RE: Blessed Windows Security Templates

From: Jannie Hanekom (j_hanekom_at_hotmail.com)
Date: 12/12/03

  • Next message: Harlan Carvey: "Re: Blessed Windows Security Templates"
    To: <focus-ms@securityfocus.com>
    Date: Fri, 12 Dec 2003 17:58:28 -0000
    
    

    Hi MG

    It's rather comprehensive, but in that type of setup you may want to have a
    look at Microsoft's "System Architecture" set of documents at
    http://www.microsoft.com/business/reducecosts/efficiency/consolidate/msa.msp
    x. (This used to be called "Microsoft Internet Data Center".)

    This consists primarily of a set of documents, so it won't give you a shiny
    GUI. However, with a bit of reading, anyone with a bit of sense can
    implement the suggestions.

    I've only used the v1.0 documents, so can't speak for v1.5 or v2.0 directly,
    but they were VERY comprehensive and battle-hardened and are separated into
    design blueprints and "reference" implementations, allowing you to use
    elements from both as you see fit. (Most notably the security documents
    will probably be of use to you.)

    Something else which may be useful is that the reference architecture uses
    the Microsoft/HP/EMC/Cisco hardware set, which is what you seem to be
    running SAP on. (That seems to be one of the more popular platforms for SAP
    on NT anyway.)

    The documents themselves are free, but Microsoft sells the automated tools
    they mention in the docs at a hefty price. However, you can get by just
    fine in most situations by performing some of the tasks manually or building
    your own (basic) tools.

    Hope that helps.

    Jannie

    -----Original Message-----
    From: RUSecure [mailto:rusecure@earthlink.net]
    Sent: 12 December 2003 02:07
    To: focus-ms@securityfocus.com
    Subject: Blessed Windows Security Templates

    Hello all,

    I have a special request from a client.

    My client is looking for anyone who will help bless the use of ANY security
    Template with use for Windows 2000 and a similar configuration as I will
    describe below. They would love to actually talk to someone as well if
    possible.

    I am on an SAP ITS Web front end engagement, so you can see why I am
    recommending they seriously harden their front-end and back-end Windows
    servers.

    So here is the configuration.

    Win2K SP4 running IIS 5.0.
    SAP ITS Wgate on the front end
    SAP Agate on the backend

    I have NOT hardened anything yet... And desperately want to using something
    the client can repeatedly reproduce for use within their organization.

    I am recommending they use a Commercial tool, but that will take time, so
    MMC and templates for now.

    I am suggesting they use one of the Center for Internet Security Templates
    (CIS - www.cisecurity.org) which are the NIST and NSA templates for the
    Wgate servers in the DMZ Agate servers as well.

    I want them to have the ability of checking the systems using the CIS tool
    and have some level of hardening. I also suggest since they do not use and
    security templates on standalone or through AD that they need to move to
    this direction for repeatability and basic security worthiness. They can use
    MMC to manage and apply these templates and command line it for reproduction
    and compliance.

    So has ANYONE used ANY template on a configuration similar to the one I
    listed ? It does NOT have to be SAP as any basic WEB front end using
    IISLockDown with a Static Web server and NOTHING else required except
    Insight Manager and SNMP and PcAnywhere.

    I recommended the following templates:

    Win2KSrvGold_r1.0.1.inf

    Or

    HISECWEB replacement Web_Secure.INF

    Or what comes with Win2K out of the box

    Hisecws.inf.

    Need I say the lack of use hardened servers is of great concern and they
    would desire to find someone that is actually using some "template.inf" to
    secure their environment.

    These servers are going on the Internet... !!!!!!!

    H E L P !

    Cheers,

    MG

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Harlan Carvey: "Re: Blessed Windows Security Templates"

    Relevant Pages

    • Re: Blessed Windows Security Templates
      ... > running SAP on. ... > Subject: Blessed Windows Security Templates ... > Wgate servers in the DMZ Agate servers as well. ...
      (Focus-Microsoft)
    • RE: Blessed Windows Security Templates
      ... It has templates for all types of NT/2000 servers. ... I am suggesting they use one of the Center for Internet Security Templates ... and have some level of hardening. ...
      (Focus-Microsoft)
    • RE: Blessed Windows Security Templates
      ... I am in a situation where the client has multiple standalone servers that ... I downloaded the secruity templates from MS ... I have a special request from a client. ... tool and have some level of hardening. ...
      (Focus-Microsoft)
    • Re: File System as a cache mechanism
      ... > In the journey of finding ways to scale our application with my current> hardware, I've been playing around with using our servers hard disk as a> means of caching information. ... Under load,> there is way too much % of CPU going to these "framework" items and as we> add web machines to the farm, the overall RPS for each machine drops. ... Up> until now, we've used Cache for these items, but we are now having> problems with memory consumption over these hundreds of templates. ...
      (microsoft.public.dotnet.framework.performance)
    • Re: Understanding security template INF structures
      ... templates and GPO, instead of having to go from machine to machine... ... good memories of roller skating on Ring My Bell... ... Manually editing security templates is unsupported, ...
      (microsoft.public.win2000.security)