The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS benchmark down to the most critical steps for your devices, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.
How to read the checklists
Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - A box for administrators to check off when they complete this portion.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in The Center for Internet Security (CIS) benchmarks. The CIS documents outline in much greater detail how to complete each step.
UT Note - The notes at the bottom of the pages provide additional detail about the step for the university computing environment.
Cat I - For systems that include category I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include category II or III data, all steps are recommended, and some are required (denoted by the !).
Supported devices include the iPhone 3GS and newer, all iPads, and the iPod Touch 3rd generation and newer, running iOS 4 and above. Earlier versions of the hardware and operating system software do not support key security features, such as hardware encryption. Some security settings and options may not be available on older devices. Some settings require iOS 8.
Apple provides the Apple Configurator 2 (available through the App Store), which can be used to mass configure and manage large numbers of iOS devices.
| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III |
|---|---|---|---|---|---|---|
| 1 | | Update operating system to the latest version | 1.1.1 | § | ! | ! |
| 2 | | Do not Jailbreak iOS to sideload applications | | § | ! | |
| 3 | | Enable Automatic Downloads of App Updates | 1.1.19 | § | ! | |
| 4 | | Enable remote wipe functionality | | § | | |
| 5 | | Enable Find My iPhone | 1.1.20 | § | | |
| 6 | | Encrypt device backups through iTunes | | § | ! | |
| 7 | | Erase all data before return, repair, or recycle | 1.1.21 | § | ! | ! |
| 8 | | Require a passcode or password | 1.1.2, 1.1.3 | § | ! | ! |
| 9 | | Enable TouchID with a complex password | 1.1.3 | § | | |
| 10 | | Set Auto-Lock Timeout | 1.1.4 | § | ! | ! |
| 11 | | Disable Grace Period for Screen Lock | | § | ! | |
| 12 | | Erase data upon excessive passcode failures | 1.1.5 | § | ! | |
| 13 | | Enable Data Protection | | § | ! | |
| 14 | | Enable Fraud Warning in Safari | 1.2.2 | § | ! | |
| 15 | | Disable AutoFill for sensitive information | 1.2.3 - 1.2.5 | § | | |
| 16 | | Block cookies from third parties | | § | | |
| 17 | | Turn on Do Not Track | 1.2.9 | § | | |
| 18 | | Turn off Ask to Join Networks | 1.1.9 | § | ! | |
| 19 | | Turn off AirDrop when not in use | 1.1.11 | § | | |
| 20 | | Turn off Bluetooth when not in use | 1.1.14 | § | | |
| 21 | | Turn off Personal Hotspot when not in use | 1.1.15 | § | ! | ! |
| 22 | | Forget Wi-Fi networks to prevent automatic rejoin | 1.1.8 | § | | |
| | | Additional Security Settings¹ | | | | |
| 23 | | Turn off Location Services | 1.1.16 | § | | |
| 24 | | Restrict access to Location Services, Contacts, Photos, etc. | | § | | |
| 25 | | Disable access to Control Center on Lock Screen | 1.1.7 | § | | |
| 27 | | Enable Private Browsing in Mobile Safari as needed | 1.2.8 | § | | |

¹ These security settings are proactive in nature but are intended for devices where there exists a very high need for security, as they may negatively impact the user experience and interfere with the functionality and utility of many applications.
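Apple Configurator 2 (or an MDM service) applies settings such as those in the table as a configuration profile instead of tapping through Settings on every device. The following added example, which is not part of the UT checklist or of Apple's documentation, builds such a profile for steps 6, 8-12, 14-16 and 25 with Python's plistlib and audits a .mobileconfig against the checklist; the payload types and keys are Apple's, while the organisation identifier and the numeric thresholds (8-character alphanumeric password, five-minute auto-lock, no grace period, wipe after ten failures) are assumptions chosen for the example.

```python
import plistlib
import uuid

ORG = "example.edu"  # placeholder identifier prefix, not the university's real one
PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"


def _payload(payload_type, name, **settings):  # bookkeeping keys every payload carries
    return {"PayloadType": payload_type, "PayloadIdentifier": f"{ORG}.{name}",
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
            "PayloadDisplayName": name, **settings}


def build_profile():
    """Profile dict implementing checklist steps 6, 8-12, 14-16 and 25."""
    passcode = _payload(
        PASSCODE, "passcode",
        forcePIN=True,             # step 8: a passcode is mandatory
        requireAlphanumeric=True,  # step 9: password rather than numeric passcode
        minLength=8,               # step 9: 8-character minimum (example threshold)
        minComplexChars=1,         # step 9: at least one symbol
        maxInactivity=5,           # step 10: auto-lock after 5 idle minutes (example value)
        maxGracePeriod=0,          # step 11: 0 = passcode required immediately
        maxFailedAttempts=10)      # step 12: wipe after ten failures
    restrictions = _payload(
        RESTRICTIONS, "restrictions",
        forceEncryptedBackup=True,           # step 6
        allowLockScreenControlCenter=False,  # step 25
        safariForceFraudWarning=True,        # step 14
        safariAllowAutoFill=False,           # step 15
        safariAcceptCookies=1.5)             # step 16: 1.5 = current website only, 2 = always
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": f"{ORG}.ios-hardening", "PayloadOrganization": ORG,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "iOS Hardening Checklist",
            "PayloadContent": [passcode, restrictions]}


def serialize(profile):
    return plistlib.dumps(profile)  # XML plist bytes: the contents of a .mobileconfig file


# Audit rules as (payload type, key, predicate); thresholds are this example's reading of the checklist.
REQUIRED = [
    (PASSCODE, "requireAlphanumeric", lambda v: v is True),
    (PASSCODE, "minLength", lambda v: v >= 8),
    (PASSCODE, "maxGracePeriod", lambda v: v == 0),
    (PASSCODE, "maxFailedAttempts", lambda v: 2 <= v <= 10),
    (RESTRICTIONS, "forceEncryptedBackup", lambda v: v is True),
    (RESTRICTIONS, "allowLockScreenControlCenter", lambda v: v is False),
]


def audit_profile(profile_bytes):
    """Return checklist findings for a .mobileconfig; an empty list means compliant."""
    by_type = {p["PayloadType"]: p for p in plistlib.loads(profile_bytes).get("PayloadContent", [])}
    findings = []
    for ptype, key, ok in REQUIRED:
        payload = by_type.get(ptype)
        if payload is None:
            findings.append(f"{ptype}: payload missing, {key} unenforced")
        elif key not in payload:
            findings.append(f"{ptype}: {key} not set")
        elif not ok(payload[key]):
            findings.append(f"{ptype}: {key}={payload[key]!r} fails checklist")
    return findings
```

Writing `serialize(build_profile())` to a file with a `.mobileconfig` extension produces something Apple Configurator 2 can import; `audit_profile` can be pointed at any profile you already deploy to see which checklist items it leaves unenforced.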
UT Note: Addendum
This list provides specific tasks related to the computing environment at The University of Texas at Austin.
Update operating system to the latest version
Apple devices ship with the most current version of the operating system available when the device was manufactured, but new updates often address security vulnerabilities in addition to fixing bugs and adding new features. Not all devices will support the most recent version of iOS. Upgrade to the latest supported version for your device. Instructions for updating iOS devices are at http://support.apple.com/kb/HT4623.
For high-security environments, plan on replacing devices every 2-3 years in order to stay current on operating system releases.
Do not Jailbreak iOS to sideload applications
Jailbreaking takes advantage of known vulnerabilities in the operating system to bypass and disable the security controls that prevent unauthorized software from executing in iOS. While this does allow the use of software that is not available in the App Store, it also significantly weakens the overall security of the device. Apple reviews all applications in the App Store to filter out malicious and infected software. While not perfect, this approach does reduce the ability of malware to spread on un-Jailbroken devices. Unlike traditional computers, virus scanners and anti-malware applications for mobile operating systems like iOS are not bundled with the operating system and not comparable to their desktop counterparts in their ability to detect and quarantine malicious software. Thus, the so-called walled garden approach taken by Apple adds a significant layer of security and a hurdle for malware developers to overcome. Some applications are now checking for Jailbroken devices and refusing to install on them as well out of (misguided) piracy concerns.
Additionally, Jailbreaks may prevent you from upgrading to newer versions of iOS as they become available, as it takes time for the groups responsible for Jailbreaks to identify and exploit vulnerabilities in newer versions of iOS. Upgrading may mean losing your Jailbreak and the applications you've installed from other sources, but not upgrading may expose you to the security vulnerabilities that were addressed by the newer version of iOS.
You should understand that by Jailbreaking your device, you are taking on increased responsibility for securing your device and protecting yourself from malicious software. Devices used with Category I data should not be Jailbroken.
Enable Automatic Downloads of App Updates
Application updates often address security vulnerabilities in addition to fixing bugs and adding new features. It is recommended that applications, especially those used to interact with the Internet and web-based services (e.g. Internet browsers), be updated frequently. This feature will automatically download and install application updates when they become available.
Enable remote wipe functionality
The intent here is to ensure that if the device is lost, the data can be erased remotely. There are a number of ways to accomplish this with iOS:
Austin Exchange Messaging Service provides this functionality to synchronized devices. Device wipes can be requested by the Exchange server administrator or initiated by the account holder through Outlook Web Access under Options > Mobile Devices.
Apple's iCloud service provides, among other things, the ability to track GPS-enabled devices, display messages on the screen, lock a device, and wipe all data. These features are provided free of charge to owners of iPhone 4 and newer, iPod Touch 4th generation and newer, and all iPad devices, but this does need to be set up on the device in advance (i.e. it can't be done after the device is lost). This feature is called Find My iPhone, which is discussed in more detail later.
Enable Find My iPhone
Find My iPhone is a free service provided by Apple that allows users to track and remotely lock or erase an iDevice. Despite the name, this service also works with iPad and iPod Touch devices. A free iCloud account is required to use this service. If a device is lost or stolen, having this service enabled may allow the owner to find and recover the device with the assistance of the University Police Department (UTPD). Even if recovery of the device isn't possible, the ability to remotely erase may protect any sensitive data that was stored on it. With iOS 7 Apple introduced Activation Lock, so enabling Find My iPhone now also prevents someone from erasing and restoring a device without entering the iCloud username and password associated with it.
To enable Find My iPhone:
If using iOS 8, enable Send Last Location:
Encrypt device backups through iTunes
By default, backups of devices made in iTunes are not encrypted. This may expose sensitive data if the computer is lost or compromised. Additionally, data in the backup might be used to compromise the associated iOS device.
To enable encrypted backups, connect the iOS device to the computer, open iTunes, and check "Encrypt iPhone backup" (or "Encrypt iPad backup" / "Encrypt iPod backup", depending on the device) under Options. Select a strong, complex password when prompted.
Erase all data before return, repair, or recycle
In order to prevent an unauthorized person from being able to recover sensitive information from the device, the disk should be overwritten via the "Erase All Content and Settings" setting before it is out of your physical control.
Require a passcode or password
Setting a passcode prevents casual unauthorized access to a device. A passcode is also required in order to enable Data Protection and take full advantage of the encrypted storage of all recent iOS devices.
To configure a passcode:
In addition to the default 4-digit passcode, Apple also supports the use of numeric passcodes longer than 4 digits and regular alphanumeric passwords. There have been examples of brute force attacks against passcodes that bypass the normal user login mechanisms and attack the keychain directly to prevent data from being erased after 10 invalid attempts (which is the default behavior). Since a 4-digit passcode only has a maximum of 10,000 possible combinations, we recommend that users select a longer passcode or a password when possible. iOS will present the standard numeric keypad for entry regardless of the length of a passcode, so long as the passcode consists only of numbers. For high-security applications, it is recommended that a standard alphanumeric password be used instead of a passcode.
To configure a complex passcode or password:
Enable TouchID with a complex password
If the device supports TouchID (iPhone 5S and newer), configure a complex password (8 characters minimum with letters, numbers, and symbols) and enable TouchID. TouchID will allow you to authenticate to the phone without having to type in the password except when the phone is first turned on or when you have not authenticated to the phone via TouchID in more than 48 hours. Using a complex password instead of a passcode makes brute force attacks significantly harder and more time consuming, protecting the data on the phone better (the standard 4 digit passcode is defeatable in under 3 minutes). While TouchID is not perfect, this combination still represents better security than a simple passcode alone.
Set auto-lock timeout
This option automatically locks the device after it has been inactive for the specified amount of time.
To enable the auto-lock timeout:
1. Tap Settings.
Disable grace period for screen lock
The grace period allows the device to be unlocked after auto-locking without providing an unlock code. Setting a value of "Immediately" will require the passcode to be entered regardless of when the device was last locked.
To disable the grace period for screen lock:
Erase data upon excessive passcode failures
Devices can be configured to automatically erase user settings and data after ten passcode failures. As excessive passcode failures typically indicate the device is out of your physical control, enabling this may protect the confidentiality of information stored on the device.
To enable this option:
Enable Data Protection
With devices that support hardware encryption (iPhone 3GS and later, iPod Touch 3rd gen and later, and all iPads), iOS 4 and above allow applications to use an encryption key derived from your passcode to protect application data. Enabling this feature is as simple as setting a passcode on the device.
To verify that data protection is enabled:
Note: If the device originally shipped with iOS 3 (e.g. the iPhone 3GS, iPad, and iPod Touch), this feature will not be available until the device is restored after upgrading to iOS 4. This feature is not available on older devices, such as the iPhone 3G and earlier models, at all, as they do not support hardware encryption.
It is important to understand that applications must be specifically designed to utilize data protection. Do not store or use sensitive data with applications that do not make use of data protection. More information regarding this feature is available on Apple's site at iOS 4: Understanding data protection.
With iOS 7 and above all third party applications and the native system apps such as Messages, Mail, Calendar, Contacts, and Photos make use of Data Protection to encrypt data.
Enable Fraud Warning in Safari
The Fraudulent Website Warning feature in Safari helps protect users from visiting potentially fraudulent Internet sites. If you navigate to a known fraudulent site covered by this service, Safari will not load the site and instead display a warning about its suspect nature.
Disable AutoFill for sensitive information
AutoFill will remember information entered into forms and then automatically fill in this information in matching fields on later forms. While this may be convenient, it also may result in the storage of sensitive information locally on the device. Additionally, automatically filling in fields on web forms could result in unintentional disclosure of sensitive data to unauthorized people. It is strongly recommended that, at a minimum, the storage of Credit Cards be disabled.
To disable AutoFill:
Block cookies from third parties
Third party cookies are set by websites other than those specifically navigated to by you. These cookies are often used for tracking and may facilitate identification and behavioral analysis of users for the purposes of advertising. While third party cookies do not represent a specific security threat, they offer no benefit to end users and help erode online privacy.
To configure blocking of third party cookies:
Turn on Do Not Track
The Do Not Track option instructs Safari to send a specific header in web requests that indicates your preference not to be tracked by the websites you visit. Many sites have opted to honor this preference, so there is some small privacy benefit from enabling it. It is important to note, however, that this feature is strictly voluntary and web sites are under no obligation to honor it. There is no guarantee that any specific web site obeys this header now or will continue to do so in the future.
To turn on Do Not Track:
Turn off Ask to Join Networks
By default, iOS devices will prompt you to join an unknown network, if any are detected, when no previously joined networks are available. The issue is that anyone can run a wireless hotspot, and joining a poorly configured or insecure network could allow a malicious user on that same network to intercept, capture, and alter any network traffic sent by a user. In fact, many attackers will intentionally run wireless networks in popular, crowded areas, like airports and coffee shops, hoping to lure unsuspecting users into connecting. If this feature is disabled, you must manually select a wireless network to join from a list of detected available networks. This may reduce the risk of inadvertently joining a similarly named yet untrusted network (e.g. “defualt” instead of “default”).
To disable Ask to Join Networks:
Turn off AirDrop when not in use
AirDrop is a service that provides a very simple and easy way to transfer files and information between iOS devices. As with all such services, it is safer to have it enabled only when it is actively being used and you are expecting to transfer or receive files.
To turn AirDrop off:
Turn off Bluetooth when not in use
Disabling Bluetooth reduces the remote attack surface of devices and may also prevent you from unintentionally connecting to unknown Bluetooth services and devices. Bluetooth should be enabled only when it is actively being used.
To turn off Bluetooth:
Turn off Personal Hotspot when not in use
The Personal Hotspot feature allows devices with cellular data connections to share their network connectivity with other devices over Bluetooth, Wi-Fi, or USB. This feature should be disabled when not in use to prevent unauthorized usage and reduce the remote attack surface of the device.
To turn off Personal Hotspot:
Forget Wi-Fi networks to prevent automatic rejoin
By default, an iOS device will remember and automatically rejoin networks that it has previously associated with. The problem with this is that a trusted but unauthenticated Wi-Fi network may be spoofed and then automatically joined. Additionally, if a previously joined network has a common SSID, such as “default” or “linksys”, it is very probable that the device will encounter an untrusted instance of a same-named Wi-Fi network and automatically join it.
To forget a remembered or connected Wi-Fi network:
Note: the Wi-Fi network must be in range for it to appear in the list of available networks to forget; if the Wi-Fi network is no longer in range, the user must reset all network settings, which will forget all Wi-Fi networks.
Turn off Location Services
Location Services allows installed applications and visited websites to request your current location. Once access is granted to an application, the application may request the data again at any time with no further notification to the user.
To turn off Location Services:
Restrict access to Location Services, Contacts, Photos, etc.
With iOS 7, application access to Location Services, Contacts, Photos, Calendars, and similar user data can all be controlled and restricted on a per application basis. Applications will prompt for access to this user data once, and afterwards changes can be made in Settings -> Privacy and selecting the specific type of information that was requested. So instead of disabling Location Services, for example, you could go to Settings -> Privacy -> Location Services and specifically choose the applications you wish to allow to access your current location. Location Services in particular is unique as this service can also be configured to place an icon in the status bar when in use as a visual notification that an app is accessing your location.
It is strongly recommended that users go through this setting and disable access to personal and confidential data from applications that have no need of it. Additionally, some forms of advertising (e.g. location based iAds) and ad tracking can be disabled and limited here.
Disable access to Control Center on Lock Screen
The Control Center introduced in iOS 7 allows users to quickly access certain frequently used settings and applications without having to unlock the device. Almost immediately after the release of iOS 7, a vulnerability was found in this feature that allowed anyone with physical access to the device to bypass the lock screen and access a significant amount of potentially sensitive data on a device. While this specific flaw was fixed with iOS 7.0.2, the nature of the Control Center and the applications it grants access to both make it a valuable target for attackers. Disabling access to the Control Center from the Lock Screen could help mitigate any future bypass exploits that are found. The Control Center is still available with this setting, the device just has to be unlocked first.
To disable the Control Center from the Lock Screen:
On iPhone 5S and newer devices, TouchID allows a fingerprint to unlock the device in place of entering a passcode/password. While TouchID is substantially better than not having a passcode at all, the best option for high security environments is still a strong alphanumeric password. TouchID has also been bypassed, although not in a way that would make it less viable or secure for most users. Despite this, questions do remain as to what data Apple is capturing in order to facilitate TouchID and how this data is stored and accessed. As with all biometric identification schemes, users should exercise extreme caution before use, as you can't change the aspects of your person that these systems use if they turn out to be untrustworthy (that is to say, you can't change your fingerprints).
To disable TouchID:
While disabling TouchID and setting a complex password is the most secure configuration, it obviously is the least usable configuration as this complex password has to be entered every time to unlock the device. TouchID combined with a complex password is more secure than a simple passcode alone, while still convenient to use. Don't disable TouchID only to use a 4 digit passcode.
Enable Private Browsing in Mobile Safari as needed
Private Browsing is a mode that can be enabled in Safari that prevents the browser from recording your browsing history or searches and from using any AutoFill information. This is useful for protecting privacy and thwarting advertiser tracking. Note that this mode only persists for the selected session.
To enable Private Browsing for a Safari session: