Penetration Testing mailing list archives
Re: DISA Security Readiness Review Evaluation Scripts
From: Toby Bearden <tbearden () comcast net>
Date: Fri, 25 Nov 2005 07:56:50 -0600
The DISA stigs are very comprehensive. The only thing you have to be careful about is going to far. I have used the os, database, and web server stigs a lot, and the best way to do it the first time you try is to incrementally apply the changes, then test the server and make sure it still has the functionality you require. If you apply everything and then try to work your way back, you are doomed. The first time I did it, I would apply about 5-10 changes, test functionality, if it worked, take a ghost image, and apply 5-10 more changes. That way you can easily drop back to a working point.
Also, you need to really understand what you are doing with regards to permissions and user rights if you are going to follow the stig. Otherwise you will make changes that will block out functionality you need, and it may be difficult to work backwards. Definitely try it a few times on a non-production server first. Also, depending on the environment(NT domain, AD, etc...) there are a couple of known gotcha's with the protocols.
Good Luck, Toby On Nov 24, 2005, at 2:19 AM, hannibal blog wrote:
Hello did anyone try the publicly available disa SRR availble at http://iase.disa.mil/stigs/SRR/ what is the diference between the publicly available ones and those reserved to .mil ? What do u think about using them to audit a customer win 2k server ?---------------------------------------------------------------------- --------Audit your website security with Acunetix Web Vulnerability Scanner:Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831---------------------------------------------------------------------- ---------
------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- DISA Security Readiness Review Evaluation Scripts hannibal blog (Nov 24)
- Re: DISA Security Readiness Review Evaluation Scripts Toby Bearden (Nov 25)
- <Possible follow-ups>
- RE: DISA Security Readiness Review Evaluation Scripts Smith, Michael J. (Nov 25)
- RE: DISA Security Readiness Review Evaluation Scripts techlists (Nov 25)
- RE: DISA Security Readiness Review Evaluation Scripts Matt (Nov 27)