http://www.gcn.com/online/vol1_no1/46239-1.html
By William Jackson
GCN.com
05/08/08
The National Institute of Standards and Technology is seeking comment on
its draft guidelines for securing servers, released this week.
NIST Special Publication 800-123 [1], "Guide to General Server
Security," makes recommendations for securing server operating systems
and softwarein addition to maintaining a secure configuration with
patches and software upgrades, security testing, log monitoring and
backups of data and operating system files.
The document addresses common servers that use general operating systems
and are deployed in outward- and inward-facing locations. The
recommendations apply to a variety of typical servers, such as Web,
e-mail, database, infrastructure management and file servers. Much of
the content was derived from SP 800-44 Version 2, "Guidelines on
Securing Public Web Servers," and SP 800-45 Version 2, "Guidelines on
Electronic Mail Security."
Common security threats addressed include exploitation of software bugs
to gain unauthorized access, denial-of-service attacks, exposure or
corruption of sensitive data, unsecured transmission of data, use of a
server breach to gain access to other network resources and use of a
compromised server to launch attacks.
NIST recommended that security plans be considered from the initial
planning stage because addressing security is more difficult after
deployment. "Organizations are more likely to make decisions about
configuring computers appropriately and consistently when they develop
and use a detailed, well-designed deployment plan," the document said.
It also advised agencies to consider human resources required for
deployment and operational phases, including training requirements.
To ensure the security of a server and the supporting network
infrastructure, NIST recommends:
* Organizationwide information system security policy.
* Configuration/change control and management.
* Risk assessment and management.
* Standardized software configurations that satisfy the information
system security policy.
* Security awareness and training.
* Contingency planning, continuity-of-operations and disaster
recovery planning.
* Certification and accreditation.
In deployment server operating systems, default hardware and software
configurations usually must be modified to achieve adequate security
rather than maximum functionality and ease of use. "Because
manufacturers are not aware of each organization's security needs, each
server administrator must configure new servers to reflect their
organization's security requirements and reconfigure them as those
requirements change," NIST advised. "Using security configuration guides
or checklists can assist administrators in securing systems consistently
and efficiently."
Similar efforts are needed for server applications. "The overarching
principle is to install the minimal amount of services required and
eliminate any known vulnerabilities through patches or upgrades," the
document said.
Comments on the draft should be e-mailed [2] by June 13, with the phrase
"Comments SP 800-123" in the subject line.
[1] http://csrc.nist.gov/publications/drafts/800-123/Draft-SP800-123.pdf
[2] 800-123comments (at) nist.gov
Received on Mon May 12 03:24:21 2008