SANS Top 20 Critical Control #3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Ken Kantzer, 2 minute read

CISOs have a tough job. They are faced with securing data across thousands of devices. They are often brought in after a bad breach and are asked to make sure “it never happens again.” Throw in ISO/IEC 27001 or PCI-DSS compliance reporting, and it can lead to an overwhelming question: when it comes to developing a roadmap for my company’s security, where is the best place to start?

The Crux of the Control

I can sum it up in three words.

The more systems that are secure by default, the less twiddling your IT team has to do for each deployment. Less twiddling means fewer chances to make careless security errors.

The PKC Insight

I’ll come out and say it: configuration management and baselining are the hardest, most time-consuming responsibilities of the CISO. We’ve seen many failed attempts to satisfy this control by creating baseline images: you have an image for Windows 7, Windows Server 2003, Windows Server 2008, a template for OS X, a template for…you get the picture. Difficult but doable. A word of caution: these templates need to leave flexibility for different use cases and to cover corner cases. Usually a combination of deployment checklists that cover your basic use cases (e.g. different checklists for HR than for your R&D or accounting shops) and a set of minimal baseline images is necessary.

The real challenge is keeping up with configurations post-deployment. Frequent patching, version changes, and one-off cases will quickly make any baseline template obsolete, and not even large, well-staffed security teams can keep up with these changes manually.

So what’s the solution? You’ve got to automate the process of configuration management, and the success of automation depends heavily on the first two SANS controls. In order to efficiently and effectively automate, you have to know what you’re dealing with, in terms of both hardware and software. Only then can you devise a system (or buy one) that flags non-secure configurations and allows you to mark them as exceptions or as vulnerabilities that must be dealt with.
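The kind of system described above, as an added example that is not PKC’s tool or any product: it compares each host’s observed settings with the baseline for its role, keeps deviations that are covered by a documented exception separate from open findings, and treats a setting that is absent from a host report as a finding rather than a pass. The baseline, the exception ticket and the fleet reports are constructed sample data.

```python
# Added example (constructed data, not PKC's tool): compare each host's
# observed settings with its baseline and separate open findings from
# deviations already covered by a documented exception.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: object
    observed: object  # None when the host report lacks the setting

# Hypothetical workstation baseline: setting -> required value.
WORKSTATION_BASELINE = {
    "disk_encryption": True,
    "host_firewall": True,
    "ssh_password_auth": False,
    "screen_lock_minutes": 10,
    "auto_update": True,
}

# Documented exceptions keyed by (host, setting) -> justification (placeholder ticket).
EXCEPTIONS = {
    ("hr-ws-02", "ssh_password_auth"): "legacy payroll sync; change TICKET-PLACEHOLDER",
}

def check_host(host, observed, baseline, exceptions):
    """Return (open_findings, accepted_findings) for one host."""
    open_findings, accepted = [], []
    for setting, expected in baseline.items():
        actual = observed.get(setting)  # None if the setting was never reported
        if actual == expected:
            continue
        finding = Finding(host, setting, expected, actual)
        (accepted if (host, setting) in exceptions else open_findings).append(finding)
    return open_findings, accepted

def drift_report(fleet, baseline, exceptions):
    """Aggregate over a fleet (host -> observed settings)."""
    report = {"open": [], "accepted": []}
    for host, observed in fleet.items():
        open_f, acc = check_host(host, observed, baseline, exceptions)
        report["open"] += open_f
        report["accepted"] += acc
    return report

# Constructed post-deployment reports from two workstations.
SAMPLE_FLEET = {
    "rnd-ws-01": {"disk_encryption": True, "host_firewall": True, "ssh_password_auth": False, "screen_lock_minutes": 30, "auto_update": True},
    "hr-ws-02": {"disk_encryption": True, "host_firewall": False, "ssh_password_auth": True, "auto_update": True},
}
```

Running `drift_report(SAMPLE_FLEET, WORKSTATION_BASELINE, EXCEPTIONS)` yields three open findings (the R&D screen-lock timeout, the HR host firewall, and the HR screen-lock setting that was never reported) and one accepted deviation (the HR SSH password exception).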

You may have noticed that this sounds very similar to vulnerability assessment and remediation, which is the next topic, so I won’t spoil all the interesting bits yet. Stay tuned!

The previous article talked about the second SANS Top 20 control: Inventory of Authorized and Unauthorized Software.

The next article will talk about the fourth SANS Top 20 control: Continuous Vulnerability Assessment and Remediation.


Ken is a Founding Partner of PKC