Archive for the ‘Security’ Category

In the Trenches » Another Tech Chat – Affects of zotab and patch management

Monday, August 22nd, 2005


Participated in another tech chat!

Haven't been blogging much 'cause I can't blog from work, and evenings are WoW..


Wednesday, August 17th, 2005

Originally uploaded by Jemimus.
Update fun at work today, trying desperately to get 50 Windows 2000 servers up to some kind of decent patch level.

ITT: Using Security Templates and the SCW in Windows Server 2003

Friday, August 12th, 2005

I finally got my nerve together and recorded an Admin-to-Admin segment for the In The Trenches podcast

Article here:
Listen to the episode here:

Here are the notes for my segment:

Using Security Templates


  • Enforcing security policy onto a Workstation or Server
  • Setting software restriction policy (name, hash, path)
  • Setting secured groups
  • Enforcing NTFS permissions
  • Enforcing Registry Permissions
  • Enforcing the status of Services

Pre-defined Security Templates:


  • Compatws.inf – This is required by older applications that need to have weaker security to access the Registry and the file system.
  • DC security.inf – This is used to configure security of the Registry and File system of a computer that was upgraded from Windows NT to Windows 2000/2003.
  • Hisecdc.inf – This is used to increase the security and communications with the domain controllers.
  • Hisecws.inf – This is used to increase security and communications for the client computers and member servers.
  • Notssid.inf – This is used to weaken security to allow older applications to run on Windows Terminal Services.
  • Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.
  • Securedc.inf – This is used to increase the security and communications with the domain controllers, but not to the level of the High Security DC security template.
  • Securews.inf – This is used to increase security and communications for the client computers and member servers.
  • Setup security.inf – This is used to reapply the default security settings of a freshly installed computer.

More security templates can be downloaded with the Windows Server 2003 Security Guide:

Add your own registry settings:

All security settings are in fact just registry settings. Add your own by editing the Sceregvl.inf file.

See the link to the MS article in show notes.

Group Policy:

Import into GPOs. Remember when modeling security settings that domain controllers have their own local security settings set, like SMB signing.

MMC Snap ins:

  • Security Templates – always make copies of the predefined templates to a different location.
  • Security Configuration and Analysis – the security “database”: importing security templates, and analyzing against the local system.
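
What the Security Configuration and Analysis step amounts to, as an added example that is not part of the original show notes: a baseline template is compared against a current configuration and the differences are reported. Both template texts are constructed and simplified (the service entries carry an empty security descriptor), and the function names `parse_template` and `drift` are hypothetical.

```python
# Added example: offline drift check between two security templates (constructed data).
BASELINE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Service General Setting]
"Alerter",4,""
"""

CURRENT = r"""
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Service General Setting]
"Alerter",2,""
"""

def parse_template(text):
    """Return {(section, key): value} for a security template (.inf) string."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service General Setting":
            # Service lines are comma-separated: "name",startup mode,"descriptor"
            name, _, rest = line.partition(",")
            settings[(section, name.strip('"'))] = rest.strip()
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            settings[(section, key.strip())] = value.strip()
    return settings

def drift(baseline_text, current_text):
    """List (section, key, expected, actual) where current differs from baseline."""
    base, cur = parse_template(baseline_text), parse_template(current_text)
    return sorted((s, k, v, cur.get((s, k), "<not set>"))
                  for (s, k), v in base.items()
                  if s not in ("Version", "Unicode") and cur.get((s, k)) != v)

if __name__ == "__main__":
    for section, key, expected, actual in drift(BASELINE, CURRENT):
        print(f"[{section}] {key}: expected {expected!r}, found {actual!r}")
```

For real files, a configuration exported with `secedit /export /cfg` is typically UTF-16 encoded, so decode it before passing the text in.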

Other useful snap-ins for working on security templates with Group Policy:

  • Group Policy Management Console
  • Resultant Set of Policy
  • Local Policy

Service Pack 1 Security Configuration Wizard

Why did we need it?

Before, we had separate management interfaces for:

  • Security settings and all the things the Templates covered
  • IIS Security
  • Windows Firewall Settings
  • Registry settings (required you to make your own ADM files and security template)
  • IP Security policy (GPO-centric)

SCW combined all these things, and adds advantages:

  • Everything combined into a single XML file (easy to read and edit)
  • Can export to GPO or apply directly locally and remotely.
  • Import Security Templates
  • Can scan current system config and create baseline

Overlap in functionality:

  • SCW doesn't support NTFS and registry security
  • Templates don't cover IIS, IPSec or Firewall.

Neither SCW nor Security Templates cover the other features of Group or Local policy: Administrative Templates

You will need them BOTH to create a secure environment… use GPOs as the end result. Import Security Templates into SCW files during creation; SCW settings take precedence. If used separately, then you have to keep an eye on GPO precedence.


How to apply predefined security templates in Windows Server 2003 (KB 816585)

HOW TO: Analyze System Security in Windows Server 2003

HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

How to Add Custom Registry Settings to Security Configuration Editor

Group Policy Home

Security Configuration Wizard for Windows Server 2003

Windows Server 2003 Security Guide

Security Park – It is the employer not the employee who is the weakest link in a company’s IT security

Tuesday, June 21st, 2005


It is the employer not the employee who is the weakest link in a company’s IT security

SurfControl has today announced the results of a new UK survey that uncovers an alarming level of complacency by employers when it comes to combating spyware in the workplace. The poll found that 21.3 percent of all respondents’ employers did not prohibit the use of Instant Messaging to contact friends, Web-based email, recreational surfing, downloading free software, personal online banking, storing personal files, sharing free music/video files, playing online games, running CD-Rom/DVD media or the use of USB flash drives on work PCs.



Well I agree with the sentiment.. well some of the sentiment, if not all of what they claim are ‘threats’.

One has to bear in mind who sponsored this report, and who is presenting the news: SurfControl; and they have a rather large stake in this kind of discussion.

Literally anything can be a threat if you look hard enough. I would not call IM-ing friends a threat. I might call file-transfer via IM a threat, but not much of one… Use of USB drives? Well it's the same issue: not being able to fully control what files pass in and out of your network.

At the moment, with the current state of affairs when it comes to files and file-systems, I would say it's just about impossible to lock down your network to stop foreign files from entering your network. The trick is to mitigate what threat they do pose. AV on the desktop is one part of that, a strict and enforced lockdown policy of the desktop environment is another.. and the same can be said for perimeter defenses…

It's that old cost vs usability vs security argument. You can have a little of all three, but not all at the max level. People use IM and play games to give themselves a little distraction, which I believe is a healthy thing, in moderation. Not to mention IM being the perfect productivity tool if used for work purposes.

USB sticks? Well they have taken the place of floppies. I often see people resorting to USB sticks if it's the easiest alternative for getting to their data. Shutting off access to USB may mitigate some of the foreign-file threat, but I don't think it stands in relation to the added support costs you incur, or the effect it has on worker morale. Instead, perhaps you should be focussing on giving your users what they need: easy (and secure) access to their files; remove their reason for trying to work around the system.

And what the hell is wrong with ‘Web-based email’, ‘recreational surfing, personal online banking’? How is this a security threat? Yah sure.. downloading trojans perhaps.. spyware? Maybe.. how about a software restriction policy then? If you run Windows 2000 and up, you already have the mechanism to implement it… just a case of doing it.
How about locking down Internet Explorer? Turn off ActiveX via group policy.. it's not perfect.. but it's a start! Think about running Firefox on desktops yet… might be worth considering!

I am against the view that SurfControl seems to take, that any freedom you give employees, both online and off, is always a bad thing. Try turning off all net access in your company, and let's see what it does for morale? Work should be a place you want to go to, or at the very least, not mind going to, so that means employees should be giving at least some thought to distraction and relaxation, finding that balance of productivity and fun. Blanket blocks on certain activities are not the answer; a far more nuanced approach is needed that combines and weighs out those important elements in the way that best suits your company's needs: cost vs usability vs security.

Podcast with Robert Kloosterhuis

Wednesday, March 23rd, 2005

Oh I almost forgot about this! I am featured on the latest security news podcast!
It's basically a recorded Skype call.