Michael Howard - When does threat modeling come into play?

Very interesting presentation.  I really like how he presents an example of how one group works together with another, the W2K03 group, to address issues preemptively. 

I have always worked under the assumption that you don't browse from any server, much less a DC.  But as Michael points out, you have to throw out all those assumptions and work in a "worst case scenario" frame of mind in order to build better and more secure apps.

I agree that browsing the internet on a DC or any other server is something you just don't do. And implementing a high security default in IE is certainly a good way to lower the risk of it, but why not go all the way and disable internet access via IE (or any other browser) on server systems completely? No "good admin" would use it anyway and it certainly would make life easier for those companies whose admins do.

Fox:
   I agree in priciple w/ your comments.  A "good admin" should never surf the internet.  But the point of turning on all those settings is to mitigate any potenial security leaks while still keeping basic functionality.  Plus adding the ability to remove the security if the admin so desires.  Security is by it's very nature a battle between functionality and safety with a delicate balance being redefined continiously.

I felt the presentation was a little cursory overall and stated a lot of obvious and uninteresting points.  I wonder how much prep work goes into each of these interviews...both by the interviewer and interviewee

I simply can't agree with this;  While I do believe Michael's intentions are ultimately to make things safer for the end user, "turning it off" doesn't help us.  Many of us need these components to work.

I would much rather see fixes for these problems rather than an "ignore it and it'll go away" approach.

You seriously NEED to browse the internet on a server? Or even on a DC?

I agree that turning off features rather than fixing security problems in them is not the right way to go. But disabling unnecessary features to increase security is something I'd definitely support.

And I didn't understand this to be Microsoft's way of dealing with security issues in general but just as an example how you can minimize the possible area of attack. Especially as in this case (admin surfing the internet on a PDC) you don't even need a bug or a security problem to mess things up - the admin is doing all that on his own.

The problem is simply not limited to servers though;  Internet explorer vulnerabilities have plauged every version of windows.  They are possibly the single largest flaw in the windows operating system where most viruses and worms make their entree.

In my opinion, not enough has been done to fix these problems, some of which have existed in Internet Explorer for quite a long time now.

On a server shutting everything off is not a big deal, but on a desktop it's a really big deal, and desktops are the ones spreading many of the annoying worms we have to deal with today.

Last time I checked.. the most up-to-date and current source for patches was windowsupdate.microsoft.com.. an internet site..

Don't get me wrong.. I think the security lockdown mode of IE on W2k3 server is a very necessary feature, but it is difficult to draw the line on what's "good" and "bad" in all possible scenarios..

continuing your line of thinking, why not deny access from the DC to any ip which is external to the domain? not allow installs of any application on the DC since any application could pose a security risk. Don't allow remoting or terminal services to a DC since it could be a untrusted user from inside the network..  

there are any number of scenarios where doing these things would just complicate matters and not make things any more secure -- maybe even less..


it is still incumbent upon the admin to make sound decisions -- simply taking away IE doesn't solve much as it would just frustrate the admin and he/she would probably find a reg hack or download and install another browser..

the probably best way is to keep features intact, secure by default, and have the user be the determining factor on what should or shouldn't be done...

With a simple problem comes a simple solution: If you really need to browse on the server with all the functionality enabled, then just take a remote session to a workstation or use vmware or other virtual machine. Why such sandbox solution doesn't come as default is beyond me.

Many people seem shocked that anyone would browse the web from a domain controller -- yet my wife does it every day.

Being an unfunded researcher, I run my development out of my living room.  When I needed a server, my wife graciously lent me the unused cycles on her desktop machine.  So she surfs on the server, and I code against it -- and everything works.  Pure programming (and marital) bliss.

The point is not that I was able to come up with a bizzare scenerio where it happens.  The fact is that the threat model suggested it, and an appropriate mitigation was in place.  The threat model found an odball what-if that happened to be real and reasonable in a context that I am sure the server 2003 team never anticipated and handled it in a secure and transparent way.

The fact that I chose to override the security is not the point either.  It wouldn't be the end of the world if our three computer domain bites the dust, but it might be if she can't surf!  I appriciated the reminder that surfing from a server is usually unwise.  I appriciate the software allowing me to overide that recommendation in a situation when it didn't apply.

John Melville, MD wrote:

The fact that I chose to override the security is not the point either.  It wouldn't be the end of the world if our three computer domain bites the dust, but it might be if she can't surf!  I appriciated the reminder that surfing from a server is usually unwise.  I appriciate the software allowing me to overide that recommendation in a situation when it didn't apply.

I can't agree more with above. I would suggest that the more that is locked down the better!!

The admin(s) is responsible - it's not always MS fault... if it's locked down to begin with there is much less room for mistakes, i.e. not locking down a port you didn't know was open or even aware off!

Thank youaaaa

شات - شات كتابي - منتديات - مركز تحميل - شات فلسطين - دردشة فلسطين - ماسنجر - فيديو كليب - دليل مواقع

There's not a problem to see the <a href="http://www.genuinewriting.com">write my essay</a>  service, just because there're several of them in web. However, students should chose a distinguished service to order high quality term papers.