Security baselines provide a secure starting point for an operating system. The first step in creating security baselines is creating a written security policy. Once the organization creates the security policy, administrators use different methods, such as Group Policy, security templates, or imaging, to deploy security baselines. Later, they can check existing systems against the security baselines to verify the systems are still secure.
For example, imagine that your organization’s security policy mandates that users should not be able to install software. Administrators deploy systems enforcing this policy. Later, they can check existing systems to ensure that users cannot install software and the original security baselines are still intact.
An organization will typically have several security baselines. For example, end-user operating systems use one baseline, generic servers use another baseline, and specialty servers use other baselines.
Each operating system is different, so there isn’t a standard checklist that identifies how to lock down all operating systems. However, the vendor’s documentation is a good place to start. If you’re trying to secure an operating system or an application running on the operating system, check the documentation. This documentation often includes valuable information with easy-to-follow steps.
Some vendors include tools to help create a security baseline. For example, Microsoft Server operating systems include the Security Configuration Wizard (SCW). SCW leads administrators through a series of questions about a system and then creates an Extensible Markup Language (XML) database file that includes a wide assortment of security settings. Administrators can import these settings into a Group Policy object to apply them.
Note: This blog is an excerpt from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.
Enforcing Security Baselines with Group Policy
Microsoft domains use Group Policy to standardize the configuration of systems. An administrator can create and apply a Group Policy object (GPO) to configure all the systems in the domain, or target specific systems.
The magic of Group Policy is that an administrator can configure a single setting within a GPO and apply it to multiple users or computers with very little effort. A GPO works the same way whether it’s being applied to five systems or five thousand. Group Policy is applied when a computer starts up and when a user logs on. The system periodically checks for any changes to Group Policy and automatically applies them.
Another benefit of Group Policy is that it regularly reapplies security settings. If a problem or attack compromises a system, this process helps keep the Group Policy security settings in place.
Using Security Templates for Security Baselines
GPOs have so many capabilities that it’s difficult for any single administrator to learn and know all the possible security settings. However, you can use preconfigured security templates to address many different security needs. Additionally, you can modify any of the security templates to meet specific needs. For example, if your organization has strict security guidelines for systems, you can use security templates to configure the settings and apply them consistently across the organization.
Remember this
You can use Group Policy and security templates to standardize system configuration and security settings. These methods allow you to enforce strict company guidelines when deploying computers and reapply security settings to multiple computers.
Security templates provide a secure starting point for systems to enforce a security baseline. You can use them to deploy multiple security settings to individual computers and to multiple computers through a GPO.
Security templates include the following sections:
- Account Policies. This includes password and lockout policy settings.
- Local Policies. You can control many user rights with settings in this section.
- System Services. You can use this to disable any unnecessary services.
- Software Restrictions. You can control what software can be installed on a system and what software can run on a system.
- Restricted Groups. You can control any group with this setting. For example, you can use this to control which users are in the Administrators group.
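The following is an added example, not code from the study guide, showing the check described at the top of the chapter: comparing a system's current settings against the security baseline to confirm the baseline is still intact. Both the template and the system snapshot are constructed for the illustration and use a simplified INI layout built around the five sections listed above; it is not the format of a real Windows secedit .inf file.

```python
import configparser

# Constructed, simplified template in INI style, using the five sections the text lists.
# Illustration only: not the layout of a real Windows secedit .inf file.
BASELINE_TEMPLATE = """
[Account Policies]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5

[Local Policies]
AuditLogonEvents = Success,Failure
AllowRemoteInteractiveLogon = Administrators

[System Services]
Telnet = Disabled
RemoteRegistry = Disabled

[Software Restrictions]
DefaultSecurityLevel = Disallowed

[Restricted Groups]
Administrators = DOMAIN\\Domain Admins,BUILTIN\\Administrator
"""

# Constructed snapshot of one system's effective settings, captured in the same layout.
# Three settings have drifted from the baseline.
SYSTEM_SNAPSHOT = """
[Account Policies]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5

[Local Policies]
AuditLogonEvents = Success,Failure
AllowRemoteInteractiveLogon = Administrators

[System Services]
Telnet = Disabled
RemoteRegistry = Automatic

[Software Restrictions]
DefaultSecurityLevel = Disallowed

[Restricted Groups]
Administrators = DOMAIN\\Domain Admins,BUILTIN\\Administrator,DOMAIN\\jsmith
"""


def parse_template(text):
    """Parse an INI-style template into {section: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def normalize(value):
    """Comma-separated lists (group members, audit flags) compare as sets, order-independent."""
    if "," in value:
        return frozenset(item.strip() for item in value.split(","))
    return value.strip()


def check_compliance(baseline, snapshot):
    """Return (section, setting, expected, actual) for every baseline setting that the
    snapshot is missing or has changed; actual is None when the setting is absent."""
    findings = []
    for section, settings in baseline.items():
        actual_settings = snapshot.get(section, {})
        for name, expected in settings.items():
            actual = actual_settings.get(name)
            if actual is None:
                findings.append((section, name, expected, None))
            elif normalize(actual) != normalize(expected):
                findings.append((section, name, expected, actual))
    return findings


def report(baseline_text=BASELINE_TEMPLATE, snapshot_text=SYSTEM_SNAPSHOT):
    """Print and return the drift between a template and a captured snapshot."""
    findings = check_compliance(parse_template(baseline_text), parse_template(snapshot_text))
    for section, name, expected, actual in findings:
        print(f"[{section}] {name}: expected {expected!r}, found {actual!r}")
    return findings


if __name__ == "__main__":
    report()
```

Run against the constructed snapshot, the check reports the weakened password length, the RemoteRegistry service that is no longer disabled, and the extra member of the Administrators group; a snapshot identical to the template produces no findings. Treating membership lists as sets keeps a reordered but unchanged list from being reported as drift.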
Using Configuration Baselines for Security Baselines
A configuration baseline documents the configuration of a system. This includes all the system configuration settings, such as printer configuration, application settings, and TCP/IP settings. It may also include a host software baseline, which lists all software installed on the system.
The differences between a configuration baseline and a security baseline can be a little fuzzy. The security baseline settings are strictly security related. The configuration baseline settings ensure consistent operation of the system. However, since the configuration baseline contributes to improved availability of a system, which is part of the security triad, it also contributes to overall security.
An important consideration with a configuration baseline is keeping it up to date. Administrators should update the configuration baseline after changing or modifying the system. This includes after installing new software, deploying service packs, or modifying any other system configuration settings.
Remember this
Configuration baselines document system configuration and should be updated when the system is updated. This includes after installing new software, deploying service packs, or modifying any system configuration settings.
It’s also important to maintain the integrity of the configuration baseline. The change management section later in this chapter covers the importance of managing changes to prevent unintended outages.
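As an added example (not from the study guide), the code below records a configuration baseline that includes a host software baseline, protects its integrity with a digest, compares a current software inventory against it, and re-records it after an approved change. The host name, settings and software names are constructed sample values.

```python
import hashlib
import json


def fingerprint(body):
    """SHA-256 over a canonical JSON encoding, so key order in the file cannot change the digest."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def record_baseline(hostname, captured_on, settings, software):
    """Create a configuration baseline document together with its integrity digest."""
    body = {"host": hostname, "captured_on": captured_on,
            "settings": settings, "software": software}
    return {"body": body, "sha256": fingerprint(body)}


def verify_baseline(baseline):
    """True only if the stored digest still matches the body."""
    return baseline.get("sha256") == fingerprint(baseline["body"])


def diff_software(baseline, current_software):
    """Compare a live software inventory ({name: version}) against the host software baseline."""
    if not verify_baseline(baseline):
        raise ValueError("baseline integrity check failed; do not use it as a reference")
    old = baseline["body"]["software"]
    return {
        "added": sorted(set(current_software) - set(old)),
        "removed": sorted(set(old) - set(current_software)),
        "changed": sorted(name for name in set(old) & set(current_software)
                          if old[name] != current_software[name]),
    }


def update_baseline(baseline, captured_on, settings=None, software=None):
    """Re-record the baseline after an approved change (new software, service pack, setting change)."""
    body = baseline["body"]
    return record_baseline(
        body["host"], captured_on,
        settings if settings is not None else body["settings"],
        software if software is not None else body["software"],
    )


# Constructed sample data: a file server's baseline and a later inventory of the same host.
BASELINE = record_baseline(
    "FILESRV01", "2020-01-15",
    {"tcpip": {"dhcp": False, "dns": ["10.0.0.10", "10.0.0.11"]},
     "printer": {"default": "PRN-FLOOR2"}},
    {"Backup Agent": "4.2.1", "Archive Tool": "19.00", "Office Suite": "16.0"},
)
CURRENT_SOFTWARE = {"Backup Agent": "4.3.0", "Archive Tool": "19.00",
                    "Office Suite": "16.0", "Remote Support Tool": "15.1"}

if __name__ == "__main__":
    print(json.dumps(diff_software(BASELINE, CURRENT_SOFTWARE), indent=2))
```

The digest catches a baseline file that was edited or corrupted without going through the recording function; anyone able to rewrite the body can recompute it, so keep a copy of the digest in the change-management record (or sign the document) if you need tamper evidence against an administrator-level change. Once the new software is approved, `update_baseline` produces a fresh document whose diff against the current inventory is empty.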
Performance Baselines and Baseline Reporting
A performance baseline identifies the overall performance of a system at a point in time. If performance deteriorates later, administrators can compare the current performance against the baseline report. The differences between the current measurements and the baseline help an administrator differentiate between normal performance and actual problems.
The baseline report includes information on usage of basic system hardware resources, such as the processor, memory, disk, and network interface card (NIC). It also includes additional system data, such as logs to show normal behavior.
As an example, Performance Monitor is a tool used within Windows systems to create performance baseline reports. A performance baseline report will capture snapshots of key metrics every thirty minutes throughout a seven-day period. These snapshots will give a good picture of a system’s performance during peak performance times and slack times. An administrator can later compare current performance with the baseline to identify any differences.
The following figure shows Performance Monitor with a dynamic system performance report displayed. The report includes multiple sections, titled System Performance Report, Summary, Diagnostic Results, CPU, Network, Disk, Memory, and Report Statistics, and in the figure, the Summary and Diagnostic Results are expanded. An administrator can expand any of the other sections by clicking the down arrow on the far right of the section title.
Remember this
Baseline reporting documents normal system performance. Administrators compare current performance against a baseline report to determine abnormal activity.
As an example, imagine that you are asked to troubleshoot the performance of a server because it’s running slow. During your investigation, you discover that the system has an average of twenty active SSH sessions and the processor utilization averages at about 50 percent.
Is this normal? Is the system under attack? If you have a baseline report, you can compare the current activity with the baseline report to determine normal behavior. The performance baseline report will often provide you the answers. However, if you don’t have a performance baseline report, you may spend a lot of time and effort investigating normal performance that is unrelated to any problem.
As a comparison, anomaly-based intrusion detection systems (IDSs) use baselines to identify problems. As a reminder, the anomaly-based IDS starts by creating a baseline and then compares current behavior against the baseline. Without a baseline, the anomaly-based IDS cannot detect anomalies. Similarly, without a security or configuration baseline, you can’t detect changes.
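The following added example (not from the study guide, and not Performance Monitor itself) shows the comparison logic behind the scenario above: a week of thirty-minute snapshots is summarized into a baseline with separate peak and slack windows, and the observed "twenty SSH sessions, 50 percent CPU" is judged against the window it falls in. The snapshot data is constructed and deterministic, and the peak window (weekdays 08:00 to 18:00) and the 3-sigma threshold are assumptions chosen for the illustration.

```python
import statistics
from datetime import datetime, timedelta

SNAPSHOT_INTERVAL = timedelta(minutes=30)  # the text's thirty-minute snapshot interval
BASELINE_DAYS = 7                          # the text's seven-day baseline period
METRICS = ("cpu_pct", "ssh_sessions")


def is_peak(ts):
    """Assumed peak window: weekdays 08:00-18:00; everything else counts as slack time."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def synthetic_snapshots(start):
    """Constructed stand-in for a week of performance snapshots (deterministic, no randomness)."""
    samples = []
    for i in range(BASELINE_DAYS * 24 * 2):
        ts = start + i * SNAPSHOT_INTERVAL
        jitter = (i * 7) % 11 - 5  # cycles through -5..5
        if is_peak(ts):
            sample = {"cpu_pct": 48 + jitter, "ssh_sessions": 18 + jitter // 2}
        else:
            sample = {"cpu_pct": 12 + jitter // 2, "ssh_sessions": 2 + max(0, jitter // 3)}
        sample["ts"] = ts
        samples.append(sample)
    return samples


def build_baseline(samples):
    """Mean and population stdev of each metric, kept separately for peak and slack windows."""
    baseline = {"peak": {}, "slack": {}}
    for window in baseline:
        subset = [s for s in samples if is_peak(s["ts"]) == (window == "peak")]
        for metric in METRICS:
            values = [s[metric] for s in subset]
            baseline[window][metric] = {
                "mean": statistics.mean(values),
                "stdev": statistics.pstdev(values),
                "n": len(values),
            }
    return baseline


def assess(baseline, current, threshold=3.0):
    """Compare one current measurement against the baseline window it falls in.
    Returns {metric: {"window", "z", "abnormal"}}; abnormal means |z| exceeds the threshold."""
    window = "peak" if is_peak(current["ts"]) else "slack"
    result = {}
    for metric in METRICS:
        stats = baseline[window][metric]
        deviation = current[metric] - stats["mean"]
        if stats["stdev"] == 0:
            z = 0.0 if deviation == 0 else float("inf")  # no spread in the baseline at all
        else:
            z = deviation / stats["stdev"]
        result[metric] = {"window": window, "z": round(z, 2), "abnormal": abs(z) > threshold}
    return result


# Constructed: one week starting Monday 2020-01-06, then the text's observation
# (20 SSH sessions, 50 percent CPU) seen at two different times.
WEEK = synthetic_snapshots(datetime(2020, 1, 6))
BASELINE = build_baseline(WEEK)
BUSY_TUESDAY = {"ts": datetime(2020, 1, 14, 10, 30), "cpu_pct": 50, "ssh_sessions": 20}
QUIET_SUNDAY = {"ts": datetime(2020, 1, 19, 3, 0), "cpu_pct": 50, "ssh_sessions": 20}

if __name__ == "__main__":
    for label, observation in (("Tuesday 10:30", BUSY_TUESDAY), ("Sunday 03:00", QUIET_SUNDAY)):
        print(label, assess(BASELINE, observation))
```

The same measurement is normal on a weekday morning and far outside the baseline on a Sunday night, which is the point of the scenario: the numbers alone do not answer "is this normal?", the baseline does. Splitting the baseline by window matters; a single all-week average would sit between the two and flag both readings weakly or neither.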