Windows XP security test

[lumpyporridge]

The fact is that most hacks are from vulnerable services running and social engineering, the latter is totally excluded by this methodology and were the services realistic? , web with cgi , database , dns ,smtp ,ssh.... Targetting many times occurs due to what services you are runing already which was also excluded in this test. Anyone can put any updated firewalled box with no vulnerable services running up and no one will hack it unless they are very leet or have friends who are. From a purely scientific pov All this proves is that pooh can run windows update and configure a firewall properly, probably as far as i can see so.

[pooh sun tzu]

Yup, apache was running with CGI, etc etc. You tend to forget that a server or computer does not have to have 40000000 services running. You run what is needed. The point of this exersize was to prove that a good firewall and an OS in the hands of a good admin, is unpenetrable. If you think you can do better, take a crack at it. But know that you won't be getting in. I'll make double sure my IDS autobans any scanning computers this time.

Yes, that's right, windows IDS So both of you can either continue whining aind complaining about "this doesn't prove anything wahhhh". Or take a shot at it.


properly configured firewall + updated services + properly configured services + proper IDS + proper admin observation == an near unpenetrable box

Of course this means a weakness of social eng. could exist, and they would sweet talk information out of me. Then again, would you be able to do it?


If you don't believe that algorithm, then why not let you two being the last ones who crack it. It's a very simple algorithm, and you need to put your keyboard where your mouth is. I know I did, and here I am now hosting this security test that has yet to be penetrated because of that above algorithm. My point was to prove in the proper hands of a knowledge admin, XP is untouchable. Prove me wrong, or don't comaplain about it not proving anything

[jehnx]

pooh sun tzu: I still disagree with ya mate. Let a few more members, myself included, mess with it. I don't think that anything is completely secure, ever, and I can almost guarantee you that if you put it back up with some of the more proficient seniors that you'll have a different outcome. Though, in the same sense, your point is proven in that the normal person can not break into a server, indeed.

Also, who all participated in this, do you know? I didn't see a list or anything anywhere.

[pooh sun tzu]

I will not be releasing the names of those who participated in it, unless they request it. But I can assure you, they were not "normal people", but those on AO who had actual skill.

I have sent you a PM, and will allow yet another person to have a shot at it.

[jehnx]

Hehe, thank you pooh, and I have replied to your PM. All pings timeout.. pfft. :-p

[mohaughn]

Pooh- I think you need to go back and re-read my post as you did not understand what I was trying to say. What was the need? If a person has any security knowledge they know that what you are saying is true. Which is exactly what my last post stated.

If you were trying to prove that a windows OS based on NT can be secured, was there really a need? Unfortunately, if someone doesn't believe that a windows OS can be secured, what you have presented here isn't really going to change their opinion. They already don't agree with what educational and government testing of the products have proven. Why expect a non-scientific test to prove anything?

To rephrase it a different way, if somebody doesn't already think that a windows OS can be properly secured, they are going to blow holes all in your testing method to not agree with you regardless of what you do or if anybody gets in or not. I never said I didn't agree with you. Although I really don't think there is such a thing as an inpenetrable system. You just have to make it so difficult that it isn't worth messing with.

[Maestr0]

Although these kinds of wargames are fun and I enjoy them thoroughly myself, its important to remember that this is a "rigged game" if you will. In this situation the Admin knows who is going to attack what box and gets to make up the rules (hardly a real life scenario), which in this case restrict the attacker to using technical attacks against one hardened machine running services of Pooh's choice so really only a 0-day exploit is likely to succeed,but as everyone knows security is like a chain, in that it is only as strong as the weakest link, meaning in a live situation an attacker is going to choose his own (weak) victim not Pooh's choosen (hardened) victim. Once the attacker has comprised the weakest member of the herd that machine can be used to leverage access within the domain/network to compromise network devices and other more difficult targets. The real question is not whether Windows can be hardened when properly locked down but rather can you maintain this level of security on ALL the machines on your network ALL the time (and fend off other techniques used to gain unauthorized access as well) , and that is where things get interesting.


