Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

17) Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems including servers, endpoints, network devices and systems hosted in a cloud environment?

August 30, 2022
IT Operations
Secure Configuration

Answer yes if your organisation has a configuration process that is followed for all IT assets. The process should define security settings and disable unneeded services, thereby reducing your attack surface. Please describe how your secure configuration process is performed, including both automated and manual checks. Please upload any relevant documentation (as a PDF file) as evidence.

A security configuration checklist (also called a lockdown guide, hardening guide, or benchmark) is a series of steps or procedures for configuring an IT product to a particular operational environment, for verifying that the product has been configured properly, and for identifying unauthorised changes to the product.

You should build a different configuration checklist for each type of IT equipment deployed within your environment (one for your end points, one for your servers, and one for your network devices etc.). The checklists should include a standard set of steps that your IT team can follow to harden the devices and reduce their vulnerability to attack. Typically this includes upgrading the devices firmware/software, disabling unused services, changing default passwords, and restricting management access to network devices.

Equipment should only be deployed within your environment when it has been correctly configured using the relevant checklist.

How to implement the control

There are many examples of configuration checklists scattered throughout the internet. For small and medium sized businesses, you should build a checklist for each type of equipment you deploy within your environment and network. For an example checklist, please contact

Cyber Essentials has some good advice on secure configuration that can be found here.

The NCSC has published some advice and guidance on securing endpoint devices here.

For larger organisations, although not essential, you may want to invest in a Configuration management database (CMDB) to help you manage the configuration of your devices throughout your estate.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.