Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Why Is This Control Critical?
As delivered from manufacturers and resellers, the default configurations for enterprise assets and software are normally geared toward ease-of-deployment and ease-of-use rather than strong security. Basic controls, open services and ports, default accounts or passwords, pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of unnecessary software can be exploitable in their default state. Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices. Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security 'decay' as software is updated or patched, new security vulnerabilities are reported, and configurations are 'tweaked' to allow the installation of new software or to support new operational requirements.
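The "decay" described above is easiest to catch when the secure baseline is written down as data and the asset's live configuration is checked against it on a schedule. The following is an added example, not part of the CIS text: a minimal drift check over a constructed sshd_config-style "Key value" file, where the baseline values, the software-default table and the sample host configuration are all illustrative assumptions rather than a published benchmark.

```python
"""Configuration-drift check (added example; baseline and defaults are constructed,
not a CIS benchmark). Settings absent from the file fall back to the vendor default,
so a key that was never hardened is reported just like one that was 'tweaked'."""

# Secure baseline: key -> (required value, why it matters). Constructed for this example.
BASELINE = {
    "permitrootlogin": ("no", "default/interactive root login over SSH"),
    "passwordauthentication": ("no", "password auth exposes default or weak accounts"),
    "x11forwarding": ("no", "unnecessary service enabled by default"),
    "maxauthtries": ("4", "limit brute-force attempts"),
}

# Value the software applies when a key is absent (assumed here; taken from vendor docs in practice).
SOFTWARE_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

def parse_config(text):
    """Parse 'Key value' lines; '#' comments and blank lines are ignored, keys are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    return settings

def check_drift(config_text):
    """Return (key, effective_value, required_value, reason) for every baseline deviation."""
    current = parse_config(config_text)
    findings = []
    for key, (required, reason) in BASELINE.items():
        effective = current.get(key, SOFTWARE_DEFAULTS.get(key))  # absent key -> vendor default
        if effective != required:
            findings.append((key, effective, required, reason))
    return findings

# Constructed sample: one setting re-enabled for a deployment script, one loosened, one never set.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 10
"""

if __name__ == "__main__":
    for key, have, want, why in check_drift(SAMPLE_CONFIG):
        print(f"DRIFT {key}: is {have!r}, baseline requires {want!r} ({why})")
```

Running the same check after every patch, software install or "temporary" change is what turns a one-time hardening effort into a maintained configuration.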