Budgetless CIS Top 20: Control 1: Hardware Assets

Summary:  Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

This one is arguably the easiest to implement for free. There are lots of utilities out there that will continuously scan your entire address space and identify what is on it. The larger your network, the more likely it is that devices you aren't even aware of are attached to it, and a scan can help you find them.

Like most controls, this is one you will continually revisit as you mature, so start small and just gather what you can. There is a difference between active and passive asset scanning, and the two approaches are essentially opposites: active scanning means periodically scanning the network to determine what devices are on it, while passive scanning means constantly listening to something like a mirrored switch port to gather device information.

1.1 Active Scanning: I recommend Spiceworks or Lansweeper here. Both are free, but Lansweeper is only free up to 100 devices. Spiceworks is a great product and will help you out with Control 2 as well. A few others that are good and comprehensive for free are AssetTiger, Snipe-IT, GLPI and SysAid.

1.2 Passive Scanning: If you really want to tackle this subcontrol, look at AlienVault; it has a free version that will do it. But for no budget, I'd start with active scanning and add passive down the road.

1.3 DHCP Logging – Hopefully you already have a syslog server. I recommend Kiwi Syslog; it's $300 and works great. With that in place, you can just turn on DHCP logging on your DHCP server, use a free tool like NXLog or Event Forwarder (my preference) by SolarWinds, and set it up to forward your logs to Kiwi.

1.4 Detailed asset inventory – Basically, you need to store everything gathered by the first three subcontrols. Spiceworks lets you export all your inventory to an Excel spreadsheet, and that is a good start that you can keep up with going forward. Most of the other tools have some sort of reporting too. Just make sure you keep up with assets both on and off the network.

1.5 Asset Information – In your spreadsheet from above or in Spiceworks, make sure you record the machine owner, the hardware address, whether the device has been approved to be on the network or not, etc.

1.6 Unauthorized Assets – When an inventory scan finds something new, if it's unauthorized, it needs to be removed. If it's legitimate, add it to your inventory.
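As an added example (not from the original post), here is a small Python script that ties 1.3 through 1.6 together: it loads the inventory spreadsheet from 1.4/1.5 as CSV, checks DHCP lease events from 1.3 against it, and reports the "something new" of 1.6 as a list of unknown or unapproved MAC addresses. The inventory rows and DHCP log lines are constructed, and the log layout is modeled on the Windows DHCP audit log (an assumption; the post does not specify a format).

```python
import csv
import io
# Constructed inventory export (the spreadsheet 1.4/1.5 describe):
# owner, hardware address and whether the device is approved.
INVENTORY_CSV = """mac,hostname,owner,approved
00-11-22-33-44-55,WS-FINANCE-01,jdoe,yes
00-11-22-33-44-66,WS-LOBBY-KIOSK,facilities,no
AA-BB-CC-DD-EE-01,PRINTER-2F,helpdesk,yes
"""

# Constructed DHCP log lines, laid out like the Windows DHCP audit log
# (ID,Date,Time,Description,IP,Host,MAC,...; ID 10 = assign, 11 = renew).
DHCP_LOG = """10,06/01/20,08:02:11,Assign,10.0.1.20,WS-FINANCE-01,001122334455,
11,06/01/20,08:05:40,Renew,10.0.1.21,PRINTER-2F,AABBCCDDEE01,
10,06/01/20,08:09:03,Assign,10.0.1.55,WS-LOBBY-KIOSK,001122334466,
10,06/01/20,08:11:17,Assign,10.0.1.77,android-3f9c,DEADBEEF0001,
"""

def norm_mac(raw):
    """Canonical form: 12 uppercase hex digits, separators dropped."""
    return "".join(c for c in raw.upper() if c in "0123456789ABCDEF")

def load_inventory(text):
    """Map normalized MAC -> inventory row."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def review_leases(log_text, inventory):
    """Tag leases approved, unapproved (inventoried, not approved) or unknown (new, per 1.6)."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0] not in ("10", "11"):
            continue  # only assign/renew events carry a client MAC
        entry = inventory.get(norm_mac(row[6]))
        if entry is None:
            status = "unknown"
        elif entry["approved"].strip().lower() == "yes":
            status = "approved"
        else:
            status = "unapproved"
        findings.append({"ip": row[4], "host": row[5], "mac": norm_mac(row[6]), "status": status})
    return findings

def exceptions(findings):
    """The devices 1.6 says need a decision: remove, or add to inventory."""
    return [f for f in findings if f["status"] != "approved"]

if __name__ == "__main__":
    for f in exceptions(review_leases(DHCP_LOG, load_inventory(INVENTORY_CSV))):
        print(f"{f['status']:<10} {f['ip']:<12} {f['host']:<16} {f['mac']}")
```

Run it against a real DHCP log export and inventory CSV by swapping in the file contents; anything tagged unknown or unapproved is what 1.6 asks you to act on.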

1.7 & 1.8 – Both of these involve only letting authorized devices connect to the network, using something like a MAC address filter or 802.1x with certificates. They are more on the advanced side, but if you are using Server 2012 or above and Windows 7 or above, you can set up a RADIUS server, configure GPOs and a certificate authority, and do 802.1x pretty simply. There is a lot more to keep up with up front to get a system online, though, since you'll have to allow each machine through AD/RADIUS, etc. before it gets a DHCP address. It's possible, but it's a lot of work. It might be more beneficial for smaller organizations to just implement this on network ports in conference rooms and common areas like the lobby to reduce risk, and worry about doing it in internal offices later when budget allows.