Security for everyone

How to Achieve: CIS #9 Limitation and Control of Network Ports, Protocols, and Services


Security for Everyone


The main purpose of Critical Security Controls #9 is simple.

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

Monitoring the continual operational use of ports, protocols, and services on networked devices helps you to both minimize the attack vector of your infrastructure and manage vulnerabilities effectively.

Sub-controls 1, 2, and 3 are the easiest to make for internet assets. By analyzing these sub-controls, we can see how easy they are.

Sub Control 1 (CIS Control #9.1): Associate Active Ports, Services, and Protocols to Asset Inventory

Control Description

Associate active ports, services, and protocols to the hardware assets in the asset inventory.

How to Achieve

Port scanning is a process of identifying open network ports and services on a host.

By conducting regular port scans, an organization can track which ports, protocols, and services are active on their network at any given time. This information can then be cross-referenced with the asset inventory to ensure that all active ports, protocols, and services are accounted for.

There are several offline tools available for port scanning, including:


Angry IP Scanner:


However, the most simple and effective solution for internet-facing assets is to use an online port scanner. Thankfully, We have TCP Full Port Scan tools that can be used with just a few clicks.

  1. Add your asset from the Asset Manager / Add Asset page.
  2. To use this scanning tool you need to verify your ownership from the Asset Manager / Manage page
  3. Go to TCP Full Port Scan detail.
  4. Select your asset from Fast Scan menu and click the 'Start Scan' button.

That's all you need.

Sub Control 2 (CIS Control #9.2): Ensure Only Approved Ports, Protocols, and Services Are Running

Control Description

Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

How to Achieve

Managing and running a network infra can be a daunting task for any organization. There are so many ports, protocols, and services required to keep the business up and running that it can be difficult to track which ones are actually needed and which ones can be safely shut down.

The first step in ensuring that only approved ports, protocols, and services are running is to create a baseline of what is currently active on your network. This can be done using the same port scanning techniques described in Sub Control 1.

Once you have a list of all active ports, protocols, and services, you will need to cross-reference this information with your business needs. If there is no valid business need for a particular port, protocol, or service to be active, then it should be disabled.

In some cases, it may not be possible to completely disable a port, protocol, or service. In these cases, it is important to ensure that the port, protocol, or service is properly secured. This can be done by implementing firewalls and access control lists (ACLs) to restrict access to only those systems and users that require it.

Also, the output of the TCP Full Port Scan tool provides an overall risk assessment of open ports and services depending on whether or not clear text and remote management protocols used in the network.

Sub Control 3 (CIS Control #9.3): Perform Regular Automated Port Scans

Control Description

Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

How to Achieve

Automated and continuous port scanning is critical for any organization in order to track changes in the network and identify unauthorized ports, protocols, and services.

This control can be challenging to set up and maintain. Automated port scans require a network scanning tool that can scan ports and report parsable output. Then, an automation system needs to be created.

Fortunately, we have a continuous and automated security scanning solution that not only checks TCP and UDP ports on a regular basis but also checks for vulnerabilities with an automated scheduling engine.

At Security For Everyone company, we believe that security should be affordable and accessible to everyone. That's why we offer continuous security products at an affordable price point.

  1. Go to the Continuous Security product page.
  2. Add to cart and go to the checkout page.
  3. Use your coupon code if you have any and make a payment.
  4. Add your asset from the Asset Manager / Add Asset and verify your ownership from the Asset Manager / Manage page

That's all. All security and informational scans, like TCP Full Port Scan, will start in a few hours. Plus, these scans will automatically start continuously from now on.

Thank you for reading! Our experts are available 24/7 on our advanced support page. Do not hesitate to reach out to us.

cyber security services for everyone one. Free security tools, continuous vulnerability scanning and many more.
Try it yourself,
control security posture