Security Library

FIRST Best Practice Guide Library (BPGL)

Also maintained by FIRST: the FIRST Security Reference Index

Knowing what a reasonable set of security settings is for a given operating system is a complicated, arduous and time-consuming task even for experienced system administrators. The FIRST Best Practice Guide Library therefore aims to help FIRST Team Members, and the public in general, configure their systems securely by providing configuration templates and security guidelines.

This initiative also aims to recognise FIRST members' work and to promote it outside the FIRST community.

Note: The Best Practice Guides Library is based on documents and links submitted by FIRST members.

FIRST members are strongly encouraged to share their Best Practice guides or links to Web sites hosting Best Practice guides.


FIRST Members-only Guides

Restricted to FIRST Members and must not be redistributed outside of FIRST

  • Personal Digital Assistant (PDA) Security Configuration Guide
  • Red Hat Linux Security Configuration Guide
  • Solaris 7 / 8 - Secure Configuration Guide
  • Windows 2000 Internet Information Server 5.0 Security Configuration Guide
  • Windows 2000 Security Configuration Guide
  • Windows 2000: Certificate Services Security Configuration Guide
  • Windows 2000: Terminal Services Security Configuration Guide

Existing Guides

Acceptable Use Policy Template

Cisco Systems

Gavin Reid (Cisco Systems), Devin Hilldale (Cisco Systems)

This document is an Acceptable Use Policy that organizations creating their own can use as a template. The purpose of the policy is to establish acceptable and unacceptable use of electronic devices and network resources, in keeping with the organization's established culture of ethical and lawful behaviour, openness, trust and integrity.

aup_generic.doc
Format: application/msword
Last updated: November 03, 2006
Size: 101 KB

CERT-in-a-box

NCSC-NL (National Cyber Security Centre of The Netherlands)

The 'CERT-in-a-Box' and 'Alerting Service-in-a-Box' projects are an initiative of GOVCERT.NL/NCSC to preserve the lessons learned from setting up GOVCERT.NL and 'De Waarschuwingsdienst', the Dutch national alerting service.

The project aims to help others starting a CSIRT or alerting service by:

  • getting them up to speed faster;
  • letting them benefit from that experience without repeating the same mistakes.

cert-in-a-box.zip
Format: application/zip
Size: 8.42 MB

CSIRT Case Classification (Example for enterprise CSIRT)

Gavin Reid (Cisco Systems), Dustin Schieber, Ivo Peixinho (CAIS/RNP)

It is critical that the CSIRT provides a consistent and timely response to the customer and handles sensitive information properly. This document provides the guidelines CSIRT Incident Managers (IMs) need in order to classify the case category, criticality level and sensitivity level of each CSIRT case. This information is entered into the Incident Tracking System (ITS) when a case is created. Consistent case classification is required for the CSIRT to report accurately to management on a regular basis. In addition, the classifications give CSIRT IMs the proper case-handling procedures and form the basis of SLAs between the CSIRT and other company departments.

csirt_case_classification.html
Format: text/html
Last updated: November 17, 2004

CSIRT Setting up Guide

European Network and Information Security Agency (ENISA)

This document describes the process of setting up a Computer Security Incident Response Team (CSIRT) from all relevant perspectives: business management, process management and the technical perspective. It implements two of the deliverables described in chapter 5.1 of ENISA's Work Programme 2006:

  • This document: a written, step-by-step report on how to set up a CERT or similar facility, including examples (CERT-D1).
  • Chapter 12 and the external files: an itemised excerpt of the roadmap that allows it to be applied easily in practice (CERT-D2).

http://www.enisa.europa.eu/cert_guide/

CVSS based patch policy for enterprise (example)

Cisco Systems Inc.

cvss-based-patch-policy.pdf
Format: application/pdf
Size: 13 KB

Checking Microsoft Windows Systems for Signs of Compromise

University College London, Oxford University, UKERNA

Simon Baker (UCL Computer Security Team), Patrick Green (OxCERT), Thomas Meyer (JANET-CERT), Garaidh Cochrane (JANET-CERT)

http://www.ucl.ac.uk/cert/win_intrusion.pdf
Format: application/pdf

Checking UNIX/LINUX Systems for Signs of Compromise

Oxford University, University College London

Patrick Green (OxCERT), Simon Baker (UCL Computer Security Team)

One of the main aims of this document is to address the lack of documentation on the concrete actions to take when dealing with a compromised *nix system. The document tries to be as generic as possible, so you may find that tools specific to your platform are better suited.

A secondary goal is to explain how to examine a system with such tools. Using them we can then:

  • investigate the system;
  • find the points of entry and type of compromise;
  • identify areas for further investigation and issues for attention.

http://www.ucl.ac.uk/cert/nix_intrusion.pdf
Format: application/pdf

Cloud Computing

CPNI - Centre for the Protection of National Infrastructure

http://www.cpni.gov.uk/Docs/cloud-computing-briefing.pdf
Format: application/pdf

Guide to Tunneling Windows NT VNC traffic with SSH2

Gavin Reid (Cisco Systems)

VNC is a GUI remote access program that gives full console access, with clients and servers for many different architectures. VNC on its own has inherent security problems: all communication is in plain text and the authentication scheme is very weak. Tunnelling VNC over SSH fixes both: SSH encrypts everything on the wire and uses NT's authentication, which is much stronger than VNC's. The following document outlines the steps required to do this.

vnc_ssh.zip
Format: application/zip
Last updated: December, 2001
Size: 1.09 MB

Note: It is important to follow the steps exactly; leaving out one part can leave you using plain VNC with all of its accompanying security risks.

IIS and NTS 4.0 Hardening Guide

Gavin Reid (Cisco Systems)

This document aims to provide minimum security requirements for system administrators who install, set up, configure and harden a Windows NT server running IIS. It is applicable ONLY to NTS 4.0 running IIS 4.0. If any other application runs on the server to support its function (e.g., Cold Fusion), that application must also be secured. Registry edit instructions are included, as well as specific hardening instructions for securing permissions, firewall access control lists and SSHD.

nt40.zip
Format: application/zip
Last updated: July, 2001
Size: 1.08 MB

Note: This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN (e.g., file servers), as it removes several of the services that NT relies on for default functionality. The steps in this guide should be performed on new installations only, to avoid unpredictable results.

Online Forensics of Win32 System Guide

Gavin Reid (Cisco Systems)

The following document outlines how to capture volatile data from a live system before that evidence is lost.

ofw32.zip
Format: application/zip
Last updated: January, 2004
Size: 1.36 MB

Note: Do not redistribute without approval from gavreid@cisco.com. Copyright 1992-2004 Cisco Systems, Inc.

SSH Public Key Configuration Windows NT/2000/XP Guide

Gavin Reid (Cisco Systems)

This document outlines how to configure the SSH client and daemon on NT/W2K/XP to accept public key authentication. It was written against the server installer SSHServerSetup312.exe, i.e. version 3.2 of the client and server software from SSH.COM.

pki_ssh_w2k.zip
Format: application/zip
Last updated: August, 2002
Size: 646 KB
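The two SSH guides above (VNC tunnelled over SSH, and SSH public key authentication) describe a setup for SSH.COM 3.2 on Windows NT. The following is an added example, not code from either guide, from Gavin Reid or from FIRST, that expresses the same two ideas with OpenSSH, which is what a practitioner would use today, and generalises them slightly: the key is restricted so that it can do nothing except open the one forward VNC needs, the client refuses to connect at all if the forward cannot be set up (the "plain VNC by accident" trap the first guide warns about), and the VNC listener is checked to be bound to loopback only so it is unreachable without the tunnel. The host name, port numbers, sshd_config lines and socket listings are all constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of the FIRST library or the SSH.COM-based guides it
# indexes. Assumed (hypothetical): the remote VNC server listens on
# 127.0.0.1:5900 only, and the SSH host name is passed in as an argument.

# ssh command that forwards local 127.0.0.1:5901 to the remote VNC port.
#   -N                          : open no remote shell, just hold the tunnel
#   -o ExitOnForwardFailure=yes : abort instead of connecting without the
#                                 forward, which is how users end up on plain VNC
vnc_tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:5901:127.0.0.1:5900 %s\n' "$1"
}

# authorized_keys options for a key that may do nothing except reach VNC:
# "restrict" switches every feature off, then only forwarding to 5900 is re-enabled.
vnc_only_key_options() {
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:5900"\n'
}

# Takes sshd_config text on $1; succeeds only if public keys are accepted and
# passwords are refused, so a guessed VNC password is useless against sshd too.
# Commented-out directives ("#PasswordAuthentication yes") are ignored.
sshd_config_ok() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "pubkeyauthentication"   { pk = tolower($2) }
        tolower($1) == "passwordauthentication" { pw = tolower($2) }
        END { exit !(pk == "yes" && pw == "no") }'
}

# Takes "ss -ltn" style output on $1 and prints every VNC listener that is not
# bound to loopback, i.e. reachable without the tunnel. Empty output is good.
vnc_exposed_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 ~ /:5900$/ && $4 !~ /^127\.0\.0\.1:/ { print $4 }'
}

# --- demonstration on constructed input (no network access needed) ---------
SAMPLE_SSHD_CONFIG='PubkeyAuthentication yes
PasswordAuthentication no
#PasswordAuthentication yes'

SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5900     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

BAD_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:5900       0.0.0.0:*'

echo "Client side: $(vnc_tunnel_cmd nt-server.example)"
echo "Then point the VNC viewer at 127.0.0.1:5901, never at nt-server.example:5900."
echo "Server side: authorized_keys line = $(vnc_only_key_options) ssh-ed25519 <pubkey> user@client"
sshd_config_ok "$SAMPLE_SSHD_CONFIG" && echo "sshd_config: key auth on, password auth off"
[ -z "$(vnc_exposed_listeners "$SAMPLE_LISTENERS")" ] && echo "VNC listens on loopback only"
[ -n "$(vnc_exposed_listeners "$BAD_LISTENERS")" ] && echo "WARNING: VNC exposed on $(vnc_exposed_listeners "$BAD_LISTENERS")"
```

The check on the listener table is the part that keeps the first guide's warning honest: if the VNC server is bound to 0.0.0.0, a viewer pointed at the wrong address still works, silently without encryption, and nothing in the tunnel setup itself will tell you.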

Secure BGP Template

Cymru Team

Rob Thomas

A secure BGP configuration template for use with Cisco routers

http://www.cymru.com/Documents/secure-bgp-template.html
Format: text/html
Last updated: August, 2004

Secure BIND Template

Cymru Team

Rob Thomas

A secure BIND configuration and topology to help defend against BIND attacks

http://www.cymru.com/Documents/secure-bind-template.html
Format: text/html
Last updated: August, 2004

Secure IOS Configuration Template

Cymru Team

Rob Thomas

A secure IOS configuration template for use with Cisco routers.

http://www.cymru.com/Documents/secure-ios-template.html
Format: text/html
Last updated: August, 2004

Windows 2000 / IIS 5.0 DMZ Hardening Guide

Gavin Reid (Cisco Systems), Jay Ward

This guide was written to help System Administrators and Security personnel secure their IIS 5.0 servers running on Windows 2000.

w2k.zip
Format: application/zip
Last updated: October 08, 2004
Size: 1.47 MB

Note: This guide was written for servers sitting in a DMZ only. You should not apply this guide to Domain Controllers, File Servers, Exchange Servers or any other server in your internal network as it WILL break it.

Windows 2003 / IIS 6.0 DMZ Hardening Guidelines

Jay Ward

This document aims to provide minimum security requirements to system administrators and users in order to harden a Windows 2003 system running IIS 6.0 for DMZ deployment.

w2k3.zip
Format: application/zip
Last updated: October 15, 2004
Size: 1.37 MB

Note: This document is applicable ONLY to Windows Server 2003 running IIS 6.0. If any other application runs on the server to support its function (e.g., Cold Fusion), that application must also be secured. The steps in this guide should be performed on new installations only, to avoid unpredictable results. This hardening procedure should NOT be used on general-purpose Windows servers on an internal LAN (e.g., file servers), as it removes several of the services that Windows relies on for default functionality.

Acknowledgements

FIRST gratefully acknowledges the moderators of the "best practices" page, Ian Cook & Gavin Reid, and all authors and maintainers involved.