CIS 18 Critical Security Controls®

How to Achieve CIS® Compliance with Lansweeper

Complete Visibility

Discover assets you don’t even know about and eliminate blind spots.

Risk Mitigation

Anticipate potential cyber security attacks with audit preventive measures.

Threat Detection

Get an instant cybersecurity audit across your entire network through valuable reports.

What Are the 18 CIS Critical Security Controls®?

When companies struggle with what to do and how to demonstrate their Cyber Security efforts, many turn to ISO27001 & ISO27002. These frameworks are excellent for showing compliance but not well-suited for prioritizing, measuring and implementing practical IT-security initiatives. To that end, you need a consensus-based framework, such as the CIS 18 critical security controls®, which includes detailed practical and prioritized advice on how to implement cyber security. The CIS® controls include detailed instructions on what to do, how to measure, how to prioritize and how to audit your cybersecurity posture.

An IT Asset Inventory Database for CIS® Compliance

A well-maintained asset inventory is key in building a more comprehensive security program based on the CIS Critical Security Controls. As the controls are most effective when implemented in order, we have listed them below in order as well. The first two controls call for an Inventory of Hardware Software Assets and rely heavily on the IT asset inventory. This is where the benefits of Lansweeper, being at its core an ITAM solution, are the most obvious. However, Lansweeper can be used to support many of the other controls as well.


Inventory & Control of Enterprise Assets

Lansweeper continuously detects hardware assets on your network and reports on changes, as well as newly discovered devices. Create an inventory of workstations, servers, network devices, non-computing/IoT devices, mobile devices, cloud assets, and OT Devices. The first CIS control guides you to implement a process of regularly, automatically discovering these assets and their details, then authorizing or removing unauthorized devices. Use Lansweeper’s many scanning methods like Active Directory scanning and the passive scanning of Asset Radar to get a complete inventory of any device connected to the network.


Inventory & Control of Software Assets

Lansweeper automatically discovers the software along with its version number, publisher, and install date on all your hardware assets. You must implement a process for removing unwanted software from your network thereby leaving only authorized software on authorized devices. Lansweeper's out-of-the-box reports help to identify and mark software as “Allowed,” “Denied” or “Neutral”. Utilize the detailed software information to ensure only supported software is used in your IT environment.


Data Protection

For the Data Protection control, all data on end-user devices must be encrypted. Lansweeper scans detailed information for both AD users and AD computers, including the BitLocker recovery key. BitLocker encrypts disk volumes to protect the data on them from being accessed in an offline mode. To access the drive again, the BitLocker recovery key is required. Thanks to the pre-made BitLocker Recovery Keys Audit report, you have a list of all AD computers with their BitLocker recovery keys at your disposal when you need them.


Secure Configuration of Enterprise Assets & Software

The CIS Benchmarks help you implement secure software and hardware configurations. A substantial number of recommendations such as Processes, Services, Shares, Registry settings, System settings, users, user groups, and BitLocker status can be checked and reported on within Lansweeper. This lets you check for any outdated software, unnecessary services, misconfigured DNS settings, settings for automatic session locking, unauthorized administrators, and much more. Since Lansweeper scans all Windows services, that includes your firewalls. Through event log scanning and alerts, Lansweeper can instantly inform you whenever any Firewall settings have been changed.


Account Management

The core of the account management control is to establish and maintain an inventory of accounts. Using Active Directory, O365, Exchange, and local account scanning, Lansweeper provides a full inventory of all accounts, their groups, permissions, licenses, and all other AD details. Using Lansweeper’s built-in reports, you can easily find disabled AD accounts lingering around or accounts using simple O365 passwords. To maintain “the principle of least privilege”, Lansweeper tells you which users have local administrative rights on an asset-by-asset basis by showing all unauthorized administrators and controls who can manage your assets. Lansweeper itself also allows users to log in using SSO or, in Lansweeper Cloud, MFA.


