Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards.


CONTROL ID
07621
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure Kerberos pre-authentication to organizational standards., CC ID: 16480
  • Configure time-based user access restrictions in accordance with organizational standards., CC ID: 16436
  • Configure "MFA Delete" to organizational standards., CC ID: 15430
  • Configure Identity and Access Management policies to organizational standards., CC ID: 15422
  • Configure the Identity and Access Management Access analyzer to organizational standards., CC ID: 15420
  • Configure "Support device authentication using certificate" to organizational standards., CC ID: 15410
  • Install LAPS AdmPwd GPO Extension, as necessary., CC ID: 15409
  • Configure "Require pin for pairing" to organizational standards., CC ID: 15395
  • Configure "Do not allow password expiration time longer than required by policy" to organizational standards., CC ID: 15390
  • Configure "Enable Local Admin Password Management" to organizational standards., CC ID: 15387
  • Configure "Allow Microsoft accounts to be optional" to organizational standards., CC ID: 15368
  • Configure "Turn off picture password sign-in" to organizational standards., CC ID: 15347
  • Configure "Enable insecure guest logons" to organizational standards., CC ID: 15344
  • Configure the "cert-expiry" argument to organizational standards., CC ID: 14541
  • Configure "client certificate authentication" to organizational standards., CC ID: 14608
  • Configure the "client certificate bundles" to organizational standards., CC ID: 14518
  • Configure the "external-server-cert" argument to organizational standards., CC ID: 14522
  • Configure the "Network Security: Restrict NTLM: Incoming NTLM traffic" to organizational standards., CC ID: 07622
  • Configure the "Network Security: Allow PKU2U authentication requests to this computer to use online identities" to organizational standards., CC ID: 07638
  • Configure the "Interactive logon: Require Domain Controller authentication to unlock workstation" to organizational standards., CC ID: 07639
  • Configure the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to organizational standards., CC ID: 07663
  • Configure the "Maximum password age" to organizational standards., CC ID: 07688
  • Configure the "Network Security: Restrict NTLM: Add server exceptions in this domain" to organizational standards., CC ID: 07693
  • Configure "Accounts: Limit local account use of blank passwords to console logon only" to organizational standards., CC ID: 07697
  • Configure the "Minimum password length" to organizational standards., CC ID: 07711
  • Configure the "Microsoft network server: Server SPN target name validation level" to organizational standards., CC ID: 07714
  • Configure the "Network Security: Restrict NTLM: Audit Incoming NTLM Traffic" to organizational standards., CC ID: 07730
  • Configure the "Domain member: Maximum machine account password age" to organizational standards., CC ID: 07737
  • Configure the "Password must meet complexity requirements" to organizational standards., CC ID: 07743
  • Configure the "Service Account Tokens" to organizational standards., CC ID: 14646
  • Configure the "Interactive logon: Require smart card" to organizational standards., CC ID: 07753
  • Configure the "System cryptography: Force strong key protection for user keys stored on the computer" to organizational standards., CC ID: 07763
  • Configure the "rotate" argument to organizational standards., CC ID: 14548
  • Configure the "Network Security: Restrict NTLM: Audit NTLM authentication in this domain" to organizational standards., CC ID: 07769
  • Configure the "Domain controller: Refuse machine account password changes" to organizational standards., CC ID: 07827
  • Configure the "Store passwords using reversible encryption" to organizational standards., CC ID: 07829
  • Configure the "Network security: Allow Local System to use computer identity for NTLM" to organizational standards., CC ID: 07830
  • Configure the "Interactive logon: Prompt user to change password before expiration" to organizational standards., CC ID: 07844
  • Configure the "Network Security: Restrict NTLM: NTLM authentication in this domain" to organizational standards., CC ID: 07859
  • Configure the "Enforce password history" to organizational standards., CC ID: 07877
  • Configure the "Domain member: Disable machine account password changes" to organizational standards., CC ID: 07883
  • Configure the "Interactive logon: Smart card removal behavior" to organizational standards., CC ID: 07884
  • Configure the "Logon options" to organizational standards., CC ID: 07917
  • Configure the "Prevent ignoring certificate errors" to organizational standards., CC ID: 07924
  • Configure the "Turn off Encryption Support" to organizational standards., CC ID: 08028
  • Configure the "Disable changing certificate settings" to organizational standards., CC ID: 08042
  • Configure the "Check for server certificate revocation" to organizational standards., CC ID: 08120
  • Configure the "Do not allow passwords to be saved" to organizational standards., CC ID: 08178
  • Configure the "RPC Endpoint Mapper Client Authentication" to organizational standards., CC ID: 08202
  • Configure the "Restrictions for Unauthenticated RPC clients" to organizational standards., CC ID: 08240
  • Configure the "Maximum lifetime for user ticket renewal" to organizational standards., CC ID: 08257
  • Configure the "System objects: Default owner for objects created by members of the Administrators group" to organizational standards., CC ID: 08269
