RE: information harvesting from within the network
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Fri, 20 May 2005 16:12:38 -0400
Within a Windows Environment, I'd recommend using the Microsoft Baseline
Security Analyzer to identify the weak links in your Windows deployment.
Nice thing about it is it gives you the MS recommended resolutions.
Things like denying Anonymous Enumeration.
As far as GPOs go, in a University environment, your networked PCs are
most likely not part of the domain, but rather just College students and
therefore your GPOs will have no effect on their particular units.
However, you should deploy GPOs to lock down those PCs within your
Again, the MS BSA tool will help you ID some issues and supply
If you need GPO recommendations, you can check Microsoft's site for
Hardening Windows Clients in a Windows Server Environment, or there are
Here are some links to get you going:
From: ddjjembe 2 [mailto:ddjjembe2 () hotmail com]
Sent: Thursday, May 19, 2005 10:40 PM
To: security-basics () securityfocus com
Subject: information harvesting from within the network
I work in a university that has university typical security practices.
Currently any authenticated user can scan the parts of the network with
tools like LANguard or Nessus and obtain a considerable amount of
information from them. Most of the computers in our network are
computers. We also have departments with Macs and *nix machines.
If possible, lock down the Windows computers with group policies and/or
templates to disable this potential unauthorized information harvesting
users and then restrict scanning ability to the security group with LDAP
permissions. Am I on the right track here?
I would like to achieve this without using a host based firewall.
Group policies have a large pool of settings to pick from. Narrowing it
to a few that disable at least portions would be appreciated.