RE: What server hardening are you doing these days?

From: Brown, Sam (sbrown_at_ashe.ucla.edu)
Date: 11/11/05

    Date: Thu, 10 Nov 2005 18:20:08 -0800
    To: <sbradcpa@pacbell.net>, <Kurt.Dillard@microsoft.com>
    
    

    It will be nice if, in a future version of Windows Server, there was a
    way to simulate major changes to the production environment. I am not
    aware of such a method but am open to hearing from this group. Thanks.

    Sam
    -----Original Message-----
    From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    [mailto:sbradcpa@pacbell.net]
    Sent: Thursday, November 10, 2005 4:34 PM
    To: Kurt Dillard
    Cc: larobins@bellatlantic.net; matthew patton;
    focus-ms@securityfocus.com
    Subject: Re: What server hardening are you doing these days?

    Not to mention resources for the ISV side of the world [and this is a
    mere tip of the iceberg]

    MVPs in the area of app security
    Visual Developer - Security:
    https://mvp.support.microsoft.com/communities/mvplist.aspx?Product=Visual+Developer+-+Security

    Spot the Bug!:
    http://blogs.msdn.com/rsamona/default.aspx

    Living the "Least Privilege" Lifestyle, Part 4: Is Developing Secure
    Software as an Administrator an Impossible Dream?:
    http://www.informit.com/articles/article.asp?p=418859&f1=rss&rl=1

    Blogs....

    Anil John <http://www.securecoder.com/blog/> - Public Profile
    <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22b065ff6a-b3e9-4705-ba2b-74e9ddaf5c17%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    Dominick Baier <http://www.leastprivilege.com/> - Public Profile
    <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22d0eed383-8faf-40cd-bf24-d4c27976e23b%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    Don Kiely <http://www.sqljunkies.com/WebLog/donkiely/default.aspx> - Public Profile
    <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%225b786265-b44e-441a-a7dc-223cbb51e2a8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    Keith Brown <http://pluralsight.com/blogs/keith/> - Public Profile
    <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22801dc9ce-60c2-4dad-8d2d-c5e68c017cc4%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    Kenny Kerr <http://weblogs.asp.net/kennykerr/> - Public Profile
    <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%220688bce3-3a8f-4a76-8876-976f29dc9e66%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    Nicole Calinoiu <http://spaces.msn.com/members/calinoiu/> - Public Profile
    <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22117327a2-d094-42a2-b749-933f6eed9278%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    Robert Hurlbut <http://weblogs.asp.net/rhurlbut> - Public Profile
    <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%2218f87374-ed8c-4fea-bb26-291f237e299a%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    Rudolph Araujo <https://www.threatsandcountermeasures.com/blogs/rudolph/> - Public Profile
    <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22da2a7ecb-b899-41b6-9e8e-7b3e02cd224f%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    Valery Pryamikov <http://www.harper.no/valery/> - Public Profile
    <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%222d962143-71ef-4020-b88d-9f13bc99ccb8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

    Web Development: Increase the Security of Your Applications:
    http://www.microsoft.com/events/series/securitywebappdev.mspx

