NIST SP 800-128 GUIDE FOR SECURITY-FOCUSED CONFIGURATION MANAGEMENT OF INFORMATION SYSTEMS
_______________________________________________________________________________________________
CHAPTER 3 PAGE 31
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-128
in implementation of a secure configuration baseline for each system and constituent CIs (i.e.,
each established CI is the object of a documented and approved secure configuration).
3.2.1 ESTABLISH SECURE CONFIGURATIONS
In developing and deploying a system, secure configurations are established for the system and its
constituent CIs. Secure configurations may include:
• Setting secure values (i.e., the parameters that describe how particular automated
functions of IT products behave) including, but not limited to:
o OS and application features (enabling or disabling depending on the specific
feature, setting specific parameters, etc.);
o Services (e.g., automatic updates) and ports (e.g., DNS over port 53);
o Network protocols (e.g., NetBIOS, IPv6) and network interfaces (e.g., Bluetooth,
IEEE 802.11, infrared);
o Methods of remote access (e.g., SSL, VPN, SSH, IPSEC);
o Access controls (e.g., controlling permissions to files, directories, registry keys,
and restricting user activities such as modifying system logs or installing
applications);
o Management of identifiers/accounts (e.g., changing default account names,
determining length of time until inactive accounts are disabled, using unique user
names, establishing user groups);
o Authentication controls (e.g., password length, use of special characters,
minimum password age, multifactor authentication/use of tokens);
o Audit settings (e.g., capturing key events such as failures, logons, permission
changes, unsuccessful file access, creation of users and objects, deletion and
modification of system files, registry key and kernel changes);
o System settings (e.g., session timeouts, number of remote connections, session
lock); and
o Cryptography (e.g., using [FIPS 140-3]-validated cryptographic protocols and
algorithms to protect data in transit and in storage);
• Applying vendor-released patches in response to identified vulnerabilities, including
software updates;
• Using approved, signed software, if supported;
• Implementing safeguards through software to protect end-user machines against attack
(e.g., antivirus, antispyware, anti-adware, personal firewalls, host-based intrusion
detection systems);
• Applying network protections (e.g., TLS, IPSEC);
• Establishing the location where a component physically and logically resides (e.g.,
behind a firewall, within a DMZ, on a specific subnet, etc.); and
• Maintaining and updating technical specification and design documentation, system
security documentation, system procedures, etc.
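The list above describes what a secure configuration consists of; what an operator actually needs is a way to state those values as a baseline for a CI and to confirm that a deployed component still matches it. The following is an added example, not text or code from NIST SP 800-128: it parses a constructed key/value configuration captured from a hypothetical host, compares it against a hypothetical baseline covering several of the categories above (authentication controls, account management, session settings, audit settings, services and protocols), and reports every deviation. The configuration format, the setting names and the baseline values are assumptions chosen for illustration, not values mandated by the publication; a checklist-derived baseline (e.g., one built from a National Checklist Program or STIG item) would supply the `BaselineItem` entries in the same shape.

```python
"""Added example: compare a component's captured configuration against a
secure configuration baseline and report deviations.

The config format, setting names and baseline values are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: settings captured from a host that still carries
# weak defaults (the "before" state).
WEAK_CONFIG = """
# authentication controls
password_min_length = 8
password_require_special = no
mfa_required = no
# management of identifiers/accounts
inactive_account_disable_days = 90
# system settings
session_timeout_minutes = 60
max_remote_connections = 10
# audit settings
audit_logon_failures = yes
audit_permission_changes = no
# services and protocols
service_telnet = enabled
protocol_netbios = enabled
remote_access_protocol = sshv2
"""

# Constructed sample: the same host after the baseline has been applied.
HARDENED_CONFIG = """
password_min_length = 16
password_require_special = yes
mfa_required = yes
inactive_account_disable_days = 30
session_timeout_minutes = 15
max_remote_connections = 10
audit_logon_failures = yes
audit_permission_changes = yes
service_telnet = disabled
protocol_netbios = disabled
remote_access_protocol = sshv2
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored.
    Values are lower-cased so that 'Yes' and 'yes' compare equal."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().lower()
    return settings


@dataclass(frozen=True)
class BaselineItem:
    key: str                       # setting name in the captured config
    expected: str                  # human-readable statement of the requirement
    check: Callable[[str], bool]   # predicate the actual value must satisfy


def at_least(n: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and int(v) >= n


def at_most(n: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and int(v) <= n


def equals(s: str) -> Callable[[str], bool]:
    return lambda v: v == s


# Hypothetical secure baseline for this CI (illustrative values only).
BASELINE: List[BaselineItem] = [
    BaselineItem("password_min_length", ">= 14", at_least(14)),
    BaselineItem("password_require_special", "yes", equals("yes")),
    BaselineItem("mfa_required", "yes", equals("yes")),
    BaselineItem("inactive_account_disable_days", "<= 35", at_most(35)),
    BaselineItem("session_timeout_minutes", "<= 15", at_most(15)),
    BaselineItem("audit_logon_failures", "yes", equals("yes")),
    BaselineItem("audit_permission_changes", "yes", equals("yes")),
    BaselineItem("service_telnet", "disabled", equals("disabled")),
    BaselineItem("protocol_netbios", "disabled", equals("disabled")),
    BaselineItem("remote_access_protocol", "sshv2", equals("sshv2")),
]

Finding = Tuple[str, str, str]  # (setting, actual value, expected value)


def check_baseline(settings: Dict[str, str],
                   baseline: List[BaselineItem]) -> List[Finding]:
    """Return one finding per baseline item the configuration fails.
    A setting absent from the capture is reported as a deviation as well,
    because the baseline cannot be confirmed for it."""
    findings: List[Finding] = []
    for item in baseline:
        actual: Optional[str] = settings.get(item.key)
        if actual is None or not item.check(actual):
            findings.append((item.key, "<missing>" if actual is None else actual,
                             item.expected))
    return findings


def audit(config_text: str, baseline: List[BaselineItem] = BASELINE) -> List[Finding]:
    """Parse a captured configuration and check it against the baseline."""
    return check_baseline(parse_config(config_text), baseline)


if __name__ == "__main__":
    for key, actual, expected in audit(WEAK_CONFIG):
        print(f"DEVIATION {key}: actual={actual!r}, baseline requires {expected}")
    print(f"hardened host deviations: {len(audit(HARDENED_CONFIG))}")
```

Each `BaselineItem` carries both a machine-checkable predicate and the human-readable requirement, so the same list can feed an automated check and the approved baseline document; treating a missing setting as a deviation rather than a pass is deliberate, since an unconfirmed control is not an implemented one.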
In many cases, organizational policies, in accordance with federal laws, standards, directives, and
orders, establish generally accepted common secure configurations (e.g., National Checklist
Program, DISA STIGs, CIS benchmarks). Configurations identified in the National Checklist
Program Repository^20 as well as SCAP-expressed checklists are a source for establishing

20 NIST [SP 800-70] provides information on the National Checklist Program and Repository. Also see