Overview:
Establish and enforce security configuration settings for information technology products employed in organizational information systems.
Action Items:
3.4.2[a]
Determine if: security configuration settings for information technology products employed in the system are established and included in the baseline configuration.
3.4.2[b]
Determine if: security configuration settings for information technology products employed in the system are enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: Configuration management policy; baseline configuration; procedures addressing configuration settings for the system; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; security configuration checklists; evidence supporting approved deviations from established configuration settings; change control records; system audit logs and records; other relevant documents or records].
2
Interview: Personnel with security configuration management responsibilities; personnel with information security responsibilities; system or network administrators].
3
Test: Organizational processes for managing configuration settings; mechanisms that implement, monitor, and/or control system configuration settings; mechanisms that identify and/or document deviations from established configuration settings; processes for managing baseline configurations; mechanisms supporting configuration control of baseline configurations].
Related Documents (document name and content will vary by organization):
1) Configuration management policy
2) baseline configuration
3) procedures addressing configuration settings for the system
4) configuration management plan
5) system security plan
6) system design documentation
7) system configuration settings and associated documentation
8) security configuration checklists
9) evidence supporting approved deviations from established configuration settings
10) change control records
11) system audit logs and records
12) other relevant documents or records
Additional Guidance:
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers, workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, devices, wireless access points, network appliances, sensors), operating systems, middleware, and applications.
Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. NIST Special Publications 800-70 and 800-128 provide guidance on security configuration settings.
Article ID: 141
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-security-configuration-settings-3-4-2-141.html