Common security cross-exam termsDevice managementBeginner45 min read

What Is Security baseline? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A security baseline is like a checklist of essential security rules that every computer or device must follow. It makes sure that all systems are set up with basic protections in place, like strong passwords and automatic updates. This helps organizations avoid common security mistakes and ensures a consistent level of safety across all their technology.

Common Commands & Configuration

aws configservice put-config-rule --config-rule '{"ConfigRuleName":"s3-bucket-public-read-prohibited","Source":{"Owner":"AWS","SourceIdentifier":"S3_BUCKET_PUBLIC_READ_PROHIBITED"}}'

Creates an AWS Config rule that checks if any S3 bucket has public read access enabled, enforcing a security baseline for S3 buckets.

Tests understanding of AWS Config managed rules for S3 compliance, commonly seen in AWS-SAA and SC-900 exams.

Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled

Retrieves Windows Defender Antivirus status to verify if real-time protection is active, a key setting in security baselines.

Used in MD-102 and MS-102 to check baseline compliance for endpoint protection on Windows devices.

cis-cat-benchmark-runner.sh --benchmark CIS_Microsoft_Windows_10_Enterprise_v2.0.0_Level1 --output /tmp/report.html

Runs a CIS-CAT assessment against the Windows 10 Level 1 benchmark, generating a compliance report for baseline verification.

Relevant for CySA+ and Security+ exams that test vulnerability scanning and compliance assessment tools.

New-AzPolicyAssignment -Name 'CIS-Azure-Foundations' -PolicyDefinitionId '/providers/Microsoft.Authorization/policySetDefinitions/...' -ManagementGroupId 'mg-root'

Assigns a policy set definition (e.g., CIS Azure Foundations Baseline) at the management group level to enforce security baseline across subscriptions.

Appears in AZ-104 and SC-900 to test Azure Policy inheritance and baseline enforcement.

C:\Windows\System32\secedit /configure /db secedit.sdb /cfg security_baseline.inf /areas SECURITYPOLICY

Applies a local security policy from an INF file, used to enforce a security baseline on a Windows standalone system.

Tests knowledge of Windows security configuration tools in ISC2-CISSP and Security+ exams.

Set-MpPreference -DisableRealtimeMonitoring $false

Ensures real-time monitoring in Windows Defender is enabled, a core requirement in most security baselines for endpoints.

Command often used in MD-102 troubleshooting scenarios to bring a device back into baseline compliance.

aws iam update-account-password-policy --minimum-password-length 14 --require-uppercase-characters --require-lowercase-characters --require-symbols --require-numbers --max-password-age 90

Updates the AWS account password policy to meet security baseline recommendations for IAM users.

Tests password policy enforcement in AWS-SAA and Security+ exams as part of identity baseline.

Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine

Sets PowerShell execution policy to Restricted, a common baseline setting to prevent unauthorized scripts from running.

Covers security hardening for Windows devices, tested in MD-102 and CySA+.

Security baseline appears directly in 38exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →

Must Know for Exams

Security baselines appear across multiple certification exams because the concept is foundational to secure system administration, cloud security, and governance. Knowing the definition alone will not get you points. You need to understand how baselines are implemented, what tools are used to enforce them, and how they relate to compliance and risk management.

For the AWS Solutions Architect Associate (AWS-SAA) exam, security baselines are relevant to questions about AWS Config, AWS CloudFormation, and AWS Service Catalog. You might be asked how to ensure that all S3 buckets are encrypted by default. The answer often involves creating an AWS Config rule that checks each bucket against the baseline and using AWS Systems Manager to remediate non-compliant resources. Another common question is about preventing configuration drift in an Auto Scaling group. The solution is to use a launch template that applies a security baseline to each new instance.

For the CISSP exam, security baselines fall under Domain 3 (Security Architecture and Engineering) and Domain 7 (Security Operations). You need to understand that baselines are part of a broader security control framework. Expect questions about the difference between a baseline, a guideline, a standard, and a policy. For example, a policy says 'all systems must be configured securely,' a standard says 'use CIS benchmarks,' a baseline says 'apply these 50 specific settings,' and a guideline is a recommendation.

For the CompTIA Security+ exam, security baselines are covered in the context of secure system design and network security. You might see a scenario where an organization wants to ensure that all workstations have the same security settings. The correct answer is 'implement a security baseline' using Group Policy. Another question might ask which tool can be used to enforce a baseline in a mixed OS environment. The answer is a configuration management tool like Ansible or Chef.

For the CySA+ exam, baselines are important for continuous monitoring and anomaly detection. A common question type involves reviewing logs to identify a system that has deviated from its baseline. For example, if a baseline says that port 22 (SSH) should be disabled, but a log shows an SSH connection on a specific server, that is an anomaly and potentially an incident.

For the Microsoft exams (MD-102, MS-102, AZ-104, SC-900), security baselines are heavily tied to Intune, Azure Policy, and Microsoft Defender for Cloud. In MD-102 (Managing Modern Desktops), you will need to know how to deploy security baselines to Windows devices using Intune. In MS-102 (Microsoft 365 Administrator), questions focus on using security baselines for Microsoft 365 apps like Exchange Online and SharePoint. In AZ-104 (Azure Administrator), you need to know how Azure Policy enforces baselines and how to use Azure Blueprints. In SC-900 (Microsoft Security, Compliance, and Identity Fundamentals), baselines are introduced as a fundamental concept for securing cloud and hybrid environments.

Across all exams, watch for questions that describe a scenario where an organization is facing inconsistent security settings or compliance failures. The answer will almost always involve implementing a security baseline. Another common trap is confusing a baseline with a patch management policy. Baselines cover settings, not just updates.

Simple Meaning

Imagine you are building a new house. Before you start decorating or adding fancy furniture, you need to make sure the foundation is solid, the walls are straight, and the roof does not leak. A security baseline is exactly that for computers and networks. It is the absolute minimum set of security measures that must be in place before a system can be considered safe to use.

