0% found this document useful (0 votes)

44 views20 pages

ISM - Guidelines For System Hardening (March 2024)

Guideline security australia

Uploaded by

k21mtl

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

44 views20 pages

ISM - Guidelines For System Hardening (March 2024)

Guideline security australia

Uploaded by

k21mtl

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 20

Information Security

Manual
Published: 1 March 2024

Guidelines for System Hardening

Operating system hardening
Operating system selection

When selecting operating systems, it is important that an organisation preferences vendors that have demonstrated a
commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where
possible (such as C#, Go, Java, Ruby, Rust and Swift), secure programming practices, and maintaining the security of their
products. This will assist not only with reducing the potential number of vulnerabilities in operating systems, but also
increasing the likelihood that timely patches, updates or vendor mitigations will be released to remediate any
vulnerabilities that are found.
Control: ISM-1743; Revision: 1; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Operating systems are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-
default principles, use of memory-safe programming languages where possible, secure programming practices, and
maintaining the security of their products.
Operating system releases and versions

Newer releases of operating systems often introduce improvements in security functionality. This can make it more
difficult for malicious actors to craft reliable exploits for vulnerabilities they discover. Using older releases of operating
systems, especially those no longer supported by vendors, may expose an organisation to vulnerabilities or exploitation
techniques that have since been mitigated. In addition, 64-bit versions of operating systems support additional security
functionality that 32-bit versions do not.
Control: ISM-1407; Revision: 5; Updated: Dec-22; Applicability: All; Essential Eight: ML3
The latest release, or the previous release, of operating systems are used.
Control: ISM-1408; Revision: 5; Updated: Dec-22; Applicability: All; Essential Eight: N/A
Where supported, 64-bit versions of operating systems are used.

Standard Operating Environments

Allowing users to setup, configure and maintain their own workstations and servers can result in an inconsistent
operating environment. Such operating environments may assist malicious actors in gaining an initial foothold on
networks due to the higher likelihood of poorly configured or maintained workstations and servers. Conversely, a
Standard Operating Environment (SOE), provided via an automated build process or a golden image, is designed to
facilitate a standardised and consistent operating environment within an organisation.

1
When SOEs are obtained from third parties, such as service providers, there are additional cyber supply chain risks that
should be considered, such as the accidental or deliberate inclusion of malicious code or configurations. To reduce the
likelihood of such occurrences, an organisation should endeavour to obtain their SOEs from trusted third parties while
also scanning them for malicious code and configurations.
As operating environments naturally change over time, such as patches or updates are applied, configurations are
changed, and applications are added or removed, it is essential that SOEs are reviewed and updated at least annually to
ensure that an up-to-date baseline is maintained.
Control: ISM-1406; Revision: 2; Updated: Aug-20; Applicability: All; Essential Eight: N/A
SOEs are used for workstations and servers.
Control: ISM-1608; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
SOEs provided by third parties are scanned for malicious code and configurations.
Control: ISM-1588; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
SOEs are reviewed and updated at least annually.

Hardening operating system configurations

When operating systems are deployed in their default state, or with an unapproved configuration, it can lead to an
insecure operating environment that may allow malicious actors to gain an initial foothold on networks. Many settings
exist within operating systems to allow them to be configured in an approved secure state in order to minimise this
security risk. As such, the Australian Signals Directorate (ASD) and vendors often produce hardening guidance to assist in
hardening the configuration of operating systems. Note, however, in situations where ASD and vendor hardening
guidance conflicts, precedence should be given to implementing the most restrictive guidance.
Control: ISM-1914; Revision: 0; Updated: Mar-24; Applicability: All; Essential Eight: N/A
Approved configurations for operating systems are developed, implemented and maintained.
Control: ISM-1409; Revision: 4; Updated: Dec-23; Applicability: All; Essential Eight: N/A
Operating systems are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking
precedence when conflicts occur.
Control: ISM-0380; Revision: 9; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Unneeded accounts, components, services and functionality of operating systems are disabled or removed.
Control: ISM-0383; Revision: 8; Updated: Dec-22; Applicability: All; Essential Eight: N/A
Default accounts or credentials for operating systems, including for any pre-configured accounts, are changed.
Control: ISM-0341; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Automatic execution features for removable media are disabled.
Control: ISM-1654; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML1, ML2, ML3
Internet Explorer 11 is disabled or removed.
Control: ISM-1655; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
Control: ISM-1492; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Operating system exploit protection functionality is enabled.
Control: ISM-1745; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality is enabled.
Control: ISM-1584; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: N/A
Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems.
Control: ISM-1491; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Unprivileged users are prevented from running script execution engines, including:
 Windows Script Host (cscript.exe and wscript.exe)
 PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
 Command Prompt (cmd.exe)

2
 Windows Management Instrumentation (wmic.exe)
 Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).

Application management

Unprivileged users’ ability to install any application can be exploited by malicious actors using social engineering in order
to convince them to install a malicious application. One way to mitigate this security risk, while also removing burden
from system administrators, is to allow unprivileged users the ability to install approved applications from organisation-
managed software repositories or from trusted application marketplaces. Furthermore, to prevent unprivileged users
from removing security functionality, or breaking system functionality, unprivileged users should not have the ability to
uninstall or disable approved software.
Control: ISM-1592; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Unprivileged users do not have the ability to install unapproved software.
Control: ISM-0382; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Unprivileged users do not have the ability to uninstall or disable approved software.

Application control

Application control can be an effective way to not only prevent malicious code from executing on workstations and
servers, but also to ensure only approved applications can execute. When developing application control rulesets,
determining approved executables (e.g. .exe and .com files), software libraries (e.g. .dll and.ocx files), scripts (e.g. .ps1,
.bat, .cmd, .vbs and .js files), installers (e.g. .msi, .msp and .mst files), compiled HTML (e.g. .chm files), HTML applications
(e.g. .hta files), control panel applets (e.g. .cpl files) and drivers based on business requirements is a more secure method
than simply approving those already residing on a workstation or server. Furthermore, it is preferable that an
organisation defines their own application control rulesets, rather than relying on those from application control
vendors, and validate them on an annual or more frequent basis.
In implementing application control, an organisation should use a reliable method, or combination of methods, such as
cryptographic hash rules, publisher certificate rules or path rules. Depending on the method chosen, further hardening
may be required to ensure that application control mechanisms and application control rulesets cannot be bypassed by
malicious actors.
Finally, centrally logging and analysing application control events can assist in monitoring the security posture of
systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.
Control: ISM-0843; Revision: 9; Updated: Sep-21; Applicability: All; Essential Eight: ML1, ML2, ML3
Application control is implemented on workstations.
Control: ISM-1490; Revision: 3; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Application control is implemented on internet-facing servers.
Control: ISM-1656; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Application control is implemented on non-internet-facing servers.
Control: ISM-1870; Revision: 0; Updated: Sep-23; Applicability: All; Essential Eight: ML1, ML2, ML3
Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email
clients.
Control: ISM-1871; Revision: 0; Updated: Sep-23; Applicability: All; Essential Eight: ML2, ML3
Application control is applied to all locations other than user profiles and temporary folders used by operating systems,
web browsers and email clients.
Control: ISM-1657; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML1, ML2, ML3
Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML
applications and control panel applets to an organisation-approved set.
Control: ISM-1658; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Application control restricts the execution of drivers to an organisation-approved set.
Control: ISM-0955; Revision: 6; Updated: Apr-20; Applicability: All; Essential Eight: N/A
Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules.

