Network Security Focus-Microsoft
RE: What server hardening are you doing these days?

Subject: RE: What server hardening are you doing these days?
Date: Tue, 15 Nov 2005 15:44:10 +0000
On Sun, 2005-11-13 at 10:47 -0800, Jim Harrison (ISA) wrote:
> Remember: all MS code is tested in the context of OOB deployment and
> MS-published security guidelines.  The minute you step out of those
> boxes, you're taking some not-so-insignificant risks upon yourself and
> your customers.

I think the point here is, if you had been made aware of all the
ramifications involved when you make a change then you would be able to
manage that risk. 

If the vendor hasn't considered the fact that some users may want to
tighten beyond their recommendations, that's a risk introduced by the
vendor. The user then has to choose to follow the vendor's advice and
accept what the vendor defines as acceptable risk, or to wing it based on
their own guesswork. This would not hold water in any risk analysis.

The advice you provide above, "Do what we say and don't go any further",
isn't adequate from my perspective. Advice more manageable from a risk
point of view is "Do what we say and don't go any further, but if you do,
here are the possible ramifications and you may want to prepare for
XYZ and in the future". This is what I'd consider sound risk-based
security advice and what I'd like to see more of from all vendors, not
just MS - who I personally feel are getting closer to this.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3

