Re: Microsoft plans tighter security measures in Windows XP SP2

[yossarian <yossarian () planet nl>]

Most of it appears to be tighten the defaults. Usefull, yes, but not very
new..

New is: "Interface restriction (exposed to developers, for example, through
a new registry key called RestrictRemoteClients) modifies the behavior of
all remote procedure call interfaces on the system and will, by default,
eliminate remote anonymous access to RPC interfaces on the system, with some
exceptions.". All I can say is better late than never, this should have
existed ages ago - this is not XP specific. In 2001 when the first RPC
issues appeared on NT4 and W2k, I had expected such a step.

The introduction of an ACL on DCOM: well, why not just disable DCOM? Most
users don't need it, it does not solve problems that could not be solved in
another way. The possibility for 'more granular control' for admins on DCOM
means that more things can be tightened, if you now what they are and have
time to do so in a few thousand or more PC's. Never had much trouble with
PC's that had DCOM completely disabled anyway. Not more security in this SP2
thingie, unless a raise in the TCO is acceptable - things can be secured.

ICF will be enabled by default but will no longer block RPC. Yeah, great.
Oh, it will have a 'shielded mode', to block all RPC till a fix for a new
vulnerability is found. Yeah, same as with previous remark - who really
needs RPC? Many admins have no time to use remote management and/or registry
features and just put a ghosts disk in a faulty machine - quick and
effective. IMHO most admins would not know what to do with the features
anyway, since the insight in what the machine is doing, and what might be
wrong, is completely lacking. Usually they can't be bothered, anyway. As far
s I can see, this feature will make systems more vulnerable (i.e. the ones
using ICF) since RPC will be open unless it is closed on ICF protected
boxes.

The application white list is an extension for ICF that has the same
problem, who knows what apps are valid, who is to manage the list of 'known
to be good' etc. Usually admins consider the Firewall a thing that just is,
and often it is managed by a specialized admin. Now every NT-admin will have
to know the working of an application firewall, and generally, of all the
installed software. This will raise the TCO, and if companies do not employ
more and more skilled support staff, the feature will just be in the way,
and ICF probably disabled.

My 0.02 cents: nice try, but next time go for less is more - less features
is more security, this is just another featuritis.



----- Original Message -----
From: "Helmut Hauser" <helmut.hauser () intraplan de>
To: <full-disclosure () lists netsys com>
Sent: Friday, October 31, 2003 2:26 PM
Subject: [Full-disclosure] Microsoft plans tighter security measures in
Windows XP SP2


> Very interesting MSDN Article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwxp/html/
securityinxpsp2.asp
> Helmut Hauser
> Systemadministration EDV
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html