Archives for Juha Jurvanen

Brute force attacker ökar

Brute force attacker ökar T konsult IT säkerhet

Brute force attacker ökar

Ett av de ämnen jag tidigare skrivit mycket kring är just kring att ordboksattacker eller brute force attacker ökar och är ett verkligen svårt problem att hantera. Principen bygger alltså på att en hackare försöker gissa sig till användarnamn och lösenord. Ofta är användarnamnet t.ex. en persons e-post adress eller i Windows domäner t.ex företaget\användarnamn och med den kunskapen har ju hackaren redan hälften av inloggningen.

Resten är lösenordet och om det är något vanligt lösenord eller en vanlig variation på det så kommer det inte ta lång tid för en hackare att faktiskt ta över personens konto.

Allt det här är naturligvis helt automatiserat dvs det sitter ingen  för hand och försöker skriva in användarnamn och lösenord utan hackarna använder olika script som kan testa tusentals kombinationer av lösenord samtidigt med olika resultat. De kanske lyckas bryta sig in, låsa användarnas konton, krascha servrar för överbelastning o.s.v.

Den här artikeln på Techworld ( https://techworld.idg.se/2.2524/1.698276/olovliga-inloggningsforsok) pekar också på att just den typen av attacker ökar och med all sannolikhet kommer fortsätta göra det.

Några av problemen med dessa attacker (förutom det alldeles uppenbara att hackaren faktiskt lyckas gissa rätt och då har tillgång till ert data) är att det tar maskinresurser, fyller bandbredd och är väldigt, väldigt svåra att hantera manuellt.
Tänk t.ex. när en attack kommer från 1000 eller 10 000 datorer samtidigt,. Att manuellt stoppa det i en brandvägg är inte realistisk och i vissa system som t.ex. i Windows domäner finns oftast ingen koppling mellan händelsen inloggning och brandvägg. Jag driftar, övervakar och hjälper företag så jag ser hundratals såna här attacker varje dag som pågår.

Att i efterhand kunna se vad som hänt är värdefullt för t.ex. polisanmälningar och historik men primärt behöver attackerna stoppas, sedan analyseras men att göra det manuellt är som sagt helt orealistiskt och behöver automatiseras.

Det finns lösningar, programvaror och sätt att automatiskt hantera de här frågorna på de flesta plattformar och system men det kräver lite eftertanke och planering, enligt min mening tid som är mycket väl investerad för att skydda era system mot brute force attacker.

Vill ni veta mer om hur man kan skydda sig mot detta i Windows, Linux, WordPress,Exchange Server osv , kontakta mig här
<

Kontakta JufCorp
backup disaster recovey konituitetsplanering IT säkerhet molntjänster syspeace kontakta JufCorp

Kontakta JufCorp AB för frågor inom backup / restore , Disaster Recovery, IT säkerhet, molntjänster och frågor kring intrångssäkerhet.

Boka ett gratis möte för att se hur jag kan hjälpa er eller beställ licenser för  F Secure PSB (övervakad antivirus till fast månadskostnad) eller Syspeace ?

Om ni hellre vill ringa direkt så nås jag på 0709 666 997

Ditt namn (obligatorisk)

Företag

Din epost (obligatorisk)

Telefon

Ämne (obligatorisk)

Ditt meddelande (obligatorisk)

När och hur vill ni bli kontaktade?
TelefonE PostPersonligt möteFörmiddagEftermiddagKväll

Vad gäller saken ? Välj en eller flera områden om du vill

Från när behöver ni hjälp ?

Skriv in nedanstående text för verifiering (obligatorisk)

captcha

 

Senaste uppdateringarna på JufCorps  FaceBook sida

 

1 years ago

JufCorp

"Vi har skapat ett verktyg för att skapa lokala ikoner för enheter , göra så att man högerklicka på filer/kataloger i rCloud och få ner dem direkt till den lokala enheten. De lokala enheterna heter alltid R: i Molnet och kan vara Windows, Android eller MAC. Filer hamna på lite olika ställen beroende på vilket du är uppkopplad med (Molnet känner av dynamiskt vilken enhet du är inloggad med dvs du kan vara inloggad med en Windows dator på jobbet och hemma med en Android och skicka filer till dem) [ 59 more words ]

www.jufcorp.com/wordpress/molntjansten-rcloud-office-forenklar-kopplingar-mot-lokala-enheter-med-...
...

View on Facebook

1 years ago

JufCorp

blog.redcloud.se/att-na-sina-program-i-molnet-med-en-webblasare/ #molntjänster #outsourcing #SaaS #visma ...

View on Facebook

1 years ago

JufCorp

Att använda den inbyggda Windows 10 Mail klienten mot rCloud Office för att synka e-post, lalender och kontakter. #molnet ...

View on Facebook

1 years ago

JufCorp

En videomanual för hur man installerar svenska molntjänsten rCloud Office från Red Cloud IT.

blog.redcloud.se/molntjansten-rcloud-office-pa-windows/
...

