Some semi-random thoughts and responses - All these "hardening" guides are something I get really weary of dealing with. For example, I once reviewed a book on this (I'm not saying which in public) that was guaranteed to leave the system nearly unusable, and featured hardening steps where the functionality needed to perform the step was disabled in a previous step.
I also remember when we did the OpenHack 4 contest, one member of our group went a bit overboard on the SQL server and left it where you couldn't administer it. So much of this stuff is guaranteed to break things. One thing that's nice is that the defaults have gotten so much better. I personally don't do much tweaking any more - doing stuff like disabling the LM hashes is a nice touch if you have only current systems.

A comment about another post in the thread - if you think localsystem access to anything is an issue, I'd suggest you think through it further. Localsystem has the right to take ownership of anything, has backup and restore rights, and even if you took all that away, it would have the right to put it back. If you can't trust localsystem, you can't trust that computer, period.

The various hardening guides are good, and do have the benefit of some testing, but before you go off default in a production environment, I'd do so step by step and evaluate carefully.

Another favorite rant is that so many people worry about tweaking things when they actually have MUCH bigger problems. Do you have solid patch management? How about vulnerability assessment? A good host-based IDS system sprinkled throughout the network AND someone to pay attention to the data? A response team? Do you understand what services are running where, and with what privileges? A bunch of system services all running under the same super-high level domain account makes a network that's impossible to secure. It's about like tweaking out your car engine when all the wheels have been stolen. Once you have the fundamentals of security management in place, THEN worry about hardening, and then only do so in the context of understanding what _real_ threat you're addressing, and why the tweak helps.

IMO, and most certainly not speaking as a representative of current or past employers.
-------------------------------------------------------------
Insisting on perfect safety is for people who don't have the balls to live in the real world. Mary Shafer
David LeBlanc - dleblanc(at)mindspring.com

> -----Original Message-----
> From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 11, 2005 1:41 PM
> To: 'Mike Dieroff'
> Cc: [email protected]; [EMAIL PROTECTED]; 'Derick Anderson'
> Subject: RE: What server hardening are you doing these days?
>
> Very well put, Mike. I think that when people haven't looked
> at the guides, they may not realize that the bulk of what is
> in them is informative rather than a simple "do this...do
> that" set of instructions. I personally believe that anybody
> who is touching Win2K3, claims interest in security, yet
> hasn't read the Microsoft Security Guidance documents should
> spend a few days with those guides before making any
> proclamations. One can't speak to that which one does not yet
> know. :-)
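The "which services run where, under what privileges" question from the post above, turned into a check a defender can run on a host. This is an added example and not code from anyone in the thread; it assumes an elevated PowerShell session, a hypothetical threshold of three services per non-built-in account as the "shared account" flag, and the standard `NoLMHash` LSA registry value for the LM-hash point.

```powershell
# Added example (not from the thread): inventory services by logon account and
# flag a single domain/local account used by many services, then check whether
# the LSA NoLMHash policy is set. Run in an elevated PowerShell on the host.

function Get-ServiceAccountSummary {
    param([int]$Threshold = 3)  # assumption: >= 3 services on one account is "shared"
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    Get-CimInstance -ClassName Win32_Service |
        Group-Object -Property StartName |
        ForEach-Object {
            $acct = $_.Name
            # Built-in service identities and per-service virtual accounts are expected.
            $isBuiltin = ($builtin -contains $acct) -or ($acct -like 'NT SERVICE\*')
            [pscustomobject]@{
                Account  = $acct
                Services = $_.Count
                BuiltIn  = $isBuiltin
                Shared   = (-not $isBuiltin) -and ($_.Count -ge $Threshold)
                Examples = ($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ', '
            }
        } | Sort-Object -Property Services -Descending
}

function Test-NoLMHash {
    # NoLMHash = 1 stops the LM hash from being stored at the next password change.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    return (($null -ne $lsa) -and ($lsa.NoLMHash -eq 1))
}

$summary = Get-ServiceAccountSummary
$summary | Format-Table -AutoSize

# Each warning is an account worth splitting up or reducing in privilege.
$summary | Where-Object Shared | ForEach-Object {
    Write-Warning ("Account '{0}' runs {1} services ({2} ...)" -f $_.Account, $_.Services, $_.Examples)
}
if (-not (Test-NoLMHash)) {
    Write-Warning 'NoLMHash is not set to 1; LM hashes may still be stored on this host.'
}
```

The built-in list only covers the three standard service identities; services running as a named domain account that appear once are listed but not flagged, so read the full table, not just the warnings.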