Think of it as the rulebook for setting up a new computer. When a company buys a hundred new laptops, they cannot just hand them out to employees and hope everyone sets them up securely. Some employees might forget to turn on the firewall, others might leave the default password, and some might install risky software. A security baseline prevents this chaos by defining exactly how each laptop must be configured before it leaves the IT department.

For example, the baseline might say: all laptops must have the operating system updated, the antivirus software must be active, the screen must lock after 5 minutes of inactivity, and the hard drive must be encrypted. These rules are not optional. They are the foundation of security. If you think of your computer like a castle, the security baseline is the moat, the drawbridge, and the strong walls. Without them, anyone could just walk in.

In the IT world, organizations use security baselines to make sure that every device, server, and network device follows the same security rules. This is important because a single weak link, like one server with a default password, can compromise the entire network. The baseline is usually created by security experts based on industry standards, such as those from the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST). Once it is created, IT teams use tools to automatically apply the baseline to all systems, and they regularly check to make sure nobody has accidentally changed a security setting.

Even for home users, the idea of a security baseline is useful. It means doing the basic things: installing updates, using a strong password, enabling two-factor authentication, and not clicking on suspicious links. If everyone followed a simple personal security baseline, many cyberattacks would fail.

Full Technical Definition

A security baseline is a formally documented set of security configuration parameters, settings, and rules that define the minimum acceptable security posture for a specific type of system, device, or software application. It serves as a reference point against which actual configurations are measured and audited. In enterprise environments, security baselines are critical for enforcing consistency, reducing attack surface, and ensuring compliance with regulatory frameworks such as PCI DSS, HIPAA, GDPR, and ISO 27001.

Security baselines are typically derived from industry-recognized hardening guides. The most widely used sources are the Center for Internet Security (CIS) Benchmarks, the National Institute of Standards and Technology (NIST) Special Publication 800-53, and the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). These guides provide detailed, platform-specific configuration recommendations for operating systems (Windows, Linux, macOS), network devices (routers, switches, firewalls), cloud services (AWS, Azure, GCP), and applications (web servers, databases, email servers).

The implementation of a security baseline involves several technical components. First, the baseline is defined in a machine-readable format, often using Group Policy Objects (GPO) in Active Directory environments, Desired State Configuration (DSC) in PowerShell, or Ansible playbooks for Linux servers. The baseline settings can cover hundreds of individual parameters, including password policies (minimum length, complexity, expiration), account lockout thresholds, audit logging configurations, service disablement (removing unnecessary services like Telnet or FTP), registry key modifications, file permission restrictions, and firewall rule sets.

Once the baseline is defined, it is deployed using configuration management tools such as Microsoft Endpoint Configuration Manager (formerly SCCM), Azure Policy, AWS Config Rules, or Puppet. These tools can enforce the baseline automatically, remediate any drift, and generate compliance reports. Continuous monitoring is essential because systems can drift from the baseline due to manual changes, software updates, or user actions. Security Information and Event Management (SIEM) systems like Splunk or Azure Sentinel can be configured to alert when a system falls out of compliance with the baseline.

In cloud environments, security baselines are often implemented through policy-as-code. For example, in AWS, a security baseline might be enforced using AWS Identity and Access Management (IAM) policies that restrict permissions, AWS Config rules that check for unencrypted S3 buckets, and AWS CloudTrail logs that monitor for changes to key security settings. Azure offers Azure Policy and Azure Blueprints to enforce baselines across subscriptions. These tools ensure that any new resource automatically inherits the baseline configuration, preventing configuration drift from the moment of deployment.

A key technical aspect of security baselines is the concept of baselining as an ongoing process. It is not a one-time activity. When new vulnerabilities are discovered, or when software updates introduce new security features, the baseline must be updated. For example, when the Log4j vulnerability emerged in 2021, many organizations had to update their security baselines to ensure all Java applications were using a patched version. This process is known as baseline management and is part of a larger vulnerability management program.

Security baselines also play a role in incident response. When a security incident occurs, investigators compare the compromised system against its known baseline to identify changes made by the attacker. If the baseline shows that a particular service should be disabled, but it was found running during the investigation, that is a strong indicator of unauthorized activity. In forensic analysis, the baseline serves as a trusted starting point for determining what has changed.

For exams like AWS SAA, AZ-104, MS-102, and SC-900, you need to understand that security baselines are not just for on-premises systems. They are equally important for cloud resources. For example, the AZ-104 exam covers Azure Policy and how it can be used to enforce a security baseline across Azure subscriptions. The AWS SAA exam includes AWS Config and its rules for checking resource compliance against a baseline. The CISSP exam emphasizes the importance of baselines in the context of security governance and risk management. The Security+ exam covers baselines as a core concept of secure system design and implementation.

Real-Life Example

Think about a large apartment building that has a security guard at the front entrance. The guard does not know every single resident by face, so the building manager gives the guard a list of rules: everyone must show a key card to enter, no one is allowed in without a card, and all visitors must be signed in by a resident. That list of rules is the security baseline for the building.

Now, imagine that one day, a resident's friend tries to enter the building without a key card. The guard stops the friend and explains the rule. The friend says, 'But I am just here to drop off a package, it will only take a minute.' The guard cannot break the baseline. The baseline says 'everyone must have a key card,' so the friend cannot enter until a resident comes down to let them in. This is exactly how a security baseline works in IT. It does not allow exceptions unless the baseline itself is updated.

In the same building, there is a rule that all doors must be locked at 10 PM. That is part of the baseline. If a resident forgets to lock the door to the rooftop terrace, the security guard will lock it, because the baseline says it must be locked. The guard does not make a judgment call; the baseline is the absolute rule. In an IT environment, this is like a configuration management tool that automatically applies the security baseline settings to every computer, even if a user changed a setting. If the baseline says the firewall must be on, the tool will turn it back on automatically.

