It will be nice if in a future version of Windows Server there was a way to simulate major changes to the production environment. I am not aware of such a method but am open to hearing from this group. Thanks.
Sam

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 10, 2005 4:34 PM
To: Kurt Dillard
Cc: [EMAIL PROTECTED]; matthew patton; [email protected]
Subject: Re: What server hardening are you doing these days?

Not to mention resources for the ISV side of the world [and this is a mere tip of the iceberg]

MVPs in the area of app security
Visual Developer - Security:
https://mvp.support.microsoft.com/communities/mvplist.aspx?Product=Visual+Developer+-+Security

Spot the Bug!:
http://blogs.msdn.com/rsamona/default.aspx

Living the "Least Privilege" Lifestyle, Part 4: Is Developing Secure Software as an Administrator an Impossible Dream?:
http://www.informit.com/articles/article.asp?p=418859&f1=rss&rl=1

Blogs....

Anil John <http://www.securecoder.com/blog/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22b065ff6a-b3e9-4705-ba2b-74e9ddaf5c17%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Dominick Baier <http://www.leastprivilege.com/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22d0eed383-8faf-40cd-bf24-d4c27976e23b%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Don Kiely <http://www.sqljunkies.com/WebLog/donkiely/default.aspx> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%225b786265-b44e-441a-a7dc-223cbb51e2a8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Keith Brown <http://pluralsight.com/blogs/keith/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22801dc9ce-60c2-4dad-8d2d-c5e68c017cc4%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Kenny Kerr <http://weblogs.asp.net/kennykerr/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%220688bce3-3a8f-4a76-8876-976f29dc9e66%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Nicole Calinoiu <http://spaces.msn.com/members/calinoiu/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22117327a2-d094-42a2-b749-933f6eed9278%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Robert Hurlbut <http://weblogs.asp.net/rhurlbut> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%2218f87374-ed8c-4fea-bb26-291f237e299a%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Rudolph Araujo <https://www.threatsandcountermeasures.com/blogs/rudolph/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22da2a7ecb-b899-41b6-9e8e-7b3e02cd224f%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Valery Pryamikov <http://www.harper.no/valery/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%222d962143-71ef-4020-b88d-9f13bc99ccb8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Web Development: Increase the Security of Your Applications:
http://www.microsoft.com/events/series/securitywebappdev.mspx

Secure Software Forum:
http://www.securesoftwareforum.com/index.html

Kurt Dillard wrote:
> Matthew,
> I can understand the frustration people had with NT 4, but your broad
> accusations seem... Well... Hmmmm.
>
> Have you seen these documents that I helped to author?
> Windows Server 2003 Security Guide:
> http://go.microsoft.com/fwlink/?LinkId=14845
> Windows XP Security Guide: http://go.microsoft.com/fwlink/?LinkId=14839
> Threats and Countermeasures: Security Settings in Windows Server 2003
> and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
>
> And others from different teams:
> Exchange 2003 Hardening Guide:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4aef-9a44-504db09b9065&displaylang=en
> Scenarios and Procedures for Microsoft Systems Management Server 2003:
> Security:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4376-a72d-fd34a6c4a44c&DisplayLang=en
> ISA Server 2004 Security Hardening Guide:
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
> MOM 2005 security guide:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-42ff-bc1e-d181ccfe5dcf&displaylang=en
>
> Have you seen links such as these?
> http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
> http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
> acknowledgements page in the PDF file)
> http://www.informationweek.com/story/showArticle.jhtml?articleID=166404290
> http://www.eweek.com/article2/0,1895,1860574,00.asp
>
> If you're looking for mandatory access control, no general purpose
> commercial software supports that out of the box. MACs is, in my
> opinion, not viable for the vast majority of users and businesses. As
> for localsystem having full access to the file system, your comment
> suggests that you don't realize localsystem has full access to virtually
> everything. It's analogous to root on *nix. If you have data you want to
> protect from even localsystem you'll have to encrypt it and store the
> key separate from the computer.
>
> To reiterate Laura's request, do you have a specific suggestion?
>
> Kurt Dillard CISSP, ISSAP, CISM, MCSE
> Program Manager - Security Solutions
> Microsoft Federal
>
> -----Original Message-----
> From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 10, 2005 12:48 PM
> To: 'matthew patton'; [email protected]
> Subject: RE: What server hardening are you doing these days?
>
> I'm having a difficult time grokking what your actual assertion is here.
> What are you saying that Microsoft should have published that they
> haven't published? Have you looked at the default permissions in Win2K3?
> Have you looked at the changes in accounts related to Local System,
> Local Service and Network Service? I'm seeing a lot of vague accusation
> in your post, but not any explanation of what your point is.
>
> Laura
>
>> -----Original Message-----
>> From: matthew patton [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, November 10, 2005 10:40 AM
>> To: [email protected]
>> Subject: Re: What server hardening are you doing these days?
>>
>> I just love this bit from the MS release:
>>
>> <quote>
>> Because of these changes to the core operating system of Windows XP
>> and of Windows Server 2003, extensive changes to file permissions on
>> the root of the operating system are no longer required.
>>
>> Additional ACL changes may invalidate all or most of the application
>> compatibility testing that is performed by Microsoft. Frequently,
>> changes such as these have not undergone the in-depth testing that
>> Microsoft has performed on other settings. Support cases and field
>> experience has shown that ACL edits change the fundamental behavior of
>> the operating system, frequently in unintended ways. These changes
>> affect application compatibility and stability and reduce
>> functionality, both in terms of performance and capability.
>> </quote>
>>
>> This is called FUD. Microsoft has not once BOTHERED to investigate and
>> publish least privilege on their OS. Here in DoD land the
>> NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on the
>> matter of fixing the sad excuse that is Windows filesystem security.
>> Mostly because M$ itself has never published anything. To be fair,
>> it's improved a little bit since NT4 but LocalSystem in particular has
>> WAY too much access. Of course the vendor doesn't want you to change
>> anything. They can't be bothered to configure their OS correctly to
>> begin with.
>>
>> If M$ wanted to they could ship Vista with proper filesystem
>> permissions out of the box and nobody would notice. They just can't be
>> bothered. After all, when you have such a disorganized OS going 16
>> different ways, and an ISV community that has for decades been getting
>> away with murder, would you want to spend the time to figure out which
>> in-house programmer was being an idiot and assuming he could just step
>> all over the filesystem? Programmers are just plain sloppy.
>> They have no incentive to make security a priority. For all the PR
>> about M$'s new "we care about security" schtick, not a whole heck of a
>> lot is going to change.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
