4.5
IG1 IG2 IG3

Implement and Manage a Firewall on End-User Devices

Asset Type: Devices
Security Function: Protect

Description

Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Review and document current firewall rule sets
7. Define required firewall rules based on business needs
8. Implement and test firewall rules
9. Schedule periodic rule review and cleanup
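One way to turn the default-deny requirement in the description and the rule-review steps of the checklist into a repeatable check, as an added example that is not part of CIS material: a small audit script that reads a host-firewall export and reports every deviation from "block inbound by default, allow only explicitly scoped services". The two sample exports below are constructed; their layout is an assumption of this example, shaped like the output of `netsh advfirewall show allprofiles` and `netsh advfirewall firewall show rule name=all` on Windows endpoints, and the set of ports treated as lateral-movement services (RDP, SMB, WinRM, matching the threat scenario on this page) is the example's own choice.

```python
import re

# Constructed sample exports (assumed layout; check against a real export).
SAMPLE_PROFILES = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
"""

SAMPLE_RULES = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            Endpoint Agent (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
RemoteIP:                             10.0.5.0/24
Protocol:                             TCP
LocalPort:                            4443
Action:                               Allow
"""

# Services whose network-wide exposure is the scenario described on the page
# (RDP, SMB, WinRM); this set is the example's choice, not a CIS list.
LATERAL_MOVEMENT_PORTS = {"3389", "445", "5985", "5986"}


def parse_profiles(text):
    """Return [{name, enabled, inbound}] for each profile in the export."""
    profiles, current = [], None
    for line in text.splitlines():
        header = re.match(r"^(\w+) Profile Settings:", line)
        if header:
            current = {"name": header.group(1), "enabled": False, "inbound": "unknown"}
            profiles.append(current)
            continue
        if current is None:
            continue
        state = re.match(r"^State\s+(\w+)", line)
        if state:
            current["enabled"] = state.group(1).upper() == "ON"
        policy = re.match(r"^Firewall Policy\s+(\w+),(\w+)", line)
        if policy:
            current["inbound"] = policy.group(1)  # e.g. BlockInbound
    return profiles


def parse_rules(text):
    """Split the rule export into one dict of 'Key: value' fields per rule."""
    rules = []
    for block in re.split(r"\n(?=Rule Name:)", text.strip()):
        fields = {}
        for line in block.splitlines():
            kv = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
            if kv:
                fields[kv.group(1).strip()] = kv.group(2).strip()
        if "Rule Name" in fields:
            rules.append(fields)
    return rules


def audit_export(profiles_text, rules_text):
    """One finding per deviation from default-deny inbound with scoped allows."""
    findings = []
    for p in parse_profiles(profiles_text):
        if not p["enabled"]:
            findings.append(f"{p['name']}: firewall is OFF")
        if p["inbound"] != "BlockInbound":
            findings.append(f"{p['name']}: inbound default is {p['inbound']}, expected BlockInbound")
    for r in parse_rules(rules_text):
        # Only enabled inbound allow rules can widen the attack surface.
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        port = r.get("LocalPort", "Any")
        if r.get("RemoteIP") == "Any" and port in LATERAL_MOVEMENT_PORTS:
            findings.append(f"rule '{r['Rule Name']}': allows inbound {r.get('Protocol')}/{port} "
                            f"from Any on {r.get('Profiles')}")
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_PROFILES, SAMPLE_RULES):
        print(finding)
```

Run against the constructed samples, the script reports the Public profile as disabled and defaulting to AllowInbound, and flags the RDP rule because it admits any remote address on every profile, while the agent rule scoped to a management subnet passes. The findings list doubles as the quarterly "rule set export and review" evidence the page asks for, which is why results are returned rather than only printed.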

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Direct Endpoint Exploitation from Network

Confidentiality

Attackers exploit services running on end-user devices (RDP, SMB, WinRM) that are accessible because no host-based firewall blocks inbound connections from unauthorized sources.

Peer-to-Peer Malware Spread Between Workstations

Availability

Malware on one workstation spreads directly to other workstations via network shares and services because no endpoint firewall restricts workstation-to-workstation traffic.

Vulnerabilities (When Safeguard Absent)

No Default-Deny Firewall on End-User Devices

Without a host-based firewall with a default-deny inbound rule, end-user devices accept connections on all ports, exposing every running service to the network.

Unrestricted Outbound Communication from Endpoints

Without firewall port filtering on endpoints, malware can establish outbound connections to command-and-control servers on any port or protocol.

Evidence Requirements

Type        Evidence Item                                                                Collection Frequency
Technical   Configuration screenshots or exports showing protection controls enabled     Captured quarterly
Document    Procedure documentation for protection measures                              Reviewed annually
Technical   Firewall rule set export and review documentation                            Reviewed quarterly
Record      Firewall change request and approval records                                 Per change
Document    Governing policy document (current, approved, communicated)                  Reviewed annually