IDS mailing list archives
RE: SIM Tools, and endpoint security.
From: "Drew Simonis" <simonis () myself com>
Date: Wed, 25 May 2005 12:44:20 -0500
Hi Drew, I'm referring to Windows File Protection - http://support.microsoft.com/kb/310747/EN-US/ This is configurable via Group Policy and offers 100% protection of system files on the intended target.
Back in the day, I remember being able to trick SFC into replacing with the wrong file. I suppose this has been fixed?
..add to this Windows XP SP2, then you've got a pretty rock solid workstation base that is not open to infection (as the firewall doesn't allow anything in), and maintains integrity of system files (so malicious code can't take over the system).
I don't agree with this statement. There are a few key assumptions. First, you assume that the only way to become infected is via the network. That is obviously false, as all of our email worms show. But, even if it were true, most workstations allow inbound file sharing via CIFS, which is a common attack vector and propogation method. So, client firewalls don't offer nearly the protection one might wish for unless configured correctly (not often done in large enterprises). In addition, the problem with the Windows file checker is that it doesn't allow for checking of arbitrary other programs. So, we have yet another windows only solution, which is to be expected. However, it doesn't equate to 100% protection nor does it obviate the need to install 3rd party tools that offer broader coverage. Anyway, malware doesn't need to monkey with the system files to take over the system.
There's quite a lot more to Microsoft's OS security that often gets overlooked, and many sysadmins are steered away from this with clever marcoms and end up buying 3rd party applications to fill the gap. My point is, be 100% sure that what you've got cannot do what you want, before you go and buy something else! ;)
All said, a good point. I'd add to be sure what you want before looking for products. -Ds -- ___________________________________________________________ Sign-up for Ads Free at Mail.com http://promo.mail.com/adsfreejump.htm -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- RE: SIM Tools, and endpoint security. THolman (May 19)
- <Possible follow-ups>
- RE: SIM Tools, and endpoint security. Drew Simonis (May 24)
- RE: SIM Tools, and endpoint security. THolman (May 24)
- RE: SIM Tools, and endpoint security. Bill Royds (May 28)
- RE: SIM Tools, and endpoint security. Drew Simonis (May 28)