http://www.windowsitpro.com/authors/author/author/5297712/rsscomment/5297712en-USSun, 27 May 2012 06:12:26 GMTSun, 27 May 2012 06:12:26 GMThttp://www.windowsitpro.com/article/group-policy/tips-for-tightening-user-account-security#commentsAnchorThu, 14 May 2009 03:55:10 GMT
I personally have worked and tuaght the concept of windows security sspecially on file systems and how SIDs and Security Descriptors are integrated. it is good. the only problem i see is allowing access to the SAM file when the computer is still booting. when an attacker have physical access to the computer with a bootable CD they can easily use softwares like ERD Commander to Enable and then reset the password of the local admin account. and usually its a (man-in-the-middle) attack.]]>AlaaThu, 14 May 2009 03:55:10 GMThttp://www.windowsitpro.com/article/group-policy/tips-for-tightening-user-account-security#commentsAnchorhttp://www.windowsitpro.com/article/group-policy/tips-for-tightening-user-account-security#commentsAnchorFri, 23 Feb 2007 05:06:56 GMT
Have not finished reading the article]]>StephenFri, 23 Feb 2007 05:06:56 GMThttp://www.windowsitpro.com/article/group-policy/tips-for-tightening-user-account-security#commentsAnchorhttp://www.windowsitpro.com/article/dns/segregate-your-dns-servers#commentsAnchorMon, 04 Dec 2006 10:49:20 GMT
What about reverse lookups? I implemented the procedure outlined in the article but am unable to query by ip.]]>KrisMon, 04 Dec 2006 10:49:20 GMThttp://www.windowsitpro.com/article/dns/segregate-your-dns-servers#commentsAnchorhttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorTue, 13 Dec 2005 15:32:42 GMT
It says "See More Comments 1" but no way to get to it??]]>MarkTue, 13 Dec 2005 15:32:42 GMThttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorhttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorSun, 04 Dec 2005 13:40:43 GMT
The link mentioned above is: http://support.microsoft.com/default.aspx?scid=kb;en-us;300489 So in any case, as you can see I upgraded my usefulness rating for this article, partly because my statement [about guest profiles] was equally incorrect (neither yours nor mine were completely qualified), and partly because I did create a shortcut to open IE via runas.exe, much as you suggested. I have a DC/Server running here, so the throw-away profile thing limited its usefulness, but I dumped my usual settings to a .reg file, made them available via http. Loading that into the guest context via the browser improves its usability quite a bit. As for your question, do I feel safe? Well... I run two desktops, one priveleged and one not, thanks to a very cool program called NetExec (http://netexec.de/), Symantec Corp AV and MS Anti-spyware are protecting all machines. I also run a home-grown solution that blocks a configurable set of domains, via BIND, that lets us avoid a bunch of the disreputable and semi-reputable operators... I’ve got splashes of IPSEC here and there; access to our intranet is authenticated using certs. And a Cisco PIX firewall at the head-end of it all... With all the crud on the Internet these days, does anyone [that knows anything about it] feel truly safe? I like to think I’m quite a bit more safe than most home offices. I’m also fairly cautious, and very aware of my systems’ behaviors... I think I go to sufficient lengths to protect my tiny slice of the Net -- I feel safe enough... but the security job is never done. Haven’t had a virus since I brought NIMDA back from a co-location facility, so I think my track record speaks pretty well for my efforts. Apologies, Mark, if I offended you... hopefully we all learned something from this exchange. :-) -MM]]>MarkSun, 04 Dec 2005 13:40:43 GMThttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorhttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorSat, 03 Dec 2005 10:12:40 GMT
Perhaps the mistake we’ve all made is to refer to the ’guest account’ as if it’s a uniformly implemented construct -- apparently it’s anything but... To treat it as such is disingenuous at best. Much of what I do involves businesses and [NT] domains, so I tend to view things in that light. I just tested the Guest account across a range of scenarios on a set of virtuals. As it turns out, guest account profiles are removed upon logoff *only* if the machine is a member of a domain (but regardless of whether logged in to the domain or the local system.) XP Home in all cases does indeed retain its guest user profile across sessions (can’t join XP Home to a domain) and XP Pro behaves likewies if not joined to a domain. One thing kind of ugly is that it will even delete a previously created profile, right after the first login session. It does not suffix the profile of a guest account with the domain name, so if you had been using a guest account, and then joined a domain, you would loose that profile at the end of the first session. Amusingly, while testing XP Home I turned off the "welcome screen login" feature, and in so doing, I locked myself out of that virtual. it implicitly activated a minimum password length policy; the admin acct had a short password. :-) If it had a real machine, it would’ve been