RE: Blessed Windows Security Templates

From: Kurt Dillard (kurtdill_at_microsoft.com)
Date: 12/12/03

  • Next message: Jannie Hanekom: "RE: Blessed Windows Security Templates" 
    Date: Fri, 12 Dec 2003 09:25:15 -0800
To: <rusecure@earthlink.net>, <focus-ms@securityfocus.com>

    This is what you're looking for:

    Windows 2000 Security Hardening Guide
    (http://www.microsoft.com/downloads/details.aspx?FamilyID=15E83186-A2C8-
    4C8F-A9D0-A0201F639A56&DisplayLang=en)

    If 2003 or XP become part of the picture then please refer them to these
    guides:

    Windows Server 2003 Security Guide:
    http://go.microsoft.com/fwlink/?LinkId=14845
    Threats and Countermeasures: Security Settings in Windows Server 2003
    and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
    Windows XP Security Guide: http://go.microsoft.com/fwlink/?LinkId=14839

    We worked closely with the NSA, NIST, FBI, & CIS on the 2003 guide, we
    are coordinating with them on XP & 2000 security settings too, take a
    look at this for NSA's endorsement:

    http://www.nsa.gov/snac/support/winserver03.htm

    Regards,

    Kurt Dillard, CISSP, MCSE, MCSA, CISM
    Program Manager
    Microsoft Solutions for Security
    Email: kurtdill@microsoft.com

    -----Original Message-----
    From: RUSecure [mailto:rusecure@earthlink.net]
    Sent: Thursday, December 11, 2003 6:07 PM
    To: focus-ms@securityfocus.com
    Subject: Blessed Windows Security Templates

    Hello all,

    I have a special request from a client.

    My client is looking for anyone who will help bless the use of ANY
    security Template with use for Windows 2000 and a similar configuration
    as I will describe below. They would love to actually talk to someone
    as well if possible.

    I am on an SAP ITS Web front end engagement, so you can see why I am
    recommending they seriously harden their front-end and back-end Windows
    servers.

    So here is the configuration.

    Win2K SP4 running IIS 5.0.
    SAP ITS Wgate on the front end
    SAP Agate on the backend

    I have NOT hardened anything yet... And desperately want to using
    something the client can repeatedly reproduce for use within their
    organization.

    I am recommending they use a Commercial tool, but that will take time,
    so MMC and templates for now.

    I am suggesting they use one of the Center for Internet Security
    Templates (CIS - www.cisecurity.org) which are the NIST and NSA
    templates for the Wgate servers in the DMZ Agate servers as well.

    I want them to have the ability of checking the systems using the CIS
    tool and have some level of hardening. I also suggest since they do not
    use and security templates on standalone or through AD that they need to
    move to this direction for repeatability and basic security worthiness.
    They can use MMC to manage and apply these templates and command line it
    for reproduction and compliance.

    So has ANYONE used ANY template on a configuration similar to the one I
    listed ? It does NOT have to be SAP as any basic WEB front end using
    IISLockDown with a Static Web server and NOTHING else required except
    Insight Manager and SNMP and PcAnywhere.

    I recommended the following templates:

    Win2KSrvGold_r1.0.1.inf

    Or

    HISECWEB replacement Web_Secure.INF

    Or what comes with Win2K out of the box

    Hisecws.inf.

    Need I say the lack of use hardened servers is of great concern and they
    would desire to find someone that is actually using some "template.inf"
    to secure their environment.

    These servers are going on the Internet... !!!!!!!

    H E L P !

    Cheers,

    MG

    ------------------------------------------------------------------------ 

    ---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
  • Next message: Jannie Hanekom: "RE: Blessed Windows Security Templates"

    Relevant Pages

    • [NT] Cumulative Security Update for Internet Explorer (MS04-025)
      ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
      (Securiteam)
    • [NT] Vulnerability in HTML Help Allows Code Execution (MS05-001)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service ...
      (Securiteam)
    • Re: The Myth of the secure Mac
      ... OEM Windows XP Home goes for a bit under $100. ... >> secure than Home. ... Though this really has nothing to do with security. ... Microsoft counts on third-party developers to provide more ...
      (comp.sys.mac.advocacy)
    • SecurityFocus Microsoft Newsletter # 149
      ... MICROSOFT VULNERABILITY SUMMARY ... EveryBuddy Long Message Denial Of Service Vulnerability ... Intellitactics Network Security Manager ... Windows operating systems. ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #120
      ... Strengthening Network Security: FREE Guide Network security is a ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows File Protection Signed File Replacement... ... PlatinumFTPServer Information Disclosure Vulnerability ...
      (Focus-Microsoft)