Skip to content
Home » IT Policies » Secure Configuration Policy (Baseline Hardening)

Secure Configuration Policy (Baseline Hardening)

1. Purpose

The purpose of this Secure Configuration Policy is to establish requirements for the secure configuration and hardening of information systems, applications, devices, cloud services, and network infrastructure.

Default configurations often contain unnecessary services, insecure settings, default credentials, and other weaknesses that can increase the risk of unauthorized access, malware infections, data breaches, and service disruptions. This policy establishes baseline security standards designed to reduce the organization’s attack surface and improve the overall security posture.

The organization shall implement and maintain secure baseline configurations for all technology assets throughout their lifecycle.

2. Scope

This policy applies to:

  • All employees
  • Contractors
  • Consultants
  • Temporary personnel
  • Third-party service providers responsible for managing organizational systems

This policy applies to:

  • Servers
  • Workstations
  • Laptops
  • Mobile devices
  • Network devices
  • Firewalls
  • Wireless infrastructure
  • Virtual machines
  • Cloud services
  • Containers
  • Applications
  • Databases
  • Software platforms
  • Security appliances
  • Internet-connected devices

The policy applies to both organization-owned and managed systems.

3. Policy Statement

All information systems shall be configured using secure baseline standards designed to minimize security risks and support business operations.

Default configurations shall not be relied upon for production environments. Systems shall be hardened prior to deployment and maintained through ongoing review, monitoring, and configuration management processes.

Secure configuration requirements shall be documented, approved, and consistently applied across the organization.

4. Objectives

The objectives of this policy are to:

  • Reduce the attack surface of organizational systems.
  • Eliminate unnecessary services and functionality.
  • Standardize secure system configurations.
  • Prevent unauthorized access.
  • Support regulatory and compliance requirements.
  • Improve system resilience against cyber threats.
  • Establish accountability for configuration management.
  • Reduce configuration-related vulnerabilities.

5. Definitions

Baseline Configuration

A documented set of approved security settings established for a system, device, application, or service.

Hardening

The process of reducing security risks by removing unnecessary functionality and implementing secure settings.

Configuration Drift

Unauthorized or unapproved deviation from an approved baseline configuration.

Production Environment

Systems actively supporting business operations and users.

Secure Configuration Standard

A documented set of approved security requirements for a specific technology platform.

6. Roles and Responsibilities

Executive Management

Responsible for:

  • Supporting secure configuration initiatives
  • Providing necessary resources
  • Approving security policies

Information Security Team

Responsible for:

  • Developing baseline standards
  • Reviewing configuration requirements
  • Monitoring compliance
  • Conducting assessments

IT Department

Responsible for:

  • Implementing secure configurations
  • Maintaining configuration documentation
  • Correcting configuration weaknesses
  • Managing system hardening activities

System Owners

Responsible for:

  • Ensuring systems comply with approved standards
  • Supporting remediation efforts
  • Reviewing configuration changes

Users

Responsible for:

  • Following organizational security requirements
  • Avoiding unauthorized system modifications
  • Reporting security concerns

7. Secure Baseline Configuration Requirements

All systems shall have documented baseline configurations appropriate for their function and risk level.

Baseline configurations shall:

  • Be documented
  • Be approved by management
  • Be reviewed periodically
  • Be maintained throughout the system lifecycle
  • Address applicable security risks

Baseline standards shall be developed using recognized industry guidance whenever possible.

Examples include:

  • CIS Benchmarks
  • NIST recommendations
  • Vendor security guidance
  • Industry best practices

8. Default Configuration Requirements

Vendor default configurations shall be reviewed before deployment.

The following actions shall be performed:

  • Change default passwords
  • Remove default accounts where possible
  • Disable unnecessary services
  • Disable unnecessary protocols
  • Remove unused software
  • Modify insecure default settings

Systems shall not be deployed into production with default credentials.

9. Account and Authentication Hardening

Systems shall implement secure authentication controls.

Requirements include:

  • Unique user accounts
  • Strong password requirements
  • Multi-factor authentication where applicable
  • Least privilege access
  • Account lockout protections
  • Removal of inactive accounts

Shared accounts shall be prohibited unless explicitly approved.

10. Operating System Hardening

Operating systems shall be configured to reduce security risks.

Hardening activities may include:

  • Removal of unnecessary software
  • Disabling unused services
  • Disabling unnecessary ports
  • Enabling host-based firewalls
  • Applying security updates
  • Enabling logging and auditing
  • Restricting administrative privileges

Security settings shall be aligned with approved baseline standards.

11. Server Hardening

Servers shall be configured according to approved security baselines.

