3.5 Security Baselines
Automatic Enforcement of Baselines
Some security auditing products take the idea of baselines one step further by allowing you to specify rules for your desired system configurations (and other security controls) within the auditing product, so that the tools can automatically scan for deviations from those baselines and report them to you.
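The kind of rule-based scan described above, as an added example that is not part of the original guide or taken from any particular auditing product: the baseline maps each file to the most permissive mode it may have, and the scan reports missing files, excess permission bits and files that no rule covers. The paths, modes and sample tree are constructed for illustration, and POSIX file permissions are assumed.

```python
import os
import stat
import tempfile

# Baseline rules (constructed for this example): relative path -> the most
# permissive mode allowed. Any permission bit outside the mask is a deviation.
BASELINE = {"etc/app.conf": 0o640, "etc/secret.key": 0o600, "bin/service": 0o755}

def audit(root, baseline):
    """Return a sorted list of (path, finding) deviations from the baseline."""
    findings = []
    for rel, max_mode in baseline.items():
        try:
            st = os.lstat(os.path.join(root, rel))  # lstat: do not follow symlinks
        except FileNotFoundError:
            findings.append((rel, "missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISREG(st.st_mode):
            findings.append((rel, "not a regular file"))
        elif mode & ~max_mode:
            findings.append((rel, f"mode {mode:04o} exceeds baseline {max_mode:04o}"))
    # A file that no rule covers is also a deviation from the known-good state.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in baseline:
                findings.append((rel, "not in baseline"))
    return sorted(findings)

def build_sample(root):
    """Create a constructed sample tree that deviates from BASELINE in three ways."""
    modes = {"etc/app.conf": 0o640, "etc/secret.key": 0o644, "bin/extra.sh": 0o755}
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)

def demo():
    """Audit the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit(root, BASELINE)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"DEVIATION {rel}: {finding}")
```

Re-running the same scan after each configuration change, during the test window, shows whether a fix for a broken application loosened something the baseline was meant to hold.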
One idea, which can't be repeated often enough to those who are in the process of tightening the screws, is the importance of testing and re-testing new configurations to make sure that you haven't broken any critical network/system functionality as you've worked to increase security. It's somewhat sad to report this, but the software world is replete with packages (not named, to protect the guilty) that contain functions that just won't work if file system security is tightened, ordinary users aren't assigned rights normally reserved for administrative users, etc. This is the kind of situation you want to discover on a Saturday morning, with a crew of volunteer users and a nice brunch delivery expected at 11am (so that the users can take a break, and your team can frantically work to adjust small things that didn't work properly during the first few hours of testing), not on the day that the company is trying to close the month. If you discover that you seem to be running one of these packages that just don't play nicely with a locked-down system, contact the vendor to see if they have any solutions or workarounds to the issue you find. If not, management needs to know about it, because a choice needs to be made, balancing security exposure with the importance of that package to the organization.
In the following sections, we look at the process of hardening (making resistant to attack) various types of server functionality typically available within an organization's network. Starting with the underlying OS/NOS level, since an application server won't be secure if the OS on which it runs is not secure, we continue by looking at common services often made available over the Internet such as web, email and FTP, and services generally used internally such as DHCP and directory services.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.