The Importance of Configuration Compliance
The default configuration of most computers and networking devices favors ease-of-use over strong security. In addition, the security posture of computers tends to weaken over time as users change configurations to make them easier to use. Configuration management continuously hardens computers.
Limitations of System Configuration Management
While properly configured systems shrink attack surfaces, they do not eliminate exploits from occurring for the simple fact that some ports must be left open in order to support system operations. In addition, automatic updating of a computer's configuration can break existing software applications.
Vidder's Configuration Management Recommendations
In general, Vidder strongly recommends hardening systems by removing all unnecessary accounts and services, updating patches, and locking down unused network ports. All configuration-hardening changes must be made before connecting the device to the network.
In addition, Vidder strongly recommends automating the process of configuration management to ensure users do not decrease the security posture of any computer.
Vidder strongly recommends running a configuration management process as part of the nightly build.
Vidder strongly recommends configuration requirements be established and implemented for each unique software package running on production servers. For example, Apache running on REHL will have configuration requirements that are distinct from Apache running on other operating systems and distinct from running other applications on REHL.
Servers images must be hardened before putting them into the public cloud.
Vidder strongly recommends hardening client devices through group policy objects, or other similar methods.