View on Facebook

1 years ago

JufCorp

Finska F Secure har hittat ytterligare en kritisk sårbarhet i Intels produkter. Denna sårbarhet har inget med de nyligen publicerade #Meltdown och #Spectre utan ligger i Intel Active Management Technology (AMT). Om en angripare har fysisk tillgång till datorn kan alla säkerhetsmekanismer kringås som antivirus, diskkryptering och datorn är helt oskyddad mot angriparen som därefter fjärrstyra, avlyssna, kopiera data osv. … [ 39 more words ]

www.jufcorp.com/wordpress/f-secure-hittar-ny-kritisk-sarbarhet-i-intels-produkter-infosec/
...

View on Facebook

 

Återstartsplaner för IT – Disaster Recovery på svenska

konsult inom backup It säkerhet molntjänster återsartsplaner för IT

Efter 20 år som IT konsult inom många olika områden är min erfarenhet att backuper och återstartsplaner för IT fortfarande är en eftersatt fråga. I sak har det inte förändrats mycket , trots molntjänster och förenklade metoder och hur många gånger det än diskuteras på möten blir det ändå eftersatt och uppskjutet.

Ända till den dagen något verkligen händer och de där backuperna behövs.

Backuper är för de flesta ett tråkigt ämne och sällan något som prioriteras, varken av IT avdelningen eller av ledningen men, tyvärr är ändå den krassa verkligheten att backuperna är något av det viktigaste ett företag eller organisation har.

En av de mest grundläggande frågorna varje IT chef och VD måste sälla sig är “Hur länge kan vi klara oss utan vår IT? Timmar ? Dagar ? Månader ?
Utan den tankegången kommer teknikerna och IT avdelning aldrig att ha ett mål att jobba mot för att skapa en användbar återstartsplan som följer den riktlinjen. Backuper och riktlinjer för återstartsplaner är alltid ledningens ansvar.

Förarbetet under den normala driften är väldigt viktig att tänka på .
Att inte kontinuerligt övervaka backuperna, testa att de innehåller vad de ska och ha ett öga på eventuella fel kan få väldiga konsekvenser.

Att inte ha planerat igenom hur en stor återställning av hela IT systemet ska gå till i förväg kan leda till en onödigt lång återstartsprocess i sökande efter dokumentation, backuper, hårdvara och kompetenta tekniker.

Att återställa enskilda filer på en server är inte en test av backuperna , det är i bästa fall bara ett test av läsbarheten på backuperna. Ett riktigt återstartstest (Disaster Recovery Test )  ska utgå från scenariot att hela servern eller hela servermiljön helt enkelt inte längre finns att tillgå.

Tekniker som skall återställa ska ha tillgång till backuperna, dokumentationen och hårdvara att återställa till. Det är allt. Ingen att ringa. Ingen att fråga. Syftet skall vara att ha en tillräckligt bra teknisk återstartsplan och kunna följa den så att företaget eller organisationen har tillgång till sina IT system inom den tid som krävs enligt IT policyn och företagets BCP (Business Continuity Plan ) och DRP (Disaster Recovery Plan) .

Här kommer många frågor in per automatik att tänka på.
Alla de här frågorna förutsätter att det redan är konstaterat att det är just backuperna som måste tas till .
För att komma fram till det beslutet krävs också en del planering innan och beslut att fatta baserat på vad som hänt (virusattack, brand, stöld, översvämning, terrorhot o.s.v. ) 

