Security Management (March 2005) - Security Myths
Security Management(March 2005) - Security Myths
By Jesper M. Johansson and Steve Riley
This is the first article in a two-part series based on Jesper and Steve's new book, "Protect Your Windows Network." The book will be released in late May from Addison-Wesley.
For more information, see:
"Security configuration changes and guides have been around for about 10 years in the Windows world, longer in other areas. The original Windows NT 4.0 guides that were published by the U.S. National Security Agency and the SANS Institute were basically just lists of changes, with a little bit of rationale behind each setting but no overall cohesiveness. They were a response to a demand for what we call the “big blue ‘secure-me-now’ button.” The problem is that such a button does not exist. If it did, the vendor would ship it.
There is a lot at stake in security configuration guidance. First, it is easy to understand why people are clamoring for it. Everyone can see the benefit in turning on some setting and blocking an attack. In some environments, doing so is not even an option. A system must be configured in accordance with some security configuration or hardening guide to be compliant with security policy. In other environments security configuration guidance is strongly encouraged. Before you start making security tweaks, however, we feel that it is very important that you understand some of the fundamental problems with them. These are what we call the myths.
To avoid sounding like we hate security guides (which we do not), we want to point out that the authors have taken part in authoring, co-authoring, or editing almost all the commonly available guides for Windows in the past 10 years. Guides that are done right are valuable, but to do them right you must understand what they cannot do. That is why the myths are important.
This section is somewhat (OK, very) cynical. Take it with a grain of salt and laugh at some of the examples we give. Do not lose sight, however, of the message we are trying to get across: These are myths. If you are careful to avoid falling into the trap of believing them, you will be able to focus your efforts on the things that make a real difference instead of being lured like so many others into staring at a single tree and failing to see the security forest...."