Center for Internet Security Benchmarks

Document Date: March 9, 2006

    Background of the CIS Benchmarks

    The Center for Internet Security is the only distributor of consensus best-practice standards for security configurations. The benchmarks enumerate security configuration settings and actions that "harden" your systems. They are unique because consensus among hundreds of security professionals worldwide has defined these particular configurations. These benchmarks are widely accepted by U.S. government agencies for FISMA compliance and by auditors for compliance with the ISO standard as well as GLB, SOx, HIPAA, FERPA and the other regulatory requirements for information security.

    A large group of user organizations, information security professionals, auditors and software vendors have defined consensus technical control specifications that represent a prudent level of due care and best-practice security configurations for computers connected to the Internet.

    The benchmarks should be used as a check on currently running systems and as a standard when configuring security settings for new systems. The scoring tool should be run on currently running systems to determine their level of compliance with the benchmark, but it should be used with care on production systems. The scoring tool should also be run on new systems to confirm that the benchmark configurations have been set.

    CIS Level-I Benchmarks – the prudent level of minimum due care

    Level-I Benchmark settings/actions meet the following criteria.

    1. System administrators with any level of security knowledge and experience can understand and perform the specified actions.
    2. The action is unlikely to cause an interruption of service to the operating system or the applications that run on it.
    3. The actions can be automatically monitored, and the configuration verified, by Scoring Tools that are available from the Center or by CIS-certified Scoring Tools.

    Many organizations running the CIS scoring tools report that compliance with a CIS "Level-1" benchmark produces substantial improvement in security for their systems connected to the Internet.

    CIS Level-II Benchmarks – prudent security beyond the minimum level.

    Level-II security configurations vary depending on network architecture and server function. These are of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments.

    The Windows XP Professional and Windows Server 2003 Benchmarks: These benchmarks contain multiple "levels" within one document. The levels are:

    • Legacy: Settings in this level are designed for XP Professional/2003 Server systems that need to operate with older systems such as Windows NT, or in environments where older third-party applications are required. The settings will not affect the function or performance of the operating system or of applications that are running on the system.
    • Enterprise Standalone: Settings in this level are designed for XP Professional/Server 2003 systems operating in a managed environment where interoperability with legacy systems is not required. It assumes that all operating systems within the enterprise are Windows 2000 or later and are therefore able to use all possible security features available within those systems. In such environments, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact on software applications when applying these recommended XP Professional technical controls.
    • Enterprise Mobile: These settings are nearly identical to the Enterprise Standalone settings, but with modifications appropriate for mobile users whose systems must operate both on and away from the corporate network. In environments where all systems are Windows 2000 or later, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact to software applications when applying these recommended XP Professional technical controls.
    • Specialized Security - Limited Functionality: Settings in this level are designed for XP Professional/2003 Server systems in which security and integrity are the highest priorities, even at the expense of functionality, performance, and interoperability. Therefore, each setting should be considered carefully and only applied by an experienced administrator who has a thorough understanding of the potential impact of each setting or action in a particular environment.

    Here is further information on the CIS Benchmarks: http://www.cisecurity.org/bench.html

    Download the Benchmark Documents

    As a member of Educause, VCU is granted the license to use the benchmarks and tools on university-owned systems. In addition, the benchmarks and tools may be used on systems owned by students, faculty and staff. The Center for Internet Security (CIS) requires that you agree to the CIS Terms of Use before downloading the CIS Benchmark Document and Scoring Tool for your system. The following are the benchmark security standards currently available for download from the CIS website:

    • Windows XP Professional
    • Windows 2000 Professional Level 1 and 2
    • Windows 2000 Server Level 1 and 2
    • Windows 2003 Server Domain Controller
    • Windows 2003 Server Member Server
    • Linux Level 1
    • Solaris Level 1 - version 2.5.1 and later
    • OS X Level 1
    • HP-UX Level 1
    • AIX Level 1
    • SQL Server 2000
    • Oracle 8i Level 1 and 2
    • Oracle for 9i and 10g
    • Apache Level 1 and 2
    • Cisco IOS Router/PIX Level 1 and 2
    • Bind

    Center for Internet Security Site

701 W. Broad St., Box 843059
Richmond, VA 23284
(804) 828-1177