- Mastering Windows Security and Hardening
- Mark Dunkerley, Matt Tumbarello
- 2021-06-18 18:37:58
Introduction to baselining
Security baselining is the practice of implementing a minimum set of standards and configuration within your environment; more specifically, capturing a minimum configuration for your Windows devices. Building a baseline provides a defined minimum standard, which helps ensure a more secure environment as you deploy systems and devices within your enterprise. Depending on the size of your organization, a baseline could be anything from a checklist or spreadsheet that someone follows to confirm the predefined security controls are in place, to a captured snapshot or image that already has those controls applied. Beyond the starting baseline, additional management tools can layer on and enforce baseline configurations; two examples are Group Policy Objects (GPOs) and Mobile Device Management (MDM).
Unless you are a small business with fewer than 100 employees, it is impractical to deploy a system or device and configure it individually every time a new one is built, especially once your user and server counts reach the hundreds or thousands, with a high volume of device deployments carried out day to day. Manual configuration is also very error-prone. Because of this, it is extremely important to put a well-defined program in place that minimizes the manual, error-prone steps involved in deploying systems and ensures that devices receive their baseline and hardening configurations systematically.
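To make "checklist or spreadsheet" concrete, the following PowerShell script is an added example (not code from the book) that treats a baseline as a list of expected registry values, audits a Windows host against it, and writes a timestamped CSV that can serve as audit evidence. The four controls it checks (SMBv1 server disabled, LSA running as a protected process, NTLMv2-only authentication, UAC enabled) are assumed example baseline items chosen for illustration, not a baseline the authors prescribe; it assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example: a minimal "checklist-as-code" baseline audit for a Windows host.
# The controls below are assumed example baseline items, not the book's baseline.
# Run in an elevated PowerShell session on the machine you want to audit.

$Baseline = @(
    @{ Id = 'SMB1-Server'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1';                 Expected = 0 }
    @{ Id = 'LSA-PPL';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RunAsPPL';             Expected = 1 }
    @{ Id = 'NTLMv2-Only'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Id = 'UAC-Enabled'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';            Expected = 1 }
)

function Test-BaselineItem {
    param([hashtable]$Item)
    # Missing key or missing value both come back as $null; no terminating error.
    $props  = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $props) { $props.($Item.Name) } else { $null }
    # A value that was never set is reported as drift on purpose: a baseline is an
    # explicitly captured configuration, not whatever the OS default happens to be.
    [pscustomobject]@{
        Id        = $Item.Id
        Setting   = "$($Item.Path)\$($Item.Name)"
        Expected  = $Item.Expected
        Actual    = if ($null -eq $actual) { 'NotSet' } else { $actual }
        Compliant = ($null -ne $actual) -and ($actual -eq $Item.Expected)
    }
}

function Invoke-BaselineAudit {
    param([array]$Checks = $Baseline)
    $results = foreach ($c in $Checks) { Test-BaselineItem -Item $c }

    # Evidence artifact for auditors: host name and timestamp in the file name, one row per control.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out   = Join-Path $env:TEMP "baseline-$env:COMPUTERNAME-$stamp.csv"
    $results | Export-Csv -Path $out -NoTypeInformation

    $results | Format-Table Id, Expected, Actual, Compliant -AutoSize | Out-Host
    $drift = @($results | Where-Object { -not $_.Compliant })
    Write-Host "$($drift.Count) of $($results.Count) controls drifted from baseline; evidence written to $out"
    return $results
}

Invoke-BaselineAudit
```

The script only detects drift; it does not fix it. Enforcement belongs to the layered tooling the text mentions (a GPO or MDM policy that sets these values), and the audit then proves the policy actually landed on the device. Treating "NotSet" as non-compliant is a deliberate choice: an absent value may still be secure by default (on recent Windows builds SMBv1 is often not installed at all), but a baseline that relies on defaults cannot be evidenced, so it is worth the occasional false positive.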
Another important factor to consider with baselining is that your organization may be subject to strict regulatory requirements that mandate specific security controls. Baselines help when you are audited or when you need to provide evidence that those controls are in place. Some regulatory compliance examples include the following:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Information Security Management Act (FISMA)
- The Sarbanes-Oxley Act
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
We can expect this list to keep growing as privacy becomes a bigger discussion point and challenge. It is important to have at least a minimum understanding of which regulations apply, especially those that relate directly to your organization's sector, because they will play a big part in planning your overall security baselining.
As you begin to define and deploy your baselines, you will find that one baseline will not fit all situations. You will need to document and build them for different use cases. The following list gives some examples of where unique baselines may need to be defined:
- Network devices, such as switches, routers, firewalls, and so on
- Windows systems, such as servers and clients
- Linux/Unix systems
- Storage/file servers
- Database servers
- Web servers
- Application servers
As we look more specifically at the Windows environment, you may end up with separate baselines for different server roles and client types.
For Windows Server, you have the following:
- The Windows Domain Controller (DC) server
- Windows Server Internet Information Services (IIS)
- The Windows SQL database server
- The Windows DNS server
- Windows Remote Desktop services
For the Windows client, you have the following:
- The standard Windows client (the user workstation)
- Privileged Access Workstation (PAW)
- The Windows Virtual client
Now that we've provided an overview of what baselines are, the next few sections cover the foundation and overall strategy that support building well-defined baselines and keeping them consistent. Deploying baselines without well-defined policies, processes, and a framework will not succeed in the long term and can leave your organization vulnerable. Having these foundations in place also provides a platform for leadership engagement and sign-off, which sends a consistent message to the organization about the part each associate plays in its success.