Saturday, April 6, 2019

Windows Hardening Defense Essay Example for Free

Windows hardening defense starts with the basics. Log in with the least amount of privileges. Always use a firewall and AV. Monitor channels for security advisories and alerts. Know your system(s).

Patch early and patch often; unpatched systems are the lowest of low-hanging fruit. Have a patch policy documented and stick with it. Review patches as they are released and determine criticality based on the exploit, the threat footprint for your system(s), and whether or not there is a POC or fully weaponized exploit in the wild. When possible, test patches before rolling them out in production on servers. Most clients should have automatic updates enabled for the OS and for any application listening on a socket or used with untrusted data (Java, Adobe, browsers, etc.). Servers should be updated during maintenance windows if possible, depending on criticality (of threat and server).

A Security Technical Implementation Guide (STIG) is a compendium of DoD policies, security regulations and best practices for securing an IA or IA-enabled device (operating system, network, application software, etc.); a guide for information security. Mandated in DODD 8500.1, DODI 8500.2 and endorsed by CJCSI 6510.01, AR 25-2, and AFI 33-202. The goals of a STIG are to provide intrusion avoidance, intrusion detection, security implementation guidance, and response and recovery. DISA STIGs offer configuration guides and checklists for databases, operating systems, web servers, etc. They also provide standard findings and impact ratings: CAT I, CAT II, CAT III.

First draft November 2006, first release July 2008. 129 requirements covering program management, design and development, software configuration management, testing and deployment. The ASD STIG applies to all DoD developed, architected, and administered applications and systems connected to DoD networks. Essentially anything plugged into DoD.
Requirements can be extremely broad. APP3510: The Designer will ensure the application validates all user input. APP3540: The Designer will ensure the application is not vulnerable to SQL Injection.

Requirements can be extremely specific. APP3390: The Designer will ensure users' accounts are locked after three consecutive unsuccessful logon attempts within one hour.

Requirements can be esoteric. APP3150: The Designer will ensure the application uses FIPS 140-2 validated cryptographic modules to implement encryption, key exchange, digital signature, and hash functionality.

Requirements can be expensive. APP2120: The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis.

Exploiting known vulnerabilities: with pentest apps (Nessus, Metasploit, etc.) it is very easy to discover if a server is vulnerable. SNMP hacking can reveal server uptime (for Windows it is OID 1.3.6.1.2.1.1.3.0); critical always-on systems may not have been rebooted for months or years. It is then easy to back-date in a vulnerability database, see which patches require a reboot, and know for certain they aren't properly applied. If you have an account on the server you can use net statistics server or net statistics workstation to determine uptime.

Security Compliance Manager is the framework used for stripping, hardening, and compliance purposes. Use it to make a Gold/Master image for mass distribution or for individual stand-alone machines. Explicit guides are defined for the registry and other file system settings. There are templates for OS, roles, features, and applications. With System Center 2012 you can apply industry-standard compliance templates for PCI, FISMA, ISO, HIPAA, etc.

The STIGs and NSA Guides are the configuration standards for DoD IA and IA-enabled devices/systems. STIGs are lists of all controls and what their values must be in order to be compliant.
In the process of migrating to NIST's SCAP (Security Content Automation Protocol) to automate compliance monitoring. Newer auditing tools have SCAP integration already in place. DISA FSO Gold Disk was used for older systems (W2k8R1 and setting are last supported) for automated auditing.

Citations: http://www.disa.mil/ and http://iase.disa.mil/stigs/index.html
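
The uptime observation above (SNMP sysUpTime or net statistics) works just as well as a defender's audit. The following is an added example, not part of the original essay: it derives a host's last boot time from either source and lists reboot-required patches installed since then, which are on disk but not in effect. The host name, patch ids, timestamps and the en-US date format are constructed assumptions.

```python
from datetime import datetime, timedelta

def boot_time_from_sysuptime(ticks, polled_at):
    """sysUpTime (OID 1.3.6.1.2.1.1.3.0) is in TimeTicks, i.e. hundredths of
    a second. It is a 32-bit counter, so it wraps after about 497 days."""
    return polled_at - timedelta(seconds=ticks / 100)

def boot_time_from_net_statistics(output, fmt="%m/%d/%Y %I:%M:%S %p"):
    """Parse the 'Statistics since' line of `net statistics workstation`.
    Assumes en-US date formatting; the line shows when the service started,
    which approximates the last boot."""
    marker = "statistics since"
    for line in output.splitlines():
        text = line.strip()
        if text.lower().startswith(marker):
            return datetime.strptime(text[len(marker):].strip(), fmt)
    raise ValueError("no 'Statistics since' line found")

def patches_awaiting_reboot(patches, last_boot):
    """Reboot-required patches installed after the last boot are on disk
    but not yet in effect."""
    return [p["id"] for p in patches
            if p["reboot_required"] and p["installed"] > last_boot]

# Constructed sample data: host name, timestamps and patch ids are placeholders.
SAMPLE_NET_STATS = r"""Workstation Statistics for \\HOST-EXAMPLE

Statistics since 1/6/2019 12:00:05 PM

  Bytes received                               123456
"""
SAMPLE_PATCHES = [
    {"id": "KB-PLACEHOLDER-A", "installed": datetime(2018, 12, 12), "reboot_required": True},
    {"id": "KB-PLACEHOLDER-B", "installed": datetime(2019, 2, 13), "reboot_required": True},
    {"id": "KB-PLACEHOLDER-C", "installed": datetime(2019, 3, 13), "reboot_required": False},
]

if __name__ == "__main__":
    boot = boot_time_from_net_statistics(SAMPLE_NET_STATS)
    print("last boot:", boot)
    print("awaiting reboot:", patches_awaiting_reboot(SAMPLE_PATCHES, boot))
```

Any host that shows up in this list needs a maintenance-window reboot before its patch status can be reported as compliant.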
