
Mastering Secure Configuration: From Setup to Certification

Learn how to implement secure configuration practices that will help you pass your Cyber Essentials assessment and genuinely improve your organisation's security posture.

What is Secure Configuration?

Secure configuration means establishing secure baseline settings for all devices and software systems, removing unnecessary functionality, and maintaining these configurations over time. It is one of the five technical controls assessed in Cyber Essentials certification. In practice the scheme asks you to remove or disable unnecessary user accounts and software, change default or guessable passwords, disable auto-run, and make sure devices require authentication before they can be used.

Why Secure Configuration Matters

Secure configuration is often called the foundation of cybersecurity because it addresses the most basic question: "Are your systems set up securely?" Many cyber attacks succeed not because of sophisticated hacking techniques, but because systems are left with insecure default settings.

Default configurations are designed for ease of use and broad compatibility, not security. Vendors typically enable features that make initial setup simple, but these same features can create vulnerabilities. Secure configuration involves changing these defaults to prioritise security over convenience.

The Cyber Essentials Approach

Cyber Essentials is deliberately a baseline rather than a full hardening standard: it specifies the small set of configuration requirements that block the most common, untargeted attacks, and it expects organisations to meet them in a practical, achievable way. Going further is sensible, but the certification assesses the baseline.

Key Principles

  • Remove unnecessary functionality: Disable or remove features, services, software and user accounts that aren't needed
  • Change default settings: Modify default configurations to more secure alternatives
  • Apply security templates: Use established security baselines and configuration guides
  • Regular review: Periodically audit and update configurations as needed
  • Document everything: Maintain records of configuration decisions and changes

Configuration Areas to Address

Operating System Hardening

  • Disable unnecessary services and features
  • Configure secure boot and UEFI settings
  • Enable built-in firewalls and security features
  • Set appropriate user account control levels
  • Configure secure password policies

Application Security

  • Remove unused applications and components
  • Configure secure default settings
  • Disable unnecessary network services
  • Enable automatic security updates
  • Configure secure communication protocols

Network Configuration

  • Disable unnecessary network protocols
  • Configure secure wireless settings
  • Implement network access controls
  • Secure remote access configurations
  • Enable network monitoring and logging

Step-by-Step Implementation

1. Inventory Your Systems

Before you can secure your configurations, you need to know what you have. Create a comprehensive inventory of all devices, operating systems, and applications in your organisation. Include:

  • Desktop and laptop computers
  • Servers and virtual machines
  • Mobile devices and tablets
  • Network equipment (routers, switches, access points)
  • IoT devices and smart equipment
  • Software applications and services

2. Establish Security Baselines

For each type of system in your inventory, establish a security baseline. These are standardised, secure configurations that all similar systems should follow. Use established guides such as:

  • NCSC device guidance and security configuration guides
  • CIS (Center for Internet Security) benchmarks
  • Vendor-specific security hardening guides
  • Industry-specific security standards

3. Implement Configurations

Apply your security baselines systematically across all systems. For efficiency and consistency, consider using automation tools where possible:

  • Group Policy for Windows environments
  • Mobile Device Management (MDM) for smartphones and tablets
  • Configuration management tools for servers
  • Network device management platforms

4. Document and Monitor

Maintain comprehensive documentation of your security configurations and implement monitoring to detect unauthorised changes:

  • Configuration documentation and change logs
  • Regular configuration audits and compliance checks
  • Automated monitoring for configuration drift
  • Incident response procedures for unauthorised changes
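The monitoring part of step 4 is the one most often left as a good intention, so here is a minimal version of it as an added example (it is not tooling from this page or from the Cyber Essentials scheme). The script hashes every configuration file under a root, stores the result as a JSON baseline, and on a later run reports files that were added, removed or modified. The directory tree, file contents and the choice of which filenames count as "configuration" are all constructed for the example.

```python
"""Minimal configuration-drift monitor (added example; not tooling from the page).

Builds a content hash of every configuration file under a root, stores it as a
JSON baseline, and later reports files that were added, removed or modified.
The directory tree and file contents in demo() are constructed for this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CONFIG_PATTERNS = ("sshd_config", "*.conf")  # assumption: what counts as "configuration"


def snapshot(root: Path, patterns=CONFIG_PATTERNS) -> dict:
    """Return {relative_posix_path: sha256_hex} for each matching file under root."""
    state = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            if path.is_file():
                state[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify drift relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(state: dict, path: Path) -> None:
    # Keep the real baseline somewhere an attacker on the host cannot rewrite it
    # (central store, signed, or at least off-box); a local file is only for the demo.
    path.write_text(json.dumps(state, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Baseline a constructed /etc-like tree, simulate unauthorised changes, report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "sysctl.conf").write_text("net.ipv4.ip_forward = 0\n")
        (root / "rsyslog.conf").write_text("*.* @@logs.example.internal:6514\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated drift: SSH weakened, log forwarding removed, an unexpected file added.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication yes\n")
        (root / "rsyslog.conf").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "unexpected.conf").write_text("# not in the baseline\n")

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash comparison tells you that something changed, not whether the new state is still compliant, so pair it with a baseline check of the actual values, and treat any change that did not go through change management as an incident to investigate rather than noise to re-baseline.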

Common Mistakes and How to Avoid Them

Using default passwords

Impact: Leaves systems vulnerable to immediate compromise

Solution: Change all default credentials and implement strong password policies

Leaving unnecessary services enabled

Impact: Increases attack surface and potential vulnerabilities

Solution: Audit and disable all non-essential services and features

Inconsistent configuration across devices

Impact: Creates security gaps and compliance issues

Solution: Implement standardised configuration baselines and automated deployment

Not documenting configurations

Impact: Makes maintenance and auditing difficult

Solution: Maintain comprehensive configuration documentation and change logs

Platform-Specific Guidance

Windows Systems

Microsoft provides extensive security guidance for Windows systems. Key areas include:

  • Enable Microsoft Defender Antivirus with real-time protection (or your chosen endpoint protection product)
  • Configure User Account Control (UAC) so that administrators are prompted to elevate and standard users cannot
  • Disable unnecessary Windows features, services and legacy protocols (for example SMBv1)
  • Apply Microsoft security baselines from the Security Compliance Toolkit
  • Configure Windows Firewall with appropriate rules for the domain, private and public profiles
  • Enable BitLocker encryption for data protection

macOS Systems

Apple systems also require security configuration attention:

  • Enable FileVault full disk encryption
  • Verify System Integrity Protection (SIP) is enabled; it is on by default, so treat a disabled state (csrutil status) as a finding
  • Keep Gatekeeper enabled; XProtect runs automatically as long as Apple's background security updates are left on
  • Use Startup Security Utility to enforce secure boot and, on Intel Macs, set a firmware password (Apple silicon Macs protect recovery with user credentials instead)
  • Disable unnecessary sharing services (Screen Sharing, File Sharing, Remote Login)
  • Apply CIS benchmarks for macOS

Linux Systems

Linux systems offer extensive configuration options:

  • Disable unnecessary services and daemons (systemctl disable --now)
  • Configure a host firewall with nftables, or via front-ends such as firewalld or ufw; iptables is the legacy interface
  • Implement mandatory access controls (SELinux/AppArmor) and keep them in enforcing mode
  • Configure secure SSH settings (key-based authentication, no root login, limited authentication attempts)
  • Apply CIS benchmarks for your Linux distribution
  • Enable audit logging (auditd) and forward logs to central monitoring

Mobile Device Configuration

With the rise of remote work, mobile device security has become crucial:

Essential Mobile Security Settings

  • Require device lock screens with strong authentication
  • Enable automatic device encryption
  • Configure remote wipe capabilities
  • Restrict app installation sources
  • Enable automatic security updates
  • Configure email and data access policies

Mobile Device Management (MDM)

For organisations with multiple mobile devices, MDM solutions provide centralised configuration management:

  • Microsoft Intune for mixed environments
  • Jamf Pro for macOS and iOS devices
  • Google Workspace for Android and Chrome devices
  • VMware Workspace ONE for enterprise environments

Network Device Configuration

Network equipment forms the foundation of your security perimeter and requires careful configuration:

Router and Firewall Settings

  • Change default administrative passwords
  • Disable unnecessary network services
  • Configure secure management protocols (HTTPS, SSH)
  • Enable logging and monitoring
  • Implement network access controls
  • Regular firmware updates and security patches
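The router and firewall list above turns into a repeatable check once you treat the device's running-config as text to audit. Below is an added example (not vendor tooling and not from this page) that parses a Cisco IOS-style running-config and flags default credentials, default SNMP community strings, HTTP and telnet management, cleartext line passwords and missing remote logging. Both configs are constructed samples, and the checks are my assumptions about a sensible baseline; adapt the syntax and rules to your own platform.

```python
"""Check a network device running-config for insecure management settings
(added example; not vendor tooling). SAMPLE_CONFIG and HARDENED_CONFIG are
constructed in Cisco IOS-style syntax; the checks are assumptions about what a
sensible baseline requires and should be adapted to your platform.
"""
import re

WEAK_PASSWORDS = {"cisco", "admin", "password", "changeme"}  # assumption: extend with vendor defaults
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_sections(text: str) -> tuple:
    """Split into top-level lines and {section header: [indented sub-lines]}."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_device_config(text: str) -> list:
    """Return a list of human-readable findings; an empty list means the baseline passed."""
    top, sections = parse_sections(text)
    all_lines = top + [l for sub in sections.values() for l in sub]
    findings = []

    # Default or weak credentials on enable, console and vty lines
    for line in all_lines:
        m = re.match(r"(?:enable password|password)\s+(\S+)$", line)
        if m and m.group(1).lower() in WEAK_PASSWORDS:
            findings.append(f"default or weak credential: '{line}'")
    if any(l.startswith("enable password") for l in top) and not any(l.startswith("enable secret") for l in top):
        findings.append("'enable password' used without 'enable secret' (reversible or cleartext storage)")

    # Default SNMP community strings
    for line in top:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string: '{line}'")

    # Unnecessary or insecure services
    if "ip http server" in top:
        findings.append("HTTP management enabled; use 'no ip http server' and HTTPS only")
    if "no service password-encryption" in top:
        findings.append("line passwords stored in cleartext ('no service password-encryption')")

    # Management protocol on terminal lines
    for name, sub in sections.items():
        if name.startswith("line vty"):
            for line in sub:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(f"{name}: telnet permitted ('{line}'); use 'transport input ssh'")

    # Logging to a remote collector (assumption: an IPv4 syslog host is required)
    if not any(re.match(r"logging(?: host)? \d+\.\d+\.\d+\.\d+", l) for l in top):
        findings.append("no remote syslog destination ('logging host <collector>')")
    return findings


SAMPLE_CONFIG = """\
! constructed running-config for this example
hostname edge-rtr
enable password cisco
no service password-encryption
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
 password cisco
line con 0
 password cisco
"""

HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 9 $9$examplehash
no ip http server
ip http secure-server
snmp-server community Xk9v2Qe1 RO 10
logging host 10.20.0.5
line vty 0 4
 transport input ssh
 login local
line con 0
 login local
"""

if __name__ == "__main__":
    for finding in audit_device_config(SAMPLE_CONFIG):
        print("FAIL", finding)
    print("hardened findings:", audit_device_config(HARDENED_CONFIG))
```

Run this against configs pulled on a schedule (or committed to version control by your network management platform) and the wireless list that follows can be handled the same way: each bullet becomes a line pattern to require or forbid, and a failing pattern becomes a ticket rather than something spotted by chance during the annual review.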

Wireless Network Security

  • Use WPA3 encryption (or WPA2 if WPA3 unavailable)
  • Disable WPS (Wi-Fi Protected Setup)
  • Change default network names (SSIDs)
  • Implement guest network isolation
  • Enable wireless intrusion detection
  • Regular review of connected devices

Maintaining Secure Configurations

Secure configuration isn't a one-time activity. It requires ongoing attention and maintenance:

Regular Review Process

  • Monthly: Review new devices and applications for secure configuration
  • Quarterly: Audit existing configurations against security baselines
  • Annually: Comprehensive review and update of security baselines
  • As needed: Configuration updates following security incidents or new threats

Change Management

Implement a formal change management process for configuration modifications:

  • Require approval for configuration changes
  • Test changes in non-production environments first
  • Document all changes with rationale and rollback procedures
  • Monitor systems after changes for unexpected behaviour

Preparing for Cyber Essentials Assessment

When preparing for your Cyber Essentials assessment, the self-assessment questionnaire (and, for Cyber Essentials Plus, the assessor's technical verification of a sample of your devices) will look for evidence that you have:

  • Implemented security configurations appropriate for your environment
  • Documented your configuration standards and procedures
  • Established processes for maintaining and updating configurations
  • Demonstrated that configurations are applied consistently across similar systems
  • Shown evidence of regular review and updates to security settings

Assessment Tip

Don't try to implement every possible security configuration. Focus on the most important settings that provide genuine security benefits for your organisation. Assessors prefer practical, well-implemented security over comprehensive but poorly maintained configurations.

Getting Started

If secure configuration seems overwhelming, start with the basics and build gradually:

  1. Inventory: List all your systems and their current configurations
  2. Prioritise: Focus on internet-facing systems and those handling sensitive data first
  3. Research: Find appropriate security baselines for your key systems
  4. Implement: Apply configurations systematically, testing as you go
  5. Document: Record what you've done and why
  6. Monitor: Set up processes to detect and respond to configuration changes

Remember, secure configuration is about making your systems harder to attack while maintaining their functionality for legitimate business purposes. The goal is practical security, not theoretical perfection.
