Configuration Standards
Hi
Does anyone have much experience with implementing CIS configuration standards? There is a choice between Level 1 and Level 2. I'm trying to understand what the difference is between them and where it's applicable to apply Level 1 or Level 2. The research I have done thus far suggests that Level 2 is for high security (possibly for a server that stores credit card data). This may not be applicable for standard member servers though. Level 2 can also impact the functionality of the server because it's very locked down, so you need to be careful when applying this.
I think Level 2 may be applicable for us on servers that store customer data, or possibly external facing, but that's about it. For all other servers, i.e. domain controllers, databases, Exchange, I think Level 1 would be suitable.
Anybody have any advice?
Thanks
Comments
kiki162 (Member, 635 posts):
For Level 1, settings are minimal recommendations that should be applied to, say, a server or database, and shouldn't cause any interruptions. Level 2 is going to be settings that may impact the functionality of your system. The idea is that you want to test these settings in an environment separate from your main one. You can easily set up a separate OU that's restricted to test settings out.
Regardless of the Level, you should always test out the settings to make sure that services or access isn't affected.
If you are trying to figure out the best way to implement these settings, feel free to PM me, and I can go over stuff with you.
636-555-3226 (Member, 975 posts):
Level 1 is considered a good balance of security & convenience for most normal businesses. Level 2 is stricter and is more likely to break compatibility with certain apps.
My recommendation is to put Level 1 on everything and see how it goes. If it goes well, start to slowly deploy Level 2 (to everything) and see what breaks. Take out the settings that end up breaking things, but otherwise leave as much Level 1 & Level 2 in as you can.
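The staged approach in the two replies above (a separate, restricted test OU; Level 1 everywhere first; Level 2 added piece by piece with the settings that break things carved out) can be scripted with the standard RSAT modules. The following PowerShell is an added example, not code from the thread, from CIS or from any of the tools mentioned. It assumes a domain-joined admin host with the ActiveDirectory and GroupPolicy modules; the domain DN, OU names, GPO name, backup folder, pilot host name and report folder are all placeholders, and the benchmark settings are assumed to be available as a GPO backup (for example a CIS Build Kit) in the backup folder, with the GPO created empty if no backup is found.

```powershell
# Added example, not from the thread: stage a CIS-style hardening GPO on a
# test OU with one pilot server before linking it to the production OU.
# Every name below is a placeholder; run from a domain-joined admin host with
# the RSAT ActiveDirectory and GroupPolicy modules installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain     = 'DC=corp,DC=example'             # placeholder domain DN
$ServersOU  = "OU=Servers,$Domain"             # placeholder production member-server OU
$TestOUName = 'CIS-Test'
$TestOU     = "OU=$TestOUName,$ServersOU"
$GpoName    = 'CIS Level 1 - Member Server'    # placeholder GPO name
$BackupPath = 'C:\CIS\GPOBackups'              # placeholder: folder holding a GPO backup (e.g. a CIS Build Kit)
$PilotHost  = 'SRV-PILOT01'                    # placeholder: a representative pilot server
$ReportDir  = 'C:\CIS\Reports'                 # placeholder: where GPO and RSoP reports are written

# 1. A separate OU, so the baseline only reaches machines you chose to test on.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$TestOU'")) {
    New-ADOrganizationalUnit -Name $TestOUName -Path $ServersOU
}

# 2. Build the GPO from the benchmark's GPO backup if one is present;
#    otherwise create it empty and populate it by hand from the benchmark.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    if (Test-Path $BackupPath) {
        $Gpo = Import-GPO -BackupGpoName $GpoName -Path $BackupPath -TargetName $GpoName -CreateIfNeeded
    } else {
        $Gpo = New-GPO -Name $GpoName
    }
}

# 3. Link the GPO to the test OU only, move the pilot server in, and force a
#    policy refresh so the impact shows up now rather than at the next cycle.
$Linked = (Get-GPInheritance -Target $TestOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $Linked) {
    New-GPLink -Name $GpoName -Target $TestOU -LinkEnabled Yes | Out-Null
}
$Pilot = Get-ADComputer -Identity $PilotHost
Move-ADObject -Identity $Pilot.DistinguishedName -TargetPath $TestOU
Invoke-GPUpdate -Computer $Pilot.Name -RandomDelayInMinutes 0 -Force

# 4. Keep a record of what the GPO sets and what the pilot actually received,
#    so any breakage can be traced to one setting and that setting carved out
#    of the GPO instead of abandoning the whole level.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $ReportDir "$GpoName.html")
Get-GPResultantSetOfPolicy -Computer $Pilot.Name -ReportType Html -Path (Join-Path $ReportDir "$PilotHost-rsop.html")

# 5. Only after the pilot has run clean for a while, link the same GPO to the
#    production OU. Repeat steps 2-5 with a separate 'Level 2' GPO, so a Level 2
#    setting that breaks an application can be removed from that GPO alone.
# New-GPLink -Name $GpoName -Target $ServersOU -LinkEnabled Yes
```

Keeping Level 1 and Level 2 in separate GPOs is the practical point: when a Level 2 setting breaks an application, you edit or unlink that one GPO and the Level 1 baseline on the same servers is untouched, which is exactly the "take out the settings that end up breaking things, but otherwise leave as much in as you can" advice above.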
cjthedj45 (Member, 331 posts):
kiki162 wrote: »For Level 1, settings are minimal recommendations that should be applied to, say, a server or database, and shouldn't cause any interruptions. Level 2 is going to be settings that may impact the functionality of your system. The idea is that you want to test these settings in an environment separate from your main one. You can easily set up a separate OU that's restricted to test settings out.
Regardless of the Level, you should always test out the settings to make sure that services or access isn't affected.
If you are trying to figure out the best way to implement these settings, feel free to PM me, and I can go over stuff with you.
Hey, thanks for the advice. It's much appreciated. Implementing these standards has been a real hardship at certain companies I have worked for. They wanted to use a manual process as Tripwire was too expensive. Looks like there are a few more tools on the market now. We are considering using CIS-CAT or Nessus. What do you use? Feel free to PM me if you prefer.
cjthedj45 (Member, 331 posts):
636-555-3226 wrote: »Level 1 is considered a good balance of security & convenience for most normal businesses. Level 2 is stricter and is more likely to break compatibility with certain apps.
My recommendation is to put Level 1 on everything and see how it goes. If it goes well, start to slowly deploy Level 2 (to everything) and see what breaks. Take out the settings that end up breaking things, but otherwise leave as much Level 1 & Level 2 in as you can.
Thanks for the advice and for confirming what I thought. It sounds like a good plan: get everything at Level 1 and then focus in on some key assets for L2.
kiki162 (Member, 635 posts):
Nessus is always a good bet. You can always get free trials for many of these programs that do CIS compliance checks; I would recommend you test some out first and see which one works best for your setup.