[ISN] Draft guidance for securing servers

From: InfoSec News (alerts@private)
Date: Mon May 12 2008 - 01:24:21 PDT


By William Jackson

The National Institute of Standards and Technology is seeking comment on 
its draft guidelines for securing servers, released this week.

NIST Special Publication 800-123 [1], "Guide to General Server 
Security," makes recommendations for securing server operating systems 
and software, in addition to maintaining a secure configuration with 
patches and software upgrades, security testing, log monitoring and 
backups of data and operating system files.

The document addresses common servers that use general operating systems 
and are deployed in outward- and inward-facing locations. The 
recommendations apply to a variety of typical servers, such as Web, 
e-mail, database, infrastructure management and file servers. Much of 
the content was derived from SP 800-44 Version 2, "Guidelines on 
Securing Public Web Servers," and SP 800-45 Version 2, "Guidelines on 
Electronic Mail Security."

Common security threats addressed include exploitation of software bugs 
to gain unauthorized access, denial-of-service attacks, exposure or 
corruption of sensitive data, unsecured transmission of data, use of a 
server breach to gain access to other network resources and use of a 
compromised server to launch attacks.

NIST recommended that security plans be considered from the initial 
planning stage because addressing security is more difficult after 
deployment. "Organizations are more likely to make decisions about 
configuring computers appropriately and consistently when they develop 
and use a detailed, well-designed deployment plan," the document said. 
It also advised agencies to consider human resources required for 
deployment and operational phases, including training requirements.

To ensure the security of a server and the supporting network 
infrastructure, NIST recommends:

    * Organizationwide information system security policy.
    * Configuration/change control and management.
    * Risk assessment and management.
    * Standardized software configurations that satisfy the information 
      system security policy.
    * Security awareness and training.
    * Contingency planning, continuity-of-operations and disaster 
      recovery planning.
    * Certification and accreditation.

When deploying server operating systems, default hardware and software 
configurations usually must be modified to achieve adequate security 
rather than maximum functionality and ease of use. "Because 
manufacturers are not aware of each organization's security needs, each 
server administrator must configure new servers to reflect their 
organization's security requirements and reconfigure them as those 
requirements change," NIST advised. "Using security configuration guides 
or checklists can assist administrators in securing systems consistently 
and efficiently."

Similar efforts are needed for server applications. "The overarching 
principle is to install the minimal amount of services required and 
eliminate any known vulnerabilities through patches or upgrades," the 
document said.
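The "minimal services" principle and the standardized configurations listed above both come down to comparing what a server actually exposes against a written baseline. The script below is an added illustration of that check (it is not from SP 800-123 or the article): the baseline, the host and the `ss`-style listener output are all constructed assumptions.

```python
"""Audit a server's listening services against a standardized baseline.

Constructed example: the baseline below stands in for the organization's
standardized configuration for an outward-facing web server, and the
sample output imitates `ss -Hltun` (no header) on a hypothetical host.
"""

# (protocol, port) pairs the security policy permits on this server class.
WEB_SERVER_BASELINE = {
    ("tcp", 22),   # SSH for administration
    ("tcp", 80),   # HTTP
    ("tcp", 443),  # HTTPS
}

# Constructed sample, not captured from a real machine.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511             [::]:443           [::]:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
"""


def parse_listeners(ss_output: str) -> set[tuple[str, int]]:
    """Extract (protocol, port) from header-less `ss -ltun` style lines."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:          # skip blank or malformed lines
            continue
        proto, local = fields[0], fields[4]
        # Local address is "addr:port"; IPv6 looks like "[::]:443", so
        # split on the last colon only.
        port = int(local.rsplit(":", 1)[1])
        listeners.add((proto, port))
    return listeners


def audit(listeners: set, baseline: set) -> tuple[set, set]:
    """Return (unexpected, missing): services outside the baseline, and
    baseline services that are not running (a possible outage)."""
    return listeners - baseline, baseline - listeners


if __name__ == "__main__":
    extra, absent = audit(parse_listeners(SAMPLE_SS_OUTPUT), WEB_SERVER_BASELINE)
    for proto, port in sorted(extra):
        print(f"NOT IN BASELINE: {proto}/{port} - disable or document it")
    for proto, port in sorted(absent):
        print(f"MISSING: {proto}/{port} - expected service not listening")
```

Run on a real host with `ss -Hltun | python3 audit.py` after replacing the sample with `sys.stdin.read()`; the listing of unexpected services is the review item, not a verdict, since some (like the local-only database above) may be legitimately documented exceptions.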

Comments on the draft should be e-mailed [2] by June 13, with the phrase 
"Comments SP 800-123" in the subject line.

[1] http://csrc.nist.gov/publications/drafts/800-123/Draft-SP800-123.pdf 
[2] 800-123comments (at) nist.gov


This archive was generated by hypermail 2.1.3 : Mon May 12 2008 - 01:38:53 PDT