  1. Var finns backuperna? Är de på tape? -Var finns banden? Är de krypterade och vem har lösnorden?
    På disk?  I princip är frågeställningarna de samma som på tape.
    Är det onlinebackuper? – Är de krypterade ? Hur mycket data är det totalt och hur mycket bandbredd har vi att tillgå ? Kommer själva återläsningen av data att ta för lång tid för allt data över den här bandbredden t.ex. 10 Mbits eller 100 Mbits ?
  2. Hur har backuperna tagits ?  Vilken backup programvara ha använts och hur får vi tag på den ? Hur återställer man backupservern i t.ex. Legato Networker eller Tivoli TSM för att ens kunna börja återläsa något från backuperna? Hur lång tid tar den initiala återställningen och har vi räknat in den tiden i vår DRP ? För t.ex. Legato kan en sån återställning handla om många, många timmar för man kanske måste scanna igenom varje tape och få in dem i databasen och i TSM är databasen kritisk för att kunna få tillbaka något alls från backuperna.
  3. Hur ser systemdokumentationen ut ?
    Hur var servrarna uppsatta med volymstorlekar, programvaror, operativsystem med service packs o.s.v. ? Många företag missar den här delen i sin återstartplan och det kan leda till ett alldeles onödigt tidsspill under återställningen . Dokumentationen är gammal eller direkt felaktig . Här behövs enkla och automatiserade system som uppdaterar systeminformationen dagligen. Administrativa lösenord behöver också finnas tillgängliga, i Wndows server världen även de lokala administrativa lösenorden och en uppdaterad IP plan kommer behövas.
  4. Till vad ska vi återläsa backuperna?De flesta företag organisationer har inte en dubblerad serverpark som bara står och väntar en katastrof och att veta till vilken hårdvara det faktiskt ska återläsas till är en viktigt fråga att tänka på alltså, hur får vi tag på reserv hårdvara eller ska vi återläsa allt till en virtuell miljö? Hur får vi tag  på en server som kan husera t.ex. 25 servrar med 4 GB RAM vardera minst och 50 GB disk utrymme?
  5. Vart ska vi göra den faktiska återläsningen? Om företaget eller organisationen drabbats av en större olycka kommer det troligen inte att gå att återställa miljön på samma ställe. Det måste finnas en plan för vart både personal och IT personal ska ta vägen för att ens kunna påbörja en återläsning och återuppbyggnad av IT miljön. Oavsett hur så måste förmodligen verksamheten återuppstå förr eller senare.
  6. Vem ska göra vad? Och i vilken ordning?Det här är också hemskt viktiga frågor. Vem eller vilka ska göra det rent praktiska med återläsningen ? Vem ska t.ex. meddela på hemsidan / twitter / press att ni råkat ut för ett haveri och meddela när ni beräknas vara i full drift igen ? På vilka siffror baseras den informationen dvs från tidigare krascher eller tidigare återstartstester eller bara en “allmän känsla” dvs mer eller mindre baserat på gissningar ?Finns det redan utsett i vilken ordning olika system och funktioner ska upp och vilka som är mest kritiska och viktigast att få upp först ? Vad IT avdelningen tycker är viktigt kanske inte alls är det viktigaste för företaget sett ur affärssynpunkt. Att förstå samspelet mellan olika system är kritiskt.Om ingen med kunskap om hur miljön var uppbyggd finns tillgänglig, kommer dokumentationen att vara en hjälp eller ett hinder för den externe konsulten som skall hjälpa till ? Att återläsa t.ex. en kraschad Microsoft Exchange Server med tillhörande Active Directory eller en komplicerad Oracle installation är inte alldeles självförklarande för den som aldrig gjort det innan. Allt går såklart att göra om backupen är korrekt taen men det kan ta många gånger längre tid än nödvändigt att vara igång igen. Jag har sett exempel där det handlat om veckoer innan systemn är uppe igen.
  7. Återställningen i sig – är den permanent eller tillfällig? Om återställningen gått bra så måste man ändå ha klart för sig om det är en tillfällig lösning man återställt sin miljö till och så fort man är i normal drift igen måste man börja planera för återgång till den riktiga miljön igen .

Det här är egentligen bara några av saker som jag vet man måste tänka på för sin verksamhet och framförallt, man måste ta sig tiden att göra det här jobbet , antingen internt eller att anlita en extern konsult som hjälper till med att strukturera upp arbetet och planeringen med nya ögon.

Kommentera gärna eller kom med synpunkter eller kontakta mig för vidare funderingar kring de här frågorna.

Ett möte kostar bara lite tid men kan ge så mycket mer

Juha Jurvanen – Senior IT konsult inom backup, IT säkerhet, servedrift och molntjänster .

Säkerhet på Windows Server – uppdaterad

Grundläggande säkerhet på Windows server – med lite nya länkar osv

backup disaster recovey kontinuitetsplaner IT säkerhet molntjänster syspeace

Det här inlägget är tänkt som en slags grundläggande “checklista” när man sätter upp säkerhet på Windows Server vid nyinstallation och driftssätting.

Kortfattat behövs alla saker i den här listan som ett minimum för att uppnå i vart fall en grundläggande säkerhet på Windows server.
Tyvärr kommer servern ändå inte vara fullständigt skyddad även om du följer alla steg. 

Absolut IT säkerhet finns helt enkelt inte men det här är i vart fall en lista för att göra ett antal grundläggande inställningar och steg.

 

Installerade programvaror

1. Se till att alla progranvaraor är uppdaterade med senaste säkerhetsuppdateringarna. Det här gäller operativsystemet, Exchange, SQL men även Adobe, Java och allt annat som finns installerat. Det här minskar risken för att råka ut för s.k. exploits som utnyttjar sårbarheter i programvaror. Kika på t.ex. PDQeploy som jag tycker funkat bra i större miljöer för distribution. 

Även F Secure har en Software updater som fungerat bra.
Det skyddar dock inte mot en riktig Zero Day attack dvs när en sårbarhet blivit publikt känd men leverantören av programmet ännu inte släppt en uppdatering som avhjälper felet.

För dem finns egentligen inget annat att göra än följa olika typer av säkerhetskanaler, läsa rekommendationer och hålla sig uppdaterad.

