ISM-0383

Default user accounts or credentials for operating systems, including for any pre-configured user accounts, are changed.

Topic
Hardening operating system configurations
Applicable to
Non Classified, Official, Protected, Secret, Top Secret

History

Priority
should
Dec 2024
Default user accounts or credentials for operating systems, including for any pre-configured user accounts, are changed.
References to ‘accounts’ were changed to ‘user accounts’ in order to more closely match Microsoft Active Directory account types (i.e. ‘users’ and ‘computers’).
Dec 2022
Default accounts or credentials for operating systems, including for any pre-configured accounts, are changed.
The existing control relating to changing default credentials for operating systems was amended to changing default accounts or credentials for operating systems.
Mar 2022
Default credentials for pre-configured accounts are changed.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
2017
Default operating system accounts must be disabled, renamed or have their passphrase changed.
Control Text Changed. No public explanation.
2015
Agencies must ensure that default operating system accounts are disabled, renamed or have their passphrase changed.
2010
Agencies should reduce potential vulnerabilities in their SOEs by:
• removing unused accounts
• renaming or deleting default accounts
• replacing default passwords.
2008
Agencies should reduce potential vulnerabilities in their SOEs by: a. removing unused accounts b. renaming default accounts c. replacing default passwords.