
MinSec Cookbooks

The cookbooks below are step-by-step guides to simplify adoption of the Minimum Security Standards on Moderate or High Risk servers.

Windows Servers

  1. Complete a Data Risk Assessment.
    1. Begin by submitting the DRA pre-screening form.
  2. Install BigFix for Servers.
    1. Subscribe to the service as a "BigFix for Servers Administrator" by submitting a Help ticket.
    2. Install BigFix for Windows Servers.
  3. Install the Splunk Universal Forwarder.
    1. Request a Splunk account by submitting a Help ticket.
    2. Install Splunk Universal Forwarder for Windows Servers.
  4. Request a Cardinal Protect system OR Privileged Access Workstation (PAW).
    1. Cardinal Protect and PAWs are only required for administering High Risk servers and applications.
  5. Install Duo for servers.
    1. Request your API keys and Duo API hostname by submitting a Help request.
    2. Deploy Two-Step Authentication for RDP on Windows Servers to your systems.
  6. Install CrowdStrike.
    1. Request an account by submitting a Help ticket.
  7. Configure your host-based firewall.
    1. Configure your firewall in default-deny mode, and permit only the minimum necessary services.
  8. Regularly scan for vulnerabilities with Qualys.
    1. Request a Qualys account by submitting a Help ticket.
    2. Sign in to the Qualys console to manage custom scans and reports.
  9. Review your compliance with the other MinSec standards.
    1. Apply high severity security patches within seven days of publication, and all other security patches within 90 days.
    2. Review and update your system inventory records in NetDB and SUSI.
    3. Enforce password complexity requirements and review your existing admin accounts and their privileges.
    4. Physically protect your server.
    5. Implement PCI DSS, HIPAA, FISMA, or export controls, as applicable.

Linux Servers

  1. Complete a Data Risk Assessment.
    1. Begin by submitting the DRA pre-screening form.
  2. Install BigFix for Servers.
    1. Subscribe to the service as a "BigFix for Servers Administrator" by submitting a Help ticket.
    2. Install BigFix for Linux Servers.
  3. Install the Splunk Universal Forwarder.
    1. Request a Splunk account by submitting a Help ticket.
    2. Install Splunk Universal Forwarder for Linux Servers.
  4. Request a Cardinal Protect system OR Privileged Access Workstation (PAW).
    1. Cardinal Protect and PAWs are only required for administering High Risk servers and applications.
  5. Install Duo for servers.
    1. Request your API keys and Duo API hostname by submitting a Help request.
    2. Deploy Duo Two-Step Authentication for SSH on Linux Servers to your systems.
  6. Install File Integrity Monitoring (OSSEC).
    1. Deploy OSSEC using BigFix.
  7. Configure your host-based firewall.
    1. Configure your firewall in default-deny mode, and permit only the minimum necessary services.
  8. Regularly scan for vulnerabilities with Qualys.
    1. Request a Qualys account by submitting a Help ticket.
    2. Sign in to the Qualys console to manage custom scans and reports.
  9. Review your compliance with the other MinSec standards.
    1. Apply high severity security patches within seven days of publication, and all other security patches within 90 days.
    2. Review and update your system inventory records in NetDB and SUSI.
    3. Enforce password complexity requirements and review your existing admin accounts and their privileges.
    4. Physically protect your server.
    5. Implement PCI DSS, HIPAA, FISMA, or export controls, as applicable.
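Step 7 of both cookbooks asks for a host-based firewall in default-deny mode that permits only the minimum necessary services. The script below is an added example, not part of the MinSec page or of any Stanford tooling; it assumes nftables is the host firewall on the Linux server and that the administrator knows which inbound TCP ports the system must serve (for example 22 for SSH, which Duo two-step authentication also relies on). The function name `build_ruleset` and the log prefix are this example's own choices. It generates the ruleset and validates the port arguments; it does not apply anything, so it can be reviewed before being loaded with `nft -f` as root.

```shell
#!/bin/sh
# Added example (not from the MinSec cookbook): emit a default-deny nftables
# ruleset for a Linux server. Assumes nftables is the host firewall; the
# allowed inbound TCP ports are passed as arguments (e.g. 22 for SSH).
# The script only prints the ruleset. Applying it (`nft -f file`) needs root.

# build_ruleset PORT [PORT...]
# Prints a ruleset whose input chain drops everything by default and accepts
# only loopback, established/related traffic, ICMP, and the listed TCP ports.
build_ruleset() {
    if [ "$#" -eq 0 ]; then
        echo "usage: build_ruleset PORT [PORT...]" >&2
        return 1
    fi
    # Refuse to emit a ruleset if any port is not an integer in 1..65535,
    # so a typo cannot silently open (or fail to open) the wrong service.
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2
            return 1
        fi
    done
    # Join the ports as "22, 443" for an nft set literal.
    ports=$(printf '%s, ' "$@")
    ports=${ports%, }

    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        tcp dport { $ports } ct state new accept
        log prefix "nft-input-drop: " counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset FILE
# Dry-run the ruleset through nft's parser when nft is installed (needs root
# on most systems); otherwise report that the check was skipped.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; syntax check skipped" >&2
        return 0
    fi
}
```

Typical use is `build_ruleset 22 443 > /etc/nftables.conf`, then `check_ruleset /etc/nftables.conf` and `nft -f /etc/nftables.conf` as root, and finally enabling the nftables service so the ruleset survives a reboot. The `log prefix` line on the final drop is what makes the policy observable: the dropped-packet log lines are exactly what the Splunk Universal Forwarder from step 3 should be shipping so that unexpected inbound traffic is visible in the SIEM. The Windows counterpart of the default-deny setting is `Set-NetFirewallProfile -DefaultInboundAction Block` on each profile, with one `New-NetFirewallRule` per permitted service.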
Last modified October 15, 2024