Educause Security Discussion mailing list archives
Re: System Hardening Standards
From: Taylor Randle <TRandle () PARKER EDU>
Date: Mon, 14 Nov 2016 21:21:32 +0000
That's exactly what we've done. We don't follow a specific standard or framework down to the letter - we picked a framework (primarily NIST, but we have also borrowed from others, such as our state's security standards - we're in Texas, so TAC 202; we're private and thus not required to adhere, but we still use it as a starting point/framework) and modified it to what works best for our environment and our business processes, and formed our own set of policies/guidelines accordingly, documenting all along the way.

For server hardening specifically, some resources that you may find useful:

NIST:
- Checklists/Benchmark Repo: https://web.nvd.nist.gov/view/ncp/repository
- Guide to General Server Security: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
- Hardening Microsoft Windows: http://www.nist.org/news.php?extend.204

CIS:
- https://benchmarks.cisecurity.org/downloads/#free

SANS:
- Checklists: https://www.sans.org/score/checklists
- Policy Templates: https://www.sans.org/security-resources/policies
- Server Security policy template: https://www.sans.org/security-resources/policies/server-security/pdf/server-security-policy

In addition to policy/frameworks/checklists, some tools that will help you: Nessus' basic scans will assist in vuln management/hardening, but Nessus also has Policy Compliance Auditing and SCAP/OVAL scans which can audit your systems against known best practices/baselines, including the CIS/NIST benchmarks listed above. For *nix systems, I've found Lynis - https://cisofy.com/lynis/ - to be useful for hardening.

Hope this helps.

~Taylor

Taylor Randle
Director, Client Services & IT Security
2540 Walnut Hill Lane, Dallas, TX 75229
trandle () parker edu
www.parker.edu | www.parkerseminars.com
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam Maynard
Sent: Monday, November 14, 2016 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] System Hardening Standards

I'd be interested in that as well. Right now I'm looking into CIS and/or NIST, then tweaking them to fit our environment.

-Adam

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Justin Harwood
Sent: Monday, November 14, 2016 12:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] System Hardening Standards

Hello,

Can someone recommend what you have used in the EDU space for system hardening standards that works well?

________________________________
This e-mail, including any attachments, is intended only for the addressee's use and may contain confidential and proprietary information. If you are not the intended recipient, you are hereby notified that any retention, dissemination, reproduction, or use of the information contained in this e-mail is strictly prohibited. If you have received this e-mail by error, please delete it and immediately notify the sender. Thank you for your cooperation.
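Added example (not from the thread or any of the tools named in it): the kind of baseline audit that Nessus compliance scans, SCAP/OVAL content and Lynis perform, reduced to its core - a benchmark expressed as data, an effective-configuration parser, and a comparison that reports pass/fail per control. The control identifiers, the assumed sshd defaults and the sample sshd_config are constructed for illustration, not taken from a real CIS or NIST benchmark.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Control:
    control_id: str          # constructed identifier, not a real benchmark number
    key: str                 # sshd_config directive, lower-cased
    allowed: Optional[tuple] # satisfying values; None = any explicit value is fine
    default: Optional[str]   # assumed value when absent; None = must be set explicitly

# Constructed mini-baseline. Defaults are assumptions for this example,
# not authoritative; a real scan reads them from the vendor benchmark content.
BASELINE = (
    Control("SSH-01", "permitrootlogin", ("no",), "prohibit-password"),
    Control("SSH-02", "passwordauthentication", ("no",), "yes"),
    Control("SSH-03", "permitemptypasswords", ("no",), "no"),
    Control("SSH-04", "maxauthtries", ("1", "2", "3", "4"), "6"),
    Control("SSH-05", "x11forwarding", ("no",), "no"),
    Control("SSH-06", "banner", None, None),  # absent => fail
)

def parse_sshd_config(text: str) -> dict:
    """Return the effective directives. sshd uses the first value obtained
    for a keyword, so later duplicates are ignored (first wins)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip().lower())
    return effective

def audit(config_text: str, baseline=BASELINE) -> list:
    """One finding per control: status, observed value, and whether the
    value came from the file or from the assumed default."""
    effective = parse_sshd_config(config_text)
    findings = []
    for c in baseline:
        explicit = c.key in effective
        observed = effective.get(c.key, c.default)
        if observed is None:
            status = "fail"  # control requires an explicit setting
        elif c.allowed is None or observed in c.allowed:
            status = "pass"
        else:
            status = "fail"
        findings.append({"id": c.control_id, "status": status, "observed": observed,
                         "source": "explicit" if explicit else "default"})
    return findings

def failed_controls(findings: list) -> list:
    return [f["id"] for f in findings if f["status"] == "fail"]

SAMPLE_SSHD_CONFIG = """\
# constructed sample, not captured from a real host
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries = 3
"""
```

Note that the duplicated PermitRootLogin line fails the check because sshd honours the first occurrence, which is exactly the class of mistake a baseline audit catches that eyeballing a file does not.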