That's good for most things, but virtual machines don't allow for testing of configuration on specific hardware. This is an issue we've run into quite a bit with some clustered Exchange environments.
Laura

> -----Original Message-----
> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 11, 2005 1:31 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [email protected]
> Subject: Re: What server hardening are you doing these days?
>
> Virtual Server..and in VMWare... the PtoV tool.
>
> I forget the Vserver tool but they both suck up the physical
> and make a virtual image.
>
> Brown, Sam wrote:
> > It will be nice if in a future version of Windows server if there was
> > a way to simulate major changes to the production environment. I am
> > not aware of such a method but am open to hear from this group. Thanks.
> >
> > Sam
> > -----Original Message-----
> > From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> > [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, November 10, 2005 4:34 PM
> > To: Kurt Dillard
> > Cc: [EMAIL PROTECTED]; matthew patton;
> > [email protected]
> > Subject: Re: What server hardening are you doing these days?
> >
> > Not to mention resources for the ISV side of the world [and this is a
> > mere tip of the iceberg]
> >
> > MVPs in the area of app security
> > Visual Developer - Security:
> > https://mvp.support.microsoft.com/communities/mvplist.aspx?Product=Visual+Developer+-+Security
> >
> > Spot the Bug!:
> > http://blogs.msdn.com/rsamona/default.aspx
> >
> > Living the "Least Privilege" Lifestyle, Part 4: Is Developing Secure
> > Software as an Administrator an Impossible Dream?:
> > http://www.informit.com/articles/article.asp?p=418859&f1=rss&rl=1
> >
> > Blogs....
> >
> > Anil John <http://www.securecoder.com/blog/> - Public Profile
> > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22b065ff6a-b3e9-4705-ba2b-74e9ddaf5c17%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
> > Dominick Baier <http://www.leastprivilege.com/> - Public Profile
> > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22d0eed383-8faf-40cd-bf24-d4c27976e23b%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
> > Don Kiely <http://www.sqljunkies.com/WebLog/donkiely/default.aspx> - Public Profile
> > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%225b786265-b44e-441a-a7dc-223cbb51e2a8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
> > Keith Brown <http://pluralsight.com/blogs/keith/> - Public Profile
> > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22801dc9ce-60c2-4dad-8d2d-c5e68c017cc4%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
> > Kenny Kerr <http://weblogs.asp.net/kennykerr/> - Public Profile
> > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%220688bce3-3a8f-4a76-8876-976f29dc9e66%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
> > Nicole Calinoiu <http://spaces.msn.com/members/calinoiu/> - Public Profile
> > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22117327a2-d094-42a2-b749-933f6eed9278%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
> > Robert Hurlbut <http://weblogs.asp.net/rhurlbut> - Public Profile
> > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%2218f87374-ed8c-4fea-bb26-291f237e299a%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
> > Rudolph Araujo <https://www.threatsandcountermeasures.com/blogs/rudolph/> - Public Profile
> > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22da2a7ecb-b899-41b6-9e8e-7b3e02cd224f%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
> > Valery Pryamikov <http://www.harper.no/valery/> - Public Profile
> > <http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%222d962143-71ef-4020-b88d-9f13bc99ccb8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>
> >
> > Web Development: Increase the Security of Your Applications:
> > http://www.microsoft.com/events/series/securitywebappdev.mspx
> >
> > Secure Software Forum:
> > http://www.securesoftwareforum.com/index.html
> >
> > Kurt Dillard wrote:
> >
> >> Matthew,
> >> I can understand the frustration people had with NT 4, but your broad
> >> accusations seem... Well... Hmmmm.
> >>
> >> Have you seen these documents that I helped to author?
> >> Windows Server 2003 Security Guide:
> >> http://go.microsoft.com/fwlink/?LinkId=14845
> >> Windows XP Security Guide:
> >> http://go.microsoft.com/fwlink/?LinkId=14839
> >> Threats and Countermeasures: Security Settings in Windows Server 2003
> >> and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
> >>
> >> And others from different teams:
> >> Exchange 2003 Hardening Guide:
> >> http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4aef-9a44-504db09b9065&displaylang=en
> >> Scenarios and Procedures for Microsoft Systems Management Server 2003:
> >> Security:
> >> http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4376-a72d-fd34a6c4a44c&DisplayLang=en
> >> ISA Server 2004 Security Hardening Guide:
> >> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
> >> MOM 2005 security guide:
> >> http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-42ff-bc1e-d181ccfe5dcf&displaylang=en
> >>
> >> Have you seen links such as these?
