Chapter 76 Β· Examples
Security Baselines β Worked Examples
The breach from missing baseline enforcement, configuration drift catching an attacker, the SCT deployment in a Windows enterprise, a baseline conflict requiring a judgment call, and a complete baseline lifecycle walkthrough for a new application deployment.
Example 1: The Missing Baseline β How One Unconfigured Server Becomes the Entry Point
A regional healthcare network deploys a new electronic health records (EHR) application across 40 servers. The security team creates a detailed security baseline: specific firewall rules, required patches, service configurations, authentication requirements. They test it, get it approved, and deploy it to 39 of the 40 servers. The 40th server β a secondary application node brought online two weeks later during a busy period β is set up quickly and the baseline deployment is skipped. "We'll get to it," someone notes in a ticket. The ticket is never acted on.
Six Months Later
An attacker conducting external reconnaissance identifies the 40th server. It is missing several patches that the other 39 servers have. One of those patches addresses a critical remote code execution vulnerability in the web application component. The attacker exploits the vulnerability, gains access to the server, and uses it as a pivot point to move laterally to the database servers containing patient records.
The other 39 servers are untouched β the baseline protected them. The 40th server's missing baseline caused the breach.
The Root Cause
The baseline itself was correct and effective. The failure was deployment: "all instances must follow the baseline" was not enforced. The 40th server was never brought into compliance.
The fix requires two things: (1) automated deployment tooling that ensures every new server receives the baseline at provisioning time, not as a manual post-deployment step; and (2) continuous compliance monitoring that would have detected the non-compliant server immediately after it went live and flagged it for remediation.
A security baseline only protects what it is applied to. Inconsistent deployment β even for a single instance β leaves a gap that attackers can find and exploit. Automation and continuous monitoring close this gap.
Example 2: Configuration Drift Detection β Catching an Attacker's Foothold
A financial services company runs continuous integrity monitoring on all production servers, comparing running configurations against approved baselines daily. On a Tuesday morning, the monitoring system generates an alert: Server FINPROD-07 shows three deviations from baseline.
The Alert Details
Deviation 1: A new local user account "svc_maint2" was created β not in the baseline, not in the change management system.
Deviation 2: Remote Desktop Protocol (RDP) was enabled on the server β the baseline requires it to be disabled for this server type.
Deviation 3: Windows Defender real-time protection was turned off β a direct violation of a baseline requirement.
None of these changes appeared in any authorized change request.
The Investigation
The security team investigates. They find that FINPROD-07 was accessed via an exploited vulnerability 3 days earlier. The attacker created the "svc_maint2" account as a persistent backdoor, enabled RDP for convenient remote access, and disabled Defender to avoid detection of their tools.
Because the integrity monitoring detected the drift within 24 hours of the attacker's first action, the incident is contained before the attacker exfiltrated any data. The account is removed, the settings are restored to baseline, the vulnerability is patched, and a full investigation is launched.
Configuration drift detection is a security control in its own right. When attackers compromise a system, they typically modify configurations to establish persistence and disable defenses. Continuous integrity monitoring catches these modifications as baseline deviations β providing an independent signal of potential compromise.
Example 3: Using Microsoft SCT to Deploy Windows Security Baselines
A mid-size enterprise has 800 Windows 10 workstations and 60 Windows Server 2022 servers. The security team is tasked with establishing and deploying a security baseline across the entire fleet. They start with the Microsoft Security Compliance Toolkit.
Step 1 β Download and Review the SCT Baseline
The team downloads the Windows 10 Security Baseline package from Microsoft. It contains pre-configured Group Policy Object (GPO) backups covering hundreds of security settings: audit policies, account lockout settings, Windows Defender configuration, network security settings, and more. The team reviews the recommended settings against their operational requirements. Most settings are adopted as-is; a handful are adjusted where the Microsoft default conflicts with a line-of-business application's requirements. Each adjustment is documented with justification.
Step 2 β Import and Test
The customized GPO is imported into Active Directory and applied to a test organizational unit containing 20 pilot workstations. IT runs business applications, tests network connectivity, verifies printing and file access, and confirms authentication works. Two minor issues are identified and resolved. After two weeks of stable operation on the pilot group, the baseline is approved for production deployment.
