RE: What server hardening are you doing these days?

Matthew,
I can understand the frustration people had with NT 4, but your broad
accusations seem... Well... Hmmmm. 

Have you seen these documents that I helped to author?
Windows Server 2003 Security Guide:
http://go.microsoft.com/fwlink/?LinkId=14845
Windows XP Security Guide: http://go.microsoft.com/fwlink/?LinkId=14839
Threats and Countermeasures: Security Settings in Windows Server 2003
and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159

And others from different teams:
Exchange 2003 Hardening Guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4
aef-9a44-504db09b9065&displaylang=en
Scenarios and Procedures for Microsoft Systems Management Server 2003:
Security:
http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4
376-a72d-fd34a6c4a44c&DisplayLang=en
ISA Server 2004 Security Hardening Guide:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityharde
ningguide.mspx
MOM 2005 security guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-4
2ff-bc1e-d181ccfe5dcf&displaylang=en

Have you seen links such as these? 
http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
acknowledgements page in the PDF file)
http://www.informationweek.com/story/showArticle.jhtml?articleID=1664042
90 
http://www.eweek.com/article2/0,1895,1860574,00.asp

If you're looking for mandatory access control, no general purpose
commercial software supports that out of the box. MACs is, in my
opinion, not viable for the vast majority of users and businesses. As
for localsystem having full access to the file system, your comment
suggests that you don't realize localsystem has full access to virtually
everything. Its analogous to root on *nix. If you have data you want to
protect from even localsystem you'll have to encrypt it and store the
key separate from the computer. 

To reiterate Laura's request, do you have a specific suggestion?

Kurt Dillard   CISSP, ISSAP, CISM, MCSE
Program Manager - Security Solutions
Microsoft Federal

-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net] 
Sent: Thursday, November 10, 2005 12:48 PM
To: 'matthew patton'; focus-ms@securityfocus.com
Subject: RE: What server hardening are you doing these days?

I'm having a difficult time grokking what your actual assertion is here.
What are you saying that Microsoft should have published that they
haven't published? Have you looked at the default permissions in Win2K3?
Have you looked at the changes in accounts related to Local System,
Local Service and Network Service? I'm seeing a lot of vague accusation
in your post, but not any explanation of what your point is. 

Laura

> -----Original Message-----
> From: matthew patton [mailto:pattonme@yahoo.com]
> Sent: Thursday, November 10, 2005 10:40 AM
> To: focus-ms@securityfocus.com
> Subject: Re: What server hardening are you doing these days?
>
> I just love this bit from the MS release:
>
> <quote>
> Because of these changes to the core operating system of Windows XP 
> and of Windows Server 2003, extensive changes to file permissions on 
> the root of the operating system are no longer required.
>
> Additional ACL changes may invalidate all or most of the application 
> compatibility testing that is performed by Microsoft. Frequently, 
> changes such as these have not undergone the in-depth testing that 
> Microsoft has performed on other settings. Support cases and field 
> experience has shown that ACL edits change the fundamental behavior of

> the operating system, frequently in unintended ways. These changes 
> affect application compatibility and stability and reduce 
> functionality, both in terms of performance and capability.
> </quote>
>
> This is called FUD. Microsoft has not once BOTHERED to investigate and

> publish least privilege on their OS. Here in DoD land the 
> NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on the

> matter of fixing the sad excuse that is windows filesystem security.
> Mostly because M$ itself has never published anything. To be fair, 
> it's improved a little bit since NT4 but LocalSystem in particular has

> WAY too much access. Of course the vendor doesn't want you to change 
> anything. They can't be bothered to configure their OS correctly to 
> begin with.
>
> If M$ wanted to they could ship Vista with proper filesystem 
> permissions out of the box and nobody would notice. They just can't be

> bothered. Afterall, when you have such a disorganized OS going 16 
> different ways, and an ISV community that has for decades been getting

> away with murder, would you want to spend the time to figure out which

> in-house programmer was being an idiot and assuming he could just step

> all over the filesystem? Programmers are just plain sloppy.
> They have no incentive to make security a priority. For all the PR 
> about M$'s new "we care about security" schtick, not a whole heck of a

> lot is going to change.
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------


------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------