System and Host Hardening Methodology
After you have performed a host assessment, you should have a clear understanding of how your environment is deployed. At this stage you are ready to perform remediation, such as updating versions and patches, configuring host controls, reducing permissions, and so on. But wait, this may be a case of the chicken or the egg-you should perform remediation in accordance with a hardened baseline. If your organization doesn't have a baseline, then one must be developed.
A secure baseline should attempt to follow best practice guidelines. Best practice involves running up-to-date versions of software, minimal services, protective software, users operating at the minimal level, and so on. Some people have the misperception that best practice can be rolled into one generic document or template defining how each setting should be configured. An example can be seen in the "hisec" template that Microsoft provides for servers. Many organizations realized quickly that a case of "high security" is not necessarily "best practice," as things quit working when they blindly applied the template. However, if you must meet C2 certification criteria, that level of security may not be restrictive enough. Detailed NSA guideline settings are available on their web site at http://www.nsa.gov/snac/ and http://www.nsa.gov/snac/support/download.htm.
