Configuration Hardening

Benefit

Hardened basic configuration settings of your components

Activity

Understand the importance of securing the technology stacks you use, and apply secure configuration to stack elements based on readily available guidance (e.g., open source projects, vendor documentation, blog articles). When your teams develop configuration guidance for their applications, based on trial-and-error and information gathered by team members, encourage them to share their learnings across the organization.

Identify key elements of common technology stacks, and establish configuration standards for those, based on teams' experiences of what works.

At this level of maturity, you don’t yet have a formal process for managing configuration baselines. Configurations may not be applied consistently across applications and deployments, and monitoring of conformance is likely absent.

Question

Do you harden configurations for key components of your technology stacks?

Quality criteria

You have identified the key components in each technology stack used
You have an established configuration standard for each key component

Answers

No
Yes, for some components
Yes, for at least half of the components
Yes, for most or all of the components

Benefit

Consistent hardening of technology stack components in your organization

Activity

Establish configuration hardening baselines for all components in each technology stack used. To assist with consistent application of the hardening baselines, develop configuration guides for the components. Require product teams to apply configuration baselines to all new systems, and to existing systems when practicable.

Place hardening baselines and configuration guides under change management, and assign an owner to each. Owners have ongoing responsibility to keep them up to date, based on evolving best practices or changes to the relevant components (e.g., version updates, new features).

In larger environments, derive configurations of instances from a locally maintained master, with relevant configuration baselines applied. Employ automated tools for hardening configurations.

Question

Do you have hardening baselines for your components?

Quality criteria

You have assigned an owner for each baseline
The owner keeps their assigned baselines up to date
You store baselines in an accessible location
You train employees responsible for configurations in these baselines

Answers

No
Yes, for some components
Yes, for at least half of the components
Yes, for most or all of the components

Benefit

Clear view on component configurations to avoid non-conformities

Activity

Actively monitor the security configurations of deployed technology stacks, performing regular checks against established baselines. Ensure results of configuration checks are readily available, through published reports and dashboards.

When you detect non-conforming configurations, treat each occurrence as a security finding, and manage corrective actions within your established Defect Management practice.

Further gains may be realized using automated measures, such as “self-healing” configurations and security information and event management (SIEM) alerts.

As part of the process for updating components (e.g., new releases, vendor patches), review corresponding baselines and configuration guides, updating them as needed to maintain their relevance and accuracy. Review other baselines and configuration guides at least annually.

Periodically review your baseline management process, incorporating feedback and lessons learned from teams applying and maintaining configuration baselines and configuration guides.
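The conformity check described above, as an added example that is not part of the SAMM model: a hardening baseline (with its owner and last review date) is compared against the observed configuration of a deployed instance, each deviation is emitted as a finding that can be filed in defect management, and the baseline itself is flagged when it has gone more than a year without review. The baseline, the settings and the observed values are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed hardening baseline for a hypothetical web server component.
# A set of values means "any of these is acceptable"; a scalar must match exactly.
WEB_SERVER_BASELINE = {
    "owner": "platform-security",   # assigned baseline owner (constructed)
    "last_reviewed": "2023-01-15",  # ISO date of the last review (constructed)
    "settings": {
        "tls_min_version": {"1.2", "1.3"},
        "directory_listing": "off",
        "server_tokens": "off",
        "admin_interface_bind": "127.0.0.1",
    },
}

# Constructed observed configuration of one deployed instance.
OBSERVED_CONFIG = {
    "tls_min_version": "1.0",
    "directory_listing": "off",
    "admin_interface_bind": "0.0.0.0",
    # server_tokens is absent: the deployment never set it
}

def check_conformity(baseline, observed):
    """Return one finding per missing or non-conforming setting.

    Each finding carries what defect management needs: the setting, the
    accepted values, the observed value, the reason, and the baseline owner.
    """
    findings = []
    for key, expected in baseline["settings"].items():
        actual = observed.get(key)
        allowed = expected if isinstance(expected, set) else {expected}
        if actual is None:
            reason = "missing"
        elif actual not in allowed:
            reason = "mismatch"
        else:
            continue  # conforming
        findings.append({"setting": key, "expected": sorted(allowed), "actual": actual,
                         "reason": reason, "owner": baseline["owner"]})
    return findings

def baseline_is_stale(baseline, today_iso, max_age_days=365):
    """True when the baseline has not been reviewed within max_age_days."""
    last = date.fromisoformat(baseline["last_reviewed"])
    return date.fromisoformat(today_iso) - last > timedelta(days=max_age_days)

if __name__ == "__main__":
    for f in check_conformity(WEB_SERVER_BASELINE, OBSERVED_CONFIG):
        print(f"NON-CONFORMING {f['setting']}: got {f['actual']!r}, expected one of "
              f"{f['expected']} (route to owner: {f['owner']})")
    print("baseline stale:", baseline_is_stale(WEB_SERVER_BASELINE, date.today().isoformat()))
```

In a real deployment the observed dictionary would be populated from the component's configuration files or management API, and the findings list would be pushed to the reporting dashboard and the defect tracker rather than printed.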

Question

Do you monitor and enforce conformity with hardening baselines?

Quality criteria

You perform conformity checks regularly, preferably using automation
You store conformity check results in an accessible location
You follow an established process to address reported non-conformities
You review each baseline at least annually, and update it when required

Answers

No
Yes, for some components
Yes, for at least half of the components
Yes, for most or all of the components
