Microsoft Windows Vista Community Forums - Vistaheads

Securing / Hardening Windows Vista Business

microsoft.public.windows.vista.security






  #1 (permalink)  
Old 06-22-2007
jose.cso@gmail.com
 

Posts: n/a
Securing / Hardening Windows Vista Business
Wondering if anyone has any documentation or point me in the right
direction (URLs) in order to gather some insight on securing/hardening
a Windows Vista Business workstation.

Any help into this matter would be appreciated.

José Carlos

  #2 (permalink)  
Old 06-22-2007
Jesper
 

Posts: n/a
RE: Securing / Hardening Windows Vista Business
Not sure what specific threats you are trying to mitigate, but the Windows
Vista Security Guide is fairly general, although quite too intrusive:
http://www.microsoft.com/downloads/d...displaylang=en

There are books starting to appear too, such as the most excellent "Windows
Vista Security". :-)
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"jose.cso@gmail.com" wrote:

> Wondering if anyone has any documentation or point me in the right
> direction (URLs) in order to gather some insight on securing/hardening
> a Windows Vista Business workstation.
>
> Any help into this matter would be appreciated.
>
> José Carlos
>
>

  #3 (permalink)  
Old 06-23-2007
DArnold
 

Posts: n/a
Re: Securing / Hardening Windows Vista Business
jose.cso@gmail.com wrote:
> Wondering if anyone has any documentation or point me in the right
> direction (URLs) in order to gather some insight on securing/hardening
> a Windows Vista Business workstation.
>
> Any help into this matter would be appreciated.


Vista is just another NT based O/S like Win 2K and XP. I know most of
the things in the link can be applied to Vista either directly or
indirectly knowing the basics of the NT based O/S(s).

http://labmice.techtarget.com/articl...ychecklist.htm
  #4 (permalink)  
Old 06-23-2007
Jesper
 

Posts: n/a
Re: Securing / Hardening Windows Vista Business
Some of that stuff is good, notably most of the stuff in the first section.
Although, on a physically secure stand-alone machine, having no password is
often more secure than having one.

Renaming the admin account is meaningless. Leaving it with the default name
makes it no easier at all to break into an insecure system, but it can break
apps if you rename it.

Replacing Everyone with Authenticated Users not only has absolutely no
impact on Security, it also will almost certainly break your system and
render it unsupported and unsupportable (see KB 885409
http://support.microsoft.com/kb/885409). Everyone and Users include the Guest
account, since INTERACTIVE is a member of Users. Authenticated Users do not
include guests, but as the Guest account is disabled by default, and the
vast majority of systems have no members of Guests, there is no functional
difference between Everyone and Authenticated Users on the vast majority of
systems, and hence no reason to make that change.

Preventing the last logged in user name from being displayed provides
security if your username is the primary secret stopping bad guys. Take a
moment and look at your business card. I bet it shows your username, with an
@-sign right after it. And, if you take your first initial and last name,
there are most usernames. In other words, hiding the last logged on username
doesn't help.

Disabling remote desktop breaks remote assistance and is generally
inadvisable unless you have no options other than to have extremely weak
passwords.

The firewall should be on if you have a network connection. Period.
Regardless of whether it is permanent or not.

Encrypting the local offline files cache in XP is totally meaningless. In
Vista it is not.

Encrypting the %temp% folder is not only not supported, it can't be done.

Clearing the pagefile at shutdown is a valid countermeasure if the attacker
you are worried about is the Chinese/North Korean/U.S./U.K./Russian/SomeOther
Intelligence agency. It is highly, no, make that entirely, unlikely that a
run-of-the-mill attacker that has stolen your machine is going to wade
through a 2 billion byte binary file with a hex editor on the off chance that
there (a) is anything interesting in there, (b) Windows or the other app that
put it there did not encrypt it, and (c) he actually manages to recognize it.
On the other hand, if you like shutdowns to take 15-30 minutes, then clearing
the pagefile at shutdown is a good way to ensure they do.

The auditing settings are not only broken in that there are no failed system
events (uh, dude, I tried to shutdown but failed because it took too long to
clear the pagefile); if you set the audit settings in this guide you will
generate somewhere around 1,000 events per _second_ on a default system. Go
ahead. Tell me when you find any interesting ones. It is somewhat comical
(tragicomical really) that this checklist has absolutely nothing about
actually _looking_ at your logs. Generate thousands of events, but have no
log management system in place. That doesn't sound like it makes anyone any
more secure.

Disabling the default shares is totally, utterly, completely, entirely
meaningless. An attacker that has an admin account already can turn them back
on in half a second. An attacker that doesn't have an admin account can't use
them anyway. Why take the app compat hit from turning them off to get
absolutely no gain, not to mention that if you took the advice above and
turned on the firewall, they are impervious anyway. Defense in Depth is a
reasoned strategy by which you protect a system against meaningful and
realistic threats on multiple levels. It is not a phrase to justify dangerous
tweaks that you can't justify any other way.

The part about disabling boot from floppy or CDROM just made me laugh. The
author first of all has missed the crucial point that if the bad guy has
physical access to your system, it ain't your system any longer. Second, he
(she?) does not understand what the "restrict floppy access..." security
settings do. If you (a) enable those settings, AND (b) there is a floppy/CD
in the drive, AND (c) you have manually created a share for that drive (there
is none by default), AND (d) the share permits the attacker to map it, AND
(e) there is someone currently logged on locally, THEN, and only then can
remote users not use the shares across the network. As soon as you log off,
the shares are remotely accessible again.

Please do yourselves a favor: don't implement security guides from third
parties, at least not without a complete understanding of the impact of the
changes they recommend. The vast majority of third party security guides will
render your system unstable in one or more respects. I have seen some that
will prevent users from logging on, and one that caused the system to
self-destruct if it was turned off for seven days. There is plenty of
trustworthy documentation from Microsoft. Use that. And, before you do,
analyze who you are trying to protect yourself from.

If your objective is to secure your home computer, turn on the firewall,
install an anti-malware program, create a separate account to administer your
system, make sure your day-to-day account is a non-admin, and enable Windows
Update to auto-install patches. You're done.

If the enemy is some foreign intelligence service, hire folks that are true
experts in system hardening and don't trust random documents on the web,
written by people who do not have an obvious interest in your system being
secure, nor an obvious skillset to bring to bear on a risk management
problem, not to mention absolutely no idea what risks you are facing and the
threats that are meaningful to you. If there were a "one-size-fits-all"
security configuration, don't you think Microsoft would have shipped the
system that way in the first place?

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"DArnold" wrote:

> jose.cso@gmail.com wrote:
> > Wondering if anyone has any documentation or point me in the right
> > direction (URLs) in order to gather some insight on securing/hardening
> > a Windows Vista Business workstation.
> >
> > Any help into this matter would be appreciated.

>
> Vista is just another NT based O/S like Win 2K and XP. I know most of
> the things in the link can be applied to Vista either directly or
> indirectly knowing the basics of the NT based O/S(s).
>
> http://labmice.techtarget.com/articl...ychecklist.htm
>
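
Added example, not part of any post in this thread: a small reviewer for a `secedit /export` policy file that reports which of the checklist tweaks discussed in post #4 are enabled, with the impact that post describes. The sample export is constructed, and the choice of "noisy" audit categories is an assumption of this example.

```python
import configparser

# Constructed sample of `secedit /export /cfg policy.inf` output (the real file
# is UTF-16; decode it first). Values are invented for this example.
SAMPLE_INF = r'''
[System Access]
NewAdministratorName = "sysop"
[Event Audit]
AuditSystemEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditProcessTracking = 1
AuditPolicyChange = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
'''

# Registry value name -> what post #4 says about enabling it.
REG_TWEAKS = {
    "clearpagefileatshutdown": "pagefile cleared at shutdown; shutdowns can take 15-30 minutes",
    "dontdisplaylastusername": "last user name hidden; usernames are easy to guess anyway",
    "allocatefloppies": "floppy restriction; only affects shares while a user is logged on locally",
}
# Assumption of this example (not from the thread): these audit categories are
# the ones that flood the log when success auditing (bit 1) is enabled.
NOISY_AUDIT = {"auditobjectaccess", "auditprivilegeuse", "auditprocesstracking"}

def review_policy(inf_text):
    """Return (id, note) pairs for checklist tweaks present in the export."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(inf_text)  # option names are lower-cased by configparser
    section = lambda name: cp[name] if cp.has_section(name) else {}
    findings = []
    admin = section("System Access").get("newadministratorname", "Administrator")
    if admin.strip('"').lower() != "administrator":
        findings.append(("admin-renamed", "built-in admin renamed; no gain, can break apps"))
    noisy = sorted(k for k, v in section("Event Audit").items()
                   if k in NOISY_AUDIT and v.strip().isdigit() and int(v) & 1)
    if noisy:
        findings.append(("audit-volume", "high-volume success auditing: " + ", ".join(noisy)))
    for key, value in section("Registry Values").items():
        name = key.rsplit("\\", 1)[-1]                      # last path component
        data = value.split(",", 1)[-1].strip().strip('"')   # "type,data" -> data
        if name in REG_TWEAKS and data == "1":
            findings.append((name, REG_TWEAKS[name]))
    return findings

if __name__ == "__main__":
    for ident, note in review_policy(SAMPLE_INF):
        print(f"{ident}: {note}")
```
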

  #5 (permalink)  
Old 06-23-2007
Mr. Arnold
 

Posts: n/a
Re: Securing / Hardening Windows Vista Business
I don't know why you have written War and Peace about this.

It's a good article if someone understands the security aspects of the NT
based O/S and in general an understanding on the NT based O/S, which I do
have that understanding.

I have been in the IT field since 1971 and have worn many hats, from tech
support, Operations Manager, network admin, to .Net Programmer, many hats.

I started on the MS platform in 1994, and I am still going strong.

Not to be out of line here, but I don't think there is too much you can tell
me about the NT based O/S.

I appreciate your comments, but they were way too long. I lost interest
after the first paragraph, sorry.

  #6 (permalink)  
Old 06-23-2007
Jesper
 

Posts: n/a
Re: Securing / Hardening Windows Vista Business
I've written war and peace about this because almost every time I've seen
someone use advice like this they have ended up destroying thousands of
systems.

And, I am sorry you've lost interest in learning.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Mr. Arnold" wrote:

> I don't know why you have written War and Peace about this.
>
> It's a good article if someone understands the security aspects of the NT
> based O/S and in general an understanding on the NT based O/S, which I do
> have that understanding.
>
> I have been in the IT field since 1971 and have worn many hats, from tech
> support, Operations Manager, network admin, to .Net Programmer, many hats.
>
> I started on the MS platform in 1994, and I am still going strong.
>
> Not to be out of line here, but I don't think there is too much you can tell
> me about the NT based O/S.
>
> I appreciate your comments, but they were way too long. I lost interest
> after the first paragraph, sorry.
>
>

  #7 (permalink)  
Old 06-23-2007
Mr. Arnold
 

Posts: n/a
Re: Securing / Hardening Windows Vista Business

"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:A3CD1C31-FB04-4643-83DB-B851D01FC0A0@microsoft.com...
> I've written war and peace about this because almost every time I've seen
> someone use advice like this they have ended up destroying thousands of
> systems.
>
> And, I am sorry you've lost interest in learning.


I learned everything I needed to know from the best at
comp.security.firewalls where I have frequented and have given advice, since
2001.

Like I have told you, I am no fool and have done this for many years. There
is nothing in that link, if someone knows what he or she is doing with the
NT based O/S, that's going to lead to someone destroying the O/S. It's
totally ridiculous that you have even brought it up.

And right now, I am going through the MCTS 70-528 Training Kit book for the
exam, with two more books to go through for the MCPD. I hold two MCP(s) in
MS technologies since year 2000.

So, you see I never stop learning. Why do you think I am still around at the
age that I am at, being in the industry since 1971 and outgunning the
young guns in the profession, if I am not always on the leading edge of
learning new technology.

It's just that you are talking about stuff I already know, which is of no
interest to me, because of that reason.

Sorry, but that's just the way it is.

  #8 (permalink)  
Old 06-23-2007
Magnus
 

Posts: n/a
Re: Securing / Hardening Windows Vista Business
I don't know if you checked the link that Jesper posted earlier. But there is
a resemblance between Jesper's name and the author of the book called
"Windows Vista Security: Securing Vista Against Malicious Attacks". If Jesper
gives a tip about security, usually people listen.

"Mr. Arnold" wrote:

>
> "Jesper" <Jesper@discussions.microsoft.com> wrote in message
> news:A3CD1C31-FB04-4643-83DB-B851D01FC0A0@microsoft.com...
> > I've written war and peace about this because almost every time I've seen
> > someone use advice like this they have ended up destroying thousands of
> > systems.
> >
> > And, I am sorry you've lost interest in learning.

>
> I learned everything I needed to know from the best at
> comp.security.firewalls where I have frequented and have given advice, since
> 2001.
>
> Like I have told you, I am no fool and have done this for many years. There
> is nothing in that link, if someone knows what he or she is doing with the
> NT based O/S, that's going to lead to someone destroying the O/S. It's
> totally ridiculous that you have even brought it up.
>
> And right now, I am going through the MCTS 70-528 Training Kit book for the
> exam, with two more books to go through for the MCPD. I hold two MCP(s) in
> MS technologies since year 2000.
>
> So, you see I never stop learning. Why do you think I am still around at the
> age that I am at, being in the industry since 1971 and outgunning the
> young guns in the profession, if I am not always on the leading edge of
> learning new technology.
>
> It's just that you are talking about stuff I already know, which is of no
> interest to me, because of that reason.
>
> Sorry, but that's just the way it is.
>
>

  #9 (permalink)  
Old 06-24-2007
Mr. Arnold
 

Posts: n/a
Re: Securing / Hardening Windows Vista Business

"Magnus" <Magnus@discussions.microsoft.com> wrote in message
news:ED5B60BA-D6BA-4526-BD48-6769FC41E069@microsoft.com...
> I don't know if you checked the link that Jesper posted earlier. But there is
> a resemblance between Jesper's name and the author of the book called
> "Windows Vista Security: Securing Vista Against Malicious Attacks". If Jesper
> gives a tip about security, usually people listen.


And I am telling you I don't need it. I can't make it any clearer than that.
I don't need it.

You tell him to put out a book about how to secure the Win 2k3 server O/S,
including the registry, file system, user accounts, Web applications and
IIS7 to face the Internet, then he might get my attention.

But when it comes to the Windows NT based O/S for the workstations,
including Vista, I don't need any help --- sorry. And I am offended that he
made the post.

Now, I got nothing against the guy, and for the clueless, what he has to
offer may help them in some way, but there is nothing he can do for me or
tell me --- sorry.

  #10 (permalink)  
Old 07-03-2007
Glenn Fincher [MSFT]
 

Posts: n/a
Re: Securing / Hardening Windows Vista Business
"Mr. Arnold" <MR. Arnold@Arnold.com> wrote in message
news:%23VbSV0etHHA.4572@TK2MSFTNGP02.phx.gbl...
>
> "Magnus" <Magnus@discussions.microsoft.com> wrote in message
> news:ED5B60BA-D6BA-4526-BD48-6769FC41E069@microsoft.com...
>> I don't know if you checked the link that Jesper posted earlier. But there is
>> a resemblance between Jesper's name and the author of the book called
>> "Windows Vista Security: Securing Vista Against Malicious Attacks". If Jesper
>> gives a tip about security, usually people listen.

>
> And I am telling you I don't need it. I can't make it any clearer than
> that. I don't need it.
>


Mr. Arnold,

When Dr. Jesper Johansson gives a Windows security post, it might be worth
your while to sit back and listen, instead of attempting to tout your own
deep knowledge. Until August 2006, Jesper was a Senior Security Strategist
in the Security Technology Unit at Microsoft. He now serves a similar role
as Principal Security Program Manager at a little internet company known as
Amazon.com. His PhD in MIS likely trumps your "two MCP's since 2001".
Others in this newsgroup have probably had the pleasure to hear Jesper speak
at many Microsoft TechEd's as well as other similar events for the many
years he was at Microsoft, and his depth of knowledge in computer security
and Windows security specifically is legendary.

So, please, sir, show a little respect.

Thank you,

Glenn Fincher - v-glennf AT microsoft.com
