
Reducing Over 80% of Windows 2000 Professional Vulnerabilities with the Consensus Security Benchmark Settings
Background
The following assertion has been widely publicized:
“Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known.”
“Many recent cyber attacks could have been avoided if enterprises were more focused on their security efforts, but users seem not to learn from their mistakes”
Gartner Group,
If the first of these statements is indeed true, there exists the potential for a very significant improvement in system security if the available patches and known preventive measures are implemented. But, just what are these measures? A number of security configuration recommendations are available. Which one to use? Is one better than the others? Would it be helpful if a broad consensus was available on what constitutes at least a measurable baseline level of system security, so an organization could have an acceptable degree of confidence that they are making a wise choice?
The Public-Private Consensus Effort
In April 2002, representatives of the organizations with published security configuration guidelines for Windows 2000 Professional (NSA, NIST, DISA, CIS, and SANS) met to discuss the differences in their respective guidelines and to determine if it was possible to reach consensus on a common set. After an all-day effort, consensus was reached on all but 4 of over 300 detailed configuration and registry settings. During the following few weeks, the differences were debated and resolved, and during that period, representatives of GSA joined the consensus effort.
On
Recent Studies
Three studies have been conducted to quantitatively determine the impact of the consensus configuration security settings on system vulnerabilities. The first study used the CIS Level I Windows 2000 and Windows NT Benchmark settings available at the time, and the other two used the Consensus Baseline Security Settings referred to above. All three studies used a Before and After approach: at the beginning of the study, the system was assessed by a commercially available vulnerability scanner, which produced a report of existing vulnerabilities. The configuration settings were then implemented and the vulnerability scan was repeated, reporting the vulnerabilities remaining after system configuration.
The Solutionary Study
This study was conducted by Solutionary, Inc, a security vendor member of the Center for Internet Security, on the Windows 2000 and Windows NT servers operated by HunTel, a midwestern Internet Service Provider. This study used the Level I Windows 2000 and Windows NT Benchmark settings that were available prior to publication of the Windows 2000 Professional Gold Standard Consensus Baseline Security Settings. The scores reported in the second figure were produced by the CIS Windows Scoring Tool, which scores a system’s compliance with the settings in the benchmark on a 1 to 10 scale, where 10 represents full compliance. A full report of this study may be found at the CIS website (http://www.cisecurity.org).



The National Security Agency Study
The NSA utilized a popular commercial vulnerability scanner, which monitors a computer under evaluation and reports on over 2000 known vulnerabilities which it categorizes as being of High, Medium, or Low concern. The scanner reports on internal configuration settings, file and registry permissions, policy issues, and application level vulnerabilities. For the study, the vulnerability scanner was run against an out of the box configuration of Windows 2000 Professional and was then re-run after implementing the Windows 2000 Consensus Baseline Security Settings. As recommended in the guidelines, implementation of the settings included the installation of Windows 2000 Service Pack 3 and the cumulative patches for Internet Explorer and Windows Media Player.
The following figure illustrates the results from these tests.
[Figure: % Reduction; values shown in the figure: 96, 90, 50, 91]
The MITRE Corporation Study
The MITRE Corporation performed an independent analysis of the value of the Windows 2000 Consensus Baseline Security Settings. The goal of this analysis was to identify the number of Common Vulnerabilities and Exposures (CVE) issues present in various configurations of Windows 2000 Professional. The end result was that with Windows 2000 Service Pack 2 installed, post SP2 hot fixes installed, and the Consensus Baseline Settings applied, 83% of the CVE vulnerabilities were eliminated.
This lower percentage reflects the fact that not all known vulnerabilities are included in the CVE database.
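The Before and After method used by all three studies, and the reason the MITRE figure comes out lower than the scanner-based ones, can both be shown with a small comparison script. The following is an added example, not code from the paper or from any of the scanners or scoring tools it names: it parses two constructed scan reports (finding id, severity, optional CVE id; the report format, the `W2K-` ids and the `CVE-0000-` ids are placeholders made up for this example), computes the percentage of findings eliminated per severity and overall, and then recomputes the same measure counting only findings that carry a CVE id. Findings without a CVE (typical for configuration-hardening checks) drop out of the second measure, which is how an all-findings reduction of 80% and a CVE-only reduction of 50% can describe the same pair of scans.

```python
"""Before/After vulnerability-reduction comparison.

Added example modelled on the methodology described in the paper; it is
not the paper's own code or the output of any real scanner. All report
lines, finding ids and CVE ids below are constructed placeholders.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    check_id: str        # scanner's own finding identifier (constructed)
    severity: str        # "High", "Medium" or "Low"
    cve: Optional[str]   # CVE id when the scanner maps the finding to one


def parse_report(text: str) -> set[Finding]:
    """Parse a constructed 'id,severity,cve' report; the cve field may be empty."""
    findings: set[Finding] = set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        check_id, severity, cve = (field.strip() for field in line.split(","))
        findings.add(Finding(check_id, severity, cve or None))
    return findings


def reduction_by_severity(before: set[Finding], after: set[Finding]) -> dict[str, int]:
    """Percent of pre-hardening findings eliminated, per severity and in total.

    Only findings present in the first scan are counted; checks that appear
    for the first time in the rescan are not 'remaining' vulnerabilities.
    """
    if not before:
        return {}
    before_counts = Counter(f.severity for f in before)
    remaining = Counter(f.severity for f in after if f in before)
    result = {}
    for severity, n in before_counts.items():
        result[severity] = round(100 * (n - remaining[severity]) / n)
    total = sum(before_counts.values())
    result["Total"] = round(100 * (total - sum(remaining.values())) / total)
    return result


def cve_reduction(before: set[Finding], after: set[Finding]) -> int:
    """Same measure restricted to findings that carry a CVE id (the MITRE
    approach). Findings without a CVE are invisible here, so this figure can
    differ from the all-findings figure for the same two scans."""
    before_cves = {f.cve for f in before if f.cve}
    if not before_cves:
        return 0
    after_cves = {f.cve for f in after if f.cve}
    eliminated = before_cves - after_cves
    return round(100 * len(eliminated) / len(before_cves))


# Constructed sample: scan of an out-of-the-box system (placeholder ids).
BEFORE_REPORT = """
# id,severity,cve
W2K-001,High,CVE-0000-0001
W2K-002,High,CVE-0000-0002
W2K-003,High,
W2K-004,High,
W2K-005,Medium,CVE-0000-0003
W2K-006,Medium,
W2K-007,Medium,
W2K-008,Low,CVE-0000-0004
W2K-009,Low,
W2K-010,Low,
"""

# Constructed sample: rescan after applying the benchmark settings. Two
# CVE-mapped findings remain and one new check (W2K-011) shows up.
AFTER_REPORT = """
W2K-002,High,CVE-0000-0002
W2K-008,Low,CVE-0000-0004
W2K-011,Low,
"""

BEFORE = parse_report(BEFORE_REPORT)
AFTER = parse_report(AFTER_REPORT)

if __name__ == "__main__":
    print("Reduction by severity:", reduction_by_severity(BEFORE, AFTER))
    print("Reduction, CVE-mapped findings only:", cve_reduction(BEFORE, AFTER))
```

The `Total` key is the figure a scanner-based study would headline; `cve_reduction` is the figure a CVE-count study would report. Reporting both, with the denominator for each, avoids the confusion that arises when two studies of the same configuration publish different percentages.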
Conclusions
The data from the studies described above lead to the conclusion that the first portion of the Gartner statement is defensible. These findings also suggest that if organizations would implement the consensus configuration settings on their systems, the second portion of the Gartner statement would become less accurate over time. Security staffs who have successfully blocked over 80% of known vulnerabilities via proper operating system configuration and patching would be able to focus their energies more effectively on the smaller number of remaining vulnerabilities.
Some of these residual vulnerabilities are related to additional configuration settings that can be applied in high-risk environments when operationally feasible. However, most of the residual vulnerabilities are related to application level settings not covered by the operating system configuration recommendations. Implementing application-oriented configuration guidelines will reduce the remaining vulnerabilities even more.
Organizations may obtain not only the Windows security benchmarks and associated scoring tool mentioned above, but also those for Sun Solaris, HP-UX, and Linux systems and CISCO IOS Routers, from the CIS website (http://www.cisecurity.org), free of charge.