Pau Lo
asked on
hardening policy and vulnerability management policy
By what names will systems/applications hardening and vulnerability management policies be referred to? Do you have such a policy at your companies, or do these areas fit into an overarching policy, are they referred to as something else, or do they fit into the same policy? Do you have a comprehensive list of what security areas are covered by policy? I assume patch management is a third, but I guess there will be lots?
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
Breadtan - does your company have a defined, documented and implemented policy around systems hardening? I.e. a piece of paper that says this is what the company has decided we do around this? Or is VA/PM/VM referenced in another policy?
ASKER
Or is it just done by IT, but no policy that says "thou must", just a case of "thou does"?
ASKER
I must confess I've seen documented patch management policies, but I've never seen a vulnerability management policy?
ASKER
This is an interesting comment:
"Remove All Unnecessary File Shares
Remove all unnecessary file shares on the system to prevent possible information disclosure and to prevent malicious users from using the shares as an entry to the local system."
That hints that even with access to just a share, it may be used to gain access to other resources on the server? Is that even possible?
SOLUTION
Simply said, these policies on the enterprise side are not a total lockdown of services like file shares. They are there to eliminate null shares, or shares that are accessible using simple credentials. There is definitely a defined policy at my IT department, but not to the extent of enforcing lockout of users if they do not meet certain health checks. The server has a segregated LAN, and vulnerability scanning is not in place as it is supposed to be. Minimally, patch mgmt is there, as the expertise to train on performing vulnerability scans will ideally come from internal experts of the audit department... too many variations and investments, personally, that I see; hence balancing and getting the CIO's key priority to build alignment on the outcome of the security posture for the enterprise is an ever-ongoing process of education.
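An added example, not from any post in this thread, of how a defender might audit a Windows server against the "remove unnecessary file shares / no null shares" items discussed above. It assumes the SmbShare module (Windows Server 2012 / Windows 8 and later) and the LanmanServer registry values named in the comments; the "broad principal" list is a constructed starting point, not a standard.

```powershell
# Added example: inventory non-administrative SMB shares, flag those that
# grant access to broad principals, and check the null-session settings.
# Run in an elevated PowerShell session on the server being reviewed.

function Get-ShareReviewReport {
    # Constructed list of principals that usually mean "anyone can read".
    $broadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'NT AUTHORITY\ANONYMOUS LOGON',
                         'Authenticated Users', 'BUILTIN\Users', 'Users')

    # $_.Special excludes the built-in C$, ADMIN$ and IPC$ shares.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        $access = Get-SmbShareAccess -Name $share.Name
        $broad  = $access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and ($broadPrincipals -contains $_.AccountName)
        }
        [pscustomobject]@{
            Share       = $share.Name
            Path        = $share.Path
            Description = $share.Description
            BroadAccess = ($broad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
            # Review if anyone-can-read, or nobody documented why the share exists.
            NeedsReview = ([bool]$broad) -or [string]::IsNullOrWhiteSpace($share.Description)
        }
    }
}

function Test-NullSessionSettings {
    # RestrictNullSessAccess=1 blocks anonymous (null-session) access to shares;
    # NullSessionShares lists shares explicitly exempted from that restriction.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $key
    if ($params.RestrictNullSessAccess -ne 1) {
        Write-Warning 'RestrictNullSessAccess is not 1: null-session access to shares may be allowed.'
    }
    if ($params.NullSessionShares) {
        Write-Warning ("Shares exempted for null sessions: " + ($params.NullSessionShares -join ', '))
    }
}

Get-ShareReviewReport | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
Test-NullSessionSettings
```

Shares that show up with NeedsReview set and no documented owner are the candidates the hardening item above asks you to justify or remove.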
SOLUTION
Just to add something more specific on security strategy planning for proactive and reactive response:
http://technet.microsoft.com/en-us/library/cc723491.aspx
Both patch and vulnerability mgmt are part of the security strategy policy, from enforcement through to response. The security lists SP 800-115 and SP 800-53A are worth checking out.