Let's extend the analogy further. The building manager reviews the security rules every few months. After a break-in at a nearby building, the manager adds a new rule: all visitors must have their photo taken at the front desk. This updates the baseline. Similarly, in cybersecurity, baselines are updated when new threats appear. For example, after a major ransomware attack that uses a specific vulnerability, the IT security team will add a new rule to the baseline that disables that vulnerable service or installs a patch.

The security baseline in the building also covers maintenance. Every fire extinguisher must be inspected monthly. That is a baseline requirement. If the inspection is skipped, it is a violation of the baseline. In IT, this is like the requirement that all systems must have antivirus definitions updated within 24 hours of a new definition release. If a system's antivirus is outdated, it is out of compliance with the baseline, and the security team is alerted.

Finally, think about the building's computer server room. The baseline says that only the IT manager and the building's security director have access. If someone else tries to enter, the door's electronic lock will not open. In IT, this is enforced through Access Control Lists (ACLs) and Role-Based Access Control (RBAC). The baseline defines who can access what, and the system enforces it. If an employee is moved to a new role, the baseline must be updated to grant the new permissions and revoke the old ones. This prevents former employees from retaining access to systems they should no longer use.

Why This Term Matters

In the real world of IT, security baselines matter because they prevent the most common cause of security breaches: human error and inconsistent configurations. When every system is set up differently, it is impossible to know if the environment is truly secure. A single misconfigured server, perhaps one with a default password or an open port, can be the entry point for an attacker to compromise the entire network. Security baselines eliminate this risk by ensuring that every system starts from a known secure state.

Security baselines also matter for compliance. Many industries are required by law to follow specific security standards. For example, healthcare organizations in the United States must comply with HIPAA, which requires that systems have safeguards to protect patient data. A security baseline demonstrates that the organization has implemented these safeguards. During an audit, the auditor will ask to see the baseline and the evidence that systems conform to it. Without a baseline, the organization cannot prove it is compliant.

From a practical standpoint, baselines make IT management easier. When a new system needs to be deployed, the IT team does not have to manually configure every security setting. They can apply the baseline automatically, ensuring that the system is secure from the moment it goes live. This saves time and reduces the chance of mistakes. It also makes troubleshooting easier because if a problem occurs, the IT team knows that the system's security settings are at least at the baseline level.

Another reason security baselines matter is incident response. When a security breach happens, the first question is always 'What changed?' By comparing the current state of a system to its baseline, investigators can quickly identify what an attacker modified. Without a baseline, they would have to guess what the original configuration should have been. This significantly slows down the investigation and can allow an attacker to remain undetected for longer.

For IT professionals who manage large environments, baselines are essential for maintaining security at scale. You cannot manually inspect each of thousands of servers. With automated baseline enforcement, you can trust that all systems are configured correctly. This is why security baselines are a core component of frameworks like the NIST Cybersecurity Framework and ISO 27001.

How It Appears in Exam Questions

In the AWS SAA exam, you might see a question like this: 'A company wants to ensure that all EC2 instances launched in its AWS account have encryption at rest enabled by default. What is the most efficient way to enforce this?' The correct answer is to use AWS Config with a managed rule that checks for encryption, and to use an IAM policy that denies the creation of unencrypted volumes. This is a security baseline enforcement question. Another scenario: 'A security team has defined a baseline for Linux instances that includes disabling root login via SSH. How can this be applied to all new instances in an Auto Scaling group?' The answer is to use a launch template or a custom Amazon Machine Image (AMI) that already has the baseline applied, and to use AWS Systems Manager to enforce the baseline on running instances.

For the Security+ exam, a typical multiple-choice question might read: 'An organization needs to ensure that all Windows 10 workstations have the same security settings, including disabling guest accounts and setting minimum password length. Which of the following should the organization implement?' The correct answer is a security baseline applied via Group Policy. A performance-based question might ask you to order the steps for implementing a security baseline: define the baseline, test it in a staging environment, deploy it using GPO, monitor for drift, and update the baseline when needed.

In the CISSP exam, questions are more theoretical. For example: 'An organization has implemented a security baseline for its servers. After a routine audit, several servers are found to have different configurations than the baseline. What is this condition called?' The answer is configuration drift. A follow-up question might ask: 'What is the best way to detect and correct configuration drift?' The answer is continuous monitoring with automated remediation, often using a configuration management tool.

For the AZ-104 exam, you might get a scenario: 'You are an Azure administrator responsible for enforcing security baselines across multiple subscriptions. You need to ensure that all resources are compliant with the company's security policy. What should you use?' The answer is Azure Policy and Azure Blueprints. The question might then ask: 'A non-compliant resource is found. How can you automatically remediate it?' The answer is to use a policy with a DeployIfNotExists effect that triggers a remediation task.

In the MS-102 exam, a typical question: 'Your organization uses Intune to manage Windows 10 devices. You need to ensure that all devices meet the company's security baseline. Which configuration profile type should you use?' The answer is a security baseline profile, which is a pre-defined set of settings in Intune. Another question: 'Users are turning off BitLocker on their devices, causing a security risk. How can you enforce the baseline?' The answer is to configure a policy that requires BitLocker and to set up automatic enforcement using Intune's compliance policies.

For the CySA+ exam, a scenario-based question: 'A security analyst notices that a web server that is normally compliant with the baseline is now showing an open port 3306 (MySQL). The baseline states that no database ports should be open. What is the first action the analyst should take?' The correct action is to investigate the change because it might indicate an unauthorized configuration change or a compromise. The analyst should then check logs to see who made the change and revert the server to the baseline if it was unauthorized.

Practise Security baseline Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Scenario: Fresh Green Corp, a company with 200 employees, has been using a mixture of Windows 10 and Windows 11 laptops. Some employees have installed personal software, others have disabled the firewall to use a legacy app, and a few have set simple passwords like 'Password123'. The IT manager is concerned because there is no consistent security.

