Re: [fw-wiz] How to Secure Windows? was How to Save the World
From: Dave Piscitello (dave_at_corecom.com)
Date: 12/20/04
- Previous message: Adam Shostack: "Re: [fw-wiz] Re: How to Save The World (was: Antivirus vendor conspiracy theories)"
- In reply to: MHawkins_at_TULLIB.COM: "[fw-wiz] How to Secure Windows? was How to Save the World"
- Next in thread: Paul D. Robertson: "Re: [fw-wiz] How to Secure Windows? was How to Save the World"
- Reply: Paul D. Robertson: "Re: [fw-wiz] How to Secure Windows? was How to Save the World"
To: MHawkins@TULLIB.COM
Date: Mon, 20 Dec 2004 09:19:07 -0500

If you want a cheat sheet - or a template on which to baseline what
your organization ultimately decides is its security policy - then
visit the Center for Internet Security (cisecurity.org), download the
security benchmarking tool and dozen or so templates, and RTFM that
accompanies it.

Basically, using Active Directory and group policy object definition,
you can lock down W2K or XP very nicely based on these templates,
including services, file system, local administration, IE settings,
auditing/event logging and more. You can also develop policy for
locking down internet-facing servers on Win2000 and W2k3. If you're
not running AD, you can apply the same template as a local security
policy using secpol.msc or create a Group template and apply it to
individual systems using the group policy msc.

If you want the 1000-word abstract versions, visit my Windows 2000
resources page at http://hhi.corecom.com/windowsxpresources.htm

FWIW, I use the NSA gold template on a Windows 2000 laptop, locked
down everything recommended and tried like hell to break into the box
with no success (perhaps more an indication of my pen-testing
limitations and the power of a paranoid security policy than Windows
security, but...)

On 13 Dec 2004 at 11:42, MHawkins@TULLIB.COM wrote:
> All I want to do is have a standard cheat sheet to lock down the
> machine so that all those exe's that I don't want to run - CAN'T - and
> all those exe's that I do want to let run - CAN - but only under their
> own account and only in their own volume space! Is that too much to
> ask?
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
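
As an added illustration of baselining against a security template (not part of the original message, and not CIS or NSA tooling), the Python sketch below parses two security-template (.inf) fragments and reports every setting where a machine's exported policy differs from the baseline. The function names `parse_template` and `drift` and both sample fragments are constructed for this example; on a real system the second input would come from `secedit /export /cfg current.inf`.

```python
import configparser

# Constructed sample standing in for a downloaded baseline template.
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 3
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""

# Constructed sample standing in for an exported local policy.
# Files written by secedit are normally UTF-16; decode them before parsing.
EXPORTED_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 1
AuditPolicyChange = 3
"""

def parse_template(text):
    """Return {section: {setting: value}} for a security-template fragment."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str  # keep setting names case-exact, as in the template
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def drift(baseline, current):
    """List (section, setting, wanted, found) wherever current != baseline.

    Exact-match comparison: a stricter local value is also reported, and a
    setting missing from the export is reported with found=None.
    """
    findings = []
    for section, settings in baseline.items():
        have = current.get(section, {})
        for key, want in settings.items():
            if have.get(key) != want:
                findings.append((section, key, want, have.get(key)))
    return findings

if __name__ == "__main__":
    for f in drift(parse_template(BASELINE_INF), parse_template(EXPORTED_INF)):
        print("%s/%s: baseline=%s current=%s" % f)
```
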