When security breaks things

re: When security breaks things

Andrew Dugdell — Wed, 09 Nov 2005 01:27:13 GMT

Yes, Virtualization is your friend. And there are some great tools like VSMT and VirtualServer to take identical copies of prod servers for (patching/hardening) testing.

But we can rollback to default security

Bryan — Wed, 09 Nov 2005 10:23:49 GMT

... without the RGE of a system rebuild.

Of course the magic words for doing this are 'security configuration editor', or for commandline junkies, 'secedit.exe'. And Steve, imho all you MS guys should be pimping this tool a little more often; it rocks!

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b1007de8-a11a-4d88-9370-25e244560587.mspx has the exact instructions.

I totally agree on the "don't tweak every little thing" deal. But it's a hard sell.

re: When security breaks things

Steve Riley — Wed, 09 Nov 2005 20:38:37 GMT

SCE won't work in this way without initially having a template that reflects the default ACLs, which you'll first need to remember to create after you initially build a system. And be sure to use the right command switches. SCE /GENERATEROLLBACK -- the switch that seems to be the one to use -- compares the computer's current state with a template you specify and generates a "rollback" template which you can then use to undo the new template. But /GENERATEROLLBACK doesn't support file and registry permissions. Better would be to use SECEDIT /EXPORT /MERGEDPOLICY /CFG <filename>.INF which captures the system's complete current state into a brand new template, including ACLs.

re: When security breaks things

Bryan — Wed, 09 Nov 2005 22:32:09 GMT

When you add SCE to your MMC, also be sure to add the 'Security Templates'. This maps to %windir%\security\templates, where 'setup security.inf' is located. Apply that template, and viola, you are back to the out-of-box settings. This and several other templates come standard with Windows 2000/XP/2003 - no need to generate it. It comes with a long list of file and registry permissions. I can't say for sure how complete that list is ...

I've used this successfully several times in Win2k, XP, and 2003. It works ... or so I thought! Is there something you know that we don't know? ;)

re: When security breaks things

Bryan — Wed, 09 Nov 2005 22:37:32 GMT

Ah. Seems I used the wrong link before; my bad. Here's the proper 'return to security defaults' link:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/dd766d48-ed09-45a3-aa5e-cf0a64a7fb88.mspx

re: When security breaks things

Steve Riley — Wed, 09 Nov 2005 23:16:00 GMT

Ah yes, there is the hammer otherwise known as "setup security.inf." The important bit to remember is to specify the /REGKEYS and /FILESTORE switches so that *only* the permissions are reset, and not reapply all the default settings in the entire template.

re: When security breaks things

fatman — Thu, 10 Nov 2005 18:08:18 GMT

Hello,

It would be nice to know precisely what Microsoft test on in terms of systems. This includes applications installed on those systems as well - oftentimes, the impact of installing a patch to the OS has unforseen consequences on apps which run on that system.

So, what apps do you test OS patches with, please? E.g. Office XP, Office 2003, what 3rd party apps etc.

This info would be really useful for our own testing plans.

re: When security breaks things

Ted — Thu, 10 Nov 2005 21:47:20 GMT

If additional changes takes away urgent need of patching of every "Black Tuesday" why i should not do it? Those changes are done because of *need* of keeping data safe.

Check then patch else warn then exit

infosec amateur — Fri, 11 Nov 2005 07:37:59 GMT

Patch program executes

Examine prevailing permissions in/under %WINDIR% folder and compare with required set

If permissions in/under %WINDIR% folder are suitable apply patch and then exit

else display message to screen referring to permissions issue and stop process

re: When security breaks things

infosec amateur — Fri, 11 Nov 2005 07:39:48 GMT

re: When security breaks things

Brant Gurganus — Fri, 11 Nov 2005 09:43:39 GMT

I came here from Jesper's blog. While it may not be good to mess with the ACLs of operating system files, and it is impossible to test combinations of ACLs thoroughly, it is still not an excuse for addressing the issues when they do arise. Humans are not the only things that change ACLs. Software can do it as well.

re: When security breaks things

Steve Riley — Sat, 12 Nov 2005 03:12:47 GMT

That's a good point, Brant. Simply put, no third-party software should ever change ACLs in %WINDIR%. I'm not sure whether this now part of the logo requirements, so I will check. I do know that logoed software is no longer allowed to store user info in the HKLM registry hive or write to %WINDIR%, would be good to add the no-ACL-change requirement if it isn't already there.

re: When security breaks things

Juhani Kantola — Tue, 03 Jan 2006 12:46:21 GMT

There's one thing you probably didn't test: how the patch (MS05-051) behaves when applying it to a XP installation CD (slipstreaming it). I'm used to building an automatic unattended installation cd with XP SP2 and all possible updates.

It's a great way to install new workstations, I even have Office 2003 and Adobe CS2 installing on one single go.

MS05-051 breaks the installation CD completely, which probably has something to do with the ACL , which might not be "compatible" when applying this hotfix with a "slipstreaming" method.

I'm assuming that slipstreaming hotfixes into installation media should *is* supported, since MS provides instructions on how to do it and every hotfix has switches which make is possible. Am I wrong?

But I can't test! My boss won't let me

Steve Riley on Security — Wed, 04 Oct 2006 02:36:37 GMT

Yesterday I mentioned that there's no substitute for doing your own testing of updates. I mentioned virtualization

When security breaks things

re: When security breaks things

But we *can* rollback to default security

re: When security breaks things

re: When security breaks things

re: When security breaks things

re: When security breaks things

re: When security breaks things

re: When security breaks things

Check then patch else warn then exit

re: When security breaks things

re: When security breaks things

re: When security breaks things

re: When security breaks things

But I can't test! My boss won't let me

But we can rollback to default security