3
Control: ISM-1471; Revision: 2; Updated: Apr-20; Applicability: All; Essential Eight: N/A
When implementing application control using publisher certificate rules, both publisher names and product names are
used.
Control: ISM-1392; Revision: 4; Updated: Mar-23; Applicability: All; Essential Eight: N/A
When implementing application control using path rules, only approved users can modify approved files and write to
approved folders.
Control: ISM-1746; Revision: 1; Updated: Mar-23; Applicability: All; Essential Eight: N/A
When implementing application control using path rules, only approved users can change file system permissions for
approved files and folders.
Control: ISM-1544; Revision: 3; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
Microsoft’s recommended application blocklist is implemented.
Control: ISM-1659; Revision: 1; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Microsoft’s vulnerable driver blocklist is implemented.
Control: ISM-1582; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Application control rulesets are validated on an annual or more frequent basis.
Control: ISM-0846; Revision: 8; Updated: Mar-22; Applicability: All; Essential Eight: N/A
All users (with the exception of local administrator accounts and break glass accounts) cannot disable, bypass or be
exempted from application control.
Control: ISM-1660; Revision: 2; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
Allowed and blocked application control events are centrally logged.

Command Shell

The Command shell was the first shell developed by Microsoft to assist with the automation of routine system
administration tasks, such as running Windows Commands via batch scripts. However, the Command shell can also be
used by malicious actors to run Windows Commands on compromised systems. As such, centrally logging and analysing
command line process creation events can assist in monitoring the security posture of systems, detecting malicious
behaviour and contributing to investigations following cyber security incidents.
Control: ISM-1889; Revision: 0; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
Command line process creation events are centrally logged.

PowerShell

PowerShell is a powerful scripting language developed by Microsoft and, due to its ubiquity and ease with which it can
be used to fully control operating systems, is an important part of system administrator toolkits. However, PowerShell
can also be a dangerous exploitation tool in the hands of malicious actors.
In order to prevent attacks leveraging vulnerabilities in earlier PowerShell versions, Windows PowerShell 2.0 should be
disabled or removed from operating systems. Additionally, PowerShell’s language mode should be set to Constrained
Language Mode to achieve a balance between security and functionality.
Finally, centrally logging and analysing PowerShell events can assist in monitoring the security posture of systems,
detecting malicious behaviour and contributing to investigations following cyber security incidents.
Control: ISM-1621; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Windows PowerShell 2.0 is disabled or removed.
Control: ISM-1622; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: ML3
PowerShell is configured to use Constrained Language Mode.
Control: ISM-1623; Revision: 1; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
PowerShell module logging, script block logging and transcription events are centrally logged.
Control: ISM-1624; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
PowerShell script block logs are protected by Protected Event Logging functionality.

4
Host-based Intrusion Prevention System

Many security products rely on signatures to detect malicious code. This approach is only effective when malicious code
has already been profiled and signatures are available from security vendors. Unfortunately, malicious actors can easily
create variants of known malicious code in order to bypass traditional signature-based detection. A Host-based Intrusion
Prevention System (HIPS) can use behaviour-based detection to assist in identifying and blocking anomalous behaviour
as well as detecting malicious code that has yet to be identified by security vendors. As such, it is important that a HIPS is
implemented on workstations, critical servers and high-value servers.
Control: ISM-1341; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
A HIPS is implemented on workstations.
Control: ISM-1034; Revision: 7; Updated: Mar-22; Applicability: All; Essential Eight: N/A
A HIPS is implemented on critical servers and high-value servers.
Software firewall

Traditional network firewalls often fail to prevent the propagation of malicious code on networks, or malicious actors
from exfiltrating data from networks, as they only control which ports or protocols can be used between different
network segments. Many forms of malicious code are designed specifically to take advantage of this by using common
protocols, such as Hypertext Transfer Protocol, Hypertext Transfer Protocol Secure, Simple Mail Transfer Protocol or
Domain Name System. Software firewalls are more effective than traditional network firewalls as they can control which
applications and services can communicate to and from workstations and servers. As such, a software firewall should be
implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-
approved set of applications and services.
Control: ISM-1416; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to
an organisation-approved set of applications and services.

Antivirus software

When vendors develop software, they may make coding mistakes that lead to vulnerabilities. Malicious actors can take
advantage of this by developing malicious code to exploit any vulnerabilities that have not been detected and remedied
by vendors. As significant time and effort is often involved in developing functioning and reliable exploits, malicious
actors will often attempt to reuse their exploits as much as possible. While exploits may have been previously identified
by security vendors, they often remain viable against an organisation that does not have antivirus software in place.
Control: ISM-1417; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Antivirus software is implemented on workstations and servers with:
 signature-based detection functionality enabled and set to a high level
 heuristic-based detection functionality enabled and set to a high level
 reputation rating functionality enabled
 ransomware protection functionality enabled
 detection signatures configured to update on at least a daily basis
 regular scanning configured for all fixed disks and removable media.

Device access control software

Device access control software can be used to prevent removable media and mobile devices from being connected to
workstations and servers via external communication interfaces. This can assist in preventing the introduction of
malicious code or the exfiltration of data by malicious actors.
In addition, malicious actors can connect to locked workstations and servers via external communication interfaces that
allow Direct Memory Access (DMA). In doing so, malicious actors can gain access to encryption keys in memory or write
malicious code to memory. The best defence against this security risk is to disable access to external communication
interfaces that allow DMA, such as FireWire, ExpressCard and Thunderbolt.

5
Control: ISM-1418; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A
If there is no business requirement for reading from removable media and devices, such functionality is disabled via the
use of device access control software or by disabling external communication interfaces.
Control: ISM-0343; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
If there is no business requirement for writing to removable media and devices, such functionality is disabled via the use
of device access control software or by disabling external communication interfaces.
Control: ISM-0345; Revision: 6; Updated: Dec-21; Applicability: All; Essential Eight: N/A
External communication interfaces that allow DMA are disabled.

Operating system event logging

Centrally logging and analysing operating system events can assist in monitoring the security posture of systems,
detecting malicious behaviour and contributing to investigations following cyber security incidents.
Control: ISM-0582; Revision: 8; Updated: Dec-23; Applicability: All; Essential Eight: N/A
The following events are centrally logged for operating systems:
 application and operating system crashes and error messages
 changes to security policies and system configurations
 successful user logons and logoffs, failed user logons and account lockouts
 failures, restarts and changes to important processes and services
 requests to access internet resources
 security product-related events
 system startups and shutdowns.

Further information

Further information on cyber supply chain risk management can be found in the cyber supply chain risk management
section of the Guidelines for Procurement and Outsourcing.
Further information on patching or updating operating systems can be found in the system patching section of the
Guidelines for System Management.
Further information on hardening Microsoft Windows operating systems can be found in ASD’s Hardening Microsoft
Windows 10 version 21H1 Workstations publication and on the Microsoft Security Baselines Blog.
Further information on hardening Linux workstations and servers can be found in ASD’s Hardening Linux Workstations
and Servers publication.
Further information on exploit protection functionality within Microsoft Windows is available from Microsoft.
Further information on implementing application control can be found in ASD’s Implementing Application Control
publication.
Further information on Microsoft’s recommended application blocklist and vulnerable driver blocklist are available from
Microsoft.
Further information on command line process logging is available from Microsoft.
Further information on the use of PowerShell can be found in ASD’s Securing PowerShell in the Enterprise publication.
Further information on the use of PowerShell by blue teams is available from Microsoft while further information on
obtaining greater visibility through PowerShell logging is available from Mandiant.
Further information on independent testing of security products’ ability to detect or prevent various stages of network
intrusions is available from The MITRE Corporation.
Further information on independent testing of antivirus software is available from AV-Comparatives and AV-TEST.
Further information on the use of removable media can be found in the media usage section of the Guidelines for
Media.

6
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for
System Monitoring.

User application hardening

User applications

This section is applicable to applications typically installed on user workstations, such as office productivity suites, web
browsers and their extensions, email clients, Portable Document Format (PDF) software, and security products (e.g.
antivirus software, device access control software, HIPS and software firewalls). Information on server applications can
be found in the server application hardening section of these guidelines.

