Re: [fw-wiz] How to Secure Windows? was How to Save the World
From: Dave Piscitello (dave_at_corecom.com)
To: "Paul D. Robertson" <firstname.lastname@example.org> Date: Wed, 22 Dec 2004 12:32:25 -0500
On 21 Dec 2004 at 16:25, Paul D. Robertson wrote:
> On Mon, 20 Dec 2004, Dave Piscitello wrote:
> > If you want a cheat sheet - or a template on which to baseline what
> > your organization ultimately decides is its security policy - then
> > visit the Center for Internet Security (cisecurity.org), download
> > the security benchmarking tool and dozen or so templates, and RTFM
> > that accompanies it.
> That _would_ be useful, if it weren't for the fact that I can only use
> it on a single computer. If, I wanted to use their tools as a
> consultant, it'd cost me $11,000 per year! While that might be ok for
> E&Y, it's a little steep for PDR ;)
The tool is trivial and frankly, I don't think it's worth the trouble
to scan PCs simply to see if you score a 10 - BTW, the best I could
ever manage was an 9 something because a 10 means you don't actually
use most of Windows:-).
But the process of configuring a security policy they painstakingly
describe using local policy editing and assessment via the MMC snap-
in is instructive and helpful. I suspect you would find the security
templates good guidelines, but not perfectly suited for what you
want, and they can't very well charge you for templates NSA and
> Any idea if you can make Windows *not* dynamically accept ARP entires
> and rely only on static entries in the table?
Not easily. Dynamic *and* static arp entries you create expire when
you reboot, so you have to work around this.
If you want a hack, you could run a script at startup that uses the
DOS arp command to set static arp entries for all the entries you
really want on your subnet, and also sets the unused IPs to a non-
existent MAC or local MAC? Assuming you're on a "C" equivalent or
splinter, it's a modest number of lines of script, yes?
I thought to google this notion and found these folks suggested the
"For persistent static ARP cache entries, you must create a batch
file run from the Startup group."
Anyway, if you take the trouble to write the script,
send me a copy:-)
firewall-wizards mailing list