A set of security checklists have been developed and are available on a
DISA (Defense Information Systems Agency) Web site at the following URL:
The checklists provide direction on how to determine the exisiting security
configuration, and some information on why a particular configuration
setting has security significance. The following checklists are available:
Solaris 2.4 Security Checklist
HP-UX 10.X Security Checklist
Microsoft Windows NT 3.51 Security Checklist
SYBASE Security Checklist
Oracle Security Checklist
Informix Security Checklist
DCE Security Checklist
Applictions Security Checklist
I believe that the NT 4.0 security checklist is currently being written.
>> Date: Tue, 24 Jun 1997 14:44:39 -0700
>> From: "Alberto U. Begliomini" <aub @
>> I am looking for documentation, articles, and papers on how to make
>> a NT Web server, sitting on the perimeter network of a firewall, secure.
>> Also I am looking for tools on NT whose Unix equivalent are Tripwire,
>> Cops, Swatch, etc.
>> Basically, I would like to know how people make a NT server as secure as
>> a Unix server can be made, and which kind of tools are used to notify
>> the system administrators in case an attacker breaks in.
>> Any help is greatly appreciated.
>> Thanks --Alberto
>We've been using our Decaf product, which allows you to make any file,
>directory, device, or "directory tree" either read-only or inaccessible
>to any process you want. This condition is inherited by all the children
>of any such process, and is true no matter what the UID is (i.e., it
>applies to root the same as to other users).
>The bad news is that our Solaris 2.4, 2.5.1, and 2.6 (yes, we have the
>2.6 source here) are done, but our NT version is still in production
>for release this summer. I'll let you know when it's available.
>We've used it on the http daemon, inetd, and other network daemons. We've
>also been using it on login shells to make some users run restricted even
>if they should somehow know root's password or manage to break out of a
>setuid root program into a program of their choosing.
>Currently you can't use Decaf to limit access to a port number or to a
>network address or to an interface, so it can't do everything you are
>looking for, but our customers seem pretty happy about it. Decaf is
>currently being used to protect webservers, firewalls, and network servers.
>I think some people on this list have downloaded it from our webpage,
>but I don't recall seeing any comments about it, either pro or con.
>Any flames anyone?
>Also, check with the COAST guys at Purdue. I was over there a few months
>ago to do a colloquium for Gene Spafford's security group. Gene took me
>around to show me what they are doing and he mentioned some of the NT
>technology they are working on. They seem to be emphasizing the intruder
>detection aspects of security, and by now they may have what you are
>Paul McNabb Argus Systems Group, Inc.
>Vice President and CTO 1809 Woodfield Drive
com Savoy, IL 61874 USA
>FAX 217-355-1433 "Securing the Future"
Lead Engineer and Section Manager, Secure Distributed Computing
E-mail: karndt @
Phone: (703) 883-6821, FAX: (703) 883-1397
Wilson Building, Room 2D09
The MITRE Corporation
1820 Dolley Madison Boulevard
McLean, VA 22102-3481