Re: Biometrics

Thanks for reading.

1. More detail, please. Which ones do you have in mind that we haven't implemented?

2. There is no "internal safety" in the 9x code. If you connect a 9x computer to the Internet, it will get attacked. There are plenty of ways to boot a computer with an alternate operating system if you need to perform some kind of maintenance. (Note that as more and more people move to volume and drive encryption, there will be additional steps, especially around key archiving and recovery passwords.)

3. This is a typical recommendation for root certificate servers -- they are the sources of authority for identity and they don't need to be online, so keeping them disconnected and physically secure is sage advice. (And note that you can't really ever "prove" that someone isn't a spy -- you can't prove a negative.)

4. Most organizations achieve huge support cost savings by _standardizing_ on hardware. Per-machine custom twiddles add unnecessary complexity, which increases the likelihood making configuration mistakes, which attackers will then exploit. (The TPM chip, a hardware device that can store encryption keys among other things, provides a useful machine identity.)

5. Can't argue with that.

6. You're talking about honeypots and honeynets. They're interesting for learning about attacker behavior and motivations, but they aren't security devices.

7. I'm not sure why you insist that the current version of Windows is the same as NT. Over time we have rewritten much of the code. One example is the IP stack in Vista/2008 -- it's all new.

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A415E3B7-1750-44E6-8BDE-707D90A5EDB0@xxxxxxxxxxxxxxxx
I looked over your blog and like your points Steve. You certainly have a
great grasp of the security aspect of protecting computers. Now here is my
view:

1. Please implement all of your security protocols

2. Use Windows 98 Second Edition Machines as a safety internal protocol as
Chris Quirke, MVP suggests how the internal safety of 9x is awesome and makes
remote hacking difficult thus when someone does manage to hack a network they
cannot overcome the internal safety of the 9x operating system that has the
maintenance operating system of DOS that Chris Quirke, MVP maintains is
sorely lacking in Vista.
Consider the possibility of having one 98 Second Edition machine as a
Gateway to the Network.

3. Maintain certain machines as off-line only in locked and secure rooms
with minimal access and information only given on an as needed basis as is
done in the military and at defense companies like Raytheon after full
background checks and after enough time has passed that you can prove the
person is not a spy.

4. Implement the proper configuration and customize hardware options of all
machines so if a certain machine that is released in the market has been
compromised the security and safety of your network is not at risk.

5. Inform US-Cert (Department of Homeland Security in the States) of any
attempted and seriously probing of your network.

6. Ideally have special catching machines to attract high level hackers to
them for highly valued informaion via the proper protocol of bait and catch.

7. Have Fun and See How Many Hackers you can Catch and Remember this is
Truly all a Game of being able to one up the hackers --- ideally Microsoft
will soon have a 3rd source code that can finally put 9x and NT to rest and
have the best of safety and security within one source code but I wonder if
this is even possible but certainly Microsoft does need a new source code.

Thanks Again for all of your Advice and Your Great Blog and Feel Free to Let
Me Know My Shortcomings in the Debate --- I really appreciate your Feedback


.

Relevant Pages

  • Re: Biometrics
    ... great grasp of the security aspect of protecting computers. ... Use Windows 98 Second Edition Machines as a safety internal protocol ... Maintain certain machines as off-line only in locked and secure rooms ... have the best of safety and security within one source code but I wonder ...
    (microsoft.public.security)
  • Re: Biometrics
    ... > great grasp of the security aspect of protecting computers. ... Use Windows 98 Second Edition Machines as a safety internal> protocol ... > Gateway to the Network. ... Maintain certain machines as off-line only in locked and secure> rooms ...
    (microsoft.public.security)
  • Re: Biometrics
    ... keeping them disconnected and physically secure is sage advice. ... great grasp of the security aspect of protecting computers. ... Use Windows 98 Second Edition Machines as a safety internal protocol ... Maintain certain machines as off-line only in locked and secure rooms ...
    (microsoft.public.security)
  • Re: [Full-Disclosure] Gates: You dont need perfect code for good security
    ... on the internet trying to hack it and 20+K users pumping mail thru it 24x7. ... doesn't seem to matter when we talk about security so.. ... that it is indeed a secure product and that security is not just a marketing ... an ISP, the internet IS our internal network for many machines, as the world ...
    (Full-Disclosure)
  • Re: Newsgroup filtering with host server software
    ... I was given permission to hook my personal notebook in to the company network before I had anything to do with our IT department. ... Where I used to work the rule was that you were not allowed to have a mobile switched on in the office (security) so I don't know if they would have worked. ... the internet before it hit my inbox. ... Well, if something could be deemed sufficiently sensitive I would agree that only company machines should be able to access it, after all any other machine could log it even if it was encrypted in transit. ...
    (comp.security.firewalls)