System Security Auditing/Monitoring Tools


US DOD STIGs

The U.S. Department of Defense has a wide range of documents known as the "STIGs" — Security Technical Implementation Guides. These describe US DOD's view of best practices. Get them here: http://iase.disa.mil/stigs/stig/

If you're in US DOD or a contractor to it, you will be regularly audited. If you convince the auditor that you're following the STIG, the audit will succeed quickly. If you don't follow a STIG item, that may be acceptable as long as you can explain why you are deviating from it and what you are doing instead to provide the needed security in that area.

If you are not connected to DOD, then the STIGs may seem somewhat paranoid and of little interest. But they do provide a good starting point for your policy. At the very least, they provide an organized set of concerns to be addressed in your policy.

If you are in US DOD or are a contractor, DISA will give you their "Gold Disk" and its SRR (System Requirements Review) checklist, along with the associated scripts that you can run to automate the process. However, unless you are part of DOD or one of its contractors, you cannot download the SRR scripts. You can certainly use Google to locate what claim to be the SRR scripts for your operating system, but you can't tell whether they are the real ones.


Vulnerability Scanners

See the vulnerability scanners listed on my network security auditing page.


UNIX System Security Auditing Tools

TARA, the Tiger Analytical Research Assistant, is an automated system administrator's assistant.

COPS has been a standard auditing tool, although it's getting awfully old.

Titan automatically changes your system configuration to increase security, possibly breaking some functionality.

Bastille takes you through a series of questions, educating you along the way, possibly making configuration changes to increase security.


Windows running inside the QEMU emulator on an OpenBSD desktop.

Windows System Security Auditing Tools

There used to be a number of these types of tools, but they have disappeared. The Windows Security Configuration and Analysis Snap-In is one of the few tools available.

Windows Server 2003 has a Security Configuration Wizard.


Password Cracking Tools

Password cracking tools have clever rules implementing what users once thought were really keen ways to build passwords. Assume your threats have Crack, with the most up-to-date Crack rule sets, dictionaries of terms specific to your organization (e.g., phone directory, list of project and product names, building names, etc.), and possibly huge dictionaries in several languages.

Click here for everything you would want to know about passwords on Unix, MacOS, and Windows — how they work, how they're stored, and how to break them! That section got to be awfully big, so it's in its own two-page document.


More tool FTP sites:

My how-to-secure-Linux-and-BSD page is at: http://www.cromwell-intl.com/security/linux-hardening.html


© Bob Cromwell Feb 2012. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.