Matthew,
I can understand the frustration people had with NT 4, but your broad
accusations seem... Well... Hmmmm.
Have you seen these documents that I helped to author?
Windows Server 2003 Security Guide:
http://go.microsoft.com/fwlink/?LinkId=14845
Windows XP Security Guide: http://go.microsoft.com/fwlink/?LinkId=14839
Threats and Countermeasures: Security Settings in Windows Server 2003
and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
And others from different teams:
Exchange 2003 Hardening Guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4
aef-9a44-504db09b9065&displaylang=en
Scenarios and Procedures for Microsoft Systems Management Server 2003:
Security:
http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4
376-a72d-fd34a6c4a44c&DisplayLang=en
ISA Server 2004 Security Hardening Guide:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityharde
ningguide.mspx
MOM 2005 security guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-4
2ff-bc1e-d181ccfe5dcf&displaylang=en
Have you seen links such as these?
http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
acknowledgements page in the PDF file)
http://www.informationweek.com/story/showArticle.jhtml?articleID=1664042
90
http://www.eweek.com/article2/0,1895,1860574,00.asp
If you're looking for mandatory access control, no general purpose
commercial software supports that out of the box. MACs is, in my
opinion, not viable for the vast majority of users and businesses. As
for localsystem having full access to the file system, your comment
suggests that you don't realize localsystem has full access to virtually
everything. Its analogous to root on *nix. If you have data you want to
protect from even localsystem you'll have to encrypt it and store the
key separate from the computer.
To reiterate Laura's request, do you have a specific suggestion?
Kurt Dillard CISSP, ISSAP, CISM, MCSE
Program Manager - Security Solutions
Microsoft Federal
-----Original Message-----
From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 10, 2005 12:48 PM
To: 'matthew patton'; [email protected]
Subject: RE: What server hardening are you doing these days?
I'm having a difficult time grokking what your actual assertion is here.
What are you saying that Microsoft should have published that they
haven't published? Have you looked at the default permissions in Win2K3?
Have you looked at the changes in accounts related to Local System,
Local Service and Network Service? I'm seeing a lot of vague accusation
in your post, but not any explanation of what your point is.
Laura
-----Original Message-----
From: matthew patton [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 10, 2005 10:40 AM
To: [email protected]
Subject: Re: What server hardening are you doing these days?
I just love this bit from the MS release:
<quote>
Because of these changes to the core operating system of Windows XP
and of Windows Server 2003, extensive changes to file permissions on
the root of the operating system are no longer required.
Additional ACL changes may invalidate all or most of the application
compatibility testing that is performed by Microsoft. Frequently,
changes such as these have not undergone the in-depth testing that
Microsoft has performed on other settings. Support cases and field
experience has shown that ACL edits change the fundamental behavior of
the operating system, frequently in unintended ways. These changes
affect application compatibility and stability and reduce
functionality, both in terms of performance and capability.
</quote>
This is called FUD. Microsoft has not once BOTHERED to investigate and
publish least privilege on their OS. Here in DoD land the
NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on the
matter of fixing the sad excuse that is windows filesystem security.
Mostly because M$ itself has never published anything. To be fair,
it's improved a little bit since NT4 but LocalSystem in particular has
WAY too much access. Of course the vendor doesn't want you to change
anything. They can't be bothered to configure their OS correctly to
begin with.
If M$ wanted to they could ship Vista with proper filesystem
permissions out of the box and nobody would notice. They just can't be
bothered. Afterall, when you have such a disorganized OS going 16
different ways, and an ISV community that has for decades been getting
away with murder, would you want to spend the time to figure out which
in-house programmer was being an idiot and assuming he could just step
all over the filesystem? Programmers are just plain sloppy.
They have no incentive to make security a priority. For all the PR
about M$'s new "we care about security" schtick, not a whole heck of a
lot is going to change.
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
