Re: Securing against an internet based intrusion



Comments inline.

"Ari" <nomail@xxxxxxxx> wrote in message
news:uifvv1hqqrh0uijk7dqi7inl8jv6vhm8j7@xxxxxxxxxx
That is the job of a firewall to prevent a user from the internet from
trying to access your computer via a server service such as file and print
sharing or Remote Desktop. Most users do not have a need to offer such to
internet users and you can go to a self scan site like
http://scan.sygatetech.com/ to see if there are any ports open to your network
that could expose a vulnerability. If you do have a need to provide access
to legitimate users from the internet then it is best to use a device like
an ipsec endpoint firewall or a VPN server that allows l2tp connections
only, as that would prevent a malicious user from trying to guess passwords
since his "computer" could not authenticate to your VPN. L2tp/ipsec requires
a certificate or pre-shared key for computer authentication.


I don't know about VPN, but it sounds interesting. I did comment about
our current security in reply to Lanwench's post.

The scans at sygatetech came back negative, even without the software
firewall engaged, so I guess that hardware firewall in our DSL modem
is doing a fairly good job. The only scan I couldn't do was the ICMP
scan, which the website said isn't enabled at this time.

That is a huge plus if you have a firewall at the modem also. You need an
endpoint ipsec device or Windows Server to use VPN with ipsec. XP Pro can
take a single inbound connection as a pptp VPN server.


All that aside the operating system would record failed logon attempts and
assuming auditing of logon/account logon events was enabled in security
policy you would see the failed logon attempts recorded.

OK, I had no idea XP would log failed attempts, I'd like to know more
about this. Sounds like something many users should know about::>

I believe it is enabled by default. You can use Event Viewer to see the
security logs. You can use Local Security Policy [secpol.msc] in XP Pro only
to manage auditing under local policies/audit policy. The links below may be
helpful explaining in more detail.

http://support.microsoft.com/default.aspx?scid=kb;en-us;300549 --- works
same in XP Pro.
http://support.microsoft.com/default.aspx?scid=KB;en-us;q300958 --- ditto.


If account lockout
was enabled then the legitimate account could be locked out which can lead
to a denial of service as you mention.

OK, when you say 'IF', does that mean that it is an option to enable a
lockout if too many guesses are logged? I'd be willing to allow this
on my system as it appears there are many ways around the login IF one
has physical access to the hardware. Does 'IF' mean I can enable a
lockout or is this option not available at all?

Yes you can use Local Security Policy in XP Pro or the net accounts command
in XP Pro and XP Home as explained in the link below. FYI if an
attacker has physical access to your computer password lockout will not
protect you as the user can resort to several methods to access your non
encrypted data including borrowing your hard drive, which you may never even
know about. If that is a concern you need to physically secure your
computer to some degree, which may be at minimum a sturdy computer case that
locks the case and access to the drives/power switch, and configure the
CMOS to boot only from the system drive and password-protect the CMOS settings.

http://support.microsoft.com/kb/q194739/



If you enforce strong and complex
passwords it is extremely unlikely that the attacker would gain access and
would probably quit after a short period of time. It is much slower and
more difficult to try and crack passwords over the network than if a user has
direct physical access to the computer itself. In high security
environments implementation of ipsec [requiring computer authentication]
and/or something like smartcards and requiring their use can mitigate old
fashioned password attacks. Again a properly configured firewall, ideally
at the perimeter of the network, is your best defense from such attacks ever
reaching your computer in the first place. The link below may be of
interest. --- Steve

http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx

My passwords are proper and strong. I'll look over the link above
later tonight when the house is quieter.

Thanks,

Ari
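The thread notes that Windows records failed logon attempts in the Security log once logon auditing is on, and that an account lockout threshold can turn a guessing attempt into a denial of service against the legitimate user. As an added example (not code from the thread or from Microsoft), this script reads failed-logon records exported from the Security log and flags password-guessing bursts by source address, so a user who mistypes a few times is not confused with a remote guesser; the export format and the log lines are constructed for the example.

```python
# Added example, not from the thread: spot password-guessing bursts in
# exported failed-logon audit records (XP event ID 529, later 4625).
# The log lines below are constructed: time, event id, account, source.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2005-03-01 22:14:01,529,administrator,203.0.113.9
2005-03-01 22:14:03,529,administrator,203.0.113.9
2005-03-01 22:14:04,529,administrator,203.0.113.9
2005-03-01 22:14:06,529,administrator,203.0.113.9
2005-03-01 22:14:07,529,administrator,203.0.113.9
2005-03-01 22:14:09,529,guest,203.0.113.9
2005-03-01 22:30:00,528,ari,192.168.1.20
2005-03-01 22:31:15,529,ari,192.168.1.20
2005-03-01 23:05:40,529,ari,192.168.1.20
"""

FAILED_LOGON_IDS = {529, 4625}   # 529 = XP "unknown user name or bad password"

def parse_failed_logons(text):
    """Return (timestamp, account, source) for each failed-logon line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(",")
        if int(event_id) in FAILED_LOGON_IDS:
            stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            events.append((stamp, account.lower(), source))
    return events

def find_guessing_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map source address -> failure count where >= threshold failures fall
    inside one sliding window (the same threshold/window idea as account
    lockout, but keyed on the source so the victim account is not locked)."""
    by_source = defaultdict(list)
    for stamp, _account, source in sorted(events):
        by_source[source].append(stamp)
    bursts = {}
    for source, times in by_source.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                bursts[source] = end - start + 1
    return bursts
```

Run against a real export, the flagged source addresses are what you would block at the perimeter firewall rather than answering with an account lockout.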




