Establish, implement, and maintain system hardening procedures.
CONTROL ID 12001
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
System hardening through configuration management, CC ID: 00860
This Control has the following implementation support Control(s):
Configure the Intrusion Detection System and Intrusion Prevention System in accordance with organizational standards., CC ID: 04831
Configure session timeout and reauthentication settings according to organizational standards., CC ID: 12460
Configure âDockerâ to organizational standards., CC ID: 14457
Configure "etcd" to organizational standards., CC ID: 14535
Establish, implement, and maintain container orchestration., CC ID: 16350
Configure "Kubernetes" to organizational standards., CC ID: 14528
Configure the Remote Deposit Capture system to organizational standards., CC ID: 13569
Prohibit files from containing wild cards, as necessary., CC ID: 16318
Block and/or remove unnecessary software and unauthorized software., CC ID: 00865
Assign system hardening to qualified personnel., CC ID: 06813
Use the latest approved version of all software., CC ID: 00897
Change default configurations, as necessary., CC ID: 00877
Establish, implement, and maintain procedures to standardize operating system software installation., CC ID: 00869
Configure Least Functionality and Least Privilege settings to organizational standards., CC ID: 07599
Establish, implement, and maintain idle session termination and logout capabilities., CC ID: 01418
Install custom applications, only if they are trusted., CC ID: 04822
Configure virtual networks in accordance with the information security policy., CC ID: 13165
Configure Simple Network Management Protocol (SNMP) to organizational standards., CC ID: 12423
Configure the system's storage media., CC ID: 10618
Configure Internet Browser security options according to organizational standards., CC ID: 02166
Implement only one application or primary function per network component or server., CC ID: 00879
Remove all unnecessary functionality., CC ID: 00882
Establish, implement, and maintain the interactive logon settings., CC ID: 01739
Configure the settings of the system registry and the systems objects (for Windows OS only)., CC ID: 01781
Apply the appropriate warning message to systems., CC ID: 01596
Enable logon authentication management techniques., CC ID: 00553
Establish, implement, and maintain authenticators., CC ID: 15305
Configure each system's security alerts to organizational standards., CC ID: 12113
Configure the system security parameters to prevent system misuse or information misappropriation., CC ID: 00881
Configure knowledge-based authentication tools in accordance with organizational standards., CC ID: 13740
Disable or configure the e-mail server, as necessary., CC ID: 06563
Configure the system account settings and the permission settings in accordance with the organizational standards., CC ID: 01538
Establish and maintain specific directory installation rules and domain controller installation rules., CC ID: 01734
Establish, implement, and maintain appropriate shutdown procedures., CC ID: 01778
Configure Multi-Function Devices to clear their hard drives in between jobs., CC ID: 04816
Configure shared volumes to use the appropriate file system for the network protocols being operated (NT File System in Windows OS or Netware SS), and configure the security parameters., CC ID: 01927
Configure utility and device driver software in accordance with organizational standards., CC ID: 12340
Configure appropriate Partitioning schemes., CC ID: 02162
Configure attached printers and shared printers., CC ID: 04499
Establish, implement, and maintain network parameter modification procedures., CC ID: 01517
Configure Automated Teller Machines in accordance with organizational standards., CC ID: 12542
Enable or disable remote print browsing, as appropriate., CC ID: 05718
Configure the time server in accordance with organizational standards., CC ID: 06426
Verify the organization has Emergency Power Supplies available for the systems., CC ID: 01912
Configure Private Branch Exchanges in accordance with organizational standards., CC ID: 02219
Configure Wireless Access Points in accordance with organizational standards., CC ID: 12477
Configure mobile device settings in accordance with organizational standards., CC ID: 04600
Configure Cisco-specific applications and service in accordance with organizational standards., CC ID: 06557
Configure custom Oracle-specific applications and services in accordance with organizational standards., CC ID: 06565
Configure the Global Positioning System settings as appropriate., CC ID: 06888
Configure endpoint security tools in accordance with organizational standards., CC ID: 07049
Configure e-mail security settings in accordance with organizational standards., CC ID: 07055
Configure web server security settings in accordance with organizational standards., CC ID: 07059
Certify the system before releasing it into a production environment., CC ID: 06419
Establish, implement, and maintain virtualization configuration settings., CC ID: 07110
Configure Microsoft Office to Organizational Standards., CC ID: 07147
Configure Services settings to organizational standards., CC ID: 07434
Configure network protection settings to organizational standards., CC ID: 07601
Configure Account settings in accordance with organizational standards., CC ID: 07603
Configure system integrity settings to organizational standards., CC ID: 07605
Configure Protocol Configuration settings to organizational standards., CC ID: 07607
Configure Logging settings in accordance with organizational standards., CC ID: 07611
Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards., CC ID: 07621
Configure Encryption settings in accordance with organizational standards., CC ID: 07625
Configure File Retention, Impact Level, and Classification Settings settings in accordance with organizational standards., CC ID: 07715
Configure System settings in accordance with organizational standards., CC ID: 07806
Configure Virus and Malware Protection settings in accordance with organizational standards., CC ID: 07906
Configure User Notification settings in accordance with organizational standards., CC ID: 08201
Configure Windows Components settings in accordance with organizational standards., CC ID: 08263
Configure File System settings in accordance with organizational standards., CC ID: 08294
Configure Control Panel settings in accordance with organizational standards., CC ID: 08311
Configure Capacity and Performance Management settings in accordance with organizational standards., CC ID: 08353
Configure Personal Information Handling settings in accordance with organizational standards., CC ID: 08396
Configure Data Backup and Recovery settings in accordance with organizational standards., CC ID: 08406
Configure Nonrepudiation Configuration settings in accordance with organizational standards., CC ID: 08432
Configure Device Installation settings in accordance with organizational standards., CC ID: 08438
Configure Security settings in accordance with organizational standards., CC ID: 08469
Configure Power Management settings in accordance with organizational standards., CC ID: 08515
Configure Patch Management settings in accordance with organizational standards., CC ID: 08519
Configure Start Menu and Task Bar settings in accordance with organizational standards., CC ID: 08615
Configure the proxy server to organizational standards., CC ID: 12115
Configure Red Hat Enterprise Linux to Organizational Standards., CC ID: 08713
Configure Polycom HDX to Organizational Standards., CC ID: 08986
Configure Apache and Tomcat to Organizational Standards., CC ID: 08987
Configure IIS to Organizational Standards., CC ID: 08988
Configure Microsoft SQL Server to Organizational Standards., CC ID: 08989
Configure Oracle WebLogic Server to Organizational Standards., CC ID: 08990
Configure security and protection software according to Organizational Standards., CC ID: 11917
Configure dedicated systems used for system management according to organizational standards., CC ID: 12132
Configure Application Programming Interfaces in accordance with organizational standards., CC ID: 12170
Configure the Domain Name System in accordance with organizational standards., CC ID: 12202
Configure payment systems in accordance with organizational standards., CC ID: 12217
Configure File Integrity Monitoring Software to Organizational Standards., CC ID: 11923
Configure Bluetooth settings according to organizational standards., CC ID: 12422
Remove backup files after initializing and hardening is complete., CC ID: 01602
Perform vulnerability testing before final installation., CC ID: 00884
Reboot the system after initial systems hardening is complete and before certification., CC ID: 01603
Configure systems to protect against unauthorized data mining., CC ID: 10095
Implement safeguards to prevent unauthorized code execution., CC ID: 10686
Configure network switches to organizational standards., CC ID: 12120
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
The hardware and software systems and procedures for an Authentication Service provider shall be reasonably secure from intrusion and misuse. (§ 30(3)(a), The Electronic Communications and Transactions Act, 2002)
A purchaser may supply installation parameters necessary for the program to function properly and may customize the software by choosing options. (§ 90(3), The Electronic Communications and Transactions Act, 2002)
Check that the database is hardened and not placed in a vulnerable spot within the network. (Annex A1: Database Security 51, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. (Security Control: 1494; Revision: 0, Australian Government Information Security Manual, March 2021)
When using a software-based isolation mechanism to share a physical server's hardware, the underlying operating system running on the server is hardened. (Security Control: 1605; Revision: 0, Australian Government Information Security Manual, March 2021)
An approach for patching or updating applications and drivers that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used. (Security Control: 0303; Revision: 6, Australian Government Information Security Manual, March 2021)
Video conferencing and IP telephony infrastructure is hardened. (Control: ISM-1562; Revision: 0, Australian Government Information Security Manual, June 2023)
Systems and applications are designed and configured to reduce their attack surface. (P3:, Australian Government Information Security Manual, June 2023)
When using a software-based isolation mechanism to share a physical server's hardware, the underlying operating system is hardened. (Control: ISM-1605; Revision: 1, Australian Government Information Security Manual, June 2023)
Configuration settings for wireless access points are hardened. (Control: ISM-1710; Revision: 1, Australian Government Information Security Manual, June 2023)
Video conferencing and IP telephony infrastructure is hardened. (Control: ISM-1562; Revision: 0, Australian Government Information Security Manual, September 2023)
Systems and applications are designed and configured to reduce their attack surface. (P3:, Australian Government Information Security Manual, September 2023)
