SecurityFocus

Binding Windows Services to Specific Addresses Only May 03 2008 11:13PM
Christian Koerner (misk gmx net) (4 replies)

RE: Binding Windows Services to Specific Addresses Only May 09 2008 02:43PM
Maxime Ducharme (mducharme cybergeneration com)

RE: Binding Windows Services to Specific Addresses Only May 06 2008 08:24AM
Davies, Alan (GE Money) (AlanJ Davies ge com)

Hi Chris,

You best bet is to start here:

http://www.cisecurity.org/

That'll give you both templates based on best practice and a scoring tool to
sink your teeth into. There is indeed plenty more you can do, depending on
your environment, to harden Windows systems.

Obviously once deployed, you should also have a patching policy. AV and
HIDS are good. Proper change management, build policy, admin restriction,
etc. are the other "soft" bit that keep it the way you designed it.

alan

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Christian Koerner
Sent: 04 May 2008 00:13
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Binding Windows Services to Specific Addresses Only

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everybody!

When it comes to Windows hardening and in specific restricting Windows'
services, the only suggestions that I've found so far are:
*) disable unnecessary services
*) restrict network access through packet filtering

What else can be done and isn't it possible to bind Windows' services to a
specific address/interface, e.g. LAN.

Thanks in advance
Chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIHPGV6rqywW28g1IRAohNAKCQ9vfcx/N5vRr0bbbiBityYayO4wCgottt
+JClyFFafYzq0ojEA0AfS1c=
=2nbF
-----END PGP SIGNATURE-----
0? *?H?÷
?0?10 +0? *?H?÷
?§0?\0?Å ê0
*?H?÷
0¼10 UDE10UHamburg10UHamburg1:08U
1TC TrustCenter for Security in Data Networks GmbH1"0 UTC TrustCenter Class 2 CA1)0' *?H?÷
certificate (at) trustcenter (dot) de0 [email concealed]
980309115959Z
110101115959Z0¼10 UDE10UHamburg10UHamburg1:08U
1TC TrustCenter for Security in Data Networks GmbH1"0 UTC TrustCenter Class 2 CA1)0' *?H?÷
certificate (at) trustcenter (dot) de0 [email concealed]?0
*?H?÷
0?Ú8èí2)q?
¿?ÜÚÆ9¤©?/Õ?\h_PÆbõf½Ê?"ìªQ×=³Q²?N]ËI°ðLUåk-Ç?0?N?ÔÊí÷o¾Üàã¸Sò?ô
V?Z???Ñ´?V®M»¨KW¼þøX?ø)°{ÍxÉO¬?gñ?ûüW?W\O
£k0i0Uÿ0ÿ0Uÿ?03 `?H?øB&$http://www.trustcenter.de/guidelines0 `?H?øB0
*?H?÷
?Rû(ßÿu¼¾V?jtB$1?ùF±??Ï?,3¿?µ_zr¡?Î?ø?èù%ÊÚ??¬ë6m??46ôBð
øy.
H\«ÌQOxv Ù¬½*Ñi(?Ê6'?W[Ò\õÂ[«dctQô?¿Í(÷Mf§ð&x²fGpQd0?ú0?c
?oaÏ$ªym)0
*?H?÷
0¼10 UDE10UHamburg10UHamburg1:08U
1TC TrustCenter for Security in Data Networks GmbH1"0 UTC TrustCenter Class 2 CA1)0' *?H?÷
certificate (at) trustcenter (dot) de0 [email concealed]
070515144445Z
101231225959Z0V10 UUS1!0U
General Electric Company1$0"UGeneral Electric Company CA0?0
*?H?÷
0?Í,]#?Ügõø5ºLMèu^Þ²ñù6Ç?ª³wvÑý²Âï1?UïB?í_3c3Ü¥×>£xk?r
ø¿ø]HëÖßqy¿¬_¬8Z%?á 6

