Printable View
Hi! I barely know anything about how the internet works so please bear with me. :D
I've seen scam ads that say "Your computer may be broadcasting your IP address to attackers! Click here to correct this!". I don't click them, but it's made me wonder if there is any element of truth to that.
What can someone do if they know your IP address? Is it a bad thing for someone to know your IP address?
As I said, I'm a complete newb so I hope those questions even make sense! :p
In plain English, a computer's IP address is similar to a mailing address. In order to send information to it, one needs the address. It is something you need, but also something worth protecting because it's possible for someone to scan your system for vulnerabilities IF they have your IP address and that can be a very bad thing if you haven't updated Windows with all the patches and if you do not have a firewall. I also highly recommend anti-virus, anti-trojan (sometimes AV covers trojans/worms but can't remove them), and anti-spyware.
Here is the link to download Ad-aware. This is a very effective free (for personal use) spyware detection and removal tool.
At the bottom of this page is a link to download AVG free antivirus. Try to use a "junk" email address that you never use when you sign up for it. I also highly recommend Symantec's Norton Antivirus, which is excellent but you have to pay to use it. Whatever you use, keep your definitions up to date (on both antispyware and antivirus applications) and run a scan weekly.
Here is the link to download ZoneAlarm; a free, very user friendly firewall. There are better ones out there, but this one is pretty solid and especially user friendly. Again, I recommend Symantec's Norton Firewall if you want to shell out some cash.
I'm sure others will give their input on what they like best and what you should/shouldn't use soon. Good luck. ;)
Hi, and Welcome to AntiOnline!
I am assuming that you are using the Microsoft Windows Operating System and a broadband internet connection (DSL or Cable).
First, what you need to do is to turn off File and Printer Sharing for Microsoft Networks. To do this:
Go to the Start Menu, and Open Control Panel. You will see "Network and Internet Connections". Click this.
Next, you will see a screen that says "Pick a Task" and "or pick a Control Panel icon". Under the Control Panel Icons, you will see "Network Connections". Click on it.
Now, you will see some Icons. Open the one for "Local Area Connection" and select "Properties". On the next screen, unckeck the box next to "File and Printer Sharing for Microsoft Networks". Then click OK, and close the windows.
What is happening is that your computer is sending what are called NetBIOS broadcast packets. Disabling the file sharing will limit the amount of broadcasts that your computer sends.
(In all actuality, the ad you saw probably doesn't know that you are broadcasting your IP. It's there to make people who don't know if the computer is doing it or not click on the link to try to sell you something, or wose.)
I would recommend that you install a firewall other than the Windows Firewall that came with Windows XP as well. Make sure you have anti-virus software, and also get a malware/spyware scanner. I would also recommend an Intrusion Prevention System, like Prevx Home (free from www.prevx.com)
All good questions...
Check this site to see how vulnerable the information your boradcasting makes you.
http://www.grc.com/x/ne.dll?rh1dkyd2
The nice thing about the ShieldsUp site is the amount of easy to understand information available.
The ads warning you could be right but you were right not to click them. At least 50% are spyware and why pay for what you can get for free?
Start with ZonAlarm since you are new to the tech that runs the internet. Once you feel more confident go with Sygate Personal Firewall or any other fw that lets you make your own rules.
To honestly answer your question if someone really wants to hack your computer it can be done with or without the IP up front. However broadcasting your IP can allow rank amatures to run scripts against it at will.
I'm not saying that's a bad idea, but can you give me a specific example of what would happen to someone that doesn't? Afaik, unless you're on a LAN, it makes no difference. And then even if someone were on a LAN with those things enabled, how could one take advantage of it (other than sending a print command for X1000 sheets of blank paper...yes I've done it before). Or having access to files you may not know are being shared? Or unless you've set permissions so that people can *add* things to your shared folder(s), which would be very silly.Quote:
First, what you need to do is to turn off File and Printer Sharing for Microsoft Networks.
Pop ups.Quote:
I've seen scam ads that say "Your
computer may be broadcasting your IP address to
attackers! Click here to correct this!".
