CIS Benchmarks: Hardening Your Infrastructure
CIS Benchmarks are detailed configuration guides developed by the Center for Internet Security to help organizations secure their systems. While CIS Controls tell you what security capabilities to have, CIS Benchmarks tell you exactly how to configure specific technologies securely.
This guide explains what CIS Benchmarks are, how they differ from CIS Controls, and how to use them effectively to harden your infrastructure.
Key Takeaways
| Point | Summary |
|---|---|
| What they are | Technology-specific configuration guides with detailed hardening settings |
| Coverage | 100+ benchmarks for operating systems, cloud platforms, databases, and more |
| Profiles | Level 1 (essential, minimal impact) and Level 2 (defense-in-depth) |
| Relationship to Controls | Benchmarks help implement CIS Control 4 (Secure Configuration) |
| Access | Free for non-commercial use; membership for full access and tools |
Quick Answer: CIS Benchmarks are detailed, technology-specific hardening guides. They provide hundreds of specific configuration recommendations (like "Set password minimum length to 14 characters") for operating systems, cloud platforms, applications, and network devices. Use CIS Benchmarks to implement CIS Control 4 (Secure Configuration) with specific, tested settings.
CIS Benchmarks vs CIS Controls
It's important to understand the distinction:
| Aspect | CIS Controls | CIS Benchmarks |
|---|---|---|
| Type | Security framework | Configuration guides |
| Scope | Entire security program | Specific technologies |
| Granularity | Safeguards (153 total) | Settings (hundreds per benchmark) |
| Example | "Establish secure configuration process" | "Set MaxPasswordAge to 365 days" |
| Use case | What to implement | How to configure |
How they work together: CIS Control 4 (Secure Configuration of Enterprise Assets and Software) recommends establishing secure configurations. CIS Benchmarks provide the specific settings to use.
Available CIS Benchmarks
CIS provides benchmarks for a wide range of technologies:
Operating Systems
| Benchmark | Use Case |
|---|---|
| Microsoft Windows 11 | Desktop/laptop hardening |
| Microsoft Windows Server | Server hardening |
| Ubuntu Linux | Linux desktop and server |
| Red Hat Enterprise Linux | Enterprise Linux |
| CentOS / Rocky Linux / AlmaLinux | RHEL-compatible systems |
| macOS | Apple desktop hardening |
| Debian | Debian-based systems |
| Amazon Linux 2 | AWS-native Linux |
Cloud Platforms
| Benchmark | Use Case |
|---|---|
| Amazon Web Services (AWS) | AWS account and service security |
| Microsoft Azure | Azure subscription security |
| Google Cloud Platform (GCP) | GCP project security |
| Oracle Cloud Infrastructure | OCI tenancy security |
| Alibaba Cloud | Alibaba Cloud security |
| Kubernetes | Container orchestration security |
| Docker | Container runtime security |
Web Servers and Middleware
| Benchmark | Use Case |
|---|---|
| Apache HTTP Server | Web server hardening |
| NGINX | Web server and proxy hardening |
| Apache Tomcat | Java application server |
| Microsoft IIS | Windows web server |
Databases
| Benchmark | Use Case |
|---|---|
| PostgreSQL | PostgreSQL database security |
| MySQL | MySQL database security |
| Microsoft SQL Server | SQL Server hardening |
| MongoDB | NoSQL database security |
| Oracle Database | Oracle database hardening |
Desktop Software
| Benchmark | Use Case |
|---|---|
| Google Chrome | Browser hardening |
| Mozilla Firefox | Browser hardening |
| Microsoft Office | Office suite security |
| Microsoft Edge | Edge browser hardening |
Network Devices
| Benchmark | Use Case |
|---|---|
| Cisco IOS | Cisco router/switch hardening |
| Palo Alto Networks | Firewall configuration |
| Juniper | Juniper network devices |
Benchmark Profile Levels
Each CIS Benchmark defines multiple profile levels:
Level 1 (L1)
Level 1 recommendations are intended for most organizations:
| Characteristic | Description |
|---|---|
| Impact | Minimal performance or functionality impact |
| Applicability | Broad applicability |
| Implementation | Relatively easy to implement |
| Risk reduction | Addresses most common risks |
Example L1 recommendation: Enable firewall on all workstations.
Level 2 (L2)
Level 2 recommendations provide defense-in-depth for sensitive environments:
| Characteristic | Description |
|---|---|
| Impact | May reduce functionality or performance |
| Applicability | High-security environments |
| Implementation | May require more careful planning |
| Risk reduction | Additional protection against sophisticated attacks |
Example L2 recommendation: Disable all unused services and protocols.
Choosing a Profile
| Environment | Recommended Profile |
|---|---|
| General business | Level 1 |
| Sensitive data | Level 1 + selected Level 2 |
| Regulated industries | Level 2 |
| High-security | Level 2 with additional hardening |
Example: AWS Foundations Benchmark
The CIS AWS Foundations Benchmark is one of the most commonly used. It includes recommendations organized by AWS service:
Identity and Access Management
| Recommendation | Level |
|---|---|
| Avoid root account for daily tasks | L1 |
| Enable MFA for root account | L1 |
| Enable MFA for IAM users with console access | L1 |
| Rotate access keys every 90 days | L1 |
| Don't use root access keys | L1 |
| Set strong password policy | L1 |
Storage
| Recommendation | Level |
|---|---|
| Enable S3 bucket versioning for sensitive data | L2 |
| Enable S3 bucket logging | L1 |
| Enable EBS encryption by default | L1 |
| Block public access to S3 buckets | L1 |
Logging
| Recommendation | Level |
|---|---|
| Enable CloudTrail in all regions | L1 |
| Enable CloudTrail log file validation | L2 |
| Enable access logging for CloudTrail S3 bucket | L1 |
| Enable CloudTrail encryption | L2 |
Monitoring
| Recommendation | Level |
|---|---|
| Create metric filters and alarms for unauthorized API calls | L1 |
| Create metric filters for root account usage | L1 |
| Create metric filters for IAM policy changes | L1 |
| Enable VPC Flow Logs | L2 |
Networking
| Recommendation | Level |
|---|---|
| No security groups allow unrestricted SSH | L1 |
| No security groups allow unrestricted RDP | L1 |
| Enable VPC Flow Logs for default VPC | L2 |
| Restrict default security group | L1 |
Example: Windows Server Benchmark
The CIS Windows Server Benchmark covers extensive configuration settings. The following examples are representative of typical CIS Benchmark recommendations. Note: Specific values may vary between benchmark versions and Windows Server editions. Always consult the latest CIS Benchmark document for your specific OS version.
Account Policies
| Recommendation | Level | Setting |
|---|---|---|
| Password history | L1 | Remember 24 passwords |
| Maximum password age | L1 | 365 days or less |
| Minimum password age | L1 | 1 day or more |
| Minimum password length | L1 | 14 characters |
| Password complexity | L1 | Enabled |
| Account lockout threshold | L1 | 5 attempts or fewer |
Audit Policy
| Recommendation | Level | Setting |
|---|---|---|
| Audit credential validation | L1 | Success and Failure |
| Audit user account management | L1 | Success and Failure |
| Audit security group management | L1 | Success |
| Audit logon events | L1 | Success and Failure |
| Audit object access | L2 | Success and Failure |
Security Options
| Recommendation | Level | Setting |
|---|---|---|
| Rename administrator account | L1 | Custom name |
| Rename guest account | L1 | Custom name |
| Disable guest account | L1 | Disabled |
| Enable UAC | L1 | All prompts |
| Enable Credential Guard | L2 | Enabled |
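On Windows the account policies and several security options above can be read from a `secedit /export /cfg` dump, which is where a scripted Step 3 assessment usually starts. The following parser and checker are an added example, not CIS or Microsoft tooling, and the INF text embedded in it is constructed to look like such an export from a host still on mostly default settings. The checks use the values in the tables above (24 passwords, 365 days, 1 day, 14 characters, complexity on, 5 attempts, renamed administrator and guest, guest disabled) and treat the two export conventions that commonly fool naive scripts, `MaximumPasswordAge = -1` (never expires) and `LockoutBadCount = 0` (lockout disabled), as failures.

```python
"""Check a `secedit /export /cfg` dump against the account-policy and
security-option rows in the tables above. Added example, not CIS or Microsoft
tooling. SAMPLE_INF is constructed; on a real host run
`secedit /export /cfg C:\\policy.inf` (as an administrator) and pass the path
on the command line. secedit writes UTF-16, hence encoding="utf-16" below."""
import sys

# Constructed export from a hypothetical host that still has mostly default settings.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_secedit_inf(text):
    """Parse the INI-like export into {section: {key: value}}; surrounding quotes are stripped."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            data[section][key.strip()] = value.strip().strip('"')
    return data

# (secedit key, benchmark row, predicate on the exported value). Values arrive as
# strings; -1 for MaximumPasswordAge means "never expires" and LockoutBadCount 0
# means lockout is disabled, so both must count as failures, not passes.
CHECKS = [
    ("PasswordHistorySize", "Password history: remember 24 passwords", lambda v: int(v) >= 24),
    ("MaximumPasswordAge", "Maximum password age: 365 days or less", lambda v: 1 <= int(v) <= 365),
    ("MinimumPasswordAge", "Minimum password age: 1 day or more", lambda v: int(v) >= 1),
    ("MinimumPasswordLength", "Minimum password length: 14 characters", lambda v: int(v) >= 14),
    ("PasswordComplexity", "Password complexity: enabled", lambda v: v == "1"),
    ("LockoutBadCount", "Account lockout threshold: 5 attempts or fewer", lambda v: 1 <= int(v) <= 5),
    ("NewAdministratorName", "Rename administrator account", lambda v: v.lower() != "administrator"),
    ("NewGuestName", "Rename guest account", lambda v: v.lower() != "guest"),
    ("EnableGuestAccount", "Disable guest account", lambda v: v == "0"),
]

def evaluate(inf_text):
    """Return {key: (row, status, actual)} with status PASS, FAIL or MISSING."""
    system_access = parse_secedit_inf(inf_text).get("System Access", {})
    results = {}
    for key, row, ok in CHECKS:
        actual = system_access.get(key)
        if actual is None:
            results[key] = (row, "MISSING", None)   # not exported: investigate, never assume pass
        else:
            results[key] = (row, "PASS" if ok(actual) else "FAIL", actual)
    return results

def failing_keys(results):
    """Keys that need remediation (FAIL) or investigation (MISSING), sorted for stable reports."""
    return sorted(k for k, (_, status, _) in results.items() if status != "PASS")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INF
    for key, (row, status, actual) in evaluate(text).items():
        print(f"{status:7} {key} = {actual!r}  ({row})")
```

Run it with no arguments to see the constructed sample evaluated, or with the path of a real export. A setting that is absent from the export is reported as MISSING rather than PASS, because an absent line tells you nothing about the effective policy.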
Implementing CIS Benchmarks
Step 1: Identify Applicable Benchmarks
Inventory your technology stack and identify relevant benchmarks:
| Technology | Applicable Benchmark |
|---|---|
| AWS cloud infrastructure | CIS AWS Foundations |
| Ubuntu servers | CIS Ubuntu Linux |
| PostgreSQL databases | CIS PostgreSQL |
| Employee laptops (Mac) | CIS macOS |
Step 2: Choose Profile Level
Determine appropriate profile level based on:
- Data sensitivity
- Regulatory requirements
- Acceptable operational impact
- Security maturity
Step 3: Assess Current State
Compare current configurations to benchmark recommendations:
- Manual assessment: Review settings against the benchmark
- Automated assessment: Use scanning tools
Step 4: Prioritize Remediation
Not all recommendations carry equal weight:
| Priority | Criteria |
|---|---|
| Critical | Exposes significant risk, easy to exploit |
| High | Significant risk, more complex to exploit |
| Medium | Moderate risk or impact |
| Low | Minor improvement |
Focus on L1 recommendations first, then add L2 based on risk tolerance.
Step 5: Implement Changes
Apply configuration changes:
- Infrastructure as Code: Incorporate into Terraform, CloudFormation, or Ansible
- Group Policy: For Windows environments
- Configuration management: Puppet, Chef, or Ansible
Step 6: Validate and Monitor
Continuously verify benchmark compliance:
- Initial validation: Confirm changes were applied correctly
- Ongoing monitoring: Detect configuration drift
- Regular reassessment: As benchmarks are updated
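Ongoing monitoring in Step 6 comes down to comparing what a host looks like now with the baseline recorded when the benchmark was applied, and knowing which differences were approved. The script below is an added example, not CIS-CAT or any configuration-management product: it fingerprints two flat setting maps, lists every difference (changed, missing or unexpected settings), and sorts those into drift to remediate, accepted deviations, and exceptions whose approval has lapsed. The baseline, current snapshot, setting names and exception register are all constructed; a real run would load them from your CM tool's export and your exception log.

```python
"""Configuration drift check for Step 6 above: compare a host's current settings
with the baseline recorded when the benchmark was applied, and separate real
drift from documented exceptions. Added example, not CIS-CAT or any
configuration-management product. The snapshots, setting names and exception
register are constructed; a real run would load them from your CM tool's
export and your exception log."""
import hashlib
import json
from datetime import date

# Constructed baseline recorded at rollout (setting -> value).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.MaxAuthTries": "4",
    "auditd.max_log_file_action": "keep_logs",
    "firewall.enabled": True,
    "pam.pwquality.minlen": 14,
}
# Constructed current state of the same host, gathered later.
CURRENT = {
    "sshd.PermitRootLogin": "no",
    "sshd.MaxAuthTries": "6",                   # changed, nobody approved it
    "auditd.max_log_file_action": "rotate",     # changed, covered by an exception
    "firewall.enabled": False,                  # changed, exception has lapsed
    "cron.allow_present": True,                 # setting not in the baseline at all
}                                               # pam.pwquality.minlen is gone
# Constructed exception register: what was approved, why, and until when.
EXCEPTIONS = {
    "auditd.max_log_file_action": {"approved_value": "rotate", "expires": "2026-01-01",
                                   "justification": "lab hosts; logs shipped to SIEM"},
    "firewall.enabled": {"approved_value": False, "expires": "2024-01-31",
                         "justification": "appliance behind a hardware firewall"},
}
REVIEW_DATE = date(2024, 6, 1)

def fingerprint(snapshot):
    """Order-independent digest of a snapshot; equal digests mean no drift at all."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_snapshots(baseline, current):
    """(key, expected, actual, kind) for every difference; kind is changed, missing or unexpected."""
    drifts = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            drifts.append((key, baseline[key], None, "missing"))
        elif key not in baseline:
            drifts.append((key, None, current[key], "unexpected"))
        elif baseline[key] != current[key]:
            drifts.append((key, baseline[key], current[key], "changed"))
    return drifts

def triage(drifts, exceptions, today):
    """Sort differences into drift to remediate, accepted deviations, and lapsed exceptions."""
    report = {"drift": [], "accepted": [], "expired_exception": []}
    for key, _expected, actual, _kind in drifts:
        exc = exceptions.get(key)
        if exc is None:
            report["drift"].append(key)
        elif date.fromisoformat(exc["expires"]) < today:
            report["expired_exception"].append(key)   # re-approve or remediate
        elif exc["approved_value"] == actual:
            report["accepted"].append(key)
        else:
            report["drift"].append(key)               # deviates even from the approved value
    return report

def check_host(baseline, current, exceptions, today):
    """Cheap digest comparison first; detailed triage only when something differs."""
    if fingerprint(baseline) == fingerprint(current):
        return {"drift": [], "accepted": [], "expired_exception": []}
    return triage(diff_snapshots(baseline, current), exceptions, today)

if __name__ == "__main__":
    for bucket, keys in check_host(BASELINE, CURRENT, EXCEPTIONS, REVIEW_DATE).items():
        print(f"{bucket}: {', '.join(keys) or '-'}")
```

The fingerprint lets a scheduled job skip hosts that have not changed at all, while the triage step keeps exception handling explicit: an exception only covers the value that was approved, and it stops covering anything once its expiry date passes, which is what turns "document exceptions" into something a periodic review can actually act on.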
Automation Tools
CIS-CAT Pro
CIS offers CIS-CAT Pro, an automated assessment tool:
| Feature | Description |
|---|---|
| Scanning | Automated benchmark assessment |
| Reporting | Compliance reports and dashboards |
| Remediation guidance | Specific fix recommendations |
| Multiple platforms | Support for many benchmarks |
Third-Party Tools
Many security tools incorporate CIS Benchmark checks:
| Tool | Capability |
|---|---|
| AWS Security Hub | CIS AWS Foundations checks |
| Azure Security Center | CIS Azure benchmark checks |
| Prisma Cloud | Multi-cloud CIS compliance |
| Qualys | CIS benchmark scanning |
| Nessus | CIS benchmark audit files |
| OpenSCAP | Linux benchmark automation |
Infrastructure as Code
Implement CIS Benchmarks in your IaC:
Terraform:
- AWS: Use modules with CIS-compliant defaults
- Pre-commit hooks for compliance checking
Ansible:
- Use CIS hardening roles from Ansible Galaxy
- Lockdown roles for Linux systems
CloudFormation:
- Include CIS-compliant security group rules
- Enable logging and encryption by default
CIS Benchmarks and Compliance
CIS Benchmarks are widely recognized in compliance contexts:
SOC 2
SOC 2 requires secure configurations. CIS Benchmarks provide:
- Evidence of configuration standards
- Specific settings to demonstrate
- Audit-ready documentation
ISO 27001
ISO 27001 Control A.8.9 (Configuration management) is addressed by:
- Documented configuration standards (benchmarks)
- Configuration verification (assessment tools)
- Change management for configurations
PCI DSS
PCI DSS requirement 2 (secure configurations) explicitly references CIS Benchmarks as an acceptable hardening standard.
HIPAA
HIPAA Security Rule technical safeguards can be implemented using CIS Benchmarks for secure configuration.
Common Challenges
Challenge 1: Operational Impact
Some benchmark recommendations may affect functionality.
Solution:
- Test in non-production first
- Start with Level 1 recommendations
- Document exceptions with justification
Challenge 2: Keeping Up with Updates
Benchmarks are updated regularly.
Solution:
- Subscribe to CIS updates
- Schedule quarterly benchmark reviews
- Use automated tools that update with new benchmarks
Challenge 3: Exception Management
Not all recommendations apply to all systems.
Solution:
- Document exceptions with risk acceptance
- Implement compensating controls where needed
- Review exceptions periodically
Challenge 4: Scale
Applying benchmarks across many systems is labor-intensive.
Solution:
- Use configuration management tools
- Implement Infrastructure as Code
- Automate compliance scanning
Relationship to CIS Controls
CIS Benchmarks primarily support CIS Control 4 (Secure Configuration):
| CIS Safeguard | How Benchmarks Help |
|---|---|
| 4.1: Secure Configuration Process | Benchmarks provide the baseline |
| 4.2: Network Infrastructure Configuration | Network device benchmarks |
| 4.4: Firewall on Servers | Server benchmark firewall sections |
| 4.5: Firewall on End-User Devices | Desktop benchmark firewall settings |
| 4.6: Securely Manage Assets | Benchmark management interface settings |
| 4.7: Manage Default Accounts | Benchmark account recommendations |
| 4.8: Disable Unnecessary Services | Benchmark service hardening |
Other controls supported by benchmarks:
| CIS Control | Relevant Benchmark Sections |
|---|---|
| 3 (Data Protection) | Encryption, access control sections |
| 8 (Audit Log Management) | Logging and audit sections |
| 12 (Network Infrastructure) | Network device benchmarks |
Getting Started
For Small Organizations
- Identify critical systems: What hosts sensitive data?
- Download relevant benchmarks: Free from CIS website
- Apply Level 1 recommendations: Manual or scripted
- Document baseline: What configurations you've applied
- Schedule reviews: Quarterly or when systems change
For Larger Organizations
- Inventory technology stack: Comprehensive assessment
- Select benchmarks: Match to your technologies
- Implement automated scanning: CIS-CAT or third-party tools
- Integrate with CI/CD: Include in build pipelines
- Track compliance: Dashboard and reporting
- Manage exceptions: Formal process for deviations
Common Questions
Are CIS Benchmarks free?
The benchmarks themselves are free for non-commercial use. CIS SecureSuite membership provides additional tools and support, including CIS-CAT Pro, for a fee.
How often are benchmarks updated?
Benchmarks are updated when technology versions change or when new security recommendations emerge. Major OS releases typically receive new benchmark versions within months.
Should I implement Level 2 everywhere?
Not necessarily. Level 2 recommendations may impact functionality. Start with Level 1 and add Level 2 for high-security systems or where risks justify the operational impact.
Do benchmarks replace vulnerability scanning?
No. Benchmarks ensure secure configurations. Vulnerability scanning identifies known vulnerabilities. You need both: hardened configurations AND patched vulnerabilities.
How do benchmarks relate to cloud provider recommendations?
CIS Benchmarks often align with but may exceed cloud provider best practices. AWS Well-Architected Framework, Azure Security Benchmark, and GCP Security Command Center all reference or align with CIS Benchmarks.
Sources
- CIS Benchmarks Downloads - Official benchmark documents
- CIS SecureSuite - CIS membership and tools
- CIS-CAT Pro - Automated assessment tool
- AWS Foundations Benchmark - AWS-specific guidance
- CIS Controls v8 - How benchmarks support controls
