Re: Bringing new NT4 installation up to snuff

From: Curtis Anderson (nedfla@hotmail.com)
Date: 01/30/03


From: "Curtis Anderson" <nedfla@hotmail.com>
Date: Thu, 30 Jan 2003 13:04:31 -0600

John Brock <jbrock@panix.com> uttered:

> It sounds though that HFNetChk is a *Microsoft*
> command line utility that you can download from this company's
> site, while HFNetChkLT is an expanded version with a GUI and
> automatic application of patches (rather than just letting you know
> what is missing). Is that right? Is HFNetChk also available from
> Microsoft's site?

Sort of. MS distributed an older version of HFNetchk, and also continues to
distribute the updates to their own XML data file. There are some
limitations with the version MS uses, plus the fact dev work has stopped on
it. Shavlik created the EXE that's available from MS, but they are
continuing dev work on it. I think the MS version is 3.32 and the current
Shavlik version is 3.86. I use the Shavlik version exclusively as I have to
support NT TSE and the version MS distributes does not understand NT TSE.
Shavlik also distributes their own XML file, which is basically all the
stuff the MS XML file includes, plus some additional products, like (IIRC)
MDAC and Media Player. The EXE from Shavlik aims at their own XML file to
get the latest version, as does HFNetChkLT. I haven't played much with
HFNetChkLT but to me it seems to run HFNetChk under the covers, then parse
the output and go get the updates for you. Kind of an "easier to deal with"
method for those that aren't real fans of manual procedures. I have over
200 NT/NT_TSE/Win2K boxes to support so I'd rather manually do it once, then
update the network install point myself so I'm certain of what I'm putting
on the servers. I can also test a patch in the lab before it gets
"automagically" put onto any particular box. But I'm a little bit of a
control freak from that perspective ;-)

> And can you tell me how this functionality differs
> from what seems to be available from the Windows Update page at
> http://windowsupdate.microsoft.com? Is there any reason to avoid
> Windows Update?

Not much, from a security perspective. WU also includes various system
updates not necessarily related to security, which is the focus of HFNetChk.
I personally don't use WU unless I absolutely have to; I have built enough
automated systems in my time to know that they can't be trusted ;-) Plus,
see my "control freak" comment above :-)

> I checked my SP6A CD, which I bought direct from MS, and IE 5.00
> is definitely on it. It's a separate install though -- I applied
> it after applying SP6A. Now I'm wondering if I should try to
> uninstall it before installing something higher.

Ah, that was where my comment came from. You're right, it ships on the
SP6a CD but it is not put on as *part* of SP6a.
Uninstall or upgrade it, your choice really. Though if you uninstall it
before updating then the system reverts to IE 2.0 so there is less disk
clutter left behind (in case you decide to uninstall IE 5.5/6 later, the
system keeps a copy of the previous IE around).

> OK, you are recommending IE 6 over IE 5.5, and telling me that both
> are usable on a machine even slower than mine.

Well, usable, but don't expect the kind of response from a 486 that you're
likely experiencing with Netscape (probably 3.x?) on a Solaris platform :-)
Or are you on a Sparc 1 or something? In that case it's probably going to
be roughly similar.

> Yep, I noticed later that different downloads named q324929.exe
> seemed to have different file sizes. This seems strange though;
> I thought the general industry practice was that every driver or
> update file should have a unique name.

LOL! Yes it is but MS kinda "forgot" that with the NT updates, and IE
updates. FWIW they're a lot better with Win2K/XP/IE6 patch file naming
conventions. I guess enough people gave them flak about it.

> I have looked for NT security
> measures on the Web, and what I have found seems to be much more
> complicated than those recommended for 95/98 (long lists of services
> to be turned off, renaming admin accounts, dealing with things like
> disk shares, and so on).

Well, the OS is a lot more complicated than Win9x so that kind of goes with
the territory.

> Can you give me any simple NT security
> recommendations

Rename the admin account, create a dummy one named "Administrator" with a
strong password (and disabled anyway). Stops quite a few of the script
kiddie attacks cold since they're not bright enough to check SIDs and they
haven't gotten that far into the machine to enumerate them anyway.
Put a strong password on your real Admin account. Ideally this will look
like line noise off a modem and have mixed case letters, and numbers in it
as well. If you're OK with it, drop in some punctuation and extended ASCII
characters too. Lengths of 10 characters or more make it awfully hard/time
consuming to crack with things like l0phtcrack or John the Ripper.
Disable any unnecessary account(s).
Don't do dippy things like expose a Domain Controller to the Internet.
You're just asking for penetration attempts.
After SP3 + has been installed run SYSKEY and encrypt the SAM with it.
DO enable "RestrictAnonymous" as per MS Q-article
http://support.microsoft.com/default.aspx?scid=kb;EN-US;143474
Use a firewall.

> What security measures have you taken on your
> own machine?

Well I build them behind firewalls, for one thing, then open up the ports to
them only after they've been fully configured and patched. :-)
Got a spare 486/lowend Pentium with 2 or 3 NICs? http://www.ipcop.org is a
nice free Linux-based firewall; I've used it on DSL and cable modem setups,
works like a champ, though you will have to do a little reading to get
familiar with the guts of it.

> I did download the free version of ZoneAlarm, but I haven't installed
> it yet, and it's not clear to me whether this is something I should
> do in addition to other security measures or if ZoneAlarm will take
> care of those other measures once I install it.

I only ran a software firewall for a short time before getting ticked with
having to configure a &#$%ing rule for every damn thing I wanted to do.
ZoneAlarm, Symantec Desktop Firewall, Tiny Personal Firewall, and Sygate
each lasted about 3 days before getting booted off the system. I also have
11 PCs at home (wife, kids, dev boxes, web servers) so it makes more sense
for me to centralize my firewall admin onto the IPCop machine. I am
fanatical about running Norton AV (or your favourite AV product) and
*keeping* *it* *updated* though; there's only so much a firewall can protect
you from.

Hope that helps,
Curtis
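A read-only audit of the account and RestrictAnonymous advice in Curtis's checklist, added here as an example and not part of the original post. It assumes a current Windows host with PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module), since NT4 itself has no PowerShell, and it reads the RestrictAnonymous value with the meaning given in KB 143474 (0 = anonymous enumeration allowed).

```powershell
# Added audit example (not from the original post). Assumes PowerShell 5.1+
# with Get-LocalUser available; it only reports, it changes nothing.

$findings = @()

# 1. The real built-in administrator is the account whose RID is 500,
#    whatever name it has been given; flag it if it still says "Administrator".
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Name -eq 'Administrator') {
    $findings += 'Built-in administrator (RID 500) still uses the default name.'
}

# 2. A decoy named "Administrator" should exist, must not be the RID-500
#    account, and should be disabled.
$decoy = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
if (-not $decoy) {
    $findings += 'No decoy "Administrator" account present.'
} elseif ($decoy.SID.Value -notlike '*-500' -and $decoy.Enabled) {
    $findings += 'Decoy "Administrator" account exists but is enabled.'
}

# 3. Unnecessary accounts: the built-in Guest (RID 501) is the usual one.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) {
    $findings += "Guest account ($($guest.Name)) is enabled."
}

# 4. RestrictAnonymous lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#    (the key named in KB 143474); missing or 0 means anonymous enumeration
#    of accounts and shares is allowed.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if (-not $lsa.RestrictAnonymous) {
    $findings += 'RestrictAnonymous is missing or 0; anonymous enumeration allowed.'
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Nothing flagged: admin renamed, decoy disabled, Guest off, RestrictAnonymous set.'
}
```

Run it from an elevated prompt so the Lsa key and all local accounts are readable.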


