Focus on Microsoft
RE: Binding Windows Services to Specific Addresses Only May 22 2008 01:18PM
Wayne S. Anderson (wfrazee wynweb net)
Absolutely.

Hence " SCW is an excellent starting point for default services" in my
original post on the subject :)

Any time that you put security measures in place, you need to plan in time
to be able to debug them. Network flows can be implemented incorrectly,
you could be missing firewall rules at the host or network gateway level,
permissions could be blocking your app from accessing necessary data or
program components, local security policy could be set to prohibit necessary
functionality.

Building in that security debug time is an important step, whether you are
using SCW or any other security tool. But, absolutely, if you are securing
a windows server environment, you will want to make sure that SCW is in your
security toolbox.

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: Devin Ganger [mailto:DevinG (at) 3sharp (dot) com [email concealed]]
Sent: Wednesday, May 21, 2008 1:27 PM
To: wfrazee (at) wynweb (dot) net [email concealed]; 'Ken Schaefer'; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Binding Windows Services to Specific Addresses Only

All you're arguing for is, "If SCW doesn't have specific XML files for your
applications, be sure to review settings and test before using it in
production." That's great advice no matter which security tools and
methodology you're using, but it doesn't change the fact that SCW is a great
place to *start* in hardening a Windows Server 2003 SP1 + box.

--
Devin L. Ganger, Exchange MVP Email: deving (at) 3sharp (dot) com [email concealed]
3Sharp Phone: 425.882.1032
14700 NE 95th Suite 210 Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Wayne S.
> Anderson
> Sent: Tuesday, May 20, 2008 8:11 PM
> To: 'Ken Schaefer'; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Binding Windows Services to Specific Addresses Only
>
> Localized port proxies, custom service implementations, etc. E.g.
> application with traffic acceptance on a web server hosted on a
> standardized
> port which then subsequently communicates using a non-web
> communication
> stream.
>
> SCW can only anticipate what it KNOWS to look for. As a result
> when you are
> using custom applications, you have to have an understanding of
> security
> concepts and apply that dynamically to the specifics of your
> environment.
>
> I have seen SCW break custom and boutique web apps that have
> secondary
> processes which handle other portions of processing or
> communication for the
> overall programmatic system.
>
> Wayne S. Anderson
> http://www.linkedin.com/in/wayneanderson
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
> Behalf Of Ken Schaefer
> Sent: Monday, May 12, 2008 9:39 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Binding Windows Services to Specific Addresses Only
>
> Can you elaborate on what types of things SCW can break for a
> "custom web
> app" or a "multitier app" (as opposed to any other type of app?)
>
> Obviously if you start removing extension mappings, or you disable
> NTLM,
> then certain pieces of IIS functionality no longer work. But that's
> reasonably obvious. What other types of gotchas as there?
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com [email concealed]
> > [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Wayne S.
> Anderson
> > Sent: Saturday, 10 May 2008 8:24 AM
> > To: 'Devin Ganger'; 'Steve Friedl'; 'Christian Koerner'
> > Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: RE: Binding Windows Services to Specific Addresses Only
> >
> > The only thing with using SCW in such a way is that if you are
> doing
> > multi-tier web applications, SCW can break things. Even more so
> if you
> > are
> > doing anything with non-default configurations.
> >
> > My list was looking more towards principles rather than focusing
> on the
> > technical accomplishment of those points.
> >
> > SCW is an excellent starting point for default services however I
> would
> > advise being careful applying it after a custom web application
> and
> > also
> > MAKE SURE you have a lab environment or developer test with the
> SCW
> > configuration after it is applied. Build in time in your project
> > schedule,
> > if applicable, for someone with appropriate experience to
> troubleshoot.
> >
> > -W
> >
> > Wayne S. Anderson
> >
> > -----Original Message-----
> > From: Devin Ganger [mailto:DevinG (at) 3sharp (dot) com [email concealed]]
> > Sent: Friday, May 09, 2008 11:43 AM
> > To: wfrazee (at) wynweb (dot) net [email concealed]; 'Steve Friedl'; 'Christian Koerner'
> > Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: RE: Binding Windows Services to Specific Addresses Only
> >
> > This is a great list, Wayne!
> >
> > However, I've got one addition for you.
> >
> > Wayne S. Anderson wrote:
> >
> > > 3) Immediately review the service configuration and default
> > > accounts. If you don't need them, disable them, or in the
> > > case of services at least set them to manual so they do not
> > > run by default. With Windows default accounts, make sure that
> > > the steps that you can take, you have.
> >
> > <snip>
> >
> > > With the services, take the most restrictive approach possible.
> > > Remember, if something doesn't start, we can always restart
> > > whatever was stopped so its ok if something now fails to start.
> > > We just make the necessary adjustments and restart it and we
> > > know not to stop that particular service again ;) You ARE
> > > building the security for this server while it is in a build
> > > or pre-production stage..... right? You should be able to risk
> > > causing other service failures while you determine what
> services
> > > are necessary.
> >
> > Don't forget that with Windows Server 2003 SP1 and later, the OS
> > includes a
> > great tool for automating a lot of this work for you -- the
> Security
> > Configuration Wizard. You'll need to go into Add/Remove Programs,
> > Add/Remove
> > Windows Components to ensure that it's installed on the system,
> but
> > once you
> > do -- it's a great tool that allows you to define and manage
> security
> > policy
> > for multiple systems.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus