Thursday, February 17, 2005

Windows Security Seminar 2005

My boss is in Poland on a personal matter, so I was volunteered to go to the Windows Security Seminar 2005 in his place.

Before I went my wife made me promise I'd keep my mouth shut.

Before I went my work colleagues made me promise to keep my mouth shut.

Gad, what a reputation!

There were two parts to this: firstly there was the security thing, and secondly they had a bit of a preview of SQLServer 2005.

Security

I spent a long time listening to adverts for Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2, which, when used together with properly set up firewalls, will help protect your systems. I watched intently as the presenters showed us how to configure your firewall with only thirty or so clicks of the mouse and a full knowledge of port numbers and hosting. I sat and watched them add extra ports to servers and enable and disable services through smart wizards that know what you are running on your server (really, Windows can detect what software is currently running, smart huh?). All this to enhance the "out of the box customer security experience" (not making that last phrase up, by the way).

At the end of the day, what did I find? Microsoft has placed a complex user interface over their equivalent of iptables. I could edit the settings in Notepad (like I would with iptables) but, as it is all in the Windows registry, I can't. I need to use the wizards. Wizard training comes at a cost though (Hogwarts, anyone?). Install XP SP2 and you don't need to be a network expert to secure your system, but if you want it to do anything nice and still be secure, you do still need a security expert.

I have broadband at home with one Linux box and two Windows boxes. The XP box is running the XP firewall, the Windows 2000 box is currently turned off as I have no desk to put it on, and the Linux box is running nothing. I use a hardware firewall. Originally I had dial-up through a Windows box; number of attacks: too many to mention. Via the hardware firewall to the same unprotected Windows box: NONE. I counted them, twice!

To be fair, it looks like they have made major improvements to the security of their systems, but you need to upgrade everything to Windows Server 2003 SP1 and Windows XP SP2 to use them. Not all hardware can handle it, and it brings Windows to the security level Unix users have enjoyed for a long time.

The worst attacks against any computer network are through social engineering. Try it: ring up someone in your organisation, tell them you are the help desk and need to install a patch for them and you need their password. Most of the time they will tell you! Ask them for their credit card details while you are at it.

To combat this you need to use social engineering as well: training and common sense rules.

A quick check list:

  • DO NOT open an attachment EVER, unless you are expecting it.

  • Never tell anyone your password. Any system admins who need to access your machine remotely will use their own account; it has a larger number of privileges than yours.

  • Use strong passwords, i.e. if everybody knows you are a WWE fan, TheRock is not a good password.

  • Never write down a password, EVER!

  • Keep virus software up to date.

  • Use an anti-spyware tool. Spybot - Search & Destroy is pretty good.

  • Don't use compromised software (like Outlook and IE). Use Thunderbird and Firefox instead.

  • Ideally use Linux or Mac OS X or another Unix-based operating system.

  • Use a good hardware firewall (if you have a network to protect, Cisco et al).

  • Just be a little bit careful, don't download everything a site tells you you need.

  • Never be afraid to ask.

  • Show hidden and system files in Windows Explorer (they are just flags; you can flag any file as a system file, and viruses often do, as a very simple way of hiding themselves).

  • Do not hide extensions for known file types. In Outlook the I-Love-You attachment is shown as a text file if you hide known extensions (i-love-you.txt), but as what it really is if you unhide the extensions (i-love-you.txt.exe), which is a program.

  • In Outlook, turn off the preview window, as it automatically loads IE for HTML e-mails, and IE will automatically run VBScript on a web page, so the old idea that you cannot get a virus simply by downloading e-mail is no longer true.
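
As an added example (not from the original post), here is a small Python script that models the "hide extensions for known file types" display behaviour described in the list and flags attachment names that abuse it; the extension sets are assumed subsets chosen for illustration, not the real Windows registry lists.

```python
# Added example: simulate Explorer/Outlook's "Hide extensions for known file
# types" setting and flag attachment names that exploit it (i-love-you.txt.exe).
# The extension sets are constructed subsets, not Windows' actual registry data.

# Extensions Explorer would hide from the displayed name (assumed subset).
KNOWN_EXTENSIONS = {".txt", ".doc", ".xls", ".jpg", ".pdf",
                    ".exe", ".vbs", ".scr", ".com", ".bat", ".pif"}

# Extensions that run code when double-clicked (assumed subset).
EXECUTABLE_EXTENSIONS = {".exe", ".vbs", ".scr", ".com", ".bat", ".pif"}


def real_extension(name: str) -> str:
    """Return the final extension of a filename, lower-cased ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base[1:]:          # '.bashrc'-style names have no extension
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def displayed_name(name: str) -> str:
    """Name as shown with 'Hide extensions for known file types' enabled."""
    ext = real_extension(name)
    return name[:-len(ext)] if ext in KNOWN_EXTENSIONS else name


def is_deceptive(name: str) -> bool:
    """True when the hidden-extension view suggests a harmless document
    but the real (last) extension is executable."""
    ext = real_extension(name)
    if ext not in EXECUTABLE_EXTENSIONS:
        return False
    # After the real extension is hidden, does a benign-looking inner
    # extension remain to mislead the user?
    inner = real_extension(displayed_name(name))
    return inner != "" and inner not in EXECUTABLE_EXTENSIONS


def triage(names):
    """Return (name, displayed name, deceptive?) for each attachment name."""
    return [(n, displayed_name(n), is_deceptive(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = ["i-love-you.txt.exe", "report.pdf", "setup.exe", "photo.jpg.scr"]
    for n, shown, bad in triage(samples):
        print(f"{n:22} shown as {shown:18} deceptive={bad}")
```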

There are pricks out there who get off on how clever they are in "hacking" your computer. Most of them are "script kiddies", who compare to the true crackers of legend the way that a thug with a gun in a service station compares to a real cat burglar. Both do evil, anti-social things, but at least one is an artist. Once the Windows security issues are solved properly, the internet will speed up again and cracking will once again be the realm of the geeks in trench coats with no social life, producing code that has to be (grudgingly, admittedly) admired.

SQLServer 2005

The new version has more bells and whistles than you can point a stick at. It does the same core stuff just as well as SQLServer 2000 and SQLServer 7.0, but now to administer the server you need Visual Studio! Am I missing something here? To me a database server should be a database server, nothing more, nothing less, and definitely not everything to everyone.

"You do not need the white coat brigade to get your reports anymore, just use our simple interface," says one presenter.

But you need to be trained to use that simple interface; management will then start coming back to the white coats to write their reports again. Why all this "increase your business" functionality bullshit? MySQL, that's why. It is simple, fast, easily maintained and free. A database server that serves data and nothing else; add a free web server (Tomcat, Apache) and maybe JBoss (application server) if you really need it, throw in OpenOffice and, bingo, no more Microsoft products. You are free! (Pun intended.)
