A security configuration checklist (also called a lockdown, hardening guide, or benchmark) is a series of instructions for configuring a product to a particular operational environment. Checklists can comprise templates or automated scripts, patches or patch descriptions, Extensible Markup Language (XML) files, and other procedures. Checklists are intended to be tailored by each organization to meet its particular security and operational requirements. Some checklists also contain instructions for verifying that the product has been configured properly. Typically, checklists are created by IT vendors for their own products; however, checklists are also created by other organizations with the necessary technical competence, such as academia, consortia, and government agencies. The use of well-written, standardized checklists can markedly reduce the vulnerability exposure of IT products. Checklists can be particularly helpful to small organizations and to individuals with limited resources for securing their systems.
NIST maintains the National Checklist Repository, which is a publicly available resource that contains information on a variety of security configuration checklists for specific IT products or categories of IT products. The repository, which is located at http://checklists.nist.gov/, contains metadata that describes each checklist. The repository also hosts copies of some checklists, primarily those developed by the federal government, and has pointers to the other checklists’ locations. Users can browse and search the repository’s metadata to locate a particular checklist using a variety of criteria, including the product category, vendor name, and submitting organization. Having a centralized checklist repository makes it easier for organizations to find the current, authoritative versions of security checklists and to determine which ones best meet their needs.
This document is intended for users and developers of security configuration checklists. For checklist users, this document makes recommendations for how they should select checklists from the NIST National Checklist Repository, evaluate and test checklists, and apply them to IT products. The document also provides general information to users about threats and fundamental technical security practices for associated operational environments. For checklist developers, this document sets forth the policies, procedures, and general requirements for participation in the NIST National Checklist Program (NCP).
Major recommendations made in this document for checklist users and developers include the following:
(1) Organizations should apply checklists to operating systems and applications to reduce the number of vulnerabilities that attackers can attempt to exploit and to lessen the impact of successful attacks.
(2) When selecting checklists, checklist users should carefully consider the degree of automation and the source of each checklist.
(3) Checklist users should customize and test checklists before applying them to production systems.
(4) Checklist users should take their operational environments into account when selecting checklists, and checklist developers should target their checklists to one or more operational environments.
(5) NIST strongly encourages IT product vendors to develop security configuration checklists for their products and contribute them to the NIST National Checklist Repository.
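The verification and "customize and test before production" steps above can be shown concretely with an audit-only checker. The following is an added example, not code from NIST or the National Checklist Program: the checklist rules, the organisational override and the sample sshd_config text are all constructed for illustration, and the expected values are not taken from any published benchmark. The checker reports deviations without changing the configuration, and it mirrors one OpenSSH parsing rule that is easy to get wrong in a home-grown verifier: when a directive appears twice, sshd keeps the first value, so a later "correction" line does not take effect.

```python
"""Audit-only checker for a small, constructed security configuration checklist.

Added illustration for the NCP guidance: the checklist, the tailoring
override and the sample sshd_config below are made up for this example.
The checker only reports pass/fail/missing; it never rewrites the file.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Rule:
    key: str        # configuration directive name
    expected: str   # value the checklist requires
    rationale: str  # why the checklist sets it (what a checklist should document)


# Constructed checklist for an OpenSSH server; values are illustrative only.
BASE_CHECKLIST = [
    Rule("PermitRootLogin", "no", "direct root logins defeat accountability"),
    Rule("PasswordAuthentication", "no", "prefer key-based authentication"),
    Rule("X11Forwarding", "no", "reduce exposed attack surface"),
    Rule("MaxAuthTries", "4", "slow down online password guessing"),
    Rule("LogLevel", "VERBOSE", "record key fingerprints for later investigation"),
]

# Constructed sample configuration; LogLevel is deliberately absent and
# PasswordAuthentication is deliberately duplicated.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


def tailor(checklist, overrides):
    """Return a copy of the checklist with organisation-specific values.

    `overrides` maps directive name -> required value. Keeping the deviation
    in a separate mapping documents how the published checklist was tailored.
    """
    return [replace(r, expected=overrides.get(r.key, r.expected)) for r in checklist]


def parse_config(text):
    """Parse sshd_config-style 'Key value' / 'Key=value' lines.

    Directive names are case-insensitive, full-line comments are skipped
    (sshd does not support trailing comments), and the FIRST occurrence
    of a directive wins, as sshd itself behaves.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # malformed line; a real checker would flag it
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first value wins, later duplicates ignored
    return settings


@dataclass(frozen=True)
class Finding:
    key: str
    status: str            # "pass", "fail" or "missing"
    expected: str
    actual: Optional[str]
    rationale: str


def audit(config_text, checklist):
    """Compare a configuration against a checklist; returns one Finding per rule."""
    settings = parse_config(config_text)
    findings = []
    for rule in checklist:
        actual = settings.get(rule.key.lower())
        if actual is None:
            status = "missing"  # the compiled-in default applies; flag for review
        elif actual.lower() == rule.expected.lower():
            status = "pass"
        else:
            status = "fail"
        findings.append(Finding(rule.key, status, rule.expected, actual, rule.rationale))
    return findings


def summarize(findings):
    """Count findings by status, e.g. {'pass': 2, 'fail': 2, 'missing': 1}."""
    return {s: sum(1 for f in findings if f.status == s) for s in ("pass", "fail", "missing")}


if __name__ == "__main__":
    # Organisation decides 6 attempts is acceptable for its environment.
    tailored = tailor(BASE_CHECKLIST, {"MaxAuthTries": "6"})
    for f in audit(SAMPLE_SSHD_CONFIG, tailored):
        print(f"{f.status:7} {f.key}: expected {f.expected!r}, found {f.actual!r}  ({f.rationale})")
    print(summarize(audit(SAMPLE_SSHD_CONFIG, tailored)))
```

Against the constructed file, the untailored checklist yields two passes, two failures (PasswordAuthentication, because the first "yes" line is the effective value, and MaxAuthTries) and one missing directive (LogLevel); after the organisation records its MaxAuthTries deviation through `tailor`, that item passes while the other findings are unchanged. Reporting "missing" separately from "fail" matters in practice, since a directive left at its default is a judgement call for the reviewer rather than an automatic failure.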
The complete National Checklist Program for IT Products: Guidelines for Checklist Users and Developers document is available to read or download from NIST’s website.