Security Basics
STIG Implementation Jul 31 2012 09:59PM
JNMiller1978 Gmail com (2 replies)
Re: STIG Implementation Aug 16 2012 06:56PM
Rob Riggins (rigtenzin gmail com) (1 replies)
RE: STIG Implementation Aug 17 2012 01:54PM
Keith Kooyman (keith kooyman tstc edu) (1 replies)
I have used Gold Disk a number of times. It is a good process to use for
analysis, but be very careful of using it to automatically harden a server.
You have a very high likelihood of hosing the server, requiring a
reinstall. When a person is green, there's a big tendency to automate
server hardening as much as possible, but experience teaches a person that
automation can only do so much. One can automate a semi-hardened template
that generically takes a first pass at security, but from then on a wise
person takes the controls and manually steers through the minefield of
server hardening. I have found that this process typically takes multiple
passes through the hardening process, testing after each pass, to ensure
the server is ready for prime time. Even then, a wise professional will
closely monitor and test the first few weeks of production to ensure
nothing was missed. It's tedious work, to be sure, but hackers are
tenacious, so we must be even more so. After all this, the new server
can join the rest of the pack for testing on a regular schedule.

Regards,

Keith Kooyman

This email may contain the thoughts and opinions of Keith Kooyman and does
not represent official Texas State Technical College Waco policy.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Rob Riggins
Sent: Thursday, August 16, 2012 1:57 PM
To: security-basics (at) securityfocus (dot) com
Subject: Re: STIG Implementation

My advice with the Gold Disk is to definitely not run the automated
remediation process. Make the changes manually, because the remediation
process can break things. Of course, you can break things manually too,
but at least you will have an idea what you did if you remediate
manually.

Gold Disk only reviews Windows and some installed components. The Gold
Disk is being phased out this year. You have two other choices: SCAP tools
and manual reviews.

What other components are on the server? You will need to review those
components with the corresponding STIGs too.

For STIG reviews, use the STIG Viewer. It will create checklists from
STIGs. After you manually run through the checklist items, you can create
an export file to upload to VMS (if that's where the results are going).

Will you upload the results into VMS?

I could write a tiny book on this. This process can be very frustrating if
you are doing it without someone guiding you.

Rob

On Tue, Jul 31, 2012 at 4:59 PM, <JNMiller1978 (at) gmail (dot) com> wrote:
>
> Hello All,
>
> I am new to the IA field and was wondering if anyone would like to
> share some of their experience with STIG Implementation. I am going
> through them manually now as I have not gained access to Gold Disk yet.

--
Rob Riggins
Minneapolis, MN
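The checklist workflow described in the thread (build a checklist from the STIG, walk it by hand, record a status per item, repeat the pass until clean, and never let a tool auto-remediate) can be sketched in code. The following is an added example, not code from the thread, from DISA or from STIG Viewer: it parses a constructed XCCDF 1.1 fragment in the Group/Rule shape DISA STIGs are shipped in, records per-item status using the four statuses a STIG Viewer checklist uses (Not_Reviewed, Open, NotAFinding, Not_Applicable), and prints a worksheet of the Open items' fix text for a human to apply. The benchmark, its V-/SV- identifiers, titles and check text are all invented for the example; the script deliberately changes nothing on the host.

```python
# Audit-only STIG checklist helper. Added example; parses a constructed
# XCCDF 1.1 fragment and tracks reviewer findings. Nothing here touches the host.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}   # namespace DISA STIGs use
SEV_RANK = {"high": 0, "medium": 1, "low": 2}         # CAT I, II, III ordering
STATUSES = ("Not_Reviewed", "Open", "NotAFinding", "Not_Applicable")  # .ckl statuses

# Constructed sample in the Group/Rule shape of a DISA STIG. IDs, titles and
# check text are invented for this example; it is not a real benchmark.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_Server_STIG">
  <title>Example Server STIG (constructed)</title>
  <Group id="V-100001"><title>Account lockout threshold</title>
    <Rule id="SV-100001r1_rule" severity="medium">
      <version>EX-000010</version>
      <title>The account lockout threshold must be 3 or fewer invalid attempts.</title>
      <check system="C-1"><check-content>Run "net accounts"; confirm the lockout threshold is 3 or less.</check-content></check>
      <fixtext>Set the lockout threshold to 3 in the password policy.</fixtext>
    </Rule></Group>
  <Group id="V-100002"><title>Anonymous name translation</title>
    <Rule id="SV-100002r1_rule" severity="high">
      <version>EX-000020</version>
      <title>Anonymous SID/Name translation must be disabled.</title>
      <check system="C-2"><check-content>Verify the policy is set to Disabled.</check-content></check>
      <fixtext>Set the policy to Disabled and reboot.</fixtext>
    </Rule></Group>
  <Group id="V-100003"><title>Unneeded service</title>
    <Rule id="SV-100003r1_rule" severity="low">
      <version>EX-000030</version>
      <title>The Example Indexing service must be disabled unless required.</title>
      <check system="C-3"><check-content>If the service is documented as required, this is Not Applicable.</check-content></check>
      <fixtext>Set the service startup type to Disabled.</fixtext>
    </Rule></Group>
</Benchmark>
"""


@dataclass
class Item:
    vuln_id: str      # Group id (V-...), the key VMS and STIG Viewer use
    rule_id: str      # Rule id (SV-..._rule)
    stig_id: str      # Rule <version>, the STIG ID
    severity: str
    title: str
    check_text: str
    fix_text: str
    status: str = "Not_Reviewed"
    comment: str = ""


def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def load_checklist(xccdf_text):
    """One checklist item per Group/Rule pair, every item starting Not_Reviewed."""
    root = ET.fromstring(xccdf_text)
    items = []
    for group in root.findall("x:Group", NS):
        rule = group.find("x:Rule", NS)
        if rule is None:
            continue
        items.append(Item(
            vuln_id=group.get("id", ""), rule_id=rule.get("id", ""),
            stig_id=_text(rule, "x:version"),
            severity=rule.get("severity", "unknown").lower(),
            title=_text(rule, "x:title"),
            check_text=_text(rule, "x:check/x:check-content"),
            fix_text=_text(rule, "x:fixtext")))
    return items


def record_finding(items, vuln_id, status, comment=""):
    """Record what the reviewer observed; rejects statuses a .ckl would not accept."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    for it in items:
        if it.vuln_id == vuln_id:
            it.status, it.comment = status, comment
            return it
    raise KeyError(vuln_id)


def next_pass(items):
    """Work still owed: Open items first, highest severity first, then unreviewed."""
    pending = [i for i in items if i.status in ("Open", "Not_Reviewed")]
    return sorted(pending, key=lambda i: (i.status != "Open", SEV_RANK.get(i.severity, 9)))


def summarize(items):
    counts = dict.fromkeys(STATUSES, 0)
    for i in items:
        counts[i.status] += 1
    return counts


def fix_worksheet(items):
    """Fix text for Open items, for a human to apply and then re-check by hand."""
    return [f"{i.vuln_id} [{i.severity}] {i.title}\n  CHECK: {i.check_text}\n  FIX:   {i.fix_text}"
            for i in next_pass(items) if i.status == "Open"]


if __name__ == "__main__":
    cl = load_checklist(SAMPLE_XCCDF)
    record_finding(cl, "V-100001", "NotAFinding", "net accounts shows threshold 3")
    record_finding(cl, "V-100002", "Open", "policy currently Enabled")
    record_finding(cl, "V-100003", "Not_Applicable", "service required by the search app")
    print(summarize(cl))
    print("\n".join(fix_worksheet(cl)))
```

Each run of `next_pass` is one of the repeated passes the thread talks about: the reviewer applies the worksheet fixes by hand, re-runs the checks, updates the statuses, and stops only when the list comes back empty. Keeping the fix text as text rather than as commands is the point; a script that executed `fixtext` would be the automated remediation both replies warn against.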


RE: STIG Implementation Aug 20 2012 01:01PM
THOMAS, DEDRIC (dt7089 att com)
RE: STIG Implementation Aug 01 2012 01:57PM
Cate, Jim (Jim_Cate BCBST com)