Security Basics mailing list archives

RE: secure sharepoint 2010 design


From: "Boyd, Chad" <CBoyd () madden com>
Date: Tue, 10 Aug 2010 19:56:55 +0000

My DCs are segmented from my workstations.
http://www.sans.org/reading_room/whitepapers/hsoffice/design-secure-network-segmentation-approach_1645 (PDF)

To be clear, proper network segmentation can be a pain to set up...and can be a bit expensive depending on the 
environment, but:
- Once it is set up, the security makes me sleep a bit better at night.
- If there's some crazy virus outbreak or compromise, it's a lot harder for an attacker to take down everything.

Why patch your systems?
If you're not going to worry about anything that comes from the outside, then who needs to patch? While you're at it, 
give everyone local admin rights.

Why use keycards or a secretary or video cameras in your buildings?
If you trust your employees and anyone on the street, why pay for all of that?

Why do you lock your car doors?
When you trust the person you locked in the front seat to never unlock the car, why worry?

A proper security strategy has to not only take into account outside attackers, but also has to protect from insider 
threats. Employees download things they shouldn't, bring in crap-ware on USB drives, and in the event of a disgruntled 
one, can be downright malicious.


It's work. As security admins, that's what we're hired to do. The boss pays me to keep the network safe and running.
Occasionally he doesn't like my advice, but he listens to me, because it's my job to know about the bad stuff that 
happens on the web and to make sure that at the end of the month he can still make those payments to the bank.


Some of my guidance can seem over the top. How often have you been compromised?


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ansgar Wiechers
Sent: Tuesday, August 10, 2010 4:11 AM
To: security-basics () securityfocus com
Subject: Re: secure sharepoint 2010 design

On 2010-08-02 Paul Johnston wrote:
> The question I would ask is: do existing similar systems in your 
> company have a dedicated, firewalled network?
> 
> I think you'll find that somewhat more critical systems (e.g. your 
> domain controllers) currently sit on the same network as all your 
> workstations. While there is a security benefit in firewalling 
> sharepoint, it's a bit moot if more critical systems are not 
> firewalled.

If you take an actual look at which ports would have to be opened in a firewall for a DC to operate correctly, you'll 
understand that placing DCs behind firewalls is kinda pointless.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
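The message above refers to the set of ports a firewall has to open for a domain controller to function. The script below is an added example, not part of the thread, that makes that set concrete: it models a default-deny allow-list in front of a DC segment using the well-known Active Directory service ports (DNS, Kerberos, LDAP/LDAPS, SMB, RPC endpoint mapper, Global Catalog) plus the Server 2008+ default dynamic RPC range. The network addresses, the "management jump host" segment and the sample flows are constructed for illustration and are assumptions, not anything from the list posts.

```python
"""Model of a default-deny allow-list in front of a domain-controller segment.

Added example for the thread above. Addresses and the management segment are
constructed; port numbers are the well-known Active Directory service ports and
the dynamic RPC range is the Windows Server 2008+ default (assumed here).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed network layout (assumption, not from the thread).
WORKSTATIONS = ip_network("10.10.0.0/16")
GUEST_WIFI = ip_network("192.168.50.0/24")
MGMT_JUMPHOSTS = ip_network("10.0.9.0/24")
DC_SEGMENT = ip_network("10.0.1.0/24")

# Services every domain member must be able to reach on a DC.
DC_MEMBER_PORTS = {
    ("tcp", 53), ("udp", 53),        # DNS
    ("tcp", 88), ("udp", 88),        # Kerberos
    ("udp", 123),                    # NTP (domain time sync)
    ("tcp", 135),                    # RPC endpoint mapper
    ("tcp", 389), ("udp", 389),      # LDAP
    ("tcp", 636),                    # LDAPS
    ("tcp", 445),                    # SMB (SYSVOL, Netlogon)
    ("tcp", 464), ("udp", 464),      # Kerberos password change
    ("tcp", 3268), ("tcp", 3269),    # Global Catalog
}
RPC_DYNAMIC = range(49152, 65536)    # default ephemeral RPC range, Server 2008+
# Remote-management services that ordinary domain members do not need.
DC_ADMIN_PORTS = {("tcp", 3389), ("tcp", 5985), ("tcp", 5986)}  # RDP, WinRM


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset      # set of (proto, port) pairs the rule covers
    action: str           # "allow" or "deny"

    def matches(self, src, dst, proto, port):
        return src in self.src and dst in self.dst and (proto, port) in self.ports


def member_ports():
    """Complete allow-set a domain member needs towards a DC."""
    return frozenset(DC_MEMBER_PORTS | {("tcp", p) for p in RPC_DYNAMIC})


# First matching rule wins; a flow matching no rule is denied.
POLICY = [
    Rule(WORKSTATIONS, DC_SEGMENT, member_ports(), "allow"),
    Rule(MGMT_JUMPHOSTS, DC_SEGMENT, member_ports() | frozenset(DC_ADMIN_PORTS), "allow"),
]


def evaluate(src: str, dst: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for a single flow under POLICY."""
    s, d = ip_address(src), ip_address(dst)
    for rule in POLICY:
        if rule.matches(s, d, proto, port):
            return rule.action
    return "deny"


def exposed_port_count(src_net: IPv4Network) -> int:
    """Number of distinct (proto, port) pairs src_net may reach on the DC segment."""
    allowed = set()
    for rule in POLICY:
        if rule.action == "allow" and src_net.subnet_of(rule.src) and rule.dst == DC_SEGMENT:
            allowed |= rule.ports
    return len(allowed)


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, port)
    flows = [
        ("10.10.4.20", "10.0.1.10", "tcp", 88),     # workstation -> DC Kerberos
        ("10.10.4.20", "10.0.1.10", "tcp", 50000),  # workstation -> DC dynamic RPC
        ("10.10.4.20", "10.0.1.10", "tcp", 3389),   # workstation -> DC RDP
        ("192.168.50.7", "10.0.1.10", "tcp", 389),  # guest wifi -> DC LDAP
        ("10.0.9.5", "10.0.1.10", "tcp", 3389),     # jump host -> DC RDP
    ]
    for f in flows:
        print(f"{f[0]:>13} -> {f[1]} {f[2]}/{f[3]:<5} {evaluate(*f)}")
    print("ports reachable from workstations:", exposed_port_count(WORKSTATIONS))
```

Running it shows both sides of the discussion in numbers: the allow-set from the workstation segment is large (fourteen fixed ports plus the whole dynamic RPC range), yet the policy still refuses RDP and WinRM from workstations, refuses everything from a non-member network such as guest Wi-Fi, and confines remote management to a dedicated segment. Whether that residual restriction is worth the firewall's cost is exactly the judgement the thread is debating.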

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
