Home page logo
/

basics logo Security Basics mailing list archives

RE: information harvesting from within the network
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Fri, 20 May 2005 16:12:38 -0400

Within a Windows Environment, I'd recommend using the Microsoft Baseline
Security Analyzer to identify the weak links in your Windows deployment.
Nice thing about it is it give you the MS recommended resolutions.
Things like denying Anonymous Enumeration.

As far as GPO's go, in a University environment, your networked PC's are
most likely not part of the domain, but rather just College students and
therefore your GPO's will have no effect on their particular units.
However, you should deploy GPO's to lockdown those PC's within your
domain.

Again, the MS BSA tool will help you ID some issues and supply
solutions.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx


If you need GPO recommendations, you can check Microsoft's site for
Hardening Windows Clients in a Windows Server Environment, or there are
NIST docs.

Here are some links to get you going:

http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/sec
_winxp_pro_server_env.mspx

http://www.microsoft.com/technet/security/smallbusiness/prodtech/windows
2000/sec_win2000_pro_server_env.mspx

http://csrc.nist.gov/publications/nistpubs/index.html

Good Luck!

-JMB

-----Original Message-----
From: ddjjembe 2 [mailto:ddjjembe2 () hotmail com] 
Sent: Thursday, May 19, 2005 10:40 PM
To: security-basics () securityfocus com
Subject: information harvesting from within the network


Background:
I work in a university that has university typical security practices.  
Currently any authenticated user can scan the parts of the network with 
tools like LANguard or Nessus and obtain a considerable amount of 
information from them.   Most of the computers in our network are
windows 
computers.  We also have departments with MACs and *nix machines.

Goal:
If possible, lock down the Windows computers with group policies and/or 
templates to disable this potential unauthorized information harvesting 
users and then restrict scanning ability to the security group with LDAP

permissions.  Am I on the right track here?

I would like to achieve this without using a host based firewall.

Group policies have large pool of settings to pick from.  Narrowing it
down 
to a few that disable at least portions would be appreciated.

Thanks,

ddjembe

_________________________________________________________________
Don't just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]