Showing posts with label Server Security. Show all posts

Tuesday, September 22, 2009

Why Is Reliable Web Hosting Essential?

For those individuals who have web hosting needs where security and uptime are paramount, the world is a very happy place. Most webhosts can offer uptime guarantees which are above 99%. This figure is enough to make any business owner smile. It does not, however, mean that all of those webhosts that offer this figure are equally reliable. There are other factors involved in webhosting which may not frequently manifest as advantages or disadvantages but, when they do come into play, can make the difference between suffering and surviving an absolute disaster.

Webhosts generally operate out of what's called a "server farm". If one were to visit one of these facilities, they would find racks upon racks of servers humming away and serving up their clients' web pages. These farms have certain requirements to ensure that they're reliable and safe. Most importantly, they need to be protected from human and environmental security threats that could compromise the well-being of the sites hosted on them. This is not a simple endeavor, and any reputable webhosting company will be more than happy to answer any questions related to their facility. If they're not willing to offer straight answers about their facility, look elsewhere.

A server farm should have a backup power system that allows it to keep functioning in the event of a local power outage; this is a basic question to ask of any webhost. It should also be insulated from other environmental threats such as floods, hurricanes and tornadoes. This is a basic measure for any company which does most of its business online: if the site goes down, the business goes down, and customers on the Internet are notoriously unforgiving of downtime. To avoid downtime there is a technology called "fail-over", which essentially means that if one's primary server fails, another takes up the work. Ask about this feature.

Be sure to ask about server security where one's users are concerned. Any webhosting company should be willing to provide a secure server, called an SSL connection, to any one of their clients. This is needed for any exchange of personal data or financial information. Make certain that one's webhost not only supports the sale and installation of this feature but that their technical support can help clients set up and maintain it if need be. Oftentimes, solid reliability in a webhost means skilled technical support!

Monday, June 29, 2009

How about a Microsoft Security Essentials for servers?

Desktop PCs can always be reimaged. It’s a pain, but downtime only affects one person. Servers, on the other hand, need to be up the vast majority of the time. Rebuilding servers affects lots of people, often in mission-critical ways. While most servers don’t spend much time browsing the web or receiving emails, some have quite a bit of exposure.

While every Windows server obviously needs anti-malware protection, terminal servers and others providing virtual desktops or remote access could clearly benefit from the real-time protection promised by Microsoft’s Morro project (now officially known as Microsoft Security Essentials). There are those, in fact, who see it as Microsoft’s responsibility to provide malware protection for all of its products, given their penchant for attracting malicious code.

Unfortunately, MSE is only available for Windows XP, Vista, and 7. No mention of servers. No Googling suggested that server support is in the pipeline. While Clamwin does a perfectly adequate job protecting servers, full-blown server anti-malware solutions aren’t cheap and, again, lack MSE’s near real-time updates.

Then again, would you entrust your mission critical servers to a Microsoft anti-malware solution? Take the survey and talk back below.

Should Microsoft provide a server anti-malware solution?

* Yes! I need to save the money and I want the real-time updates
* Yes they should, but I'd still use a 3rd-party solution
* No, Morro should stay consumer-oriented; I want a robust solution
* Who cares? That's what Clamwin is for
Source: zdnet

Sunday, June 14, 2009

Cloud computing security to grow in 2009

While enterprise users continue to spend a large percentage of their workday involved with messaging activities, the Internet remains a dangerous place for users. Websense, for example, reported that 57 percent of attacks are delivered via the Web. Commtouch found that SPAM accounted for 72 percent of all email traversing the Internet in the first quarter of 2009.

At the same time, today’s economic climate favors cost-effective solutions. IT expects to spend significantly less in 2009 than in 2008 on messaging. Nearly half (47 percent) of respondents expected IT spending to be lower in 2009 versus 18 percent who made similar projections last year.

As such, while server-based solutions will continue to dominate the messaging security market, cloud-based solutions will constitute a growing percentage of purchases. The number of respondents who deployed hosted security services grew by nine percentage points since last year. Over the next 12 months hosted anti-spam services, such as those offered by Kaspersky, Trend Micro and more recently Microsoft, are also expected to show their greatest growth.

Comprehensive security solutions will be particularly hot over the next 12 months. Although the vast majority of enterprises today deal with separate vendors for their various best-of-breed solutions, the number of respondents preferring a consolidated, comprehensive, centrally managed messaging security solution doubled, while individual best-of-breed solutions dropped significantly.


Tuesday, May 26, 2009

Steps to Maintain and Secure Your Computer

There are some basic steps for computer maintenance which help users run the computer smoothly:--

1. We should perform the "disk cleanup" task on a regular (weekly) basis.

2. We should perform the "defrag" task on a monthly basis.

3. We should uninstall all unwanted programs from the computer.

4. We should remove all unwanted startup items by using the "msconfig" utility.

5. We should always delete all the temporary Internet files ("temp", "%temp%" and prefetch files) from the computer.

6. We should perform the "scan disk" task on a monthly basis.

7. We should take a backup of important files and the registry before performing any task on the computer.

8. We should keep at least 5% free space on the 'C' drive.

9. We have to use the power button to switch the computer off in critical conditions.

Now I am providing some tips related to "Computer Security" that help users run the computer without any virus threats. These are the steps for "Computer Security":--

1. You should scan your computer using an updated anti-virus program.

2. You should download and install an anti-malware program like "Anti-malwarebytes" for malware issues.

3. You should update the "Anti-malwarebytes" program at regular intervals.

4. You should scan the computer using the "Anti-malwarebytes" program.

5. You should follow the same procedure for the "Superanti-spyware" program as we did for "Anti-malwarebytes".

6. You should delete all the temporary Internet files (temp, %temp% and prefetch files).

Your computer will run smoothly and properly if you follow all the troubleshooting steps above. We can conclude that it is very necessary to have knowledge of "Computer Maintenance and Security" and some support for the computer. These safety guidelines help the user run the computer smoothly and properly. There are also some good companies which provide such support, like iYogi Technical Services Pvt. Ltd, IBM, Microsoft, Dell, HP and many more. We need to update all the security software on a regular basis.

Tuesday, May 19, 2009

Red5 Media Server and Security

Here are the steps to configure SSL for an existing Red5 application.

Software required on the machine where the Red5 server is installed:-

1: OpenSSL // open-source SSL libraries, required for compiling Stunnel

2: Stunnel // open-source SSL wrapper that uses OpenSSL; works on both Windows and Linux

3: gcc // the GNU C compiler (although it is normally bundled with Linux, I did not find it on my machine). Necessary if you are compiling OpenSSL and Stunnel from source; not required if using RPMs.

Configuration needed on the server machine:-

1:- Install OpenSSL (on Windows use the .exe installer; for a Linux machine the RPM or the source can be downloaded from the OpenSSL website).

2:- Install Stunnel (on Windows use the .exe; otherwise the RPM or compilation from source is preferred, and can be downloaded from the Stunnel website). Make sure that you have already compiled OpenSSL on your machine before proceeding with the installation of Stunnel; otherwise it will fail to compile.

Under Linux the standard commands to compile Stunnel from source are shown below. For any update, always follow the installation instructions on the Stunnel website.

machine# gzip -dc stunnel-VERSION.tar.gz | tar -xvf -
machine# cd stunnel-VERSION
machine# ./configure
machine# make
machine# make install

There are several configure options that depend on your machine and environment; they are documented on the Stunnel website.

3:- Running Stunnel
To run stunnel you always need a configuration file. How to make a sample configuration file (stunnel.conf) is described below.

The sample configuration file used was like this:

sample.conf

; Sample stunnel configuration file by Sunil Gupta 2007
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment

cert = /etc/stunnel/stunnel.pem
;chroot = /var/run/stunnel/
pid = /stunnel.pid
key = /etc/stunnel/stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
Output = /var/log/stunnel.log
foreground=yes
; Use it for client mode
; client = yes
; Service-level configuration

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

[rtmps - https]
TIMEOUTconnect=20
accept = 443
connect = 80
TIMEOUTclose = 20

; vim:ft=dosini

Finish

Note:- When you install Stunnel you get a default sample file, which in most cases is not enough to run the Flash application. The additions I made to the configuration file are as follows.
A line starting with ; is a comment in this file.

cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem

PEM stands for 'Privacy Enhanced Mail', the file format used here for the key and certificate. The two lines above give the location of the PEM file that the user needs to generate. This is the usual location for Stunnel, although you can change it to any location you like.

;Some performance tunings

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

The two lines above tune the socket options for better Stunnel performance in our case.

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

The option above works around a bug in a specific platform (the Eudora client). Since we are running on Linux we leave this line commented, although it could be needed in some cases.

; Some debugging stuff useful for troubleshooting
debug = 7
Output = /var/log/stunnel.log
foreground=yes

The lines above are very important, because Stunnel by default runs in background mode and you will never see whether it is running. So it is better to put it in the foreground, so that you can make sure stunnel is running properly. debug = 7 is also very important, since by default stunnel does not generate any log; you can direct it to generate one, so that you can debug your application by reading the log messages. The log directory given above is the default Linux directory where all system logs are written.

; Use it for client mode
; client = yes

In the sample configuration file you will always find this option un-commented, which leads to a different architecture. Since we are running Stunnel in server mode, not client mode, we comment this line out.

[rtmps - https]
TIMEOUTconnect=20
accept = 443
connect = 80
TIMEOUTclose = 20

The very last lines are shown above. In the sample configuration file you will never find rtmps, and it is not mentioned anywhere in Stunnel; the default file contains only https, so add rtmps as it is added here. The accept port is 443, the default port for secure communication, which like port 80 is generally open on corporate firewalls. This is the port that accepts the connection from Flash and receives the encrypted data. The connect port is 80; this is the port to which stunnel forwards the decrypted data, i.e. the Red5 server.
TIMEOUTconnect and TIMEOUTclose can be useful when the server to which Stunnel forwards the data is slow to connect. They make sure the connection is closed only when the server is not responding at all. The value is in seconds (i.e. 20 sec.)
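The configuration walked through above, linted as an added example (this is not code from the original post or from the Stunnel project): `parse_stunnel_conf` reads the stunnel.conf format shown here, and `lint` flags the settings that are fine for a first test but not for production. Both configurations are constructed; `HARDENED_CONF` is an assumed hardened variant with a separate key file, a chroot and dropped privileges.

```python
"""Lint a stunnel.conf of the kind built above (rtmps on 443 -> Red5 on 80)."""
import re

# Constructed: the active lines of the server-mode configuration the post arrives at.
POST_CONF = """\
cert = /etc/stunnel/stunnel.pem
;chroot = /var/run/stunnel/
pid = /stunnel.pid
key = /etc/stunnel/stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
Output = /var/log/stunnel.log
foreground=yes
; client = yes

[rtmps - https]
TIMEOUTconnect=20
accept = 443
connect = 80
TIMEOUTclose = 20
"""

# Constructed (assumed hardening, not from the post): separate key file, dropped
# privileges and a chroot; the pid file path is then relative to the chroot jail.
HARDENED_CONF = """\
cert = /etc/stunnel/stunnel.crt
key = /etc/stunnel/stunnel.key
chroot = /var/run/stunnel/
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid
debug = 5
output = /var/log/stunnel.log

[rtmps]
accept = 443
connect = 80
TIMEOUTconnect = 20
TIMEOUTclose = 20
"""

SYSLOG_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                 "warning": 4, "notice": 5, "info": 6, "debug": 7}


def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); option names lowercased (stunnel is
    case-insensitive), each mapped to a list so repeated keys like 'socket' survive."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1).strip(), {})
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(name.lower(), []).append(value)
    return global_opts, services


def _last(opts, name, default=None):
    """Last value given for an option (later lines override earlier ones)."""
    return opts[name][-1] if name in opts else default


def _debug_level(value):
    """'7', 'debug' or 'local7.debug' -> numeric syslog severity."""
    level = value.rsplit(".", 1)[-1].lower()
    return int(level) if level.isdigit() else SYSLOG_LEVELS.get(level, 5)


def lint(text):
    """Findings for a server-mode stunnel configuration, in file order."""
    g, services = parse_stunnel_conf(text)
    findings = []
    if _last(g, "client", "no").lower() == "yes":
        findings.append("client = yes: terminating TLS for Red5 needs server mode")
    if _last(g, "cert") and _last(g, "cert") == _last(g, "key"):
        findings.append("cert and key are the same file; keep the private key in its own 0600 file")
    if "chroot" not in g or "setuid" not in g:
        findings.append("no chroot/setuid: stunnel keeps root after binding port 443")
    pid = _last(g, "pid", "")
    if "chroot" not in g and pid and not pid.startswith(("/var/run/", "/run/")):
        findings.append(f"pid = {pid} is outside the runtime directory and no chroot contains it")
    if _debug_level(_last(g, "debug", "5")) >= 7:
        findings.append("debug = 7 logs every handshake detail; use 5 (notice) once verified")
    if _last(g, "foreground", "no").lower() == "yes":
        findings.append("foreground = yes is for troubleshooting; run as a service in production")
    return findings
```

Running `lint(POST_CONF)` reports five findings and `lint(HARDENED_CONF)` none.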

Now, in order to run your application over a secure connection, you need a certificate created on the machine where Stunnel is installed. The procedure for creating a certificate, and the directory to put it in, is described below.

Use of certificate:-

When an SSL client connects to an SSL server, the server presents a certificate, essentially an electronic piece of proof that the machine is who it claims to be. This certificate is signed by a 'Certificate Authority' (hereafter a CA), usually a trusted third party like Verisign. A client will accept this certificate only if:
1. the certificate presented matches the private key being used by the remote end;
2. the certificate has been signed correctly by the CA; and
3. the client recognizes the CA as trusted.

Every stunnel server has a private key. This is contained in the pem file which stunnel uses to initialize its identity. As noted above, we referenced this pem file at the start of our configuration file under cert.

This private key is put in /usr/local/ssl/certs/stunnel.pem.

Note:- In client mode we do not need a certificate in most cases, but if we are running in server mode we require one. Since we are using server mode, I have generated a self-signed certificate.

To make a certificate:-

1: Go to the /etc/stunnel directory and
2: Run the following command:-

openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

This creates a private key and a self-signed certificate. More information on the options can be found in the FAQ section of the Stunnel website.

While executing the command it will ask some questions like Country, City, Company etc.; answer them and it will generate the key and self-signed certificate.

4:- Put your sample.conf file in the /etc/stunnel directory where the .pem file was created earlier.

5:- Start Stunnel by issuing the command -

machine# stunnel stunnel.conf

if you are in the /etc/stunnel directory; otherwise give the complete path of the configuration file -

machine# stunnel /etc/stunnel/stunnel.conf

The above command starts stunnel, and you can verify the log in the /var/log/stunnel.log file.

Red5 server side changes:-

6:- Now that stunnel is up and running, we need to change the Red5 configuration to accept the connection from Stunnel.

Go to the red5 installation directory and find the conf folder, where all red5 configuration files live.

Open the red5.properties file and set the rtmps.host_port property to 443. The sample file can look like the one below.

rtmp.host_port = 0.0.0.0:1935
rtmp.threadcount = 4
debug_proxy.host_port = 0.0.0.0:1936
proxy_forward.host_port = 127.0.0.1:1935
rtmps.host_port = 127.0.0.1:443
http.host=0.0.0.0
http.port=5080
rtmpt.host=0.0.0.0
rtmpt.port=80

Flash client side changes:-

7:- Now we are done with the server side. In order to run the application under SSL, we need to change the client-side protocol from rtmp to rtmps as below. Then compile the Flash client and run it in the browser; a certificate prompt will pop up, accept it and the application will run under SSL.

nc.connect ("rtmps://yourip/applicationname"); //used rtmps in place of rtmp

Source: http://ezinearticles.com/?Red5-Media-Server-and-Security&id=1226458

Wednesday, May 13, 2009

How to Extract IDs and Security Policy from Windows Servers?

Windows server security is a main concern because the server is the heart of a small business, so it is better to provide good server security, and we have to review all server security within a short span of time.

Check the password policy set in the Windows operating system, i.e. whether a password is required, whether passwords expire, and the minimum password length. Weak passwords, or IDs without passwords, are an open invitation for an intruder to hack into your computer systems.

Step 1: How to extract IDs and security policies from the Windows server.

a) I use a neat free tool called Somarsoft ACL.

b) Install the tool and Run DumpSec program.

c) Extract the permissions of user, group, file system, registry, password policy and other information you find useful.

Step 2 Cross check the IDs with the Administrator

a) Once you have extracted this information, cross-check with the administrator whether all the IDs and the password policy extracted by the tool are valid and necessary.

b) Delete or disable the unnecessary IDs and enforce a stronger password policy.

c) Further, ensure that only IDs that are absolutely required are active, and enforce a strong password policy using Windows Active Directory, e.g. complex alphanumeric passwords and 180-day password expiration. As for PCs, make sure the administrator password is changed and known only to yourself/the office administrator.

d) Everyone else should use basic IDs.

e) Activate a password for the screen saver, to lock the PC screen when there is no activity for, say, 10 minutes.

f) Educate all users on the importance of computer security.

g) One of the reminders I usually highlight is do not share passwords and do not stick the password in front of the computer monitor for all to view.

Source: Ezine
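An added check for Step 2 above (not from the post, from DumpSec or from Microsoft): it parses the output of the built-in `net accounts` command, used here as a stand-in for the DumpSec policy dump, and reports each setting that falls short of the policy the post recommends. Both reports are constructed, and every threshold except the 180-day expiry is an assumed baseline.

```python
"""Review a Windows password/lockout policy from `net accounts` output."""
import re

# Constructed `net accounts` output for a server with the weak settings the post warns about.
WEAK_REPORT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

# Constructed output after applying the post's recommendations (180-day expiry, strong passwords).
HARDENED_REPORT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          180
Minimum password length:                              12
Length of password history maintained:                24
Lockout threshold:                                    10
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

# Assumed thresholds: the post states only the 180-day expiry; the rest are common baselines.
POLICY = {"max_age_days": 180, "min_length": 8, "min_history": 5, "max_lockout_threshold": 10}


def parse_net_accounts(text):
    """Map each 'Label:   value' line to {label: value}; the status line has no ':' and is skipped."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(\S.*)$", line)
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy


def _count(value):
    """'Never', 'None' and 'Unlimited' all mean 'no limit' -> None; otherwise an int."""
    return None if value in ("Never", "None", "Unlimited") else int(value)


def check_password_policy(text, policy=POLICY):
    """Return the list of findings where the reported policy is weaker than `policy`."""
    p = parse_net_accounts(text)
    findings = []
    length = _count(p["Minimum password length"]) or 0
    if length == 0:
        findings.append("blank passwords are allowed (Minimum password length = 0)")
    elif length < policy["min_length"]:
        findings.append(f"Minimum password length {length} is below {policy['min_length']}")
    age = _count(p["Maximum password age (days)"])
    if age is None:
        findings.append("passwords never expire (Maximum password age = Unlimited)")
    elif age > policy["max_age_days"]:
        findings.append(f"Maximum password age {age} days exceeds {policy['max_age_days']}")
    history = _count(p["Length of password history maintained"]) or 0
    if history < policy["min_history"]:
        findings.append(f"password history {history} allows quick reuse (want >= {policy['min_history']})")
    threshold = _count(p["Lockout threshold"])
    if threshold is None:
        findings.append("no account lockout (Lockout threshold = Never): online guessing is unlimited")
    elif threshold > policy["max_lockout_threshold"]:
        findings.append(f"Lockout threshold {threshold} is above {policy['max_lockout_threshold']}")
    return findings
```

`check_password_policy(WEAK_REPORT)` yields four findings; the hardened report yields none.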

Monday, April 13, 2009

Microsoft pushes back Forefront security

Forefront Server Security for Exchange (messaging security) and Threat Management Gateway (the next version of what used to be called ISAS, Microsoft's enterprise firewall and caching software) are now expected to arrive in Q4 2009.

Management console and Forefront Security for SharePoint (portal security) are penciled in for arrival only in the first half of 2010. Forefront Client Security 2.0 (endpoint security - anti-malware and firewall - for corporate PCs) has also been delayed till the first half of next year.

In a posting on the Forefront security blog, Microsoft said the delay was needed to add improved behavior-based anti-malware protection and to improve integration with third-party security applications. The security giant expects to ship a second beta of Stirling and a release candidate prior to the final release.

Microsoft said its behavior-based anti-malware protection, which it calls Dynamic Signature Service, will help "deliver more comprehensive endpoint protection for zero day attacks" by complementing existing "advanced heuristics, dynamic translation and real time application scanning for kernel level malware with a sophisticated approach to on-demand threat mitigation".

Knock-on effects of that rather than a desire to add behavior-based detection, a term that has more to do with marketecture than technology, strike us as a more plausible reason for the delay.

Blocking malware based on what it does, rather than by recognizing its signature, is an easy enough concept to grasp but one that's frequently mired in rival marketing claims. Some vendors describe heuristic and generic detection, which many of the leading anti-virus engines have incorporated for years, as behavior-based while other make a differentiation and say the technology is the next leap forward.

Microsoft is serious about sales of security server software, and we've met several enthusiastic resellers and corporate users of ISAS over the years.

Source From: http://www.theregister.co.uk/2009/04/07/ms_forefront_postponed/

Friday, January 30, 2009

How to Apply Security on a Windows Server 2003-based Cluster Server

1. You must test the deployment of a security template in a lab environment before you deploy it in a production environment if the following conditions are true:
* The Default Domain Policy setting has been changed.
* The cluster server nodes already exist in the domain.
* The cluster server nodes have received domain policies from a Group Policy object (GPO).
Typically, GPOs are implemented by making changes to registry keys on the computers where these GPOs are applied. Many of the changes to the registry that are made by a GPO are not removed or returned to their default settings if the GPO is no longer applied. Therefore, even when a GPO is no longer applied, this does not guarantee that the effects of the GPO are successfully reversed.

2. Before you configure the Domain policies on your computer to use the No Override option, you must determine how the reconfigured Domain policies will affect the cluster server nodes. Typically, reconfigured Domain policies affect the cluster server nodes in several ways. For example, if you configure the Domain policies on your computer to use the No Override option, the No Override option may generate the following behavior:
* User rights that the cluster service account needs are removed.
* The cluster service account is removed from the local administrators group because of a Restricted Groups policy.
* Strict LAN Manager authentication levels are implemented.
* More restrictive remote procedure call (RPC) authentication policies are imposed.

3. If the No Override option is not configured for use by the Domain policies, you must configure a separate organizational unit (OU) for the cluster server nodes with inheritance blocked. If inheritance is blocked, policies from the domain are not applied to the OU. If the No Override option is selected on a domain level policy, the setting on the OU has no effect.

4. Before you join the cluster server nodes to the domain, you must pre-stage the computer accounts in an OU where inheritance is blocked. This prevents the cluster server nodes from picking up policies that are applied to the default Computers container in the Active Directory directory service.

Note You must not modify the default cluster OU policy now.

5. After you have joined the cluster server nodes to the domain, you must configure and verify the basic cluster server functionality. Then, you must apply more restrictive security settings by using the security template. Alternatively, configure an OU GPO, and then import the template after you make modifications and export the template.

Note We recommend that you do not modify the default GPO for a container. Create a new policy instead. Modify the new policy that you have created, or import a security template into this new policy.

6. Before you install an additional cluster resource or individual program, you must confirm that the cluster functionality works correctly with the security settings that you have applied. Additionally, you must review the security guidelines and the hardening procedures of each cluster server resource and of each program that you want to install.

For example, to view the Microsoft Exchange Server 2003 Security Hardening Guide, visit the following Microsoft TechNet Web page:

7. Apply the hotfix that is described in the following Knowledge Base article to each cluster server node before you apply the security settings that are included in the template:
890761 (http://support.microsoft.com/kb/890761/ ) You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003
Notes
* Hotfix 890761 is included in Windows Server 2003 Service Pack 1.
* If Hotfix 890761 is not applied to the cluster server nodes, you must modify both the LAN Manager authentication process and RPC security in the security template.

8. After you apply the hotfix that is described in step 7, load the template into the Security Configuration and Analysis snap-in. Then, verify the configuration and the functionality of each cluster server node.

9. After you complete step 8, you may have to change the Cluster Service and Distributed Transaction Coordinator Service settings in the template. Both of these settings are set to Disabled in the template. Reset them to Enabled. The Distributed Transaction Coordinator Service setting is specifically mentioned here because this service frequently must be clustered.

10. Restart the cluster servers. The cluster server services now function correctly.

Source: http://support.microsoft.com/kb/891597

Friday, January 23, 2009

Microsoft Updates Critical SMB Server Flaws

Microsoft issued a single SMB server security update Tuesday, patching critical flaws in the Server Message Block (SMB) that could be exploited by an attacker to access sensitive data or create a new account with full user rights.

The update addressed two critical remote code execution vulnerabilities and a denial-of-service flaw in the way the server handles SMB packets. An attacker could pass a message with malicious code to a computer running the server service. Microsoft said an attacker would not require authentication to exploit the flaw.

Paul Henry, security and forensic analyst at patch management vendor Lumension Security Inc., called the update some "fine tuning" of an earlier update issued by Microsoft. Microsoft bulletin MS08-068 addressed Windows authentication protocols affecting the SMB server. The SMB mishandled the challenge/response procedure, allowing an attacker who exploits it properly to gain access to files and assign full user rights.

"It's rated critical but [Microsoft is] saying that there's a very low likelihood of exploit code being generated for it," Henry said. "The critical rating follows the legacy products but it drops to a medium with Vista and Windows Server 2008. The code base for [Windows Server] 2008 and Vista is showing its strength."

Henry said the update should be relatively easy to deploy, but it will require a restart. The last SMB update caused some problems for administrators who attempted to deploy a workaround. Some had printers and other devices fail, Henry said.

Eric Schultze, chief technology officer at patch management vendor Shavlik Technologies LLC, said the update should be a high priority. In a statement, Schultze said the vulnerabilities are similar to what prompted the Blaster and Sasser worms a few years ago.

"We expect to see a worm released for this in the very near future," he said. "The only pre-requisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS (File and Printer Sharing) ports (TCP 139 or 445). By default, most computers have these ports turned on."

As a workaround, users can block TCP ports 139 and 445 at the firewall, although blocking those ports can halt important applications or services, Microsoft said.

"Remote attackers, even without a username and password, can take advantage of this issue and execute any commands they wish on the vulnerable server," Alfred Huger, vice president of Symantec Security Response wrote in an email message.

In Microsoft's MS09-001 bulletin, it said the flaws could be exploited remotely and rated it as critical for Microsoft Windows 2000, Windows XP, and Windows Server 2003, and moderate for all supported editions of Windows Vista and Windows Server 2008.

Source: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1344842,00.html

Wednesday, November 26, 2008

Planning for Print Server Security

Planning for print server security is vital in order to protect your organization’s resources. As with any production server, you need to protect the physical print server and safeguard access to data stored on the server. Consequently, your security plan must address three areas:
  • Physical location
  • Group Policy settings
  • Printer permissions

Ensuring the Physical Security of Each Print Server

Locate your print servers in a physically secure location that only designated individuals can access. Allowing unauthorized access to your print servers risks harm to the system. In addition, consider to what extent you also need to restrict physical access to network hardware. The details of implementing these security measures depend on your physical facilities as well as your organization’s structure and policies.

Securing the Print Environment

Windows Server 2003 adds new Group Policy settings that affect how clients connect to print servers on the network. Two of these policy settings are particularly useful for security.

Allow print spooler to accept client connections: This Group Policy setting, which is configured on the server, determines how clients access the print server over the network. If an individual with administrative credentials creates shared printers for use by managed clients, the spooler automatically allows connections upon creation of the first shared printer. If a virtual spooler resource is created on a clustered server, the spooler likewise automatically allows connections. If no shared printers or virtual spooler resources already exist, you might need to enable this policy setting by using the Computer Management snap-in from a remote computer. To administer print services on a server running Windows Server 2003, log on to the server locally, or log on remotely through a Remote Desktop session.

Point and Print restrictions: This Group Policy setting, which is configured on client computers, determines the print servers to which the client can connect. To provide a higher level of security for managed workstations, this policy setting controls a client computer’s ability to connect to and install a printer driver from specified print servers. By default, managed clients can use Point and Print only with servers that are within their forest. An administrator can use this policy to add additional servers to the list of trusted print servers. Alternatively, administrators can disable this policy to enable managed clients to connect to any accessible print server and install a printer driver from it.

Using Printer Permissions to Control Access to Shared Printers

Even if the physical server is in a secure room, the print server might still be accessible through remote administration tools. Therefore, you need to implement methods for restricting access to remote administration of print servers. You can restrict access to a print server by setting printer permissions.

Source: /technet.microsoft.com/en-us/library/cc780641.aspx

Wednesday, November 12, 2008

Understanding the Roles of Server 2003 Security Policies

Windows domains rely on policy-based security mechanisms, but Windows security policy deployment can be confusing to the uninitiated. What's the difference between the local security policy, domain security policy and domain controller security policies? When and how do you use each? How do you use site GPOs and OU GPOs for best security, and how do they all interact together? What security policy tools are included with the operating system and how is each used? This article will provide an overview of the roles of Server 2003 security policies and how to use them to secure your systems and network.

Policy-based Security: What does it Mean?

A security policy can be defined as a set of rules and practices that govern how an organization manages and protects its assets (which can include facilities, equipment, infrastructure or information). IT security focuses on the protection of:

  • Computer systems/software
  • Network connectivity
  • Sensitive or confidential information

Policy-based security, then, begins by defining the organization’s philosophy and priorities in regard to protection of the above. This is the management definition of “security policy.” Application of the rules and practices outlined in the policy statement is then accomplished via the technical definition of “security policy.”

In this context, a security policy is a template used to select and configure the various security mechanisms supported by the operating system or application. Modern Windows operating systems support many different types of security policies, which are configured through the Group Policy interface.

Server 2003 Security Policies

Security policies that can be configured through the Server 2003 GUI and command line tools include:

  • Account policy: allows you to define password requirements (length, complexity, maximum age, history), lockout parameters (number of permitted logon attempts, duration of lockout) and Kerberos policy (how long tickets are valid and renewable, and the permitted clock skew).
  • Audit policy: allows you to set up security auditing and define which events will be logged (for example, failed/successful logon attempts, access to specific resources, etc.).
  • Cryptographic policy: allows you to control the algorithms used by TLS/SSL.
  • Domain policy: allows you to add and remove computers and create trusts between domains.
  • Firewall policy: allows you to set standard policies for Windows Firewall for all the computers within a domain or OU.
  • IPsec policy: allows you to configure the use of Internet Protocol Security (IPsec) to encrypt data in transit over the network.
  • EFS policy: allows you to define whether EFS can be used to encrypt files and folders on NTFS partitions.
  • Disk quota policy: allows you to enable/disable and define defaults for disk quotas, and specify what happens when a quota limit is reached.
  • PKI policy: allows you to define support for PKI policies regarding auto-enrollment for digital certificates issued by the Windows Server 2003 certification authority.
  • Smart card usage policy: allows you to require smart cards to be used for Windows logon to provide multi-factor authentication.

Group Policy Objects

Security settings can be applied through Group Policy Objects (GPOs) at various levels of the Active Directory hierarchy. A GPO is essentially a collection of policy settings that affect users and computers, and which is associated with an Active Directory container object (site, domain, OU) or local computer. One GPO can be linked to multiple containers or multiple GPOs can be linked to a single container. Group policies are inherited by child objects and are applied from highest to lowest. Group policies are processed in the following order:

  • Local GPO (applies to the local computer only). This is accessed via the Local Security Policy interface described above.
  • Site GPO (applies to all users and computers in all domains in the site). These are accessed and edited through the Group Policy tab on the Properties sheet of a site, which you access by right clicking the site in the Active Directory Sites and Services administrative tool.
  • Domain GPO (applies to all users and computers in the domain). These are accessed via the Active Directory Users and Computers tool or the Group Policy Management console as described above.
  • OU GPO (applies to all users and computers in the OU, and in any OUs nested within the OU). These are accessed through the Group Policy tab on the Properties sheet of the OU, which you access by right clicking the OU in the Active Directory Users and Computers MMC.
As you can see, Group Policy applies to all the users and computers in the container to which the GPO is linked. It is not applied to security groups directly, but you can filter a GPO by security group: only principals that hold both the Read and Apply Group Policy permissions on the GPO receive it, so granting or denying those permissions to a group controls who is affected.

Group Policy information for all but local policies is stored in Group Policy containers and in the Group Policy template. The Group Policy container is an area in the Active Directory. The Group Policy templates are folders located in the \Policies folder within the SysVol folder on the domain controllers. Each template folder contains a file named Gpt.ini in its root, which stores information about the GPO. The domain in which each GPO (except those for local policies) is stored is the storage domain. A GPO can be linked to domains other than the one in which it’s stored.

Via:windowsecurity.com

Friday, November 7, 2008

How to check Your Web Server Security

Actions performed by an attacker on a server do not always affect its functionality, so a compromise can go unnoticed. It is therefore always advisable to check the server's security rather than wait for an attack to show itself. Start with the resources an intruder is most likely to consume.

You can check CPU usage by running the top command and looking for applications or scripts that consume your CPU.

For strange processes, check with the ps -awux command.

Check the /tmp and /var/tmp directories for scripts and binaries copied there.

When a server is compromised, the attacker may use it to host an IRC bot such as psybnc or eggdrop, which connects out to port 6667. You can check whether any of your applications connect to that port with sockstat:

#sockstat | grep 6667

If there is not much traffic on your server, you can use the netstat command to see whether suspect connections are being made:

#netstat -a

Bear in mind that a rootkit can replace ps, netstat and sockstat themselves so that the intruder's processes and connections are hidden from their output; where the results look too clean, compare them with a copy of the tools from known-good media.

Install a rootkit finder such as rkhunter (/usr/ports/security/rkhunter on FreeBSD) and run it regularly.
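The two checks above, as an added example that is not part of the original post: a filter that pulls IRC-port connections out of a netstat listing, and a scan for executables left in the world-writable temp directories. Both read from files or stdin so they work on a saved listing as well as on live output. The netstat lines and the temp directory contents are constructed for the demo; the port list (6660-6669, 6697, 7000) is an assumption about what bots commonly use, with 6667 being the port the post names.

```shell
#!/bin/sh
# Added example, not from the original post: two checks for the signs described
# above. Input comes from files or stdin so the same functions work on a saved
# "netstat -an" listing and on live output.

# Constructed "netstat -an"-style listing (Linux column layout) for the demo.
# Two of the connections go to IRC ports; the rest are normal web/ssh traffic.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:45812      192.0.2.44:6667         ESTABLISHED
tcp        0      0 203.0.113.10:45813      192.0.2.45:6697         ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.9:40001      ESTABLISHED'

# Print established TCP connections whose remote port is an IRC port:
# 6660-6669 (plain IRC, 6667 being the default) plus 6697 and 7000 (IRC over
# TLS). Reads a netstat listing on stdin. The port is the last ":"-separated
# part of the foreign-address column, which also works for IPv6 (:::80).
irc_connections() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, a, ":"); port = a[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 6697 || port == 7000) print
        }'
}

# List executable regular files under a directory, the kind of thing an
# intruder drops in /tmp or /var/tmp. Prints one path per line, nothing if clean.
executables_in() {
    find "$1" -type f -perm -100 2>/dev/null | sort
}

# Live use:
#   netstat -an | irc_connections
#   executables_in /tmp; executables_in /var/tmp; executables_in /dev/shm
```

Run both from cron and mail yourself anything they print; an empty report is the normal case, so any output is worth a look.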

Source:blog.eukhost.com/

Friday, October 31, 2008

10 Important Steps to Secure Server

Sometimes your server is compromised but the actions taken by the attacker do not affect its functionality, so you may never find out that the machine was compromised.

It is therefore good to check your server's security from time to time and look for strange activity or processes on the system.

Following are the ways to secure your server:-

1) Use a Firewall

Make absolutely sure that your server has a firewall running all the time. A firewall is like a screen door on your porch: it blocks out flies, rodents and other pests, but you can still walk out and use your BBQ. If someone gets into your server, which is more likely than you think, the first thing they will try to do is upload something to start a daemon or their own service (an IRC server, for example) or use a port to launch attacks on other systems. A firewall with both ingress and egress filtering can stop incoming and outgoing attacks even when you are not aware of them. We recommend APF on Linux systems or TinyFirewall on Windows servers. These are software firewalls, so there is no extra monthly cost as with a hardware firewall; for very busy systems a hardware firewall is recommended so that the filtering does not burden your system's CPU, RAM and other resources.

2) Update your kernel and OS

Make sure your server is running current, updated software. Use the stable release, which has been tested far more than any beta, and apply updates as soon as possible. An old kernel makes your server an easy target. If you are not sure, ask your provider for the latest update.

3) Monitor Logs

Do you know which logs record which activities, and how often they are updated and rotated? LogWatch is a great tool that emails you a daily report of anything it determines to be unusual in your system's activity, e.g. repeated failed logins. Besides using it, you should check your logs manually to see what is going on: tail -f /var/log/messages (authentication events usually land in /var/log/auth.log on Debian-based systems and /var/log/secure on Red Hat-based ones) and view your Apache logs as well. Apache Log Files Explained
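The "repeated failed logins" check LogWatch does for you, as an added example that is not part of the original post: a function that counts sshd "Failed password" lines per source address and reports every source at or above a threshold. The log lines are constructed for the demo (RFC 5737 documentation addresses); the line format is the standard syslog form sshd writes, and the threshold default of 3 is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original post: the "repeated failed logins" check
# that LogWatch does for you, as a function you can run by hand over
# /var/log/auth.log (Debian) or /var/log/secure (RHEL), or over sshd's lines
# in /var/log/messages on systems that put them there.

# Constructed sshd log lines for the demo (RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG='Nov  7 03:12:01 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Nov  7 03:12:03 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Nov  7 03:12:05 web1 sshd[2213]: Failed password for root from 198.51.100.23 port 41030 ssh2
Nov  7 03:12:09 web1 sshd[2215]: Accepted publickey for deploy from 203.0.113.5 port 50122 ssh2
Nov  7 03:12:11 web1 sshd[2217]: Failed password for root from 192.0.2.9 port 3310 ssh2
Nov  7 03:12:40 web1 sshd[2219]: Accepted password for alice from 203.0.113.5 port 50130 ssh2'

# Count sshd "Failed password" lines per source address and print
# "<count> <address>" for every source at or above the threshold (default 3),
# busiest first. Reads log lines on stdin. The address is the word after
# "from", so the pattern does not care whether the user name was valid.
failed_login_sources() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
        }
        END { for (ip in c) if (c[ip] >= t) printf "%d %s\n", c[ip], ip }' | sort -rn
}

# Live use, e.g. from cron so the report lands in your mailbox like LogWatch's:
#   failed_login_sources 5 < /var/log/auth.log
```

Successful logins from an address that was previously brute-forcing you are the next thing to look for; "Accepted password" lines sharing a source with the failures are the usual sign that a guess landed.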

4) Backups

I still do not understand why so few people back up their data. If you spend hundreds of hours working on your website or application, you absolutely must have a second hard drive for backups, a remote backup system, or a combination of the two. Second Hard Drive Means Life or Death

5) Limit Access to a Minimum

Do not give users more access than the absolute minimum they require. Never give them shell access, restrict file access to a bare minimum, and leave other services turned off by default until they are specifically requested and you have determined that enabling them is safe.

6) Lock down PHP and use Mod_Security with Apache

PHP is a large security risk, but there are a few things you can do to lock it down. CGI has suEXEC, which runs processes as the owning user, and PHP has something similar called phpSuExec, but both have drawbacks. You should also use open_basedir restrictions, have safe_mode on system-wide, and turn off register_globals, enable_dl and allow_url_fopen to lock things down further. (safe_mode was deprecated in PHP 5.3 and removed in 5.4; on those releases rely on open_basedir, disable_functions and per-user process separation instead.)

You can add server-wide protection with mod_security, a web server filter that checks every request against a rule set and reacts by logging it, denying it or invoking other programs. I highly recommend it on Apache-based servers; it can be extremely useful in blocking attacks and stopping hackers before they do any damage. Securing Safe Mode , Installing Mod_Security
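A check for the php.ini lock-down described above, as an added example that is not part of the original post: the function reads a php.ini and prints each directive that is not in its hardened state. It covers the directives the post names (register_globals, enable_dl, allow_url_fopen, open_basedir) plus allow_url_include, expose_php, display_errors and disable_functions, which are my additions; safe_mode is deliberately left out because it no longer exists in PHP 5.4 and later. Both ini fragments are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini against the
# lock-down above. It flags the directives that should be Off and the two
# (open_basedir, disable_functions) that should be set to something.

# Constructed php.ini fragments: a typical weak one and a hardened one.
WEAK_PHP_INI='; constructed weak configuration
[PHP]
register_globals = On
allow_url_fopen = On
display_errors = On
expose_php = On'

HARDENED_PHP_INI='; constructed hardened configuration
[PHP]
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
enable_dl = Off
expose_php = Off
display_errors = Off
open_basedir = /var/www:/tmp
disable_functions = exec,system,passthru,shell_exec,proc_open,popen'

# Print one finding per line for $1 (a php.ini path); prints nothing when the
# file is hardened. A directive that is absent is reported too, because the
# compiled-in default may be On (allow_url_fopen and enable_dl are). Values
# are lower-cased and "", "0" and "1" normalised to off/on, so an empty
# open_basedir or disable_functions counts as unset.
php_ini_findings() {
    awk -F'=' '
        /^[[:space:]]*;/ || /^[[:space:]]*\[/ || !/=/ { next }
        {
            key = $1; val = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            val = tolower(val)
            if (val == "0" || val == "") val = "off"
            if (val == "1") val = "on"
            seen[key] = val
        }
        END {
            n = split("register_globals allow_url_fopen allow_url_include enable_dl expose_php display_errors", off, " ")
            for (i = 1; i <= n; i++)
                if (!(off[i] in seen) || seen[off[i]] != "off") print off[i] " should be Off"
            if (!("open_basedir" in seen) || seen["open_basedir"] == "off")
                print "open_basedir should restrict scripts to the web root"
            if (!("disable_functions" in seen) || seen["disable_functions"] == "off")
                print "disable_functions should list exec,system,passthru,shell_exec,proc_open"
        }' "$1"
}

# Live use:  php_ini_findings /etc/php.ini   (or whichever file "php --ini" reports)
```

Remember that per-directory php.ini files, .htaccess php_flag lines and ini_set() calls can override the global file, so a clean global audit is necessary but not sufficient.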

7) Lock /tmp /var/tmp and /dev/shm partitions

On Linux, each mount point can carry its own access restrictions. Since /tmp, /var/tmp and /dev/shm are world-writable, they are often home to uploads, session storage and hacker executables, and because anyone can read, write and execute there they are a major security concern. With /etc/fstab you can limit what can be done in these locations: if you see defaults beside the /tmp line, replace it with noexec,nosuid (and nodev), which stops executables from being run from that filesystem and setuid files from gaining privileges there. Do the same for /dev/shm (a tmpfs mount rather than a disk partition) and make /var/tmp a symbolic link to /tmp. The change can be applied without a reboot with mount -o remount,noexec,nosuid /tmp. Note that some package managers and installers unpack and run scripts from /tmp and will fail under noexec; point them at another directory with TMPDIR, or remount with exec only for the duration of the install. Securing Your TMP Partition
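A way to verify the fstab edit above on every host you manage before rebooting, as an added example that is not part of the original post: the function reports which of nodev, nosuid and noexec an fstab entry lacks. The two fstab files are constructed for the demo; the device names in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check which of the protective
# mount options are missing from an /etc/fstab entry, so you can verify the
# edit described above before you reboot (and on every host you manage).

# Constructed fstab files: the "defaults" case the post warns about, and the
# fixed one. Device names are placeholders.
WEAK_FSTAB='/dev/sda1  /         ext3   defaults  1 1
/dev/sda3  /tmp      ext3   defaults  1 2
tmpfs      /dev/shm  tmpfs  defaults  0 0'

HARDENED_FSTAB='/dev/sda1  /         ext3   defaults             1 1
/dev/sda3  /tmp      ext3   nodev,nosuid,noexec  1 2
tmpfs      /dev/shm  tmpfs  nodev,nosuid,noexec  0 0'

# Print the options among nodev, nosuid and noexec that the fstab entry for
# mount point $2 in file $1 lacks, one per line; "not-in-fstab" if there is no
# entry; nothing if the entry is fully hardened. Comment lines are skipped.
fstab_missing_opts() {
    awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            found = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
        }
        END {
            if (!found) { print "not-in-fstab"; exit }
            split("nodev nosuid noexec", want, " ")
            for (i = 1; i <= 3; i++) if (!(want[i] in have)) print want[i]
        }' "$1"
}

# Live use, then apply without a reboot:
#   fstab_missing_opts /etc/fstab /tmp
#   mount -o remount,nodev,nosuid,noexec /tmp
# Check what is actually mounted, because fstab and reality can differ:
#   mount | grep ' /tmp '
```

"not-in-fstab" for /tmp means /tmp is a plain directory on the root filesystem, and mount options cannot restrict it at all; that is the case where the post's advice to put /tmp on its own partition (or a tmpfs) applies.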

8) Intrusion Detection System (IDS)

An intrusion detection system (IDS) is like a burglar alarm on your server. A host-based file-integrity checker keeps a record of what every important file looked like and alerts you to anything new or altered. This is critical because hackers usually try to replace binaries such as ps, top and netstat with versions that hide their software: the replaced ps or top still runs, but the intruder's processes never show up in its output. Tripwire and AIDE are file-integrity checkers of this kind; Snort is a network IDS that watches traffic rather than files; chkrootkit and rkhunter look specifically for the signatures of known rootkits. Installing Chkrootkit
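The core of what Tripwire and AIDE do, as an added example that is not part of the original post: one function records a SHA-256 baseline of every file under a directory, the other compares a fresh scan with a saved baseline and reports added, changed and removed files. The tools are sha256sum (GNU) or shasum (BSD/macOS); the directory and files in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the core of what Tripwire and AIDE
# do, as two shell functions. Take a baseline of the directories holding your
# system binaries while the host is known-good, store it off the box, and
# compare against it later.

# SHA-256 of one file, printed as a hex string (sha256sum on GNU systems,
# shasum -a 256 on BSD/macOS).
hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Print "<sha256>  <path>" for every regular file under $1, sorted by path.
# Redirect this to a file on read-only or remote storage: a baseline kept on
# the compromised host can be rewritten by the intruder along with the binaries.
integrity_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hashfile "$f")" "$f"
    done
}

# Compare a fresh scan of $1 with the saved baseline $2 and print one line per
# difference: "ADDED <path>", "CHANGED <path>" or "REMOVED <path>". Prints
# nothing when everything matches. The path is taken from column 67 onward
# (64 hex digits plus two spaces), so paths containing spaces are handled;
# paths containing newlines are not.
integrity_check() {
    integrity_baseline "$1" | awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        { now[substr($0, 67)] = $1 }
        END {
            for (p in now)
                if (!(p in base)) print "ADDED   " p
                else if (now[p] != base[p]) print "CHANGED " p
            for (p in base) if (!(p in now)) print "REMOVED " p
        }' "$2" - | sort
}

# Live use (run the check from cron and mail yourself the output):
#   integrity_baseline /bin > /mnt/usb/baseline-bin.txt
#   integrity_check /bin /mnt/usb/baseline-bin.txt
# If you suspect the host's own tools are already replaced, run the check
# from rescue media or with a sha256sum binary you brought along.
```

A checker is only as trustworthy as the tools it runs and the baseline it reads; that is why the post pairs it with keeping the host's binaries under watch, and why the baseline belongs on media the intruder cannot write.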

9) Review Processes Running and Remove Extra Software

You cannot protect a system if you do not know what is on it. If a hacker adds an extra process, you may see it in ps, but you will not notice it unless you know what should normally be there. Know what runs on your system, why, and under which user: how do Perl or Apache run, and as which user? You can check your processes with top or with ps auxfww, which gives you a tree view. Check these every time you log in to your server. Getting started with Shell (SSH) , Common Shell Commands

10) Keep an Eye on the Servers Performance

Know what speed your server normally runs at and how much bandwidth it uses on a daily basis. If an attacker compromises your system and you are unaware of it, the first thing you will probably notice is the system responding slowly or using a lot of bandwidth. If you do not know what your system is usually like, how will you notice something out of the ordinary?

Via: webhostgear.com/314.html

Thursday, October 16, 2008

Securing Windows 2003 Server System

If your server is running Windows 2003 Server Edition, you need to make a few changes to help keep your server and client machines safe. This page is written with the assumption that you're a system administrator running an on-campus server; some of the following resources may not be available from off campus.

Essentials
  • Keep your system and software up to date: This is one of the easiest, most effective things you can do to keep your computer secure. You can either update manually with Windows Update, or configure your systems to download updates automatically from the campus WSUS server, which provides critical Microsoft patches from an on-campus location. You can choose whether the WSUS server prompts you to confirm installations or whether patches are automatically installed.
  • Install antivirus software: The vast majority of viruses are designed to affect Windows systems. The University of Illinois at Urbana-Champaign provides free site-licensed antivirus software that is configured to automatically update itself and protect your system. If you are a campus system administrator, you can also use ePolicy Orchestrator to coordinate distributing antivirus updates from your server to the client machines that you supervise. More information about ePolicy Orchestrator is available from the CITES Security Services Archive and requires Bluestem authentication to identify yourself as a campus system or network administrator. The list is maintained through Contact Manager. If you need to be added to the list of people authorized for access to the archive, but aren't listed in Contact Manager, contact securitysupport@uiuc.edu.
  • Install anti-spyware software: Many of the nuisance-level problems afflicting Windows computers are caused by spyware rather than viruses. Spyware can cause effects ranging from a noticeable slowing of your computer to pop-ups and hijacked web browsers; spyware can also be malicious, reporting personal information from credit cards to passwords to other unauthorized websites. Fortunately, the campus has site-licensed anti-spyware software for students, faculty, and staff. For more information, see the CITES Anti-spyware pages.
  • Install Service Pack 1 (SP1) and the Security Configuration Wizard (SCW): Microsoft's Service Pack 1 offers several security enhancements and tools for Windows 2003 Server administrators. The two most significant enhancements are the inclusion of a server firewall and the Security Configuration Wizard (which must be installed after Service Pack 1). To install SCW after installing Service Pack 1, go to Add or Remove Programs -> Add/Remove Windows Components and select the Security Configuration Wizard check box. After this, the Security Configuration Wizard will be available in the Administrative Tools section of the Control Panel. The Security Configuration Wizard provides a centralized way to check your server's security, to make changes as required (including managing the firewall), and to roll back changes if anything doesn't behave as expected. The graphical user interface allows you to administer one server, and a command line option (scw.exe) allows you to create group policy objects which can be used on many computers.
  • Use "Manage Your Server" to enable only the services you need: Windows 2003 Server introduces a more secure method of controlling access to your server. By default, all of the potential server services are turned off until you enable them. The "Manage Your Server" tool, found in Programs -> Administrative Tools, provides a central location to track which services are enabled. It provides roles for your server -- for example, a DNS server role, a web server role, an email server role -- and allows you to decide how many of these roles are enabled.
  • Use both campus firewall and server firewall protection: A properly configured server firewall can be very effective in reducing the amount of network traffic that is allowed to reach your server and systems connected to it. With the release of Windows Server 2003's Service Pack 1 (described above), you can enable and administer a firewall on your server with a few clicks. You can also take advantage of campus firewall protection by joining your server to one of the available firewall groups; see Campus Firewalls for more information.
  • Choose a good password: Any computer that will have multiple users or be attached to a network needs to have good password protection for each user. Password tips and advice can be found in the CITES Guide to Passwords. In many versions of Windows, a user name can have a blank password, which allows anyone to log in to the computer simply by clicking. Make sure that all user accounts on the machine have passwords to protect access to your computer.

Source:cites.illinois.edu/security/by_os/win2k3srv.html

Monday, September 29, 2008

McAfee Announces Comprehensive Virtualised Server Security Suite

Virtualisation gives organizations the ability to consolidate servers to share physical resources including processors, memory, and disk space. Companies are quickly adopting virtualisation to increase infrastructure utilisation, reduce hardware cost, improve operational efficiencies and simplify deployment.

McAfee Inc. has announced McAfee Total Protection for Virtualisation, which extends security across virtual and physical environments. McAfee provides customised protection for virtual environments including online and offline virtual machines, so that enterprises can safely benefit from the full potential of virtualisation technology.

“Over the next five years, more than half of server workloads will be virtualised, but awareness of server virtualisation risks remains low,” said Gartner Fellow and Vice President, Neil MacDonald. “Security must be incorporated into virtual systems from their inception -- not addressed later as an afterthought.”

McAfee Total Protection for Virtualisation delivers:-

  • Stronger Protection - comprehensive, layered protection for all virtual machines against malware, rootkits, spyware, bots, spam, zero-day threats, vulnerabilities, data loss, data exposure, and more
  • Lower Costs – single management console and automatic updates reduce time and resources required for secure virtualisation management for improved operational efficiencies
  • Simplified Compliance – automated compliance reports and integration with McAfee and third-party compliance tools enable better compliance for virtual environments

McAfee Total Protection for Virtualisation is a comprehensive virtualised server security suite that includes the following core components:-

  • McAfee VirusScan Enterprise and McAfee VirusScan Enterprise for Linux - continuous on-access scanning for superior protection from viruses, worms, and other malicious code
  • McAfee VirusScan Enterprise for Offline Virtual Images - first and only security solution to scan, clean, and update offline virtual machines without bringing them online
  • McAfee AntiSpyware Enterprise - unique on-access scanning to identify, proactively block, and safely eliminate spyware and other potentially unwanted programs
  • McAfee Host Intrusion Prevention for server - combines signature and behavioral IPS protection, firewall, and application control to stop known and zero-day attacks.
  • McAfee ePolicy Orchestrator - centralised management console is the only integrated security and risk management platform for both physical and virtual environments.

Total Protection for Virtualisation will be available in Q4. Pricing is per physical server host, and covers all virtual machines deployed on that server.

Source:securitypark.co.uk/security_article262060.html

Wednesday, August 6, 2008

Google's Send Mail Server Security Certificate Expires

It appears that Google's Gmail SMTP (send mail) server might have let their secure certificate expire. I personally just got notified that the smtp.gmail.com server was not secure, due to the certificate expiring. Here is a screen capture:-

So, it seems like it just expired just minutes ago. I asked others to confirm the issue and they said they are getting the same error.

Scott Hodge did tweet about a month ago about the same issue. But this is the first time I am seeing this issue, and the certificate clearly shows that it expired just minutes ago.

Postscript: A Google spokesperson told us: "For a short time this morning, some Gmail users sending mail via POP and IMAP saw a notification on their mail clients that the SMTP certificate had expired. We identified the problem and fixed it promptly. We know how important Gmail is for our users, and we apologize for any inconvenience this may have caused."


Monday, July 7, 2008

Microsoft Home Server

The Small Business Technology blog talks about Microsoft Home Server. Although this server is designed for the home, it also works for a small business that has only a couple of computers.

Home Server fills a niche that previously was not being served. Microsoft does offer Small Business Server, but although it is designed for companies with under 75 employees, it is more sophisticated than most start-ups need, or may need for many years.

One of the nice features in Home Server is that it monitors the health of your PCs and ensures that important items such as your security software are up to date. In addition, you can set it up to back up the files on your PCs automatically every day so that you do not lose any important data.

Another nice feature is remote access to your information. For example, if you are on a business trip, you can access reports, invoices, order forms or any other data you might need without having to download everything to your mobile device or laptop.

For small start-ups this may be a good tool for managing a small network until your needs grow.

Wednesday, July 2, 2008

Windows Server Security Guide

The Windows Server 2003 Security Guide provides specific recommendations about how to harden computers that run Microsoft Windows Server 2003 with Service Pack 1 (SP1) in three distinct enterprise environments: one in which older operating systems such as Windows NT 4.0 and Windows 98 must be supported, one in which Windows 2000 is the earliest version of the Windows operating system in use, and one in which concern about security is so great that significant loss of client functionality and manageability is considered an acceptable trade-off to achieve maximum security. These three environments are respectively referred to as the Legacy Client (LC), Enterprise Client (EC), and Specialized Security – Limited Functionality (SSLF) environments throughout this guide.

Guidance about how to harden computers in these three environments is provided for a group of distinct server roles. The countermeasures that are described and the tools that are provided assume that each server will have a single role. If you need to combine roles for some of the servers in your environment, you can customize the security templates that are included in the downloadable version of the guide to create the appropriate combination of services and security options. The server roles that are referenced in this guide include the following:


  • Domain controllers that also provide DNS services

  • Infrastructure servers that provide WINS and DHCP services

  • File servers

  • Print servers

  • Web servers that run Microsoft Internet Information Services (IIS)

  • Internet Authentication Services (IAS) servers

  • Certificate Services servers

  • Bastion hosts

Significant efforts were made to make this guidance well organized and easily accessible so that you can quickly find the information that you need and determine which settings are suitable for the computers in your organization. Although this guide is intended for enterprise customers, much of the information that it contains is appropriate for organizations of any size.