Re: Security myths
From: Alun Jones [MSFT] (alunj_at_online.microsoft.com)
Date: 03/18/05
Date: Fri, 18 Mar 2005 07:16:51 -0800
The version of Windows that you are describing was Windows 2000 Server - and
Windows Server 2003 is even more secure out of the box (a similar design
today might have to 'tweak' by enabling features, rather than tweak security
settings on). More details on the OpenHack competition's Windows
configuration can be found at
http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp
Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:OKid9m7KFHA.484@TK2MSFTNGP15.phx.gbl...
>
> "Greg R" <webworm12@yes.hotmail.com> wrote in message
> news:7l9f31pf530msf4fkfl08k4moqj3lks86e@4ax.com...
>> Security myths.
>> http://www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx
>>
>> I disagree with number one. That's like telling people to throw out
>> Steve (grc.com) and others' advice.
>
> Steve Gibson isn't perfect. He does make mistakes and gives bad advice in
> places.
>
> I think it is interesting that you mention Steve Gibson, because both Steve
> and the article you linked above make statements that run counter to many
> security experts and commonly recognized best practices. I think it is good
> to counter the experts some of the time, if you're right and can defend your
> decision, but if you do it too much and too often, you're probably in the
> wrong.
>
>> Look at myth number four. I strongly disagree with it. I think
>> tweaks are needed. Even Microsoft recommended some tweaks
>
> Tweaks have always been necessary in the past because MS software by default
> has had insecure settings in the past. [Microsoft says this is because
> that is what most customers wanted, and they do have a point.] The need for
> tweaks may have changed now that their most modern software releases have
> settings that are pretty secure by default. It is useful to note that they
> successfully hardened a Windows box for a hacking contest using only four
> registry changes. I think that is the point to take away here, that some
> tweaks do nothing for security but waste your valuable time that could be
> spent really securing things. On the other hand, making registry tweaks
> takes relatively little time and is relatively harmless, and some of those
> tweaks do have a small effect on security, so arguing too strongly against
> tweaks could be making a mountain out of a molehill.