Q

Is there a published standard or guideline for system hardening?

When hardening a system, what specific standards or guidelines should information security pros adhere to? Security management expert Mike Rothman explains.

Is there a published standard or guideline for system hardening? ISO, ANSI, NIST, etc.?

In fact there are two. A few years ago, an independent non-profit called the Center for Internet Security was founded to help evangelize the need for secure configurations and define a series of benchmarks that would provide information (mostly free of charge) to practitioners on how to harden specific systems.

CIS uses a consensus model: a working group establishes best practices on how to harden specific systems and then takes feedback from many other constituents to define a set of recommendations. At last count there were more than 30 different products that have incorporated CIS benchmarks, including all the Windows OS versions, Red Hat Linux 5 (for RHEL 5), Mac OS X 10.5 (Leopard), Solaris 10, HP-UX, Oracle Database 9i/10g, Exchange Server 2007, several Cisco IOS routers, and many others.

The U.S. government also has an initiative to establish hardening guidance for certain systems. The Federal Desktop Core Configuration (FDCC) establishes the baseline for U.S. government desktops.

Many of the leading vulnerability-scanning products already support both CIS and FDCC. So it's possible to scan devices with these tools to pinpoint gaps in their configuration, right out of the box.

More on this topic

This was first published in July 2008

Dig deeper on Information Security Policies, Procedures and Guidelines

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close