RE: Certification for Win2k Web Servers

From: disciple (marcus@nwnc.net)
Date: 11/01/02


From: "disciple" <marcus@nwnc.net>
To: "Matt Hodge" <security@hodgefamily.org>, <focus-ms@securityfocus.com>
Date: Fri, 1 Nov 2002 16:49:57 -0600

The SANS Institute has a Windows 2000 "Gold Standard", which is basically a
collection of the industry best practices for Windows 2000 server security.
However, they don't offer any auditing to certify that you've met the
standard.

When it comes to actual auditing, there are a number of large, well-respected
organizations which offer penetration testing and security auditing (PwC,
Lucent, Foundstone - don't know how large Foundstone is). The issue really is
whether you can convince all of your customers to accept the audit results
from the single third-party auditor. The NSA also offers certifications in
their Infosec Assessment Methodology. If you can find a reputable vendor
which has NSA-certified analysts, that may be enough for your customers.

Just my 2c.

-----Original Message-----
From: Matt Hodge [mailto:security@hodgefamily.org]
Sent: Friday, November 01, 2002 2:44 PM
To: focus-ms@securityfocus.com
Subject: Certification for Win2k Web Servers

I work at a company that offers web services to industries that are fairly
paranoid about security. With each customer we encounter, they seem to
wince at hosting their data through our servers instead of hosting it
themselves. So we are repeatedly going through security audits of various
types. My question is this: are there any standards or companies that can
do an audit on a regular basis, who have enough standing in the community
that other companies will take their audit instead of doing their own? We
have already hired independent companies to do audits, and we always turn
out fine, but from a sales point of view it is becoming a major hurdle to
have to jump over each time. Thanks.