Firewall Wizards mailing list archives
Re: How to Secure Windows? was How to Save the World
From: "Keith A. Glass" <salgak () speakeasy net>
Date: Mon, 13 Dec 2004 19:31:32 +0000
-----Original Message----- From: MHawkins () TULLIB COM [mailto:MHawkins () TULLIB COM] Sent: Monday, December 13, 2004 04:42 PM To: mjr () ranum com, firewall-wizards-admin () honor icsalabs com, fred () avolio com, firewall-wizards () honor icsalabs com Subject: [fw-wiz] How to Secure Windows? was How to Save the World Marcus, Oh how I wish we were back in the days of the 3270 controller and the Zilog Z80! But seriously, it has always been most annoying to me that with a few good books, the Internet, a few mentors and experience I have been able to keep very up to date and highly proficient at securing Unix (all flavors) and networks (all vendor flavors of routers, switches, firewalls etc) but Microsoft remains a black art where only third party vendors seem to be able to secure the platform. The books on Windows security are always generic rubbish and never give you the real nuts and bolts of how to actually secure Windows. The Internet searches invariably turn up generic how to's as well that stink. And I have not yet met a Windows admin who knows enough (or took it seriously enough)about securing Windows unless it was done with third party products (and I have worked for alot of great big companies and every year the Windows folks remain committed to third party products and don't know diddly about securing Windows themselves while the Unix and network folks get more and more professionally security savy and sophisticated). And trying to do it in the lab myself always pointed me back to the three problems above. All I want to do is have a standard cheat sheet to lock down the machine so that all those exe's that I don't want to run - CAN'T - and all those exe's that I do want to let run - CAN - but only under their own account and only in their own volume space! Is that too much to ask?
I **COULD** be snide and say: FDISK /MBR and install Linux or *BSD, but. . . 1. Shut down and disable the default IIS sites. ALWAYS create a new IIS instance, and NEVER take any defaults, with the exception of the remote username auto-generated for remote internet/web users. Yes, you NEED IIS with Win2000 and on, but you DON'T need the defaults. 2. Kill some of the other defaults: rename the Administrator account to something else, something non-obvious that looks like any other user account. Then rename the Guest account to "Administrator". . .and disable the account. 3. Implement complex passwords AND give them timeouts and a history check, preferably 10 passwords or more long. And REQUIRE Windows passwords to be 8 characters, no more, no less, to beat the people trying to hack the second half of the password hash. If the second hash is blank, that hacker is out of luck. 4. Patches: 'nuff said, but do NOT rely on automatic Windows Updates. Check Windows Update EVERY day, and NOTE the packages they thing you need. Then download and install them manually, AND ARCHIVE THEM OFFLINE. You'll need them for rebuilds and/or new boxes. Also, regularly use Shavlik's Hotfix Checker and the latest patch status XML from Microsoft. And boxes do NOT touch the Net until AT the current patchlevel, even behind a firewall. . . 5. Use a NON-WINDOWS firewall: configure it as tightly as you can. But putting a firewall on a Windows platform is an invitation to the entire world that says: "Hack me, I've got a blithering idiot/typical MCSE for an admin: he/she will never even notice that the box is owned. 6. Last, but not least: use the NSA Guides: http://www.nsa.gov/snac/ _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: How to Secure Windows? was How to Save the World, (continued)
- Re: How to Secure Windows? was How to Save the World Devdas Bhagat (Dec 13)
- Re: How to Secure Windows? was How to Save the World Kevin Sheldrake (Dec 14)
- Re: How to Secure Windows? was How to Save the World Dave Piscitello (Dec 21)
- Re: How to Secure Windows? was How to Save the World Paul D. Robertson (Dec 23)
- Re: How to Secure Windows? was How to Save the World Dave Piscitello (Dec 26)
- Re: How to Secure Windows? was How to Save the World Paul D. Robertson (Dec 27)
- Re: How to Secure Windows? was How to Save the World Barney Wolff (Dec 26)
- Re: How to Secure Windows? was How to Save the World Paul D. Robertson (Dec 27)
- Re: How to Secure Windows? was How to Save the World Paul D. Robertson (Dec 23)
- Re: How to Secure Windows? was How to Save the World Mark (Dec 26)
- Re: How to Secure Windows? was How to Save the World Paul D. Robertson (Dec 27)
- Re: How to Secure Windows? was How to Save the World Devdas Bhagat (Dec 13)