[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3FA289B9.7070808@venom600.org>
From: lists at venom600.org (Ben Nelson)
Subject: Microsoft plans tighter security measures in
Windows XP SP2
yossarian wrote:
> Most of it appears to be tighten the defaults. Usefull, yes, but not very
> new..
New or not, it is one of the major gripes I always hear from Sys Admins
in reference to MS software. No doubt, it should have happened a long
time ago, but....as they say....better late than never.
> The application white list is an extension for ICF that has the same
> problem, who knows what apps are valid, who is to manage the list of 'known
> to be good' etc. Usually admins consider the Firewall a thing that just is,
> and often it is managed by a specialized admin. Now every NT-admin will have
> to know the working of an application firewall, and generally, of all the
> installed software. This will raise the TCO, and if companies do not employ
> more and more skilled support staff, the feature will just be in the way,
> and ICF probably disabled.
The application firewall sounds like a good idea. Of course, it may
take a few iterations and some bug fixes to get it right and make it
easy to administer, but you've got to start somewhere and this also
seems to me like a step in the right direction. The ultimate fix would
be to promote better (and more secure code), but since this will also
protect 3rd party applications that MS has no control over it'll
definitely help. A little 'defense in depth' (hardly) ever hurts.
> My 0.02 cents: nice try, but next time go for less is more - less features
> is more security, this is just another featuritis.
I agree that 'less features is more security', but lets face
it....people (by people, I mean the general public) want features and MS
is in the business of making money. More features == more money for
them. I don't begrudge them this (I work for a software company
myself), so taking steps to make the additional features more secure (if
even by using sane defaults) is a good thing.
I have traditionally been an anti-MS bigot. However, I am always happy
to see vendors making an effort (however small it may seem) to improve
the security of the environment that they provide. I don't even own a
Windows machine, but if these 'enhancements' help mitigate the spread of
things like Blaster and SoBig.F, then I don't have to spend my time
going through a zillion IDS alerts and wasting CPU cycles on my
Unix-based MTA filtering out crap emails.
Powered by blists - more mailing lists