What is compliance testing? Its basically an audit of a system
carried out against a known criterion. A compliance test may come
in many different forms dependant on the request received but basically
ca be broken down into several different types:
Operating Systems and
Applications: A verification that an operating system and/or
applications are configured appropriately to the companies needs and
lockdown requirements, thus providing adequate and robust controls
to ensure that the Confidentiality, Integrity and Availability of the
system will not be affected in its normal day to day operation.
Management of IT and
Enterprise Architecture: A verification that the in-place IT
management infrastructure encompassing all aspects of system support
has been put in place. This is to ensure effective change
control, audit, business continuity and security procedures etc. have
been formulated, documented and put in place.
A verification that adequate security and business
continuity controls governing the connection to other systems, be they
Telecommunications, Intranets, Extranets and Internet etc. have been
put in place, have been fully documented and correspond to the stated
A normal compliance check will encompass some if not all of the types
listed above. I will mostly discuss the lockdown policies that can
be applied, (or have been applied), to the underlying operating system and applications.
There are a plethora of these about, some provided by vendors, some from
other respective parties. The ones listed below are just a sample
of what is available online, there are many more. They could be
consulted as a reference
and used as guidance by customers when you have performed
a Compliance Check but also possibly after a Vulnerability Assessment or
Penetration Test so that they can apply extra security measures to their
enterprise to enhance its security. With the ones quotes, I am
just detailing generic Security settings and recommendations that you
could apply and audit against, their are also country specific
human relations and statutory regulations that you also must adhere to
which these guides do not cover.
National Security Agency
The NSA has made
publicly available a number of lockdown guides in one of its many
initiatives to enhance awareness of the security issues effecting
today's operating systems, applications etc. These guides I have found
are generally easy to read, understand and in most cases give you a
step-by-step guide to implement.
They can be found from
The NSA currently covers the following and has a number of archived
Microsoft SQL Server
VoIP and IP Telephony
Web Servers and Browsers
Microsoft IE 5.5
The Australian Computer Emergency Response Team (AusCERT)
The AusCERT and the CERT®
Coordination Center (CERT/CC) have produced the UNIX Security Checklist v2.0
which details steps to be taken to
improve the security of most Unix Operating Systems. When carrying out
compliance checks on most *nix systems I generally tend to quote from
this lockdown and also the NSA guide when making recommendations to
enhance system security. This check sheet was written in 2002,
however, the majority of issues still affect most variants of *nix seen
out there in the wild.
This can be found
One cannot discuss the
security of a Microsoft system , without of course referring to the
vendor directly for advice and assistance. There are a number of
in-built inf security templates that ship today by default with all
flavours of the Operating System and a number of others that can be
obtained directly from Microsoft or from other noted third parties.
Active Directory and the application of policies make the use of such
templates an easy way to dynamically lock down a host. Microsoft
have released a number of security guides also:
Microsoft Windows 2000 Security Configuration Guide.
provides guidance to allow for the secure installation and configuration
of Win 2K in accordance with the Common Criteria Security Target (ST).
This provides a set of security requirements taken from the Common
Criteria (CC) for Information Technology Security Evaluation. It
is available from
here or for download from
Windows Server 2003 Security Guide.
This provides specific
recommendations about how to harden computers that run MS Win 2003 SP1
in three distinct enterprise environments— Legacy Client (LC) including
Windows NT 4.0 and Windows 98 clients, Enterprise Client (EC) in which
Windows 2000 is the earliest version of the os in use, and Specialized
Security – Limited Functionality (SSLF) environments where concern about
security is so great that significant loss of client functionality and
manageability is considered an acceptable trade-off to achieve maximum
security. It is available from
here and for download from
This provides specific recommendations about how to harden computers
that run Win XP SP2 in three distinct environments; Enterprise Client
(EC), Stand-Alone and Specialized Security – Limited Functionality.
It is available
here and can be downloaded from
Threats and Countermeasures guide.
This provides a reference to
all security settings that provide countermeasures for specific threats
against current versions of the Windows operating systems and should be
read in conjunction with all other guides. It is available from
here and can be downloaded from
Microsoft have been
very verbose and detailed when writing these guides and have made great
in roads in current years to make security a very important part of
their core business and customer perception.
This site provides a
number of guides, bench marks and tools to check that specific lockdowns
have been applied. There are currently guides for: