Windows tweaking (RSS)

Windows tweaking

Security should also mean "easily securable"

If the implementation of security has one major flaw, it is that it is difficult to install and configure.
Alas, Windows can be made VERY secure, but there are so many knobs to turn
that it is almost easier to learn voodoo or black magic.
Therefore most people don't bother, leaving Windows in its default shipping configuration.
Alright, some install antivirus and personal firewalls.
What does securable mean? One just needs to look at how many castles were built in the Middle Ages.
The castle was built on a rock or hill, so the attackers had to put in a maximum effort just to get close.
If they wanted to enter through the main gate, they had to cross a narrow bridge, where they could easily be intercepted.
The defenders only needed to close the main entrance, perhaps lift the bridge, and they were safe for a while.

Secure by design, secure by default, secure by deployment and even a fourth: secure by defendability.
So an OS needs to be easily defendable, not only by applying all the clever criteria above, but also by being built so that it is easy to defend.

The evil of wrong Windows base configurations

After reading one of the few good articles on The Register, http://www.theregister.co.uk/2004/09/02/winxpsp2_security_review/,
I have to wholeheartedly agree with it, since I like to fiddle with the local policy settings on all the machines I run. It's one of the
most underused and least understood technologies in the Windows world.

Basically, it allows the following:

setting account/password options (password strength, account lockout)
disabling legacy components (like LAN Manager authentication: LM and NTLM, used by Windows 9x)
controlling hardware access
IPsec filters
auditing
disabling configuration of networking, IE, scheduling and other things
disabling the command prompt and disallowing lists of executables
disallowing installation of programs
setting ACLs
locking down WMI
hardening TCP/IP
and more

I use the Windows Security Scoring Tool from http://www.cisecurity.org to build secure baselines for standalone and networked PCs, and sometimes even servers. I've read somewhere that even Dell ships some workstations with
such a baseline switched on. The CIS tool contains excellent templates which are recommended by organizations like NIST, NSA, DISA, SANS and CIS.


Why Windows update/Automatic Windows Update suck (part 3)

After seeing the latest developments and improvements, I still have several issues with Automatic Windows Update and the Windows Update site.

1) Patch distribution is still not good enough.
   I think that critical patches should be BUNDLED with the latest versions of Windows Media Player, MSN Messenger, IE, or even third-party apps like WinZip and Adobe's.
2) Critical patches (for remotely exploitable or currently exploited flaws) are not prioritized in the automated download process, neither in sequence nor in download urgency with respect to other security patches.
3) Patches are not accompanied by scripts, group policies, .reg registry files, IPsec rules or configuration files which the user could install with a simple click, turning protective features such as the firewall and automatic updates on and features like RPC, file sharing or open ports off.

XP SP2 RC1 issues

After playing with XP SP2 RC1 for a while, I still have a few things which bother me.
I had a look at the group policies by typing gpedit.msc in the Run command.

I found the following issues:

RPC policies are still undefined, i.e. it still allows unauthenticated anonymous users to log in ... with the bad practices around, I doubt it will ever be switched on

Automatic updates are not enabled -> users will be able to switch them off too easily

Anyone can push the right buttons to get these sorted?


links:

http://microsoft.weblogsinc.com/entry/5967532431807386/
http://www.drweb.de/weblog/weblog/index.php?p=28
http://weblogs.asp.net/jeffdav/archive/2004/03/22/94080.aspx
http://graemef.com/blog/archive/2004/03/23/652.aspx
http://weblogs.asp.net/pmarcucci/archive/2004/01/14/58628.aspx
http://weblogs.asp.net/jambrose/archive/2004/04/11/XPSP2RC1Firewall.aspx
http://radio.weblogs.com/0126569/2004/03/21.html
http://blogs.msdn.com/tonyschr/archive/2004/03/21/93430.aspx
http://weblogs.asp.net/brianjo/archive/2004/02/24/79229.aspx
http://weblogs.asp.net/mhawley/archive/2004/03/23/94860.aspx
http://dotnetjunkies.com/WebLog/d0m1/archive/2004/02/05/6635.aspx
http://blogs.msdn.com/tims/archive/2004/03/08/85898.aspx
http://blogs.bartdesmet.net/bart/archive/2004/02/27.aspx
http://blogs.geekdojo.net/adam/archive/2004/02/24/1200.aspx
http://e-oddie.com/blog/professional/archive/2004/05/09/292.aspx
http://weblogs.asp.net/David_Gristwood/archive/2004/05/25/141419.aspx
http://weblogs.asp.net/alexbarn/archive/2004/05/29/144349.aspx
http://weblogs.asp.net/despos/archive/2004/05/31/144809.aspx

Automatic updates registry hack - get your loved ones to patch and autoupdate Windows

Automatic Updates

REGEDIT4

; Automatic Updates policy key (Windows 2000 SP3+ / XP SP1+, also honoured by SUS clients)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
; minutes to wait after startup before a missed scheduled installation is retried
"RescheduleWaitTime"=dword:00000003
; 0 = restart after install even with users logged on (they get a countdown); 1 = wait for log off
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
; 0 = Automatic Updates enabled; a value of 1 would switch it OFF and override everything below
"NoAutoUpdate"=dword:00000000
; 4 = download automatically and install on the schedule below (2 = notify only, 3 = download and notify)
"AUOptions"=dword:00000004
; 0 = every day (1..7 = Sunday..Saturday)
"ScheduledInstallDay"=dword:00000000
; 0xD = 13 = 1 PM local time
"ScheduledInstallTime"=dword:0000000D


Copy the Automatic Updates snippet above and save it as a .reg (Registry) file. Mail it to all your loved ones.

It will download and install patches automatically at 1 PM every day.

DISCLAIMER: This applies only to versions of Windows which have Automatic Updates installed, like W2K SP2 + SUS, W2K SP3+ and XP SP1+. I deny all responsibility, liability etc etc ...
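Added here as a worked check, not code from the original post: a small Python parser for REGEDIT4-style files that reads the Automatic Updates policy key and states what its values actually do, so that a slip such as NoAutoUpdate=1 (which disables updates no matter what AUOptions says) is caught before the file is mailed out. The sample .reg text is constructed; the value meanings follow Microsoft's documented AU policy settings.

```python
import re

# Constructed sample (not the page's own snippet), with NoAutoUpdate deliberately
# set to 1 to show the mistake the checker catches: that value disables updates.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:0000000D
"""
AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
AU_OPTIONS = {2: "notify before download", 3: "download, notify before install",
              4: "download and install on schedule", 5: "let the local admin choose"}
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]

def parse_reg(text):
    """Parse a REGEDIT4-style file into {key_path: {value_name: int}}; dword values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):          # skip blank lines and ; comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def check_au_policy(text):
    """Return (enabled, description) for what the AU policy in a .reg file really does."""
    au = parse_reg(text).get(AU_KEY)
    if au is None:
        return False, "no Automatic Updates policy key present"
    if au.get("NoAutoUpdate", 0) == 1:                # switches AU off whatever else is set
        return False, "Automatic Updates DISABLED by NoAutoUpdate=1 (overrides AUOptions)"
    opt = au.get("AUOptions")
    if opt not in AU_OPTIONS:
        return False, "AUOptions missing or unknown: %r" % (opt,)
    desc = AU_OPTIONS[opt]
    if opt == 4:                                      # only mode 4 uses the schedule values
        day, hour = au.get("ScheduledInstallDay", 0), au.get("ScheduledInstallTime", 3)
        if not (0 <= day < len(DAYS) and 0 <= hour <= 23):
            return False, "invalid schedule: day=%d hour=%d" % (day, hour)
        desc += ", %s at %02d:00" % (DAYS[day], hour)
    return True, desc
```

Run check_au_policy() over the text of a .reg file before sending it; with NoAutoUpdate corrected to 0 the same sample reports "download and install on schedule, every day at 13:00".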

some posts about automatic updates

http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/05/07/13102.aspx
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/05/11/13358.aspx


Why Windows patching sucks (part 1)

1) no easy way to detect missing patches
2) no API to detect missing patches
3) no web service with patching config info (well, hfnetchk has its XML file)
4) tools (like MBSA or URLScan) not bundled into popular downloads like IE, WMP, IM
5) no download manager to allow easy downloading

Other posts of mine about Windows configuration/patching

http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/05/07/13102.aspx
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/02/10/6974.aspx
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/02/09/6877.aspx

Vulnerability Alert: man or machine?

Just a consideration: 80% of system vulnerabilities are due to misconfigurations ... no blame on system admins then :)

about patching vulnerabilities

http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/05/07/13102.aspx
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/05/11/13358.aspx