Introducing configuration audits

A configuration audit is an information security procedure where you prepare a baseline configuration, and then compare this with the current configuration to perform a gap analysis, later working on closing those gaps to get as close as possible to the baseline configuration. This process of closing the gaps and achieving a maximum hardened state is called risk or vulnerability mitigation.

Most companies and organizations rely on strong configurations to ensure security in their systems. A well-hardened and patched system is a nightmare for a hacker to break into. As many companies opt to move their operations to the cloud, configuration plays a greater role in security now than ever. A simple lapse in a network device, such as allowing default users to log in, would help a hacker gain access to a whole network in minutes.

A regular application has two major components: the frontend and the backend. The frontend is where the end users access the application as a visible resource. Anything that is not visible or not accessible to the end user can be considered the backend. This includes the web server, application server, database server, router, firewall, and intrusion prevention and detection systems. These components could run on physically separate devices or be handled by a single cluster of servers. All of them are software that can be installed on any physical server; for example, an Apache Web Server can be installed on a normal computer with the Windows operating system, and a simple XAMPP package installs a web/app server, a database, and an application framework. Each of these components comes with its own configuration, and a simple misconfiguration at any level of the application architecture can compromise the security of the whole system.

A configuration audit strengthens the structure of an organization's network security. Continuous monitoring of changes to the configurations of network devices and services in the infrastructure also helps to keep those devices and servers securely configured. The following are some of the steps that can be taken to ensure strict hardening of servers:

  1. Detect any dynamic changes in the configuration
  2. Perform a configuration audit on new or changed configurations
  3. Examine device and server logs strictly
  4. Perform the audit end to end across the network, from the web application to the database
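The baseline comparison and change detection described above can be sketched as follows. This is an added example, not code from the book; the baseline values and the sample Apache configuration fragment are constructed for illustration and are not an official hardening benchmark.

```python
import hashlib

# Constructed baseline: the hardened values we expect (assumed for illustration).
BASELINE = {
    "ServerTokens": "Prod",
    "ServerSignature": "Off",
    "TraceEnable": "Off",
    "Timeout": "60",
}

# Constructed sample of a server's current configuration.
CURRENT_CONF = """\
# sample httpd.conf fragment (constructed)
ServerTokens Full
ServerSignature Off
Timeout 300
Listen 80
"""

def parse_directives(text):
    """Parse 'Directive value' lines, skipping blank lines and comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # handles spaces or tabs as separator
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def gap_analysis(baseline, current):
    """Return (directive, expected, actual) for every deviation from the baseline."""
    gaps = []
    for name, expected in sorted(baseline.items()):
        actual = current.get(name)  # None: directive is not set at all
        if actual is None or actual.lower() != expected.lower():
            gaps.append((name, expected, actual))
    return gaps

def fingerprint(text):
    """SHA-256 of the configuration text, recorded at audit time."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def needs_reaudit(last_audited_digest, text):
    """True when the configuration changed since the last audit (steps 1 and 2)."""
    return fingerprint(text) != last_audited_digest

if __name__ == "__main__":
    for name, expected, actual in gap_analysis(BASELINE, parse_directives(CURRENT_CONF)):
        print(f"GAP {name}: expected {expected!r}, found {actual!r}")
```

A directive that is absent from the current configuration is reported as a gap, because the server then falls back to its default rather than the baseline value.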

There are four major types of audits that can be performed during the configuration audit, as discussed in the following sections.
