Network Security Focus-Microsoft

RE: What server hardening are you doing these days?

Subject: RE: What server hardening are you doing these days?
Date: Fri, 11 Nov 2005 16:18:56 -0500
That's good for most things, but virtual machines don't allow for testing of
configuration on specific hardware. This is an issue we've run into quite a
bit with some clustered Exchange environments.

Laura 

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[mailto:sbradcpa@pacbell.net] 
Sent: Friday, November 11, 2005 1:31 PM
To: kbo@relayfix.tiscali.de
Cc: Kurt.Dillard@microsoft.com; larobins@bellatlantic.net; 
pattonme@yahoo.com; focus-ms@securityfocus.com
Subject: Re: What server hardening are you doing these days?

Virtual Server..and in VMWare... the PtoV tool.

I forget the Vserver tool but they both suck up the physical 
and make a virtual image.

Brown, Sam wrote:
It would be nice if, in a future version of Windows Server, there was
a way to simulate major changes to the production environment.  I am
not aware of such a method but am open to hear from this group.  Thanks.

Sam
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[mailto:sbradcpa@pacbell.net]
Sent: Thursday, November 10, 2005 4:34 PM
To: Kurt Dillard
Cc: larobins@bellatlantic.net; matthew patton; 
focus-ms@securityfocus.com
Subject: Re: What server hardening are you doing these days?

Not to mention resources for the ISV side of the world [and this is a
mere tip of the iceberg]

MVPs in the area of app security
Visual Developer - Security:

https://mvp.support.microsoft.com/communities/mvplist.aspx?Product=Visual+Developer+-+Security

Spot the Bug!:
http://blogs.msdn.com/rsamona/default.aspx

Living the "Least Privilege" Lifestyle, Part 4: Is Developing Secure
Software as an Administrator an Impossible Dream?:
http://www.informit.com/articles/article.asp?p=418859&f1=rss&rl=1

Blogs....

Anil John <http://www.securecoder.com/blog/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22b065ff6a-b3e9-4705-ba2b-74e9ddaf5c17%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Dominick Baier <http://www.leastprivilege.com/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22d0eed383-8faf-40cd-bf24-d4c27976e23b%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Don Kiely <http://www.sqljunkies.com/WebLog/donkiely/default.aspx> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%225b786265-b44e-441a-a7dc-223cbb51e2a8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Keith Brown <http://pluralsight.com/blogs/keith/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22801dc9ce-60c2-4dad-8d2d-c5e68c017cc4%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Kenny Kerr <http://weblogs.asp.net/kennykerr/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%220688bce3-3a8f-4a76-8876-976f29dc9e66%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Nicole Calinoiu <http://spaces.msn.com/members/calinoiu/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22117327a2-d094-42a2-b749-933f6eed9278%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Robert Hurlbut <http://weblogs.asp.net/rhurlbut> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%2218f87374-ed8c-4fea-bb26-291f237e299a%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Rudolph Araujo <https://www.threatsandcountermeasures.com/blogs/rudolph/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%22da2a7ecb-b899-41b6-9e8e-7b3e02cd224f%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Valery Pryamikov <http://www.harper.no/valery/> - Public Profile
<http://www.microsoft.com/communities/mvp/mvpdetails.mspx?Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22guid%22+Value%3d%222d962143-71ef-4020-b88d-9f13bc99ccb8%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e>

Web Development: Increase the Security of Your Applications:
http://www.microsoft.com/events/series/securitywebappdev.mspx

Secure Software Forum:
http://www.securesoftwareforum.com/index.html



Kurt Dillard wrote:
  
Matthew,
I can understand the frustration people had with NT 4, but your broad
accusations seem... Well... Hmmmm.

