Windows is EASY and SECURE

["Daniel Sichel" <daniels () Ponderosatel com>]

I thought you might find the following, gleaned from a Microsoft web
site white paper about "Myths of Security" amusing... But before you
laugh too hard, remember the Dilbert bosses are all reading and
believing this stuff.

Myth 4: Tweaks Are Necessary
<snip>

Even on highly exposed systems, most of the tweaks are not necessary. In
eWeek's Open Hack IV competition in 2002 (see
http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp), we
built what was probably the most protected network we have ever built.
In all, we made only four registry tweaks, a couple of ACL changes, and
set a password policy. The rest of the protection for those systems was
based on proper network segmentation, a solid understanding of the
threats, turning off unneeded services, hardening Web apps (see Writing
Secure Code, 2nd edition, by Howard and LeBlanc [Redmond, WA: Microsoft
Press, 2003]), and properly protecting Web servers and the computer
running SQL Server. Of course, this was a specialized system with very
limited functionality, but it still shows that less is often more.

Proper understanding of the threats and realistic mitigation of those
threats through a solid network architecture is much more important than
most of the security tweaks we turn on in the name of security.
<snip>

So umm 4 registry changes, 2 customized ACLS, and a customized log in
policy aren't tweeks. Ooops, my bad, the emperor IS wearing clothes!
Tell the big lie often enough and it becomes truth. And, one question,
how many critical updates would you have had to apply (not TWEEKS, of
course) to keep this piece secure until now?

Dan Sichel
Network Engineer
Ponderosa Telephone
daniels () ponderosatel com (559) 868-6367


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/