highly irritating -- I really don’t see the value of enforcing password rules when tendering credentials, especially with no provision to check/handle existing accounts that don’t comply when a rule is activated... but I digress. Also amusing [to me anyway] is a statement made by the MSDN aritcle (link below) to the effect that the guest account password cannot be changed. It’s true that XP Home offers no UI to change it, but it is surely possible, using NET.EXE. (In XP Pro, it’s flagged pwd never expires and user cannot change, but the settings can be changed just like any other account.) [more]]]>MarkSat, 03 Dec 2005 10:12:40 GMThttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorhttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorFri, 02 Dec 2005 17:13:20 GMT
I originally made a better distinction between the two but in the writing, rewriting, and editing process that did get a blurred. Unfortunately that does happen. I actually have several guest accounts, I use for different purposes, including the built-in guest account. I do appreciate feedback, even negative feedback, and I encourage you to poke holes in my ideas. Nevertheless, you shouldn’t be so hasty to call it a dumb article or assume that these techniques are invalid. I have tested them and they work quite well for me. In doing so, I am not vulnerable to most IE bugs because code running as a guest simply cannot do much. Even better, I feel much safer when I am forced to use a web browser on a sensitive server or when I must go to a web site I don’t quite trust. Do you feel safe? Mark Burnett]]>MarkFri, 02 Dec 2005 17:13:20 GMThttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorhttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorFri, 02 Dec 2005 17:13:12 GMT
I expect people to disagree with my sometimes unorthodox advice, but I am surprised with these particular comments. I am not suggesting everyone implement this, normally I do suggest disabling guest accounts. This advice won’t work for every situation, and it’s not the best for everyone; I simply present it as a new idea. It certainly will break a lot of things because many programs simply were never tested running as a guest. And yes, it might force you to change a few policies to get it to work correctly in your environment. Nevertheless, this article is not a suggestion I made carelessly or without any research. It is not full of holes and misinformation. It is a technique I have used successfully myself. It goes against Microsoft’s security advice and goes against what many others might say, but that certainly does not mean it is wrong! Is that now somehow a gauge of accuracy? Besides, this is not the first time I have gone against someone else’s security advice. This article is not a slip and is by no means unsubstantiated. And I still stand behind the advice. You must realize that using a guest account in itself is not bad. It is enabling it and forgetting it is there and letting hackers use it that is bad. And remember that much of the security advice we have for Windows nowadays was developed for Windows NT, not Windows 2003. Guest accounts in Windows NT had access to many things, this is not true in Windows 2003. In Windows NT the guest account was included in the Everyone group. Not anymore. Enabling a guest account--and I never said to use a weak password--by no means invites a break in. As for losing profiles, I find this quite useful for some purposes. But you are actually incorrect that all guests lose their profiles upon logout. That only applies to the built-in Guest account. I still have--and use--the profile for the guest account for IE I set up when writing this article. I originally made a better distinction between the two but in the wr]]>MarkFri, 02 Dec 2005 17:13:12 GMThttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorhttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorWed, 30 Nov 2005 10:48:14 GMT
Let’s not forget that Microsoft’s best practices advise disabling the account. Many trusted security policy sites also recommend denying privileges to the Guests group and Guest account. While I think the intent with the article was good, the approach is completely wrong and against accepted security practices.]]>RichardWed, 30 Nov 2005 10:48:14 GMThttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorhttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorTue, 29 Nov 2005 10:28:10 GMT
I concur with Mr. McGinty’s comments. I lot of misinformation and holes in this document. I would pull the article if I were the editor. It’s unfortunate that an otherwise excellent author, Mark Burnett would let something like this slip out, unsubstantiated. Must have been the tryptophan in the turkey. - Eric Stockwell]]>ERICTue, 29 Nov 2005 10:28:10 GMThttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorhttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorWed, 23 Nov 2005 13:43:23 GMT
