secmog Just Arrived
Joined: 26 Jul 2005 Posts: 0
Posted: Tue Jul 26, 2005 4:25 am Post subject: Unneeded Software on Windows Servers
Need official documentation on best practice of "NOT" installing unneeded software on Windows Servers.
capi SF Senior Mod
Joined: 21 Sep 2003 Posts: 16777097 Location: Portugal
Posted: Tue Jul 26, 2005 4:42 am
Ok.
darkog Just Arrived
Joined: 26 May 2005 Posts: 0 Location: Toronto, Ontario, Canada
Posted: Tue Jul 26, 2005 5:17 am
hi. it sounds like you are perhaps looking for a policy resource? try this link:
http://www.sans.org/resources/policies/
most of us refer to it and go on from there to other links included on the page.
good luck.
secmog Just Arrived
Joined: 26 Jul 2005 Posts: 0
Posted: Tue Jul 26, 2005 6:02 am
Actually a fellow admin who thinks it's a good idea to install Administrative Tools, Support Tools and Resource Kit on all company Windows servers. I have some documentation but wanted more to reinforce the point... even though this should be a non-issue. Just want to follow best practice.
darkog Just Arrived
Joined: 26 May 2005 Posts: 0 Location: Toronto, Ontario, Canada
Posted: Tue Jul 26, 2005 1:09 pm
i am confused. if i understand correctly, a fellow IT co-worker would like to install support tools (wininternals, ethereal, win resource kit tools, etc.) on users' workstations and you would like to convince them not to?
i personally haven't seen any reports dealing with only giving users programs that they need and nothing else.
but off the top of my head i can say, most support tools are very small and install very simply. storing them on a network file share and running them off the file share is usually a non-issue and very convenient.
AdamV SF Mod
Joined: 06 Oct 2004 Posts: 24 Location: Leeds, UK
Posted: Tue Jul 26, 2005 2:18 pm
darkog wrote:
"if i understand correctly, a fellow IT co-worker would like to install support tools (wininternals, ethereal, win resource kit tools, etc.) on users' workstations and you would like to convince them not to?"
actually he said on windows servers, not workstations.
IMHO it depends what they are.
If they are actually running something like a service (eg a TFTP server, or VNC client for example) that is definitely a bad thing as it will increase the attack surface.
If they are just installed passively and have to be run then I would suggest they should only be installed where they are actually needed. By definition this means not many places since most can be run from an admin workstation instead. You should also secure the use of them using policies or NTFS permissions on the executables (or both!)
If a server is compromised and you have already provided lots of handy admin tools for an attacker to use, that helps them, but realistically if they have got to that stage it is likely they could do without basic MS tools anyway or install what they want. Again, it depends what they are - giving them a TFTP server to use, even if it is not running, is a bit too helpful.
As for resource kit I would be more inclined to only install specific components as and when required.
If by installed you mean copied to a share to be downloaded (which I don't think you do mean) then I see no issue here as long as that is secured properly and not everyone can just install stuff.
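The two checks raised in the last reply (tools that run as a service, and NTFS permissions on the tool executables) can be audited with a short script. This is an added example, not part of the thread; the `$ToolsRoot` path is a hypothetical install location, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. $ToolsRoot is a hypothetical install path.
param(
    [string]$ToolsRoot = 'C:\AdminTools'
)

# Trailing backslash so C:\AdminTools does not also match C:\AdminTools2.
$prefix = $ToolsRoot.TrimEnd('\') + '\'

# Well-known SIDs expected to run the tools: LocalSystem and BUILTIN\Administrators.
$allowedSids = @('S-1-5-18', 'S-1-5-32-544')
$executeBit  = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
$sidType     = [System.Security.Principal.SecurityIdentifier]

# 1. Executables whose NTFS ACL allows execution by any other principal.
$looseAcls = Get-ChildItem -LiteralPath $ToolsRoot -Recurse -File -Filter *.exe |
    ForEach-Object {
        $file = $_.FullName
        # Explicit and inherited ACEs, with identities returned as SIDs.
        (Get-Acl -LiteralPath $file).GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $executeBit) -ne 0) -and
                ($allowedSids -notcontains $_.IdentityReference.Value)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file
                    Sid    = $_.IdentityReference.Value
                    Rights = $_.FileSystemRights
                }
            }
    }

# 2. Services whose binary lives under the tools directory (running or not).
$toolServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.PathName -and
        $_.PathName.TrimStart('"').StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
    } |
    Select-Object Name, State, StartMode, PathName

'Executables runnable by principals other than SYSTEM/Administrators:'
$looseAcls | Format-Table -AutoSize
'Services installed from the tools directory:'
$toolServices | Format-Table -AutoSize
```

Anything listed by the first check is a candidate for tighter NTFS permissions; anything listed by the second is a tool that adds a service to the server and should be reviewed against whether it is needed there at all.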