocols.
Suppose CIS benchmarks suggest disabling a single registry key. While this may be good for typical security-related situations, it may cause your legacy applications to stop working. Therefore, it’s critical to think through the risk represented by each setting (the registry key in our example) and the cost of updating the application when assessing your system.
CIS hardening guidelines may also miss important parts of an enterprise hardening strategy in some cases.
For example, if your system is frequently subjected to brute-force attacks, you need to adopt a holistic host integrity checking that includes break-in detection and intrusion prevention services.
Apply Organization-Specific Settings for Common Services
Once you’ve outlined your organization’s hardening guidelines, try to identify areas not explicitly covered by the CIS benchmarks that may be needed in your operating environment.
Organizations with a centralized authentication system should use production Unix and Windows systems. Specific configuration requirements and integration rules should also be a part of the hardening guidelines in such instances.
Business continuity tools and backups are also a part of hardening guidelines. While these may deviate from pure security settings, the security of organizational data and system availability are still top concerns for security teams.
If your organization invests in third-party tools like anti-malware tools or file system integrity checkers, you’ll need organization-specific settings then as well. Ensure you include installation and configuration.
Log management is also important here.
Issues like centralized logging servers, log attention policy, and integration with security events and incident management procedures should also be customized as part of your organization’s hardening guidelines.
Consider Network Infrastructure
CIS hardening guidelines focus on systems as standalone individual elements, but the network infrastructure should also be considered in building a secure system. Infrastructure settings like Domain Name System servers, time synchronization, and Simple Network Management Protocol configuration are good starting security points.
Organizations that have deployed IPv6 need to implement appropriate IPv6 configuration in their hardening guidelines. Additional organization-specific security infrastructure (Example: Active Directory Federation Services, system-to-system virtual private networks) are another factor where settings are common to many systems and are part of these guidelines.
Ensure Regular Review
The whole point of CIS hardening guidelines is to standardize operations and mitigate risk. This also means they should be periodically adapted to changes in security policies.
Hardening guidelines should be reviewed every two years at least. The good thing is that operating systems like Windows and Unix require fewer changes in each new release, so reviewing your hardening system isn’t as time-consuming as it used to be.
That said, other new features that are integrated may have a security impact. Ensure you factor them—and relevant security policies and risk assessments—to protect your systems.