    Secure Software Forum:
    http://www.securesoftwareforum.com/index.html

    Kurt Dillard wrote:
    > Matthew,
    > I can understand the frustration people had with NT 4, but your broad
    > accusations seem... Well... Hmmmm.
    >
    > Have you seen these documents that I helped to author?
    > Windows Server 2003 Security Guide:
    > http://go.microsoft.com/fwlink/?LinkId=14845
    > Windows XP Security Guide:
    > http://go.microsoft.com/fwlink/?LinkId=14839
    > Threats and Countermeasures: Security Settings in Windows Server 2003
    > and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
    >
    > And others from different teams:
    > Exchange 2003 Hardening Guide:
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4aef-9a44-504db09b9065&displaylang=en
    > Scenarios and Procedures for Microsoft Systems Management Server 2003:
    > Security:
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4376-a72d-fd34a6c4a44c&DisplayLang=en
    > ISA Server 2004 Security Hardening Guide:
    > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
    > MOM 2005 security guide:
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-42ff-bc1e-d181ccfe5dcf&displaylang=en
    >
    > Have you seen links such as these?
    > http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
    > http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
    > acknowledgements page in the PDF file)
    > http://www.informationweek.com/story/showArticle.jhtml?articleID=166404290
    > http://www.eweek.com/article2/0,1895,1860574,00.asp
    >
    > If you're looking for mandatory access control, no general purpose
    > commercial software supports that out of the box. MACs is, in my
    > opinion, not viable for the vast majority of users and businesses. As
    > for localsystem having full access to the file system, your comment
    > suggests that you don't realize localsystem has full access to
    > virtually everything. It's analogous to root on *nix. If you have data
    > you want to protect from even localsystem you'll have to encrypt it
    > and store the key separate from the computer.
    >
    > To reiterate Laura's request, do you have a specific suggestion?
    >
    > Kurt Dillard CISSP, ISSAP, CISM, MCSE
    > Program Manager - Security Solutions
    > Microsoft Federal
    >
    > -----Original Message-----
    > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    > Sent: Thursday, November 10, 2005 12:48 PM
    > To: 'matthew patton'; focus-ms@securityfocus.com
    > Subject: RE: What server hardening are you doing these days?
    >
    > I'm having a difficult time grokking what your actual assertion is
    > here. What are you saying that Microsoft should have published that
    > they haven't published? Have you looked at the default permissions in
    > Win2K3? Have you looked at the changes in accounts related to Local
    > System, Local Service and Network Service? I'm seeing a lot of vague
    > accusation in your post, but not any explanation of what your point
    > is.
    >
    > Laura
    >
    >
    >> -----Original Message-----
    >> From: matthew patton [mailto:pattonme@yahoo.com]
    >> Sent: Thursday, November 10, 2005 10:40 AM
    >> To: focus-ms@securityfocus.com
    >> Subject: Re: What server hardening are you doing these days?
    >>
    >> I just love this bit from the MS release:
    >>
    >> <quote>
    >> Because of these changes to the core operating system of Windows XP
    >> and of Windows Server 2003, extensive changes to file permissions on
    >> the root of the operating system are no longer required.
    >>
    >> Additional ACL changes may invalidate all or most of the application
    >> compatibility testing that is performed by Microsoft. Frequently,
    >> changes such as these have not undergone the in-depth testing that
    >> Microsoft has performed on other settings. Support cases and field
    >> experience has shown that ACL edits change the fundamental behavior of
    >> the operating system, frequently in unintended ways. These changes
    >> affect application compatibility and stability and reduce
    >> functionality, both in terms of performance and capability.
    >> </quote>
    >>
    >> This is called FUD. Microsoft has not once BOTHERED to investigate and
    >> publish least privilege on their OS. Here in DoD land the
    >> NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on the
    >> matter of fixing the sad excuse that is windows filesystem security.
    >> Mostly because M$ itself has never published anything. To be fair,
    >> it's improved a little bit since NT4 but LocalSystem in particular has
    >> WAY too much access. Of course the vendor doesn't want you to change
    >> anything. They can't be bothered to configure their OS correctly to
    >> begin with.
    >>
    >> If M$ wanted to they could ship Vista with proper filesystem
    >> permissions out of the box and nobody would notice. They just can't be
    >> bothered. After all, when you have such a disorganized OS going 16
    >> different ways, and an ISV community that has for decades been getting
    >> away with murder, would you want to spend the time to figure out which
    >> in-house programmer was being an idiot and assuming he could just step
    >> all over the filesystem? Programmers are just plain sloppy.
    >> They have no incentive to make security a priority. For all the PR
    >> about M$'s new "we care about security" schtick, not a whole heck of a
    >> lot is going to change.
    >>
    >>
    >   
    -- 
    Letting your vendors set your risk analysis these days?  
    http://www.threatcode.com