Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards.
CONTROL ID 07621
CONTROL TYPE Configuration
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain system hardening procedures., CC ID: 12001
This Control has the following implementation support Control(s):
Configure Kerberos pre-authentication to organizational standards., CC ID: 16480
Configure time-based user access restrictions in accordance with organizational standards., CC ID: 16436
Configure "MFA Delete" to organizational standards., CC ID: 15430
Configure Identity and Access Management policies to organizational standards., CC ID: 15422
Configure the Identity and Access Management Access analyzer to organizational standards., CC ID: 15420
Configure "Support device authentication using certificate" to organizational standards., CC ID: 15410
Install LAPS AdmPwd GPO Extension, as necessary., CC ID: 15409
Configure "Require pin for pairing" to organizational standards., CC ID: 15395
Configure "Do not allow password expiration time longer than required by policy" to organizational standards., CC ID: 15390
Configure "Enable Local Admin Password Management" to organizational standards., CC ID: 15387
Configure "Allow Microsoft accounts to be optional" to organizational standards., CC ID: 15368
Configure "Turn off picture password sign-in" to organizational standards., CC ID: 15347
Configure "Enable insecure guest logons" to organizational standards., CC ID: 15344
Configure the "cert-expiry" argument to organizational standards., CC ID: 14541
Configure "client certificate authentication" to organizational standards., CC ID: 14608
Configure the "client certificate bundles" to organizational standards., CC ID: 14518
Configure the "external-server-cert" argument to organizational standards., CC ID: 14522
Configure the "Network Security: Restrict NTLM: Incoming NTLM traffic" to organizational standards., CC ID: 07622
Configure the "Network Security: Allow PKU2U authentication requests to this computer to use online identities" to organizational standards., CC ID: 07638
Configure the "Interactive logon: Require Domain Controller authentication to unlock workstation" to organizational standards., CC ID: 07639
Configure the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to organizational standards., CC ID: 07663
Configure the "Maximum password age" to organizational standards., CC ID: 07688
Configure the "Network Security: Restrict NTLM: Add server exceptions in this domain" to organizational standards., CC ID: 07693
Configure "Accounts: Limit local account use of blank passwords to console logon only" to organizational standards., CC ID: 07697
Configure the "Minimum password length" to organizational standards., CC ID: 07711
Configure the "Microsoft network server: Server SPN target name validation level" to organizational standards., CC ID: 07714
Configure the "Network Security: Restrict NTLM: Audit Incoming NTLM Traffic" to organizational standards., CC ID: 07730
Configure the "Domain member: Maximum machine account password age" to organizational standards., CC ID: 07737
Configure the "Password must meet complexity requirements" to organizational standards., CC ID: 07743
Configure the "Service Account Tokens" to organizational standards., CC ID: 14646
Configure the "Interactive logon: Require smart card" to organizational standards., CC ID: 07753
Configure the "System cryptography: Force strong key protection for user keys stored on the computer" to organizational standards., CC ID: 07763
Configure the "rotate" argument to organizational standards., CC ID: 14548
Configure the "Network Security: Restrict NTLM: Audit NTLM authentication in this domain" to organizational standards., CC ID: 07769
Configure the "Domain controller: Refuse machine account password changes" to organizational standards., CC ID: 07827
Configure the "Store passwords using reversible encryption" to organizational standards., CC ID: 07829
Configure the "Network security: Allow Local System to use computer identity for NTLM" to organizational standards., CC ID: 07830
Configure the "Interactive logon: Prompt user to change password before expiration" to organizational standards., CC ID: 07844
Configure the "Network Security: Restrict NTLM: NTLM authentication in this domain" to organizational standards., CC ID: 07859
Configure the "Enforce password history" to organizational standards., CC ID: 07877
Configure the "Domain member: Disable machine account password changes" to organizational standards., CC ID: 07883
Configure the "Interactive logon: Smart card removal behavior" to organizational standards., CC ID: 07884
Configure the "Logon options" to organizational standards., CC ID: 07917
Configure the "Prevent ignoring certificate errors" to organizational standards., CC ID: 07924
Configure the "Turn off Encryption Support" to organizational standards., CC ID: 08028
Configure the "Disable changing certificate settings" to organizational standards., CC ID: 08042
Configure the "Check for server certificate revocation" to organizational standards., CC ID: 08120
Configure the "Do not allow passwords to be saved" to organizational standards., CC ID: 08178
Configure the "RPC Endpoint Mapper Client Authentication" to organizational standards., CC ID: 08202
Configure the "Restrictions for Unauthenticated RPC clients" to organizational standards., CC ID: 08240
Configure the "Maximum lifetime for user ticket renewal" to organizational standards., CC ID: 08257
Configure the "System objects: Default owner for objects created by members of the Administrators group" to organizational standards., CC ID: 08269
Configure the "Enforce user logon restrictions" to organizational standards., CC ID: 08274
Configure the "Require a Password When a Computer Wakes (Plugged In)" to organizational standards., CC ID: 08404
Configure the "Configure login authentication for POP3" to organizational standards., CC ID: 08413
Configure the "Turn on PIN sign-in" to organizational standards., CC ID: 08415
Configure the "Interactive logon: Machine account lockout threshold" to organizational standards., CC ID: 08419
Configure the "Allow the use of biometrics" to organizational standards., CC ID: 08435
Configure the "Configure login authentication for IMAP4" to organizational standards., CC ID: 08443
Configure the "Allow simple passwords" to organizational standards., CC ID: 08476
Configure the "Require a Password When a Computer Wakes (On Battery)" to organizational standards., CC ID: 08487
Configure the "Require password" to organizational standards., CC ID: 08511
Configure the "Time without user input before password must be re-entered" to organizational standards., CC ID: 08518
Configure the "Allow basic authentication" to organizational standards., CC ID: 08522
Configure the "External send connector authentication: Domain Security" to organizational standards., CC ID: 08527
Configure the "External send connector authentication: Ignore Start TLS" to organizational standards., CC ID: 08530
Configure the "Turn on Basic feed authentication over HTTP" to organizational standards., CC ID: 08548
Configure the "Number of attempts allowed" to organizational standards., CC ID: 08569
Configure the "Password Expiration" to organizational standards., CC ID: 08576
Configure the "External send connector authentication: DNS Routing" to organizational standards., CC ID: 08579
Configure the "Require alphanumeric password" to organizational standards., CC ID: 08582
Configure the "Allow access to voicemail without requiring a PIN" to organizational standards., CC ID: 08585
Configure the "Require Client Certificates" to organizational standards., CC ID: 08597
Configure the "Disallow Digest authentication" to organizational standards., CC ID: 08602
Configure the "Accounts: Block Microsoft accounts" to organizational standards., CC ID: 08613
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
The PMK caching period is not set to greater than 1440 minutes (24 hours). (Control: ISM-1330; Revision: 1, Australian Government Information Security Manual, June 2023)
Multi-factor authentication is enabled by default for an organisation's non-organisational users (but users can choose to opt out) if they authenticate to the organisation's internet-facing services. (Control: ISM-1681; Revision: 1, Australian Government Information Security Manual, June 2023)
The PMK caching period is not set to greater than 1440 minutes (24 hours). (Control: ISM-1330; Revision: 1, Australian Government Information Security Manual, June 2024)
The PMK caching period is not set to greater than 1440 minutes (24 hours). (Control: ISM-1330; Revision: 1, Australian Government Information Security Manual, September 2023)
Multi-factor authentication is used by default to authenticate users to online customer services that process, store or communicate sensitive data, however, users may choose to opt out. (Control: ISM-1681; Revision: 2, Australian Government Information Security Manual, September 2023)
Verify that renewal instructions are sent with sufficient time to renew time bound authenticators. (2.3.3, Application Security Verification Standard 4.0.3, 4.0.3)
Verify that the application gives the option to terminate all other active sessions after a successful password change (including change via password reset/recovery), and that this is effective across the application, federated login (if present), and any relying parties. (3.3.3, Application Security Verification Standard 4.0.3, 4.0.3)
function properly with periodic authenticator change/refresh operation; and (5.7.1 ¶ 1 (c), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
If self-signed certificates are used instead of a PKI, the certificate subject itself signed its certificate, thus there never is a trusted third-party or CA. This should be compensated by deploying the self-signed public key certificates to all peers that need to validate them via an otherwise secu… (5.11.2 ¶ 3, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
Use of device certificates per Section 5.13.7.3 Device Certificates (§ 5.13.7.2.1 ¶ 4 Bullet 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
Create a wireless network password (Pre-shared key) (§ 5.13.1.4 ¶ 2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
Create a wireless network password (Pre-shared key) (§ 5.13.1.4 ¶ 2 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
Enable user authentication and encryption mechanisms for the management interface of the AP. (§ 5.13.1.1 ¶ 2 5., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
Use of device certificates per Section 5.13.7.3 Device Certificates (§ 5.13.7.2.1 ¶ 4 Bullet 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
Are configured for local device authentication (see Section 5.13.7.1). (§ 5.13.3 ¶ 1 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
The statement in the configuration file (usually found at /etc/named.conf for BIND running on UNIX) that describes a TSIG key (key name [ID], signing algorithm, and key string) should not directly contain the key string. When the key string is found in the configuration file, the risk of key comprom… (DOMAIN NAME SYSTEM SECURITY SECURE DNS TRANSACTIONS: ¶ 7, Guideline 662G1: Systems Security, 662G1-00)
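The BIND/TSIG item above describes a configuration technique rather than a policy point, so here is an added example (not from this page or from Guideline 662G1) showing both forms: a named.conf that carries the TSIG secret inline, and the hardened layout where named.conf only includes a separate key file with restrictive permissions. The key name "transfer-key", the zone, the directory layout and the secret itself are constructed for the demo; the script assumes only a POSIX sh with grep, find and mktemp, not a BIND install. Note that "type primary" is the BIND 9.16+ spelling; older releases use "type master".

```shell
#!/bin/sh
# Added example (not from the page or from Guideline 662G1): keep a BIND TSIG
# secret out of named.conf, and the two checks a reviewer would run.
# Key name, paths and the secret are constructed for this demo.

# Constructed, non-production secret. On a host with BIND installed, generate
# a real one with: tsig-keygen -a hmac-sha256 transfer-key
DEMO_SECRET='q9eEbVXZZnL8Zq1qYd3m5s2H6s4c0Ff3o8ZQ6d3cNfA='

# Weak form: the key string lives inside named.conf itself, so anyone who can
# read the main configuration (backups, config management repos, tickets)
# also learns the secret. Written only so the check below has a negative case.
write_weak_named_conf() {
    cat > "$1" <<EOF
key "transfer-key" {
    algorithm hmac-sha256;
    secret "$DEMO_SECRET";
};
EOF
}

# Hardened form: named.conf only "include"s a separate key file. The file is
# created under umask 077 (never world-readable, even briefly) and then set to
# 0640 so the named service account can read it via its group; in production
# also run: chown root:named <dir>/tsig-transfer.key
write_hardened_named_conf() {
    dir="$1"
    mkdir -p "$dir"
    ( umask 077; cat > "$dir/tsig-transfer.key" <<EOF
key "transfer-key" {
    algorithm hmac-sha256;
    secret "$DEMO_SECRET";
};
EOF
    )
    chmod 0640 "$dir/tsig-transfer.key"
    cat > "$dir/named.conf" <<EOF
include "$dir/tsig-transfer.key";

zone "example.test" {
    type primary;
    file "example.test.db";
    allow-transfer { key "transfer-key"; };
};
EOF
}

# Check 1: does the given configuration file carry a TSIG "secret" statement
# inline? Returns 0 (true) if it does, which is a finding for named.conf.
has_inline_tsig_secret() {
    if grep -q '^[[:space:]]*secret[[:space:]]*"' "$1"; then
        return 0
    fi
    return 1
}

# Check 2: is the key file readable by "other"? Returns 0 (true) if so.
# find -perm -004 prints the path only when the o+r bit is set.
is_world_readable() {
    if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# Stand-alone demo: write both forms under a temp dir and report the checks.
demo() {
    work="$(mktemp -d)"
    write_weak_named_conf "$work/weak-named.conf"
    write_hardened_named_conf "$work/etc-named"
    if has_inline_tsig_secret "$work/weak-named.conf"; then
        echo "weak-named.conf: TSIG secret stored inline (finding)"
    fi
    if ! has_inline_tsig_secret "$work/etc-named/named.conf"; then
        echo "etc-named/named.conf: no inline secret, uses include (pass)"
    fi
    if ! is_world_readable "$work/etc-named/tsig-transfer.key"; then
        echo "etc-named/tsig-transfer.key: not world-readable (pass)"
    fi
    rm -rf "$work"
}
demo
```

The two check functions are the part worth reusing in an audit script: run has_inline_tsig_secret against every file named.conf includes except the dedicated key files, and is_world_readable against each key file. Moving the secret into an included file only helps if that file is also excluded from wherever named.conf is copied (backups, configuration management, support bundles).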