# 2. Secure Configuration

The goal of this control is to ensure devices are properly configured with secure settings.

This control expects organisations to:

* Actively manage computers and network devices by:
  * Removing and disabling unnecessary user accounts.
  * Changing default and weak passwords.
  * Removing or disabling any unnecessary applications, system utilities, and network services.
  * Disabling auto-run features which allow file execution without user authorisation (such as files downloaded from the Internet).
  * Authenticating users before allowing them access to organisational data or services.
  * Activating device locking controls to protect against unauthorised physical access.
* Implement device unlocking credentials such as:
  * Protecting devices with a password, PIN, or biometric test.
  * Protecting passwords, PINs, and biometric tests from brute-forcing by:
    * Configuring wait times between attempts. These should allow no more than 10 guesses in 5 minutes.
    * Locking devices after no more than 10 unsuccessful attempts.
  * Mandating a minimum length of 6 characters where passwords or PINs are used as the sole method of unlocking a device.
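As an added illustration (not part of the control text), the following Python models the two brute-force protections above for a single device: an escalating wait between attempts and a lockout after 10 unsuccessful attempts, plus a check that the wait schedule admits no more than 10 guesses in 5 minutes from a fresh device. The `WAIT_SCHEDULE` values and the `UnlockGuard` class are assumptions chosen for the example, not figures from the control.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 5 * 60          # "no more than 10 guesses in 5 minutes"
MAX_GUESSES_PER_WINDOW = 10
MAX_FAILURES_BEFORE_LOCK = 10    # "lock after no more than 10 unsuccessful attempts"

# Assumed escalating wait (seconds) imposed after the n-th consecutive failure;
# failures beyond the end of the list reuse the last value.
WAIT_SCHEDULE = [0, 0, 0, 0, 30, 60, 120, 240, 300]


def wait_after(failures: int) -> int:
    """Seconds the device refuses further guesses after `failures` consecutive bad ones."""
    if failures <= 0:
        return 0
    return WAIT_SCHEDULE[min(failures, len(WAIT_SCHEDULE)) - 1]


@dataclass
class UnlockGuard:
    """Per-device state for PIN/password unlock attempts (assumed design)."""
    consecutive_failures: int = 0
    next_allowed_at: float = 0.0
    locked: bool = False

    def attempt(self, now: float, correct: bool) -> str:
        """Process one unlock attempt; returns 'ok', 'locked', 'wait' or 'rejected'."""
        if self.locked:
            return "locked"
        if now < self.next_allowed_at:
            return "wait"            # guess is not evaluated during the wait period
        if correct:
            self.consecutive_failures = 0
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_FAILURES_BEFORE_LOCK:
            self.locked = True
            return "locked"
        self.next_allowed_at = now + wait_after(self.consecutive_failures)
        return "rejected"


def max_guesses_in_window(window: int = WINDOW_SECONDS) -> int:
    """Count how many wrong guesses a fresh device evaluates within `window` seconds
    when each guess is made as soon as the wait period allows."""
    guard, now, evaluated = UnlockGuard(), 0.0, 0
    while now < window and not guard.locked:
        guard.attempt(now, correct=False)
        evaluated += 1
        now = guard.next_allowed_at
    return evaluated


def policy_meets_control() -> bool:
    """True if the wait schedule satisfies the 10-guesses-in-5-minutes limit."""
    return max_guesses_in_window() <= MAX_GUESSES_PER_WINDOW
```

With the assumed schedule a fresh device evaluates 8 wrong guesses in the first 5 minutes, and the 10th consecutive failure locks it regardless of timing.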