When using a software-based isolation mechanism to share a physical server's hardware, the underlying operating system is hardened. (Control: ISM-1605; Revision: 1, Australian Government Information Security Manual, September 2023)
Configuration settings for wireless access points are hardened. (Control: ISM-1710; Revision: 1, Australian Government Information Security Manual, September 2023)
Operating systems are hardened using ASD and vendor hardening guidance. (Control: ISM-1409; Revision: 3, Australian Government Information Security Manual, September 2023)
Web browsers are hardened using ASD and vendor hardening guidance. (Control: ISM-1412; Revision: 5, Australian Government Information Security Manual, September 2023)
Server applications are hardened using ASD and vendor hardening guidance. (Control: ISM-1246; Revision: 5, Australian Government Information Security Manual, September 2023)
ICT equipment is hardened using ASD and vendor hardening guidance. (Control: ISM-1858; Revision: 1, Australian Government Information Security Manual, September 2023)
Office productivity suites are hardened using ASD and vendor hardening guidance. (Control: ISM-1859; Revision: 1, Australian Government Information Security Manual, September 2023)
PDF software is hardened using ASD and vendor hardening guidance. (Control: ISM-1860; Revision: 1, Australian Government Information Security Manual, September 2023)
The procedures for applying the appropriate hardening techniques in order to manage the security and functionality of System Software should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "System maintenance", Australian Government Information Security Manual: Controls)
The organization should install, configure, operate, and administer the evaluated products in accordance with the evaluation documentation. (Control: 0289, Australian Government Information Security Manual: Controls)
The organization must ensure High Grade Cryptographic Equipment and high assurance products are installed, configured, operated, and administered in accordance with the specific guidance from Defence Signals Directorate. (Control: 0290, Australian Government Information Security Manual: Controls)
High Grade Cryptographic Equipment and high assurance products must not be used in an unevaluated configuration. (Control: 0292, Australian Government Information Security Manual: Controls)
The organization must ensure security patches, driver updates, firmware updates, and application installations are conducted in a way that verifies the authenticity and integrity of the process. (Control: 0303, Australian Government Information Security Manual: Controls)
The organization must configure, harden, and secure web servers. (Control: 1242, Australian Government Information Security Manual: Controls)
The organization should securely configure the Database Management System software in accordance with the vendor's guidance. (Control: 1246, Australian Government Information Security Manual: Controls)
Network security devices that are connected to dual-stack networks or Internet Protocol version 6 networks must be Internet Protocol version 6 capable. (Control: 1186, Australian Government Information Security Manual: Controls)
The organization should maintain an initial hardening of the system to prevent or reduce potential vulnerabilities to the system. Organizations should develop installation procedures for the hardening of workstations and servers. (§ 3.5.8, § 3.5.10, § 3.5.12, Australian Government ICT Security Manual (ACSI 33))
The organization should harden the workstation application security configurations (e.g., disabling unnecessary features in Microsoft Office applications, pdf viewers, and web browsers. (Mitigation Strategy Effectiveness Ranking 26, Strategies to Mitigate Targeted Cyber Intrusions)
The organization should harden the server application security configuration (e.g., web applications, databases, data storage systems, and Customer Relationship Management). (Mitigation Strategy Effectiveness Ranking 28, Strategies to Mitigate Targeted Cyber Intrusions)
System components which are used for the rendering of the cloud service are hardened according to generally established and accepted industry standards. The hardening instructions used are documented as well as the implementation status. (Section 5.6 RB-22 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
Configuration verification and audit comprises a series of reviews and audits that verify the physical existence of CIs and check that the CIs are correctly recorded in the CMDB and controlled libraries. It includes the verification of Release and configuration documentation before changing the live… (§ 7.3.5, OGC ITIL: Service Support)
You securely configure the network and information systems that support the operation of essential functions. (B4.b ¶ 1, NCSC CAF guidance, 3.1)
The entity uses a combination of controls to restrict access to its information assets including data classification. The entity enforces logical separations of data structures and the segregation of incompatible duties applies device security hardening and security configuration policies, including… (S7.1 Restricts access to information assets, Privacy Management Framework, Updated March 1, 2020)
Is the system configured to filter JavaScript? (Table Row VI.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
Is the system configured to filter the Java Virtual Machine vulnerability? (Table Row VI.7, OECD / World Bank Technology Risk Checklist, Version 7.3)
