Benchmarks & Guidelines

#1

What benchmarks do you use to secure your systems? Do you automate this process? If so, how?

I am trying to develop a process to ensure our systems are hardened uniformly for general business use. In the past, I’ve made the mistake of overly hardening (NSA Guidelines) my environment and broke a few things 🙂

2 Likes

#2

@seag33k I think the DISA STIG is a decent resource, but like you mentioned it can break things. Still, they are very robust and available for a lot of platforms (https://iase.disa.mil/stigs/pages/a-z.aspx). If you are looking at cloud infrastructure, the FedRAMP standard (https://www.fedramp.gov/documents/) was an augmented NIST 800-53 guideline last time I looked at it, and that is fairly robust. Other ones that come to mind are the OWASP Top Ten for web applications (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), Microsoft’s recommendations and tooling (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines), as well as the CIS Security Baselines (https://www.cisecurity.org/cis-benchmarks/). I’ve spent more time on the systems side of the house, so those are the ones that come to mind.

On the automation front, I think that depends on the platform(s) you are trying to manage, and each might have some separate components you can leverage. Are you targeting systems, network, cloud, web apps, mobile, or all of the above?

0 Likes

#3

Cody -

Thanks for the input. I am focused on laptops, servers, and network gear at the moment. I’ve been looking into the CIS membership, which includes associated GPOs and scripts to automate the deployment. They also have a scanning tool (CIS-CAT Pro) which evaluates systems based on the targeted CIS benchmarks. There are other benefits to the membership, but it’s not cheap.

1 Like

#4

Looking through the Microsoft Security Compliance Toolkit brought up a question. Does this integrate with any enterprise tools? They have a link to their Policy Analyzer tool, which works well if you’re only reviewing a small number of hosts. Are there any other tools that could do this across the enterprise? Also, does anyone know where I could find guides associated with the GPOs from the MS Security Compliance Toolkit? Something that goes into detail for each of their settings in the GPO?

0 Likes

#5

Although this may not be the level of detail you are looking for, you could check out the spreadsheets at Group Policy Settings Reference for Windows and Windows Server.

0 Likes

#6

Jay, thanks, but yes I was hoping for a bit more detail since some of the items are quite clear.

0 Likes