FIRST Best Practice Guide Library (BPGL)


Also maintained by FIRST: the FIRST Security Reference Index


It is a complicated, arduous, and time-consuming task for even experienced system administrators to know what a reasonable set of security settings is for any operating system. The FIRST Best Practice Guide Library therefore intends to assist FIRST team members and the public in general in configuring their systems securely by providing configuration templates and security guidelines.

This initiative also aims to recognize FIRST members' work and to promote it outside the FIRST community.

Note: The Best Practice Guides Library is based on documents and links submitted by FIRST members.

FIRST members are strongly encouraged to share their Best Practice guides or links to Web sites hosting Best Practice guides.



FIRST Members-only Guides

Restricted to FIRST Members and must not be redistributed outside of FIRST

  • Personal Digital Assistant (PDA) Security Configuration Guide
  • Red Hat LINUX Security Configuration Guide
  • Solaris 7 / 8 - Secure Configuration Guide
  • Windows 2000: Certificate Services Security Configuration Guide
  • Windows 2000 Internet Information Server 5.0 Security Configuration Guide
  • Windows 2000 Security Configuration Guide
  • Windows 2000: Terminal Services Security Configuration Guide


Existing Guides

  • Acceptable Use Policy Template

    Cisco Systems

    Gavin Reid (Cisco Systems), Devin Hilldale (Cisco Systems)


    This document is an Acceptable Use Policy that can be used as a template by organizations that are creating one. The purpose of this policy is to establish acceptable and unacceptable use of electronic devices and network resources, in keeping with the organization's established culture of ethical and lawful behavior, openness, trust, and integrity.


    http://www.first.org/resources/guides/aup_generic.doc

    Format: application/msword

    Last updated: November 03, 2006

    Size: 101 Kb


  • CERT-in-a-box

    GOVCERT.NL

    The projects 'CERT-in-a-Box' and 'Alerting service-in-a-Box' are an initiative of GOVCERT.NL to preserve the lessons learned from setting up GOVCERT.NL and 'De Waarschuwingsdienst', the Dutch national alerting service.
    The project aims to help others starting a CSIRT or alerting service by:

    • Getting them up to speed faster
    • Letting them benefit from GOVCERT.NL's experience without repeating the same mistakes


    http://www.first.org/resources/guides/cert-in-a-box.zip

    Format: application/zip

    Size: 8.42 Mb


    Note: also available for online navigation at http://www.first.org/resources/guides/cert-in-a-box/


  • Checking Microsoft Windows Systems for Signs of Compromise

    University College London, Oxford University, UKERNA

    Simon Baker (UCL Computer Security Team), Patrick Green (OxCERT), Thomas Meyer (JANET-CERT), Garaidh Cochrane (JANET-CERT)


    http://www.ucl.ac.uk/cert/win_intrusion.pdf

    Format: application/pdf


  • Checking UNIX/LINUX Systems for Signs of Compromise

    Oxford University, University College London

    Patrick Green (OxCERT), Simon Baker (UCL Computer Security Team)


    One of the main aims of this document is to address the lack of documentation concerning concrete actions to be taken when dealing with a compromised *nix system. The document will try to be as generic as possible, so you may find tools for specific platforms are better suited. A secondary goal is an explanation of methods of examining this information via tools. Utilizing these tools we can then:

    • investigate the system
    • find the points of entry and type of compromise
    • identify areas for further investigation and issues for attention


    http://www.ucl.ac.uk/cert/nix_intrusion.pdf

    Format: application/pdf


  • CSIRT Case Classification (Example for enterprise CSIRT)

    Gavin Reid (Cisco Systems), Dustin Schieber, Ivo Peixinho (CAIS/RNP)


    It is critical that the CSIRT provide consistent and timely response to the customer, and that sensitive information is handled properly. This document provides the guidelines needed for CSIRT Incident Managers (IMs) to classify the case category, criticality level, and sensitivity level for each CSIRT case. This information will be entered into the Incident Tracking System (ITS) when a case is created. Consistent case classification is required for the CSIRT to provide accurate reporting to management on a regular basis. In addition, the classifications will provide CSIRT IMs with proper case handling procedures and will form the basis of SLAs between the CSIRT and other company departments.


    http://www.first.org/resources/guides/csirt_case_classification.html

    Format: text/html

    Last updated: November 17, 2004


  • CSIRT Setting up Guide

    European Network and Information Security Agency (ENISA)

    The document at hand describes the process of setting up a Computer Security and Incident Response Team (CSIRT) from all relevant perspectives: business management, process management and technical. This document implements two of the deliverables described in ENISA's Working Programme 2006, chapter 5.1:

    • This document: Written report on step-by-step approach on how to set up a CERT or similar facilities, including examples. (CERT-D1)
    • Chapter 12 and external files: Excerpt of roadmap in itemised form allowing an easy application of the roadmap in practice. (CERT-D2)


    http://www.enisa.europa.eu/cert_guide/


  • CVSS based patch policy for enterprise (example)