The partition that Mac OS X will be installed on should be securely erased prior to installation. By erasing the partition, potential vulnerabilities caused by previous settings will be eliminated. (Pg 22, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
Ensure the container host has been Hardened Description: A container host is able to run one or more containers. It is of utmost importance to harden the host to mitigate host security misconfiguration. Rationale: You should follow infrastructure security best practices and harden your host OS. Keep… (1.1.1, The Center for Internet Security Docker Level 1 Linux Host OS Benchmark, v 1.2.0)
Ensure the container host has been Hardened Description: A container host is able to run one or more containers. It is of utmost importance to harden the host to mitigate host security misconfiguration. Rationale: You should follow infrastructure security best practices and harden your host OS. Keep… (1.1.1, The Center for Internet Security Docker Level 2 Linux Host OS Benchmark, v 1.2.0)
Peer-to-peer WLANs should have mutual authentication enabled. (§ 2.3.2 (2.3.2.060), The Center for Internet Security Wireless Networking Benchmark, 1)
Use configuration hardening by disabling all unnecessary services in the router configuration.
Harden Web servers to tighten the security and remove exploitable tools.
Harden an application server after installation. Rename built-in accounts, and change the password.
Harden DNS servers.
Harden mail … (§ 3-3, § 3-10, § 3-13, § 3-15, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
Verify the system configuration standards are consistent with industry-accepted hardening standards. (§ 2.2.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
Examine the system configuration standards and verify they are consistent with industry-accepted system hardening standards. (Testing Procedures § 2.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Interview personnel and examine policies to verify the system configuration standards are applied to new systems when they are initially configured. (Testing Procedures § 2.2.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Review the documented policies and procedures to verify they include processes that the protocols in use only support secure versions and configurations. (Testing Procedures § 4.1.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Develop configuration standards for all system components. (§ 2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
Verify the system configuration standards are consistent with industry-accepted hardening standards. (§ 2.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
Are system configuration standards applied when new systems are configured? (PCI DSS Question 2.2(c), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
Are system configuration standards applied when new systems are configured? (PCI DSS Question 2.2(c), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
Are security policies and operational procedures for managing vendor defaults and other security parameters documented, in use, and known to all affected parties? (PCI DSS Question 2.5, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
Are system configuration standards applied when new systems are configured? (PCI DSS Question 2.2(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
Are security policies and operational procedures for managing vendor defaults and other security parameters documented, in use, and known to all affected parties? (PCI DSS Question 2.5, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
Are system configuration standards applied when new systems are configured? (PCI DSS Question 2.2(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
Are security parameter settings set appropriately on system components? (PCI DSS Question 2.2.4(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
Are security policies and operational procedures for managing vendor defaults and other security parameters documented, in use, and known to all affected parties? (PCI DSS Question 2.5, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (PCI DSS Question 4.1(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
Servers should be subject to standard security management practices, which includes applying a comprehensive set of management tools (e.g., maintenance utilities, remote support, enterprise management tools, and back-up software). (CF.07.02.06d, The Standard of Good Practice for Information Security)
Business applications should be protected against unauthorized access to information by hardening the Operating System (e.g., ensuring that all unnecessary software, network services, and applications have been disabled / removed). (CF.04.01.02a, The Standard of Good Practice for Information Security)
Network devices should be subject to standard security management practices, which includes 'hardening' the operating system(s) that support them (e.g., by patching all known vulnerabilities, disabling unnecessary services, removing unnecessary scripts, drivers, features and sub-systems, and changin… (CF.09.01.03b, The Standard of Good Practice for Information Security)
The Digital Rights Management server should be subject to standard security management practices (eg restricting physical access, performing system 'hardening', applying Change Management and malware protection, monitoring them and performing regular reviews). (CF.08.08.06, The Standard of Good Practice for Information Security)
Office equipment shall be deployed according to a standard, technical configurations (e.g., disabling unnecessary services, such as web, mail, and File Transfer Protocol, and changing default administration passwords). (CF.12.03.02b, The Standard of Good Practice for Information Security)
