Educause Security Discussion mailing list archives

Re: System Hardening Standards


From: Eric Lukens <eric.lukens () UNI EDU>
Date: Tue, 15 Nov 2016 14:32:17 -0600

Indeed, if every machine had to follow the rules exactly, many software
packages would not function, especially those made by Oracle.

Microsoft in their Security Compliance Manager baselines for Windows 10
have been removing what they see as unnecessary, legacy, or default
settings since auditors have had a tendency to require that *all* settings
be enforced. So sadly, rather than fixing the process, they've had to
resort to molding the security standard to work around over-zealous
auditors. See
https://blogs.technet.microsoft.com/secguide/2015/11/18/changes-from-the-windows-8-1-baseline-to-the-windows-10-th11507-baseline/
for the full details on the Microsoft SCM changes. (Keep in mind this was
their preview, there are mistakes in some of the settings there that they
had to change or revert.)

We use the SCM for our Windows baselines and CIS for Linux. I still consult
the CIS guide for Windows to see if there are settings I want to add, and
there's some of my own stuff in there as well, so our baseline does go
"above and beyond" the Microsoft SCM defaults.

-Eric

On Tue, Nov 15, 2016 at 2:32 AM, Valdis Kletnieks <Valdis.Kletnieks () vt edu> wrote:

On Mon, 14 Nov 2016 12:44:43 -0800, Jessica Odom said:

We use CIS (https://benchmarks.cisecurity.org/downloads/#free) and tweak to our environment. They provide a nice checklist and the technical detail of how to perform the control, which is helpful since their standards are very comprehensive. We definitely cannot do everything they recommend and we annotate that in our documentation, but it serves as a useful learning exercise. --Jess

Speaking as one of the unindicted co-conspirators who started the benchmarks, there was never any intent that every system apply every single control listed.

You should apply all those controls that don't break the particular machine's reason for existence - and then document the ones you weren't able to turn off, and apply compensating controls (for instance, firewall/iptable rulesets that restrict access to only machines that need it, or additional logging/alert systems set up, possibly SNORT rulesets, etc etc).




-- 
============================================================
Eric C. Lukens       IT Security Compliance & Policy Analyst
Information Security           Innov Teaching & Tech Ctr 107
University of Northern Iowa       Cedar Falls, IA 50614-0301
(319) 273-7434                   http://www.uni.edu/elukens/
============================================================
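The workflow described in this thread (apply every baseline control that does not break the machine's reason for existence, annotate the ones you cannot apply, and back each exception with a compensating control) is easy to state and easy to let drift. The script below is an added example, not part of the thread and not a CIS or Microsoft SCM tool: it reconciles a baseline against one host's scan results and an exceptions register and flags the cases an auditor would ask about. The control ids, the host name "nfs01", the scan results and the exception entries are all constructed for illustration; real baselines and scanners would feed these structures from their own output.

```python
"""Reconcile a hardening baseline with per-host scan results and an exceptions register.

Constructed example: control ids only mimic CIS-style numbering, and the host,
scan results and exceptions are invented to illustrate the workflow.
"""
from dataclasses import dataclass
from datetime import date

# Constructed baseline: control id -> control title.
BASELINE = {
    "1.1.1": "Ensure mounting of cramfs filesystems is disabled",
    "2.2.7": "Ensure NFS server is not enabled",
    "3.4.1": "Ensure a firewall package is installed",
    "4.1.1": "Ensure auditing is enabled",
    "5.2.8": "Ensure SSH root login is disabled",
    "5.4.1": "Ensure password expiration is 365 days or less",
}

# Constructed scan results for the hypothetical host "nfs01": control id -> compliant?
# A control missing from this mapping was never assessed (4.1.1 below).
SCAN_RESULTS = {
    "1.1.1": True,
    "2.2.7": False,   # the host exists to serve NFS, so this control cannot apply
    "3.4.1": True,
    "5.2.8": False,   # nobody has documented why this is off
    "5.4.1": False,
}

# Constructed exceptions register, one entry per (host, control).
EXCEPTIONS = [
    {
        "control": "2.2.7", "host": "nfs01",
        "justification": "Departmental NFS server; serving NFS is its reason for existence.",
        "compensating": ["iptables limits 2049/tcp and 111/tcp to the lab subnet",
                         "NFS access logs forwarded to the central log server"],
        "expires": date(2017, 11, 15),
    },
    {   # stale: the control now passes, so the exception should be retired
        "control": "3.4.1", "host": "nfs01",
        "justification": "Firewall package was unavailable on the old image.",
        "compensating": ["Upstream ACL on the building router"],
        "expires": date(2017, 3, 1),
    },
    {   # weak: no compensating control, and the review date has passed
        "control": "5.4.1", "host": "nfs01",
        "justification": "Service account passwords are vaulted and rotated by the vault.",
        "compensating": [],
        "expires": date(2016, 6, 30),
    },
]

AUDIT_DATE = date(2016, 11, 15)   # constructed audit date


@dataclass(frozen=True)
class Finding:
    control: str
    level: str       # "FAIL", "WARN" or "INFO"
    message: str


def reconcile(baseline, results, exceptions, host, today):
    """Return the findings an auditor should act on for one host.

    A failed control is acceptable only when a current exception for this host
    carries a justification and at least one compensating control.
    """
    findings = []
    by_control = {e["control"]: e for e in exceptions if e["host"] == host}

    for control, title in sorted(baseline.items()):
        exc = by_control.get(control)
        if control not in results:
            findings.append(Finding(control, "FAIL", f"not assessed: {title}"))
        elif results[control]:
            if exc is not None:
                findings.append(Finding(control, "INFO", "control passes; exception can be retired"))
        elif exc is None:
            findings.append(Finding(control, "FAIL", f"failed without documented exception: {title}"))
        else:
            if not exc.get("justification"):
                findings.append(Finding(control, "FAIL", "exception lacks a justification"))
            if not exc.get("compensating"):
                findings.append(Finding(control, "WARN", "exception has no compensating control"))
            if exc["expires"] < today:
                findings.append(Finding(control, "WARN",
                                        f"exception expired {exc['expires'].isoformat()}; re-review"))
    return findings


def summarize(findings):
    """Count findings per level so a report can show FAIL/WARN/INFO totals."""
    counts = {"FAIL": 0, "WARN": 0, "INFO": 0}
    for f in findings:
        counts[f.level] += 1
    return counts


def example_findings():
    """Run the reconciliation over the constructed data for host nfs01."""
    return reconcile(BASELINE, SCAN_RESULTS, EXCEPTIONS, "nfs01", AUDIT_DATE)


if __name__ == "__main__":
    findings = example_findings()
    for f in findings:
        print(f"[{f.level}] {f.control}: {f.message}")
    print(summarize(findings))
```

Run against the constructed data, the properly documented NFS exception (2.2.7) produces no finding at all, which is the point: a baseline deviation with a justification and compensating controls is a documented design decision, not an audit failure. The noise comes from the undocumented SSH root login, the control that was never assessed, and the expired exception with nothing compensating for it. Feeding the register with an expiry date forces the periodic re-review that Valdis's "document the ones you weren't able to turn off" implies.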