Antivirus

2. Se til att ha ett väl fungerande men inte allt för resurskrävande antivirus på samtliga system. Själv tycker jag om F Secures PSB lösning trots en del brister i software updater men den fungerar ändå väldigt väl för systemadministratörer. Kom ihåg att sätta upp larm på virusangrepp!

Fil och katalogrättigheter på servern

3. Se till att gå igenom alla katalog och filrättigheter ordentligt och vilka användare och grupper som har tillgång till vad. Tänk på att se till att användare , både interna och externa , endast ska kunna se det som de uttryckligen ska ha tillång till. Inget annat.
Ett exempel är t.ex. att begränsa åtkomst till diskar och dölja diskar på Terminal Server (kolla t.ex. TS Hide Drives). Att sätta upp rättigheter på fil och katalognivå är oerhört kraftfullt sätt att begränsa tillgången till data. Testa innan du tillåter användare att nå servern. Det är alltid svårare att och jobbigare att fixa till saker i eftehand när servern är i drift.
Tänk även på att inte tillåta programexekvering från “fel”  ställen t.ex %APPDATA% , %TEMP% o.s.v

Best practices, manualer .. var inte lat ..

4. Se till att följa “best practices” för alla applikationer och tjänster du sätter upp. Googla. Snacka med folk.

Ingen manual är komplett och programvarutillverkare tänker inte alltid på kringliggande saker som kan påverka säkerhet och kompabilitet. När du instalerat ett program, klicka runt i menyerna och se vad du kan göra (vilka kataloger kan du “browsa till”vid “öppna” , “spara” i o.s.v. ) . Testa både som administratör och en vanlig användare. Vilka rättigheter behövs och vilka kan “tajtas åt” ?

Slå på loggning på servern

5. Se till att ha loggning påslaget där det går. Många program och funktioner har inte det påslaget som standard men du kan inte felsöka det du inte ser och att försöka hitat ett intrång eller annat fel i efterhand kan vara hopplöst om inte omöjligt.

Övervakning och drift av servern

6. Se till att ha en väl fungerande övervakning och inventering på hela ditt nät. Själv är jag en förespråkare för Spiceworks som är gratis som man kan göra väldigt mycket med.
Om din server har olika typer av övervakningsagenter (ofta över SNMP)  som kommer från tillverkaren (vilket de flesta har) se till att installera dem.

De ger dig information om hur hårdvaran mår och larmar om olika typer av incidentter. Se till att också sätta upp larm från dem via mail till en funktionsbaserad maillåda dvs inte till en person. Se också till att ha en plan för incidenthantering på plats och utpekade ansvariga för olika typer av fel / incidenter.

Group policies och standardisering

7. Group policies dvs grupp principer. Oerhört kraftfullt verktyg om du sätter dig in i det.  Kommer att underlätta administration, säkerhetshantering och användarhantering väldigt mycket.

SSL och Internet

8. Om servern är nåbar från Internet (fast även gärna om den bara finns internt) , se till att ha giltiga SSL certifkat för alla tjänster som det ska kommuniceras med. Det är inte så dyrt man kan tro (nuförtiden finns även gratis SSL via Letsencrypt, även om det är lite komplicerat få det att fungera ) och det kommer underlätta också att få en del funktioner att fungera smärtfritt. Tänk dock på att bara installera ett SSL certifikat inte räcker, du måste också slå av en del svaga krypton o.s.v.

9.  Se över vilka HTTP headers du använder och säkra upp även dem med t.ex Strict Transport Security,  X-Content-Type-Options, X-Frame-Options, X-Xss-Protection, X-Permitted-Cross-Domain-Policies.

Slå av onödiga funktioner och tjänster , även i en testmiljö

10. Stoppa tjänster, funktioner och nätverksprotokoll som inte används. Minimiera attackytan för hackers, både interna och externa, men spara även prestanda i serven. Du slipper också onödigt tjattrig nätverkstrafik på nätet . Samma princip gäller för skrivare och arbetsstattioner.

Lösenordshantering och policies

11 Tvinga komplexa lösenord för alla användare. För lite tips om hur man kan komma ihåg dem har jag skrivit det här inlägget tidigare

Ett av de vanligaste sätten för hackers att ta sig in i system beror just på svaga lösenord som enkelt går att gissa sig till. Byt namn på administratören då kontot inte går att låsa i Windows. Här är det också viktigt att ha et fungerande intrångsskydd mot lösenordsattacker med Syspeace.

12. Använd en bra namnstandard för inloggningar. Använd inte bara t.ex. förnamnn@ertföretag.se eller något annat som är för uppenbart och enkelt. Ju svårare det är för en hacker att gissa sig till ett användarnamn desto fler försök kommer behövas för att ta sig in i systemet. Det finns olika typer av skydd för att hantera ordboksattacker / lösenordsattacker / bruteforce  o.s.v

Serverns backuper

13. Backuper, backuper och BACKUPER! Se till att ha fungerande backuper och rutiner för dem. Testa dem regelbundet , minst en gång om året. Att återläsa enskilda filer ur en backup är inte en återstartstest! Se även till att ha flera generationer av backuper och en IT policy som styr detta.

