Hello, YouTubers. Welcome back to my NetSec YouTube channel. This is Johnny, a network and security guy. When I'm wearing my security hat, one of the popular questions I get asked is about the security of a system: how do I ensure this system has been configured securely? Usually, my answer is quite simple: let's run a CIS-CAT scan. What is CIS-CAT? It is just a tool created by the Center for Internet Security: the Configuration Assessment Tool. It compares the target's configuration settings with the recommended configuration settings. They have hundreds of CIS benchmarks for different systems. After the comparison, it gives you a report that shows a score for how securely your system is configured, and also gives you recommendations for how to remediate the security holes you might have. This tool makes the scanning, validation, and reporting much easier and simpler for users who need to find the best security configuration for their system. It is a very helpful and useful tool. There are two versions: CIS-CAT Pro and CIS-CAT Lite. In this video, I'm going to present how you can download CIS-CAT Lite, how you can run it, and how you can scan your target. Now let's jump into my lab, and we can start. Let's start it!

1. Lab Topology

Now, let's take a look at my lab topology. For this lab, I have three machines. One is Windows 2016, from which we are going to launch CIS-CAT Lite to do the scanning of Windows 10 and the 51sec.local DC. All those machines are in the domain. If you are using workgroups, the operations are similar. Again, this is a very simple network. They're all running in the same network, 192.168.2. If you have a firewall between your CIS-CAT Lite server and your destinations, you may need to open your firewalls, but that will be a different topic.

2. Download

Now, let's download the CIS-CAT Lite version. It's a free CAT tool to scan your destination.
You can directly search for "CIS-CAT Lite" using Google. The first link will come up, and it will be this page. For this form, you don't need to provide your credit card. You provide your minimum personal information: name, organization, role, email, sector, country, how many employees, and how you heard about them. Then, click the "Get CIS-CAT" button. In a couple of minutes, you should get an email like this: CIS Center for Internet Security, CIS-CAT version 4, and the download link here. Click the link, and the download should start immediately. It is about 148 megabytes. Depending on your internet speed, in one or two minutes you should have it. So that's how you can get it. You may also get this email to show you how to get started with CIS-CAT Lite. That will help you start using this tool. You can also register for the webmail to get more information.

3. Run CIS-CAT Lite

After you download the software, you will see this zip file: CIS-CAT Lite version 4.21.0. To run it, you don't need to install it. The only thing you need to do is "Extract All." I'm running CIS-CAT Lite in my virtual machine. I'm giving it 8 gigabytes of RAM and 4 virtual CPUs. It depends on how many systems you need to scan. Usually, even 4 gigabytes of RAM and 2 virtual CPUs are more than enough. Once you unzip it, you will get access to this folder, and you will find the "accessor-ui.exe" file. Running it is very simple. Just right-click this "accessor-ui.exe" file and choose "Run as administrator." You will see it shows "CIS-CAT Pro Assessor" in the window title. If you are thinking, "Oh, maybe I downloaded the wrong one," no: the window title shows "CIS-CAT Pro Assessor," but eventually you will get the CIS-CAT Lite version, since it's a restricted version of the Pro. You will see "CIS-CAT Lite" here. It uses the same web GUI as the Pro version. The only difference is that this is a restricted version.
It's a Lite version, and you will also see that they want you to look at the documentation, which is the Pro documentation. You won't find much information about the Lite version, but you will see everything for the Pro.

4. Assess Local System

Once you launch the web GUI, scanning a system is going to be very simple, either local or remote. The Lite version has no limitation on how many targets you can scan, so you can scan local and remote systems. Let's start with the local system first. The local system is Windows 2016, as I mentioned before. So we are going to use the Windows Server CIS Controls Assessment Module: Implementation Group 1, which is the minimum requirement for the server. And we're going to choose this one, with automated checks and the survey questions. So, you will get a lot of survey questions to answer interactively. One thing where the Lite version is different from the Pro version: you only have limited benchmarks. The Pro version provides hundreds of benchmarks for you to use, but here the benchmarks are limited to a couple: Windows 10, Ubuntu, Google Chrome, and the minimum requirement for Windows Server. After you choose the benchmark and the profile (basically, I would think of the profile as a baseline), you can add it. So, once you choose "Add," it will give you a text box that asks you questions. You can just click "OK." There are about 29 questions in this survey. For me, since I'm just quickly demonstrating the process, I will click "Yes" for all questions. Once all questions have been answered, the selected profile and benchmark will be in this "Selected" section. After that, we can choose "Next." Here are the report output options. Since we are using the Lite version, we only have HTML. It's already selected for us. If you're using the Pro, you can use CSV, text, XML, and JSON. And we can pick the destination; you can leave it as the default.
You can also save the configuration file for future use, so you don't have to do all the selection again. Click "Next." It will ask you for confirmation to start the assessment. The assessment usually takes two minutes to finish. Alright, we got a report. Then, you can choose "View HTML," and that will show you a really nice report in your browser. For my machine, the automated checks failed 11 items, and we have 4 passed. For the user survey questions, we got 29 questions; since we selected "Yes" for all of them, we passed 100%. Total 77% pass. You should be able to see all the check details. For each failed item, you will see remediation recommendations here. That should help you remediate the failed items.

So, this is the local scanning. We're also able to do remote system scanning. As mentioned before, I have Windows 10 set up as my target, which is also joined to the local domain. I'm going to use the CIS-CAT Lite Windows 2016 server to scan this Windows 10, and we can also do the domain controller scan as well. So, we can do both. You need to choose "Advanced" for a remote or target system. I'm going to use Windows 10 here. One thing you may want to make sure of is that you can ping your remote server. That's our destination, the Windows 10 server. We can check the name: Windows 10-4. Once you confirm that, you can type your system name there and choose your system type (Windows). In the future, we can also do Ubuntu scanning, but that will be in a different video. One thing you need to remember: the WinRM (Windows Remote Management) service has to be up and running. By default, it should be up and running already. If not, then you need to go back to the CIS-CAT Pro documentation to see how to enable WinRM and how to use Group Policy to enable it on your Windows 10 destination. Username: I'm going to use a domain admin account. IP address.
For the username, you actually need to specify the domain here as well, using the required format, which is username plus 51sec.local. Just make sure your domain name is correct, the username is correct, and the password is correct. No temporary password is needed. Now, after you enter the destination information, you need to pick the benchmark. So, we are going to use the Windows 10 Enterprise benchmark. We can choose Next Generation Windows Security. There are a couple of other options you can choose, but we choose Level 2. After you have selected all those options, you can save it, and it will add it into your target systems here. Before you go to the next step, you want to make sure you have a connection to the target. If you see any errors here, you may want to go back and check your settings. As you can see here, I do see an error that occurred while creating a session. So, we need to fix that information before we can continue. You choose your target system and choose "Edit" to verify those configurations one by one. We noticed I put the wrong IP here. Save. Let me test the connection again. Now, the error is gone, and the connection is established. Let's go to the next step. Choose our target system. As I mentioned before, we can add more target systems here; for example, we can add the domain controller (DC), Windows, HTTP, etc. Since it's a Windows Server, we probably need to change the benchmark, so I just choose the automated sub-controls only and save it. Now, we have two systems. You need to choose one, or you can choose multiple of them using the controls. You can choose both of them together to scan. I want to make sure we can get to the DC as well. Let's test the connection. So, the connection has been tested successfully. It's established. Let's choose both and go to the next step. We need a benchmark for our Windows 10. I believe we can choose this one. Choose, add, and save. So, now it shows one. We need at least one benchmark for each system. Click "Next."
Again, HTML has been selected for us. For the report folder, we keep the default. Then, we start the assessment. This may take two or three minutes to complete. Since it's remote, it's slower than doing a local scan. The process is the same. It creates a connection and then goes through all the controls it needs to validate using scripts, validates all the settings, and then comes back with the report. Well, after probably five or six minutes, the report has been generated. We finished our scanning. So, you will be able to see both reports. Let's take a quick look here. This one is for Windows 10. You can also check the domain controller, 51secdc1. So, now we have finished our remote scanning.

Basically, that's how you can use this free tool to validate the security configuration on your target system. You don't have to pay anything if you are only using those basic profiles for your systems: Windows 10, Windows Server, Ubuntu, and Google Chrome. If you have other systems that need to be validated, then you have to get the license for the Pro version. That will be in different videos. That's all for this video. This is how you can use the free tool, CIS-CAT Lite, to check the security settings on your target. I hope you enjoyed it. If you find anything useful in this video, give me a thumbs up. Also, please subscribe to my channel if you haven't. Thank you for watching.
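The video checks two things before a remote assessment will work: that the scanning host can reach the target, and that WinRM is up on the target. The script below is an added example, not from the video or from CIS, that runs those pre-flight checks from the CIS-CAT Lite host for a list of targets so that the "error occurred while creating a session" seen in the demo can be diagnosed before the scan is started. The hostnames in `$targets` are placeholders to replace with your own machines; the cmdlets used (Get-Service, Test-Connection, Test-NetConnection, Test-WSMan) are standard on Windows Server 2016 and Windows 10.

```powershell
# Added example (not part of the video): pre-flight connectivity and WinRM
# checks for CIS-CAT Lite remote assessment targets.
# Placeholder target names; replace with your Windows 10 host and DC.
$targets = @('win10-target.example.local', 'dc1.example.local')

# WinRM must also be running on the scanning host itself.
$localWinRm = Get-Service -Name WinRM
if ($localWinRm.Status -ne 'Running') {
    Write-Warning "Local WinRM service is $($localWinRm.Status); start it with: Start-Service WinRM"
}

foreach ($t in $targets) {
    $result = [ordered]@{ Target = $t; Ping = $false; Port5985 = $false; WSMan = $false }

    # Basic reachability, the same ping check the video does before adding a target.
    $result.Ping = Test-Connection -ComputerName $t -Count 1 -Quiet

    # WinRM listens on TCP 5985 (HTTP) by default; 5986 is the HTTPS listener.
    # A closed port here usually means WinRM is stopped or a firewall is in the way.
    $tnc = Test-NetConnection -ComputerName $t -Port 5985 -WarningAction SilentlyContinue
    $result.Port5985 = $tnc.TcpTestSucceeded

    # Test-WSMan sends an identify request; it succeeds only if the WinRM
    # endpoint answers, which is what CIS-CAT needs to create a session.
    try {
        $null = Test-WSMan -ComputerName $t -ErrorAction Stop
        $result.WSMan = $true
    } catch {
        $result.WSMan = $false
    }

    [pscustomobject]$result
}
```

Run it from an elevated PowerShell prompt on the same server where CIS-CAT Lite is launched; any target with `WSMan` showing `False` will fail the tool's "Test Connection" step until the service or firewall issue is corrected, and the `Ping`/`Port5985` columns narrow down which of the two it is.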