Well, they can do a lot of stuff like they canQuote:
What can someone do if they know your IP
address?
do a simple 'WHOIS query' to see 'who' the IP
address belongs to. For example what ISP or
organization. They can map the IP address to
city and state (visual look that is) determine
who the ISP is, after that then they can
determine if they want to
1.) Scan to find open ports.
2.) Identify applications, servers, that are
running (based on the open ports they found)
3.) Code their own exploits or if they will find
exploits specific to those applications and
servers.
4. exploit.
5. Modify all log files.
6.Leave rootkit on system.
7. Own you because he/she has your IP address. Of course this is easier said than done. If your a home user with dial up I wouldn't worry about it to much. If you have a broadband connection (cable/ADSL) and have a static IP address then I would be a little concern. But if you have broadband with dynamic IP address leasing then I wouldn't worry about it as much. Just get a router and a software firewall, and AV software with Anti spyware software and keep your system up-to-date at all times you then should be okay for the time being. ;) j/k
keezel 576869746568617 is correct. Port 139 and others of NetBios are the ugly stepchild of vulnerabilites.
With common available tools even a secure network can be owned in half the time via these services. Think about your printing example when windows prints under what authority do you think it prints? And with that authority in your control what can you do besides print? Lots of fun stuff :)
Okay, let's just say that you have a Cable connection, and I am scanning IPs behind the ISP's router. I see your IP address, but I am not particuarly interested in your machine, until I see that TCP/UDP ports 135-139 and 445 are open. That's bad juju.
Your firewall will not filter the traffic that I am about to send to your computer, because (unless you have custom rules to block/filter traffic on these ports) it assumes the traffic is legit. I send a few packets to the computer to make sure it responds (called NetBIOS enumeration) from which I can get the computer's NetBIOS hostname.
Now depending on which patches you have installed (Which brings up another point...Make sure you turn on Automatic Updates), I can make a null connection to your computer. Now at this point, my access is extremely limited, and it is read only, but I AM IN YOUR COMPUTER! To make matters worse, I have a command prompt. Now I can attempt to spawn processes through application vulnerabilities (like the one that gave a user run as system rights back a few Norton Antivirus revisions ago), and get admin rights. Now, when I disconnect, I will have to do this all over again to regain root...but I'm not done yet.
Now I can use a program like User2Sid to get the SID and hash of the user "Administrator", so I can crack the password using LC4 or lophtcrack. If you rename the Administrator accout, that's OK, because I will run Sid2User just to make sure the user name and hash I crack are for SID 500, which is ALWAYS the SID for the admin account on a Windows box.
Now that I have that information, I copy your SAM datadase and disconnect, crack it, and reconnect using the admin account and password. Then I create my own hidden account, possibly installing a root kit or other trojan to use your computer as a zombie for DDOS attacks and the like.
Can you smell the bread burning?
Hell, nowdays a 13 year old script kiddie can just run a script to do almost all that in a fraction of the time it takes a real hacker. (Real hackers don't run scripts...THEY WRITE THEM!)
Basically, having those ports open on any connection that is directly connected to the internet is a BAD idea. In a corporate LAN, you should set the Firewall on the internet to explicitly deny those ports, bot inbount and outbound.
I'm working on a "Best Practice" firewall ruleset tutorial, and should have it published on AO in the next few days, if anyone is interested.
Ah, that's the jump I couldn't make in my mind. I didn't know how to get from the limited, read only access to actually having access to manipulate files on the system. Thank you.Quote:
I have a command prompt. Now I can attempt to spawn processes through application vulnerabilities (like the one that gave a user run as system rights back a few Norton Antivirus revisions ago), and get admin rights. Now, when I disconnect, O will have to do this all over again to regain root...but I'm not done yet.
What the hell? Do you make prank phone calls without the phone number? You're computer broadcasts an IP or it's not online or network.Quote:
Originally posted here by sandcraft
To honestly answer your question if someone really wants to hack your computer it can be done with or without the IP up front. However broadcasting your IP can allow rank amatures to run scripts against it at will.