Att bara ha en eller två generationer att kunna falla tillbaka på vid ett haveri kan vara katastrof t.ex. om backupen av någion anledning är korrupt och inte går att använda eller om ni blivit hackade och ni måste få tillbaka systemet till ett tillfälle ni vet med säkerhet är OK dvs innan intrånget skedde.

Se till att ha MINST en fungerande generation av backuperna någon annastans än i samma lokaler där servern är utifall det brinner eller blir inbrott.
Att ha disksystem som RAID och andra failolver-lösningar kommer aldrig att ersätta backuper. Det finns även många olika typer av online backup lösningar och det handlar mer om pris och funktionalitet.

All hårdvara kan falera, både fysiskt och logiskt som t.ex korrupta filsystem.
Ett tips här är också att slå på regelbundna VSS snapshots på alla diskar .

Enkelt, stabilt och billigt sätt att ha flera generationer av data att tillgå men det är INTE en ersättning för backuper!

Scanna din server efter sårbarheter!

14. Scanna din server med olika verktyg efter sårbarheter och tips för att öka säkerheten.

Här några bra länkar jag själv använder ofta

https://www.gravityscan.com      – Scannar sårbarheter, felaktiga länkar och headers osv  Främst för WordPress och Joomla osv

https://www.ssllabs.com/ssltest/   – Kontrollera att du slagit av svaga krypton och använder ditt SSL certifikat korrekt 

https://tools.pingdom.com/ –  Hastighet på hemsidan med mera, bra tips om laddningshastigheter och vad som tynger ner osv

http://www.kitterman.com/spf/validate.html   – Kontrollera att du satt upp ditt SPF record korrekt

https://mxtoolbox.com/diagnostic.aspx  – Diverse tester av mailservrar som Open Relay o.s.v. 

https://www.microsoft.com/en-us/download/details.aspx?id=7558    – Microsoft Baseline Security Analyzer

Testa ladda ner KALI Linux och testkör de olika verktygen från den.

Brandväggar och kommunikationer

15. Tänk igenom hur serven kommunicerar med omvärlden vad gäller brandväggar och routing i nätet. Ha även den lokala brandväggen påslagen i Windows, trots att den står bakom en extern brandvägg.

Brute force prevention . Skydd mot ordboksattacker, lösenordsattacker på Windows Server

16. Automatisk intrångshantering med t.ex Syspeace. I Windows går det INTE att automatiskt hantera lösenordsattacker på ett vettigt sätt. De inbyggda mekanismerna kan t.o.m. göra mer skada än nytta. Att installera ett system som Syspeace löser mycket av problematiken direkt och är oerhört enkelt att installera och konfigurera. Det finns flera liknande produkter dock som t.ex Cyberarms. Ur ett administrativt perspektiv så saknar tyvärr Cyberarms en del viktig funktionalitet som t.ex information om varifrån (land, DNS namn osv) attacken kom.

17. Det här hör på sätt och vis ihop med punkt 13 om backuper men se till att ha en vettig återstartsplan om något händer.

WordPress på IIS Server

18. Den här hör såklart ihop med om servern är nåbar från Internet lite längre upp och det är ett helt jätteområde i sig men några grundläggande tips är att se till att alltid uppdatera själva WordPress, alla plugins och teman, din PHP  och att installera plugins som t.ex. Wordfence . Även olika typer av cachning och URL rewrite kommer bhöva installeras och sättas upp.

 

Kontakta mig för möte, frågor eller konsulthjälp kring de här frågorna ? 

 

Mitigation strategies for securing server environments

This is a good start for mitigation planning for various attack scenarios.

I did not compile this list myself and the original can be found here . I might add a few thing in here but is very good strat indeed. Well done
https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm

Den här listan är en väldigt bra början för att planera och förhindra olika typer av attacker och hantera säkerhetsaspekter från olika synvinklar.

För hjälp med frågor som dessa, kontakta mig gärna här

 

backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace mitigation strategies

