Windows hardening defense starts with the basics: log in with the least amount of privileges, always use a firewall and AV, monitor channels for security advisories and alerts, and know your system(s). Patch early and patch often; unpatched systems are the lowest of low-hanging fruit. Have a patch policy documented and stick with it. Review patches as they are released and determine criticality based on the exploit, the threat footprint for your system(s), and whether or not there is a POC or fully weaponized exploit in the wild. When possible, test patches before rolling them out to production servers. Most clients should have automatic updates enabled for the OS and for any application that listens on a socket or handles untrusted data (Java, Adobe, browsers, etc.). Servers should be updated during maintenance windows if possible, depending on the criticality of both the threat and the server.
A Security Technical Implementation Guide (STIG) is a compendium of DoD policies, security regulations and best practices for securing an IA or IA-enabled device (operating system, network, application software, etc.); in short, a guide for information security. STIGs are mandated in DODD 8500.1 and DODI 8500.2 and endorsed by CJCSI 6510.01, AR 25-2, and AFI 33-202. The goals of a STIG are to provide intrusion avoidance, intrusion detection, security implementation guidance, and response and recovery. DISA STIGs offer configuration guides and checklists for databases, operating systems, web servers, etc., and also provide standard “findings” with impact ratings CAT I, CAT II, and CAT III. The ASD STIG had its first draft in November 2006 and its first release in July 2008; its 129 requirements cover program management, design and development, software configuration management, testing, and deployment. The ASD STIG applies to “all DoD developed, architected, and administered applications and systems connected to DoD networks”.
Essentially anything plugged into DoD. Requirements can be extremely broad: APP3510: The Designer will ensure the application validates all user input. APP3540: The Designer will ensure the application is not vulnerable to SQL injection. Requirements can be extremely specific: APP3390: The Designer will ensure user accounts are locked after three consecutive unsuccessful logon attempts within one hour. Requirements can be esoteric: APP3150: The Designer will ensure the application uses FIPS 140-2 validated cryptographic modules to implement encryption, key exchange, digital signature, and hash functionality. Requirements can be expensive: APP2120: The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis. Exploiting known vulnerabilities: with pentest tools (Nessus, Metasploit, etc.) it is very easy to discover whether a server is vulnerable. Querying SNMP reveals server uptime (for Windows it is OID 188.8.131.52.184.108.40.206.0), and critical always-on systems may not have been rebooted for months or years.
It is easy to back-date in a vulnerability database, see which patches require a reboot, and know for certain that they aren’t properly applied. If you have an account on the server you can use “net statistics server” or “net statistics workstation” to determine uptime. Security Compliance Manager is the framework used for stripping, hardening, and compliance purposes. Use it to make a gold/master image for mass distribution or for individual stand-alone machines. Explicit guides are defined for hardening the registry and other file system settings, with templates for OS, roles, features, and applications. With System Center 2012 you can apply industry-standard compliance templates for PCI, FISMA, ISO, HIPAA, etc.
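The uptime-versus-patch check described above, written out as a defender-side audit script; this is an added example, not code from the original page, and it assumes a local elevated PowerShell session where Get-CimInstance, Get-HotFix and the standard Windows Update and CBS reboot-pending registry keys are available.

```powershell
# Added example: flag patches that were installed after the last boot, i.e.
# updates that cannot be effective yet because the required reboot never
# happened, and report the reboot-pending markers Windows itself sets.

function Get-LastBootTime {
    (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
}

function Get-PendingRebootIndicators {
    # Well-known keys created by Windows Update and Component Based Servicing
    # while a reboot is outstanding; their presence alone is the signal.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $keys | Where-Object { Test-Path $_ }
}

function Get-PatchesNewerThanBoot {
    param([datetime]$LastBoot)
    # InstalledOn has date granularity only, so a patch applied later on the
    # boot day is not caught here; the registry markers above cover that case.
    # Entries without an InstalledOn date are unknown, not safe, so keep them visible.
    Get-HotFix | Where-Object { -not $_.InstalledOn -or $_.InstalledOn -gt $LastBoot } |
        Select-Object HotFixID, Description, InstalledOn
}

$lastBoot = Get-LastBootTime
$uptime   = (Get-Date) - $lastBoot
$stale    = Get-PatchesNewerThanBoot -LastBoot $lastBoot
$pending  = Get-PendingRebootIndicators

"Last boot: $lastBoot (uptime {0:N1} days)" -f $uptime.TotalDays
if ($uptime.TotalDays -gt 30) {
    "WARNING: uptime exceeds 30 days; any reboot-dependent patch in that window is suspect."
}
if ($stale) {
    "Patches installed after the last boot or with no recorded install date:"
    $stale | Format-Table -AutoSize
}
if ($pending) { "Reboot-pending markers present:"; $pending }
if (-not $stale -and -not $pending) { "No reboot-dependent patches outstanding." }
```

The 30-day threshold is an arbitrary constructed value; align it with the maintenance-window cadence in your own patch policy.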
The STIGs and NSA guides are the configuration standards for DoD IA and IA-enabled devices and systems. STIGs are lists of all controls and the values they must have in order to be compliant. There is an ongoing migration to NIST’s SCAP (Security Content Automation Protocol) to automate compliance monitoring; newer auditing tools already have SCAP integration in place. The DISA FSO Gold Disk was used for automated auditing of older systems (W2k8R1 and Vista are the last supported). Citations: http://www.disa.mil/ and http://iase.disa.mil/stigs/index.html#