
RE: [ISSForum] Desktop Protector and Application Protection



Andrew, your article about AC was very interesting.
Now I am trying to customize RS DesktopProtector 7.0; how can I do this?
protect.ini is a binary file in the case of RSDP.

Does anybody know how to implement the features described in the articles below in
the case of RSDP? Does anybody have any experience in customizing RSDP AC?
Any feedback will be welcome.
Thank you all.
---
Best regards, Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)


                                                                                                                    
From:     "Andrew Plato" <aplato@xxxxxxxxxxx>
Sent by:  issforum-admin@xxxxxxx
Date:     09.12.2003 21:16
To:       "Cunningham, Chris, R." <CCunningham@xxxxxxxxxxxxxxxxxxx>, <issforum@xxxxxxx>
cc:
Subject:  RE: [ISSForum] Desktop Protector and Application Protection




I wrote a white paper on Hardening Windows 2k that specifically
addresses the problems with "Application Protection" oriented firewalls
(http://www.anitian.com/corp/papers/Hardening_Win2k.pdf).

Honestly, in the hundreds of RSDP/BlackICE installs I've done over the
years now, I don't think I've ever had a single customer use the
application protection (AP).  AP is a nice idea that is just too
difficult to implement properly in a distributed environment.
Furthermore, how are users to know if "SVCHOST.DLL" is a legit program
or not? I don't even know that and I'm a security guy.

The real problem is how often stuff changes in Windows. If you've ever
run Tripwire on a Windows box, it is appalling how often core operating
system files change.

AP is the "ZoneAlamification of BlackICE." And Zone is a perfectly okay
product for a single home user. But for a distributed corp with a help
desk that must take boneheaded calls from users every hour, AP and
products like Zone are a flippin' nightmare. I've had a dozen or more
customers throw away their Zone installations after quickly realizing
that AP type products are too difficult to use in a Windows environment.


One concept that I have used is to put RSDP into "learning mode". That
is, have it log every time an application changes but not actually block
it. This is an unsupported feature, and not terribly easy to implement,
but I wrote a white paper on that as well.

See http://www.anitian.com/corp/papers/BI%20AC%20tweaking.pdf

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

-----Original Message-----
From: Cunningham, Chris, R. [mailto:CCunningham@xxxxxxxxxxxxxxxxxxx]
Sent: December 09, 2003 5:29 AM
To: issforum@xxxxxxx
Subject: [ISSForum] Desktop Protector and Application Protection


Does anyone have any whitepapers or personal insight into managing
application protection on Desktop Protector?  We are considering the use
of this, but are wary of the time it may take to manage the checksums of
application and OS binaries, especially if the patching schedule
continues at its current pace.

Any help would be appreciated.

Thanks,

Chris





_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo

_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
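
The log-only "learning mode" idea from Andrew Plato's reply, next to blocking enforcement, as a generic checksum-baseline sketch in Python. This is an added example, not RSDP's mechanism and not code from the white papers; the file names, function names and log record format are assumptions, and the sample binaries are constructed.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the known-good checksum of each application binary."""
    return {p: sha256_of(p) for p in paths}

def check_launch(path, baseline, mode, log):
    """Return True if the launch is allowed; mode is 'learn' or 'enforce'."""
    current = sha256_of(path)
    known = baseline.get(path)
    if known == current:
        return True
    status = "UNKNOWN" if known is None else "CHANGED"
    # Learn mode records the event but never blocks; enforce mode blocks.
    allowed = (mode == "learn")
    log.append({"path": path, "status": status, "sha256": current,
                "action": "allowed" if allowed else "blocked"})
    return allowed

def demo():
    """Constructed scenario: one binary is patched after the baseline."""
    with tempfile.TemporaryDirectory() as d:
        app, tool, new = (os.path.join(d, n)
                          for n in ("app.exe", "tool.exe", "new.exe"))
        for p, data in ((app, b"v1"), (tool, b"stable"), (new, b"x")):
            with open(p, "wb") as f:
                f.write(data)
        baseline = build_baseline([app, tool])   # new.exe is never baselined
        with open(app, "wb") as f:               # simulate a vendor patch
            f.write(b"v2")
        learn_log, enforce_log = [], []
        order = (app, tool, new)
        learn = [check_launch(p, baseline, "learn", learn_log) for p in order]
        enforce = [check_launch(p, baseline, "enforce", enforce_log) for p in order]
        return learn, enforce, [e["status"] for e in learn_log]

if __name__ == "__main__":
    print(demo())
```

Reviewing the learn-mode log over a patch cycle shows how many CHANGED events enforcement would have turned into blocked launches.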