Have you seen these documents that I helped to author?
Windows Server 2003 Security Guide:
http://go.microsoft.com/fwlink/?LinkId=14845
Windows XP Security Guide:
http://go.microsoft.com/fwlink/?LinkId=14839
Threats and Countermeasures: Security Settings in Windows Server 2003
and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159

And others from different teams:
Exchange 2003 Hardening Guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=6a80711f-e5c9-4aef-9a44-504db09b9065&displaylang=en
Scenarios and Procedures for Microsoft Systems Management Server 2003:
Security:
http://www.microsoft.com/downloads/details.aspx?FamilyID=3d81b520-a203-4376-a72d-fd34a6c4a44c&DisplayLang=en
ISA Server 2004 Security Hardening Guide:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
MOM 2005 security guide:
http://www.microsoft.com/downloads/details.aspx?FamilyID=812b3089-18fe-42ff-bc1e-d181ccfe5dcf&displaylang=en

Have you seen links such as these?
http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
http://csrc.nist.gov/itsec/guidance_WinXP.html (check the
acknowledgements page in the PDF file)
http://www.informationweek.com/story/showArticle.jhtml?articleID=166404290
http://www.eweek.com/article2/0,1895,1860574,00.asp

If you're looking for mandatory access control, no general purpose
commercial software supports that out of the box. MAC is, in my
opinion, not viable for the vast majority of users and businesses. As
for localsystem having full access to the file system, your comment
suggests that you don't realize localsystem has full access to
virtually everything. It's analogous to root on *nix. If you have data
you want to protect from even localsystem you'll have to encrypt it
and store the key separate from the computer.

To reiterate Laura's request, do you have a specific suggestion?

Kurt Dillard   CISSP, ISSAP, CISM, MCSE
Program Manager - Security Solutions
Microsoft Federal

-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Thursday, November 10, 2005 12:48 PM
To: 'matthew patton'; focus-ms@securityfocus.com
Subject: RE: What server hardening are you doing these days?

I'm having a difficult time grokking what your actual assertion is
here. What are you saying that Microsoft should have published that
they haven't published? Have you looked at the default permissions in
Win2K3? Have you looked at the changes in accounts related to Local
System, Local Service and Network Service? I'm seeing a lot of vague
accusation in your post, but not any explanation of what your point is.

Laura

  
    
-----Original Message-----
From: matthew patton [mailto:pattonme@yahoo.com]
Sent: Thursday, November 10, 2005 10:40 AM
To: focus-ms@securityfocus.com
Subject: Re: What server hardening are you doing these days?

I just love this bit from the MS release:

<quote>
Because of these changes to the core operating system of Windows XP
and of Windows Server 2003, extensive changes to file permissions on
the root of the operating system are no longer required.

Additional ACL changes may invalidate all or most of the application
compatibility testing that is performed by Microsoft. Frequently,
changes such as these have not undergone the in-depth testing that
Microsoft has performed on other settings. Support cases and field
experience has shown that ACL edits change the fundamental behavior of
the operating system, frequently in unintended ways. These changes
affect application compatibility and stability and reduce
functionality, both in terms of performance and capability.
</quote>

This is called FUD. Microsoft has not once BOTHERED to investigate and
publish least privilege on their OS. Here in DoD land the
NSA/DISA/ArmedService' "hardening" guidelines are nearly silent on the
matter of fixing the sad excuse that is windows filesystem security.
Mostly because M$ itself has never published anything. To be fair,
it's improved a little bit since NT4 but LocalSystem in particular has
WAY too much access. Of course the vendor doesn't want you to change
anything. They can't be bothered to configure their OS correctly to
begin with.

If M$ wanted to they could ship Vista with proper filesystem
permissions out of the box and nobody would notice. They just can't be
bothered. After all, when you have such a disorganized OS going 16
different ways, and an ISV community that has for decades been getting
away with murder, would you want to spend the time to figure out which
in-house programmer was being an idiot and assuming he could just step
all over the filesystem? Programmers are just plain sloppy.
They have no incentive to make security a priority. For all the PR
about M$'s new "we care about security" schtick, not a whole heck of a
lot is going to change.


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

