
Change and Configuration Management Best Practices Guide

Systems are constantly changing. Change and configuration management best practices allow organizations to keep track of configuration changes in a way that allows for rapid feature updates without any service outages, but many organizations struggle to find the ideal formula to make this process successful.

So, what are the best practices in change and configuration management? There are a lot of best practices in this space, but we recommend you follow these five essential steps to get the most out of your change and configuration management strategy:

Step 1: Adopt an IT Framework for Change Control Processes

Adopting a trusted security framework will ensure that you are implementing IT infrastructure best practices and streamlining your IT services. Such a framework should act as a roadmap that ensures a changing IT estate changes in an approved, intended, and secure fashion. There are several frameworks to choose from; ITIL and COBIT are two examples.

Researching these frameworks will help an organization determine which best suits its IT environment. A strictly enforced change control process is the foundation of your defense, not only against malicious activity but also against misconfiguration incidents. Having a change control process in place reduces the likelihood of a breach, reduces the time needed to detect a breach, and minimizes the damage a breach would cause.

Step 2: Adopt a Well-Known Hardening Standard such as CIS or NIST

You’ll want to incorporate a system hardening standard in your IT environments, such as the Center for Internet Security’s CIS Benchmarks or NIST guidance. System hardening is the process of securing a system’s configuration and settings to reduce vulnerabilities and the possibility of compromise. It does this by reducing the attack surface that attackers continuously try to exploit for malicious purposes.

Creating a secure and compliant state for all IT systems, and combining that with ongoing, context-based change control and baseline management, ensures that systems remain in a secure and compliant state at all times.

Step 3: Get to Know Your Applications in the Environment – Baseline, Record, Review, and Document Changes

  • Baseline: Taking a baseline of every system in the environment gives the tools you work with a starting point for comparing any future changes to those systems. This applies not only to files and applications but also to the system’s security and configuration policies. Establishing a ‘Gold Standard’ image/baseline that you can apply to your systems, and then monitoring them for configuration drift, makes remediation or reversion much easier whenever it is required.
  • Record: Ensure that the changes being made, and the baselines they are measured against, are recorded for auditing and forensic purposes. It is crucial that patches, configuration changes, file changes, account changes and registry changes are monitored in real time. Long intervals between scans could allow changes that occur between scanning periods to go unnoticed. Recording changes to your systems in real time also helps with changes made during troubleshooting. Say one of the system engineers is troubleshooting an application and needs to roll back a configuration change that was made: he can look back at the audit records and verify that everything has been set back to its original state.
  • Review: Changes occurring within an IT environment should be reviewed continuously and as frequently as possible. The review should cover both monitoring for malicious activity and confirming that intended changes were safe. This review process is easier to follow if the tool monitoring the changes does so in real time; that way, changes can be reviewed for malicious activity as they happen rather than being discovered in a report days or even weeks after they occurred.
  • Document: Documentation should be produced throughout the change and configuration management process, not left to the end of the change process, so that all information and actions that occurred during the change are captured for future troubleshooting and forensics if needed. IT Service Management tools such as ServiceNow and Cherwell are commonly used in today’s IT environments to follow the IT frameworks mentioned above and to ensure that all processes are documented and recorded properly.

Step 4: Choose an Application/System That Allows You to Differentiate Between Good/Bad Changes

Such a tool is another crucial part of change and configuration management best practices. This goes hand in hand with the earlier point about adopting an IT framework for your change control process. The framework should ensure that all necessary testing has taken place before patches or modifications are pushed out to production systems, so that changes do not cause unwanted side effects or introduce new issues. It also allows an organization to specify which changes should be happening, during what time window, and on which systems. Anything that falls outside that allotted window can then be identified as an unplanned change and potential configuration drift.

With a tool such as Netwrix Change Tracker, you can connect the application to your existing IT Service Management (ITSM) tools, which lets you correlate changes within your environment with an approved ticket or a set of intelligent change rules. This helps prevent and protect against all forms of breach while giving you full control of changes for security and compliance. Learn more about our integration capabilities by visiting our ITSM Integrations webpage.
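The baseline-and-drift workflow from Step 3 and the planned/unplanned distinction from Step 4, as an added illustration that is not code from Netwrix Change Tracker or any other product: a gold baseline of file hashes is recorded, a later snapshot is compared against it, and each detected change is correlated with an approved change ticket’s time window and path scope. The file contents, paths, ticket id and timestamps are constructed sample data.

```python
import hashlib
from datetime import datetime
from fnmatch import fnmatch

def baseline(state):
    """Record a 'gold' baseline as path -> SHA-256 of content (state is a constructed path->bytes map)."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in state.items()}

def detect_drift(base, state):
    """Compare a current snapshot against the baseline; return sorted (path, kind) tuples."""
    current = baseline(state)
    changes = []
    for path in sorted(set(base) | set(current)):
        if path not in current:
            changes.append((path, "removed"))
        elif path not in base:
            changes.append((path, "added"))
        elif base[path] != current[path]:
            changes.append((path, "modified"))
    return changes

def classify(changes, observed_at, approved):
    """A change is 'planned' only if it was seen inside an approved ticket's window AND its path is in scope."""
    report = []
    for path, kind in changes:
        ticket = next((t["id"] for t in approved
                       if t["start"] <= observed_at <= t["end"]
                       and any(fnmatch(path, pattern) for pattern in t["paths"])), None)
        report.append({"path": path, "kind": kind, "ticket": ticket,
                       "status": "planned" if ticket else "unplanned"})
    return report

# Constructed sample data: gold image, a later snapshot, and one approved change ticket.
GOLD = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n",
        "/etc/passwd": b"root:x:0:0::/root:/bin/bash\n",
        "/etc/hosts": b"127.0.0.1 localhost\n"}
CURRENT = {"/etc/ssh/sshd_config": b"PermitRootLogin no\nMaxAuthTries 3\n",     # in-scope, in-window
           "/etc/passwd": b"root:x:0:0::/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n",
           "/etc/hosts": b"127.0.0.1 localhost\n",
           "/etc/cron.d/cleanup": b"0 3 * * * root /usr/local/bin/cleanup\n"}  # not covered by any ticket
APPROVED = [{"id": "CHG-0001", "start": datetime(2024, 5, 1, 22, 0),
             "end": datetime(2024, 5, 1, 23, 59), "paths": ["/etc/ssh/*"]}]
OBSERVED_AT = datetime(2024, 5, 1, 22, 30)

def run_demo():
    """Detect drift from the gold baseline and label each change against the approved ticket."""
    return classify(detect_drift(baseline(GOLD), CURRENT), OBSERVED_AT, APPROVED)

if __name__ == "__main__":
    for entry in run_demo():
        print(f'{entry["status"]:9} {entry["kind"]:8} {entry["path"]}  ticket={entry["ticket"]}')
```

Only the sshd_config edit is matched to CHG-0001; the new account in /etc/passwd and the new cron entry are flagged as unplanned even though they were observed inside the ticket’s window, because they fall outside its path scope.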

Step 5: Implement a Form of Vulnerability Scanning and a More Immediate Form of Configuration Scanning

Maintaining a secure posture can be easily accomplished by using NNT’s suite of security products and their automated feature set. First, continuous vulnerability scanning should be performed. NNT Vulnerability Tracker lets you schedule these scans to start automatically, and they produce reports for your team to follow up on and remediate the vulnerabilities found on your systems. Constant monitoring and scanning of the system’s configuration settings should accompany the vulnerability scanning.

You’ll want to use a tool similar to Netwrix Change Tracker that can monitor the hardened settings alongside your selected framework in order to validate that configuration drift is not occurring within the environment. When drift does occur outside of a designated window, you can use the integrity monitoring and logging capabilities to get a full view of exactly what happened within the environment.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.