CIS Control 4: Secure Configuration of Enterprise Assets and Software

DEEP DIVE

Covers system hardening and secure configuration baselines. Updating to cross-reference and link to the main CIS Critical Security Controls v8 wiki.

Updated 4/12/2026

Tags: cis, controls, secure-configuration, hardening, v8

As part of the overarching CIS Critical Security Controls Version 8 framework, Control 4 focuses on ensuring that all systems within an organization's environment are deployed and maintained in a hardened, secure state.

Before an organization can adequately implement secure configurations, it must first have a comprehensive understanding of what assets it owns. Therefore, CIS Control 1: Inventory and Control of Enterprise Assets and CIS Control 2: Inventory and Control of Software Assets are essential prerequisites to Control 4.

The Need for Secure Configuration

Out-of-the-box hardware and software are rarely configured with security as the primary objective. Vendors typically default to "ease of use" and "maximum compatibility," which often leaves unnecessary ports open, default accounts enabled, and legacy protocols active. Secure configuration (or system hardening) is the process of altering these defaults to minimize the attack surface.

Even after a strong initial configuration is deployed, configuration drift can occur. Systems naturally deviate from their hardened state over time as software is patched, administrators "tweak" settings to troubleshoot issues, or new operational requirements demand changes. Control 4 mandates that configurations must be continually managed to prevent the degradation of security.

Cloud and Shared Responsibility Edge Cases

Configuration management extends to cloud environments, but responsibilities can shift. For example, in a Platform as a Service (PaaS) environment, the service provider may manage and harden the underlying operating system. However, the secure configuration, patching, and updating of the hosted applications and data remain the responsibility of the enterprise. For more on managing cloud vendors, see CIS Control 15: Service Provider Management.

Core Safeguards for Control 4

CIS Control 4 outlines five specific safeguards to establish and maintain hardening standards across the enterprise:

  • 4.1 Establish and Maintain a Secure Configuration Process: Define a secure configuration process for all enterprise assets (end-user devices, mobile, IoT, and servers) and software. This documentation must be reviewed and updated annually, or whenever significant enterprise changes occur.
  • 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure: Network devices require specialized configurations. Routers, switches, and load balancers must follow a similarly rigorous, annually reviewed configuration process. See CIS Control 12: Network Infrastructure Management for deeper operational guidance.
  • 4.3 Configure Automatic Session Locking on Enterprise Assets: Systems must automatically lock after a defined period of inactivity to prevent physical tampering or unauthorized access.
    • General-purpose operating systems: Must not exceed 15 minutes of inactivity.
    • Mobile end-user devices: Must not exceed 2 minutes of inactivity.
  • 4.4 Implement and Manage a Firewall on Servers: Servers must run a firewall where supported. Acceptable implementations include OS-native firewalls (like iptables or Windows Defender Firewall), virtual firewalls, or third-party firewall agents.
  • 4.5 Implement and Manage a Firewall on End-User Devices: All endpoints must utilize a host-based firewall or port-filtering tool to block unauthorized inbound connections and restrict outbound traffic where appropriate.

Establishing and Tailoring Baselines

Developing secure configurations from scratch is labor-intensive and prone to error. Enterprises should begin with publicly developed, vetted, and widely supported baselines. Recommended sources include:

  • The CIS Benchmarks™ Program
  • The National Institute of Standards and Technology (NIST®) National Checklist Program Repository

Handling Exceptions and Deviations

Organizations should augment these public baselines to align with internal policies or industry regulations. It is highly common for strict benchmarks to conflict with legacy applications or specific operational needs. In these edge cases, standard configurations must be adjusted. All deviations from the baseline, along with the business rationale and compensating controls, must be formally documented to facilitate future security reviews or audits.

For large or complex environments, a "one-size-fits-all" baseline is ineffective. Enterprises will likely need multiple baseline configurations tailored to the specific security requirements or data classifications of the underlying assets (refer to CIS Control 3: Data Protection for guidance on data classification).
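The following is an added example, not CIS tooling or code from this wiki, showing how the safeguards above (session locking per asset class, host firewalls) and the documented-deviation requirement from this section fit together in a small baseline audit. The asset records, the rule set beyond Safeguard 4.3's 15-minute and 2-minute thresholds, and the exception register are constructed for illustration; a real deployment would pull captured settings from its configuration management tool.

```python
"""Evaluate captured asset settings against a tailored hardening baseline.

Added example (not CIS code). Only the session-lock limits come from CIS
Safeguard 4.3; the asset records, the other rules and the deviation
register are constructed to illustrate the process.
"""
from dataclasses import dataclass

# Maximum inactivity before automatic lock, in seconds, per asset class (Safeguard 4.3).
MAX_LOCK_SECONDS = {"general": 15 * 60, "mobile": 2 * 60}


@dataclass
class Asset:
    name: str
    asset_class: str   # "general" (workstation/server) or "mobile"
    settings: dict     # captured configuration values, keyed by setting name


@dataclass
class Deviation:
    """A formally documented deviation from the baseline, with its rationale
    and compensating control, as the 'Handling Exceptions' section requires."""
    asset: str
    rule: str
    rationale: str
    compensating_control: str


def rule_session_lock(asset):
    limit = MAX_LOCK_SECONDS[asset.asset_class]
    timeout = asset.settings.get("screen_lock_seconds")
    if timeout is None:
        return False, "no automatic session lock configured"
    if timeout > limit:
        return False, f"locks after {timeout}s, exceeds {limit}s limit for {asset.asset_class} assets"
    return True, f"locks after {timeout}s"


def rule_host_firewall(asset):
    if asset.settings.get("host_firewall") == "enabled":
        return True, "host firewall enabled"
    return False, "host firewall disabled or absent"


def rule_default_accounts(asset):
    enabled = asset.settings.get("default_accounts_enabled", [])
    if enabled:
        return False, "default accounts still enabled: " + ", ".join(enabled)
    return True, "no default accounts enabled"


RULES = {
    "4.3-session-lock": rule_session_lock,
    "4.4/4.5-host-firewall": rule_host_firewall,
    "default-accounts": rule_default_accounts,   # hypothetical local rule, not a CIS safeguard id
}


def evaluate(assets, deviations):
    """Return (asset, rule, status, detail) tuples. A failed rule is only a
    'documented-exception' when a Deviation for that asset and rule is on file;
    any other failure is 'noncompliant'."""
    documented = {(d.asset, d.rule): d for d in deviations}
    findings = []
    for asset in assets:
        for rule_id, check in RULES.items():
            ok, detail = check(asset)
            if ok:
                status = "compliant"
            elif (asset.name, rule_id) in documented:
                d = documented[(asset.name, rule_id)]
                status = "documented-exception"
                detail += f" [rationale: {d.rationale}; compensating control: {d.compensating_control}]"
            else:
                status = "noncompliant"
            findings.append((asset.name, rule_id, status, detail))
    return findings


def summarize(findings):
    counts = {"compliant": 0, "documented-exception": 0, "noncompliant": 0}
    for _, _, status, _ in findings:
        counts[status] += 1
    return counts


# Constructed sample inventory and deviation register (illustrative values).
SAMPLE_ASSETS = [
    Asset("ws-0101", "general", {"screen_lock_seconds": 600, "host_firewall": "enabled",
                                 "default_accounts_enabled": []}),
    Asset("phone-0042", "mobile", {"screen_lock_seconds": 300, "host_firewall": "enabled",
                                   "default_accounts_enabled": []}),
    Asset("legacy-app-01", "general", {"screen_lock_seconds": 900, "host_firewall": "disabled",
                                       "default_accounts_enabled": ["admin"]}),
]
SAMPLE_DEVIATIONS = [
    Deviation("legacy-app-01", "4.4/4.5-host-firewall",
              "legacy application breaks with the host firewall enabled",
              "inbound access restricted by ACL on the upstream switch; reviewed annually"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ASSETS, SAMPLE_DEVIATIONS):
        print(finding)
    print(summarize(evaluate(SAMPLE_ASSETS, SAMPLE_DEVIATIONS)))
```

Running it flags the phone's 5-minute lock as noncompliant (the mobile limit is 2 minutes), records the legacy server's disabled firewall as a documented exception with its compensating control attached to the finding, and still reports the legacy server's enabled default account as noncompliant, since no deviation covers it; undocumented deviations are what an auditor will ask about.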

Continuous Management and Tooling

Enforcing configurations requires dedicated tooling to audit systems and detect deviations from the standard image. Configuration management tools typically operate using one of three methodologies:

  1. Agent-based inspection: A dedicated agent is permanently installed on each managed asset. This provides continuous monitoring and enforcement but requires ongoing agent health management.
  2. Agentless inspection: The scanning tool remotely logs into the enterprise asset using administrator credentials. This reduces endpoint bloat but requires strict credential management and network line-of-sight. See CIS Control 5: Account Management to ensure scanner service accounts are tightly controlled.
  3. Hybrid inspection: A remote session is initiated, a dynamic/temporary agent is pushed to the target system to perform the configuration scan, and the agent is immediately removed upon completion.
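Whichever inspection method is used, the scanner ends up comparing what it captured against a known-good state. As an added example that is not CIS or vendor tooling, the script below shows the drift detection described in "The Need for Secure Configuration" and in this section: a golden snapshot of managed configuration files is recorded, a later capture is compared against it, and any directive an administrator "tweaked" is reported. The file paths and their contents are constructed samples in a generic "key value" daemon-config style.

```python
"""Detect configuration drift between a known-good snapshot and a later capture.

Added example, not CIS or vendor tooling. File names and contents are
constructed; a real agent or agentless scanner would read them from the asset.
"""
import hashlib


def parse_directives(text):
    """Parse 'key value' lines, ignoring blank lines and '#' comments.
    A repeated key keeps its last value in this parser."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        directives[key] = value
    return directives


def snapshot(files):
    """files maps path -> file text. Returns path -> (sha256 hex, directives)."""
    return {
        path: (hashlib.sha256(text.encode()).hexdigest(), parse_directives(text))
        for path, text in files.items()
    }


def diff_snapshots(golden, current):
    """Return drift findings as dicts with path, kind, key, old and new.
    kind is one of: file-added, file-removed, added, removed, changed."""
    findings = []
    for path in sorted(set(golden) | set(current)):
        if path not in golden:
            findings.append({"path": path, "kind": "file-added", "key": None, "old": None, "new": None})
            continue
        if path not in current:
            findings.append({"path": path, "kind": "file-removed", "key": None, "old": None, "new": None})
            continue
        g_hash, g_dirs = golden[path]
        c_hash, c_dirs = current[path]
        if g_hash == c_hash:
            continue   # byte-identical file: skip the per-directive comparison
        # The file changed; only report directives whose effective value differs,
        # so comment or whitespace edits do not raise findings.
        for key in sorted(set(g_dirs) | set(c_dirs)):
            old, new = g_dirs.get(key), c_dirs.get(key)
            if old == new:
                continue
            kind = "added" if old is None else "removed" if new is None else "changed"
            findings.append({"path": path, "kind": kind, "key": key, "old": old, "new": new})
    return findings


# Constructed golden (hardened) state, recorded when the baseline was applied.
GOLDEN_FILES = {
    "/etc/example/daemon.conf": (
        "# hardened by baseline v3\n"
        "PermitRootLogin no\n"
        "PasswordAuthentication no\n"
        "MaxAuthTries 3\n"
    ),
    "/etc/example/firewall.conf": "default_policy drop\nallow_inbound 443/tcp\n",
}

# Constructed later capture: an admin enabled root login and X11 forwarding while
# troubleshooting, dropped the auth-tries limit, and left behind a new config file.
CURRENT_FILES = {
    "/etc/example/daemon.conf": (
        "# hardened by baseline v3\n"
        "PermitRootLogin yes   # temporary, for debugging\n"
        "PasswordAuthentication no\n"
        "X11Forwarding yes\n"
    ),
    "/etc/example/firewall.conf": "default_policy drop\nallow_inbound 443/tcp\n",
    "/etc/example/legacy.conf": "compat_mode on\n",
}


def drift_report():
    """Compare the constructed capture against the golden snapshot."""
    return diff_snapshots(snapshot(GOLDEN_FILES), snapshot(CURRENT_FILES))


if __name__ == "__main__":
    for finding in drift_report():
        print(finding)
```

The per-file digest makes the unchanged firewall file cheap to skip, which matters when an agent re-checks thousands of files; the directive-level comparison then turns "this file changed" into something actionable (which setting, from what, to what), which is what a reviewer needs to decide whether the change is a sanctioned deviation to be documented or drift to be reverted.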

Routine configuration scanning should be integrated alongside your broader vulnerability management program. For details on integrating these scans, review CIS Control 7: Continuous Vulnerability Management.