[Dshield] Windoze Questions...

John Holmblad jholmblad at aol.com
Fri Feb 20 18:07:46 GMT 2004


Jon,

Your point re reduction in the vulnerability<=>exploit interval is on
the mark. I know of one potential alternative to Tripwire from ISS
called BlackIce. I have not used ISS BlackIce but I have seen it
demonstrated and I understand that it has application control
capability as well as a firewall and IDS component. BlackIce can be
licensed for desktop/notebook PC use as well as for server use:

    http://blackice.iss.net/product_pc_protection.php

Also, with Windows XP you can implement software restriction policies
using Group Policy to limit what can be executed based on 4 different
criteria:

    - Hash rule (to detect changes in the object code detected by means
      of a cryptographic hash)
    - File path rule (to allow execution only from certain locations)
    - Certificate rule (to require that the executable file be signed by
      a software publisher whose certificate is provided in the rule)
    - Internet zone rule (to require that the executable file have
      originated from a specific Internet Zone as defined by Microsoft,
      i.e., Internet, Intranet, Trusted Sites, Restricted sites,
      My Computer)

With this component of Group Policy you can lock down your system very
tightly if you choose in terms of permitted executables. These policies
can be defined and deployed using Windows Group Policy for each computer
manually using local Group Policy, as would be the case with systems
that are not joined to an Active Directory based network, or
automatically by means of AD + GP update, with systems that are
joined to an Active Directory based network. Furthermore, the policies
can be defined for the computer as a whole or they can be defined for
each user individually depending upon where in the GP object the
editing is performed.

In fact, anyone running a Windows XP Pro system and perhaps even XP Home
can implement such a policy themselves by using local Group Policy. Log
on with administrator privileges, open the MMC, add in the snap-in for
Local Group Policy and then navigate to the following GP container:

    Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies

Here is a Microsoft TechNet article which provides a simple checklist
for implementing a software restriction policy to help protect your
computer against an e-mail virus as well as links to more information
about software restriction policies:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/SRP_check_k.asp

-- 

Best Regards,

John Holmblad

Televerage International

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

www page:               www.vtext.com/users/jholmblad
primary email address:  jholmblad at aol.com
backup email address:   jholmblad at verizon.net
text email address:     jholmblad at vtext.com
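
Added example, not part of the original message: a simplified Python model of how the hash rules and file path rules listed above decide whether an executable may run when the default security level is Disallowed. The SHA-256 hash, the order in which this model checks rules, and all paths and file contents are constructed assumptions for illustration, not Windows' own implementation.

```python
import hashlib
from pathlib import PureWindowsPath

ALLOW, DENY = "Unrestricted", "Disallowed"  # SRP security level names

def digest(data: bytes) -> str:
    # Assumption: SHA-256 is this model's choice, not what Windows uses.
    return hashlib.sha256(data).hexdigest()

class Policy:
    def __init__(self, default=DENY):
        self.default = default
        self.hash_rules = {}   # content digest -> level
        self.path_rules = []   # (directory, level)

    def add_hash_rule(self, data, level):
        self.hash_rules[digest(data)] = level

    def add_path_rule(self, directory, level):
        self.path_rules.append((PureWindowsPath(directory), level))

    def evaluate(self, exe_path, data):
        """Return (level, reason) for a file at exe_path with contents data."""
        d = digest(data)
        if d in self.hash_rules:            # hash follows the file anywhere
            return self.hash_rules[d], "hash rule"
        parents = PureWindowsPath(exe_path).parents  # case-insensitive compare
        hits = [(p, lvl) for p, lvl in self.path_rules if p in parents]
        if hits:                            # most specific directory wins
            p, lvl = max(hits, key=lambda h: len(h[0].parts))
            return lvl, f"path rule {p}"
        return self.default, "default level"

# Constructed sample policy and files (hypothetical paths and contents).
TOOL = b"MZ constructed admin tool v1"
policy = Policy(default=DENY)
policy.add_path_rule(r"C:\Windows", ALLOW)
policy.add_path_rule(r"C:\Windows\Temp", DENY)
policy.add_hash_rule(TOOL, ALLOW)

def demo():
    cases = [
        (r"C:\WINDOWS\system32\notepad.exe", b"MZ notepad"),
        (r"C:\Documents and Settings\jon\Desktop\attach.exe", b"MZ unknown"),
        (r"C:\Windows\Temp\setup.exe", b"MZ unknown"),
        (r"D:\tools\admintool.exe", TOOL),               # hash rule matches
        (r"D:\tools\admintool.exe", TOOL + b" patched"),  # changed: no match
    ]
    return [policy.evaluate(path, data)[0] for path, data in cases]
```

The last two cases show the trade-off between the rule types: a hash rule keeps working wherever the file is moved but stops matching after any change to the binary, while a path rule is only as strong as the write permissions on the allowed directory.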



