The Web Local

Compliance Testing

What is compliance testing?  It is basically an audit of a system carried out against a known criterion.  A compliance test may come in many different forms dependent on the request received, but can basically be broken down into several different types:

  • Operating Systems and Applications: A verification that an operating system and/or applications are configured appropriately to the company's needs and lockdown requirements, thus providing adequate and robust controls to ensure that the Confidentiality, Integrity and Availability of the system will not be affected in its normal day-to-day operation.

  • Systems in development: A verification that the intended system under development meets the configuration and lockdown standards requested by the customer.

  • Management of IT and Enterprise Architecture: A verification that the in-place IT management infrastructure encompassing all aspects of system support has been put in place.  This is to ensure that effective change control, audit, business continuity and security procedures etc. have been formulated, documented and put in place.

  • Interconnection Policy: A verification that adequate security and business continuity controls governing the connection to other systems, be they Telecommunications, Intranets, Extranets, Internet etc., have been put in place, have been fully documented and correspond to the stated customer requirements.

A normal compliance check will encompass some if not all of the types listed above.  I will mostly discuss the lockdown policies that can be applied (or have been applied) to the underlying operating system and applications.  There are a plethora of these about, some provided by vendors, some from other respective parties.  The ones listed below are just a sample of what is available online; there are many more.  They can be consulted as a reference and used as guidance by customers after you have performed a Compliance Check, but also possibly after a Vulnerability Assessment or Penetration Test, so that they can apply extra security measures to their enterprise to enhance its security.  With the ones quoted, I am just detailing generic security settings and recommendations that you could apply and audit against; there are also country-specific human relations and statutory regulations that you must also adhere to, which these guides do not cover.

 

National Security Agency

The NSA has made publicly available a number of lockdown guides in one of its many initiatives to enhance awareness of the security issues affecting today's operating systems, applications etc.  These guides I have found are generally easy to read and understand, and in most cases give you a step-by-step guide to implementation.

They can be found from here.

The NSA currently covers the following and has a number of archived security guides:

 

Applications

Database Servers

  • Oracle9i

  • Oracle 10g

  • Microsoft SQL Server

Operating Systems

  • Apple Mac OS X

  • Apple Server Operating Systems

  • Microsoft Windows NT

  • Microsoft Windows XP

  • Microsoft Windows 2000

  • Microsoft Windows Server 2003

  • Sun Solaris 8

  • Sun Solaris 9

Routers

Switches

VoIP and IP Telephony

Web Servers and Browsers

  • Microsoft IIS

  • Microsoft IE 5.5

  • Netscape

Wireless

 

The Australian Computer Emergency Response Team (AusCERT)

AusCERT and the CERT® Coordination Center (CERT/CC) have produced the UNIX Security Checklist v2.0, which details steps to be taken to improve the security of most Unix operating systems.  When carrying out compliance checks on most *nix systems I generally tend to quote from this lockdown and also the NSA guide when making recommendations to enhance system security.  This checklist was written in 2002; however, the majority of the issues still affect most variants of *nix seen out there in the wild.

This can be found here.

 

Microsoft

One cannot discuss the security of a Microsoft system without, of course, referring to the vendor directly for advice and assistance.  There are a number of built-in .inf security templates that ship today by default with all flavours of the operating system, and a number of others that can be obtained directly from Microsoft or from other noted third parties.  Active Directory and the application of policies make the use of such templates an easy way to lock down a host dynamically.  Microsoft have also released a number of security guides:
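As an added example (not from this page, nor Microsoft's own tooling), the script below audits a host's exported secedit-style .inf settings against a baseline .inf template in the way a compliance check is described above: every baseline setting that is missing or differs is reported as a finding.  Both .inf texts are constructed samples and the setting values are illustrative only.

```python
import configparser

# Constructed secedit-style .inf security template used as the baseline
# ("known criterion"); the values are illustrative, not a vendor template.
BASELINE_INF = """
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RequireSecuritySignature=4,1
"""

# Constructed export of a host's current state (the shape `secedit /export` gives).
CURRENT_INF = """
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
"""

AUDITED_SECTIONS = ("System Access", "Registry Values")

def parse_inf(text):
    """Parse the audited sections of a template into {section: {key: value}}."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep registry paths exactly as written (case-sensitive)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in AUDITED_SECTIONS if cp.has_section(s)}

def audit(baseline_text, current_text):
    """Return [(section, key, expected, actual)] for each baseline setting that is
    missing on the host (actual is None) or differs; an empty list means compliant."""
    baseline, current = parse_inf(baseline_text), parse_inf(current_text)
    findings = []
    for section, settings in baseline.items():
        for key, expected in settings.items():
            actual = current.get(section, {}).get(key)
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings

if __name__ == "__main__":
    for section, key, expected, actual in audit(BASELINE_INF, CURRENT_INF):
        print(f"NON-COMPLIANT [{section}] {key}: expected {expected!r}, found {actual!r}")
```

On a real host the CURRENT_INF text would be the output of a security configuration export and the baseline the template you are auditing against; the comparison is string-exact, so normalise values if a template encodes the same setting differently.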

 

Microsoft Windows 2000 Security Configuration Guide.

This provides guidance to allow for the secure installation and configuration of Win 2K in accordance with the Common Criteria Security Target (ST).  The ST provides a set of security requirements taken from the Common Criteria (CC) for Information Technology Security Evaluation.  It is available from here or for download from here.

Windows Server 2003 Security Guide.

This provides specific recommendations about how to harden computers that run MS Win 2003 SP1 in three distinct enterprise environments: Legacy Client (LC), including Windows NT 4.0 and Windows 98 clients; Enterprise Client (EC), in which Windows 2000 is the earliest version of the OS in use; and Specialized Security – Limited Functionality (SSLF) environments, where concern about security is so great that significant loss of client functionality and manageability is considered an acceptable trade-off to achieve maximum security.  It is available from here and for download from here.

Windows XP Security Guide.

This provides specific recommendations about how to harden computers that run Win XP SP2 in three distinct environments: Enterprise Client (EC), Stand-Alone and Specialized Security – Limited Functionality (SSLF).  It is available from here and can be downloaded from here.

The Threats and Countermeasures guide.

This provides a reference to all security settings that provide countermeasures for specific threats against current versions of the Windows operating systems, and should be read in conjunction with all the other guides.  It is available from here and can be downloaded from here.

Microsoft have been very verbose and detailed when writing these guides and have made great inroads in recent years to make security a very important part of their core business and customer perception.

 

CISSecurity.org

This site provides a number of guides, benchmarks and tools to check that specific lockdowns have been applied.  There are currently guides for:

Operating Systems:

Network Devices:

Applications:

 