MITIGATION STRATEGIES

Mitigation strategies summary

Relative security effectiveness rating Mitigation strategy Potential user resistance Upfront cost (staff, equipment, technical complexity) Ongoing maintenance cost (mainly staff)
Mitigation strategies to prevent malware delivery and execution
Essential Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. Medium High Medium
Essential Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications. Low High High
Essential Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. Medium Medium Medium
Essential User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Medium Medium Medium
Excellent Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes. Low High Medium
Excellent Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. Medium Medium Medium
Excellent Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. Medium Medium Medium
Excellent Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections. Medium Medium Low
Excellent Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). Low Low Low
Very good Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high-availability) data. Low Medium Medium
Very good Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD. Medium Medium Low
Very good Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. Low Low Low
Very good Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices. High High Medium
Very good Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. Low Low Low
Good User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. Medium High Medium
Limited Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. Low Low Low
Limited TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. Low Low Low
Mitigation strategies to limit the extent of cyber security incidents
Essential Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. Medium High Medium
Essential Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions. Low Medium Medium
Essential Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository. Medium High Medium
Excellent Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials. Low Medium Low
Excellent Network segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties. Low High Medium
Excellent Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases. Medium Medium Low
Very good Non-persistent virtualised sandboxed environment, denying access to important (sensitive or high-availability) data, for risky activities e.g. web browsing, and viewing untrusted Microsoft Office and PDF files. Medium Medium Medium
Very good Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic. Low Medium Medium
Very good Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. Medium Medium Medium
Very good Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. Medium Medium Medium
Mitigation strategies to detect cyber security incidents and respond
Excellent Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity. Low Very
high
Very
high
Very good Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence. Low Medium Medium
Very good Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option. Low Medium Medium
Very good Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. Low Very
high
Very
high
Limited Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. Low High Medium
Limited Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. Low High Medium
Mitigation strategies to recover data and system availability
Essential Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. Low High High
Very good Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. Low High Medium
Very good System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. Low High Medium
Mitigation strategy specific to preventing malicious insiders
Very good Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties. High High High

 

 

For questions or help within these areas, please feel free to contact me here

Syspeace vs Cyberarms – Bruteforce prevention for Windows Servers

IT konsult backuper, It konsult säkerhet, IT konsult syspeace, IT konsult återstartsplaner, It konsult Active DirectoryA few years back I had an idea about a Host Intrusion Prevention System for Windows servers. I did try to write a proof of concept myself and I did have a pretty good idea of how it should work and what mistakes to avoid. I ran into a Swedish development company by coincidence and I told them about my idea, showed them som proofs of concepts and we decided to create this product together and that’s what eventually became Syspeace.

We had a perfectly fine collaboration for a few years but sad to say I’m no longer associated with Syspeace. In short , after an intial contract for 3 years  for a certain percentage of gross sales , they suddenly decided that I wouldn’t get any money whatsoever for any sales of Syspeace after that. Simple as that. Yay me. Not really what I had in mind when presenting the idea and putting that work into it and still, stupidly enough , I kind of was under the impression that we’d continue the same way as the first contract was written, both practically and in spirit.. Yep. Admittedly bitter about it. I loved the idea, I love the product (although there are improvemens that need to be made in my humble opinion. The idea is even good enough to actually bring some revenue and if we would’ve stayed on terms, I would’ve been perfectly fine. Still, lesson learned. Don’t be so trusting.

Anyaway, this post isn’t about that really. Not getting into how I feel about that but I’m sure you can imagine. There’s another post that kind of relates to that here and my view on a product such as Syspeace.

Anyway, a German competitor called Cyberarms with their product IDDS did however actually manage to release their product just a couple of months prior to us. Our product was still in a testing phase at the time. Out of loyalty and so on, of course I stuck to using Syspeace but there were always a few things that bothered me.
For instance, when running SSL on RDP connections, the eventid 4625 in the Windows Securitylog didn’t record the source IPaddress, thus making it impossible for Syspeace to block anything. Using SSL on RDP connections and so on makes stuff fareasier if you’re hosting Terminal Servers (Remotdesktop Servers and RemoteApp servers) in regards to network security, error messages to clients and so on. It just helps you out a lot having valid SSL certificates.

Syspeace worked perfectly fine for blocking attacks when the source IP address was recorded but otherwise not.
There are a few workarounds and I have written about them earlier but none of them are really good and there are pros and cons to them. This lack of functionality (meaning Syspeace not blocking all attempts but merely the ones containing the source IP address) was always a big problem and it was intended to be fixed but they never really got around to doing so.
I’m sure they will but it has taken a long time though.

As of December 2016, Cyberarms decided to release their software as Open Source (my understanding is that they couldn’t find new investors for continuing but I don’t know really ) so of course I got curious and decided to take it for a spin.

The blocking works fine. It blocks IP addresses with their SSL/TLS agent perfectly fine and it’s free to use so why not use it?

Well. A few things to consider here though and you really might want to think about them before implementing Cyberarms IDDS on larger scale.

Syspeace vs Cyberarms

First of all , the notification email you get from Cyberarms contains far too little information for it to be useful in a datacenter environment or at a Cloud Service provider. If you’re simplt protecting your PC at home, sure but if your’re mmanaginfg a larger server environment it will become a nightmare.

If you get an email simply saying “The IP address xxx.xxx.xxx.xxx has been locked” and you get a few hundred of those, it’s not very useful to you as a sysadmin I’m afraid.

You need to quickly be able to see Geopgraphical information and the login name used in order to know whether it’s an actual attempt to use valid usernames and access data or if it’s just an automated “background noice attack”. With that said, do not underestimate those background nice attacks since they do use up resources like CPU and RAM on your servers. They can also be an attempt to hide other kinds of hacking attacks simply by “hiding in the noice”.

