How do I create my security baseline in configurations?
Your baseline defines what security checks your organization wants to fulfill per benchmark. It is a subset of all the checks that Nanitor offers. Upon installation, Nanitor ships with a best practice baseline based on PCI-DSS compliance standards and Nanitor recommendations. You may want to customize your baseline, i.e. add or remove checks from your baseline.
To view all the rules in the benchmark, go to Configurations and select the benchmark. The example shown below is the Windows 10 benchmark, which currently has 86 rules in the baseline (out of 278).
To view all the benchmark rules available (not only ones in baseline), ensure that the “In Baseline” filter is deselected.
You can then go through all the checks, click on each rule to evaluate it, and see your current status with respect to each check. For example, you might want a stricter account lockout policy using the 15-minute duration recommended by CIS (rather than the 30 minutes recommended by PCI and Nanitor).
To add the rule (here 1.2.1) to the baseline, click on the rule, which brings up a dialog as shown below. Then:
- Check the “In baseline” checkbox
- And enter an explanation in the comment
To save the changes, scroll down and click “Save and Close”, or cancel if you decide not to go ahead with the changes:
When you make changes to the baseline, a popup appears at the bottom of the window prompting you to save the baseline. We recommend that you finish all the changes you are planning to make at that time before saving the baseline. Once the baseline has been saved, it goes live and scores are recalculated.
Similarly, to remove a rule, uncheck the “In Baseline” checkbox, enter an explanation, and then save the changes.
Finally, click on the Save Baseline button to make the changes go live.
After the baseline is saved, we can clearly see the changes: the stricter account lockout duration policy is now in the baseline:
Our recommendation is to use our out-of-the-box policy as a starting point and harden your systems to fulfill those policies, modifying the baseline as needed. Going forward, we recommend going through the rich set of available checks and continuously reviewing your baseline, adding checks that make sense for your improved security.