Benchmarks & Guidelines

What benchmarks do you use to secure your systems? Do you automate this process? If so, how?

I am trying to develop a process to ensure our systems are hardened uniformly for general business use. In the past, I’ve made the mistake of overly hardening (NSA Guidelines) my environment and broke a few things 🙂


@seag33k I think the DISA STIG is a decent resource, but like you mentioned it can break things; still, the STIGs are very robust and available for a lot of platforms (https://iase.disa.mil/stigs/pages/a-z.aspx). If you are looking at cloud infrastructure, the FedRAMP standard (https://www.fedramp.gov/documents/) was an augmented NIST 800-53 guideline last time I looked at it, and is fairly robust. Other ones that come to mind are the OWASP Top Ten for web applications (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), Microsoft’s recommendations and tooling (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines), and the CIS Security Baselines (https://www.cisecurity.org/cis-benchmarks/). I’ve spent more time on the systems side of the house, so those are the ones that come to mind.

On the automation front, I think that depends on the platform(s) you are trying to manage, and each might have some separate components you can leverage. Are you targeting systems, network, cloud, web apps, mobile, or all of the above?

Cody -

Thanks for the input. I am focused on laptops, servers, and network gear at the moment. I’ve been looking into the CIS membership, which includes associated GPOs and scripts to automate the deployment. They also have a scanning tool (CIS-CAT Pro) which evaluates systems based on the targeted CIS benchmarks. There are other benefits to the membership, but it’s not cheap.

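The post above describes what a benchmark scanner such as CIS-CAT Pro does: it takes a benchmark expressed as a list of checks, reads a host's actual configuration, and reports pass/fail per check. The script below is an added example of that pattern in miniature, written for this thread; it is not code from the forum, from CIS, or from any benchmark product. The check identifiers (`EX-01` etc.), the split into a level-1 "general use" profile and a stricter level-2 profile, and the sample `sshd_config` are all constructed for the example. The profile filter is the part relevant to the original poster's concern about over-hardening: run the general-use profile fleet-wide and apply the stricter one only where it has been tested.

```python
"""Minimal benchmark-style configuration checker (added example, not a real benchmark)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Check:
    check_id: str                              # hypothetical id, not a real CIS/STIG number
    description: str
    directive: str                             # sshd_config directive to inspect (lower-case)
    passes: Callable[[Optional[str]], bool]    # receives the value, or None if the directive is absent
    level: int                                 # 1 = general-use baseline, 2 = stricter (our own split)


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {directive_lower: value} for an sshd_config-style file.

    sshd honours the *first* occurrence of a directive, so a later duplicate
    must not override it; setdefault() keeps the first value for that reason.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                             # directive without a value: ignore
        key, value = parts[0].lower(), parts[1].strip()
        conf.setdefault(key, value)
    return conf


# Constructed baseline. Defaults noted in comments are sshd's own documented defaults.
BASELINE: List[Check] = [
    Check("EX-01", "Root may not log in over SSH", "permitrootlogin",
          lambda v: v is not None and v.lower() == "no", level=1),
    Check("EX-02", "At most 4 authentication attempts per connection", "maxauthtries",
          lambda v: int(v if v is not None else 6) <= 4, level=1),            # default 6
    Check("EX-03", "Logging at INFO or VERBOSE", "loglevel",
          lambda v: (v or "INFO").upper() in ("INFO", "VERBOSE"), level=1),  # default INFO
    Check("EX-04", "X11 forwarding disabled", "x11forwarding",
          lambda v: (v or "no").lower() == "no", level=2),                   # default no
    Check("EX-05", "Password authentication disabled (keys only)", "passwordauthentication",
          lambda v: v is not None and v.lower() == "no", level=2),           # default yes
]


def evaluate(config: Dict[str, str], checks: List[Check], profile_level: int) -> Dict[str, bool]:
    """Run every check whose level is <= profile_level; return {check_id: passed}."""
    results: Dict[str, bool] = {}
    for c in checks:
        if c.level > profile_level:
            continue
        value = config.get(c.directive)
        try:
            results[c.check_id] = bool(c.passes(value))
        except ValueError:        # malformed value (e.g. non-numeric MaxAuthTries) is a failure
            results[c.check_id] = False
    return results


def failing(results: Dict[str, bool], checks: List[Check]) -> List[str]:
    """Human-readable lines for every failed check, for a report or ticket."""
    by_id = {c.check_id: c for c in checks}
    return [f"{cid}: {by_id[cid].description} (directive {by_id[cid].directive})"
            for cid, ok in results.items() if not ok]


SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config for this example; not taken from a real host
Port 22
PermitRootLogin yes
PermitRootLogin no      # duplicate: sshd ignores this line, and so does the parser
MaxAuthTries 6
X11Forwarding no
PasswordAuthentication yes
LogLevel INFO
"""

if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for level in (1, 2):
        res = evaluate(conf, BASELINE, level)
        print(f"profile level {level}: {sum(res.values())}/{len(res)} checks passed")
        for line in failing(res, BASELINE):
            print("  FAIL", line)
```

Running it against the sample shows the level-1 profile failing two of three checks and the level-2 profile adding one more failure (password authentication). Feeding it real files from many hosts, and keeping the baseline in version control next to the remediation scripts, is the shape of the automation the thread is asking about; the data-driven check list is what lets you add a check once and rerun it everywhere.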

Looking through the Microsoft Security Compliance Toolkit brought up a question. Does this integrate with any enterprise tools? They have a link to their Policy Analyzer tool, which works well if you’re only reviewing a small number of hosts. Are there any other tools that could do this across the enterprise? Also, does anyone know where I could find guides associated with the GPOs from the MS Security Compliance Toolkit? Something that goes into detail for each of their settings in the GPO?

Although this may not be the level of detail you are looking for, you could check out the spreadsheets at Group Policy Settings Reference for Windows and Windows Server.

Jay, thanks, but yes I was hoping for a bit more detail since some of the items are quite clear.