This is a really dumb article. For one thing, enabling the Guest account with a weak password invites a breakin, and its needless. A better plan would be to create a new user, add it to the Guests group, and remove it from the Users group. An identical security context is thus created without exposing a well-known built-in account. More importantly, much of the premise of this article is based on fiction. When a guest account logs out, everything in it’s profile goes away, including all of HKEY_CURRENT_USER, and everything in the profile directory. You can login as a guest as many times as you want, and change every setting under the sun, but as soon as you log out, it’s all gone. Since the whole profile is vaporized on logout, suggesting that a guest account would be suitable for email or IM is just plain stupid. Guest accounts retain no settings, they are allowed zero storage that persists beyond the session. It has been that way since at least Windows 2000. And another thing, on my system the user Deny Logon Locally is set for Guest (but not Guests,) so to make your suggestion even minimally work, I’d have to edit local policy. I wish the "rate this article" less useful scale went into negative numbers, this little farce doesn’t deserve a 1, but that was the lowest available choice. Question: don’t your writers check these things out before writing a bunch of hooey, and subsequently looking stupid? Might want to give it some thought. There’s already a large volume of misinformation out there; why you choose to carelessly add to that I can’t even imagine. -Mark McGinty]]>MarkWed, 23 Nov 2005 13:43:23 GMThttp://www.windowsitpro.com/article/permissions/use-guest-accounts-to-fight-malware#commentsAnchorhttp://www.windowsitpro.com/article/file-systems/the-power-of-security-templates#commentsAnchorTue, 03 May 2005 14:51:42 GMT
Fantastic]]>Anonymous User Tue, 03 May 2005 14:51:42 GMThttp://www.windowsitpro.com/article/file-systems/the-power-of-security-templates#commentsAnchorhttp://www.windowsitpro.com/article/security/setting-up-network-access-quarantine-control#commentsAnchorFri, 21 Jan 2005 11:41:28 GMT
The idea here is great, but not a single businesses I know of or have worked for use RRAS for remote access. Most use hardware Firewalls with VPN capabilities or dedicated hardware VPN devices. That makes the whole thing pretty much impractical. It would be great if Microsoft could develop this to work with such devices. Sounds like we’ll have to wait for Longhorn for that though.]]>CHADFri, 21 Jan 2005 11:41:28 GMThttp://www.windowsitpro.com/article/security/setting-up-network-access-quarantine-control#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorWed, 15 Dec 2004 07:18:16 GMT
I work with patchlink, is a great tool. if you need to use in several computers the solution is change de computer name, and re install agent it... ]]>Anonymous User Wed, 15 Dec 2004 07:18:16 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/file-systems/10-steps-to-secure-frontpage-server-extensions#commentsAnchorFri, 19 Nov 2004 15:40:41 GMT
Item 7 in list is truncated]]>Anonymous User Fri, 19 Nov 2004 15:40:41 GMThttp://www.windowsitpro.com/article/file-systems/10-steps-to-secure-frontpage-server-extensions#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorThu, 28 Oct 2004 11:13:58 GMT
This blows]]>Anonymous User Thu, 28 Oct 2004 11:13:58 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/file-systems/the-power-of-security-templates#commentsAnchorFri, 11 Jun 2004 08:43:45 GMT
Very informative article.]]>Said Faiq Fri, 11 Jun 2004 08:43:45 GMThttp://www.windowsitpro.com/article/file-systems/the-power-of-security-templates#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorWed, 26 May 2004 17:36:19 GMT
1) SUS Blows!! All it does it give you your very own copy of http://v4.windowsupdate.microsoft.com/en/default.asp. If you’re looking for something more than "Critical Updates" and "Recommended Updates" look somewhere else. 2) Most products either have a prohibitive price tag or a prohibitive feature set. If someone wanted to cash in, they’d have a product with a good feature set, some purchasable add ons (like a good help desk system) and sell it for cheap.]]>Jimi Thompson Wed, 26 May 2004 17:36:19 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorTue, 11 May 2004 00:07:31 GMT
Just a quick response to Brandon Pack’s comment....you can use Patchlink with Ghost....there are instructions on the Patchlink site.]]>Joe Crowe Tue, 11 May 2004 00:07:31 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorMon, 03 May 2004 11:10:07 GMT
the computer business is finished and is for losers nowadays...i’m going to law school]]>anonynous Mon, 03 May 2004 11:10:07 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorFri, 16 Apr 2004 03:03:27 GMT
I missed the editor’s choice. Assume you had to pick one product after your comparison, which product would it be? Come on – don’t be so shy! Thanks for putting this article and details together. Overall this is a very helpful document.]]>Michael K Fri, 16 Apr 2004 03:03:27 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorThu, 08 Apr 2004 12:54:46 GMT
I wanted to post a message about PatchLink I didn’t see in the article. It is a great solution, but you cannot use their agent system on multiple computers when those computers were imaged using Norton Ghost, PowerQuest DeployCenter, etc. All computers will hash to the same unique identifier in their system.]]>Brandon Pack Thu, 08 Apr 2004 12:54:46 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorTue, 23 Mar 2004 10:51:25 GMT
