FIRST Best Practice Guide Library (BPGL)
Also maintained by FIRST: the FIRST Security Reference Index
It is a complicated, arduous, and time-consuming task for even experienced system administrators to know what a reasonable set of security settings is for any operating system. Thus, the FIRST Best Practice Guide Library intends to assist FIRST Team Members and the public in general in configuring their systems securely by providing configuration templates and security guidelines.
This initiative also aims at recognizing FIRST members' work and promoting it outside the FIRST community.
Note: The Best Practice Guides Library is based on documents and links submitted by FIRST members.
FIRST members are strongly encouraged to share their Best Practice guides or links to Web sites hosting Best Practice guides.
Public Guides
Must not be copied or distributed without prior consent of FIRST
- Acceptable Use Policy Template
- CERT-in-a-box
- Checking Microsoft Windows Systems for Signs of Compromise
- Checking UNIX/LINUX Systems for Signs of Compromise
- CSIRT Case Classification (Example for enterprise CSIRT)
- CSIRT Setting up Guide
- CVSS based patch policy for enterprise (example)
- Guide to Tunneling Windows NT VNC traffic with SSH2
- IIS and NTS 4.0 Hardening Guide
- Online Forensics of Win32 System Guide
- Secure BGP Template
- Secure BIND Template
- Secure IOS Configuration Template
- SSH Public Key Configuration Windows NT/2000/XP Guide
- Windows 2000 / IIS 5.0 DMZ Hardening Guide
- Windows 2003 / IIS 6.0 DMZ Hardening Guidelines
FIRST Members-only Guides
Restricted to FIRST Members and must not be redistributed outside of FIRST
- Personal Digital Assistant (PDA) Security Configuration Guide
- Red Hat LINUX Security Configuration Guide
- Solaris 7 / 8 - Secure Configuration Guide
- Windows 2000: Certificate Services Security Configuration Guide
- Windows 2000 Internet Information Server 5.0 Security Configuration Guide
- Windows 2000 Security Configuration Guide
- Windows 2000: Terminal Services Security Configuration Guide
Existing Guides
Acceptable Use Policy Template
Cisco Systems
Gavin Reid (Cisco Systems), Devin Hilldale (Cisco Systems)
This document is an Acceptable Use Policy that can be used as template for organizations that are creating one. The purpose of this policy is to establish acceptable and unacceptable use of electronic devices and network resources in conjunction with its established culture of ethical and lawful behavior, openness, trust, and integrity.
http://www.first.org/resources/guides/aup_generic.doc
Format: application/msword
Last updated: November 03, 2006
Size: 101 Kb
CERT-in-a-box
GOVCERT.NL
The project 'CERT-in-a-Box' and 'Alerting service-in-a-Box' is an initiative of GOVCERT.NL to preserve the lessons learned from setting up GOVCERT.NL and 'De Waarschuwingsdienst', the Dutch national Alerting service.
The project aim is to help others starting a CSIRT or Alerting Service by:
- Getting them up to speed faster
- Taking the benefits and not making the same mistakes
http://www.first.org/resources/guides/cert-in-a-box.zip
Format: application/zip
Size: 8.42 Mb
Note: also available for online navigation at http://www.first.org/resources/guides/cert-in-a-box/
Checking Microsoft Windows Systems for Signs of Compromise
University College London, Oxford University, UKERNA
Simon Baker (UCL Computer Security Team), Patrick Green (OxCERT), Thomas Meyer (JANET-CERT), Garaidh Cochrane (JANET-CERT)
http://www.ucl.ac.uk/cert/win_intrusion.pdf
Format: application/pdf
Checking UNIX/LINUX Systems for Signs of Compromise
Oxford University, University College London
Patrick Green (OxCERT), Simon Baker (UCL Computer Security Team)
One of the main aims of this document is to address the lack of documentation concerning concrete actions to be taken when dealing with a compromised *nix system. The document will try to be as generic as possible, so you may find tools for specific platforms are better suited. A secondary goal is an explanation of methods of examining this information via tools. Utilizing these tools we can then:
- investigate the system
- find the points of entry and type of compromise
- identify areas for further investigation and issues for attention
http://www.ucl.ac.uk/cert/nix_intrusion.pdf
Format: application/pdf
CSIRT Case Classification (Example for enterprise CSIRT)
Gavin Reid (Cisco Systems), Dustin Schieber, Ivo Peixinho (CAIS/RNP)
It is critical that the CSIRT provide consistent and timely response to the customer, and that sensitive information is handled properly. This document provides the guidelines needed for CSIRT Incident Managers (IM) to classify the case category, criticality level, and sensitivity level for each CSIRT case. This information will be entered into the Incident Tracking System (ITS) when a case is created. Consistent case classification is required for the CSIRT to provide accurate reporting to management on a regular basis. In addition, the classifications will provide CSIRT IMs with proper case handling procedures and will form the basis of SLAs between the CSIRT and other Company departments.
