Bryan Owen

Developing a Secure Baseline

Blog Post created by Bryan Owen on Oct 22, 2016

In provisioning a PI System for an independent cyber security assessment later in Q4, the team is tasked with deploying a lab that closely mimics a professionally managed enterprise security infrastructure.


Why? The stakeholders in this project are less interested in theoretical defenses than in being able to make informed decisions about baseline defensibility. For instance, understanding the level of effort to address residual risks is useful in evaluating TCO.


So we return to the task of building out a lab to match a professional security infrastructure. The obvious answer is to follow industry benchmarks. Coincidentally, the tools and benchmarks we selected were recently summarized by Sean Metcalf (@PyroTek3). Thanks, Sean!

Securing Windows Workstations: Developing a Secure Baseline » Active Directory Security


It’s great to see this kind of guidance condensed in a straightforward manner. The advice is centered on Windows workstations. About the only difference we plan for the PI System servers, including PI Coresight, is to deploy in 'Server Core' mode by removing the GUI. Server Core mode is the Microsoft default and recommended by OSIsoft. Although not yet a majority statistic, we do observe that PI System deployments are increasingly taking advantage of Server Core (mostly because there is less patching).


My overall confidence in a Windows 2012 R2 baseline selection for this project is good. Our teams in the field observe most enterprises deploy PI Systems on hardened images customized by IT; hardly any enterprise runs with Windows default settings. Please add comments if there is a different baseline we should be considering for this kind of independent assessment, or imagine what you would like to have should we make the PI System available as a virtual image.