Session 18: Secure Configuration Management (SCM)

Secure Configuration Management Overview and Goals
Understanding Secure Configuration Management as a Process
The Critical Importance of Configuration
Defining a Security Baseline
Frameworks and Governance Foundation
The SCM Lifecycle Phases
Phase One: Planning and Baseline Definition
Phase Two: Implementation and Deployment
Phase Three: Monitoring and Compliance Validation
Phase Four: Review and Continuous Improvement
Phase Five: Documentation and Audit Readiness
The Role of GRC in SCM
Configuration Baselines and Hardening
Understanding Baselines
Hardening Principles
Windows Baseline Highlights
Linux Baseline Highlights
Roles and Responsibilities
Challenges and Best Practices
Common Challenges
Best Practices for SCM
SCM in Incident Response
Introduction to Docker
Docker versus VM versus OS
Example of Docker Usage
Understanding the Dockerfile
Docker Image Explained
Docker Container Explained
Docker Workflow: From Definition to Execution
Docker Commands Reference
Dockerfile Instructions Explained

Secure Configuration Management Overview and Goals

Secure Configuration Management represents a fundamental approach to maintaining consistent security across an organization's infrastructure. At its core, a baseline serves as a standard configuration that all systems must follow, establishing requirements such as strong passwords, disabled unnecessary services, enabled antivirus protection, and properly configured firewall rules. Any deviation from this baseline triggers alerts to maintain consistent security across the environment.

The Center for Internet Security, operating as a non-profit organization, provides a set of prioritized and actionable best practices known as the CIS Critical Security Controls. These controls offer organizations a structured framework for implementing security measures that address the most critical threats.

Organizations gravitate toward CIS Controls because they provide a clear, practical, and globally recognized baseline that effectively reduces the most common cyber risks without introducing unnecessary complexity. Compared to heavier frameworks like NIST or ISO, CIS Controls are easier and faster to implement, making them ideal for organizations seeking strong security without huge overhead. The controls are directly mapped to real attack techniques, ensuring that security teams defend against threats that actually matter in the current landscape. Beyond technical benefits, these controls help companies prove compliance, improve audit outcomes, and standardize security across all environments.

Understanding Secure Configuration Management as a Process

Secure Configuration Management functions primarily as a security process that ensures all systems follow a consistent, secure configuration baseline to reduce risk. SCM leverages existing asset inventory to identify what devices and workloads exist and must be monitored. The process integrates with change management to distinguish between approved configuration changes and unauthorized or risky modifications.

SCM controls how configurations are defined, deployed, and verified throughout their lifecycle. In essence, SCM serves as the technical enforcement mechanism for GRC policies, translating governance requirements into actionable security controls.

Although SCM operates as a process, organizations typically implement it using tools like Intune, Azure Policy, Microsoft Defender for Endpoint, or CIS-CAT to automate enforcement and detection activities. Intune helps manage and secure devices by enforcing configuration profiles, app controls, and compliance rules across Windows, mobile, and other endpoints from a central cloud console. Azure Policy enforces governance at scale by auditing, denying, or automatically fixing resource configurations in Azure to ensure everything follows organizational security and compliance standards. Microsoft Defender for Endpoint provides advanced endpoint protection by detecting threats, blocking malicious activity, and offering rich alerts and telemetry to investigate and respond to attacks.

In simple terms, SCM keeps all assets securely configured by combining clear baselines with continuous monitoring and change control. It represents both a security process and the tools that enforce it.

The Critical Importance of Configuration

Configuration matters critically because misconfigurations cause greater than sixty percent of security incidents according to a CIS 2025 report. Common configuration failures such as default credentials, open ports, and weak permissions act as attack entry points that adversaries readily exploit.

SCM keeps every system aligned to a trusted baseline by monitoring for configuration drift and automatically fixing settings that fall out of compliance. This capability allows quick recovery after an attack because the system can be restored to its clean, approved state without needing complex troubleshooting or manual reconfiguration.

