Full Disclosure mailing list archives
RE: Microsoft plans tighter security measures in Windows XP SP2
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 31 Oct 2003 10:35:22 -0600
-----Original Message-----
From: yossarian [mailto:yossarian () planet nl]
Sent: Friday, October 31, 2003 8:15 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft plans tighter security measures in Windows XP SP2

The introduction of an ACL on DCOM: well, why not just disable DCOM? Most users don't need it, it does not solve problems that could not be solved in another way.
File and printer sharing is not needed? Remote administration is not needed? Maybe not in home use, but in corporate?
Many admins have no time to use remote management and/or registry features and just put a ghost disk in a faulty machine - quick and effective. IMHO most admins would not know what to do with the features anyway, since the insight in what the machine is doing, and what might be wrong, is completely lacking.
We have *students* using RA to get users' machines back up and running. If admins can't do that, they shouldn't be admins. I seriously doubt admins would do this sort of work anyway. This is basic tech support stuff. Admins do remote connections to *servers*, not workstations (except for personal stuff).
Usually they can't be bothered, anyway. As far as I can see, this feature will make systems more vulnerable (i.e. the ones using ICF) since RPC will be open unless it is closed on ICF protected boxes.
This makes no sense. RPC is *already* open. If ICF leaves it open, nothing has changed WRT RPC. A great deal has changed WRT other things, however. How do systems become more vulnerable by doing this?
The application white list is an extension for ICF that has the same problem, who knows what apps are valid, who is to manage the list of 'known to be good' etc.
This is the same thing Zone Alarm does. I don't see too many average users struggling with the concept, do you? Internet Explorer wants to access the Internet. Do you want to allow this? Yes! An unknown application, "mytroj.exe", wants to access the Internet. Do you want to allow this? Huh? NO!
Usually admins consider the Firewall a thing that just is, and often it is managed by a specialized admin. Now every NT-admin will have to know the working of an application firewall, and generally, of all the installed software.
In AD you simply set the group policies and you're done. This is a *good* thing, which will reduce work for admins and make the enterprise more secure. For personal users, they will have a box that is truly a client and cannot be a server without their specific authorization. That is a good thing as well. How many *nix distributions have the firewall enabled by default? Not many that I know of. You usually have to enable it during the install, and then you have to decide on a configuration for it. Granted, RedHat (for example) makes that pretty easy, but you still have to agree to it. Instead of griping about this, you should be thankful that MS is finally starting to get a clue and moving in the right direction.
This will raise the TCO, and if companies do not employ more and more skilled support staff, the feature will just be in the way, and ICF probably disabled.
This will allow us, for the first time, to "deploy" personal firewalls to all our Windows desktops. I think that's a good thing, don't you? We looked at several but couldn't afford them. This allows us to deploy *and* control desktop firewalls which will provide another layer of protection for us at no additional cost other than the time spent writing the group policy, which I'm pretty sure the admins we have can do in a few minutes.
My 0.02 cents: nice try, but next time go for less is more - less features is more security, this is just another featuritis.
I obviously totally disagree.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html