Level 2


Description:

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.

Security parameters are those parameters impacting the security state of systems, including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, and remote connections.

Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the system's configuration baseline.

Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-28] provide guidance on security configuration settings.


Priority: High 


Domain: CONFIGURATION MANAGEMENT (CM) 


Services Associated with AWS: 

  • AWS Config
  • AWS Systems Manager


Services Associated with Azure:

  • Azure Security Center
  • Azure Policy
  • Azure Automation
  • Azure Active Directory (Azure AD)
  • Azure Monitor
  • Azure Defender
  • Azure Resource Manager (ARM)
  • Azure Key Vault
  • Azure Firewall
  • Azure Virtual Network (VNet)


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Technical: screen shot of groups and membership assignment
  • Technical: screen shot of Configuration Management Database (CMDB) console 


Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC)
  • Configuration Management Database (CMDB)
  • IT Asset Management (ITAM)
  • Event Log Monitoring
  • Privileged Access Management (PAM)
  • Role Based Access Control (RBAC) 


What needs to be answered:

Are security settings included as part of baseline configurations? Are changes to security settings documented? Are security settings as restrictive as possible while still allowing jobs to be performed?   


Checks for AWS

  • Establish and Enforce Security Configuration Settings
    Description: This check ensures that organizations establish and enforce security configuration settings for the information technology products employed in their organizational systems. Security configuration settings include parameters that affect the security posture and functionality of hardware, software, and firmware components such as servers, workstations, network devices, operating systems, and applications. Organizations establish organization-wide configuration settings and derive specific settings for individual systems, incorporating recognized benchmarks and secure configuration guides.
  • Maintain Configuration Baseline with Security Settings
    Description: This check verifies that organizations maintain a configuration baseline that includes security settings for information technology products. The configuration baseline serves as a reference point for comparing the current configuration of systems against the established security settings. By maintaining a configuration baseline, organizations can ensure that security settings are consistently enforced and deviations from the baseline can be identified and addressed.
  • Regularly Update Security Configuration Settings
    Description: This check emphasizes the importance of regularly updating security configuration settings. Organizations should stay current with recognized benchmarks, secure configuration guides, and vendor recommendations to ensure that the security settings align with the latest best practices and address emerging threats. Regular updates help organizations maintain a strong security posture and protect their systems from known vulnerabilities.


Checks for Azure

  • Enforce Security Configuration Settings for Azure Resources
    Description: This check ensures that organizations enforce security configuration settings for Azure resources. Security configuration settings include parameters that affect the security posture and functionality of Azure resources such as virtual machines, storage accounts, networking components, and services. Organizations establish and enforce organization-wide security configuration settings based on recognized benchmarks, secure configuration guides, and best practices to maintain a secure Azure environment.
  • Maintain Configuration Baseline with Security Settings in Azure
    Description: This check verifies that organizations maintain a configuration baseline that includes security settings for Azure resources. The configuration baseline serves as a reference point for comparing the current configuration of Azure resources against the established security settings. By maintaining a configuration baseline, organizations can ensure that security settings are consistently enforced, deviations from the baseline are identified, and appropriate remediation actions are taken.
  • Regularly Update Security Configuration Settings in Azure
    Description: This check emphasizes the importance of regularly updating security configuration settings in Azure. Organizations should stay current with recognized benchmarks, secure configuration guides, and Azure security recommendations to ensure that the security settings align with the latest best practices and address emerging threats. Regular updates help organizations maintain a strong security posture and protect their Azure resources from known vulnerabilities.
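The "maintain a configuration baseline" checks above, for both AWS and Azure, describe the same mechanism: a baseline of expected security settings is compared against the current configuration of each resource, and every deviation is reported so it can be documented and remediated. The script below is an added example of that comparison and is not code from the original page or from any AWS or Azure tool; the setting names, the baseline values and the two captured "current" configurations are constructed for illustration (they are not values from a published benchmark). A baseline entry can be an exact value or a rule such as "at least 14", which is how real benchmarks express minimums and allowed sets; a setting that is absent from a capture is treated as a deviation, since an unassessed setting cannot be counted as compliant.

```python
"""Compare captured resource configurations against a security baseline.

Added example, not part of the original page. Setting names, baseline values
and the captured configurations are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# A baseline entry is either a literal expected value or a rule (callable)
# that the observed value must satisfy.
Rule = Callable[[Any], bool]


@dataclass(frozen=True)
class Deviation:
    resource: str
    setting: str
    expected: str   # human-readable statement of the baseline expectation
    observed: Any   # the captured value, or "<missing>" if not captured
    severity: str


def at_least(minimum: float) -> Rule:
    """Rule: observed value is a number greater than or equal to `minimum`."""
    return lambda v: isinstance(v, (int, float)) and not isinstance(v, bool) and v >= minimum


def one_of(*allowed: Any) -> Rule:
    """Rule: observed value is one of the allowed values."""
    return lambda v: v in allowed


# Constructed organization-wide baseline (hypothetical settings, not a real
# benchmark). Each entry: (expected value or rule, description, severity).
BASELINE: Dict[str, Tuple[Any, str, str]] = {
    "ssh.password_authentication": (False, "False", "high"),
    "ssh.permit_root_login": (False, "False", "high"),
    "password_policy.min_length": (at_least(14), ">= 14", "medium"),
    "storage.public_access": (one_of("disabled"), "disabled", "high"),
    "logging.enabled": (True, "True", "medium"),
    "tls.min_version": (one_of("1.2", "1.3"), "1.2 or 1.3", "high"),
}

# Constructed captures of two resources' current settings. "web-01" matches the
# baseline; "db-02" drifts on several settings and is missing one entirely.
CURRENT: Dict[str, Dict[str, Any]] = {
    "web-01": {
        "ssh.password_authentication": False,
        "ssh.permit_root_login": False,
        "password_policy.min_length": 16,
        "storage.public_access": "disabled",
        "logging.enabled": True,
        "tls.min_version": "1.2",
    },
    "db-02": {
        "ssh.password_authentication": True,
        "ssh.permit_root_login": False,
        "password_policy.min_length": 8,
        "storage.public_access": "disabled",
        "tls.min_version": "1.0",
    },
}


def setting_compliant(expected: Any, observed: Any) -> bool:
    """Apply a rule if the baseline entry is callable, else require equality."""
    if callable(expected):
        return bool(expected(observed))
    return observed == expected


def find_deviations(baseline: Dict[str, Tuple[Any, str, str]],
                    current: Dict[str, Dict[str, Any]]) -> List[Deviation]:
    """Return every (resource, setting) pair that does not satisfy the baseline.
    A setting missing from the capture is reported as a deviation too."""
    deviations: List[Deviation] = []
    for resource, settings in current.items():
        for name, (expected, description, severity) in baseline.items():
            if name not in settings:
                deviations.append(Deviation(resource, name, description, "<missing>", severity))
            elif not setting_compliant(expected, settings[name]):
                deviations.append(Deviation(resource, name, description, settings[name], severity))
    return deviations


def drift_summary(deviations: List[Deviation]) -> Dict[str, int]:
    """Count deviations per severity for a one-line status summary."""
    counts: Dict[str, int] = {}
    for d in deviations:
        counts[d.severity] = counts.get(d.severity, 0) + 1
    return counts


def deviating_resources(deviations: List[Deviation]) -> List[str]:
    """Sorted list of resources with at least one deviation."""
    return sorted({d.severity and d.resource for d in deviations})


if __name__ == "__main__":
    found = find_deviations(BASELINE, CURRENT)
    for d in found:
        print(f"[{d.severity}] {d.resource}: {d.setting} expected {d.expected}, observed {d.observed!r}")
    print("summary:", drift_summary(found), "resources:", deviating_resources(found))
```

In practice the `CURRENT` dictionary would be populated from the evaluation results of a configuration service (AWS Config rule evaluations or Azure Policy compliance state) rather than hard-coded, and the deviation list is what gets recorded as the documented change or remediation ticket; the baseline dictionary itself is the artifact that should live under version control so that changes to security settings are documented as the check requires.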


More Details: Security configuration settings are controlled by IT staff and restricted from general employee use.