Discussion on:

30 Comments
11. Test! Employing all these things is great, but what about the impact on the user side of things? Whole disk encryption can be a performance killer.
Also, everything should be tested, because it's worse to THINK you are protected rather than knowing you are not.

12. Employ a centralised auditing system - Having a variety of tools and systems which each do their own thing often means multiple logs. Ensure you have a centralised device that can gather and report on all of these things. Make sure it's reviewed.

13. Along with disabling services, have a look at Windows security templates. This can be a quick way to ensure identical lockdowns across all Windows servers.

14. If using IIS don't forget the IIS lockdown tool.
You cheated
ejhonda 22nd Oct 2007
13 & 14 are not for "all general purpose OSes". But your centralized auditing system tip is a good one - a tough one to implement, but a good one.
But...
-Q-240248 22nd Oct 2007
"13 & 14 are not for "all general purpose OSes"."

Neither are 2, 7, 8, 9, or 10 from the original article related to "general OSes". I don't even agree with this list regardless.

What's most important is to invest in a good Host-based firewall/IPS suite along with AV and forget about the "external firewall" the author is pushing. Dumb firewalls have their uses, and are no different than NAT when it comes to protecting, but a good host-based IPS solution goes above and beyond any firewall. Cuts down on the stinking patching issues and as long as you keep them up-to-date, many of those other issues become mute.

The only one I have ever followed was disabling the unnecessary services. I'll even take extra steps and disable things like the "server service" on my Windoze machines just because I don't need to share anything and there goes 50 other exploits you don't have to worry about.
"Neither are 2, 7, 8, 9, or 10 from the original article related to 'general OSes'."

How are they not related to general purpose OSes? Please elaborate.


"I don't even agree with this list regardless."

How do you disagree (aside from your obvious distaste for perimeter security)?


"What's most important is to invest in a good Host-based firewall/IPS suite along with AV and forget about the 'external firewall' the author is pushing."

I don't see how a host-based firewall obviates the need for an external filter for traffic. The further from the important systems and data in your care malicious activity is stopped, the better.


"Dumb firewalls have their uses"

Who said anything about "dumb" firewalls? Perhaps you're not aware that many external, stand-alone firewall devices actually run some of the best software you can find for stateful "host-based firewalls" (in the form of pf, iptables, et cetera).


"no different than NAT"

I'm pretty sure you don't know much about firewalls, at this point.


"a good host-based IPS solution goes above and beyond any firewall"

Perhaps you're also unaware that a stateful firewall essentially is an IPS.
Good God!
rkuhn@... 25th Oct 2007
I'm in 100% agreement with Apotheon.

This does happen occasionally.

I thought the article was spot on. Security isn't taken seriously enough by most people regardless of the OS.

Nice article.
Sorry . . .
apotheon 25th Oct 2007
"Good God!"

While I am flattered by the comparison, I am not He.


"Nice article."

Thanks. I do my best.
Excellent response. I agree with your assessment of the previous poster's firewall experience.

One doesn't even have to pay top dollar for a firewall appliance to get the best software. I've used several from all levels, and I would have to say that there are some very good stateful firewalls on the market.

An external firewall is just one part of the layered approach necessary to protect systems and data.
Mnemonic: Like a cow's opinion, a moot point simply does not matter.
Thank you!
apotheon 25th Oct 2007
That's one of my biggest pet peeves in online discussion -- seeing someone post something about a "mute point". Argh.

I usually don't want to say anything about it, though, because the people saying "mute point" are usually the people completely missing my previous points, and in the process of correcting them on the matter I don't want to distract attention from the important meat of what I'm saying.

So . . . thanks for bringing it up.
Not so tough
gary@... 23rd Oct 2007
Quick and dirty way of doing it is to set up something like Kiwi Syslog daemon or the free version of Splunk and get everything converted to syslog format and sent to that server.
Windows can send event logs in syslog format via a nice piece of software called SNARE.
Having a variety of tools and systems which each do their own thing often means multiple logs.

There is a myriad of text manipulation software available to make multiple log files conveniently viewable. Better to pick the best security & monitoring tools on their technical merits, and deal with their log files as the simplistic chore in text formatting that they are. Too minor a problem to count at all where access control is concerned.
agreed
apotheon 25th Oct 2007
"Better to pick the best security & monitoring tools on their technical merits, and deal with their log files as the simplistic chore in text formatting that they are. Too minor a problem to count at all where access control is concerned."

I tend to figure that anyone who thinks that dealing with superficially differing text formats requires something akin to a vertically integrated vendor stack is someone who hasn't heard of Perl -- or perhaps even regular expressions.
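As an added example, not code from any of the posters, here is the kind of small Ruby script the last few posts have in mind: three constructed log lines in different formats (a BSD syslog line from sshd, a SNARE-style tab-separated Windows Security event forwarded over syslog, and an IIS W3C access-log line) are normalised with regular expressions into one record shape, so a single question such as "which client is failing authentication across every system?" can be answered from all sources at once. The hostnames, addresses, field layouts and the assumed year 2007 are constructed for the example; the SNARE layout in particular is an approximation, not the agent's documented format.

```ruby
require 'time'

# Constructed sample lines, one per format; hosts and addresses are made up.
SAMPLE_LINES = [
  # BSD syslog line from a Linux/BSD host's sshd
  'Oct 23 14:02:11 fw01 sshd[2311]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2',
  # SNARE-style Windows Security event forwarded over syslog (approximate tab layout, constructed)
  "Oct 23 14:02:15 dc01\tMSWinEventLog\t529\tSecurity\tFailure Audit\tLogon Failure: Reason: Unknown user name or bad password User Name: admin Source: 192.0.2.10",
  # IIS W3C extended log line: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status ...
  '2007-10-23 14:02:20 198.51.100.5 GET /admin/login.asp - 80 - 192.0.2.10 Mozilla/4.0 401 0 0'
].freeze

MONTHS = %w[Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec].freeze
ASSUMED_YEAR = 2007 # BSD syslog timestamps carry no year; assumed for this example
IPV4 = /\d{1,3}(?:\.\d{1,3}){3}/

SYSLOG_RE = /\A(?<mon>\w{3}) +(?<day>\d{1,2}) (?<hms>\d\d:\d\d:\d\d) (?<host>\S+) (?<prog>[^\[:\s]+)(?:\[\d+\])?: (?<msg>.*)\z/
SNARE_RE  = /\A(?<mon>\w{3}) +(?<day>\d{1,2}) (?<hms>\d\d:\d\d:\d\d) (?<host>[^\t]+)\tMSWinEventLog\t(?<id>\d+)\t(?<chan>[^\t]+)\t(?<type>[^\t]+)\t(?<msg>.*)\z/
IIS_RE    = /\A(?<date>\d{4}-\d\d-\d\d) (?<hms>\d\d:\d\d:\d\d) (?<sip>\S+) (?<method>\S+) (?<uri>\S+) \S+ \d+ \S+ (?<cip>\S+) \S+ (?<status>\d{3})/

# Build a UTC Time from a BSD syslog "Mon DD HH:MM:SS" stamp; nil for an unknown month.
def bsd_time(mon, day, hms)
  return nil unless (mi = MONTHS.index(mon))
  h, m, s = hms.split(':').map(&:to_i)
  Time.utc(ASSUMED_YEAR, mi + 1, day.to_i, h, m, s)
end

# Turn one raw line into a common record, or nil if no parser recognises it.
def normalise(line)
  if (m = SNARE_RE.match(line))
    { time: bsd_time(m[:mon], m[:day], m[:hms]), host: m[:host], source: "win:#{m[:chan]}",
      auth_failure: m[:type] == 'Failure Audit', client: m[:msg][IPV4], message: "#{m[:id]} #{m[:msg]}" }
  elsif (m = IIS_RE.match(line))
    { time: Time.parse("#{m[:date]} #{m[:hms]} UTC"), host: m[:sip], source: 'iis',
      auth_failure: m[:status] == '401', client: m[:cip], message: "#{m[:method]} #{m[:uri]} #{m[:status]}" }
  elsif (m = SYSLOG_RE.match(line))
    { time: bsd_time(m[:mon], m[:day], m[:hms]), host: m[:host], source: m[:prog],
      auth_failure: m[:msg].start_with?('Failed password'), client: m[:msg][/from (#{IPV4})/, 1], message: m[:msg] }
  end
end

# Count authentication failures per client address across every source.
def auth_failures_by_client(lines)
  lines.map { |l| normalise(l) }.compact
       .select { |r| r[:auth_failure] && r[:client] }
       .group_by { |r| r[:client] }
       .transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |l| p normalise(l) }
  p auth_failures_by_client(SAMPLE_LINES)
end
```

Feeding real files is a matter of replacing SAMPLE_LINES with `File.foreach(path)` over the syslog server's output; the records are what a central console would index, and the per-client count is the sort of cross-source view a single box of mixed logs cannot give you until the formats are lined up.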
Explanation
gary@... 26th Oct 2007
Yes, that's right, but not many people know about the tools out there that can do this; therefore there needs to be more education via sites like this.
OK
Absolutely 26th Oct 2007
I've been meaning to tidy up my TR Workspace until it's a useful repository of security-related tools and info. One more reason to get on that.
System Logs
CookieOrc@... 27th Oct 2007
You always have to know what is in those things. The first time I got hacked was when I did not realize that I was not the only one using my VNC connection to the server.
SmoothWall Express makes a very good free software firewall that will run on almost any old discarded computer.

http://www.smoothwall.org/
number 8..
Jaqui 22nd Oct 2007
This is the source of the majority of MS xploits, MS products are designed around trust everything instead of the secure trust nothing.
Trust Nothing
gary@... 23rd Oct 2007
Absolutely. Hence I'd suggest using the NSA lockdown checklists and security templates.
the problem is
Jaqui 23rd Oct 2007
MS Windows is built to operate with a trust everything model. Making it work with a trust nothing model will cripple most people's productivity until they get used to the higher restrictions and what is required to work with them.

A trust nothing on a windows box would mean anything downloaded would need to be virus scanned, adware scanned, spyware scanned, before it could be run. When run, it would have to be sandboxed to the point of requiring constant input from the user to allow it to do anything. Then you could stop malware.


The *nix operating systems are closer to a trust nothing, but even they have some trust in some things / accounts.
[ userid 0 / root being trusted ]
Not so
gary@... 23rd Oct 2007
You can operate a trust nothing model with a "sensibly" locked down desktop.
Your downloads and AV scanning can be handed off to something like a Bluecoat proxy appliance or similar. IPS can be used to detect threats on the network and so on.
That way you can have LESS loading on the workstation in the form of agents that consume CPU, and put that loading onto your network appliances.

Now, I admit that this breaks down when you have a mobile workforce.
true, that
apotheon 23rd Oct 2007
"Now, I admit that this breaks down when you have a mobile workforce."

It also breaks down if you take -Q's advice, above, and just use a local IPS and malware scanning strategy for security, ignoring any and all other means of securing your system. I of course think your solution makes a lot of sense (and have used similar strategies myself) -- but I'm sure -Q would have a huge problem with your suggestion.
Balance is key
gary@... 27th Oct 2007
In any security strategy you must balance risk against the ability of the user to do their job.

The key is understanding what the business does and how it does it. For example, I hate iPods and other USB devices. I'd love to lock them all out, but I know that the business uses them to transfer legitimate data. We also use them in IS, so we can't do that YET... if we did we would cause the business more hassle than allowing the devices.

It's constantly a balancing act.
Strong passwords are a good security practice but hard to implement in my company. Locking down all unused services on all servers and putting all systems behind a firewall (I use m0n0wall with great success) has worked well for me. Also make sure you block SMTP port 25 for all outgoing LAN access or you can end up getting your IP blocked. As far as testing your network, what programs do you suggest? I've used nmap but it just scans ports. Is there some other that you recommend?
Testing a network
gary@... 23rd Oct 2007
First of all I'd suggest a proper pen test from a reputable company.
If the budget isn't there for it then metasploit is quite scary in what it can do and exploit.
GRC can do a simple firewall scan to see what ports are open, and internally you should be using GPOs and templates to lock down your machines as much as possible.
Pen testing
Penguin_me 25th Oct 2007
Along with Metasploit and nmap, if you can run it (I think it's *nix only) Nessus is fairly good, it'll give you a list of open ports and vulnerable services (it doesn't give you everything, and should only be used as *part* of pen-testing) link: http://www.nessus.org/
A program that generates a random string of characters, of user-defined length, is not very difficult to write & post to an Intranet or Internet location.
It is also not difficult to password-protect an Excel spreadsheet which contains all of a user's passwords, and is editable only with the one password that the users "remember". There are also open-source programs which incorporate all that functionality in a single program.
"not difficult to password-protect an Excel spreadsheet which contains all of a user's passwords, and is editable only with the one password that the users 'remember'."

True . . . but it's also not difficult enough to crack security on software like Excel, or to fill up RAM and unnecessary swaths of hard drive "space", when you do it that way. Much better to use some OpenPGP-based encryption utility like GnuPG, perhaps wrapped with a shell script or a Perl or Ruby script to give it that "application" feel, where security breaches and software bloat are much more difficult to imagine.
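As an added example, not code from the thread, here is a Ruby version of the two pieces the last two posts describe: a generator for random passwords of user-defined length, drawing each character uniformly with SecureRandom so no character is favoured, and a thin wrapper that hands the resulting file to GnuPG for symmetric encryption instead of relying on Excel's password protection. The alphabet, the file paths and the helper names are this example's own choices; the gpg options used (--symmetric, --cipher-algo AES256, --output) are real GnuPG flags, and gpg prompts for the passphrase itself.

```ruby
require 'securerandom'

# Character alphabet for generated passwords (this example's own choice, 86 symbols).
ALPHABET = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a +
            '!@#$%^&*()-_=+[]{};:,.?~'.chars).freeze

# Draw each character with SecureRandom.random_number(n), which is uniform
# over 0...n, so indexing the alphabet with it has no modulo bias.
def random_password(length)
  raise ArgumentError, 'length must be a positive integer' unless length.is_a?(Integer) && length > 0
  Array.new(length) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
end

# Entropy, in bits, of a password drawn uniformly from the alphabet.
def entropy_bits(length, alphabet_size = ALPHABET.size)
  length * Math.log2(alphabet_size)
end

# Number of character classes (lower, upper, digit, symbol) present, for
# systems that still enforce a class-count policy on top of length.
def character_classes(password)
  [/[a-z]/, /[A-Z]/, /\d/, /[^a-zA-Z\d]/].count { |re| password.match?(re) }
end

# Command line for encrypting a password file with GnuPG symmetric mode.
# These are real gpg options; gpg asks for the passphrase interactively.
def gpg_symmetric_argv(plaintext_path, ciphertext_path)
  ['gpg', '--symmetric', '--cipher-algo', 'AES256', '--output', ciphertext_path, plaintext_path]
end

# Run gpg on the file; true on success, false or nil if gpg fails or is not installed.
def encrypt_with_gpg(plaintext_path, ciphertext_path)
  system(*gpg_symmetric_argv(plaintext_path, ciphertext_path))
end

if __FILE__ == $PROGRAM_NAME
  length = (ARGV[0] || 20).to_i
  pw = random_password(length)
  puts pw
  puts format('%.1f bits of entropy, %d character classes', entropy_bits(length), character_classes(pw))
  # To keep the list encrypted: write the passwords to a file, then
  # encrypt_with_gpg('passwords.txt', 'passwords.txt.gpg') and shred the plaintext.
end
```

The generator deliberately draws from the whole alphabet rather than forcing one character of each class, since forcing classes reduces the keyspace; character_classes is only there to report against a policy, and at 20 characters from this alphabet you are already above 128 bits.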
Thanks.
Absolutely 27th Oct 2007
I've been meaning to start tinkering with Perl. That looks like a good mini-project to get me familiar with a bit of its syntax.
You're welcome.
apotheon 27th Oct 2007
I think I recall seeing some OpenPGP libraries for Perl in CPAN, too -- so you may not actually need a separate utility like GnuPG around which to wrap your script. On the other hand, maybe the modules depend on something like GnuPG. I didn't really look into it too deeply at the time, so I couldn't really tell you.
Most of this is common sense

Some are good
Would like to add

1 Work with the people who will be using the systems/network

Teach them good security

Explain why they cannot do the risky stuff

2 Lose the fortress mindset even the best security can break down

There is always someone who will do the most stupid things in any company or group

Col