|
|
Focus on Microsoft
Binding Windows Services to Specific Addresses Only May 03 2008 11:13PM Christian Koerner (misk gmx net) (4 replies) RE: Binding Windows Services to Specific Addresses Only May 09 2008 02:43PM Maxime Ducharme (mducharme cybergeneration com) RE: Binding Windows Services to Specific Addresses Only May 06 2008 08:24AM Davies, Alan (GE Money) (AlanJ Davies ge com) Re: Binding Windows Services to Specific Addresses Only May 05 2008 03:55PM Steve Friedl (steve unixwiz net) (1 replies) RE: Binding Windows Services to Specific Addresses Only May 09 2008 02:24PM Wayne S. Anderson (wfrazee wynweb net) (1 replies) RE: Binding Windows Services to Specific Addresses Only May 09 2008 05:43PM Devin Ganger (DevinG 3sharp com) (1 replies) Re: Binding Windows Services to Specific Addresses Only May 05 2008 03:07PM Ali, Saqib (docbook xml gmail com) |
|
Privacy Statement |
multi-tier web applications, SCW can break things. Even more so if you are
doing anything with non-default configurations.
My list was looking more towards principles rather than focusing on the
technical accomplishment of those points.
SCW is an excellent starting point for default services however I would
advise being careful applying it after a custom web application and also
MAKE SURE you have a lab environment or developer test with the SCW
configuration after it is applied. Build in time in your project schedule,
if applicable, for someone with appropriate experience to troubleshoot.
-W
Wayne S. Anderson
-----Original Message-----
From: Devin Ganger [mailto:DevinG (at) 3sharp (dot) com [email concealed]]
Sent: Friday, May 09, 2008 11:43 AM
To: wfrazee (at) wynweb (dot) net [email concealed]; 'Steve Friedl'; 'Christian Koerner'
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Binding Windows Services to Specific Addresses Only
This is a great list, Wayne!
However, I've got one addition for you.
Wayne S. Anderson wrote:
> 3) Immediately review the service configuration and default
> accounts. If you don't need them, disable them, or in the
> case of services at least set them to manual so they do not
> run by default. With Windows default accounts, make sure that
> the steps that you can take, you have.
<snip>
> With the services, take the most restrictive approach possible.
> Remember, if something doesn't start, we can always restart
> whatever was stopped so its ok if something now fails to start.
> We just make the necessary adjustments and restart it and we
> know not to stop that particular service again ;) You ARE
> building the security for this server while it is in a build
> or pre-production stage..... right? You should be able to risk
> causing other service failures while you determine what services
> are necessary.
Don't forget that with Windows Server 2003 SP1 and later, the OS includes a
great tool for automating a lot of this work for you -- the Security
Configuration Wizard. You'll need to go into Add/Remove Programs, Add/Remove
Windows Components to ensure that it's installed on the system, but once you
do -- it's a great tool that allows you to define and manage security policy
for multiple systems.
--
Devin L. Ganger, Exchange MVP Email: deving (at) 3sharp (dot) com [email concealed]
3Sharp Phone: 425.882.1032
14700 NE 95th Suite 210 Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
[ reply ]