Re: What server hardening are you doing these days?

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 11/11/05

  • Next message: Hindle, Dallas: "RE: Deny Logon by Domain Admin account to specific PC's or deny to all BUT specific PC's"
    Date: Thu, 10 Nov 2005 18:21:42 -0800
    To: "Brown, Sam" <sbrown@ashe.ucla.edu>
    
    

    Virtual Server..and in VMWare... the PtoV tool.

    I forget the Vserver tool but they both suck up the physical and make a
    virtual image.

    Brown, Sam wrote:
    > It will be nice if in a future version of Windows server if there was a
    > way to simulate major changes to the production environment. I am not
    > aware of such a method but am open to hear from this group. Thanks.
    >
    > Sam
    > -----Original Message-----
    > From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    > [mailto:sbradcpa@pacbell.net]
    > Sent: Thursday, November 10, 2005 4:34 PM
    > To: Kurt Dillard
    > Cc: larobins@bellatlantic.net; matthew patton;
    > focus-ms@securityfocus.com
    > Subject: Re: What server hardening are you doing these days?
    >
    > Not to mention resources for the ISV side of the world [and this is a
    > mere tip of the iceburg]
    >
    > MVPs in the area of app security
    > Visual Developer - Security:
    > https://mvp.support.microsoft.com/communities/mvplist.aspx?Product=Visua
    > l+Developer+-+Security
    >
    > Spot the Bug!:
    > http://blogs.msdn.com/rsamona/default.aspx
    >
    > Living the "Least Privilege" Lifestyle, Part 4: Is Developing Secure
    > Software as an Administrator an Impossible Dream?:
    > http://www.informit.com/articles/article.asp?p=418859&f1=rss&rl=1
    >
    > Blogs....
    >
    > Anil John <http://www.securecoder.com/blog/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
    > DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22b065ff6a-b3e9-4705-b
    > a2b-74e9ddaf5c17%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
    > arams%5e>
    > Dominick Baier <http://www.leastprivilege.com/> -Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
    > DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22d0eed383-8faf-40cd-b
    > f24-d4c27976e23b%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
    > arams%5e>
    > Don Kiely <http://www.sqljunkies.com/WebLog/donkiely/default.aspx> -
    > Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
    > DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%225b786265-b44e-441a-a
    > 7dc-223cbb51e2a8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
    > arams%5e>
    > Keith Brown <http://pluralsight.com/blogs/keith/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
    > DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22801dc9ce-60c2-4dad-8
    > d2d-c5e68c017cc4%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
    > arams%5e>
    > Kenny Kerr <http://weblogs.asp.net/kennykerr/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
    > DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%220688bce3-3a8f-4a76-8
    > 876-976f29dc9e66%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
    > arams%5e>
    > Nicole Calinoiu <http://spaces.msn.com/members/calinoiu/> - Public
    > Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
    > DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22117327a2-d094-42a2-b
    > 749-933f6eed9278%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
    > arams%5e>
    > Robert Hurlbut <http://weblogs.asp.net/rhurlbut> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
    > DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%2218f87374-ed8c-4fea-b
    > b26-291f237e299a%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
    > arams%5e>
    > Rudolph Araujo
    > <https://www.threatsandcountermeasures.com/blogs/rudolph/> - Public
    > Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
    > DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22da2a7ecb-b899-41b6-9
    > e8e-7b3e02cd224f%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
    > arams%5e>
    > Valery Pryamikov <http://www.harper.no/valery/> - Public Profile
    > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
    > DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%222d962143-71ef-4020-b
    > 88d-9f13bc99ccb8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
    > arams%5e>
    >
    > Web Development: Increase the Security of Your Applications:
    > http://www.microsoft.com/events/series/securitywebappdev.mspx
    >
    > Secure Software Forum:
    > http://www.securesoftwareforum.com/index.html
    >
    >
    >
    > Kurt Dillard wrote:
    >
    >> Matthew,
    >> I can understand the frustration people had with NT 4, but your broad
    >> accusations seem... Well... Hmmmm.
    >>
    >> Have you seen these documents that I helped to author?
    >> Windows Server 2003 Security Guide:
    >> http://go.microsoft.com/fwlink/?LinkId=14845
    >> Windows XP Security Guide:
    >>
    > http://go.microsoft.com/fwlink/?LinkId=14839
    >
    >> Threats and Countermeasures: Security Settings in Windows Server 2003
    >> and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
    >>
    >> And others from different teams:
    >> Exchange 2003 Hardening Guide:
    >>
    >>
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4
    >
    >> aef-9a44-504db09b9065&displaylang=en
    >> Scenarios and Procedures for Microsoft Systems Management Server 2003:
    >> Security:
    >>
    >>
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4
    >
    >> 376-a72d-fd34a6c4a44c&DisplayLang=en
    >> ISA Server 2004 Security Hardening Guide:
    >>
    >>
    > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityharde
    >
    >> ningguide.mspx
    >> MOM 2005 security guide:
