Full Disclosure mailing list archives

Re: Microsoft plans tighter security measures in Windows XP SP2


From: yossarian <yossarian () planet nl>
Date: Fri, 31 Oct 2003 19:12:32 +0100

-----Original Message-----
From: yossarian [mailto:yossarian () planet nl]
Sent: Friday, October 31, 2003 8:15 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft plans tighter security measures in Windows XP SP2

The introduction of an ACL on DCOM: well, why not just
disable DCOM? Most users don't need it, it does not solve
problems that could not be solved in another way.

File and printer sharing is not needed?  Remote administration is not
needed?  Maybe not in home use, but in corporate?

No, sorry Paul. Printers have their own IP address; file and printer sharing
was introduced for small networks. But since the mid nineties a network
interface became standard in laser printers, so printer sharing became a real
non-issue. File sharing: not for workstations, unless you make backups of every
workstation. Not suitable for corporations: user data is corporate property,
needs a backup, so MUST be on a server. It is impossible to secure a network
where file and print sharing is common (where is the sensitive info to
secure?) - my personal BOFH way is to disable the server service on every
workstation. And the browser service as well.

Remote administration may be needed, I just said it is rarely used, for
various reasons, the foremost being that the support staff don't know sh**t
about the inner workings of windows, MCP or not.

Many admins
have no time to use remote management and/or registry
features and just put a Ghost disk in a faulty machine -
quick and effective. IMHO most admins would not know what to
do with the features anyway, since the insight into what the
machine is doing, and what might be wrong, is completely
lacking.

We have *students* using RA to get users' machine back up and running.
If admins can't do that, they shouldn't be admins.  I seriously doubt
admins would do this sort of work anyway.  This is basic tech support
stuff.  Admins do remote connections to *servers*, not workstations
(except for personal stuff).

What your students are doing is your problem, and I agree, admins don't do
this kind of work. But technical support in corporates is not done by
students, but by admins. And since it is all about TCO, putting back the
standard image is the policy of choice.

BTW, how do you use RA to get a machine up and running? If it is down, so is
RA....

Usually they can't be bothered, anyway. As far as I
can see, this feature will make systems more vulnerable (i.e.
the ones using ICF) since RPC will be open unless it is
closed on ICF protected boxes.

This makes no sense.  RPC is *already* open.  If ICF leaves it open,
nothing has changed WRT RPC.  A great deal has changed WRT other things,
however.  How do systems become more vulnerable by doing this?

Better you read the MS paper first, RPC is closed by ICF.

The application white list is an extension for ICF that has
the same problem, who knows what apps are valid, who is to
manage the list of 'known to be good' etc.

This is the same thing Zone Alarm does.  I don't see too many average
users struggling with the concept, do you?  Internet Explorer wants to
access the Internet.  Do you want to allow this?  Yes!  An unknown
application, "mytroj.exe", wants to access the Internet.  Do you want to
allow this?  Huh?  NO!

Ask your tech staff: what is this DNS service wanting to connect, or any
weird ADS related service? Anyway, ZoneAlarm is more common in small,
unprotected networks; I have yet to see it in a corporate network.

Usually admins
consider the Firewall a thing that just is, and often it is
managed by a specialized admin. Now every NT-admin will have
to know the working of an application firewall, and
generally, of all the installed software.

In AD you simply set the group policies and you're done.  This is a
*good* thing, which will reduce work for admins and make the enterprise
more secure.  For personal users, they will have a box that is truly a
client and cannot be a server without their specific authorization.
That is a good thing as well.  How many *nix distributions have the
firewall enabled by default?  Not many that I know of.  You usually have
to enable it during the install, and then you have to decide on a
configuration for it.  Granted, RedHat (for example) makes that pretty
easy, but you still have to agree to it.

Like I said before, disabling the server and browser service is a lot easier.
Less is more; better not to need an application firewall at all.

Instead of griping about this, you should be thankful that MS is finally
starting to get a clue and moving in the right direction.

I have been supporting MS software since 1989. I am not saying that they are
not moving in the right direction when they start caring about security, but
they make the mistake nearly all programmers make: more features. And unlike
what has been said in this thread, users do not ask for more features,
unless it is a screensaver or a PDA connection. As an admin I use the Reagan
Rule: I Just Say No.

This will raise the
TCO, and if companies do not employ more and more skilled
support staff, the feature will just be in the way, and ICF
probably disabled.

This will allow us, for the first time, to "deploy" personal firewalls
to all our Windows desktops.  I think that's a good thing, don't you?
We looked at several but couldn't afford them.  This allows us to deploy
*and* control desktop firewalls which will provide another layer of
protection for us at no additional cost other than the time spent
writing the group policy, which I'm pretty sure the admins we have can
do in a few minutes.

I do not see the need for personal firewalls on workstations, but alas with
n-tier models the concept of workstations is fading. It is the price of Fat
Client technology, which is rarely valid from a TCO point of view. Or from a
security point of view.

My 0.02 cents: nice try, but next time go for less is more -
fewer features is more security; this is just another featuritis.

I obviously totally disagree.

So what's new? Obviously you have plenty of time to have your say in any
discussion on this list, and the best way to do that is to disagree.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
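The "disable the server service on every workstation, and the browser service as well" hardening step from the reply above, as an added example that is not part of the original thread or of either poster's setup. It assumes a current Windows client with PowerShell 5 or later (the thread discusses XP-era systems, on which these cmdlets did not exist), an elevated session, and a hypothetical -Apply switch of my own; without -Apply the script only reports the current state.

```powershell
# Added example, not from the mailing-list thread: audit and optionally
# disable the Server (LanmanServer) and Computer Browser (Browser) services
# on a workstation, then show what is still listening on the SMB port.
# Run from an elevated PowerShell session.

param(
    [switch]$Apply   # hypothetical switch: without it, report only
)

# The two services the reply proposes to turn off on workstations.
$services = @('LanmanServer', 'Browser')

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Recent Windows 10/11 builds no longer ship the Computer Browser service.
        Write-Output "$name : not present on this system"
        continue
    }

    # Startup type is not on the ServiceController object; read it from WMI/CIM.
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
    Write-Output ("{0,-14} status={1,-8} startmode={2}" -f $name, $svc.Status, $startMode)

    if ($Apply) {
        # Stopping LanmanServer also removes the administrative shares
        # (C$, ADMIN$) and any user shares; anything that depends on them
        # stops working, so confirm that before applying on a managed fleet.
        Stop-Service -Name $name -Force -ErrorAction Stop
        Set-Service -Name $name -StartupType Disabled
        Write-Output "$name : stopped and startup type set to Disabled"
    }
}

# Port 445 is bound by the kernel SMB driver, so it can still show as
# listening with LanmanServer stopped; the effect of disabling the service
# is that no shares are served, not that the port disappears.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State
```

Running it without -Apply gives an inventory you can compare across machines before changing anything. The trade-off it exposes is the one the two posters argue about: with the Server service disabled, remote administration that rides on SMB (admin shares, some backup and inventory agents) no longer works, and on a domain you would normally set the service startup type through Group Policy rather than by logging on to each workstation.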

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