The company decides to implement a security baseline. First, the IT team uses the Microsoft 365 security baseline for Windows devices as a starting point. They import this baseline into Intune. The baseline includes rules: all devices must have Windows Defender Antivirus enabled, the firewall must be on for all profiles, screen lock must activate after 15 minutes of inactivity, BitLocker drive encryption must be enabled, and user accounts cannot have blank passwords.

The IT team creates a configuration profile in Intune that pushes these settings to all laptops. They also set up a compliance policy that marks any device that does not meet the baseline as non-compliant. Non-compliant devices lose access to company email and SharePoint. Within two days, all devices are automatically updated to meet the baseline. The IT team also creates a report that shows which devices are compliant and which are not.

A week later, an employee named Bob tries to disable the firewall on his laptop to connect to a gaming server at home. The next day, his laptop is flagged as non-compliant, and he cannot access his work email. He contacts IT, who explain the baseline policy. Bob's laptop is automatically re-configured by Intune to re-enable the firewall. This shows how the baseline enforces security even when users try to change settings.

Later, during an annual security audit, the auditor asks for proof that the company has consistent security configurations. The IT team provides the baseline document and the compliance report showing that 98% of devices are compliant. The auditor is satisfied, and Fresh Green Corp passes the audit. This scenario shows exactly why security baselines are important for both security and compliance.

Common Mistakes

Confusing a security baseline with a security policy.

A security policy is a high-level document that states the organization's security goals and objectives. A security baseline is a specific, technical set of configuration settings that implement the policy. They are not interchangeable.

Think of the policy as the 'what' and the baseline as the 'how'. The policy says 'we must be secure,' the baseline says 'set the firewall to block all inbound traffic except HTTP/HTTPS.'

Applying a security baseline once and never updating it.

Security threats evolve. A baseline that was secure a year ago might be vulnerable now. If you do not update the baseline, old weaknesses remain. This is called 'baseline drift' in a negative sense because the baseline itself becomes outdated.

Set a schedule, such as quarterly, to review and update the baseline. Subscribe to security advisories from the baseline source (e.g., CIS or Microsoft) and apply updates when critical vulnerabilities are announced.

Applying a baseline to all systems without testing it first.

A baseline might break critical applications. For example, disabling all legacy encryption protocols might prevent an old financial app from connecting to its database. This can cause outages and frustration.

Always test the baseline in a staging environment that mirrors production. Run the baseline against test systems first, and validate that all necessary services still work. Only then deploy to production.

Thinking that once the baseline is applied, no other security measures are needed.

A security baseline is just the minimum. It does not protect against zero-day vulnerabilities, sophisticated phishing attacks, or insider threats. It is one layer of defense, not the complete solution.

Treat the baseline as the 'foundation' of a security strategy. Add additional layers like encryption, multi-factor authentication, intrusion detection, security awareness training, and regular penetration testing on top of it.

Assuming that all users and systems have the same baseline needs.

Different systems have different functions and risks. A domain controller is more sensitive than a guest WiFi access point. Applying the same baseline to both could be too restrictive for one and not restrictive enough for the other.

Create multiple baseline profiles based on system role. For example, a 'Standard Workstation' baseline, a 'Server Baseline', and a 'High Security Server' baseline. Assign the appropriate baseline to each system based on its data sensitivity and function.

Failing to monitor for configuration drift after applying the baseline.

Configuration drift happens automatically due to updates, user changes, or software installations. If you do not monitor for drift, the baseline becomes useless over time because systems will no longer be configured as intended.

Use automated tools that continuously check systems against the baseline and alert when drift is detected. Many tools can also automatically revert the system back to the baseline configuration.

Exam Trap — Don't Get Fooled

{"trap":"Choosing 'Implement a security baseline' when the question asks for the BEST way to respond to a specific new vulnerability.","why_learners_choose_it":"Learners often remember that security baselines are a best practice for security configuration, so they assume it is the answer to any security question. The trap is that baselines are proactive and broad, not reactive to a single vulnerability."

,"how_to_avoid_it":"When a question describes a specific, new vulnerability (like a critical buffer overflow in a particular service), the BEST immediate action is usually to apply a patch, disable the vulnerable service, or add an access control list. The baseline should be updated later to include the new configuration. Always think: is this a one-time fix for a specific threat, or a general principle for consistent configuration?

For specific threats, choose a direct countermeasure. For broad consistency issues, choose the baseline."

Commonly Confused With

Security baselinevsSecurity policy

A security policy is a high-level document that defines an organization's security goals, objectives, and management intent. A security baseline is a specific set of technical configuration settings that must be applied to a system to achieve the requirements set forth in the policy. The policy is the 'why', the baseline is the 'how'.

A security policy states 'All devices must be protected from malware.' The security baseline specifies 'Enable Real-time Protection in Windows Defender and set it to automatically scan downloads.'

Security baselinevsConfiguration drift

Configuration drift is the condition where a system's actual configuration has changed from its defined baseline. It is not the same as the baseline itself. Drift is the problem that baselines are designed to prevent. If the baseline is the rulebook, drift is what happens when someone breaks the rules.

The baseline says port 22 (SSH) must be closed. An administrator opens port 22 for a temporary task and forgets to close it. The system has now drifted from the baseline.

Security baselinevsHardening guide

A hardening guide is a document that provides detailed instructions on how to securely configure a system. It is a reference document. A security baseline is the actual set of parameters that are enforced. You use the hardening guide to create the baseline. The guide is the recipe, the baseline is the baked cake.

The CIS Benchmark for Windows Server 2019 is a hardening guide. The IT team uses it to create a Group Policy Object that enforces specific settings. That GPO is the security baseline.

Security baselinevsCompliance policy

A compliance policy checks whether a device or system meets certain requirements, such as the security baseline. It is a tool used to verify and enforce the baseline, but it is not the baseline itself. The baseline is the set of rules; the compliance policy is the gatekeeper that checks if the rules are being followed.