Defining a Security Baseline

A security baseline is built from industry standards like CIS, NIST, and Microsoft baselines such as those found in Microsoft Purview, combined with your organization's compliance requirements and business needs. The baseline reflects the level of security and restrictions your company accepts based on risk decisions.

For example, a company creates an Azure VM baseline using CIS Controls to disable insecure protocols and enforce strong authentication, Microsoft recommendations to enable Defender for Cloud, use managed identities, enforce HTTPS, and enable Azure Monitor logs, plus internal rules requiring BitLocker encryption and NSGs that allow only approved ports. All Azure VMs must follow these combined settings, and any drift triggers an alert for investigation.

Frameworks and Governance Foundation

SCM is guided by frameworks including NIST, CIS, ISO, and DISA STIGs, which provide baselines for secure configurations. CIS Benchmarks turn these standards into practical templates that organizations can implement. A governance model translates high-level policy into enforceable technical controls and procedures, with audit feedback keeping everything aligned with risk management objectives.

The SCM Lifecycle Phases

Phase One: Planning and Baseline Definition

In this phase, the organization identifies which assets and configurations need to be controlled. Standards like CIS Benchmarks, DISA STIGs, or vendor guides are selected to define a secure baseline. Risk levels are carefully considered, as production servers may require stricter rules than test machines, and management formally approves the baseline. All settings are documented and version-controlled for future reference.

As an example, a company decides all Windows servers must have BitLocker enabled, unnecessary services disabled, and audit logging active, and these rules are approved and recorded before deployment begins.

Phase Two: Implementation and Deployment

The approved baselines are applied to new systems such as servers, VMs, or containers during this phase. Secure templates, also called Golden Images, are used to ensure consistency across deployments. A Golden Image is a pre-configured template or snapshot of a system, used to quickly create new servers, VMs, or computers. It includes the base OS like Windows Server 2022, security settings such as BitLocker, firewall configurations, and disabled SMBv1, plus monitoring tools and logging capabilities. This ready-to-use image ensures all new systems are consistent and secure, and can be deployed in production or test environments.

During deployment, unnecessary accounts and services are disabled, permissions are set appropriately, and firewalls configured according to baseline requirements. Each system is validated before being released to production.

For instance, deploying a new Azure VM using a Golden Image that already has endpoint protection, required firewall rules, and restricted admin accounts applied ensures immediate compliance with security standards.

Phase Three: Monitoring and Compliance Validation

Systems are continuously scanned to detect configuration drift, comparing their current state with the approved baseline. Alerts are generated for unauthorized changes, and results are integrated with tools like SIEM or vulnerability management platforms. Evidence is kept for audit purposes and compliance verification.

As an example, an endpoint monitoring tool detects that an employee enabled a disabled service on a server, triggering an alert for review and remediation.

Phase Four: Review and Continuous Improvement

Audit and monitoring data are analyzed to identify trends and improve baselines over time. Baselines are updated as threats evolve, and exceptions are handled with compensating controls when necessary. Updated baselines are re-approved and versioned to maintain proper change control.

For instance, after a new vulnerability is discovered in Windows Server, the baseline is updated to disable the affected service, and the updated rules are documented and approved before deployment.

Phase Five: Documentation and Audit Readiness

All baselines, changes, and approvals are maintained in a central repository for easy access and review. Configurations are linked to tickets for traceability, and approved files may have hashes to prove integrity. Audit reports are generated to show compliance levels and demonstrate control effectiveness to regulators or clients.

During an ISO 27001 audit, for example, the security team shows auditors that all servers follow the approved baseline and provides reports of any deviations and corrective actions taken.

The Role of GRC in SCM

A company needs a GRC framework covering Governance, Risk, and Compliance to define policies based on its industry and specific needs. For example, a bank will have policies aligned with banking regulations. Risk management identifies threats and applies mitigations using standards like ISO 27001. Compliance measures how well the organization follows these policies and standards. From these standards, a baseline is created, specifying the secure configurations systems must follow. SCM enforces these baselines through its lifecycle of planning, deployment, monitoring, continuous improvement, and documentation.

