Matthew,

It's sounding as though it has perhaps been a while since you updated your familiarity with the newer operating systems. When is the last time you denied Local System access to "certain files" (and I'm familiar with what it is of which you speak, but I haven't done that since NT4 in 1996 or so)? This isn't a challenge; it's an honest question.

Have you looked at IIS6 from an architectural standpoint? IIS 6 is an entirely different product than its predecessors. Completely rearchitected from the ground up, and not even close in terms of what resides where. You're pointing out issues that have long been fixed. I'd suggest taking a look at some of the links that people have provided, because among other things, some of them actually outline how significantly the OS defaults changed in Windows Server 2003.

If we were debating NT 4 here, then the below might be valid. However, NT4 was released a decade ago, and we're now dealing with Windows Server 2003, which has been out for over two years. Windows Server 2003 is an entirely different animal, even down to things like kernel exception handling.

Speaking for myself, I always like to test anything I assert before making statements, because sometimes I find out that my knowledge is outdated or lacking when I do so. Since you say you've not looked at all of the information provided by others, it's therefore a specious argument to say that "none of them has bothered to address the basic, out of the box faults of the windows filesystem permissions". The reality is, Microsoft has addressed them.

Start taking a deeper look, and read the Microsoft security guides. Seriously. You'll find that you've made some statements that just aren't true anymore.

Laura

> -----Original Message-----
> From: matthew patton [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 11, 2005 2:00 AM
> To: [email protected]
> Subject: Re: What server hardening are you doing these days?
>
> ok, seems I need to clarify since several people have
> responded with their bookmark collection of tips, cheats,
> workarounds, papers, etc.
> etc. etc.
>
> While not having looked at all of them, the point is none of
> them has bothered to address the basic, out of the box faults
> of the windows filesystem permissions, nor the culture of
> permissiveness that permeates all things windows. It's one
> band-aid after another.
>
> LocalSystem isn't 'root'. It's similar in some aspects, but I
> can trash an NT box by denying LocalSystem permissions to
> certain files. I can lock out the Administrator likewise. The
> point is not that there aren't a zillion different guides to
> living "more safely" with windows. The point is that on a
> most rudimentary level, when you start with LocalSystem
> having Full Control over the entire disk and there is NOT ONE
> reason for it to be that way, you have a situation where
> security wasn't thought thru. IIS has no business running as
> LocalSystem for example. It should be fully capable of
> running as a 'normal' user with maybe a couple of special
> privs attached. The concept and implementation of 'sudo' has
> been around for what, more than 10 years?
>
> How many of you throw the vendor documentation in the trash
> and actually make the product run as an unprivileged user?
> Say Oracle? or ColdFusion, or WebSphere, BEA, etc? Think
> about it. You have all these operating system components, 3rd
> party "daemons", and who knows what all running as the same
> user. And said user has full control permissions to
> practically every file on the disk. So what that maybe there
> are 30% fewer buffer overflows in the unholy number of
> millions of lines of code. If the filesystem/registry
> permissions are such that LocalSystem can't do jack, I don't
> care so much if there are glaring problems. (not to imply I
> condone sloppy coding)
>
> I have yet to find a guide that actually spelled out the REAL
> permissions needed for LocalSystem. It needs 'read' to pieces
> of the %system% tree and 'write' to a couple of files but
> that's it. Mention to Microsoft that you've wholesale mucked
> with their "anything goes"
> permission set and they have a coronary and disavow any
> notion of support. Why is that? Are they ignorant about what
> their own product actually needs? Where is the security team
> that has gone thru and redefined all permissions to what they
> should be and told the programmers to go back and fix their code?
>
> The filesystem is the easy one. I don't have the interest or
> the time to bother with the registry though in some respects
> that's probably more important.