http://www.first.org/resources/guides/csirt_case_classification.html
Format: text/html
Last updated: November 17, 2004
CSIRT Setting up Guide
European Network and Information Security Agency (ENISA)
The document at hand describes the process of setting up a Computer Security and Incident Response Team (CSIRT) from all relevant perspectives: business management, process management and the technical perspective. This document implements two of the deliverables described in ENISA's Working Programme 2006, chapter 5.1:
- This document: Written report on step-by-step approach on how to set up a CERT or similar facilities, including examples. (CERT-D1)
- Chapter 12 and external files: Excerpt of roadmap in itemised form allowing an easy application of the roadmap in practice. (CERT-D2)
http://www.enisa.europa.eu/cert_guide/
CVSS based patch policy for enterprise (example)
Cisco Systems Inc.
http://www.first.org/cvss/cvss-based-patch-policy.pdf
Format: application/pdf
Size: 13 Kb
Guide to Tunneling Windows NT VNC traffic with SSH2
Gavin Reid (Cisco Systems)
VNC is a GUI remote access program that allows full console access. It has clients and servers covering many different architectures. VNC alone has some inherent security issues: all communication is in plain text and the authentication scheme is very weak. However, by tunneling VNC over SSH we will fix both of these problems. SSH will encrypt all information over the wire and use NT's authentication, which is much stronger than VNC's. The following document outlines the steps required to do this.
http://www.first.org/resources/guides/vnc_ssh.zip
Format: application/zip
Last updated: December, 2001
Size: 1.09 Mb
Note: It is important to follow the steps exactly, as leaving out one part can have you incorrectly using straight VNC with all of its accompanying security risks.
IIS and NTS 4.0 Hardening Guide
Gavin Reid (Cisco Systems)
This document aims to provide minimum security requirements to system administrators to install, set up, configure and harden a Windows NT server running an IIS server. It is applicable ONLY to NTS 4.0 running IIS 4.0. If any other application is running on the server to support its function (e.g., Cold Fusion), then that application must also be secured. Registry edit instructions are also included, as well as special hardening instructions for Securing Permissions, Firewall Access Control Lists, and SSHD.
http://www.first.org/resources/guides/nt40.zip
Format: application/zip
Last updated: July, 2001
Size: 1.08 Mb
Note: This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN (e.g., file servers), as it removes several of the services that NT uses for default functionality. The steps in this guide should be performed on new installations only to avoid unpredictable results.
Online Forensics of Win32 System Guide
Gavin Reid (Cisco Systems)
The following document will attempt to outline how to take volatile data from a live system before evidence is possibly lost.
http://www.first.org/resources/guides/ofw32.zip
Format: application/zip
Last updated: January, 2004
Size: 1.36 Mb
Note: Do not redistribute without approval from gavreid@cisco.com. Copyright 1992 - 2004 Cisco Systems, Inc.
Secure BGP Template
Cymru Team
Rob Thomas
A secure BGP configuration template for use with Cisco routers
http://www.cymru.com/Documents/secure-bgp-template.html
Format: text/html
Last updated: August, 2004
Secure BIND Template
Cymru Team
Rob Thomas
A secure BIND configuration and topology to help defend against BIND attacks
http://www.cymru.com/Documents/secure-bind-template.html
Format: text/html
Last updated: August, 2004
Secure IOS Configuration Template
Cymru Team
Rob Thomas
A secure IOS configuration template for use with Cisco routers.
http://www.cymru.com/Documents/secure-ios-template.html
Format: text/html
Last updated: August, 2004
SSH Public Key Configuration Windows NT/2000/XP Guide
Gavin Reid (Cisco Systems)
This document outlines how to configure the SSH client & daemon for NT/W2K/XP to accept public key authentication. This was done on server version SSHServerSetup312.exe. This document uses version 3.2 of the client and server software from SSH.COM.
http://www.first.org/resources/guides/pki_ssh_w2k.zip
Format: application/zip
Last updated: August, 2002
Size: 646 Kb
Windows 2000 / IIS 5.0 DMZ Hardening Guide
Gavin Reid (Cisco Systems), Jay Ward
This guide was written to help System Administrators and Security personnel secure their IIS 5.0 servers running on Windows 2000.
http://www.first.org/resources/guides/w2k.zip
Format: application/zip
Last updated: October 08, 2004
Size: 1.47 Mb
Note: This guide was written for servers sitting in a DMZ only. You should not apply this guide to Domain Controllers, File Servers, Exchange Servers or any other server in your internal network as it WILL break it.
Windows 2003 / IIS 6.0 DMZ Hardening Guidelines
Jay Ward
This document aims to provide minimum security requirements to system administrators and users in order to harden a Windows 2003 system running IIS 6.0 for DMZ deployment.
http://www.first.org/resources/guides/w2k3.zip
Format: application/zip
Last updated: October 15, 2004
Size: 1.37 Mb
Note: This document is applicable ONLY to Microsoft Server 2003 running IIS 6.0. If any other application is running on the server to support its function (e.g., Cold Fusion), then that application must also be secured. The steps in this guide should be performed on new installations only to avoid unpredictable results. This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN (e.g., file servers), as it removes several of the services that NT uses for default functionality.
Acknowledgements
FIRST gratefully acknowledges the moderators of the "best practices" page, Ian Cook & Gavin Reid, and all authors and maintainers involved.