When selecting operating systems, it is important that an organisation preferences vendors that have demonstrated a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products. This will assist not only with reducing the potential number of security vulnerabilities in operating systems, but also increasing the likelihood that timely patches, updates or vendor mitigations will be released to remediate any security vulnerabilities that are found.
Control: ISM-1743; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A

Operating system releases and versions

Newer releases of operating systems often introduce improvements in security functionality. This can make it more difficult for an adversary to craft reliable exploits for security vulnerabilities they discover. Using older releases of operating systems, especially those no longer supported by vendors, may expose an organisation to security vulnerabilities or exploitation techniques that have since been mitigated. In addition, 64-bit versions of operating systems support additional security functionality that 32-bit versions do not.

Control: ISM-1407; Revision: 5; Updated: Dec-22; Applicability: All; Essential Eight: ML3
Control: ISM-1408; Revision: 5; Updated: Dec-22; Applicability: All; Essential Eight: N/A

Standard Operating Environments

Allowing users to set up, configure and maintain their own workstations and servers can result in an inconsistent operating environment. Such operating environments may assist an adversary in gaining an initial foothold on networks due to the higher likelihood of poorly configured or maintained workstations and servers. Conversely, a Standard Operating Environment (SOE) is designed to facilitate a standardised and consistent operating environment within an organisation. When SOEs are obtained from third parties, such as service providers, there are additional cyber supply chain risks that should be considered, such as the accidental or deliberate inclusion of malicious code or configurations. To reduce the likelihood of such occurrences, an organisation should endeavour to obtain their SOEs from trusted third parties while also scanning them for malicious code and configurations.
As operating environments naturally change over time, such as when patches or updates are applied, configurations are changed, and applications are added or removed, it is essential that SOEs are reviewed and updated at least annually to ensure that an up-to-date baseline is maintained.

Control: ISM-1406; Revision: 2; Updated: Aug-20; Applicability: All; Essential Eight: N/A
Control: ISM-1608; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1588; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A

Hardening operating system configurations

When operating systems are deployed in their default state it can lead to an insecure operating environment that may allow an adversary to gain an initial foothold on networks. Many configuration settings exist within operating systems to allow them to be configured in a secure state in order to minimise this security risk. As such, the Australian Cyber Security Centre (ACSC) and vendors often produce guidance to assist in hardening the configuration of operating systems. Note, however, in situations where ACSC and vendor guidance conflicts, preference should be given to implementing ACSC hardening guidance.
Control: ISM-1409; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
Control: ISM-0380; Revision: 9; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-0383; Revision: 8; Updated: Dec-22; Applicability: All; Essential Eight: N/A
Control: ISM-0341; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Control: ISM-1654; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1655; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1492; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1745; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1584; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: N/A
Control: ISM-1491; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Application management

Unprivileged users’ ability to install any application can be exploited by an adversary using social engineering in order to convince them to install a malicious application. One way to mitigate this security risk, while also removing burden from system administrators, is to allow unprivileged users the ability to install approved applications from organisation-managed software repositories or from trusted application marketplaces. Furthermore, to prevent unprivileged users from removing security functionality, or breaking system functionality, unprivileged users should not have the ability to uninstall or disable approved software.

Control: ISM-1592; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-0382; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A

Application control

Application control can be an effective way to not only prevent malicious code from executing on workstations and servers, but also to ensure only approved applications can execute. When developing application control rulesets, determining approved executables (e.g. .exe and .com files), software libraries (e.g. .dll and .ocx files), scripts (e.g. .ps1, .bat, .cmd, .vbs and .js files), installers (e.g. .msi, .msp and .mst files), compiled HTML (e.g. .chm), HTML applications (e.g. .hta), control panel applets (e.g. .cpl) and drivers based on business requirements is a more secure method than simply approving those already residing on a workstation or server. Furthermore, it is preferable that an organisation defines their own application control rulesets, rather than relying on those from application control vendors, and validates them on an annual or more frequent basis. In implementing application control, an organisation should use a reliable method, or combination of methods, such as cryptographic hash rules, publisher certificate rules or path rules.
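As an added example (not from the ISM or the ACSC publications it references), the following PowerShell builds an AppLocker ruleset from an approved reference set of executables, libraries, scripts and installers, preferring publisher rules and falling back to hash rules, deploys it in audit mode and checks a file against it. The reference directory, the output path and the SOE rule prefix are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not ISM or vendor code. Placeholders: $ReferenceRoot (a copy of the
# approved SOE software set) and $PolicyPath (where the generated policy is written).
Import-Module AppLocker

$ReferenceRoot = 'C:\SOE\ApprovedSoftware'     # hypothetical reference set
$PolicyPath    = 'C:\SOE\applocker-policy.xml'  # hypothetical output path

# AppLocker rule collections covering the file types listed in the text:
# Exe (.exe/.com), Dll (.dll/.ocx), Script (.ps1/.bat/.cmd/.vbs/.js),
# WindowsInstaller (.msi/.msp/.mst). .chm, .hta and .cpl are handled by the host
# program (hh.exe, mshta.exe, control.exe) and need rules on those hosts instead.
$FileTypes = @('Exe', 'Dll', 'Script', 'WindowsInstaller')

function New-SoeAppLockerPolicy {
    # Collect publisher, hash and path information for every approved file.
    $fileInfo = Get-AppLockerFileInformation -Directory $ReferenceRoot -Recurse -FileType $FileTypes

    # Publisher rules for signed files, hash rules for the rest. Path rules are deliberately
    # omitted: they are the weakest method because any user-writable path defeats them.
    [xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -RuleNamePrefix 'SOE' -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

    # Start in audit mode so the ruleset can be validated against real usage
    # (events 8003/8006 "would have been blocked") before switching to 'Enabled'.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $policy.Save($PolicyPath)
    $PolicyPath
}

function Install-SoeAppLockerPolicy {
    # AppLocker only takes effect while the Application Identity service runs; on current
    # Windows its start type can only be changed with sc.exe, not Set-Service.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    # Replaces the local policy; use -Ldap with a GPO path to deploy domain-wide.
    Set-AppLockerPolicy -XmlPolicy $PolicyPath
}

function Test-FileAgainstSoePolicy {
    param([Parameter(Mandatory)][string]$Path)
    # Returns PolicyDecision (Allowed / Denied / DeniedByDefaultRule) and the matching rule.
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Path -User Everyone
}

function Get-AppLockerAuditEvents {
    param([int]$Hours = 24)
    # 8003/8006: would have been blocked (audit mode); 8004/8007: blocked (enforce mode).
    # These logs are what should be forwarded to central collection.
    $window = @{ StartTime = (Get-Date).AddHours(-$Hours) }
    @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003, 8004 }
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006, 8007 }
    ) | ForEach-Object {
        Get-WinEvent -FilterHashtable ($_ + $window) -ErrorAction SilentlyContinue
    } | Select-Object TimeCreated, Id, Message
}

New-SoeAppLockerPolicy
Install-SoeAppLockerPolicy
Test-FileAgainstSoePolicy -Path "$env:SystemRoot\System32\calc.exe"
Get-AppLockerAuditEvents
```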
Depending on the method chosen, further hardening may be required to ensure that application control mechanisms and application control rulesets cannot be bypassed by an adversary. Finally, application control event logs can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, application control event logs should be captured and stored centrally.

Control: ISM-0843; Revision: 9; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1490; Revision: 3; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1656; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1657; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1658; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-0955; Revision: 6; Updated: Apr-20; Applicability: All; Essential Eight: N/A
Control: ISM-1582; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1471; Revision: 2; Updated: Apr-20; Applicability: All; Essential Eight: N/A
Control: ISM-1392; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1746; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1544; Revision: 2; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1659; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-0846; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1660; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1661; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1662; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML3
Control: ISM-1663; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML3

PowerShell

PowerShell is a powerful scripting language developed by Microsoft and, due to its ubiquity and ease with which it can be used to fully control operating systems, is an important part of system administrator toolkits. However, PowerShell can also be a dangerous exploitation tool in the hands of an adversary. In order to prevent attacks leveraging security vulnerabilities in earlier PowerShell versions, Windows PowerShell 2.0 should be disabled or removed from operating systems. Additionally, PowerShell’s language mode should be set to Constrained Language Mode to achieve a balance between security and functionality. Finally, PowerShell event logs can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, PowerShell event logs should be captured and stored centrally.

Control: ISM-1621; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1622; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: ML3
Control: ISM-1623; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
Control: ISM-1624; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
Control: ISM-1664; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1665; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML3

Host-based Intrusion Prevention System

Many security products rely on signatures to detect malicious code. This approach is only effective when malicious code has already been profiled and signatures are available from security vendors. Unfortunately, an adversary can easily create variants of known malicious code in order to bypass traditional signature-based detection.
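Returning to the PowerShell controls above, the following script (an added example, not ISM or vendor code) checks a workstation for the three points the text makes: Windows PowerShell 2.0 removed, Constrained Language Mode actually enforced rather than merely set in-session, and script block, module and transcription logging enabled, and then pulls the script block events worth forwarding first. It assumes an elevated session and the standard Group Policy registry locations for PowerShell logging.

```powershell
#Requires -RunAsAdministrator
# Added example, not ISM or vendor code.

function Test-PowerShellV2Removed {
    # Windows PowerShell 2.0 ships as an optional feature (MicrosoftWindowsPowerShellV2Root
    # and MicrosoftWindowsPowerShellV2); compliant when neither is enabled.
    $v2 = Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*'
    @($v2 | Where-Object State -eq 'Enabled').Count -eq 0
}

function Remove-PowerShellV2 {
    # Remediation for the check above; a restart is required for it to take effect.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
}

function Get-LanguageModeStatus {
    # Constrained Language Mode is only robust when enforced by application control
    # (an AppLocker Script collection in 'Enabled' mode, or WDAC). A mode set per session
    # or through the __PSLockdownPolicy environment variable can be undone by the user.
    $scriptCollection = (Get-AppLockerPolicy -Effective).RuleCollections |
        Where-Object RuleCollectionType -eq 'Script'
    [pscustomobject]@{
        CurrentSessionMode         = $ExecutionContext.SessionState.LanguageMode
        AppLockerScriptEnforcement = if ($scriptCollection) { $scriptCollection.EnforcementMode } else { 'NotConfigured' }
    }
}

# Group Policy registry locations (Computer Configuration > Administrative Templates >
# Windows Components > Windows PowerShell). ModuleNames '*' = '*' logs every module.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$ExpectedLogging = @(
    @{ Key = "$PolicyRoot\ScriptBlockLogging";        Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Key = "$PolicyRoot\ModuleLogging";             Name = 'EnableModuleLogging';      Value = 1 }
    @{ Key = "$PolicyRoot\ModuleLogging\ModuleNames"; Name = '*';                        Value = '*' }
    @{ Key = "$PolicyRoot\Transcription";             Name = 'EnableTranscripting';      Value = 1 }
)

function Test-PowerShellLoggingPolicy {
    # One row per expected setting; Compliant is false when the value is missing or differs.
    # RegistryKey.GetValue is used because Get-ItemProperty -Name treats '*' as a wildcard.
    foreach ($setting in $ExpectedLogging) {
        $regKey = Get-Item -LiteralPath $setting.Key -ErrorAction SilentlyContinue
        $actual = if ($regKey) { $regKey.GetValue($setting.Name) } else { $null }
        [pscustomobject]@{
            Key       = $setting.Key
            Name      = $setting.Name
            Expected  = $setting.Value
            Actual    = $actual
            Compliant = ($null -ne $actual -and "$actual" -eq "$($setting.Value)")
        }
    }
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Event 4104 records each script block executed. PowerShell raises the level to
    # Warning (3) for blocks containing known-suspicious constructs, the subset to forward first.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Level = 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

[pscustomobject]@{
    PowerShellV2Removed = Test-PowerShellV2Removed
    LanguageMode        = Get-LanguageModeStatus
}
Test-PowerShellLoggingPolicy | Format-Table -AutoSize
Get-SuspiciousScriptBlocks
```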
A Host-based Intrusion Prevention System (HIPS) can use behaviour-based detection to assist in identifying and blocking anomalous behaviour as well as detecting malicious code that has yet to be identified by security vendors. As such, it is important that a HIPS is implemented on workstations, critical servers and high-value servers.

Control: ISM-1341; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
Control: ISM-1034; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A

Software firewall

Traditional network firewalls often fail to prevent the propagation of malicious code on networks, or an adversary from exfiltrating data from networks, as they only control which ports or protocols can be used between different network segments. Many forms of malicious code are designed specifically to take advantage of this by using common protocols, such as Hypertext Transfer Protocol, Hypertext Transfer Protocol Secure, Simple Mail Transfer Protocol or Domain Name System. Software firewalls are more effective than traditional network firewalls as they can control which applications and services can communicate to and from workstations and servers. As such, a software firewall should be implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services.

Control: ISM-1416; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A

Antivirus software

When vendors develop software they may make coding mistakes that lead to security vulnerabilities. An adversary can take advantage of this by developing malicious code to exploit any security vulnerabilities that have not been detected and remedied by vendors. As significant time and effort is often involved in developing functioning and reliable exploits, an adversary will often attempt to reuse their exploits as much as possible.
While exploits may have been previously identified by security vendors, they often remain viable against an organisation that does not have antivirus software in place.

Control: ISM-1417; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
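For the software firewall control described above, the following PowerShell (an added example, not ISM or vendor code) puts Windows Defender Firewall into a default-deny posture, rebuilds the outbound allow rules from an organisation-approved application list, reports any other enabled outbound allow rules as drift, and enables the Security event that names the application behind a blocked connection. The program paths in $ApprovedApps and the rule group name are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not ISM or vendor code. $ApprovedApps holds hypothetical paths standing in
# for an organisation's approved application set.

$RuleGroup    = 'SOE Approved Outbound'
$ApprovedApps = @{
    'Web browser' = 'C:\Program Files\ExampleBrowser\browser.exe'  # hypothetical path
    'Mail client' = 'C:\Program Files\ExampleMail\mail.exe'        # hypothetical path
}

function Set-SoeFirewallBaseline {
    # Default-deny in both directions on every profile, logging dropped packets. Windows'
    # built-in service rules (Core Networking: DNS, DHCP, etc.) remain enabled so the host can
    # still resolve names and obtain an address; review those as part of the approved set.
    Set-NetFirewallProfile -All -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block `
        -LogBlocked True -LogAllowed False `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 32767
}

function Sync-SoeOutboundRules {
    # Rebuild the group from the approved list so that a removed application loses its rule.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    foreach ($app in $ApprovedApps.GetEnumerator()) {
        New-NetFirewallRule -DisplayName "$RuleGroup - $($app.Key)" -Group $RuleGroup `
            -Direction Outbound -Action Allow -Program $app.Value -Profile Any -Enabled True |
            Out-Null
    }
}

function Get-OutboundAllowRulesOutsideBaseline {
    # Drift check: every enabled outbound allow rule that is not in our group and does not
    # point at an approved program. Service rules show Program 'Any' or a system path and
    # need a business justification or should be disabled.
    $approved = @($ApprovedApps.Values)
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Where-Object { $_.Group -ne $RuleGroup } |
        ForEach-Object {
            $program = ($_ | Get-NetFirewallApplicationFilter).Program
            [pscustomobject]@{ Rule = $_.DisplayName; Group = $_.DisplayGroup; Program = $program }
        } |
        Where-Object { $_.Program -notin $approved }
}

function Enable-BlockedConnectionAuditing {
    # pfirewall.log only records the 5-tuple. Security event 5157 also names the blocked
    # application, which is what central monitoring needs to attribute the attempt.
    auditpol.exe /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
}

function Get-BlockedConnectionEvents {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

Set-SoeFirewallBaseline
Sync-SoeOutboundRules
Enable-BlockedConnectionAuditing
Get-OutboundAllowRulesOutsideBaseline | Format-Table -AutoSize
Get-BlockedConnectionEvents
```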
Device access control software

Device access control software can be used to prevent removable media and mobile devices from being connected to workstations and servers via external communication interfaces. This can assist in preventing the introduction of malicious code or the exfiltration of data by an adversary. In addition, an adversary can connect to locked workstations and servers via external communication interfaces that allow Direct Memory Access (DMA). In doing so, the adversary can gain access to encryption keys in memory or write malicious code to memory. The best defence against this security risk is to disable access to external communication interfaces that allow DMA, such as FireWire, ExpressCard and Thunderbolt.

Control: ISM-1418; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-0343; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-0345; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A

Operating system event logging

Operating system events can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, operating system event logs should be captured and stored centrally.

Control: ISM-0582; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1747; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A

Further information

Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing.
Further information on patching or updating operating systems can be found in the system patching section of the Guidelines for System Management.
Further information on securely configuring Microsoft Windows operating systems can be found in the ACSC’s Hardening Microsoft Windows 10 version 21H1 Workstations publication.
Further information on securely configuring Linux workstations and servers can be found in the ACSC’s Hardening Linux Workstations and Servers publication.
Further information on exploit protection functionality within Microsoft Windows is available from Microsoft.
Further information on implementing application control can be found in the ACSC’s Implementing Application Control publication.
Further information on Microsoft’s ‘recommended block rules’ and ‘recommended driver block rules’ is available from Microsoft.
Further information on the use of PowerShell can be found in the ACSC’s Securing PowerShell in the Enterprise publication.
Further information on the use of PowerShell by blue teams is available from Microsoft, while further information on obtaining greater visibility through PowerShell logging is available from FireEye.
Further information on independent testing of security products’ ability to detect or prevent various stages of network intrusions is available from The MITRE Corporation.
Further information on independent testing of antivirus software is available from AV-Comparatives and AV-TEST.
Further information on the use of removable media can be found in the media usage section of the Guidelines for Media.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.
Application hardening

Application selection

When selecting applications, it is important that an organisation preferences vendors that have demonstrated a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products. This will assist not only with reducing the potential number of security vulnerabilities in applications, but also increasing the likelihood that timely patches, updates or vendor mitigations will be released to remediate any security vulnerabilities that are found.

Control: ISM-0938; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A

Application releases

Newer releases of applications often introduce improvements in security functionality. This can make it more difficult for an adversary to craft reliable exploits for security vulnerabilities they discover. Using older releases of applications, especially those no longer supported by vendors, may expose an organisation to security vulnerabilities or exploitation techniques that have since been mitigated. This is particularly important for office productivity suites, web browsers and their extensions, email clients, Portable Document Format (PDF) software, and security products, as well as web server applications and other internet-accessible server applications.

Control: ISM-1467; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1483; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A

Hardening application configurations

When applications are deployed in their default state it can lead to an insecure operating environment that may allow an adversary to gain an initial foothold on networks. This can be especially risky for office productivity suites, web browsers, email clients, PDF software and security products as such applications are routinely targeted for exploitation.
Many configuration settings exist within such applications to allow them to be configured in a secure state in order to minimise this security risk. As such, the ACSC and vendors often produce guidance to assist in hardening the configuration of such applications. Note, however, in situations where ACSC and vendor guidance conflicts, preference should be given to implementing ACSC hardening guidance.

Control: ISM-1806; Revision: 0; Updated: Dec-22; Applicability: All; Essential Eight: N/A
Control: ISM-1412; Revision: 3; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1470; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1235; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1486; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1485; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1666; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2
Control: ISM-1667; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1668; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1669; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1542; Revision: 0; Updated: Jan-19; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1670; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1601; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1585; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1748; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A

Microsoft Office macros

Microsoft Office files can contain embedded code, known as a macro, written in the Visual Basic for Applications programming language.
A macro can contain a series of commands that can be coded or recorded and replayed at a later time to automate repetitive tasks. Macros are powerful tools that can be easily created by users to greatly improve their productivity. However, an adversary can also create macros to perform a variety of malicious activities, such as assisting to compromise workstations in order to exfiltrate or deny access to data. To reduce this security risk, an organisation should disable Microsoft Office macros for users that do not have a demonstrated business requirement and secure their use for the remaining users that do. Finally, Microsoft Office macro event logs can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, Microsoft Office macro event logs should be captured and stored centrally.

Control: ISM-1671; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1488; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1672; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1673; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1674; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1487; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1675; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1676; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1489; Revision: 0; Updated: Sep-18; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1677; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1678; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML3

Further information

Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing.
Further information on patching or updating applications can be found in the system patching section of the Guidelines for System Management.
Further information on securely configuring Microsoft Office can be found in the ACSC’s Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016 publication.
Further information on configuring Microsoft Office macro settings can be found in the ACSC’s Microsoft Office Macro Security publication.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.

Authentication hardening

Account and authentication types

The guidance within this section is equally applicable to all account types. This includes unprivileged accounts, privileged accounts, break glass accounts and service accounts. In addition, the guidance is equally applicable to interactive authentication and non-interactive authentication.

Authenticating to systems

Before access to a system and its resources is granted to a user, it is essential that they are authenticated. This can be achieved via multi-factor authentication, such as a username along with a passphrase and security key, or via single-factor authentication, such as a username and a passphrase.

Control: ISM-1546; Revision: 0; Updated: Aug-19; Applicability: All; Essential Eight: N/A

Multi-factor authentication

Multi-factor authentication uses two or more authentication factors. This may include:
Note, however, that if a memorised secret is written down, or stored in a document on a system, this becomes something that a user has rather than something a user knows. Privileged users, users of remote access solutions and users with access to important data repositories are more likely to be targeted by an adversary due to their access. For this reason, it is especially important that multi-factor authentication is used for these accounts. In addition, multi-factor authentication is vital to any administrative activities as it can limit the consequences of a compromise by preventing or slowing an adversary’s ability to gain unrestricted access to assets. In this regard, multi-factor authentication can be implemented as part of jump server authentication where assets being administered do not support multi-factor authentication themselves. When implementing multi-factor authentication, several different authentication factors can be implemented. Unfortunately, some authentication factors, such as biometrics or codes sent via Short Message Service, Voice over Internet Protocol or email, are more susceptible to compromise than others. For this reason, authentication factors that involve something a user has should be used as part of multi-factor authentication. Furthermore, for increased security, the use of verifier impersonation resistant authentication factors is recommended to protect against real-time phishing attacks. Finally, multi-factor authentication event logs can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents. To facilitate such activities, multi-factor authentication event logs should be captured and stored centrally.
Control: ISM-0974; Revision: 6; Updated: Sep-21; Applicability: All; Essential Eight: N/A
Control: ISM-1173; Revision: 4; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1504; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1679; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1680; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1681; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1505; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1401; Revision: 5; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1682; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1559; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1560; Revision: 2; Updated: Mar-22; Applicability: S; Essential Eight: N/A
Control: ISM-1561; Revision: 2; Updated: Mar-22; Applicability: TS; Essential Eight: N/A
Control: ISM-1683; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1684; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML3

Single-factor authentication

A significant threat to the compromise of accounts is credential cracking tools. When an adversary gains access to a list of usernames and hashed credentials from a system they can attempt to recover username and credential pairs by comparing the hashes of known credentials with the hashed credentials they have gained access to. By finding a match an adversary will know the credential associated with a given username. In order to reduce this security risk, an organisation should implement multi-factor authentication.
Note, while single-factor authentication is no longer considered suitable for protecting sensitive or classified data, it may not be possible to implement multi-factor authentication on some systems. In such cases, an organisation will need to increase the time on average it takes an adversary to compromise a credential by continuing to increase its length over time. Such increases in length can be balanced against usability through the use of passphrases rather than passwords. In cases where systems do not support passphrases, and as an absolute last resort, the strongest password length and complexity supported by a system will need to be implemented.

Control: ISM-0417; Revision: 5; Updated: Oct-19; Applicability: All; Essential Eight: N/A
Control: ISM-0421; Revision: 8; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Control: ISM-1557; Revision: 2; Updated: Dec-21; Applicability: S; Essential Eight: N/A
Control: ISM-0422; Revision: 8; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
Control: ISM-1558; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A

Setting credentials for user accounts

Before new credentials are issued for user accounts, it is important that users provide sufficient evidence to verify their identity, such as by users physically presenting themselves and their pass to a service desk or by answering a set of challenge-response questions. Following the verification of user identity, credentials should be randomly generated and provided to users via a secure communications channel or, if not possible, split into two parts with one part provided to users and the other part provided to supervisors. Subsequently, users should reset their credentials on first use to ensure that they are not known by other parties.
Control: ISM-1593; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1227; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1594; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1595; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1596; Revision: 2; Updated: Dec-22; Applicability: All; Essential Eight: N/A

Account lockouts

Locking an account after a specified number of failed logon attempts reduces the likelihood of successful credential spraying attacks by an adversary. However, care should be taken as implementing account lockout functionality can increase the likelihood of a denial of service. Alternatively, some systems can be configured to automatically slow down repeated failed logon attempts (known as rate limiting) rather than locking accounts. Implementing multi-factor authentication is also an effective way of reducing the likelihood of successful credential spraying attacks.

Control: ISM-1403; Revision: 2; Updated: Oct-19; Applicability: All; Essential Eight: N/A

Insecure authentication methods

Authentication methods need to resist theft, interception, duplication, forgery, unauthorised access and unauthorised modification. For example, Local Area Network (LAN) Manager and NT LAN Manager authentication methods use weak hashing algorithms. As such, credentials used as part of LAN Manager authentication and NT LAN Manager authentication (i.e. NTLMv1, NTLMv2 and NTLM2) can easily be compromised. Instead, an organisation should use Kerberos for authentication within Microsoft Windows environments and ensure all privileged accounts are members of the Protected Users security group.
Control: ISM-1603; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
Control: ISM-1055; Revision: 4; Updated: Oct-20; Applicability: All; Essential Eight: N/A
Control: ISM-1620; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A

Protecting credentials

When local administrator accounts and service accounts use common usernames and credentials, it can allow an adversary that compromises credentials on one workstation or server to easily compromise other workstations and servers. As such, it is critical that credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed. To provide additional security and credential management functionality for service accounts, Microsoft introduced group Managed Service Accounts to Microsoft Windows Server. In doing so, service accounts that are created as group Managed Service Accounts do not require manual credential management by system administrators, as the operating system automatically ensures that they are long, unique, unpredictable and managed. This ensures that service account credentials are secure, not misplaced or forgotten, and that they are automatically changed on a regular basis. However, in cases where the use of group Managed Service Accounts is not possible, credentials for service accounts should still be unique and unpredictable with a minimum length of 30 characters. Written down credentials (e.g. memorised secrets), and dedicated devices that store or generate credentials (e.g. security keys, smart cards and one-time password tokens), when kept together with systems they are used to authenticate to can increase the likelihood of an adversary gaining unauthorised access to systems. Examples include smart cards left on desks, one-time password tokens left in laptop bags, security keys left connected to computers and passphrases written down and stuck to computer monitors.
Furthermore, obscuring credentials as they are entered into systems can assist in protecting them against screen scrapers and shoulder surfers. If credentials are stored on systems, sufficient protection should be implemented to prevent them from being compromised. For example, credentials can be stored in a password manager or hardware security module, while credentials stored in a database should be hashed, salted and stretched. In addition, Windows Defender Credential Guard and Windows Defender Remote Credential Guard can be enabled to provide additional protection for credentials.

On Microsoft Windows systems, cached credentials are stored in the Security Accounts Manager database and allow a user to log on to a workstation they have previously logged on to even if the domain is not available. Whilst this functionality may be desirable from an availability perspective, it can be abused by an adversary who is able to retrieve these cached credentials. To reduce this security risk, cached credentials should be limited to only one previous logon.

Control: ISM-1685; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: ML2, ML3
Control: ISM-1619; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
Control: ISM-1795; Revision: 0; Updated: Sep-22; Applicability: All; Essential Eight: N/A
Control: ISM-0418; Revision: 6; Updated: Dec-22; Applicability: All; Essential Eight: N/A
Control: ISM-1597; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
Control: ISM-1402; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1686; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Control: ISM-1749; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1590; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
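The "hashed, salted and stretched" storage of database credentials described above, as an added example that is not from the ISM or any vendor library: it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the record format, function names and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed record layout: algorithm$iterations$salt_hex$hash_hex. Storing the
# parameters beside the hash lets the work factor be raised later without
# invalidating existing records.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # the stretching factor; raise it as hardware gets faster
SALT_BYTES = 16
DKLEN = 32


def hash_credential(password: str, iterations: int = ITERATIONS,
                    salt: Optional[bytes] = None) -> str:
    """Return a storable record for `password`, never the password itself."""
    if salt is None:
        # A fresh random salt per record: equal passwords yield unequal hashes,
        # so a precomputed table for one record is useless against another.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(password: str, record: str) -> bool:
    """Recompute the stretched hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record was stretched with less than the current policy's work."""
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < minimum_iterations
```

On a successful logon, a record for which `needs_rehash` is true can be replaced with `hash_credential(password)` to bring old records up to the current work factor.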
Session termination

Implementing measures to terminate user sessions and restart workstations on a daily basis, outside of business hours and after an appropriate period of inactivity, can assist both with system maintenance activities and with removing an adversary that may have compromised a system but failed to gain persistence.

Control: ISM-0853; Revision: 3; Updated: Sep-22; Applicability: All; Essential Eight: N/A

Session and screen locking

Session and screen locking prevents unauthorised access to a system to which a user has already authenticated.

Control: ISM-0428; Revision: 9; Updated: Dec-22; Applicability: All; Essential Eight: N/A
Logon banner

Displaying a logon banner to users before access is granted to a system reminds them of their security responsibilities. Logon banners may cover topics such as:
Control: ISM-0408; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A
Control: ISM-0979; Revision: 4; Updated: Sep-18; Applicability: All; Essential Eight: N/A

Further information

Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing.
Further information on implementing multi-factor authentication can be found in the ACSC’s Implementing Multi-Factor Authentication publication.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.
Further information on randomly generating passphrases (preferably using five dice rolls and a long word list) is available from the Electronic Frontier Foundation, while a random dice roller is available from RANDOM.ORG.
Further information on group Managed Service Accounts in Microsoft Windows Server is available from Microsoft.
Further information on mitigating the use of stolen credentials can be found in the ACSC’s Mitigating the Use of Stolen Credentials publication.
Further information on mitigating the use of stolen credentials can also be found in Microsoft’s Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, Version 1 and 2 publication.

Virtualisation hardening

Containerisation

Containers allow for versatile deployment of systems and, in doing so, should be treated the same as any other system. However, controls in a containerised environment may take a different form when compared to other types of systems. For example, patching the operating system of a workstation may be performed differently to ensuring that a patched image is used for a container; however, the principle is the same. In general, the same security risks that apply to non-containerised systems will likely apply to containerised systems.
Functional separation between computing environments

Physical servers often use a software-based isolation mechanism to share their hardware among multiple computing environments. A computing environment could consist of an entire operating system installed in a virtual machine, where the isolation mechanism is a hypervisor, as with cloud services providing Infrastructure as a Service. Alternatively, a computing environment could consist of an application which uses the shared kernel of the physical server’s underlying operating system, where the isolation mechanism is an application container or application sandbox, as with cloud services providing Platform as a Service. Note, however, that the logical separation of data within a single application, such as cloud services providing Software as a Service, is not considered to be the same as multiple computing environments. An adversary who has compromised a single computing environment, or who legitimately controls a single computing environment, might exploit a misconfiguration or security vulnerability in the isolation mechanism to compromise other computing environments on the same physical server, or to compromise the underlying operating system of the physical server. As such, it is important that additional controls are implemented when a software-based isolation mechanism is used to share a physical server’s hardware.
Control: ISM-1460; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1604; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
Control: ISM-1605; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1606; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Control: ISM-1607; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
Control: ISM-1461; Revision: 5; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A

Further information

Further information on container security can be found in National Institute of Standards and Technology Special Publication 800-190, Application Container Security Guide.
Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing.
Further information on the use of cloud services can be found in the managed services and cloud services section of the Guidelines for Procurement and Outsourcing.
Further information on hardening operating systems can be found in the operating system hardening section of these guidelines.
Further information on patching or updating operating systems and applications can be found in the system patching section of the Guidelines for System Management.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.
Further information on hypervisor security can be found in National Institute of Standards and Technology Special Publication 800-125A Rev. 1, Security Recommendations for Server-based Hypervisor Platforms.