It's rather comprehensive, but in that type of setup you may want to have a
look at Microsoft's "System Architecture" set of documents at
http://www.microsoft.com/business/reducecosts/efficiency/consolidate/msa.mspx.
(This used to be called "Microsoft Internet Data Center".)
This consists primarily of a set of documents, so it won't give you a shiny
GUI. However, with a bit of reading, anyone with a bit of sense can
implement the suggestions.
I've only used the v1.0 documents, so can't speak for v1.5 or v2.0 directly,
but they were VERY comprehensive and battle-hardened and are separated into
design blueprints and "reference" implementations, allowing you to use
elements from both as you see fit. (Most notably the security documents
will probably be of use to you.)
Something else which may be useful is that the reference architecture uses
the Microsoft/HP/EMC/Cisco hardware set, which is what you seem to be
running SAP on. (That seems to be one of the more popular platforms for SAP
on NT anyway.)
The documents themselves are free, but Microsoft sells the automated tools
they mention in the docs at a hefty price. However, you can get by just
fine in most situations by performing some of the tasks manually or building
your own (basic) tools.
Hope that helps.
Jannie
-----Original Message-----
From: RUSecure [mailto:rusecure (at) earthlink (dot) net [email concealed]]
Sent: 12 December 2003 02:07
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Blessed Windows Security Templates
Hello all,
I have a special request from a client.
My client is looking for anyone who will help bless the use of ANY security
Template with use for Windows 2000 and a similar configuration as I will
describe below. They would love to actually talk to someone as well if
possible.
I am on an SAP ITS Web front end engagement, so you can see why I am
recommending they seriously harden their front-end and back-end Windows
servers.
So here is the configuration.
Win2K SP4 running IIS 5.0.
SAP ITS Wgate on the front end
SAP Agate on the backend
I have NOT hardened anything yet... And desperately want to, using something
the client can repeatedly reproduce for use within their organization.
I am recommending they use a Commercial tool, but that will take time, so
MMC and templates for now.
I am suggesting they use one of the Center for Internet Security Templates
(CIS - www.cisecurity.org) which are the NIST and NSA templates for the
Wgate servers in the DMZ and the Agate servers as well.
I want them to have the ability of checking the systems using the CIS tool
and have some level of hardening. I also suggest since they do not use any
security templates on standalone or through AD that they need to move to
this direction for repeatability and basic security worthiness. They can use
MMC to manage and apply these templates and command line it for reproduction
and compliance.
So has ANYONE used ANY template on a configuration similar to the one I
listed? It does NOT have to be SAP as any basic WEB front end using
IISLockDown with a Static Web server and NOTHING else required except
Insight Manager and SNMP and PcAnywhere.
I recommended the following templates:
Win2KSrvGold_r1.0.1.inf
Or
HISECWEB replacement Web_Secure.INF
Or what comes with Win2K out of the box
Hisecws.inf.
Need I say the lack of use of hardened servers is of great concern and they
would desire to find someone that is actually using some "template.inf" to
secure their environment.
These servers are going on the Internet... !!!!!!!
H E L P !
Cheers,
MG
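
Added example, not part of either message: the idea of checking servers against a security template from the command line, sketched as a Python comparison between a baseline template and a settings export (for instance a file written by `secedit /export`). The setting values are constructed samples, and `parse_template` and `find_drift` are hypothetical helper names.

```python
# Compare a baseline security template (.inf) with a server's exported settings.
# BASELINE and EXPORTED are constructed samples, not taken from a real template.

BASELINE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
"""

EXPORTED = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Registry Values]
machine\system\currentcontrolset\control\lsa\restrictanonymous = 4, 0
"""

def parse_template(text):
    """Return {section: {key: value}}; names lower-cased, "4, 0" -> "4,0"."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = ",".join(p.strip() for p in value.split(","))
    return sections

def find_drift(baseline_text, exported_text, skip=("version", "unicode")):
    """List (section, key, wanted, found) for each baseline setting not met."""
    actual = parse_template(exported_text)
    drift = []
    for section, settings in parse_template(baseline_text).items():
        if section in skip:
            continue  # file metadata, not a security setting
        for key, wanted in settings.items():
            found = actual.get(section, {}).get(key, "<not set>")
            if found != wanted:
                drift.append((section, key, wanted, found))
    return drift

if __name__ == "__main__":
    print(find_drift(BASELINE, EXPORTED))
```

Real template and export files are often UTF-16 encoded, so decode them before passing the text in.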