From: MooseFET on
On Apr 10, 1:31 pm, David Brown
<david.br...(a)hesbynett.removethisbit.no> wrote:
[....]
I'm going to add a few comments.

> Second, make sure that the server has the minimal amount of data, no
> clear-text passwords, no financial or other compromising data, and
> minimal access to other systems on your network.  This limits your risks
> if you /do/ get broken into.

Also if you have other Windows machines on the network, place another
firewall in the system so that they can't be the source of the attack.
A user can have a virus which does anything. If the user can post
your valuable information, so can a virus.


> Third, make sure you have strong passwords, disable root logins (thus an
> attacker needs to guess user names as well as passwords), and move
> remote access (such as ssh) to a non-standard port.

Make your email names different from the login names so that
someone who has received an email won't know the login name for that
person.

[....]

> Fifth, don't run any unnecessary software on the server.  A web server
> has no need for a windowing system or application software.

I would have put the fifth earlier because it is so important.


> In your case, you are not going to get DOS'ed - you are not big enough
> to be of the slightest interest to attackers.  You are not going to be
> attacked by anyone serious - you have nothing worth stealing.  (I say
> this with complete confidence - if you /were/ big enough to be a target,
> you would have hired professionals to do the job.)

You can get attacked just by someone trying ideas out or teenagers.
Teenagers may not know a lot but they often have lots of time to try
out different ideas.

From: David Brown on
MooseFET wrote:
> On Apr 10, 1:31 pm, David Brown
> <david.br...(a)hesbynett.removethisbit.no> wrote:
> [....]
> I'm going to add a few comments.
>
>> Second, make sure that the server has the minimal amount of data, no
>> clear-text passwords, no financial or other compromising data, and
>> minimal access to other systems on your network. This limits your risks
>> if you /do/ get broken into.
>
> Also if you have other Windows machines on the network, place another
> firewall in the system so that they can't be the source of the attack.
> A user can have a virus which does anything. If the user can post
> your valuable information, so can a virus.
>

True enough - and you should therefore never let outside windows
machines onto your network. The only time our company ever suffered
from a worm was when someone had taken a laptop from home and attached
it to our network (breaking my rules to do so). The irony is that they
wanted to use our fast internet connection to download an update to
protect against said worm.

I find that having the firewall block all outgoing smtp traffic (except
from your internal mail server to your ISP's relay), with an alert
system for attempted smtp connections, is a quick way to find most
malware and to limit its damage.

>
>> Third, make sure you have strong passwords, disable root logins (thus an
>> attacker needs to guess user names as well as passwords), and move
>> remote access (such as ssh) to a non-standard port.
>
> Make your email names different from the login names so that
> someone who has received an email won't know the login name for that
> person.
>

That can be a good idea when you need higher security. But the majority
of attackers don't know anything about you except your ip address - they
will try common names such as "root" and "Administrator". It's a
different matter with directed attacks, in which case the attacker will
likely research some email addresses as likely login names.

> [....]
>
>> Fifth, don't run any unnecessary software on the server. A web server
>> has no need for a windowing system or application software.
>
> I would have put the fifth earlier because it is so important.
>

It is indeed important, but I didn't want to try to give an ordering.
This is only a few general points - the priority will depend on the
circumstances.

>
>> In your case, you are not going to get DOS'ed - you are not big enough
>> to be of the slightest interest to attackers. You are not going to be
>> attacked by anyone serious - you have nothing worth stealing. (I say
>> this with complete confidence - if you /were/ big enough to be a target,
>> you would have hired professionals to do the job.)
>
> You can get attacked just by someone trying ideas out or teenagers.
> Teenagers may not know a lot but they often have lots of time to try
> out different ideas.
>

I always consider teenagers to be the most dangerous of users!
From: MooseFET on
On Apr 11, 11:35 am, David Brown
<david.br...(a)hesbynett.removethisbit.no> wrote:
> MooseFET wrote:
> > On Apr 10, 1:31 pm, David Brown
> > <david.br...(a)hesbynett.removethisbit.no> wrote:
[....]
>
> True enough - and you should therefore never let outside windows
> machines onto your network.  The only time our company ever suffered
> from a worm was when someone had taken a laptop from home and attached
> it to our network (breaking my rules to do so).  The irony is that they
> wanted to use our fast internet connection to download an update to
> protect against said worm.

The last time I tried, Microsoft would not let you download the update
with
a virus free machine and then copy the file onto the down rev version
of
Windoz. You have no choice put to connect the down-rev machine to
the
outside world and let all the squirmy things get in while it tries to
get
updated to keep them out.

I may hold the record for the fastest infection of an XP machine. It
was
a new Dell. I connected it to the network and it was a goner before I
finished getting it registered. For a short while I had two PCs in
my
office somewhere I have the picture of the Dell in a garbage can in
front
of the IT guys office door. That is how I returned it to him.

I run Windows 98 in a virtual machine that has no network access. It
is a real pigs breakfast but for the few Windoz things I must do, it
is
a good option. Unfortunately you can't run XP that way because it
locks
up if it can't phone home or something.

My wife keeps here Windows machine fully updated with all the latest
virus blockers etc. Just to be safe, I reboot it in Linux from time
to
time and copy all the important information onto an external drive.
It is a good thing I've done that.


[....]
> >> Third, make sure you have strong passwords, disable root logins (thus an
> >> attacker needs to guess user names as well as passwords), and move
> >> remote access (such as ssh) to a non-standard port.
>
> > Make your email names different from the login names so that
> > someone who has received an email won't know the login name for that
> > person.
>
> That can be a good idea when you need higher security.  But the majority
> of attackers don't know anything about you except your ip address - they
> will try common names such as "root" and "Administrator".  It's a
> different matter with directed attacks, in which case the attacker will
> likely research some email addresses as likely login names.

I was thinking about an attack from someone who had a spam email
address
list. The user name and company name can be parsed out.

From: Michael A. Terrell on

MooseFET wrote:
>
> I may hold the record for the fastest infection of an XP machine. It
> was a new Dell. I connected it to the network and it was a goner
> before I finished getting it registered. For a short while I had two
> PCs in my office somewhere I have the picture of the Dell in a
> garbage can in front of the IT guys office door. That is how I
> returned it to him.


If you were on a corporate network and that happened, they need to
fire the entire IT department.


--
Lead free solder is Belgium's version of 'Hold my beer and watch this!'
From: Vladimir Vassilevsky on


Michael A. Terrell wrote:
> MooseFET wrote:
>
>>I may hold the record for the fastest infection of an XP machine. It
>>was a new Dell. I connected it to the network and it was a goner
>>before I finished getting it registered. For a short while I had two
>>PCs in my office somewhere I have the picture of the Dell in a
>>garbage can in front of the IT guys office door. That is how I
>>returned it to him.
>
>
>
> If you were on a corporate network and that happened, they need to
> fire the entire IT department.

You should apply common sense to the horror stories that linux fans are
telling about Windows XP.

VLV
 |  Next  |  Last
Pages: 1 2
Prev: JVC VN 900, 1973 amp
Next: Neotus ELM1700ND