Re: What server hardening are you doing these days?

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 11/11/05

  • Next message: Hindle, Dallas: "RE: Deny Logon by Domain Admin account to specific PC's or deny to all BUT specific PC's"
    Date: Thu, 10 Nov 2005 18:21:42 -0800
    To: "Brown, Sam" <sbrown@ashe.ucla.edu>
    
    

    Virtual Server..and in VMWare... the PtoV tool.

    I forget the Vserver tool but they both suck up the physical and make a
    virtual image.

    Brown, Sam wrote:
    > It would be nice if, in a future version of Windows Server, there were a
    > way to simulate major changes to the production environment. I am not
    > aware of such a method but am open to hearing from this group. Thanks.
    >
    > Sam
    > -----Original Message-----
    > From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    > [mailto:sbradcpa@pacbell.net]
    > Sent: Thursday, November 10, 2005 4:34 PM
    > To: Kurt Dillard
    > Cc: larobins@bellatlantic.net; matthew patton;
    > focus-ms@securityfocus.com
    > Subject: Re: What server hardening are you doing these days?
    >
    > Not to mention resources for the ISV side of the world [and this is a
    > mere tip of the iceberg]
    >
    > MVPs in the area of app security
    > Visual Developer - Security:
    > https://mvp.support.microsoft.com/communities/mvplist.aspx?Product=Visual+Developer+-+Security
    >
    > Spot the Bug!:
    > http://blogs.msdn.com/rsamona/default.aspx
    >
    > Living the "Least Privilege" Lifestyle, Part 4: Is Developing Secure
    > Software as an Administrator an Impossible Dream?:
    > http://www.informit.com/articles/article.asp?p=418859&f1=rss&rl=1
    >
    > Blogs....
    >
    > Anil John <http://www.securecoder.com/blog/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22b065ff6a-b3e9-4705-ba2b-74e9ddaf5c17%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    > Dominick Baier <http://www.leastprivilege.com/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22d0eed383-8faf-40cd-bf24-d4c27976e23b%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    > Don Kiely <http://www.sqljunkies.com/WebLog/donkiely/default.aspx> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%225b786265-b44e-441a-a7dc-223cbb51e2a8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    > Keith Brown <http://pluralsight.com/blogs/keith/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22801dc9ce-60c2-4dad-8d2d-c5e68c017cc4%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    > Kenny Kerr <http://weblogs.asp.net/kennykerr/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%220688bce3-3a8f-4a76-8876-976f29dc9e66%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    > Nicole Calinoiu <http://spaces.msn.com/members/calinoiu/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22117327a2-d094-42a2-b749-933f6eed9278%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    > Robert Hurlbut <http://weblogs.asp.net/rhurlbut> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%2218f87374-ed8c-4fea-bb26-291f237e299a%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    > Rudolph Araujo <https://www.threatsandcountermeasures.com/blogs/rudolph/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22da2a7ecb-b899-41b6-9e8e-7b3e02cd224f%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    > Valery Pryamikov <http://www.harper.no/valery/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%222d962143-71ef-4020-b88d-9f13bc99ccb8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
    >
    > Web Development: Increase the Security of Your Applications:
    > http://www.microsoft.com/events/series/securitywebappdev.mspx
    >
    > Secure Software Forum:
    > http://www.securesoftwareforum.com/index.html
    >
    >
    >
    > Kurt Dillard wrote:
    >
    >> Matthew,
    >> I can understand the frustration people had with NT 4, but your broad
    >> accusations seem... Well... Hmmmm.
    >>
    >> Have you seen these documents that I helped to author?
    >> Windows Server 2003 Security Guide:
    >> http://go.microsoft.com/fwlink/?LinkId=14845
    >> Windows XP Security Guide:
    >> http://go.microsoft.com/fwlink/?LinkId=14839
    >> Threats and Countermeasures: Security Settings in Windows Server 2003
    >> and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
    >>
    >> And others from different teams:
    >> Exchange 2003 Hardening Guide:
    >> http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4aef-9a44-504db09b9065&displaylang=en
    >> Scenarios and Procedures for Microsoft Systems Management Server 2003:
    >> Security:
    >> http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4376-a72d-fd34a6c4a44c&DisplayLang=en
    >> ISA Server 2004 Security Hardening Guide:
    >> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
    >> MOM 2005 security guide:
    >> http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-42ff-bc1e-d181ccfe5dcf&displaylang=en
    >>
    >> Have you seen links such as these?
    >> http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
    >> http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
    >> acknowledgements page in the PDF file)
    >> http://www.informationweek.com/story/showArticle.jhtml?articleID=166404290
    >> http://www.eweek.com/article2/0,1895,1860574,00.asp
    >>
    >> If you're looking for mandatory access control, no general-purpose
    >> commercial software supports that out of the box. MAC is, in my
    >> opinion, not viable for the vast majority of users and businesses. As
    >> for localsystem having full access to the file system, your comment
    >> suggests that you don't realize localsystem has full access to virtually
    >> everything. It's analogous to root on *nix. If you have data you want to
    >> protect from even localsystem you'll have to encrypt it and store the
    >> key separate from the computer.
    >>
    >> To reiterate Laura's request, do you have a specific suggestion?
    >>
    >> Kurt Dillard CISSP, ISSAP, CISM, MCSE
    >> Program Manager - Security Solutions
    >> Microsoft Federal
    >>
    >> -----Original Message-----
    >> From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    >> Sent: Thursday, November 10, 2005 12:48 PM
    >> To: 'matthew patton'; focus-ms@securityfocus.com
    >> Subject: RE: What server hardening are you doing these days?
    >>
    >> I'm having a difficult time grokking what your actual assertion is here.
    >> What are you saying that Microsoft should have published that they
    >> haven't published? Have you looked at the default permissions in Win2K3?
    >> Have you looked at the changes in accounts related to Local System,
    >> Local Service and Network Service? I'm seeing a lot of vague accusation
    >> in your post, but not any explanation of what your point is.
    >>
    >> Laura
    >>
    >>> -----Original Message-----
    >>> From: matthew patton [mailto:pattonme@yahoo.com]
    >>> Sent: Thursday, November 10, 2005 10:40 AM
    >>> To: focus-ms@securityfocus.com
    >>> Subject: Re: What server hardening are you doing these days?
    >>>
    >>> I just love this bit from the MS release:
    >>>
    >>> <quote>
    >>> Because of these changes to the core operating system of Windows XP
    >>> and of Windows Server 2003, extensive changes to file permissions on
    >>> the root of the operating system are no longer required.
    >>>
    >>> Additional ACL changes may invalidate all or most of the application
    >>> compatibility testing that is performed by Microsoft. Frequently,
    >>> changes such as these have not undergone the in-depth testing that
    >>> Microsoft has performed on other settings. Support cases and field
    >>> experience has shown that ACL edits change the fundamental behavior of
    >>> the operating system, frequently in unintended ways. These changes
    >>> affect application compatibility and stability and reduce
    >>> functionality, both in terms of performance and capability.
    >>> </quote>
    >>>
    >>> This is called FUD. Microsoft has not once BOTHERED to investigate and
    >>> publish least privilege on their OS. Here in DoD land the
    >>> NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on the
    >>> matter of fixing the sad excuse that is Windows filesystem security.
    >>> Mostly because M$ itself has never published anything. To be fair,
    >>> it's improved a little bit since NT4 but LocalSystem in particular has
    >>> WAY too much access. Of course the vendor doesn't want you to change
    >>> anything. They can't be bothered to configure their OS correctly to
    >>> begin with.
    >>>
    >>> If M$ wanted to they could ship Vista with proper filesystem
    >>> permissions out of the box and nobody would notice. They just can't be
    >>> bothered. After all, when you have such a disorganized OS going 16
    >>> different ways, and an ISV community that has for decades been getting
    >>> away with murder, would you want to spend the time to figure out which
    >>> in-house programmer was being an idiot and assuming he could just step
    >>> all over the filesystem? Programmers are just plain sloppy.
    >>> They have no incentive to make security a priority. For all the PR
    >>> about M$'s new "we care about security" schtick, not a whole heck of a
    >>> lot is going to change.

    -- 
    Letting your vendors set your risk analysis these days?  
    http://www.threatcode.com
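A defender-side check in the spirit of Kurt's and Laura's points above about LocalSystem versus Local Service and Network Service (an added example, not code from anyone in the thread): it inventories services by logon account and flags LocalSystem services whose binary lives outside %SystemRoot%, which are the usual first candidates for a less privileged account. It assumes PowerShell 3 or later for Get-CimInstance; the function name Get-ServiceAccountReport is mine.

```powershell
# Added example, not from the thread. Requires PowerShell 3+ (Get-CimInstance)
# and rights to read service configuration on the local machine.
function Get-ServiceAccountReport {
    $systemRoot = $env:SystemRoot.TrimEnd('\')

    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        # PathName may be quoted and may carry arguments; isolate the executable.
        $exe = $null
        if ($svc.PathName -match '^"([^"]+)"')      { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^(.+?\.exe)') { $exe = $Matches[1] }
        elseif ($svc.PathName)                      { $exe = $svc.PathName }

        $account   = if ($svc.StartName) { $svc.StartName } else { '(none)' }
        $isSystem  = $account -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'
        $inWindows = $exe -and $exe.StartsWith($systemRoot, 'OrdinalIgnoreCase')

        [pscustomobject]@{
            Name       = $svc.Name
            Account    = $account
            StartMode  = $svc.StartMode
            State      = $svc.State
            Executable = $exe
            # LocalSystem plus a binary outside %SystemRoot%: the first place to
            # look for a service that could run as Local Service / Network Service.
            ReviewFlag = [bool]($isSystem -and -not $inWindows)
        }
    }
}

# Summary by account, then the LocalSystem services worth a least-privilege review.
$report = Get-ServiceAccountReport
$report | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object ReviewFlag | Sort-Object Name |
    Format-Table Name, StartMode, State, Executable -AutoSize
```

A flagged service is only a candidate: confirm what files, registry keys and network resources it actually touches before moving it to a restricted account, since that is exactly the compatibility breakage the quoted Microsoft text warns about.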
