Home page logo
/

basics logo Security Basics mailing list archives

RE: information harvesting from within the network
From: D Adler <dadler_grd-secfoc () yahoo com>
Date: Fri, 20 May 2005 16:01:28 -0700 (PDT)

I would have to agree with Jason that a GPO is going
to be of little use to you. You'll be better off with
a IDS/IPS system that can shut down the network port
of the suspicious machine when it detects unusual
behavior . If you are a cisco shop, cisco is making
inroads in this direction. I am certain there are
other solutions available as well, I am just not as
familliar with them. 

regards,
dave


--- "Beauford, Jason" <jbeauford () EightInOnePet com>
wrote:
Within a Windows Environment, I'd recommend using
the Microsoft Baseline
Security Analyzer to identify the weak links in your
Windows deployment.
Nice thing about it is it give you the MS
recommended resolutions.
Things like denying Anonymous Enumeration.

As far as GPO's go, in a University environment,
your networked PC's are
most likely not part of the domain, but rather just
College students and
therefore your GPO's will have no effect on their
particular units.
However, you should deploy GPO's to lockdown those
PC's within your
domain.

Again, the MS BSA tool will help you ID some issues
and supply
solutions.


http://www.microsoft.com/technet/security/tools/mbsahome.mspx


If you need GPO recommendations, you can check
Microsoft's site for
Hardening Windows Clients in a Windows Server
Environment, or there are
NIST docs.

Here are some links to get you going:


http://www.microsoft.com/smallbusiness/gtm/securityguidance/articles/sec
_winxp_pro_server_env.mspx


http://www.microsoft.com/technet/security/smallbusiness/prodtech/windows
2000/sec_win2000_pro_server_env.mspx


http://csrc.nist.gov/publications/nistpubs/index.html

Good Luck!

-JMB

-----Original Message-----
From: ddjjembe 2 [mailto:ddjjembe2 () hotmail com] 
Sent: Thursday, May 19, 2005 10:40 PM
To: security-basics () securityfocus com
Subject: information harvesting from within the
network


Background:
I work in a university that has university typical
security practices.  
Currently any authenticated user can scan the parts
of the network with 
tools like LANguard or Nessus and obtain a
considerable amount of 
information from them.   Most of the computers in
our network are
windows 
computers.  We also have departments with MACs and
*nix machines.

Goal:
If possible, lock down the Windows computers with
group policies and/or 
templates to disable this potential unauthorized
information harvesting 
users and then restrict scanning ability to the
security group with LDAP

permissions.  Am I on the right track here?

I would like to achieve this without using a host
based firewall.

Group policies have large pool of settings to pick
from.  Narrowing it
down 
to a few that disable at least portions would be
appreciated.

Thanks,

ddjembe


_________________________________________________________________
Don't just search. Find. Check out the new MSN
Search! 

http://search.msn.click-url.com/go/onm00200636ave/direct/01/




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault