RE: On the topic of Windows Hardening
From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 11/15/05
- Previous message: Marcos Marrero: "ISA Server or Firewall Appliance?"
- In reply to: Terry Browning: "Re: On the topic of Windows Hardening"
- Next in thread: M. Burnett: "More... On the topic of Windows Hardening"
Date: Tue, 15 Nov 2005 12:29:31 -0500
To: "'Terry Browning'" <linux-focus@nihil.co.uk>, "'Peter Hyvonen'" <phyvonen@selfcharge.com>
Good point, Terry.
I still have to make another plug for the application compatibility toolkit.
(I don't work for Microsoft, I just think that it is one of Microsoft's
best-completely-underpublicized offerings.)
For those who haven't taken a look at it, it's worth evaluating:
http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx
(for XP SP2; I don't know if it's also for 2000/2003)
and
http://www.microsoft.com/downloads/details.aspx?FamilyID=7fc46855-b8a4-46cd-a236-3159970fde94&DisplayLang=en
plus
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/appcompat.asp
(for Win2K, WinXP and Win2K3)
Laura
> -----Original Message-----
> From: Terry Browning [mailto:linux-focus@nihil.co.uk]
> Sent: Tuesday, November 15, 2005 9:44 AM
> To: Peter Hyvonen
> Cc: focus-ms@securityfocus.com
> Subject: Re: On the topic of Windows Hardening
>
> When loosening permissions to allow an application to run,
> don't just allow all users the extra permissions, or named
> users; create a new user group and give this new group the
> extra permissions, then give specific users membership of the group.
>
> The permissions for the group are tweaked to allow the
> application to run, and to keep the application running when
> the developers take yet more liberties with security in the
> future. It's also clearer, when looking at the permissions
> for a folder or file, to figure out why the permissions are
> so relaxed.
>
> Only those users who need the extra access will get it, and
> maintaining group membership becomes a separate task, which
> could be delegated to a different admin.
>
> Aside: Is there an SGID-like mechanism in Windows?
>
> Peter Hyvonen wrote:
> > Is there a way to 'fake' an administrator account? I ask because our
> > MRP software requires the user have complete local privileges (power
> > user accounts do not work). I've complained but changing MRP software
> > is not an option. We have a lot of small fires because the users of the
> > MRP software have to be administrator on their own box. Thanks in
> > advance
> >
> > Pete Hyvonen
> > Systems Specialist
> > Self Charge Inc.
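The group-based approach described in the quoted reply, as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets) in an elevated session; the group name, folder path and user names are hypothetical placeholders.

```powershell
# Hypothetical names: substitute the real application folder and accounts.
$GroupName = 'MRP-App-Users'
$AppPath   = 'C:\Program Files\ExampleMRP'
$Members   = @('alice', 'bob')

# 1. Create a dedicated local group. The description records why the
#    relaxed permission exists (New-LocalGroup limits it to 48 characters).
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Modify rights on ExampleMRP folder'
}

# 2. Grant the extra permission to the group only, never to Users/Everyone
#    or to individually named accounts. Modify is inherited by subfolders
#    and files; existing ACEs on the folder are left untouched.
$acl  = Get-Acl -Path $AppPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$GroupName",
    'Modify',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppPath -AclObject $acl

# 3. Membership is a separate task that can be delegated to another admin.
#    Skip accounts that are already members so the script can be rerun.
$current = @((Get-LocalGroupMember -Group $GroupName).Name)
foreach ($m in $Members) {
    if ($current -notcontains "$env:COMPUTERNAME\$m") {
        Add-LocalGroupMember -Group $GroupName -Member $m
    }
}

# 4. Review: show exactly what the group was granted and who is in it.
(Get-Acl -Path $AppPath).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
Get-LocalGroupMember -Group $GroupName
```

Anyone later inspecting the folder's ACL sees a single named group rather than a list of users, and removing access is a group-membership change, not an ACL edit.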