RE: What server hardening are you doing these days?

From: Derick Anderson (
Date: 11/11/05

  • Next message: James Eaton-Lee: "RE: What server hardening are you doing these days?"
    Date: Fri, 11 Nov 2005 08:35:15 -0500
    To: <>

    In light of how quickly the Zotob/etc. worms spread after MS05-039 was
    released (6 days, was it?), I think it's safer to stick to
    Microsoft-tested ACLs and templates and push down patches quickly. I
    usually have all my machines patched the weekend after the patches come
    out. I can do that because I don't mess with ACLs for an operating
    system I don't fully understand.

    Theoretically, I like the idea of perfect file ACLs and mandatory access
    control. However, in the real world, security must be realistic to the
    situation. All the file ACLs in the world can't help an unpatched
    machine. MAC can't do much with a privilege-elevation exploit on a
    system executable. I try to assess the risk based on what I see in the
    real world, and #1 on that list is unpatched Windows boxes getting
    owned. Since I don't let anyone but sys admins on my production servers,
    file ACLs aren't as big of an issue.

    What I'd like to see from Microsoft is executable whitelisting turned on
    by default: no program runs unless it is part of the system or an admin
    has explicitly installed it (and thus adding it to the whitelist). Since
    regular users are denied write access to anything other than their own
    directories we are halfway there.

    Let me also say that I am not a raving Microsoft fanatic. If I can
    accomplish my goals using a non-GUI Debian (that's a Linux distro for
    the uninitiated =) ) server, I will. Unfortunately, Linux has a ways to
    go when it comes to shared file access (Active Directory groups) and
    centralized domain-wide policy management (Group Policy). I use the
    product that is best suited for the need.

    Derick Anderson

    > -----Original Message-----
    > From: Depp, Dennis M. []
    > Sent: Friday, November 11, 2005 7:06 AM
    > To:; Derick Anderson
    > Cc:
    > Subject: RE: What server hardening are you doing these days?
    > While I agree the NSA guides are more secure. There is also
    > the Center for Internet Security
    > The problem with these templates is I'm not sure Microsoft
    > uses them when they do regression testing for hotfixes and
    > service packs. This means I have to do more complete testing
    > for hotfixes and service packs. This translates into longer
    > deployment time for a hotfix. Each organization has to
    > decide if the additional security of the NSA or CIS guides
    > provides is worth the additional problems in patch deployment.
    > Dennis
    > -----Original Message-----
    > From: Syv Ritch []
    > Sent: Thursday, November 10, 2005 6:34 PM
    > To: Derick Anderson
    > Cc:
    > Subject: Re: What server hardening are you doing these days?
    > Derick Anderson wrote:
    > > I also stick to Microsoft best practices when it comes to Microsoft
    > > servers, it's just safer that way. I haven't yet implemented the
    > Windows
    > > 2003 Security guide templates (for fear of breaking our production
    > > environment) but I plan to do that after I've taken care of
    > some other
    > > more basic issues (domain split, network split, user
    > lockdown, etc.).
    > >
    > Maybe you should reconsider. There is lot better than MS when
    > it comes to advising on security.
    > The NSA. They have both guides and templates. It actually
    > works and is far more secure than the MS advice.
    > --
    > Thanks
    > When the network has to work Cisco/Microsoft
    > --------------------------------------------------------------
    > ----------
    > ---
    > --------------------------------------------------------------
    > ----------
    > ---


  • Next message: James Eaton-Lee: "RE: What server hardening are you doing these days?"