In Intune, you define a security baseline profile (the settings). Then you create a compliance policy that says 'if a device does not have these settings, mark it as non-compliant.' The compliance policy enforces the baseline.

Security baselinevsStandard operating procedure (SOP)

An SOP is a step-by-step set of instructions for performing a task, such as how to set up a new user account. A security baseline is a set of required configuration states. An SOP guides an action, while a baseline defines an end state.

An SOP for setting up a new server includes the steps: install OS, join domain, and apply security baseline GPO. The actual settings that the GPO enforces are the baseline.

Step-by-Step Breakdown

1

Identify the system or device type

The first step is to determine which systems need a baseline. This could be Windows workstations, Linux servers, network switches, cloud storage accounts, or mobile devices. Each type has its own security considerations and configuration options. You cannot apply a single baseline to all things.

2

Select a baseline source or standard

Use authoritative sources such as CIS Benchmarks, NIST guidelines, DISA STIGs, or vendor-provided baselines (e.g., Microsoft Security Baselines for Windows). These sources are created by experts and are regularly updated. Avoid creating a baseline from scratch unless you have deep expertise.

3

Customize the baseline for your organization

Even a standard baseline might need adjustments. For example, a CIS benchmark might recommend disabling all legacy authentication protocols, but your organization might have a legacy app that requires NTLM. You may need to create an exception, but you should document the risk and plan to replace the app.

4

Test the baseline in a non-production environment

Apply the baseline to a subset of test systems that mirror your production environment. Verify that all applications still function, that users can log in, and that no critical services are broken. This step prevents costly outages. Document any issues and adjust the baseline as needed.

5

Define the baseline in a machine-readable format

Translate the baseline settings into a format that can be deployed automatically. For Windows, this is often a Group Policy Object (GPO) or a Microsoft Intune configuration profile. For Linux, it might be an Ansible playbook or a Chef cookbook. For cloud, it might be an Azure Policy or an AWS Config rule.

6

Deploy the baseline to production systems

Use configuration management tools to push the baseline to all target systems. This should be done in waves to minimize risk. Apply to a small group first, verify, then roll out to the entire fleet. Ensure that the deployment tool can also enforce the baseline automatically if a setting changes.

7

Monitor for compliance and drift

Continuously check that systems stay compliant with the baseline. Use tools that generate reports on compliance status. Set up alerts for any system that reports as non-compliant. Some tools can automatically remediate the drift by reapplying the baseline settings.

8

Update the baseline periodically

Review the baseline at least quarterly or whenever a critical vulnerability is announced. Update it to include new security measures. For example, when a new encryption protocol becomes standard or when an old protocol is deprecated. After updating, repeat the testing and deployment process.

9

Document the baseline and changes

Keep a record of what the baseline contains, the date it was deployed, any exceptions, and the rationale for changes. This documentation is critical for audits and for future administrators. It also helps during incident response to quickly understand the expected state of systems.

Practical Mini-Lesson

Let's dive into how security baselines work in practice for a common scenario: securing Windows 10 workstations in an enterprise environment. You are the IT security administrator, and you need to ensure that all 500 laptops and desktops in your organization are consistently configured.

First, you start with a trusted source. The Microsoft Security Compliance Toolkit provides pre-built baselines for Windows 10. These baselines include configurations for User Account Control (UAC), Windows Defender Firewall, BitLocker, and many other settings. You download the baseline and import it into the Local Group Policy Object (LGPO) tool. This gives you a set of registry keys and policy settings that you can review.

Before deploying, you need to decide how to distribute the baseline. In an on-premises Active Directory environment, the best method is to create a Group Policy Object (GPO) linked to an Organizational Unit (OU) that contains all the Windows 10 computers. You edit the GPO to include the settings from the baseline. For example, under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy, you set the minimum password length to 14 characters and require password history of 24 passwords. Under Windows Defender Firewall with Advanced Security, you enable the firewall for all profiles and block inbound connections by default.

But there is a challenge: some users need to connect to a legacy file server that uses an older, less secure protocol. If you blindly apply the baseline, those users will lose connectivity. This is where you customize the baseline. You create a separate GPO for a 'Legacy App Users' OU that still enforces most of the baseline but allows the specific legacy protocol. You also create a risk acceptance document signed by management acknowledging the exception.

Once the GPOs are deployed, you need to monitor compliance. You use a tool like Microsoft Endpoint Manager (Intune) or a third-party tool like ManageEngine. These tools can scan each computer and compare its settings against the baseline. The report shows which computers are compliant and which have drift. For example, a user might have disabled the firewall to run a local game server. The monitoring tool flags the device as non-compliant.

In a modern, cloud-connected environment, you would use Intune. Intune has built-in security baselines for Windows 10 and Windows 11. You simply select the baseline version and choose which settings to include. Intune then pushes these settings to enrolled devices using a configuration profile. You can also set up compliance policies that check if the device is compliant with the baseline. If a device is non-compliant, you can automatically revoke access to corporate resources.

What can go wrong? The most common issue is breaking an application. For example, the baseline might require that all network shares be encrypted. If an older application uses an unencrypted connection, it will stop working. That is why testing is crucial. Another issue is user pushback. Users might complain that they cannot install software or that they have to use complex passwords. In this case, education is important: explain why these settings are necessary for security.

Professioals should also understand that baselines are not a 'set and forget' activity. When Microsoft releases a new version of the Windows 10 security baseline (usually twice a year), you need to review the changes, test them, and deploy them. If you ignore the updates, your baseline becomes outdated and may miss new protections or include deprecated settings.

Finally, remember that baselines are just one part of a defense-in-depth strategy. They should be combined with regular vulnerability scanning, patch management, endpoint detection and response (EDR), and user training. A baseline cannot stop a determined attacker who has compromised a user's credentials, but it can make the attacker's job much harder.