Another thing that Cyberarms lacks is an automatic “Reset on success” feature which in essence means that if you have a customer connecting to your services from behind a firewall and someone at the customer side mistypes their password, the IP address will be blocked. Works as designed in both Cyberarms and Syspeace.

In Syspeace though , there is a default mechanism for also keeping track of succesful logins and with some builtin logic, actuallynot banning the IP address if someone else succeeds with their login attempt from behind that same firewall. The toought behind it is of course to minimize false positives and hopefully not blocking your customers from your services. It’s not foolproof but it works well enough.

In Sypeace, the rules you can set are also more flexible including parameters such as a time window. This is very useful for you to catch “slow grinding” attempts meaning hackers that want to stay under the radar for products such as Syspeace and Cyberarms.

Cyberarms does not have access reports built in to it like it’s built into Sysepace which from time to time can be very useful for a sysadmin.

When you starting up Cybrarms intiially, no agents are activated by default so there’s more of a “how-to” tip for you.

Cyberarms doesn’t not support Windows Server 2003, while Syspeace does.

Syspeace does have an unfortunate built in flaw at the moment making it’s database grow above it’s limit of 4 GB in some scenarios but I’m sure that will be sorted too.
Whether Syspeace (or Cyberarms for that matter) would work on Nano installations and GUIless servers is another quiestion. My guess is that they bort need to be rewritten. None of them support a central managemant interface wich would be nice to have so you don’t have to RDP yourself to each server to make changes. I’m sutre there will be such a feature in either on of them though.

Still, Cyberarms does a good job at finding attacks and here’s how I’ve started using the two in conjunction.

In all honesty, my dream scenario would have been for the two to join forces, getting the best from each product and build a great product together. In fact, I’m sure an even greater product can be built for these things and and adjacent things  so if anyone’s up a for it, I’m game.I have quite a few ideas for new functionality and features for such a product already..or who knows,I might even end up being a part of the Syspeace team again.

Since IDDS is now Open Source I guess I could sit down and amp it up with the features I want to have in it but truth told, I’m not a good developer really. I have ideas and I know how it should work but getting to the actual coding would just take to much time for me.

Anyway … Here’s how I’m using both of them at the same time for now anyway
I have the set the block rules higher in Cyberarms than in Syspeace, therefore giving Syspeace the chance to do the initial blocking and getting better emails sent to me.

Below is an example of an email alert sent by Syspeace.

Blocked address 182.184.78.244 (SERVER-C7BF2B28) [Pakistan] 2017-02-20 10:10:00 Rule used:
Type of block: Windows login
Rule name: Catch All Login
Trigger window: 5.00:30:00
Occurrences: 5
Lockout time: 04:00:00
Previous observations of this IP address:
2017-02-20 06:09:59 *****\administrator
2017-02-20 06:09:57 *****\administrator
2017-02-20 06:09:55 *****\administrator
2017-02-20 06:09:52 *****\administrator
2017-02-20 06:09:50 *****\administrator

I’ve set Cyberarms to block after a higher number of intrusion attempts than Syspeace , getting it to catch those SSL/TLS

attacks since Syspeace can’t handle them at the moment.

Below is an example of the alert sent from Cyberarms.
Client with IP address 155.207.18.189 was hard locked

As you can see, the Cyberarms email doesn’t really provide me with any useful information as a sysadmin meaning for me to actually deal with it, I need to manually find out from where the attack originated, what username was used in order to decide whether it’s serious or not. Of course I could probably write something in .Net utilizing the Cyberarms logfile to get better notifications with more information but that shlould be built into the software really looking more like the Syspeace alerts.

The Syspeace notification isn’t prefect either but it is far better. I would also like to see what port was targeted and what process was targeted, i.e the running .exe.
That would be a quicker way for me as a Sysadmin to determine what’s really going on.

They both have Daily Reports and Weekly Reports so I thought I’d also incklude one of each from the same server and the same time window. I think you’ll noticed the difference and ralize why the SSL/TLS functionality is so crucial to have in place

Syspeace Report for week 2017-02-13 – 2017-02-19

— All Week ——

IP address Times Host name and country
——————– —– ——————————-
23.236.77.157 1 XS2323677157; United States (US)
47.34.65.227 1 47-34-65-227.dhcp.stls.mo.charter.com; United States (US)
52.14.84.148 6 ec2-52-14-84-148.us-east-2.compute.amazonaws.com; United States (US)
73.37.131.61 1 c-73-37-131-61.hsd1.mn.comcast.net; United States (US)
89.247.148.40 1 i59f79428.versanet.de; Germany (DE)
119.59.80.66 1 119-59-80-66.rdns.afghan-wireless.com; United States (US)
151.54.163.83 1 ; Italy (IT)
183.250.25.70 1 ; China (CN)
185.94.99.245 1 ; Iran, Islamic Republic of (IR)
189.26.112.234 2 corporativo.gvt.net.br; Brazil (BR)
193.34.9.171 1 nlink.nesso.ru; Russian Federation (RU)
202.104.33.34 1 ; China (CN)
203.146.142.62 1 ; Thailand (TH)
213.87.96.182 1 host.mrdv-1.mtsnet.ru; Russian Federation (RU)
213.136.87.8 1 vms8.riseforce.net; Germany (DE)
222.184.121.194 1 ; China (CN)
222.209.233.89 1 89.233.209.222.broad.cd.sc.dynamic.163data.com.cn; China (CN)

