Skip to content

Installation and Upgrade - Windows

Introduction

Learn how to install, upgrade, and uninstall the CIS SecureSuite Platform on Microsoft Windows operating systems.

This guide covers:

Minimum Requirements

Verify that your system meets the following minimum requirements for running the CIS SecureSuite Platform.

Server

  • Microsoft Windows Server 2019 or 2022
  • 64 bit
  • 8 GB RAM
  • 2 vCPUs, 4 cores each
  • Minimum 40 GB total free disk space allocated to the main OS drive (usually C:\ drive):
    • Minimum 32 GB for the OS
    • 2 GB for the CIS SecureSuite Platform
    • 6 GB buffer for a small volume of configuration assessment results
    • Additional disk space on top of the 40 GB will be required depending on your organization's configuration assessment volume. One assessment is about 12 MB, 1,000 assessments about 12 GB, and 10,000 assessments about 120 GB.

Note

For optimal performance, we recommend retaining up to 10,000 assessments. CIS SecureSuite Platform System Admins can set file limits for the directory that holds assessments and schedule bulk deletion of assessments.

Traffic and Ports

  • Port 3306 available for MariaDB
  • Port 8081 available for Keycloak
  • Port 80 available for Apache
  • Traffic allowed on port 443
    • If installed on AWS, AWS security group must allow traffic on port 443
    • As needed, add an inbound rule in Windows Firewall
  • For the application to access the SMTP server for emails, port 25 (default), 465, or 587 (depending on your email configuration) needs to be included as an outbound rule
  • To opt in to the Industry Average Service, port 8883 must be included as an outbound rule

Info

The installer will verify that the required ports are available.

Browser

The CIS SecureSuite Platform officially supports Google Chrome only. Other browsers may work with the application but could produce unexpected behavior.

Cloud Installations

  • Use a static public IP so that the public IP does not change if the instance shuts down.
  • Ensure security groups or firewalls are properly configured to allow connectivity from external remote systems and within the instance.
  • If using an AWS EC2 instance, enable Instance metadata service. IMDSv2 can be either Optional or Required.

Java Runtime Environment (JRE)

The installer establishes Java environment variables specifically for use with the CIS SecureSuite Platform. To run the CIS SecureSuite Platform, no other application requiring a JRE can exist on the CIS SecureSuite Platform host server.

Before you Start

Download the following before installing the CIS SecureSuite Platform:

CIS SecureSuite Platform Installer

The CIS SecureSuite Platform Installer guides you through the installation process and ensures setup is done correctly.

Download the CIS SecureSuite Platform Installer

1. In WorkBench, go to Downloads.
2. Select Download CIS SecureSuite Platform.
3. Select the Windows bundle and then Download Selection.
4. Choose a directory to download the installer.
5. (If the installer is blocked) Right-click SecureSuite_windows-x64_Installer, select Properties and then Unblock if the box is unchecked.

SecureSuite License

SecureSuite licenses grant you full access to the CIS SecureSuite Platform's features and content. If a valid license is not in the location you designate during installation, the CIS SecureSuite Platform provides limited functionality.

Download SecureSuite License

1. In WorkBench, go to Downloads.
2. Select Download License.

The Download License button appears near the top right of the page, under the top navigation bar.

3. Select Download.

Download Issues?

If the file is not downloading, verify that JavaScript is enabled on your browser.

4. Extract the contents from the downloaded ZIP.

For the installation and use of the CIS SecureSuite Platform, you will only need the license.xml file from the extracted contents.

5. Move the license.xml file to a stable directory.

Info

During the installation of the CIS SecureSuite Platform, you will identify the directory above as the location where the application will look for your license. To change the license directory after installation, run the installer again and select the new directory on the Select License Directory screen.

Renewal

Your license expires when your SecureSuite membership expires. Upon renewing your membership, a new license file bundle will be available on WorkBench. Download your new license and move the license file to the folder you designated during installation. You'll likely overwrite your expired license file.