I use Service Pack Manager 2000 (Gravity Storm Software) works well. Very fast scanning, no agents to install.]]>LeonardTue, 23 Mar 2004 10:51:25 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/security/scripting-ipsec-policies#commentsAnchorWed, 03 Mar 2004 13:50:02 GMT
Seems that Web Listing 2 contains an typo: The last line netsh ipsec static add rule name="Incoming WWW Traffic" policy="Web Server Policy" filterlist="Incoming HTTP Filters" kerberos=no filteraction=Permit should probably read at the end: filterlist = "HTTP Protocol" referencing the named filterlist in the first line.]]>Samuel Wüthrich Wed, 03 Mar 2004 13:50:02 GMThttp://www.windowsitpro.com/article/security/scripting-ipsec-policies#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorMon, 09 Feb 2004 22:33:15 GMT
I may have missed this feature in the products, but I see a need for a "exclusion list" of servers requiring specific sign off before patching. Many of the servers that I have to patch are FDA Validated machines requiring testing on QA machines before ANY patching. The Validated servers require very specific Change Management protocols before changing anything on the production systems. I see this as an important feature for any organization that supports FDA Validated systems.]]>RONALD LEEMon, 09 Feb 2004 22:33:15 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorMon, 09 Feb 2004 07:59:43 GMT
I’ve been running HFNetChk Pro for quite a while now, and while it works OK, I still get frustrated with Office patches, especially Office 2K. We have some mixed version clients due to custom Access DBs, and it’s virtually impossible to update both versions of office at the same time. From what I see in forums for other products, this is not limited to HFNetChk, but is common on all patch management systems. The requirement for source files from install media is frustrating. Hopefully MS can address this soon... Nice article, though. I plan on evaluating Patchlink since I need an app that’s more scalable. I’d also like to work with a console that’s multi-threaded, too...]]>Charlie Kaiser Mon, 09 Feb 2004 07:59:43 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorFri, 19 Dec 2003 00:49:02 GMT
Good job. I have just started patch management in our company and it is a big task, with articals like above everything becomes more clear everyday. Thank You for thinking of us.]]>Madeleine Fri, 19 Dec 2003 00:49:02 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorWed, 17 Dec 2003 08:16:24 GMT
Excellent work. This market needed some more definition. The thoroughness of the feature sets and non-biased presentation is a credit to your publication. Thank you for setting a new standard.]]>T Wadsworth Wed, 17 Dec 2003 08:16:24 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorSat, 13 Dec 2003 04:43:51 GMT
This is an excellent article. I was browsing the net to search for a Microsoft Patch Management Products and accidentally hit this page. I got the information I was looking for except that the article does not have anything about the Microsoft Software Update Services. Good Article indeed... Thanks Author. Regards, ]]>C Mugilan Sat, 13 Dec 2003 04:43:51 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorFri, 12 Dec 2003 13:02:10 GMT
We have been evaluating a product called Novadigm Patch Manager. Is there a reason why some of the more main stream products were not included in your evaluation? Thank you for your time.]]>Monique Ludwig Fri, 12 Dec 2003 13:02:10 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorThu, 11 Dec 2003 22:29:42 GMT
Is there any reason why Microsofts SUS, SMS, and BSA weren’t included in the review?]]>SteveThu, 11 Dec 2003 22:29:42 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorWed, 03 Dec 2003 12:24:38 GMT
A vague narrative of truisms and "what esle is new" commments about patching, mixed with some useful details. A comparison table of specific features for each package would be much better.]]>Milton F. Lopez Wed, 03 Dec 2003 12:24:38 GMThttp://www.windowsitpro.com/article/administration-tools2/enterprise-patch-management-for-windows#commentsAnchorhttp://www.windowsitpro.com/article/file-systems/the-power-of-security-templates#commentsAnchorThu, 21 Aug 2003 11:52:29 GMT
Great article. I have been looking for a good translation of the security template field. Thanks.]]>Linda Card Thu, 21 Aug 2003 11:52:29 GMThttp://www.windowsitpro.com/article/file-systems/the-power-of-security-templates#commentsAnchorhttp://www.windowsitpro.com/article/permissions/ntfs-permissions-for-iis-web-servers#commentsAnchorMon, 21 Apr 2003 18:43:57 GMT
HI, This tutorial is good. I download the code and test in my win 2000 server. My question is that whether I can assign NTFS permission to users in member server, not the user from domain. Thanks ]]>Ganyu Qu Mon, 21 Apr 2003 18:43:57 GMThttp://www.windowsitpro.com/article/permissions/ntfs-permissions-for-iis-web-servers#commentsAnchor