On Sun, 2005-11-13 at 10:47 -0800, Jim Harrison (ISA) wrote:
> Remember; all MS code is tested in the context of OOB deployment and
> MS-published security guidelines. The minute you step out of those
> boxes, you're taking some not-so-insignificant risks upon yourself and
> your customers.
I think the point here is, if you had been made aware of all the ramifications involved when you make a change, then you would be able to manage that risk. If the vendor hasn't considered the fact that some users may want to tighten beyond their recommendations, that's a risk introduced by the vendor. The user then has to choose to follow the vendor's advice and accept what the vendor defines as acceptable risk, or to wing it based on their own guesswork. This would not hold water in any risk analysis.

The advice you provide above, "Do what we say and don't go any further", isn't adequate from my perspective. Advice more manageable from a risk point of view is "Do what we say and don't go any further, but if you do, here are the possible ramifications and you may want to prepare for XYZ and in the future". This is what I'd consider sound risk-based security advice and what I'd like to see more of from all vendors, not just MS - who I personally feel are getting closer to this.

--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
"He who hingeth aboot, geteth hee-haw" Victor - Still Game
blog: http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3
