You raise some good points. But you've missed my point, I think. I wasn't saying that the OS needs to be more secure. I was saying that security needs to be much more _manageable_, in terms of configuration, reporting and documentation.
It does us no good to have an OS that is, in theory, capable of being completely secure, if the administration requirements to keep it that way are impractical. To put that in everyday terms, if Microsoft gave us a more _manageable_ security environment, it would probably do much more for the overall security of all Microsoft server sites than weird and wonderful internal changes that screw up compatibility and make it hard to run the apps that are the whole point of having the servers in the first place.

I used to say that the quality of security can be expressed as a ratio of how hard it is to do bad stuff versus how easy it is to do good stuff. If both are hard, or both are easy, it's still poor security. And if you don't have the tools to manage it, the odds are your security is going to waste your time, and it's not going to be nearly as good as it should be. The term "plausible deniability" comes to mind.

/kenw

> -----Original Message-----
> From: David W. McSpadden [mailto:[EMAIL PROTECTED]
> Sent: December-24-07 5:39 AM
> To: NT System Admin Issues
> Subject: Re: Real world security (was RE: Audit recommendation)
>
> Great theory.
> I think Microsoft tried fixing the OS in Vista. The first thing all the admins did was find out how to dumb it down so they could 'use' it. Instead of making the software work with a somewhat patched OS they/we unpatched it so the software would have to 'work' with it.
> I think a better understanding of each and every piece of software on your computers, as admins, is what is more required. The initial thread started off with a generic question about an auditor's requirement, which has produced a pretty much divided answer throughout this thread: 1 stating we should secure a network using this method and 2 stating we should secure a network using this other method. When in fact we should probably use both.
> But to use both we have to understand the implications on other software that may be installed at a later date. Documentation being the key and transferral of knowledge a close second. Until we completely understand what it is we are doing and why we need to do it, theories aside, we don't need to do anything but be some script-kiddies' punching bag.
>
> ----- Original Message -----
> From: "kenw" <[EMAIL PROTECTED]>
> To: "NT System Admin Issues" <[email protected]>
> Sent: Saturday, December 22, 2007 11:39 AM
> Subject: Real world security (was RE: Audit recommendation)
>
>
> Following up to my own posting...
>
> This issue illustrates one of the concerns that I've had for years with OS security, and not just with Windows (and I'll admit right now that I'm not familiar with what Server 2008 will bring).
>
> It's one thing to claim that the OS can, in principle, be secure. It is something very different to claim that the OS can be managed securely in a real-world environment, at small sites, without dedicated security staff and a lot of work.
>
> Now, the first reaction from a lot of people will be "quityerbitchin and learn to use the tools". Please hold off and listen. I have a case to make.
>
> a) If the management tools are better, even the experts become more effective.
>
> b) Real world computing is about a lot of things that are all important. Security is not even the most important -- in most cases, it's not the reason the computers are there. It's a support function. People have to balance their time.
>
> c) Fixing a problem at the source is more effective than fixing it at millions of destinations. Fixing the OS is more effective than fixing all the users.
>
> d) Reality is that there are always going to be a lot of computers, especially at small sites, managed by varying degrees of doofusses. Accept reality. Maybe that shouldn't be, but it is what it is. Blame fixes nothing.
> e) Being more specific, in the case below, what could be done? Here are some suggestions:
>
> - tools that analyze security event logs and alert us to significant issues. IF you have security auditing enabled, you are likely to be inundated with a lot of crap from COM objects, etc. Trying to figure out if you have a legitimate concern there, if it is even possible, can take way too much time that the average small business owner will not pay for, even if you have a reasonable suspicion something illegitimate may have occurred. Never mind the tools, the documentation isn't even very good.
>
> - tools that can tell you every place that usernames and passwords are embedded or used, and how to manage them. OK, forget third party software -- even the stuff from the OS vendor, like services, COM objects, IIS, etc.
>
> - tools that will do something a little bit intelligent, like, say, (see the example below) alert you that there have been an unusual number of failed logons lately, from suspicious sources, etc.
>
> - tools that analyze and summarize the filesystem security structure, and help deal with it as a structure.
>
> - tools that help to determine what rights a given piece of software actually needs to run, help remove those rights it doesn't, and help highlight and analyze violations.
>
> - a way to restrict certain files from being opened by unprivileged users except when using certain software (say, payroll accounting software), without having to install that software with privileges itself. Restricting simple file access by user group is not a substitute.
>
> One of the things I do, for example, is configure the domain logon script to log the details of every interactive logon and, for some sites, send an email to the appropriate person every time someone logs on with domain admin rights. Genius proof? Certainly not. Useful? Damn right.
> Reality is that, by far, most security violations are not works of genius, they're relatively easy to track and prevent. Security is like insurance: it's a risk/exposure cost/benefit trade-off.
>
> Some of these things are currently done by third party security add-ons and command-line "specialist" tools. They're certainly not provided by, say, Microsoft, in any friendly form. That's what distinguishes vendor claims from real world security. Microsoft needs to pay more attention to practical, real world security, especially for small sites.
>
> As Yogi Berra said, "In theory, theory and practice are the same, but in practice they're not."
>
> /kenw
>
> > -----Original Message-----
> > From: kenw [mailto:[EMAIL PROTECTED]
> > Sent: December-22-07 8:23 AM
> > To: NT System Admin Issues
> > Subject: RE: Audit recommendation
> >
> > That's not the point. The current Windows backoff process relies on detection of an attack. Detection relies on multiple successive failures on the same user ID within a limited time. Attacks like the one I described prevent that by avoiding repetition of the same user ID within a certain time period. The only thing in common between the attempts, with these, was the source IP. And, frankly, even that could have been changed, as this was a distributed attack.
> >
> > At that point, any backoff reaction I can think of would effectively turn such an attack into a DDOS, because it gets difficult to distinguish an attack from a normal user logon failure. Let's see... a user is allowed, say, two user/password typos within, say, a day or two, or the account is locked out for a week...?
> >
> > /kenw
>
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
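The detection gap kenw describes in the quoted exchange (a per-account lockout counter that a source rotating through many user IDs never trips) can be narrowed by also counting failures per source address, regardless of which account was tried. The Python below is an added example, not code from anyone on this thread; the log format and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (timestamp, user, source IP), shaped
# like fields exported from the Security log. 10.0.0.5 tries six different
# accounts once each in four minutes, which never trips a per-account counter.
SAMPLE_LOG = """\
2007-12-22 08:01:10 FAIL user=alice src=10.0.0.5
2007-12-22 08:01:35 FAIL user=bob src=10.0.0.5
2007-12-22 08:02:02 FAIL user=carol src=10.0.0.5
2007-12-22 08:02:40 FAIL user=dave src=10.0.0.5
2007-12-22 08:03:11 FAIL user=erin src=10.0.0.5
2007-12-22 08:03:50 FAIL user=frank src=10.0.0.5
2007-12-22 08:10:00 FAIL user=alice src=192.168.1.20
2007-12-22 08:10:30 FAIL user=alice src=192.168.1.20
"""

FIELD = {"user": 1, "src": 2}  # index of each key in the parsed tuple

def parse_log(text):
    """Parse constructed lines into sorted (timestamp, user, src) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "FAIL":
            continue  # ignore anything that is not a failed logon record
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[3].split("=", 1)[1], parts[4].split("=", 1)[1]))
    return sorted(events)

def bursts(events, by="user", threshold=5, window=timedelta(minutes=30)):
    """Keys (user IDs or source addresses) with >= threshold failures inside
    any sliding window of length `window`. by="user" is the classic lockout
    rule; by="src" counts failures per source regardless of which account
    was tried, so a source rotating through accounts still stands out."""
    per_key = defaultdict(list)
    for ev in events:
        per_key[ev[FIELD[by]]].append(ev[0])
    hits = set()
    for key, times in per_key.items():  # times are sorted because events are
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return hits
```

Running both rules over the same export (`bursts(events, by="user")` and `bursts(events, by="src")`) shows the per-account rule staying silent while the per-source rule flags 10.0.0.5; a distributed attack spread over many sources would still need a third view, such as distinct accounts failed per minute site-wide.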