    Cisco Systems Inc.

    http://www.first.org/cvss/cvss-based-patch-policy.pdf

    Format: application/pdf

    Size: 13 Kb


  • Guide to Tunneling Windows NT VNC traffic with SSH2

    Gavin Reid (Cisco Systems)


    VNC is a GUI remote access program that allows full console access. It has clients and servers covering many different architectures. VNC alone has some inherent security issues: all communication is in plain text and the authentication scheme is very weak. However, by tunneling VNC over SSH we can fix both of these problems. SSH will encrypt all information over the wire and use NT's authentication, which is much stronger than VNC's. The following document outlines the steps required to do this.


    http://www.first.org/resources/guides/vnc_ssh.zip

    Format: application/zip

    Last updated: December, 2001

    Size: 1.09 Mb


    Note: It is important to follow the steps exactly, as leaving out one part can have you incorrectly using straight VNC with all of its accompanying security risks.


  • IIS and NTS 4.0 Hardening Guide

    Gavin Reid (Cisco Systems)


    This document aims to provide minimum security requirements to system administrators to install, set up, configure and harden a Windows NT server running an IIS server. It is applicable ONLY to NTS 4.0 running IIS 4.0. If any other application is running on the server to support its function (e.g., Cold Fusion), then that application must also be secured. Registry edit instructions are also included, as well as special hardening instructions for securing permissions, firewall access control lists, and SSHD.


    http://www.first.org/resources/guides/nt40.zip

    Format: application/zip

    Last updated: July, 2001

    Size: 1.08 Mb


    Note: This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN (e.g., file servers), as it removes several of the services that NT uses for default functionality. The steps in this guide should be performed on new installations only, to avoid unpredictable results.


  • Online Forensics of Win32 System Guide

    Gavin Reid (Cisco Systems)


    The following document outlines how to collect volatile data from a live system before that evidence is lost.


    http://www.first.org/resources/guides/ofw32.zip

    Format: application/zip

    Last updated: January, 2004

    Size: 1.36 Mb


    Note: Do not redistribute without approval from gavreid@cisco.com. Copyright 1992 - 2004 Cisco Systems, Inc.


  • Secure BGP Template

    Cymru Team

    Rob Thomas


    A secure BGP configuration template for use with Cisco routers.


    http://www.cymru.com/Documents/secure-bgp-template.html

    Format: text/html

    Last updated: August, 2004


  • Secure BIND Template

    Cymru Team

    Rob Thomas


    A secure BIND configuration and topology to help defend against BIND attacks.


    http://www.cymru.com/Documents/secure-bind-template.html

    Format: text/html

    Last updated: August, 2004


  • Secure IOS Configuration Template

    Cymru Team

    Rob Thomas


    A secure IOS configuration template for use with Cisco routers.


    http://www.cymru.com/Documents/secure-ios-template.html

    Format: text/html

    Last updated: August, 2004


  • SSH Public Key Configuration Windows NT/2000/XP Guide

    Gavin Reid (Cisco Systems)


    This document outlines how to configure the SSH client and daemon for NT/W2K/XP to accept public key authentication. This was done with server version SSHServerSetup312.exe. This document uses version 3.2 of the client and server software from SSH.COM.


    http://www.first.org/resources/guides/pki_ssh_w2k.zip

    Format: application/zip

    Last updated: August, 2002

    Size: 646 Kb


  • Windows 2000 / IIS 5.0 DMZ Hardening Guide

    Gavin Reid (Cisco Systems), Jay Ward


    This guide was written to help system administrators and security personnel secure their IIS 5.0 servers running on Windows 2000.


    http://www.first.org/resources/guides/w2k.zip

    Format: application/zip

    Last updated: October 08, 2004

    Size: 1.47 Mb


    Note: This guide was written for servers sitting in a DMZ only. You should not apply this guide to Domain Controllers, File Servers, Exchange Servers or any other server in your internal network, as it WILL break them.


  • Windows 2003 / IIS 6.0 DMZ Hardening Guidelines

    Jay Ward


    This document aims to provide minimum security requirements to system administrators and users in order to harden a Windows 2003 system running IIS 6.0 for DMZ deployment.


    http://www.first.org/resources/guides/w2k3.zip

    Format: application/zip

    Last updated: October 15, 2004

    Size: 1.37 Mb


    Note: This document is applicable ONLY to Microsoft Server 2003 running IIS 6.0. If any other application is running on the server to support its function (e.g., Cold Fusion), then that application must also be secured. The steps in this guide should be performed on new installations only, to avoid unpredictable results. This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN (e.g., file servers), as it removes several of the services that NT uses for default functionality.



Acknowledgements

FIRST gratefully acknowledges the moderators of the "best practices" page, Ian Cook & Gavin Reid, and all authors and maintainers involved.