CIS-4.4 / SC-7 / A.13.1.3 CIS Controls v8

Personal firewall on by default

Description

What this control does

This control ensures that host-based firewalls on endpoints (workstations, laptops, mobile devices) are enabled by default before deployment and remain active during operation. The personal firewall filters inbound and outbound network traffic based on defined rulesets, blocking unauthorized connections and malicious network activity at the endpoint level. By activating personal firewalls as a baseline configuration, organizations provide defense-in-depth against network-based attacks, lateral movement, and unauthorized data exfiltration even when perimeter defenses are bypassed or unavailable.

Control objective

What auditing this proves

Demonstrate that personal firewalls are enabled by default on all managed endpoints and that configurations enforce this state consistently across the enterprise.

Associated risks

Risks this control addresses

  • Attackers exploit unprotected endpoints to establish unauthorized network connections for command-and-control communications
  • Malware propagates laterally across the network through endpoints lacking host-based firewall protection
  • Unauthorized applications exfiltrate sensitive data via outbound connections that would otherwise be blocked
  • Remote attackers directly access services running on endpoints when devices connect to untrusted networks
  • Insider threats bypass network monitoring controls by communicating directly from endpoints without firewall filtering
  • Ransomware spreads through SMB or RDP connections to endpoints with disabled host firewalls
  • Configuration drift results in inconsistent firewall states across the endpoint fleet, creating exploitable gaps in network segmentation

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's endpoint security baseline configuration documentation and identify the personal firewall settings defined for all endpoint types
  2. Request firewall configuration exports from the endpoint management platform (GPO, MDM, EDR console) showing default firewall policies applied during provisioning
  3. Select a representative sample of endpoints across different operating systems, geographic locations, and business units (minimum 25 devices or 10% of population)
  4. Execute remote queries or use configuration management tools to verify firewall service status on sampled endpoints in real time
  5. Review firewall policy rules applied to sampled endpoints, confirming restrictive inbound default-deny rules and controlled outbound policies are active
  6. Interview IT operations staff to confirm procedures for handling endpoints where firewall services are found disabled or misconfigured
  7. Examine exception approval records and verify documented business justification exists for any endpoints granted firewall exemptions
  8. Review automated compliance monitoring dashboards or SIEM alerts to confirm continuous monitoring detects firewall service interruptions

Evidence required

  • Configuration policy exports from Active Directory Group Policy Objects, Microsoft Intune, Jamf Pro, or equivalent endpoint management platforms showing firewall-enabled settings
  • Compliance scan reports or EDR console screenshots displaying real-time firewall status across sampled endpoints
  • Exception approval documentation including business justification, risk acceptance signatures, and compensating controls for any endpoints operating without active firewalls

Pass criteria

  • All sampled endpoints demonstrate active personal firewall services in enforcing mode with default-deny inbound rules
  • Baseline configuration policies enforce firewall activation
  • Any documented exceptions include formal risk acceptance and compensating controls
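The following script is an added illustration of steps 3 to 7 and the pass criteria; it is not part of the control page or of any audit program. It computes the sample size, then scores a per-endpoint firewall export against the criteria: every profile enabled with a default-deny inbound action, or else a documented exception that carries a justification, a risk-acceptance sign-off and compensating controls. The export format, hostnames, exception records and ticket reference are all constructed for the example (a real export would be normalised from, for instance, the Enabled and DefaultInboundAction fields of Windows' Get-NetFirewallProfile), and "minimum 25 devices or 10% of population" is read here as whichever of the two is larger, which is an assumption.

```python
"""Score a sampled-endpoint firewall export against the control's pass criteria.
Added example with a hypothetical export format; not a real product's output."""
import json
import math


def required_sample_size(population: int, minimum: int = 25, fraction: float = 0.10) -> int:
    """Sample size: the larger of the fixed minimum and the percentage,
    never more than the population itself (assumed reading of the procedure)."""
    return min(population, max(minimum, math.ceil(population * fraction)))


# Constructed export: one record per sampled endpoint, one entry per firewall
# profile. Values mirror what an endpoint platform query would return.
SAMPLE_EXPORT = """
[
 {"hostname": "WS-001", "os": "Windows", "profiles": [
   {"name": "Domain",  "enabled": true, "default_inbound": "Block"},
   {"name": "Private", "enabled": true, "default_inbound": "Block"},
   {"name": "Public",  "enabled": true, "default_inbound": "Block"}]},
 {"hostname": "LT-002", "os": "Windows", "profiles": [
   {"name": "Domain",  "enabled": true,  "default_inbound": "Block"},
   {"name": "Private", "enabled": true,  "default_inbound": "Block"},
   {"name": "Public",  "enabled": false, "default_inbound": "Block"}]},
 {"hostname": "LT-003", "os": "Windows", "profiles": [
   {"name": "Domain",  "enabled": true, "default_inbound": "Allow"},
   {"name": "Private", "enabled": true, "default_inbound": "Block"},
   {"name": "Public",  "enabled": true, "default_inbound": "Block"}]},
 {"hostname": "LAB-004", "os": "Linux", "profiles": [
   {"name": "default", "enabled": false, "default_inbound": "Allow"}]}
]
"""

# Constructed exception register keyed by hostname. LAB-004 is fully documented;
# LT-003 has a justification but no sign-off and no compensating controls.
EXCEPTIONS = {
    "LAB-004": {"justification": "Isolated lab VLAN used for network testing",
                "risk_accepted_by": "CISO (risk ticket RA-PLACEHOLDER)",
                "compensating_controls": "Dedicated VLAN; ACL on lab gateway"},
    "LT-003": {"justification": "Legacy application requires inbound access",
               "risk_accepted_by": "",
               "compensating_controls": ""},
}

REQUIRED_EXCEPTION_FIELDS = ("justification", "risk_accepted_by", "compensating_controls")


def profile_enforcing(profile: dict) -> bool:
    """A profile counts as enforcing only if it is on and denies inbound by default."""
    return bool(profile["enabled"]) and profile["default_inbound"] == "Block"


def evaluate_endpoint(record: dict, exceptions: dict) -> tuple:
    """Return (status, findings); status is 'pass', 'exception' or 'fail'."""
    findings = [f'{p["name"]}: enabled={p["enabled"]}, default_inbound={p["default_inbound"]}'
                for p in record["profiles"] if not profile_enforcing(p)]
    if not findings:
        return "pass", findings
    exc = exceptions.get(record["hostname"])
    if exc and all(exc.get(k) for k in REQUIRED_EXCEPTION_FIELDS):
        return "exception", findings          # deviation covered by a complete exception record
    if exc:
        missing = [k for k in REQUIRED_EXCEPTION_FIELDS if not exc.get(k)]
        findings.append("exception record incomplete, missing: " + ", ".join(missing))
    return "fail", findings


def evaluate_sample(export_json: str, exceptions: dict) -> tuple:
    """Score every endpoint; the sample passes only when no endpoint is a 'fail'."""
    results = {r["hostname"]: evaluate_endpoint(r, exceptions) for r in json.loads(export_json)}
    overall = all(status != "fail" for status, _ in results.values())
    return overall, results


if __name__ == "__main__":
    print("sample size for 400 endpoints:", required_sample_size(400))
    overall, results = evaluate_sample(SAMPLE_EXPORT, EXCEPTIONS)
    for host, (status, findings) in results.items():
        print(f"{host:8} {status:9} {'; '.join(findings)}")
    print("control passes:", overall)
```

With the constructed data the sample fails: LT-002 has its Public profile switched off with no exception on file, and LT-003's exception lacks the risk-acceptance sign-off and compensating controls, so it does not count; LAB-004 is accepted as a documented exception rather than a pass, which keeps it visible in the auditor's findings.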
