2. Secure Configuration

The goal of this control is to ensure devices are properly configured with secure settings.

This control expects organisations to:

• Actively manage computers and network devices by:

  • Removing and disabling unnecessary user accounts.

  • Changing default and weak passwords.

  • Removing or disabling any unnecessary applications, system utilities, and network services.

  • Disabling auto-run features which allow file execution without user authorisation (such as when they are downloaded from the Internet).

  • Authenticating users before allowing them access to organisational data or services.

  • Activating device locking controls to protect against unauthorised physical access.

• Implementing device unlocking credentials such as:

  • Protecting devices with a password, PIN, or biometric test.

  • Protecting passwords, PINS, and biometric tests from brute-forcing by:

    • Configuring wait times between attempts. These should allow no more than 10 guesses in 5 minutes.

    • Locking devices after no more than 10 unsuccessful attempts.

  • Mandating a minimum length of 6 characters where passwords or PINs are used as the sole method of unlocking a device.