Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Why Is This Control Critical?
As delivered from manufacturers and resellers, the default configurations for enterprise assets and software are normally geared toward ease-of-deployment and ease-of-use rather than strong security. Basic controls, open services and ports, default accounts or passwords, pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of unnecessary software can be exploitable in their default state. Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices. Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security 'decay' as software is updated or patched, new security vulnerabilities are reported, and configurations are 'tweaked' to allow the installation of new software or to support new operational requirements.
Safeguards (12)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 4.1 | Establish and Maintain a Secure Configuration Process | Protect | IG1, IG2, IG3 | 7 | 5 |
| 4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Protect | IG1, IG2, IG3 | 7 | 5 |
| 4.3 | Configure Automatic Session Locking on Enterprise Assets | Protect | IG1, IG2, IG3 | 5 | 3 |
| 4.4 | Implement and Manage a Firewall on Servers | Protect | IG1, IG2, IG3 | 9 | 7 |
| 4.5 | Implement and Manage a Firewall on End-User Devices | Protect | IG1, IG2, IG3 | 7 | 5 |
| 4.6 | Securely Manage Enterprise Assets and Software | Protect | IG1, IG2, IG3 | 10 | 7 |
| 4.7 | Manage Default Accounts on Enterprise Assets and Software | Protect | IG1, IG2, IG3 | 7 | 3 |
| 4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | Protect | IG2, IG3 | 5 | 3 |
| 4.9 | Configure Trusted DNS Servers on Enterprise Assets | Protect | IG2, IG3 | 9 | 6 |
| 4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | Respond | IG2, IG3 | 9 | 5 |
| 4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | Protect | IG2, IG3 | 5 | 3 |
| 4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | Protect | IG3 | 7 | 5 |
Audit Verification Details
4.1 Establish and Maintain a Secure Configuration Process
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Systems are configured per an approved hardening baseline (CIS Benchmarks, DISA STIGs). | Compliance scan results against the approved baseline |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Configuration drift is detected and remediated within defined timeframes. | Drift detection reports, remediation tickets |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Systems are configured per an approved hardening baseline (CIS Benchmarks, DISA STIGs). | Compliance scan results against the approved baseline |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Configuration drift is detected and remediated within defined timeframes. | Drift detection reports, remediation tickets |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
4.3 Configure Automatic Session Locking on Enterprise Assets
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
4.4 Implement and Manage a Firewall on Servers
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Firewall rules conform to a documented baseline and deny-by-default policy. | Firewall rule export, baseline comparison report |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Firewall rules are reviewed on schedule and unused rules are removed. | Rule review records, change tickets for rule cleanup |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Firewall rule set export and review documentation | Reviewed quarterly |
| Record | Firewall change request and approval records | Per change |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
4.5 Implement and Manage a Firewall on End-User Devices
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Firewall rules conform to a documented baseline and deny-by-default policy. | Firewall rule export, baseline comparison report |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Firewall rules are reviewed on schedule and unused rules are removed. | Rule review records, change tickets for rule cleanup |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Firewall rule set export and review documentation | Reviewed quarterly |
| Record | Firewall change request and approval records | Per change |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
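The two checklist items shared by Safeguards 4.4 and 4.5, a rule set that conforms to a documented baseline with deny-by-default, and a scheduled review that removes unused rules, both reduce to the same comparison: each allow rule in an exported rule set is checked against the baseline, against recent hit counts, and for over-broad scope. The script below is an added example written for this page, not code from CIS or from any firewall product; the comma-separated export format, the rule IDs, the baseline entries and the review date are all constructed for the illustration, and the 90-day staleness window is an assumed review threshold, not a value from the page.

```python
"""Review a host-firewall rule export against a documented baseline.

Constructed example: the comma-separated export format below is a simplified,
vendor-neutral layout invented for this illustration (rule_id, action, proto,
port, source, hit_count, last_hit); it is not any product's real export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    port: str                 # port number as text, or "any"
    source: str               # CIDR, or "any"
    hit_count: int
    last_hit: Optional[date]  # None when the rule has never matched


# Constructed sample export (not from any real device).
SAMPLE_EXPORT = """
# rule_id, action, proto, port, source, hit_count, last_hit
R1, allow, tcp, 22, 10.0.0.0/8, 1532, 2024-05-30
R2, allow, tcp, 3389, any, 0, -
R3, allow, any, any, any, 12, 2024-01-10
R4, allow, udp, 5353, 10.0.0.0/8, 4, 2024-05-28
R5, deny, tcp, 445, any, 88, 2024-05-31
"""

# Documented baseline of permitted inbound exceptions: (proto, port, source).
BASELINE: Set[Tuple[str, str, str]] = {
    ("tcp", "22", "10.0.0.0/8"),
    ("udp", "5353", "10.0.0.0/8"),
}


def parse_rules(export: str) -> List[Rule]:
    """Parse the constructed export format; comment and blank lines are skipped."""
    rules: List[Rule] = []
    for line in export.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rid, action, proto, port, src, hits, last = [f.strip() for f in line.split(",")]
        rules.append(Rule(rid, action.lower(), proto.lower(), port.lower(), src,
                          int(hits), None if last == "-" else date.fromisoformat(last)))
    return rules


def audit_rules(rules: List[Rule], baseline: Set[Tuple[str, str, str]],
                default_policy: str, today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Classify allow rules into the review findings the checklist asks for."""
    findings: Dict[str, List[str]] = {
        "default_policy": [], "not_in_baseline": [], "unused": [], "overbroad": []}
    # Deny-by-default: anything other than an inbound deny policy is itself a finding.
    if default_policy.lower() != "deny":
        findings["default_policy"].append(
            f"inbound default policy is '{default_policy}', baseline requires deny")
    for r in rules:
        if r.action != "allow":
            continue  # deny rules never widen exposure, so they are not reviewed here
        if (r.proto, r.port, r.source) not in baseline:
            findings["not_in_baseline"].append(r.rule_id)
        # A rule that has never matched, or not within the window, is a cleanup candidate.
        if r.last_hit is None or (today - r.last_hit).days > stale_days:
            findings["unused"].append(r.rule_id)
        # Any-port from any-source defeats the purpose of an explicit allow list.
        if r.port == "any" and r.source == "any":
            findings["overbroad"].append(r.rule_id)
    return findings


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed export as of a constructed review date."""
    return audit_rules(parse_rules(SAMPLE_EXPORT), BASELINE, "deny", date(2024, 6, 1))


if __name__ == "__main__":
    for category, ids in run_sample().items():
        print(f"{category}: {ids or 'none'}")
```

On the sample data, R2 and R3 are flagged as outside the baseline and unused, and R3 is additionally flagged as over-broad; R1 and R4 match the baseline and have recent hits, so they produce no findings. The output is the "baseline comparison report" and the input to the rule-cleanup change tickets that the evidence table lists.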
4.6 Securely Manage Enterprise Assets and Software
Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Systems are configured per an approved hardening baseline (CIS Benchmarks, DISA STIGs). | Compliance scan results against the approved baseline |
| Access is granted based on least privilege and role-based access control. | RBAC configuration, access matrix documentation |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Configuration drift is detected and remediated within defined timeframes. | Drift detection reports, remediation tickets |
| Access reviews and recertifications are completed on schedule. | Access review records with sign-off and remediation actions |
| Privileged access is monitored and audited. | Privileged access logs, PAM session recordings or reports |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
4.7 Manage Default Accounts on Enterprise Assets and Software
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
4.9 Configure Trusted DNS Servers on Enterprise Assets
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Access is granted based on least privilege and role-based access control. | RBAC configuration, access matrix documentation |
| DNS filtering is active and blocking known malicious domains. | DNS filter configuration, block statistics |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Access reviews and recertifications are completed on schedule. | Access review records with sign-off and remediation actions |
| Privileged access is monitored and audited. | Privileged access logs, PAM session recordings or reports |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Technical | DNS filtering configuration and block statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
4.10 Enforce Automatic Device Lockout on Portable End-User Devices
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® Intune Device Lock and Apple® Configuration Profile maxFailedAttempts.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| Systems are configured per an approved hardening baseline (CIS Benchmarks, DISA STIGs). | Compliance scan results against the approved baseline |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| MFA exceptions are documented, approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Configuration drift is detected and remediated within defined timeframes. | Drift detection reports, remediation tickets |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
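Safeguards 4.3 and 4.10 are the two on this page with numeric thresholds (session lock within 15 minutes for general purpose operating systems and 2 minutes for mobile devices; lockout after no more than 20 failed attempts on laptops and 10 on tablets and smartphones), so the "configuration compliance scan" evidence both require can be produced by one check over an endpoint-management export. The script below is an added example written for this page, not code from CIS, Intune or Apple; the device records, their field names and the device-class labels are constructed, and the handling of "where supported" (a platform without a lockout feature is recorded as an exception to document rather than as a finding) is an assumed audit convention.

```python
"""Evaluate an endpoint-management export against the session-lock (4.3)
and failed-attempt lockout (4.10) thresholds stated on this page.

Constructed example: the device records below are invented sample data in a
simplified field layout; they are not a real MDM product's export.
"""
from typing import Dict, List

# Safeguard 4.3: maximum idle period before automatic session lock, in minutes.
IDLE_LOCK_MAX_MINUTES = {
    "laptop": 15, "desktop": 15, "server": 15,   # general purpose operating systems
    "smartphone": 2, "tablet": 2,                # mobile end-user devices
}

# Safeguard 4.10: maximum local failed authentication attempts before lockout.
# Only portable end-user devices are in scope, so desktops and servers are absent.
FAILED_ATTEMPTS_MAX = {"laptop": 20, "smartphone": 10, "tablet": 10}

# Constructed sample export (not from any real system).
SAMPLE_DEVICES = [
    {"device_id": "LT-001", "device_class": "laptop", "idle_lock_minutes": 10, "max_failed_attempts": 10},
    {"device_id": "LT-002", "device_class": "laptop", "idle_lock_minutes": 30, "max_failed_attempts": 20},
    {"device_id": "PH-001", "device_class": "smartphone", "idle_lock_minutes": 2, "max_failed_attempts": 0},
    {"device_id": "TB-001", "device_class": "tablet", "idle_lock_minutes": 5, "max_failed_attempts": 10},
    {"device_id": "DT-001", "device_class": "desktop", "idle_lock_minutes": 15, "max_failed_attempts": None},
    {"device_id": "LT-003", "device_class": "laptop", "idle_lock_minutes": 5, "max_failed_attempts": None,
     "lockout_supported": False},
]


def evaluate_device(device: Dict) -> Dict[str, List[str]]:
    """Return findings (non-compliance) and exceptions (unsupported features) for one device."""
    findings: List[str] = []
    exceptions: List[str] = []
    cls = device["device_class"]

    # 4.3: a missing or zero value means automatic locking is off, which also fails.
    idle = device.get("idle_lock_minutes")
    idle_limit = IDLE_LOCK_MAX_MINUTES[cls]
    if idle is None or idle <= 0:
        findings.append(f"4.3: automatic session locking disabled (limit {idle_limit} min)")
    elif idle > idle_limit:
        findings.append(f"4.3: idle lock {idle} min exceeds {idle_limit} min limit")

    # 4.10: only portable devices are in scope, and only where the platform supports it.
    if cls in FAILED_ATTEMPTS_MAX:
        if not device.get("lockout_supported", True):
            exceptions.append("4.10: lockout not supported on platform; document compensating control")
        else:
            attempts = device.get("max_failed_attempts")
            limit = FAILED_ATTEMPTS_MAX[cls]
            if attempts is None or attempts <= 0:
                findings.append(f"4.10: failed-attempt lockout disabled (limit {limit})")
            elif attempts > limit:
                findings.append(f"4.10: lockout threshold {attempts} exceeds {limit}")
    return {"findings": findings, "exceptions": exceptions}


def compliance_report(devices: List[Dict]) -> Dict[str, Dict]:
    """Group devices into compliant, non-compliant (with findings) and documented exceptions."""
    report: Dict[str, Dict] = {"compliant": [], "noncompliant": {}, "exceptions": {}}
    for d in devices:
        result = evaluate_device(d)
        if result["findings"]:
            report["noncompliant"][d["device_id"]] = result["findings"]
        else:
            report["compliant"].append(d["device_id"])
        if result["exceptions"]:
            report["exceptions"][d["device_id"]] = result["exceptions"]
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(SAMPLE_DEVICES), indent=2))
```

On the sample data, LT-002 fails on its 30-minute idle lock, TB-001 fails because a tablet is held to the 2-minute mobile limit rather than the 15-minute one, and PH-001 fails because a threshold of 0 means lockout is switched off; LT-003 is compliant on 4.3 but lands in the exceptions list, which is where an auditor would expect the compensating control for an unsupported platform to be recorded. A real run would replace the constructed list with the export the MDM or configuration-management tool actually produces.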
4.11 Enforce Remote Wipe Capability on Portable End-User Devices
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate, such as for lost or stolen devices, or when an individual no longer supports the enterprise.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
4.12 Separate Enterprise Workspaces on Mobile End-User Devices
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Systems are configured per an approved hardening baseline (CIS Benchmarks, DISA STIGs). | Compliance scan results against the approved baseline |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Configuration drift is detected and remediated within defined timeframes. | Drift detection reports, remediation tickets |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |