Recommendations by the German Federal Office for Information Security (BSI – Bundesamt für Sicherheit in der Informationstechnik) are obligatory for German government agencies, civil services and authorities (like recommendations of the NIST are relevant to American government agencies and authorities). They are often used as references and security best practices in other countries as well. Hence it is hard to understand why the recommendations on how to harden Windows Server 2008 based systems were published only some weeks ago and only on a preliminary draft basis (which is, obviously, better than nothing ;-)).
We at ERNW, however, did an overall baseline security approach of Windows Server 2008 R2 and Active Directory for a large German authority last year. The aim was to fullfil the requirements of the German Federal Office for Information Security without having precise technical guidelines by the BSI itself (from our side we do have guidelines of course ;-)). The hardened Windows Server 2008 R2 environment was then approved at the end of 2011 by the German BSI. Now we published the results of our overall approach in our latest newsletter [German language].
PS: There’s also a digitally signed version of the newsletter. (Because it is signed with a qualified certificate, the validation requires an appropriate validation software, for example SecSigner from SecCommerce – which is free software).Continue reading