-Maestr0

[pooh sun tzu]

Whine and complain however you want. 0 breakins, 0 DoS successful attacks, 0 firewall penetrations. Services running? Apache.
This can apply across any network as security and is a very simple thing. My guides of XP security explain exactally how I did it, which is quite easy to do across any network. Don't believe me? Thikg it was rigged? Too bad. A computer is a computer is a computer. I will harden each computer just as much as the next, because that is called 'being a good admin'
Let me also remind you what the rules where: Anything goes save DDoS. That's right. There were no restrictions, no "you can't do that!". I denyed DDoS because there is no defense for it save waiting for them to stop, thus vulnerable. This computer is exactally how my servers and other networked computers are secured, meaning nothing here was rigged. I'm sorry you feel that way. However, those who participated now view Windows security in a much better light (and mind you they are not complaining).
So, a normal XP, secured through my normal means, granting the attackers to do WHATEVER they wanted, and not defining firewall rules against their specific IP's. That's pretty damn non-rigged. Shall we even discuss that I turned off the windows IDS? God forbid it catches them port scanning and perma-bans their IP. Understand that I gave them plenty of opprotunuites, but in the end the only weak link in the entire bit was me. And good luck trying to SE me in any situation. Case stands, XP can be secured in a normal security situation to an unpenetrable degree. "Nothing is unpenetrable" is an old adagio formed by old-school scripties. Sorry guys, but I've seen that saying fail far too many times.

[mohaughn]

OK, so how much stuff do you have running on that web server? How many 3rd party web apps that you do not have the ability to do code audits on? Probably not much of anything. Any successful web attack that I have ever analyzed have usually come about because of one of three things:

1) misconfigured services- you have this base covered.
2) Out of date patches. Which is really addressed if you configure your systems properly anyways. But you have this covered
3) Bad code in web applications. There is no way that you can look through every line of code that exists in a web application. I know a company that tried to do it, Pilot Web Services, and they went out of business about three years ago because they couldn't keep their customers happy. Was their network secure, you bet. But was it usable? Not really. It took way to long to roll out new updates, and they flat out refused to allow some things to be used that the customer absolutely insisted on having. Bottom line, they lost their customers. If you would like to know a little more about Pilot do some research on the security expert Tom Wadlow. He has written a couple of very good books on secure network design, and he was the brains behind the network and IDS that Pilot built. He is an extremely brilliant security expert and someone that I agree wholeheartedly with on many different security topics.

So I ask again how can your test in anyway be compared to a real world environment? If you think you can build an inpenetrable system that can still function in a useful business fashion in every single case, you should take your own advice from another thread and, "Get off your high horse." Also think about the fact that you are not the only user on a normal corporate business system. Securing a home PC with one user, and a web server on it, is a lot different than trying to secure a carrier class network with over 70k users and hundreds of physical locations. If you try to argue this point, I will really begin to wonder if you have any administrative experience in a large corporate environment. I'm not saying that as a personnal attack, or trying to put myself in a higher position. It is just that securing a small network while fundamentally the same as securing a large one, is much different as they each have their own unique challanges and obstacles to overcome.

All you have done is try to argue with people about how good of an administrator you are, when people are trying to agree with you on some of your comments. Your eagerness to argue to no end is really becoming noticable to most of us.

Given the circumstances presented in this test can you build a really secure XP machine? Of course you can. You haven't proven a thing that isn't already known by most of the senior members on this system. Does that mean that you can always build a secure system in all circumstances? No, of course it doesn't. Like I said, the purpose of security isn't to build a inpenetrable system, because it doesn't exist. The purpose is to build something that is so difficult to penetrate that it isn't worth it. And I won't argue that with you. There are plenty of PhD's at AT&T Labs and other places of higher learning that agree with me, and I will continue to agree with them.

Whine and complain however you want.

I see no one here whining or complaining. And again I ask you to take your own advice from some of your other recent posts and realize that this is a discussion. Don't take it so personnal.

And as far as you little score card. I ask again how many people with access to 0day exploits have you let have a whack at your systems? I say that score card would read 0 as well. You have totally neglected to address that fact.

[pooh sun tzu]

"People who always seek to destroy things will find something wrong with everything". I ask you to reread the origonal parent post so you understand what I was proving: "That XP in the hands of a good admin can be locked down as secure as any other OS". That was proven, putting a lot of argments from the past to rest.

Can you not drop this old thread so we can move on and not end up hating one another?