RE: What server hardening are you doing these days?

From: Derick Anderson (danderson_at_vikus.com)
Date: 11/11/05

    Date: Fri, 11 Nov 2005 08:35:15 -0500
    To: <focus-ms@securityfocus.com>
    
    In light of how quickly the Zotob/etc. worms spread after MS05-039 was
    released (6 days, was it?), I think it's safer to stick to
    Microsoft-tested ACLs and templates and push down patches quickly. I
    usually have all my machines patched the weekend after the patches come
    out. I can do that because I don't mess with ACLs for an operating
    system I don't fully understand.

    Theoretically, I like the idea of perfect file ACLs and mandatory access
    control. However, in the real world, security must be realistic to the
    situation. All the file ACLs in the world can't help an unpatched
    machine. MAC can't do much with a privilege-elevation exploit on a
    system executable. I try to assess the risk based on what I see in the
    real world, and #1 on that list is unpatched Windows boxes getting
    owned. Since I don't let anyone but sys admins on my production servers,
    file ACLs aren't as big of an issue.

    What I'd like to see from Microsoft is executable whitelisting turned on
    by default: no program runs unless it is part of the system or an admin
    has explicitly installed it (thus adding it to the whitelist). Since
    regular users are denied write access to anything other than their own
    directories, we are halfway there.

    Let me also say that I am not a raving Microsoft fanatic. If I can
    accomplish my goals using a non-GUI Debian (that's a Linux distro for
    the uninitiated =) ) server, I will. Unfortunately, Linux has a ways to
    go when it comes to shared file access (Active Directory groups) and
    centralized domain-wide policy management (Group Policy). I use the
    product that is best suited for the need.

    Derick Anderson

    > -----Original Message-----
    > From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    > Sent: Friday, November 11, 2005 7:06 AM
    > To: tux@911networks.com; Derick Anderson
    > Cc: focus-ms@securityfocus.com
    > Subject: RE: What server hardening are you doing these days?
    >
    > While I agree the NSA guides are more secure, there is also
    > the Center for Internet Security (http://www.cisecurity.org).
    > The problem with these templates is I'm not sure Microsoft
    > uses them when they do regression testing for hotfixes and
    > service packs. This means I have to do more complete testing
    > for hotfixes and service packs. This translates into longer
    > deployment time for a hotfix. Each organization has to
    > decide if the additional security the NSA or CIS guides
    > provide is worth the additional problems in patch deployment.
    >
    > Dennis
    >
    > -----Original Message-----
    > From: Syv Ritch [mailto:tux@911networks.com]
    > Sent: Thursday, November 10, 2005 6:34 PM
    > To: Derick Anderson
    > Cc: focus-ms@securityfocus.com
    > Subject: Re: What server hardening are you doing these days?
    >
    > Derick Anderson wrote:
    >
    > > I also stick to Microsoft best practices when it comes to Microsoft
    > > servers, it's just safer that way. I haven't yet implemented the
    > > Windows 2003 Security guide templates (for fear of breaking our
    > > production environment) but I plan to do that after I've taken care
    > > of some other more basic issues (domain split, network split, user
    > > lockdown, etc.).
    > >
    >
    > Maybe you should reconsider. There is a lot better than MS when
    > it comes to advising on security.
    >
    > http://www.nsa.gov/snac/downloads_all.cfm
    >
    > The NSA. They have both guides and templates. It actually
    > works and is far more secure than the MS advice.
    >
    > --
    > Thanks
    > http://www.911networks.com
    > When the network has to work Cisco/Microsoft
    >

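A small model of the default-deny policy Derick argues for above, added here as an illustration (it is not code from this thread or from any Microsoft tool): a program runs only if it lives under a system directory or is an admin-installed file on the whitelist, and user-writable locations such as the Users tree or Windows\Temp are denied even though they sit inside the "trusted" tree. Paths are canonicalised before comparison so that `..` segments, forward slashes and mixed case do not disguise a user-writable location; all directory and file names are constructed sample values.

```python
"""Default-deny executable whitelist, modelled on the policy proposed above.

A program may run only if it sits under a system directory or is an explicitly
admin-installed (whitelisted) file. User-writable locations, including writable
corners of the system tree such as C:\\Windows\\Temp, are denied unless whitelisted
by exact path. All directory and file names are constructed sample values.
"""
import ntpath

SYSTEM_DIRS = [r"C:\Windows", r"C:\Program Files"]
USER_WRITABLE_DIRS = [r"C:\Windows\Temp", r"C:\Users"]   # ordinary users can write here
ADMIN_WHITELIST = [r"C:\Apps\Approved\backup.exe"]

def canonical(path: str) -> str:
    """Collapse '..' and '.', turn '/' into '\\', lower-case (NTFS is case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))

def is_under(path: str, directory: str) -> bool:
    """True if path lies inside directory; the trailing separator keeps
    'C:\\Windows Temp' from matching 'C:\\Windows'."""
    prefix = canonical(directory).rstrip("\\") + "\\"
    return canonical(path).startswith(prefix)

def execution_allowed(path: str, system_dirs=SYSTEM_DIRS,
                      user_writable=USER_WRITABLE_DIRS,
                      whitelist=ADMIN_WHITELIST) -> bool:
    """Decide whether an execution attempt should be permitted."""
    p = canonical(path)
    if any(canonical(w) == p for w in whitelist):
        return True              # admin installed it explicitly
    if any(is_under(path, d) for d in user_writable):
        return False             # user-writable: deny even inside the system tree
    return any(is_under(path, d) for d in system_dirs)

def audit(attempts):
    """Return the attempts the policy would block, for review or alerting."""
    return [a for a in attempts if not execution_allowed(a)]

if __name__ == "__main__":
    sample = [r"C:\Windows\System32\cmd.exe",        # system binary: allowed
              r"c:/WINDOWS/system32/cmd.exe",        # same file, odd spelling: allowed
              r"C:\Windows\Temp\unknown.exe",        # writable corner of system tree: blocked
              r"C:\Windows\..\Users\bob\tool.exe",   # '..' resolves to a user directory: blocked
              r"C:\Apps\Approved\backup.exe"]        # admin whitelisted: allowed
    for path in audit(sample):
        print("BLOCK", path)
```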
