Message-ID: <190DFDD2F99A65469B4B15D3658C0D2BC5AC0D@ptc6.ponderosatel.com>
From: daniels at Ponderosatel.com (Daniel Sichel)
Subject: Windows is EASY and SECURE

  
I thought you might find the following, gleaned from a Microsoft web
site white paper about "Myths of Security" amusing... But before you
laugh too hard, remember the Dilbert bosses are all reading and
believing this stuff.

Myth 4: Tweaks Are Necessary
<snip>

Even on highly exposed systems, most of the tweaks are not necessary. In
eWeek's Open Hack IV competition in 2002 (see
http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp), we
built what was probably the most protected network we have ever built.
In all, we made only four registry tweaks, a couple of ACL changes, and
set a password policy. The rest of the protection for those systems was
based on proper network segmentation, a solid understanding of the
threats, turning off unneeded services, hardening Web apps (see Writing
Secure Code, 2nd edition, by Howard and LeBlanc [Redmond, WA: Microsoft
Press, 2003]), and properly protecting Web servers and the computer
running SQL Server. Of course, this was a specialized system with very
limited functionality, but it still shows that less is often more.

Proper understanding of the threats and realistic mitigation of those
threats through a solid network architecture is much more important than
most of the security tweaks we turn on in the name of security.
<snip>

So umm 4 registry changes, 2 customized ACLs, and a customized login
policy aren't tweaks. Oops, my bad, the emperor IS wearing clothes!
Tell the big lie often enough and it becomes truth. And, one question,
how many critical updates would you have had to apply (not TWEAKS, of
course) to keep this piece secure until now?

Dan Sichel
Network Engineer
Ponderosa Telephone
daniels@...derosatel.com (559) 868-6367
