Services: Configuration Review
Goal
Identification of incorrect and inefficient settings in established configurations.
Initial Situation
The customer provides all configuration settings of the target system and, optionally, the corresponding documentation (user manuals, hardening guides, etc.).
Approach
- Parsing: Dissection of individual configuration settings and attributes.
- Evaluation: Assessment and evaluation of each configuration setting.
- Auditing: Detection of inefficient and incorrect configuration settings.
Result
The customer is provided with a document that contains all discovered vulnerabilities of the tested settings. The weaknesses are tabulated, and each entry contains an individual risk assessment, technical details about the problems, and suggestions for countermeasures.
Pros and Cons
The configuration settings are the basis for the functional behavior of a system. A config review can identify, with absolute certainty, central points that a network-based analysis can detect only with significant effort. These tests are therefore complementary to classic network scans and penetration tests.
Reference Example
Configuration Review Reverse Proxy: A large Swiss financial institution secures exposed services (almost 1000 items) through a granularly configured reverse proxy. We were able to read this huge data volume through custom-made parsing modules. Thanks to this database-driven approach we were able to make a subsequent assessment of the configuration settings. In addition, simulations could be implemented to directly illustrate changes and their consequences. Just like the aforementioned financial institution, many customers request a periodic vertical redundancy check of their current configuration settings. Delta and trend analyses pose no problem for us.



