After acquiring a technology product, we've all had to find, and then implement the guidance in the product's hardening guide (or a third party's guide in some cases). You know, to change the unsafe defaults to safer ones.

What's your favorite example of a hardening guide (for an SMB or enterprise product) that clearly shows how dangerous the product was as it left the factory?

Links to the guide and some commentary would be most welcome! (Or you can DM me, if I can figure out how those work here)

Please boost for reach. 🔐​🙏​

@boblord Google Advanced Protection is the best one I know. It is such a giant pain. I even keep a separate insecure account so I can print stuff at Kinkos.

@sayrer That’s an example of security defaults that sometimes break things. I don’t think I’ll find too many examples of that. 😆

@boblord It's a net win, covered well in Reply All #130 (you won't learn anything, but it's a good user story). I will never go back.

@boblord An attempt from the community a while ago was bettercrypto.org, to make secure configurations for common tools more easily discoverable to sysadmins.

@boblord I mean, my fave? The NT 3.5.1 C2 CC cert that excluded floppy drives.

@adamshostack Any hardening guide might provide some good examples, but I’m hoping for a little more granular detail.
My fav is advice to change settings so users can’t add rando extensions that access email, shared drives, etc.

@boblord ahhh, a specific setting. Ummmm, autorun? 😇​ Products that don't ship with auto-update on? Mastodon where users don't get prompted for 2fa? (https://shostack.org/blog/human-centered-podcast/)

... no wait. I've got it.


@boblord Are you ready for the ultimate example in the universe?

@boblord @boblord The Death Star. Freaking moon-size battle station and the manufacturer's notes said "Some users may choose to deploy grates in ventilation shafts," and "Default trench configuration may aid small enemy fighters in navigating to vulnerable points."

As General Dodonna tells us, the Empire doesn't consider a small, one-man fighter to be any threat.

😂

@adamshostack @boblord my favorite guide is the one I wrote with Fleet, because we specify why we do X. Would be better if Workspace had easy APIs to make this terraformable but still.

https://fleetdm.com/handbook/security#google-workspace-security


@boblord @adamshostack The original NT 4 guide turned off the network stack. That was cool, but my favorite was one of the drafts DISA came up with when we were working on Win2K guides. It disabled a kernel component and would actually blue screen the box on boot. We managed to get it to not publish that way, but it was actually close.

@adamshostack 😆 I was hoping for modern examples, but that’s fun also.
Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy

@boblord @tychotithonus Jenkins, no doubt. I don’t think it defaults to many useful security settings besides hiding the checkbox to disable it.

@boblord Actually, the Linux Samba server, ca. 1998, comes to mind.

@boblord Azure AD before they started forcing security defaults on new tenants… not an MFA in sight… perhaps not specific to a hardening guide, but at Microsoft’s self-admitted low rate of customer MFA adoption.
@boblord I think if a hardening guide actually exists, it's in the better class of products. I feel like most guides from vendors are the opposite: "support requirements" that usually involve disabling antivirus and so on.

@boblord Not a guide per se, but pretty much every wifi router I've ever owned came with "admin" user and "admin" password, and advice that the creds should be changed.

@boblord Perhaps not exactly what you're looking for but a hilarious piece of history related to being shipped vulnerable...
You will recall that Windows itself was shipped without any sort of firewall all the way up to XP SP2. Well, the devs at MS heard our cries that millions of PCs were now directly connected to DOCSIS modems, WAN IPs assigned by DHCP to OS TCP stacks and nary a port blocked. You could literally Network Neighborhood browse your public IP subnet. Many lulz were had by young InfoSec enthusiasts.
Anyway MS finally adds ICF, you know, for security. It was so secure in fact that preconfigured as it was deployed in the service pack, it blocked DHCP requests.
To my comrades who were with me in the phone trenches at cable ISPs, I hope you're doing ok. That was a tough few weeks. Our call volume went up 1000%, all DHCP server errors.
Configuring the firewall was outside our scope of support.
The fix to restore connectivity was to disable the firewall.

@boblord I would say from personal experience, how easy it was/is to misconfigure EMRs and leak personal data.

Convenience so often trumps security.