I'm not an expert with Windows servers but you need to look at your security policy and ban repeated failed login attempts. You should also probably limit the user accounts that can be accessed via RDC and secure their passwords or set up key-based access. Also, if you haven't already done so, you need to secure your file system and give accounts only the access they need so that exploits are less likely to work. By default, a lot of the critical directories in your machine are user-writable. You should also probably be running network services under less-privileged accounts.
There are a lot of security auditing tools that you can use to get the basics down. You can probably ask for help on a security mailing list if you need help along the way, maybe SecurityFocus. After you get some new measures in place, try to stay on top of security bulletins and the latest methods people are adopting.
Regarding IP banning, there are IPs that are known to be running constant probes but I don't think ISPs bother to block most of them. Also, even if you block every IP range from foreign countries, the next attack still might come from somewhere unexpected. Since he is already being targeted, the attacker might be interested enough to just proxy his attack after he gets blocked. Setting up your firewall to drop unsolicited packets is a good general rule though and will work for some services. An ACL will only be particularly effective if you are willing to deny all except the list of subnets that you maintain, for at least some of your services. You may also look into port knocking for a more advanced way to limit your exposure.
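As an added example (not part of the answer above), here is a PowerShell script that applies the lockout, RDP-scoping and failed-logon review points from that answer on a current Windows Server. The admin subnet 203.0.113.0/24, the lockout thresholds and the 10-failure reporting cutoff are assumed placeholders.

```powershell
# Added example, not from the original poster. Run in an elevated PowerShell
# (Windows Server 2012+ / PowerShell 5.1+). Subnet and thresholds are placeholders.
#Requires -RunAsAdministrator

# 1. Lock accounts after repeated failed logons (threshold; duration/window in minutes).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 2. Default-deny inbound, disable the broad built-in RDP rules, and allow
#    TCP/3389 only from the management subnet (a deny-all-except ACL).
Set-NetFirewallProfile -All -DefaultInboundAction Block
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
New-NetFirewallRule -DisplayName 'RDP from admin subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress '203.0.113.0/24' -Action Allow

# 3. Review which accounts may use RDP at all; trim this group to the few that need it.
Get-LocalGroupMember -Group 'Remote Desktop Users' | Format-Table Name, PrincipalSource

# 4. Summarise failed logons (Security event 4625) by source IP so that
#    brute-force sources stand out during a firewall scope review.
function Get-FailedLogonSources {
    param([int]$Hours = 24, [int]$MinCount = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # Read named EventData fields from the event XML rather than relying on
        # positional Properties[] indexes.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
            User = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        }
    } | Where-Object { $_.Ip -and $_.Ip -ne '-' } |
        Group-Object Ip | Where-Object Count -ge $MinCount |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                      @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Get-FailedLogonSources
```

Sources that show up repeatedly in the last step are candidates for the firewall scope in step 2; a lockout policy alone does not stop the probing, it only limits what it can achieve.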