User application selection

When selecting user applications, it is important that an organisation preferences vendors that have demonstrated a
commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where
possible (such as C#, Go, Java, Ruby, Rust and Swift), secure programming practices, and maintaining the security of their
products. This will assist not only with reducing the potential number of vulnerabilities in user applications, but also
increasing the likelihood that timely patches, updates or vendor mitigations will be released to remediate any
vulnerabilities that are found.
Control: ISM-0938; Revision: 6; Updated: Mar-23; Applicability: All; Essential Eight: N/A
User applications are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-
default principles, use of memory-safe programming languages where possible, secure programming practices, and
maintaining the security of their products.

User application releases

Newer releases of user applications often introduce improvements in security functionality. This can make it more
difficult for malicious actors to craft reliable exploits for vulnerabilities they discover. Using older releases of user
applications, especially those no longer supported by vendors, may expose an organisation to vulnerabilities or
exploitation techniques that have since been mitigated. This is particularly important for office productivity suites, web
browsers and their extensions, email clients, PDF software, and security products.
Control: ISM-1467; Revision: 3; Updated: Mar-22; Applicability: All; Essential Eight: N/A
The latest release of office productivity suites, web browsers and their extensions, email clients, PDF software, and
security products are used.

Hardening user application configurations

When user applications are deployed in their default state, or with an unapproved configuration, it can lead to an
insecure operating environment that may allow malicious actors to gain an initial foothold on networks. This can be
especially risky for office productivity suites, web browsers and their extensions, email clients, PDF software, and security
products as such applications are routinely targeted for exploitation. Many settings exist within such applications to
allow them to be configured in an approved secure state in order to minimise this security risk. As such, ASD and vendors
often produce hardening guidance to assist in hardening the configuration of these applications. Note, however, in
situations where ASD and vendor hardening guidance conflicts, precedence should be given to implementing the most
restrictive guidance.
Control: ISM-1915; Revision: 0; Updated: Mar-24; Applicability: All; Essential Eight: N/A
Approved configurations for user applications are developed, implemented and maintained.
Control: ISM-1806; Revision: 1; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Default accounts or credentials for user applications, including for any pre-configured accounts, are changed.
Control: ISM-1470; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software
and security products are disabled or removed.
Control: ISM-1235; Revision: 4; Updated: Mar-22; Applicability: All; Essential Eight: N/A

7
Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clients, PDF software and security
products are restricted to an organisation-approved set.
Control: ISM-1667; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Microsoft Office is blocked from creating child processes.
Control: ISM-1668; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Microsoft Office is blocked from creating executable content.
Control: ISM-1669; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Microsoft Office is blocked from injecting code into other processes.
Control: ISM-1542; Revision: 0; Updated: Jan-19; Applicability: All; Essential Eight: ML2, ML3
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
Control: ISM-1859; Revision: 2; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance
taking precedence when conflicts occur.
Control: ISM-1823; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: ML2, ML3
Office productivity suite security settings cannot be changed by users.
Control: ISM-1486; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML1, ML2, ML3
Web browsers do not process Java from the internet.
Control: ISM-1485; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML1, ML2, ML3
Web browsers do not process web advertisements from the internet.
Control: ISM-1412; Revision: 6; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking
precedence when conflicts occur.
Control: ISM-1585; Revision: 2; Updated: Mar-23; Applicability: All; Essential Eight: ML1, ML2, ML3
Web browser security settings cannot be changed by users.
Control: ISM-1670; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
PDF software is blocked from creating child processes.
Control: ISM-1860; Revision: 2; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking
precedence when conflicts occur.
Control: ISM-1824; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: ML2, ML3
PDF software security settings cannot be changed by users.
Control: ISM-1601; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Microsoft’s attack surface reduction rules are implemented.
Control: ISM-1748; Revision: 1; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Email client security settings cannot be changed by users.
Control: ISM-1825; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Security product security settings cannot be changed by users.

Microsoft Office macros

Microsoft Office files can contain embedded code, known as a macro, written in the Visual Basic for Applications
programming language. A macro can contain a series of commands that can be coded or recorded and replayed at a later
time to automate repetitive tasks. Macros are powerful tools that can be easily created by users to greatly improve their
productivity. However, malicious actors can also create macros to perform a variety of malicious activities, such as
assisting to compromise workstations in order to exfiltrate or deny access to data. To reduce this security risk, an
organisation should disable Microsoft Office macros for users that do not have a demonstrated business requirement
and secure their use for the remaining users that do.
Finally, centrally logging and analysing Microsoft Office macro events can assist in monitoring the security posture of
systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.

8
Control: ISM-1671; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML1, ML2, ML3
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
Control: ISM-1488; Revision: 1; Updated: Sep-21; Applicability: All; Essential Eight: ML1, ML2, ML3
Microsoft Office macros in files originating from the internet are blocked.
Control: ISM-1672; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML1, ML2, ML3
Microsoft Office macro antivirus scanning is enabled.
Control: ISM-1673; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Microsoft Office macros are blocked from making Win32 API calls.
Control: ISM-1674; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally
signed by a trusted publisher are allowed to execute.
Control: ISM-1890; Revision: 0; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed
within Trusted Locations.
Control: ISM-1487; Revision: 2; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and
modify content within Trusted Locations.
Control: ISM-1675; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage
View.
Control: ISM-1891; Revision: 0; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or
Backstage View.
Control: ISM-1676; Revision: 0; Updated: Sep-21; Applicability: All; Essential Eight: ML3
Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.
Control: ISM-1489; Revision: 0; Updated: Sep-18; Applicability: All; Essential Eight: ML1, ML2, ML3
Microsoft Office macro security settings cannot be changed by users.
Control: ISM-1677; Revision: 2; Updated: Dec-23; Applicability: All; Essential Eight: N/A
Allowed and blocked Microsoft Office macro execution events are centrally logged.

Further information

9
Further information on configuring Microsoft Office macro settings can be found in ASD’s Restricting Microsoft Office
Macros publication.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for
System Monitoring.

Server application hardening

Server applications

This section is applicable to applications associated with specific server functionality, such as Microsoft Active Directory
Domain Services (AD DS), database management system software, email server software and web hosting software.
Information on user applications can be found in the user application hardening section of these guidelines.

Server application selection

When selecting server applications, it is important that an organisation preferences vendors that have demonstrated a
commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where
possible (such as C#, Go, Java, Ruby, Rust and Swift), secure programming practices, and maintaining the security of their
products. This will assist not only with reducing the potential number of vulnerabilities in server applications, but also
increasing the likelihood that timely patches, updates or vendor mitigations will be released to remediate any
vulnerabilities that are found.
Control: ISM-1826; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Server applications are chosen from vendors that have demonstrated a commitment to secure-by-design and secure-by-
default principles, use of memory-safe programming languages where possible, secure programming practices, and
maintaining the security of their products.

Server application releases

Newer releases of server applications often introduce improvements in security functionality. This can make it more
difficult for malicious actors to craft reliable exploits for vulnerabilities they discover. Using older releases of server
applications, especially those no longer supported by vendors, may expose an organisation to vulnerabilities or
exploitation techniques that have since been mitigated. This is particularly important for internet-facing server
applications, such as web hosting software.
Control: ISM-1483; Revision: 2; Updated: Mar-23; Applicability: All; Essential Eight: N/A
The latest release of internet-facing server applications are used.

