Re: Finally, a secure computer

From: Stephen L Nicoud (nicouds@hotmail.com)
Date: 03/17/03


From: "Stephen L Nicoud" <nicouds@hotmail.com>
Date: Mon, 17 Mar 2003 09:02:43 -0500


I don't care about your data. I care if someone compromises your system and then uses your system to launch attacks against my and other systems.

"Walter E." <wer25@yahoo.com> wrote in message news:lBdda.28863$0r1.5280909@twister.socal.rr.com...
> Hi Karl, thank you for your thoughtful observations.
>
> I am merely offering my comments because I wonder if there is an element of
> paranoia in the security aspects of IIS administration.
>
> Of course, a great deal depends on the vulnerability of a system. If the
> security at the IBM website is compromised, it is a disaster. If the
> security at my "web" is compromised, I merely re-load a clean image or I
> reformat and the damage is repaired. Easier to fix than to prevent.
>
> I feel that this is the area that most persons do not pay sufficient
> attention to. They spend endless hours and efforts to protect a system that
> can easily be repaired if it is ever invaded. The chances of any hacker
> invading my system are practically nil because he would not get any kudos
> for this accomplishment. Therefore it is extremely unlikely that any hacker
> worth his salt would bother with my computer.
>
> Maybe MS would be better served to assign different levels of vulnerability
> to different types of systems. What is the point in fortifying a system that
> is not protecting anything of value? Instead, they insist that the owner of
> a tiny system served by IIS or the PWS protect himself with the same
> measures applicable to security measures necessary for the Dept. of Defense.
> This seems ridiculous.
>
> I installed Zone Alarm. The AVG Port Scan found Port 80 and 5000 open
> (because I was running IIS with http). After I installed the XP Firewall
> (ICF), all ports were invisible. I ran a port check on 10,000 plus ports (I
> forget which site I used). Maybe this has something to do with the nature of
> ICF which does not listen on ports but only opens to responses to messages
> that have previously gone out through a particular port. Anyway, it worked
> fine for my web server.
>
> I have been running IIS fully open for several days now. Just ran my virus
> checker and there is no problem.
>
> What you said is true: One can never know what ingenious hackers will come
> up with. However, we can only provide reasonable safeguards for our doors,
> commensurate with the potential damage. Therefore I am not seriously
> contemplating the installation of machine gun nests in the entry area of my
> home.
>
> There is a lot of hype, scare-mongering, sensationalism and paranoia in the
> field of computer protection. It might be helpful if potential threats could
> be evaluated in terms of their relevance to the vulnerability of a system.
>
> Thanks for your kind response
>
> Have a great day
>
> -
> Walter
> The Happy Iconoclast www.rationality.net
> -
>
> "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
> news:#MHsRj#6CHA.3400@TK2MSFTNGP11.phx.gbl...
> > You've certainly got a good start, though
> >
> > 1) adding ICF to ZoneAlarm is probably not going to add extra security.
> > It's probably better to only run one software firewall [e.g. disable ICF]
> > since this is probably untested and unsupported;
> >
> > 2) you do want to confirm from time to time that your antivirus didn't have
> > trouble downloading updates [I'm not sure about AVG pro, but my AVG freeware
> > antivirus by default only downloads updates once a month, which probably
> > isn't enough, and also I'm not sure what happens if the download attempt
> > occurs when the internet connection isn't connected];
> >
> > 3) I don't know which port scanner you used, but usually they don't check
> > all ports, just the common ones. There are 130,000 TCP and UDP ports and it
> > takes quite a while to check them all. It may be adequate to just check
> > some and not all ports, but sites like www.grc.com just don't check enough
> > ports.
> >
> > 4) Note that both AVG and Zone Alarm can be disabled by trojans or stop
> > working for a variety of reasons.
> >
> > 5) Your configuration sounds pretty secure, though you never know what new
> > security vulnerabilities will be discovered later. What's secure today
> > might not be secure tomorrow. Also, I would never say that it's impossible
> > for a hacker to get into a system, just that it's unlikely.
> >
> > You didn't mention patches and hardening checklists. I would really
> > consider doing some of these for "defense in depth" in case your firewall or
> > antivirus fails to protect you at some future date.
> >
> > http://securityadmin.info/faq.htm#harden
> >
> > While you say that you would never open an email attachment, there are a
> > number of ways an attachment could run automatically if you're using Outlook
> > or OE with the preview pane open, or an email could download and run
> > malicious code from a web site even if there is no attachment on the email.
> >
> > There are other types of attacks that are uncommon, but theoretically
> > possible, such as 1) you or your computer is enticed to visit a web page
> > containing hostile code; 2) DNS cache poisoning is used to redirect you to
> > such a web site; 3) DNS trickery is used to make your AVG software or
> > another auto-update software download and run malicious code from a web
> > server masquerading as an update server, etc.
> >
> > Last, your firewall is only as secure as its configuration. One thing that
> > disturbs me about ZoneAlarm is that the configuration changes dynamically
> > depending on whether the computer user accidentally clicks the wrong thing.
> > Any security setup that offers a choice to the computer operator and relies
> > on the human to make the correct decision 100% of the time is IMHO less than
> > 100% secure.
> >
> >
> > "Walter E." <wer25@yahoo.com> wrote in message
> > news:Avnca.13848$0r1.1575165@twister.socal.rr.com...
> > > I recently switched from win 98 and PWS4 to Win XP and IIS. I was concerned
> > > about the inherent security problems with IIS. I only use the IIS for web
> > > design and uploading changes to my website.
> > >
> > > I seem to have resolved the problem as follows: I installed Zone Alarm Pro
> > > plus the WinXP Firewall.
> > > I also run AVG Pro virus checker.
> > >
> > > Now, when I run a port check of my computer with IIS running, I find that
> > > all of my ports are in "stealth" mode, including Port 80. IIS works fine in
> > > uploading my website.
> > >
> > > Since my computer cannot be seen from the web, it seems impossible for any
> > > hackers or viruses to get in here. Am I deluding myself?
> > >
> > > --
> > > Walter
> > > The Happy Iconoclast www.rationality.net
> > > -
> > >
> > >
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003
> >
> >
>
>
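
Added example (not part of any post in this thread): the point quoted above, that a port check only tells you about the ports it actually probed, turned into a local cross-check of listening sockets against the scan's scope. The netstat text is a constructed sample, and the scan scope (TCP 1-10000, no UDP) is an assumption standing in for the "10,000 plus ports" check mentioned in the thread.

```python
import re

TOTAL_PORTS = 2 * 65535  # TCP 1-65535 plus UDP 1-65535

# Constructed sample in the layout of Windows `netstat -an` output.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:1031         *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def exposed_listeners(netstat_text):
    """Return {(proto, port)} for sockets accepting traffic on a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        if addr.startswith("127."):
            continue  # loopback-only, not reachable from the network
        found.add((proto, int(port)))
    return found

def unverified(listeners, scanned):
    """Listeners the external scan never probed, so its result says nothing about them."""
    return sorted(listeners - scanned)

def coverage(scanned):
    """Fraction of the whole TCP+UDP port space that the scan touched."""
    return len(scanned) / TOTAL_PORTS

# Assumed scan scope: TCP 1-10000 only, no UDP.
SCANNED = {("TCP", p) for p in range(1, 10001)}

if __name__ == "__main__":
    print(f"scan covered {coverage(SCANNED):.1%} of all TCP+UDP ports")
    for proto, port in unverified(exposed_listeners(NETSTAT_SAMPLE), SCANNED):
        print(f"not probed by the scan: {proto}/{port}")
```

Any listener this reports still needs its own check of the firewall rule or the service binding, because a clean scan result does not cover it.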


