This chapter focuses on host security. It does not make the distinction between "servers" or "desktops". With this standard we want to actively protect machines where we can and automatically detect any security violations. Users of a system should have distinct access to a system, not total access. Users should not be able to access any unapproved services of a host.

Once implemented administrators should be able to anwer questions about a machine without having to actually look at that machine. We want to keep the role of each host well defined and configure it just for that purpose. By keeping this simpler view of administration we ensure that there are no more moving parts of the machine then needed. There are fewer updates to worry about, less testing to do and fewer unexpected behaviors. Also note that for Intrusion Detection Systems we've impleneted a completely separate section for this. Please see the IDS portion of the CSI docs for more.