Re: [fw-wiz] How to Secure Windows? was How to Save the World

From: Dave Piscitello (dave_at_corecom.com)
Date: 12/22/04

    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Wed, 22 Dec 2004 12:32:25 -0500
    
    

    On 21 Dec 2004 at 16:25, Paul D. Robertson wrote:

    > On Mon, 20 Dec 2004, Dave Piscitello wrote:
    >
    > > If you want a cheat sheet - or a template on which to baseline what
    > > your organization ultimately decides is its security policy - then
    > > visit the Center for Internet Security (cisecurity.org), download
    > > the security benchmarking tool and dozen or so templates, and RTFM
    > > that accompanies it.
    >
    > That _would_ be useful, if it weren't for the fact that I can only use
    > it on a single computer. If I wanted to use their tools as a
    > consultant, it'd cost me $11,000 per year! While that might be ok for
    > E&Y, it's a little steep for PDR ;)

    The tool is trivial and frankly, I don't think it's worth the trouble
    to scan PCs simply to see if you score a 10 - BTW, the best I could
    ever manage was a 9 something because a 10 means you don't actually
    use most of Windows:-).

    But the process of configuring a security policy they painstakingly
    describe using local policy editing and assessment via the MMC snap-
    in is instructive and helpful. I suspect you would find the security
    templates good guidelines, but not perfectly suited for what you
    want, and they can't very well charge you for templates NSA and
    others defined.

    > Any idea if you can make Windows *not* dynamically accept ARP entries
    > and rely only on static entries in the table?

    Not easily. Dynamic *and* static arp entries you create expire when
    you reboot, so you have to work around this.

    If you want a hack, you could run a script at startup that uses the
    DOS arp command to set static arp entries for all the entries you
    really want on your subnet, and also sets the unused IPs to a non-
    existent MAC or local MAC? Assuming you're on a "C" equivalent or
    splinter, it's a modest number of lines of script, yes?

    I thought to google this notion and found these folks suggested the
    same thing:

    http://www.kbeta.com/Ktips/TCPIPTroubleshooting.htm

    "For persistent static ARP cache entries, you must create a batch
    file run from the Startup group."

    Anyway, if you take the trouble to write the script,
    send me a copy:-)

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
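
A sketch of the startup batch file the message describes, added here as an example; it is not part of the original post and was not written by its author. The subnet, local address, inventory file name and placeholder MAC are all constructed assumptions to be replaced with site values.

```batch
@echo off
rem Added example: pin static ARP entries at startup, since they are lost on reboot.
rem Assumed (constructed) values: subnet 192.168.1.0/24, local address 192.168.1.10,
rem and an inventory file static-arp.txt beside this script, one "IP MAC" pair per
rem line, for example:  192.168.1.1 00-11-22-33-44-55
setlocal EnableDelayedExpansion

set "NET=192.168.1"
set "SELF=192.168.1.10"
set "INVENTORY=%~dp0static-arp.txt"
rem Placeholder MAC for unused addresses (locally administered, assumed not in use).
set "SINK=02-00-00-00-00-01"

if not exist "%INVENTORY%" (
    echo Missing inventory file %INVENTORY% 1>&2
    exit /b 1
)

rem Pass 1: pin the hosts this machine really talks to and remember each address.
rem Lines starting with # in the inventory are treated as comments.
for /f "usebackq eol=# tokens=1,2" %%A in ("%INVENTORY%") do (
    arp -s %%A %%B %SELF%
    set "KNOWN_%%A=1"
)

rem Pass 2: point every other host address on the /24 at the placeholder MAC,
rem so no dynamic entry can be learned for it. Skip our own address.
for /l %%N in (1,1,254) do (
    set "IP=%NET%.%%N"
    if not "!IP!"=="%SELF%" if not defined KNOWN_!IP! arp -s !IP! %SINK% %SELF%
)

rem Print the resulting table so the entry types can be reviewed after boot.
arp -a
endlocal
```

The script has to run with administrative rights, and any host missing from the inventory becomes unreachable from this machine until the file is updated.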

