This may be better answered by someone who works for the US Federal Government (which I don't). I can't say that I have built anything exclusively to any NIST standards but have found many of them to be extremely valuable. I have found the NIST guides to be a very valuable resource (some more than others). When building new systems I have found the following guides to be very useful (I usually take bits and pieces from each - and best of all, all are free):
NIST Guides
NSA Guides (this is a great place to start when looking for security guidance around Cisco routers and switches.)
CIS Benchmarks
Microsoft Security Guidelines (for Microsoft OSes and products, of course)

Tim, you may want to check out some of these. You did not say whether you were deploying IIS or Apache. You will find references for both from the resources listed. You can also find a lot of guides online. There are also several good books around Apache security. Unfortunately, I have not come across many good books dedicated to IIS security. You may want to check out the IIS Resource Kit from Microsoft Press.

Jody

_____
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Dickey
Sent: Friday, October 30, 2009 11:19 AM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] do you follow nist docs?

I don't want to usurp Tim's post, but with the mention of NIST, it brings up a question I've always had. Does anyone truly adhere to and build systems based off NIST docs? I'm not talking "inspired by" builds that take a handful of the settings and use them, but actually building to the specs such that you can say your build guide is NIST? This is a bit of a sanity check for me, as I'm skeptical. Don't get me wrong, I'm not dissing NIST! They make for great reading! (Usually.)
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
