# Security Misconfigurations

## Table of Contents

- [Overview](#overview)
- [Viewing the System Misconfigurations](#viewing-the-system-misconfigurations)
- [Deploying Secure Configuration](#deploying-secure-configuration)

[Watch the video on YouTube](https://www.youtube-nocookie.com/embed/H7G5vISt2MY)

## Overview

Most of the time, security configurations of network systems are unmanaged, improperly configured, or left as default. As organizations increasingly rely on complex IT infrastructures, the potential for misconfiguration grows. Default credentials, an inactive or disabled firewall or antivirus, elevated privileges, and open shares can all raise security concerns. A misconfigured system may leave an organization vulnerable to cyberattacks such as data breaches, ransomware, and denial-of-service attacks. Thus, identifying and addressing misconfigurations promptly is critical to maintaining the integrity, availability, and confidentiality of systems and data.

To reduce the attack surface, **Vulnerability Manager Plus** continuously monitors all the systems in your network for security misconfigurations. **Vulnerability Manager Plus** uses predefined templates for security configurations designed to harden your systems. These templates are curated from CIS (Center for Internet Security) and STIG (Security Technical Implementation Guide) benchmarks, ensuring adherence to industry standards. Any deviation from these templates is listed as a misconfiguration, and the console provides the necessary fixes or resolutions to address it without impacting critical operations.

**Applies to:**

- **Windows**
- **Linux**

## Viewing the System Misconfigurations

To view the security misconfigurations present across the managed computers, click on **Threats & Patches → Threats → System Misconfiguration**. In this window, all misconfigurations are listed.
Under **Category**, you can see the misconfiguration type; under **Affected Systems**, you can see the count of managed computers with that misconfiguration. By clicking on that count, you can see the names of the affected systems individually. Under **Action**, you can see whether a fix is available, and if it is, you can see whether a reboot is required under the **Reboot Required** section. By clicking on the **Filters** button, you can filter and prioritize the misconfigurations based on specific criteria.

![Security Misconfigurations](https://www.manageengine.com/products/desktop-central/help/images/vm1.png)

## Deploying Secure Configuration

After filtering, select the misconfigurations for which you need to deploy the fix by enabling the checkbox beside each misconfiguration and clicking on **Fix**. You will be redirected to the **System Configurations** window.

![System Configurations Window](https://www.manageengine.com/products/desktop-central/help/images/vm2.png)

**Name and Description:** Under this section, you can give the configuration a name of your choice, and by clicking on **Add Description**, you can add a description if needed.

**Add Misconfiguration:** Under this section, you can see the selected misconfigurations for which you want to deploy the fix. Under the **Post Deployment Issues** section, you can see the impact this fix may have on the computer after deployment. If it has no impact, *No Impact* is shown. If you wish to add more misconfigurations to fix, click on **Add Misconfiguration**, filter, and add the required ones.

**Define Target:** After choosing the misconfigurations to fix, you can choose to include or exclude target computers of your choice under the **Define Targets** section. To learn more about defining targets, refer to [this page](https://www.manageengine.com/products/desktop-central/help/defining_targets.html).

**Execution Settings:** After defining the targets of your choice, configure the **Execution Settings**, which are optional. Under this section, if you want to configure notifications about this activity, select the *Enable Notifications* option. To learn more about this, refer to [this page](https://www.manageengine.com/products/desktop-central/help/configuring_execution_settings.html).

After configuring the required settings:

- If you want to deploy the fix immediately, select **Deploy Immediately**. This feature will deploy fixes to a maximum of 200 computers immediately, with the remaining selected computers getting their fixes deployed in their subsequent refresh cycle.
- If you click on **Deploy**, the deployment of the fixes will happen in the subsequent refresh cycle for all the selected computers.

**Note:**

1. System Misconfiguration status for each system will be updated after a [patch scan](https://www.manageengine.com/products/desktop-central/help/patch_management/patch-scan.html).
2. Sometimes, security settings might be inappropriately configured in Domain GPO and can't be overridden from the console. To manually resolve these misconfigurations, refer to these [articles](https://www.manageengine.com/vulnerability-management/misconfiguration/#misconfig-index).
3. You can track the status of security configuration deployments from **Deployment → Security Configurations**.
4. If a misconfiguration fix deployment has failed on any computer, that computer is listed under the **Attention Required** view. To view those computers, click on **Threats & Patches → Systems → Attention Required**, and under this section click on **Failed Security Configurations**, select the computers where the deployment has failed, and click on **Deploy Failed Configuration** to reinitiate the deployment of that fix.

If you have any further questions, please refer to our [Frequently Asked Questions](https://www.manageengine.com/products/desktop-central/help/vulnerability-remediation/vulnerability-faq.html#misco) section for more information.