Configuration Management

Configuration management is the process of establishing, documenting and maintaining secure default settings for systems, servers and network devices. It ensures consistency across the organisation's IT environment and reduces the attack surface.

    What is configuration management?

    Configuration management is the practice of ensuring that all systems within the organisation are set up correctly and consistently. This applies to servers, workstations, network equipment, cloud resources and applications.

    Default installations of operating systems and software are rarely secure. They ship with open ports, enabled default accounts, unnecessary services and weak settings. Configuration management addresses this by defining secure baselines and enforcing them across the environment.

    It is closely linked to patch management (keeping systems up to date), vulnerability scanning (identifying misconfigurations) and endpoint security (protecting devices). Together, they reduce the attack surface significantly.

    Hardening and baselines

    Hardening is the process of making a system more secure by reducing its attack surface:

    • Remove unnecessary services: Disable software and services that are not in use. Each active service is a potential attack vector.
    • Close ports: Allow only the ports that are required. Use host-based firewalls to restrict network access.
    • Change default settings: Change default passwords, rename default accounts and disable guest accounts.
    • Enable logging: Turn on logging for security-relevant events and send logs to a SIEM.
    • Apply least privilege: Services and processes should run with the minimum necessary permissions.

    Security baselines such as CIS Benchmarks provide detailed recommendations for hardening specific platforms. They can be used as a starting point and adapted to the organisation's needs.

    Configuration management in practice

    Effective configuration management requires processes and automation:

    Configuration Management Database (CMDB): A central database that tracks all IT assets and their configuration. The CMDB provides an overview of what is installed where and which version is running.

    Infrastructure as Code (IaC): Define configurations as code that can be version-controlled, tested and deployed automatically. Tools such as Ansible, Puppet and Terraform ensure reproducible and consistent configuration.

    Drift detection: Monitor systems continuously for deviations from the approved baseline. Automated tools can alert on or automatically remediate configuration drift. This is closely related to monitoring.

    Change management: All configuration changes should be approved and documented. This ensures traceability and makes it possible to roll back changes if they cause problems.

    Combine configuration management with vulnerability scanning to identify systems that deviate from baselines, and penetration tests to verify that the configuration actually withstands attacks.
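
    The drift-detection step described above, as an added example that is not code from the original page: it checks one host snapshot against a baseline built from the hardening items listed earlier (ports, services, default accounts, logging). The baseline values, the hostname and the snapshot format are assumptions constructed for illustration.

```python
"""Added example: compare a host snapshot with an approved hardening baseline."""

# Hypothetical baseline for a web-server role; the values are illustrative
# and are not taken from CIS Benchmarks or any other published baseline.
BASELINE = {
    "allowed_ports": {22, 443},
    "forbidden_services": {"telnet", "ftp"},
    "disabled_accounts": {"guest"},
    "settings": {"audit_logging": "enabled", "log_forwarding": "siem"},
}

# Constructed snapshot, as an inventory agent or CMDB export might report it.
SNAPSHOT = {
    "hostname": "web01.example.internal",
    "listening_ports": [22, 443, 8080],
    "running_services": ["sshd", "nginx", "telnet"],
    "enabled_accounts": ["root", "deploy", "guest"],
    "settings": {"audit_logging": "enabled", "log_forwarding": "none"},
}


def detect_drift(baseline, snapshot):
    """Return a sorted list of (category, item, detail) deviations."""
    findings = []
    for port in set(snapshot.get("listening_ports", [])) - baseline["allowed_ports"]:
        findings.append(("port", str(port), "listening but not in baseline"))
    for svc in set(snapshot.get("running_services", [])) & baseline["forbidden_services"]:
        findings.append(("service", svc, "forbidden service is running"))
    for acct in set(snapshot.get("enabled_accounts", [])) & baseline["disabled_accounts"]:
        findings.append(("account", acct, "account must be disabled"))
    observed = snapshot.get("settings", {})
    for key, expected in baseline["settings"].items():
        # A setting missing from the snapshot counts as drift, not as compliant.
        actual = observed.get(key, "<missing>")
        if actual != expected:
            findings.append(("setting", key, f"expected {expected!r}, found {actual!r}"))
    return sorted(findings)


def report(baseline, snapshot):
    """Format findings as one alert line per deviation, suitable for a log."""
    host = snapshot.get("hostname", "<unknown>")
    return [f"DRIFT host={host} {cat}={item}: {detail}"
            for cat, item, detail in detect_drift(baseline, snapshot)]


if __name__ == "__main__":
    print("\n".join(report(BASELINE, SNAPSHOT)) or "compliant")
```

    Keeping the baseline in version control alongside the IaC definitions means every change to it passes through the same approval and rollback path as any other configuration change.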

    Regulations and standards

    CIS 18 dedicates Control 4 to the secure configuration of enterprise assets and software. It covers establishing baselines, hardening and continuous monitoring of configurations.

    ISO 27001 addresses configuration management in Annex A controls A.8.9 (configuration management) and A.8.19 (installation of software). An ISMS should define processes for secure configuration as part of technical and organisational measures.

    NIS2 and DORA require organisations to maintain secure configurations of their ICT systems. Under GDPR, secure configuration is part of protecting personal data.

    Frequently Asked Questions about Configuration Management

    What is a security baseline?

    A security baseline is a documented standard configuration that defines the minimum security settings for a given system type. Examples include CIS Benchmarks and Microsoft Security Baselines.

    What is hardening?

    Hardening is the process of reducing the attack surface of a system by removing unnecessary services, closing ports, disabling default accounts and applying secure settings. It makes the system more resilient to attacks.

    How do you keep track of configuration changes?

    Use a change management system to approve, document and track all changes. Automated tools can detect deviations from baselines (configuration drift) and alert or automatically remediate them.
