Cyber Essentials Secure Configuration

Cyber Essentials Secure Configuration

The Cyber Essentials secure configuration controls ensures that computers and network devices are properly configured to reduce the level of inherent vulnerabilities and provide only the services required by users to fulfil their role.

Cyber Essentials Secure Configuration Requirements

Computers and Network Devices

Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorized access to an organisation’s information. By applying some simple technical controls when installing computers and network devices you can minimise inherent vulnerabilities and increase protection against common types of cyber attack.

The cyber essentials certification requires organisations to be active in its management of computers and network devices and to routinely:

• remove and disable unnecessary user accounts.
• change any default or guessable account passwords to something non-obvious.
• remove or disable unnecessary software (including applications, system utilities and network services)
• disable any auto-run features which allows file execution without user authorisation (such as when they are downloaded from the Internet)
• authenticate users before allowing internet-based access to commercially or personally sensitive data, or data which is critical to the running of the organisation

Password Based Authentication

As much as is reasonably practicable, technical controls and policies must shift the burden away from individual users and reduce reliance on them knowing and using good practices. Cyber essentials certification therefore requires that the organisation makes good use of the technical controls available on password-protected systems.

For password-based authentication in Internet-facing services the organisation must:
• protect against brute-force password guessing, by using at least one of the following methods:
               o lock accounts after no more than 10 unsuccessful attempts
               o limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes

• set a minimum password length of at least 8 characters
• not set a maximum password length
• change passwords promptly when the organisation knows or suspects they have been compromised
• have a password policy that tells users:
               o how to avoid choosing obvious passwords (such as those based on easily discoverable information)
               o not to choose common passwords (this could be implemented by technical means, using a password blacklist)
               o not to use the same password anywhere else, at work or at home
               o where and how they may record passwords to store and retrieve them securely 
               o if they may use password management software — if so, which software and how
               o which passwords they really must memorise and not record anywhere

Learn more about the other cyber essentials controls

Our services

Shopping Cart