Requirements include:

  • Minimal software installation
  • Removal of unnecessary services
  • Restricted administrative access
  • Secure remote management
  • Logging and monitoring
  • Malware protection where appropriate
  • Security patching

Internet-facing servers shall receive additional security review.

12. Workstation Hardening

Workstations shall be configured using approved baseline standards.

Requirements include:

  • Endpoint protection
  • Full disk encryption
  • Automatic security updates
  • Screen lock enforcement
  • Secure browser configurations
  • Restricted administrative rights

Users shall not disable security controls without authorization.

13. Mobile Device Hardening

Mobile devices accessing organizational resources shall implement:

  • Device encryption
  • Password or PIN protection
  • Automatic lock settings
  • Mobile device management controls where applicable
  • Remote wipe capability
  • Current operating system versions

Lost or stolen devices shall be reported immediately.

14. Network Device Hardening

Network devices shall be securely configured.

Requirements include:

  • Removal of default credentials
  • Secure management protocols
  • Configuration backups
  • Access restrictions
  • Logging and monitoring
  • Timely firmware updates

Insecure management protocols shall be disabled whenever possible.

15. Wireless Network Security

Wireless networks shall be configured using secure settings.

Requirements include:

  • WPA3 preferred
  • WPA2 Enterprise minimum
  • Strong authentication
  • Segregation of guest networks
  • Encryption of wireless communications
  • Periodic security reviews

Open wireless networks shall not be used for business operations.

16. Firewall and Security Appliance Hardening

Firewalls and security appliances shall follow secure configuration standards.

Requirements include:

  • Deny-by-default rule sets
  • Regular rule reviews
  • Logging enabled
  • Administrative access restrictions
  • Secure management protocols
  • Backup configurations

Unnecessary firewall rules shall be removed.

17. Database Hardening

Databases shall be configured to protect organizational data.

Requirements include:

  • Strong authentication
  • Encryption where required
  • Removal of default accounts
  • Restricted administrative access
  • Audit logging
  • Timely patching

Access shall be limited to authorized users and applications.

18. Application Hardening

Applications shall be securely configured before deployment.

Requirements include:

  • Removal of default credentials
  • Secure session management
  • Secure authentication controls
  • Restriction of unnecessary features
  • Logging and monitoring
  • Secure configuration of integrations

Applications shall follow secure development and deployment standards.

19. Cloud Service Hardening

Cloud resources shall be configured using approved security baselines.

Requirements include:

  • Least privilege access
  • Multi-factor authentication
  • Logging and monitoring
  • Encryption where appropriate
  • Secure storage configurations
  • Network segmentation where applicable

Cloud configurations shall be reviewed regularly.

20. Logging and Monitoring

Systems shall generate logs sufficient to support:

  • Security monitoring
  • Incident investigations
  • Compliance reviews
  • Operational troubleshooting

Logging shall be enabled for:

  • Authentication events
  • Administrative activities
  • Configuration changes
  • Security events
  • Access control events

Logs shall be protected from unauthorized modification.

21. Configuration Change Management

Configuration changes shall follow approved change management procedures.

Changes shall:

  • Be documented
  • Be reviewed when appropriate
  • Be tested prior to implementation
  • Be approved by authorized personnel
  • Be recorded for audit purposes

Unauthorized configuration changes are prohibited.

22. Vulnerability Management

Systems shall be periodically assessed for:

  • Configuration weaknesses
  • Missing security settings
  • Insecure services
  • Misconfigurations
  • Unauthorized changes

Identified issues shall be remediated according to organizational risk management procedures.

23. Configuration Compliance Reviews

Periodic reviews shall be conducted to verify compliance with approved baselines.

Reviews may include:

  • Configuration audits
  • Vulnerability scans
  • Security assessments
  • Automated compliance monitoring
  • Manual inspections

Findings shall be documented and addressed.

24. Exceptions

Exceptions to this policy must:

  • Be documented
  • Include business justification
  • Include risk assessment
  • Be approved by management
  • Be reviewed periodically

Temporary exceptions shall include an expiration date.

25. Enforcement

Violations of this policy may result in:

  • Removal of system access
  • Disciplinary action
  • Contract termination
  • Legal action where appropriate

26. Review and Maintenance

This policy shall be reviewed:

  • At least annually
  • Following major technology changes
  • Following security incidents
  • Following regulatory changes

Updates shall be approved by executive management.

27. Related Policies

  • Information Security Policy
  • Access Control Policy
  • Change Management Policy
  • Vulnerability Management Policy
  • Patch Management Policy
  • Endpoint Security Policy
  • Network Security Policy
  • Incident Response Policy

28. Policy Approval

Policy Owner: Information Security Manager

Approved By: Executive Management

Effective Date: __________________

Review Date: __________________

Version: 1.0