Anyone familiar with "DISA Gold Disk"????


churchie

Created machine to Gold Level and can't join domain...anyone know registry
adjustments to change??
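The question above (which setting in a Gold Disk baseline breaks the domain join) is usually answered by diffing the machine's configuration before and after the template is applied, rather than by guessing at registry keys. The PowerShell script below is an added example, not code from the thread or from DISA: it exports the effective local security policy with `secedit /export` and flattens a handful of registry areas to text, once on the clean build and once after hardening, then reports the lines that changed. The output directory and the list of registry areas are this example's own assumptions (Netlogon, LSA and LanMan parameters are where hardening templates typically write authentication and SMB settings), not anything the posts state.

```powershell
# Added example (not from the thread or from DISA): snapshot the local security
# policy and selected registry areas before and after applying a hardening
# template, then diff the two snapshots to see which settings the template changed.
# $OutDir and $RegAreas are assumptions made for this example.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('before', 'after', 'diff')]
    [string] $Phase,
    [string] $OutDir = "$env:ProgramData\hardening-snapshots"
)

# Registry areas most hardening templates touch for authentication and SMB
# behaviour (assumed list; extend it to match the template you are applying).
$RegAreas = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
)

function Export-Snapshot([string] $Label) {
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

    # secedit writes the effective local security policy (account, audit,
    # user-rights and security-option settings) to an INF file.
    secedit /export /cfg "$OutDir\policy-$Label.inf" | Out-Null

    # Flatten every value under the chosen areas to "key\name=value" lines so
    # that a plain line-by-line comparison is meaningful.
    $keys = foreach ($area in $RegAreas) {
        Get-Item      -Path $area -ErrorAction SilentlyContinue
        Get-ChildItem -Path $area -Recurse -ErrorAction SilentlyContinue
    }
    $lines = foreach ($k in $keys) {
        foreach ($n in $k.GetValueNames()) {
            '{0}\{1}={2}' -f $k.Name, $n, ($k.GetValue($n) -join ',')
        }
    }
    $lines | Sort-Object -Unique | Set-Content -Path "$OutDir\registry-$Label.txt"
}

function Compare-Snapshots {
    foreach ($kind in 'policy', 'registry') {
        $ext    = if ($kind -eq 'policy') { 'inf' } else { 'txt' }
        $before = Get-Content -Path "$OutDir\$kind-before.$ext"
        $after  = Get-Content -Path "$OutDir\$kind-after.$ext"

        # SideIndicator '=>' marks a line present only after hardening,
        # '<=' a line present only before it.
        Compare-Object -ReferenceObject $before -DifferenceObject $after |
            ForEach-Object { '{0} [{1}] {2}' -f $kind, $_.SideIndicator, $_.InputObject }
    }
}

switch ($Phase) {
    'before' { Export-Snapshot -Label 'before' }
    'after'  { Export-Snapshot -Label 'after' }
    'diff'   { Compare-Snapshots }
}
```

Run it as an administrator with `-Phase before` on the freshly built machine, apply the Gold Disk template, run `-Phase after`, and then `-Phase diff`. The changed lines are the candidate settings; on a test machine, revert them one at a time and retry the join to isolate the one responsible, then record the deviation against the baseline rather than silently leaving the setting weakened.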
 
A public News Group is the *last* place to ask a question like this one!!

You should read the documents located on both DISA and NIST web servers from a .GOV or .MIL
address.

http://csrc.nist.gov/pcig/

http://iase.disa.mil/

Dave



 
I can tell you that our hardening guides for Windows 2003 and Windows XP are
approved by the NSA and are in fact the recommended option over the DISA
guidance.

I'd try those first. The hair-pulling you save will be your own....

Threats and Countermeasures Guide:
http://www.microsoft.com/downloads/...93-147a-4481-9346-f93a4081eea8&DisplayLang=en

XP Security Guide:

http://www.microsoft.com/downloads/...bc-f434-4cc6-a5a7-09a8a229f118&DisplayLang=en

2003 Security Guide:

http://www.microsoft.com/downloads/...c1-0685-4d89-b655-521ea6c7b4db&DisplayLang=en
 
Yeah right!

I'd rather trust the folks at Mitre than Microsoft.

If Microsoft can "harden" the OS so well then why does the DoD CERT have to put out so many
IAVAs!
http://www.cert.mil
ftp://ftp.cert.mil/pub/bulletins/iava/iava_index.htm
{ that's right, you can't read this stuff can you :-) }

Dave




 
Apparently you are misinformed.

I'd trust the NSA over MITRE *anyday* when it comes to infrastructure
protection recommendations.

Get over the ABM mentality, and start applying some practical knowledge
here. It will go a long way....
 
Oh, almost forgot, IAVAs are about product vulns related to patching, right?

System hardening is about reducing attack surface because of
MISCONFIGURATION (which is FAR more problematic than most people realize).
 
Obviously I am taking pokes at Microsoft.

IAVAs are indeed related to patching vulnerabilities. Microsoft software has *far too
many.* Microsoft has a disproportionate amount as compared to other OSs or software. Even
when Microsoft patches it isn't good enough because the patches need to be patched and
sometimes that patch needs to be patched.

Cases in point:
RPC/DCOM Buffer Overflow (patched 3 times in the past year)
JPEG/GDI+, after MS released a patch, it wasn't good enough and a few weeks later, new
patches were released.

And hardening is related to mitigating risks.

Sure I'd trust NSA docs. But who do you think is the contractor who wrote the NSA docs -
Mitre.

Dave
BTW:
MCSE -- Microsoft Can't Secure Enough



 
Uh, no.

Microsoft wrote the hardening guides they recommend. I am on that team, so
I know a little about them. I sit 2 doors down from one of the authors who
knows a good deal more about this than I do.

In relation to your comments about number of vulns, I think you need some
statistics refresher courses.

I could take this opportunity to hijack this thread and have a long-winded
discussion about number of vulns vs install config vs product/OS, but I'll
save that for another discussion. I will say you can use even Secunia's
numbers and quickly see that Windows vs RHEL shows we have FAR fewer vulns
than they do.

Does Microsoft have vulnerabilities? Yeah, we employ humans, and humans are
by no means perfect. Do we have more/less than other companies? That
really isn't the question to be asking. The question to ask is, do you have
sufficient process and technology to minimize the time between a patch being
released and you actually adopting it? If you don't, it doesn't matter
whether you run Windows 2003 or program on Commodore VIC-20s, you'll have
more problems than you would have if you managed that better.
 
Yes Steve. Microsoft is "on the team". Thank G-d, not the team leader ;-)

Microsoft's internal knowledge is valuable feedback to those who actually write the
standards.

I can put it this way. If I were to compare the number of vulnerabilities I have received
via CIAC and various CERTs over the past 12 months, I have received maybe one or two Novell
and too numerous to count Microsoft vulnerabilities.

I understand your responses. You work for Microsoft, they pay your bills, put your kids
through school, etc.
But hey, what do I know. I don't work for Microsoft nor am I an employee of the US Government.
I'm just Dave on Verizon ;-)

Dave



 
Yeah, and before MS I was a CCIE and tasked with knowing networks inside and
out. I also spent years as an Officer of Marines and as an employee in a
certain government agency that has made headlines the last couple of years.
Like many here, my experience transcends my tenure at Microsoft.

Don't confuse employee with inductee.

As far as standards go, nobody is the "leader" per se: many initiate, but
conformance is by consent, not ipso facto.

I don't have any stats on Novell (they aren't widely adopted enough to be
tracked with any degree of statistical significance more than likely) but
typically we get posed head to head with UNIX, LINUX, and the like. We do
quite nicely compared to them.

Whether you have one vuln, or one million, it's the one you don't patch that
will likely get you pwn3d. That's why I place more value in patch
management and flaw remediation than others.
 