The DISA stigs are very comprehensive. The only thing you have to be
careful about is going to far. I have used the os, database, and web
server stigs a lot, and the best way to do it the first time you try
is to incrementally apply the changes, then test the server and make
sure it still has the functionality you require. If you apply
everything and then try to work your way back, you are doomed. The
first time I did it, I would apply about 5-10 changes, test
functionality, if it worked, take a ghost image, and apply 5-10 more
changes. That way you can easily drop back to a working point.
Also, you need to really understand what you are doing with regards
to permissions and user rights if you are going to follow the stig.
Otherwise you will make changes that will block out functionality you
need, and it may be difficult to work backwards. Definitely try it a
few times on a non-production server first. Also, depending on the
environment(NT domain, AD, etc...) there are a couple of known
gotcha's with the protocols.
Good Luck,
Toby
On Nov 24, 2005, at 2:19 AM, hannibal blog wrote:
Hello
did anyone try the publicly available disa SRR availble at
http://iase.disa.mil/stigs/SRR/
what is the diference between the publicly available ones and those
reserved to .mil ?
What do u think about using them to audit a customer win 2k server ?
----------------------------------------------------------------------
--------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications
on your
website. Up to 75% of cyber attacks are launched on shopping carts,
forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before
hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------
---------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