Hardening server application configurations

When server applications are deployed in their default state, or with an unapproved configuration, it can lead to an
insecure operating environment that may allow malicious actors to gain an initial foothold on networks. This can be
especially risky for server applications as such applications are routinely targeted for exploitation. Many settings exist
within server applications to allow them to be configured in an approved secure state in order to minimise this security
risk. As such, ASD and vendors often produce hardening guidance to assist in hardening the configuration of server
applications. Note, however, in situations where ASD and vendor hardening guidance conflicts, precedence should be
given to implementing the most restrictive guidance.
Control: ISM-1916; Revision: 0; Updated: Mar-24; Applicability: All; Essential Eight: N/A
Approved configurations for server applications are developed, implemented and maintained.
Control: ISM-1246; Revision: 6; Updated: Dec-23; Applicability: All; Essential Eight: N/A
Server applications are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking
precedence when conflicts occur.
Control: ISM-1260; Revision: 4; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Default accounts or credentials for server applications, including for any pre-configured accounts, are changed.
Control: ISM-1247; Revision: 4; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Unneeded accounts, components, services and functionality of server applications are disabled or removed.

10
Control: ISM-1245; Revision: 3; Updated: Mar-23; Applicability: All; Essential Eight: N/A
All temporary installation files and logs created during server application installation processes are removed after server
applications have been installed.
Restricting privileges for server applications

If a server application operating as a local administrator or root account is compromised by malicious actors, it can
present a significant security risk to the underlying server. In addition, server applications by default are often capable of
widely accessing their underlying server’s file system. Therefore, restricting the ability of server applications to access
their underlying server’s file system can limit damage should malicious actors compromise the server application.
Control: ISM-1249; Revision: 3; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Server applications are configured to run as a separate account with the minimum privileges needed to perform their
functions.
Control: ISM-1250; Revision: 2; Updated: Mar-23; Applicability: All; Essential Eight: N/A
The accounts under which server applications run have limited access to their underlying server’s file system.

Microsoft Active Directory Domain Services domain controllers

Microsoft AD DS domain controllers hold sensitive data for systems, such as hashed credentials for all user accounts. As
such, particular care should be taken to secure these servers. This can be achieved by hardening their configuration while
using dedicated domain administrator user accounts exclusively for their administration. In doing so, technical controls
should ensure these dedicated domain administrator user accounts cannot be used to connect to or administer other
systems.
Finally, centrally logging and analysing security-related events for Microsoft AD DS can assist in monitoring the security
posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.
Control: ISM-1827; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Microsoft AD DS domain controllers are administered using dedicated domain administrator user accounts that are not
used to administer other systems.
Control: ISM-1828; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
The Print Spooler service is disabled on Microsoft AD DS domain controllers.
Control: ISM-1829; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Passwords and cpasswords are not used in Group Policy Preferences.
Control: ISM-1830; Revision: 1; Updated: Dec-23; Applicability: All; Essential Eight: N/A
Security-related events for Microsoft AD DS are centrally logged.

Microsoft Active Directory Domain Services account hardening

Misconfigured user accounts within Microsoft AD DS can pose a significant threat to the security of a system. For
example, when malicious actors are able to obtain credentials for a user account, along with associated system access,
they may further compromise the system by querying Microsoft AD DS in order to assist with gaining an understanding
of the environment, moving laterally through the network and escalating privileges by compromising privileged accounts.
Furthermore, malicious actors with this level of access can become difficult to detect and remove, as they may not need
to use exploits for vulnerabilities to achieve their goals. Malicious activities performed by compromised user accounts
may also appear very similar to legitimate system activities.
Control: ISM-1832; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Only service accounts and computer accounts are configured with Service Principal Names (SPNs).
Control: ISM-1833; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Service accounts are provisioned with the minimum privileges required and are not members of the domain
administrators group or similar highly privileged groups.
Control: ISM-1834; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Duplicate SPNs do not exist within the domain.
Control: ISM-1835; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Privileged user accounts are configured as sensitive and cannot be delegated.

11
Control: ISM-1836; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
User accounts require Kerberos pre-authentication.
Control: ISM-1837; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
User accounts are not configured with password never expires or password not required.
Control: ISM-1838; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
The UserPassword attribute for user accounts is not used.
Control: ISM-1839; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Account properties accessible by unprivileged users are not used to store passwords.
Control: ISM-1840; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
User account passwords do not use reversible encryption.
Control: ISM-1841; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Unprivileged user accounts cannot add machines to the domain.
Control: ISM-1842; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Dedicated service accounts are used to add machines to the domain.
Control: ISM-1843; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
User accounts with unconstrained delegation are reviewed at least annually, and those without an associated Kerberos
SPN or demonstrated business requirement are removed.
Control: ISM-1844; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Computer accounts that are not Microsoft AD DS domain controllers are not trusted for delegation to services.

Microsoft Active Directory Domain Services security group memberships

Microsoft AD DS contains a number of built-in security groups that have elevated permissions or deliberately relaxed
security policies. These security groups are often required for a specific purpose; however, overuse or inappropriate use
may allow malicious actors to more easily move laterally throughout a network or escalate their privileges. Privileged
security groups in particular should be limited to the smallest set of possible users to limit malicious actors’ opportunities
for privilege escalation.
Control: ISM-1620; Revision: 1; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Privileged user accounts are members of the Protected Users security group.
Control: ISM-1845; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
When a user account is disabled, it is removed from all security group memberships.
Control: ISM-1846; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
The Pre-Windows 2000 Compatible Access security group does not contain user accounts.

Further information

12
Further information on email servers can be found in the email gateways and servers section of the Guidelines for Email.

Authentication hardening
Account and authentication types

The guidance within this section is equally applicable to all account types unless specified otherwise. This includes
unprivileged accounts, privileged accounts, break glass accounts and service accounts. In addition, the guidance is
equally applicable to interactive authentication and non-interactive authentication.

Authenticating to systems

Before access to a system and its resources is granted to a user, it is essential that they are authenticated. This can be
achieved via multi-factor authentication, such as a username along with a passphrase and security key, or less preferably
via single-factor authentication, such as a username and a passphrase.
Control: ISM-1546; Revision: 0; Updated: Aug-19; Applicability: All; Essential Eight: N/A
Users are authenticated before they are granted access to a system and its resources.

Insecure authentication methods

Authentication methods need to resist theft, interception, duplication, forgery, unauthorised access and unauthorised
modification. For example, Local Area Network (LAN) Manager and NT LAN Manager authentication methods use weak
hashing algorithms. As such, credentials used as part of LAN Manager authentication and NT LAN Manager
authentication (i.e. NTLMv1, NTLMv2 and NTLM2) can easily be compromised. Instead, an organisation should use
Kerberos for authentication within Microsoft Windows environments.
Control: ISM-1603; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
Authentication methods susceptible to replay attacks are disabled.
Control: ISM-1055; Revision: 4; Updated: Oct-20; Applicability: All; Essential Eight: N/A
LAN Manager and NT LAN Manager authentication methods are disabled.

Multi-factor authentication

Multi-factor authentication uses two or more different authentication factors. This may include:
 something users know, such as a memorised secret (i.e. personal identification number, password or passphrase)
 something users have, such as a security key, smart card, passkey, smartphone or one-time password token
 something users are, such as a fingerprint pattern or their facial geometry.
Users of online services, privileged users of systems and users with access to data repositories are more likely to be
targeted by malicious actors due to their access. For this reason, it is especially important that multi-factor
authentication is used for these accounts. In addition, multi-factor authentication is vital to any administrative activities
as it can limit the consequences of a compromise by preventing or slowing malicious actors’ ability to gain unrestricted
access to assets. In this regard, multi-factor authentication can be implemented as part of jump server authentication
where assets being administered do not support multi-factor authentication themselves.
When implementing multi-factor authentication, several different authentication factors can be implemented.
Unfortunately, some authentication factors, such as biometrics or codes sent via Short Message Service, Voice over
Internet Protocol or email, are more susceptible to compromise than others. For this reason, authentication factors that
involve something users have should be used with something users know. Alternatively, something users have that is
unlocked by something users know or are (often known as passwordless multi-factor authentication) can be used.
Furthermore, for increased security, the use of phishing-resistant multi-factor authentication is recommended to protect
against real-time phishing attacks.
Finally, centrally logging and analysing multi-factor authentication events can assist in monitoring the security posture of
systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.
Control: ISM-1504; Revision: 3; Updated: Dec-23; Applicability: All; Essential Eight: ML1, ML2, ML3

