"Think about it, that would be like me installing a base copy of SuSE 8.0 on my desktop, farting around the security options in YaST2 and not really knowing anything about the underlying OS."

Sort of like what Tim Mullen did in this very article, in describing RedHat, yes?

Incidentally, (as regards your battery of rather disjointed questions earlier on)...

1) Why on earth are you setting up "multiple forests" of domain trees (you, err, know what a 'forest' is, right?) on a tiny 200-user network? Unless it is a classroom or a real oddball arrangement, there is absolutely no need to set up that many independent domains (and a truckload of independent domain controllers to handle 'em all) just to make Win2k/3 secure on a 200-user network.

2) IPSec encrypts packets (mostly for VPN nets*), and does not "secure services" (else that nasty ol' Messenger Service spam would've been dealt with a long time ago by simply using IPSec instead of registry hacks, eh?) I'm also curious about this new and mysterious "protocol layer" you mention as well.

3) It would be fun to see how basic Win2k/3 security involves securing Exchange when most folks use a real mail server instead...

4) I'll believe that IIS is finally somewhat secure when all the infected IIS boxen out there quit polluting my Apache logs with Nimda scans.

5) In Win2k, two-way transitive trusts are set up by default - it takes some industrial-strength tweaking to change that. If Win2k3 is the same, then I wish you luck.

To summarize? If all that esoteric and mostly specialized crap you mentioned are "basic requirements for setting up a secure Windows 2000/3 AD environment", then I sincerely hope your "team" knows a whole lot more about Windows-based networking than you do.

*IPSec has an internal "transport" mode as well, but it's a full-on bandwidth-sucker. Wouldn't recommend it for networks that may be short on 100bT cards and hubs. It's also pretty useless in heterogenous (Novell, anyone?) environments as well, since MS hosed-up the Kerberos standard it was purportedly based on.

/P

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/157/19752#19752