Security Benchmarks for Workstations, Servers and Applications

We've all had to lock down a workstation, server or application for security/audit purposes and wondered where to start.  I recently stumbled across the Center for Internet Security (CIS) Benchmark program which provides vendor agnostic advice and tools on accessing and improving the security of servers and applications.   The CIS program can help public and private organisations to meet compliance standards for FISMA, PCI, HIPAA and a lot more.

Behind the scenes of CIS there is a group of IT security experts who give their time and knowledge to help provide the information and tools that can help to benefit the rest of the IT community.

The CIS provide a Java based assessment tool that you can run on your workstations or servers to assess the potential security holes within them.

Once you download the tool from their website and run it you are confronted by a list of current benchmark standards you can run against your device.  In this case I am running the tool against my Windows 10 workstation.

The next screen in the wizard is what profile you want to run against the device.  These are security profiles that you can choose from depending on what level of security you are looking to achieve. 

The next screen that you encounter is relating to how you would like the results reported to you.  You have several options to choose from, I've found the HTML report to be the most useful so far. 

Depending on what benchmarks and profiles you've asked to run the tool may take several minutes to generate. Once it has you will have a report that contains information on what your device has passed or failed on and what the implications of any failures are as well as some useful tips on how to resolve. 

For more information pop on over to the CIS website at https://www.cisecurity.org/