13
Multi-factor authentication is used to authenticate users to their organisation’s online services that process, store or
communicate their organisation’s sensitive data.
Control: ISM-1679; Revision: 1; Updated: Sep-23; Applicability: All; Essential Eight: ML1, ML2, ML3
Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate
their organisation’s sensitive data.
Control: ISM-1680; Revision: 1; Updated: Sep-23; Applicability: All; Essential Eight: ML1, ML2, ML3
Multi-factor authentication (where available) is used to authenticate users to third-party online services that process,
store or communicate their organisation’s non-sensitive data.
Control: ISM-1892; Revision: 0; Updated: Dec-23; Applicability: All; Essential Eight: ML1, ML2, ML3
Multi-factor authentication is used to authenticate users to their organisation’s online customer services that process,
store or communicate their organisation’s sensitive customer data.
Control: ISM-1893; Revision: 0; Updated: Dec-23; Applicability: All; Essential Eight: ML1, ML2, ML3
Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or
communicate their organisation’s sensitive customer data.
Control: ISM-1681; Revision: 3; Updated: Dec-23; Applicability: All; Essential Eight: ML1, ML2, ML3
Multi-factor authentication is used to authenticate customers to online customer services that process, store or
communicate sensitive customer data.
Control: ISM-1173; Revision: 4; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Multi-factor authentication is used to authenticate privileged users of systems.
Control: ISM-0974; Revision: 6; Updated: Sep-21; Applicability: All; Essential Eight: ML2, ML3
Multi-factor authentication is used to authenticate unprivileged users of systems.
Control: ISM-1505; Revision: 3; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Multi-factor authentication is used to authenticate users of data repositories.
Control: ISM-1401; Revision: 5; Updated: Sep-21; Applicability: All; Essential Eight: ML1, ML2, ML3
Multi-factor authentication uses either: something users have and something users know, or something users have that is
unlocked by something users know or are.
Control: ISM-1872; Revision: 1; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
Multi-factor authentication used for authenticating users of online services is phishing-resistant.
Control: ISM-1873; Revision: 1; Updated: Dec-23; Applicability: All; Essential Eight: ML2
Multi-factor authentication used for authenticating customers of online customer services provides a phishing-resistant
option.
Control: ISM-1874; Revision: 1; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.
Control: ISM-1682; Revision: 3; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
Multi-factor authentication used for authenticating users of systems is phishing-resistant.
Control: ISM-1894; Revision: 0; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Multi-factor authentication used for authenticating users of data repositories is phishing-resistant.
Control: ISM-1559; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Memorised secrets used for multi-factor authentication are a minimum of 6 characters, unless more stringent
requirements apply.
Control: ISM-1560; Revision: 2; Updated: Mar-22; Applicability: S; Essential Eight: N/A
Memorised secrets used for multi-factor authentication on SECRET systems are a minimum of 8 characters.
Control: ISM-1561; Revision: 2; Updated: Mar-22; Applicability: TS; Essential Eight: N/A
Memorised secrets used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.
Control: ISM-1683; Revision: 2; Updated: Dec-23; Applicability: All; Essential Eight: ML2, ML3
Successful and unsuccessful multi-factor authentication events are centrally logged.

14
Single-factor authentication

A significant threat to the compromise of accounts is credential cracking tools. When malicious actors gain access to a list
of usernames and hashed credentials from a system, they can attempt to recover username and credential pairs by
comparing the hashes of known credentials with the hashed credentials they have gained access to. By finding a match
malicious actors will know the credential associated with a given username.
In order to reduce this security risk, an organisation should implement multi-factor authentication. Note, while single-
factor authentication is no longer considered suitable for protecting sensitive or classified systems, it may not be possible
to implement multi-factor authentication on some systems. In such cases, an organisation will need to increase the time
on average it takes malicious actors to compromise a credential by continuing to increase its length over time. Such
increases in length can be balanced against useability through the use of passphrases rather than passwords. In cases
where systems do not support passphrases, and as an absolute last resort, the strongest password length and complexity
supported by a system will need to be implemented.
Finally, centrally logging and analysing single-factor authentication events can assist in monitoring the security posture of
systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.
Control: ISM-0417; Revision: 5; Updated: Oct-19; Applicability: All; Essential Eight: N/A
When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented
instead.
Control: ISM-0421; Revision: 8; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14
characters, unless more stringent requirements apply.
Control: ISM-1557; Revision: 2; Updated: Dec-21; Applicability: S; Essential Eight: N/A
Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum
length of 17 characters.
Control: ISM-0422; Revision: 8; Updated: Dec-21; Applicability: TS; Essential Eight: N/A
Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total
minimum length of 20 characters.
Control: ISM-1558; Revision: 2; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Passphrases used for single-factor authentication are not a list of categorised words; do not form a real sentence in a
natural language; and are not constructed from song lyrics, movies, literature or any other publicly available material.
Control: ISM-1895; Revision: 0; Updated: Dec-23; Applicability: All; Essential Eight: N/A
Successful and unsuccessful single-factor authentication events are centrally logged.

Setting credentials for user accounts

Before new credentials are issued for user accounts, it is important that users provide sufficient evidence to verify their
identity, such as by users physically presenting themselves and their pass to a service desk or by answering a set of
challenge-response questions. Following the verification of user identity, credentials should be randomly generated and
provided to users via a secure communications channel or, if not possible, split into two parts with one part provided to
users and the other part provided to supervisors. Subsequently, users should reset their credentials on first use to ensure
that they are not known by other parties.
Control: ISM-1593; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Users provide sufficient evidence to verify their identity when requesting new credentials.
Control: ISM-1227; Revision: 5; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Credentials set for user accounts are randomly generated.
Control: ISM-1594; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Credentials are provided to users via a secure communications channel or, if not possible, split into two parts with one
part provided to users and the other part provided to supervisors.
Control: ISM-1595; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Credentials provided to users are changed on first use.
Control: ISM-1596; Revision: 2; Updated: Dec-22; Applicability: All; Essential Eight: N/A

15
Credentials, in the form of memorised secrets, are not reused by users across different systems.

Setting credentials for break glass accounts, local administrator accounts and service accounts

When break glass accounts, local administrator accounts and service accounts use common usernames or weak
credentials, it may allow malicious actors that compromises credentials on one workstation or server to easily
compromise other workstations and servers. As such, it is critical that credentials for break glass accounts, local
administrator accounts and service accounts are long, unique, unpredictable and managed.
To provide additional security and credential management functionality for service accounts, Microsoft introduced group
Managed Service Accounts to Microsoft Windows Server. In doing so, service accounts that are created as group
Managed Service Accounts do not require manual credential management by system administrators, as the operating
system automatically ensures that they are long, unique, unpredictable and managed. This ensures that service account
credentials are secure, not misplaced or forgotten, and that they are automatically changed on a regular basis. However,
in cases where the use of group Managed Service Accounts is not possible, credentials for service accounts should still be
unique and unpredictable with a minimum length of 30 characters.
Control: ISM-1685; Revision: 2; Updated: Jun-23; Applicability: All; Essential Eight: ML2, ML3
Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable
and managed.
Control: ISM-1795; Revision: 1; Updated: Jun-23; Applicability: All; Essential Eight: N/A
Credentials for break glass accounts, local administrator accounts and service accounts are a minimum of 30 characters.
Control: ISM-1619; Revision: 0; Updated: Oct-20; Applicability: All; Essential Eight: N/A
Service accounts are created as group Managed Service Accounts.

