RE: Blessed Windows Security Templates

• Previous message: Jannie Hanekom: "RE: Blessed Windows Security Templates"
• Maybe in reply to: RUSecure: "Blessed Windows Security Templates"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: rusecure@earthlink.net, focus-ms@securityfocus.com
Date: Mon, 15 Dec 2003 15:08:23 +0100

Hi there,

I am in a situation where the client has multiple standalone servers that
needed to be hardened, and although different to your setup you could use
the following method.

I downloaded the secruity templates from MS
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
prodtech/win2000/win2khg/06tmplts.asp and the document describing the
changes. Following that I read though the entire document adding settings
that I thought where relevant above the recommended settings of the template

Eventually I ended up with my own hybrid security template, which suited my
needs perfectly. I must stress that with testing it took me the better part
of a week.

Regards
Spark88

-----Original Message-----
From: RUSecure [mailto:rusecure@earthlink.net]
Sent: 12 December 2003 02:07
To: focus-ms@securityfocus.com
Subject: Blessed Windows Security Templates

Hello all,

I have a special request from a client.

My client is looking for anyone who will help bless the use of ANY
security Template with use for Windows 2000 and a similar configuration
as I will describe below. They would love to actually talk to someone
as well if possible.

I am on an SAP ITS Web front end engagement, so you can see why I am
recommending they seriously harden their front-end and back-end Windows
servers.

So here is the configuration.

Win2K SP4 running IIS 5.0.
SAP ITS Wgate on the front end
SAP Agate on the backend

I have NOT hardened anything yet... And desperately want to using
something the client can repeatedly reproduce for use within their
organization.

I am recommending they use a Commercial tool, but that will take time,
so MMC and templates for now.

I am suggesting they use one of the Center for Internet Security
Templates (CIS - www.cisecurity.org) which are the NIST and NSA
templates for the Wgate servers in the DMZ Agate servers as well.

I want them to have the ability of checking the systems using the CIS
tool and have some level of hardening. I also suggest since they do not
use and security templates on standalone or through AD that they need to
move to this direction for repeatability and basic security worthiness.
They can use MMC to manage and apply these templates and command line it
for reproduction and compliance.

So has ANYONE used ANY template on a configuration similar to the one I
listed ? It does NOT have to be SAP as any basic WEB front end using
IISLockDown with a Static Web server and NOTHING else required except
Insight Manager and SNMP and PcAnywhere.

I recommended the following templates:

Win2KSrvGold_r1.0.1.inf

Or

HISECWEB replacement Web_Secure.INF

Or what comes with Win2K out of the box

Hisecws.inf.

Need I say the lack of use hardened servers is of great concern and they
would desire to find someone that is actually using some "template.inf"
to secure their environment.

These servers are going on the Internet... !!!!!!!

H E L P !

Cheers,

MG

---------------------------------------------------------------------------
---------------------------------------------------------------------------

---------------------------------------------------------------------------
---------------------------------------------------------------------------

• Previous message: Jannie Hanekom: "RE: Blessed Windows Security Templates"
• Maybe in reply to: RUSecure: "Blessed Windows Security Templates"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]