Keep in mind that hackers aren't always trying to hack specific computers. All they need to know is a system that might be vulnerable. When you visit some website then the webserver will start logging all kinds of information about who visited the site, when, where from and some indication of the webbrowser used. Now, if you use Internet Explorer then the webserver will know that you have a Windows system for sure. If you use another webbrowser then it's still likely that your webbrowser starts information about your operating system as part of it's User-agent. (Some browsers allow you to fake this information, though!)
Now, once your visit to some website has been logged, the owner of this website can check this log and filter all visits from Windows systems out of this log. He then has a list of possible vulnerable systems that he can all try to hack. As mentioned before, this is quite easy because of all the available scripting tools.
Now, the trick for such hackers is of course trying to lure as many visitors as possible to their system. This can be whatever is most popular at that moment. But they also have to be aware that if there's a lot of pages that a visitor can view then a single visitor might fill up a lot of the logs. But it actually doesn't matter what page the visitor is viewing on the webserver as long as they visit it at least once. One trick would be a simple banner on the webserver and make this banner part of other sites by linking from those other sites. For example, by adding them as part of a signature on many forums. The more hits the server gets from different clients, the more systems the hacker can start to examinate.
One other problem is of course that this could also happen with other operating systems than Windows. Hackers might also decide to target e.g. Linux systems. However, Windows systems are still a large majority of all systems that are used for webbrowsing. So that makes Windows a very popular target for attacks. It's not that Linux has less vulnerabilities. Windows is just a lot easier target to shoot at. Think of it this way... You see a mouse and an elephant. You have a huge gun and need to bring home some meat. Which would you prefer to shoot?
Katja is exactly right, get them to come to you.
As for gore...
Incorrect. Your gateway needs to boradcast if you want to receive traffic. That is the extent of it. You could have an externally facing gateway device following the TCP/IP RFC (RFC 793) to a T. The internal side could be all SSH tunnels to a proxy or MAC based routing. No broadcasting needed for either. Although both of these would be a headache to admin, need custom written applications, and lose much of the robustness of TCP/IP.Quote:
What the hell? Do you make prank phone calls without the phone number? You're computer broadcasts an IP or it's not online or network.
Sorry for going so far off topic... what was the original question again? ;)
Katja brings up an interesting point.
A hacker could have a website advertising Sony PSP games and the like. When you connect to the site, the webserver logs the IP and browser type, but then, it initiates a port scan and runs some OS detection scripts (just to make sure that you didn't change the browser header to masqurade as Windows with IE, when you are in fact running Fedora.
So now, the hacker has your IP, OS & Browser type & version, and a list of ports that you may be vulnerable on.
To make matters worse, you were browsing the site for a while, and found a game you liked. You click the buy button and enter your name, address, telephone number, and credit card information...
and you were required to register on the site before completing the order by creating an account with a user name and password (and of course provide an email address for verification). Consider that the average Windows user will use a variation of the same user name and password for everything.
When you place the order, the site gives you an error processing order, blah blah blah. Not only are you about to be hacked, but the hacker also phished enough information to do practically anything he/she wants to.
Now that's scary.
576869746568617 makes a good point too here. Especially when a site asks for a username and password, things can become a bit risky. Many people just can't remember dozens of different passwords so they tend to use the same one over and over again. So you give away your username and a password and the hacker just has to check if your password gives access to other things too.
Say, you're a member of this forum. You see a link to another site and follow it. You see a place where you can register yourself and you do so, using the same username and password as the one on AO. (Well, many here know that this is stupid, but newbies often make this mistake.) Now, the owner of this site can see his logs and read the forum that you came from and has a username and password. All he has to do is check if you used the same password on AO and if you did, he can take over your AO account!
And of course he also has the IP number of your computer and thus he can try if your password also works for the administrator account on your system.
This kind of hacking works best in large quantities. Maybe one in 500 visitors is this stupid but if your site attracts 10.000 visitors then you will have access to 20 systems! Phishing works in a similar way. Send a message to half a million people and if one in every 100.000 people take the bait, you will have 5 succesful attempts.
And security? Two guys were walking through the African savannah when a lion started to charge after them. One learned a valuable lesson there. You don't have to run faster than a lion in that case. You just have to run faster than the guy next to you.
The same is true about security. You don't need the ultimate protection. Your protection just has to be better than that of the others in your community. Use different passwords, use different account names and make sure you have at least some basic protection like an up-to-date virusscanner/anti-spyware kit and a good firewall.
