Control 5.1: Establish Secure Configurations

Maintain documented security configuration standards for all authorized operating systems and software.

Category

Technical

Purpose

Establishing secure configurations means that each computer system within an enterprise must have the appropriate security settings applied. Many computers do not come with all of the security settings appropriately configured "out of the box", as these settings tend to decrease the functionality and options afforded to users. Further complicating the situation, as operating systems and applications receive updates, configuration settings can change: new settings may be created, and others may be removed. This creates a constant problem that needs to be regularly monitored and addressed.

As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared towards ease of deployment and ease of use, not security. Open services and ports, default accounts or passwords, older (vulnerable) protocols, and preinstalled but unneeded software can all be exploited in their default state, and attackers take advantage of such improperly configured settings. Properly configuring enterprise computer systems helps to defend against major types of malware and even network-based attacks.

Automation

This Sub-Control is completely automatable if an enterprise decides to acquire the appropriate software. Beyond this Sub-Control, some software tools can help organizations maintain secure configurations over time, which can be quite difficult. Although initial configurations may be done by hand, monitoring for changes and out-of-date settings is best performed by software.
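The two preceding sections describe what a documented configuration standard has to capture (legacy protocols, default accounts, unneeded features) and why drift after updates must be detected by software rather than by hand. The following is an added example written for this page, not code from CIS or from any benchmark tool: a small drift checker that parses an OpenSSH `sshd_config`-style file, compares it against a documented baseline, and lists every deviation. The baseline values, the "forbidden" entry, and the sample configuration text are illustrative assumptions constructed for the example; an enterprise standard would use its own documented values.

```python
"""Configuration-drift check for an sshd_config-style key/value file.

Added example for this page (not CIS code). The BASELINE and FORBIDDEN
tables are assumed, illustrative values; SAMPLE_* texts are constructed.
"""
from __future__ import annotations

import sys

# Documented standard: keyword -> value required by the baseline (assumed).
BASELINE = {
    "Protocol": "2",                 # no legacy SSHv1
    "PermitRootLogin": "no",         # no direct root login
    "PasswordAuthentication": "no",  # key-based authentication only
    "X11Forwarding": "no",           # unneeded feature stays disabled
    "MaxAuthTries": "4",             # explicit, not the vendor default
}

# Settings that must never carry the listed value (assumed example).
FORBIDDEN = {"PermitEmptyPasswords": "yes"}


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Keyword value' lines, ignoring comments and blanks.

    Keywords are case-insensitive in sshd, so they are stored lower-cased.
    sshd uses the FIRST occurrence of a keyword, so later duplicates are
    ignored here as well.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: nothing to compare
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def check_drift(actual: dict[str, str],
                baseline: dict[str, str] = BASELINE,
                forbidden: dict[str, str] = FORBIDDEN) -> list[str]:
    """Return one human-readable finding per deviation from the standard."""
    findings: list[str] = []
    for key, expected in baseline.items():
        got = actual.get(key.lower())
        if got is None:
            # Unset means the vendor default applies; the standard requires
            # the value to be stated explicitly, so this counts as drift.
            findings.append(f"{key}: not set (expected {expected!r})")
        elif got != expected:
            findings.append(f"{key}: {got!r} != expected {expected!r}")
    for key, bad in forbidden.items():
        if actual.get(key.lower()) == bad:
            findings.append(f"{key}: forbidden value {bad!r} present")
    return findings


# Constructed sample: an update re-enabled some permissive defaults.
SAMPLE_DRIFTED = """\
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
# MaxAuthTries intentionally absent -> vendor default applies
PermitEmptyPasswords yes
"""

# Constructed sample that matches the documented standard.
SAMPLE_COMPLIANT = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
PermitEmptyPasswords no
"""


def main() -> None:
    # Check a real file if a path is given, otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DRIFTED
    findings = check_drift(parse_config(text))
    print("compliant" if not findings else "\n".join(findings))


if __name__ == "__main__":
    main()
```

Run without arguments to see the four findings for the constructed sample, or pass a path to check a host's own file; the same pattern (parse, compare to a documented table, report every difference) extends to any key/value configuration format and is what scheduled configuration-monitoring software does at scale.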

Guidance and Tools

Many tools are available to check and maintain secure configurations within an enterprise. Additionally, multiple organizations put out configuration guidance for systems and applications.


CIS offers free PDFs with configuration guidelines for 100+ technologies (https://www.cisecurity.org/cis-benchmarks).