Important internal Certification Authorities (and related sub-certification authorities) should be protected by 'hardening' the operating system(s) that support them (e.g., by patching all known vulnerabilities, disabling unnecessary services, and changing vendor supplied default parameters, such as… (CF.08.06.03b, The Standard of Good Practice for Information Security)
Mobile devices should be provided with standard technical build configurations that include running a standard Operating System, trusted applications, and reliable communications software. (CF.14.02.04a, The Standard of Good Practice for Information Security)
Protection of the instant messaging infrastructure should be improved by 'hardening' instant messaging servers (e.g., by locking down the Operating System and application). (CF.15.02.04b, The Standard of Good Practice for Information Security)
Business applications should be protected against unauthorized access to information by hardening the Operating System (e.g., ensuring that all unnecessary software, network services, and applications have been disabled / removed). (CF.04.01.02a, The Standard of Good Practice for Information Security, 2013)
Network devices should be subject to standard security management practices, which includes 'hardening' the operating system(s) that support them (e.g., by patching all known vulnerabilities, disabling unnecessary services, removing unnecessary scripts, drivers, features and sub-systems, and changin… (CF.09.01.03b, The Standard of Good Practice for Information Security, 2013)
The Digital Rights Management server should be subject to standard security management practices (eg restricting physical access, performing system 'hardening', applying Change Management and malware protection, monitoring them and performing regular reviews). (CF.08.08.06, The Standard of Good Practice for Information Security, 2013)
Office equipment shall be deployed according to a standard, technical configurations (e.g., disabling unnecessary services, such as web, mail, and File Transfer Protocol, and changing default administration passwords). (CF.12.03.02b, The Standard of Good Practice for Information Security, 2013)
Protection of the instant messaging infrastructure should be improved by 'hardening' instant messaging servers (e.g., by locking down the Operating System and application). (CF.15.02.04b, The Standard of Good Practice for Information Security, 2013)
Servers should be subject to standard security management practices, which includes applying a comprehensive set of management tools (e.g., maintenance utilities, remote support, enterprise management tools, and back-up software). (CF.07.02.09d, The Standard of Good Practice for Information Security, 2013)
Mobile devices should be provided with standard technical build configurations that include running a standard Operating System, trusted applications, and reliable communications software. (CF.14.02.04, The Standard of Good Practice for Information Security, 2013)
Servers should be configured to protect memory against misuse by malicious or compromised applications (e.g., by enabling Data Execution Prevention and using Address Space Layout Randomization to prevent buffer overflow attacks). (CF.07.02.06, The Standard of Good Practice for Information Security, 2013)
Servers should be configured in accordance with documented standards / procedures, which cover using standardized, predetermined server images to build / configure servers. (CF.07.02.01b, The Standard of Good Practice for Information Security, 2013)
Verify that server configuration is hardened as per the recommendations of the application server and frameworks in use. (14.1.3, Application Security Verification Standard 4.0.3, 4.0.3)
Establish standard secure configurations of your operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to u… (Control 3.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
The organization should implement secure configurations for hardware and software on laptops, workstations, mobile devices, and servers. (Critical Control 3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
The organization should use hardened versions of the Operating System and applications to make the standardized images. (Critical Control 3.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
The organization should conduct a configuration review of the database software and the Operating System where it resides, for each application that relies on a database, to verify the database settings have been hardened in accordance with the standard hardening templates. (Critical Control 6.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications. (IS-30, The Cloud Security Alliance Controls Matrix, Version 1.3)
Reduce the attack surface of SWIFT-related components by performing application hardening on the SWIFT-certified messaging and communication interfaces and related applications. (2.10A Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
Reduce the cyber attack surface of SWIFT-related components by performing system hardening. (2.3 Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
Maintain documented, standard security configuration standards for all authorized operating systems and software. (CIS Control 5: Sub-Control 5.1 Establish Secure Configurations, CIS Controls, V7)
