Security Basics mailing list archives

RE: STIG Implementation


From: "THOMAS, DEDRIC" <dt7089 () att com>
Date: Mon, 20 Aug 2012 13:01:21 +0000

Good Morning!

First, let me "WELCOME" you to the "IA World". In an attempt not to repeat the last two responses (which pointed out 
very good points, may I add), you need to work with the SysAdmin in order to ensure that the Server is working properly 
and the applications that reside on top of the OS are not broken through the STIG Process.  A Manual STIG'n can be very 
time consuming, but will get you very familiar "REAL QUICK" with understanding the STIG'n Process and what actual 
settings/configurations are being modified via the GOLD Disk.  My suggestion would be the following:

1.  If you are working with a SysAdmin, ensure they are available for testing during the STIG Process to ensure that the 
Server/Workstation is functional after STIG'n.

2.  VMS - If you are uploading the results into VMS, please by ALL MEANS annotate the findings with as much detail as 
possible, for this will save you headaches during audits.  (If you want to have what I consider a "Book of Life", a Log 
Book of your Auditing Activities, this will help in the future also.)  You will always have a reference point to go to 
if you have any questions about a particular Server or Workstation.

3.  For any findings that appear not to be mitigated, or can't be due to the functionality of the Server, please Annotate 
accordingly.  And BY ALL MEANS DO NOT FALSIFY any information in VMS.  It's the quickest way to be given an eternal 
Lunch Break from the DoD!

I hope these points help you as you guide your way through the IA World!  

Best of Luck

~Dedric :-)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Keith Kooyman
Sent: Friday, August 17, 2012 9:54 AM
To: Rob Riggins; security-basics () securityfocus com
Subject: RE: STIG Implementation

I have used Gold Disk a number of times.  It is a good process to use for
analysis but be very careful of using it to automatically harden a server.
You have a very high likelihood of hosing the server, requiring a
reinstall.  When a person is green there's a big tendency to automate
server hardening as much as possible, but experience teaches a person that
automation can only do so much.  One can automate a semi-hardened template
that generically takes a first pass at security, but from then on a wise
person takes the controls and manually steers through the minefield of
server hardening.  I have found that this process typically takes multiple
passes through the hardening process - testing after each pass - to ensure
the server is ready for prime time.  Even then, a wise professional will
closely monitor and test the first few weeks of production to ensure
nothing was missed.  It's tedious work to be sure but hackers are
tenacious, so we must be even more so.  After all this, the new server
can join the rest of the pack for testing on a regular schedule.


Regards,

Keith Kooyman

This email may contain the thoughts and opinions of Keith Kooyman and does
not represent official Texas State Technical College Waco policy.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Rob Riggins
Sent: Thursday, August 16, 2012 1:57 PM
To: security-basics () securityfocus com
Subject: Re: STIG Implementation

My advice with the Gold Disk is to definitely not run the automated
remediation process. Make the changes manually, because the remediation
process can break things. Of course, you can break things manually
too, but at least you will have an idea what you did if you remediate
manually.

Gold Disk only reviews Windows and some installed components. The Gold
Disk is being phased out this year. You have two other choices: SCAP tools
and manual reviews.

What other components are on the server? You will need to review those
components with the corresponding STIGs too.

For STIG reviews, use the STIG Viewer. It will create checklists from
STIGs. After you manually run through the checklist items, you can create
an export file to upload to VMS (if that's where the results are going).

Will you upload the results into VMS?

I could write a tiny book on this. This process can be very frustrating if
you are doing it without someone guiding you.

Rob


On Tue, Jul 31, 2012 at 4:59 PM, <JNMiller1978 () gmail com> wrote:

Hello All,

I am new to the IA field and was wondering if anyone would like to
share some of their experience with STIG Implementation.  I am going
through them manually now as I have not gained access to Gold Disk yet.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




--
Rob Riggins
Minneapolis, MN
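Rob's advice to work through the STIG Viewer checklist and export it, and Dedric's point 2 about annotating every finding before it goes into VMS, can be backed by a small pre-upload check that lists Open findings with no finding details or comments. This is an added example, not code from the thread or from STIG Viewer; it assumes the .ckl export layout (CHECKLIST/STIGS/iSTIG/VULN with STIG_DATA pairs, STATUS, FINDING_DETAILS and COMMENTS) and runs on a constructed sample checklist.

```python
import xml.etree.ElementTree as ET

# Constructed sample checklist (not from the thread). Element names follow the
# STIG Viewer .ckl export as assumed here; check them against your version.
SAMPLE_CKL = """<CHECKLIST><STIGS><iSTIG>
 <VULN>
  <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-EXAMPLE-1</ATTRIBUTE_DATA></STIG_DATA>
  <STATUS>Open</STATUS>
  <FINDING_DETAILS>Log size 1 MB; vendor app requires 512 KB.</FINDING_DETAILS>
  <COMMENTS>Mitigated by central log forwarding; POA&amp;M opened.</COMMENTS>
 </VULN>
 <VULN>
  <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-EXAMPLE-2</ATTRIBUTE_DATA></STIG_DATA>
  <STATUS>Open</STATUS>
  <FINDING_DETAILS></FINDING_DETAILS>
  <COMMENTS></COMMENTS>
 </VULN>
 <VULN>
  <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-EXAMPLE-3</ATTRIBUTE_DATA></STIG_DATA>
  <STATUS>NotAFinding</STATUS>
  <FINDING_DETAILS>Verified in Local Security Policy: 14 characters.</FINDING_DETAILS>
  <COMMENTS></COMMENTS>
 </VULN>
</iSTIG></STIGS></CHECKLIST>"""

def load_findings(ckl_xml):
    """Return one dict per VULN with its id, status, finding details and comments."""
    findings = []
    for vuln in ET.fromstring(ckl_xml).iter("VULN"):
        attrs = {sd.findtext("VULN_ATTRIBUTE"): sd.findtext("ATTRIBUTE_DATA", "")
                 for sd in vuln.findall("STIG_DATA")}
        findings.append({
            "id": attrs.get("Vuln_Num", "?"),
            "status": vuln.findtext("STATUS", "").strip(),
            "details": vuln.findtext("FINDING_DETAILS", "").strip(),
            "comments": vuln.findtext("COMMENTS", "").strip(),
        })
    return findings

def unannotated_open(findings):
    """Open findings with neither details nor comments: annotate these before upload."""
    return [f["id"] for f in findings
            if f["status"] == "Open" and not (f["details"] or f["comments"])]

def status_summary(findings):
    """Count findings per status, e.g. {'Open': 2, 'NotAFinding': 1}."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts
```

Run `unannotated_open(load_findings(open("host.ckl").read()))` against a real export; an empty list means every Open finding carries the detail an auditor will ask for.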
