
Thread: Windows XP security test

  1. #31 (Senior Member, Join Date: Oct 2001, Posts: 748)
    Don't worry. It would take a lot more than this to get me to hate someone. I know what the original point was, and I said from the beginning that I agree with you 100%. I have only been trying to get you to see my point that if somebody is of the notion that XP cannot be properly configured and secured, they are going to come up with countless ways to blow holes in your test. So while I'm sure the test was fun to put together, and you may have seen some interesting things, the Linux blowhards that just love to hate Windows are going to continue to hate Windows regardless of what you did. So I don't really think that the "Windows can't be secured" argument is going to die anytime soon. People just love to hate the big guy, not sure why, but they do.

    And yes, I know this thread may be a week or two old, but I don't have the luxury of visiting this site every day like many of you do. When I replied yesterday was the first time I had read your response to my post from a week ago.

  2. #32
    If you ask me, this thread will never die, so I agree with mohaugn. If this thread is going to have any leverage in the "equality of the OS giants" argument, it should have more than 4 people test it for security. But then again, I have no clue what kind of time you have on your hands to take on such a project, it would be kind of a hassle, and nobody is paying you.

    BTW I could only find evidence of about 4 people testing the server, maybe you have done more outside of the thread. Have you finished a final compilation of the whitepapers, or am I being impatient?

    Like gore said, maybe you could continue with 2003 server to add some weight to the experiment, and try some different services, whatever. Maybe mix it up, add some more attackers, maybe at once?

    Like I said, as an argument to support Microsoft, this thread will never die, and will be linked to forever. So maybe it would be a good idea to give it as much weight as possible.

    Almost Cubbie season-
    Soda

  3. #33
    I do agree with both of you, but let's be honest here and take it logically.

    Security is guaranteed in any OS according to 3 principles:

    1. An IDS is in place to defend against attackers, banning IPs at will.
    2. An admin has properly updated and securely configured all running services (no matter how many there are).
    3. Information security policy to at least begin preventing SE.

    Note that no matter what OS, if someone gets caught by my IDS they get a nice big DROP for their IP, since the IDS will ban that IP. I could of course run more services, but if each of my services is updated to the latest patch, secured in the deepest way possible, then they can only rely on 0 day exploits, which takes us back to #1 and #2. If an IDS or admin notices this activity (and 0 day exploit attempts) then it is only necessary to ban that IP.

    So what I am saying is yes, Windows-haters will forever find something wrong with this test. But the basic facts of security remain, regardless of whether I am running 100 services or 2. By following the base principles of security, an OS can be made secure. Any OS. So we could do this test for Mac, Nix, etc etc etc... not because of programs/settings, but because we can understand how TCP/IP (and the system in general) works.

    I'm trying to get that white paper together, but 3 out of the 4 attackers have YET to respond to my PMs for their logfiles.


    edit: I have had some people ask how an IDS can detect 0day exploits without a signature. Here is my response:

    While the attack pattern is what sets off the IDS, an IDS (a good one) still monitors (or the firewall monitors) activity. While it is unknown activity, it is still activity. Couple this with the logfiles generated by the service in question and you have a pretty good idea if someone is attempting an attack or not. So, it is more a firewall+IDS+logfile_review marriage than the IDS itself to handle and detect 0 day exploits.

  4. #34 (Senior Member, Join Date: Oct 2001, Posts: 748)
    Poo- agreed. The other, and what I see as being the biggest issue, is an attack that masks itself as valid data. This is where I was talking about the type of web applications and the ability to do code verification on web applications. If I can get your web server to perform a buffer overflow, and in turn get that problem to execute commands, there is a potential that a very skilled attacker could do everything they want to your box just by passing HTTP traffic. If you have an IDS monitoring a wide range of web applications, it could become very difficult to have an IDS detect those types of attacks. Although the level of sophistication required is high enough that you would probably have data of high value, and it would require more than just owning a web server to get at it. I don't see somebody with that type of skill going after web sites just to deface and shout out to their friends.
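An added example (not from the thread or its test server) of the firewall+IDS+logfile_review idea from post #33, extended to the "attack hidden inside valid HTTP traffic" case raised in post #34: a small Python reviewer that scores Apache access-log lines per source IP and names the IPs that would earn a DROP. The log lines, the URI-length limit and the block score are constructed assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the thread.
MAX_URI_LEN = 1024   # request URIs longer than this are unusual for a static site
BLOCK_SCORE = 4      # per-IP score at which the reviewer recommends a firewall DROP

# Apache "combined" log: client IP, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def score_line(line):
    """Return (ip, points, reasons) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, request, status = m.group(1), m.group(2), int(m.group(3))
    parts = request.split()
    uri = parts[1] if len(parts) >= 2 else request
    points, reasons = 0, []
    if len(uri) > MAX_URI_LEN:               # oversized input aimed at a parser
        points += 3; reasons.append("oversized URI")
    if re.search(r"%[89a-fA-F][0-9a-fA-F]", uri):  # percent-encoded non-ASCII bytes
        points += 2; reasons.append("non-ASCII bytes in URI")
    if status >= 400:                        # the service itself rejected the request
        points += 1; reasons.append("error status %d" % status)
    return ip, points, reasons

def review(lines, block_score=BLOCK_SCORE):
    """Aggregate per source IP; return {ip: (score, reasons)} for IPs reaching block_score."""
    totals = defaultdict(lambda: [0, []])
    for line in lines:
        scored = score_line(line)
        if scored is None:
            continue
        ip, points, reasons = scored
        totals[ip][0] += points
        totals[ip][1].extend(reasons)
    return {ip: (s, r) for ip, (s, r) in totals.items() if s >= block_score}

# Constructed sample log lines (not taken from the thread's test server).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2004:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [12/Apr/2004:10:01:03 -0500] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/4.0"',
    '192.168.1.9 - - [12/Apr/2004:10:02:10 -0500] "GET /cgi-bin/x?q=%90%90%90%90 HTTP/1.0" 404 0 "-" "-"',
    '192.168.1.9 - - [12/Apr/2004:10:02:11 -0500] "GET /' + "A" * 2000 + ' HTTP/1.0" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, (score, reasons) in review(SAMPLE_LOG).items():
        print("DROP candidate %s (score %d): %s" % (ip, score, ", ".join(reasons)))
```

The ordinary visitor's single 404 (a missing favicon) stays well under the block score, while the second source accumulates points from the service's own log without any signature for the specific exploit.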

  5. #35
    This is where I was talking about the type of web applications and the ability to do code verification on web applications. If I can get your web server to perform a buffer overflow, and in turn get that problem to execute commands.
    Apache has been installed on a separate partition meant solely for server programs (see my XP security guide), as well as being installed under a separate user with limited administrative controls. It has very, very limited access (the user apache runs under) and this means even more limited restrictions on what it can call upon. I know there may be a way around that of course, but as you said above... if you make something -that- difficult...
