Several years ago, most cyber security practices maintained a series of easy, straight forward windows scripts that could be run to extract security configurations or execute hardening. The difficulty we’ve encountered a lot of is that readily accessible scripts that are regularly maintained are now the remit of venture capital backed software as a service models that will charge an arm and a leg to access them, and will also demand the installation of custom tools that are excessive in size and do not allow code review for fear of intellectual property loss.
In our backlog of research projects has been an activity to write a bunch of scripts, which our new awesome team member, Elias covered off on. The scripts are based on the Standard Technical Implementation Guidelines (STIGs) published by the US Defence Information Systems Agency (DISA). The guidelines are a vetted, prescriptive set of guidelines that allow us as a consultancy to provide measurable and meaningful guidance to our clients. We elected to go with the STIGs over the CIS standards largely based on copyright; as it is our intention to publish these for community use, CIS guidelines might be a little more difficult.
As our tooling also leverages internal OS tools, there’s no need to install any additional code or software, and as the scripts are open, individuals are able to review these prior to execution (don’t trust everything you download from the internet).
At this stage we’ve only built scripts for Windows Server 2012, Windows Server 2016, Microsoft SQL Server 2016 and Red Hat Enterprise Linux 7, however we’re keen to keep building more out, as well as a tool for parsing output for our reporting processes.
The scripts are available here: https://github.com/eennebt/STIG-SCRIPTS
If you have any questions or would like to know more about our activities, feel free to email us at [email protected]