System Hardening

Server and Application Infrastructure Not Shared

Description: IT services run in their own virtual environments, so that vulnerabilities in one service cannot give access to other services. This includes not hosting multiple websites on the same webserver unless they...

Service Hardening

Description: Services run under their own account with minimal necessary privileges. Only necessary services run on production servers, and are only accessible to necessary interfaces using host-based firewalls. All...

Default Passwords changed

Description: Default passwords on any piece of hardware or software are changed before deployment. Specification: Universal and/or default passwords must not be used. For existing systems that have built-in default...

Unintended Information Disclosure

Description: Applications and services are configured to not display information that is unnecessary. Functionality is designed and configured to prevent enumeration of information. Specification: Information that should not be enumerable...

Hardening Validation

Description: IT systems have standard configurations that follow recommended hardening guidelines. Before new systems are taken into production, they are tested for adherence to the hardening guidelines. The standard...

Baseline configuration

Description: Document a security configuration baseline for the system based on current best practices from vendors and desired functionality. The baseline must be updated at least annually. Use this baseline...