ptafflist mailing list archives

Entertainment and NT security



If you want to be entertained and educated, I suggest reading the
NT security FAQ (in English).

A few gems:

Since most large applications (such as back office and development
components) bring their own versions of "system" DLLs, service packs have
to be applied after each and every "system update", where the term
"system update" is not clearly defined. Any action that replaces any
component updated by a service pack or hotfix has to be followed by
applying latest SP and all hotfixes. Remember that adding hardware often
installs new software, which may have to be updated by SP and/or hotfix.

Another thing on the subject is language or locale. If you are running a
non-US version of NT, you will not be able to apply all of the hotfixes.
Some of them are not language dependent, while others refuse to install
on anything else but a US version. If you have the option to do so, run
the US version of NT at least on your servers. By doing so, you will have
the option of installing a hot fix dealing with a security problem
immediately when it's released and not have to wait for the next SP to
appear. Not to mention that you'd have to wait for the next SP to be
ported to your language, which of course may take a while, the time
depending on what language you are using.

A problem with this is that the initial password (on a WS account) is
poorly chosen (unicode(machine-name)). This means that anybody that can
listen in to the network at the time of a domain join will be able to
calculate the session key used to encrypt the channel, and by this can
get hold of the user credentials of anybody doing a network logon from
that particular machine. The password is changed as soon as the machine
is rebooted after joining the domain and then periodically changed every
7th day, but the new password is communicated through -- guess what --
the now not so secure channel, so as long as the listener keeps his ear
on the wire, he will have the session key. No known solution, but the
algorithm for encrypting the new password is not published (yet).


Stefan "Mitch" Michalowski
a.k.a. DjDelovsky
Email: mitch(à)
PGP Key:

