hello youtubers welcome back to my
nasdaq youtube channel
this is johnny a network and security
guy
when i'm wearing security hat
one of popular questions i got asked
is about
security of the system how i'm sure this
system has been configured securely
usually my answer is quite simple
that's wrong cis cat scanning
what is ciscat
this is just created the tool center for
internet security configuration
assessment tool
we are going to compare the target
configuration settings with cure
configuration settings recommended they
have 100 cs benchmarks for different
systems
after the comparison they're gonna give
you a report shows the score how to
secure your system and also give you
recommendation for how to remediate
those security holes you might have
this whole tool makes the scanning
validation and reporting much easier and
simpler for users who need to find out
the best security configuration for
their system
this is
very helpful and useful tool there are
two versions
such as cad flow and sas cad catalyte
in this video i'm gonna present it how
you can download cs catalyte how you can
run it and how you can do scan
for your target
now
let's jump into my lab and we can start
it
now let's take a look my lab topology
for this lab i have three machines
one is windows 2016
which we are gonna
launch cs cad lite from this machine to
do the scanning for windows 10 and
51 sec to local this dc
all those machines are in the domain
if you are using work groups and similar
operations
this is very simple network they're all
running in the same
network 192.168.2
if you have firewall between
your cis cad lite server and your
destinations you may need to open your
firewalls
but that will be in different topic
now let's download the cs cat lite
version free
cat tool
to scanning your destination
you can directly using the google to
search says cat lite the first link jump
out
that will be
this page
for this form what you need to do is you
don't need to provide your credit card
you private your minimum personal
information name
organization role
email sector country
how many employees how did you hear
about us
then
click get cs cad button
in couple minutes
you should be able to get the email like
this
cis center for internet security
says catalyte version 4
and the download link here
quick link
the downloading show happening
immediately
at about 148 megabytes
um place down your internet speed one
minute two minutes you should be able to
get it
so that how you can get it
you may also get the list
email as well to show you how to get
started with cis cad lite
that will help you
to start to use
this tool
you also can register for webmail
to get more informations
after you download the software
you will see
this zip file
says cad lite version 4.21.0
to run it
you don't need to install it
only thing you need to do extract all
i'm running
cs catalyte in my virtual machine
i'm giving a gigabyte to run
and for virtual cpu
it depending on
how many system you need to scan
usually
even four giga ram
to watch cpu
it's also more enough
once you unzip it you will get as
accessor
this folder
you will find out this assessor
dash gui exe file
to run it it is very simple just right
click this accessor
dash gui exe file run as administrator
you will see it shows cis cad pro access
in the windows title
if we are syncing this oh i maybe
download the wrong one
but actually the windows title shows
cscad pro accessor
eventually you will get cs cat light
version
since
that
restricted version from this floor
you will see here says cat light
it is using same web gui as pro version
only
thing is this is a restricted version
it's a light version and also you will
see they want you to
see the documentation which is pro
documentation you won't find too much
information about light but you will see
everything for the plot
once you launch the web degree scanning
the system gonna be very simple either
local or remote
the lite version
has no limitation how many targets you
can scan
so you can scan local and the remote
system that start from this local system
first
the local system is a windows 2016 as i
mentioned before so we're gonna
use
windows server list sas controls
assessment module implementation group 1
which is minimum requirement for the
server
and we're gonna choose list one
automated checks and the survey
questions
so you will get a lot of survey
questions for the interactive answers
one thing
the light version
this is different from pro version is
you only have limited benchmarks
for a pro version says dusty's provide
hundreds benchmarks for you to use but
here the benchmarks only limited a
couple from windows 10
ubuntu
google chrome
and the
minimum requirement for windows server
after you choose the benchmarks in the
profile
basically profile i was thinking it's
always baseline
and you can add it
so once you choose edit they will
give you
a text box to ask you
the questions
you can just
click okay okay
let about
29 questions for this survey
so
for me and just quickly
demonstrate the process i will pick
yes for all questions
so once all questions has been answered
let's select the profile and the
benchmark will be in this selected
section
after that
we can choose next
