
Customer Quote

"Server Configuration Manager not only enables a greater degree of efficiency in our IT organization, but with CP&C toolkits, we can have confidence that our systems are continuously secure and compliant."

- Chris Burroughs
Vice President

Mondial Assistance about Configuresoft

Compliance Toolkits

The Center for Policy & Compliance (CP&C) regularly researches and delivers productized security, regulatory, and operational compliance knowledge as Compliance Toolkits. Each toolkit is a set of rule-based templates, reports and dashboards that plug into Server Configuration Manager (SCM) to check security and operational compliance within a focused area.

Freely available to our customers, CP&C compliance toolkits can be downloaded from our secure customer portal.

CP&C Compliance toolkits include:

Microsoft ActiveX Vulnerability Toolkit

Microsoft has issued Security Advisory 972890 for a vulnerability in the MPEG2TuneRequest ActiveX control. For Windows XP and Windows Server 2003 systems that may be affected, this compliance toolkit checks for the Registry settings (kill-bits) that mitigate the threat by preventing Internet Explorer from loading the control; a kill-bit is the 0x400 flag in the control's "Compatibility Flags" value under the ActiveX Compatibility key, set per CLSID. Microsoft's instructions for configuring the kill-bits are at http://support.microsoft.com/kb/972890.

Apple Security Configuration Guides for Mac 10.4 and 10.5

The Apple Security Configuration Guides for Mac OS X 10.4 and 10.5 include extensive sets of security configuration items for Mac OS X platforms. Categories of controls include hardware and global system settings, user account and preferences controls, data and storage protection, and application and services hardening. These packages provide organizations with templates for reporting on, configuring, and managing OS X 10.4 and 10.5 systems using the controls prescribed by Apple.

Compliance DB Objects

To avoid import problems in the Configuration Content Wizard (CCW), the database objects that the compliance dashboards and reports depend on have been moved out of the individual compliance packages into a separate db object package. Import that package once, before running any dashboard or report from a compliance package; the order in which the compliance packages themselves are imported does not matter.
As of release 5.1.2 the database objects are embedded in the product, so the separate import is only needed on 5.0 and 5.1.

COBIT

The Control Objectives for Information and related Technology (COBIT) framework is widely used to build compliance-focused sets of controls. This COBIT Compliance Toolkit for Windows is a comprehensive series of automated checks and controls that addresses a number of areas within the COBIT 4.x series. The package includes controls for file and system-level access, security management and asset discovery, audit control, and automated access change monitoring, supporting a consistent, automated strategy for COBIT compliance.

Conficker Detection

This package assesses Windows systems for the possible presence of the Conficker (aka Downadup) worm. The worm exploits systems that are not patched with Microsoft security bulletin MS08-067. The package checks three system attributes: the presence of the MS08-067 patch; a service hosted in svchost's netsvcs group whose Parameters\ServiceDll value points at the worm's DLL (the toolkit's example key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PathToWorm]"); and the presence of the netsvcs service. In addition, the worm abuses Windows AutoRun, so removable media can infect a system as soon as it is inserted. The package therefore also checks whether AutoRun is enabled. If your corporate policy allows it, Configuresoft's CP&C recommends disabling AutoRun to prevent this class of attack.

IE 8 Blocker Toolkit

The Internet Explorer 8 blocker toolkit prevents the installation of Microsoft's latest browser, IE8, by creating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0 registry key with the value "DoNotAllowIE80 = 1". It is supported on Windows 2000 and later. Note that the blocker only stops automatic delivery of IE8 through Windows Update and Automatic Updates; it does not prevent a user with administrative rights from installing IE8 manually.
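The three toolkits above (ActiveX kill-bit, Conficker detection, IE8 blocker) all reduce to Registry and hotfix checks. The script below is an added example of evaluating those checks as rule templates; it is not Configuresoft or CP&C code. The rule table, the function names and the "review unsigned ServiceDll" heuristic are this example's own assumptions; the kill-bit CLSID is a placeholder to be replaced with the CLSID from advisory 972890, and the MS08-067 patch is looked up by its hotfix number KB958644, which the page does not state.

```powershell
# Added example (not CP&C code): registry and hotfix compliance checks for the
# ActiveX kill-bit, IE8 blocker and Conficker toolkits described above.

# One rule = a registry value plus the setting that counts as compliant.
# A rule with 'Mask' passes when (actual -band Mask) -eq Expected; that is how
# the kill-bit (bit 0x400 of "Compatibility Flags") is tested.
$Rules = @(
    @{ Name     = 'IE8 blocker: DoNotAllowIE80 = 1'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0'
       Value    = 'DoNotAllowIE80'; Expected = 1 },
    @{ Name     = 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Name     = 'ActiveX kill-bit set for {CLSID-FROM-ADVISORY-972890}'   # placeholder CLSID (assumption)
       Path     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID-FROM-ADVISORY-972890}'
       Value    = 'Compatibility Flags'; Expected = 0x400; Mask = 0x400 }
)

function Test-RegistryRule {
    param([hashtable]$Rule)
    $actual = $null
    if (Test-Path -LiteralPath $Rule.Path) {
        # A missing value is non-compliant, so read it without throwing.
        $props = Get-ItemProperty -LiteralPath $Rule.Path -Name $Rule.Value -ErrorAction SilentlyContinue
        if ($props) { $actual = $props.($Rule.Value) }
    }
    $compliant = $false
    if ($null -ne $actual) {
        if ($Rule.ContainsKey('Mask')) { $compliant = (($actual -band $Rule.Mask) -eq $Rule.Expected) }
        else                           { $compliant = ($actual -eq $Rule.Expected) }
    }
    New-Object PSObject -Property @{ Rule = $Rule.Name; Actual = $actual; Compliant = $compliant }
}

# MS08-067 ships as hotfix KB958644 (the page names only the bulletin).
function Test-MS08067Installed {
    $hf = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
    return ($null -ne $hf)
}

# Lists every service in svchost's netsvcs group with its ServiceDll and marks
# for review any DLL that is missing, unsigned, or not signed by Microsoft.
# Conficker registers a randomly named service in this group whose ServiceDll
# is the worm, so the page's literal "netsvcs" path is only one instance.
function Get-NetsvcsServiceDll {
    $group = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' `
                              -Name netsvcs -ErrorAction SilentlyContinue
    if (-not $group) { return }
    foreach ($svc in @($group.netsvcs)) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        if (-not (Test-Path -LiteralPath $paramKey)) { continue }
        $dll = (Get-ItemProperty -LiteralPath $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $signer = $null; $review = $true
        if (Test-Path -LiteralPath $expanded) {
            $sig = Get-AuthenticodeSignature -FilePath $expanded
            if ($sig.Status -eq 'Valid') {
                $signer = $sig.SignerCertificate.Subject
                $review = ($signer -notmatch 'Microsoft')
            }
        }
        New-Object PSObject -Property @{ Service = $svc; ServiceDll = $expanded; Signer = $signer; Review = $review }
    }
}

# Run all three checks and print a report.
$Rules | ForEach-Object { Test-RegistryRule $_ } | Format-Table Rule, Actual, Compliant -AutoSize
"MS08-067 (KB958644) installed: $(Test-MS08067Installed)"
Get-NetsvcsServiceDll | Format-Table Service, ServiceDll, Signer, Review -AutoSize
```

Run it from an elevated PowerShell prompt, since the HKLM keys and service parameters are readable but the report is only meaningful for the machine-wide hives. On x64 systems the kill-bit for 32-bit Internet Explorer lives under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility as well, so add a second rule for that path. The ServiceDll signature check is a triage heuristic, not a verdict: on older systems Get-AuthenticodeSignature does not consult catalog signatures, so legitimate catalog-signed OS DLLs can show as NotSigned and must be checked by hand.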

Energy Savings Toolkit

The Green IT Energy Savings Toolkit is a package of reports that provides visibility into the system attributes and settings organizations can use to measure power consumption. The toolkit also includes compliance templates that enforce power settings: enabling monitor power-off, powering computers down after shutdown, and removing the Power Options icon from the Control Panel to limit users' ability to alter power settings. The package includes reports for processor utilization and server class identification. The server class report uses IDC definitions to classify systems as high-end, mid-range, and volume servers; larger servers consume more power than lower-end volume servers.

PCI DSS

A comprehensive series of automated checks and controls that correlate and map to the security hardening requirements of PCI DSS, the standard defined by the card brands (Visa, MasterCard, American Express, Diners Club, Discover and JCB). This granular approach includes access control, audit control and automated access change monitoring, supporting an organization's ability to consistently meet its internal standards.

CIS Benchmarks for Windows

Comprehensive sets of automated checks and controls that address a number of distinct Windows technical security settings for Windows 2000 (Professional and Server), XP, and 2003 Server platforms. The CIS Windows Toolkits are designed to provide Configuresoft customers with the ability to quickly assess the security configuration of Windows systems against CIS best practices by translating the guidelines into actionable, continuous compliance rules. These rules allow you to ensure that your actual enterprise security configuration settings correspond with the recommended hardening values.

CIS VMware ESX Server Benchmark

The CIS VMware ESX Server Benchmark Hardening Toolkit is a compilation of security configuration actions and settings that can be used to lock down, or "harden" VMware ESX Server systems in accordance with the CIS VMware ESX Server Benchmark v1.0, released October 18, 2007. This comprehensive series of controls addresses file permissions, user accounts, kernel settings, and a number of other specific ESX attributes that can be secured as part of an overall security and compliance strategy in virtual server environments.

CIS AIX Compliance Toolkit

The Center for Internet Security (CIS) configuration standards are among the most widely recognized and generally accepted system and application hardening guidelines available. The CIS AIX Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for the IBM AIX platform. This toolkit is based on benchmark version 1.01, dated 10/21/2005, and supports AIX versions 5.3 and earlier.

CIS Red Hat Linux Compliance Toolkit

The CIS Red Hat Linux Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for the Red Hat Enterprise Linux 5 platform.

CIS Solaris Compliance Toolkit

The CIS Solaris Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for the Sun Solaris platform. This toolkit is based on benchmark version 4.0, dated 11/1/2007, and supports the Solaris 10 11/06 and 8/07 updates as well as several previous versions.

CIS SUSE Linux Compliance Toolkit

The CIS SUSE Linux Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for SUSE Linux Enterprise platforms. This toolkit covers configuration settings for most SUSE Linux Enterprise Server versions up to SLES 10 SP1. It includes checks for system and kernel information, enabled services, file system settings and permissions, authentication and authorization, users and groups, and others.

CIS HP-UX Compliance Toolkit

The CIS HP-UX Compliance Toolkit is a comprehensive set of automated checks and controls that address a number of distinct technical security settings for the HP-UX platform. This toolkit is based on benchmark version 1.4.2, dated 6/3/2008, and supports HP-UX versions 11.11, 11.23, and 11.31 as well as several previous versions.

SOX

A comprehensive series of automated checks and controls that correlate and map to the COSO/COBIT framework, supported by best practices as defined by NIST. This granular approach includes access control, audit control and automated access change monitoring, supporting an organization's ability to consistently meet the Sarbanes-Oxley (SOX) requirements.

HIPAA

A comprehensive series of automated checks and controls that correlate and map to the Department of Health and Human Services (HHS) rules, along with best practices as defined by NIST. This granular approach includes access control, audit control and automated access change monitoring, supporting an organization's ability to consistently meet the HIPAA regulation.

GLBA

A comprehensive series of automated checks and controls that correlate and map to the technical controls required by Gramm-Leach-Bliley. This granular approach includes access control, audit control and automated access change monitoring, supporting an organization's ability to consistently meet the GLBA regulation.

FISMA Compliance Toolkit for Windows, UNIX/Linux and Virtual Computing

A comprehensive series of automated checks and controls that correlate and map to industry best practices, along with the controls defined in NIST SP 800-53. This granular approach includes access control, audit control and automated access change monitoring, supporting an organization's ability to consistently meet FISMA compliance.

DISA Compliance Toolkit for Windows, UNIX/Linux and Virtual Computing

The DISA Security Technical Implementation Guides (STIG) template is a comprehensive series of automated checks and controls for security hardening, based on the STIGs developed and published by DISA and listed in NIST's National Checklist Program. This granular approach includes access control, audit control and automated access change monitoring, supporting an organization's ability to consistently meet its internal standards.

ISO17799/27001

This compliance template provides organizations with the ability to quickly assess the security configuration of Windows NT4, 2000, 2003, XP and Vista systems against ISO recommended best practices. The template translates the ISO 17799/27001 guidelines (ISO 17799 was renumbered ISO/IEC 27002 in 2007) into actionable, continuous compliance rules to ensure your actual enterprise security configuration settings correspond with the recommended hardening guidelines.

Microsoft Hardening Guidelines

This compliance template provides organizations with the ability to quickly assess the security configuration of Windows 2000, 2003, XP and Vista systems against Microsoft recommended best practices. The template translates the Microsoft Windows Security and Hardening Guide into actionable, continuous compliance rules to ensure your actual enterprise security configuration settings correspond with the recommended hardening guidelines.

Microsoft Windows 2008 Server Hardening Guidelines for Domain Controllers

The Microsoft Windows 2008 Server Hardening Guidelines package for Domain Controllers is designed to provide Configuresoft customers with the ability to quickly assess the security configuration of Windows Server 2008 domain controllers against Microsoft recommended best practices. The toolkit translates the Microsoft Windows Server 2008 Security Guide into actionable, continuous compliance rules to ensure your actual enterprise security configuration settings correspond with the recommended hardening values. This toolkit provides specific guidance for hardening Active Directory Domain Services, as well as guidance on disabling or hardening traditional services such as DNS, DHCP, and Terminal Services. Also included are guidelines for securing general Windows Server 2008 platform controls covering file and system-level access controls, network services protection, and many others.

NERC/FERC

A comprehensive series of automated checks and controls that addresses a number of requirements within the eight NERC CIP standards. The package includes controls for file and system-level access, security management and asset discovery, audit control, and automated access change monitoring, supporting a consistent, automated strategy for NERC/FERC compliance.

FFIEC Compliance Toolkit

The Federal Financial Institutions Examination Council has created a number of guidelines applicable to the finance and banking industries. In July 2006, the FFIEC released its Information Security booklet, intended to help banking and financial organizations comply with Gramm-Leach-Bliley requirements such as section 501(b) and develop a process for assessing and securing computing assets. The FFIEC Compliance Toolkit is a comprehensive series of automated checks and controls that addresses a number of requirements within the Information Security booklet. The package includes controls for file and system-level access, security management and asset discovery, audit control, and automated access change monitoring, supporting a consistent, automated strategy for FFIEC compliance.

FDCC Compliance Toolkit for Windows

The Federal Desktop Core Configuration (FDCC) template is a comprehensive series of automated checks and controls for Windows XP and Windows Vista desktop systems that aligns directly with the FDCC mandate defined by the Office of Management and Budget (OMB). This granular approach includes access control, audit control and automated access change monitoring, supporting an organization's ability to consistently meet FDCC compliance.

VMware Hardening Guidelines

A comprehensive series of automated checks and controls that correlate and map to the VMware Infrastructure 3 Security Hardening guide. The template allows organizations to evaluate access controls, file permissions, networking components, and audit and security policy controls, and to perform automated access change monitoring for virtual machines, the VMware Service Console, ESX Server hosts and VirtualCenter components.