    >>
    >>
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-4
    >
    >> 2ff-bc1e-d181ccfe5dcf&displaylang=en
    >>
    >> Have you seen links such as these?
    >> http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
    >> http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
    >> acknowledgements page in the PDF file)
    >>
    >>
    > http://www.informationweek.com/story/showArticle.jhtml?articleID=1664042
    >
    >> 90
    >> http://www.eweek.com/article2/0,1895,1860574,00.asp
    >>
    >> If you're looking for mandatory access control, no general purpose
    >> commercial software supports that out of the box. MACs is, in my
    >> opinion, not viable for the vast majority of users and businesses. As
    >> for localsystem having full access to the file system, your comment
    >> suggests that you don't realize localsystem has full access to
    >>
    > virtually
    >
    >> everything. Its analogous to root on *nix. If you have data you want
    >>
    > to
    >
    >> protect from even localsystem you'll have to encrypt it and store the
    >> key separate from the computer.
    >>
    >> To reiterate Laura's request, do you have a specific suggestion?
    >>
    >> Kurt Dillard CISSP, ISSAP, CISM, MCSE
    >> Program Manager - Security Solutions
    >> Microsoft Federal
    >>
    >> -----Original Message-----
    >> From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    >> Sent: Thursday, November 10, 2005 12:48 PM
    >> To: 'matthew patton'; focus-ms@securityfocus.com
    >> Subject: RE: What server hardening are you doing these days?
    >>
    >> I'm having a difficult time grokking what your actual assertion is
    >>
    > here.
    >
    >> What are you saying that Microsoft should have published that they
    >> haven't published? Have you looked at the default permissions in
    >>
    > Win2K3?
    >
    >> Have you looked at the changes in accounts related to Local System,
    >> Local Service and Network Service? I'm seeing a lot of vague
    >>
    > accusation
    >
    >> in your post, but not any explanation of what your point is.
    >>
    >> Laura
    >>
    >>
    >>
    >>> -----Original Message-----
    >>> From: matthew patton [mailto:pattonme@yahoo.com]
    >>> Sent: Thursday, November 10, 2005 10:40 AM
    >>> To: focus-ms@securityfocus.com
    >>> Subject: Re: What server hardening are you doing these days?
    >>>
    >>> I just love this bit from the MS release:
    >>>
    >>> <quote>
    >>> Because of these changes to the core operating system of Windows XP
    >>> and of Windows Server 2003, extensive changes to file permissions on
    >>> the root of the operating system are no longer required.
    >>>
    >>> Additional ACL changes may invalidate all or most of the application
    >>> compatibility testing that is performed by Microsoft. Frequently,
    >>> changes such as these have not undergone the in-depth testing that
    >>> Microsoft has performed on other settings. Support cases and field
    >>> experience has shown that ACL edits change the fundamental behavior
    >>>
    > of
    >
    >>>
    >>>
    >>
    >>
    >>> the operating system, frequently in unintended ways. These changes
    >>> affect application compatibility and stability and reduce
    >>> functionality, both in terms of performance and capability.
    >>> </quote>
    >>>
    >>> This is called FUD. Microsoft has not once BOTHERED to investigate
    >>>
    > and
    >
    >>>
    >>>
    >>
    >>
    >>> publish least privilege on their OS. Here in DoD land the
    >>> NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on
    >>>
    > the
    >
    >>>
    >>>
    >>
    >>
    >>> matter of fixing the sad excuse that is windows filesystem security.
    >>> Mostly because M$ itself has never published anything. To be fair,
    >>> it's improved a little bit since NT4 but LocalSystem in particular
    >>>
    > has
    >
    >>>
    >>>
    >>
    >>
    >>> WAY too much access. Of course the vendor doesn't want you to change
    >>> anything. They can't be bothered to configure their OS correctly to
    >>> begin with.
    >>>
    >>> If M$ wanted to they could ship Vista with proper filesystem
    >>> permissions out of the box and nobody would notice. They just can't
    >>>
    > be
    >
    >>>
    >>>
    >>
    >>
    >>> bothered. Afterall, when you have such a disorganized OS going 16
    >>> different ways, and an ISV community that has for decades been
    >>>
    > getting
    >
    >>>
    >>>
    >>
    >>
    >>> away with murder, would you want to spend the time to figure out
    >>>
    > which
    >
    >>>
    >>>
    >>
    >>
    >>> in-house programmer was being an idiot and assuming he could just
    >>>
    > step
    >
    >>>
    >>>
    >>
    >>
    >>> all over the filesystem? Programmers are just plain sloppy.
    >>> They have no incentive to make security a priority. For all the PR
    >>> about M$'s new "we care about security" schtick, not a whole heck of
    >>>
    > a
    >
    >>>
    >>>
    >>
    >>
    >>> lot is going to change.
    >>>
    >>>
    >>> --------------------------------------------------------------
    >>> -------------
    >>> --------------------------------------------------------------
    >>> -------------
    >>>
    >>>
    >>>
    >>
    >>
    > ------------------------------------------------------------------------
    >
    >> ---
    >>
    >>
    > ------------------------------------------------------------------------
    >
    >> ---
    >>
    >>
    >>
    >>
    > ------------------------------------------------------------------------
    > ---
    >
    > ------------------------------------------------------------------------
    > ---
    >
    >>
    >>
    >
    >

