:star: G3 Secure Configs HW
:checkered_flag:
G3-1
Establish standard secure configurations
of operating systems
and software applications.
Standardized images should represent hardened versions of
the underlying operating system
and the applications installed on the system.
These images should be validated and refreshed
on a regular basis
to update their security configuration in light of
recent vulnerabilities
and attack vectors.
:checkered_flag:
G3-2
Follow strict configuration management
building a secure image that is used
to build all new systems that are deployed in the enterprise.
Any existing system that becomes compromised
should be re-imaged with the secure build.
Regular updates or exceptions to this image
should be integrated into the organization's change management processes.
Images should be created for
workstations
servers
and other system types used by the organization.
:checkered_flag:
G3-4
Deploy system configuration management tools, such as
Active Directory Group Policy Objects for Microsoft Windows systems
or Puppet for UNIX systems
that will automatically enforce and redeploy configuration settings
to systems at regularly scheduled intervals.
They should be capable of triggering redeployment of configuration settings
on a scheduled
manual
or event-driven basis.
:checkered_flag:
G3-5
Implement and test an automated configuration monitoring system
that verifies all remotely testable secure configuration elements
and alerts when unauthorized changes occur.
This includes detecting
new listening ports
new administrative users
changes to group and local policy objects (where applicable)
and new services running on a system.
Whenever possible use tools compliant
with the Security Content.
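
The G3-5 check for new listening ports, new administrative users and new services can be implemented as a baseline comparison. The sketch below is an added example, not part of the original mind map; the snapshot text, the user and service names and the `sudo` admin group are constructed assumptions, and group/local policy object changes are not covered.

```python
"""Baseline-vs-current drift check for the G3-5 items (added example)."""

# Constructed sample captures. On a real Linux host they would come from
# `ss -H -tln`, `getent group sudo` and
# `systemctl list-units --type=service --state=running --no-legend --plain`.
BASELINE = {
    "ports": "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 128 [::]:22 [::]:*\n",
    "admins": "sudo:x:27:alice\n",
    "services": "ssh.service loaded active running OpenBSD Secure Shell server\n"
                "cron.service loaded active running Regular background jobs\n",
}
CURRENT = {
    "ports": BASELINE["ports"] + "LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*\n",
    "admins": "sudo:x:27:alice,tempadmin\n",
    "services": BASELINE["services"]
                + "webhelper.service loaded active running Constructed unit\n",
}

def parse_ports(text):
    """Return {(address, port)} from `ss -H -tln` style lines."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")  # handles [::]:22 too
            ports.add((addr, int(port)))
    return ports

def parse_admins(text):
    """Return the member names from `getent group <name>` style lines."""
    members = set()
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[3]:
            members.update(parts[3].split(","))
    return members

def parse_services(text):
    """Return the unit names (first column) of the running services."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

PARSERS = {"ports": parse_ports, "admins": parse_admins, "services": parse_services}

def detect_drift(baseline, current):
    """Return sorted (category, item) pairs present now but not in the baseline."""
    alerts = [(cat, item) for cat, parse in PARSERS.items()
              for item in parse(current[cat]) - parse(baseline[cat])]
    return sorted(alerts, key=str)

if __name__ == "__main__":
    for category, item in detect_drift(BASELINE, CURRENT):
        print(f"ALERT unauthorized change: new {category} entry {item}")
```

Each alert should be matched against an approved change record before the baseline is updated.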
:checkered_flag:
G3-6
Perform all remote administration of
servers
workstations
network devices
and similar equipment over secure channels.
Protocols such as
telnet
VNC
RDP
or others that do not actively support strong encryption
should only be used if they are performed over a secondary encryption channel, such as
SSL
TLS
or IPSEC.
:checkered_flag:
G3-7
Store the master images on securely configured servers
validated with integrity checking tools capable of continuous inspection
and change management to ensure that
only authorized changes to the images are possible.
Alternatively, these master images can be stored
in offline machines, air gapped from the production network
with images copied via secure media
to move them between the image storage servers
and the production network.