Re: What server hardening are you doing these days?
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 11/11/05
- Previous message: Laura A. Robinson: "RE: Deny Logon by Domain Admin account to specific PC's or deny to all BUT specific PC's"
- In reply to: Brown, Sam: "RE: What server hardening are you doing these days?"
- Next in thread: matthew patton: "Re: What server hardening are you doing these days?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 10 Nov 2005 18:21:42 -0800 To: "Brown, Sam" <sbrown@ashe.ucla.edu>
Virtual Server..and in VMWare... the PtoV tool.
I forget the Vserver tool but they both suck up the physical and make a
virtual image.
Brown, Sam wrote:
> It will be nice if in a future version of Windows server if there was a
> way to simulate major changes to the production environment. I am not
> aware of such a method but am open to hear from this group. Thanks.
>
> Sam
> -----Original Message-----
> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> [mailto:sbradcpa@pacbell.net]
> Sent: Thursday, November 10, 2005 4:34 PM
> To: Kurt Dillard
> Cc: larobins@bellatlantic.net; matthew patton;
> focus-ms@securityfocus.com
> Subject: Re: What server hardening are you doing these days?
>
> Not to mention resources for the ISV side of the world [and this is a
> mere tip of the iceburg]
>
> MVPs in the area of app security
> Visual Developer - Security:
> https://mvp.support.microsoft.com/communities/mvplist.aspx?Product=Visua
> l+Developer+-+Security
>
> Spot the Bug!:
> http://blogs.msdn.com/rsamona/default.aspx
>
> Living the "Least Privilege" Lifestyle, Part 4: Is Developing Secure
> Software as an Administrator an Impossible Dream?:
> http://www.informit.com/articles/article.asp?p=418859&f1=rss&rl=1
>
> Blogs....
>
> Anil John <http://www.securecoder.com/blog/> - Public Profile
> <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
> DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22b065ff6a-b3e9-4705-b
> a2b-74e9ddaf5c17%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
> arams%5e>
> Dominick Baier <http://www.leastprivilege.com/> -Public Profile
> <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
> DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22d0eed383-8faf-40cd-b
> f24-d4c27976e23b%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
> arams%5e>
> Don Kiely <http://www.sqljunkies.com/WebLog/donkiely/default.aspx> -
> Public Profile
> <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
> DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%225b786265-b44e-441a-a
> 7dc-223cbb51e2a8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
> arams%5e>
> Keith Brown <http://pluralsight.com/blogs/keith/> - Public Profile
> <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
> DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22801dc9ce-60c2-4dad-8
> d2d-c5e68c017cc4%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
> arams%5e>
> Kenny Kerr <http://weblogs.asp.net/kennykerr/> - Public Profile
> <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
> DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%220688bce3-3a8f-4a76-8
> 876-976f29dc9e66%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
> arams%5e>
> Nicole Calinoiu <http://spaces.msn.com/members/calinoiu/> - Public
> Profile
> <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
> DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22117327a2-d094-42a2-b
> 749-933f6eed9278%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
> arams%5e>
> Robert Hurlbut <http://weblogs.asp.net/rhurlbut> - Public Profile
> <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
> DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%2218f87374-ed8c-4fea-b
> b26-291f237e299a%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
> arams%5e>
> Rudolph Araujo
> <https://www.threatsandcountermeasures.com/blogs/rudolph/> - Public
> Profile
> <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
> DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22da2a7ecb-b899-41b6-9
> e8e-7b3e02cd224f%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
> arams%5e>
> Valery Pryamikov <http://www.harper.no/valery/> - Public Profile
> <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
> DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%222d962143-71ef-4020-b
> 88d-9f13bc99ccb8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
> arams%5e>
>
> Web Development: Increase the Security of Your Applications:
> http://www.microsoft.com/events/series/securitywebappdev.mspx
>
> Secure Software Forum:
> http://www.securesoftwareforum.com/index.html
>
>
>
> Kurt Dillard wrote:
>
>> Matthew,
>> I can understand the frustration people had with NT 4, but your broad
>> accusations seem... Well... Hmmmm.
>>
>> Have you seen these documents that I helped to author?
>> Windows Server 2003 Security Guide:
>> http://go.microsoft.com/fwlink/?LinkId=14845
>> Windows XP Security Guide:
>>
> http://go.microsoft.com/fwlink/?LinkId=14839
>
>> Threats and Countermeasures: Security Settings in Windows Server 2003
>> and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
>>
>> And others from different teams:
>> Exchange 2003 Hardening Guide:
>>
>>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4
>
>> aef-9a44-504db09b9065&displaylang=en
>> Scenarios and Procedures for Microsoft Systems Management Server 2003:
>> Security:
>>
>>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4
>
>> 376-a72d-fd34a6c4a44c&DisplayLang=en
>> ISA Server 2004 Security Hardening Guide:
>>
>>
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityharde
>
>> ningguide.mspx
>> MOM 2005 security guide:
>>
>>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-4
>
>> 2ff-bc1e-d181ccfe5dcf&displaylang=en
>>
>> Have you seen links such as these?
