Chapter 76 Β· Tricks

Security Baselines β€” Exam Tricks

High-yield distinctions, common traps, and pattern recognition for security baseline questions on the Security+ exam.

Trick 1 A Baseline Document Is Not a Control. Automated Enforcement Is the Control.

The exam will present scenarios where an organization "has a security baseline" but is still experiencing security failures. The trick is recognizing that a baseline document sitting on a SharePoint server does nothing. The control is the automated tooling that deploys, enforces, and monitors the baseline on actual systems. When a question asks what is missing or what should be added, look for the enforcement mechanism β€” not more documentation.

Pattern Recognition
"Organization has a documented baseline but servers have inconsistent configurations"
β†’ Missing: automated deployment (Group Policy, MDM, Ansible) and continuous monitoring
"Which ensures the baseline remains in effect after deployment?"
β†’ Continuous integrity monitoring / automated enforcement (not one-time deployment)
"What mechanism deploys baseline settings to hundreds of Windows workstations?"
β†’ Active Directory Group Policy (primary Windows mechanism)
"What deploys security settings to enrolled mobile devices?"
β†’ Mobile Device Management (MDM)
Memory anchor: Baseline = what. Group Policy / MDM / automation = how it actually gets there. The "what" without the "how" is just a wishlist.
Trick 2 Configuration Drift Is Slow, Silent, and Cumulative β€” Continuous Monitoring Is the Defense.

Exam questions on configuration drift often describe symptoms β€” systems that appear healthy but have degraded security posture β€” and ask for the cause or the solution. The key characteristics of drift: it happens gradually (not in a single event), it is invisible without active monitoring, and each individual change may seem minor while the cumulative effect is significant. The detection mechanism is integrity measurement / continuous monitoring; the response to detected drift is immediate investigation and remediation.

Pattern Recognition
"Systems gradually became less secure despite no policy changes" / "settings changed without authorization"
β†’ Configuration drift
"How is configuration drift detected?"
β†’ Integrity measurements / continuous compliance monitoring comparing current state to baseline
"Integrity check finds unauthorized changes β€” what is the response?"
β†’ Immediate investigation (could be admin error OR attacker activity) then remediation
Memory anchor: Drift = the boiling frog. Each small change seems fine alone. The cumulative effect is a system that has drifted far from secure. Only monitoring catches it.
Trick 3 You Don't Build Baselines from Scratch β€” Start with Manufacturer Recommendations.

The exam may ask where security baselines come from or what the starting point is for building one. The answer is always manufacturer recommendations β€” not internal policy, not guesswork. Three sources: application developer, OS manufacturer, appliance manufacturer. For Windows specifically, Microsoft's Security Compliance Toolkit (SCT) is the named tool. Organizations start there and adapt for their context.

Pattern Recognition
"What is the starting point for creating a Windows security baseline?"
β†’ Microsoft Security Compliance Toolkit (SCT)
"Where do baseline recommendations for a specific application come from?"
β†’ The application developer's hardening guide / security configuration documentation
"Two manufacturer baselines conflict β€” what should the organization do?"
β†’ Assess both, choose one, document the decision and rationale, test before deploying
Memory anchor: SCT = Microsoft's pre-built baseline kit for Windows. Application dev = app-specific settings. Appliance vendor = hardware hardening. All three layers, all from their respective makers.
Trick 4 Baselines Are Not Static β€” Three Events That Require Updates.

The exam distinguishes between settings that rarely change (stable best practices) and situations that require active baseline updates. Know the three triggers for baseline updates cold: new vulnerability discovered, application updated, new OS installed. A question describing one of these situations and asking what should be done β€” the answer involves updating the baseline, not just patching or waiting.

Pattern Recognition
"New CVE requires disabling a feature / changing a configuration setting"
β†’ Update the baseline + test + deploy; don't wait for the scheduled review
"Application upgraded to new version with different configuration requirements"
β†’ Review and update the baseline for the new version's settings
"New operating system deployed" β€” can we use the old baseline?
β†’ No β€” OS version change requires a full baseline review; old settings may not apply
"Before deploying updated baseline organization-wide, what step is essential?"
β†’ Test the updated baseline on a representative test group first
Memory anchor: New vuln β†’ New app version β†’ New OS = Update the baseline. Test before you deploy. Don't wait for the annual review when a critical vulnerability is active.
Practice Scenarios β€” Apply the Tricks
Scenario A: A company has a detailed written security baseline for its 200 Linux servers. An audit finds that 40 servers have settings that differ from the baseline in various ways β€” some have extra services running, some have incorrect firewall rules, some have outdated file versions. The security team is surprised because they thought they had addressed this. What is the most likely root cause, and what needs to be implemented?
Scenario B: A healthcare organization's integrity monitoring system alerts that a server has three unauthorized changes: a new local user account, RDP enabled, and antivirus real-time protection disabled. The changes occurred overnight when no authorized administrator was working. What should the security team do first, and why?
Scenario C: A new critical vulnerability is announced for a Windows Server feature that the organization does not actively use. The security team confirms that disabling the feature would have no operational impact. The organization's annual baseline review is scheduled for next month. What is the correct course of action?