Chapter 76 Β· Concepts

Security Baselines β€” Concepts Map

Six comparison tables: baseline elements, manufacturer sources, deployment mechanisms, stable vs. dynamic settings, configuration drift causes and risks, and the establish-deploy-maintain-audit lifecycle.

Table 1 β€” Security Baseline Elements
ElementWhat It CoversExample Deviation Risk
Firewall rulesWhich ports are open or blocked on the systemAttacker exploits an open port that should have been closed
Patch levelsWhich OS and application updates must be installedMissing patch leaves a known CVE exploitable on the system
OS file versionsCorrect system files in place with expected versionsReplaced or outdated system file introduces instability or backdoor
Authentication settingsPassword complexity, lockout thresholds, MFA requirementsWeak password policy allows brute-force or credential spray
Access controlsPrivilege boundaries, least privilege enforcementOver-privileged account compromised, leading to lateral movement
Service configurationWhich services and processes are permitted to runUnnecessary service provides additional attack surface
Table 2 β€” Manufacturer Baseline Sources
SourceWhat They ProvideExample
Application developerFile permissions, configuration settings for their applicationDatabase vendor's hardening guide for default port changes, service account privileges
Operating system manufacturerSecurity settings for the OS; group policy recommendationsMicrosoft Security Compliance Toolkit (SCT) for Windows 10/11/Server
Appliance manufacturerHardware-specific hardening; default credential changes; service disablingFirewall vendor's secure deployment guide for their specific device model
Third-party frameworksCross-platform benchmarks validated by security communityCIS Benchmarks covering dozens of OS and application types
Table 3 β€” Baseline Deployment Mechanisms
MechanismBest ForKey Characteristic
Active Directory Group PolicyWindows workstations and servers in a domainCentrally defined; reapplied at intervals; overwrites local changes
Mobile Device Management (MDM)Smartphones, tablets, remote laptopsDevice must be enrolled; works regardless of physical location
Configuration management tools (Ansible, Puppet, Chef)Servers β€” Windows and Linux; cloud and on-premisesDesired state defined in code; continuously enforced
Cloud policy platforms (AWS Config, Azure Policy)Cloud resources (VMs, storage, network configurations)Native to the cloud platform; real-time compliance monitoring
Security Compliance Toolkit (SCT)Windows environments; applying Microsoft-published baselinesPre-packaged baseline files that can be imported and deployed directly
Table 4 β€” Stable vs. Dynamic Baseline Settings
CategoryCharacteristicsExamplesMaintenance Needed?
Stable settingsLong-established best practices; rarely changeMinimum password length, firewall blocking unused ports, least privilege, disable guest accountsRarely β€” deploy and monitor
Vulnerability-driven updatesNew CVE discovered requiring configuration changeDisable a protocol version exploited by a new attack (e.g., TLS 1.0 retirement)Yes β€” update baseline as vulnerabilities emerge
Application-update-drivenUpdated app introduces new settings or removes old onesNew application version adds a security setting not in the previous releaseYes β€” review baseline with each major update
OS-migration-drivenNew OS has different policy structure or optionsMigrating from Windows Server 2016 to 2022 requires baseline reviewYes β€” full baseline review for each OS version change
Table 5 β€” Configuration Drift: Causes and Risks
Cause of DriftHow It HappensRisk
Temporary manual changesAdmin opens port for troubleshooting; never closes itPersistent attack surface on a system believed to be secure
Unauthorized software installationUser installs unapproved application that changes settingsNew services running; potential malware introduced
Inconsistent updatesPatch applied to some systems but not allUnpatched systems exploitable by known CVEs
Emergency changes not reversedSetting relaxed during incident; never restored post-incidentSecurity posture permanently weakened without intention
Attacker modificationCompromised system has settings changed to maintain persistenceWeakened defenses; persistent foothold for attacker
Table 6 β€” The Baseline Lifecycle: Establish β†’ Deploy β†’ Maintain β†’ Audit
PhaseActivitiesKey Tools/Sources
EstablishGather manufacturer recommendations; adapt to organizational needs; define approved settings; get formal approvalSCT, CIS Benchmarks, vendor hardening guides, organizational security policy
DeployPush baseline to all applicable systems via automated tooling; confirm deployment succeeded on all targetsGroup Policy, MDM, Ansible/Puppet/Chef, cloud policy platforms
MaintainMonitor for drift via continuous integrity checks; update baseline when vulnerabilities, app updates, or OS changes require it; test updates before broad rolloutSIEM, endpoint detection tools, configuration assessment platforms
AuditPeriodic formal comparison of actual configurations against baseline; produce compliance evidence; feed gaps back into remediationCompliance assessment tools, change management records, audit reports