Myth 1: Security Guides Make Your System Secure
Hang on, why is this a myth? Isn't the basic purpose of a security guide to make you secure? Yes, that is the general idea. But the term "secure" connotes an end state, and we will never actually get there. Security is a process, to be evaluated constantly; nothing will put you into a "state of security." Unfortunately, many people (surely none of you readers, though) seem to believe that if they just apply some hardening guide their system will now be secure. This is a fallacy for several reasons.
First, consider any of the recent worms: Sasser, Slammer, Blaster, Nimda, Code Red, ILOVEYOU, and friends, ad infinitum, ad nauseam. Not a single one of them would have been stopped by the settings a security guide changes. Most of these worms exploited unpatched vulnerabilities on unpatched systems; ILOVEYOU simply relied on users opening an e-mail attachment, which no template setting prevents either. While most of the guides tell you that the patches need to be applied, we have seen many systems that had a guide applied and whose owners therefore believed the patches were less important. If you are unsure of which patches to install, the proper answer is "all of them." Ideally, however, you should have a real patch management process rather than an ad hoc answer. Very few settings can prevent your network from being attacked through unpatched vulnerabilities.
Second, consider how the network in the chapter "The Rise and Fall of Your Network" was attacked. Would a guide have stopped that attack? No. A few things the attacker did would have been more difficult, but none of them would have been prevented. For instance, a security guide might have disabled anonymous enumeration, so we would have had to use a domain account instead (which we already had). A guide might also have turned off storage of LM hashes, which would have made cracking passwords much harder. However, cracking passwords is, strictly speaking, unnecessary. That's it! Those are the only steps the guides would have affected. None of the other methods of attack would have been stopped by what security guides typically change.
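The two settings just mentioned (LM hash storage and anonymous enumeration) are exactly the kind of thing a guide flips, and the patch state is exactly what it does not touch. The following PowerShell snippet is an added example, not code from the book or its authors: it reads the two documented LSA registry values and lists the installed hotfixes side by side, so that "the template is applied" is never mistaken for "the box is patched". The 90-day staleness threshold is an assumption; choose one that matches your own patch cycle. It needs Get-HotFix (Windows 7/2008 R2 or later) and reads HKLM, so run it elevated.

```powershell
# Added example: report guide-style hardening settings next to the patch
# inventory on the local machine. Registry values are the documented LSA
# settings; the age threshold below is an assumption, not a standard.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey

# Missing value means the default, which is "not hardened" for both settings.
$noLmHash     = if ($null -ne $lsa.NoLMHash)          { $lsa.NoLMHash }          else { 0 }
$restrictAnon = if ($null -ne $lsa.RestrictAnonymous) { $lsa.RestrictAnonymous } else { 0 }

"Guide-type settings (what a template changes):"
"  NoLMHash          = {0}  (1 = LM hash not stored)"            -f $noLmHash
"  RestrictAnonymous = {0}  (0 = anonymous enumeration allowed)" -f $restrictAnon

# Patch state is independent of the settings above. Get-HotFix wraps
# Win32_QuickFixEngineering; InstalledOn can be empty for some entries, so
# drop those before sorting by date.
$hotfixes = @(Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn)

"Patch state (what a template does not change):"
if ($hotfixes.Count -eq 0) {
    Write-Warning 'No dated hotfixes reported. Check Windows Update/WSUS before trusting any hardening result.'
} else {
    $latest  = $hotfixes[-1]
    $ageDays = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    "  {0} updates installed; most recent {1} on {2:yyyy-MM-dd} ({3} days ago)" -f `
        $hotfixes.Count, $latest.HotFixID, $latest.InstalledOn, $ageDays

    # Assumed threshold: anything older than 90 days is treated as stale.
    if ($ageDays -gt 90) {
        Write-Warning 'Hardening settings may be in place, but patching looks stale; those settings would not have stopped Blaster, Sasser or their kin.'
    }
}
```

Both halves of the report matter: a machine with NoLMHash=1 and RestrictAnonymous=1 but no updates in six months is still wide open to the worm class discussed above, while a fully patched machine with both values at 0 would have shrugged those worms off.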
This is largely because security guides are simplistic by design, whereas sophisticated attacks are complex. Security guides provide a great starting point, but to really improve your security you need to do a lot more. Generally, you need complex measures to stop complex attacks, and complex measures do not package well as a security template.
A security guide does not make your system secure. At best, it adds a bit of security on top of the other things you have already done, or will do, to the system. At worst, it compromises your security: a guide may very well compromise the availability leg of the Confidentiality-Integrity-Availability triad by destabilizing the system.
In this tutorial:
- Protecting Hosts
  - Security Configuration Myths
    - Myth 1: Security Guides Make Your System Secure
    - Myth 2: If We Hide It, They Will Not Find It
    - Myth 3: The More Tweaks, the Better
    - Myth 4: Tweaks Are Necessary
    - Myth 5: All Environments Should At Least Use <Insert Favorite Guide Here>
    - Myth 6: "High Security" Is an End Goal for All Environments
    - Myth 7: Start Securing Your Environment by Applying a Security Guide
    - Myth 8: Security Tweaks Can Fix Physical Security Problems
    - Myth 9: Security Tweaks Will Stop Worms/Viruses
    - Myth 10: An Expert Recommended This Tweak as Defense in Depth
  - Server Security Tweaks
    - Software Restriction Policies
    - Do Not Store LAN Manager Hash Value
    - Anonymous Restrictions
    - Security Identifiers (SIDs)
    - Password Policies
    - SMB Message Signing
    - Networking LAN Manager Authentication Level
    - TCP Hardening
    - Restricted Groups
    - Audit Settings
  - Client Security Tweaks
    - Firewalls
    - IPsec Filters
    - SafeDllSearchMode
    - Local Administrator Account Control
    - Limit Local Account Use of Blank Passwords to Console Logon Only
    - Logon Events
    - Allowed to Format and Eject Removable Media
  - The Caution List: Changes You Should Not Make
    - Crash on Audit Failure
    - Clear Virtual Memory Page File
  - Security Configuration Tools