These days, implementing a minimum level of security protections on your organization-owned devices is expected by your customers, suppliers, and employees. Whether you leverage an outsourced IT group (such as an MSP or MSSP) or have an internal team, best practices around endpoint security should be taken seriously.
The challenge is that many organizations don't know where to start, and their MDM/EMM solution (if they have one) only covers a few basic settings, which simply won't cut it.
Luckily, the Center for Internet Security (CIS) is an excellent starting point, and is considered by many to be the 'Gold Standard' of IT security and compliance. They have a global community of cyber security experts, and have published 100+ configuration guidelines for various technology groups to safeguard systems against today's evolving cyber threats.
What is CIS compliance?
CIS outlines a gold standard for how companies all over the globe should secure their macOS devices in their Apple OS Benchmark. Achieving CIS compliance for macOS devices helps organizations to improve their overall cybersecurity posture—helping to prevent costly security breaches.
CIS has worked with the Apple community since 2009 to publish a benchmark for each version of Apple's desktop OS, known as macOS (formerly OS X). Their latest release contains specific configuration recommendations for Apple macOS 10.13 High Sierra, while their Apple macOS 10.14 Mojave benchmark is currently in the works. These are exhaustive documents that cover a wide range of security compliance policies and best practices. Here are a few examples of recommended settings from the latest CIS benchmark for macOS:
- Disable screen sharing
- Disable "wake for network access"
- Ensure NFS server is not running
- Reduce the sudo timeout period
The current release, "CIS Apple macOS 10.13 Benchmark" (195 pages), provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.13. It contains over 100 individual recommendations, categorized as either 'Level 1' profile or 'Level 2' profile. Additionally, recommendations are marked as either 'Scored' or 'Not Scored'. Scoring allows organizations to conduct internal and/or external security compliance audits to assess organization-wide participation. We elaborate briefly on Profile Definitions and Scoring Information below.
Level 1 - Items in this profile intend to:
- Be practical and prudent
- Provide a clear security benefit
- Not inhibit the utility of the technology beyond acceptable means
Level 2 - This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
- Are intended for environments or use cases where security is paramount
- Act as a defense-in-depth measure
- May negatively inhibit the utility or performance of the technology
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
- Scored - Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
- Not Scored - Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
When reviewing the CIS benchmark, each individual recommendation is detailed, listing Profile Applicability (Level 1 or Level 2), Scoring Applicability, Description, Rationale, Audit Instructions, Remediation Instructions, and Impact.
How can your organization meet key CIS benchmarks for compliance?
Using a security configuration tool is a key strategy for achieving Mac compliance for CIS’ Apple OS benchmark. Here are a few examples of ways you can meet CIS benchmarks:
CIS Compliance Assurance: Enforcing Software Updates
One of the custom security settings you can enforce is the implementation of the latest macOS software updates. Keeping Macs up to date with their latest software patches is key for eliminating potential vulnerabilities that attackers may otherwise exploit.
The Apple macOS 10.13 CIS benchmark document specifies these update installation criteria as scored metrics for their CIS compliance checks:
- Verify all Apple-provided software is current
- Enable auto-updates
- Enable app update installs
- Enable system data files and security update installs
- Enable macOS update installs
By configuring Macs to employ these security settings, you can be one step closer to Mac compliance for CIS. Additionally, you can close security gaps by always staying up to date with the latest software patches.
CIS Compliance Assurance: Bluetooth Settings
Bluetooth devices can be incredibly convenient for adding communication headsets or wireless devices to your company’s macOS devices. However, leaving your Macs open to discovery for Bluetooth devices can cause issues such as incorrect device pairings—or worse, someone using it to track the device’s location or exploit it to gain control of data or voice channels.
CIS recommends turning off Bluetooth if no paired devices exist, and turning on the display of Bluetooth device status in the menu bar when it is on. This way, users can see which Bluetooth devices they’re connected to and avoid unwanted connections.
Another recommended security setting, though not one that is required for CIS compliance for macOS devices, is to make the device discoverable for Bluetooth only when the preference pane is open.
CIS Compliance Assurance: Screen Saver Controls
Inactivity controls are crucial for preventing unauthorized use of a computer or mobile device. It’s all too easy for someone to walk over to an unattended Mac that the user forgot to lock and simply start going through confidential files and proprietary information. So, CIS compliance for macOS calls for a security setting where the inactivity window before engaging a screen saver that locks the Mac out from access is less than 20 minutes.
The shorter this interval, the better for both CIS compliance and your Mac’s security. Why use a screen saver instead of just locking the screen? This way, any proprietary information that may have been on display will be covered by the screen saver when the device is not in use.
CIS Compliance Assurance: User Account Login Settings
A significant portion of CIS’ Apple OS Benchmark document is concerned with user accounts and how they’re accessed. Some of the key controls for user accounts that are scored under CIS compliance checks include:
- Displaying the login window with empty name and password fields
- Disabling the “Show Hints” feature for passwords
- Disabling guest account logins
- Disabling the “allow guests to connect to shared folders” setting
- Removing the guest home folder
Having a blank username and password field at the login screen makes it harder for someone to hijack a locked macOS device, since the hijacker will now have to guess both a username and a password, instead of just a password.
Likewise, disabling the password hint feature makes it much harder for an illicit user to guess the password based on their knowledge of the subject. Also, some users may end up putting part (or all) of their actual password in the hint, making it too easy to guess the password.
Guest accounts let someone log into a computer with “basic” access without having to create an account or password. Malicious users can abuse this access to attempt privilege escalation attacks where they steal progressively higher account credentials through phishing attacks leveraging any insider info they may have discovered. Disabling guest accounts, along with eliminating guest folders and access to any shared folders, helps to prevent this scenario.
CIS Compliance Assurance: Disabling the Automatic Run of “Safe Files” in Safari
Safari, the default browser for macOS devices, has a setting that will automatically run or execute what it considers to be “safe” files. However, malicious actors have taken advantage of this setting to perform “drive-by” attacks against computer networks by creating malicious files that match ones in the “safe file” list. So, CIS compliance for Macs demands that this setting be disabled.
These are just a few of the security settings that are needed for CIS compliance on macOS devices.
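Putting the recommendations above into practice usually starts with an audit. The script below is an added example, not code from the original post or from Kandji: it checks the software-update, screen-saver, login-window, guest-access and Safari "safe files" settings discussed above the way the benchmark's Audit steps do, by reading preference keys with `defaults read`, and tallies the results. The preference domains and keys are my recollection of the ones the CIS Apple macOS 10.13 benchmark audits, so treat them as an assumption to verify against your copy of the benchmark; the per-user Safari and screen-saver keys must be read as the user being audited. When `defaults` is not available, or `CIS_AUDIT_SAMPLE=1` is set, every read returns a constructed sample value so the evaluation logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the post or from Kandji): audit a subset of the
# CIS Apple macOS 10.13 recommendations by reading the preference keys the
# benchmark's Audit steps use, then tally passes. The domain/key names are
# an assumption to verify against the benchmark text.
# On a host without `defaults`, or with CIS_AUDIT_SAMPLE=1, read_pref returns
# the CONSTRUCTED fallback value given as its last argument.

read_pref() {  # read_pref [-currentHost] <domain> <key> <constructed fallback>
  host=""
  if [ "$1" = "-currentHost" ]; then host="-currentHost"; shift; fi
  if [ "${CIS_AUDIT_SAMPLE:-0}" != "1" ] && command -v defaults >/dev/null 2>&1; then
    # $host is deliberately unquoted: it is either empty or a single flag
    v=$(defaults $host read "$1" "$2" 2>/dev/null) || v="unset"
  else
    v="$3"   # constructed sample value standing in for a real reading
  fi
  printf '%s\n' "$v"
}

# Boolean recommendation: the key must hold exactly the expected value
# (1 = enabled, 0 = disabled). An unset key is a FAIL, not a pass by default.
check_bool() {  # check_bool <actual> <expected>
  if [ "$1" = "$2" ]; then echo PASS; else echo FAIL; fi
}

# Screen saver: idleTime is in seconds. The screen saver must engage within
# 20 minutes (1200 s); 0 means "never", so it fails, as does a non-number.
check_idle() {  # check_idle <seconds>
  case "$1" in
    ''|*[!0-9]*) echo FAIL; return ;;   # unset or not a number
  esac
  if [ "$1" -gt 0 ] && [ "$1" -le 1200 ]; then echo PASS; else echo FAIL; fi
}

PASS_COUNT=0
TOTAL_COUNT=0
tally() {  # tally <PASS|FAIL> <description>
  TOTAL_COUNT=$((TOTAL_COUNT + 1))
  if [ "$1" = PASS ]; then PASS_COUNT=$((PASS_COUNT + 1)); fi
  printf '%-4s %s\n' "$1" "$2"
}

# Runs every check and prints a summary; returns non-zero if anything failed.
# The constructed fallbacks make two items (CriticalUpdateInstall and the
# screen-saver idle time) show as drift so the FAIL path is exercised.
audit() {
  PASS_COUNT=0; TOTAL_COUNT=0
  su=/Library/Preferences/com.apple.SoftwareUpdate
  co=/Library/Preferences/com.apple.commerce
  lw=/Library/Preferences/com.apple.loginwindow
  smb=/Library/Preferences/SystemConfiguration/com.apple.smb.server
  tally "$(check_bool "$(read_pref "$su" AutomaticCheckEnabled 1)" 1)" "Enable auto-updates"
  tally "$(check_bool "$(read_pref "$co" AutoUpdate 1)" 1)" "Enable app update installs"
  tally "$(check_bool "$(read_pref "$su" ConfigDataInstall 1)" 1)" "Enable system data file installs"
  tally "$(check_bool "$(read_pref "$su" CriticalUpdateInstall 0)" 1)" "Enable security update installs"
  tally "$(check_bool "$(read_pref "$co" AutoUpdateRestartRequired 1)" 1)" "Enable macOS update installs"
  tally "$(check_idle "$(read_pref -currentHost com.apple.screensaver idleTime 1800)")" "Screen saver engages within 20 minutes"
  tally "$(check_bool "$(read_pref "$lw" SHOWFULLNAME 1)" 1)" "Login window shows empty name and password fields"
  tally "$(check_bool "$(read_pref "$lw" RetriesUntilHint 0)" 0)" "Password hints disabled"
  tally "$(check_bool "$(read_pref "$lw" GuestEnabled 0)" 0)" "Guest account disabled"
  tally "$(check_bool "$(read_pref "$smb" AllowGuestAccess 0)" 0)" "Guests cannot connect to shared folders"
  tally "$(check_bool "$(read_pref com.apple.Safari AutoOpenSafeDownloads 0)" 0)" "Safari does not auto-open \"safe\" files"
  printf 'Checks passed: %d/%d\n' "$PASS_COUNT" "$TOTAL_COUNT"
  [ "$PASS_COUNT" -eq "$TOTAL_COUNT" ]
}

# When run directly, AUDIT_STATUS is 0 only if every check passed.
AUDIT_STATUS=0
audit || AUDIT_STATUS=$?
```

Run it as root for the system-level keys (and as the logged-in user for the Safari and screen-saver keys) on a Mac to get real readings; the exit status of `audit` is what an MDM or scheduled script would act on. Note that `check_bool` treats a missing key as a failure on purpose: several of these settings are only compliant when the key is explicitly present with the expected value, and a fresh install can leave them unset.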
As you can tell, although CIS has done an excellent job at organizing and publishing recommendations, most organizations don't have the resources or know-how to execute. As previously mentioned, the current benchmark is 195 pages. Furthermore, each new OS requires updates, which itself can be very time consuming. This is why we built Kandji.
Before Kandji, organizations had three options to comply with CIS:
- Manually apply each recommended setting to each Mac, and hope they stayed that way
- Manually write, deploy, and maintain code (scripts) for each recommended setting
- Risk not being secure or compliant, and hope nothing bad happens
With Kandji, you can say goodbye to coding to comply with CIS. Simply click the toggle next to the parameters you wish to enable and you’re done. Soon, Kandji will make this even easier, by presenting a single toggle allowing you to enable the entire CIS benchmark with just a click. Welcome to one-click security compliance.