Educause Security Discussion mailing list archives

Re: System Hardening Standards


From: Taylor Randle <TRandle () PARKER EDU>
Date: Mon, 14 Nov 2016 21:21:32 +0000

That's exactly what we've done. We don't follow a specific standard or framework down to the letter - we picked a 
framework (primarily NIST but have also borrowed from others - such as our state's security standards - we're in Texas 
so TAC 202 - we're private and, thus, not required to adhere but we still use it as a starting point/framework) and 
modified it to what works best for our environment and for our business processes and formed our own set of 
policies/guidelines accordingly - documenting all along the way.

For server hardening specifically, some resources that you may find useful:

NIST:
        Checklists/Benchmark Repo:
        https://web.nvd.nist.gov/view/ncp/repository

        Guide to General Server Security:
        http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

        Hardening Microsoft Windows:
        http://www.nist.org/news.php?extend.204

CIS:
        https://benchmarks.cisecurity.org/downloads/#free

SANS:
        Checklists:
        https://www.sans.org/score/checklists

        Policy Templates:
        https://www.sans.org/security-resources/policies

        Server Security policy template:
        https://www.sans.org/security-resources/policies/server-security/pdf/server-security-policy

In addition to policy/frameworks/checklists, some tools that will help you:

        Nessus' basic scans will assist in vuln management/hardening but Nessus also has Policy Compliance Auditing and 
SCAP/OVAL scans which can audit your systems against known best practices/baselines - including the CIS/NIST benchmarks 
listed above.

        For *nix systems, I've found Lynis - https://cisofy.com/lynis/  - to be useful for hardening. 

Hope this helps.
~Taylor

Taylor Randle
Director, Client Services & IT Security

2540 Walnut Hill Lane, Dallas, TX 75229
trandle () parker edu 
www.parker.edu | www.parkerseminars.com
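Once a tool such as Lynis has been run, the next practical step is turning its findings into something that can be tracked against the baseline the institution settled on. The script below is an added example, written for this archive page; it is not part of Taylor's post and not Lynis's own code. It assumes the Lynis report file (lynis-report.dat) is made of key=value lines, with repeating keys written as "warning[]=" and "suggestion[]=" and each finding formatted as "TEST-ID|description|details|solution|"; the sample report embedded in it is constructed, not taken from a real host, and the 70-point minimum hardening index is an arbitrary example threshold, not a CIS or NIST value.

```python
"""
Summarise a Lynis report (lynis-report.dat) against a local hardening baseline.

Added example for the mailing-list thread above; not the post author's or
Lynis's own code. Assumptions: the report is key=value text, list-valued keys
end in "[]" (warning[], suggestion[]), and each finding is pipe-separated as
"TEST-ID|description|details|solution|". The sample report is constructed.
"""
from collections import defaultdict

# Constructed sample of a lynis-report.dat (not from a real system).
SAMPLE_REPORT = """\
# Lynis Report (constructed sample)
lynis_version=3.0.8
hostname=web01.example.edu
os=Linux
hardening_index=58
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=PKGS-7392|Update your system with apt-get update and apt-get upgrade|-|-|
"""


def parse_report(text):
    """Parse key=value lines; keys ending in [] accumulate into lists."""
    scalars = {}
    lists = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values may themselves contain '='
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    return scalars, dict(lists)


def split_finding(entry):
    """Split 'TEST-ID|description|details|solution|' into a dict, padding short entries."""
    fields = entry.split("|")
    while len(fields) < 4:
        fields.append("-")
    return {"test": fields[0], "description": fields[1],
            "details": fields[2], "solution": fields[3]}


def summarize(text, minimum_index=70):
    """Return a dict describing how the host compares with the chosen baseline."""
    scalars, lists = parse_report(text)
    warnings = [split_finding(e) for e in lists.get("warning", [])]
    suggestions = [split_finding(e) for e in lists.get("suggestion", [])]
    index = int(scalars.get("hardening_index", "0"))
    by_test = defaultdict(list)  # group repeated suggestions (e.g. several SSH settings)
    for s in suggestions:
        by_test[s["test"]].append(s["details"])
    return {
        "host": scalars.get("hostname", "unknown"),
        "hardening_index": index,
        "meets_baseline": index >= minimum_index,
        "warning_count": len(warnings),
        "warning_tests": sorted({w["test"] for w in warnings}),
        "suggestions_by_test": dict(by_test),
    }


def format_summary(summary):
    """Render the summary as plain text suitable for a ticket or a weekly report."""
    lines = [f"{summary['host']}: hardening index {summary['hardening_index']}"
             f" ({'meets' if summary['meets_baseline'] else 'BELOW'} baseline)"]
    lines.append(f"warnings: {summary['warning_count']} ({', '.join(summary['warning_tests'])})")
    for test, details in sorted(summary["suggestions_by_test"].items()):
        extra = [d for d in details if d != "-"]
        tail = f" -> {'; '.join(extra)}" if extra else ""
        lines.append(f"  {test}: {len(details)} suggestion(s){tail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(SAMPLE_REPORT)))
```

On a real host the report text would come from reading /var/log/lynis-report.dat after `lynis audit system`; the grouping by test ID is what makes repeated SSH suggestions show up as one item with several settings to change, which maps more naturally onto a hardening checklist than the raw line-per-finding output.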

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam 
Maynard
Sent: Monday, November 14, 2016 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] System Hardening Standards

I'd be interested in that as well. 

Right now I'm looking into CIS and/or NIST, then tweaking them to fit our environment.


-Adam

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin 
Harwood
Sent: Monday, November 14, 2016 12:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] System Hardening Standards

Hello,

Can someone recommend what you have used in the EDU space for system hardening standards that works well?

________________________________

This e-mail, including any attachments, is intended only for the addressee's use and may contain confidential and 
proprietary information. If you are not the intended recipient, you are hereby notified that any retention, 
dissemination, reproduction, or use of the information contained in this e-mail is strictly prohibited. If you have 
received this e-mail by error, please delete it and immediately notify the sender. Thank you for your cooperation.