What is ‘secure configuration’, why is it so important and how can it be implemented? Find out everything you need to know about the secure configuration of systems here.
Definition: What is Secure Configuration?
Secure Configuration is a technical measure in which applications, operating systems, networks and devices are configured in such a way that they are significantly better protected against potential cyber threats.
For example, unnecessary services are deactivated and secure settings are implemented to minimise a system’s attack surface. The aim is also to close security gaps and control access to important resources.
Alternative names: What else is Secure Configuration called?
‘Secure Configuration’ is often referred to as ‘Security Configuration’ or ‘Security Settings’. The term is also known as ‘System Hardening’.
Differences: What is the difference between Secure Configuration and System Hardening?
Essentially, there is no difference between Secure Configuration and System Hardening – both terms are used synonymously. They describe the same procedure for configuring entire IT systems or individual applications so that they are (more) secure – and therefore ‘hardened’ or, in other words, better protected against attacks.
Examples: What is done with Secure Configuration?
There are numerous measures that you can use to securely configure an IT system such as an operating system or an individual application. These include the following, for example:
- Regularly checking the activated services to ensure that only necessary functions are running.
- Services should only be operated with minimal rights and, if possible, run in isolated environments.
- The principle of least privilege also applies to maintenance interfaces and access.
- It is important to restrict access to operating system configuration files.
- Secure Configuration also includes switching off insecure and unneeded interfaces …
- … and the deactivation of unnecessary autostart mechanisms and operating system components.
In total, there are hundreds of settings that are recommended by organisations such as BSI, CIS, DISA and ACSC or companies such as Microsoft.
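The service, least-privilege and configuration-file checks from the list above can be expressed as a small audit routine. This is an added example, not code from the original page or from any tool it names; the baseline sets, the `reportd` service, the sample snapshot and the simple pass percentage are all assumptions made for illustration.

```python
import stat

# Hypothetical baseline for one host role (assumption, not from any standard).
ALLOWED_SERVICES = {"sshd", "chronyd", "reportd"}  # reportd: made-up app service
ROOT_ALLOWED = {"sshd"}                            # may run as root

def audit_services(services):
    """services: iterable of (name, run_as_user, enabled_at_boot)."""
    findings = []
    for name, user, enabled in services:
        if enabled and name not in ALLOWED_SERVICES:
            findings.append((name, "enabled but not in baseline"))
        elif enabled and user == "root" and name not in ROOT_ALLOWED:
            findings.append((name, "runs as root without need"))
    return findings

def audit_config_files(files):
    """files: mapping path -> (owner, st_mode) as os.stat() would report."""
    findings = []
    for path, (owner, mode) in sorted(files.items()):
        if owner != "root":
            findings.append((path, f"owned by {owner}, expected root"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, f"writable by group/other ({stat.filemode(mode)})"))
    return findings

def audit(services, files):
    # Returns (findings, percentage of checked items with no finding).
    findings = audit_services(services) + audit_config_files(files)
    total = len(services) + len(files)
    failed = len({subject for subject, _ in findings})
    return findings, round(100 * (total - failed) / total)

# Constructed sample snapshot, not taken from a real host.
SAMPLE_SERVICES = [
    ("sshd", "root", True),
    ("reportd", "root", True),         # should use a dedicated account
    ("chronyd", "chrony", True),
    ("telnet.socket", "root", True),   # unnecessary, insecure interface
    ("cups", "root", False),           # disabled, so not flagged
]
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": ("root", 0o100600),
    "/etc/reportd.conf": ("root", 0o100664),   # group-writable
    "/etc/crontab": ("deploy", 0o100644),      # wrong owner
}

if __name__ == "__main__":
    for subject, problem in audit(SAMPLE_SERVICES, SAMPLE_FILES)[0]:
        print(f"FAIL {subject}: {problem}")
```

Running the same routine on a schedule and comparing the findings between runs shows configuration drift between reviews.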
Goals: Which systems need Secure Configuration?
In principle, all IT systems should be hardened. This includes:
- Operating systems such as Windows and Linux
- Servers such as web, database and email servers
- Applications such as browsers and Office programmes
- Cloud services such as Microsoft Azure and AWS
- IoT devices such as smart home devices or smart gadgets
- OT devices such as the control systems of machines
One of the aims of Secure Configuration is to bring the respective IT environment up to the state of the art. This is impossible with older systems such as Windows XP or Windows 7, as they are no longer supplied with patches and updates.
If the use of these outdated operating systems is nevertheless necessary, they must be configured as securely as possible. This minimises the risk of successful cyber attacks as far as possible.
Implementation: How can Windows be configured securely?
This cannot be answered in one sentence, as at least 500 or more settings usually have to be adjusted during OS Hardening – per operating system and workstation! You can find more background information on this in these guides from us:
Hardening: Is there Secure Configuration for Linux?
Yes, because the various Linux distributions – like any operating system – have various security vulnerabilities due to services and functions activated by default and thus attack surfaces that hackers can exploit! However, the Secure Configuration of a Linux computer or server can be challenging. You can find out why in our guide on Linux System Hardening.
Advantages: Why is Secure Configuration so important?
Minimisation of vulnerabilities
Many systems are easy to attack in their standard configuration. Secure Configuration significantly reduces the attack surface. And it limits the ‘collecting frenzy of the data octopuses’, which includes data espionage by Windows.
More protection against cyber attacks
Properly implemented System Hardening in combination with other IT security measures makes it more difficult for ‘cyber criminals’ to compromise and hijack systems, steal data or even paralyse machines.
Versatile defence shield
A professionally implemented Secure Configuration ‘blocks’ typical malware threats. For example: A Mimikatz attack loses its terror thanks to System Hardening. And: Secure Configuration even helps against new types of ‘AI attacks’ such as polymorphic malware.
Less cyber damage
If attackers succeed in infiltrating an IT system, they can spread more slowly due to the System Hardening. In the best-case scenario, they will not cause any significant damage thanks to the Secure Configuration.
Fulfilment of compliance requirements
From NIS2 and ISO 27001 to BAIT/ZAIT/VAIT and DORA through to TISAX and WLA-SCS: more and more laws, regulations and standards require System Hardening or Secure Configuration. For most companies, complying with these is not a ‘nice to have’, but a ‘must have’ – otherwise supply relationships with customers may be jeopardised or penalties may be imposed.
Obtaining / renewing a cyber insurance policy
Not only regulations, but also more and more cyber insurance policies now require Secure Configuration. If companies cannot provide evidence of hardening based on standards, they will receive a contract with poor (and therefore more expensive) conditions or no policy at all.
Target group: Which companies need Secure Configuration?
All of them! Regardless of whether you are a solo entrepreneur, start-up, medium-sized company or corporation: IT systems should be hardened and configured as securely as possible everywhere.
After all, the question is not whether a company will be attacked by hackers, but when. In times of increasing ‘cyber wars’, everyone is a victim. Attackers often seek the path of least resistance. These are primarily unprotected or poorly secured systems.
Successful cyber attacks have unpleasant and expensive consequences for companies of all sizes. In the worst case, an incident can lead to the insolvency or bankruptcy of a company. Unfortunately, this is happening more and more frequently.
Intervals: How often should you carry out a security configuration?
Anyone who works in IT knows that every status quo is a snapshot with an extremely short half-life. Particularly in large system landscapes, things are constantly changing because new devices are added and old ones are decommissioned. In addition, there are new operating systems, applications, cloud solutions, updates and the like.
This means that the Secure Configuration of systems is a ‘permanent construction site’! A review should take place regularly – preferably every few weeks – and at least once a quarter. This requires clearly defined processes: Security Configuration Management.
As the Secure Configuration and checking of settings is a complex ‘mammoth task’, it is advisable to automate System Hardening. Hardening tools such as the Enforce Administrator are helpful here. More on this in a later section.
Responsibility: Who is responsible for the secure configuration of systems?
The Secure Configuration of systems is the responsibility of a company’s IT security experts and system administrators. As hardening can be very time-consuming and requires a great deal of expertise, Secure Configuration is often outsourced to external service providers.
It is extremely important that they are not just called in once for basic System Hardening, but on a regular basis. This is because, as mentioned in the last point, permanent Security Configuration Management is required.
In addition to the executors, management also has a duty. On the one hand, this includes those responsible for IT, i.e. the IT manager, the CISO and/or the CTO. The (in many cases non-specialist) management must also deal with the topic of ‘System Hardening’ or ‘secure configuration’.
Why? Managing directors are responsible for preventing damage to their company – this also includes cyber attacks. If IT security is not made a ‘top priority’, this can have serious consequences for the company management, including heavy fines.
Audit: How do you check whether systems are really securely configured?
Special tests are needed to find out whether the Secure Configuration of applications or operating systems has really been implemented well. One option is pentests or MDR systems, which uncover vulnerabilities and anomalies in IT landscapes.
A check with AuditTAP is more precise. This free tool was specially developed to check the hardening of applications and operating systems in accordance with various standards. The AuditTAP Risk Score shows you at a glance how (in)securely the tested system is configured.
Optimisation: Can Secure Configuration be automated?
Yes, with a tool such as the Enforce Administrator, you can carry out automated System Hardening based on globally recognised standards. These include the latest Secure Configuration recommendations from the BSI (German Federal Office for Information Security), the DISA (Defense Information Systems Agency), the CIS (Center for Internet Security) and the ACSC (Australian Cyber Security Centre) as well as the hardening benchmarks from Microsoft.
With the Enforce Administrator, you can harden Windows 10/11 and Windows server systems as well as Office applications and browsers – even in complex and very large IT system landscapes. Centralised, automated and permanent.
Do you still have questions?
Would you like to know more about the topic of ‘Secure Configuration / System Hardening’? Or do you need active support with the Secure Configuration of your systems? Feel free to contact us! The hardening experts at FB Pro will be happy to help and advise you.