Security Basics mailing list archives

Re: Windows Server 2003


From: Tim Syratt <tims () syratt com>
Date: Thu, 11 Sep 2003 11:21:33 +1000 (EST)


Sean I agree 110%..
It's not just Windows though.. you can't put ANY OS on the internet
without appropriate firewalling, patching and a local security policy
before you call it "safe". Even then, "safe" is only a temporary word.

I know as IT gurus it's SO easy to get caught up in the technical aspect
of building the information system, and then forgetting about the SOE
style policies and procedures that you should have in place to back up
your firewall and system policies.

Regs,
Tim

On Wed, 10 Sep 2003, Sean Earp wrote:

Chris-

Well, "secure by default" means that it ships with NOTHING activated.
IIS, etc. is turned off, and Internet Explorer is virtually unusable out
of the box (NO site is trusted, and you have to explicitly trust a site
to download, or do just about anything).

Is it more secure out of the box than Windows 2000?  Sure.  Is it
immune to common attack vectors such as Buffer overflows?  HECK NO!
Windows Server 2003 was fully vulnerable to the exploit that the
Blaster worm used, and according to news.com
<http://news.com.com/2100-1009_3-5074008.html?tag=fd_top>, two MORE
variations of the same security hole were just found, meaning that W2K3
Boxes with the last RPC patch installed are STILL FULLY VULNERABLE TO
COMPLETE TAKEOVER by a remote host.

Better than previous attempts?  Yes...   Secure? No.

Just my 2 cents...

-Sean


On Wednesday, September 10, 2003, at 05:37 AM, Chris Halverson wrote:

What does everyone think of the hype around Windows Server 2003 being
secure by default?   Has anyone implemented one in your environment?

