| 9:12 pm on Jan 30, 2004 (gmt 0)|
|This is a half-truth; you're leading people in the wrong direction. |
It is not a half-truth and I am not leading people in the wrong direction. These viruses are worms and did not require intervention by users. Anti-virus software is one layer in a multi-layered security system which includes patching, firewalls, honeypots, intelligent management and so forth. Anti-virus software WILL protect a system which is not up-to-patch from Welchia and similar viruses. Not well but it does provide some level of protection.
I will reiterate. Not running anti-virus software on ALL Windows machines is asking for trouble. It does not matter how many fancy analogies you use, it is still asking for trouble. It doesn't matter how "cool" you think it is to say you don't have it and have never been infected, it's still not intelligent to be without.
| 10:32 pm on Jan 30, 2004 (gmt 0)|
I just happened across this from M$ [microsoft.com], may be useful, haven't read it.
| 11:35 pm on Jan 30, 2004 (gmt 0)|
|Anti-virus software WILL protect a system which is not up-to-patch |
Your server should never be in this state. Period. And your statement is still incorrect. Aberdeen Research just did a piece on this:
|The Internet worms of 2003 - W32/Blaster, MS/SQL, and Sobig (Welchia) - took advantage of common network channels and system vulnerabilities to deposit executable payloads on unprotected PCs and PC servers. These worms were able to gain access to resources on the local corporate network to subsequently infect other PCs and PC servers throughout the network. None of these worms were initially stopped with antivirus software. |
I agree with you that a well balanced plan includes multiple levels of security, including network security (I'm 100% with you on this).
But I can't agree with you about anti-virus on a production-class machine. Let's agree to disagree. This topic's been beaten to death.
| 12:02 am on Feb 6, 2004 (gmt 0)|
|why would you need an anti virus on your server? |
1) to protect against momentary stupidity
It is very stupid to have anti-virus software on a web server.
| 5:43 pm on Feb 9, 2004 (gmt 0)|
|Software firewalls are worse than useless as they give people a false sense of security. They increase the instability of machines, harass users with too much data (often leading to them being disabled entirely) and don't do a particularly good job in the first place. |
What a load of FUD.
I happily use ZoneAlarm on my laptop and.. it doesn't "harass" me. In fact it just sits there quietly doing its job protecting my computer. The only time it asks anything is when a new or changed program is being used to access the net - and that is something that I want to know about! It hasn't made my machine "unstable". It works just fine. No noticeable changes at all really. It does a very good job actually. Sure, I dare say that in theory some uber-hacker could possibly bust through it - but it protects me from the script kiddies which account for well over 99% of the risk out there. It's a lot easier to carry around in my laptop bag than a hardware firewall would be :)
To re-iterate: I would not recommend using a software firewall to protect servers or mission critical stuff, but for home PCs they are perfectly adequate and definitely not marketing hype.
| 4:54 pm on Feb 10, 2004 (gmt 0)|
Not sure this is the place to ask or exactly how to ask but --
My site is on a virtual server with an ISP. It has been hit hard and continues to be hit with the MyDoom virus. It is spoofing my email and sending itself out. I use iMail online to keep up with email away from my primary computer. I have updated antivirus on all machines under my control. I don't open attachments unless I know from whom and what they are.
I asked the ISP to run an antivirus program on the server but they said no, that they can't run it on just one domain, they would have to run it on all virtual sites on the server.
This ISP has great value for the money but the support is less than helpful. I do have some administrative rights on my domain but do not understand the server side of things. Is there anything I can do to stop and clean up this virus?
| 4:54 pm on Feb 10, 2004 (gmt 0)|
Stunning thread! Thanks guys.
I just added a hardware firewall to my W2K Adv. server.
As mentioned above, not one hit making it through beyond the designated access points, rights.
I do not need AV as there is no mail server and I do not browse the web there. Again: it's a web server exclusively.
But I certainly WILL spend some time disabling what I do not need like earlier in this thread, massive thanks!
| 5:26 pm on Feb 10, 2004 (gmt 0)|
MS 2000 server "lockdown tool"....it sounded....so safe...so right....
Boom! Blew up one box. Play carefully with this tool.
It's a bit of a Sawzall. Cutting into walls blindly with a Sawzall can lead to interesting results. When using a Sawzall always start by visiting your basement to determine what pipes, wires and ductwork are running upstairs, between the studs of the balloon construction walls of your house, the walls you are about to (blindly) cut through in order to place a through-the-wall air conditioner.... ;-)
Boom! Blew that one up too!
I was 21 at the time. I thought I knew what I was doing.
That's changed, right? I'm older now...ya know..
Hey, it's a Sawzall. It even cuts cars.
P.S. Do not let your children play with this tool....the lockdown tool.....The Sawzall? My son loves it. Cut down a tree the other day. (Okay, he's 18.) It's good to see the next generation of men evolving. Tool Time!
| 8:31 pm on Feb 10, 2004 (gmt 0)|
Installing UrlScan [microsoft.com] also adds some extra defence - although not as important for Win 2003 as 2000 and NT.
| 9:04 pm on Feb 10, 2004 (gmt 0)|
|Anyone on a windows machine who does not have an up-to-date anti-virus product on every single machine is having the equivalent of anonymous unprotected sex at the local neighborhood gas station. |
Anyone relying on Anti-Virus software to safeguard their server is doing the equivalent of having anonymous protected sex (with a condom) at the local neighborhood gas station. And yes, sooner or later one will get through.
To limit the risk you need to cut yourself off from the gas station as much as possible with a hardware firewall, block yourself from specific vulnerabilities with MS Updates/Patches and keep up to date with the latest news. Also, as has already been mentioned, turn off/uninstall all services and programs that you don't need and never use Outlook Express on the server.
Anti-Virus software gives a false sense of security and that's why I don't use it.
We're all vulnerable and we should all remember that.
Other pointers: If you're using remote desktop for administration then block port 3389 (at the firewall) and have your firewall redirect another port (of your choosing) to port 3389 (say 6812). Then when you connect from your remote location connect using www.yoururl.com:6812
| 10:09 am on Feb 11, 2004 (gmt 0)|
Let me update with what I have done since this thread started.
1. I installed Avast server edition. But I found that it doesn't catch viruses as they come in through the mail port.
2. So additionally I installed their mail edition, which scans the POP3 port
3. I have been struggling with the "allowed" list of programs, but have been unable to make it live as I keep finding hidden .exe files that windows executes. Does anyone have a list of these?
4. However, no. 3 above does not prevent scripts from executing. Thus the AV is much required
5. I have not installed a separate firewall, because we found that the built in firewall in win 03 blocks all ports other than the HTTP ports and mail ports. Which is ok with us. What else is a firewall needed for?
6. We also run a daily scan on our servers using TREND, which we found very reliable against hacker tools & viruses
7. We have subscribed to all the lists mentioned in this thread and that keeps us a step ahead of hackers & viruses.
| 10:51 am on Feb 11, 2004 (gmt 0)|
Jake's reply in msg #:2 goes some way to opening your eyes at what you need to do, but it's a quick start up guide. Great post btw.
I'm quite surprised some of you consider your AVP (anti-virus protection) as the saviour of your OS (operating system), and that any security vulnerabilities it may have, your AVP will just cover.
Even having 1 AVP is not enough, you need a backup one to also cover any stones un-turned by your 1st AVP just in case, which often proves there is something lurking hidden.
But even having 2 AVP's is not enough, you also need AT's (anti-trojan utilities) in the soup of a secure environment. An AT will weed out any of the most common sources of security breaches noted in recent times. If kept up to date, you can live a little more in peace knowing you got ur pulse on Trojan attacks.
So you have 2 AVP's, 2 AT's, an un-patched OS, and think you're covered. NOOOOO, an un-patched OS 'WILL BE' breached regardless! So patch it, but you got to tread carefully, coz M$ patches r well known to destroy a healthy OS, specially Servers, so like any good SA (server admin) test the patches on a test server environment before going ahead on the live server. Jake mentions this.
A patched OS running double AT & AV protection and you think you're home dry. Well NO, again Jake mentions getting a good understanding of the services running on your server, which is the ideal scenario, but what you really need to look out for is:
a. DO you need the service running NO/YES?
b. If the service is required what UDP/TCP Ports does it use &
c. Is there a specific vulnerability patch available for the Service that needs to be applied.
Once you know the answers to those questions and weed out all unwanted services by setting them to manual/disabled, you can go ahead and set a Firewall rule policy, to allow Open/Close/Stealth ports to specific services using specific ports.
This requires a Firewall, which comes in 2 flavours - Hardware and Software Firewalls. For those of you new to firewalling, I suggest either telling your ISP to provide you with firewalling protection or if it's down to u get ur self a software one, that way you can see what ports the firewall will block/allow by notifying you 1st for a decision. You'll learn fast this way.
For the experienced Firewall users, you will have an understanding of the most common ports in use on a server and what rules to apply to those, and you also have a clear understanding of the key advantages/disadvantages between Soft'/Hardware firewalls.
Ultimately a Hardware firewall is the 1st choice, why? Well, because all attacks will be stopped at the 1st point of defence, 'the hardware firewall'. If the barrier is hard enough to withstand it. Hence your server will never see any attacks land on it, compared to a software firewall which will go into action after the attack has landed on the server.
Oh, watch out for the Netbios port, it has proven to be a big pain for trojan attacks, so unless your server is serving NT4/Win9X clients/servers, disable it.
1. 2 x Anti-Virus products from 2 different vendors.
2. 2 x Anti-Trojan products from 2 different vendors.
3. A healthy patched Operating System
4. Block all ports except those that need to be open/closed.
5. Keep a close eye on it, can cost you your job.
| 11:40 am on Feb 11, 2004 (gmt 0)|
Can you recommend 2 good anti-trojan products?
Does anyone have a list of all .exe that win03 runs on start-up?
Is there a way within win03 to define the ports for blocking?
I have one additional suggestion: keep all sensitive data on a separate server. Ultimately, many people hack a server to obtain credit card info of customers, or email addresses, or other critical data. If you keep this data locked & hidden, this will reduce the lure of repeated attempts.
| 11:58 am on Feb 11, 2004 (gmt 0)|
I've IM/sticked you my suggestions.
| 1:08 pm on Feb 11, 2004 (gmt 0)|
I'd love to have recommendations for AV, AT for Win2K Server, any link with reviewed options?
| 7:51 pm on Feb 11, 2004 (gmt 0)|
One recommendation, on top of all the others here: before running the IIS lockdown tool, go into IIS Manager and backup the current server configuration (IIS Manager, Right click on the web site, Backup/Restore Configuration). This will save you a heap of trouble if the IIS lockdown tool messes things up.
I sure wish I'd done that two weeks ago when it basically restored my web server's settings to the day I installed Windows 2000 and I had to recreate all of the web sites.
| 2:39 am on Feb 12, 2004 (gmt 0)|
Xoc, just to add that in Win2K and NT4, if you do the right-click thing, that only makes a backup which can be restored to the CURRENT install on the CURRENT machine of Windows/IIS.
If you want a portable backup, you'll want to use Microsoft's IIS MetaEdit [support.microsoft.com] tool.
| 2:59 pm on Feb 12, 2004 (gmt 0)|
I use this site to try to find out what a program running in the background does:
I also use a free utility called Startup which alerts you if a program you are installing wants to add an Icon to the System Tray. Mostly I refuse the request as I hate all the clutter building up. It also alerts you to changes to the Registry. I can't find the web-site for this program at the moment.
| 12:17 am on Feb 16, 2004 (gmt 0)|
How to secure your Windows server?
Only two options, really.
a). Remove Ethernet drivers, or;
b). Format disk and install another O/S.
| 3:02 am on Feb 16, 2004 (gmt 0)|
Some important points -
1. If you run w2k3, on NO ACCOUNT run IIS Lockdown; you don't need it, it's for Windows 2000 and anything it would do is already done on IIS 6.0
2. If you can't get a hardware firewall get a professional server firewall - and these mostly are NOT cheap. For w2k3 insist your software firewall is using stateful inspection, best I have seen so far is Visnetic. Expect to pay at least a couple of hundred bucks for it.
3. If you think zone alarm is a good firewall then you have no right running a server in the first place.
4. If you think running any kind of anti-virus software on a server is a good idea you have no right running a server in the first place.
5. If you run anything like Ensim or any hosting control panels check every time - and I mean EVERY time - that they have OK'd a patch before you put it on.
6. Turn off Windows automatic update and do it yourself, you will save yourself a lot of heartache thinking your box is safe when it probably isn't.
| 7:06 pm on Feb 16, 2004 (gmt 0)|
|5. If you run anything like Ensim or any hosting control panels check every time - and I mean EVERY time - that they have OK'd a patch before you put it on. |
Do you mean, before running a Microsoft patch, you should check if Ensim has specifically ok'd it?
I hope not, I run MS patches all the time and never checked with Ensim
| 7:18 pm on Feb 16, 2004 (gmt 0)|
Yes that is exactly what I mean, otherwise you could soon find out that Ensim has stopped working and you are unable to recover it because you can't take the patch off. It's happened to me.
Sign up with the Ensim newsletter, if any patch is out that will balls up Ensim they usually let you know about it.
| 8:18 pm on Feb 16, 2004 (gmt 0)|
Thanks, that is good to know.
| 8:41 pm on Feb 16, 2004 (gmt 0)|
You don't have to disable the administrator account, just rename it. You might even change the port that your SMTP server uses. I lock down everything on the firewall except the http and smtp ports. I have some other ports open but have them restricted to my static IP. I can do things remotely by just using the VPN so that it thinks I am at that IP. I have my log reports locked down to my IP as well.
| 10:16 pm on Feb 26, 2004 (gmt 0)|
One good thing to do is have the source code for your web server independently audited for security holes by several different organizations. This ensures any security holes will be found by the good guys before the bad guys.
| 12:32 am on Mar 6, 2004 (gmt 0)|
blah blah NAV etc... boring.
To answer the original question be sure to do the following for .Net sites:
1) In your web.config, be sure to turn on custom error messages and define a custom error page. Otherwise, a hacker could try to break your site and possibly reveal your source code
2) Don't leave your .vb files on the server since that could potentially show source code if you didn't do step 1 or it somehow got turned off for debugging and you didn't turn it back on
3) Make sure you have tracing off in the web.config. Keeping tracing on allows any random user to view the last x transactions on your server by simply going to /trace.vxd
4) Make sure the physical file access to your project is only read/read list permissions. If the everyone group has full access, then any exploit could potentially lead to the hacker modifying your files.
5) Delete/rename the administrator account because most hacker's tools will try to brute force attack to guess the password
6) Enable a login policy that disables the account after x bad login attempts. This will help with number 5.
7) Make sure you aren't running ftp or FrontPage extensions! If you have to run ftp, make sure it's only open for your IP address and closed to the public. For general port scanning of the server, you can try https://grc.com/x/ne.dll?bh0bkyd2 if you can get on the server and browse the internet.
There's probably a 100 more. Linux zealots would have you believe that it's more secure than Windows, but don't believe the hype. There are just as many exploits for unix/linux, it's just not as trendy to talk about them though. Ever see on the homepage of cnn.com that latest sftp vulnerability?
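Steps 1 and 3 of the post above can be checked mechanically. The following is an added example, not part of the original post: a small Python audit of the `customErrors` and `trace` elements under `system.web`, run against two constructed web.config samples. It assumes a web.config without an XML namespace on `<configuration>`; the function name and the `/error.htm` page are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the settings steps 1 and 3 warn against.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" requestLimit="40" />
  </system.web>
</configuration>"""

# Constructed sample: the same file after applying steps 1 and 3.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="/error.htm" />
    <trace enabled="false" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings for the customErrors and trace settings."""
    findings = []
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    if web is None:
        web = ET.Element("system.web")  # nothing set: ASP.NET defaults apply

    errors = web.find("customErrors")
    # ASP.NET's default when the element is absent is mode="RemoteOnly".
    mode = "RemoteOnly" if errors is None else errors.get("mode", "RemoteOnly")
    if mode.lower() == "off":
        findings.append("customErrors mode=Off: remote visitors see detailed error pages")
    elif errors is None or not errors.get("defaultRedirect"):
        findings.append("customErrors has no defaultRedirect: no custom error page defined")

    trace = web.find("trace")
    # Tracing defaults to disabled, and to local-only when enabled.
    if trace is not None and trace.get("enabled", "false").lower() == "true":
        if trace.get("localOnly", "true").lower() == "false":
            findings.append("trace enabled with localOnly=false: trace viewer open to remote users")
        else:
            findings.append("trace enabled: request details are being recorded on the server")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(text) or "no findings")
```

Running the same check after every deployment catches the case the post mentions, where a setting was loosened for debugging and never restored.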
| 10:59 pm on Apr 9, 2004 (gmt 0)|
With my continuation of this subject, I have been recommended the following security set-up by my hosting company:
1. Allow us to set up a client based VPN - This would allow you to do all your administration over a secured tunnel. The setup fee for this is 250$US and the monthly fee is 125$. If this were setup we could close all ports to your server except 80, 443, and 25.
2. Add an IDS (Intrusion Detection System) to protect your environment. This is a piece of equipment that works in conjunction with your firewall to detect intrusions or compromises. Upon a detection an attacker would be blocked and logged. The set-up fee for this is $1500 and the monthly fee is $1650.
The problem with this solution is that it is extremely costly.
The steps we have taken so far are:
1. Install a Cisco PIX 506 firewall.
2. Lock down public ports.
3. Lock down SSH - This will make it so that SSH is only accessible from a very few IPs - clearly this will help to only allow access to a few individuals.
4. Lock down VNC; VNC communicates via clear text, and should not be used unless absolutely necessary.
5. Lock down Terminal Services - Although terminal services communication is encrypted, we have locked it down to a few IPs to prevent it from being brute forced.
6. We also locked down SQL server.
Do you feel that we should go in for the expensive solution recommended by our hosting company? Or do you think that the steps we have taken 1-6 are sufficient?
| 7:40 pm on Apr 12, 2004 (gmt 0)|
Further to my above post, I have gone ahead and locked down all ports to work for a single I.P., except for HTTP & HTTPS.
Will report back with what happens.
| 8:05 pm on Apr 12, 2004 (gmt 0)|
Well, I wouldn't pay those kinds of figures. The steps you are taking should be sufficient for most purposes.
| 8:10 pm on Apr 12, 2004 (gmt 0)|
Another item: read the NSA security documents on the nsa.gov website. They have thorough documents on securing all Windows-related services.