
How do I establish baseline security configurations?

Baseline security configurations represent the approved, documented, secure settings for systems, devices, and applications in your environment. Establishing and maintaining these baselines is a core CPCSC requirement, particularly at Level 2, and represents essential security hygiene that protects against common vulnerabilities and misconfigurations.

Answer

Establish baseline security configurations by selecting standards like CIS Benchmarks, customizing for your environment, documenting settings, implementing through automation, and monitoring for drift.

Understanding Security Baselines

A security baseline is the minimum security configuration for a particular system or device type, defined from security best practices, vendor recommendations, regulatory requirements, and organizational policies.

Baselines specify settings like which services and features are enabled or disabled, security configuration parameters, network configurations, installed software, security tool configurations, and access control settings.

Once baselines are established, all systems of that type should be configured to match the baseline, creating consistency across the environment and ensuring security configurations aren't left to individual administrators' discretion or default vendor settings that may prioritize usability over security.

Why Baselines Matter

Default configurations often prioritize ease of use, compatibility, and feature richness rather than security. Vendors enable services and features by default that many organizations don't need, expanding the attack surface unnecessarily.

Settings that make sense for consumer products may be inappropriate for systems handling sensitive government information.

Without documented baselines, configuration drift occurs as different administrators make different decisions or systems gradually deviate from secure settings over time.

Adversaries actively seek misconfigured systems as easy initial access points. Automated scanning tools constantly probe the internet looking for systems with default credentials, unnecessary services, unpatched vulnerabilities, or weak security settings.

Baseline configurations systematically address these risks by establishing known-good, security-focused configurations that all systems must meet.

Common Secure Configuration Standards

Organizations don't need to create baselines from scratch. Several authoritative sources provide detailed secure configuration guidance.

The Center for Internet Security (CIS) publishes CIS Benchmarks for hundreds of technologies including operating systems, cloud platforms, databases, network devices, and applications, providing detailed, consensus-based configuration guidance developed by security experts.

The Defense Information Systems Agency (DISA) maintains Security Technical Implementation Guides (STIGs) that provide highly prescriptive configuration guidance for government and defence environments, often more stringent than CIS Benchmarks.

Vendors like Microsoft, Cisco, and AWS publish security configuration guides for their products. NIST provides configuration guidance in various publications. The Canadian Centre for Cyber Security publishes guidance relevant to Canadian requirements.

For CPCSC purposes, leveraging CIS Benchmarks or STIGs provides credible, defensible baseline starting points that external assessors will recognize and respect.

Developing Your Baseline Configuration

The baseline development process typically involves several steps:

  • Inventory your environment, identifying all systems, devices, and applications that process, store, or transmit specified information
  • Select appropriate standards by choosing relevant CIS Benchmarks, STIGs, or other guidance for each technology in your environment
  • Review and customize the standards, as not every recommendation will be appropriate for your operational requirements
  • Document your baseline in a baseline configuration document for each system type listing all security-relevant settings and their required values
  • Obtain approval for baselines from appropriate authorities, typically IT leadership, security teams, and potentially business stakeholders
  • Implement the baselines across existing systems and use them as the standard for new system deployments

Implementation Approaches

Implementing baselines manually by configuring each system individually is time-consuming, error-prone, and doesn't scale. Better approaches include:

  • Configuration management tools like Ansible, Puppet, Chef, or Microsoft System Center Configuration Manager automatically apply baseline configurations across many systems consistently
  • Group Policy in Active Directory environments provides centralized configuration management for Windows systems
  • Mobile Device Management (MDM) solutions apply baseline configurations to mobile devices
  • Infrastructure-as-Code for cloud environments embeds security configurations in deployment templates and scripts, ensuring systems are configured correctly from the moment they're provisioned
  • Container and virtual machine images can be hardened to baseline standards, then used as templates for all deployments

Automated approaches ensure consistency, enable rapid deployment, and support ongoing compliance monitoring.

Configuration Management and Change Control

Once baselines are established, configuration management processes prevent unauthorized or undocumented changes. All changes to baseline configurations should follow a formal change control process including:

  • Change request documentation
  • Security impact analysis assessing how proposed changes affect security posture
  • Approval by appropriate authorities
  • Testing in non-production environments before production implementation
  • Implementation with documentation
  • Verification that changes were applied correctly

Emergency changes may need expedited processes, but should still be documented and retroactively reviewed.

Changes to individual systems that deviate from baseline require explicit approval and documentation of the deviation, its business justification, and compensating controls if the deviation weakens security.

Monitoring for Configuration Drift

Even with strong change control, configuration drift occurs over time as systems are patched, applications are updated, or unauthorized changes are made.

Continuous monitoring for drift is essential: configuration assessment tools regularly scan systems and compare their current settings against the approved baselines. Tools like Tenable, Qualys, or open-source alternatives like OpenSCAP can automatically identify deviations and alert security teams.

When drift is detected, investigate the root cause. Was it an authorized change that wasn't properly documented, an unauthorized change that should be reverted, or a vendor patch that modified settings requiring baseline update?

Remediate the drift by either reverting the system to baseline if the change was unauthorized or updating the baseline documentation if the change is approved.

Tracking drift metrics helps identify problem systems or areas where baseline maintenance needs attention.
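The drift check described above, as an added example rather than code from Plurilock or any scanning product: a documented baseline and a deviation register (approved value, justification, compensating control) are compared against settings captured from a host, so that an approved, documented deviation is reported separately from unauthorized drift. The baseline values, hostnames, change request number and capture text are all constructed for illustration.

```python
# Added example (not Plurilock's code): classify a host's captured settings
# against the documented baseline; all values below are constructed.

# Baseline document for one system type: setting -> required value.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sshd.MaxAuthTries": "4",
    "audit.log_retention_days": "365",
}
# Deviation register from change control: (host, setting) -> approved value,
# its business justification and the compensating control.
APPROVED_DEVIATIONS = {
    ("build01", "sshd.PasswordAuthentication"): {
        "value": "yes",
        "justification": "legacy CI agent cannot use key auth (CR-0042)",
        "compensating_control": "host reachable only from the CI subnet",
    },
}
# Constructed capture from host build01, as a collection script might report it.
CAPTURE_BUILD01 = """
sshd.PermitRootLogin = no
sshd.PasswordAuthentication = yes
sshd.MaxAuthTries = 6
"""

def parse_capture(text: str) -> dict:
    """Parse 'key = value' lines captured from a host; skip blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def check_drift(host: str, captured: dict) -> dict:
    """Sort each baseline setting into approved, unauthorized or missing."""
    result = {"approved": [], "unauthorized": {}, "missing": []}
    for setting, expected in BASELINE.items():
        actual = captured.get(setting)
        deviation = APPROVED_DEVIATIONS.get((host, setting))
        if actual is None:
            result["missing"].append(setting)
        elif actual != expected:
            if deviation and deviation["value"] == actual:
                result["approved"].append(setting)  # documented, stays as-is
            else:
                result["unauthorized"][setting] = (expected, actual)  # revert
    # A host passes only if nothing is missing or deviates without approval.
    result["compliant"] = not result["missing"] and not result["unauthorized"]
    return result
```

The same capture from a host with no entry in the deviation register would report the password-authentication setting as unauthorized drift, which is the distinction the change control process above relies on.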

Baseline Review and Updates

Baselines are not static and require periodic review and updates. Consider the following factors:

  • Technology changes as new products and versions are deployed
  • Threats evolve, making previously acceptable configurations insufficient
  • Vendor guidance updates as new vulnerabilities are discovered and addressed
  • Operational requirements change, potentially justifying configuration modifications
  • Regulatory requirements may change, requiring configuration updates

Schedule formal baseline reviews at least annually, or more frequently for rapidly changing environments or following significant security incidents.

During reviews, assess whether current baselines remain appropriate, incorporate new security guidance from CIS, DISA, or vendors, remove obsolete baselines for deprecated technologies, and update documentation to reflect approved changes.

Common Baseline Areas

Key configuration areas that baselines should address include:

  • Account and authentication settings such as password complexity, account lockout, session timeout, and multifactor authentication requirements
  • Network configurations covering firewall rules, open ports, wireless security, and remote access settings
  • Service and protocol management specifying which services and network protocols are enabled or disabled
  • Audit and logging configurations defining what events are logged, log retention periods, and log protection
  • Encryption settings specifying what data is encrypted, what cryptographic algorithms are used, and key management
  • Patching and update policies defining update schedules and approval processes
  • Physical and administrative controls configuring BIOS/UEFI security, boot security, and USB device restrictions
  • Application settings securing business applications, web browsers, and productivity tools

Each area contributes to overall system security posture.

Balancing Security and Usability

Implementing highly restrictive baseline configurations can impact system usability and business processes. Finding appropriate balance requires:

  • Understanding business requirements and operational constraints
  • Starting with secure baseline standards and only deviating when there are compelling business needs
  • Documenting and approving all deviations with clear justification
  • Implementing compensating controls when security settings must be relaxed
  • Regularly reassessing whether approved deviations are still necessary or if business processes can adapt to allow more secure configurations

Security that makes business operations impossible isn't sustainable, but convenience that undermines protection of specified information isn't acceptable. The goal is maximum reasonable security.

Documentation for CPCSC Compliance

External assessors conducting Level 2 assessments will examine your baseline configuration process thoroughly. They'll expect to see:

  • Documented baseline standards for all system types handling specified information
  • Evidence that systems are actually configured according to baselines through configuration assessment reports, manual verification during assessment, or automated monitoring data
  • Change control documentation showing configuration changes are managed systematically
  • Configuration drift monitoring and remediation
  • Periodic baseline reviews and updates

Organizations that can demonstrate mature configuration management processes with comprehensive baselines, automated enforcement, and continuous monitoring will pass this assessment component smoothly, while those with ad-hoc configuration management will face significant deficiencies requiring remediation.


Why Choose Plurilock for CPCSC Readiness?

Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.

As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.

Why we're the superior choice:

  • First-mover CPCSC expertise: Plurilock was among the first firms to launch dedicated CPCSC readiness services—and among the first to serve clients in this practice—giving your organization a partner with real, accumulated experience preparing suppliers for certification.
  • Deep CMMC heritage: Our established U.S. defense contractor practice has guided organizations through CMMC readiness for years, and those underlying controls map closely to CPCSC—we bring battle-tested methodologies, not theory borrowed from adjacent frameworks.
  • Federal experience on both sides of the border: With extensive engagements across U.S. and Canadian federal government environments, we understand the contractual, technical, and procedural realities that shape defense supply chain compliance.
  • Readiness assessment and gap analysis: We evaluate your current posture against CPCSC requirements, identify control gaps with precision, and deliver clear, prioritized roadmaps that align remediation effort to certification level and contract obligations.
  • Strategy and execution, not just paperwork: Beyond identifying gaps, we help you execute—planning the remediation program, supporting policy and evidence development, and preparing your team and systems so that when the assessor arrives, you're ready.

CPCSC-ready—with proven defense contractor experience guiding every step.


+1 (888) 776-9234 (Plurilock)
+1 (310) 530-8260 (Aurora)
+1 (613) 526-4945 (Integra)

sales@plurilock.com

Schedule a free consultation to plot a course toward CPCSC compliance.