Protection Against Malicious Code. Users need to be aware that malicious code may be introduced into their environment through network connections. Malicious code may not be detected before damage is done unless suitable safeguards are implemented. Malicious code may result in compromise of security… (¶ 13.6, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for… (PR.AC-4.3, CRI Profile, v1.2)
The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for… (PR.AC-4.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
Implements the configuration settings; (CM-6b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
Implements the configuration settings; (CM-6b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
Implements the configuration settings; (CM-6b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
Implements the configuration settings; (CM-6b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. (M1053 Data Backup, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. (M1028 Operating System Configuration, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates. (M1054 Software Configuration, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
System hardening; or (Attachment 1 Section 1. 1.3. Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
Review of system hardening used by the party; or (Attachment 1 Section 2. 2.2 Bullet 5, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
Introduction of malicious code mitigation: Use one or a combination of the following methods to achieve the objective of mitigating malicious code (per Transient Cyber Asset capability):
- Review of antivirus update level;
- Review of antivirus update process used by the party;
- Review of applicati… (Section 2. 2.2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
Software Vulnerability Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability):
- Security patching, including manual or managed up… (Section 1. 1.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
System hardening; or (Attachment 1 Section 1. 1.3. Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
Review of system hardening used by the party; or (Attachment 1 Section 2. 2.2 Bullet 5, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
Review of system hardening used by the party; or (Attachment 1 Section 5. 5.2 5.2.1 Bullet 5, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
Do UNIX computers or Linux computers that transmit scoped data conform to the UNIX hardening standards? (§ G.16.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
Do UNIX computers or Linux computers that process scoped data conform to the UNIX hardening standards? (§ G.16.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
Do UNIX computers or Linux computers that store scoped data conform to the UNIX hardening standards? (§ G.16.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
Do windows systems that transmit scoped data conform to the windows hardening standards? (§ G.17.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
Do windows systems that process scoped data conform to the windows hardening standards? (§ G.17.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
Do windows systems that store scoped data conform to the windows hardening standards? (§ G.17.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
On mainframes that transmit scoped data, are Enterprise Security Manager (Resource Access Control Facility) and inherent security configuration settings configured to support the access control standards and requirements? (§ G.18.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
On mainframes that process scoped data, are Enterprise Security Manager (Resource Access Control Facility) and inherent security configuration settings configured to support the access control standards and requirements? (§ G.18.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
On mainframes that store scoped data, are Enterprise Security Manager (Resource Access Control Facility) and inherent security configuration settings configured to support the access control standards and requirements? (§ G.18.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
For cloud computing services, are the component and system configuration standards available during a client audit? (§ V.1.20.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
Does security hardening involve the cloud computing providers providing default hardened images? (§ V.1.49.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
For cloud computing services, does system hardening involve client supplied default hardened images? (§ V.1.49.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
For cloud computing services, are The Center for Internet Security hardening standards applied? (§ V.1.49.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
For cloud computing services, are the National Institute of Standards and Technology hardening standards applied? (§ V.1.49.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
For cloud computing services, are the System Administration, Networking, And Security Institute hardening standards applied? (§ V.1.49.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
For cloud computing services, are the vendor hardening standards applied? (§ V.1.49.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
For cloud computing services, are other hardening standards applied? (§ V.1.49.7, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are hypervisor hardening standards applied? (§ V.1.72.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
§ 3.10.1 ¶ 1: As part of the configuration management program, CMS business partners are highly encouraged to use the documents listed in Appendix C to develop configuration standards, templates, and processes to securely configure Medicare systems.
