A recent Linux.com article highlights how important configuration is to security. Many times, when I’m visiting a site and I ask if they have a configuration standard, or kickstart, or build image, I get blank stares. Many companies do not have a configuration standard – whether merely a document or otherwise. This standard is useful in two ways: 1) to set up the system initially, and 2) to document how the system is configured for later reference (change management comes into play here as well). It also frees non-security-minded IT folks from having to think about it all the time – most IT folks are not as paranoid as security folks. We actively look for holes in things, not just whether something will meet user requirements or not. The security folks can review the configuration standard on a regular basis to make sure that security requirements are met as well, and let the “regular” IT folks worry about user requirements.