GRCWatch
Sign inStart free trial

CIS Control 4.4: Implement and Manage a Firewall on Servers

Server firewalls are your first line of defense against unauthorized network access. CIS Control 4.4 requires implementing firewalls on all servers to filter inbound and outbound traffic. This foundational control is critical for blocking malicious connections and limiting lateral movement across your network.

What this means

This control requires deploying and actively managing firewalls on all servers in your environment. Organizations can choose from three primary approaches: virtual firewalls (cloud-native network segmentation), operating system-level firewalls (Windows Defender Firewall, iptables), or third-party firewall agents installed directly on servers. The firewall must be configured with default-deny rules, allowing only necessary traffic to and from the server.

How to comply

  1. 1.Inventory all servers and determine which support firewall implementation (typically all modern servers)
  2. 2.Select firewall solution type: virtual firewall, OS firewall, or third-party agent based on your infrastructure
  3. 3.Deploy firewalls with default-deny inbound rules and explicit allow policies for business-critical services
  4. 4.Document required ports and protocols for each server and configure rules accordingly
  5. 5.Enable logging and monitoring of firewall rule violations and suspicious connection attempts
  6. 6.Establish a change management process for firewall rule additions and modifications
  7. 7.Review and validate firewall configurations quarterly to remove obsolete rules
  8. 8.Test firewall effectiveness through vulnerability scanning and penetration testing

Evidence auditors look for

  • Screenshots of Windows Defender Firewall settings with inbound/outbound rules configured
  • Linux firewall configuration files (iptables or firewalld rules) with documented port access
  • Virtual firewall security group policies from AWS, Azure, or GCP showing network segmentation
  • Third-party firewall agent logs showing rule enforcement and blocked connections
  • Firewall rule change log with approval dates and business justification
  • Server inventory spreadsheet mapping each server to its firewall implementation type
  • Firewall audit reports from quarterly reviews showing rule cleanup and remediation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers all servers in your environment, identifies which ones lack firewall configurations, and tracks firewall rule changes—eliminating manual audits and streamlining evidence collection for your CIS 4.4 compliance review.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 4.1: Establish and Implement a Secure Configuration ProcessCIS Control 4.3: Address Unauthorized SoftwareCIS Control 4.5: Manage Firewall on Network PerimeterCIS Control 6.1: Establish an Incident Response Process