Limited Functionality

Without a valid license in the folder you designated during installation, the CIS SecureSuite Platform restricts the following functionality:

  • Remote configuration assessments cannot be performed
  • New Controls assessments cannot be created or imported

Install the CIS SecureSuite Platform

The CIS SecureSuite Platform Installer will help set up the application, database, and services for you.

Required Task and Services

The installation process will create three services (MariaDB, SecureSuite_Windows, and Apache_HTTPD) and a task (Keycloak). All must be running to support the application. Do not disable any of these tasks and services.

Cancelling Installations

If the installation is cancelled, manual uninstallation may be required. Follow the Uninstall Manually procedure for guidance.

Start Installation

1. Run SecureSuite_windows-x64_Installer as an administrator.
2. Select Next on the Welcome page to start the installation.

Installation Errors

If you encounter installation errors, do not close the installer before getting the logs.

Select Destination Directory

Define the directory where the CIS SecureSuite Platform application, MariaDB, and Java will be installed. For most Windows environments, the destination directory will be C:\Program Files\SecureSuite. Ensure you have allocated enough memory to this directory.

1. Select Browse to find the destination directory for the installation.

2. In the Select Directory window, double-click the desired directory to choose it.
3. Select Next.

Select License Directory

Define where you downloaded your organization's SecureSuite license. The CIS SecureSuite Platform validates your license at the beginning of each command execution performed.

1. Select Browse to find your license file.

2. In the Select File window, select license.xml.

Note

Ensure you load a valid license file. The field only accepts XML files, and will remain empty if you attempt to load files of other types.

3. Select Next.

Configure HTTPS

Encrypting data in transit is vital for safeguarding your private and sensitive information. Choose and configure one of the two Transport Layer Security (TLS) options to safeguard your data.

1. Consider the following requirements and details for SSL certificates before choosing a TLS option:

  • Self-signed certificate

    • Requires port 443 availability
    • Installer creates the self-signed certificate for you
    • Valid for 90 days from creation
    • The certificate can be found here: C:/destination-directory\SecureSuite\certificates
    • Trust the certificate utilizing the command line during/post installation or via Google Chrome post installation
    • In Google Chrome, specify the list of names covered by the SSL certificate in the Subject Alternative Name (SAN)

  • Organization/CA certificate

    • Requires port 443 availability
    • Obtain your organization's certificate from your Certificate Authority (CA)
    • Create a keystore file in P12 (PKCS 12) format. Only this format is supported
      • A new keystore is recommended. The CSR must come from the keystore planned for use.
      • Use your tool of choice. Some Members have found this digicert knowledge base article helpful.

2. Select a TLS option and configure the fields accordingly:

  • HTTPS with a new self-signed certificate
    • Description: Enter a descriptive, user-friendly name for the self-signed certificate file. Consider including the expiry date as a reminder.
    • Password: Enter a keystore password for access to the certificate.
    • Confirm Password: Enter the password again.

  • HTTPS with an existing certificate
    • Certificate: Select Browse to find and choose the certificate file.
    • Password: Enter the keystore password exactly as it is in the CSR and keystore.
    • Confirm Password: Enter the password again.

Warning

If the password does not match what is in the CSR and keystore, the CIS SecureSuite Platform will be inaccessible. If the password does not match what is in the CSR and keystore, the CIS SecureSuite Platform will be inaccessible.

3. Select Next when finished.

The installer will take a moment to configure various services.

Set Up Database Admin

Set up the native admin account for your MariaDB server.

1. Enter a password.

Password Requirements

  • Minimum 14 characters
  • Does not start with a special character
  • At least 1 lowercase letter
  • At least 1 uppercase letter
  • At least 1 number
  • At least 1 of these special characters: !#$%^

2. Enter the password again in the Confirm Password field.

Info

For those backing up their CIS SecureSuite Platform database, store the password in a secure but discoverable place. root is the username of the account.

