>>>>> On Tue, 4 Feb 2003 12:08:48 -0800, Brian Hatch <bugtraq@ifokr.org> said: > I fail to see how adding security that doesn't have a performance > or stability cost is ever a bad thing. Agreed. I'm not sure, however, that David's idea doesn't have an affect on stability. Not the stability of a single server but on an environment consisting of many servers. I'm not Windows wizard, but I'll accept from everything I've already read in this thread that rebasing on a single system will not have a negative impact on it. However I question how will it scale to several tens of servers, which is my problem? Is there an easy way to automate it such that it is done after patch application? Considering how difficult and/or expensive, take your pick, it is to apply patches in an automated fashion on Windows systems I suspect not. Moreover, I gather that for the solution to be effective, each system should be rebased differently requiring even more planning to get it right even if automation were easy. This should not be taken as an indictment of the idea, just asking that when implementing security solutions on individual machines, the keepers of security should consider the issues of scale that we sysadmins have to deal with. Thanks, -- Dave Goldberg Associate Department Head, G06A: Advanced Technical Computing Center The Mitre Corporation \ MS K331 \ 202 Burlington Rd. \ Bedford, MA 01730 dsg@mitre.org \ 781-271-3887