  • Configure the "Enforce user logon restrictions" to organizational standards., CC ID: 08274
  • Configure the "Require a Password When a Computer Wakes (Plugged In)" to organizational standards., CC ID: 08404
  • Configure the "Configure login authentication for POP3" to organizational standards., CC ID: 08413
  • Configure the "Turn on PIN sign-in" to organizational standards., CC ID: 08415
  • Configure the "Interactive logon: Machine account lockout threshold" to organizational standards., CC ID: 08419
  • Configure the "Allow the use of biometrics" to organizational standards., CC ID: 08435
  • Configure the "Configure login authentication for IMAP4" to organizational standards., CC ID: 08443
  • Configure the "Allow simple passwords" to organizational standards., CC ID: 08476
  • Configure the "Require a Password When a Computer Wakes (On Battery)" to organizational standards., CC ID: 08487
  • Configure the "Require password" to organizational standards., CC ID: 08511
  • Configure the "Time without user input before password must be re-entered" to organizational standards., CC ID: 08518
  • Configure the "Allow basic authentication" to organizational standards., CC ID: 08522
  • Configure the "External send connector authentication: Domain Security" to organizational standards., CC ID: 08527
  • Configure the "External send connector authentication: Ignore Start TLS" to organizational standards., CC ID: 08530
  • Configure the "Turn on Basic feed authentication over HTTP" to organizational standards., CC ID: 08548
  • Configure the "Number of attempts allowed" to organizational standards., CC ID: 08569
  • Configure the "Password Expiration" to organizational standards., CC ID: 08576
  • Configure the "External send connector authentication: DNS Routing" to organizational standards., CC ID: 08579
  • Configure the "Require alphanumeric password" to organizational standards., CC ID: 08582
  • Configure the "Allow access to voicemail without requiring a PIN" to organizational standards., CC ID: 08585
  • Configure the "Require Client Certificates" to organizational standards., CC ID: 08597
  • Configure the "Disallow Digest authentication" to organizational standards., CC ID: 08602
  • Configure the "Accounts: Block Microsoft accounts" to organizational standards., CC ID: 08613


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The PMK caching period is not set to greater than 1440 minutes (24 hours). (Control: ISM-1330; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication is enabled by default for an organisation's non-organisational users (but users can choose to opt out) if they authenticate to the organisation's internet-facing services. (Control: ISM-1681; Revision: 1, Australian Government Information Security Manual, June 2023)
  • The PMK caching period is not set to greater than 1440 minutes (24 hours). (Control: ISM-1330; Revision: 1, Australian Government Information Security Manual, June 2024)
  • The PMK caching period is not set to greater than 1440 minutes (24 hours). (Control: ISM-1330; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Multi-factor authentication is used by default to authenticate users to online customer services that process, store or communicate sensitive data, however, users may choose to opt out. (Control: ISM-1681; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Verify that renewal instructions are sent with sufficient time to renew time bound authenticators. (2.3.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application gives the option to terminate all other active sessions after a successful password change (including change via password reset/recovery), and that this is effective across the application, federated login (if present), and any relying parties. (3.3.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • function properly with periodic authenticator change/refresh operation; and (5.7.1 ¶ 1 (c), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • If self-signed certificates are used instead of a PKI, the certificate subject itself signed its certificate, thus there never is a trusted third-party or CA. This should be compensated by deploying the self-signed public key certificates to all peers that need to validate them via an otherwise secu… (5.11.2 ¶ 3, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Use of device certificates per Section 5.13.7.3 Device Certificates (§ 5.13.7.2.1 ¶ 4 Bullet 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Create a wireless network password (Pre-shared key) (§ 5.13.1.4 ¶ 2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Create a wireless network password (Pre-shared key) (§ 5.13.1.4 ¶ 2 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Enable user authentication and encryption mechanisms for the management interface of the AP. (§ 5.13.1.1 ¶ 2 5., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Use of device certificates per Section 5.13.7.3 Device Certificates (§ 5.13.7.2.1 ¶ 4 Bullet 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Are configured for local device authentication (see Section 5.13.7.1). (§ 5.13.3 ¶ 1 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The statement in the configuration file (usually found at /etc/named.conf for BIND running on UNIX) that describes a TSIG key (key name [ID], signing algorithm, and key string) should not directly contain the key string. When the key string is found in the configuration file, the risk of key comprom… (DOMAIN NAME SYSTEM SECURITY SECURE DNS TRANSACTIONS: ¶ 7, Guideline 662G1: Systems Security, 662G1-00)