Secure Configuration (CIS Control 4)

CIS Control 4 requires organisations to establish, document and maintain secure configurations for all hardware and software across the enterprise -- from operating systems and browsers to servers and network devices. The goal is to minimise the attack surface by removing unnecessary features and default credentials.

    What is secure configuration?

    Secure configuration, also known as hardening, is the practice of configuring systems and software with security as the starting point rather than functionality. Most products ship with default settings that prioritise usability and compatibility, but these are rarely the most secure choices.

    Hardening involves disabling unnecessary services and protocols, changing default passwords, configuring firewall rules, and removing sample accounts and trial installations.

    CIS Benchmarks

    The Center for Internet Security publishes detailed configuration guides, known as CIS Benchmarks, for hundreds of products -- from Windows and Linux to macOS, cloud platforms and network devices. Benchmarks specify precisely which settings should be changed and to which values, with a rationale for each recommendation.

    CIS Benchmarks are freely available and widely accepted as industry best practice for secure configuration.

    Configuration drift

    Even after initial hardening, configurations can drift away from the secure baseline over time. Continuous configuration monitoring -- for example through SCAP-based scanners -- is necessary to maintain the desired security level.

    Configuration baselines

    A configuration baseline is the documented, approved standard configuration for a given system type. All systems of that type should be configured in accordance with the baseline. Deviations from the baseline must be approved and documented.

    Configuration baselines work hand in hand with asset inventory (CIS Control 1) -- you cannot harden what you do not know exists.
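    The drift check described in the two sections above, as an added example that is not part of this page or of any CIS tooling: it compares a host's sshd_config against a documented baseline and reports every keyword whose effective value deviates. The baseline values and the sample config are constructed for illustration, not taken from an official CIS Benchmark.

```python
import re

# Constructed baseline: the approved value for each sshd keyword this check
# covers (modelled on typical SSH hardening guidance, not an official benchmark).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

# Constructed sample of a drifted sshd_config, as it might be read from a host.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
"""

def parse_sshd_config(text):
    """Return the effective {keyword: value} map. Keywords are case-insensitive
    and, as in sshd itself, the first occurrence of a keyword wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment: contributes nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective

def find_drift(baseline, effective):
    """List (keyword, expected, actual) for every baseline item the host does
    not meet. A keyword missing from the file falls back to sshd's compiled-in
    default, which the baseline cannot vouch for, so it is reported as drift."""
    drift = []
    for key, expected in baseline.items():
        actual = effective.get(key, "<unset>")
        if actual.lower() != expected:
            drift.append((key, expected, actual))
    return drift

if __name__ == "__main__":
    for key, expected, actual in find_drift(BASELINE, parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"DRIFT {key}: baseline {expected!r}, host has {actual!r}")
```

    Run against the sample, the check flags the re-enabled root login, the commented-out password setting and the missing MaxAuthTries line; each finding is a deviation that must either be reverted or be approved and documented against the baseline.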

    Default passwords and default accounts

    One of the simplest and most effective hardening measures is to change all default passwords and disable or rename default accounts (such as "admin", "administrator" and "root"). Many well-known attacks still exploit unchanged default credentials.

    Relationship to other CIS Controls

    Secure configuration supports and is supported by several other CIS Controls:

    • CIS Control 1 (Asset Inventory): You must know which assets exist before you can harden them.
    • CIS Control 2 (Software Inventory): Identifying all installed software helps you remove unauthorised or unnecessary applications.
    • CIS Control 7 (Continuous Vulnerability Management): Patching and hardening are complementary activities that together reduce the attack surface.

    Frequently Asked Questions about Secure Configuration (CIS Control 4)

    What is CIS Control 4?

    CIS Control 4 focuses on establishing and maintaining secure configurations for enterprise hardware and software. It is about hardening systems by removing unnecessary features, changing default credentials and applying security-focused settings.

    What are CIS Benchmarks?

    CIS Benchmarks are detailed, freely available configuration guides published by the Center for Internet Security. They provide specific, tested recommendations for securely configuring hundreds of products, from operating systems to cloud platforms.

    What is configuration drift?

    Configuration drift occurs when a system's configuration changes over time from the approved secure baseline. This can happen through manual changes, software updates or misconfigurations, and it increases the attack surface.

    Why are default passwords a security risk?

    Default passwords are publicly known and are among the first credentials attackers try. Failing to change them leaves systems vulnerable to trivial attacks. Hardening requires changing all default passwords and disabling or renaming default accounts.

    Is CIS Control 4 included in Implementation Group 1?

    Yes. CIS Control 4 is part of IG1, which means it is considered essential cyber hygiene that every organisation should implement, regardless of size or resources.