Changing credentials

Generally, credentials should not need to be changed on a frequent basis. However, some events may necessitate the
requirement for individual accounts, or groups of accounts, to change their credentials. This can include credentials
being compromised (such as appearing in an online data breach database), being suspected of being compromised (such
as when malicious actors gain access to a network), being discovered stored on networks in the clear, being transferred
across networks in the clear, when membership of shared accounts change and if they have not been changed in the
past 12 months.
Control: ISM-1590; Revision: 2; Updated: Jun-23; Applicability: All; Essential Eight: N/A
Credentials are changed if:
 they are compromised
 they are suspected of being compromised
 they are discovered stored on networks in the clear
 they are discovered being transferred across networks in the clear
 membership of a shared account changes
 they have not been changed in the past 12 months.
Control: ISM-1847; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
Credentials for the Kerberos Key Distribution Center’s service account (KRBTGT) are changed twice, allowing for
replication to all Microsoft Active Directory Domain Services domain controllers in-between each change, if:
 the domain has been directly compromised
 the domain is suspected of being compromised
 they have not been changed in the past 12 months.

Protecting credentials

Written down credentials (e.g. memorised secrets), and dedicated devices that store or generate credentials (e.g.
security keys, smart cards and one-time password tokens), when kept together with systems they are used to
authenticate to can increase the likelihood of malicious actors gaining unauthorised access to systems. For example,

16
when smart cards are left on desks, one-time password tokens are left in laptop computer bags, security keys are left
connected to computers or passphrases are written down and stuck to computer monitors. Furthermore, obscuring
credentials as they are entered into systems can assist in protecting them against screen scrapers and shoulder surfers.
When using Microsoft Windows systems, memory integrity, Local Security Authority protection, Credential Guard and
Remote Credential Guard functionality, all preferably with a Unified Extensible Firmware Interface (UEFI) lock, can be
enabled to provide additional protection for credentials. In addition, malicious actors that have access to systems may
attempt to steal cached credentials. To reduce this security risk, cached credentials should be limited to only one
previous logon.
If storing credentials on systems, sufficient protection should be implemented to prevent them from being
compromised. For example, credentials can be stored in a password manager or hardware security module, while
credentials stored in a database should be hashed, salted and stretched. Coupled with this, an organisation should
regularly scan their systems to detect and remediate any credentials that are being stored in an unprotected manner,
such as in the clear in documents, on network file shares or in other data repositories.
Control: ISM-0418; Revision: 6; Updated: Dec-22; Applicability: All; Essential Eight: N/A
Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication
activities.
Control: ISM-1597; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
Credentials are obscured as they are entered into systems.
Control: ISM-1896; Revision: 0; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Memory integrity functionality is enabled.
Control: ISM-1861; Revision: 2; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Local Security Authority protection functionality is enabled.
Control: ISM-1686; Revision: 1; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Credential Guard functionality is enabled.
Control: ISM-1897; Revision: 0; Updated: Dec-23; Applicability: All; Essential Eight: ML3
Remote Credential Guard functionality is enabled.
Control: ISM-1749; Revision: 0; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Cached credentials are limited to one previous logon.
Control: ISM-1402; Revision: 6; Updated: Mar-22; Applicability: All; Essential Eight: N/A
Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing
and stretching them before storage within a database.
Control: ISM-1875; Revision: 0; Updated: Sep-23; Applicability: All; Essential Eight: N/A
Networks are scanned at least monthly to identify any credentials that are being stored in the clear.

Account lockouts

Locking an account after a specified number of failed logon attempts reduces the likelihood of successful forms of brute-
force attacks, such as credential guessing attacks, credential spraying attacks and credential stuffing attacks by malicious
actors. However, care should be taken as implementing account lockout functionality can increase the likelihood of a
denial of service. Alternatively, some systems can be configured to automatically slowdown repeated failed logon
attempts (known as rate limiting) rather than locking accounts. Implementing multi-factor authentication is also an
effective way of reducing the likelihood of successful credential spraying attacks.
Control: ISM-1403; Revision: 3; Updated: Jun-23; Applicability: All; Essential Eight: N/A
Accounts, except for break glass accounts, are locked out after a maximum of five failed logon attempts.

Session termination

Implementing measures to terminate user sessions and restart workstations on a daily basis, outside of business hours
and after an appropriate period of inactivity, can assist in both system maintenance activities as well as removing
malicious actors that may have compromised a system but failed to gain persistence.
Control: ISM-0853; Revision: 3; Updated: Sep-22; Applicability: All; Essential Eight: N/A

17
On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and
workstations are restarted.

Session and screen locking

Session and screen locking prevents unauthorised access to a system which a user has already authenticated to.
Control: ISM-0428; Revision: 9; Updated: Dec-22; Applicability: All; Essential Eight: N/A
Systems are configured with a session or screen lock that:
 activates after a maximum of 15 minutes of user inactivity, or if manually activated by users
 conceals all session content on the screen
 ensures that the screen does not enter a power saving state before the session or screen lock is activated
 requires users to authenticate to unlock the session
 denies users the ability to disable the session or screen locking mechanism.
Logon banner

Displaying a logon banner to users each time they logon to systems can act as a way of reminding users of their security
responsibilities. Logon banners may cover topics such as:
 the sensitivity or classification of the system
 access requirements for the system
 usage policies for the system and its resources
 details of any monitoring activities for the system.
Control: ISM-0408; Revision: 5; Updated: Sep-23; Applicability: All; Essential Eight: N/A
Systems have a logon banner that reminds users of their security responsibilities when accessing the system and its
resources.

Further information

Further information on cyber supply chain risk management can be found in the cyber supply chain risk management
section of the Guidelines for Procurement and Outsourcing.
Further information on implementing multi-factor authentication can be found in ASD’s Implementing Multi-Factor
Authentication publication.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for
System Monitoring.
Further information on randomly generating passphrases (preferably using five dice rolls and a long word list) is available
from the Electronic Frontier Foundation while a random dice roller is available from RANDOM.ORG.
Further information on group Managed Service Accounts in Microsoft Windows Server is available from Microsoft.
Further information on changing credentials for the Kerberos Key Distribution Center’s service account can be found in
Microsoft’s Active Directory accounts and Active Directory Forest Recovery - Reset the krbtgt password publications. A
script for changing credentials for this service account is also available from Microsoft.
Further information memory integrity functionality is available from Microsoft.
Further information on Local Security Authority protection functionality is available from Microsoft.
Further information on Credential Guard functionality and Remote Credential Guard functionality is available from
Microsoft.
Further information on mitigating the use of stolen credentials can be found in ASD’s Mitigating the Use of Stolen
Credentials publication.
Further information on mitigating the use of stolen credentials can also be found in Microsoft’s Mitigating Pass-the-
Hash (PtH) Attacks and Other Credential Theft Techniques, Version 1 and 2 publication.

18
Virtualisation hardening
Hypervisors

This section is applicable to both Type 1 hypervisors (those that run on bare metal) and Type 2 hypervisors (those that
run on top of a general-purpose operating system). In doing so, Type 1 hypervisors should be treated as operating
systems while Type 2 hypervisors should be treated as applications. Note, as Type 1 hypervisors are themselves
lightweight operating systems, they can be treated as a combination of both a software-based isolation mechanism and
an underlying operating system. Conversely, Type 2 hypervisors will run on top of a general-purpose operating system
that may be provided by a different vendor to that of the software-isolation mechanism.

Containerisation

Containers allow for versatile deployment of systems and, in doing so, should be treated the same as any other system.
However, controls in a containerised environment may take a different form when compared to other types of systems.
For example, patching the operating system of a workstation may be performed differently to ensuring that a patched
image is used for a container, however, the principle is the same. In general, the same security risks that apply to non-
containerised systems will likely apply to containerised systems.

