Skip to content

Configuration Management Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Configuration Management Policy
Framework Reference: Secure Controls Framework – Configuration Management (CFG)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Configuration Management requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to establish, enforce, and monitor secure baseline configurations for all technology assets to support system integrity and reduce attack surfaces.


This standard applies to all systems, applications, cloud services, and infrastructure components managed by FRHC, including servers, workstations, network devices, and virtual machines in both production and non-production environments. It applies equally to on-premises systems at the Evocative datacenter and cloud resources in Azure and AWS.


FRHC’s configuration management practices are governed by formal build procedures and managed configuration baselines, implemented through Group Policy Objects (GPO) for servers and Microsoft Intune policies for workstations. Changes to baseline configurations are managed through the change control process to prevent unauthorized modifications.

  • Parent Policy Mapping: STH Configuration Management Policy, Section 3.1
  • SCF Mapping: CFG-01 (Configuration Management Program)

3.2 System Hardening Through Baseline Configurations

Section titled “3.2 System Hardening Through Baseline Configurations”

FRHC hardens all systems—both servers and workstations—based on benchmarks from the Center for Internet Security (CIS) and Microsoft. Server hardening is enforced via Active Directory Group Policy; workstation hardening is managed through Intune configuration policies. The FRHC System Build Procedure provides guidance for manual steps not enforceable through policy. Pre-production systems are maintained under separate hardening policies in distinct Active Directory environments. Qualys performs quarterly scans to assess compliance against CIS benchmarks and identify drift.

  • Parent Policy Mapping: STH Configuration Management Policy, Section 3.2
  • SCF Mapping: CFG-02 (Secure Baseline Configurations)

FRHC baseline configurations explicitly disable nonessential operating system features, background services, and administrative tools. System builds are tailored to the specific business role of the system or user. Requests for additional functionality require business justification and approval through the change control process.

  • Parent Policy Mapping: STH Configuration Management Policy, Section 3.3
  • SCF Mapping: CFG-03 (Least Functionality)

All software installed on FRHC servers, desktops, and laptops must be approved by IT management. Users may not install unapproved software without a management-approved exception. Software licenses are tracked centrally, with annual audits conducted to detect unauthorized installations. Requests for new or additional licenses are submitted through a support request workflow.

  • Parent Policy Mapping: STH Configuration Management Policy, Section 3.4
  • SCF Mapping: CFG-04 (Software Usage Restrictions)

Unless otherwise authorized, users are not granted administrative rights to their own workstations. This restriction is enforced via Group Policy and Intune to prevent software installation or modification without IT involvement, reducing the risk of malware introduction and license violations.

  • Parent Policy Mapping: STH Configuration Management Policy, Section 3.5
  • SCF Mapping: CFG-05 (User-Installed Software)

FRHC uses Microsoft Intune to push and enforce configuration profiles to all workstations, and GPO to enforce server configurations. Qualys monitors and reports on configuration drift, flagging systems that no longer align with approved baselines. Deviations are reviewed by IT for remediation or documented exception.

  • Parent Policy Mapping: STH Configuration Management Policy, Section 3.6
  • SCF Mapping: CFG-06 (Configuration Enforcement)

FRHC uses Microsoft Intune for zero-touch provisioning. When a device is joined to Microsoft Entra ID (Azure AD), Intune automatically enrolls and configures it using predefined security policies and application deployment profiles. This ensures new systems are hardened and compliant from the point of initial deployment.

  • Parent Policy Mapping: STH Configuration Management Policy, Section 3.7
  • SCF Mapping: CFG-07 (Zero-Touch Provisioning (ZTP))

FRHC maintains evidence supporting configuration management controls, including baseline configuration exports, GPO and Intune policy documentation, Qualys scan reports, and change control records. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Configuration Management Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
    • 45 CFR §164.312(c)(1) – Integrity
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC7.1, CC7.2, CC7.3)
    • Availability (A1.2)

Framework Alignment:

  • CFG-01 – Configuration Management Program
  • CFG-02 – Secure Baseline Configurations
  • CFG-03 – Least Functionality
  • CFG-04 – Software Usage Restrictions
  • CFG-05 – User-Installed Software
  • CFG-06 – Configuration Enforcement
  • CFG-07 – Zero-Touch Provisioning (ZTP)

RevDescriptionDateApproved
-Policy createdOctober 2019M Machin
1.0Formatting UpdateSeptember 2022WSI
1.1Policy updated and approved for 2024May 2024WSI
2.0Updated and approved for 2025July 2025M Machin
3.0Converted to StandardApril 2026M Machin
3.1Corrected parent policy mapping references to current section format (Section N → Section 3.x)April 2026M Machin

Internal Use Only