Lock configurations to prevent circumventing security measures.

CONTROL ID: 12187
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • System hardening through configuration management, CC ID: 00860

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Standard users are prevented from bypassing, disabling or modifying security functionality of operating systems. (Security Control: 1584; Revision: 0, Australian Government Information Security Manual, March 2021)
  • All users (with the exception of privileged users when performing specific administrative activities) cannot disable, bypass or be exempted from application control. (Security Control: 0846; Revision: 7, Australian Government Information Security Manual, March 2021)
  • Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed. (Security Control: 1524; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Standard users are prevented from bypassing, disabling or modifying security functionality of applications. (Security Control: 1585; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Microsoft Office macro security settings cannot be changed by users. (Security Control: 1489; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Microsoft's latest recommended block rules are implemented to prevent application control bypasses. (Security Control: 1544; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Microsoft Office macro security settings cannot be changed by users. (Control: ISM-1489; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems. (Control: ISM-1584; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Office productivity suite security settings cannot be changed by users. (Control: ISM-1823; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Web browser security settings cannot be changed by users. (Control: ISM-1585; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Security product security settings cannot be changed by users. (Control: ISM-1825; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Email client security settings cannot be changed by users. (Control: ISM-1748; Revision: 1, Australian Government Information Security Manual, June 2023)
  • PDF software security settings cannot be changed by users. (Control: ISM-1824; Revision: 0, Australian Government Information Security Manual, June 2023)
  • denies users the ability to disable the session or screen locking mechanism. (Control: ISM-0428; Revision: 9; Bullet 5, Australian Government Information Security Manual, June 2023)
  • Unprivileged users do not have the ability to uninstall or disable approved software. (Control: ISM-0382; Revision: 7, Australian Government Information Security Manual, June 2023)
  • All users (with the exception of local administrator accounts and break glass accounts) cannot disable, bypass or be exempted from application control. (Control: ISM-0846; Revision: 8, Australian Government Information Security Manual, June 2023)
  • Microsoft Office macro security settings cannot be changed by users. (Control: ISM-1489; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems. (Control: ISM-1584; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Office productivity suite security settings cannot be changed by users. (Control: ISM-1823; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Web browser security settings cannot be changed by users. (Control: ISM-1585; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Security product security settings cannot be changed by users. (Control: ISM-1825; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Email client security settings cannot be changed by users. (Control: ISM-1748; Revision: 1, Australian Government Information Security Manual, September 2023)
  • PDF software security settings cannot be changed by users. (Control: ISM-1824; Revision: 0, Australian Government Information Security Manual, September 2023)
  • denies users the ability to disable the session or screen locking mechanism. (Control: ISM-0428; Revision: 9; Bullet 5, Australian Government Information Security Manual, September 2023)
  • Unprivileged users do not have the ability to uninstall or disable approved software. (Control: ISM-0382; Revision: 7, Australian Government Information Security Manual, September 2023)
  • All users (with the exception of local administrator accounts and break glass accounts) cannot disable, bypass or be exempted from application control. (Control: ISM-0846; Revision: 8, Australian Government Information Security Manual, September 2023)
  • Merchants should not circumvent any security measures on the mobile device (e.g., enabling USB debugging if already disabled or rooting the mobile device). (¶ 5.3.3, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • SL 2 – Prevent the intended circumvention of zone and conduit segmentation by entities using simple means with low resources, generic skills and low motivation. (9.1 ¶ 1 Bullet 2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • SL 3 – Prevent the intended circumvention of zone and conduit segmentation by entities using sophisticated means with moderate resources, IACS specific skills and moderate motivation. (9.1 ¶ 1 Bullet 3, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • SL 4 – Prevent the intended circumvention of zone and conduit segmentation by entities using sophisticated means with extended resources, IACS specific skills and high motivation. (9.1 ¶ 1 Bullet 4, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • SL 1 – Prevent the casual or coincidental circumvention of zone and conduit segmentation. (9.1 ¶ 1 Bullet 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Prevent modification of environment variables by unauthorized users and groups. (M1039 Environment Variable Permissions, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Setting and locking device configuration (§ 5.13.2 ¶ 3 2.c., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. (CM-3(8) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. (CM-3(8) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations. (3.4.2e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. (CM-3(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. (CM-3(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)