What is Configuration Review?
Configuration reviews help ensure that servers and network devices are securely configured, and alert you to errors and misconfigurations. While vulnerability assessments and penetration testing provide an analysis from an external point of view, configuration reviews provide an in-depth view from within your servers and network devices. A configuration review aims:
- To detect insecure configurations in the server operating system and commonly used software.
- To detect insecure configurations in the operating system of network and security devices.
- To detect insecure configurations in the operating system of end user computers.
Configuration Review Process
- Run scanning tools or conduct a manual review to detect potential misconfigurations.
- Perform manual verification to confirm the validity of detected misconfigurations.
- Analyze issues against best practices and recommend corrective action.
- Verify whether previously detected issues have been fixed adequately.
Frequently Asked Questions
How do you perform the configuration analysis?
For target systems supported by our scanning tools, there are two options depending on the specific product:
- Direct network access: Our scanning tools must be able to access the target system over the network. This may require physical onsite access or remote access (e.g. VPN). Administrative access is required to extract the configuration. We will require either a test administrator account, or that your administrator enter their credentials into the tool during the scan.
- Configuration export: Our scanning tool can import configuration files from some specific products for offline analysis.
For target systems not supported by our scanning tools, we will arrange a screen-sharing session with your administrator and review the configuration parameters via the system administrative interface.
What best practices do you use?
We adopt the CIS Benchmarks from the Center for Internet Security where available; otherwise we use the Security Technical Implementation Guides (STIGs) from the U.S. Defense Information Systems Agency (DISA) or the security guidelines published by the product vendor.
What if I have my own configuration standards?
We can conduct the review based on your standards, provided that the configuration parameters are specific and unambiguous.
What tools do you use?
We use both commercial and open source tools, including Tenable Nessus Pro and the Microsoft Security Compliance Toolkit, among others.