MG,

It sounds like you're on the right track. However,
there are some things you should be aware of...

Recommending a solution for this client is going to be
difficult at best, and time-consuming at the very
least. Why is that? Well, no one on this list knows
what the business needs of the client are. Just
saying that they're using SAP doesn't provide enough
information.

What you may want to do is review their needs with
them, and then tailor the templates as necessary. In
the case of the NSA template, for example, users won't
be able to log into the system. Blindly installing
templates can have undesired effects.

Harlan

--- RUSecure <rusecure (at) earthlink (dot) net [email concealed]> wrote:
> Hello all,
>
> I have a special request from a client.
>
> My client is looking for anyone who will help bless
> the use of ANY
> security Template with use for Windows 2000 and a
> similar configuration
> as I will describe below. They would love to
> actually talk to someone
> as well if possible.
>
> I am on an SAP ITS Web front end engagement, so you
> can see why I am
> recommending they seriously harden their front-end
> and back-end Windows
> servers.
>
> So here is the configuration.
>
> Win2K SP4 running IIS 5.0.
> SAP ITS Wgate on the front end
> SAP Agate on the backend
>
> I have NOT hardened anything yet... And desperately
> want to using
> something the client can repeatedly reproduce for
> use within their
> organization.
>
> I am recommending they use a Commercial tool, but
> that will take time,
> so MMC and templates for now.
>
> I am suggesting they use one of the Center for
> Internet Security
> Templates (CIS - www.cisecurity.org) which are the
> NIST and NSA
> templates for the Wgate servers in the DMZ Agate
> servers as well.
>
> I want them to have the ability of checking the
> systems using the CIS
> tool and have some level of hardening. I also
> suggest since they do not
> use and security templates on standalone or through
> AD that they need to
> move to this direction for repeatability and basic
> security worthiness.
> They can use MMC to manage and apply these templates
> and command line it
> for reproduction and compliance.
>
> So has ANYONE used ANY template on a configuration
> similar to the one I
> listed ? It does NOT have to be SAP as any basic
> WEB front end using
> IISLockDown with a Static Web server and NOTHING
> else required except
> Insight Manager and SNMP and PcAnywhere.
>
> I recommended the following templates:
>
> Win2KSrvGold_r1.0.1.inf
>
> Or
>
> HISECWEB replacement Web_Secure.INF
>
> Or what comes with Win2K out of the box
>
> Hisecws.inf.
>
> Need I say the lack of use hardened servers is of
> great concern and they
> would desire to find someone that is actually using
> some "template.inf"
> to secure their environment.
>
> These servers are going on the Internet... !!!!!!!
>
> H E L P !
>
> Cheers,
>
> MG
>
>
>
------------------------------------------------------------------------
---
>
------------------------------------------------------------------------
---
>

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---

[ reply ]