ASD's Blueprint for Secure Cloud

Operating System Hardening

This page provides a template and guidance to assist organisations in documenting their approach to operating system hardening associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 5 minutes

Due to the number of applicable controls in ASD’s Guidelines for System Hardening, guidance on system hardening has been split into its five sections for the purpose of this SSP. The following controls have been grouped by equipment types and as as they relate to hardening of operating systems within <SYSTEM-NAME>.

Operating system selection, versions, releases and SOEs

Applicability

ISM controls relating to the operating system selection, releases and versions and standard operating environments (SOE) within <SYSTEM-NAME>’s system boundary are applicable to and covered by this section of the SSP.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

All vendors of operating systems used within <SYSTEM-NAME> have been assessed by <ORGANISATION-NAME> as demonstrating a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.

<SYSTEM-NAME> uses Microsoft Intune for the enrolment and configuration of endpoints (including Windows 10, 11 and iOS endpoints), that serve as the SOE for <SYSTEM-NAME>.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for operating system hardening and SOEs within <SYSTEM-NAME> were configured with reference to ASD’s Blueprint for Secure Cloud, and applied by <ORGANISATION-NAME> with regard to any malicious configurations that may have been injected. These controls will continue to be reviewed on an ongoing basis, with regard to the Blueprint and consideration of any malicious configurations that could be injected.

Operating systems used within <SYSTEM-NAME>’s system boundary, along with their releases and versions, are listed in the Operating System Releases table below. All versions used are 64-bit and are of either the latest or N-1 releases. Windows endpoints are configured via Intune to use Microsoft’s General Availability Channel.

ComponentVendorOperating SystemReleaseVersion
EndpointsMicrosoftWindows22H2 (Windows 10)64-bit
23H2 (Windows 11)(N/A: 64-bit only)
Mobile DevicesAppleiOS16(N/A: 64-bit only)
17(N/A: 64-bit only)
<ON-PREM SERVERS>Microsoft<WINDOWS SERVER><2022>(N/A: 64-bit only)
<ON-PREM SERVERS><VENDOR><LINUX DISTRO><RELEASE><64-BIT>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hardening Windows endpoints

Applicability

This section of the SSP covers the following control topics within ASD’s ISM’s Operating System Hardening section, as they apply to all endpoints and servers within <SYSTEM-NAME>:

  • Hardening operating system configurations
  • Application management
  • Application control
  • Command Shell
  • PowerShell
  • Host-based Intrusion Prevention System
  • Software firewall
  • Antivirus software
  • Device Access

Organisational policies and processes implemented

<ORGANISATION-NAME> has not implemented any specific organisational policies or processes related to hardening operating system configurations for <SYSTEM-NAME> beyond ensuring implementation of the below technical controls as part of this System Security Plan, and reviewing all below configurations on an annual or more frequent basis.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

<ORGANISATION-NAME> has not implemented any specific organisational policies or processes relating to hardening operating systems within <SYSTEM-NAME> beyond ensuring implementation of the below technical controls as part of this SSP and reviewing the below configurations on at least an annual basis (if not more frequently).

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hardening server operating systems

Applicability

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

External documentation

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra