Digital Bond is releasing today the Bandolier Baseline Security Audit Files for Windows 7 and Windows 2008R2 Member Server. Like other Bandolier Security Audit Files, these work with a compliance plugin in the Nessus Vulnerability Scanner to do a low impact audit of security configuration parameters.
The Bandolier Baseline Security Audit Files cover only the security settings in the operating system, and they are a starting point for the development of ICS vendor-specific Bandolier Security Audit Files. The Bandolier Baselines were developed as follows:
- We took the Microsoft security guidance for Windows 7 and Windows 2008R2 Member Server as referenced in the NIST National Checklist Program Repository.
- We added our recommended settings where Microsoft provided no guidance.
- We modified a very small number of settings where the Microsoft recommendation was not appropriate for control systems.
A spreadsheet with all the additions and modifications to the Microsoft recommendations will be available shortly. There are 187 security configuration settings audited in the Windows 7 Baseline and 202 security configuration settings audited in the Windows 2008R2 Member Server Baseline.
In addition to being useful as a starting point for vendor-specific audit files, the Bandolier Baselines can be used to audit security settings on ICS products that don't yet have a Bandolier Security Audit File. Remember that these are audits: they do not change any settings, and they do not try to exploit any sub-standard security settings they find.
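To make concrete what a read-only configuration audit of this kind does, here is an added example written for this post; it is not one of Digital Bond's Bandolier files and does not use the Nessus audit-file format. It compares three Windows security settings against expected values using only registry reads, so it can be run on a test host without altering anything. The three settings and their expected values are illustrative choices taken from common Microsoft hardening guidance, not the contents of the Bandolier Baselines, and the function name `Test-BaselineSetting` is this example's own.

```powershell
# Added example (not a Bandolier audit file): a read-only baseline check.
# The settings below are illustrative assumptions, chosen from common Microsoft
# hardening guidance; they are not the 187/202 checks in the Bandolier Baselines.
$Baseline = @(
    @{ Name     = 'Network security: LAN Manager authentication level'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Item     = 'LmCompatibilityLevel'
       Expected = 5 },
    @{ Name     = 'Accounts: Limit local account use of blank passwords to console logon only'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Item     = 'LimitBlankPasswordUse'
       Expected = 1 },
    @{ Name     = 'Microsoft network server: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Item     = 'RequireSecuritySignature'
       Expected = 1 }
)

function Test-BaselineSetting {
    param([hashtable]$Check)

    # Get-ItemProperty only reads the registry; nothing in this script writes to it.
    # A missing value is reported as NOT SET rather than treated as a pass.
    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Item `
                -ErrorAction SilentlyContinue).($Check.Item)

    $result = if ($null -eq $actual)               { 'NOT SET' }
              elseif ($actual -eq $Check.Expected) { 'PASS' }
              else                                 { 'FAIL' }

    [pscustomobject]@{
        Setting  = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Result   = $result
    }
}

# Run every check and print a pass/fail table; no setting is modified.
$Baseline | ForEach-Object { Test-BaselineSetting -Check $_ } | Format-Table -AutoSize
```

Because the script reads registry values and reports, it has the same low-impact character the post describes: a FAIL or NOT SET row tells the operator which setting to review, and remediation stays a separate, deliberate step.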
The Bandolier Baselines for the Windows 7 and Windows 2008R2 operating systems are the first developed by Digital Bond. In the past we used the OS audit files developed by Tenable Security, with their very kind permission and support.
Based on the number of security checks in other audit files, we believe these Bandolier Baselines are by far the most comprehensive auditing of the Microsoft security recommendations for Windows 7 and 2008R2. As always we welcome any comments or suggestions on these files.