What benchmarks do you use to secure your systems? Do you automate this process? If so, how?
I am trying to develop a process to ensure our systems are hardened uniformly for general business use. In the past, I’ve made the mistake of over-hardening (NSA Guidelines) my environment and broke a few things.
On the automation front I think that depends on the platform(s) you are trying to manage, and each might have some separate components you can leverage. Are you targeting systems, network, cloud, web apps, mobile, or all of the above?
Thanks for the input. I am focused on laptops, servers, and network gear at the moment. I’ve been looking into the CIS membership, which includes associated GPOs and scripts to automate the deployment. They also have a scanning tool (CIS-CAT Pro) which evaluates systems based on the targeted CIS benchmarks. There are other benefits to the membership, but it’s not cheap.
Looking through the Microsoft Security Compliance Toolkit brought up a question. Does this integrate with any enterprise tools? They have a link to their Policy Analyzer tool, which works well if you’re only reviewing a small number of hosts. Are there any other tools that could do this across the enterprise? Also, does anyone know where I could find guides associated with the GPOs from the MS Security Compliance Toolkit? Something that goes into detail for each of the settings in the GPO?
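One way to get an enterprise-wide view of whether hosts actually carry a baseline, short of a CIS-CAT Pro licence or feeding each host through Policy Analyzer by hand, is to fan a registry check out over WinRM and report drift per host. The script below is an added example written for this thread, not code from any poster, from CIS or from the Microsoft Security Compliance Toolkit. The hostnames are made up, and the five settings it checks (NTLMv2-only authentication, SMB signing required on server and client, WDigest cleartext credential caching off, LSA protection on) are an illustrative baseline chosen because their registry locations are well known; take the authoritative list and values from the CIS benchmark or MS baseline you adopt rather than from this block.

```powershell
# Added example (not from the original thread or from CIS/Microsoft):
# check a handful of registry-backed baseline settings across many hosts
# over WinRM and report drift per host. Assumes PowerShell Remoting is
# enabled and the caller has local admin on the targets.

# Constructed host list (assumption); in practice pull it from AD, e.g. Get-ADComputer.
$Hosts = @('srv01.corp.example', 'srv02.corp.example', 'lap-1234.corp.example')

# Illustrative baseline (assumption): registry path, value name, expected data.
# Confirm every entry against the benchmark you actually adopt.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'LmCompatibilityLevel';     Expected = 5 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';     Name = 'UseLogonCredential';       Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'RunAsPPL';                 Expected = 1 }
)

# Runs on each remote host: read every baseline value, returning $null when the
# value is absent so "not configured" is reported as drift instead of being skipped.
$Collector = {
    param($Baseline)
    foreach ($Item in $Baseline) {
        $Actual = $null
        try {
            $Actual = (Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction Stop).($Item.Name)
        } catch { }
        [pscustomobject]@{
            Path      = $Item.Path
            Name      = $Item.Name
            Expected  = $Item.Expected
            Actual    = $Actual
            Compliant = ($Actual -eq $Item.Expected)
        }
    }
}

# Fan out to all hosts at once. Hosts that cannot be reached land in $ConnErrors
# rather than silently disappearing from the report.
$Results = Invoke-Command -ComputerName $Hosts -ScriptBlock $Collector `
    -ArgumentList (,$Baseline) -ErrorAction SilentlyContinue -ErrorVariable ConnErrors

# Full per-setting detail for the record (PSComputerName is added by Invoke-Command).
$Results |
    Select-Object PSComputerName, Path, Name, Expected, Actual, Compliant |
    Export-Csv -Path .\baseline-drift.csv -NoTypeInformation

# One summary line per host, then the hosts that never answered.
$Results | Group-Object PSComputerName | ForEach-Object {
    $Drift = @($_.Group | Where-Object { -not $_.Compliant }).Count
    '{0}: {1} of {2} settings out of baseline' -f $_.Name, $Drift, $_.Count
}
foreach ($e in $ConnErrors) { 'UNREACHABLE: {0}' -f $e.TargetObject }
```

This only covers settings that the GPO writes to the registry, which is most of a security baseline but not all of it (user rights assignments and audit policy, for example, need `secedit` or `auditpol` on the host instead of `Get-ItemProperty`). An unreachable host is reported rather than counted as compliant on purpose: a fleet report that quietly drops the machines it could not reach is exactly the kind of false assurance a hardening programme should avoid.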