Re: CIS Security Baseline
From: Matt Scarborough (vexversa@verizon.net)
Date: 08/10/02
- Next message: Cody: "Windows 2k Server l- lsass.exe - error"
- Previous message: Steve Duff [MVP]: "Re: Outgoing multicasts to 224.0.0.x (protocol 46) every 4 seconds; What's this?"
- In reply to: Leon: "Re: CIS Security Baseline"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Matt Scarborough <vexversa@verizon.net> Date: Fri, 09 Aug 2002 22:43:00 +0000
I believe the standard method is to use secedit from the command line. It has an
/overwrite switch that may help for some settings like permissions.
In the absence of a complete template that sets default settings for all specific
Registry values, such as DWORD "0x0" everywhere we need or expect a setting of "0x0"
to enforce a specific behavior, there is really no alternative but to audit all of
the possible settings. That task is huge, as would be a complete template.
There is really nothing preventing some previous program or template from setting
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash\Foobar\Snacks=4,1
on Windows 2000 systems. An Administrator or a custom template maker or Microsoft have
no way of knowing that setting was added or why it was added. As such, neither can
they query and remove the setting for fear of negative consequences.
Again, this is why these Security Configuration Editor templates are designed to be
applied incrementally to clean systems. There is simply no way of knowing what
positive *or* negative effect an arbitrary template downloaded from a well meaning
vendor and applied to a system will have.
Matt Scarborough 2002-08-09
(PS: Who else noticed SP3 added new templates in %WINDIR%\Security\Templates?)
On Fri, 9 Aug 2002 12:28:01 +1000, Leon wrote
<OW5tCx0PCHA.2684@tkmsftngp12>
> Hi Matt,
>
> That leads to a fairly fundamental question- should MS have configured the
> only way policies can be applied is incrementally? This can cause problems
> like the ones you mentioned and others. My local machine inevitably becomes
> a test machine for changes, but I have no way without rigorous record
> keeping of knowing exactly what the incremental results will be, only what
> is being changed (OK can analyse through SCE but this isn't simple when
> comparing entire registry), and more importantly in my opinion, no simple
> way of getting it back to a known state.
>
> Applying an incremental template on top of another can simply create
> unexpected results.
>
> I would think a solution to a lot of this is simply an additional option in
> the Security Configuration Editor-
> Apply configuration fully, or Apply configuration incrementally.
>
> Obviously to Apply fully, any template would need to have all possible
> settings included, but the SCE could check for this before applying it.
>
> This would provide a simple way to quickly and easily get multiple machines
> into a known, standard state. It would also provide an easier way to
> rollback changes at any point down the track, to get it back to a certain
> state without needing to analyse the impact of yet another additional
> incremental template.
>
> Is this a reasonable idea, or am I missing something?
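Both posters circle the same gap: an incremental template only touches the values it names, so the only way to know what a downloaded template will add, change or leave alone is to compare it, setting by setting, against the baseline you trust. The script below is an added example written for this thread (it is not code from Matt, Leon or Microsoft): it parses the `[Registry Values]` section of two SCE-style `.inf` templates, whose lines take the form `<registry path>=<type code>,<value>` with type codes following the REG_* enumeration (1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ), and classifies every setting as added, changed or left untouched relative to the baseline. The two templates are constructed for the demonstration; `NoLMHash` and the `Foobar\Snacks` path come from Matt's message, `ConstructedSetting` is invented.

```python
"""Compare the [Registry Values] sections of two SCE security templates."""
import re

# Constructed sample templates for this example; not real Microsoft templates.
# Line syntax follows SCE .inf templates: <registry path>=<type code>,<value>
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\Software\Example\ConstructedSetting=1,"hardened"
"""

# A hypothetical third-party template: flips NoLMHash back to 0, adds the
# unexplained value from the thread, and says nothing about ConstructedSetting.
VENDOR_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash\Foobar\Snacks=4,1
"""

# Type codes used on [Registry Values] lines (REG_* enumeration values).
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def parse_registry_values(inf_text):
    """Return {registry path: (type code, raw value)} for the [Registry Values] section.

    Other sections are skipped; blank lines and ';' comments are ignored.
    """
    settings = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "registry values":
            continue
        path, sep, rhs = line.partition("=")
        type_str, sep2, value = rhs.partition(",")
        if not sep or not sep2 or not type_str.strip().isdigit():
            raise ValueError("malformed [Registry Values] line: %r" % line)
        settings[path.strip()] = (int(type_str), value.strip())
    return settings


def diff_templates(baseline, candidate):
    """Classify the candidate template's settings against the baseline.

    'added'   : paths the candidate sets that the baseline never mentions
    'changed' : paths both set, with a different type or value
    'untouched': baseline paths the candidate does not name; under incremental
                 application the machine keeps whatever value it already has
    """
    base_paths, cand_paths = set(baseline), set(candidate)
    return {
        "added": sorted(cand_paths - base_paths),
        "changed": sorted(p for p in base_paths & cand_paths
                          if baseline[p] != candidate[p]),
        "untouched": sorted(base_paths - cand_paths),
    }


def report(baseline, candidate):
    """Render the diff as human-readable lines."""
    lines = []
    result = diff_templates(baseline, candidate)
    for path in result["added"]:
        code, value = candidate[path]
        lines.append("ADDED     %s = %s %s" % (path, REG_TYPES.get(code, code), value))
    for path in result["changed"]:
        lines.append("CHANGED   %s: %s -> %s" % (path, baseline[path][1], candidate[path][1]))
    for path in result["untouched"]:
        lines.append("UNTOUCHED %s (keeps current machine value)" % path)
    return lines


if __name__ == "__main__":
    base = parse_registry_values(BASELINE_INF)
    vendor = parse_registry_values(VENDOR_INF)
    print("\n".join(report(base, vendor)))
```

The CHANGED line is the one Matt's warning is about: a well-meaning template silently undoing a setting the baseline established. The UNTOUCHED line is Leon's point: nothing in the vendor template restores `ConstructedSetting`, so applying it incrementally leaves that value wherever the last template put it. Comparing against the live machine rather than another template is what `secedit /analyze /db <db> /cfg <template.inf>` does; this script only needs the two `.inf` files and runs anywhere.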