Busted
Tim Mullen, 2004-05-17

The arrest of Sasser's author proves bounties work to catch cyber vandals. Now, if the security industry would just stop egging them on ...

Busted 2004-05-23
blacklight
The two main points I am getting from Tim Mullen's piece are: (1) Sasser is proof that it does not take that much skill to create some serious devastation in a Windows environment; (2) Microsoft's reward program worked in one case, and one feels generous about it, at least one case. And it will work under the conditions that the Sasser worm's author was caught. That's probably the most anyone can say at this point.

In the meantime, I will make two general points: (1) if it's hard to configure, then it's hard to secure, and it's hard to keep secure because it's hard to audit; (2) if you can't audit it efficiently, then you can't keep it secure efficiently. The great thing about Active Directory is that it enables the setting up of desktop settings from a single location: efficient to secure, efficient to audit (better to audit one server and a random desktop than all 500 desktops); (3) any consideration of security must incorporate concerns about scalability. If settings can be set from a single location, then the scalability issue of security is taken care of. If not, we have an ongoing issue.

Copyright 2009, SecurityFocus