Thursday, June 6, 2019

Windows Hardening Defense Essay Example for Free

Windows hardening defense starts with the basics: log in with the least amount of privileges. Always use a firewall and AV. Monitor channels for security advisories and alerts. Know your system(s). Patch early and patch often; unpatched systems are the lowest of low-hanging fruit. Have a patch policy documented and stick with it. Review patches as they are released and determine criticality based on the impact, the threat footprint for your system(s), and whether or not there is a POC or fully weaponized exploit in the wild. When possible, test patches before rolling them out in production on hosts. Most clients should have automatic updates enabled for the OS and any application listening on a socket or used with untrusted data (Java, Adobe, browsers, etc.). Servers should be updated during maintenance windows if possible, depending on criticality (of threat and server).

A Security Technical Implementation Guide (STIG) is a compendium of DoD policies, security regulations and best practices for securing an IA or IA-enabled device (operating system, network, application software, etc.): a guide for information security. Mandated in DODD 8500.1 and DODI 8500.2, and endorsed by CJCSI 6510.01, AR 25-2, and AFI 33-202. The goals of STIGs are to provide intrusion avoidance, intrusion detection, security implementation guidance, and response and recovery. DISA STIGs offer configuration guides and checklists for databases, operating systems, web servers, etc., and also provide standard findings and impact ratings: CAT I, CAT II, CAT III. First draft November 2006; first release July 2008. 129 requirements covering Program Management, Design and Development, Software Configuration Management, Testing and Deployment. The ASD STIG applies to all DoD developed, architected, and administered applications and systems connected to DoD networks. Basically, anything plugged into DoD.
Requirements can be extremely broad: APP3510, "The Designer will ensure the application validates all user input." APP3540, "The Designer will ensure the application is not vulnerable to SQL Injection." Requirements can be extremely specific: APP3390, "The Designer will ensure users accounts are locked after three consecutive unsuccessful logon attempts within one hour." Requirements can be esoteric: APP3150, "The Designer will ensure the application uses FIPS 140-2 validated cryptographic modules to implement encryption, key exchange, digital signature, and hash functionality." Requirements can be expensive: APP2120, "The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis."

Exploiting known vulnerabilities: with pentest apps (Nessus, Metasploit, etc.) it is very easy to discover if a server is vulnerable. SNMP hacking can reveal server uptime (for Windows it is OID 1.3.6.1.2.1.1.3.0); critical always-on systems may not have been rebooted for months or years. It is easy to back-date in a vulnerability database, see which patches require a reboot, and know for certain they aren't properly applied. If you have an account on the server you can use net statistics server or net statistics workstation to determine uptime.

Security Compliance Manager is the framework used for stripping, hardening, and compliance purposes. Use this to create a Gold/Master image for mass distribution or for individual stand-alone machines. Explicit guides are defined for hardening the registry and some other file system settings. There are templates for OS, roles, features, and applications. With System Center 2012 you can apply industry standard compliance templates for PCI, FISMA, ISO, HIPAA, etc.

The STIGs and NSA Guides are the configuration standards for DoD IA and IA-enabled devices/systems. STIGs are lists of all controls and what their values must be in order to be compliant.
In the process of migrating to NIST's SCAP (Security Content Automation Protocol) to automate compliance monitoring. Newer auditing tools have SCAP integration already in place. DISA FSO Gold Disk was used for older systems (W2k8R1 and Vista are the last supported) for automated auditing.

Citations: http://www.disa.mil/ and http://iase.disa.mil/stigs/index.html
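The uptime reasoning described above (SNMP sysUpTime compared against patches that need a reboot) can be run as an audit of your own fleet. This is an added Python example, not part of the original essay; the host names, patch ids, dates and record layout are constructed placeholders, and the sysUpTime values are assumed to come from your own monitoring.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 100   # SNMP TimeTicks are hundredths of a second
WRAP_TICKS = 2 ** 32     # unsigned 32-bit counter, wraps after about 497 days

def latest_possible_boot(sys_uptime_ticks, polled_at):
    """Boot time implied by sysUpTime (OID 1.3.6.1.2.1.1.3.0).

    The counter may have wrapped, and it restarts with the SNMP agent,
    so the real boot can be earlier than this value but never later.
    """
    if not 0 <= sys_uptime_ticks < WRAP_TICKS:
        raise ValueError("sysUpTime must fit in unsigned 32-bit TimeTicks")
    return polled_at - timedelta(seconds=sys_uptime_ticks / TICKS_PER_SECOND)

def patches_awaiting_reboot(sys_uptime_ticks, polled_at, patches):
    """Ids of reboot-required patches installed after the latest possible boot."""
    booted = latest_possible_boot(sys_uptime_ticks, polled_at)
    return sorted(p["id"] for p in patches
                  if p["reboot_required"] and p["installed_at"] > booted)

def audit(hosts, polled_at):
    """Map host name -> pending patch ids, omitting hosts with none."""
    report = {}
    for name, host in hosts.items():
        pending = patches_awaiting_reboot(host["ticks"], polled_at, host["patches"])
        if pending:
            report[name] = pending
    return report

# Constructed sample data: every name, id and date below is a placeholder.
UTC = timezone.utc
POLLED_AT = datetime(2019, 6, 6, 12, 0, tzinfo=UTC)
DAY_TICKS = 24 * 3600 * TICKS_PER_SECOND
HOSTS = {
    "srv-always-on": {"ticks": 200 * DAY_TICKS, "patches": [
        {"id": "PATCH-A", "installed_at": datetime(2019, 5, 15, tzinfo=UTC), "reboot_required": True},
        {"id": "PATCH-B", "installed_at": datetime(2019, 4, 10, tzinfo=UTC), "reboot_required": False},
        {"id": "PATCH-C", "installed_at": datetime(2018, 10, 1, tzinfo=UTC), "reboot_required": True},
    ]},
    "srv-maintained": {"ticks": 3 * DAY_TICKS, "patches": [
        {"id": "PATCH-A", "installed_at": datetime(2019, 6, 2, tzinfo=UTC), "reboot_required": True},
    ]},
}

if __name__ == "__main__":
    for host, pending in audit(HOSTS, POLLED_AT).items():
        print(host, "has patches that are not active until reboot:", pending)
```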
