ISM-0380

Unneeded accounts, components, services and functionality of operating systems are disabled or removed.

Topic
Hardening operating system configurations
Applicable to
all

History

Priority
should
Mar 2022
Unneeded accounts, components, services and functionality of operating systems are disabled or removed.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
2017
Unneeded operating system accounts, software, components, services and functionality should be removed or disabled.
When local administrator accounts are used with common account names and passphrases it can allow an adversary that compromises these credentials on one workstation or server to easily transfer across the network to other workstations or servers. Even if local administrator accounts have unique names and have unique passphrases, an adversary can still identify those accounts based on their security identifier and use this information to focus any attempts to use brute force to discover credentials for a workstation or server if they can get access to the Security Accounts Manager (SAM) database.
Control Text Changed. No public explanation.
2015
Agencies should remove or disable unneeded operating system accounts, software, components, services and functionality.
2010
Agencies should develop a hardened SOE for workstations and servers, covering:
• removal of unneeded software and operating system components
• disabling of unused or undesired functionality in software and operating systems
• use of data execution prevention functionality, preferably hardware based, when available
• implementation of access controls on relevant objects to limit system users and programs to the minimum access required
• installation of antivirus software
• installation of software-based firewalls limiting inbound and outbound network connections
• configuration of either remote logging or the transfer of local event logs to a central server.
2008
Agencies should develop a hardened standard operating environment (SOE) for workstations, covering:
a. removal of unneeded software
b. disabling of unused or undesired functionality in installed software and operating systems
c. implementation of access controls on relevant objects to limit system users and programs to the minimum access needed to perform their duties
d. installation of software-based firewalls limiting inbound and outbound network connections
e. configuration of either remote logging or the transfer of local event logs to a central server.