> >> http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
> >> http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
> >> acknowledgements page in the PDF file)
> >> http://www.informationweek.com/story/showArticle.jhtml?articleID=166404290
> >> http://www.eweek.com/article2/0,1895,1860574,00.asp
> >>
> >> If you're looking for mandatory access control, no general purpose
> >> commercial software supports that out of the box. MACs is, in my
> >> opinion, not viable for the vast majority of users and businesses. As
> >> for localsystem having full access to the file system, your comment
> >> suggests that you don't realize localsystem has full access to virtually
> >> everything. It's analogous to root on *nix.
> >> If you have data you want to
> >> protect from even localsystem you'll have to encrypt it and store the
> >> key separate from the computer.
> >>
> >> To reiterate Laura's request, do you have a specific suggestion?
> >>
> >> Kurt Dillard CISSP, ISSAP, CISM, MCSE
> >> Program Manager - Security Solutions
> >> Microsoft Federal
> >>
> >> -----Original Message-----
> >> From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
> >> Sent: Thursday, November 10, 2005 12:48 PM
> >> To: 'matthew patton'; [email protected]
> >> Subject: RE: What server hardening are you doing these days?
> >>
> >> I'm having a difficult time grokking what your actual assertion is here.
> >> What are you saying that Microsoft should have published that they
> >> haven't published? Have you looked at the default permissions in Win2K3?
> >> Have you looked at the changes in accounts related to Local System,
> >> Local Service and Network Service? I'm seeing a lot of vague accusation
> >> in your post, but not any explanation of what your point is.
> >>
> >> Laura
> >>
> >>> -----Original Message-----
> >>> From: matthew patton [mailto:[EMAIL PROTECTED]
> >>> Sent: Thursday, November 10, 2005 10:40 AM
> >>> To: [email protected]
> >>> Subject: Re: What server hardening are you doing these days?
> >>>
> >>> I just love this bit from the MS release:
> >>>
> >>> <quote>
> >>> Because of these changes to the core operating system of Windows XP
> >>> and of Windows Server 2003, extensive changes to file permissions on
> >>> the root of the operating system are no longer required.
> >>>
> >>> Additional ACL changes may invalidate all or most of the application
> >>> compatibility testing that is performed by Microsoft. Frequently,
> >>> changes such as these have not undergone the in-depth testing that
> >>> Microsoft has performed on other settings.
> >>> Support cases and field
> >>> experience has shown that ACL edits change the fundamental behavior of
> >>> the operating system, frequently in unintended ways. These changes
> >>> affect application compatibility and stability and reduce
> >>> functionality, both in terms of performance and capability.
> >>> </quote>
> >>>
> >>> This is called FUD. Microsoft has not once BOTHERED to investigate and
> >>> publish least privilege on their OS. Here in DoD land the
> >>> NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on the
> >>> matter of fixing the sad excuse that is windows filesystem security.
> >>> Mostly because M$ itself has never published anything. To be fair,
> >>> it's improved a little bit since NT4 but LocalSystem in particular has
> >>> WAY too much access. Of course the vendor doesn't want you to change
> >>> anything. They can't be bothered to configure their OS correctly to
> >>> begin with.
> >>>
> >>> If M$ wanted to they could ship Vista with proper filesystem
> >>> permissions out of the box and nobody would notice. They just can't be
> >>> bothered. After all, when you have such a disorganized OS going 16
> >>> different ways, and an ISV community that has for decades been getting
> >>> away with murder, would you want to spend the time to figure out which
> >>> in-house programmer was being an idiot and assuming he could just step
> >>> all over the filesystem? Programmers are just plain sloppy.
> >>> They have no incentive to make security a priority. For all the PR
> >>> about M$'s new "we care about security" schtick, not a whole heck of a
> >>> lot is going to change.
>
> --
> Letting your vendors set your risk analysis these days?
> http://www.threatcode.com
