Educause Security Discussion mailing list archives
Re: Server 2008 GPOs for isolated PCI environment
From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Wed, 28 Nov 2012 09:33:42 -0600
I used the Microsoft "SSLF" (Specialized Security – Limited Functionality) standards as the starting point for my GPOs. Keep in mind that the SSLF standard disables Remote Desktop in about 3 or 4 different ways, so if you are using a Remote Desktop server with thin clients like I am, you need to change some of the settings. Generally I found the settings work well, but they are harsh in a few spots and some applications need a specific setting reverted, which I do on a server-by-server basis with a second group policy object that is only applied to that server. There are a lot of "security" settings that aren't set in these policies, because in reality those settings don't prevent users from doing things, they just hide things. But you still will need to go through and enable additional settings that make sense for your environment.

The CIS standards are very similar, but the advantage of the Microsoft standards is in the use of the Security Compliance Manager application. It lets you export the standards as a Group Policy backup, among other options, that can easily be imported into Group Policy or SCCM. Regardless, I'd still read through the CIS standards to make sure you're doing everything you should, though our QSAs were fine with the SSLF standards from Microsoft.

http://technet.microsoft.com/en-us/library/gg236605.aspx

When documenting, I say I use the SSLF standard:

"Server 2008 x86, Server 2008 x64, and Server 2008 R2 shall be configured according to the manufacturer's documentation titled "Windows Server® 2008 Security Guide Version 3.0," published in February 2009 as part of the "Security Compliance Management Toolkit Series." Newer versions of the same security standard shall be acceptable. The "Windows Server® 2008 Security Guide Version 3.0" provides two security standards; the "Specialized Security – Limited Functionality (SSLF)" standard shall be used."
I then go and list the exceptions that are made, like for remote desktop and settings on individual machines. I document the other, non-security settings separately as they are not part of the "hardening" of the system.

-Eric

-------- Original Message --------
Subject: [SECURITY] Server 2008 GPOs for isolated PCI environment
From: Nick Recchia <nprecchia () USFCA EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 11/27/2012 6:58 PM
We are implementing a new 2008 server to assist in fulfilling PCI SAQ D requirements (our vendor is Moneris). Does anyone have PCI 2008 GPOs we may leverage? Thanks in advance.

-Nick

--
Nicholas Recchia, Ed.D.
Security Administrator
ITS - Security Services
infosec.usfca.edu <http://infosec.usfca.edu>
--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

If you see an attachment called smime.p7s, you may disregard it. It is an S/MIME digital signature file to validate the authenticity of this email message.
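One way to script the layering Eric describes (SSLF baseline imported from the SCM-exported GPO backup, plus a second GPO that reverts a setting for a single Remote Desktop server), as an added example that is not from the thread or from Microsoft's toolkit. The backup folder, backup GPO name, GPO display names, OU and computer name are assumed placeholders; the one registry policy value shown re-enables only the "allow remote connections" policy, which is one of the ways the baseline turns Remote Desktop off.

```powershell
# Added example (not from the thread): layer a per-server exception GPO on top of an
# SCM-exported SSLF baseline. Needs the GroupPolicy module (RSAT or a DC) and an
# account allowed to create and link GPOs. All names and paths below are placeholders.
Import-Module GroupPolicy

$BackupPath   = 'C:\SCM\Export\GPOBackup'       # folder produced by SCM "Export > GPO Backup" (assumed)
$BackupName   = 'WS08SP2-SSLF-Member-Server'    # GPO name inside that backup folder (assumed)
$BaselineGpo  = 'PCI - Server 2008 SSLF Baseline'
$ExceptionGpo = 'PCI - RDS01 exceptions'
$ServerOU     = 'OU=PCI Servers,DC=example,DC=edu'
$Server       = 'RDS01'                         # computer account name of the Remote Desktop server

# 1. Import the SSLF baseline from the SCM backup, creating the GPO if it does not exist yet.
Import-GPO -BackupGpoName $BackupName -Path $BackupPath -TargetName $BaselineGpo -CreateIfNeeded

# 2. Link the baseline to the PCI OU at lower precedence; it applies to every server there.
New-GPLink -Name $BaselineGpo -Target $ServerOU -LinkEnabled Yes -Order 2

# 3. Create the exception GPO for the one Remote Desktop server; the comment is the
#    documented reason for the deviation from the baseline.
New-GPO -Name $ExceptionGpo -Comment 'Documented PCI exception: RDS host needs Remote Desktop'

# 4. Revert exactly one baseline setting: "Allow users to connect remotely using Remote
#    Desktop Services". Value 0 = connections allowed. The baseline blocks Remote Desktop
#    in other ways too (user rights, firewall, service); add those only as you document them.
Set-GPRegistryValue -Name $ExceptionGpo `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 0

# 5. Link the exception GPO above the baseline so its settings win on conflict.
New-GPLink -Name $ExceptionGpo -Target $ServerOU -LinkEnabled Yes -Order 1

# 6. Security-filter the exception GPO to the single server: replace the default
#    "Apply" right of Authenticated Users with read-only (computers still need read to
#    process the GPO), then grant Apply to just this computer account.
Set-GPPermission -Name $ExceptionGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $ExceptionGpo -TargetName $Server -TargetType Computer -PermissionLevel GpoApply
```

After `gpupdate /force` on the server, `gpresult /r /scope computer` should list both GPOs for RDS01 and only the baseline for the other servers in the OU.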