Security Control 3:
Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID | Details | High | Med | Low

3.1 (High: REQ, Med: REQ, Low: REQ)
Run a stable version of software and make sure it is fully patched. Remove outdated or older software from the system.

3.2 (High: REQ, Med: REQ, Low: REQ)
All remote administration of servers, workstations, network devices, and similar equipment should be done over secure channels.

[additional details]
Protocols such as telnet, virtual network computing (VNC), remote desktop protocol (RDP), or other protocols that do not natively support strong encryption should only be used if they are tunnelled over a secondary encryption channel, such as secure sockets layer (SSL) or Internet protocol security (IPSEC).

3.3 (High: REQ, Med: REC, Low: OPT)
Strict configuration management should be followed, building a secure image that is used to build all new systems that are deployed.

3.4 (High: REQ, Med: REC, Low: OPT)
Any existing system that becomes compromised is re-imaged with the secure build.

3.5 (High: REQ, Med: REC, Low: OPT)
Regular updates to this image are integrated into the change management processes.

3.6 (High: REQ, Med: REC, Low: OPT)
Systems should be hardened, including the underlying operating system and the applications installed on the system (e.g., following Center for Internet Security benchmarks).

[additional details]
This hardening would typically include removal of unnecessary accounts, disabling or removal of unnecessary services, and configuring non-executable stacks and heaps through the use of operating system features such as data execution prevention (DEP). Such hardening also involves, among other measures, applying patches, closing open and unused network ports, implementing host-based intrusion detection and/or intrusion prevention systems, and erecting host-based firewalls.

3.7 (High: REQ, Med: REC, Low: OPT)
Any deviations from the standard build or updates to the standard build should be documented and approved in the change management process.

3.8 (High: REQ, Med: REC, Low: OPT)
Ensure that contracts for purchasing systems require the systems to be configured securely out of the box using standardized images.

3.9 (High: REQ, Med: REC, Low: OPT)
The master images must be stored on securely configured servers, with integrity checking tools and change management to ensure that only authorized changes to the images are possible.

[additional details]
Alternatively, these master images can be stored on offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.

3.10 (High: REQ, Med: REC, Low: OPT)
Utilize file integrity checking tools on at least a weekly basis to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered.

[additional details]
All alterations to such files should automatically generate alerts. The reporting system should have the ability to account for routine and expected changes, highlighting unusual or unexpected alterations.

3.11 (High: REQ, Med: REC, Low: OPT)
At least quarterly, run assessment programs (e.g., CIS benchmark assessment tools) on a varying sample of systems to determine which ones are configured according to the secure configuration guidelines.
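The following is an added illustration of control 3.10 (it is not part of the control document): a minimal file integrity check that hashes a tree against a baseline taken from the secure build and, as the control asks, distinguishes changes that change management approved from unexpected ones that must raise an alert. The directory layout, file names and the "approved" mapping are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (POSIX relative path) to its SHA-256; this is the baseline of the secure build."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict, approved: dict) -> list:
    """Compare the live tree with the baseline and classify each deviation.

    approved maps a relative path to the hash that change management authorised
    (None means the file was approved for removal). A deviation matching an
    approved entry is 'expected'; everything else is an 'ALERT'."""
    current = snapshot(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            kind = "deleted"
        elif rel not in baseline:
            kind = "added"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue  # unchanged: nothing to report
        expected = rel in approved and approved[rel] == current.get(rel)
        findings.append((rel, kind, "expected" if expected else "ALERT"))
    return findings


def demo() -> list:
    """Constructed scenario (hypothetical paths): one approved patch, one unapproved edit, one unknown new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"sshd build 1")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        baseline = snapshot(root)  # taken when the secure image was deployed
        (root / "bin" / "sshd").write_bytes(b"sshd build 2")  # patch with a change ticket
        approved = {"bin/sshd": hashlib.sha256(b"sshd build 2").hexdigest()}
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # no ticket
        (root / "bin" / "helper").write_bytes(b"\x7fELF")  # unknown executable
        return check_integrity(root, baseline, approved)
```

Running `demo()` reports `bin/sshd` as an expected modification and flags `etc/sshd_config` and `bin/helper` for alerting.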

Additional Reading