Functional separation between computing environments

Physical servers often use a software-based isolation mechanism to share their hardware among multiple computing
environments. In doing so, a computing environment could consist of an entire operating system installed in a virtual
machine where the isolation mechanism is a hypervisor, such as cloud services providing Infrastructure as a Service, or
alternatively, a computing environment could consist of an application which uses the shared kernel of the underlying
operating system of the physical server where the isolation mechanism is an application container or application
sandbox, such as cloud services providing Platform as a Service. Note, however, the logical separation of data within a
single application, such as cloud services providing Software as a Service, is not considered to be the same as multiple
computing environments.
Malicious actors who have compromised a single computing environment, or who legitimately control a single
computing environment, might exploit a misconfiguration or vulnerability in the isolation mechanism to compromise
other computing environments on the same physical server or compromise the underlying operating system of the
physical server. As such, it is important that additional controls are implemented when a software-based isolation
mechanism is used to share a physical server’s hardware.
Control: ISM-1460; Revision: 4; Updated: Mar-23; Applicability: All; Essential Eight: N/A
When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from
a vendor that has demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe
programming languages where possible, secure programming practices, and maintaining the security of their products.
Control: ISM-1604; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
When using a software-based isolation mechanism to share a physical server’s hardware, the configuration of the
isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative
interface used to manage the isolation mechanism.
Control: ISM-1605; Revision: 1; Updated: Mar-22; Applicability: All; Essential Eight: N/A
When using a software-based isolation mechanism to share a physical server’s hardware, the underlying operating
system is hardened.
Control: ISM-1606; Revision: 2; Updated: Sep-23; Applicability: All; Essential Eight: N/A
When using a software-based isolation mechanism to share a physical server’s hardware, patches, updates or vendor
mitigations for vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely
manner.
Control: ISM-1848; Revision: 0; Updated: Mar-23; Applicability: All; Essential Eight: N/A
When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism or
underlying operating system is replaced when it is no longer supported by a vendor.
Control: ISM-1607; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A

19
When using a software-based isolation mechanism to share a physical server’s hardware, integrity and log monitoring
are performed for the isolation mechanism and underlying operating system in a timely manner.
Control: ISM-1461; Revision: 5; Updated: Mar-22; Applicability: S, TS; Essential Eight: N/A
When using a software-based isolation mechanism to share a physical server’s hardware for SECRET or TOP SECRET
computing environments, the physical server and all computing environments are of the same classification and belong to
the same security domain.
Further information

Further information on container security can be found in National Institute of Standards and Technology Special
Publication 800-190, Application Container Security Guide.
Further information on cyber supply chain risk management can be found in the cyber supply chain risk management
section of the Guidelines for Procurement and Outsourcing.
Further information on the use of cloud services can be found in the managed services and cloud services section of the
Guidelines for Procurement and Outsourcing.
Further information on hardening operating systems can be found in the operating system hardening section of these
guidelines.
Further information on patching or updating operating systems and applications can be found in the system patching
section of the Guidelines for System Management.
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for
System Monitoring.
Further information on hypervisor security can be found in National Institute of Standards and Technology Special
Publication 800-125A Rev. 1, Security Recommendations for Server-based Hypervisor Platforms.

