Re: Short List of Security Questions



I will float a balloon toward a partial response . . .

"dw85745" <dw85745_NOT@xxxxxxxxxxxxx> wrote in message
news:uvwH21tpGHA.516@xxxxxxxxxxxxxxxxxxxxxxx
As a Programmer and an End User one of my biggest frustrations is getting
"WHAT YOU SHOULD DO" Security Information related to Windows.
I can write code all day long, but when it comes to securing Windows I
knock my head against the wall.


And the code you write is defensively secure code ??
If so it is only so because you have done your homework over time.
Configuring a system has similar requirements.

A short list of my questions are:

For each OS (Win98 through XP) and each version (Home and Pro):

I take this to mean Windows 2000 Professional, and Windows XP (Home and
Pro).
Any DOS family OS is, intrinsically, not securable, and NT 4 and earlier
are not capable of resisting what today's networked environment can throw
at them.

1) Is default best?
Best? You mean better? Compared to??
One can always configure one of the OSs to which I have limited these
comments better relative to their security stance than they are found in
their install default state.
This is largely because the install defaults must be a best guess of what
fits well for 99% of the reasonably sane use cases that exist. They are
sort of a lowest common denominator, except one factored so that it does
not lower the bar below some "it's the right thing" or "it really is in
your better interests" threshold.
What is better can only be determined relative to both the reference and
the usages that are to be made of the system. For example, if that XP Pro
is to act as the house's little fileserver, then having the firewall on
with no exceptions is not right.
However, defining the defaults to be otherwise and allow unrestricted file
and print sharing would not be right.

No matter what OS you use, where do you get a detailed explanation
regarding what all the switches do in Internet Explorer and whether you
should set them or not. The #$%^% poor explanation you get when you right
click on the checkbox is useless as far as I'm concerned.

Search for the Internet Explorer Administration Kit if you want the
detailed docs.
Else, use something else.


2) How do you keep an installed program from having access to other
programs or other parts of the system in a standalone home computer (here
I refer to file permissions and other security measures)?


Programs (with specific exceptions now in the .Net runtime era) do not have
access to anything. The accounts running the programs have or are denied
the accesses, even when those accesses are done by the programs.
Hence, you segment the machine's resources based on the principals that
you want to segregate from one resource/capability and the other.

You need a plan based on what you want "protected" and what is a "don't
care" so that you may focus your effort on what is important. Then normally
one defines custom groups that are used to make grants (and sometimes
denials) strategically in order to carve off areas of resource/capability
to only specific groups of accounts. There is more that may be done, like
software restriction policies, etc. but those measures are advanced and
normally used to build upon an initial basis built with basic control via
grants of permissions and rights.

3) Win98 had a big problem with NetBEUI. Do other windows OSes have this
type of or similar issues?

I don't know, never used NetBEUI and always shut it off and uninstalled it
if I found it installed. In all versions of OS to which my comments are
limited one has to go well out of one's way to install NetBEUI and I can
think of no good reason why one would do so.

4) After I go to Windows Update and download the security patches, what
changes have been made to my system?

Today you get mostly incremental code that is patched into the binaries to
version them to the new, safe versions. One also gets updates to the client
end of autoupdate, the most recent malicious software remover, and lately
genuine Windows check code. Beyond these you are offered non-critical,
non-security updates/upgrades (ex. the latest .Net framework, the latest
MediaPlayer), and updated drivers for hardware from vendors that have
elected to participate in the means of distribution (that offer has also
been made to software vendors, but until just recently I do not recall
seeing any releases for non-MS software).

5) What are the security differences between Home Edition and Pro Editions
(IMHO MS needs to include all security capability in Home as well as Pro)?


Very little. The differences are more in configurability.
Home does not have EFS, does not let one shift out from "simple file
sharing" mode, has a slightly more restricted amount of concurrent network
connections allowed, does not allow for direct editing of the local group
policy, has some of the utilities removed, etc. etc.
Under all of these differences the code is the same. Some defaults are
different, and some of these cannot be made to be otherwise; some things
are ripped out, but what code is there is the same in both versions.



--------------------------------------------------------------
If anyone knows of an EXCELLENT book or a website that explains this by OS,
it would be appreciated.

Thanks
l
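
The answer to question 2 above (access belongs to the account running a program, and custom groups are used to carve off resources) can be sketched with the built-in net, cacls and runas commands on Windows 2000 / XP Pro. This is an added example, not part of the original post; the group LedgerUsers, the account ledgerapp, the folder C:\Ledger and the program C:\Apps\ledger.exe are hypothetical names, and the folder is assumed to sit on an NTFS volume.

```bat
@echo off
rem Added illustration; run from a command prompt of an administrator account.
rem Hypothetical names: group LedgerUsers, account ledgerapp,
rem folder C:\Ledger (on NTFS), program C:\Apps\ledger.exe.

rem 1. Create a custom local group. Grants are made to the group, never to
rem    the program, because the account running the program holds the access.
net localgroup LedgerUsers /add

rem 2. Create a limited account for the program ("*" prompts for a password)
rem    and make it a member of the custom group.
net user ledgerapp * /add
net localgroup LedgerUsers ledgerapp /add

rem 3. Replace the folder's ACL (no /E switch, so existing entries are not
rem    kept): full control for Administrators and SYSTEM, change access for
rem    LedgerUsers. Accounts with no entry get no access to the folder.
rem    cacls asks "Are you sure (Y/N)?" when replacing, hence the piped y.
echo y| cacls C:\Ledger /T /G Administrators:F SYSTEM:F LedgerUsers:C

rem 4. Review the resulting ACL before relying on it.
cacls C:\Ledger

rem 5. Start the program under the limited account, so whatever it does is
rem    checked against that account's grants and not against yours.
runas /user:%COMPUTERNAME%\ledgerapp "C:\Apps\ledger.exe"
```

To add or remove a single entry later without replacing the whole ACL, use cacls with /E together with /G or /R.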



