GRCWatch
Sign inStart free trial

CIS Control 4.5: Implement and Manage Firewalls on End-User Devices

Host-based firewalls are your first line of defense against unauthorized network access. CIS Control 4.5 requires a default-deny posture on every endpoint—blocking all traffic except explicitly allowed services and ports. This foundational control reduces attack surface and limits lateral movement.

What this means

Deploy and maintain firewall software or port-filtering tools on all end-user devices (laptops, desktops, workstations). Configure each firewall with a default-deny rule that rejects all inbound and outbound traffic by default, then explicitly whitelist only necessary services, ports, and protocols. This inverted security model ensures only trusted communication flows occur.

How to comply

  1. 1.Select a host-based firewall solution compatible with your OS ecosystem (Windows Defender Firewall, macOS, Linux iptables/firewalld, or third-party tools)
  2. 2.Configure default-deny inbound and outbound rules on all endpoints
  3. 3.Document and whitelist only essential business services and ports (e.g., HTTP/HTTPS for browsers, RDP for remote access)
  4. 4.Deploy firewall configurations centrally via group policy, MDM, or configuration management tools
  5. 5.Enable firewall logging to track blocked and allowed traffic for audit trails
  6. 6.Test firewall rules to verify legitimate applications function while unauthorized traffic is blocked
  7. 7.Review and update firewall rules quarterly or when business requirements change
  8. 8.Monitor compliance and flag non-compliant or disabled firewalls automatically

Evidence auditors look for

  • Firewall configuration screenshots showing default-deny rules and whitelisted ports
  • Endpoint management reports proving 100% firewall deployment across devices
  • Firewall logs with timestamps of blocked and allowed traffic
  • Policy documents defining approved services and ports by role
  • Change management records for firewall rule updates
  • Audit reports from vulnerability scans confirming firewall effectiveness
  • MDM or configuration management dashboards showing real-time compliance status

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically deploys firewall configurations to all endpoints, tracks real-time compliance status, and generates CIS 4.5 audit reports with one click—eliminating manual device checks and spreadsheet tracking.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 4.1 — Establish and Maintain a Software InventoryCIS 6.1 — Establish and Maintain an Inventory of Authorized SoftwareCIS 8.1 — Establish and Maintain an Inventory of Authorized and Unauthorized Software