3. Select Next.

Set Up CIS SecureSuite Platform Admin

Set up an admin account for the CIS SecureSuite Platform.

1. Configure the the CIS SecureSuite Platform admin user as follows:

  • First Name: Enter the first name of the admin.
  • Last Name: Enter the last name of the admin.
  • Email: Enter the professional email of the admin.
  • Password: Enter a password for the admin account.
  • Confirm Password: Re-enter the password.

Password Requirements

  • Minimum 14 characters
  • Does not start with a special character
  • At least 1 lowercase letter
  • At least 1 uppercase letter
  • At least 1 number
  • At least 1 of these special characters: !#$%^

Note

Store the password for the account in a secure but discoverable place. You'll need it to log in to the CIS SecureSuite Platform. admin is the username of the account.

Protect the admin password as the account has full administrative access to the CIS SecureSuite Platform.

2. Select Next.

Set up Identity Access Management Vault

Set up the module that manages user identity and access.

1. Enter a password.

Password requirements

  • Minimum 14 characters
  • Does not start with a special character
  • At least 1 lowercase letter
  • At least 1 uppercase letter
  • At least 1 number
  • At least 1 of these special characters: !#$%^

2. Enter the password again in the Confirm Password field.
3. Select Next.

Note

Store the password for the account in a secure but discoverable place.

Set Up Identity Access Management

Create a Keycloak admin account for IAM. Keycloak supports all of the CIS SecureSuite Platform's user authentication, handling single sign-on (SSO), multi-factor authentication (MFA), and Lightweight Directory Access Protocol (LDAP).

1. Enter a password.

Password requirements

  • Minimum 14 characters
  • Does not start with a special character
  • At least 1 lowercase letter
  • At least 1 uppercase letter
  • At least 1 number
  • At least 1 of these special characters: !#$%^

2. Enter the password again in the Confirm Password field.
3. Select Next.

The installer will finalize the configuration:

Complete Installation

After the installer finalizes the configuration, you should see the Installation Complete page.

  • Select Open Application to start using the CIS SecureSuite Platform or Close to exit out of the installer.

Going forward, whenever you or other users in your organization need to use the CIS SecureSuite Platform, open Google Chrome and go to your CIS SecureSuite Platform URL (e.g., https://123.456.78.901/SecureSuite/). Be aware that the application URL must have "SecureSuite" capitalized as shown in the example; otherwise, you'll encounter an error.

"Your connection isn't private" Warning

If you are using a self-signed certificate that has not been added to the trust store, you will see a warning that the connection is not secure whenever you open the CIS SecureSuite Platform.

Select Advanced and then Continue to ... to log in to the CIS SecureSuite Platform.



To learn more about certificates and remove the warning, refer to HTTPS Certificate Trust.

Guidance on logging in to the CIS SecureSuite Platform

Refer to the Login section of the Get Started guide for instructions on how to log in to the CIS SecureSuite Platform.

Review Installation

After the installation is complete, the following folders should be in your destination directory.

Warning

CIS does not support any modifications to the installation made without the installer. If you do so, we cannot guarantee the CIS SecureSuite Platform will work.

Folder Description
securesuite_imports Contains configuration assessment results only in ARF XML format produced by CIS-CAT Pro Assessor. Reports failing to import will move to the error folder, while successfully imported reports will move to the processed folder. It is possible to manually place reports in the input folder for CIS SecureSuite Platform import.
certificate By default, contains only self-signed certificates user-selected/created to support HTTPS during installation. You may optionally store an organizational certificate here, but it is not required. If, during upgrades, members modify communication protocols, folder contents will not be cleared.
conf* Contains the configuration file that supports CIS SecureSuite Platform functionality. Modifications to this file are supported only if done through the installer. Users other than System or Administrator are prevented from viewing this file.
content Contains the supported CIS Benchmark content for the CIS SecureSuite Platform. The Benchmarks provided will be the latest supported content at the time of the most recent CIS SecureSuite Platform version release. On upgrade, new content will be added to this folder. Old Benchmarks must be removed manually. The CIS SecureSuite Platform officially supports CIS Benchmark automated assessment content delivered with the application in datastream format.
logs Contains CIS-CAT Pro Assessor and CIS SecureSuite Platform logs. For troubleshooting purposes, CIS Product Support may ask for these files.