And learn to ignore those messages like "Your computer may be broadcasting your IP address to attackers! Click here to correct this!". Basically, this is just another kind of scam where they try to scare you in using their product.
*sigh*
They can attempt to connect to your computer more effectively than without your IP address.Quote:
What can someone do if they know your IP address?
No.Quote:
Is it a bad thing for someone to know your IP address?
You are more likely to be scanned at random than by someone specifically looking for your system, consequently any effort spent "protecting" your IP address is effort not spent on useful methods of protection.Quote:
It is something you need, but also something worth protecting because it's possible for someone to scan your system for vulnerabilities IF they have your IP address and that can be a very bad thing if you haven't updated Windows with all the patches and if you do not have a firewall.
Why? What functionality do you feel the Windows firewall is lacking? Seems like, unless he is running a more sophistocated network than just a workstation or two to jusitfy a different firewall.Quote:
I would recommend that you install a firewall other than the Windows Firewall that came with Windows XP as well.
The bad thing about ShieldsUp is that it is complete and total garbage.Quote:
The nice thing about the ShieldsUp site is the amount of easy to understand information available.
Disabling this functionality just saves hassle... and users beyond the LAN can connect if these shares are open to the world.Quote:
I'm not saying that's a bad idea, but can you give me a specific example of what would happen to someone that doesn't? Afaik, unless you're on a LAN, it makes no difference.
This and all the subsequent steps can be done without all the WHOIS steps and completely at random.Quote:
1.) Scan to find open ports.
Um... I have no idea what this is supposed to mean, but you seem to think it is clever.Quote:
Port 139 and others of NetBios are the ugly stepchild of vulnerabilites.
I am not sure that a network which can be "owned in half the time" could be considered "secure." These services are no worse than any other services, they just tend to be more liberally configured by default.Quote:
With common available tools even a secure network can be owned in half the time via these services.
Unless you have any custom software/configurations that might get broken.Quote:
Make sure you turn on Automatic Updates
Oh my god! You mean like how right this very moment I am IN the Antionline computer?! Hell, I have have some write access here!Quote:
Now at this point, my access is extremely limited, and it is read onlly, but I AM IN YOUR COMPUTER!
So how did you get access to cmd.exe on the system in question? Oh you mean you have a command prompt on your own system? So what.Quote:
To make matters worse, I have a command prompt.
Like you could against the Antionline webserver or any other server...Quote:
Now I can attempt to spawn processes through application vulnerabilities
Or gain it for the first time, since Windows doesn't have a root account.Quote:
Now, when I disconnect, I will have to do this all over again to regain root.
Bleh... why bother...
Don't worry about your IP address... just focus on keeping your computer secure with the Microsoft Baseline Security Analyzer or such.
cheers,
catch
In my opinion keezel put it in the most easy to understand for someone who is just beggining to use or understand how the internet works. My explination to you is as follows:
Your IP address is your Home Address, the hacker is the theif. What is stopping the theif from entering through the backdoor? The lock. What is stopping the theif from breaking a window? The gates this would be considered the firewall. But say you accidently leave your back door open one night...that's a vulnerability.
Alright Catch...
I appreciate what you are trying to do... answer the guys question as simply as you can. Something I did not do. I instead offered some security advise to make his machine a wee bit more secure, and hopefully ease his mind.
I was also answering a question. A theoretical "What If" scenario. I did not intend for it to hijack the thread. Perhaps what I should have done was start another thread and referred those who were curious to that thread.
The process I described is a classic NetBIOS/Privilege Escalation Hack. It is well documented, and works unless proper security measures have been taken.
If you think I went into too much detail, don't kill the messenger...full diclosure is a good thing. It's easier to defend against something if you inderstand how it will attack you.
It IS a big deal, because while I was "in the computer" (not able to do any damage yet, as you point out)...
I was spawning processes (Yes, just like on a webserver, or anything else...This is not requred to pull off the hack, I was just trying to find an easier way into a system account)...
than cracking the administrator account for your computer (using the command line on my computer, which aparently was no big deal to you)...