iÞ?Àcë-?ãòÈÐÈ¶×ÕÿhMdÊ,»5}*Ø\)»UÓÄð®tå£?a0?]0?+00L
+0?@http://www.trustcenter.de/certservices/cacerts/tcclass2-2011
.crt0/+0?#http://ocsp.tcclass2.trustcenter.de0Uÿ0ÿ0J
U C0A0? *?,0200+$http://www.trustcenter.de/guidelines0Uÿ
0U ¯%ºô·-ó*ÙÍW<ôQÎL?0>U70503 1 /?-http://www.trustcenter.de/crl/v2/t
cclass2.crl0
*?H?÷
aºñ£k?2¶ÛÉÔÎvÊÕòÄPî>ÁÀ_y"?F?<Bð[¸UÄ,Q_°FK_ºq?èúëüà+0Ã5F?
ùÓO ¤îX?eØ¦;Áµ?×-.pH!Û?b??æ?D?ÁÎ?AÂÛ;¾ª©&?)1Ñ~ó?¦&??yÔ?ýj0?E0?®
ô?hù&7«j{0
*?H?÷
0V10 UUS1!0U
General Electric Company1$0"UGeneral Electric Company CA0
080319112044Z
101219112044Z0?1!0U
General Electric Company10UGE Money10U 12303514810UAlan Davies1"0 *?H?÷
alanj.davies (at) ge (dot) com0 [email concealed]?0
*?H?÷
0?ÞWc ô÷án5@?¾³?
ânÞÀè¾uùF¬kÈYÓD£sh??ÁßcYWhÌÕ;?á³y@C´À+Ó$?Î6pv(^?L]#¸NÆ¥üÚ¼¢£mö¾n¯ôÝ~ÄÊ°?ðïº¥?^KÍs?¦SY«¿øAÈ8i½e
$?µéPki£?ä0?à0B+60402+0?&http://ocsp.ge.tcclass2
.trustcenter.de0áU#Ù0Ö¡Â¤¿0¼10 UDE10UHamburg10UHamburg1:08U
1TC TrustCenter for Security in Data Networks GmbH1"0 UTC TrustCenter Class 2 CA1)0' *?H?÷
certificate (at) trustcenter (dot) de [email concealed]??oaÏ$ªym)0Uÿð0U±t
}Ò#àp}4
¯È?íp0HUA0?0= ; 9?7http://www.trustcenter.de/crl/v2/tc_class2_L1_CA_GE
.crl0U%0++0U0alanj.davies (at) ge (dot) com0 [email concealed]
*?H?÷
Â?®s¡åT
ÝLvÔh¨9Å!ò°°mþ¿¾ÃéµLÕ§?W}ÿr^a1²?wÃ?Ð¬ U?ßù?þpj±#±s©?ÐÞgÂV«¨0
±C??¯c_®ÓÃæÅ?¡ã¹¯ã8å!6êÙ?â?Ë{×³&¯×<¡O?ð1?Ï0?Ë0i0V10 UUS1!0U
General Electric Company1$0"UGeneral Electric Company CAô?hù&7«j{0 + ?¼0 *?H?÷
1 *?H?÷
0 *?H?÷
1
080506082423Z0# *?H?÷
1Áñ?=ô?ù?ÝÛèÔ`?çV0g *?H?÷
1Z0X0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0+0
*?H?÷
0x +?71k0i0V10 UUS1!0U
General Electric Company1$0"UGeneral Electric Company CAô?hù&7«j{0z*?H?÷
1k i0V10 UUS1!0U
General Electric Company1$0"UGeneral Electric Company CAô?hù&7«j{0
*?H?÷
?Ý?æ={ö¶\¶aßÅÒwa=Þü7ÃW£ô½ÑhïØmk]¯í*õB_l?~¥258í¹³?_Ò5ÙïX?
^«?ÍfD%Å97E&=ÅiAµÝ?=?°Ýmôø¨À±óí8d÷Ñø ©e`ïv?4'®¹ ?ýüüs

[ reply ]

Re: Binding Windows Services to Specific Addresses Only May 05 2008 03:55PM
Steve Friedl (steve unixwiz net) (1 replies)

RE: Binding Windows Services to Specific Addresses Only May 09 2008 02:24PM
Wayne S. Anderson (wfrazee wynweb net) (1 replies)

RE: Binding Windows Services to Specific Addresses Only May 09 2008 05:43PM
Devin Ganger (DevinG 3sharp com) (1 replies)

RE: Binding Windows Services to Specific Addresses Only May 09 2008 10:23PM
Wayne S. Anderson (wfrazee wynweb net) (1 replies)

RE: Binding Windows Services to Specific Addresses Only May 13 2008 03:39AM
Ken Schaefer (Ken adOpenStatic com) (1 replies)

RE: Binding Windows Services to Specific Addresses Only May 21 2008 03:11AM
Wayne S. Anderson (wfrazee wynweb net)

Re: Binding Windows Services to Specific Addresses Only May 05 2008 03:07PM
Ali, Saqib (docbook xml gmail com)