After acquiring a technology product, we've all had to find and then implement the guidance in the product's hardening guide (or a third party's guide in some cases). You know, to change the unsafe defaults to safer ones.

What's your favorite example of a hardening guide (for an SMB or enterprise product) that clearly shows how dangerous the product was as it left the factory?

Links to the guide and some commentary would be most welcome! (Or you can DM me, if I can figure out how those work here)

Please boost for reach. 🔁🙏

@boblord I mean, my fave? The NT 3.5.1 C2 CC cert that excluded floppy drives.
@adamshostack Any hardening guide might provide some good examples but I’m hoping for a little more granular detail.
My fav is advice to change settings so users can’t add rando extensions that access email, shared drives, etc.

@boblord ahhh, a specific setting. Ummmm, autorun? 😇 Products that don't ship with auto-update on? Mastodon where users don't get prompted for 2fa? (https://shostack.org/blog/human-centered-podcast/)

... no wait. I've got it.


@boblord Are you ready for the ultimate example in the universe?

@boblord The Death Star. Freaking moon-size battle station and the manufacturer's notes said "Some users may choose to deploy grates in ventilation shafts," and "Default trench configuration may aid small enemy fighters in navigating to vulnerable points."

As General Dodonna tells us, the Empire doesn't consider a small, one-man fighter to be any threat.

😂

@adamshostack @boblord my favorite guide is the one I wrote with Fleet, because we specify why we do X. Would be better if Workspace had easy APIs to make this terraformable but still.

https://fleetdm.com/handbook/security#google-workspace-security


@boblord @adamshostack The original NT 4 guide turned off the network stack. That was cool, but my favorite was one of the drafts DISA came up with when we were working on Win2K guides. It disabled a kernel component and would actually blue screen the box on boot. We managed to get it to not publish that way, but it was actually close.