Accelerated MacOS Core Dump Analysis
No ratings yet
Accelerated MacOS Core Dump Analysis
250 pages
29 FD 74
No ratings yet
29 FD 74
23 pages
Intro To Python Till Strings
100% (1)
Intro To Python Till Strings
114 pages
OrionNPMAdministratorGuide PDF
No ratings yet
OrionNPMAdministratorGuide PDF
495 pages
Clock Angle Problem
No ratings yet
Clock Angle Problem
3 pages
SQL Windows
No ratings yet
SQL Windows
424 pages
Windows Security - Trusted Computing Technologies
No ratings yet
Windows Security - Trusted Computing Technologies
35 pages
Network Element Icons
No ratings yet
Network Element Icons
8 pages
Monitoring & Automation Improvements
No ratings yet
Monitoring & Automation Improvements
10 pages
Hardening Document Sample1
No ratings yet
Hardening Document Sample1
28 pages
MMS2017 SCCM SQL Optimal Performance v05
No ratings yet
MMS2017 SCCM SQL Optimal Performance v05
64 pages
BP 2009 Metro Availability PDF
No ratings yet
BP 2009 Metro Availability PDF
66 pages
XenDesktop KT Checklist
No ratings yet
XenDesktop KT Checklist
21 pages
Eibel, Goeran - Citrix XenDesktop & XenApp 7.7 - 7.8 - Plan-Build-Run Reference Guide (2016, Books On Demand) - Libgen - Li
No ratings yet
Eibel, Goeran - Citrix XenDesktop & XenApp 7.7 - 7.8 - Plan-Build-Run Reference Guide (2016, Books On Demand) - Libgen - Li
1,039 pages
ASSHU Handbook - 2025 Term1 - Secondary 13-1-25 E-Version
No ratings yet
ASSHU Handbook - 2025 Term1 - Secondary 13-1-25 E-Version
8 pages
ITT320 Chapter 7-10
No ratings yet
ITT320 Chapter 7-10
86 pages
Reference Architecture: Lenovo Client Virtualization With Citrix Xendesktop
No ratings yet
Reference Architecture: Lenovo Client Virtualization With Citrix Xendesktop
74 pages
Setup A Kiosk With Ubuntu and Chromium - O'Brien Labs
No ratings yet
Setup A Kiosk With Ubuntu and Chromium - O'Brien Labs
15 pages
Nutanix On HPE DX-TechData-Partner-29th-Apri-2020
No ratings yet
Nutanix On HPE DX-TechData-Partner-29th-Apri-2020
43 pages
CWS 252 1I en InstructorExerciseWorkbook 4 5 Days v01
No ratings yet
CWS 252 1I en InstructorExerciseWorkbook 4 5 Days v01
281 pages
Practical Performance Profiling
No ratings yet
Practical Performance Profiling
562 pages
Moogsoft at A Glance
No ratings yet
Moogsoft at A Glance
2 pages
ODBP Voting System Security Requirements 080423
No ratings yet
ODBP Voting System Security Requirements 080423
11 pages
Gorakhpur Center: Ministry of Electronics & Information Technology (Meity), Government of India
No ratings yet
Gorakhpur Center: Ministry of Electronics & Information Technology (Meity), Government of India
33 pages
MD 100 - 21 05 21
No ratings yet
MD 100 - 21 05 21
361 pages
NSX-T 3.1 LB Encyclopedia-V1.3
No ratings yet
NSX-T 3.1 LB Encyclopedia-V1.3
195 pages
Unified Computing: Data Center Systems Engineer
No ratings yet
Unified Computing: Data Center Systems Engineer
34 pages
Accounting Research Method:: Types of Research According To Category
No ratings yet
Accounting Research Method:: Types of Research According To Category
15 pages
The Ultimate Golden Image Automation GuideV2
No ratings yet
The Ultimate Golden Image Automation GuideV2
37 pages
Vsphere Esxi Vcenter Server 652 Host Management Guide PDF
No ratings yet
Vsphere Esxi Vcenter Server 652 Host Management Guide PDF
190 pages
CWS-215-2I - 15 - Citrix Analytics - v2.04
No ratings yet
CWS-215-2I - 15 - Citrix Analytics - v2.04
39 pages
Lab Answer Key - Module 2 - Working With The Pipeline
No ratings yet
Lab Answer Key - Module 2 - Working With The Pipeline
19 pages
Citrix Virtual Desktop Handbook: Xendesktop 7.X
No ratings yet
Citrix Virtual Desktop Handbook: Xendesktop 7.X
141 pages
Vsphere Esxi Vcenter Server 702 Host Management Guide
No ratings yet
Vsphere Esxi Vcenter Server 702 Host Management Guide
215 pages
Common SQL Queries
No ratings yet
Common SQL Queries
91 pages
25TB04
No ratings yet
25TB04
74 pages
Vsphere Esxi Vcenter Server 651 Platform Services Controller Administration Guide
No ratings yet
Vsphere Esxi Vcenter Server 651 Platform Services Controller Administration Guide
182 pages
Monitor IIS: How To
No ratings yet
Monitor IIS: How To
20 pages
XD7 - Blueprint - v4
No ratings yet
XD7 - Blueprint - v4
20 pages
MD 101
No ratings yet
MD 101
68 pages
CWS-215-2I 00 Overview v2.12
No ratings yet
CWS-215-2I 00 Overview v2.12
52 pages
Guide Lab Cloud
No ratings yet
Guide Lab Cloud
115 pages
Windows Hardening Checklist
No ratings yet
Windows Hardening Checklist
4 pages
5684 - Carolina Conduit Systems, Inc. Unity Park FINAL SIGNED AGREE 5684 PDF - Redacted
No ratings yet
5684 - Carolina Conduit Systems, Inc. Unity Park FINAL SIGNED AGREE 5684 PDF - Redacted
246 pages
Bài tập Anh 8 Global Lưu Hoàng Trí 12. UNIT 12. LIFE ON OTHER PLANETS
No ratings yet
Bài tập Anh 8 Global Lưu Hoàng Trí 12. UNIT 12. LIFE ON OTHER PLANETS
15 pages
Mcafee Application and Change Control 8.3.x - Windows Product Guide 6-13-2022
No ratings yet
Mcafee Application and Change Control 8.3.x - Windows Product Guide 6-13-2022
271 pages
PDF Nf102 Nutanix Ahv Basics
No ratings yet
PDF Nf102 Nutanix Ahv Basics
22 pages
Information Security With Nutanix PDF
No ratings yet
Information Security With Nutanix PDF
22 pages
CNS 222 3I en StudentManual 4 5 Days v01
No ratings yet
CNS 222 3I en StudentManual 4 5 Days v01
348 pages
Veiled Sex in Ball Games
No ratings yet
Veiled Sex in Ball Games
16 pages
Weekly Wonders - Villainous Archetypes Volume IV
No ratings yet
Weekly Wonders - Villainous Archetypes Volume IV
8 pages
Integrating Netscaler With Microsoft Azure Active Directory
No ratings yet
Integrating Netscaler With Microsoft Azure Active Directory
25 pages
Sewing Pants Trousers EC73-491 Menswear Fly Front Zipper
No ratings yet
Sewing Pants Trousers EC73-491 Menswear Fly Front Zipper
12 pages
Q:E:C Method of Notetaking
No ratings yet
Q:E:C Method of Notetaking
3 pages
HookPoint Deck
No ratings yet
HookPoint Deck
57 pages
Talent Management Unit 3
No ratings yet
Talent Management Unit 3
16 pages
Nutanix Flow: Nutanix Tech Note Version 1.2 - June 2020 - TN-2094
No ratings yet
Nutanix Flow: Nutanix Tech Note Version 1.2 - June 2020 - TN-2094
55 pages
TA3 - GA - Unit 2
No ratings yet
TA3 - GA - Unit 2
35 pages
Perform Post-Installation Configuration of Windows Server
No ratings yet
Perform Post-Installation Configuration of Windows Server
20 pages
SEWING Sleeves
100% (2)
SEWING Sleeves
4 pages
Anti-Virus Comparative: Performance Test
No ratings yet
Anti-Virus Comparative: Performance Test
12 pages
Unit 7 - Study and Work
No ratings yet
Unit 7 - Study and Work
6 pages
Tasks Infographic
No ratings yet
Tasks Infographic
7 pages
Citrix or VDI Handbook - WINDOWS System-1
No ratings yet
Citrix or VDI Handbook - WINDOWS System-1
39 pages
AppSense Application Manager Administration Guide
No ratings yet
AppSense Application Manager Administration Guide
107 pages
Exercise LMT
No ratings yet
Exercise LMT
4 pages
Android Event Scheduler Reminder Application
No ratings yet
Android Event Scheduler Reminder Application
4 pages
Citrix WHITEPAPER XD Enterprise Design White Paper
No ratings yet
Citrix WHITEPAPER XD Enterprise Design White Paper
42 pages
Harley Griesbach Resume
No ratings yet
Harley Griesbach Resume
2 pages
ITT FutureStateTechPlaybookForWebpage
No ratings yet
ITT FutureStateTechPlaybookForWebpage
131 pages
Level 1 Unit 1 Reading Comprehension & Writing Worksheet Reading Comprehension Unit 1
No ratings yet
Level 1 Unit 1 Reading Comprehension & Writing Worksheet Reading Comprehension Unit 1
7 pages
Troubleshooting OSD Configuration Manager
No ratings yet
Troubleshooting OSD Configuration Manager
21 pages
PGP/PGM500: Service Manual
No ratings yet
PGP/PGM500: Service Manual
20 pages
TN Nutanix Calm
No ratings yet
TN Nutanix Calm
23 pages
BP 2071 AHV Networking
No ratings yet
BP 2071 AHV Networking
48 pages
HP 1 Steel
No ratings yet
HP 1 Steel
4 pages
BOOK of CXD 200 Xendesktop 7.5 Managing
No ratings yet
BOOK of CXD 200 Xendesktop 7.5 Managing
89 pages
Lesson 2 - Economics As Social Science
No ratings yet
Lesson 2 - Economics As Social Science
27 pages
Practicum Report Basic Physics Swing Simple 1
No ratings yet
Practicum Report Basic Physics Swing Simple 1
7 pages
I Acr 2013 Poster Buenosaires Final
No ratings yet
I Acr 2013 Poster Buenosaires Final
1 page
CEFR Indicators - Master - A1-C2 - CEF Indicators - Share
No ratings yet
CEFR Indicators - Master - A1-C2 - CEF Indicators - Share
75 pages
Nom & Prenom Matricule Cnss Nombre de Jours Travailles
No ratings yet
Nom & Prenom Matricule Cnss Nombre de Jours Travailles
7 pages
Top 10 Best Practices For Windows 10 OSD With ConfigMgr
No ratings yet
Top 10 Best Practices For Windows 10 OSD With ConfigMgr
22 pages
A Guide To Deep Learning and Neural Networks
No ratings yet
A Guide To Deep Learning and Neural Networks
15 pages
Data Foundation For Spectrum Fusion Level 1 Quiz - Attempt Review
No ratings yet
Data Foundation For Spectrum Fusion Level 1 Quiz - Attempt Review
26 pages
Microsoft - Examcollectionpremium.70 416.v2015!10!15.by - Rabz.90q
No ratings yet
Microsoft - Examcollectionpremium.70 416.v2015!10!15.by - Rabz.90q
85 pages
Failure Analysis of An Onshore Pipeline in Petroleum Industry
No ratings yet
Failure Analysis of An Onshore Pipeline in Petroleum Industry
9 pages
Moldflow
No ratings yet
Moldflow
12 pages
Implementing NetScaler VPX™ - Second Edition
From Everand
Implementing NetScaler VPX™ - Second Edition
Sandbu Marius
No ratings yet
AppDynamics Third Edition
From Everand
AppDynamics Third Edition
Gerardus Blokdyk
No ratings yet

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

ISM - Guidelines For System Hardening (March 2024)

Uploaded by

ISM - Guidelines For System Hardening (March 2024)

Uploaded by

Information Security

Guidelines for System Hardening

Standard Operating Environments

Hardening operating system configurations

Device access control software

Operating system event logging

User application hardening

User application selection

User application releases

Hardening user application configurations

Microsoft Office macros

Server application hardening

Server application selection

Server application releases

Hardening server application configurations

Microsoft Active Directory Domain Services domain controllers

Microsoft Active Directory Domain Services account hardening

Microsoft Active Directory Domain Services security group memberships

Insecure authentication methods

Setting credentials for user accounts

Session and screen locking

Functional separation between computing environments

You might also like

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.