Step 3 β Deploy and Enforce
The GPO is linked to the production organizational units covering all 800 workstations. Group Policy propagates to all machines at the next Group Policy refresh cycle (every 90 minutes by default, or immediately on next login). Within 24 hours, all 800 workstations have received the baseline. Group Policy reapplies the settings continuously β if a user or local administrator modifies a setting that Group Policy controls, Group Policy overwrites it at the next refresh. The baseline is now enforced, not just deployed once.
The Microsoft Security Compliance Toolkit eliminates the need to build a Windows baseline from scratch. Starting from Microsoft's tested recommendations, customizing for operational requirements, testing before broad deployment, and using Group Policy for continuous enforcement is the standard enterprise approach.
Example 4: Baseline Conflict β Application Vendor vs. OS Security Guide
An organization is deploying a specialized manufacturing control system application on Windows Server. The application vendor's deployment guide contains a security section with specific requirements. The organization also uses the Microsoft Windows Server Security Baseline as their standard. When configuring the new server, the team identifies a conflict.
The Conflict
Application vendor requires: The Windows Remote Management (WinRM) service must be enabled and accessible on port 5985 for the application's remote monitoring and management functionality. The vendor states the application will not function correctly without it.
Microsoft security baseline says: WinRM should be disabled unless explicitly required. When enabled, it must be restricted to specific IP address ranges and require HTTPS (port 5986), not HTTP (port 5985). The default HTTP port 5985 is flagged as an attack surface risk.
Resolution
The team does not blindly follow either recommendation. They assess both positions:
- The vendor's requirement is legitimate: the monitoring function genuinely needs WinRM.
- The Microsoft concern is legitimate: WinRM on HTTP with no IP restriction is a credential exposure risk.
Decision: Enable WinRM on HTTPS (port 5986) rather than HTTP, and restrict access to the specific IP addresses of the monitoring servers. This satisfies the application's functional requirement while applying the Microsoft security principle of encrypted transport and IP restriction. The decision is documented in the server's baseline deviation record with the technical justification.
Baseline conflicts require judgment β not automatic deference to either party. The goal is to find a configuration that satisfies legitimate functional requirements while applying the strongest security controls compatible with those requirements. All deviations from either recommendation must be documented with reasoning.
Example 5: Full Baseline Lifecycle β New Application Deployment
A healthcare organization is deploying a new patient portal application. The security team leads the baseline development and management process from beginning to end.
Establish (Week 1β2)
The team collects baseline sources: the portal application vendor's hardening guide, the Microsoft Windows Server 2022 SCT baseline for the OS layer, and the web server vendor's security configuration guide. They identify 247 security-relevant settings across the three layers. After review and internal alignment, they produce an approved baseline document covering all three layers, with 12 settings customized from the manufacturer defaults and the customization rationale documented.
Deploy (Week 3)
The OS and web server baseline settings are pushed via Group Policy and configuration management scripts. Application settings are deployed via the vendor's administrative console. Deployment is verified: a configuration assessment tool runs against the 8 production servers and confirms all 247 required settings are in the correct state on all 8 servers. 100% compliance at launch.
Maintain (Ongoing)
Continuous monitoring compares server configurations against the baseline daily. In month 3, a vulnerability bulletin requires disabling TLS 1.1 on the web servers. The baseline is updated, tested on one server, confirmed compatible with the application, then deployed to all servers via Group Policy update within 48 hours of the bulletin. In month 7, the application is upgraded to a new version that requires a new configuration setting. The baseline is updated and redeployed.
Audit (Quarterly)
A quarterly compliance audit runs a formal assessment against the baseline and produces a compliance report for management and regulatory purposes. The reports show 100% compliance at each quarterly audit β no gaps found. The audit records are stored as evidence for HIPAA compliance assessments. When the annual external audit occurs, the organization can demonstrate continuous documented compliance with its security baseline requirements.
A complete baseline lifecycle β establish, deploy, maintain, audit β provides both operational security and compliance evidence. Each phase is essential: a well-established baseline that isn't maintained becomes obsolete; a maintained baseline without auditing produces no compliance evidence; deployment without monitoring allows drift to go undetected.