In order to remotely log in to your computer as the administrator, using the remote logon service on your machine, giving me administrative access to your computer.
I know it is running because you have file and printer sharing enabled. (unless you baselined your computer and disabled that service).
Then I can make a remote registry connection to insert the lines that will execute the root kit that I just installed on your hard drive the next time you restart... or anything else I want.
Oh, and Windows does indeed have a "root" account. It's just not named root. I am using root in the context of "generically refering to the administrative user account of an operating system".
As for the Windows Firewall, I was just stating my opinion...take it for a grain of salt. I just think it is way too granular.
And, the Microsoft Baseline Security Advisor is a tool to use to get a BASELINE security configuration. For a home user, this relatively low security setup may be sufficient, but in a corporate LAN, more hardening should be done.
I whole-heartedly agree that shields up sucks. And I can understand the sigh, as it seems that I have hijacked the thread with my what-if scenario...
For that, I apologise.
By telling him what? Some imaginary attack that has been way over dramatized and too simplified at the same time.Quote:
I instead offered some security advise to make his machine a wee bit more secure, and hopefully ease his mind.
I don't think you went into too much detail... except that you really went into a lot of needless detail on an ancient attack. You didn't explain the themes of the attack, just the specifics... which are pretty useless against anything other than a system meeting a very specific (not to mention very bad) configuration.Quote:
If you think I went into too much detail, don't kill the messenger...full diclosure is a good thing. It's easier to defend against something if you inderstand how it will attack you.
Um... ok... I get the feeling by the context that you don't know exactly what this means.Quote:
I was spawning processes
Actually... most exploits do require the spawning of a new process... since most exploits launch and bind a shell. Really not a whole lot of point in an exploit that doesn't do this or something similar.Quote:
(Yes, just like on a webserver, or anything else...This is not requred to pull off the hack, I was just trying to find an easier way into a system account)...
Wow... this has become totally asinine. Not sure what using a command line has to do with magically cracking the admin account.Quote:
than cracking the administrator account for your computer (using the command line on my computer, which aparently was no big deal to you)...
I hardly think you need to bother with any of this, considering the system is so appallingly badly maintained.Quote:
Then I can make a remote registry connection to insert the lines that will execute the root kit that I just installed on your hard drive the next time you restart... or anything else I want.
Actually, no. Windows does NOT have a root account. Root accounts are superuser accounts which are defined as "an account which exists outside of the security policy." Neither the Administrator or SYSTEM accounts meet this criteria.Quote:
Oh, and Windows does indeed have a "root" account. It's just not named root. I am using root in the context of "generically refering to the administrative user account of an operating system".
This tool helps the administrator simply configure the system in line with the Microsoft security guidelines... it is clearly good enough for home users as well as small to medium-sized systems.Quote:
And, the Microsoft Baseline Security Advisor is a tool to use to get a BASELINE security configuration. For a home user, this relatively low security setup may be sufficient, but in a corporate LAN, more hardening should be done.
cheers,
catch
Ok...I'm trying not to take it personal here...but the part about me not knowing what I'm talking about was a little much. I admit, I don't know everything, and never have claimed that I did.
I realize that the attack is ancient, that I simplified it way to much, overdramatized it, blah blah.
I guess I'm old because I prefer to execute some of the needed tools to pull it off from the command line.
In retrospect, it was a really bad example to begin with, and the thread shouldn't have even gone there, nor should it have gone here.
And I will concede the root/admin thing...I
As for the Baseline Analyzer, I stand my ground. If I were to connect a laptop to a corporate network that was baselined using it, it would be ok as long as the perimeter firewall was properly configured. I guess I'm just paranoid. I also deal with computers that require far more stringent hardening than the analyzer provides.
I may not have as much experience as you, but don't assume that I don't know something, because if I didn't, I wouldn't have posted it in the first place. (I don't know, cause I don't know anything about you, havent read your profile, etc.), but do you have to nit pick the post to death? Unless you're just doing it to get me all frazzled cause it's funny (in which case, I'll be a good sport.)
Otherwise, this debate is pointless, because I don't like pissing contests.
Someone wanted an example, I gave them one. If you have a better example, then by all means, please post it (in another thread.)
