On Sat, 20 Jul 2002 Valdis.Kletnieks@vt.edu wrote:
I didn't get involved in that one, but I've been working on the Unixoid stuff with CIS and SANS. We make no claims that if you do everything on the checklist that you're secure - the claim is that *failure* to do everything is demonstrably *insecure*.
The CIS/W2Kpro checklist is not that. Failure to do everything on the W2K checklist is not "ipso facto" evidence a computer is insecure. Many items on the CIS/W2Kpro checklist are of the form: if you aren't using this item, you should disable it. That is a good security practice. But it does not follow that if you are using the item (i.e., it's enabled), your machine is insecure. Unfortunately the CIS/W2Kpro scoring tool can't tell the difference.

As a list of things to consider, and a free tool to check a computer's configuration, the CIS/W2Kpro checklist is a great addition to the security toolbox. Just don't try to push it too hard. Not following the CIS/W2Kpro checklist is not evidence of security malpractice. The puffery in the accompanying press releases and news articles was more than the CIS/W2Kpro checklist can support.

A blast from the past:

Internet security woes inflated, experts say
By Gary H. Anthes
OCT 16, 1995
http://www.computerworld.com/news/1995/story/0,11280,9990,00.html