Understanding Security Baseline in Device Management

A security baseline is a predefined set of security configuration settings and policies that establish a minimum security standard for devices, systems, and applications within an organization. It serves as a foundational benchmark against which all systems are measured, ensuring that every device adheres to a consistent, hardened configuration that reduces risk exposure. In the context of device management, security baselines are particularly critical because endpoints such as laptops, desktops, and mobile devices are often the first line of attack from malicious actors.

The concept of a security baseline extends beyond simple password policies or firewall rules. It encompasses a holistic approach to security posture, including settings for operating system hardening, application whitelisting, network access controls, user permissions, encryption standards, logging configurations, and patch management. In enterprise environments, security baselines are typically developed based on industry best practices, regulatory requirements, and threat intelligence. Frameworks such as the Center for Internet Security (CIS) Benchmarks, National Institute of Standards and Technology (NIST) Special Publication 800-53, and Microsoft Security Baselines are widely adopted to guide organizations in building effective baselines.

For exam candidates preparing for certifications like AWS-SAA, ISC2-CISSP, CySA+, MD-102, MS-102, AZ-104, SC-900, and Security+, understanding security baselines is essential. These exams test not only the definition but also the practical implementation, monitoring, and remediation of baseline deviations. For example, in AWS, security baselines apply to EC2 instances, S3 buckets, and IAM roles, often enforced through AWS Config rules or Service Control Policies (SCPs). In Microsoft environments, security baselines are deployed via Group Policy, Intune, or Azure Policy to enforce consistent settings across Windows devices and cloud resources.

Security baselines also play a pivotal role in compliance audits. They provide a measurable way to demonstrate adherence to standards like PCI DSS, HIPAA, GDPR, and SOC 2. Without a baseline, organizations struggle to prove that security controls are in place and effective. Baselines enable automated compliance checks, reducing manual effort and human error. Tools such as Microsoft Defender for Cloud, AWS Security Hub, and CIS-CAT (Configuration Assessment Tool) continuously compare system configurations against the defined baseline and alert administrators to any drift.

a security baseline is not static. As new threats emerge, software updates are released, and business requirements evolve, baselines must be reviewed and updated periodically. This lifecycle management includes baseline definition, deployment, monitoring, assessment, and remediation. In exam questions, candidates may be asked to identify when a baseline should be updated or how to handle a device that falls out of compliance. The key takeaway is that a security baseline is the minimum acceptable security configuration; anything below that level is considered a vulnerability or risk.

Finally, security baselines are tightly integrated with device management solutions. In Microsoft Intune (covered by MD-102 and MS-102), administrators can create and assign security baseline policies to Windows 10/11 devices, controlling settings like BitLocker encryption, firewall rules, antivirus configurations, and user account control. On-premises Active Directory leverages Group Policy to enforce similar baselines. In cloud environments like AWS and Azure, baselines are enforced through infrastructure-as-code templates, ensuring that every new resource is provisioned with security in mind. Understanding these integration points is crucial for exam success and real-world implementation.

AWS Security Baseline Configuration Using AWS Config

In the AWS ecosystem, security baselines are enforced through a combination of AWS Config rules, Service Control Policies (SCPs), and the AWS Well-Architected Framework. A security baseline in AWS defines the minimum security posture for resources such as EC2 instances, S3 buckets, IAM users, VPCs, and RDS databases. Unlike traditional on-premises environments, cloud baselines must account for shared responsibility, where the customer is responsible for securing their data and configurations.

AWS Config is the primary service for baseline monitoring and compliance. It allows administrators to define custom or managed rules that check resource configurations against compliance standards. For example, a security baseline might require that all S3 buckets have block public access enabled, that EC2 instances use only approved AMIs, or that IAM users have MFA enabled. AWS Config continuously evaluates resources and generates compliance reports, alerting administrators when a resource deviates from the baseline. This is a frequent topic in AWS-SAA and SC-900 exams, where candidates must understand how to set up and interpret compliance results.

Another critical component is AWS Organizations and SCPs, which act as a security baseline across multiple accounts. SCPs allow central governance by restricting the maximum permissions available to IAM roles and users within member accounts. For instance, a baseline SCP might deny all actions on resources unless they are tagged with an approved environment tag. This ensures that developers cannot accidentally launch unmonitored resources. Exam questions often test the difference between SCPs, IAM policies, and resource-based policies, especially in multi-account scenarios.

Security baselines in AWS also leverage AWS Security Hub, which aggregates findings from Config, GuardDuty, Inspector, and other services. Security Hub provides a consolidated view of compliance scores based on industry standards like CIS AWS Foundations Benchmark and NIST 800-53. Administrators can configure automated remediation actions using AWS Lambda functions or Systems Manager Automation. For example, if an EC2 instance is found to have an open SSH port to 0.0.0.0/0, a remediation action can automatically revoke the security group rule. This is a practical approach tested in CySA+ and Security+ exams, emphasizing the importance of automated response.

A common pitfall when implementing AWS security baselines is overly permissive IAM roles or misconfigured S3 bucket policies. The principle of least privilege is central to any baseline. AWS provides tools like IAM Access Analyzer to identify resources shared with external entities, which is a direct violation of many baselines. Another key area is encryption. A baseline should mandate that all data at rest uses AWS KMS with customer-managed keys and data in transit uses TLS 1.2 or higher. AWS Config rules like s3-bucket-server-side-encryption-enabled and ec2-encrypted-volumes enforce these settings.

In exam contexts, candidates are often presented with scenarios where a security baseline has been violated and asked to determine the appropriate response. For example, if a Config rule shows that an S3 bucket is publicly accessible, the correct answer might involve updating the bucket policy or enabling block public access settings. Understanding the relationship between baseline definitions, compliance checks, and remediation actions is essential. The AWS security baseline is dynamic; updates to the underlying standards or threat landscape may require changes to Config rules or SCPs. Candidates should also know how to use AWS CloudFormation or Terraform to deploy baseline configurations as code, ensuring repeatability and auditability.

