What do the NSA and CISA advise for securing IT systems? System hardening!

The IT security specialists of two large US authorities have joined forces to write a guide. The topic is the secure configuration of IT systems. These are the recommendations and advice from NSA and CISA.

A plea for the secure configuration of systems

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly published a Cybersecurity Advisory (CSA) on 5 October 2023.

The free PDF is titled “NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations”. The subtitle sums up very well what the purpose of the publication is: “A plea for network defenders and software manufacturers to fix common problems.”

The plea thus points out the most common cybersecurity misconfigurations in companies and organisations. In addition, the work by NSA and CISA also provides many practical tips and measures on how IT managers can properly secure operating systems and applications – i.e. Windows, Active Directory, MS Office, browsers and the like.

The focus here is on the Secure Configuration of the components. The summary of the CSA is: “Remove default credentials and harden configurations”. In short, the NSA-CISA white paper recommends that companies and organisations carry out proper System Hardening to secure their IT infrastructures!

Why do CISA and NSA advise system hardening?

The Blue Teams and Red Teams of the US authorities, guided by the MITRE ATT&CK Framework (version 13), identified the “10 most common network misconfigurations” during their joint assessments. These are:

    1. Default configurations of software and applications
    2. Improper separation of user/administrator privilege
    3. Insufficient internal network monitoring
    4. Lack of network segmentation
    5. Poor patch management
    6. Bypass of system access controls
    7. Weak or misconfigured multifactor authentication (MFA) methods
    8. Insufficient access control lists (ACLs) on network shares and services
    9. Poor credential hygiene
    10. Unrestricted code execution

Misconfigured or insecurely configured operating systems and applications give attackers an easy time. It is therefore essential to reduce these typical gaps, or better still, close them completely.

In the Executive Summary of the Joint Cybersecurity Advisory, both authorities advise these basic measures:

    • Disable unused services and implement access controls.
    • Update your applications regularly.
    • Automate patching, prioritising patches for known exploited vulnerabilities.
    • Reduce, restrict, audit and monitor administrative accounts and privileges.
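As an added illustration (not code from the advisory or from FB Pro), the following read-only PowerShell audit checks a single Windows host against several of the basics listed above; the service names and thresholds are assumptions to be adapted to your own baseline:

```powershell
# Added example: read-only audit of one Windows host against the NSA/CISA basics.
# Run in an elevated PowerShell 5.1+ session; nothing is changed on the system.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Default credentials / credential hygiene: built-in Administrator (RID 500) and Guest (RID 501)
#    should be disabled.
foreach ($acct in Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501)$' }) {
    if ($acct.Enabled) { $findings.Add("Built-in account '$($acct.Name)' is enabled") }
}

# 2. Separation of user/administrator privilege: who sits in the local Administrators group?
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 2) {   # threshold is an assumption; set it to your documented baseline
    $findings.Add("Local Administrators has $($admins.Count) members: " + ($admins.Name -join ', '))
}

# 3. ACLs on network shares: flag non-administrative shares that give Everyone or
#    Authenticated Users more than read access.
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    Get-SmbShareAccess -Name $share.Name |
      Where-Object { $_.AccessControlType -eq 'Allow' -and
                     $_.AccountName -match 'Everyone|Authenticated Users' -and
                     $_.AccessRight -ne 'Read' } |
      ForEach-Object { $findings.Add("Share '$($share.Name)' grants $($_.AccessRight) to $($_.AccountName)") }
}

# 4. Unused services: services you have decided are unnecessary must be stopped and disabled.
#    The list below is a constructed example, not a recommendation from the advisory.
$unwanted = @('RemoteRegistry', 'SSDPSRV', 'upnphost')
foreach ($svc in Get-Service -Name $unwanted -ErrorAction SilentlyContinue) {
    if ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
        $findings.Add("Service '$($svc.Name)' is $($svc.Status), start type $($svc.StartType)")
    }
}

# 5. Patch management: how long since the last successfully installed update?
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last -and ((Get-Date) - $last.InstalledOn).Days -gt 30) {   # 30 days is an assumed limit
    $findings.Add("Last hotfix $($last.HotFixID) was installed on $($last.InstalledOn.ToShortDateString())")
}

if ($findings.Count -eq 0) { 'No findings for the checks above.' } else { $findings }
```

Each finding maps to one of the advisory's misconfiguration categories, so the output can be used as a starting point for a hardening backlog rather than as a complete assessment.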

The National Security Agency and the Cybersecurity and Infrastructure Security Agency thus recommend what is known in IT as “system hardening” or “hardening”. This symbolically locks the doors of your IT system landscape, making it much harder for attackers to infiltrate and compromise your networks, servers, standalone computers and IoT components.

This makes hardening one of the preventive measures in the IT security triad (“protect – detect – respond”). That clearly distinguishes hardening from many other solutions, which usually sit in the “detect” and “respond” areas:

Diagram: Protect-Detect-Respond solutions compared (image: FB Pro)

How well are your systems configured or “hardened”?

Find out – with AuditTAP! The free tool automatically documents the configuration of your systems and compares them with the current recommendations from Microsoft, the BSI, the CIS benchmarks and other proven standards.


How to install the AuditTAP and create a hardening report is explained in this video:

Good to know: Creating documentation (guidelines, protocols, etc.) and regularly monitoring hardening measures are things companies have had to pay attention to, and not just since the European General Data Protection Regulation (GDPR). Companies and organisations that take information security, and data protection in particular, lightly now face hefty penalties.

But the direct consequences of a successful cyber attack are even more significant – for example, the costs of business interruption or damage to image and reputation.

How can professional system hardening be realised?

Hardening a single Windows 11 computer can be quite challenging and time-consuming, as there are hundreds of settings to check and adjust. Implementing established standards brings significant relief. For example, the DISA issues recommendations for Windows hardening, as do security organisations such as CIS and ACSC.

Applying these configurations to an IT landscape with dozens or even hundreds of systems, and monitoring them permanently, is impossible by hand. The only solution here is automation via a hardening tool such as the Enforce Administrator. This creates a “self-healing system”.

Enforce Administrator: Get more information!

Do you still have questions?

Do you want to know how to implement the configuration recommendations from NSA and CISA? Do you have questions about system hardening? Do you need support in developing a sustainable hardening strategy?

Or would you like to implement a solution such as the Enforce Administrator in your IT processes? Contact us! The FB Pro team of experts will be happy to help you in word and deed.

Send us an email!
