Module 5: Control Implementation

Security Configuration Baseline

Security configuration baselines are standardized, documented settings that ensure systems are deployed securely and consistently. This lesson provides practical configuration templates for common platforms.

Configuration Management Overview

What is a Security Baseline?

A security baseline is a documented set of security settings and configurations that:

  • Establishes minimum security requirements
  • Provides consistent security across systems
  • Simplifies compliance verification
  • Reduces configuration errors
  • Speeds deployment
  • Forms the foundation for hardening

Benefits of Configuration Baselines

Security Benefits:

  • Reduces attack surface
  • Eliminates common vulnerabilities
  • Enforces security policies
  • Prevents configuration drift
  • Standardizes security controls

Operational Benefits:

  • Faster deployment
  • Reduced errors
  • Simplified troubleshooting
  • Easier compliance auditing
  • Better change management
  • Knowledge transfer

Baseline Development Process

1. Identify system types (Windows, Linux, network, cloud)
2. Research security standards (CIS Benchmarks, DISA STIGs)
3. Define security requirements
4. Document baseline configuration
5. Create automated deployment (GPO, Ansible, etc.)
6. Test baseline
7. Validate compliance
8. Deploy to production
9. Monitor for drift
10. Update baseline as needed

Windows Server Security Baseline

Operating System Hardening

1. Account Policies

Password Policy:

Minimum password length: 14 characters
Password complexity: Enabled
Password history: 24 passwords remembered
Minimum password age: 1 day
Maximum password age: 365 days (or Never if MFA used)
Account lockout threshold: 5 invalid attempts
Account lockout duration: 30 minutes
Reset lockout counter after: 30 minutes

Account Lockout Policy:

  • Prevents brute force attacks
  • Balance security with user experience
  • Consider MFA as alternative to lockout
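One way to verify the account and lockout policy above on a live host is to export the local security policy with secedit /export /cfg current.inf and compare its [System Access] section with the baseline. The script below is an added example written for this lesson, not part of the course material; the current.inf path, the constructed SAMPLE_INF, and the reading of MaximumPasswordAge = -1 as "never expires" are assumptions of the example.

```python
"""Compare an exported Windows local security policy with the password and
lockout baseline above.  Added example for this lesson, not course material.

Assumption: the file was produced with `secedit /export /cfg current.inf`,
which writes a UTF-16 INI file whose [System Access] section carries the
keys used below (MaximumPasswordAge = -1 means "never expires").
"""
import configparser
from pathlib import Path

# Baseline from the lesson: key -> (expected value, how to compare).
# "min": observed must be >= expected, "max": <= expected, "eq": equal.
PASSWORD_BASELINE = {
    "MinimumPasswordLength": (14, "min"),
    "PasswordComplexity": (1, "eq"),
    "PasswordHistorySize": (24, "min"),
    "MinimumPasswordAge": (1, "min"),
    "MaximumPasswordAge": (365, "max"),
    "LockoutBadCount": (5, "max"),
    "LockoutDuration": (30, "min"),
    "ResetLockoutCount": (30, "min"),
}

# Constructed sample of a secedit export from a drifted host (not a real system).
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(text: str) -> dict:
    """Return the integer settings of the [System Access] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str            # keep the key case secedit uses
    parser.read_string(text)
    values = {}
    if parser.has_section("System Access"):
        for key, raw in parser["System Access"].items():
            try:
                values[key] = int(raw.strip().strip('"'))
            except ValueError:
                pass                    # string settings such as NewGuestName
    return values


def check_password_policy(values: dict) -> list:
    """Return drift findings as (key, observed, expected); empty list = compliant."""
    findings = []
    for key, (expected, mode) in PASSWORD_BASELINE.items():
        observed = values.get(key)
        if observed is None:            # absent from the export: the lockout
            findings.append((key, None, expected))   # keys vanish when lockout is off
            continue
        if key == "MaximumPasswordAge" and observed == -1:
            ok = True                   # "never": the lesson allows this only with MFA
        elif key == "LockoutBadCount":
            ok = 1 <= observed <= expected   # 0 disables lockout altogether
        elif mode == "min":
            ok = observed >= expected
        elif mode == "max":
            ok = observed <= expected
        else:
            ok = observed == expected
        if not ok:
            findings.append((key, observed, expected))
    return findings


def audit_export(path: str = "current.inf") -> list:
    """Read a secedit export from disk (secedit writes UTF-16) and check it."""
    text = Path(path).read_text(encoding="utf-16")
    return check_password_policy(parse_system_access(text))


if __name__ == "__main__":
    for key, observed, expected in check_password_policy(parse_system_access(SAMPLE_INF)):
        print(f"DRIFT  {key}: observed={observed} baseline={expected}")
```

Run against the sample, the checker reports the short password length, the zero minimum age, the disabled lockout and the two lockout timers that secedit omits while lockout is off; a compliant export yields an empty list, which is what an automated compliance scan should key on.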

2. Local Policies

Audit Policy:

Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure (or Success for sensitive objects)
Audit policy change: Success, Failure
Audit privilege use: Failure (or Success for sensitive privileges)
Audit process tracking: No auditing (or Success if forensics needed)
Audit system events: Success, Failure

User Rights Assignment:

Access this computer from network: Administrators, Authenticated Users
Act as part of operating system: (empty)
Allow log on locally: Administrators
Allow log on through Remote Desktop: Administrators, Remote Desktop Users
Back up files and directories: Administrators, Backup Operators
Change system time: Administrators, LOCAL SERVICE
Create permanent shared objects: (empty)
Debug programs: Administrators (remove if not needed)
Deny access to this computer from network: Guests, Local account
Deny log on locally: Guests
Force shutdown from remote system: Administrators
Load and unload device drivers: Administrators
Restore files and directories: Administrators, Backup Operators
Shut down the system: Administrators
Take ownership of files: Administrators

Security Options:

Accounts: Administrator account status: Disabled (rename first)
Accounts: Guest account status: Disabled
Accounts: Limit local account use of blank passwords: Enabled
Interactive logon: Display user information: User display name only
Interactive logon: Do not display last user name: Enabled
Interactive logon: Machine inactivity limit: 900 seconds (15 minutes)
Interactive logon: Message text for users attempting to log on: [Legal notice]
Interactive logon: Message title for users attempting to log on: [Legal notice]
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Let Everyone permissions apply to anonymous users: Disabled
Network access: Restrict anonymous access to Named Pipes and Shares: Enabled
Network security: Do not store LAN Manager hash value: Enabled
Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
Network security: Minimum session security for NTLM SSP: Require NTLMv2, Require 128-bit encryption
Shutdown: Allow system to be shut down without logon: Disabled
System cryptography: Use FIPS compliant algorithms: Enabled (if required by compliance)
User Account Control: Admin Approval Mode for built-in Administrator: Enabled
User Account Control: Behavior of elevation prompt for administrators: Prompt for credentials
User Account Control: Behavior of elevation prompt for standard users: Prompt for credentials
User Account Control: Detect application installations: Enabled
User Account Control: Run all administrators in Admin Approval Mode: Enabled

3. Services Configuration

Disable Unnecessary Services:

Computer Browser: Disabled
FTP Publishing Service: Disabled (if not needed)
IIS Admin Service: Disabled (if not web server)
Remote Registry: Disabled
SNMP Service: Disabled (or properly configured if needed)
SSDP Discovery: Disabled
Telnet: Disabled (use SSH)
Universal Plug and Play: Disabled
Windows Media Player Network Sharing: Disabled
World Wide Web Publishing: Disabled (if not web server)
Xbox Services: Disabled (server environment)

Secure Running Services:

Windows Remote Management: If enabled, require HTTPS
Remote Desktop Services: If enabled, require NLA, use strong encryption
DNS Client: Running
Windows Firewall: Running
Windows Update: Running (Automatic)
Windows Defender: Running (if no third-party AV)

4. Windows Firewall

Domain Profile:

Firewall state: On
Inbound connections: Block (default)
Outbound connections: Allow (default)
Log dropped packets: Yes
Log successful connections: No (or Yes for high security)
Log file location: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
Log file max size: 16384 KB

Public Profile:

Firewall state: On
Inbound connections: Block all
Outbound connections: Allow (default)
Display notification: Yes
Allow local port exceptions: No

Private Profile:

Firewall state: On
Inbound connections: Block (default)
Outbound connections: Allow (default)
Display notification: Yes

Inbound Rules (Examples):

Allow only necessary ports:
- RDP (3389): From admin workstations only
- SMB (445): From internal network only
- WinRM (5985/5986): From admin systems only
- Active Directory (various): From AD clients only

5. Registry Security

Important Registry Keys:

Disable SMBv1:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
SMB1: 0

Enable SMB Signing:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
RequireSecuritySignature: 1

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
RequireSecuritySignature: 1

Disable LLMNR:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
EnableMulticast: 0

Disable NBT-NS:
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
NodeType: 2

LSA Protection:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
RunAsPPL: 1

Credential Guard (Windows 10/Server 2016+):
HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard
EnableVirtualizationBasedSecurity: 1
RequirePlatformSecurityFeatures: 1 or 3

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
LsaCfgFlags: 1

6. File System Security

NTFS Permissions on System Directories:

C:\Windows\System32
Administrators: Full Control
SYSTEM: Full Control
Users: Read & Execute
TrustedInstaller: Full Control

C:\Program Files
Administrators: Full Control
SYSTEM: Full Control
Users: Read & Execute
TrustedInstaller: Full Control

C:\Users
Administrators: Full Control
SYSTEM: Full Control
Each user: Full Control on own folder only

Remove Unnecessary Shares:

net share C$ /delete
net share D$ /delete
(Keep only necessary admin shares. Note that the Server service recreates the default admin shares when it restarts unless AutoShareServer is set to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.)

Windows Update Configuration

Group Policy Settings:

Configure Automatic Updates: Enabled
  Option: 4 - Auto download and schedule install
  Scheduled install day: Every day
  Scheduled install time: 03:00

Automatic Updates detection frequency: 1 hour

Allow Automatic Updates immediate installation: Enabled

Enable recommended updates: Enabled

No auto-restart with logged on users: Disabled (servers should schedule maintenance)

WSUS or Windows Update for Business:

  • Centralized update management
  • Test updates before production
  • Staggered deployment
  • Defer feature updates (stability)
  • Install security updates promptly

BitLocker Configuration

Enable BitLocker on All Volumes:

Require startup PIN with TPM: Enabled (laptops, high security)
Encryption method: XTS-AES 256-bit
Recovery password: Enabled and escrowed to AD
Deny write access to removable drives not protected: Enabled
Enforce drive encryption on removable data drives: Enabled

Remote Desktop Security

RDP Configuration:

Require Network Level Authentication: Enabled
Encryption level: High
Do not allow passwords to be saved: Enabled
Set client connection encryption level: High Level
Require secure RPC communication: Enabled
Always prompt for password: Enabled

Additional RDP Security:

  • Limit RDP access to specific IPs/networks
  • Use VPN + RDP (not direct Internet RDP)
  • Implement account lockout
  • Monitor RDP logs
  • Consider RD Gateway for external access
  • Use certificate-based authentication

Linux Server Security Baseline

Operating System Hardening (Ubuntu/Debian)

1. User and Authentication

Password Policy (/etc/login.defs):

PASS_MAX_DAYS   365
PASS_MIN_DAYS   1
PASS_MIN_LEN    14
PASS_WARN_AGE   7

PAM Configuration (/etc/pam.d/common-password):

# Enforce password complexity
password requisite pam_pwquality.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

# Remember password history
password required pam_pwhistory.so remember=24

# Use SHA-512 for password hashing
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512

Account Lockout (/etc/pam.d/common-auth):

# Lock account after 5 failed attempts for 30 minutes
# (pam_tally2 was removed in Linux-PAM 1.4, e.g. Ubuntu 22.04 and later; use
#  pam_faillock there, which keeps its counters in /var/run/faillock/)
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=1800

SSH Hardening (/etc/ssh/sshd_config):

# Protocol and Ciphers
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256

# Authentication
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# (or yes if key-based authentication is not an option)
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

# Access Control
AllowUsers deployuser adminuser
# (or use AllowGroups)
DenyUsers root guest

# Session Settings
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60
MaxAuthTries 3
MaxSessions 2

# Security Features
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitUserEnvironment no
X11Forwarding no
# (or yes if needed, together with X11UseLocalhost yes)

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

Disable Root Login:

# Lock root account
sudo passwd -l root

# Use sudo for privileged operations
# Add users to sudo group
sudo usermod -aG sudo username
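The SSH hardening settings above are only useful if they stay in place, and sshd has two parsing rules that make a naive grep unreliable: the first value given for a keyword wins, and anything after the first Match line is conditional rather than global. The checker below is an added example for this lesson, not course material; it encodes the baseline above, reads a constructed SAMPLE_SSHD_CONFIG, and reports every global setting that drifted.

```python
"""Drift check of an sshd_config against the SSH hardening baseline above.
Added example for this lesson, not course material; SAMPLE_SSHD_CONFIG is
constructed.  It reproduces the sshd rules that matter for a checker: keywords
are case-insensitive, the FIRST value given for a keyword wins, and lines after
the first `Match` apply only inside that block, so they are not global settings.
"""
import re
from pathlib import Path

# Scalar settings from the lesson: keyword -> (expected, mode).
# "eq": must equal (case-insensitive); "max": integer in 1..expected.
SSHD_BASELINE = {
    "permitrootlogin": ("no", "eq"),
    "pubkeyauthentication": ("yes", "eq"),
    "passwordauthentication": ("no", "eq"),
    "permitemptypasswords": ("no", "eq"),
    "challengeresponseauthentication": ("no", "eq"),
    "hostbasedauthentication": ("no", "eq"),
    "ignorerhosts": ("yes", "eq"),
    "permituserenvironment": ("no", "eq"),
    "strictmodes": ("yes", "eq"),
    "x11forwarding": ("no", "eq"),
    "loglevel": ("VERBOSE", "eq"),
    "logingracetime": (60, "max"),
    "maxauthtries": (3, "max"),
    "maxsessions": (2, "max"),
    "clientaliveinterval": (300, "max"),
}
# Algorithm lists: everything configured must come from the baseline's set.
# (The "+alg"/"-alg" append/remove syntax is not interpreted here.)
ALLOWED = {
    "ciphers": {"aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "macs": {"hmac-sha2-512", "hmac-sha2-256"},
}

SAMPLE_SSHD_CONFIG = """# constructed sample of a drifted host
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
# PasswordAuthentication is absent, so sshd's default (yes) applies
MaxAuthTries 6
MaxSessions = 2
Ciphers aes256-ctr,aes128-cbc
MACs hmac-sha2-512,hmac-sha2-256
LogLevel VERBOSE
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
    X11Forwarding no
"""


def parse_sshd_config(text: str):
    """Return ({keyword: [tokens]} of effective global settings, has_match_block)."""
    effective, has_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key = value"
        keyword = parts[0].lower()
        if keyword == "match":
            has_match = True
            break                          # the rest is conditional, not global
        if keyword not in effective:       # first occurrence wins, as in sshd
            effective[keyword] = parts[1].split() if len(parts) > 1 else []
    return effective, has_match


def check_sshd_config(text: str) -> list:
    """Return drift findings as (keyword, observed, expected); [] means compliant."""
    effective, has_match = parse_sshd_config(text)
    findings = []
    for keyword, (expected, mode) in SSHD_BASELINE.items():
        tokens = effective.get(keyword)
        observed = tokens[0] if tokens else None
        if observed is None:               # unset: sshd's own default applies,
            findings.append((keyword, None, expected))   # which is not the baseline
        elif mode == "eq" and observed.lower() != expected.lower():
            findings.append((keyword, observed, expected))
        elif mode == "max" and not (observed.isdigit() and 1 <= int(observed) <= expected):
            findings.append((keyword, observed, expected))
    for keyword, allowed in ALLOWED.items():
        tokens = effective.get(keyword)
        configured = set(tokens[0].split(",")) if tokens else set()
        if not tokens or configured - allowed:
            findings.append((keyword, ",".join(sorted(configured)) or None,
                             ",".join(sorted(allowed))))
    if has_match:                          # overrides need a manual look
        findings.append(("match", "Match block present", "review conditional settings"))
    return findings


def check_host(path: str = "/etc/ssh/sshd_config") -> list:
    """Check the host's own sshd_config (needs read access to the file)."""
    return check_sshd_config(Path(path).read_text())


if __name__ == "__main__":
    for keyword, observed, expected in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"DRIFT  {keyword}: observed={observed!r} baseline={expected!r}")
```

Note what the sample demonstrates: the later PermitRootLogin no does not rescue the earlier yes, the X11Forwarding no inside the Match block does not count as a global setting, and an unset PasswordAuthentication is reported because sshd's default is yes. The same function can be pointed at /etc/ssh/sshd_config from a cron job or an Ansible task to detect drift.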

2. Network Security

Sysctl Network Hardening (/etc/sysctl.conf):

# IP Forwarding (disable if not a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore ICMP echo requests (optional, breaks troubleshooting)
# net.ipv4.icmp_echo_ignore_all = 1

# Ignore source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Log Martian packets
net.ipv4.conf.all.log_martians = 1

# Ignore ICMP redirects (secure redirect)
net.ipv4.conf.all.secure_redirects = 0

# Enable TCP SYN cookies (DDoS protection)
net.ipv4.tcp_syncookies = 1

# Disable IPv6 if not used
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Apply settings
# sudo sysctl -p

UFW Firewall (Ubuntu):

# Enable UFW
sudo ufw enable

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (change port if non-standard)
sudo ufw allow 22/tcp

# Allow specific services
sudo ufw allow from 10.0.0.0/8 to any port 22 proto tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable logging
sudo ufw logging on

# Status
sudo ufw status verbose

IPTables Alternative (if not using UFW):

# Flush existing rules
iptables -F

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from specific network
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "iptables-dropped: "

# Save rules
iptables-save > /etc/iptables/rules.v4

3. Service Hardening

Disable Unnecessary Services:

# List all services
systemctl list-unit-files --type=service

# Disable unnecessary services (add --now to stop a running unit as well)
sudo systemctl disable avahi-daemon
sudo systemctl disable cups
sudo systemctl disable bluetooth
sudo systemctl disable isc-dhcp-server    # if not a DHCP server
sudo systemctl disable isc-dhcp-server6
sudo systemctl disable rpcbind
sudo systemctl disable nfs-server         # if not an NFS server
sudo systemctl disable vsftpd             # if not an FTP server

4. File System Security

/etc/fstab Secure Mount Options:

# /tmp with noexec, nosuid, nodev
tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0

# /var/tmp
tmpfs /var/tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0

# /dev/shm
tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec 0 0

# Separate /var/log (recommended)
/dev/sda5 /var/log ext4 defaults,nosuid,nodev,noexec 0 2

File Permissions:

# Secure cron
chmod 600 /etc/crontab
chmod 700 /etc/cron.d
chmod 700 /etc/cron.daily
chmod 700 /etc/cron.hourly
chmod 700 /etc/cron.monthly
chmod 700 /etc/cron.weekly

# Secure SSH keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

# Secure system files
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 600 /etc/shadow
chmod 600 /etc/gshadow

# Disable SUID/SGID on unnecessary files
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
# Review and remove unnecessary SUID bits
chmod u-s /path/to/file

5. Auditing and Logging

Auditd Configuration (/etc/audit/rules.d/audit.rules):

# Delete all existing rules
-D

# Buffer Size
-b 8192

# Failure Mode (0=silent 1=printk 2=panic)
-f 1

# Monitor /etc/passwd
-w /etc/passwd -p wa -k passwd_changes

# Monitor /etc/group
-w /etc/group -p wa -k group_changes

# Monitor /etc/shadow
-w /etc/shadow -p wa -k shadow_changes

# Monitor sudoers
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes

# Monitor SSH config
-w /etc/ssh/sshd_config -p wa -k sshd_config_changes

# Monitor login/logout
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins

# Monitor privileged commands
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

# Monitor file deletions
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

# Make configuration immutable (reboot to change)
-e 2

Syslog Configuration:

# /etc/rsyslog.conf

# Send logs to central server
*.* @@logserver.example.com:514

# Secure permissions on log files
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# Log all authentication messages
auth,authpriv.* /var/log/auth.log

6. Automatic Updates

Ubuntu/Debian (unattended-upgrades):

# Install
sudo apt install unattended-upgrades

# Configure /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
Unattended-Upgrade::Mail "[email protected]";

# Enable
sudo dpkg-reconfigure -plow unattended-upgrades

7. Additional Security Tools

Install and Configure AIDE (file integrity):

# Install
sudo apt install aide

# Initialize database
sudo aideinit

# Move database
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Run check
sudo aide --check

# Schedule regular checks (cron)
0 5 * * * /usr/bin/aide --check | mail -s "AIDE Report" [email protected]

Install and Configure Fail2Ban:

# Install
sudo apt install fail2ban

# Configure /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
destemail = [email protected]
sendername = Fail2Ban
action = %(action_mwl)s

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log

# Start service
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
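The jail.local settings above (maxretry = 5, findtime = 600) describe a sliding window: a source is banned only when five failures fall inside any ten-minute span. The script below makes that logic explicit over constructed auth.log lines; it is an added example for this lesson, not Fail2Ban's own code. The addresses are from the TEST-NET ranges, and the year passed to the parser is an assumption, because syslog timestamps carry none.

```python
"""What the Fail2Ban jail above does, as explicit code: count sshd "Failed
password" lines per source address inside a sliding findtime window and ban
once maxretry is reached.  Added example for this lesson, not Fail2Ban's own
code; the auth.log lines are constructed (TEST-NET addresses) and the log
year is assumed because syslog timestamps carry none."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed auth.log excerpt: one burst from 203.0.113.5 and five slow
# attempts from 198.51.100.7 spread over forty minutes.
SAMPLE_AUTH_LOG = [
    "Jan 10 03:00:10 web01 sshd[2101]: Failed password for alice from 198.51.100.7 port 60001 ssh2",
    "Jan 10 03:12:45 web01 sshd[2150]: Failed password for alice from 198.51.100.7 port 60002 ssh2",
    "Jan 10 03:15:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 10 03:15:09 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Jan 10 03:15:20 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Jan 10 03:15:41 web01 sshd[2207]: Accepted publickey for deployuser from 10.0.0.15 port 40012 ssh2",
    "Jan 10 03:16:02 web01 sshd[2209]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2",
    "Jan 10 03:16:30 web01 sshd[2211]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2",
    "Jan 10 03:25:03 web01 sshd[2260]: Failed password for alice from 198.51.100.7 port 60003 ssh2",
    "Jan 10 03:40:59 web01 sshd[2310]: Failed password for alice from 198.51.100.7 port 60004 ssh2",
    "Jan 10 03:41:30 web01 sshd[2312]: Failed password for alice from 198.51.100.7 port 60005 ssh2",
]


def parse_failures(lines, year=2024):
    """Yield (timestamp, source_ip, user) for every failed password attempt."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bans(lines, maxretry=5, findtime=600, year=2024) -> dict:
    """Return {ip: time_of_ban} using the jail.local thresholds above."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)          # per-IP timestamps inside the window
    banned = {}
    for ts, ip, _user in sorted(parse_failures(lines, year)):
        if ip in banned:                 # already banned: nothing more to count
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop attempts older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"BAN {ip} at {when:%H:%M:%S}")
```

With the defaults, only 203.0.113.5 is banned (fifth failure at 03:16:30); 198.51.100.7 never has five failures inside ten minutes, which is exactly the slow-and-low pattern a larger findtime would catch, at the cost of more false positives on users who mistype passwords over a morning.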

Network Device Security Baseline

Cisco Router/Switch Configuration

1. Basic Security

! Hostname and domain
hostname Router01
ip domain-name example.com

! Disable unnecessary services
no ip source-route
no ip http server
no ip http secure-server
no service pad
no service finger
no service tcp-small-servers
no service udp-small-servers
! Disable CDP globally (or keep it and use "no cdp enable" per interface facing untrusted networks)
no cdp run

! Enable essential services
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp

! Logging
logging buffered 64000
logging console critical
logging trap informational
logging facility local7
logging source-interface Loopback0
logging host 10.0.0.100

2. Access Control

! Enable AAA
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

! TACACS+ server
tacacs-server host 10.0.0.50 key 7 [encrypted-key]

! Local users (fallback)
username admin privilege 15 secret [strong-password]

! Console security
line con 0
 login authentication default
 exec-timeout 10 0
 logging synchronous
 transport output none

! VTY security
line vty 0 4
 access-class VTY-ACCESS in
 exec-timeout 10 0
 logging synchronous
 transport input ssh
 transport output ssh

! ACL for VTY access
ip access-list standard VTY-ACCESS
 permit 10.0.0.0 0.0.0.255
 deny any log

3. SSH Configuration

! Generate RSA keys
crypto key generate rsa modulus 2048

! SSH configuration
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

! Disable telnet, enable SSH only
line vty 0 4
 transport input ssh

4. Interface Security

! Disable unused interfaces
interface GigabitEthernet0/1
 shutdown
 description UNUSED

! Access port configuration
interface GigabitEthernet0/2
 description USER_ACCESS
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable

! Trunk port configuration
interface GigabitEthernet0/24
 description TRUNK_TO_CORE
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate

5. Security Features

! DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
interface GigabitEthernet0/2
 ip dhcp snooping limit rate 10

! Dynamic ARP Inspection
ip arp inspection vlan 10,20,30
interface GigabitEthernet0/2
 ip arp inspection limit rate 10

! IP Source Guard
interface GigabitEthernet0/2
 ip verify source

! Disable CDP on untrusted interfaces
interface GigabitEthernet0/1
 no cdp enable

! BPDU Guard
spanning-tree portfast bpduguard default

! Root Guard on uplinks
interface GigabitEthernet0/24
 spanning-tree guard root

6. Management Plane Security

! SNMP v3 (if SNMP needed)
snmp-server group ADMIN v3 priv
snmp-server user snmpadmin ADMIN v3 auth sha AuthPass123 priv aes 128 PrivPass123
snmp-server host 10.0.0.100 version 3 priv snmpadmin

! NTP
ntp authenticate
ntp authentication-key 1 md5 [key]
ntp trusted-key 1
ntp server 10.0.0.200 key 1

! Banner
banner login ^C
*****************************************************************************
                    AUTHORIZED ACCESS ONLY
This system is for authorized use only. All activity is monitored and logged.
Unauthorized access is prohibited and will be prosecuted.
*****************************************************************************
^C

Cloud Security Baseline (AWS Example)

AWS Security Configuration

1. IAM Best Practices

# Root account security
- Enable MFA on root account
- Don't use root for daily operations
- Rotate root access keys (or delete them)
- Use strong, unique password

# IAM Users
- Enforce password policy:
  * Minimum 14 characters
  * Require uppercase, lowercase, numbers, symbols
  * Password expiration: 90 days
  * Prevent password reuse: 24 passwords
  * Require MFA for console access

# IAM Roles
- Use roles instead of access keys where possible
- Follow least privilege principle
- Regular access review
- Use AWS managed policies where appropriate
- Custom policies for specific needs

# Access Keys
- Rotate every 90 days
- No access keys for root account
- Use temporary credentials (STS) when possible
- Monitor key usage in CloudTrail

2. Network Security (VPC)

# VPC Configuration
- Use multiple AZs for high availability
- Public subnets for internet-facing resources
- Private subnets for application/database tiers
- Use NAT Gateway for outbound from private subnets
- Enable VPC Flow Logs

# Security Groups (Stateful)
- Default deny
- Least privilege rules
- Reference other security groups (not IP ranges) when possible
- Descriptive rule descriptions

# Network ACLs (Stateless)
- Default allow for default NACL
- Custom NACLs for additional layer
- Deny known bad IPs
- Allow necessary traffic only

# Example Security Group:
Web-SG:
  Inbound:
    - 443/tcp from 0.0.0.0/0 (HTTPS from Internet)
    - 80/tcp from 0.0.0.0/0 (HTTP, redirect to HTTPS)
  Outbound:
    - All to 0.0.0.0/0 (allow all outbound)

App-SG:
  Inbound:
    - 8080/tcp from Web-SG (app traffic from web tier)
  Outbound:
    - 3306/tcp to DB-SG (MySQL to database)

DB-SG:
  Inbound:
    - 3306/tcp from App-SG (MySQL from app tier)
  Outbound:
    - None required
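The three groups above form a strict chain (Internet to Web-SG on 80/443, Web-SG to App-SG, App-SG to DB-SG) in which internal tiers reference groups rather than CIDRs. The review function below checks a set of groups against those properties. It is an added example for this lesson, not course material: the groups are modelled as plain dicts, the constructed DRIFTED_GROUPS shows two common mistakes, and the tier ranking is the web-app-db model the lesson describes.

```python
"""Review of the three-tier security group design above.  Added example for
this lesson, not course material: the groups are modelled as plain dicts (the
constructed DRIFTED_GROUPS shows two common mistakes), and the tier model is
the strict web -> app -> db chain the lesson describes."""
from ipaddress import ip_network

# Inbound rules: (protocol, port, source) where source is a CIDR or a group name.
SECURITY_GROUPS = {
    "Web-SG": {"tier": "web", "inbound": [("tcp", 443, "0.0.0.0/0"), ("tcp", 80, "0.0.0.0/0")]},
    "App-SG": {"tier": "app", "inbound": [("tcp", 8080, "Web-SG")]},
    "DB-SG":  {"tier": "db",  "inbound": [("tcp", 3306, "App-SG")]},
}
# Constructed drift: SSH opened to the Internet on the app tier, and the web
# tier given a direct path to the database.
DRIFTED_GROUPS = {
    "Web-SG": SECURITY_GROUPS["Web-SG"],
    "App-SG": {"tier": "app", "inbound": [("tcp", 8080, "Web-SG"), ("tcp", 22, "0.0.0.0/0")]},
    "DB-SG":  {"tier": "db",  "inbound": [("tcp", 3306, "App-SG"), ("tcp", 3306, "Web-SG")]},
}
WORLD_OPEN_ALLOWED = {("web", 80), ("web", 443)}   # the only world-reachable ports
TIER_RANK = {"web": 0, "app": 1, "db": 2}           # each tier is fed only by the one before it


def as_network(source):
    """Return the CIDR as an ip_network, or None when source is a group name."""
    try:
        return ip_network(source, strict=False)
    except ValueError:
        return None


def review_security_groups(groups: dict) -> list:
    """Return human-readable findings; an empty list means the design holds."""
    findings = []
    for name, sg in groups.items():
        tier = sg["tier"]
        for proto, port, source in sg["inbound"]:
            net = as_network(source)
            if net is not None:
                if net.prefixlen == 0 and (tier, port) not in WORLD_OPEN_ALLOWED:
                    findings.append(f"{name}: {proto}/{port} open to the world ({source})")
                elif tier != "web":
                    findings.append(f"{name}: internal tier allows CIDR {source}; "
                                    f"reference a security group instead")
            elif source not in groups:
                findings.append(f"{name}: references unknown group {source}")
            elif TIER_RANK[groups[source]["tier"]] != TIER_RANK[tier] - 1:
                findings.append(f"{name}: {source} ({groups[source]['tier']} tier) "
                                f"reaches the {tier} tier directly; only the adjacent tier should")
    return findings


if __name__ == "__main__":
    for finding in review_security_groups(DRIFTED_GROUPS) or ["no findings"]:
        print(finding)
```

The same checks map directly onto the AWS Config rules and CloudWatch alarms listed later in this lesson: "world-open on a non-web port" is what a restricted-ssh style rule detects, and a security group change alarm is the trigger for re-running a review like this one.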

3. S3 Security

# Bucket Configuration
- Block all public access (unless specifically needed)
- Enable versioning
- Enable MFA Delete
- Enable server-side encryption (SSE-S3 or SSE-KMS)
- Enable logging to another bucket
- Enable object lock (for compliance)

# Bucket Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

# Access Logging
- Enable access logging
- Store logs in separate bucket
- Lifecycle policy to archive/delete old logs
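Two things are easy to get wrong in the bucket policy above: the Deny must cover both the bucket ARN and the bucket/* ARN (otherwise a plaintext ListBucket is still permitted), and no Allow statement should grant an anonymous principal access without a condition. The checks below, an added example for this lesson rather than course material, parse a policy document as JSON and answer both questions; LESSON_POLICY is the policy shown above, while OBJECTS_ONLY_POLICY and PUBLIC_READ_POLICY are constructed counter-examples.

```python
"""Checks for the S3 bucket policy above.  Added example for this lesson, not
course material: it evaluates a policy document as parsed JSON and answers two
questions the configuration items ask: does a Deny statement force TLS for both
the bucket and its objects, and does any Allow grant anonymous access with no
condition?  OBJECTS_ONLY_POLICY and PUBLIC_READ_POLICY are constructed."""
import json

BUCKET_ARN = "arn:aws:s3:::bucket-name"

# The lesson's policy, verbatim.
LESSON_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
""")

# Constructed: the Deny only covers objects, so a plaintext ListBucket on the
# bucket itself is still allowed.
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": BUCKET_ARN + "/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
# Constructed: a world-readable bucket.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*",
    }],
}


def as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True for the two spellings of an anonymous principal: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def enforces_tls(policy: dict, bucket_arn: str = BUCKET_ARN) -> bool:
    """True if some Deny statement rejects every non-TLS request to the
    bucket AND its objects for every principal."""
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not principal_is_anyone(stmt.get("Principal")):
            continue
        if not any(a in ("*", "s3:*") for a in as_list(stmt.get("Action", []))):
            continue
        if not {bucket_arn, bucket_arn + "/*"} <= set(as_list(stmt.get("Resource", []))):
            continue                       # objects-only or bucket-only: incomplete
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if "false" in [str(v).lower() for v in as_list(flag)]:
            return True
    return False


def public_allow_statements(policy: dict) -> list:
    """Sids of Allow statements that grant anonymous access without any Condition."""
    return [stmt.get("Sid", "<no Sid>")
            for stmt in as_list(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow"
            and principal_is_anyone(stmt.get("Principal"))
            and not stmt.get("Condition")]


if __name__ == "__main__":
    for label, policy in (("lesson", LESSON_POLICY), ("objects-only", OBJECTS_ONLY_POLICY),
                          ("public-read", PUBLIC_READ_POLICY)):
        print(f"{label}: tls={enforces_tls(policy)} public={public_allow_statements(policy)}")
```

Block Public Access at the account or bucket level stops the PublicRead case regardless of the policy text, which is why the lesson lists it first; the policy check is still worth running because exceptions to Block Public Access are granted per bucket.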

4. EC2 Security

# Instance Configuration
- Use latest AMIs
- Enable encryption for EBS volumes
- Use IMDSv2 (Instance Metadata Service v2)
- Install security agents (AV, EDR, HIDS)
- Enable CloudWatch monitoring
- Regular patching

# Security Best Practices
- Use IAM roles instead of access keys
- Minimize instance metadata access
- Use Systems Manager Session Manager instead of SSH
- Enable termination protection for critical instances
- Use Auto Scaling for resilience
- Regularly snapshot critical volumes

5. Logging and Monitoring

# Enable AWS CloudTrail
- All regions enabled
- Management events logged
- Data events for sensitive S3 buckets
- Log file validation enabled
- Multi-region trail
- Store logs in S3 with encryption
- Enable CloudWatch Logs integration

# AWS Config
- Enable in all regions
- Monitor compliance with rules
- Snapshot configuration changes
- Remediate non-compliant resources

# GuardDuty
- Enable in all regions
- Monitor for threats
- Integrate with Security Hub
- Automated response with Lambda

# CloudWatch Alarms
- Root account usage
- Unauthorized API calls
- Console login without MFA
- IAM policy changes
- Security group changes
- NACL changes
- Network gateway changes
- Failed authentication attempts
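The alarm list above is usually implemented as CloudWatch Logs metric filters over the CloudTrail stream. The script below expresses the same detections as plain predicates over CloudTrail records so the matching logic can be read and unit-tested. It is an added example for this lesson, not AWS code: the rules are modelled on the CIS AWS Foundations Benchmark metric filters, the event records are constructed and trimmed to the fields the rules read, and the account id is AWS's documentation example 123456789012.

```python
"""Detection logic for the CloudWatch alarm list above, run over constructed
CloudTrail records.  Added example for this lesson, not AWS code; the rules are
modelled on the CIS AWS Foundations Benchmark metric filters, the events are
constructed, and the account id is AWS's documentation example."""

IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
NACL_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}
GATEWAY_EVENTS = {
    "CreateCustomerGateway", "DeleteCustomerGateway", "AttachInternetGateway",
    "CreateInternetGateway", "DeleteInternetGateway", "DetachInternetGateway",
}

# Constructed CloudTrail records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/web"}},
    {"eventName": "DescribeTrails", "eventSource": "cloudtrail.amazonaws.com", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
]


def root_usage(e):
    """Root acting directly; AWS services acting on root's behalf are excluded."""
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")


def unauthorized_api(e):
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_login_no_mfa(e):
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("userIdentity", {}).get("type") == "IAMUser"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")


RULES = {
    "root_usage": root_usage,
    "unauthorized_api": unauthorized_api,
    "console_login_no_mfa": console_login_no_mfa,
    "iam_policy_change": lambda e: (e.get("eventSource") == "iam.amazonaws.com"
                                    and e.get("eventName") in IAM_POLICY_EVENTS),
    "security_group_change": lambda e: e.get("eventName") in SECURITY_GROUP_EVENTS,
    "nacl_change": lambda e: e.get("eventName") in NACL_EVENTS,
    "gateway_change": lambda e: e.get("eventName") in GATEWAY_EVENTS,
}


def evaluate(events) -> list:
    """Return (rule_name, eventName, actor) for every rule that fires on every event."""
    hits = []
    for e in events:
        ident = e.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, e.get("eventName"), actor))
    return hits


if __name__ == "__main__":
    for name, event_name, actor in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {name:<22} {event_name:<30} {actor}")
```

The two records that do not fire are the ones worth studying: a GetObject by an application role is normal traffic, and a DescribeTrails where root appears only because CloudTrail invoked it as a service event is excluded deliberately, which is why the root rule checks invokedBy and eventType rather than just the identity type.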

Configuration Baseline Management

Baseline Deployment

Windows (Group Policy):

  • Create GPOs for each baseline
  • Link to appropriate OUs
  • Test in isolated OU first
  • Use GPO reporting
  • Document all settings
  • Version control GPO backups

Linux (Ansible):

---
- name: Apply Security Baseline
  hosts: linux_servers
  become: yes
  tasks:
    - name: Set password policy
      lineinfile:
        path: /etc/login.defs
        regexp: '^PASS_MAX_DAYS'
        line: 'PASS_MAX_DAYS   365'

    - name: Configure SSH
      template:
        src: sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: '0600'
        validate: '/usr/sbin/sshd -t -f %s'   # refuse a template that sshd cannot parse
      notify: Restart SSH

    - name: Enable UFW firewall
      ufw:
        state: enabled
        policy: deny
        direction: incoming

  handlers:
    - name: Restart SSH
      service:
        name: ssh            # unit name on Ubuntu/Debian; sshd on RHEL-family hosts
        state: restarted

Compliance Monitoring

Automated Scanning:

  • Microsoft SCAP tools (Windows)
  • OpenSCAP (Linux)
  • AWS Config Rules (AWS)
  • Azure Policy (Azure)
  • GCP Security Command Center (GCP)

Regular Audits:

  • Weekly automated scans
  • Monthly manual reviews
  • Quarterly comprehensive audits
  • Document exceptions
  • Track remediation

Drift Detection:

  • Monitor configuration changes
  • Alert on unauthorized changes
  • Automated remediation
  • Change approval workflow
  • Regular baseline updates

Documentation Requirements

Baseline Documentation Should Include:

  1. Purpose and scope
  2. System types covered
  3. Detailed configuration settings
  4. Rationale for each setting
  5. Implementation instructions
  6. Verification procedures
  7. Exception process
  8. Update history
  9. Approval signatures
  10. Review schedule

Next Lesson: Implementation Checklist - A comprehensive checklist covering all 93 Annex A controls, implementation guidance, evidence requirements, and a practical timeline for achieving ISO 27001 certification.
