Chapter 76 Β· Glossary

Security Baselines β€” Glossary

Key terms for security baseline establishment, deployment, integrity verification, and maintenance.

Security Baseline
A documented set of approved security configuration settings, patch levels, and requirements that every instance of an application environment must meet. Defines the minimum acceptable security state for systems, covering firewall rules, OS settings, file versions, authentication policies, and access controls. All deployed instances must conform to the baseline.
Configuration Drift
The gradual divergence of a system's actual configuration from its approved security baseline over time. Caused by manual administrative changes, software updates, emergency modifications, and unauthorized changes. Drift is invisible without active monitoring and increases attack surface incrementally. Detected through integrity measurements and continuous compliance monitoring.
Integrity Measurement
The process of comparing a system's current configuration state against its approved baseline to identify deviations. Should be performed frequently β€” ideally continuously β€” to minimize the window between a deviation occurring and being detected. Any identified deviation requires immediate investigation and remediation.
Security Compliance Toolkit (SCT)
A set of tools and configuration packs published by Microsoft to help organizations deploy and verify security baselines for Windows operating systems and Windows Server. Includes downloadable baseline configuration files, comparison tools, and deployment guidance. Allows organizations to apply Microsoft's recommended security settings without building baselines from scratch.
Group Policy
A Windows Active Directory feature that allows administrators to define and enforce configuration settings centrally and apply them to computers and users within an organizational structure. A primary mechanism for deploying security baselines in Windows environments. Continuously reapplies settings at defined intervals, providing ongoing baseline enforcement as well as initial deployment.
Mobile Device Management (MDM)
A platform for centrally managing and enforcing security configurations on mobile devices (smartphones, tablets, laptops) enrolled in the management system. Used to deploy baseline security settings β€” encryption requirements, screen lock policies, application restrictions β€” to devices regardless of their physical location. The mobile equivalent of Group Policy for desktop systems.
Baseline Deployment Automation
The use of centralized management tools (Group Policy, MDM, configuration management platforms like Ansible/Puppet/Chef) to apply security baseline configurations to systems consistently and at scale β€” without manual intervention on each device. Automation is essential because manual configuration across hundreds or thousands of devices is error-prone and impractical.
Manufacturer Baseline Recommendations
Security configuration guidance published by software and hardware manufacturers β€” operating system vendors, application developers, and appliance manufacturers β€” for securing their own products. Serves as the starting point for organizational baseline development. Examples include Microsoft's Windows security baselines (SCT), CIS Benchmarks, and vendor-specific hardening guides.
Baseline Conflict
A situation where security recommendations from different manufacturers contradict each other for the same system. For example, an application vendor recommends enabling a service that the OS security guide recommends disabling. Requires the organization to assess both positions, make a deliberate decision, document the reasoning, and test the chosen configuration before deployment.
Compliance Auditing
Periodic formal review comparing actual system configurations against documented baseline standards to produce evidence of compliance. Satisfies requirements of frameworks such as ISO 27001, NIST CSF, PCI DSS, and HIPAA. Complements continuous real-time monitoring by providing a structured, documented record of compliance status at defined intervals.
System Hardening
The process of configuring a system to reduce its attack surface by disabling unnecessary services, closing unused ports, applying secure default settings, enforcing least privilege, and applying the approved security baseline. Hardening is the implementation step that converts a baseline document into an actual security posture on a running system.