(background: I'm one of those wierd people who believes that picking
the right tool for the job is more important than "running unix" or
"running NT". I'm much more familiar with security in UNIX
environments, but even with less experience in NT environments, it's
become obvious that security admins in general lack detailed knowledge
about NT. Part of this is that the relevant information isn't easily
available in the one place. On this point, I think Russ's idea is a
Good Thing. On the other side, I've experienced M$ support (spell
'oxymoron'), misleading technotes, etc. For an application which is as
business-critical as a firewall tends to be, these are part of _my_
considerations when searching for "the right tools", and hence U*X-type
solutions tend to win out. On with the show... )
> However, if we assume that I was able to get Microsoft to put together a CD
> that contained White Paper and technical information regarding Windows NT,
> what would you like to know about Windows NT to help you evaluate its
> impact on the security within your environment?
> A few assumptions;
> - it will not contain source code for any products which source code is not
> already publically available
Does this include Microsoft modifications to publically available source
code, in particular, encryption algorithms? What about code fragments
eg. for key exchange??
> - it will contain all available API specifications
> - it will contain RFC implementations and any MS-specific extentions to
> - it will contain information from 3rd party ISV's who offer security
It would be worthwhile breaking this down further... some NT products
which shall remain nameless O:-) just uze NT as a boot loader before
taking over the machine and having their wicked way. They don't use SAM
or take advantage of any of the other NT features which a "real" NT
package would do. Some areas which might be worthwhile:
* Single signon systems
* Remote access control
* Security management tools
> Some ideas;
> - The CD could come with a 60-day Windows NT Server/BackOffice evaluation,
> would that be useful?
> - There is a C2 configuration guide (manual), maybe it should be included
Might also be an idea to include technical information on the NT architecture
features which support C2 requirements, and which allow performance to
be maintained when running C2 (sic).
> - There is a Network Monitoring tool (Netmon), maybe it should be included
> - There are a variety of tools that are part of the Resource kits to add
> unix-like functionality to NT, maybe they should be included
> - More information could be given if the CD was available under NDA, would
> you prefer that?
*sigh* the people who know enough about NT to break it will already
have this information - if Beelzegates wants people to consider NT as a
basis for their security then maybe he should consider that as
security admins, we DON'T like being left behind by a vendor's
need to hide the information we need to do our job. Unless of
course he's throwing in the source code for NT :-ppp
> - The NT Knowledgebase includes articles about many issues relating to
> security problems, misconfigurations, and bugs, should that be included?
> - There are numerous SDK's for the various NT BackOffice products, would
> these be useful?
For an evaluation? probably not. The API's and documentation however
would be important to assessing the extent to which local customisations
etc. can be made.
> What kind of information, what format should it be in, and what level
> should it be positioned for?
Put it on two CD's - eval software on one CD and doco/papers/api references
etc on the second CD. If the doco isn't accessible then this whole
exercise would be wasted - something a little more than Knowledgebase
(ie. more indexing) would be a good start.
> Treat me like the university student asking for information about a thesus.
Russ, you should read the FAQ (http://www.whitehouse.gov), and get copies
of Cheswick and Bellovin's "Firewalls and Internet Seucirty", and
"Building Internet Firewalls" by Chapman and Zwicky. They will be very
helpful in writing your thesis. :-))))