NSA Security Configuration Guides

The National Security Agency (NSA) has graciously provided a wealth of resources to help in securing everything from third-party applications such as Adobe or Oracle to the Department of Defense (DoD) Bluetooth peripheral device security requirements. Because NSA is nonbiased in its goal to produce a secure platform for its customers, you can find a resource for just about any device you have installed and operating within your walls.

You can find a few of the Security Configuration Guides on the NSA site. NSA partnered with Microsoft, Defense Information Systems Agency (DISA), National Institute of Standards and Technology (NIST), U.S. Air Force, U.S. Navy, U.S. Marine Corps, U.S. Army, Department of Homeland Security, and the Office of Management and Budget for actual security setting decisions.

Cisco Systems

For Cisco devices you can find resources for securing and managing your routers, Layer 2 and Layer 3 switches, and Voice over IP (VoIP) Call Managers.

The Router Security Configuration Guide, which you can find at www.nsa.gov/ia/guidance/security_configuration_guides/cisco_router_guides.shtml, provides technical guidance for network administrators and security officers. It contains principles and guidance specific to ensuring you have a secure configuration for your IP routers. You can use the presented information to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.

Switches Configuration Guide

The NSA’s Cisco IOS Switch Security Configuration Guide, which you can find at www.nsa.gov/ia/guidance/security_configuration_guides/switches.shtml, provides technical guidance for secure configuration of switches, with detailed instructions. You can use the information presented to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic. This applies to both Layer 2 and Layer 3 switches.

VoIP/IP Telephony Security Configuration Guides

With the proliferation of Voice over Internet Protocol (VoIP) and IP Telephony (IPT) being installed and maintained throughout the U.S. government and private industry, it is more important than ever to make sure your Call Managers and Unified Communication environment is secure, stable, and functional. The Information Assurance Directorate, Systems and Network Analysis Center (SNAC) of the NSA has provided general guidance to make the implementation of Cisco Unified Communications Manager Express (CUCME) 7.0 and Cisco Call Manager. Then it follows up by giving advice on general security guidance of IP telephony systems and recommended IP telephony architectures for your organization in the following document: www.nsa.gov/ia/guidance/security_configuration_guides/voip_and_ip_telephony.shtml.

Microsoft Windows

You’ve all heard the complaints. From television, neighbors, co-workers, forums, chat rooms, strangers on planes, conferences, the co-author who is an Apple fan boy...the list goes on and on. Microsoft is unsecure and a pain to manage. Well...not necessarily. The earlier versions of Microsoft Windows were unsecure and a pain to manage. However, the programmers have learned from their mistakes, listened to the lessons learned, and taken the best parts of what other companies have done to their operating systems and incorporated them. Today, Microsoft can give you a platform that is as stable and more inherently secure right out of the box than anything that rivals it on the market. That being said, the NSA has taken the liberty of providing the IT-savvy person in charge of your IT infrastructure another tool. You can find some of the papers and security configuration guides the NSA offers at www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#microsoft.

Microsoft Windows Applications

Microsoft includes several pieces of software in its default installation of its operating system. Things such as Wordpad, notepad, calculator, games (Solitaire, Minesweeper, and so on). Other than taking up valuable space on your hard drive, these programs are relatively unintrusive. However, there may be a reason to disallow certain pieces of software, and that is where a software restriction policy (SRP) comes in handy. It can be configured as a local computer policy or as a domain policy using Group Policy with Windows Server 2003 domains and later. The SRP enables administrators to control which applications are allowed to run on Microsoft Windows. By using this guide, administrators can configure SRP to prevent all applications in their domain from running except applications they explicitly allow. Using SRP as an application white-listing technique significantly increases the security posture of the domain by preventing some malicious programs from executing.

Microsoft Windows 7/Vista/Server 2008

The NSA has taken a different approach to the latest Microsoft operating systems. It considers the Special Security – Limited Functionality (SSLF) settings in Microsoft’s Windows 7 Security Guide to track closely with the security level represented in its own guidelines. It is the NSA’s belief that the guide it produces establishes the latest best practices for securing the product and recommends that traditional customers use the Microsoft Security Compliance Manager when securing Windows 7.

The NSA’s website provides several papers on the subject of Windows 7: Security Highlights, Center for Internet Security (CIS) Windows 7 Benchmark, and the Microsoft Security Compliance Manager.

Check out Microsoft Security Compliance Manager at http://technet.microsoft.com/en-us/library/cc677002.aspx.

Microsoft Windows XP/Server 2003

Microsoft also offers a security configuration guide on Server 2003 and Windows XP. This chapter does not cover these because these will be phased out of your environment soon; however, you should be aware that they are there, and if needed you can download them and implement ASAP. It would be a good start to make sure your current security posture on those two operating systems is worthy.

Apple

The recommendations in Apple’s Mac OS X Security Configuration for Version 10.5 Leopard and 10.6 Snow Leopard track closely with the security level historically represented in NSA guidelines. It is the NSA’s belief that the guide produced by the manufacturer establishes the best practices for securing the product and recommends that traditional customers of its security recommendations use the Apple guide when securing either version of the Mac OS X systems.

Its website (www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#AppleMac) does provide some spectacular links to some resources for hardening your Mac OS X 10.5 and 10.6. We suggest you go and check them out.