The ACSC, the Australian cyber security authority, recommends different system hardening measures than those we are familiar with. Here is a short overview.
System hardening is not an abstract topic for us. Our specialists deal with the concrete recommendations and specifications on a daily basis. One of them is Steffen Winternheimer, student assistant at FB Pro GmbH.
For this article, Steffen took a close look at the hardening standards on the other side of the globe – and gained some very interesting insights.
Not only Microsoft, DISA and CIS give recommendations
In the area of system hardening, we work with the most well-known standards. These come from the BSI (Bundesamt für Sicherheit in der Informationstechnik / German Federal Office for Information Security), from manufacturers such as Microsoft, and from organizations such as DISA (Defense Information Systems Agency) or CIS (Center for Internet Security).
Less well known, but no less informative, are the hardening recommendations of the ACSC.
What is the ACSC?
The Australian Cyber Security Centre (ACSC) is, analogous to the BSI in Germany, the Australian government’s leading agency for cyber security. The ACSC’s scope of activities covers the following fields:
- It monitors cyber threats worldwide
- It investigates the threat situation for Australia
- It leads the Australian government’s operational responses (“incident response”) to cyber attacks
How should Windows 10 be hardened according to the ACSC?
The Australian cyber security authority divides its recommendations into three categories for workstations running Windows 10 version 1909:
- “High Priorities” like applications and password policy.
- “Medium Priorities” such as anonymous connections, account lockout policy and endpoint device controls.
- “Low Priorities” such as the display of file extensions and security settings of files and directories.
The ACSC focuses on the “Medium Priorities”. These include:
- the audit and logging policies
- network authentication
- power management
- account management
- the behavior of Windows Defender Antivirus
- the behavior of external data carriers
What the ACSC puts a lot of emphasis on
If you compare the recommendations of the ACSC with those of DISA and CIS, it becomes clear that Australia sets different priorities for system hardening than we are familiar with.
One priority is securing and isolating external data media such as floppy disks, CDs and DVDs. According to the Australian Cyber Security Centre, the ability to pause a Windows Defender scan should also be disabled.
Other ACSC hardening priorities include control of Adobe Flash and Microsoft Edge’s Developer Tools. The scanning of cartridges (!) and Windows Portable Devices (WPD) are also strictly controlled.
The bottom line is that “only” about 50 to 60 percent of the ACSC specifications overlap with those of CIS and DISA.
Where do the recommendations overlap?
Despite many differences, some of the ACSC’s hardening recommendations are in line with those of CIS and DISA. Commonalities include the following aspects, for example:
- credential caching
- credential entry
- exploit protection
- hardening Microsoft Edge password policy
- anonymous connections
- audit event management
- bridging networks
- hard drive encryption
- remote desktop services
- security policies
- server message block sessions
- session locking
- user rights policies
- Windows remote management
Looking “Down Under” was worthwhile. It clearly showed us that IT security centers around the world sometimes concentrate on different aspects. That is a good thing! There are no universally valid measures for hardening systems, so it pays to think outside the box!
Our findings have led us to add the ACSC recommendations to the Enforce Administrator – a component of the Enforce Suite. This means our customers can now use the #NoCodeHardening tool to secure their IT systems with the Australian standards as a supplement.
FB Pro GmbH ensures information security, data protection and compliance at the highest level. For this, our team relies on the Enforce Suite, among others. We implement the solution at our customers’ premises and are also happy to provide support as a managed service.