Lab #2: Executive Summary
Windows hardening defense starts with the basics: log in with the least amount of privilege. Always use a firewall and AV. Monitor channels for security advisories and alerts. Know your system(s). Patch early and patch often; unpatched systems are the lowest of low-hanging fruit. Have a patch policy documented and stick with it. Review patches as they are released and determine criticality based on the exploit, the threat footprint for your system(s), and whether or not there is a POC or fully weaponized exploit in the wild. When possible, test patches before rolling them out to production servers. Most clients should have automatic updates enabled for the OS and for any application that listens on a socket or handles untrusted data (Java, Adobe, browsers, etc.). Servers should be updated during maintenance windows if possible, depending on the criticality of the threat and of the server.
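The following read-only audit script is an added example, not part of the lab write-up; it reports on the baseline controls listed above (least-privilege session, firewall, AV, automatic updates, patch age, and which processes are listening on a socket) so the state of a host can be checked before hardening it. It assumes Windows 10/11 or Server 2016+ with the built-in NetSecurity and Defender PowerShell modules present, and the three-day signature-age threshold is an assumption of this example, not a value from the summary.

```powershell
# Added baseline audit (not part of the lab write-up). Read-only; changes nothing.
# Assumes Windows 10/11 or Server 2016+ with the NetSecurity and Defender modules.

function Test-LeastPrivilegeSession {
    # True when the current session is NOT running with an administrator token,
    # i.e. the "log in with least privilege" rule is being followed.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    -not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-FirewallProfileState {
    # One row per profile (Domain/Private/Public); all three should be Enabled
    # with a default inbound action of Block.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-AntivirusState {
    # Defender status: real-time protection on and signatures not stale.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        SignaturesCurrent  = ($s.AntivirusSignatureAge -le 3)   # 3-day threshold is this example's assumption
    }
}

function Get-AutomaticUpdatePolicy {
    # Reads the Windows Update policy key. NoAutoUpdate = 1 means automatic
    # updates are disabled by policy; AUOptions = 4 means auto download and install.
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (Test-Path $au) {
        $p = Get-ItemProperty -Path $au
        [pscustomobject]@{ PolicyPresent = $true;  NoAutoUpdate = $p.NoAutoUpdate; AUOptions = $p.AUOptions }
    } else {
        [pscustomobject]@{ PolicyPresent = $false; NoAutoUpdate = $null;          AUOptions = $null }
    }
}

function Get-PatchAgeDays {
    # Days since the most recent hotfix was installed; a large number on an
    # exposed host is the "low-hanging fruit" the summary warns about.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
}

function Get-ListeningProcesses {
    # Processes holding a listening TCP socket: these are the applications the
    # summary says must be kept on automatic updates.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $proc.ProcessName }
    } | Sort-Object Port -Unique
}

"Least-privilege session : $(Test-LeastPrivilegeSession)"
Get-FirewallProfileState | Format-Table -AutoSize
Get-AntivirusState       | Format-List
Get-AutomaticUpdatePolicy | Format-List
"Days since last hotfix  : $(Get-PatchAgeDays)"
Get-ListeningProcesses   | Format-Table -AutoSize
```

None of these cmdlets require an elevated prompt, so the script can be run from the ordinary user session it is meant to assess; a result of False from Test-LeastPrivilegeSession means day-to-day work is being done with an administrator token.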
A Security Technical Implementation Guide (STIG) is a compendium of DoD policies, security regulations, and best practices for securing an IA or IA-enabled device (operating system, network, application software, etc.); in short, a guide for information security. STIGs are mandated in DODD 8500.1 and DODI 8500.2 and endorsed by CJCSI 6510.01, AR 25-2, and AFI 33-202. The goals of a STIG are to provide intrusion avoidance, intrusion detection, security implementation guidance, and response and recovery.
DISA STIGs offer configuration guides and checklists for databases, operating systems, web servers, etc., and also provide standard "findings" with impact ratings of CAT I, CAT II, and CAT III. The ASD STIG (first draft November 2006; first release July 2008) contains 129 requirements covering program management, design and development, software configuration management, testing, and deployment. It applies to "all DoD developed, architected, and administered applications and systems connected to DoD networks", essentially anything plugged into DoD. Requirements can be extremely broad: APP3510: The Designer
Citations: http://www.disa.mil/ and http://iase.disa.mil/stigs/index.html#