-----Original Message-----
From: Ng Pheng Siong <[EMAIL PROTECTED]>
To: Don Kelloway <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; John
Wiltshire <[EMAIL PROTECTED]>; [EMAIL PROTECTED]
<[EMAIL PROTECTED]>
Date: Sunday, June 20, 1999 4:50 AM
Subject: Re: Why not NT?


>On Sat, Jun 19, 1999 at 08:58:47PM -0400, Don Kelloway wrote:
>> 4. Apply the appropriate registry tweaks to tighten it further.
>
>URL(s) appreciated.


This is an area left to the experience of the admin who's familiar with NT...

>> 6. Click TCP/IP protocol, don't use WINs, don't use LMHOSTS, don't use
>> DNS.
>
>Where goes your web server, mail server, etc.? In front or behind the
>firewall?


Behind the firewall, preferably on the DMZ...

>> 9. Then go to Control Panel | Services and set the Startup option for
>> everything 'cept Event Log, Plug and Play, and RPC to "disabled". Reboot
>
>What OS functionality requires RPC, given that you are building a
>hardened host? (I seem to recall MS RPC has some nice, ah, security-
>unfriendly features.)


None, but when the rest of the above has been applied, RPC (port 135) is
useless to/from the PC.

>I'd imagine plug-and-play should be off.


Yes, it can. As long as none of the hardware installed relies upon it.

>> 10. Install a firewall, one that binds its *own* IP stack to the external
>> NIC.
>
>But leave the internal NIC bound to MS's stack? If the vendor's stack
>is good enough for the external NIC, it is good enough for the internal
>NIC, no?


Yes, the internal NIC is still bound to the MS IP stack. But when everything
has been followed above, there is no IP connectivity to/from the internal
NIC, only through it. Although, we could disable the internal NIC as well...

>What makes a vendor's stack inherently more secure than MS's? If the stack
>is less used than MS's, it has had fewer opportunities to shake out its
>bugs. (Instead of a chorus, it might give you a crescendo. ;-)


Maybe the vendor specifically designed the stack with the purpose of being
used for the basis of a firewall?

>Cheers.
>--
>Ng Pheng Siong <[EMAIL PROTECTED]>


Although it's down the street from me, I never drink there. Besides I prefer
to start my day with Cheerios. <grin>

Best Regards, Donald Kelloway
http://www.commodon.com
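Step 9 above (set everything except Event Log, Plug and Play and RPC to "disabled") is the kind of setting that drifts back after a patch or an install. The script below is an added example, not from this thread or from Don's site; it audits a Windows host's service startup modes against that allowlist and reports anything still enabled. The short service names EventLog, PlugPlay and RpcSs are assumed to be the ones behind the three display names in the message.

```powershell
# Added example (not part of the original message): audit service startup
# modes against the allowlist from step 9. Short names are assumptions.
$Allowed = @('EventLog', 'PlugPlay', 'RpcSs')

function Get-ServiceDrift {
    param([string[]]$AllowList = $Allowed)
    # Win32_Service exposes StartMode (Auto / Manual / Disabled) for every service.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -ne 'Disabled' -and $AllowList -notcontains $_.Name } |
        Select-Object Name, DisplayName, StartMode, State
}

$drift = Get-ServiceDrift
if ($drift) {
    Write-Output 'Services still enabled outside the allowlist:'
    $drift | Format-Table -AutoSize
    # Dry-run remediation; drop -WhatIf once the list has been reviewed.
    $drift | ForEach-Object { Set-Service -Name $_.Name -StartupType Disabled -WhatIf }
} else {
    Write-Output 'No drift: only allowlisted services are enabled.'
}
```

Review the report before removing -WhatIf: as the message notes for Plug and Play, a service can only be disabled if nothing installed on the box depends on it, so the allowlist is a starting point to be adjusted per host rather than applied blindly.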

