  1. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #1

    Windows Server 2008 Hardening guide

    Greetings All:

    I am looking for a decent Windows Server 2008 R2 hardening guide, specifically with IIS in mind. I need to throw a server up by Tuesday for a developer and they want it hardened as well as possible. I am thinking of following an old 2003 guide I had and using the Mastering 2008 and IIS 7 book to help fill some gaps. Anyone have any other resources (free if possible)?


    I was finally able to track down the old security guide:
    iase.iiie.disa.mil/stigs/downloads/.../windows_server_2008_security_guide.pdf
    Last edited by Bl8ckr0uter; 01-06-2011 at 06:49 PM.

  3. Audentis Fortuna Iuvat veritas_libertas's Avatar
    Join Date
    Feb 2009
    Posts
    5,654

    Certifications
    eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS
    #2
    Currently working on: Resting

  4. Senior Member kriscamaro68's Avatar
    Join Date
    Apr 2008
    Location
    Utah
    Posts
    1,149

    Certifications
    MCSA: 2012R2, MCS: Server Virtualization, MCTS-Win7, Security+, Server+, Net+, A+
    #3
    Originally Posted by Bl8ckr0uter:
    Greetings All:

    I am looking for a decent Windows Server 2008 R2 hardening guide, specifically with IIS in mind. I need to throw a server up by Tuesday for a developer and they want it hardened as well as possible. I am thinking of following an old 2003 guide I had and using the Mastering 2008 and IIS 7 book to help fill some gaps. Anyone have any other resources (free if possible)?


    I was finally able to track down the old security guide:
    iase.iiie.disa.mil/stigs/downloads/.../windows_server_2008_security_guide.pdf

    Check this site out: CIS Benchmark Audit Tools

    If you become a member, which is free, then you can get access to their benchmark tool and scoring sheet on hardening.

    HTH

  5. Senior Member rwmidl's Avatar
    Join Date
    Dec 2009
    Location
    World-wide Availability
    Posts
    768

    Certifications
    CISSP, CISM, MCSA:2008, MCITP:SA, MCTS x 4, MCSE W2K, MCSE: Security, MCSA W2K, MCSA: Security, MCP x Alot, Security +, ACIS, ACSS
    #4
    IIS 7 security guide/STIG isn't slated for release until March of this year:

    DoD Security Guides and Tools - Frequently Asked Questions

    That being said, you may want to utilize the general web server configuration guide:

    http://iase.disa.mil/stigs/downloads..._v7r1_stig.zip

    For 2008 R2 it looks like the guide should be out sometime soon, but in the meantime the 2008 guide will be your best bet. I wouldn't use the 2003 guide, as I know we found a big change in that the 2003 guide defined quite a few services, whereas 2008/Win 7 only defined a few (M$ and DISA are saying leave most "as is"). Also on the services front, just google "Black Viper" as he has done a really good job defining services needed depending on what "level" of server you need.
    CISSP | CISM | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS | ACIS | ACSS

  6. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #5

  7. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #6
    Awesome suggestions guys!

  8. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #7

    MSS policies hidden????

    So I am configuring a server based on the DISA STIG for 2k8. I don't have the GPO Accelerator installed on this machine. Is there a way to show the MSS policies without using the GPO Accelerator?