    -- 
    Letting your vendors set your risk analysis these days?  
    http://www.threatcode.com
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    

  • Next message: Hindle, Dallas: "RE: Deny Logon by Domain Admin account to specific PC's or deny to all BUT specific PC's"

    Relevant Pages

    • Re: A Happy Birthday to Dear Sam Ramey
      ... From: www.Handelmania.com - view profile ... Rating: ... I first met Sam when he started singing with our Paterson,New Jersey ... Opera Company around 1970.(Paul Plishka,our first "leading basso" was ...
      (rec.music.opera)
    • Re: Cannot Use System Infomation Function
      ... Thanks, Sam. ... > "Can't collect information Access denied to Windows Management ... > Instumentation server on this computer. ... >> My profile has administrator privileges. ...
      (microsoft.public.windowsxp.general)
    • Re: Cannot logon to "(local machine)"
      ... Everything pointed to the "logon locally" ... User accounts however are ... "authenticated" either locally or on the network's SAM, ... account, which created the local profile on my machine, that I could just ...
      (microsoft.public.win2000.group_policy)
    • Re: get oringal name for a renamed file
      ... Perhaps - Explore to your Profile in Documents & Settings. ... Look in the "My Recent Documents" folder, ... > Sam wrote: ...
      (microsoft.public.windowsxp.general)