https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/cyber-security-guidelines/guidelines-for-system-hardening
- Operating system selection
- Operating system releases and versions
- Standard Operating Environments
- Hardening operating system configurations
- Application management
- Application control
- Command Shell
- PowerShell
- Host-based Intrusion Prevention System
- Software firewall
- Antivirus application
- Device access control
- Operating system event logging
- User applications
- User application selection
- User application releases
- Hardening user application configurations
- Artificial intelligence applications
- Email clients
- Office productivity suites
- Portable Document Format applications
- Security products
- Web browsers
- Microsoft Office macros
- Server applications
- Server application selection
- Server application releases
- Hardening server application configurations
- Restricting privileges for server applications
- Microsoft Active Directory services
- Microsoft Active Directory Domain Services domain controllers
- Microsoft Active Directory Domain Services account hardening
- Microsoft Active Directory Domain Services security group memberships
- Microsoft Active Directory Certificate Services
- Microsoft Active Directory Federation Services
- Microsoft Entra Connect
- Server application event logging
- User accounts and authentication types
- Authenticating to systems
- Insecure authentication methods
- Multi-factor authentication
- Single-factor authentication
- Password strength
- Setting credentials for user accounts
- Setting credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts
- Changing credentials
- Protecting credentials
- User account lockouts
- Session termination
- Session locking
- Screen locking
- Logon banner
- Hypervisors
- Containerisation
- Functional separation between computing environments
- Further information on container security can be found in National Institute of Standards and Technology Special Publication 800-190, Application Container Security Guide.
- Further information on cyber supply chain risk management can be found in the ‘Cyber supply chain risk management’ section of the Guidelines for procurement and outsourcing.
- Further information on vendors that have made a pledge to implement Secure by Design and Secure by Default principles and practices can be found on the United States’ Cybersecurity & Infrastructure Security Agency’s Secure by Design Pledge website.
- Further information on the use of cloud services can be found in the ‘Managed services and cloud services’ section of the Guidelines for procurement and outsourcing.
- Further information on hardening operating systems can be found in the ‘Operating system hardening’ section of these guidelines.
- Further information on patching or updating operating systems and applications can be found in the ‘System maintenance’ section of the Guidelines for system management.
- Further information on event logging can be found in the ‘Security monitoring’ section of the Guidelines for security assurance.
- Further information on hypervisor security can be found in National Institute of Standards and Technology Special Publication 800-125A Rev. 1, Security Recommendations for Server-based Hypervisor Platforms.