Beruflich Dokumente
Kultur Dokumente
in Place Not In
Baseline Security Practices - The NIST Draft Checklist Program (csrc.nist.gov/publications/drafts.html) Place
There are two broad computer environments referred to respectively as SOHO (Small Office/Home Office)
and Enterprise. The specialized environments, which could be found alone or within either of the broader
environments, are High Security and Custom for systems and products that do not fit within the other environments
(Legacy is a typical Custom environment). The following sections describe the environments and their general threat
models and baseline technical security policies.
The SOHO (Small Office/Home Office) environment, also referred to as Standalone, describes small,
informal computer installations. This environment encompasses a wide variety of operational settings,
from a home computer used for occasional work purposes to a small branch office of a company in
another geographical area that is not managed remotely for technical or business reasons.
Use of hardware firewall appliances at Internet connections to block inbound connections and possibly to filter out
outbound traffic
Applications (e.g., antivirus software, Web browser, e-mail client) and operating system updates and patches
applied on regularly
Web and e-mail clients configured to filter and block traffic/messages that could contain malicious content
Encryption used for wireless network traffic and as appropriate for other traffic
Segmented internal networks with internal firewalls and other defense in depth techniques
The following general practices and controls are likely to be applicable to High Security systems:
Systems should generally process as few types of data as possible (e.g., do not combine multiple server
applications on the same system
The strongest possible authentication should be used (e.g., authentication token, biometrics, smart cards)
Security-related operating system and applications patches and updates should be tested and applied as soon as
as possible
Vulnerability assessment tools should be run against the systems on a frequent basis
System administrators should be highly skilled in the appropriate technologies
Custom Environments
Custom environments do not fit into the other predefined environments. They apply to an implementer's defined
environment and assume a specialized security target to satisfy the user's specific operational environment
Depending on the situation, a Custom environment may face any combination of local and remote Threats.
The potential impact of the threats should be determined by considering the threats that the system faces
and then considering what additional risk the system has because of the custom accommodations.