Configuration Baselines and Hardening

Understanding Baselines

A baseline is like a gold image for system configurations. It represents a documented and approved set of secure default settings that act as a known-good state. Baselines are used to compare systems, rollback changes if needed, and ensure consistency across the environment. Organizations usually maintain separate baselines for operating systems, network devices, applications, and cloud workloads. They are stored in a central repository like Git, SharePoint, or an SCM portal and reviewed periodically to stay up-to-date with evolving threats.

Hardening Principles

Hardening means securing a system by following a few fundamental rules. Only necessary features and services are enabled, following the principle of least functionality. Users get only the access they need, adhering to least privilege. Default settings are secure, such as denying all connections unless explicitly allowed. Detailed logging and auditing are enabled to track activity, and multiple layers of controls provide defense in depth across OS, network, and applications.

Least functionality can be demonstrated when a Windows Server is installed with only IIS enabled while disabling FTP, SMBv1, and print services to reduce the attack surface. Least privilege is applied when a SOC analyst is granted read-only access in Microsoft Sentinel instead of Global Admin rights. Track activity is implemented through Azure Activity Logs and Microsoft Sentinel continuously recording sign-ins, role changes, and suspicious actions for auditing. Defense in depth is achieved when an enterprise protects data using firewalls, EDR like Defender for Endpoint, MFA, network segmentation, and encrypted backups together.

Windows Baseline Highlights

A Windows server baseline might include disabling the Guest account, enforcing strong passwords, requiring UAC and secure LSA protection, enabling BitLocker with TPM plus PIN, turning off insecure protocols like SMBv1 and unencrypted RDP, and configuring the Windows Firewall for host-based segmentation. These settings ensure the system starts in a secure, consistent state and can be checked against the baseline to detect unauthorized changes.

Host-based segmentation restricts access so only necessary services communicate on the same host. Web ports like 80 open to the internet, database ports like 1433 only to the app server, and admin ports like 3389 only to IT machines. This limits exposure and prevents lateral movement if a system is compromised.

Linux Baseline Highlights

To secure a Linux system, enforce SSH key authentication instead of password logins and disable root SSH access along with unused services like xinetd and telnet. Configure the sudoers file to grant minimum privileges while logging all administrative actions. Enable SELinux or AppArmor in enforcement mode to control application behavior, and restrict cron and at jobs so only authorized users can schedule tasks. These steps help maintain a secure, controlled environment.

SSH passwordless key-based authentication works by offering a more secure alternative to traditional password-based authentication. Typically, an SSH client connects to an SSH server by providing a password, which is prone to brute-forcing or guessing. The more secure method utilizes public key cryptography. The client first generates a pair of keys: a public key that can be shared safely, and a private key that must be kept secure. The client shares its public key with the server during an existing authenticated session. When the client attempts to connect again, it presents its public key to the server. The server finds the key and then encrypts a message using this public key, sending the encrypted message back to the client. If the client possesses the matching private key, it can successfully decrypt the message, thereby proving its identity and gaining access to the machine without needing a password. Generating an SSH key pair using the ssh-keygen command and using ssh-copy-id to securely transfer the public key to a Raspberry Pi server demonstrates the successful password-less login.

When connecting via SSH, the server first checks if the username exists in /etc/passwd and if it has a valid shell. Each user's allowed public keys are stored in their home directory under ~/.ssh/authorized_keys. The file contains only the public keys, optionally with a comment, not the username. When a client connects, it specifies the username, and the server checks that user's authorized_keys for a matching key based on the user directory. If a match is found, the server challenges the client to prove possession of the private key; otherwise, access is denied.

Roles and Responsibilities

Stakeholders in SCM have clearly defined responsibilities. System owners are responsible for approving baselines and exceptions. Administrators and engineers implement and maintain configurations. The security team defines requirements and monitors compliance, while the Change Advisory Board reviews proposed changes. Auditors and GRC teams validate documentation and controls.

Challenges and Best Practices

Common Challenges

Configuration drift often occurs between environments, and manual changes outside the approval process can create risks. Many organizations lack proper baseline version control, and overly broad exceptions can weaken security. Limited visibility in hybrid cloud setups further complicates configuration management.

