Full Disclosure mailing list archives

RE: Microsoft plans tighter security measures in Windows XP SP2


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 31 Oct 2003 10:35:22 -0600

-----Original Message-----
From: yossarian [mailto:yossarian () planet nl] 
Sent: Friday, October 31, 2003 8:15 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft plans tighter 
security measures in Windows XP SP2

> The introduction of an ACL on DCOM: well, why not just 
> disable DCOM? Most users don't need it, it does not solve 
> problems that could not be solved in another way.

File and printer sharing is not needed?  Remote administration is not
needed?  Maybe not in home use, but in corporate?

> Many admins 
> have no time to use remote management and/or registry 
> features and just put a Ghost disk in a faulty machine - 
> quick and effective. IMHO most admins would not know what to 
> do with the features anyway, since the insight in what the 
> machine is doing, and what might be wrong, is completely 
> lacking.

We have *students* using RA to get users' machine back up and running.
If admins can't do that, they shouldn't be admins.  I seriously doubt
admins would do this sort of work anyway.  This is basic tech support
stuff.  Admins do remote connections to *servers*, not workstations
(except for personal stuff).

> Usually they can't be bothered, anyway. As far as I 
> can see, this feature will make systems more vulnerable (i.e. 
> the ones using ICF) since RPC will be open unless it is 
> closed on ICF protected boxes.

This makes no sense.  RPC is *already* open.  If ICF leaves it open,
nothing has changed WRT RPC.  A great deal has changed WRT other things,
however.  How do systems become more vulnerable by doing this?

> The application white list is an extension for ICF that has 
> the same problem, who knows what apps are valid, who is to 
> manage the list of 'known to be good' etc.

This is the same thing Zone Alarm does.  I don't see too many average
users struggling with the concept, do you?  Internet Explorer wants to
access the Internet.  Do you want to allow this?  Yes!  An unknown
application, "mytroj.exe", wants to access the Internet.  Do you want to
allow this?  Huh?  NO!

> Usually admins 
> consider the Firewall a thing that just is, and often it is 
> managed by a specialized admin. Now every NT-admin will have 
> to know the working of an application firewall, and 
> generally, of all the installed software.

In AD you simply set the group policies and you're done.  This is a
*good* thing, which will reduce work for admins and make the enterprise
more secure.  For personal users, they will have a box that is truly a
client and cannot be a server without their specific authorization.
That is a good thing as well.  How many *nix distributions have the
firewall enabled by default?  Not many that I know of.  You usually have
to enable it during the install, and then you have to decide on a
configuration for it.  Granted, RedHat (for example) makes that pretty
easy, but you still have to agree to it.

Instead of griping about this, you should be thankful that MS is finally
starting to get a clue and moving in the right direction.

> This will raise the 
> TCO, and if companies do not employ more and more skilled 
> support staff, the feature will just be in the way, and ICF 
> probably disabled.

This will allow us, for the first time, to "deploy" personal firewalls
to all our Windows desktops.  I think that's a good thing, don't you?
We looked at several but couldn't afford them.  This allows us to deploy
*and* control desktop firewalls which will provide another layer of
protection for us at no additional cost other than the time spent
writing the group policy, which I'm pretty sure the admins we have can
do in a few minutes.

> My 0.02 cents: nice try, but next time go for less is more - 
> less features is more security, this is just another featuritis.

I obviously totally disagree.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
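Added example, written by the editor and not part of either poster's mail: the XP SP2 "netsh firewall" commands that put the configuration argued about above into practice on one machine, with the exception list kept active, file/print sharing and remote administration limited to the local subnet, and one program-exception entry. The program path "C:\Tools\helpdesk.exe" is a placeholder, not a real product.

```powershell
# Added example (not from the thread). XP SP2 'netsh firewall' context;
# the commands also run from cmd.exe. Run as a local administrator.

# Turn the firewall on for the domain profile and keep the exception
# list (the "application white list") active instead of blocking all.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

# Server-type exposure only where authorised: file/print sharing and
# remote administration (the RPC/DCOM ports used for remote management)
# answer to the local subnet only, never to the Internet.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=SUBNET profile=DOMAIN

# One entry on the "known to be good" list. The path is a placeholder
# for whatever support tool actually needs to accept connections.
netsh firewall add allowedprogram program="C:\Tools\helpdesk.exe" name="Helpdesk agent" mode=ENABLE scope=SUBNET profile=DOMAIN

# Log dropped packets so "is RPC really reachable from outside?" is
# answered from the log rather than from argument. Size is in KB.
netsh firewall set logging filelocation="$env:SystemRoot\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

# Review the effective settings.
netsh firewall show config
```

The same switches are what a domain GPO sets: in Group Policy they sit under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, and a policy-defined exception list is not editable by the local user, which is the "deploy and control" point made above. The alternative raised at the top of the thread, disabling DCOM outright, is a separate registry change (the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole set to "N") and breaks anything that depends on DCOM, so it does not replace the firewall settings shown here.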