[Keyboard typing]

Hello, YouTubers. Welcome back to my NetSec YouTube channel. This is Johnny, a network and security guy.

When I'm wearing my security hat, one of the popular questions I get asked is about the security of a system: how do I ensure this system has been configured securely? Usually, my answer is quite simple: let's run a CIS-CAT scan.

What is CIS-CAT? It is simply a tool created by the Center for Internet Security: the Configuration Assessment Tool. It compares the target's configuration settings with the recommended CIS configuration settings. They have hundreds of CIS benchmarks for different systems. After the comparison, it gives you a report that shows a score for how securely your system is configured, and also gives you recommendations for how to remediate the security holes you might have. This tool makes the scanning, validation, and reporting much easier and simpler for users who need to find out the best security configuration for their system.

This is a very helpful and useful tool. There are two versions: CIS-CAT Pro and CIS-CAT Lite. In this video, I'm going to present how you can download CIS-CAT Lite, how you can run it, and how you can scan your target. Now let's jump into my lab and we can start. Let's start!

1. Lab Topology

Now, let's take a look at my lab topology. For this lab, I have three machines. One is Windows 2016, from which we are going to launch CIS-CAT Lite to do the scanning of Windows 10 and the 51sec.local DC. All those machines are in the domain. If you are using workgroups, the operations are similar. Again, this is a very simple network. They're all running in the same network, 192.168.2. If you have a firewall between your CIS-CAT Lite server and your destinations, you may need to open your firewalls, but that will be a different topic.

2. Download

Now, let's download the CIS-CAT Lite version. It's a free CAT tool to scan your destination. You can directly search Google for "CIS-CAT Lite." The first link that comes up will be this page. For this form, you don't need to provide your credit card. You provide minimal personal information: name, organization, role, email, sector, country, how many employees, and how you heard about them. Then click the "Get CIS-CAT" button.

In a couple of minutes, you should get an email like this: CIS Center for Internet Security, CIS-CAT version 4, and the download link here. Click the link, and the download should start immediately. It is about 148 megabytes. Depending on your internet speed, in one or two minutes you should be able to get it. So that's how you can get it.

You may also get this email as well, showing you how to get started with CIS-CAT Lite. That will help you start using this tool. You also can register for the webinar to get more information.

3. Run CIS-CAT Lite

After you download the software, you will see this zip file: CIS-CAT Lite version 4.21.0. To run it, you don't need to install it. The only thing you need to do is "Extract All." I'm running CIS-CAT Lite in my virtual machine. I'm giving it 8 gigabytes of RAM and 4 virtual CPUs. It depends on how many systems you need to scan. Usually, even 4 gigabytes of RAM and 2 virtual CPUs are more than enough.

Once you unzip it, you will get access to this folder, and you will find the "Assessor-GUI.exe" file. Running it is very simple: just right-click this "Assessor-GUI.exe" file and choose "Run as administrator." You will see it shows "CIS-CAT Pro Assessor" in the window title. You may be thinking, "Oh, maybe I downloaded the wrong one," because the window title shows "CIS-CAT Pro Assessor," but eventually you will get the CIS-CAT Lite version, since it's a restricted version of the Pro. You will see here "CIS-CAT Lite." It uses the same web GUI as the Pro version. The only thing is that this is a restricted version. It's a Lite version, and you will also see they want you to look at the documentation, which is the Pro documentation. You won't find much information about the Lite, but you will see everything for the Pro.

4. Assess Local System

Once you launch the web GUI, scanning the system is going to be very simple, either local or remote. The Lite version has no limitation on how many targets you can scan, so you can scan local and remote systems. Let's start from this local system first.

The local system is Windows 2016, as I mentioned before. So we are going to use the Windows Server CIS Controls Assessment Module: Implementation Group 1, which is the minimum requirement for the server. And we're going to choose this one, automated checks and the survey questions. So, you will get a lot of survey questions with interactive answers.

One thing: the Lite version is different from the Pro version in that you only have limited benchmarks. The Pro version provides hundreds of benchmarks for you to use, but here the benchmarks are limited to a couple: Windows 10, Ubuntu, Google Chrome, and the minimum requirement for Windows Server.

After you choose the benchmark and the profile (basically, I always think of the profile as a baseline), you can add it. So, once you choose "Add," it will give you a text box asking you questions. You can just click "OK." There are about 29 questions for this survey. So, for me, since I'm just quickly demonstrating the process, I will click "Yes" for all questions. Once all questions have been answered, the selected profile and benchmark will be in this selected section.

After that, we can choose "Next." Here are the report output options. Since we are using the Lite version, we only have HTML; it's already selected for us. If you're using the Pro, you can use CSV, text, XML, and JSON. And we can pick the destination; you can leave it as default. You also can save the configuration file for future use, so you don't have to do all the selection again. Click "Next." It will ask you for confirmation to start the assessment. The assessment usually takes two minutes to get done.

Alright, we got a report. Then, you can choose "View HTML," and that will show you a really nice report in your browser. For my machine, the automated checks failed 11 items, and we have 4 passed. For the user survey questions, we got 29 questions; since we selected "Yes" for all of them, we passed 100%. Total: 77% pass. You should be able to see all the check details. For each failed item, you will see remediation recommendations here. That should help you remedy the failed items. So, this is the local scanning.

We're also able to do remote system scanning. As mentioned before, I have Windows 10 set up as my target, which is also joined to the local domain. I'm going to use the CIS-CAT Lite Windows 2016 server to scan this Windows 10, and we also can do the domain controller scan as well. So, we can do both.

So, you need to choose "Advanced" for a remote target system. I'm going to use Windows 10 here. And one thing you may want to make sure of is that you can ping your remote server. That's our destination, the Windows 10 server. We can check the name: Windows 10-4. So, once you confirm that, you can type your system name there and choose your system type (Windows). In the future, we also can do Ubuntu scanning, but that will be in a different video.

One thing you need to remember: the WinRM (Windows Remote Management) service has to be up and running. By default, it should be up and running already. If not, then you need to go back to the CIS-CAT Pro documentation to see how to enable WinRM and how to use Group Policy to enable it on your Windows 10 destination.

Username: I'm going to use a domain admin account. IP address. For the username, actually, you need to specify the domain here as well, using the required format, which is username plus 51sec.local. Just make sure your domain name is correct, the username is correct, and the password is correct. No temporary password is needed.

Now, after you enter the destination information, you need to pick the benchmark. So, we are going to use the Windows 10 Enterprise benchmark. We can choose Next Generation Windows Security. There are a couple of other options you can choose, but we choose Level 2. After all those options are selected, you can save it, and it will add it into your target systems here.

Before you go to the next step, you want to make sure you have a connection to the target. If you see any errors here, you may want to go back and check your settings. As you can see here, I do see an error: "An error occurred while creating a session." So, we need to fix that information before we can continue. So, you choose your target system and choose "Edit" to verify those configurations one by one. We notice I put the wrong IP here. Save. Let me test the connection again. Now the error is gone, and the connection is established.
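The three pre-flight checks the video walks through by hand (ping the target, confirm WinRM is running, and use the GUI's test-connection before adding the host) can be scripted so that a wrong IP or a blocked WinRM port is caught before the assessment starts. The PowerShell below is an added example and is not the video's or CIS's code. It assumes WinRM over HTTP on TCP 5985, a domain account in the user@domain format the video uses (the account name 'scanner' is assumed), and the hostnames 'win10-4' (assumed; the video only shows the Windows 10 name on screen) and '51secdc1' from the lab. Run Test-WinRmLocal on the target itself; run Test-CisCatTarget on the scanning server.

```powershell
# Added example (not from the video or from CIS): pre-flight checks for CIS-CAT Lite remote targets.
# Assumptions: WinRM over HTTP (TCP 5985); scanning account given as user@domain as in the video;
# 'win10-4' is an assumed hostname for the video's Windows 10 target, '51secdc1' is the lab DC.

# --- Run this on the TARGET to confirm what the video says must be true: WinRM is up and reachable ---
function Test-WinRmLocal {
    $svc      = Get-Service -Name WinRM
    $listener = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    $fwRules  = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
                Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    [pscustomobject]@{
        ServiceStatus  = $svc.Status          # must be Running
        Listeners      = @($listener).Count   # 0 means no WinRM listener is configured
        InboundFwRules = @($fwRules).Count    # 0 means the host firewall will block the scanner
    }
}

# --- Run this on the SCANNER (the Windows 2016 box in the video) before adding targets in the GUI ---
function Test-CisCatTarget {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $r = [ordered]@{ Target = $ComputerName; Resolves = $false; Address = $null
                     Pings = $false; WinRmPort = $false; WsManAuth = $false; Error = $null }

    # 1. Name resolution: a wrong name or IP is exactly the mistake the video hits and fixes with "Edit"
    try {
        $a = Resolve-DnsName -Name $ComputerName -Type A -ErrorAction Stop | Select-Object -First 1
        $r.Resolves = $true
        $r.Address  = $a.IPAddress
    } catch {
        $r.Error = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # 2. Ping, as the video does by hand (ICMP may be filtered, so this is informational only)
    $r.Pings = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # 3. WinRM port reachable through any firewall between scanner and target
    $tnc = Test-NetConnection -ComputerName $ComputerName -Port 5985 -WarningAction SilentlyContinue
    $r.WinRmPort = $tnc.TcpTestSucceeded

    # 4. WS-Management handshake with the scanning account: the same thing the GUI's test-connection does
    if ($r.WinRmPort) {
        try {
            Test-WSMan -ComputerName $ComputerName -Credential $Credential -Authentication Default -ErrorAction Stop | Out-Null
            $r.WsManAuth = $true
        } catch {
            $r.Error = "WSMan: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$r
}

# Usage on the scanner: check every planned target with the account CIS-CAT will use.
$targets = @('win10-4', '51secdc1')   # 'win10-4' is assumed; '51secdc1' is from the video
$cred    = Get-Credential -UserName 'scanner@51sec.local' -Message 'Account CIS-CAT will use'   # account name assumed
$results = foreach ($t in $targets) { Test-CisCatTarget -ComputerName $t -Credential $cred }
$results | Format-Table -AutoSize

$notReady = $results | Where-Object { -not ($_.Resolves -and $_.WinRmPort -and $_.WsManAuth) }
if ($notReady) { Write-Warning "Fix these before adding them in the GUI: $($notReady.Target -join ', ')" }
```

If steps 1 to 3 pass and only step 4 fails, look at the credential and the domain format first rather than the network. CIS-CAT needs an account with administrative rights on the target for a full assessment; a dedicated assessment account with just that membership is a better fit than the domain admin used in the demo, since it limits what a leaked scanning credential can do.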

Let's go to the next step. Choose our target system. As I mentioned before, we can add more target systems here; for example, we can add the domain controller (DC), Windows, HTTP, etc. Since it's a Windows Server, we probably need to change the benchmark, so I just choose the automated sub-controls only and save it. Now, we have two systems. So, you need to choose one, or you can choose multiple of them using the controls. You can choose two of them together to scan. I want to make sure we can get to the DC as well. Let's test the connection. So, the connection has been tested successfully; it's established. So, let's choose both and go to the next step.

We need a benchmark for our Windows 10. I believe we can choose this one. Choose, add, and save. So, now it shows one. We need at least one benchmark for each system. Click "Next." Again, HTML has been selected for us. The report folder we keep at the default. Then, we start the assessment. This may take two or three minutes to get the report. Since it's remote, it's slower than doing a local scan. The process is the same: it creates a connection, then goes through all the controls it needs to validate using scripts, validates all settings, and then comes back with the report.

Well, after probably five or six minutes, the report has been generated. We finished our scanning. So, you will be able to see both reports. Let's take a quick look here. This one is for Windows 10. You also can check the one for the domain controller, 51secdc1. So, now we finished our remote scanning.

Basically, that's how you can use this free tool to validate your security configuration on your target system. You don't have to pay anything if you are only using those basic profiles for your systems: Windows 10, Windows Server, Ubuntu, and Google Chrome. If you have other systems that need to be validated, then you have to get the license for the Pro version. That will be in different videos.

That's all for this video. This is how you can use the free tool, CIS-CAT Lite, to check the security settings on your target. I hope you enjoyed it. If you find anything useful in this video, give me a thumbs up. Also, please subscribe to my channel if you haven't. Thank you for watching.

[Music]