Best Practices for SCM

It is important to maintain a centralized baseline repository and enforce change tracking with approval workflows. Configuration scanning helps detect drift, and exceptions should be regularly reviewed and re-justified. Integrating SCM metrics into security KPIs improves oversight and accountability.

SCM in Incident Response

Baselines make it easier to detect deviations that could signal a breach. Known-good configurations allow systems to be quickly restored, and configuration logs help trace attacker persistence. SCM data supports threat-hunting, post-incident analysis, and serves as a foundation for future hardening efforts.

Introduction to Docker

Docker is a platform that allows you to package applications and their dependencies into standardized units called containers. Think of it as a way to bundle everything your application needs to run, including code, runtime, system tools, libraries, and settings, into a single package that can run consistently across different computing environments. Docker solves the classic "it works on my machine" problem by ensuring that if a container runs on your laptop, it will run the same way in production, on a colleague's machine, or in the cloud. For blue teamers, Docker is particularly valuable because it allows you to quickly spin up isolated environments for testing security tools, analyzing malware, or replicating vulnerable systems without risking your host machine.

Docker versus VM versus OS

Understanding the relationship between Docker containers, virtual machines, and operating systems is crucial for grasping how containerization works. An operating system sits directly on hardware and manages all system resources. A virtual machine runs on top of a hypervisor and includes a complete guest operating system, which means each VM contains its own kernel, system libraries, and binaries, making VMs heavy in terms of resource consumption and slow to start. Docker containers, on the other hand, share the host operating system's kernel and only package the application and its dependencies, making them lightweight and fast to start. While a VM might take minutes to boot and consume gigabytes of RAM, a Docker container can start in seconds and use only megabytes of memory. In security contexts, VMs provide stronger isolation because each has its own kernel, while containers are more efficient for running multiple isolated services quickly, though they share the underlying kernel which can be a security consideration.

Example of Docker Usage

Imagine you're a blue team analyst who needs to test how a web application behaves when attacked by SQL injection. Instead of installing Apache, MySQL, PHP, and the vulnerable application directly on your machine, which could take hours and potentially compromise your system, you can use Docker to pull a pre-configured vulnerable web application container. Within minutes, you have a fully functional vulnerable environment running in isolation. You can test your detection rules, practice incident response, experiment with patches, and when you're done, simply delete the container. Security teams also use Docker to deploy honeypots, run security scanning tools like OWASP ZAP or Metasploit in isolated environments, or maintain consistent versions of forensic tools across their team.

Understanding the Dockerfile

A Dockerfile is a text document containing a series of instructions that Docker uses to automatically build an image. Think of it as a recipe or blueprint that tells Docker exactly how to construct your application environment step by step. Each instruction in the Dockerfile creates a layer in the final image, and these layers are cached, making subsequent builds faster if nothing has changed. For security professionals, Dockerfiles are important because they provide transparency and reproducibility. You can audit exactly what goes into an image, ensure no unnecessary packages are included that could expand the attack surface, and version control your infrastructure as code.

Docker Image Explained

A Docker image is a read-only template that contains the application code, runtime, libraries, environment variables, and configuration files needed to run an application. You can think of an image as a snapshot or a class in object-oriented programming. It's the blueprint from which containers are created. Images are built in layers, with each instruction in a Dockerfile creating a new layer on top of the previous one. Images can be stored in registries like Docker Hub, allowing teams to share and distribute consistent environments. From a security perspective, images should be carefully vetted since they form the foundation of your containers, and compromised images can introduce vulnerabilities across your entire infrastructure.

Docker Container Explained

A container is a running instance of a Docker image. It's what you get when you execute an image. While an image is static and read-only, a container is dynamic and includes a writable layer where changes during runtime are stored. Multiple containers can be created from the same image, and each runs in isolation with its own filesystem, networking, and process space, though they share the host OS kernel. Containers are ephemeral by design, meaning they can be easily created, stopped, and destroyed without affecting other containers or the host system. For blue teamers, this isolation is valuable for containing potentially malicious code, testing security configurations, or running untrusted applications in a sandboxed environment.

