Re: DACLS for software distribution points...



If you'll notice, all of the risk and criticality notes in security bulletins are assuming that you have not made any such adjustments to your XP and 2k3 configurations.

Look at the last batch of patches, and while the 2000s can't be nailed from anon connections... 2k3/XPs need authenticated connections to be nailed.

Thus ... one would be wise to either

1. Yell at vendors who force you to make such adjustments to XP and 2k3 (and go read the latest Howard/Lipner book on the Security Development Lifecycle to get even angrier at the reminders of all of my vendors who don't care about security or privacy)
2. Use your SA rights to just downgrade to 2000 and be done with it
3. Really document your network and understand that you can no longer read the Microsoft bulletins and use their risk rankings....

As the so called "buggy patch" of 05-051 taught us... if you are going to deviate from the default... make sure you now understand that you "own" that and it's up to you to understand and test for it.

Devin Ganger wrote:

At Thursday, July 06, 2006 5:38 PM, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:



In the 2k3 era the Everyone group is akin to the Authenticated users
anyway since Everyone in the 2k3 era does not include the anon users.



A minor quibble, since several folks have now all made this same
statement.

Windows XP and Windows Server 2003 do not include the Anonymous SID in
the Everyone group membership *out of the box* when in standalone mode.
However, this behavior can be configured through Group Policy or the
registry, so you can't just assume that this is the case.

Those of you who doubt this are welcome to refer to KB 278259 for
details or read up on the "Network access: Let Everyone permissions
apply to anonymous users" Group Policy setting in Chapter 5 of the
Threats and Countermeasures Guide, which you can find online at:

http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch05n.mspx




--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
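As an added illustration (not code from either message in this thread), here is a PowerShell audit of the setting Devin refers to. It assumes the registry location and value names documented in KB 278259 (HKLM\SYSTEM\CurrentControlSet\Control\Lsa, values EveryoneIncludesAnonymous and RestrictAnonymous) and that the host can run PowerShell; the function names are illustrative.

```powershell
# Added example, not code from either message in this thread.
# Audits the LSA registry values behind two Security Options that decide
# what "Everyone" means for anonymous (null-session) callers on XP/2003:
#   EveryoneIncludesAnonymous -> "Network access: Let Everyone permissions
#                                 apply to anonymous users" (0 = default, off)
#   RestrictAnonymous         -> "Network access: Do not allow anonymous
#                                 enumeration of SAM accounts and shares"
# Both are documented in KB 278259. Group Policy writes the same values, so
# reading them after a policy refresh shows the effective setting.

function Get-AnonymousEveryonePosture {
    param(
        # Host name is only used for labelling; the check reads the local registry.
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $lsa = Get-ItemProperty -Path $LsaPath -ErrorAction Stop

    # A missing value behaves like the XP/2003 default (0): Anonymous is
    # NOT a member of Everyone.
    $everyoneIncludesAnon = 0
    if ($null -ne $lsa.EveryoneIncludesAnonymous) {
        $everyoneIncludesAnon = [int]$lsa.EveryoneIncludesAnonymous
    }
    $restrictAnon = 0
    if ($null -ne $lsa.RestrictAnonymous) {
        $restrictAnon = [int]$lsa.RestrictAnonymous
    }

    $posture = New-Object PSObject -Property @{
        ComputerName              = $ComputerName
        EveryoneIncludesAnonymous = $everyoneIncludesAnon
        RestrictAnonymous         = $restrictAnon
        # The thread's point: once this is 1, an ACL granting Everyone
        # grants the anonymous user too, and bulletin risk rankings written
        # for the default configuration no longer apply to this box.
        EveryoneGrantsAnonymous   = ($everyoneIncludesAnon -eq 1)
    }
    return $posture
}

function Reset-EveryoneExcludesAnonymous {
    # Puts the value back to the XP/2003 default. Run with -WhatIf first.
    # If a domain or local GPO sets the option to Enabled, the next policy
    # refresh re-applies it; fix the policy, not just the registry.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    if ($PSCmdlet.ShouldProcess($LsaPath, 'Set EveryoneIncludesAnonymous = 0')) {
        Set-ItemProperty -Path $LsaPath -Name 'EveryoneIncludesAnonymous' `
            -Value 0 -Type DWord
    }
}

# Usage: audit this host and flag the deviation from the default.
$p = Get-AnonymousEveryonePosture
$p | Format-List
if ($p.EveryoneGrantsAnonymous) {
    Write-Warning "Everyone includes Anonymous on $($p.ComputerName); you own the risk analysis for this box."
}
```

Run the audit on every box that hosts a software distribution point before trusting a bulletin's "requires authenticated access" rating; a host reporting EveryoneGrantsAnonymous = True is in the Windows 2000-style configuration the bulletin did not assume. If the value was pushed by Group Policy, `Reset-EveryoneExcludesAnonymous` only holds until the next refresh, so correct the GPO as well.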




