I thought you might find the following, gleaned from a Microsoft web site white paper about "Myths of Security" amusing... But before you laugh too hard, remember the Dilbert bosses are all reading and believing this stuff.
Myth 4: Tweaks Are Necessary

<snip>

Even on highly exposed systems, most of the tweaks are not necessary. In eWeek's Open Hack IV competition in 2002 (see http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp), we built what was probably the most protected network we have ever built. In all, we made only four registry tweaks, a couple of ACL changes, and set a password policy. The rest of the protection for those systems was based on proper network segmentation, a solid understanding of the threats, turning off unneeded services, hardening Web apps (see Writing Secure Code, 2nd edition, by Howard and LeBlanc [Redmond, WA: Microsoft Press, 2003]), and properly protecting Web servers and the computer running SQL Server. Of course, this was a specialized system with very limited functionality, but it still shows that less is often more. Proper understanding of the threats and realistic mitigation of those threats through a solid network architecture is much more important than most of the security tweaks we turn on in the name of security.

<snip>

So umm, 4 registry changes, 2 customized ACLs, and a customized login policy aren't tweaks. Oops, my bad, the emperor IS wearing clothes! Tell the big lie often enough and it becomes truth.

And, one question: how many critical updates would you have had to apply (not TWEAKS, of course) to keep this piece secure until now?

Dan Sichel
Network Engineer
Ponderosa Telephone
[EMAIL PROTECTED]
(559) 868-6367

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/