From: Jean-Pierre Harvey (jean-pierre.harvey edivision.com.au)
Date: Tue May 22 2001 - 18:32:57 CDT
Adriano,
From my experience there are a few simple rules that will stop 90% of any attacks, even new ones. On all internet servers:
Remove anything default that is not needed
Remove *all* samples
Secure the registry with ACLs
Disable any services that are not required
Ensure that all file system ACLs are the minimum required permissions only.
These basic config changes will render many of the hacks that have been seen on IIS over the past twelve months useless. For example, the IIS Unicode attack does not work if the IIS anonymous user is not permitted to execute cmd.exe. Or, to qualify that further, the exploit is still there, but the attacker will only be able to access files and directories to which the IIS user has access, which should only be the web files and a few executables and DLLs in the \winnt\system32\inetsrv directory. He/she would still need to know the exact name of the file as well. The IIS printer hack is another example. We never use internet printing so I remove the ISAPI mapping and the /printer directory. It is hard to hack something that is not there.
I can not think of an IIS related hack in the last 12 months that would potentially be able to break any of our IIS systems in any significant way because I follow the guidelines above.
Having said all that, internet security is an often misunderstood concept. Security is not something you really have, all you really can do is buy yourself time. All systems are hackable with enough time, you just need to be able to make sure that you can make that time frame long enough so that your logs or detection systems start to show suspicious activity and then manually intervene.
Please understand that I also believe in patching and updating systems to remove security flaws, but the simple things above will help buy you that precious time that it takes to hack a system.
Regards
JP
-----Original Message-----
From: Adriano Freire [mailto:cto vilox.com]
Sent: Monday, May 21, 2001 2:09 AM
To: FOCUS-MS
Subject: Attacks, Attacks, Attacks
Can anybody help us report attacks? We've been aggressively
attacked from several servers (I believe Hacked Apache Servers), from
Russia, Taiwan, etc. The attacks basically are Unicode attempts, NetBIOS
requests, DoS and others. Until now we have been keeping ourselves ahead of the
attacks by applying the patches, SPs, but I am afraid one day they'll probably
be ahead of us, and then...
We have logs with everything, captured packets, ex*.log files, traces, etc.
Adriano Freire, CTO
http://Vilox.com
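
The ACL point in the reply above (the anonymous IIS user should not be permitted to execute cmd.exe) can be checked with a short audit. This is an added example, not part of either message: the function name Test-ExecuteAccess and the identity patterns (IUSR, IUSR_*, IWAM_* and the broad groups) are assumptions to adjust to the accounts the server actually uses.

```powershell
# Added example: list Allow ACEs that let web-facing or broad identities execute a binary.
# Assumption: the identity patterns below are illustrative; group names are localized.
function Test-ExecuteAccess {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\cmd.exe'),
        [string[]]$IdentityPattern = @('IUSR', 'IUSR_*', 'IWAM_*', 'Everyone',
                                       'Users', 'Authenticated Users')
    )

    # ExecuteFile (0x20) plus the generic bits Get-Acl shows as raw numbers:
    # GENERIC_EXECUTE (0x20000000) and GENERIC_ALL (0x10000000).
    $executeMask = 0x20 -bor 0x20000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Deny ACEs are not evaluated here; only grants are reported.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$ace.FileSystemRights -band $executeMask)) { continue }

        # Compare on the account part so 'BUILTIN\Users' matches 'Users'.
        $account = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($IdentityPattern | Where-Object { $account -like $_ }) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Report every matching grant on cmd.exe, or say that none was found.
$findings = @(Test-ExecuteAccess)
if ($findings.Count -eq 0) {
    'No matching execute grants found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A match on a broad group such as Users matters only if the anonymous web account is a member of it, so confirm group membership before tightening the ACL.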