Educause Security Discussion mailing list archives
Re: System Hardening Standards
From: Eric Lukens <eric.lukens () UNI EDU>
Date: Tue, 15 Nov 2016 14:32:17 -0600
Indeed, if every machine had to follow the rules exactly, many software packages would not function, especially those made by Oracle. Microsoft, in their Security Compliance Manager baselines for Windows 10, have been removing what they see as unnecessary, legacy, or default settings since auditors have had a tendency to require that *all* settings be enforced. So sadly, rather than fixing the process, they've had to resort to molding the security standard to work around over-zealous auditors. See https://blogs.technet.microsoft.com/secguide/2015/11/18/changes-from-the-windows-8-1-baseline-to-the-windows-10-th11507-baseline/ for the full details on the Microsoft SCM changes. (Keep in mind this was their preview; there are mistakes in some of the settings there that they had to change or revert.)

We use the SCM for our Windows baselines and CIS for Linux. I still consult the CIS guide for Windows to see if there are settings I want to add, and there's some of my own stuff in there as well, so our baseline does go "above and beyond" the Microsoft SCM defaults.

-Eric

On Tue, Nov 15, 2016 at 2:32 AM, Valdis Kletnieks <Valdis.Kletnieks () vt edu> wrote:
> On Mon, 14 Nov 2016 12:44:43 -0800, Jessica Odom said:
>
> > We use CIS (https://benchmarks.cisecurity.org/downloads/#free) and tweak to our environment. They provide a nice checklist and the technical detail of how to perform the control, which is helpful since their standards are very comprehensive. We definitely cannot do everything they recommend and we annotate that in our documentation, but it serves as a useful learning exercise.
> >
> > --Jess
>
> Speaking as one of the unindicted co-conspirators who started the benchmarks, there was never any intent that every system apply every single control listed. You should apply all those controls that don't break the particular machine's reason for existence - and then document the ones you weren't able to turn off, and apply compensating controls (for instance, firewall/iptable rulesets that restrict access to only machines that need it, or additional logging/alert systems set up, possibly SNORT rulesets, etc etc).
-- 
============================================================
Eric C. Lukens
IT Security Compliance & Policy Analyst
Information Security
Innov Teaching & Tech Ctr 107
University of Northern Iowa
Cedar Falls, IA 50614-0301
(319) 273-7434
http://www.uni.edu/elukens/
============================================================
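One way to make the "apply what you can, document the rest, add compensating controls" process that Valdis describes auditable is to reconcile the benchmark, the scan results and the exception register mechanically, so that an auditor sees a justified exception rather than a bare failure. The following Python script is an added example; it is not code from this thread or from CIS or Microsoft. The control numbers, scan results and exception entries are constructed sample data (not real CIS item numbers), and the rule that a valid exception needs both an approver and at least one compensating control is an assumed local policy.

```python
"""Reconcile a hardening benchmark against scan results and documented exceptions.

Added example with constructed data: control ids, scan results and the exception
register below are invented for illustration and are not real CIS items.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed benchmark: control id -> title.
BENCHMARK = {
    "1.1": "Disable legacy authentication protocol",
    "1.2": "Restrict remote management to the admin network",
    "2.1": "Enable audit logging for privilege use",
    "2.2": "Remove unused service account",
    "3.1": "Enforce password complexity",
}

# Constructed scan output: control id -> True if the setting is enforced on the host.
SCAN_RESULTS = {
    "1.1": False,  # vendor application needs legacy auth; documented below
    "1.2": True,
    "2.1": True,
    "2.2": False,  # nobody documented this one: a real finding
    "3.1": False,  # documented, but without a compensating control
}


@dataclass
class ControlException:
    """One entry in the exception register kept alongside the baseline."""
    control: str
    justification: str
    compensating_controls: List[str] = field(default_factory=list)
    approved_by: str = ""


# Constructed exception register (the "annotate that in our documentation" part).
EXCEPTIONS = [
    ControlException(
        "1.1",
        "Oracle client on this host requires the legacy protocol",
        ["host firewall limits the port to the two app servers",
         "authentication failures forwarded to the SIEM"],
        approved_by="security-office",
    ),
    ControlException("3.1", "Shared lab account; complexity breaks the lab software"),
]


def _numeric_key(cid: str):
    """Sort '1.10' after '1.9' rather than lexically."""
    return tuple(int(part) for part in cid.split("."))


def reconcile(benchmark: Dict[str, str], scan: Dict[str, bool],
              exceptions: List[ControlException]) -> Dict[str, List[str]]:
    """Classify every control as applied, properly excepted, or a finding.

    Assumed local policy: an exception only counts if it names an approver and
    at least one compensating control. Exceptions for controls the scan shows as
    enforced are reported as stale so the register does not drift.
    """
    by_control = {e.control: e for e in exceptions}
    report: Dict[str, List[str]] = {"applied": [], "excepted": [], "findings": []}
    for cid in sorted(benchmark, key=_numeric_key):
        if scan.get(cid, False):
            report["applied"].append(cid)
            continue
        exc = by_control.get(cid)
        if exc is None:
            report["findings"].append(f"{cid}: not enforced and no documented exception")
        elif not exc.compensating_controls:
            report["findings"].append(f"{cid}: exception lacks a compensating control")
        elif not exc.approved_by:
            report["findings"].append(f"{cid}: exception has no approver")
        else:
            report["excepted"].append(cid)
    for cid in sorted(by_control, key=_numeric_key):
        if scan.get(cid, False):
            report["findings"].append(f"{cid}: stale exception, control is now enforced")
    return report


def coverage(benchmark: Dict[str, str], report: Dict[str, List[str]]) -> float:
    """Fraction of benchmark controls that are enforced or properly excepted."""
    covered = len(report["applied"]) + len(report["excepted"])
    return covered / len(benchmark)


if __name__ == "__main__":
    result = reconcile(BENCHMARK, SCAN_RESULTS, EXCEPTIONS)
    for bucket in ("applied", "excepted", "findings"):
        print(f"{bucket}:")
        for line in result[bucket]:
            print(f"  {line}")
    print(f"coverage: {coverage(BENCHMARK, result):.0%}")
```

Run as-is, the constructed data yields two applied controls, one accepted exception (1.1, which has both an approver and compensating controls) and two findings: 2.2, which nobody documented, and 3.1, whose exception names no compensating control. Separating "excepted" from "findings" is what turns the exercise Jessica describes into something an auditor can accept instead of a list of failed checks.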