Don't broadcast info about Windows servers...

Thread: Don't broadcast info about Windows servers...

  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    482

    Don't broadcast info about Windows servers...

    Any hacker who wants to attack your systems will start by trying to gather information about them. Your job is to make that as difficult as possible. Here are some tips to help you safeguard your Windows server information.
    Just a page on how to stop hackers gaining knowledge about your computer

    Get it Here
    - Trying is the first step towards failure. the moral is never try.
    - It's like something out of that twilighty show about that zone.
    ----Homer J Simpson----

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    One of the best things you can do is turn off the default shares on the box.

    Windows NT and Windows 2000 open hidden shares on each installation for use by the system account. (Tip: You can view all of the shared folders on your computer by typing NET SHARE from a command prompt.) You can disable the default Administrative shares two ways. One is to stop or disable the Server service, which removes the ability to share folders on your computer. (However, you can still access shared folders on other computers.) When you disable the Server service (via Control Panel > Administration Tools > Services), be sure to click Manual or Disabled or else the service will start the next time the computer is restarted. The other way is via the Registry by editing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. For Servers, edit AutoShareServer with a REG_DWORD value of 0. For Workstations, edit AutoShareWks. Keep in mind that disabling these shares provides an extra measure of security, but may cause problems with applications. Test your changes in a lab before disabling these in a production environment. The default hidden shares are:
    Share - Path and Function
    C$ D$ E$ - Root of each partition. For a Windows 2000 Professional computer, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders.
    ADMIN$ - %SYSTEMROOT% - This share is used by the system during remote administration of a computer. The path of this resource is always the path to the Windows 2000 system root (the directory in which Windows 2000 is installed: for example, C:\Winnt).
    FAX$ - On Windows 2000 server, this is used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
    IPC$ - Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources.
    NetLogon - This share is used by the Net Logon service of a Windows 2000 Server computer while processing domain logon requests.
    PRINT$ - %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS - Used during remote administration of printers.

    If anyone is interested, I wrote a doc (comprised of info from many sources such as CERT, NSA, CC, etc) that will give you the ability to REALLY ratchet down a W32 server.

    Regards!
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
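
    The NET SHARE check and the AutoShareServer / AutoShareWks registry change from the post above, as an added example that is not part of the original thread. It assumes a current Windows release with PowerShell run elevated; the function name Get-AdminShareStatus and its -Disable switch are hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
# Get-AdminShareStatus and -Disable are hypothetical names chosen for this example.
function Get-AdminShareStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Disable)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    $name = if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

    # A missing value means the default behaviour: the shares are created.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # Only write when asked to, when the value is not already 0, and when
    # -WhatIf / -Confirm allow it.
    if ($Disable -and $current -ne 0 -and
        $PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD to 0')) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        $current = 0
    }

    # Administrative shares report a Win32_Share.Type of 2147483648 or above
    # (disk, print queue, device and IPC admin shares).
    $adminShares = Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -ge 2147483648 }

    [pscustomobject]@{
        RegistryValue = $name
        Setting       = if ($null -eq $current) { 'not set (default: shares created)' } else { $current }
        AdminShares   = $adminShares.Name -join ', '
        Note          = 'Shares already present stay until the Server service restarts or the machine reboots.'
    }
}

Get-AdminShareStatus | Format-List          # report only
# Get-AdminShareStatus -Disable -WhatIf     # preview the registry change
```

    Run the report before and after a reboot in a lab to confirm which shares actually disappear before applying the change in production.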

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Turning off shares on the box and closing all the ports is simply rubbish.... No offense intended.

    Any server that provides public services, (or any workstation for that matter), should be located behind a properly configured firewall that allows _only_ the ports required to run the service through to the server. So if you are running a web server and a mail server with no POP allowed from outside the firewall then the firewall should have only ports 80 and 25 allowed - everything else should be implicitly denied....period.

    Doing this means you can leave all your shares up - hell add a few more - you can run netmeeting, terminal services, telnet and anything else you like 'cos without compromising your firewall there isn't anything they can do to access the box in any other way than you have allowed. Of course, if your firewall is compromised I'd say you're pretty much screwed anyhoo.....<s>

    All this chat about how to lock a box is simply second line defense and, since it is an added level of complexity, is more prone to mistakes. The first line of defense should always be the firewall - it's relatively simple, (or should be), and it's a single point of entry, (choke point), where all things must pass and be scrutinized. Without the firewall you are potentially open to so many more things that you will never be able to sleep at night for wondering what it is you might have overlooked.

    This, obviously, does not take into account attack from the inside - that's a whole different subject.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Careful Tiger Shark, a firewall is not the end-all-be-all solution. If you are on your own personal network behind a firewall and are the only one on the network, then this is true; however, what if you are behind your corporate firewall or share the network with other people...Why should you turn off default shares, even with a firewall (and for that matter turn off any unneeded services)?

    The best recent example I can think of is Nimda...

    Say you have a web server on the inside of your network and it becomes infected or say one of your 'stupid users' clicks on an email attachment or browses to an infected site without the proper antivirus solution and they are now infected...Your nice little firewall now does nothing for you. You essentially have a hard shell on the outside and a soft gooey center and once something malicious enters your network, bad things could happen very fast because you haven't taken the proper precautions in turning off unneeded services and locking down your box (essentially a domino effect using trust relationships (which is what a share is)). In the case of Nimda, it liked to spread over shares, through domains, and the like. Now your default shares get targeted by your coworker's box...maybe you have your virus signatures up to date and are ok...maybe it is a new virus and you are not.

    Regardless, if you take the time to properly administer your box, turning off unneeded services, setting proper permissions, removing default shares, you will not be nearly as at risk from other 'stupid users' or even insidious insider attacks. IMHO, it is at the height of irresponsibility to not take the steps to properly lock down your OS (note I said OS and not just windows). Lastly, by turning off unnecessary services and removing shares, you also free up CPU and memory on your own system and get better performance.

    A firewall is a good step, a firewall can buy you a lot of protection, but you have to be sure that you don't have a good hardened perimeter, only to have your entire network infected/compromised due to a soft interior.

    I kind of rushed the explanation (busy at work), so if that didn't make much sense I can elaborate further. This topic is kind of one of my pet peeves because I can't tell you how much grief I have had to go through after a huge swath of network becomes infested/falls like dominos because people didn't do the 'obvious things' to lock down their box...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Neb: I thought I covered your response in my last sentence.......

    The point of my "rant" was that all this talk of "locking" your box lulls individuals into the sense that they don't need a firewall - that they can, with a little time, adequately secure a box open to the public. Frankly, and in deference to you with regard to it not being the be-all and end-all of security, a properly configured firewall is the _single_ item in your security "checklist" that gives the "biggest bang for the buck"..... period. I agree it does not even come close to making you Bulletproof and has no effect on malware/viruses that "legally" ingress but it keeps the masses out quickly and reliably.

    There are a million cable/dsl connected computers out there right now where, those that have even thought about it, have decided that they can save on the expense of a firewall because they can see all this stuff about "locking your boxes". What percentage do you think might actually have the skill, understanding and diligence to do it successfully both initially and in the long term? My guess is in the fractions of one percent. Yet, for $80 they can go out and purchase a hardware device that covers the majority of their a$$ immediately.

    I am not so concerned with the corporate chaps - they hire in people to cover this - or they should do..... It's all those individuals that get the impression that they can do without a firewall and that if they follow someone else's instructions they can be secure for the foreseeable future.... IMO, that's naive.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Perhaps I should be a bit more clear. Firewalling is a given. In an enterprise environment, it is good practice to lock down workstations. 75% of attacks originate on the inside. In my case, the network was in such bad shape when I started here, the inside/outside was a gray area. My approach will give you significant protection against casual "hobbyist" hackers and the obvious worms and trojans that seem to creep into the network.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Senior Member
    Join Date
    Nov 2002
    Posts
    482
    Woah, I can see the tension. Better stay outa this one Darren.

    Just make sure that when the claws really come out that they don't get me :P
    - Trying is the first step towards failure. the moral is never try.
    - It's like something out of that twilighty show about that zone.
    ----Homer J Simpson----

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hoss: I did understand your intent however I firmly believe that whenever we talk about locking a box we should have a mandatory rider that sits at the bottom of each message stating that these measures are specifically for implementation on "corporate" boxes already protected by a properly configured firewall and accessible from within by unknown "entities".

    Frankly, I see too many people on the security sites I visit that would take information such as this as being all the protection they might need and just go without a firewall. I actually see it as some kind of a responsibility to make sure that things are done "properly" if, for no other reason than, it would provide the skiddies with a few less points of attack if we could get more cable/dsl type users to buy a damned firewall - preferably a hardware one, (software ones are too easy to disable and forget about......)
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    $66 - Linksys BEFSR41 - EtherFast Cable/DSL Router with 4-Port Switch is what I use at home. This is a great little product, especially for those who use ISPs who bridge their cable modems. I don't have to mention why bridge mode cable modems are a bad thing ;-)
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hoss: Linksys BEFSR41 is what I use at home..... funny old thing.....

    It's also what I make all my users with cable or dsl connections at home buy before I will give them access to work's network across the internet..... I've sold enough of them now I think Linksys should be giving me a commission.....<s>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
