Last year, a Fortune 500 company traced a ransomware intrusion back to a single server running an unrestricted PowerShell execution policy and an open SMBv1 port—both settings that a proper security baseline would have eliminated on day one. The uncomfortable truth is that most breaches don't exploit zero-days; they exploit configuration neglect. Security baselines are the unglamorous, deeply effective countermeasure that separates hardened environments from soft targets.
What Is a Security Baseline?
A security baseline is a defined set of configuration standards applied uniformly across systems of a given role. It codifies decisions—what services run, what protocols are permitted, how authentication behaves—into a repeatable, auditable state. Rather than hoping every admin configures systems correctly, you enforce correctness by default.
Frameworks like CIS Benchmarks, DISA STIGs, and Microsoft Security Baselines provide vetted starting points. The key is adapting them to your environment, not blindly applying every setting.
Servers vs. Workstations: Different Threat Models, Different Baselines
Servers and workstations share an OS kernel but live in fundamentally different threat contexts. Servers face network-borne attacks, privilege escalation, and lateral movement. Workstations face phishing, browser exploits, and credential theft. Your baselines must reflect this.
Server baseline priorities:
- Minimize attack surface (disable unnecessary roles and features)
- Restrict remote access to hardened protocols
- Enforce aggressive audit logging
Workstation baseline priorities:
- Application whitelisting and execution control
- Credential theft mitigations (Credential Guard, LSA protection)
- Browser and email client hardening
Practical Implementation: Configuration Snippets
Disable SMBv1 on Windows Servers (PowerShell):
# Remove the SMB1 feature (deferred restart) and turn off the SMB1 server-side protocol
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Enforce NTLMv2-only authentication via Group Policy:
Computer Configuration → Policies → Windows Settings → Security Settings →
Local Policies → Security Options →
"Network security: LAN Manager authentication level" → "Send NTLMv2 response only. Refuse LM & NTLM"
Linux server baseline — disable unnecessary services and harden SSH (CIS-aligned):
# Disable unused services (portmapper, mDNS, printing) that most servers do not need
systemctl disable --now rpcbind avahi-daemon cups
# Harden SSH: /etc/ssh/sshd_config (validate with 'sshd -t', then reload the sshd service)
PermitRootLogin no
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
# Modern OpenSSH has dropped SSH-1 and ignores this keyword; keep it only for older hosts
Protocol 2
Enable PowerShell Constrained Language Mode on workstations (registry):
# Sets the __PSLockdownPolicy system environment variable (must be a string value to be
# exported into the environment; new sessions pick it up after logoff or reboot).
# On its own this is not a security boundary, so pair it with AppLocker or WDAC enforcement.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" `
    -Name "__PSLockdownPolicy" -Value "4" -Type String
Automating Baseline Enforcement
Manual configuration doesn't scale. Use Group Policy Objects (GPOs) for Windows domains, Ansible playbooks or Puppet manifests for Linux fleets, and Microsoft Intune or SCCM for hybrid and remote workstation management.
Ansible example — enforce file permissions baseline:
# Playbook: runs against the 'linux_servers' inventory group with privilege escalation
- hosts: linux_servers
  become: true
  tasks:
    - name: Ensure /etc/passwd permissions
      ansible.builtin.file:
        path: /etc/passwd
        owner: root
        group: root
        mode: '0644'
The real power emerges when you combine enforcement with drift detection. Tools like OSCAP (OpenSCAP), Microsoft Defender for Endpoint's baseline assessment, or Qualys Policy Compliance continuously compare live configurations against your defined baseline and flag deviations before attackers find them.
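As an added example (not code from the post), here is the drift check described above applied to the sshd_config baseline from the Linux section: it parses a constructed sshd_config the way sshd resolves it (first occurrence of a keyword wins, settings inside Match blocks excluded), substitutes the sshd_config(5) default for any keyword left unset, and returns the compliance percentage plus every deviation. The defaults table and the Match handling are my assumptions about current OpenSSH; Protocol is left out because modern OpenSSH ignores it.

```python
import re

# Baseline from the post's sshd_config snippet: keyword -> (wanted, sshd_config(5) default if unset)
SSHD_BASELINE = {
    "permitrootlogin":     ("no",  "prohibit-password"),
    "maxauthtries":        ("3",   "6"),
    "x11forwarding":       ("no",  "no"),
    "allowtcpforwarding":  ("no",  "yes"),
    "clientaliveinterval": ("300", "0"),
    "clientalivecountmax": ("2",   "3"),
}

def parse_sshd_config(text):
    """Effective global settings: lowercased keyword -> first value, as sshd resolves them."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*(?:=|\s)\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything below is conditional, not part of the global baseline
        effective.setdefault(key, value)  # first occurrence wins; later duplicates are ignored
    return effective

def check_drift(config_text, baseline=SSHD_BASELINE):
    """Return (compliance percentage, {keyword: (wanted, effective)} for every deviation)."""
    live = parse_sshd_config(config_text)
    deviations = {}
    for key, (wanted, default) in baseline.items():
        actual = live.get(key, default)  # absent keyword means sshd uses its default
        if actual.lower() != wanted.lower():
            deviations[key] = (wanted, actual)
    pct = round(100.0 * (len(baseline) - len(deviations)) / len(baseline), 1)
    return pct, deviations

# Constructed sample sshd_config (not from any real host) with three typical drift patterns:
# a wrong first value, a keyword set only inside a Match block, and a keyword left unset.
SAMPLE_CONFIG = """\
PermitRootLogin yes
# the duplicate below does NOT fix it: sshd keeps the first value
PermitRootLogin no
MaxAuthTries 3
X11Forwarding=no
ClientAliveInterval 300
Match User backup
    AllowTcpForwarding no
"""
```

Running check_drift(SAMPLE_CONFIG) reports 50.0% compliance with permitrootlogin, allowtcpforwarding and clientalivecountmax flagged; feeding it the contents of a real /etc/ssh/sshd_config gives the per-host number that rolls up into the compliance metrics below.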
Measuring Baseline Compliance
A baseline you don't measure is a baseline you don't have. Track these metrics:
- Compliance percentage per system role (target: 95%+ within 30 days of deployment)
- Mean time to remediate drift (target: under 72 hours for critical settings)
- Exception count — every exception should have a documented owner, justification, and expiration date
Report these monthly to leadership. Baselines become politically durable when they produce visible, trending metrics.
Avoiding Common Pitfalls
Don't apply DISA STIG settings wholesale to production servers without testing—you will break applications. Stand up a validation environment, apply baselines incrementally, and document every exception. Treat your baseline as living code: version-control it, review it quarterly, and update it when new vulnerabilities reshape the threat landscape.
Final Thought
Security baselines aren't glamorous. They don't make conference keynotes. But they eliminate entire categories of misconfiguration that attackers depend on. Build the baseline, automate its enforcement, measure its compliance, and you'll find that your incident response team has a lot less to respond to.
Have questions about server and workstation security baselines? I'm always happy to talk shop — reach out or connect with me on LinkedIn.