§ 3.10.1 ¶ 3: The CMS hierarchy for implementi… (§ 3.10.1 ¶ 1, § 3.10.1 ¶ 3, § 3.10.2 ¶ 2, § 3.10.3, § 3.10.4 ¶ 2, § 3.10.4 ¶ 4, CMS Business Partners Systems Security Manual, Rev. 10)
CSR 2.1.2: The organization must ensure all security features are available and activated.
CSR 3.6.5: The organization must configure the operating system so the security software and application controls cannot be circumvented.
CSR 10.7.9: The organization must configure the security settings to th… (CSR 2.1.2, CSR 3.6.5, CSR 10.7.9, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
The organization must adhere to all security requirements listed in the applicable Operating System STIG(s) and the applicable Desktop Application STIG(s) when using devices that access a DoD network remotely. (§ 3, § 5.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
§ 2.2 (WIR3160) Host servers and computers that have Good Mobile Messaging (GMM) services installed on them should be hardened in accordance with the applicable operating system STIG (Security Technical Implementation Guide).
§ 2.2 (WIR3250) Ensure that all required wireless e-mail servers and dev… (§ 2.2 (WIR3160), § 2.2 (WIR3250), App B.1 Row "Enable Access to Good Contacts", App B.1 Row "Enable beaming contacts", § 3.3.1, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
Host servers and computers that have Windows Mobile Messaging services installed on them should be hardened in accordance with the applicable operating system STIG (Security Technical Implementation Guide).
§ 2.2 (WIR2250) All required wireless e-mail server and device configuration should be imple… (§ 2.2 (WIR2160), § 2.2 (WIR2250), § 3.4.1, § 3.4.2, App B.1Row "SSL connection to ISA server", App B.2 Row "SSL connection to Exchange", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
Hardening / patching / maintenance of OSs and applications IAW industry standards. DoD SRGs and STIGS or DoD-accepted equivalents must be used if the service is private or community cloud used by DoD. For Information Assurance (IA) Vulnerability Management (IAVM) message compliance, the CSP will be … (Section 5.10.3.1 ¶ 2 Bullet 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
The organization must verify that all Department of Defense configuration guides or implementation guides have been implemented for enclaves and Automated Information System applications. (ECSC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
Determine whether management has processes to harden applications and systems (e.g., installing minimum services, installing necessary patches, configuring appropriate security settings, enforcing principle of least privilege, changing default passwords, and enabling logging). (App A Objective 6.13, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
Management should have a process to introduce changes to the environment in a controlled manner. Changes to the IT environment include the following:
- Configuration management of IT systems and applications.
- Hardening of systems and applications.
- Use of standard builds.
