
On Sat, 20 Jul 2002 17:28:20 PDT, Scott Francis <darkuncle@darkuncle.net> said:
> _Microsoft_ managed to get a security 'Gold Standard' for one of its products? This must be for some non-golden value of gold ...
Microsoft didn't do anything (take that as you may). The CIS and SANS crew did up their W2K benchmark - the news here is that the NSA, GSA, and NIST are all throwing their backing of it as a Good Thing. It's a *long* checklist of everything you need to do to W2K to beat it into submission security-wise. Basically, *after* you do everything on the list, it will require a *skilled* hacker or a script kiddie with an actual 0day exploit to 0wn you.

I didn't get involved in that one, but I've been working on the Unixoid stuff with CIS and SANS. We make no claims that if you do everything on the checklist that you're secure - the claim is that *failure* to do everything is demonstrably *insecure*.

Yes, you read it and every single item will strike you as "any sysadmin who didn't just fall out of a tree knows THAT". The oft-overlooked point is that most sysadmins DID just fall out of trees - often landing on their head in the process. Think of it as recognition that "Your Clue Must Be --->THIS<--- Tall To Ride The Internet".

It's about time...

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech