OSEC

From: Kolde, Jennifer E. (jkolde_at_nosc.mil)
Date: Mon Nov 04 2002 - 13:33:34 CST


In a message dated 11/1/02, 2:50 PM Pacific Standard Time,
marcusnwnc.net wrote:

<<SANS institute has a Windows 2000 "Gold Standard", which is basically
a collection of the industry best practices for Windows 2000 server
security. However, they don't offer any auditing to certify that you've
met the standard.>>

The Gold Standard is actually designed specifically for Windows 2000
Professional...though you could extend the same concepts to Win2K
Server, you'd have to make some adjustments, so it wouldn't be suitable
for use with Win2K Server 'as is'.

The Center for Internet Security (www.cisecurity.org) has developed a
freely available "scoring tool" that acts as a sort of basic
vulnerability scanner to ensure that you're compliant with the Gold
Standard recommendations, along with a few other basic security checks
(system fully patched, drives formatted with NTFS, etc.).

Note that the scoring tool is configurable - you can have it check your
system based on any set of security settings you define. It uses the
standard Windows security template (*.inf file) format; you just feed it
the name of the template you want to use.

Using the templates and CIS scoring tool (or even the built-in Microsoft
Security Configuration and Analysis tool, which is what CIS is based on)
would certainly not be as thorough as a formal audit, but might help
provide some assurance to your clients.

Regards,
Jennifer
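
The template-driven check Jennifer describes, shown as an added example that is not part of the original message, the CIS scoring tool, or Microsoft's Security Configuration and Analysis tool: a small Python script that parses two files in the Windows security template (*.inf) format and scores the "current" one against the baseline. Both inputs are constructed samples; on a real host the current side would be an export of the machine's effective settings rather than a hand-written file.

```python
"""Score exported Windows security settings against a baseline template.
Added example (not the original post's or CIS's code). The two *.inf
strings below are constructed samples in the secedit template format."""
import configparser
from typing import Dict, List, Tuple

# Constructed baseline in the style of a hardening template.
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon=1,"0"
"""

# Constructed "current state" export: two settings deviate from the baseline.
CURRENT_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon=1,"0"
"""

SCORED_SECTIONS = ("System Access", "Registry Values")  # sections we compare

def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like template; keys keep their case (registry paths)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # do not lower-case keys such as MACHINE\...
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def score(baseline: str, current: str) -> Tuple[int, int, List[str]]:
    """Return (passed, total, findings). A baseline setting passes only if
    the current export has the same key with an identical value."""
    want, have = parse_template(baseline), parse_template(current)
    passed, total, findings = 0, 0, []
    for section in SCORED_SECTIONS:
        for key, expected in want.get(section, {}).items():
            total += 1
            actual = have.get(section, {}).get(key)
            if actual == expected:
                passed += 1
            else:
                findings.append(f"[{section}] {key}: expected {expected}, found {actual}")
    return passed, total, findings
```

With the samples above, `score(BASELINE_INF, CURRENT_INF)` reports 3 of 5 settings compliant and lists the weakened password length and the RestrictAnonymous value as findings.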