>> http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
>> http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
>> acknowledgements page in the PDF file)
>>
>>
> http://www.informationweek.com/story/showArticle.jhtml?articleID=1664042
>
>> 90
>> http://www.eweek.com/article2/0,1895,1860574,00.asp
>>
>> If you're looking for mandatory access control, no general purpose
>> commercial software supports that out of the box. MACs is, in my
>> opinion, not viable for the vast majority of users and businesses. As
>> for localsystem having full access to the file system, your comment
>> suggests that you don't realize localsystem has full access to
>>
> virtually
>
>> everything. Its analogous to root on *nix. If you have data you want
>>
> to
>
>> protect from even localsystem you'll have to encrypt it and store the
>> key separate from the computer.
>>
>> To reiterate Laura's request, do you have a specific suggestion?
>>
>> Kurt Dillard CISSP, ISSAP, CISM, MCSE
>> Program Manager - Security Solutions
>> Microsoft Federal
>>
>> -----Original Message-----
>> From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
>> Sent: Thursday, November 10, 2005 12:48 PM
>> To: 'matthew patton'; focus-ms@securityfocus.com
>> Subject: RE: What server hardening are you doing these days?
>>
>> I'm having a difficult time grokking what your actual assertion is
>>
> here.
>
>> What are you saying that Microsoft should have published that they
>> haven't published? Have you looked at the default permissions in
>>
> Win2K3?
>
>> Have you looked at the changes in accounts related to Local System,
>> Local Service and Network Service? I'm seeing a lot of vague
>>
> accusation
>
>> in your post, but not any explanation of what your point is.
>>
>> Laura
>>
>>
>>
>>> -----Original Message-----
>>> From: matthew patton [mailto:pattonme@yahoo.com]
>>> Sent: Thursday, November 10, 2005 10:40 AM
>>> To: focus-ms@securityfocus.com
>>> Subject: Re: What server hardening are you doing these days?
>>>
>>> I just love this bit from the MS release:
>>>
>>> <quote>
>>> Because of these changes to the core operating system of Windows XP
>>> and of Windows Server 2003, extensive changes to file permissions on
>>> the root of the operating system are no longer required.
>>>
>>> Additional ACL changes may invalidate all or most of the application
>>> compatibility testing that is performed by Microsoft. Frequently,
>>> changes such as these have not undergone the in-depth testing that
>>> Microsoft has performed on other settings. Support cases and field
>>> experience has shown that ACL edits change the fundamental behavior
>>>
> of
>
>>>
>>>
>>
>>
>>> the operating system, frequently in unintended ways. These changes
>>> affect application compatibility and stability and reduce
>>> functionality, both in terms of performance and capability.
>>> </quote>
>>>
>>> This is called FUD. Microsoft has not once BOTHERED to investigate
>>>
> and
>
>>>
>>>
>>
>>
>>> publish least privilege on their OS. Here in DoD land the
>>> NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on
>>>
> the
>
>>>
>>>
>>
>>
>>> matter of fixing the sad excuse that is windows filesystem security.
>>> Mostly because M$ itself has never published anything. To be fair,
>>> it's improved a little bit since NT4 but LocalSystem in particular
>>>
> has
>
>>>
>>>
>>
>>
>>> WAY too much access. Of course the vendor doesn't want you to change
>>> anything. They can't be bothered to configure their OS correctly to
>>> begin with.
>>>
>>> If M$ wanted to they could ship Vista with proper filesystem
>>> permissions out of the box and nobody would notice. They just can't
>>>
> be
>
>>>
>>>
>>
>>
>>> bothered. Afterall, when you have such a disorganized OS going 16
>>> different ways, and an ISV community that has for decades been
>>>
> getting
>
>>>
>>>
>>
>>
>>> away with murder, would you want to spend the time to figure out
>>>
> which
>
>>>
>>>
>>
>>
>>> in-house programmer was being an idiot and assuming he could just
>>>
> step
>
>>>
>>>
>>
>>
>>> all over the filesystem? Programmers are just plain sloppy.
>>> They have no incentive to make security a priority. For all the PR
>>> about M$'s new "we care about security" schtick, not a whole heck of
>>>
> a
>
>>>
>>>
>>
>>
>>> lot is going to change.
>>>
>>>
>>> --------------------------------------------------------------
>>> -------------
>>> --------------------------------------------------------------
>>> -------------
>>>
>>>
>>>
>>
>>
> ------------------------------------------------------------------------
>
>> ---
>>
>>
> ------------------------------------------------------------------------
>
>> ---
>>
>>
>>
>>
> ------------------------------------------------------------------------
> ---
>
> ------------------------------------------------------------------------
> ---
>
>>
>>
>
>
-- Letting your vendors set your risk analysis these days? http://www.threatcode.com --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Laura A. Robinson: "RE: Deny Logon by Domain Admin account to specific PC's or deny to all BUT specific PC's"
- In reply to: Brown, Sam: "RE: What server hardening are you doing these days?"
- Next in thread: matthew patton: "Re: What server hardening are you doing these days?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
