What is configuration review? | nFlo Blog

Security configuration review: The underestimated foundation of cyber resilience


In discussions about security testing, most attention is paid to vulnerability scanning and penetration testing. These are extremely important activities that allow us to find “holes” in the walls of our digital fortress. However, there is another, often overlooked but equally critical discipline that can be compared to a detailed technical inspection of the building itself. We can have walls without any cracks, but so what if the electrical system threatens to catch fire, the gas system is leaky, and the door locks are installed upside down? That “installation inspection” is the security configuration review.

It’s a methodical process of verifying that servers, network devices, cloud services and applications are configured securely and in accordance with industry best practices. While a vulnerability scanner asks “do you have outdated software?”, a configuration review asks “is your modern software set up in a secure way?”. It’s a proactive, foundational practice that eliminates entire classes of threats at the very source, drastically reducing the attack surface and strengthening the foundation upon which your entire cyber security strategy rests.

What is a security configuration review and why is it so often overlooked?

Security Configuration Review is a form of technical audit that aims to assess in detail the settings and configuration parameters of an IT system against a defined, secure baseline standard. Unlike a dynamic penetration test, it is a largely static “white-box” analysis in which the auditor, often in collaboration with the administrator, has a full view of configuration files, system settings and policies.

This activity is often overlooked for several reasons. First, it is less “spectacular” than penetration testing. Finding a critical bug in a firewall configuration may not sound as exciting as “taking control of a server,” but in practice it can prevent hundreds of such takeovers in the future.

Second, it requires deep, specialized knowledge of a specific technology. An effective review of a Linux server configuration requires a different skill set than auditing an AWS cloud environment or a next-generation firewall. Third, many organizations lack formal standards and baseline configurations to refer to, making evaluation subjective.


How is a configuration review different from a vulnerability scan and a penetration test?

While all three measures aim to improve security, each answers a different question and explores a different aspect.

Vulnerability scanning answers the question, “Is there a known, patchable software vulnerability in my system?” It mainly focuses on software versions and missing patches. The scanner will tell you that you are running an outdated version of the Apache server affected by vulnerability CVE-2025-1234.

A penetration test answers the question, “Can any of the existing weaknesses (a software vulnerability, a logic error, a configuration error) be exploited in practice by an attacker to achieve a specific goal?” The focus is on exploitation. A pentester will try to actively exploit the CVE-2025-1234 vulnerability to demonstrate that it allows an attacker to take control of a server.

The configuration review answers the question, “Is my system, regardless of software version, built and configured according to best security practices?” It focuses on hardening. Even if the Apache server is on the latest version, the auditor will check hundreds of other settings: whether unneeded or unsafe modules have been disabled, whether strong TLS cipher suites are being used, whether file permissions are configured correctly.


Why is the default configuration “straight out of the box” one of the biggest risks?

Hardware and software manufacturers design their products to be as easy to launch and use as possible for the widest possible audience. This goal – maximum usability – is often in direct conflict with the goal of maximum security.

The default “straight out-of-the-box” configuration is usually the most liberal and open. All possible services and functions are running (even those you will never use), default ports are open, and passwords for administrative accounts are simple and publicly known (e.g., “admin/admin”). The manufacturer assumes that it is the administrator who, after the first launch, will customize the configuration and secure it.

Unfortunately, in the rush of daily responsibilities, this second, crucial step is very often overlooked. Deploying systems in their default configuration is like leaving a door open and turning on the light for burglars. The configuration review and hardening process is precisely the methodical and systematic closing of those “doors” that the manufacturer has left open for our convenience.

Typical configuration errors and their consequences

| Area | Configuration error (example) | Potential risk |
| --- | --- | --- |
| Windows Server | Using a local administrator account with the same name and password on multiple servers. | Facilitates an attacker’s lateral movement using “Pass the Hash” techniques. |
| Network device | Leaving the default password for the administration panel, or leaving an unsecured management protocol (e.g. Telnet) enabled. | Full takeover of the device, with the ability to eavesdrop on and redirect all network traffic. |
| Cloud service (e.g. AWS S3) | Configuring the storage bucket as publicly accessible (“public read”) to “facilitate” application access. | Leak of all data stored in the bucket, available to anyone who knows its URL. |
| Database | The application service account has database administrator privileges (e.g. db_owner). | A SQL injection vulnerability in the application can allow an attacker to delete the entire database or steal all the data. |

What role do standards such as CIS Benchmarks play in configuration review?

Conducting a configuration review based on an auditor’s subjective “sense of security” is ineffective and unreliable. To be objective, repeatable and comprehensive, the process must be based on recognized, external standards.

The world’s most important and respected collection of such standards are the CIS Benchmarks, published by the Center for Internet Security (CIS). These are extremely detailed, several-hundred-page “hardening guides” for more than 100 different technologies. Each benchmark contains hundreds of specific, verifiable configuration recommendations, along with detailed risk descriptions, implementation instructions and impact assessments.

There are huge benefits to using CIS Benchmarks as a basis for configuration review:

  • Comprehensiveness: Provides assurance that no important aspect of the configuration has been overlooked.
  • Objectivity: the evaluation is not based on opinion, but on a comparison with a globally recognized standard.
  • Prioritization: Benchmarks often divide recommendations into levels (Level 1 – basic, Level 2 – for high-security environments), making it easier to prioritize actions.
  • Proof of due diligence: Demonstrating compliance with CIS Benchmarks is a strong argument in discussions with auditors, insurers and regulators.

What is “configuration drift” and how can it be controlled?

Even if we “harden” all our systems one time according to best practices, there is no guarantee that they will remain in this secure state forever. In a dynamic IT environment, administrators, in a rush to solve day-to-day problems, often make temporary configuration changes (“I’ll just open this port on the firewall for a while to check something…”), forgetting to undo them later. Over time, the sum of these small, undocumented changes leads to the phenomenon of configuration drift.

Configuration drift is the gradual and uncontrolled departure of a system’s actual configuration from its original secure baseline. It is a silent enemy of security that slowly and imperceptibly opens new vulnerabilities.

Combating this requires two key actions. First, automate configuration management with Infrastructure as Code (IaC) tools such as Ansible, Puppet or Group Policy. Defining the configuration in code and enforcing it automatically on a regular basis prevents manual, unauthorized changes from persisting. Second, implement continuous compliance monitoring, for example through Cloud Security Posture Management (CSPM) platforms in the cloud, which constantly compare the current configuration to the desired state and alert you to any deviation.
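The baseline comparison described here (and the hardening checks and Level 1/Level 2 prioritization discussed earlier) can be reduced to a small, repeatable check. The following is an added example, not code from nFlo or from any CIS Benchmark: it parses an OpenSSH sshd_config, judges each setting against a constructed CIS-style baseline (evaluating the vendor default when a keyword is absent, which is how out-of-the-box settings get caught), and reports drift between an approved snapshot and the live file. The baseline rules, sample files and rule levels are assumptions for illustration; the OpenSSH defaults are those documented in sshd_config(5).

```python
import re
from collections import namedtuple

# Rule: sshd keyword, the OpenSSH default applied when it is absent,
# level (1 = basic hardening, 2 = high-security), predicate the effective value must pass.
Rule = namedtuple("Rule", "key default level ok")

# Constructed baseline in the spirit of a CIS-style hardening guide (not an actual CIS Benchmark).
BASELINE = [
    Rule("PermitRootLogin", "prohibit-password", 1, lambda v: v == "no"),
    Rule("PermitEmptyPasswords", "no", 1, lambda v: v == "no"),
    Rule("X11Forwarding", "no", 1, lambda v: v == "no"),
    Rule("MaxAuthTries", "6", 1, lambda v: v.isdigit() and int(v) <= 4),
    Rule("PasswordAuthentication", "yes", 2, lambda v: v == "no"),
]

def parse_sshd_config(text):
    """Map lowercased keyword -> value. As in sshd, the first occurrence of a keyword
    wins, and parsing stops at a Match block because its settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def review(config, baseline=BASELINE):
    """(level, keyword, effective_value, source) for every failed rule, Level 1 first.
    A missing keyword is not skipped: its vendor default is judged, so out-of-the-box
    settings are reported rather than silently passed."""
    findings = []
    for rule in baseline:
        explicit = config.get(rule.key.lower())
        value = rule.default if explicit is None else explicit
        if not rule.ok(value.lower()):
            findings.append((rule.level, rule.key, value, "default" if explicit is None else "explicit"))
    return sorted(findings)

def drift(approved, current):
    """Keywords whose value differs from the approved snapshot: {kw: (old, new)}; None = absent."""
    return {k: (approved.get(k), current.get(k))
            for k in set(approved) | set(current) if approved.get(k) != current.get(k)}

# Constructed samples: the approved hardened file, and the live file after an undocumented
# "temporary" edit (sshd ignores the second PasswordAuthentication line: first occurrence wins).
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\nMaxAuthTries 3\n"
LIVE = "PermitRootLogin no\nPasswordAuthentication yes\nPasswordAuthentication no\nMaxAuthTries 3\n"
```

Running `review(parse_sshd_config(LIVE))` reports the re-enabled password login as a Level 2 finding, while `review({})` on an empty (out-of-the-box) file reports the weak defaults; `drift(parse_sshd_config(HARDENED), parse_sshd_config(LIVE))` shows both the changed value and the dropped X11Forwarding line.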


How does nFlo perform specialized configuration reviews and help implement hardening?

At nFlo, we view configuration review and hardening as a proactive, fundamental part of building cyber resilience. Our services in this area are designed to provide clients with not just a report, but real, measurable improvements in the security of their critical systems.

We offer specialized Configuration Review services for a wide range of technologies. Our experienced engineers and auditors conduct an in-depth configuration review based on CIS Benchmarks standards and our years of experience:

  • Operating systems (Windows Server, Linux).
  • Network devices and firewalls from leading manufacturers.
  • Public cloud services (Microsoft Azure, AWS, Microsoft 365).
  • Database and application servers.

The result of the audit is a detailed report indicating deviations from best practices, along with a prioritized list of corrective recommendations. Most importantly, we do not leave our clients with the report alone. Our engineering team actively supports the hardening implementation process. We help create secure baseline images of systems (“golden images”), reconfigure devices and implement automated configuration management mechanisms that prevent “drift” and ensure that a secure state is maintained over the long term.

About the author:
Justyna Kalbarczyk

Justyna is a versatile specialist with extensive experience in IT, security, business development, and project management. As a key member of the nFlo team, she plays a commercial role focused on building and maintaining client relationships and analyzing their technological and business needs.

In her work, Justyna adheres to the principles of professionalism, innovation, and customer-centricity. Her unique approach combines deep technical expertise with advanced interpersonal skills, enabling her to effectively manage complex projects such as security audits, penetration tests, and strategic IT consulting.

Justyna is particularly passionate about cybersecurity and IT infrastructure. She focuses on delivering comprehensive solutions that not only address clients' current needs but also prepare them for future technological challenges. Her specialization spans both technical aspects and strategic IT security management.

She actively contributes to the development of the IT industry by sharing her knowledge through articles and participation in educational projects. Justyna believes that the key to success in the dynamic world of technology lies in continuous skill enhancement and the ability to bridge the gap between business and IT through effective communication.