When you purchase a system, the manufacturer’s default settings are rarely the most secure. Each system and component needs to be configured to achieve a secure state or baseline configuration.
Configuration management is the process of identifying, controlling, accounting for, and auditing any changes made to that established baseline.
Determine the necessary services, applications, or capabilities
Install and update Antivirus.
Ivan oversees the operating systems for the company. Once he establishes a baseline, he can configure similar systems with the same baseline to achieve the same level and depth of security.
I established the baseline. Now I will deploy it to our other systems.
Install standard software packages.
Update and patch operating system and applications.
Systems provide a wide variety of functions and services. Determine which functions and services the company requires and disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized access.
services do I need?
Principle of Least Functionality
Configuration management includes controlling who can change system configurations. An organization’s security policies specify who can install software on its systems. Permitted software includes updates and security patches to existing software applications from approved sources. Prohibited software includes software that an organization considers potentially malicious. System or security administrators are commonly the only ones allowed to install additional applications on a system.
Only users with
Control User-installed Software
Enforce Security Configuration
Configuration settings are the parameters that you can change to affect the security or the functionality of hardware, software, or firmware components on servers, workstations, scanners, printers, firewalls, routers, wireless access points, operating systems, and applications.
The security parameters set up (registry settings; account, file, or directory settings; and settings for ports, protocols, and remote connections) create a secure configuration, or system lockdown. Any unapproved changes get blocked.
Track, review, and approve changes to any computing environment before rolling changes out to production systems. To accomplish this, the organization has the management and technical team leads join the monthly meeting to address change controls.
During the meeting, everyone reviews all proposed changes to discuss potential impacts to the system and to the physical environment before the organization implements the changes.
Configuration Change Control
A subject matter expert (SME) reviews the plan to identify any security-related issues. The SME may correct any potential issues.
Security Impact Analysis
Document a detailed plan that includes the security impact of the changes.
Analyze the potential security impact of the requested changes:
Review the security plans to understand security requirements
Review system design documentation to understand the implementation of controls
Assess risk to determine if additional controls are needed
The SME submits the updated change plan to the change control board.
A user within the organization submits a request for major changes to the system and/or the environment.
George needs to add an additional network storage appliance to the organization’s server farm. All of the servers are in a data center with locked doors.
To gain access to the data center, George requests a key card to enter the data center to modify the hardware configuration. The center manager arranges for the change during scheduled downtime and records the changes made and the time.
Identify base processes run on host system
A “normal” environment includes:
A list of administrator-approved programs, IP and email addresses that can access the network. Blocks whatever is not on the list.
A list of applications, email addresses, IP addresses, and websites that CANNOT access the network. Assumes everything not on the list is OK.
Maintain proper software inventory
Black and white lists determine what applications and software get installed as well as websites that the user can visit.
To implement whitelisting, the organization must establish a “normal” environment and then have control over it.
Control what applications and versions get deployed
Control administrative rights on host systems
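The following added example (not part of the original material) audits one host against a baseline to show how the whitelist and blacklist models described above differ in practice. The software names, versions, ports and function names are all constructed for illustration.

```python
# Added example: constructed data and hypothetical names throughout.
from dataclasses import dataclass, field

@dataclass
class Baseline:
    approved_software: dict   # name -> approved version (the whitelist)
    allowed_ports: set        # listening ports the company actually requires
    blacklist: set = field(default_factory=set)  # names explicitly prohibited

def audit_whitelist(baseline, installed, listening_ports):
    """Default deny: anything that is not in the baseline is a finding."""
    findings = []
    for name, version in sorted(installed.items()):
        approved = baseline.approved_software.get(name)
        if approved is None:
            findings.append(("unapproved-software", name))
        elif version != approved:
            findings.append(("version-drift", f"{name} {version} != {approved}"))
    for name in sorted(set(baseline.approved_software) - set(installed)):
        findings.append(("missing-software", name))
    for port in sorted(set(listening_ports) - baseline.allowed_ports):
        findings.append(("unnecessary-port", str(port)))
    return findings

def audit_blacklist(baseline, installed):
    """Default allow: only names that appear on the blacklist are findings."""
    return [("blacklisted-software", n) for n in sorted(installed)
            if n in baseline.blacklist]

# Constructed sample baseline and host inventory.
BASELINE = Baseline(
    approved_software={"antivirus": "5.2", "office-suite": "16.0", "vpn-client": "3.1"},
    allowed_ports={22, 443},
    blacklist={"p2p-share"},
)
HOST_INSTALLED = {"antivirus": "5.0", "office-suite": "16.0", "remote-tool": "1.4"}
HOST_PORTS = {22, 23, 443}

if __name__ == "__main__":
    for kind, detail in audit_whitelist(BASELINE, HOST_INSTALLED, HOST_PORTS):
        print(f"whitelist  {kind}: {detail}")
    print("blacklist findings:", audit_blacklist(BASELINE, HOST_INSTALLED))
```

The same host produces four findings under the whitelist audit and none under the blacklist audit, because the unknown tool is simply not on the prohibited list.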