Network Security Focus-Microsoft

RE: What server hardening are you doing these days?

Subject: RE: What server hardening are you doing these days?
Date: Thu, 10 Nov 2005 09:12:44 -0500
Personally I use the Windows Server 2003 Security Guide at
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/.
If it is not in there I am very cautious about applying the change.
There is also a Windows XP security guide at
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx.
I made one change that was not in either guide.  The change
was from a reputable source and claimed this should have no impact on
end users.  This was a modification to the behavior of IE to fix an
unpatched vulnerability.  I did test the change, but not well enough.
Shortly after rolling out the change to our entire organization, one of
our applications stopped working.  This was a third-party application.
We had rolled it out using a custom administrative template.  The
rollback required another modification using a custom template.  Again
testing was not totally complete.  It took several weeks before we
finally removed this from all the PCs in our domain.

Dennis

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa@pacbell.net] 
Sent: Wednesday, November 09, 2005 4:23 PM
To: focus-ms@securityfocus.com
Subject: What server hardening are you doing these days?


Steve Riley's WebLog : When security breaks things:
http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx

Are folks doing additional hardening to their servers these days and if 
so, what guidance are you using?

Interesting blog post about the impact of such hardening and not 
supported ACL adjusting.

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

