Insecure default values in software settings can be exploited by attackers to compromise the system that runs the software. As a countermeasure, security-configuration guides specify in detail which values are secure. However, most administrators still refrain from hardening existing systems because they fear that applying secure settings will degrade system functionality. To foster the application of security-configuration guides, it is necessary to identify those rules that would restrict the functionality. This article presents our approach, which uses combinatorial testing to find problematic combinations of rules and machine learning techniques to identify the problematic rules within these combinations. Administrators can then apply only the unproblematic rules and thereby increase the system's security without the risk of disrupting its functionality. To demonstrate the usefulness of our approach, we applied it to real-world problems drawn from discussions with administrators at Siemens and found the problematic rules in these cases. We hope that this approach and its open-source implementation motivate more administrators to harden their systems and, thus, increase their systems' general security.
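The two stages described above, sketched as an added illustration (this is not the authors' open-source implementation): a greedy pairwise covering array chooses which rule subsets to apply, and a failure-rate difference per rule stands in for the machine learning step. The functional-test oracle, the rule indices and all function names are constructed assumptions.

```python
import itertools
import random

def pairwise_suite(n_rules, seed=0, candidates=30):
    """Greedy 2-way covering array over on/off rules: for every pair of
    rules, all four applied/not-applied combinations occur in some test."""
    rng = random.Random(seed)
    uncovered = {(i, j, a, b)
                 for i, j in itertools.combinations(range(n_rules), 2)
                 for a in (0, 1) for b in (0, 1)}
    suite = []
    while uncovered:
        i, j, a, b = min(uncovered)      # seed each candidate: forces progress
        best, best_gain = None, 0
        for _ in range(candidates):
            cand = [rng.randint(0, 1) for _ in range(n_rules)]
            cand[i], cand[j] = a, b
            gain = sum(cand[p] == x and cand[q] == y
                       for p, q, x, y in uncovered)
            if gain > best_gain:
                best, best_gain = tuple(cand), gain
        suite.append(best)
        uncovered = {(p, q, x, y) for p, q, x, y in uncovered
                     if not (best[p] == x and best[q] == y)}
    return suite

def rank_rules(suite, outcomes):
    """Score each rule by P(fail | applied) - P(fail | not applied);
    a simple statistical stand-in for the paper's learning step."""
    scores = {}
    for r in range(len(suite[0])):
        on = [f for t, f in zip(suite, outcomes) if t[r]]
        off = [f for t, f in zip(suite, outcomes) if not t[r]]
        scores[r] = sum(on) / len(on) - sum(off) / len(off)
    return sorted(scores.items(), key=lambda kv: -kv[1])

BREAKING_RULE = 3  # constructed: applying this rule breaks the application

def functionality_breaks(test):
    """Constructed oracle replacing a real functional test of the system."""
    return bool(test[BREAKING_RULE])

def demo(n_rules=8):
    suite = pairwise_suite(n_rules)
    outcomes = [functionality_breaks(t) for t in suite]
    ranking = rank_rules(suite, outcomes)
    safe = sorted(r for r, s in ranking if s < 1.0)  # rules to apply
    return suite, ranking, safe

if __name__ == "__main__":
    suite, ranking, safe = demo()
    print(len(suite), "tests instead of", 2 ** 8, "| suspect:", ranking[0])
    print("apply rules:", safe)
```

With several interacting problematic rules, pairwise coverage alone may not separate them, which is where higher-strength test suites and a real learner become necessary.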