Finally, AWS Security Hub integrates with third-party tools and SIEMs to provide a holistic view. The baseline compliance score is often a key metric in security dashboards. For those pursuing AWS-SAA or SC-900, remember that security baselines are not just about detection but also prevention. By enforcing baselines at account creation or resource provisioning, organizations can reduce the attack surface significantly. This proactive approach is a core concept tested across all the listed exams.

Microsoft Intune Security Baseline Policies for Windows Devices

Microsoft Intune is a leading cloud-based device management solution that includes built-in security baseline policies for Windows 10 and later devices. These baselines are pre-defined sets of configuration settings curated by Microsoft security experts to enforce a hardened state out of the box. They cover critical areas such as BitLocker drive encryption, Windows Defender Antivirus, user account control (UAC), firewall rules, browser security, and application control. For exams like MD-102, MS-102, and SC-900, understanding how to deploy and manage Intune security baselines is critical.

The primary advantage of using Intune security baselines is that they are regularly updated as new threats emerge and best practices evolve. Microsoft publishes baseline versions (e.g., Security Baseline for Windows 10 May 2020, November 2022) and automatically notifies administrators when a new version becomes available. However, the baseline does not automatically apply; administrators must either assign a baseline to a group or import the settings into a custom policy. This distinction is often tested: a candidate must know that baselines are provided as templates, not automatically enforced, unless an administrator actively assigns them.

Each Intune security baseline policy contains hundreds of individual settings, but exam questions focus on the most impactful ones. For example, BitLocker encryption settings ensure that all drives, including fixed data drives and removable drives, are encrypted. Windows Defender Antivirus settings include real-time protection, cloud-delivered protection, and sample submission. UAC settings control when and how administrative privileges are elevated. Firewall settings typically enforce default inbound block and outbound allow rules, with specific exceptions for authorized applications. These settings collectively create a baseline that significantly reduces the risk of malware infection, data exfiltration, and unauthorized access.

Deploying an Intune security baseline is straightforward. Administrators navigate to the Endpoint Security node, select Security Baselines, choose a baseline template (e.g., Windows 10 Security Baseline), and assign it to Azure AD groups. The baseline can be customized by toggling individual settings, but the default configuration represents the recommended security posture. Once assigned, devices check in during their next sync and apply the settings. If a setting conflicts with an existing Configuration Manager or Group Policy setting, Intune settings take precedence, which is a key point for MD-102 and MS-102 exams.

One common exam scenario involves monitoring compliance. Intune provides a report on how many devices are compliant with the assigned baseline. Devices that are non-compliant may be blocked from accessing corporate resources via Conditional Access policies. For example, if a device fails to have BitLocker enabled, Conditional Access can prevent it from accessing Exchange Online or SharePoint. This combination of baseline enforcement and conditional access is a powerful security control tested in SC-900 and MS-102.

Troubleshooting baseline issues is another critical skill. If a Windows device fails to apply a baseline setting, the administrator should check the device sync status, review the Settings Catalog for conflicts, and examine the Windows event logs under Microsoft/Intune. A common cause of failure is that the device is not properly enrolled in Intune or that the user account lacks the necessary licenses (e.g., Microsoft 365 E3 or E5). Exam questions may present a scenario where a device shows as compliant but the actual configuration is incorrect, requiring the administrator to manually verify using the Microsoft Endpoint Manager console or the Windows Security app.

Finally, Intune security baselines are not limited to Windows. There are baselines for Microsoft Edge and also for Windows 365 Cloud PCs. For cross-platform management, Intune supports security policies for macOS, iOS, and Android devices, but these are not referred to as baselines in the same sense. Understanding the scope and limitations helps in answering exam questions about device management. The bottom line is that Microsoft Intune security baselines provide a fast, reliable way to enforce consistent security settings across thousands of devices, reducing the administrative burden and improving the overall security posture.

CIS Benchmarks as a Security Baseline Standard

The Center for Internet Security (CIS) Benchmarks are globally recognized, consensus-based best practices for security configuration. They serve as a de facto security baseline for operating systems, cloud platforms, network devices, and applications. For professionals preparing for ISC2-CISSP, CySA+, Security+, and AZ-104, understanding CIS Benchmarks is essential because they are frequently referenced in exam objectives and real-world compliance frameworks. CIS Benchmarks provide detailed, step-by-step guidance on how to harden a system against known attack vectors.

Each CIS Benchmark is organized by technology and version. For example, CIS Benchmark for Windows 10, for Ubuntu Linux, for AWS Foundations, and for Microsoft Azure. The benchmarks are divided into levels. Level 1 recommendations are easy to implement with minimal impact on functionality and are considered a good starting point for any security baseline. Level 2 recommendations offer more advanced hardening but may reduce system usability or require more testing. In exam contexts, candidates are often asked to choose the appropriate level for a given environment. For example, for a server running critical applications, Level 1 is typically sufficient, while a highly sensitive environment like a government system may require Level 2.

CIS Benchmarks are updated regularly as new vulnerabilities are discovered and attack techniques evolve. Organizations that adopt CIS Benchmarks as their security baseline must have a process for periodically reviewing and updating their configurations. Automated tools like CIS-CAT (CIS Configuration Assessment Tool) can scan systems and compare them against the latest benchmark version, generating compliance reports. This automation is a key topic in CySA+ and Security+ exams, where candidates must interpret scan results and prioritize remediation actions.

A common exam question format presents a scenario where a company uses CIS Benchmark Level 1 for its Windows servers. An administrator notices that the server is failing a specific check related to password length. The correct response should involve identifying the failing setting, understanding its importance, and applying the appropriate Group Policy or Intune policy to enforce the required password length. CIS Benchmarks also include recommendations for logging, auditing, and disabling unnecessary services, all of which are foundational to a strong security posture.

