CIS Control 9

CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services

This article delves into CIS Control 9 and the five sub-controls associated with the third Foundational CIS Control.

Every source of security control guidance (see following examples) recommends the same thing: any network ports, protocols and running services increases the opportunity for a system to be compromised. As an analogy, think of the Star Wars® ‘Death Star’: It was designed to be impregnable, seemingly impossible to attack. But it still needed an engine, which in turn needed an exhaust port, which ultimately left it prone to a fatal strike. Therefore, in any scenario, be it for IT systems or planet-busting, intergalactic weapons of mass destruction, reducing the ‘attack surface’ is a critical security control.

The main reasons why monitoring open ports is ordained a key security control:

  • The more open/accessible we make a system, the greater the attack surface (even for the Death Star). With new exploits being discovered every day, anything that reduces the potential for attack, the better
  • Where a service is needed, and there is a choice of ports/protocols offered i.e. HTTP or HTTPS using TLS 1.2+, we want to use the secured variant
  • By extension, we also want to ensure that the non-encrypted channel is never used and disable it

The Center for Internet Security provides this rationale for CIS Control 9: “Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and DNS servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing the user. Attackers scan for such services and attempt to exploit these services, often attempting to exploit default user IDs and passwords or widely available exploitation code”

But this security best practice is not unique to just the CIS Controls – every source of security control guidance, be it the CIS Controls, NERC CIP, NIST 800-53, or PCI-DSS V3.2.1, all recommend the same thing: any network port, protocol and running services increases the opportunity for a system to be compromised.

NNT recently hosted a webinar with the Center for Internet Security Any Port in a Storm of Cyber Security Remains a Problem: CIS Control 9. Learn how to detect open ports and protocols on your network and the steps to mitigate the threats by watching the webinar on-demand.

Now, let’s dive into the five sub-controls associated with this critical security control.

9.1: Associate Active Ports, Services, and Protocols to Asset Inventory

  • Associate active ports, services, and protocols to the hardware assets in the asset inventory.

In this sub-control, organizations must identify all active ports and installed services (running or not) for each endpoint. In order to address this control, organizations must have already addressed sub-control 1.4: Maintain Detailed Asset Inventory and sub-control 1.5: Maintain Asset Inventory Information.

All ports, protocols and services within your environment must be properly defined, tracked and controlled. More importantly, any corrections needed to be made should be handled within a reasonable timeframe. By having knowledge of what is running on your network and eliminating unnecessary means of communication, organizations significantly reduce their attack surface and limit the number of entry points for attackers.

9.2: Ensure Only Approved Ports, Protocols, and Services Are Running

  • Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

Developing a baseline should be one of the first things you do. This sub-control encourages organizations to establish a secure baseline of what ports and services are supposed to be running on each device, which will allow you to compare future scans with your known, trusted baseline.

open portsUsing hardening guidelines like the CIS Benchmarks is a great place to start and can be deployed and monitored through configuration management tools like Change Tracker. Alternatively, using an automated scanning tool like Vulnerability Tracker will allow you to perform a baseline port scan of the hardened system.

Remember, there is no such thing as “100% secure”, and there are no truly “safe” ports, but the more you can minimize functionality, the more you can reduce the attack surface presented.

NNT recently developed an Open Ports Hardening Guide which includes a full listing of well-known and assigned ports and their uses.

>> Download NNT's Guide to Hardening Open Ports, Protocols and Services 

>> You can also make use of the NNT Security Control Guide Hardening System Services here

9.3: Perform Regular Automated Port Scans

Vulnerability Tracker solution brief

  • Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

Now, with a secure baseline established, organizations are encouraged to perform regular automated port scans across the entire environment. The scan should note any discrepancies from the baseline and alert administrators to investigate the activity immediately. Conducting port scans on a regular basis will help organizations determine which services are listening on the network, which scans are open, and identify the version of the protocol and service listening on each port.

NNT Vulnerability Tracker can scan thousands of endpoint devices in a short period of time – to learn more, download our Vulnerability Tracker Solution Brief.

9.4: Apply Host-Based Firewalls or Port-Filtering

  • Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

In this sub-control, organizations are encouraged to apply host-based firewalls to end systems. Applying only network-based firewalls is not enough because traffic on the same subnet can bypass network firewall configurations.

9.5: Implement Application Firewalls

  • Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

This sub-control advises organizations to use application firewalls and place them in front of any critical servers. In order for an organization to adequately mitigate risks, a layered perimeter of defenses including application-aware firewalls should be implemented to block unauthorized access.


Security hardening is always a balance between maximizing security and delivering the required functions for a platform. Put simply, the more functions provided by a platform, the greater the opportunity for attack, because any functionality has the potential to be misused and abused.

Open ports are significant within this because any network-based attack must utilize network-accessible services, so it’s a logical way to measure the attack surface of a platform. But the risk of such a linear interpretation of this objective is that other more straightforward hardening practices may be overlooked. NNT technology will provide you with not just simple to use tools for identifying and tracking changes to open ports, but as a matter of course encompass visibility of all other key vulnerability considerations. This includes the analysis of:

  • Running services and their startup states
  • Installed software and related known vulnerabilities
  • Security-related configuration settings
  • Any new and changed system files

NNT SecureOps® automates these functions for you within the context of your day-to-day IT Service Operations to maintain security and expose breach activity. Even in a dynamic enterprise where security threats would otherwise remain hidden, NNT can cut out the change noise to clearly identify security issues.

NNT Change Tracker Gen7 R2 provides an integrated Network Port Scanner to discover open ports across all devices within your network estate. Furthermore, Change Tracker will repeatedly re-scan the network and clearly highlight any adds, changes or moves.

NNT Vulnerability Tracker also provides an option for open port discovery on an automated basis and equally delivers other essential security controls relating to vulnerability management. Alternatively, organizations can download OpenVAS (Greenbone Community Edition) for a free network-wide port scan.

For more reading and opinion, read NNT CTO Mark Kedgley’s article with InfoSecurity Magazine Why Open Port Monitoring is Both an Essential and Flawed Security Control

Figure: System Entity Relationship Diagram

CIS Control 9

Contact Us

USA Offices

New Net Technologies LLC
4850 Tamiami Trail, Suite 301
Naples, Florida, 34103

New Net Technologies LLC
1175 Peachtree St NE
Atlanta, Georgia, 30361.

Tel: (844) 898-8358
[email protected]


UK Office

New Net Technologies Ltd
The Russell Building, West Common
Harpenden, Hertfordshire

Tel: 020 3917 4995
 [email protected]

SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2022, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.