Re: Securing against an internet based intrusion



That is the job of a firewall to prevent a user from the internet from
trying to access your computer via a server service such as file and print
sharing or Remote Desktop. Most users do not have a need to offer such to
internet users and you can go to a self scan site like
http://scan.sygatetech.com/ to see if there are any ports open to your network
that could expose a vulnerability. If you do have a need to provide access
to legitimate users from the internet then it is best to use a device like
an IPsec endpoint firewall or a VPN server that allows L2TP connections only
as that would prevent a malicious user from trying to guess passwords since
his "computer" could not authenticate to your VPN. L2TP/IPsec requires a
certificate or pre-shared key for computer authentication.


I don't know about VPN, but it sounds interesting. I did comment about
our current security in reply to Lanwench's post.

The scans at sygatetech came back negative, even without the software
firewall engaged, so I guess that hardware firewall in our DSL modem
is doing a fairly good job. The only scan I couldn't do was the ICMP
scan, which the website said isn't enabled at this time.

All that aside the operating system would record failed logon attempts and
assuming auditing of logon/account logon events was enabled in security
policy you would see the failed logon attempts recorded.

OK, I had no idea XP would log failed attempts, I'd like to know more
about this. Sounds like something many users should know about::>

If account lockout
was enabled then the legitimate account could be locked out which can lead
to a denial of service as you mention.

OK, when you say 'IF', does that mean that it is an option to enable a
lockout if too many guesses are logged? I'd be willing to allow this
on my system as it appears that there are many ways around the log in IF one
has physical access to the hardware. Does 'IF' mean I can enable a
lock out or is this option not available at all?

If you enforce strong and complex
passwords it is extremely unlikely that the attacker would gain access and
would probably quit after a short period of time. It is much slower and more
difficult to try and crack passwords over the network than if a user has
direct physical access to the computer itself. In high security
environments implementation of IPsec [requiring computer authentication]
and/or something like smartcards and requiring their use can mitigate old
fashioned password attacks. Again a properly configured firewall ideally at
the perimeter of the network is your best defense from such attacks ever
reaching your computer in the first place. The link below may be of
interest. --- Steve

http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx

My passwords are proper and strong. I'll look over the link above
later tonight when the house is quieter.

Thanks,

Ari
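
The lockout trade-off discussed in this thread, as an added example that is not part of the original posts: Python code that replays failed-logon records against an assumed lockout policy and reports which account gets locked, when it unlocks, and which source addresses caused it. The record format, account names, addresses and policy values are constructed for illustration and are not the Windows event log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy for this example (not settings taken from the thread).
THRESHOLD = 5                      # failed logons that trigger a lockout
WINDOW = timedelta(minutes=30)     # failures older than this stop counting
DURATION = timedelta(minutes=30)   # how long the account stays locked

# Constructed sample: "timestamp account source-address" per failed logon.
SAMPLE = [
    "2005-03-01T09:00:00 guest 203.0.113.9",
    "2005-03-01T11:00:00 guest 203.0.113.9",   # two hours apart: never locks
    "2005-03-01T21:00:05 owner 203.0.113.7",
    "2005-03-01T21:00:09 owner 203.0.113.7",
    "2005-03-01T21:00:14 owner 203.0.113.7",
    "2005-03-01T21:00:20 owner 203.0.113.7",
    "2005-03-01T21:00:26 owner 203.0.113.7",   # fifth failure: lockout
    "2005-03-01T21:10:00 owner 192.168.1.20",  # real user, rejected while locked
]

def parse(line):
    """Split one constructed record into (time, account, source)."""
    ts, account, source = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), account, source

def simulate_lockouts(lines):
    """Return [(account, locked_at, unlocks_at, sources)] for each lockout."""
    recent = defaultdict(deque)    # account -> failures still inside WINDOW
    locked_until = {}
    lockouts = []
    for ts, account, source in sorted(map(parse, lines)):
        if locked_until.get(account, datetime.min) > ts:
            continue               # account already locked: not counted again
        failures = recent[account]
        failures.append((ts, source))
        while ts - failures[0][0] > WINDOW:
            failures.popleft()     # drop failures that aged out of the window
        if len(failures) >= THRESHOLD:
            sources = sorted({s for _, s in failures})
            locked_until[account] = ts + DURATION
            lockouts.append((account, ts, ts + DURATION, sources))
            failures.clear()
    return lockouts

if __name__ == "__main__":
    for account, start, end, sources in simulate_lockouts(SAMPLE):
        print(f"{account} locked {start} until {end}; failures from {sources}")
```

The locked account here belongs to the legitimate user, whose own logon at 21:10 is refused: that is the denial of service the thread mentions, and the source list shows whether the failures came from outside the firewall.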