RE: Naming Conventions of Servers and Security

From: Dan.Hemphill@mwhse.com
Date: 02/07/02


From: Dan.Hemphill@mwhse.com
To: CSNOW@ddpwa.com, jwichman@junebox.com, security-basics@securityfocus.com
Date: Thu, 7 Feb 2002 13:15:24 -0500 

It could be beneficial to name them incorrectly, but could also be a
logistical nightmare. Naming an Exchange server FTP1, for example, could
really throw a hacker for a loop after he enumerates the resources.

I would say it's not recommended unless the organization is extremely small.

-----Original Message-----
From: Snow, Corey [mailto:CSNOW@ddpwa.com]
Sent: Wednesday, February 06, 2002 1:09 PM
To: 'jwichman@junebox.com'; security-basics@securityfocus.com
Subject: RE: Naming Conventions of Servers and Security

Interesting question. I never considered that the name of a server would be
a potential security risk, but I never name my servers by their function
anyway. I usually pick a theme and name them that way. These days, I use the
character names from my favorite SF television show.

I would tend to agree that in principle, naming a computer after its
function would be a potential risk, because if an attacker could gain
enough access to enumerate network resources, it would be simple to identify
those targets which should be focused on. It would certainly simplify the
"recon" phase of any sophisticated attack.

I would not recommend a naming scheme like the one you show below, for those
reasons. Besides, giving servers silly names is part of the fun of being in
IT. ;-) For desktops, some organizations name them after the person who uses
it, but that means the name must be changed every time the box changes
hands. If you use asset tags on your equipment, maybe naming desktops using
that data is a good way to go.

Regards,

Corey Snow

> -----Original Message-----
> From: jwichman@junebox.com [mailto:jwichman@junebox.com]
> Sent: Tuesday, February 05, 2002 8:41 AM
> To: security-basics@securityfocus.com
> Subject: Naming Conventions of Servers and Security
>
>
> I have a question about naming conventions.
>
> What is the security community's recommendation on naming servers? Is it
> safe to name a server by the function the server provides? We are currently
> looking at renaming our entire domain since there are 4 or 5 different
> naming conventions currently being used. So far I have been told that
> naming a server AABCCC## (where A = Company Division, B = Type of device
> [S = Server, N = Network, D = Desktop], C = placement of server [DMZ or
> PRD or STG]) is weak security because an attacker would have useful
> knowledge about the server. I feel most attackers would perform some recon
> of the network and have that information before they went into attack mode
> anyway.
>
> I realize that it could be easier for an attacker to gain information about
> the server, but what about the folks who have to work on the server? If a
> server was to go down or be attacked I would rather know immediately from
> the name what I could be dealing with or how critical it is to the company
> that the server is down.
>
> Please send me your humble opinions.
>
> Thanks
>
> Jeff Wichman
>
>

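The trade-off discussed in this thread can be measured on your own inventory. The following is an added example, not code from any of the posters: it decodes names that follow the AABCCC## scheme quoted above to show what a plain list of hostnames discloses, and lists the names that fall outside the scheme (the "4 or 5 different naming conventions" problem). It assumes two-letter alphabetic division codes and a two-digit sequence number; the division codes `FN` and `HR` and every hostname in `SAMPLE` are constructed.

```python
import re
from collections import defaultdict

# Field meanings come from the scheme quoted in the thread: AABCCC##
DEVICE_TYPES = {"S": "server", "N": "network", "D": "desktop"}
# Assumption: AA is two letters and ## is exactly two digits.
SCHEME = re.compile(r"^([A-Z]{2})([SND])(DMZ|PRD|STG)(\d{2})$")


def decode(hostname):
    """Return the fields a conforming name discloses, or None if off-scheme."""
    m = SCHEME.match(hostname.strip().upper())
    if m is None:
        return None
    division, dev, placement, seq = m.groups()
    return {"division": division, "device": DEVICE_TYPES[dev],
            "placement": placement, "seq": int(seq)}


def audit(hostnames):
    """Split an inventory into what the names reveal and which are off-scheme."""
    revealed = defaultdict(list)   # (placement, device) -> hostnames
    nonconforming = []
    for name in hostnames:
        fields = decode(name)
        if fields is None:
            nonconforming.append(name)
        else:
            revealed[(fields["placement"], fields["device"])].append(name)
    return dict(revealed), nonconforming


# Constructed inventory: none of these names come from the thread's networks.
SAMPLE = ["FNSDMZ01", "FNSPRD02", "HRDPRD17", "fnnstg03", "FTP1", "zaphod"]

if __name__ == "__main__":
    revealed, nonconforming = audit(SAMPLE)
    for (placement, device), names in sorted(revealed.items()):
        print(f"{placement} {device}: {', '.join(names)}")
    print("off-scheme:", ", ".join(nonconforming))
```

The grouped output is the same view an administrator gets from the names during an outage, and the same view anyone who can list the hosts gets, which is the trade-off the posters are weighing.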