Access Control Management

CIS Control #6 calls for the implementation of SSO, MFA, and a role-based access control structure, in order to maintain the Principle of Least Privilege. Lansweeper allows you to sign in using SSO, so it can be centralized along with access credentials to any other enterprise assets and software you have. In Lansweeper Cloud it is possible to set up MFA, either by itself by using the built-in MFA configuration, or in combination with SSO. In that case, you can use the MFA options made available by your identity provider. Once logged in, the actions a user can take are defined by the role they have been assigned. Each role defined in the web console has its own set of access rights and permissions. In Lansweeper Cloud you can also define asset scopes, allowing you to configure precisely which assets a user can access.


Continuous Vulnerability Management

Where software versions can be identified, Lansweeper's Security Insights and vulnerability reports verify whether the software has been updated with important security patches. The Security Insights in the Lansweeper Cloud console provides you with an overview of all known vulnerabilities, drawn from the NIST Vulnerability Database, that could pose a threat to your network. Besides that, Lansweeper continuously publishes audit reports to address trending vulnerability issues such as PrintNightmare and PetitPotam, so you can easily assess whether a particular software-related vulnerability has been addressed. You can list the results in an audit report or dashboard, or set up email alerts to review the report output straight from your inbox. Thanks to the Asset Lifecycle Information in LS Cloud, you can also keep track of any assets that have gone end-of-life and need to be retired or replaced.


Audit Log Management

The wealth of event log information available in Lansweeper allows you to keep an eye on anything that might indicate a security risk. Although Lansweeper is not a full-fledged log management system, it automatically collects logs from Windows servers and desktops. Event logs can be selected by source and searched, reported, and exported. Built-in error log and user logon reports help identify inconsistencies within log data.


Email and Web Browser Protections

Only fully supported browsers and email clients should be allowed to execute in your environment and they must be at the latest version provided by the vendor. Just like with any other software, Lansweeper allows you to keep track of the version numbers of browsers and email clients. By regularly running reports on your version numbers, you can make sure they are kept up to date. Lansweeper also regularly creates reports for important updates or when browser versions go end-of-life.


Malware Defenses

Anti-malware software can help you protect your IT environment against disruptions. Lansweeper can in turn help you manage your anti-malware software in a centralized way through software scanning, making sure that you have the right software in the right place and it is up to date. By using file property scanning or registry scanning, you can also make sure that all anti-malware signatures are up to date and that autorun and autoplay are disabled for any removable media.


Network Infrastructure Management

Keeping your network infrastructure up to date is essential to plugging and preventing any holes in your security profile. The asset lifecycle data in Lansweeper Cloud can help you keep track of any obsolete assets so they can be retired or replaced where necessary. As Lansweeper also scans any installed software versions, you can also keep an eye out for any software installs that still need to be updated to the latest stable release. All Lansweeper licenses now also come with a complementary Cloudockit license, that allows you to generate accurate architecture diagrams and technical documentation for your cloud environment.


Network Monitoring and Defense

Your network must be monitored and defended against security threats across the enterprise’s network infrastructure and user base. Lansweeper scans all Windows devices connected to your network for their security event logs. Event log alerts can then instantaneously warn you whenever a security event is scanned. Unlike report alerts, which run on a schedule, these event log alerts go out instantly. Lansweeper also integrates with some of the leading SIEM and SOAR tools in the industry, so that you always have the asset information you need at your fingertips, whenever you need to take action.


Application Software Security

An important step in software security is to monitor and accurately assess any software vulnerabilities. In the Security Insights tab of your Lansweeper Cloud console, you can find an overview of all known vulnerabilities, drawn from the NIST Vulnerability Database, ranked by severity based on its CVSS score. Attached to each listed vulnerability you can find a list of all at-risk devices as well as a short summary. It will also tell you when the vulnerability was first published and last updated. That way you can easily determine the threat level and prioritize where your intervention is needed the most.

Ready to get started? You'll be up and running in no time.