Tips to secure your server (or pc)
By ryan | September 30, 2008
I know this has been covered a thousand times over throughout the web, but many people still forget how costly it can be to leave a susceptible server out there on the web. The same goes for everyday people and their desktops. So, I have compiled some tips from sources all over the web that give you a fighting chance in the Wild World of the Web.
1. Patch off-line before you go online
If you’re still running XP like myself (or Windows Server, for that matter), it will take a matter of minutes for your computer to become infiltrated from a fresh install. If you’re cleaning up an older computer and reinstalling, or have a new computer you’re about to set up, download your patches FIRST and put them on a CD or DVD. Then, before you connect that PC to the internet, install all patches. The goal is to be as secure as possible before you go online.
2. Implement Access Control
Administrator login privileges give access to and control over your entire system. Only a few, ultra-trustworthy individuals should have administrator privileges, and only they should know the password. On top of that, the default administrator login name is “Administrator”. Disable it! Delete it! Rename it! Just don’t leave it the way it came! At least half of the initial break-ins I have encountered were brute-force attacks on the default Administrator login. It would also be wise to disable the “Guest” account.
3. KISS
Keep it simple, stupid
Remember that old saying? The same goes here. A hacker’s wet dream is finding a system with multiple applications on it, like a web server also running an email server. While it is possible, it is best to keep them separate. You could even consider virtualization, use different NICs to separate the traffic, and put a firewall in front of the email server. Another reason for keeping servers simple is that applications sometimes conflict with each other, leaving more loopholes susceptible to infiltration.
Keep instant messaging software off the machine. It is one more possible gateway for intruders.
Once you have dedicated your server to a single purpose, remove all unneeded files. Many software installations include sample files or scripts. If you’re not using it, get rid of it! Among the things that you’ll want to consider removing are unused network services, language compilers, and system development tools as well.
4. Install security software
This slightly deviates from the KISS ideology, but for good reason. Adding an extra layer of protection by installing things such as anti-virus, anti-rootkit, anti-spyware, filters and even a software firewall to keep out unwanted access always helps. There are many options out there, both free and paid, that will aid you in the fight to keep your machine clean.
Others also recommend installing intrusion detection and prevention software to guard against denial-of-service attacks and to ensure the integrity of your system files, but this can get costly. If you’re some average Joe, this is probably overkill, but if you’re a company with extremely sensitive information, you should seriously consider it.
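The “integrity of your system files” part does not need a commercial product to get started: a baseline of file hashes taken right after a clean install, stored somewhere the server cannot overwrite, will tell you later which files appeared, vanished or changed. The script below is an added example written for this post, not code from the original article; the directory layout, file names and contents in demo() are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    # Keep this file off the server (CD, USB stick, another host), or a
    # successful intruder can simply rewrite it to match the tampered files.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a small tree, change it, and re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Hypothetical freshly installed server tree (all names constructed).
        write("bin/httpd.exe", b"original server binary")
        write("conf/httpd.conf", b"Listen 80\n")
        write("readme.txt", b"sample file that should have been removed")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Some time later: a config edit, a deleted sample, and a file nobody installed.
        write("conf/httpd.conf", b"Listen 8080\n")
        os.remove(os.path.join(root, "readme.txt"))
        write("bin/unexpected.dll", b"not part of the install")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run the baseline scan immediately after point 1 (patched, still offline) and point 3 (unneeded files removed), and re-run it on a schedule; every entry in “modified” or “added” should be explainable by a patch you recorded in your notebook, and anything else is something to investigate.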
5. Quarantine your system
A good rule of thumb is to separate your system files from uploaded material by storing your system files on a separate partition or hard drive. Another option is to disallow uploads entirely. Either way, keeping your system files separate is a no-brainer.
6. Create smart passwords
The rule of thumb on passwords has long been at least eight characters. However, utilities can now attempt at least a million possible passwords per second; at that rate, an eight-character lowercase password can be cracked in 59 hours. Though there is no unbreakable password security, you can avoid being an easy target with these measures:
- Require user passwords to be at least 12 characters long and include uppercase and lowercase letters, numbers, and shift characters (such as @, &, or %).
- Don’t use so-called “dictionary words” as passwords. These include common misspellings, clever misspellings, expletives, slang, digital slang like ROFL (rolling on floor laughing), and commonly used foreign words.
- Don’t create a password by adding a number to the end of a previous password; however, adding numbers in the middle of the word is permissible.
- Don’t allow users to recycle previously used passwords.
- Don’t allow passwords that are derived from birthdays, anniversaries, pet names, or any other publicly available personal information.
- If your server OS has a feature requiring password changes after a selected time limit, use it.
- Do substitute letters with the above-mentioned shift characters. The whole point is to still make something you can remember, yet harder than the average hacker can figure out, e.g. th!r$tyc@t$
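Most of the rules in the list above can be enforced mechanically at the moment a password is set. The checker below is an added example written for this post, not code from the original article; MIN_LENGTH, SHIFT_CHARS and the tiny DICTIONARY are assumed policy values and a constructed stand-in for a real word list. It undoes the common letter-for-symbol substitutions before the dictionary check, so “P@ssw0rd” is still caught, and it implements the “previous password plus a number on the end” rule by comparing the two passwords with their trailing digits stripped. The birthday/pet-name rule needs per-user data and is not modelled.

```python
import string

# Policy values taken from the list above (assumed as the configured policy).
MIN_LENGTH = 12
SHIFT_CHARS = set("!@#$%^&*()")

# Constructed stand-in for a real dictionary / slang / misspelling list.
DICTIONARY = {"password", "thirsty", "letmein", "welcome", "rofl", "qwerty"}

# Letter-for-symbol substitutions undone before the dictionary check, so that
# "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def stem(pw):
    """Lower-case and drop trailing digits/punctuation ("Summer08!" -> "summer")."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def core_word(pw):
    """Strip leading/trailing digits and punctuation, then undo leet substitutions."""
    return pw.lower().strip(string.digits + string.punctuation).translate(LEET_MAP)


def check_password(candidate, previous=()):
    """Return the list of policy rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SHIFT_CHARS for c in candidate):
        problems.append("no shift character")
    if core_word(candidate) in DICTIONARY:
        problems.append("based on a dictionary word")
    for old in previous:
        if candidate == old:
            problems.append("recycles a previous password")
        elif stem(candidate) == stem(old):
            problems.append("previous password with a number added or changed at the end")
    return problems


if __name__ == "__main__":
    for pw in ("th!r$tyc@t$", "P@ssw0rd1234", "Bl!ue-Wh@le7Sings"):
        print(pw, "->", check_password(pw) or "OK")
```

Note that the post’s own example, th!r$tyc@t$, fails three of the list’s rules (it is 11 characters long and has no uppercase letter or digit), while “P@ssw0rd1234” satisfies every character-class rule and is still rejected because the leet-stripped core is a dictionary word; substitution only helps on top of a phrase that was not guessable to begin with.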
7. Use the logs
Log everything! Your server’s OS should have an app for logging events, and you should use it. Most of the time it is the only evidence you will have of attempted (and successful) intrusions. Logs can also be used as evidence in legal proceedings.
Sometimes reviewing logs can be burdensome, and different utilities have various levels of detail. Most are configurable, and if the built-in one isn’t cutting it for you, consider a third-party log file analyzer, which will give you more flexibility and more choice in the level of detail. Also archive your logs periodically.
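Point 2 says that half the break-ins the author has seen started as brute force against the default Administrator login, and point 7 says the logs are usually the only evidence. Tying the two together, the script below scans login records for bursts of failures from one source against one account and flags any burst that was followed by a success. It is an added example written for this post, not code from the original article; SAMPLE_LOG is constructed, in a deliberately generic “timestamp result user= src=” shape rather than a real Windows Event Log export, so LINE_RE must be adapted to whatever your logging tool actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not a real event-log format). One burst against
# Administrator ending in a success, a normal user typo, and two Guest
# failures far enough apart that they should not trigger anything.
SAMPLE_LOG = """\
2008-09-30 02:14:01 LOGIN_FAILED user=Administrator src=198.51.100.23
2008-09-30 02:14:02 LOGIN_FAILED user=Administrator src=198.51.100.23
2008-09-30 02:14:02 LOGIN_FAILED user=Administrator src=198.51.100.23
2008-09-30 02:14:03 LOGIN_FAILED user=Administrator src=198.51.100.23
2008-09-30 02:14:04 LOGIN_FAILED user=Administrator src=198.51.100.23
2008-09-30 02:14:05 LOGIN_OK user=Administrator src=198.51.100.23
2008-09-30 08:00:10 LOGIN_FAILED user=ryan src=192.0.2.10
2008-09-30 08:00:40 LOGIN_OK user=ryan src=192.0.2.10
2008-09-30 09:30:00 LOGIN_FAILED user=Guest src=203.0.113.5
2008-09-30 09:45:00 LOGIN_FAILED user=Guest src=203.0.113.5
"""

# Adjust this to the real line format of your log tool.
LINE_RE = re.compile(r"^(\S+ \S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse(lines):
    """Yield (timestamp, result, user, source) for every line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # real logs carry many other event types; skip them
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """One alert per (source, user) whose failures reach `threshold` inside `window`.

    Each alert records the burst and whether a successful login from the same
    source to the same account came afterwards, which is the case to act on first.
    """
    recent = defaultdict(deque)  # (src, user) -> timestamps of failures inside the window
    alerts = []
    alerted = {}                 # (src, user) -> index into alerts
    for ts, result, user, src in parse(lines):
        key = (src, user)
        if result == "LOGIN_FAILED":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted[key] = len(alerts)
                alerts.append({"src": src, "user": user, "failures": len(q),
                               "first": q[0], "last": ts, "success_after": False})
        elif result == "LOGIN_OK" and key in alerted:
            alerts[alerted[key]]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("%(user)s from %(src)s: %(failures)d failures %(first)s..%(last)s, "
              "followed by success: %(success_after)s" % alert)
```

Run over the constructed sample this reports exactly one burst, the five Administrator failures from 198.51.100.23 in four seconds followed by a success; the two Guest failures fifteen minutes apart fall outside the one-minute window and stay quiet. If you renamed the Administrator account as point 2 advises, failures against the literal name “Administrator” are interesting on their own, since no legitimate user should be trying it.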
8. Patch early and often
Just because a patch comes out for an OS to block malware doesn’t mean the bad guys stop working. Many people leave unpatched computers out there (remember point 1; that’s why your server will get wrecked in minutes if you don’t pre-patch before going online).
You should set the OS and even individual software packages to download patches automatically, but NOT to install them until given permission. In a small office (or at home), this gives you the opportunity to keep track of what patches have arrived; it’s a good idea to keep a notebook. In larger organizations, it gives the IT staff an opportunity to try out the patch on a test machine (and make sure it doesn’t bomb the system, which happens). This is particularly important if the organization relies on software written in-house.
9. Don’t ever get too comfortable
It is an ongoing battle to keep servers clean and healthy. Run periodic checks and never think you are 100% safe. Digital security is not a one-time project. Rather, it’s an ongoing task and it never gets any easier. In the normal course of events, you should be installing patches, studying logs, and responding to alerts. Although this does require time and resources, that’s trivial compared to what hackers can do to your business and the loss (both monetary and virtual) that can be incurred. For instance, a hacker that takes over your Web site could infect all site visitors with key-loggers and expose their banking passwords (Yes, that’s happened). Part of being vigilant involves keeping your eye on the weather, so to speak. There’s always a storm a brewin’…
Valuable security resources
Resources to help keep you up to date with your on-going security struggle:
- The U.S. Computer Emergency Readiness Team (CERT, part of the Department of Homeland Security) gives you access to CERT’s various security alerts, bulletins, and tips. You can get them as RSS or Atom feeds, or read the archives on the CERT site. http://www.us-cert.gov/cas/
- The National Vulnerability Database (produced by the National Institute of Standards and Technology) includes, among other things, a search engine for probing its list of more than 30,000 vulnerabilities, and security configuration checklists covering 153 products. http://nvd.nist.gov/
- Security Focus aggregates cyber-security news items from various sources and has a database of vulnerabilities. http://www.securityfocus.com/
- Microsoft offers periodic security bulletins concerning its products, through various formats. http://www.microsoft.com/technet/security/bulletin/notify.mspx
- Packet Storm Security: information and computer security full-disclosure web site. http://packetstormsecurity.org
- SysAdmin, Audit, Network, Security (SANS) Institute, Internet Storm Center. http://isc.sans.org/