Security Basics mailing list archives
RE: STIG Implementation
From: Keith Kooyman <keith.kooyman () tstc edu>
Date: Fri, 17 Aug 2012 08:54:12 -0500
I have used Gold Disk a number of times. It is a good process to use for analysis, but be very careful of using it to automatically harden a server. You have a very high likelihood of hosing the server, requiring a reinstall. When a person is green there's a big tendency to automate server hardening as much as possible, but experience teaches a person that automation can only do so much. One can automate a semi-hardened template that generically takes a first pass at security, but from then on a wise person takes the controls and manually steers through the minefield of server hardening. I have found that this process typically takes multiple passes through the hardening process, testing after each pass, to ensure the server is ready for prime time. Even then, a wise professional will closely monitor and test the first few weeks of production to ensure nothing was missed. It's tedious work to be sure, but hackers are tenacious, so we must be even more so. After all this, the new server can join the rest of the pack for testing on a regular schedule.

Regards,
Keith Kooyman

This email may contain the thoughts and opinions of Keith Kooyman and does not represent official Texas State Technical College Waco policy.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Rob Riggins
Sent: Thursday, August 16, 2012 1:57 PM
To: security-basics () securityfocus com
Subject: Re: STIG Implementation

My advice with the Gold Disk is to definitely not run the automated remediation process. Make the changes manually, because the remediation process can break things. But of course, you can break things manually too, but at least you will have an idea what you did if you remediate manually.

Gold Disk only reviews Windows and some installed components. The Gold Disk is being phased out this year. You have two other choices: SCAP tools and manual reviews.

What other components are on the server? You will need to review those components with the corresponding STIGs too.

For STIG reviews, use the STIG Viewer. It will create checklists from STIGs. After you manually run through the checklist items, you can create an export file to upload to VMS (if that's where the results are going). Will you upload the results into VMS?

I could write a tiny book on this. This process can be very frustrating if you are doing it without someone guiding you.

Rob

On Tue, Jul 31, 2012 at 4:59 PM, <JNMiller1978 () gmail com> wrote:
Hello All,

I am new to the IA field and was wondering if anyone would like to share some of their experience with STIG Implementation. I am going through them manually now as I have not gained access to Gold Disk yet.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate

In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
--
Rob Riggins
Minneapolis, MN