Configuration Management: It is often easier to keep fully hardened OS images and build each new
system from the image. We then update the image when new vulnerabilities are found or
patches need to be applied. Often, though, we use a standard image and just apply the missing
patches. We do this for every device on our network: servers, workstations, phones, routers, switches,
etc. Before introducing a system into our production environment, we run vulnerability scans against it
to ensure we didn't miss anything (rarely done on workstations; should be done on servers/network
equipment). Having a standard hardening baseline for each OS ensures all servers are similarly
hardened, so there should be no weak links. Standardized hardening also makes
troubleshooting much easier.
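
The per-OS baseline check described above, as an added example that is not part of the original notes: it compares each system's reported settings and patches against the hardening baseline for its OS and lists what would keep it out of production. The baselines, setting names, patch IDs and hosts are all constructed for illustration.

```python
# Hypothetical hardening baselines, one per OS image (values are illustrative).
BASELINES = {
    "linux-server": {
        "settings": {"ssh_root_login": "no", "telnet_service": "disabled",
                     "password_min_length": "14"},
        "required_patches": {"PATCH-001", "PATCH-002"},
    },
    "router": {
        "settings": {"http_admin": "disabled", "snmp_v1": "disabled"},
        "required_patches": {"FW-010"},
    },
}

# Constructed inventory, as a collection agent or scanner export might report it.
HOSTS = [
    {"name": "web01", "os": "linux-server",
     "settings": {"ssh_root_login": "no", "telnet_service": "disabled",
                  "password_min_length": "14"},
     "patches": {"PATCH-001", "PATCH-002"}},
    {"name": "db01", "os": "linux-server",
     "settings": {"ssh_root_login": "yes", "telnet_service": "disabled"},
     "patches": {"PATCH-001"}},
    {"name": "edge-rtr", "os": "router",
     "settings": {"http_admin": "disabled", "snmp_v1": "enabled"},
     "patches": {"FW-010"}},
    {"name": "kiosk7", "os": "legacy-os", "settings": {}, "patches": set()},
]

def audit_host(host):
    """Return a sorted list of deviations from the host's OS baseline."""
    baseline = BASELINES.get(host["os"])
    if baseline is None:
        # No baseline means the system cannot be shown to be hardened.
        return [f"no baseline defined for OS '{host['os']}'"]
    findings = []
    for key, expected in baseline["settings"].items():
        actual = host["settings"].get(key, "<unset>")  # a missing setting counts as drift
        if actual != expected:
            findings.append(f"setting {key}: expected {expected}, found {actual}")
    for patch in baseline["required_patches"] - host["patches"]:
        findings.append(f"missing patch {patch}")
    return sorted(findings)

def production_gate(hosts):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    report = {h["name"]: audit_host(h) for h in hosts}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    print(production_gate(HOSTS))
```

A system with no defined baseline is reported as a finding rather than passed, since it cannot be shown to match the standard.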