here report output options
since we are using light version we only
have html it's already select for us
if you using pro you can use in csv text
xml and json
and we can pick
the destination you leave default
you also can save a configuration file
for the future to use it and you don't
have to do all the selection again
next
so it's a sql
confirmation start assessment
assessments usually
take
two minutes to get it done
all right
we got a report
ma'am you can choose view html
that will show you a really nice report
in your browser
for my list machine automatic checks
failed 11
items
we have four passed
for user survey questions we got 29
questions since we selected yes for all
of them we passed 100
totally
77
pass
you should be able to see all check
details
for each failed items
you will see remediation recommendations
here
that should help you
to remedy
this failed item
so this is the local scanning
we also able to do the remote system
scanning
as mentioned before i have windows 10
setup as my target
and which is also joined local domain
i'm going to use him js catalyte
windows 2016 servers to scan is windows
10 and we also can do
that domain controller scan as well so
we can do
both
so you need to choose advanced for
remote target assistant
you're going to use windows 10 here
and one thing you may want to make sure
is
you can pin
your remote server
that's our
destination windows 10 server we can
check the name
windows 10 4
so once you confirm that
you can type your system name there
choose your system type
it's windows
in the future we also can do ubuntu
scanning by level b in different video
one thing you need to remember the win
rm windows remote management service has
to be up and running by default it
should be up and running already
if not in then you need to go back to
see is cat pro documentation to see how
to enable windows im how to use group
policy
to
enable indesign for your
destination username
i'm going to use a domain admin account
ip address
username actually
you need to specify the domain here as
well using the format that required
which is the username plus 51sec
code just make sure your domain name is
cracked
username scratch password is right
temporary pass we don't need a lot now
after you enter the destination
information you need to pick
the benchmarks
so we are going to use in windows 10
enterprise benchmark
we can
choose next generation windows security
there's a couple of other lines you can
choose we choose level 2
after all those
options you select it you can save it
it will add it into your target system
here
before you scan to next step you want to
make sure you have connections to the
target
if you see any errors happens here you
may want to go back to check your
settings
as you can see here i do see an error or
code creating a section
so we need to fix that
information before we can continue
so you choose your target system
and choose add it
and verify those configurations one by
one so we notice
we put that wrong ip here
let's save
and allow me to test the connection
again
now
alloys calm
connection establish it
let's go to the next step
choose our target system as i mentioned
before we can add more here target
system like we can add the domain
controller dc
windows
http
same thing
since it's a windows server so we
probably
need to change
the benchmarks so i just choose the
automated
subcontrols only
save
now we have two systems
so you need to choose or you can choose
multiple forefront using a control you
can choose two of them together to scan
i want to make sure we can go to the dc
as well let's test connection
so connection has been
tested successfully
establish it establish it
so let's uh
choose both
and go to next
we need a benchmark for our windows 10
believe we can choose this one choose
add
and save
so now it shows one so we need
benchmarks at least one benchmark for
each of system
next
again html has been selected for us
report
folder we keep default
then we do start
assessment
this may take um
two three minutes to get the post
dumping since it's remote it's slower
than doing a local
the process is the same
it created a connection
and the land goes through
all controls they need to
validate using script
and then validate all settings
and then come back with report
well after probably five minutes five
six minutes
the report
has been generated
we finished our scanning
so you will be able to see both reports
let's take a quick look here
it's for windows 10.
you also can check along
domain controllers
51 sec dc1
so now we finished our remote scanning
basically that's how you can use
this free tool
to validate your security configuration
on your target system
you don't have to pay
any if you are only using those basic
profiles
for your system for windows 10 and the
server ubuntu google clone
if you have more other system need to be
validated then you have to
get the license for your pro version
that will be in my different videos
that's all for this video how you can
use free tool
cis cad lite
to check your security settings on your
target
i hope you enjoyed it
if you find anything useful in this
video give me a thumb up
also please subscribe my channel if you
haven't
thank you for watching
[Music]
you