Re: Attempted hacks on my Win 2k Web Server
From: Rainer Gerhards (rgerhards@adiscon.com)
Date: 03/07/03
- In reply to: Mat G: "Attempted hacks on my Win 2k Web Server"
From: "Rainer Gerhards" <rgerhards@adiscon.com> Date: Fri, 7 Mar 2003 12:05:46 +0100
Mat,
this may help.. may not. In similar environments, we use the ms loopback
adapter to create a second (virtual) nic on the machine, with private
address space. Then we set up rras and make it a vpn server. Then we bind
all windows services to the private address and only iis to the external
one. Then we use the rras filters to restrict traffic on the external nic to
just http (or smtp, ftp if you need).
Of course, it is not the same as using a firewall, but experience shows that
these simple measures make you much more secure on such a leased machine
without losing functionality. Anyhow, our concept is still that those
external machines should be considered "lost machines" which you expect to
quickly build from scratch (hint: script it!) if an intruder succeeds. I
suggest to never have the VPN open to an internal network for longer than
somebody needs to work with the leased server. We do some monitoring of the
event and iis logs to detect successful intrusions (if any) and hope to
have an 80% chance of detecting such intrusions should they happen.
BTW: experience with specifically-setup, weakly protected machines (de-facto
kind of "honeypot configuration") shows that you are able to receive alerts
after a successful intrusion. We were very curious about this and thus
proved if it could work. Again, we expect this to work in 80% of the
cases..
Experience also shows that the above configuration helps much, but of
course, it is not a really secure config ;)
Just my 2 cents...
Rainer Gerhards
http://www.monitorware.com/
"Mat G" <djmg2@lycos.co.uk> wrote in message
news:4d46a596.0303060354.f2118ff@posting.google.com...
> I look after two web servers for our company (one Win 2k IIS5 and one
> RaQ4 Linux Apache) and it is a big learning curve for me (even though
> I have been a standard network admin for 5 years now!)
>
> I have no hardware firewall (although the money has been promised for
> one soon) but am getting increasingly alarmed by the small number of
> attempts at password guessing that is going on.
>
> Should I be alarmed? The administrator and other key passwords are
> very long and use characters from each of the four groups (lower case,
> upper case, numerals and non-alphanumerical characters).
>
> I cannot enforce a strong lockout policy as the Internet guest account
> keeps getting locked out and therefore makes our web sites on that
> server inaccessible.
>
> I have renamed the Administrator account to a random name and created
> a user called 'administrator' but I see they have detected the name. I
> have also turned off default shares (IPC$, C$, ADMIN$ and so on).
>
> I connect and remote control the server via PCAnywhere and made the
> big mistake of downloading and installing a demo version of Sygate
> personal firewall, yet when I restarted the server, I couldn't control
> or even PING it as the firewall was doing its job! I had to get the
> dedicated server company to go in and disable the service so I could
> get back in. I may try (on an internal machine) installing Zone Alarm
> and seeing if I could use this.
>
> Or do you advise I do anything else (in TCP/IP security etc..)
>
> Any advice would be greatly appreciated.
>
> Many Thanks,
> Mat G
> United Kingdom
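
Added example, not part of the original thread or of the poster's own tooling: a check that the binding scheme described in the reply (all Windows services on the private loopback-adapter address, only IIS on the external one) actually holds, by auditing `netstat -an` output. The addresses, the sample output and the function names are constructed for illustration; the RRAS filters are a second layer that netstat does not show.

```python
"""Audit `netstat -an` output against the binding policy described in the post."""
import re

# Constructed sample in Windows `netstat -an` format; addresses are made up
# (203.0.113.10 = external NIC, 10.10.10.1 = loopback-adapter private address).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.10.10.1:139         0.0.0.0:0              LISTENING
  TCP    10.10.10.1:5631        0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        198.51.100.7:3312      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    10.10.10.1:137         *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(netstat_text):
    """Yield (proto, local_ip, port) for every listening socket."""
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header and blank lines
        proto, ip, port, _foreign, state = m.groups()
        # UDP rows have no state column; TCP rows count only when LISTENING.
        if proto == "UDP" or state == "LISTENING":
            yield proto, ip, int(port)

def audit(netstat_text, external_ip, allowed):
    """Return sorted listeners reachable on external_ip that are not in `allowed`.
    A wildcard bind (0.0.0.0) also answers on the external NIC, so it counts."""
    findings = set()
    for proto, ip, port in listeners(netstat_text):
        if ip in (external_ip, "0.0.0.0") and (proto, port) not in allowed:
            findings.add((proto, ip, port))
    return sorted(findings)

if __name__ == "__main__":
    for proto, ip, port in audit(SAMPLE_NETSTAT, "203.0.113.10", {("TCP", 80)}):
        print(f"exposed on external NIC: {proto} {ip}:{port}")
```

Running the same audit after each rebuild of the scripted server image shows whether a service has fallen back to a wildcard bind.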