CU Boulder Minimum Security Standards Implementation Guide for CSRs & System Administrators

The steps below will help ensure that your system complies with the CU-Boulder minimum security standards. These steps are based on the CERT Security Knowledge in Practice method and will also help ensure both security and survivability. Additional information on SKiP can be found at http://www.cert.org/archive/pdf/SKiP.pdf and a summary is provided below:

Mission, Policy, and Guidelines

While it seems obvious that understanding the mission of a system is critical to ensuring a secure configuration, all too often administrators install every possible option on a system. It is also important to understand University policies and guidelines before you start the acquisition and installation of a new system. Click here for IT Policies.

Harden & Secure

Systems and software as shipped by vendors more likely have vulnerabilities which require patching or configuration. The recommended principles below will form a strong foundation helping to harden and secure systems (network servers, user workstations). Remember if you system is a critical system or contains sensitive information additional hardening steps will be necessary (see the additional resources for more help).

Always remember to build and patch your system before connecting it to the network

• Windows
  • Only install required components. Do not install items like simple TCP/IP services, Internet Information Server, WINS, etc. unless they are needed
  • Configure Windows Auto Update
  • Use System Policy Templates
  • Disable unnecessary services in the services control panel and registry
  • Enable Windows XP or 2003 firewall
  • Enable IP Security Policies
  • Disable IIS ftp and smtp services if IIS is needed
  • Disable or wrap unencrypted services (e.g., MSSQL)
• Unix & Linux
  • Disable unnecessary services in inet.d or xinet.d.
  • Disable or use an SSL wrapper for unencrypted services (e.g., telnet, ftp)
  • Protect the system with a host based firewall
    • Solaris & FreeBSD IPF instructions
    • RedHat iptables instructions
• Macintosh OS X
  • Only turn on services in Sharing that you absolutely need. If there is a service listed that you don’t need, turn it off.
  • Make sure to check for security updates often with Software Update. You can have updates scheduled and downloaded automatically if you like.
  • Enable the built-in Firewall in Sharing. Only open ports that you know you specifically need for a particular service.
  • Use an SSL wrapper for application traffic that otherwise would be clear-text.

Other practices include the creation of a computer deployment plan (network services, users/user privileges, access enforcement, intrusion detection, backup/recovery, network connections), securely configuring network service clients, and using a tested model configuration for workstations.

Prepare & Characterize

The only way to detect a security incident is to understand "What is normal operation?"

• Windows
  • Run the Microsoft Baseline Security Advisor
  • Use Sysinternals Tools to create a snapshot of your system.
  • Configure logging and understand what the typical log output looks like.
  • Always make sure your system state data is stored in a protected location.
• Unix & Linux
  • Install Tripwire to create system snapshot.
  • Configure logging and understand what the typical log output looks like.
  • Determine what processes are listing on what ports with lsof.
  • Take a hardware snapshot with dmesg.
  • Always make sure your system state data is stored in a protected location.
• Macintosh OS X
  • Configure logging and understand what the typical log output looks like.
  • Run the Verify Disk Permissions function of Disk Utility from time to time to see how application permissions may change and what the ideal permissions are.
  • Use Activity Viewer or Process Viewer to view process information or disk activity.

Detect

Once you understand what "normal" is you can discover problems by monitoring transactions performed by some asset (such as looking at the logs produced by a firewall system or a public web server).

• Windows
  • Install log monitoring software. Monitoring Windows networks means regularly checking (at least) three event logs and other application logs on each machine. This can lead to hours each day spent watching logs – not so different from watching paint dry, and waiting for it to drip.
  • Enable extended logging for your IIS web/FTP server and move the location of your log files.
• UNIX & Linux
  • Monitoring and responding to tripwire alerts.
• Macintosh OS X
  • Monitor the log files. Log files may be stored in /var/log or /Library/Logs/. Use the Console application to make this process much less tedious.
  • Run the Verify Disk Permissions function of Disk Utility and note any unusual notifications.

Respond

Problems or security incidents will always occur so it is important to know how you will respond to incidents before they happen. Additional details can be found in the ITS incident response page.

Improve

Remember the adage "Fool me once shame on you. Fool me twice shame on me!" It is important to learn from incidents and improve systems and processes. Identify lessons learned, periodically re-harden the system, securely retire systems by wiping drives.

Additional Security Resources

Windows Security

• ITS Windows 2000 Security Best Practices
• SANS Windows 2000 Security Step by Step PDF (restricted to the Boulder Campus)
• SANS Windows NT Security Step by Step PDF (restricted to the Boulder Campus)
• Microsoft Internet Information Server (IIS) Security
• Microsoft 2003 Security
• Microsoft Windows Client Security

Linux

• SANS Securing Linux Part 1 step-by-step PDF (restricted to the Boulder Campus)
• SANS Securing Linux Part 2 step-by-step PDF (restricted to the Boulder Campus)
• ITS Red Hat Linux Best Practices
• Securing and Optimizing Linux
• Linux Security Guide

Sun Solaris

• SANS Securing Solaris PDF (restricted to the Boulder Campus) Security Checklist
• Sun Security Bulletins
• Security Patches

Macintosh

• securemac.com
• Apple Security Update Page
• cert.org

Contact Information
Campus IT Security Office
(303) 735-HELP
security@colorado.edu