You may be wondering about the subtitle for this blog: "Life and Security at Microsoft". So far, I've covered a lot of life, but what about security?
I have joined a team called "Microsoft Solutions for Security". We are a relatively small but growing group at Microsoft dedicated to providing valuable security guidance. My team works very closely with Microsoft Consulting Services, the Security Center of Excellence, and most importantly Microsoft customers to create valuable security guidance documents. These documents cover a variety of topics. Some of the guidance we have created so far includes hardening guides (such as the Securing Windows XP guide at http://www.microsoft.com/security/guidance/prodtech/WindowsXP.mspx) and an anti-virus document (available for download at http://www.microsoft.com/downloads/details.aspx?FamilyId=F24A8CE3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en).
My goal in life is to provide Microsoft's customers (and everyone else for that matter) with quality security guidance that is directly applicable in their environments. And that is where you come in. If you have any security topics that you would like to see MSS cover in the future, please let me know what they are. I can't make any promises, but input from customers is what makes Microsoft tick.
I can be reached at email@example.com.
Here's one I'd like to see you cover: binding network services to specific interfaces. If you could bind things like LAN Manager protocols to the internal interface only (or localhost only for machines not in a domain or workgroup), the need for a firewall would be radically reduced...
I will pass this on to the appropriate team...
Please see page 278 of the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=14845) for some advice on this topic. This advice is also applicable to other versions of Windows.
This will take care of things like NetBIOS and SMB. To limit various TCP/IP protocols (e.g., only allow FTP on the internal interface), you should be able to use IPSEC filtering. I know this feels a bit like a workaround, but it should get the job done.