- Patch management. (II.C.10 Change Management Within the IT Environment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
Before a system is put into the production environment, it should be hardened by removing or disabling any unnecessary or insecure files and services. (Pg 29, FFIEC IT Examination Handbook - E-Banking, August 2003)
Whether network servers are satisfactorily hardened against the risk of internal or external hacking. (App A Tier 2 Objectives and Procedures C.2 Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
Securing containers from applications within them. (Risk Management Audit and Controls Assessment Bullet 3 Sub-bullet 2 Sub-sub-bullet 3, FFIEC Security in a Cloud Computing Environment)
Securing the host from containers and vice versa. (Risk Management Audit and Controls Assessment Bullet 3 Sub-bullet 2 Sub-sub-bullet 4, FFIEC Security in a Cloud Computing Environment)
Security configuration, provisioning, logging, and monitoring. Misconfiguration of cloud resources is a prevalent cloud vulnerability and can be exploited to access cloud data and services. System vulnerabilities can arise due to the failure to properly configure security tools within cloud computin… (Risk Management Cloud Security Management Bullet 4, FFIEC Security in a Cloud Computing Environment)
The service provider shall use the level 1 guidelines from the center for internet security to develop a list of prohibited or restricted functions, protocols, ports, and/or services or establish its own list, if the united states government configuration baseline is not available. (Column F: CM-7, FedRAMP Baseline Security Controls)
Implements the configuration settings; (CM-6b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
Implement the configuration settings; (CM-6b., FedRAMP Security Controls High Baseline, Version 5)
Implement the configuration settings; (CM-6b., FedRAMP Security Controls Low Baseline, Version 5)
Implement the configuration settings; (CM-6b., FedRAMP Security Controls Moderate Baseline, Version 5)
The system must be configured to provide only essential capabilities. (§ 5.6.5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
Are all Operating Systems appropriately configured to protect critical data and sensitive data, e.g., disabling unnecessary services and accounts? (IT - Security Program Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
All hosts should be appropriately hardened. They should be configured to provide the minimum amount of services to users and hosts, have defaults changed, display warning banners, have auditing enabled, and log security events. (§ 3.1.2 ¶ 3, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
Implement the configuration settings; (CM-6b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
Implement the configuration settings; (CM-6b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
Implement the configuration settings; (CM-6b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
Implement the configuration settings; (CM-6b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
Implement the configuration settings; (CM-6b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
Implement the configuration settings; (CM-6b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Implement the configuration settings; (CM-6b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
Organizational records and documents should be examined to ensure mandatory configuration settings are used throughout the system; configuration settings are documented; automated mechanisms are used to manage, apply, and verify configuration settings; the security settings are configured to the mos… (CM-6, CM-6(1), CM-6.8, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
Implements the configuration settings; (CM-6b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Implements the configuration settings; (CM-6b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Implements the configuration settings; (CM-6b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Security must be as portable as the containers themselves, so organizations should adopt techniques and tools that are open and work across platforms and environments. Many organizations will see developers build in one environment, test in another, and deploy in a third, so having consistency in as… (7 ¶ 6, NIST SP 800-190, Application Container Security Guide)
Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach. (PO.5.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
The organization should establish the configuration settings for each system component. (SG.CM-6 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The smart grid Information System must fail to a known state for defined failures. (SG.SC-22 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The smart grid Information System should store the system state information when it is in failure. (SG.SC-22 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The organization should use automated mechanisms to centrally manage, apply, and verify configuration settings. (App F § CM-6(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization must establish and document mandatory configuration settings that configure the security settings of Information Technology products to the most restrictive mode consistent with Information System Operational Requirements. (App F § CM-6.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization must implement the configuration settings. (App F § CM-6.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization should use standard configurations for systems, system components, and Information Technology products. (App F § SA-12(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The Information System should load and execute the operating environment from hardware-enforced, read-only media. (App F § SC-34.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The Information System must load and execute defined applications from hardware-enforced, read-only media. (App F § SC-34.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization should use nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support automated mechanisms for centrally managing, applying, and verifying configuration settings. (App I § CM-6 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
Establish continuous monitoring configuration settings issues and coordination sub-group. (T1000, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)â, July 7, 2020)
Establish a process to provide technical help to continuous monitoring mitigators. (T0995, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)â, July 7, 2020)
The organization implements the configuration settings. (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The organization implements the configuration settings. (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
The organization implements the configuration settings. (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
The organization implements the configuration settings. (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
Implements the configuration settings; (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
Implements the configuration settings; (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
Implements the configuration settings; (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
Implements the configuration settings; (CM-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
Implement the configuration settings; (CM-6b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Employ [Selection (one or more): design modification, augmentation, reconfiguration] on [Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components. (SA-23 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Implement the configuration settings; (CM-6b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Employ [Selection (one or more): design modification, augmentation, reconfiguration] on [Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components. (SA-23 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Implements the configuration settings; (CM-6b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
Wherever feasible, use data encryption, in combination with host protection and access control, to protect higher-risk personal information. (Part I ¶ 10, California OPP Recommended Practices on Notification of Security Breach, May 2008)
