Security Basics mailing list archives
RE: information harvesting from within the network
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Fri, 20 May 2005 16:12:38 -0400
Within a Windows Environment, I'd recommend using the Microsoft Baseline Security Analyzer to identify the weak links in your Windows deployment. Nice thing about it is it give you the MS recommended resolutions. Things like denying Anonymous Enumeration. As far as GPO's go, in a University environment, your networked PC's are most likely not part of the domain, but rather just College students and therefore your GPO's will have no effect on their particular units. However, you should deploy GPO's to lockdown those PC's within your domain. Again, the MS BSA tool will help you ID some issues and supply solutions. http://www.microsoft.com/technet/security/tools/mbsahome.mspx If you need GPO recommendations, you can check Microsoft's site for Hardening Windows Clients in a Windows Server Environment, or there are NIST docs. Here are some links to get you going: http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/sec _winxp_pro_server_env.mspx http://www.microsoft.com/technet/security/smallbusiness/prodtech/windows 2000/sec_win2000_pro_server_env.mspx http://csrc.nist.gov/publications/nistpubs/index.html Good Luck! -JMB -----Original Message----- From: ddjjembe 2 [mailto:ddjjembe2 () hotmail com] Sent: Thursday, May 19, 2005 10:40 PM To: security-basics () securityfocus com Subject: information harvesting from within the network Background: I work in a university that has university typical security practices. Currently any authenticated user can scan the parts of the network with tools like LANguard or Nessus and obtain a considerable amount of information from them. Most of the computers in our network are windows computers. We also have departments with MACs and *nix machines. Goal: If possible, lock down the Windows computers with group policies and/or templates to disable this potential unauthorized information harvesting users and then restrict scanning ability to the security group with LDAP permissions. Am I on the right track here? I would like to achieve this without using a host based firewall. Group policies have large pool of settings to pick from. Narrowing it down to a few that disable at least portions would be appreciated. Thanks, ddjembe _________________________________________________________________ Don't just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/
Current thread:
- information harvesting from within the network ddjjembe 2 (May 20)
- RE: information harvesting from within the network Jason Lopez (May 23)
- Re: information harvesting from within the network Alexander Klimov (May 23)
- <Possible follow-ups>
- RE: information harvesting from within the network Beauford, Jason (May 20)
- RE: information harvesting from within the network D Adler (May 23)
- RE: information harvesting from within the network Andrew Shore (May 23)
- Re: information harvesting from within the network Micheal Espinola Jr (May 24)
- Re: information harvesting from within the network Henry Anslinger (May 26)