For cloud environments, CIS Benchmarks for AWS and Azure are particularly relevant. The AWS Foundations Benchmark covers IAM, S3, logging (CloudTrail), VPC, and EC2. For instance, it recommends ensuring that S3 buckets have block public access enabled, that CloudTrail is enabled in all regions, and that IAM users require MFA. In AZ-104 and SC-900 exams, candidates must understand how Azure Policy can be used to enforce CIS Azure Foundations Baseline recommendations. Azure Policy definitions can be assigned at the management group level to ensure that new resources automatically comply with the baseline.

One challenge with CIS Benchmarks is that they can be overwhelming due to the sheer number of recommendations. Organizations must prioritize based on risk. Examining the CIS Controls (formerly Critical Security Controls) provides a high-level framework that maps to the benchmarks. For example, CIS Control #1 is Inventory and Control of Hardware Assets, which aligns with baseline recommendations for disabling unnecessary devices. CIS Control #7 is Continuous Vulnerability Management, which relates to regular scans against the baseline. This mapping is often tested in ISC2-CISSP exams, where candidates must connect controls to implementation.

Finally, it is worth noting that CIS Benchmarks are not mandatory by law, but they are widely adopted due to their alignment with other standards like NIST and PCI DSS. They provide a clear, actionable baseline that can be audited. For exam preparation, candidates should be familiar with the structure of CIS Benchmarks (levels, categories, scoring) and know how to use tools like CIS-CAT or cloud-native solutions (e.g., AWS Security Hub, Azure Security Center) to assess compliance. The ability to interpret a scan result and apply remediation is a skill that directly translates to passing questions on CySA+, Security+, and AZ-104.

Troubleshooting Clues

Device not applying Intune security baseline settings

Symptom: Windows device shows as compliant in Intune console but actual settings differ on the device.

This often occurs when the baseline policy is assigned to a user group but the device is not Azure AD joined or enrolled in Intune properly. Alternatively, a conflict with a Configuration Manager policy might override the Intune settings.

Exam clue: In MD-102 exams, candidates must identify that baselines require device enrollment and that conflicts with legacy GPO can cause apparent compliance.

S3 bucket publicly accessible despite AWS Config rule

Symptom: AWS Config rule S3_BUCKET_PUBLIC_READ_PROHIBITED shows non-compliant, but bucket policy appears correct.

The bucket might have a bucket ACL that grants public access, not a bucket policy. AWS Config rules evaluate both ACLs and policies. Also, blocking public access at the account level may be disabled.

Exam clue: Tests understanding of S3 access control mechanisms (ACLs vs policies) and AWS Config rule scope in AWS-SAA.

CIS benchmark scan shows fail for 'Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'

Symptom: Scan report indicates the setting is disabled on Windows servers.

The security policy for SAM enumeration is configured via Group Policy or local security policy. It might be misconfigured or overridden by a conflicting GPO.

Exam clue: Relevant in CySA+ and Security+, where candidates must know how to analyze CIS scan results and apply Group Policy objects to remediate.

BitLocker encryption not enforcing on Intune-managed device

Symptom: Device reports non-compliant for BitLocker, but encryption is enabled on C: drive.

Intune baseline may require encryption on all fixed drives, not just the OS drive. The baseline might also require a specific recovery key escrow method (e.g., Azure AD). If the key is not backed up to Azure AD, compliance fails.

Exam clue: MD-102 and MS-102 exams test that BitLocker baseline includes recovery key management; missing escrow triggers non-compliance.

Azure Policy assignment does not evaluate existing resources

Symptom: After assigning a policy to enforce CIS Azure baseline, existing resources remain non-compliant without any trigger.

Azure Policy by default evaluates only new resources during creation or updates. Existing resources require a manual compliance scan or a policy that includes 'Enforce' effect. The assignment may be missing an audit setting.

Exam clue: AZ-104 exams test the difference between audit and deny effects and the need to trigger evaluation on existing resources.

Windows Defender settings show as not managed despite Intune baseline

Symptom: In Windows Security app, Defender shows 'managed by your organization' but some settings are greyed out incorrectly.

This can happen when the Intune baseline has a conflict with a local GPO or another MDM policy. The Intune baseline might be configured to 'not configured' for that setting, allowing other policies to take precedence.

Exam clue: MD-102 troubleshooting often involves baseline conflicts; candidates must check the Settings Catalog or baseline details to find the source.

IAM user password policy not applying to all users

Symptom: Password policy set in AWS IAM applies to new users but some existing users still have weak passwords.

The account password policy only affects future password changes. Existing passwords remain until the user changes them. Force password change at next login must be enabled separately.

Exam clue: AWS-SAA and Security+ exams test that baseline password policies are not retroactive; users may need to be forced to update.

CIS-CAT scan on Azure VM fails due to missing dependencies

Symptom: When running CIS-CAT on an Azure Windows VM, the scan fails with errors about missing PowerShell modules or .NET version.

CIS-CAT requires certain prerequisites like PowerShell 5.1 or later, .NET Framework, and administrative privileges. The VM might be using a poorly maintained image.

Exam clue: CySA+ exams test that scan tools have dependencies and that administrators must validate the target environment before scanning.

Memory Tip

Think of a security baseline as the 'factory reset of security', it is the minimum safe state you can always return to.

Learn This Topic Fully

This glossary page explains what Security baseline means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.A company wants to enforce a security baseline across all its AWS accounts using AWS Organizations. Which service should be used to restrict the maximum permissions available to IAM users and roles in member accounts?

2.In Microsoft Intune, which of the following is true about security baseline policies?

3.CIS Benchmarks are divided into levels. Which level is recommended for a production server with minimal operational impact?

4.An AWS Config rule shows that multiple EC2 instances have security groups with SSH open to the entire internet (0.0.0.0/0). What is the best immediate remediation to bring the environment back into baseline compliance?

5.A Windows device is assigned an Intune security baseline policy but fails to apply BitLocker settings. The device shows as compliant for all other settings. What is the most likely cause?