Secure Configuration Baseline & Management
What are secure configuration baselines?
In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to system security settings to help mitigate these threats. A baseline is a reference state you can measure against at any time to identify the difference between the current state and the starting point.
Creating and maintaining your security baseline standards will be an ongoing process, requiring the help and support of a number of departments within the IT organization. The main goal of developing a security baseline is to promote and strengthen the security of the organization's computing assets.
In general, the business and technical requirements reflect the core of a baseline policy. It can also be a combination of your business requirements and industry best practices. As a security administrator, your job is to translate these policies into a technical policy that you can apply in your IT environment.
Remember that establishing and maintaining security baselines will help to secure your environment and achieve compliance.
You can use security baselines to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use Group Policy or Microsoft Endpoint Configuration Manager to configure a device with the setting values specified in the baseline.
Using security baselines in your organization
Even though servers and security devices are designed to be secure out of the box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Security configuration baselines provide this guidance.
We recommend that you implement an industry-standard configuration that is broadly known and well-tested, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs. Different companies and industries follow different standards and policies to secure their IT infrastructure. The following are some of the popular standards that are widely used in the industry:
- National Institute of Standards and Technology (NIST)
- Center for Internet Security (CIS)
- Security Technical Implementation Guides (STIGs)
- National Security Agency (NSA) Configuration Guides
- Microsoft Security Baselines
All apps and devices within your organization need to have a security baseline. The goal is to establish an appropriate level of security for all systems. A security baseline can differ from a configuration baseline because it deals solely with security-related settings. Baselines may be different for end-user devices, servers and operating systems. Using Group Policy and security templates can help to standardize system configurations and settings. There are security templates for account policies, local policies, system services, software restrictions and restricted groups. Consider these security objectives:
- Turn off all unnecessary services
- Restrict administrator access
- Restrict the ability of users to install software
- Change default configurations
What is Secure Configuration Management?
Fundamentally, secure configuration management refers to the set of security policies and procedures applied on systems, applications, and network devices.
The National Institute of Standards and Technology (NIST) defines security configuration management as “The management and control of configurations for an information system with the goal of enabling security and managing risk.”
Four key stages in Secure Configuration Management:
- Device discovery: First, you’ll need to find the devices that need to be managed. You will also want to categorize and “tag” assets to avoid starting unnecessary services. Engineering workstations, for example, require different configurations than finance systems.
- Establish configuration baselines: You will need to define acceptable secure configurations for each managed device type. Many organizations start with the benchmarks from trusted establishments like CIS or NIST for granular guidance on how devices should be configured.
- Assess, alert and report changes: Once devices are discovered and categorized, the next step is to define a frequency for assessments. How often will you run a policy check? Real-time assessments may be available but are not required for all use cases.
- Remediate: Once a problem is identified, either it needs to be fixed or someone needs to grant an exception. You are likely to have too much work to handle immediately, so prioritization is a key success criterion. You will also need to verify that expected changes actually took place for the audit.
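The four stages above as a small drift check, added here as an example and not taken from the original article or from any vendor tool. The asset tags, host names, setting names, values and priorities are constructed assumptions; a real deployment would load the baseline from the chosen benchmark and the inventory from a discovery tool.

```python
from collections import namedtuple

# Stage 2: one baseline per asset tag. Setting names and values are constructed
# for illustration, not copied from a CIS, NIST, STIG or vendor benchmark.
COMMON = {"guest_account": "disabled", "telnet_service": "disabled",
          "min_password_length": 14}
BASELINES = {"finance": {**COMMON, "user_software_install": "denied"},
             "engineering": {**COMMON, "user_software_install": "allowed"}}
# Constructed remediation priority: lower number is fixed first, default 3.
PRIORITY = {"guest_account": 1, "telnet_service": 1, "user_software_install": 2}
Finding = namedtuple("Finding", "priority host setting expected actual status")

def assess(inventory, exceptions=frozenset()):
    """Stage 3: compare each discovered device with the baseline for its tag."""
    findings = []
    for host, (tag, config) in inventory.items():
        baseline = BASELINES.get(tag)
        if baseline is None:  # discovery gap: an untagged device has no baseline
            findings.append(Finding(0, host, "asset_tag", "known tag", tag, "open"))
            continue
        for setting, expected in baseline.items():
            actual = config.get(setting)  # a setting the device did not report is drift
            if actual != expected:
                status = "excepted" if (host, setting) in exceptions else "open"
                findings.append(Finding(PRIORITY.get(setting, 3), host, setting,
                                        expected, actual, status))
    return sorted(findings)  # (priority, host, setting) is unique per finding

def remediation_queue(findings):
    """Stage 4: work list of open findings, highest priority first."""
    return [f for f in findings if f.status == "open"]

def verify_fixed(finding, inventory, exceptions=frozenset()):
    """Stage 4 audit step: re-assess and confirm the finding no longer appears."""
    return all((f.host, f.setting) != (finding.host, finding.setting)
               for f in assess(inventory, exceptions))

# Stage 1: constructed inventory, host -> (asset tag, settings the device reported).
INVENTORY = {
    "fin-ws-01": ("finance", {**COMMON, "guest_account": "enabled",
                              "min_password_length": 8, "user_software_install": "denied"}),
    "eng-ws-07": ("engineering", {"guest_account": "disabled", "min_password_length": 14,
                                  "user_software_install": "allowed"}),
    "kiosk-03": (None, {}),
}
EXCEPTIONS = {("fin-ws-01", "min_password_length")}  # constructed approved exception

if __name__ == "__main__":
    print(*remediation_queue(assess(INVENTORY, EXCEPTIONS)), sep="\n")
```

The untagged device and the setting a host never reported both surface as findings, so a discovery gap cannot pass as compliance.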
Adopting standards for server and desktop systems is one step in developing a more secure computer network. A secure IT infrastructure is a more efficient infrastructure. Convincing an organization to adopt security baseline standards will reduce risk by eliminating vulnerabilities.