Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
CSC3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers.
Family | CSC | Control Description | Foundational | Advanced |
---|---|---|---|---|
System | 3.1 | Establish standard secure configurations of operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors. | Y | |
System | 3.2 | Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the organization’s change management processes. Images should be created for workstations, servers, and other system types used by the organization. | Y | |
System | 3.3 | Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network. | Y | File integrity of master images is verified as part of a continuous monitoring program. |
System | 3.4 | Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. | Y | |
System | 3.5 | Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes). | Y | File integrity of critical system files is verified as part of a continuous monitoring program. |
System | 3.6 | Implement and test an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts when unauthorized changes occur. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system. Whenever possible use tools compliant with the Security Content Automation Protocol (SCAP) in order to streamline reporting and integration. | Y | |
System | 3.7 | Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. They should be capable of triggering redeployment of configuration settings on a scheduled, manual, or event-driven basis. | Y | |
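
The integrity check described in control 3.5, as an added example that is not part of the control text or of any named tool: it takes a baseline of a directory, then reports content changes, permission or owner changes, extra files and missing files, while skipping paths listed as expected changes. The function names, the sample file names and the `expected` allowlist are assumptions made for illustration; identifying who made a change needs audit logging and is outside this sketch.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Map relative path -> (sha256, mode, uid, gid) for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            digest = hashlib.sha256(Path(full).read_bytes()).hexdigest()
            state[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return state

def compare(baseline, current, expected=()):
    """Return (path, finding) pairs sorted by path; paths in `expected` are approved changes."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path in expected:
            continue  # routine change covered by change management
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "extra file"))
        elif new is None:
            findings.append((path, "missing file"))
        else:
            if old[0] != new[0]:
                findings.append((path, "content changed"))
            if old[1] != new[1]:
                findings.append((path, "permissions changed"))
            if old[2:] != new[2:]:
                findings.append((path, "owner changed"))
    return findings

def demo():
    """Constructed sample tree: take a baseline, alter it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("sshd_config", b"PermitRootLogin no\n"), ("app.bin", b"v1"), ("motd", b"hi\n")):
            Path(root, name).write_bytes(body)
            os.chmod(Path(root, name), 0o644)
        baseline = snapshot(root)
        Path(root, "sshd_config").write_bytes(b"PermitRootLogin yes\n")  # unexpected edit
        os.chmod(Path(root, "app.bin"), 0o666)                          # now world-writable
        Path(root, "extra.sh").write_bytes(b"#!/bin/sh\n")              # file not in baseline
        Path(root, "motd").write_bytes(b"maintenance\n")                # approved change
        return compare(baseline, snapshot(root), expected={"motd"})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In practice the baseline itself has to be stored where the monitored host cannot rewrite it, in the same way control 3.3 treats master images.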
NIST 800-53 rev4
These are the mapped NIST 800-53 controls linked to CSC3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
CA-7: Continuous Monitoring
CM-2: Baseline Configuration
CM-3: Configuration Change Control
CM-5: Access Restrictions for Change
CM-6: Configuration Settings
CM-7: Least Functionality
CM-8: Information System Component Inventory
CM-9: Configuration Management Plan
CM-11: User-Installed Software
MA-4: Nonlocal Maintenance
RA-5: Vulnerability Scanning
SA-4: Acquisition Process
SC-15: Collaborative Computing Devices
SC-34: Non-Modifiable Executable Programs
SI-2: Flaw Remediation
SI-4: Information System Monitoring