It will be nice if in a future version of Windows server if there was a
way to simulate major changes to the production environment. I am not
aware of such a method but am open to hear from this group. Thanks.
Sam
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:[EMAIL PROTECTED]
Sent: Thursday, November 10, 2005 4:34 PM
To: Kurt Dillard
Cc: [EMAIL PROTECTED]; matthew patton;
[email protected]
Subject: Re: What server hardening are you doing these days?
Not to mention resources for the ISV side of the world [and this is a
mere tip of the iceburg]
MVPs in the area of app security
Visual Developer - Security:
https://mvp.support.microsoft.com/communities/mvplist.aspx?Product=Visua
l+Developer+-+Security
Spot the Bug!:
http://blogs.msdn.com/rsamona/default.aspx
Living the "Least Privilege" Lifestyle, Part 4: Is Developing Secure
Software as an Administrator an Impossible Dream?:
http://www.informit.com/articles/article.asp?p=418859&f1=rss&rl=1
Blogs....
Anil John <http://www.securecoder.com/blog/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22b065ff6a-b3e9-4705-b
a2b-74e9ddaf5c17%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
arams%5e>
Dominick Baier <http://www.leastprivilege.com/> -Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22d0eed383-8faf-40cd-b
f24-d4c27976e23b%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
arams%5e>
Don Kiely <http://www.sqljunkies.com/WebLog/donkiely/default.aspx> -
Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%225b786265-b44e-441a-a
7dc-223cbb51e2a8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
arams%5e>
Keith Brown <http://pluralsight.com/blogs/keith/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22801dc9ce-60c2-4dad-8
d2d-c5e68c017cc4%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
arams%5e>
Kenny Kerr <http://weblogs.asp.net/kennykerr/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%220688bce3-3a8f-4a76-8
876-976f29dc9e66%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
arams%5e>
Nicole Calinoiu <http://spaces.msn.com/members/calinoiu/> - Public
Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22117327a2-d094-42a2-b
749-933f6eed9278%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
arams%5e>
Robert Hurlbut <http://weblogs.asp.net/rhurlbut> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%2218f87374-ed8c-4fea-b
b26-291f237e299a%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
arams%5e>
Rudolph Araujo
<https://www.threatsandcountermeasures.com/blogs/rudolph/> - Public
Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22da2a7ecb-b899-41b6-9
e8e-7b3e02cd224f%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
arams%5e>
Valery Pryamikov <http://www.harper.no/valery/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTY
DataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%222d962143-71ef-4020-b
88d-9f13bc99ccb8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcP
arams%5e>
Web Development: Increase the Security of Your Applications:
http://www.microsoft.com/events/series/securitywebappdev.mspx
Secure Software Forum:
http://www.securesoftwareforum.com/index.html
Kurt Dillard wrote:
Matthew,
I can understand the frustration people had with NT 4, but your broad
accusations seem... Well... Hmmmm.
Have you seen these documents that I helped to author?
Windows Server 2003 Security Guide:
http://go.microsoft.com/fwlink/?LinkId=14845
Windows XP Security Guide:
http://go.microsoft.com/fwlink/?LinkId=14839
Threats and Countermeasures: Security Settings in Windows Server 2003
and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
And others from different teams:
Exchange 2003 Hardening Guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4
aef-9a44-504db09b9065&displaylang=en
Scenarios and Procedures for Microsoft Systems Management Server 2003:
Security:
http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4
376-a72d-fd34a6c4a44c&DisplayLang=en
ISA Server 2004 Security Hardening Guide:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityharde
ningguide.mspx
MOM 2005 security guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-4
2ff-bc1e-d181ccfe5dcf&displaylang=en
Have you seen links such as these?
http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
acknowledgements page in the PDF file)
http://www.informationweek.com/story/showArticle.jhtml?articleID=1664042
90
http://www.eweek.com/article2/0,1895,1860574,00.asp
If you're looking for mandatory access control, no general purpose
commercial software supports that out of the box. MACs is, in my
opinion, not viable for the vast majority of users and businesses. As
for localsystem having full access to the file system, your comment
suggests that you don't realize localsystem has full access to
virtually
everything. Its analogous to root on *nix. If you have data you want
to
protect from even localsystem you'll have to encrypt it and store the
key separate from the computer.
To reiterate Laura's request, do you have a specific suggestion?
Kurt Dillard CISSP, ISSAP, CISM, MCSE
Program Manager - Security Solutions
Microsoft Federal
-----Original Message-----
From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 10, 2005 12:48 PM
To: 'matthew patton'; [email protected]
Subject: RE: What server hardening are you doing these days?
I'm having a difficult time grokking what your actual assertion is
here.
What are you saying that Microsoft should have published that they
haven't published? Have you looked at the default permissions in
Win2K3?
Have you looked at the changes in accounts related to Local System,
Local Service and Network Service? I'm seeing a lot of vague
accusation
in your post, but not any explanation of what your point is.
Laura
-----Original Message-----
From: matthew patton [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 10, 2005 10:40 AM
To: [email protected]
Subject: Re: What server hardening are you doing these days?
I just love this bit from the MS release:
<quote>
Because of these changes to the core operating system of Windows XP
and of Windows Server 2003, extensive changes to file permissions on
the root of the operating system are no longer required.
Additional ACL changes may invalidate all or most of the application
compatibility testing that is performed by Microsoft. Frequently,
changes such as these have not undergone the in-depth testing that
Microsoft has performed on other settings. Support cases and field
experience has shown that ACL edits change the fundamental behavior
of
the operating system, frequently in unintended ways. These changes
affect application compatibility and stability and reduce
functionality, both in terms of performance and capability.
</quote>
This is called FUD. Microsoft has not once BOTHERED to investigate
and
publish least privilege on their OS. Here in DoD land the
NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on
the
matter of fixing the sad excuse that is windows filesystem security.
Mostly because M$ itself has never published anything. To be fair,
it's improved a little bit since NT4 but LocalSystem in particular
has
WAY too much access. Of course the vendor doesn't want you to change
anything. They can't be bothered to configure their OS correctly to
begin with.
If M$ wanted to they could ship Vista with proper filesystem
permissions out of the box and nobody would notice. They just can't
be
bothered. Afterall, when you have such a disorganized OS going 16
different ways, and an ISV community that has for decades been
getting
away with murder, would you want to spend the time to figure out
which
in-house programmer was being an idiot and assuming he could just
step
all over the filesystem? Programmers are just plain sloppy.
They have no incentive to make security a priority. For all the PR
about M$'s new "we care about security" schtick, not a whole heck of
a
lot is going to change.
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
