Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: What server hardening are you doing these days?

from [matthew patton] Network Security [Permanent Link]
Subject: Re: What server hardening are you doing these days?
Date: Thu, 10 Nov 2005 07:39:54 -0800 (PST) 
I just love this bit from the MS release:

<quote>
Because of these changes to the core operating system of Windows XP and
of Windows Server 2003, extensive changes to file permissions on the
root of the operating system are no longer required.

Additional ACL changes may invalidate all or most of the application
compatibility testing that is performed by Microsoft. Frequently,
changes such as these have not undergone the in-depth testing that
Microsoft has performed on other settings. Support cases and field
experience has shown that ACL edits change the fundamental behavior of
the operating system, frequently in unintended ways. These changes
affect application compatibility and stability and reduce
functionality, both in terms of performance and capability.
</quote>

This is called FUD. Microsoft has not once BOTHERED to investigate and
publish least privilege on their OS. Here in DoD land the
NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on the
matter of fixing the sad excuse that is windows filesystem security.
Mostly because M$ itself has never published anything. To be fair, it's
improved a little bit since NT4 but LocalSystem in particular has WAY
too much access. Of course the vendor doesn't want you to change
anything. They can't be bothered to configure their OS correctly to
begin with.

If M$ wanted to they could ship Vista with proper filesystem
permissions out of the box and nobody would notice. They just can't be
bothered. Afterall, when you have such a disorganized OS going 16
different ways, and an ISV community that has for decades been getting
away with murder, would you want to spend the time to figure out which
in-house programmer was being an idiot and assuming he could just step
all over the filesystem? Programmers are just plain sloppy. They have
no incentive to make security a priority. For all the PR about M$'s new
"we care about security" schtick, not a whole heck of a lot is going to
change.


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: What server hardening are you doing these days?, Derick Anderson
Next by Date:  RE: What server hardening are you doing these days?, Laura A. Robinson
Previous by Thread:  What server hardening are you doing these days?, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Next by Thread:  RE: What server hardening are you doing these days?, Laura A. Robinson
Indexes:  [Date] [Thread] [Top] [All Lists]