CIS Control 2.7: Allowlist Authorized Scripts
Unauthorized scripts pose a critical execution risk in your environment. CIS Control 2.7 requires you to use technical controls like digital signatures and version control to ensure only approved scripts can run. This guide walks SMBs through practical implementation without the enterprise overhead.
What this means
CIS 2.7 mandates technical enforcement of script execution policies. Rather than relying on manual monitoring, you must deploy controls that digitally verify scripts before they execute—blocking anything unsigned or unapproved. This includes PowerShell (.ps1), Python (.py), and other scripting languages. Version control tracks which scripts are authorized, and bi-annual (or more frequent) reassessment ensures the allowlist stays current as threats evolve.
How to comply
- 1.Identify all scripting languages in use across your environment (PowerShell, Python, Bash, VBScript, etc.)
- 2.Establish a baseline inventory of approved scripts with digital signatures or hashes
- 3.Deploy application whitelisting or script execution policies at the OS level (AppLocker, Software Restriction Policies, or EDR solutions)
- 4.Configure digital signature verification for all scripts before execution
- 5.Implement version control to track script changes and maintain audit trails
- 6.Document approval workflows for new or modified scripts
- 7.Schedule bi-annual reassessment of approved scripts and remove obsolete entries
- 8.Monitor and log all script execution attempts, including blocked unauthorized scripts
Evidence auditors look for
- Digital signature certificates applied to all approved scripts
- AppLocker or equivalent whitelisting policies configured and enforced
- Version control repository (Git, SVN) with signed commits and change logs
- Script execution logs showing blocked unauthorized attempts
- Documented bi-annual reassessment records with date and reviewer
- EDR/MDR agent reports filtering on script execution events
- Group Policy or endpoint configuration baseline for script controls
- Change management process documentation linking to script approvals
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
See how GRCWatch handles this control automatically.
See how GRCWatch handles this control automatically
Start free trial