RE: Re: Microsoft Security, baby steps ?

[Nick FitzGerald <nick () virus-l demon co uk>]

"Full-Disclosure" <fd () weevers net> wrote:

> In an corporate environment, you will have SUS or SMS running.
> If so, no need for internet access.

But, need for general network access to get to those machines.  thereby 
breaking the "no general network access until secure" rule.  You could 
have a second SUS/SMS setup mirroring the configs off the general 
netowrk ones and only allow that to synch off the general one when the 
test/setup network is not being used for anything else _and_ no 
"unfinished" boxes are attached to the test/setup network.

Also, in other "institutional" environments that are nmot strictly 
"corporate" that distinction can be _very_ hard to meet for such a 
setup (e.g. universities and the like).

> If you don't have this, just place a firewall on the box, or before the
> box.
> How hard can this be ? You do it the same way, as you would do before
> you
> would patch debian/*bsd/gentoo/ect/ect/ect.

Yeah, yeah.

It's easy to decide the level of exposure _you_ are comfortable with 
and I was not saying tat everyone should do it that way, just that that 
was a valid set of restrictions to have to work under.

> There is no real problem here. Don't blame microsoft if you can't come
> up with solutions to simple security "problems".

I was not blaming them for that.  I was balming them for their own 
failure (much like yours) to think outside their own level and realm of 
experience and/or their faiulure (much like yours) to acknowledge that 
there could be situations where the solution they were comfortable with 
was not acceptable.

Think outside the box dude -- oh wait, it seems you cannot see it, so I 
guess that is asking too much of you...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html