Sorry about the defensiveness...I'm a Taurus!
I am curious what you think is lacking from the MBSA.Quote:
As for the Baseline Analyzer, I stand my ground. If I were to connect a laptop to a corporate network that was baselined using it, it would be ok as long as the perimeter firewall was properly configured. I guess I'm just paranoid. I also deal with computers that require far more stringent hardening than the analyzer provides.
My original post was out of frusteration at the heaps and heaps of crap in this thread... I only nit picked a few of your points.Quote:
do you have to nit pick the post to death?
cheers,
catch
Well, I have a special situation when it comes to computers on the LAN. They have to be what we call secure trusted workstations (if there really is such a thing that is networked!) I can't go into much detail, let's just say they are used to process intelligence, and anything else is classified, so that's about all I can say. (Seriously).
I guess my stance on the MBSA was because I still had my blinders on :p
And really, I am sorry for the defensiveness...It's just been rough here the last few days, and I guess I was using your post to vent. Not that any of the points you made were not vaild.
Seriously though, If you have a better NetBIOS exploit example, I wouldn't mind seeing at least a synopsis of what, how, why it works. Always looking to learn somthing! :D
I am gonna call bullshit on this.Quote:
Well, I have a special situation when it comes to computers on the LAN. They have to be what we call secure trusted workstations (if there really is such a thing that is networked!) I can't go into much detail, let's just say they are used to process intelligence, and anything else is classified, so that's about all I can say.
Windows is not approved (nor does it even have the tools) to process multi-level data, which means that all systems would have to be at the same level. This means that it pretty much doesn't matter what workstations you connect since there are no labels to be maintained. Not only that, but Windows' security policy is too anemic to prevent data from being exported beyond the system. (no "email", "print", or per object NIC access controls)
Additionally MBSA or some similar (TFM supporting) tool would be require to ensure that all systems are sufficiently current and configured correctly all from a central point.
The specifics of a given exploit are not needed in this thread. Suffice to say, file sharing, like any service especially any superflous services merely increases the system's exposed surface, requiring greater effort on the system custodian to maintain the system in a secure manner.Quote:
Seriously though, If you have a better NetBIOS exploit example, I wouldn't mind seeing at least a synopsis of what, how, why it works.
A lot of users like to try and discuss very specific exploits and fixes, unfortunately this linear analysis doesn't address unknown vulnerabilities. People need to learn to look at security more thematically (removing unneeded services rather than patching them / place subjects in compartments rather than auditing the code)
cheers,
catch
Actually, catch, I never said that I was processing multi-level. The Windows system will only process at a single level, which means multiple systems...one for Unclassified, one for Confidential, one for Secret...they can only be used to process data at a single classification level i.e.: a seperate domain, SUS Server, AV Server, and physical network for Secret, the same for Unclassified.
They do have print and email. The ones that process data above Unclassified are also on a closed network for the very reasons that you describe. But when configured in this manner, they are (reasonably) secure trusted workstations.
The Unclassified systems have an internet connection via NIPRNet. We even have to seperate the premise wiring and devices that interconnect the systems so that there is no less than 6 ft of seperation between devices that process data at different levels, because of crosstalk and the possibility of bleeding Secret data over onto the Unclass net.
Now, we even have DoD approved wireless network cards that are certified to transmit encrypted data at Secret and below. Never thought I'd see the day...
Most likely, unless the architecture of the Windows OS gets a radical re-design of the kernel, it will never be certified for multi-level data processing. It simply cannot do this securely in its present state.
I couldn't agree more...A lot of us (myself included at times) are guilty of that.Quote:
People need to learn to look at security more thematically (removing unneeded services rather than patching them / place subjects in compartments rather than auditing the code)
I think I'm beginning to like you...so persistant! :D
(pours catch a cold beer)
What can someone do if they know your postal address? :p Most of the possibilities for attack are men standing on giant's shoulders.
2600 ran an article on this a few years back. The 'hacker' was able to get a credit bureau to update someone’s record with just a persons name and address. Then they applied for a card with a company who used this bureau. They got the card without raising any red flags and then began receiving pre-approved cards for the person in the mail.Quote:
What can someone do if they know your postal address?