*The conf folder contains the securesuite-config.yml file that contains information to support the operation of the CIS SecureSuite Platform. The installation process limits read/write privileges to only the users whose credentials are validated by Microsoft Windows OS security mechanisms, typically System and Administrators. Users who are not a member of the authenticated group do not have privileges to view or write to the file.

Tip

To save a bit of disk space, delete the following:
- C:\...\SecureSuite\keycloak\lib\amazon-corretto-17.0.13.11.1-windows-x64-jdk.zip (~178 MB)
- C:\...\SecureSuite\keycloak\windows\keycloak-24.0.5.zip (~170 MB)
- C:\...\SecureSuite\apache\httpd-2.4.63-250207-win64-VS17.zip (~11 MB)
- C:\...\SecureSuite\mariaDB\windows\mariadb-11.4.3-winx64.zip (~88 MB)

Upgrade the CIS SecureSuite Platform

CIS will regularly release new versions of the CIS SecureSuite Platform with additional features, functionality, and changes.

1. Download the latest version of the CIS SecureSuite Platform from WorkBench.
2. Run the downloaded SecureSuite_windows-x64_Installer as an administrator.
3. On the Welcome page, select Next.

Back up the CIS SecureSuite Platform Database

Refer to Back Up and Restore Database with Mariabackup for guidance on taking a backup of your CIS SecureSuite Platform data.

4. Upload a different license file if necessary and select Next.

5. Generate a new self-signed certificate or update your SSL certificate if necessary and select Next.

6. Select Yes if you want to back up the existing SecureSuite.war file or No if you do not.

What is the SecureSuite.war file?

The file holds everything needed to run your application, including compiled Java code, embedded Tomcat, web pages, stylesheets, and configurations. Taking a backup of the file is helpful if you need to revert to a previous version of the CIS SecureSuite Platform due to potential update errors.

The upgrade will start automatically:

7. Select Open Application to start using the CIS SecureSuite Platform or Close to exit out of the installer.

Uninstall the CIS SecureSuite Platform

Uninstall with the CIS SecureSuite Platform Uninstaller

Completed installations of the CIS SecureSuite Platform should use the CIS SecureSuite Platform Uninstaller. Uninstalling will delete all data and services supporting the CIS SecureSuite Platform.

1. Go to the root directory of the destination directory (e.g., C:\Program Files\SecureSuite).
2. Run SecureSuite_Uninstalleras an administrator.
3. Select Next to run the uninstallation.

You will see the progress of the uninstallation:

4. Once the uninstallation finishes, select Close to exit out of the uninstaller.

5. Restart your system to complete the uninstallation.

Note

Restarting your system is a must. If you do not, you may encounter issues reinstalling the application.

Uninstall Manually

If you cancelled the installation, you may need to manually uninstall the services, environment variables, or files related to the CIS SecureSuite Platform.

1. Stop and delete services.
2. Delete environment variables.
3. Delete SecureSuite files.

Note

Please follow the steps in order. All services should be stopped and deleted before deleting the SecureSuite folder.

Stop and Delete Services

Depending on how far the installation progressed, one or more of the services may not have been installed, and will not appear in the list of services. Follow the instructions below for only the installed services.

1. Open Services.
2. Right-click SecureSuite_Windows and select Stop.

3. Repeat step 2 for the MariaDB and Apache HTTPD services.
4. Run Command Prompt as an administrator.
5. Execute the following command to delete the installed services: 

sc delete "SecureSuite_Windows" && sc delete "MariaDB" && sc delete "Apache_HTTPD"

Note

Adjust the command above to delete only the installed services. For example, if the Apache_HTTPD service was not installed, remove && sc delete "Apache_HTTPD".

