OSEC

From: Jarrod Frates (fusion_at_illuminus.com)
Date: Thu Oct 31 2002 - 08:46:33 CST

    > You could always try the security templates made by the NSA for Win2k,
    > as I believe they apply ACLs to these system files specifically to stop
    > a lot of these attacks. Find them here ...http://www.nsa.gov/snac/win2k/download.htm.
    > We make and use our own where I work to stop a lot of these shenanigans.
    >
    > I haven't used them but, hey, it's the NSA so it HAS to be secure,
    > right? (to anyone who is tapping this wire, it is just a joke!)

    Actually, I spent two weeks doing a very detailed analysis and trial set
    with these for work. They're a great starting point, but they have the
    weakness of not touching anything except the C: drive. However, what
    they do touch is considerable, and serves as a wonderful model for
    locking down the rest of things. The only things that got changed were
    the minimum character length (12+ character passwords aren't enjoyed by
    most people) and a couple of logfile settings (the default is to allow
    up to 4GB logs to prevent DoS while preserving evidence).

    There's still a lot of lockdown to do, but even without scripts, with a
    well-written plan and a little practice it can be done in about an hour
    or so for a base installation, and perhaps another half-hour for various
    services (Terminal Services, IIS, etc).

    Jarrod
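
The coverage gap described in the message above (file ACLs applied only on the C: drive) can be checked mechanically. This is an added example, not part of the original message and not taken from the NSA templates: it reads the `[File Security]` section of a security template (.inf) and reports which local drives have no ACL entries. The sample template, the function names and the assumption that `%SystemRoot%`-style variables resolve to the system drive are all constructed for illustration.

```python
import re

# Constructed sample in security template (.inf) layout; not the NSA file.
SAMPLE_TEMPLATE = r'''
[System Access]
MinimumPasswordLength = 12
[File Security]
"%SystemRoot%\system32\config",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
"%SystemDrive%\boot.ini",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
"c:\autoexec.bat",2,"D:P(A;;GA;;;BA)(A;;GRGX;;;AU)"
'''

# Assumption: these variables resolve to the system drive (default install).
SYSTEM_VARS = ("%systemroot%", "%systemdrive%", "%programfiles%")

def parse_sections(text):
    """Split template text into {lowercased section name: [lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and comment lines
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def covered_drives(text, system_drive="C:"):
    """Drive letters that have at least one [File Security] entry."""
    drives = set()
    for entry in parse_sections(text).get("file security", []):
        quoted = re.match(r'"([^"]+)"', entry)  # first field is the path
        if not quoted:
            continue
        path = quoted.group(1).lower()
        if path.startswith(SYSTEM_VARS):
            drives.add(system_drive.upper())
        elif re.match(r"[a-z]:", path):
            drives.add(path[:2].upper())
    return drives

def uncovered_drives(text, local_drives, system_drive="C:"):
    """Local fixed drives the template applies no file ACLs to."""
    wanted = {d.upper() for d in local_drives}
    return sorted(wanted - covered_drives(text, system_drive))

def setting(text, section, key):
    """Value of 'key = value' inside a section, or None if absent."""
    for line in parse_sections(text).get(section.lower(), []):
        name, _, value = line.partition("=")
        if name.strip().lower() == key.lower():
            return value.strip()
    return None
```

Calling `uncovered_drives(SAMPLE_TEMPLATE, ["C:", "D:", "E:"])` lists the volumes that still need their own ACL entries, and `setting()` shows values such as the minimum password length before they are changed locally.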