Standards and guidelines for system hardening


Standards and guidelines for system hardening

Is there a published standard or guideline for system hardening? ISO, ANSI, NIST, etc.?

Security expert Mike Rothman:
In fact there are two. A few years ago, an independent non-profit called the Center for Internet Security was founded to help

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

evangelize the need for secure configurations and define a series of benchmarks that would provide information (mostly free of charge) to practitioners on how to harden specific systems.

CIS uses a consensus model: a working group establishes best practices on how to harden specific systems and then takes feedback from many other constituents to define a set of recommendations. At last count there were more than 30 different products that have incorporated CIS benchmarks, including all the Windows OS versions, Red Hat Linux 5 (for RHEL 5), Mac OS X 10.5 (Leopard), Solaris 10, HP-UX, Oracle Database 9i/10g, Exchange Server 2007, several Cisco IOS routers, and many others.

The U.S. government also has an initiative to establish hardening guidance for certain systems. The Federal Desktop Core Configuration (FDCC) establishes the baseline for U.S. government desktops.

Many of the leading vulnerability-scanning products already support both CIS and FDCC. So it's possible to scan devices with these tools to pinpoint gaps in their configuration, right out of the box.

This was first published in July 2008

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.