8

Long story short: I'm an engineer doing development, not administration. I have no direct access to the production server, so I can only tell the administration team the best configurations for security. However, as you all know, it's not as simple as a checklist, because you need to dig deeper and incorporate the configuration very well with your application logic. However, as of the time being I'm only capable of giving them checklists of configuration; I can't give them guidelines. I need to give them specific things, so I would need to use some sorta... checklists.

Where can I find an exhaustive list of configuration for IIS and SQL Server and the machines they need to reside on (separate machines, of course), and what kind of services to run, ports to open... etc.?

S.L. Barth
Orca

3 Answers

8

The Center for Internet Security Benchmarks tend to be my go-to source for hardening advice. They will, of course, need to be tailored to your environment, but I have found them to be fairly general purpose and easily modified. On the linked download page you will find both IIS and SQL Server documents.

As for the other half of your question, it seems like you're asking for additional hardening advice on the underlying operating system. If so, then see this question as a starting point - Windows Hardening. If that does not fit your needs, then I would suggest formulating a separate question specifically on that topic.

While hardening the underlying layers is good, you also need to be concerned with the web applications as well. The metrics that I've seen seem to indicate that compromises are shifting away from the OS and servers and focusing on the web apps themselves. So don't forget to look into that as well.

Scott Pack
  • That's the thing, the web app hardening I can do myself, and do pretty well, it's just that I needed a checklist for the administration team to follow. Thanks for the answer, I already have the CIS benchmarks, and by God they're great. I thought there were other very good resources to be recommended. – Orca Feb 26 '11 at 19:47
4

Another good resource can be found at the NIST National Checklist Program Repository. Available here are a bunch of baselines generated with the MS Security Compliance Manager Tool which can be used to quickly and easily measure a given config against their baselines. Baselines exist for many different MS techs.

If automation is valuable for you, I believe that the automated tool for checking against the CIS benchmarks may only be available for members who have paid some pretty significant fees.

TobyS
0

https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS7_Benchmark_v1.2.0.pdf is a good and very extensive document.

user857990