Hello, YouTubers. Welcome back to my
NetSec YouTube channel.
This is Johnny, a network and security
guy.
When I'm wearing my security hat,
one of the popular questions I get asked
is about the
security of a system: How do I ensure this
system has been configured securely?
Usually, my answer is quite simple:
Let's run a CIS-CAT scan.
What is CIS-CAT?
It is just a tool created by the Center for
Internet Security: the Configuration
Assessment Tool.
We are going to compare the target's
configuration settings with the recommended
core configuration settings. They
have hundreds of CIS benchmarks for different
systems.
After the comparison, they're going to give
you a report that shows a score for how
secure your system is, and also gives you
recommendations for how to remediate
those security holes you might have.
This whole tool makes the scanning,
validation, and reporting much easier and
simpler for users who need to find out
the best security configuration for
their system.
This is a
very helpful and useful tool. There are
two versions:
CIS-CAT Pro and CIS-CAT Lite.
In this video, I'm going to present how
you can download CIS-CAT Lite, how you can
run it, and how you can scan
for your target.
Now
let's jump into my lab, and we can start.
Let's start it!
1. Lab Topology
Now, let's take a look at my lab topology.
For this lab, I have three machines.
One is Windows 2016,
from which we are going to
launch CIS-CAT Lite to
do the scanning for the Windows 10 machine and
the 51sec.local DC.
All those machines are in the domain.
If you are using workgroups, the
operations are similar.
Again, this is a very simple network. They're all
running in the same
network, 192.168.2.
If you have a firewall between
your CIS-CAT Lite server and your
destinations, you may need to open your
firewalls,
but that will be a different topic.
2. Download
Now, let's download the CIS-CAT Lite
version. It's a free
CAT tool
to scan your destination.
You can search on Google directly
for "CIS-CAT Lite." The first link that jumps
out
will be
this page.
For this form, you
don't need to provide your credit card.
You provide minimal personal
information: name,
organization, role,
email, sector, country,
how many employees, and how you heard
about us.
Then,
click the "Get CIS-CAT" button.
In a couple of minutes,
you should be able to get an email like
this:
CIS Center for Internet Security,
CIS-CAT version 4,
and the download link here.
Click the link,
and the download should happen
immediately.
It is about 148 megabytes.
Depending on your internet speed, in one
or two minutes you should be able to
get it.
So that's how you can get it.
You may also get this
email as well to show you how to get
started with CIS-CAT Lite.
That will help you
to start using
this tool.
You can also register for the webinar
to get more information.
3. Run CIS-CAT Lite
After you download the software,
you will see
this zip file:
CIS-CAT Lite version 4.21.0.
To run it,
you don't need to install it.
The only thing you need to do is "Extract All."
I'm running
CIS-CAT Lite in my virtual machine.
I'm giving it 8 gigabytes of RAM
and 4 virtual CPUs.
It depends on
how many systems you need to scan.
Usually,
even 4 gigabytes of RAM
and 2 virtual CPUs are
more than enough.
Once you unzip it, you will get
access to
this folder,
and you will find the "Assessor-GUI.exe" file.
To run it is very simple: just right-click this "Assessor-GUI.exe" file and choose
"Run as administrator."
You will see it shows "CIS-CAT Pro Assessor"
in the window title.
You may be thinking, "Oh, maybe I
downloaded the wrong one,"
but actually, the window title shows
"CIS-CAT Pro Assessor."
Eventually, you will get the CIS-CAT Lite
version
since
it's
a restricted version of the Pro.
You will see "CIS-CAT Lite" here.
It uses the same web GUI as the Pro version.
The only
thing is that this is a restricted version.
It's a Lite version, and you will also
see they want you to
see the documentation, which is the Pro
documentation. You won't find much
information about the Lite, but you will see
everything for the Pro.
4. Assess Local System
Once you launch the web GUI, scanning
the system is going to be very simple, either
local or remote.
The Lite version
has no limitation on how many targets you
can scan,
so you can scan local and remote
systems. Let's start with the local system
first.
The local system is Windows 2016, as I
mentioned before. So we are going to
use the
Windows Server CIS Controls
Assessment Module: Implementation Group 1,
which is the minimum requirement for the
server.
And we're going to choose this one,
automated checks and the survey
questions.
So, you will get a lot of survey
questions for interactive answers.
One thing:
the Lite version
is different from the Pro version in that
you only have limited benchmarks.
The Pro version provides
hundreds of benchmarks for you to use, but
here the benchmarks are limited to a
couple: Windows 10,
Ubuntu,
Google Chrome,
and the
minimum requirement for Windows Server.
After you choose the benchmark and the
profile
(basically, I think of the profile as
always being a baseline),
you can add it.
So, once you choose "Add," it will
give you
a text box to ask you
questions.
You can just
click "OK." There are
about
29 questions for this survey.
So,
for me, I'm just quickly
demonstrating the process, so I will click
"Yes" for all questions.
So, once all questions have been answered,
the selected profile and
benchmark will be in this selected
section.
After that,
we can choose "Next."
Here are the report output options.
Since we are using the Lite version, we only
have HTML; it's already selected for us.
If you're using the Pro, you can use CSV, text,
XML, and JSON.
We can pick
the destination; you can leave it at the default.
You can also save the configuration file
for future use, so you don't
have to do all the selections again.
Click "Next."
It will ask you for
confirmation to start the assessment.
The assessment usually
takes
two minutes to get done.
Alright,
we got a report.
Then, you can choose "View HTML," and
that will show you a really nice report
in your browser.
For my machine, the automated checks
failed 11
items;
we have 4 passed.
For the user survey questions, we got 29
questions; since we selected "Yes" for all
of them, we passed 100%.
Total:
77%
pass.
You should be able to see all the check
details.
For each failed item,
you will see remediation recommendations
here.
That should help you
remedy
the failed items.
So, this is the local scanning.
We're also able to do remote system
scanning.
As mentioned before, I have Windows 10
set up as my target,
which is also joined to the local domain.
I'm going to use the CIS-CAT Lite
Windows 2016 server to scan this Windows
10, and we can also do
the domain controller scan as well. So,
we can do
both.
So, you need to choose "Advanced" for a
remote or target system.
I'm going to use Windows 10 here.
One thing you may want to make sure
of is that
you can ping
your remote server.
That's our
destination, the Windows 10 server. We can
check the name:
Windows 10-4.
So, once you confirm that,
you can type your system name there
and choose your system type
(Windows).
In the future, we can also do Ubuntu
scanning, but that will be in a different video.
One thing you need to remember: the WinRM
(Windows Remote Management) service has
to be up and running. By default, it
should be up and running already.
If not, then you need to go back to the
CIS-CAT Pro documentation to see how
to enable WinRM and how to use Group
Policy
to
enable it on Windows 10 for your
destination. Username:
I'm going to use a domain admin account.
IP address.
For the username, you actually
need to specify the domain here as
well, using the required format,
which is username plus 51sec.local.
Just make sure your domain name is
correct,
the username is correct, and the password is correct.
No temporary password is needed. Now,
after you enter the destination
information, you need to pick
the benchmark.
So, we are going to use the Windows 10
Enterprise benchmark.
We can
choose Next Generation Windows Security.
There are a couple of other options you can
choose, but we choose Level 2.
After all those
options are selected, you can save it,
and it will add it into your target system
here.
Before you go to the next step, you want to
make sure you have a connection to the
target.
If you see any errors here, you
may want to go back to check your
settings.
As you can see here, I do see "an error
occurred while creating a session."
So, we need to fix that
information before we can continue.
So, you choose your target system
and choose "Edit" to
verify those configurations one by
one. So, we noticed
I put the wrong IP here.
Save.
Let me test the connection
again.
Now,
the error is gone, and the
connection is established.
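The pre-flight checks just described (ping the target, WinRM running, domain included in the username, correct IP) can be scripted on the scanning host before pressing "Test Connection." This is an added example, not code from the video or from CIS-CAT; the target name, the IP in the 192.168.2 network and the account name are constructed sample values, and the username check assumes the user@domain form the video describes (DOMAIN\user is also accepted):

```powershell
# Added example (not part of the video or of CIS-CAT): pre-flight checks for a
# remote Windows target before CIS-CAT Lite tries to create a WinRM session.
# Run on the scanning host (Windows 2016 here) as a user allowed to query WinRM.
function Test-CisCatTargetPrereqs {
    param(
        [Parameter(Mandatory)] [string] $TargetName,   # e.g. Windows10-4
        [Parameter(Mandatory)] [string] $ExpectedIp,   # the IP typed in the GUI
        [Parameter(Mandatory)] [string] $UserName      # e.g. admin@51sec.local
    )
    $result = [ordered]@{}

    # 1. Does DNS resolve the name to the IP you typed? A mismatch here is the
    #    "error occurred while creating a session" case shown in the video.
    $resolved = (Resolve-DnsName -Name $TargetName -Type A -ErrorAction SilentlyContinue).IPAddress
    $result.DnsResolves  = [bool]$resolved
    $result.IpMatchesDns = $resolved -contains $ExpectedIp

    # 2. ICMP reachability, the "can you ping it" check.
    $result.PingOk = Test-Connection -ComputerName $ExpectedIp -Count 1 -Quiet

    # 3. WinRM listener on the default HTTP port (5985) and a WS-Man identify
    #    round trip; Test-WSMan throws when the service is not reachable.
    $result.WinRmPortOpen = (Test-NetConnection -ComputerName $ExpectedIp -Port 5985 `
                             -WarningAction SilentlyContinue).TcpTestSucceeded
    try {
        $null = Test-WSMan -ComputerName $ExpectedIp -ErrorAction Stop
        $result.WsManIdentify = $true
    } catch {
        $result.WsManIdentify = $false
    }

    # 4. The account must carry the domain: user@domain (or DOMAIN\user).
    $result.UserHasDomain = ($UserName -match '^[^@\\]+@[^@\\]+\.[^@\\]+$') -or
                            ($UserName -match '^[^@\\]+\\[^@\\]+$')

    [pscustomobject]$result
}

# Constructed sample values; replace with your own target, IP and account.
Test-CisCatTargetPrereqs -TargetName 'Windows10-4' -ExpectedIp '192.168.2.20' `
                         -UserName 'admin@51sec.local' | Format-List
```

Any property that comes back False points at the setting to edit in the target definition before retrying "Test Connection."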
Let's go to the next step.
Choose our target system. As I mentioned
before, we can add more target
systems here; for example, we can add the domain
controller (DC),
Windows,
HTTP,
etc.
Since it's a Windows Server, we
probably
need to change
the benchmarks, so I just choose the
automated
sub-controls only
and save it.
Now, we have two systems.
So, you can choose one, or you can choose
multiple of them using the controls. You
can choose two of them together to scan.
I want to make sure we can get to the DC
as well. Let's test the connection.
So, the connection has been
tested successfully.
It's established.
So, let's
choose both
and go to the next step.
We need a benchmark for our Windows 10.
I believe we can choose this one. Choose,
add,
and save.
So, now it shows one. We need
at least one benchmark for
each system.
Click "Next."
Again, HTML has been selected for us.
For the report
folder, we keep the default.
Then, we start the
assessment.
This may take
two or three minutes to get the report.
Since it's remote, it's slower
than doing a local scan.
The process is the same.
It creates a connection
and then goes through
all the controls it needs to
validate using scripts,
validates all the settings,
and then comes back with the report.
Well, after probably five or
six minutes,
the report
has been generated.
We finished our scanning.
So, you will be able to see both reports.
Let's take a quick look here.
This one is for Windows 10.
You can also check the
domain controller,
51secdc1.
So, now we have finished our remote scanning.
Basically, that's how you can use
this free tool
to validate your security configuration
on your target system.
You don't have to pay
anything if you are only using those basic
profiles
for your systems: Windows 10, the
server, Ubuntu, and Google Chrome.
If you have more or other systems that need to be
validated, then you have to
get the license for the Pro version.
That will be in different videos.
That's all for this video. This is how you can
use the free tool,
CIS-CAT Lite,
to check your security settings on your
target.
I hope you enjoyed it.
If you find anything useful in this
video, give me a thumbs up.
Also, please subscribe to my channel if you
haven't.
Thank you for watching.