Windows Server 2008 Hardening guide
Bl8ckr0uter
Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Greetings All:
I am looking for a decent Windows Server 2008 R2 hardening, specifically with IIS in mind. I need to throw a server up by Tuesday for a developer and they want it hardened as well as possible. I am thinking of following an old 2003 guide I had and using the Mastering 2008 and IIS 7 book to help fill some gaps. Anyone have any other resources (free if possible)?
I was finally able to track down the old security guide:
iase.iiie.disa.mil/stigs/downloads/.../windows_server_2008_security_guide.pdf
Comments
-
veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
-
kriscamaro68 Member Posts: 1,186 ■■■■■■■□□□
Bl8ckr0uter wrote: »
Greetings All:
I am looking for a decent Windows Server 2008 R2 hardening, specifically with IIS in mind. I need to throw a server up by Tuesday for a developer and they want it hardened as well as possible. I am thinking of following an old 2003 guide I had and using the Mastering 2008 and IIS 7 book to help fill some gaps. Anyone have any other resources (free if possible)?
I was finally able to track down the old security guide:
iase.iiie.disa.mil/stigs/downloads/.../windows_server_2008_security_guide.pdf
Check this site out: CIS Benchmark Audit Tools
If you become a member which is free then you can get access to their benchmark tool and scoring sheet on hardening.
HTH
-
rwmidl Member Posts: 807 ■■■■■■□□□□
IIS 7 security guide/STIG isn't slated for release until March of this year:
DoD Security Guides and Tools - Frequently Asked Questions
That being said, you may want to utilize the general web server configuration guide
http://iase.disa.mil/stigs/downloads/zip/unclassified_web_server_v7r1_stig.zip
For 2008 R2 it looks like the guide should be out sometime soon, but in the meantime the 2008 guide will be your best bet. I wouldn't use the 2003 guide, as I know we found a big change: the 2003 guide defined quite a few services, whereas 2008/Win 7 only defined a few (M$ and DISA are saying leave most "as is"). Also on the services front, just google "Black Viper" as he has done a really good job defining services needed depending on what "level" of server you need.
CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□
Good advice on CIS and DISA.
Also check out:
Download details: Microsoft Security Compliance Manager
Secure Windows Server
(specifically Configure Web Server Security (IIS 7))
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
So I am configuring a server based on the DISA STIG for 2k8. I don't have the gpo accelerator installed on this machine. Is there a way to show the MSS policies without using the gpo accelerator?