I recently spoke with Configuresoft's Technology Strategist, George Gerchow, and Vice President of Marketing, Andrew Bird, about the top ten configuration mistakes most commonly made and how to avoid them. Here is what Configuresoft provided:
1. Antivirus software: Antivirus software is worthless to an enterprise if it's not properly installed and configured. Users are also known for disabling antivirus from starting up with the OS to speed their access to corporate materials, without realizing the security ramifications. Organizations should deploy an enterprise solution that can monitor for the presence of antivirus software and ensure it's able to discover and remediate security threats.
2. Service accounts: If an incorrect account is assigned to a service, and if that account's password changes, the system prints an outage and that account becomes locked. Make sure that service accounts are consistently configured and the password is changed on a regular basis. Automating the change follows recommendations by NIST, DISA, and Microsoft Hardening Guidelines, among others.
3. Administrative and guest accounts and passwords: Servers are shipped with default passwords that are readily available from the manufacturers or online. Finding them is easy--see the following URL for an example:
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
In many cases these passwords are never changed. In addition, administrators often use the same password on multiple pieces of equipment. Rename or change server and administrative passwords from their default settings and rename and change them on a regular basis. This falls into organizational and regulatory practices. Usually, the standard is changing these every 60-90 days, including for DMZ environments.
4. Software inventory: Too often, the wrong version of software is installed and running in the corporate environment. Ensure the correct version (product key) and install source is consistent with file servers. Ensure that software on the workstations or servers were distributed from ones network rather than from a rogue CD. Validate file system settings and registry keys to ensure that software is correctly installed.
5. Event log settings: Event logs are rarely set properly; they are set with too short of a retention window and log size and are inconsistent throughout the enterprise. Ensure that they're consistently configured across the board. Auditors make sure there are 60 days of retention and that they're configured and set to keep 60 days of data.
6. Global and Local Administrator Groups: Validate who is a member of local and global admin groups, ensuring access creep or extended permissions haven't occurred. Specify members located across the board.
7. Open shares: The risk of sharing folders and permissions across the network means there's no way to track who has what rights to what shares. This should be consistently audited every 60 days to ensure organizations are following the concept of "least privilege" or need-to-know access.
8. OS levels and Service packs: Anecdotally, and based on a sampling of end-user enterprise organizations, approximately 10 out of 100 systems are mis-configured. Make sure all the OSs are at an appropriate level to follow corporate standards and note compliance exceptions.
9. Patch management: Any large enterprise is usually a month behind on patches; there are always systems that are mis-configured with incorrect patch levels. Use due care in verifying every last DLL and registry key change to help meet Service Level Agreements (SLAs) and failed patch reports.
10. Change Rollback: Understand the unplanned, undesired changes; centralize automated and audited change rollbacks. From registry key changes to patch deployment and service settings, mitigate undesired and out of band changes. Patch rollback.
