Network Security Focus-Microsoft
RE: What server hardening are you doing these days?

Subject: RE: What server hardening are you doing these days?
Date: Fri, 11 Nov 2005 08:35:15 -0500
 
In light of how quickly the Zotob/etc. worms spread after MS05-039 was
released (6 days, was it?), I think it's safer to stick to
Microsoft-tested ACLs and templates and push down patches quickly. I
usually have all my machines patched the weekend after the patches come
out. I can do that because I don't mess with ACLs for an operating
system I don't fully understand. 

Theoretically, I like the idea of perfect file ACLs and mandatory access
control. However, in the real world, security must be realistic to the
situation. All the file ACLs in the world can't help an unpatched
machine. MAC can't do much with a privilege-elevation exploit on a
system executable. I try to assess the risk based on what I see in the
real world, and #1 on that list is unpatched Windows boxes getting
owned. Since I don't let anyone but sys admins on my production servers,
file ACLs aren't as big of an issue.

What I'd like to see from Microsoft is executable whitelisting turned on
by default: no program runs unless it is part of the system or an admin
has explicitly installed it (thus adding it to the whitelist). Since
regular users are denied write access to anything other than their own
directories, we are halfway there.

Let me also say that I am not a raving Microsoft fanatic. If I can
accomplish my goals using a non-GUI Debian (that's a Linux distro for
the uninitiated =) ) server, I will. Unfortunately, Linux has a ways to
go when it comes to shared file access (Active Directory groups) and
centralized domain-wide policy management (Group Policy). I use the
product that is best suited for the need. 

Derick Anderson
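The default-deny policy sketched above (code runs only from OS and admin-installed locations that regular users cannot write to) can be modelled as a small path-based policy check. This is an added illustration, not code from the list or from Microsoft; the allowed roots, the admin-installed entries and the execution records are constructed sample values. It also shows why the path must be normalised before matching, since a naive prefix test would treat `C:\Windows\..\Users\bob\x.exe` as a system path.

```python
import ntpath

# Constructed policy: code may run only from the OS and admin-installed
# locations, which regular users cannot write to; everything else
# (profiles, temp, downloads, shares) is denied by default.
ALLOWED_ROOTS = (r"C:\Windows", r"C:\Program Files")
ADMIN_INSTALLED = (r"C:\Apps\Backup\agent.exe",)   # explicit per-file whitelist entries

def _norm(p: str) -> str:
    # Collapse "." and ".." components and fold case so that a path such as
    # C:\Windows\..\Users\bob\x.exe cannot masquerade as a system path.
    return ntpath.normcase(ntpath.normpath(p))

def _under(path: str, root: str) -> bool:
    # True when path is root itself or lies below it (separator-aware, so
    # C:\Windows2 is not mistaken for C:\Windows).
    path, root = _norm(path), _norm(root).rstrip("\\")
    return path == root or path.startswith(root + "\\")

def is_execution_allowed(path: str) -> bool:
    """Allow only code under an allowed root or explicitly whitelisted by an admin."""
    if any(_under(path, root) for root in ALLOWED_ROOTS):
        return True
    return _norm(path) in {_norm(p) for p in ADMIN_INSTALLED}

def audit(events):
    """Return the (user, path) execution records the policy would have blocked."""
    return [(user, path) for user, path in events if not is_execution_allowed(path)]

# Constructed sample execution log (user, image path); not real data.
SAMPLE_EVENTS = [
    ("alice", r"C:\Windows\System32\notepad.exe"),
    ("alice", r"C:\Users\alice\Downloads\invoice.exe"),
    ("svc", r"C:\Apps\Backup\agent.exe"),
    ("bob", r"C:\Windows\..\Users\bob\AppData\Local\Temp\update.exe"),
    ("bob", r"c:\program files\Vendor\tool.exe"),
]

if __name__ == "__main__":
    for user, path in audit(SAMPLE_EVENTS):
        print(f"DENY {user}: {path}")
```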


-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@ornl.gov] 
Sent: Friday, November 11, 2005 7:06 AM
To: tux@911networks.com; Derick Anderson
Cc: focus-ms@securityfocus.com
Subject: RE: What server hardening are you doing these days?

While I agree the NSA guides are more secure, there is also 
the Center for Internet Security (http://www.cisecurity.org).  
The problem with these templates is I'm not sure Microsoft 
uses them when they do regression testing for hotfixes and 
service packs.  This means I have to do more complete testing 
for hotfixes and service packs.  This translates into longer 
deployment time for a hotfix.  Each organization has to 
decide if the additional security the NSA or CIS guides 
provide is worth the additional problems in patch deployment.

Dennis

-----Original Message-----
From: Syv Ritch [mailto:tux@911networks.com]
Sent: Thursday, November 10, 2005 6:34 PM
To: Derick Anderson
Cc: focus-ms@securityfocus.com
Subject: Re: What server hardening are you doing these days?

Derick Anderson wrote:

I also stick to Microsoft best practices when it comes to Microsoft 
servers, it's just safer that way. I haven't yet implemented the 
Windows 2003 Security guide templates (for fear of breaking our 
production environment) but I plan to do that after I've taken care 
of some other more basic issues (domain split, network split, user 
lockdown, etc.).


Maybe you should reconsider. There are a lot better sources than MS when 
it comes to advising on security.

http://www.nsa.gov/snac/downloads_all.cfm

The NSA. They have both guides and templates. It actually 
works and is far more secure than the MS advice.

--
Thanks
http://www.911networks.com
When the network has to work Cisco/Microsoft