Docker Workflow: From Definition to Execution

The Docker workflow follows a clear progression from code to running application. You start by writing a Dockerfile that defines your application environment, specifying the base image, installing dependencies, copying application files, and configuring how the application should run. This represents the definition phase. Next, you build this Dockerfile into an image using the docker build command, which processes each instruction and creates a reusable template. Once you have an image, you run it with the docker run command, which creates and starts a container from that image. The container is now a live, isolated instance of your application that can be accessed, monitored, stopped, and restarted as needed. This represents the execution phase. This pipeline is powerful because it separates the definition through Dockerfile, the template through image, and the execution through container, allowing you to version control your infrastructure, share consistent environments, and rapidly deploy applications.

Docker Commands Reference

The docker pull command followed by imagename and tagname downloads a specific image from a registry to your local system, allowing you to use it as a base for containers or builds. If you omit the tag, Docker automatically pulls the latest version.

The docker image pull command provides an alternative for downloading images from a registry, functionally equivalent to docker pull but using the newer image management syntax.

The docker image ls command displays all images currently stored on your local system, showing details like repository name, tag, image ID, creation date, and size.

The docker image rm command removes one or more images from your local system to free up disk space, though you cannot delete an image that's currently being used by a container.

The docker image build command constructs a new image from a Dockerfile by executing each instruction in sequence and committing the resulting layers.

The docker build command with the -t flag followed by a name like helloworld and a period builds an image from the Dockerfile in the current directory and tags it with the name "helloworld" for easy reference. The period indicates the build context is the current directory.

The docker run command followed by options, image name, command, and arguments creates and starts a new container from the specified image, applying any options like port mappings or volume mounts.

The docker run command with -d flag, --name option, -p for port mapping runs a container in detached mode with a custom name and maps ports between host and container. For example, docker run -d --name webserver -p 80:80 webserver runs a container in detached mode with the custom name "webserver" and maps port 80 on the host to port 80 in the container.

The docker run -d command followed by an image name starts a container in detached mode, running in the background, and assigns it a randomly generated name.

The docker ps command lists all currently running containers with details including container ID, image used, command running, creation time, status, and port mappings.

The docker ps -a command shows all containers on your system, including those that are stopped or exited, giving you a complete view of container history.

The docker start command followed by a container ID restarts a previously stopped container using its container ID or name, resuming it from where it left off.

The docker stop command followed by a container ID gracefully shuts down a running container by sending a SIGTERM signal, allowing processes to clean up before stopping.

The docker exec command with -it flags followed by container ID and bash opens an interactive bash shell inside a running container, allowing you to execute commands and inspect the container's filesystem and processes.

Dockerfile Instructions Explained

The FROM instruction specifies the base image that your new image will be built upon, establishing the starting point for all subsequent instructions. For example, FROM ubuntu uses Ubuntu as the foundation.

The RUN instruction executes commands during the image build process, typically used for installing packages, updating systems, or configuring the environment. For example, RUN apt-get update -y updates package lists.

The COPY instruction transfers files or directories from your host machine into the container's filesystem at build time. For example, COPY /host/path /container/path moves local files into the image.

The WORKDIR instruction sets the working directory for subsequent instructions in the Dockerfile and establishes the default directory when the container starts. For example, WORKDIR /app makes /app the current directory.

The EXPOSE instruction documents which network port the container will listen on at runtime, serving as metadata for other developers and tools. For example, EXPOSE 80 indicates the container serves traffic on port 80.

The CMD instruction defines the default command that executes when the container starts, providing the main process that keeps the container running. For example, CMD ["apache2ctl", "-D", "FOREGROUND"] starts Apache in foreground mode.

# Use Ubuntu as base image
FROM ubuntu:24.04

# Update packages (optional but recommended)
RUN apt-get update && apt-get install -y \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Default command when container starts
CMD ["bash"]

docker build -t ubuntumini .
docker run -it ubuntumini