2. Secure Configuration

The goal of this control is to ensure devices are properly configured with secure settings.

This control expects organisations to:

  • Actively manage computers and network devices by:

    • Removing and disabling unnecessary user accounts.

    • Changing default and weak passwords.

    • Removing or disabling any unnecessary applications, system utilities, and network services.

    • Disabling auto-run features which allow file execution without user authorisation (such as when they are downloaded from the Internet).

    • Authenticating users before allowing them access to organisational data or services.

    • Activating device locking controls to protect against unauthorised physical access.

  • Implement device unlocking credentials such as:

    • Protecting devices with a password, PIN, or biometric test.

    • Protecting passwords, PINs, and biometric tests from brute-forcing by:

      • Configuring wait times between attempts. These should allow no more than 10 guesses in 5 minutes.

      • Locking devices after no more than 10 unsuccessful attempts.

    • Mandating a minimum length of 6 characters where passwords or PINs are used as the sole method of unlocking a device.
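As an added example that is not part of this page, the three unlock thresholds above (no more than 10 guesses in 5 minutes, lock after 10 unsuccessful attempts, minimum length of 6) modelled as the attempt-handling logic a device would run. The class and function names, the result strings and the explicit clock parameter are my assumptions, not from the control text.

```python
import hmac
from collections import deque
from dataclasses import dataclass, field

MAX_GUESSES_PER_WINDOW = 10   # "no more than 10 guesses in 5 minutes"
WINDOW_SECONDS = 5 * 60
LOCK_AFTER_FAILURES = 10      # "lock after no more than 10 unsuccessful attempts"
MIN_SECRET_LENGTH = 6         # sole-factor password/PIN minimum


def secret_length_ok(secret: str) -> bool:
    """Minimum-length check for a password or PIN used as the only unlock factor."""
    return len(secret) >= MIN_SECRET_LENGTH


@dataclass
class UnlockGuard:
    """Throttles and locks unlock attempts. State must be persisted by the caller,
    otherwise a reboot would silently reset the counters (hypothetical design)."""
    correct_secret: str
    recent: deque = field(default_factory=deque)   # timestamps of evaluated attempts
    consecutive_failures: int = 0
    locked: bool = False

    def __post_init__(self) -> None:
        if not secret_length_ok(self.correct_secret):
            raise ValueError(f"secret shorter than {MIN_SECRET_LENGTH} characters")

    def attempt(self, candidate: str, now: float) -> str:
        """Evaluate one attempt at time `now` (seconds; production code would pass
        time.monotonic()). Returns 'locked', 'throttled', 'denied' or 'granted'."""
        if self.locked:
            return "locked"
        # Sliding window: forget attempts that are at least WINDOW_SECONDS old.
        while self.recent and now - self.recent[0] >= WINDOW_SECONDS:
            self.recent.popleft()
        # Rate limit: the candidate is not even compared once the window is full,
        # so throttled attempts cannot be used to probe the secret.
        if len(self.recent) >= MAX_GUESSES_PER_WINDOW:
            return "throttled"
        self.recent.append(now)
        # Constant-time comparison so timing does not leak how much of the secret matched.
        if hmac.compare_digest(candidate.encode(), self.correct_secret.encode()):
            self.consecutive_failures = 0
            return "granted"
        self.consecutive_failures += 1
        if self.consecutive_failures >= LOCK_AFTER_FAILURES:
            self.locked = True          # lock on the 10th consecutive failure
            return "locked"
        return "denied"
```

A success resets the consecutive-failure counter but still counts toward the 5-minute window, so the two controls are independent: one bounds guessing speed, the other bounds total failures.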