6. Refresh Services and check that you cannot see the installed services.
7. Open Task Scheduler.
8. Select Task Scheduler Library, right-click Keycloak, and select End.

9. Return to Command Prompt.
10. Execute the following command to delete the Keycloak task: 

schtasks /delete /tn Keycloak /f

11. Refresh Task Scheduler and check that Keycloak is no longer in the task list.

Delete Environment Variables

1. In Windows Search, enter Environment Variables and select Edit the system environment variables.
2. Select Environment Variables....

3. In System variables, check if the value of JAVA_HOME is in the SecureSuite folder and proceed accordingly:

  • If yes, select JAVA_HOME then Delete.

  • If no, move to the next step.

4. Delete the SECURESUITE_CONFIG_FILE and SECURESUITE_LOG_DIR environment variables.
5. Select the Path environment variable and then Edit.

6. Select the MariaDB environment variable that points to the SecureSuite folder then Delete.

7. Repeat step 5 for the Keycloak environment variable and, if you deleted the JAVA_HOME variable earlier, %JAVA_HOME%\bin.

Delete SecureSuite Files

1. Navigate to the destination directory where you installed SecureSuite.
2. Right-click SecureSuite and select Delete.

3. Restart your system.

Note

Restarting your system is a must. If you do not, you may encounter issues reinstalling the application.

HTTPS Certificate Trust

Self-signed certificates that are not in the system's trust store will produce a trust warning within the browser.

Some organizations' security policies do not permit self-signed certificates. These organizations must utilize a certificate trusted by a public or private certificate authority (CA). While both self-signed and organizational certificates assist in protecting incoming assessment data, each organization must use its own discretion to decide whether the browser warnings are acceptable.

Certificates Validated by CA

Using a certificate issued by a public or private CA allows you to associate a different fully qualified domain name (FQDN) of your choosing that would be accessible to others.

Organizations should publish a DNS record that matches the subject alternative name (common name attribute is deprecated), which will be the FQDN. The DNS name is selected by the organization.

It’s possible to use an IP address to the subject alternative name; however, if the IP changes, a new certificate would need to be generated. It's also possible to utilize the IP of the host server, but utilizing an organizational certificate is a good approach to avoid exposing the IP of the host server.

Using a certificate is best practice as it ensures you are accessing the correct page and prevents “man in the middle” and cache poisoning attempts.

It is an organization’s preference whether to purchase a certificate from a public CA such as digicert. Most organizations have access to a public CA when they have a website. Certificates allow the organization’s website to be automatically trusted by various browsers.

Organizations may also choose to maintain a private CA. This certificate will be validated over a corporate/VPN internal network. This is a good approach for an internal application that an organization wants to trust. If this approach is pursued, the certificate still must be added to the trust store/keychain.

When testing access to a web server, it’s helpful to use the FQDN from the host to ensure it is working. Try pinging the site and flushing the DNS after any changes.

For example, a server can have the hostname web on the domain acme.org and there is an A record for web.acme.org with the IP address 1.2.3.4. You can create a CNAME DNS record that uses web.acme.org and set an alias to something else like website.acme.com and the cert is valid as long as it matches up with website.acme.com.

Add Certificate to Trust Store

To fully trust self-signed certificates and avoid browser warnings, each machine that will access the CIS SecureSuite Platform instance must have the certificate added to its trust store.

Note

Administrator is the minimum group membership required to complete this procedure. If you are not the administrator of your computer, contact your system administrator.

1. Open Manage computer certificates (certlm).

2. Expand Trusted Root Certification Authorities store.
3. Right-click Certificates, go to All Tasks, and select Import.

4. Follow the steps in the Certificate Import Wizard to import the securesuite_public.crt file created by the installer.

Location of Certificate File

The cert file can be found in the certificates folder (e.g., C:\Program Files\SecureSuite\certificates).

Additional Resources

For assistance resolving issues with the installer, refer to Resolve Installation Errors.