Services?

  • Question

  • Why isn't the System Services group present in the 2003 Server baselines? I can't imagine that there is less need for controlling services in this OS than in e.g. 2008, rather the contrary.

     

    Regards

     

    Bosse

    Monday, February 14, 2011 5:15 PM

Answers

  • Bosse,

    We ran out of time and resources. We have much of the data in our internal database for SCM but we have not had enough time to fully incorporate system services in all of the baselines. We have to make trade-offs, so we have services for the more recent server products (Windows Server 2008, Windows Server 2008 R2, Exchange 2007, and SQL 2008 R2) but not the older ones.

    thanks,

    Kurt


    Kurt Dillard http://www.kurtdillard.com
    • Proposed as answer by Kurt Dillard Wednesday, February 16, 2011 10:25 PM
    • Unproposed as answer by BosseS Friday, February 18, 2011 8:46 AM
    • Marked as answer by Jeff Sigman MSFT Friday, March 11, 2011 4:39 PM
    Wednesday, February 16, 2011 10:25 PM

All replies

  • I see.

    I do think though that it is compromising that baselines are offered as highly secure (SSLF) and in line with NIST standards when large parts are not covered at all.

    A larger practical problem is that SCM does not permit me to add service restrictions to my customized baseline if they are not already there in the source baseline.

    Is this something that will be addressed and are there any plans for provision of authentic baselines for W2003?

    Do the XP baselines also suffer from incompleteness? Are there other things besides the 2003 services that are missing?

    Regards

    Bosse

     

    Thursday, February 17, 2011 10:40 AM
  • I don't want to come across as a bit of a prick here, but as a customer I'd prefer they spent time adding features and supporting newer/emerging products, and not bothering with products that are now approaching end of life.

    Thursday, February 17, 2011 11:10 PM
  • Kurt,

    The supplier is of course free to assess the market and select their customers. In my view I think it is a mistake to neglect the huge base of legacy systems in process control equipment, especially in infrastructure and energy transmission which I represent. This is an area which is firmly addressed by security demands and compliancy regulation.

    If Microsoft has decided not to bother about these products they should not provide security tools and baselines that are declared to accomplish things that they do not do.

    As we have selected SCM for baseline editing, versioning and storing I would be very happy to get my questions answered. Not least to be able to decide if the selection was wrong.

    Regards

    Bo Stråhle

    ABB Sweden

     

    Friday, February 18, 2011 8:25 AM
  • Bo, You're implying that I said something which I never said. I did not say or imply that "Microsoft has decided not to bother about these products." I think our ongoing investments into SCM for baselines that cover Windows XP and Windows Server 2003 demonstrate the opposite. I tried to explain the cost-benefit analysis, i.e., the tradeoffs that the team has to make when we have limited resources.

    We can't do everything that you and our other customers want us to do, so initially we tackle the things we believe will provide our customers with the most value. During subsequent projects we try to address issues that we skipped previously. Do I understand you correctly when I interpret what you mean is that "Microsoft shouldn't bother publishing SCM much less baselines for Windows Server 2003 because it doesn't include all of the system services for Windows Server 2003?" If that's what you mean then I disagree with you. The baselines offer tremendous value without the system services. Clearly you've spent a lot of time using SCM and reading the security guides; perhaps you overlooked the section called "Hardening with the Security Configuration Wizard" in the server security guides. We recommend that you use SCW to configure the system services appropriate for each server role. I don't know whether or not we'll add the system services to the Windows Server 2003 baselines in the next update; the program managers for the project haven't made that decision yet.

    We appreciate feedback from you and our other customers; I am trying to answer your questions in a straightforward manner.


    Kurt Dillard http://www.kurtdillard.com

    • Edited by Kurt Dillard Friday, February 18, 2011 5:13 PM Formatting fix
    Friday, February 18, 2011 5:03 PM
  • You said (quote):
    “as a customer I'd prefer they spent time adding features and supporting newer/emerging products, and not bothering with products that are now approaching end of life.”

    I said (quote):
    "If Microsoft has decided not to bother about these products they should not provide security tools and baselines that are declared to accomplish things that they do not do."

    I can’t really see how you can misinterpret this but I will make a last try to make myself clear:
    I think that Microsoft shall not release baselines (or any other software) with specifications that are not fulfilled.

    I am sorry to say that I am disappointed at this fuss but I honor your ambition to answer my questions in a straightforward manner.

    Bosse

    Monday, February 21, 2011 9:52 AM
  • Kurt,

    As I saw that Jeff made your initial answer into an answer I also saw that I made a regretful mistake in believing that SJB99's statement was yours.

    My sincere apologies for this.

    Kind regards

    Bosse

    Monday, March 14, 2011 9:27 AM
  • Bo;

    No problem! Thanks for all of your feedback, it's been very valuable to Jeff and his team of developers.

    Kurt


    Kurt Dillard http://www.kurtdillard.com
    Monday, March 14, 2011 2:41 PM