Introduction

Having securely configured devices is a key component of cyber security best practice. This reduces risk and aims to ensure devices are not vulnerable to attack. Whether an organisation is pursuing Cyber Essentials, Cyber Essentials Plus, or just looking to be secure, having a secure configuration for devices is a crucial step.

 

Why Secure Configurations Are Important

Default configurations are not always secure. Standard (out of the box) configurations can include many weaknesses, including default passwords, unnecessary user accounts, and pre-installed / unused applications – these can allow attackers to gain unauthorised access. By applying some simple technical controls, it’s possible to reduce these risks and protect against common types of attacks.

 

Secure Configuration in Cyber Essentials

To meet Cyber Essentials certification requirements, organisations must regularly:

  • Remove/disable unnecessary user accounts, such as guest and administrative accounts that are not being used
  • Change any default or guessable passwords to a unique and secure alternative
  • Remove or disable unnecessary software, including applications, utilities, and services
  • Disable auto-run / auto-play functionality, to prevent malicious software from running automatically and without user interaction
  • Ensure users are authenticated before allowing them access to organisational data and services, to restrict access to authorised personnel
  • Ensure appropriate device locking controls, to restrict access when someone is physically present

 

Considerations and Key Notes

When reviewing secure configuration of devices, please consider:

  • Default passwords are major security risks – attackers use these all the time
  • Easy to guess and reused passwords are a major security risk – attackers try to use these too
  • Unnecessary or unused software should be removed to reduce risk and also reduce ongoing maintenance to keep up to date
  • Stopping auto-run / auto-play is important for downloads too – it reduces the risk of malicious software running automatically
  • Biometric controls (like Face ID) are considered to be much more secure than using standard passwords alone – passwords can be guessed and/or stolen
  • Implementing ways to slow down and block password guessing helps stop hackers – ‘throttling’ (delaying login prompts after failed attempts) and ‘device lockouts’ (fully locking the device after a number of failed attempts) really help

 

Key Notes

  • Ensure each of your devices is configured to ‘throttle’ the rate of login attempts (so the wait time increases) and/or to lock (after no more than 10 failed attempts). If the vendor does not allow this configuration, ensure the vendor default settings are in place
  • If using a PIN to unlock a device, ensure the PIN is a minimum of 6 characters

 

Example Scenario

Organisation ABC are using Windows laptops to access organisational data.

  • For Organisation ABC, the focus is on the secure configuration of Windows laptops
  • Check and remove unused and/or unnecessary software
  • Check local user accounts – disable any that are not required or are not being used
  • Ensure unique accounts are available to all users – no accounts being shared
  • Check and change any default passwords that may be in place
  • If local accounts are being used, check throttling / lockout settings
  • Make sure the ‘autoplay’ setting is turned ‘off’ – consider this for all software (including operating system and browser)
  • Check ‘screen lock’ settings to ensure automatic locking of device after a set time
  • Use ‘Windows key + L’ to lock the screen when you are away from the device
  • Set up the laptop to unlock with biometrics, a PIN of at least 6 characters, or a password of at least 12 characters (if not using multi-factor authentication or a way to block common passwords)
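
The checks in this scenario can be gathered in one pass on each laptop. The script below is an added example, not part of the original guidance or of any Cyber Essentials tooling: it only reads settings and changes nothing. It assumes Windows PowerShell 5.1 run as administrator, and the variable and property names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the Windows laptop checks listed above.
# The registry values and secedit keys are standard Windows settings; the
# pass thresholds (10 attempts, 12 characters) are the ones this page states.

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (setting not configured)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Enabled local accounts, listed for manual review of unused/shared accounts
$enabled = @(Get-LocalUser | Where-Object Enabled)
$enabled | Select-Object Name, LastLogon, PasswordRequired, PasswordLastSet |
    Format-Table -AutoSize

# 2. Local lockout and password policy, exported to a temp file with secedit
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
$lockout = [int]$policy['LockoutBadCount']        # 0 = lockout disabled
$minLen  = [int]$policy['MinimumPasswordLength']

# 3. AutoPlay (machine policy, or the Settings toggle for the current user)
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$handlers = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
$autoplayOff = ((Get-RegValue $explorer 'NoDriveTypeAutoRun') -eq 255) -or
               ((Get-RegValue $handlers 'DisableAutoplay') -eq 1)

# 4. Automatic lock after inactivity ("Machine inactivity limit" policy)
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idleSecs = Get-RegValue $system 'InactivityTimeoutSecs'

[pscustomobject][ordered]@{
    EnabledLocalAccounts = $enabled.Count
    GuestEnabled         = [bool]($enabled | Where-Object { $_.SID.Value -like '*-501' })
    LockoutThreshold     = $lockout
    LockoutWithin10      = ($lockout -ge 1 -and $lockout -le 10)
    MinPasswordLength    = $minLen
    MinLengthAtLeast12   = ($minLen -ge 12)   # applies only without MFA or a common-password block
    AutoPlayDisabled     = $autoplayOff
    IdleLockSeconds      = $idleSecs          # empty = not set by this policy
}
```

The account table still needs a person to decide which accounts are required; domain or Intune-managed laptops may enforce these settings centrally, in which case the local values shown here are only part of the picture.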

 

Tips and Recommendations

  1. Regularly review and remove unused software
  2. Consider vulnerability assessment and/or patch management tools to help automate systems checks for vulnerabilities – and address findings
  3. Use biometrics rather than passwords only to unlock devices
  4. Change the default password on ISP routers
  5. Seek guidance and support from an NCSC Cyber Advisor for implementation of the technical controls (such as RB Consultancy Ltd)

For more detailed guidance, review the IT Requirement for Infrastructure document and/or visit the IASME knowledge hub for Cyber Essentials.

 

How We Help

At RB Consultancy Ltd we support organisations to improve cyber security and to meet Cyber Essentials and Cyber Essentials Plus requirements. As NCSC assured service providers and an IASME certification body:

  • We explain the importance of secure configurations
  • We help ensure devices are set up securely
  • We explain why the Cyber Essentials questions are being asked and how they intend to protect organisations in different ways
  • We ensure secure configuration settings and processes align with Cyber Essentials guidelines
  • We assess and issue organisations with Cyber Essentials and Cyber Essentials Plus certifications

 

Conclusion

Secure configurations are a critical component of cyber security and Cyber Essentials certification, helping to protect your business from cyber threats. Insecure configurations can leave your organisation vulnerable. By implementing best practices and ensuring compliance with Cyber Essentials technical controls, organisations can significantly reduce their cyber risk. If you need any assistance with secure configuration settings, or Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.

Cyber Essentials: Secure Configuration
