In light of how quickly the Zotob/etc. worms spread after MS05-039 was released (6 days, was it?), I think it's safer to stick to Microsoft-tested ACLs and templates and push down patches quickly. I usually have all my machines patched the weekend after the patches come out. I can do that because I don't mess with ACLs for an operating system I don't fully understand.
Theoretically, I like the idea of perfect file ACLs and mandatory access control. However, in the real world, security must be realistic to the situation. All the file ACLs in the world can't help an unpatched machine. MAC can't do much with a privilege-elevation exploit on a system executable. I try to assess the risk based on what I see in the real world, and #1 on that list is unpatched Windows boxes getting owned. Since I don't let anyone but sys admins on my production servers, file ACLs aren't as big of an issue. What I'd like to see from Microsoft is executable whitelisting turned on by default: no program runs unless it is part of the system or an admin has explicitly installed it (and thus adding it to the whitelist). Since regular users are denied write access to anything other than their own directories we are halfway there. Let me also say that I am not a raving Microsoft fanatic. If I can accomplish my goals using a non-GUI Debian (that's a Linux distro for the uninitiated =) ) server, I will. Unfortunately, Linux has a ways to go when it comes to shared file access (Active Directory groups) and centralized domain-wide policy management (Group Policy). I use the product that is best suited for the need. Derick Anderson > -----Original Message----- > From: Depp, Dennis M. [mailto:[EMAIL PROTECTED] > Sent: Friday, November 11, 2005 7:06 AM > To: [EMAIL PROTECTED]; Derick Anderson > Cc: [email protected] > Subject: RE: What server hardening are you doing these days? > > While I agree the NSA guides are more secure. There is also > the Center for Internet Security http://www.cisecurity.org. > The problem with these templates is I'm not sure Microsoft > uses them when they do regression testing for hotfixes and > service packs. This means I have to do more complete testing > for hotfixes and service packs. This translates into longer > deployment time for a hotfix. Each organization has to > decide if the additional security of the NSA or CIS guides > provides is worth the additional problems in patch deployment. > > Dennis > > -----Original Message----- > From: Syv Ritch [mailto:[EMAIL PROTECTED] > Sent: Thursday, November 10, 2005 6:34 PM > To: Derick Anderson > Cc: [email protected] > Subject: Re: What server hardening are you doing these days? > > Derick Anderson wrote: > > > I also stick to Microsoft best practices when it comes to Microsoft > > servers, it's just safer that way. I haven't yet implemented the > Windows > > 2003 Security guide templates (for fear of breaking our production > > environment) but I plan to do that after I've taken care of > some other > > more basic issues (domain split, network split, user > lockdown, etc.). > > > > Maybe you should reconsider. There is lot better than MS when > it comes to advising on security. > > http://www.nsa.gov/snac/downloads_all.cfm > > The NSA. They have both guides and templates. It actually > works and is far more secure than the MS advice. > > -- > Thanks > http://www.911networks.com > When the network has to work Cisco/Microsoft > > -------------------------------------------------------------- > ---------- > --- > -------------------------------------------------------------- > ---------- > --- > > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
