Control Summary
Establish and maintain the secure configuration of enterprise assets and software.

Why is it needed?
By default, enterprise assets and software often come with configurations tailored for ease of deployment and user-friendliness rather than prioritising security. These default settings may include basic controls, open services and ports, default accounts or passwords, pre-configured Domain Name System (DNS) settings, outdated and vulnerable protocols, and the inclusion of unnecessary pre-installed software, all of which can pose security risks if left unaltered.
Moreover, the management and maintenance of security configuration updates are critical throughout the entire lifecycle of enterprise assets and software. These updates should be carefully monitored and approved through a structured configuration management workflow process to establish a comprehensive record. Such records not only ensure compliance but also serve as valuable resources for incident response and audit support. This control is of paramount importance for a wide range of environments, encompassing on-premises devices, remote devices, network devices, and cloud-based systems.
Implementing Control
Meeting this control at a basic level requires establishing and maintaining a secure configuration process, configuring automatic session locking on enterprise assets, and implementing and managing a firewall on servers and end-user devices.
Implementation Group 1 requires the following seven safeguards:
4.1 Establish and Maintain a Secure Configuration Process
The creation and ongoing management of a secure configuration can be challenging and take some time and effort; however, publicly available resources can be leveraged. There are many security baselines available for each system, starting with publicly developed, vetted, and supported security benchmarks.
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
Establish and maintain a secure configuration process for network devices. Review and update the documentation annually, or whenever significant business changes occur that could affect this safeguard.
4.3 Configure Automatic Session Locking on Enterprise Assets
Configure automatic session locking on enterprise assets so that a session locks after a defined period of inactivity. For general-purpose operating systems the inactivity timeout should not exceed 15 minutes; for mobile end-user devices it should not exceed 2 minutes.
4.4 Implement and Manage a Firewall on Servers
Deploy and oversee firewalls on servers, leveraging suitable options such as virtual firewalls, operating system firewalls, or third-party firewall agents where applicable.
4.5 Implement and Manage a Firewall on End-User Devices
Install and oversee a host-based firewall or port-filtering tool on end-user devices, configured with a default-deny rule that blocks all traffic except for explicitly permitted services and ports.
4.6 Securely Manage Enterprise Assets and Software
Manage enterprise assets and software securely, for example by governing their configuration through version-controlled infrastructure as code.
4.7 Manage Default Accounts on Enterprise Assets and Software
Administer default accounts on enterprise assets and software, including root, administrator, and other vendor-provided pre-configured accounts. Possible approaches may involve deactivating these default accounts or rendering them nonfunctional.
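To make the IG1 thresholds in 4.3, 4.5 and 4.7 checkable on a host, here is an added example that is not part of the original page or of the CIS publication: a Python audit over constructed sample artifacts. It assumes Linux /etc/shadow and nftables ruleset formats, an assumed list of vendor-provided account names, and the GNOME convention that an idle delay of 0 disables locking.

```python
import re

# Constructed sample artifacts (not captured from any real host).
SHADOW_SAMPLE = """root:$6$saltsalt$hashedpasswordvalue:19000:0:99999:7:::
admin:!:19000:0:99999:7:::
administrator:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$saltsalt$anotherhashedvalue:19000:0:99999:7:::
"""
NFT_SAMPLE = """table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 22 accept
    }
}
"""
# Assumed list of vendor-provided account names to review under 4.7.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "guest"}
# 4.3 inactivity caps from the control text, in seconds.
MAX_IDLE_SECONDS = {"general": 15 * 60, "mobile": 2 * 60}

def usable_default_accounts(shadow_text):
    """4.7: default accounts whose password field still permits login. A field
    starting with '!' or '*' is locked; an empty field means no password at all."""
    usable = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, password = line.split(":")[:2]
        if name in DEFAULT_ACCOUNTS and not password.startswith(("!", "*")):
            usable.append(name)
    return usable

def input_chain_default_deny(ruleset_text):
    """4.5: True only if every input-hook chain in an nft ruleset has 'policy drop'."""
    policies = re.findall(r"hook input priority [^;]+;\s*policy (\w+);", ruleset_text)
    return bool(policies) and all(p == "drop" for p in policies)

def idle_timeout_compliant(device_class, idle_seconds):
    """4.3: general OS locks within 15 min, mobile within 2 min; 0 means never locks."""
    return 0 < idle_seconds <= MAX_IDLE_SECONDS[device_class]

def audit(shadow_text, ruleset_text, device_class, idle_seconds):
    """Collect findings for the three safeguards on one host."""
    findings = [f"4.7: default account '{n}' is not locked"
                for n in usable_default_accounts(shadow_text)]
    if not input_chain_default_deny(ruleset_text):
        findings.append("4.5: input chain is not default-deny")
    if not idle_timeout_compliant(device_class, idle_seconds):
        findings.append(f"4.3: idle timeout {idle_seconds}s exceeds cap for {device_class}")
    return findings
```

On a real Linux host the same functions can be fed the contents of /etc/shadow and the output of `nft list ruleset`; the empty-password case for guest is flagged deliberately, since an empty shadow field is a passwordless login rather than a locked one.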
Additional safeguards in Implementation Groups 2 and 3:
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
4.9 Configure Trusted DNS Servers on Enterprise Assets
4.10 Enforce Automatic Device Lockout on Portable End-User Devices
4.11 Enforce Remote Wipe Capability on Portable End-User Devices
4.12 Separate Enterprise Workspaces on Mobile End-User Devices
