Great theory.
I think Microsoft tried fixing the OS in Vista. The first thing all the admins did was find out how to dumb it down so they could 'use' it. Instead of making the software work with a somewhat patched OS, they/we unpatched it so the software would have to 'work' with it. I think a better understanding of each and every piece of software on your computers, as admins, is what is more required. The initial thread started off with a generic question about an auditor's requirement, which has produced a pretty much divided answer throughout this thread: (1) stating we should secure a network using this method and (2) stating we should secure a network using this other method. When in fact we should probably use both. But to use both we have to understand the implications on other software that may be installed at a later date. Documentation being the key and transferral of knowledge a close second. Until we completely understand what it is we are doing and why we need to do it, theories aside, we don't need to do anything but be some script-kiddies' punching bag.

----- Original Message -----
From: "kenw" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[email protected]>
Sent: Saturday, December 22, 2007 11:39 AM
Subject: Real world security (was RE: Audit recommendation)


Following up to my own posting...

This issue illustrates one of the concerns that I've had for years with
OS security, and not just with Windows (and I'll admit right now that
I'm not familiar with what Server 2008 will bring).

It's one thing to claim that the OS can, in principle, be secure.  It is
something very different to claim that the OS can be managed securely in
a real-world environment, at small sites, without dedicated security
staff and a lot of work.

Now, the first reaction from a lot of people will be "quityerbitchin and
learn to use the tools".  Please hold off and listen.  I have a case to
make.

a) If the management tools are better, even the experts become more
effective.

b) Real world computing is about a lot of things that are all important.
Security is not even the most important -- in most cases, it's not the
reason the computers are there.  It's a support function.  People have
to balance their time.

c) Fixing a problem at the source is more effective than fixing it at
millions of destinations.  Fixing the OS is more effective than fixing
all the users.

d) Reality is that there are always going to be a lot of computers,
especially at small sites, managed by varying degrees of doofusses.
Accept reality.  Maybe that shouldn't be, but it is what it is.  Blame
fixes nothing.

e) Being more specific, in the case below, what could be done?  Here are
some suggestions:

- tools that analyze security event logs and alert us to significant
issues.  IF you have security auditing enabled, you are likely to be
inundated with a lot of crap from COM objects, etc.  Trying to figure
out if you have a legitimate concern there, if it is even possible, can
take way too much time that the average small business owner will not
pay for, even if you have a reasonable suspicion something illegitimate
may have occurred.  Never mind the tools, the documentation isn't even
very good.

- tools that can tell you every place that usernames and passwords are
embedded or used, and how to manage them.  OK, forget third party
software -- even the stuff from the OS vendor, like services, COM
objects, IIS, etc.

- tools that will do something a little bit intelligent, like, say, (see
the example below) alert you that there have been an unusual number of
failed logons lately, from suspicious sources, etc.

- tools that analyze and summarize the filesystem security structure,
and help deal with it as a structure.

- tools that help to determine what rights a given piece of software
actually needs to run, help remove those rights it doesn't, and help
highlight and analyze violations.

- a way to restrict certain files from being opened by unprivileged
users except when using certain software (say, payroll accounting
software), without having to install that software with privileges
itself.  Restricting simple file access by user group is not a
substitute.

One of the things I do, for example, is configure the domain logon
script to log the details of every interactive logon and, for some
sites, send an email to the appropriate person every time someone logs
on with domain admin rights.  Genius proof?  Certainly not.  Useful?
Damn right.

Reality is that, by far, most security violations are not works of
genius, they're relatively easy to track and prevent.  Security is like
insurance: it's a risk/exposure cost/benefit trade-off.

Some of these things are currently done by third party security add-ons
and command-line "specialist" tools.  They're certainly not provided by,
say, Microsoft, in any friendly form.  That's what distinguishes vendor
claims from real world security.  Microsoft needs to pay more attention
to practical, real world security, especially for small sites.

As Yogi Berra said, "In theory, theory and practice are the same, but in
practice they're not."

/kenw


-----Original Message-----
From: kenw [mailto:[EMAIL PROTECTED]]
Sent: December-22-07 8:23 AM
To: NT System Admin Issues
Subject: RE: Audit recommendation

That's not the point.  The current Windows backoff process relies on
detection of an attack.  Detection relies on multiple successive
failures on the same user ID within a limited time.  Attacks like the
one I described prevent that by avoiding repetition of the same user ID
within a certain time period.  The only thing in common between the
attempts, with these, was the source IP.  And, frankly, even that could
have been changed, as this was a distributed attack.

At that point, any backoff reaction I can think of would effectively
turn such an attack into a DDOS, because it gets difficult to
distinguish an attack from a normal user logon failure.  Let's see... a
user is allowed, say, two user/password typos within, say, a day or two,
or the account is locked out for a week...?

/kenw
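The two patterns kenw contrasts in the messages above (a run of failures on one user ID, which the per-account lockout counter is built to notice, and one source trying many different user IDs once each, which that counter never sees) can be told apart by grouping the same failed-logon records two different ways. The script below is an added example written for this thread, not code from kenw or from Microsoft; it runs over constructed sample records, and the record layout (timestamp, account, source address), the thresholds, the ten-minute window and the TEST-NET addresses are all assumptions chosen for the illustration, not anything from a real site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of failed-logon audit records
# (timestamp, account, source address); not real log data.
# - bob: five failures in two minutes from one address (the classic burst)
# - 203.0.113.7: one failure each against ten different accounts in six
#   minutes, so no single account ever trips a per-account counter
# - alice: two typos ten hours apart (ordinary user behaviour)
SAMPLE_LOG = """\
2007-12-22 08:01:10 alice 192.0.2.10
2007-12-22 08:03:00 bob 192.0.2.5
2007-12-22 08:03:20 bob 192.0.2.5
2007-12-22 08:03:40 bob 192.0.2.5
2007-12-22 08:04:00 bob 192.0.2.5
2007-12-22 08:04:30 bob 192.0.2.5
2007-12-22 09:00:00 user01 203.0.113.7
2007-12-22 09:00:40 user02 203.0.113.7
2007-12-22 09:01:20 user03 203.0.113.7
2007-12-22 09:02:00 user04 203.0.113.7
2007-12-22 09:02:40 user05 203.0.113.7
2007-12-22 09:03:20 user06 203.0.113.7
2007-12-22 09:04:00 user07 203.0.113.7
2007-12-22 09:04:40 user08 203.0.113.7
2007-12-22 09:05:20 user09 203.0.113.7
2007-12-22 09:06:00 user10 203.0.113.7
2007-12-22 18:30:00 alice 192.0.2.10
"""


def parse_failures(text):
    """Parse one record per line into (timestamp, account, source), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, account, source = line.split()
        events.append((datetime.fromisoformat(f"{date} {clock}"), account, source))
    events.sort()
    return events


def _window_hits(items, window, measure, threshold):
    """Slide a time window over (timestamp, value) pairs sorted by time and
    return measure(values inside the window) the first time it reaches
    threshold, or None if it never does."""
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        score = measure([v for _, v in items[start:end + 1]])
        if score >= threshold:
            return score
    return None


def per_account_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` failures inside `window`:
    the repetition an ordinary lockout policy is built to notice."""
    by_account = defaultdict(list)
    for ts, account, source in events:
        by_account[account].append((ts, source))
    hits = {}
    for account, items in by_account.items():
        score = _window_hits(items, window, len, threshold)
        if score is not None:
            hits[account] = score
    return hits


def per_source_spread(events, threshold=8, window=timedelta(minutes=10)):
    """Sources that fail against at least `threshold` distinct accounts inside
    `window`. Each account sees a single failure, so per-account counting is
    blind to it; grouping by the one thing the attempts share exposes it."""
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((ts, account))
    hits = {}
    for source, items in by_source.items():
        score = _window_hits(items, window, lambda accts: len(set(accts)), threshold)
        if score is not None:
            hits[source] = score
    return hits


def analyze(text):
    """Run both detectors and return what an alerting tool would report."""
    events = parse_failures(text)
    return {
        "account_bursts": per_account_bursts(events),
        "source_spread": per_source_spread(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for key, score in hits.items():
            print(f"ALERT {kind}: {key} ({score} in window)")
```

Run against the sample, the account detector reports only bob and the source detector reports only 203.0.113.7; alice's two typos trip neither. The functions return findings rather than locking anything, which fits the point made above: an alert to a person costs nothing if it is wrong, whereas an automatic lockout keyed on the same signal is exactly what turns a spread-out attack into a denial of service. For the fully distributed case, where the source changes as well, the same sliding window can be run over all events with no grouping at all, watching the site-wide count of distinct accounts failing per window against what a normal day looks like. `datetime.fromisoformat` needs Python 3.7 or later.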

