RE: information harvesting from within the network

[D Adler <dadler_grd-secfoc () yahoo com>]

I would have to agree with Jason that a GPO is going
to be of little use to you. You'll be better off with
a IDS/IPS system that can shut down the network port
of the suspicious machine when it detects unusual
behavior . If you are a cisco shop, cisco is making
inroads in this direction. I am certain there are
other solutions available as well, I am just not as
familliar with them. 

regards,
dave


--- "Beauford, Jason" <jbeauford () EightInOnePet com>
wrote:
> Within a Windows Environment, I'd recommend using
> the Microsoft Baseline
> Security Analyzer to identify the weak links in your
> Windows deployment.
> Nice thing about it is it give you the MS
> recommended resolutions.
> Things like denying Anonymous Enumeration.
>
> As far as GPO's go, in a University environment,
> your networked PC's are
> most likely not part of the domain, but rather just
> College students and
> therefore your GPO's will have no effect on their
> particular units.
> However, you should deploy GPO's to lockdown those
> PC's within your
> domain.
>
> Again, the MS BSA tool will help you ID some issues
> and supply
> solutions.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
> If you need GPO recommendations, you can check
> Microsoft's site for
> Hardening Windows Clients in a Windows Server
> Environment, or there are
> NIST docs.
>
> Here are some links to get you going:
http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/sec
> _winxp_pro_server_env.mspx
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windows
> 2000/sec_win2000_pro_server_env.mspx
http://csrc.nist.gov/publications/nistpubs/index.html
> Good Luck!
>
> -JMB
>
> -----Original Message-----
> From: ddjjembe 2 [mailto:ddjjembe2 () hotmail com] 
> Sent: Thursday, May 19, 2005 10:40 PM
> To: security-basics () securityfocus com
> Subject: information harvesting from within the
> network
>
>
> Background:
> I work in a university that has university typical
> security practices.  
> Currently any authenticated user can scan the parts
> of the network with 
> tools like LANguard or Nessus and obtain a
> considerable amount of 
> information from them.   Most of the computers in
> our network are
> windows 
> computers.  We also have departments with MACs and
> *nix machines.
>
> Goal:
> If possible, lock down the Windows computers with
> group policies and/or 
> templates to disable this potential unauthorized
> information harvesting 
> users and then restrict scanning ability to the
> security group with LDAP
>
> permissions.  Am I on the right track here?
>
> I would like to achieve this without using a host
> based firewall.
>
> Group policies have large pool of settings to pick
> from.  Narrowing it
> down 
> to a few that disable at least portions would be
> appreciated.
>
> Thanks,
>
> ddjembe
_________________________________________________________________
> Don't just search. Find. Check out the new MSN
> Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>