Re: Secure Your Server Wizard - Question to Jim Harrison

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 15 Dec 2001 09:17:46 -0800

Hi Gary,

I used the term "(don't)" because the vast majority of folks don't have a
full understanding of what each security wizard does to the system.
I wouldn't even be the one to say "I know what it will do to your system"
because it depends on too many other factors.
I could discuss what each setting in each .inf file accomplishes, but what
that means to your system may be something entirely different to mine.
The ISA team had good intentions and the right idea; make it easy to apply
an appropriate security template to a server that protects your network.
Unfortunately, many folks using wizards neither have nor want detailed
knowledge of what the wizard accomplishes while they're using it.
That's a dangerous mixture where security templates are concerned, as many
have discovered.
The ISA MMC might have popped up a "You better know exactly what applying
"XXX.inf" to your system will do before agreeing to this action." message,
but that's more oversight than malicious intent.  Remember: this product is
aimed squarely at the LORG - Enterprise market.  The folks in that arena
generally study and play with a new technology for an extended time before
putting it into production.
It's "available" to the SORG-MORG market because it's a totally kewl
product, but you can't target that broad a market spectrum without
dissatisfying someone.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Gary Anderson" <gary.anderson@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, December 15, 2001 05:29
Subject: [isalist] Secure Your Server Wizard - Question to Jim Harrison

Hi Jim,

On the Microsoft newsgroup, you answered a "Spoof Attack" thread like this:

====
Please detail your ISA setup (ipconfig /all)?
What rules / filters have you defined?
Have you used the "secure your server" wizards (don't)?
====

Can you clarify the "Don't" for secure your server wizards?

I agree with you about these "wizards".  They cause more problems than they
solve.

I know how the security works: basicdc.inf, securedc.inf, hisecdc.inf.  I
also know that "setup security.inf" on a W2K is tighter than basicdc.inf.
Still, I'm surprised that an editor would secure an application firewall
through the application instead of instructing the system administrator to
do so by going through the underlying OS.

Yesterday, I wasted three hours.  Clean install of W2K, all of the Microsoft
updates, ISA Server and then the "Secure your server" Wizards.  "You must
restart your computer" message.  Ok.  The machine never comes back.  It
hangs on "Preparing Network Connections".  Recover the OS and updates from
an image.  Reinstall ISA without the "Secure your server" wizard step and
everyone works fine.  (In fact, I even ran a vulnerability test from the
outside against the machine.  NMAP found a lot of filtered ports and detected
the W2K as XP RC1 or RC2.  After one hour of attacks, NESSUS returned only
two minor advisories.  The fact that it showed so many filtered ports didn't
make me happy but overall ISA Server's perimeter security in an "out of the
box" installation is very good.)

As far as I'm concerned ISA Server's "Secure Your Server" Wizard should be
called "Pull The Trigger and Put a Neat Hole in Your Foot" Wizard.  A
definite candidate for the "Thanks, Bill!" award.

Gary Anderson
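Both messages turn on the same point: know what a security template (.inf) will change before letting a wizard apply it. The script below is an added example, not code from either poster or from ISA Server; it parses the INI-style template format that secedit consumes and lists the settings a template would push, flagging the two kinds that most often need a second look (services it disables, privilege rights it assigns to nobody). The embedded template is constructed for this example; it is not basicdc.inf, hisecdc.inf, "setup security.inf" or any template shipped with ISA Server.

```python
"""Summarise what a Windows security template (.inf, the format secedit and
the ISA 'Secure Your Server' wizard apply) would change, before applying it.
Added example; the SAMPLE_TEMPLATE below is constructed, not a Microsoft template."""
import re

# Value-type codes used in [Registry Values] and startup codes used in
# [Service General Setting], as secedit interprets them.
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
SERVICE_START = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
BOOKKEEPING = {"Unicode", "Version"}   # sections that carry no settings

# Constructed sample, shaped like a real template but deliberately short.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
; constructed example: tighten local policy and turn off a few services
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=4,0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeRemoteShutdownPrivilege =
[Service General Setting]
Messenger,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
Browser,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
RemoteRegistry,3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""


def parse_security_template(text):
    """Return {section: [(key, value)]}.  ';' comments and the [Unicode]/[Version]
    bookkeeping sections are skipped.  Service lines are 'Name,Startup,SDDL'
    rather than 'key = value', so they are split on commas instead."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1)
            if current not in BOOKKEEPING:
                sections.setdefault(current, [])
            continue
        if current is None or current in BOOKKEEPING:
            continue
        if current == "Service General Setting":
            parts = line.split(",", 2)
            if len(parts) == 3:
                name, start, sddl = (p.strip() for p in parts)
                sections[current].append((name, (start, sddl.strip('"'))))
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def describe_changes(sections):
    """One readable line per setting the template would push onto the host."""
    lines = []
    for key, value in sections.get("System Access", []):
        lines.append(f"policy   {key} -> {value}")
    for path, value in sections.get("Registry Values", []):
        rtype, _, data = value.partition(",")
        lines.append(f"registry {path} = {data} ({REG_TYPES.get(rtype, 'type ' + rtype)})")
    for right, holders in sections.get("Privilege Rights", []):
        lines.append(f"right    {right} -> {holders.replace('*', '') or '<nobody>'}")
    for name, (start, _sddl) in sections.get("Service General Setting", []):
        lines.append(f"service  {name} -> {SERVICE_START.get(start, 'startup ' + start)}")
    return lines


def review_before_applying(sections):
    """Settings to confirm before 'secedit /configure' and the reboot that follows:
    services the template disables and privilege rights it assigns to nobody."""
    flagged = []
    for name, (start, _sddl) in sections.get("Service General Setting", []):
        if start == "4":
            flagged.append(f"disables service {name}")
    for right, holders in sections.get("Privilege Rights", []):
        if not holders:
            flagged.append(f"removes every holder of {right}")
    return flagged


if __name__ == "__main__":
    # Real templates on disk are UTF-16; read them with open(path, encoding="utf-16").
    parsed = parse_security_template(SAMPLE_TEMPLATE)
    print("\n".join(describe_changes(parsed)))
    print("\nReview before applying:")
    print("\n".join("  " + item for item in review_before_applying(parsed)))
```

The script only reads the template; it changes nothing. On the host itself, the built-in way to see the delta against the current configuration is `secedit /analyze /db check.sdb /cfg template.inf /log check.log` (read-only), which is worth running on a test machine before `secedit /configure` or the wizard is allowed to apply the same file to a firewall.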