Controls Assessment Module¶
Introduction¶
The CIS Controls Assessment Module (CAM) is designed to help organizations measure their implementation of the CIS Controls. This module exists within CIS-CAT Pro Assessor v4 and can be run like a configuration assessment, making it compatible with CIS-CAT functionality including remote assessments and the CIS SecureSuite Platform.
Version 1.0.2 of the Controls Assessment Module focuses on Implementation Group 1 in Windows 10 environments, providing a combination of automated checks and survey questions to cover the 43 Implementation Group 1 CIS Sub-Controls. For the more procedural Sub-Controls, the Controls Assessment Module allows users to save yes/no answers documenting their implementation of those Sub-Controls. For Sub-Controls that are conducive to automation, specific settings in the environment are checked to generate a machine-specific pass or fail for that Sub-Control.
For more information about the CIS Controls Implementation Groups, see V7.1 of the CIS Controls.
Terms of Use¶
Use of the Controls Assessment Module is subject to CIS’s Membership Terms of Use and the Terms of Service and Privacy Policy currently in use for our CIS WorkBench site.
Deployment¶
Download and install the latest version of CIS-CAT Pro Assessor v4.
Info
Refer to Installation and License Management for guidance on setting up CIS-CAT Pro Assessor v4.
Assessable Operating Systems¶
The CAM is designed to assess Microsoft Windows 10 machines.
Warning
The CAM hasn't been tested with other operating systems yet. Attempting to use the CAM to assess non-Windows 10 machines could result in unpredictable behavior or unreliable results.
Types of Checks in the Controls Assessment Module¶
The Controls Assessment Module uses both automated checks and survey questions to assess implementations of the CIS Controls. All checks, regardless of type, will receive a Pass or Fail result.
Automated Checks¶
The automated checks use PowerShell scripts to measure the machine-specific implementation of a Sub-Control.
Survey Questions¶
The survey questions utilize user-provided answers to determine if a Sub-Control is successfully implemented. Answer the survey questions in config\assessor-cli.properties. You can update the answers between assessments as the organization’s implementation of these Sub-Controls changes. These answers are used as organization-wide answers that apply to all machines in an assessment.
Optionally, survey questions can be configured to be asked interactively during an assessment. While this allows for more granular, machine-specific answers to the questions, it also requires each survey question designated as interactive to be answered at the start of each machine’s assessment. Providing answers interactively can become tedious for assessments with large numbers of machines or for frequent assessments, so it is recommended that the interactive survey question feature be used only if there are answers to specific survey questions that vary from machine to machine in the organization.
Configure Controls Assessment Module¶
The following Controls Assessment Module-specific configuration options are available.
Customizable Values for Automated Checks¶
There are four customizable values for automated checks. If your organization wishes to use different values than the defaults, update the customizable values in the assessor-cli.properties file, under the section entitled “CAM IG1 Customizable Values.”
Values¶
| Sub-Control | Description | Default |
|---|---|---|
| 4.2 | Required Minimum Password Length (characters) | 14 |
| 10.2 | Maximum Days Without System Image Backup (days) | 90 |
| 16.9 | Maximum Inactivity Days (days) | 90 |
| 16.11 | Maximum Screen Lock Timeout (seconds) | 900 |
Change Value¶
For example, if your organization requires a minimum password length of only 10 instead of the default 14, change the variable value and save the file:
xccdf_org.cisecurity_value_4.2_var=10
Survey Questions¶
The survey questions can be found in the assessor-cli.properties file, under the section entitled “CAM IG1 Survey Questions”. Each survey question has an instruction line, question line, and answer line.
Change Value¶
All answers to the survey questions are set to no by default, meaning that each of these Sub-Controls will be assessed as a Fail. For the Sub-Controls that your organization is successfully implementing, the corresponding value should be changed to yes, meaning that Sub-Control will be assessed as a Pass.
For example, if your organization is implementing Sub-Control 12.1, change the variable value from no to yes and save the file:
##Sub-Control 12.1 Question: Does your organization maintain an up-to-date inventory of all of the organization’s network boundaries?
xccdf_org.cisecurity_value_12.1_var=yes
Require Interactive Answers¶
To require an interactive, machine-specific answer to a survey question instead of an organization-level answer, enter a hash symbol (#) at the start of the answer line to comment it out:
##Sub-Control 12.1 Question: Does your organization maintain an up-to-date inventory of all of the organization’s network boundaries?
#xccdf_org.cisecurity_value_12.1_var=no
Commenting out an answer line will result in the answer value on that line being ignored, and the question will be asked on the Assessor command line for each machine in the assessment.
Run Controls Assessments¶
Once you have configured the Assessor properties and sessions files appropriately, as well as any Controls Assessment Module specific settings as described above, then you are ready to run the Controls Assessment Module.
GUI¶
The Controls Assessment Module can be run via the GUI:
- When adding Benchmarks to a basic scan or advanced scan, select the desired Controls assessment (i.e., automated Sub-Controls only, survey question Sub-Controls only, or full/all Sub-Controls).
- Add the desired Controls assessment to the assessments element of the configuration XML file, which can be loaded into the GUI to run advanced scans.
CLI¶
The Controls Assessment Module can be run via the CLI in three ways:
Note
Use Command Prompt to first navigate to the directory where Assessor is installed and then enter the command to run the assessment.
Interactive Mode (-i option)¶
1. Enter the following command:
Assessor-cli.bat -i
2. Enter the number (e.g., 26) of one of the CIS Controls Assessment Module assessments.
3. Enter 1, 2, or 3 to select a profile.
Manual Mode (-b option)¶
Specify the Controls Assessment Module benchmark and a profile directly with Assessor’s -b and -p options.
- Enter one of the commands depending on the profile:
Automatic Mode (-cfg option)¶
Run a prepared configuration XML file with Assessor’s -cfg option:
Assessor-CLI.bat -cfg <config XML file>
Overall Results¶
The results from Controls Assessment Module assessments can be viewed in the same ways as the results from other assessments. The assessment results include details about the Sub-Control number, title, description, rationale, and remediation.
- Manually or automatically import the assessment results to the CIS SecureSuite Platform.
- Generate reports (e.g., HTML, CSV, etc.)
Automated Check Detailed Results¶
You may want to view script-specific outputs for individual Controls Assessment Module automated checks in order to see why a particular check passed or failed.
This information can be viewed in several ways:
HTML Report¶
1. Run a Controls assessment through the GUI and select HTML as a reporting option or through the CLI with the -html option.
Assessor-CLI.bat -b benchmarks\CIS_Controls_Assessment_Module_v1.0.2.xml -p "Implementation Group 1 for Windows 10 (Partial) - Automated Sub-Controls Only" -html
An HTML report will be generated for each machine in the assessment.
2. Open the report in a browser and expand Show Rule Result XML for the Sub-Control with an automated check to see additional information.
3. In the expanded text box, look between the <out> and </out> tags to see the output from the PowerShell script.
Assessor Log File¶
1. If running an assessment through the GUI, set the log level to at least Write log messages with a level of WARN, ERROR, or INFO. If running an assessment through the CLI, run with at least the -vvv option.
2. Go to the logs folder in the Assessor directory and open the appropriate log file that includes the information from a Controls Assessment Module assessment.
3. Search (Ctrl + F or Command + F) for CAM Sub-Control x.x to find the relevant information.
Profiles¶
There are three Controls Assessment Module profiles to choose from:
- Implementation Group 1 for Windows 10 (Partial) - Automated Sub-Controls Only
- This profile runs only the automated checks, which currently cover 13 Sub-Controls.
- Sub-Controls: 3.4, 4.2, 6.2, 8.2, 8.5, 9.4, 10.1, 10.2, 10.4, 13.6, 15.7, 16.9, and 16.11.
- Implementation Group 1 for Windows 10 (Partial) - Survey Question Sub-Controls Only
- This profile runs only the survey questions, which currently cover 30 Sub-Controls.
- Sub-Controls: 1.4, 1.6, 2.1, 2.2, 2.6, 3.5, 4.3, 5.1, 7.1, 7.7, 8.4, 10.5, 11.4, 12.1, 12.4, 13.1, 13.2, 14.6, 15.10, 16.8, 17.3, 17.5, 17.6, 17.7, 17.8, 17.9, 19.1, 19.3, 19.5, and 19.6.
- Implementation Group 1 for Windows 10 (Full) - Automated Checks and Survey Questions
- This profile runs both the automated checks and the survey questions which covers all 43 of the IG1 Sub-Controls.
PowerShell¶
The automated checks utilize PowerShell scripts. These scripts are designed to read only the configuration data from target systems. No changes to your PowerShell settings should be necessary to run these scripts.
The Assessor calls PowerShell using the -ExecutionPolicy bypass option. This option allows the Assessor to temporarily bypass the existing PowerShell execution policy just for the duration of each script’s run without changing the system’s overall PowerShell execution policy. Additionally, the Unblock-File command runs against the scripts when they are called. This command removes the mark-of-the-web (the Zone.Identifier alternate data stream) from the script files, so the scripts remain unblocked/trusted even after the CAM has finished running.
While using -ExecutionPolicy bypass and Unblock-File provides a smoother user experience, please consider any policy and security implications they might have for your organization prior to running the CAM. Currently, the PowerShell scripts for the CAM are not signed.
Info
Refer to PowerShell Execution Policies to ensure that you understand the security implications of these settings.
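Because the CAM scripts are unsigned and are permanently unblocked the first time they run, a practitioner will want to record what they trusted before that happens. The following is an added example, not part of CIS-CAT or the CAM; the script directory in $ScriptRoot is an assumption and must be pointed at wherever the CAM .ps1 files live on your installation.

```powershell
# Added example (not part of CIS-CAT or the CAM): inspect the trust state of the
# CAM scripts before Assessor runs them with -ExecutionPolicy Bypass.
# $ScriptRoot is an assumption; point it at the directory that holds the CAM .ps1 files.
$ScriptRoot = 'C:\Assessor\scripts'

# 1. Effective execution policy at every scope. Bypass on Assessor's own command
#    line changes none of these, which is what the page describes.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Authenticode status. The page states the CAM scripts are unsigned, so
#    NotSigned is expected; a signed script or an unexpected signer is worth a look.
$scripts = Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -Recurse -File
$scripts | Get-AuthenticodeSignature |
    Select-Object @{ n = 'Script'; e = { Split-Path $_.Path -Leaf } }, Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-Table -AutoSize

# 3. Mark-of-the-Web and a content hash. A Zone.Identifier stream is what makes
#    RemoteSigned block a downloaded script; Unblock-File deletes that stream for
#    good, so record hashes now and compare them against the next release.
$scripts | ForEach-Object {
    [pscustomobject]@{
        Script  = $_.Name
        HasMotW = [bool](Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize
```

Keeping the SHA256 list under change control gives you an integrity check that the missing code signature would otherwise have provided.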
Automated Check Design¶
For the automated checks, the CIS team needed to decide what constituted passing a Sub-Control. We made our best effort to account for Group Policy (GP) and non-GP settings, as well as machine-level and user-level settings.
Group Policy¶
GP settings can be dictated either by a domain controller such as Active Directory if the machine is domain joined or through a local GP specified in the Local Group Policy Editor.
Domain settings generally override local machine settings, and local GP settings typically override per-user settings on the machine. While many domain-level GP settings overlap with local GP settings, the steps to configure these settings can vary between the two types. When GP instructions are provided in the Controls Assessment Module, these refer to the Local GP Editor.
GP-enforced settings are generally preferred from a security perspective since they require greater levels of privilege to change, making it harder for a user or attacker to undermine security settings. However, when possible, both GP and non-GP settings were factored into the automated checks to accommodate organizations that are not using GP.
Machine vs. User Settings¶
Some settings on a machine can apply to the entire machine or just to particular users on that machine. Sometimes, but not always, the distinction for settings stored in the registry is the difference between the HKEY Local Machine and the HKEY Current User registry hives.
From a security perspective, machine settings are preferred over user settings as they apply security policies to the entire machine. When possible, both types of settings were factored into the automated checks. Be aware that the CAM checks the per-user settings only for the user running Assessor (or the user specified in the Assessor sessions file), not for every user on the machine.
Remediation for Automated Checks¶
3.4 Deploy Automated Operating System Patch Management Tools¶
The automated check for 3.4 requires the download and installation of updates to be automatic and without user intervention. The check will fail even if automatic update downloads are enabled, but users can decide whether to install those updates.
CAM checks the following registry settings:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate DisableWindowsUpdateAccess
(Fail if this setting is set to 1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU NoAutoUpdate
(Fail if this setting is set to 1)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
(Fail if this setting is not set to 4)
Remediation Steps
1. Open Local Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates.
3. Select Enabled.
4. For Configure automatic updating, select 4 – Auto download and schedule the install.
Note
Other settings (e.g., scheduling updates) can be set as appropriate for your organization and are not assessed by CAM. Similar settings are available at the Domain level as well.
5. Select Apply to finish.
4.2 Change Default Passwords¶
Since Windows 10 does not have default passwords, the automated check for 4.2 focuses on the "values consistent with administrative-level accounts" portion of the Sub-Control.
CAM checks for a required minimum password length. By default, the required minimum is 14 (which is consistent with the Windows Benchmark), but this setting can be adjusted in the assessor-cli.properties file as appropriate for your organization.
Remediation Steps
1. Open Local Group Policy Editor.
2. Go to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password length.
3. Enter a new minimum password length and select Apply.
Info
Similar settings are available at the Domain level as well.
6.2 Activate Audit Logging¶
For the automated check for 6.2, CAM verifies that at least one sub-category of audit logging is turned on (it does not currently require specific sub-categories). This check should pass with a default Windows installation.
Tip
For recommended audit sub-categories, see section 17 of the appropriate Windows Benchmark.
Remediation Steps
1. Open Local Group Policy Editor.
2. Go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies.
3. Select the desired logging category and enable/disable the sub-categories.
Info
Similar settings are available at the Domain level as well.
8.2 Ensure Anti-Malware Software and Signatures are Updated¶
For the automated check for 8.2, CAM verifies that an anti-malware tool is enabled and up-to-date on the machine.
Remediation Steps
In Control Panel > System and Security > Security and Maintenance, look under Security > Virus Protection to see whether Windows shows that an anti-malware program is On or Off.
The exact steps for ensuring that anti-malware software is enabled and that automatic updates for that software are turned on vary depending on which anti-malware software is being used.
8.5(a) Configure Devices to Not Auto-Run Content (AutoRun)¶
CAM's check for 8.5 is divided into two separate checks—one for AutoRun and one for AutoPlay. 8.5(a) is the AutoRun check.
CAM checks the following registry settings to see if at least one of them is set to disable AutoRun:
# Pass if this setting is set to 1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoAutoRun
# Pass if this setting is set to 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoAutoRun
# Pass if this setting is set to 0xff
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun
# Pass if this setting is set to 0xff
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun
# Pass if this setting is set to 0x3FFFFFF
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveAutoRun
# Pass if this setting is set to 0x3FFFFFF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveAutoRun
Note
While the Machine settings or Current User settings are accepted by CAM, the Machine settings are preferred because they would turn AutoRun off for all users on the machine.
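The registry lists for 3.4 and 8.5(a) above are enough to reproduce the pass/fail decisions locally, which is useful when a check fails on a machine and you want to see the offending value without digging through the Assessor log. The following is an added example and not CAM's own script; it implements the conditions exactly as the page states them (fail conditions for 3.4, any-one-match for 8.5(a)) and reports which value decided the result.

```powershell
# Added example (not CAM's own script): reproduce the pass/fail logic the page
# documents for Sub-Controls 3.4 and 8.5(a) from the same registry values.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent; callers treat that as "not set".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-Control34 {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    $reasons = @()
    if ((Get-RegValue $wu 'DisableWindowsUpdateAccess') -eq 1) { $reasons += 'DisableWindowsUpdateAccess=1' }
    if ((Get-RegValue $au 'NoAutoUpdate') -eq 1)               { $reasons += 'NoAutoUpdate=1' }
    $opt = Get-RegValue $au 'AUOptions'
    # Only 4 (auto download and schedule the install) passes; 3 (let the user
    # choose whether to install) and an absent policy both fail, as the page states.
    if ($opt -ne 4) { $reasons += 'AUOptions=' + $(if ($null -eq $opt) { '<absent>' } else { $opt }) + ' (need 4)' }
    [pscustomobject]@{ SubControl = '3.4'; Pass = ($reasons.Count -eq 0); Reasons = ($reasons -join '; ') }
}

function Test-Control85a {
    $explorer = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $scopes   = [ordered]@{ Machine = "HKLM:\$explorer"; User = "HKCU:\$explorer" }
    # Name and passing value exactly as the page lists them; any one match passes.
    $criteria = @(
        @{ Name = 'NoAutoRun';          Pass = 1 },
        @{ Name = 'NoDriveTypeAutoRun'; Pass = 0xFF },
        @{ Name = 'NoDriveAutoRun';     Pass = 0x3FFFFFF }
    )
    $hits = @(foreach ($scope in $scopes.Keys) {
        foreach ($c in $criteria) {
            $v = Get-RegValue $scopes[$scope] $c.Name
            if ($null -ne $v -and $v -eq $c.Pass) { '{0}\{1}=0x{2:X}' -f $scope, $c.Name, $v }
        }
    })
    [pscustomobject]@{
        SubControl    = '8.5(a)'
        Pass          = ($hits.Count -gt 0)
        # The page prefers Machine-scope settings: they cover every user on the box.
        MachineScoped = (@($hits -like 'Machine\*').Count -gt 0)
        Reasons       = ($hits -join '; ')
    }
}

Test-Control34
Test-Control85a
```

Run it in the same user context that Assessor uses, since the HKCU branch of the 8.5(a) test only reflects that user's hive. A result of Pass=True with MachineScoped=False is the weaker configuration the note above warns about.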
Remediation Steps
1. Open Local Group Policy Editor.
2. Go to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies > Set the default behavior for AutoRun.
3. Select Enabled, and then select Do not execute any autorun commands from the drop down menu.
Info
Similar settings are available at the Domain level as well.
8.5(b) Configure Devices to Not Auto-Run Content (AutoPlay)¶
The automated check for 8.5 is divided into two separate checks—one for AutoRun and one for AutoPlay. 8.5(b) is the AutoPlay check.
CAM checks the following registry setting to see if it is set to disable for AutoPlay:
# Pass if this setting is set to 0x3FFFFFF
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers DisableAutoPlay
Remediation Steps
1. Open Windows 10 Settings and go to AutoPlay Settings.
2. Toggle Use AutoPlay for all media and devices to Off.
Note
This is a per user setting.
9.4 Apply Host-Based Firewalls or Port Filtering¶
The automated check for 9.4 ensures that all three host-based Windows Firewall profiles (Domain, Private, and Public) are using a default-deny rule for incoming traffic.
Remediation Steps
1. Open Windows Security and go to Firewall & network protection.
2. (If a Firewall profile is disabled) Select the profile and set the Microsoft Defender Firewall toggle to On.
3. Select Advanced Settings and then Windows Defender Firewall Properties.
4. Select Block (default) for Inbound Connections in the three profile tabs.
5. Select Apply to finish.
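The same evaluation and remediation can be scripted with the NetSecurity cmdlets, which is how most practitioners verify this across a fleet. The following is an added example, not CAM's own check; it requires each profile to be enabled with an explicit Block as the inbound default, and whether CAM also accepts a NotConfigured default is not stated on this page, so that is treated as a fail here.

```powershell
# Added example (not CAM's own script): evaluate the three firewall profiles
# the way the 9.4 description requires, with an optional remediation.
function Test-Control94 {
    $failing = @(foreach ($p in Get-NetFirewallProfile) {
        # Enabled and DefaultInboundAction are GPO-style enums (True/False/NotConfigured,
        # Allow/Block/NotConfigured). Only an explicit Block on an enabled profile
        # passes here; whether CAM accepts NotConfigured is not stated on the page.
        if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
            '{0}: Enabled={1} DefaultInboundAction={2}' -f $p.Name, $p.Enabled, $p.DefaultInboundAction
        }
    })
    [pscustomobject]@{ SubControl = '9.4'; Pass = ($failing.Count -eq 0); Reasons = ($failing -join '; ') }
}

function Repair-Control94 {
    # Scripted equivalent of the GUI steps above. Run elevated; -WhatIf previews.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Domain, Private and Public profiles', 'Enable and set inbound default to Block')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    }
}

Test-Control94
# Repair-Control94 -WhatIf
```

Note that a default of Block says nothing about the allow rules layered on top of it; the check, like CAM's, only confirms the default-deny posture.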
10.1 Ensure Regular Automated Backups¶
The automated check for 10.1 verifies that Windows 10 File History is turned on for at least one user.
Remediation Steps
1. Open Windows Settings and go to Update & Security > Files Backup.
2. Select an existing backup drive or select Add a drive, choose a drive, and set Automatically back up my files to On.
3. (Optional) Select More options to include or exclude individual folders from the backups.
10.2 Perform Complete System Backups¶
The automated check for 10.2 verifies that a successful Windows System Image backup was generated within a specified timeframe. By default, CAM uses 90 days for this timeframe, but this setting can be adjusted in the assessor-cli.properties file as appropriate for your organization.
Remediation Steps
1. Go to Control Panel > System and Security > Backup and Restore (Windows 7).
2. Select Create a system image and follow the instructions.
10.4 Protect Backups¶
The automated check for 10.4 verifies that, if Windows 10 File History or Windows System Image backups are enabled, the backup drive is encrypted with native Windows encryption (either hardware/device encryption or BitLocker software encryption). If either or both of these backup methods are enabled, the check will fail if the corresponding backup drives are not encrypted. If neither backup method is enabled, the check will also fail.
Remediation Steps
Enable Windows 10 File History, Windows System Image backups, or both. Regardless of the backup method, ensure that the corresponding backup drive destinations are encrypted with native Windows encryption.
Enable File History
1. Open Windows Settings and go to Update & Security > Files Backup.
2. Select an existing backup drive or select Add a drive, choose a drive, and set Automatically back up my files to On.
3. (Optional) Select More options to include or exclude individual folders from the backups.
Windows Image Backup
1. Go to Control Panel > System and Security > Backup and Restore (Windows 7).
2. Select Create a system image and follow the instructions.
13.6 Encrypt Mobile Device Data¶
While sub-control 13.6 does explicitly specify mobile devices, the automated check for 13.6 does not discriminate by device type. This CAM check passes if native Windows encryption (either hardware/device encryption or BitLocker software encryption) is enabled for all drives.
Remediation Steps
1. Go to Control Panel > System and Security > BitLocker Drive Encryption.
2. Select Turn on BitLocker.
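To see why a 13.6 check failed, query the BitLocker state of every fixed volume directly. The following is an added example, not CAM's own script; it treats ProtectionStatus rather than VolumeStatus as the deciding field, and it assumes the BitLocker module is available and the session is elevated.

```powershell
# Added example (not CAM's own script): 13.6 passes only when every fixed,
# lettered volume has BitLocker protection switched on. Needs elevation and the
# BitLocker module (present on Windows 10 editions that support BitLocker).
function Test-Control136 {
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
    $failing = @(foreach ($v in $fixed) {
        $mp = "$($v.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        # ProtectionStatus, not VolumeStatus, is the test: a FullyEncrypted volume
        # whose protection is Off (suspended) stores its key in the clear.
        if ($null -eq $bl -or $bl.ProtectionStatus -ne 'On') {
            if ($bl) { '{0} ProtectionStatus={1} VolumeStatus={2} Method={3}' -f $mp, $bl.ProtectionStatus, $bl.VolumeStatus, $bl.EncryptionMethod }
            else     { "$mp BitLocker status unavailable" }
        }
    })
    [pscustomobject]@{ SubControl = '13.6'; Pass = ($failing.Count -eq 0); Reasons = ($failing -join '; ') }
}
Test-Control136
```

A volume that reports FullyEncrypted but ProtectionStatus Off is the common surprise here: BitLocker was suspended (for example around a firmware update) and never resumed, so the drive is encrypted in name only.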
15.7 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data¶
The automated CAM check for 15.7 ensures that any wireless connections detected for the machine are using CCMP (the Counter Mode CBC-MAC Protocol, an AES mode used for WLAN connections as specified in IEEE 802.11i). If no wireless connections are detected, this check will receive a Pass.
Remediation Steps
1. Open Control Panel and select View network status and tasks.
2. Select the Wi-Fi connection.
3. Select Wireless Properties.
4. Go to the Security tab.
5. Configure as follows:
- Security type: Select WPA2-Enterprise
- Encryption type: Select AES.
6. Select OK.
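The cipher in use on a live Wi-Fi link is reported by netsh wlan show interfaces, so the 15.7 decision can be reproduced by parsing that output. The following is an added example, not CAM's own script; the parsing assumes the English netsh field labels, and the sample output it is run against is constructed for the example.

```powershell
# Added example (not CAM's own script): parse `netsh wlan show interfaces` and
# pass only when every connected WLAN interface reports the CCMP cipher.
# Assumes English netsh labels ("Name", "State", "Cipher"); localized builds differ.
function Test-Control157 {
    param([string[]]$NetshOutput = (netsh wlan show interfaces))
    $blocks = New-Object System.Collections.Generic.List[hashtable]
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Name\s*:\s*(.+)$') {
            # Each interface block starts with its Name line.
            $blocks.Add(@{ Name = $matches[1].Trim(); State = ''; Cipher = '' })
        } elseif ($blocks.Count -gt 0 -and $line -match '^\s*(State|Cipher)\s*:\s*(.+)$') {
            $blocks[$blocks.Count - 1][$matches[1]] = $matches[2].Trim()
        }
    }
    $connected = @($blocks | Where-Object { $_.State -eq 'connected' })
    $failing   = @($connected | Where-Object { $_.Cipher -ne 'CCMP' } |
                   ForEach-Object { '{0}: cipher={1}' -f $_.Name, $_.Cipher })
    [pscustomobject]@{
        SubControl = '15.7'
        Pass       = ($failing.Count -eq 0)   # no connected WLAN interface also passes
        Connected  = $connected.Count
        Reasons    = ($failing -join '; ')
    }
}

# Constructed sample output (not captured from a real system) for an offline run.
$sample = @'
There is 1 interface on the system:

    Name                   : Wi-Fi
    Description            : Example 802.11ac Adapter
    State                  : connected
    SSID                   : corp-wlan
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
'@ -split "`r?`n"

Test-Control157 -NetshOutput $sample   # Pass = True on the constructed sample
Test-Control157                        # evaluates the live machine
```

Two caveats: a TKIP link fails as intended, but so would a WPA3 link reporting GCMP, which is also AES-based; whether CAM treats GCMP as a pass is not stated on this page, so the example follows the literal CCMP requirement.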
16.9 Disable Dormant Accounts¶
The automated CAM check for 16.9 checks the last logon date for each of the enabled local machine accounts and verifies that they have been logged in to within a specified time frame. If the account has never been logged in to, this time frame is applied to the last password set date instead. By default, CAM uses 90 days for this timeframe, but this setting can be adjusted in the assessor-cli.properties file as appropriate for your organization.
Remediation Steps¶
Ensure that any accounts not meeting the specified dormancy time frame are disabled.
Tip
Use the net user <username> | findstr "Last" command to see a local account’s last logon and password-set times (adding /domain queries the domain account of that name instead, which is not what the 16.9 check evaluates).
Accounts can be disabled in two ways:
- Command Prompt: net user <username> /active:no
- Computer Management
1. Go to System Tools > Local Users and Groups > Users.
2. Double-click the user.
3. (If unchecked) Select Account is disabled to disable the user.
4. Select Apply to finish.
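The 16.9 logic (last logon, falling back to the password-set date for accounts that have never logged on, against a configurable window) maps directly onto Get-LocalUser. The following is an added example, not CAM's own script; it reports which date was used for each flagged account so the result can be challenged, and the remediation function only previews unless -WhatIf is removed.

```powershell
# Added example (not CAM's own script): flag enabled local accounts that have
# not logged on within $MaxInactivityDays, falling back to PasswordLastSet when
# the account has never logged on, as the 16.9 description specifies.
function Test-Control169 {
    param([int]$MaxInactivityDays = 90)   # same default as xccdf_org.cisecurity_value_16.9_var
    $cutoff = (Get-Date).AddDays(-$MaxInactivityDays)
    $dormant = @(Get-LocalUser | Where-Object Enabled | ForEach-Object {
        $basis = if ($_.LastLogon) { 'LastLogon' } else { 'PasswordLastSet' }
        $when  = if ($_.LastLogon) { $_.LastLogon } else { $_.PasswordLastSet }
        # An enabled account with neither date cannot be shown to be active: treat as dormant.
        if (-not $when -or $when -lt $cutoff) {
            [pscustomobject]@{ Name = $_.Name; Basis = $basis; When = $when }
        }
    })
    [pscustomobject]@{
        SubControl = '16.9'
        Pass       = ($dormant.Count -eq 0)
        Dormant    = $dormant
    }
}

# Remediation: disable what the check flags. -WhatIf previews; drop it to apply (elevated).
function Disable-DormantLocalUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$MaxInactivityDays = 90)
    foreach ($acct in (Test-Control169 -MaxInactivityDays $MaxInactivityDays).Dormant) {
        if ($PSCmdlet.ShouldProcess($acct.Name, "Disable local account (dormant since $($acct.When), basis $($acct.Basis))")) {
            Disable-LocalUser -Name $acct.Name
        }
    }
}

Test-Control169 | Format-List
# Disable-DormantLocalUser -WhatIf
```

LastLogon here reflects logons recorded on this machine only; a local account used exclusively over the network may show no logon at all and will be judged on its password date, which is the same fallback the page describes. Review the Dormant list before disabling anything, since service accounts often look dormant by this measure.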
16.11 Lock Workstation Sessions After Inactivity¶
The CAM automated check for 16.11 ensures that the lock screen timeout does not exceed a maximum value and that the lock screen is enabled. The default maximum timeout value for CAM is 900 seconds/15 minutes (consistent with the Windows Benchmark), but this setting can be adjusted in the assessor-cli.properties file as appropriate for your organization.
Remediation Steps¶
The lock screen timeout value can be set via local group policy as follows:
1. Open Local Group Policy Editor.
2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and double-click Interactive logon: Machine inactivity limit.
3. Enter a value and select Apply.

Note
This setting may require a reboot to take effect.