Bugtraq mailing list archives

Re: Preventing exploitation with rebasing


From: David S Goldberg <dsg () mitre org>
Date: Tue, 04 Feb 2003 16:38:37 -0500

On Tue, 4 Feb 2003 12:08:48 -0800, Brian Hatch <bugtraq () ifokr org> said:

> I fail to see how adding security that doesn't have a performance
> or stability cost is ever a bad thing.

Agreed.  I'm not sure, however, that David's idea doesn't have an
effect on stability.  Not the stability of a single server, but of an
environment consisting of many servers.  I'm not a Windows wizard, but
I'll accept from everything I've already read in this thread that
rebasing on a single system will not have a negative impact on it.
However, I question how it will scale to several tens of servers, which
is my problem.  Is there an easy way to automate it such that it is
done after patch application?  Considering how difficult and/or
expensive, take your pick, it is to apply patches in an automated
fashion on Windows systems, I suspect not.  Moreover, I gather that for
the solution to be effective, each system should be rebased
differently, requiring even more planning to get it right even if
automation were easy.  This should not be taken as an indictment of
the idea, just a request that when implementing security solutions on
individual machines, the keepers of security consider the
issues of scale that we sysadmins have to deal with.

Thanks,
-- 
Dave Goldberg
Associate Department Head, G06A: Advanced Technical Computing Center
The Mitre Corporation \ MS K331 \ 202 Burlington Rd. \ Bedford, MA 01730
dsg () mitre org \ 781-271-3887


