In order to encourage safer security practices for Windows 7 and Windows Server 2008, Center for internet Security (CIS) has released new consensus security configuration standards for these widely used operating systems that power both personal computers and business systems. The CIS benchmarks provide detailed how-to guidelines to ensure that the remote attack surface of the systems are reduced, sensitive activities are logged, and the overall security posture of the systems are sound.
The Center for Internet Security (CIS) announced the public release of its consensus security benchmarks for Microsoft Windows® 7 and Microsoft Windows Server®2008. The new benchmarks provide prescriptive controls guides for securely configuring these widely used operating systems that power both personal computers and business systems. The benchmarks are available as free downloads at http://www.cisecurity.org.
“Security configuration benchmarks for the Microsoft Windows platform continue to be in high demand by our community,” said Blake Frantz, chief technology officer for CIS. “The CIS benchmarks provide detailed how-to guidelines to ensure that the remote attack surface of the system is reduced, sensitive activities are logged, and the overall security posture of the system is sound.”
Windows 7 is Microsoft’s new operating system for desktop and mobile computers and has acquired approximately 10 percent of the desktop market share to date. Microsoft has reported that over 140
million licenses have been distributed. Windows Server 2008 is the Microsoft operating system most extensively used by enterprises for their IT services and business systems.
Joe McGinley, Information Security Director for SITA, a worldwide leader in air transport communications and information technology solutions, says “the Microsoft Windows 7 and Microsoft Windows Server 2008 benchmarks are additional examples of how CIS supports companies with adopting latest market ‘technology’ while maintaining a secure and robust environment. Having a sound foundation upon which to build a secure solution is absolutely critical and is a core requirement in the development process of airline solutions and product offerings from SITA.”
“SITA's objectives are aligned with widely accepted security standards, such as ISO 27002 and the Payment Card Industry (PCI). The CIS benchmarks help to meet basic requirements in each of these standards and are, in fact, called out by example as possible controls. The CIS benchmarks help to mitigate the exposure and impact of negative events that could affect the confidentiality, integrity, and availability of the company’s and customer’s data and information processing capabilities. Building secure solution and systems demonstrates to the Air Transport Industry (ATI) that protecting customer data is critical to SITA - and this is the reason for the company to leverage the CIS expertise and provided resources,” added McGinley.
The CIS benchmarks for Microsoft Windows 7 and Windows Server 2008 provide recommendations in 13 security categories including:
• Account Policies
• Audit Policy
• Detailed Audit Policy
• Event Log
• Windows Firewall
• Windows Update
• User Account Control (UAC)
• User Rights
• Security Options
• Terminal Services
• Internet Communication
• Additional Security Settings
• User Policies
The CIS Public-Private Collaboration Process
CIS benchmarks are developed through a consensus review process involving hundreds of volunteer subject matters experts. Consensus participants provide perspective form a diverse set of backgrounds including consulting, software development, audit and compliance, security research, security operations, government and legal.
By using the benchmarks, security professionals save tens of thousands of dollars in developing custom policies and avoid reinventing the wheel. Further, they enable compliance with the configuration requirements of standards such as PCI and ISO, and regulations such as FISMA, GLBA, HIPAA and Sarbanes-Oxley.
The Center for Internet Security (CIS) is a non-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions. CIS develops and distributes consensus-based benchmarks for secure configuration of operating systems, software applications and network devices. The consensus security configuration benchmarks are downloaded more than one million times a year, and are globally accepted as user-originated, de facto standards. More than 150 leading corporations, government entities, universities and security organizations are CIS members. For more information, visit http://www.cisecurity.org