In an effort to help standardize the process of establishing a common minimum level of security on government computers, the federal Center for Internet Security (CIS) is developing benchmark and scoring tools. These benchmarks are being created through a joint effort among several agencies, including NSA, DISA, NIST, GSA, and CIS. On July 17, 2002, the CIS published its first set of materials for Windows 2000 Professional.
The Windows 2000 Professional Operating System Benchmark - Consensus Baseline Security Settings (v1.0) is a PDF document that describes a Windows 2000 Professional minimum security baseline. This benchmark defines a prudent minimum due care level to establish standard basic security on a newly installed Windows 2000 Professional system. In addition to defining required security configurations, it also recommends or suggests means whereby security controls and improvements can be implemented.
The benchmark document is only part of the package that CIS created. They also distribute a software scoring tool that evaluates systems against this minimum security benchmark. The scoring tool assesses the security configuration of a system and generates multiple detailed reports that can be used to determine current compliance and to achieve complete compliance by applying appropriate measures.
Using these elements in concert can help any administrator to evaluate systems quickly and to establish minimum security before deploying
Many federal agencies are required to meet the standards defined in this benchmark immediately. These security benchmarks and tools are made available to the public to encourage business and personal IT communities to improve their IT security as well. The overall goal of these efforts is to improve computer security throughout the US, not just within government agencies, so the whole country becomes less susceptible to domestic and internal cybercrime.
I urge you to take a look at these materials offered by CIS and to test a few of your systems using the scoring tool to see how your security policy (as implemented) measures up to recommended proper minimum security configurations for Windows 2000 Professional. Benchmarks and tools for numerous other operating systems are in development and will be released soon.
For more information and to download the benchmarks and tools, please see the Center for Internet Security (CIS) Web site.
Thomas Alexander Lancaster IV is a consultant and author with over ten years of experience in the networking industry, focused on Internet infrastructure.
This was first published in July 2002