March 19, 2019

CIS Compliance Tools for macOS — What You Need to Know

The Center for Internet Security (CIS) outlines, in its Apple OS Benchmark, a gold standard for how companies all over the globe should secure their macOS devices. Achieving CIS compliance for macOS devices helps organizations improve their overall cybersecurity posture and prevent costly security breaches.

What is CIS compliance? What does it entail? And, how can your organization meet key CIS benchmarks for compliance?

Using a security configuration tool is a key strategy for achieving Mac compliance for CIS’ Apple OS benchmark. Here are a few ways you can meet CIS benchmarks:

CIS Compliance Assurance: Enforcing Software Updates

One of the security settings you can enforce is installation of the latest macOS software updates. Keeping Macs current with their latest patches is key to eliminating vulnerabilities that attackers may otherwise exploit.

The Apple macOS 10.13 CIS benchmark document lists these update installation criteria as scored items in its compliance checks:

  • Verify all Apple-provided software is current.
  • Enable auto-updates.
  • Enable app update installs.
  • Enable system data files and security update installs.
  • Enable macOS update installs.

By configuring Macs to employ these security settings, you can be one step closer to Mac compliance for CIS. Additionally, you can close security gaps by always staying up to date with the latest software patches.

CIS Compliance Assurance: Bluetooth Settings

Bluetooth devices can be incredibly convenient for adding communication headsets or wireless devices to your company’s macOS devices. However, leaving your Macs open to discovery for Bluetooth devices can cause issues such as incorrect device pairings—or worse, someone using it to track the device’s location or exploit it to gain control of data or voice channels.

CIS recommends turning off Bluetooth if no paired devices exist, and turning on the display of Bluetooth device status in the menu bar when it is on. This way, users can see which Bluetooth devices they’re connected to and avoid unwanted connections.

Another recommended security setting, though not one that is required for CIS compliance for macOS devices, is to make the device discoverable for Bluetooth only when the preference pane is open.

CIS Compliance Assurance: Screen Saver Controls

Inactivity controls are crucial for preventing unauthorized use of a computer or mobile device. It’s all too easy for someone to walk over to an unattended Mac that the user forgot to lock and simply start going through confidential files and proprietary information. So CIS compliance for macOS calls for the inactivity interval before a screen saver engages and locks the Mac to be less than 20 minutes.

The shorter this interval, the better for both CIS compliance and your Mac’s security. Why use a screen saver instead of just locking the screen? This way, any proprietary information that may have been on display will be covered by the screen saver when the device is not in use.

CIS Compliance Assurance: User Account Login Settings

A significant portion of CIS’ Apple OS Benchmark document is concerned with user accounts and how they’re accessed. Some of the key controls for user accounts that are scored under CIS compliance checks include:

  • Displaying the login window with empty name and password fields.
  • Disabling the “Show Hints” feature for passwords.
  • Disabling guest account logins.
  • Disabling the “allow guests to connect to shared folders” setting.
  • Removing the guest home folder.

Having a blank username and password field at the login screen makes it harder for someone to hijack a locked macOS device, since the hijacker will now have to guess both a username and a password, instead of just a password.

Likewise, disabling the password hint feature makes it much harder for an illicit user to guess the password based on what they know about the account’s owner. Also, some users end up putting part (or all) of their actual password in the hint, making it far too easy to guess.

Guest accounts let someone log into a computer with “basic” access without having to create an account or password. A malicious user can abuse that access as a foothold for privilege escalation, using any insider information found on the machine to phish for the credentials of progressively more privileged accounts. Disabling guest accounts, along with eliminating guest folders and guest access to any shared folders, helps to prevent this scenario.

CIS Compliance Assurance: Disabling the Automatic Run of “Safe Files” in Safari

Safari, the default browser for macOS devices, has a setting that will automatically run or execute what it considers to be “safe” files. However, malicious actors have taken advantage of this setting to perform “drive-by” attacks against computer networks by creating malicious files that match ones in the “safe file” list. So, CIS compliance for Macs demands that this setting be disabled.
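As an added example (not code from the Kandji post or from CIS), the following shell script scores a capture of macOS preference values against the settings discussed in the sections above: software updates, screen saver, login window and guest access, and Safari’s safe-file setting. It assumes the preference domains and keys that the CIS macOS 10.13 benchmark audit commands read; the Bluetooth items and the guest home folder check are left out because they are not simple key/value comparisons.

```shell
# Added audit helper (not Kandji's or CIS's tooling): scores a capture of macOS preference
# values against the settings this post lists. Domains and keys are those the CIS macOS 10.13
# benchmark audit commands read; verify them against the benchmark for your OS version.

# One check per line: "domain key op expected" (op: eq = must equal, le = numeric <=).
CIS_CHECKS='/Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled eq 1
/Library/Preferences/com.apple.commerce AutoUpdate eq 1
/Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall eq 1
/Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall eq 1
/Library/Preferences/com.apple.commerce AutoUpdateRestartRequired eq 1
com.apple.screensaver idleTime le 1200
com.apple.screensaver askForPassword eq 1
/Library/Preferences/com.apple.loginwindow SHOWFULLNAME eq 1
/Library/Preferences/com.apple.loginwindow RetriesUntilHint eq 0
/Library/Preferences/com.apple.loginwindow GuestEnabled eq 0
/Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess eq 0
com.apple.Safari AutoOpenSafeDownloads eq 0'

# Look up one key in a capture of "domain key value" lines; prints "unset" if it is absent.
pref_value() {
  printf '%s\n' "$1" | awk -v d="$2" -v k="$3" \
    '$1 == d && $2 == k { print $3; found = 1 } END { if (!found) print "unset" }'
}

# Audit a capture: prints one PASS/FAIL line per check and returns the number of failures.
cis_audit() {
  local capture="$1" failures=0 domain key op expected actual ok
  while read -r domain key op expected; do
    actual=$(pref_value "$capture" "$domain" "$key")
    ok=0
    case "$op" in
      eq) [ "$actual" = "$expected" ] && ok=1 ;;
      le) case "$actual" in *[!0-9]*) ;; *) [ "$actual" -le "$expected" ] && ok=1 ;; esac ;;
    esac
    if [ "$ok" -eq 1 ]; then echo "PASS $domain $key=$actual"; continue; fi
    echo "FAIL $domain $key=$actual (want $op $expected)"; failures=$((failures + 1))
  done <<EOF
$CIS_CHECKS
EOF
  return "$failures"
}

# Constructed sample capture (what `defaults read <domain> <key>` would print on a Mac):
# three compliant keys, a 30-minute idle interval, Safari at its default, the rest never set.
SAMPLE_CAPTURE='/Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 1
/Library/Preferences/com.apple.commerce AutoUpdate 1
com.apple.screensaver idleTime 1800
/Library/Preferences/com.apple.loginwindow GuestEnabled 0
com.apple.Safari AutoOpenSafeDownloads 1'
cis_audit "$SAMPLE_CAPTURE" || echo "$? of the checks failed"
```

On a Mac, build the capture by running `defaults read` for each domain and key in CIS_CHECKS (the screen saver and Safari keys are per-user and are read with `defaults -currentHost read`), then pass the collected lines to cis_audit.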

These are just a few of the security settings that are needed for CIS compliance on macOS devices.