Nice huh? Of course the article didn't mention how much information the USPS keeps track of or how to get below their radar.
As for the interesting MBSA discussion going on… MBSA is a nice tool. It does have 'bugs' just like any other software. Do not rely on it exclusively. In some instances it will list a patch as installed that is not and/or list a patch as not installed that is actually installed. Related to this something I've seen on servers is a discrepancy between Windows Update and MBSA one says patch X, Y, and Z are missing while the other might say patch X and Y are missing and patch Z is installed. Again this is a thankfully a rare occurrence so the extra analysis to determine which one is wrong (sometimes both) is not a huge time sink.
As for recommending Shields Up I stand by that recommendation. The user asking the original question indicated his/her n00b status. The information presented on that site is in an easy to understand USA today type format. It may not cover security in depth or offer DOD level security recommendations but it does go step by step with hand holding how to disable file and print sharing, unused services, close unused ports, get a free firewall etc. Almost everything an n00b needs to get started.
Which is exactly my point. :-P Since the system cannot handle data at multiple levels, each system must be isolated on a same level network. This is a terrible solution for the simple fact that it does not take into consideration either sensitivity expiration or aggregation. (the idea that object is more sensitive than the sum of its parts) This architecture doesn't allow more sensitive objects to be supplemented with less sensitive objects and users cannot change their level of access without going to a different workstation. In fact... this architecture loses all the benefits of the B-L model.Quote:
Actually, catch, I never said that I was processing multi-level. The Windows system will only process at a single level, which means multiple systems...one for Unclassified, one for Confidential, one for Secret...they can only be used to process data at a single classification level i.e.: a seperate domain, SUS Server, AV Server, and physical network for Secret, the same for Unclassified.
While it is true that a few of these issues can be dealt with using a multi-level secure network processor, that does not effectively deal with all of the issues. Also, it stands to reason that if an organization were to use an MLS-NP that the same organization would have also selected a higher assurance workstation architecture.
For such isolated systems I can't see much of an increased need for security at the workstation level. True it would be wise to supplement MBSA with the NSA's Windows configuration guidelines and it should be noted that these two are not mutually exclusive. The MBSA is useful for assuring that the workstation are configured correctly, especially with regard to functionality beyond the scope of the domain's security policy.Quote:
They do have print and email. The ones that process data above Unclassified are also on a closed network for the very reasons that you describe. But when configured in this manner, they are (reasonably) secure trusted workstations.
Even in such an environment, MBSA is one of the (if not the) best tools a Windows admin can use.
Well, when the system doesn't have ANY implementation of labels MLS is clearly not even a question. The Trusted Systems people did a paper on this about nine years ago. The architecture of the NT line has changed very little in this time and the MLS requirements have not changed at all, so the document is still fairly valid. It is attached.Quote:
Most likely, unless the architecture of the Windows OS gets a radical re-design of the kernel, it will never be certified for multi-level data processing. It simply cannot do this securely in its present state.
cheers,
catch
edited to add:
No one is suggesting that this user needs "DOD level security", I do think however that tools like ShieldsUp build bad habits. It's one thing to suggest that to someone just looking to secure their own computer, it is something completely different to suggest that to someone who seems to have an honest desire to learn about computer security.Quote:
As for recommending Shields Up I stand by that recommendation. The user asking the original question indicated his/her n00b status. The information presented on that site is in an easy to understand USA today type format. It may not cover security in depth or offer DOD level security recommendations but it does go step by step with hand holding how to disable file and print sharing, unused services, close unused ports, get a free firewall etc. Almost everything an n00b needs to get started.
I agree. But I also see merit in recommending ShieldsUp! to a noob, you just have to do it right. It's a good starting point (it's where I started), but you should understand on the front end that so much of what Gibson spouts is grade A crap (which I didn't know when I started), and should only use GRC as a stepping stone to higher (and more consistently correct) learning sources.Quote:
No one is suggesting that this user needs "DOD level security", I do think however that tools like ShieldsUp build bad habits. It's one thing to suggest that to someone just looking to secure their own computer, it is something completely different to suggest that to someone who seems to have an honest desire to learn about computer security.