Security Basics mailing list archives

Re: Security Standards


From: "Cornwell, Kay (NIH/NIGMS) [E]" <CornwelK () nigms nih gov>
Date: Thu, 7 Jan 2010 19:45:35 -0500

NIST has a repository of checklists - they come from CIS, NSA, DISA, and vendors (Microsoft, Red Hat, etc.).

The National Vulnerability Database (NVD) National Checklist Program repository is the first place to start.

They point you to the source for the checklist; they don't maintain the checklist themselves.

http://web.nvd.nist.gov/view/ncp/repository





You can search based on Authority (i.e., see all DISA checklists, all CIS checklists), or product categories (firewall,
email servers), or Target Product (Windows 2008, Mac OS X 10.5).



For Windows Server 2008 there are two - DISA has a comprehensive checklist, updated in Dec, and Microsoft has their
Security Guide.


The Windows Security guide listed is actually an older version - this one uses a static spreadsheet to list local 
Template settings and it contains an appendix which explains them in a prose format (easier to look at for your first 
run through the document, I think).



There is an updated version which has dropped the appendix and has a smarter spreadsheet for template policy (See 
Security Compliance Mgmt Toolkit below)





Defense Information Systems Agency  06/25/2009

Windows Server 2008 Security Checklist (Version 6, Release 1.6)
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=228
Prose http://web.nvd.nist.gov/view/ncp/repository/checklist/download?id=232



Microsoft Windows Server 2008

Microsoft Corporation  02/01/2008

Windows Server 2008 Security Guide (Microsoft-Produced) (1.0)
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=264
Prose http://web.nvd.nist.gov/view/ncp/repository/checklist/download?id=138


For Microsoft you'll want to download the Security Compliance Management Toolkit. It contains the updated 2008 security
guidance and Windows 7 along with IE 8 and Office 2007 tools (or you can download them separately).

http://technet.microsoft.com/en-us/library/cc677002.aspx


With these two, I'd be surprised to see anyone else do a checklist for 2008

Kay Cornwell, MS
GSEC, GSLC, GSNA
NIH











-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of John Morrison
Sent: Thursday, January 07, 2010 2:27 PM
To: Youngquist, Jason R.
Cc: security-basics () securityfocus com
Subject: Re: Security Standards



It looks like you are the leader in this field. Not even MS has any
information about this. You could start with the Windows Server 2003
and Windows Vista guides and create your own check lists to
distribute. It seems that nobody else with a business that relies on
card transactions is as brave as you and has not got to the point of
deploying these new technologies.



2010/1/7 Youngquist, Jason R. <jryoungquist () ccis edu>:

I've looked at both the NSA and Center for Internet Security sites and they don't have any checklists for Windows Server 2008 and Windows 7.  Thoughts on where to find checklists for these two operating systems?



Thanks.

Jason Youngquist