//  I Have removed the hourly breakdown opart from this report here //

Generated 2017-02-20 00:04:58 for machine ***.****.** by Syspeace v2.5.2.0

 

Cyberarms Weekly Report
Week of 2017-2-13
Installation Information
Server: ****
Events per Agent
Agent name Intrusion attempts Soft locks Hard locks
TLS/SSL Security Agent 1238 215 82
Windows Base Security Agent 133 0 1
Total 1371 215 83
Intrusion attempts by IP address
Client IP Intrusion attempts
1.192.144.148 1
104.43.19.172 1
118.69.171.47 1
146.185.239.117 1
149.3.47.190 1
169.50.7.234 1
200.2.192.186 1
207.225.237.110 1
208.44.83.36 1
209.249.81.231 1
211.72.12.36 1
212.175.49.50 1
212.92.127.126 1
213.89.246.166 1
217.208.101.73 1
217.23.11.249 1
217.8.84.31 1
223.25.241.88 1
37.0.20.79 1
39.109.11.209 1
5.150.237.244 1
50.193.208.177 1
50.203.20.67 1
54.243.236.34 1
68.44.212.144 1
70.169.12.6 1
75.71.25.220 1
78.188.193.185 1
8.21.216.2 1
80.82.77.34 1
82.80.252.200 1
83.137.55.249 1
85.105.245.147 1
88.99.8.164 1
91.121.64.15 1
91.200.12.75 1
91.215.120.225 1
92.51.70.248 1
94.43.33.178 1
96.80.87.202 1
98.101.132.98 1
104.185.131.1 2
12.201.134.132 2
173.226.255.254 2
185.56.82.58 2
197.242.149.19 2
208.184.124.150 2
216.162.88.19 2
216.236.16.89 2
217.34.0.133 2
5.175.0.111 2
63.253.50.210 2
66.229.43.193 2
68.15.114.164 2
76.71.75.79 2
83.69.223.227 2
85.72.58.154 2
96.80.60.1 2
98.112.92.39 2
108.242.76.81 3
178.208.128.131 3
206.252.196.162 3
210.109.189.218 3
217.34.0.135 3
75.127.164.214 3
90.168.232.247 3
108.60.96.19 4
117.218.128.22 4
12.30.90.162 4
208.78.220.145 4
208.81.109.6 4
23.102.44.152 4
38.88.150.106 4
40.85.92.80 4
52.187.36.243 4
52.228.35.94 4
52.228.40.215 4
52.228.42.136 4
66.64.166.178 4
66.84.140.17 4
91.183.212.73 4
144.139.207.212 5
212.83.168.244 5
213.136.87.8 5
216.162.88.62 5
217.148.113.118 5
217.91.224.26 5
222.184.121.194 5
23.235.162.34 5
23.236.77.157 5
52.228.46.46 5
67.55.103.188 5
73.37.131.61 5
85.93.93.116 5
89.30.240.164 5
98.103.178.186 5
119.59.80.66 6
183.250.25.70 6
185.94.99.245 6
189.26.112.234 6
202.104.33.34 6
203.146.142.62 6
212.170.198.61 6
213.87.96.182 6
222.209.233.89 6
46.185.117.106 6
89.247.148.40 6
108.58.0.234 7
109.73.46.130 7
12.199.176.194 7
121.161.141.239 7
151.54.163.83 7
155.133.82.102 7
159.122.106.114 7
159.253.26.77 7
169.50.22.186 7
185.130.226.42 7
185.93.183.218 7
185.94.193.75 7
190.145.28.67 7
193.34.9.171 7
193.86.185.50 7
198.23.210.133 7
199.167.138.110 7
201.161.36.162 7
201.18.18.151 7
211.52.64.52 7
213.136.79.237 7
218.60.57.131 7
27.254.150.30 7
35.156.247.241 7
35.157.110.187 7
47.88.33.114 7
5.122.136.4 7
5.196.215.194 7
59.175.128.108 7
64.110.25.6 7
69.166.130.134 7
79.120.40.185 7
83.110.74.36 7
84.55.94.211 7
89.185.246.67 7
89.185.246.79 7
89.185.246.95 7
91.218.112.173 7
94.102.51.124 7
94.107.233.189 7
94.142.142.156 7
121.175.229.89 8
125.227.100.10 8
141.255.188.47 8
155.133.82.50 8
185.109.255.12 8
185.109.255.13 8
213.124.64.27 8
31.44.191.8 8
47.34.65.227 8
47.90.16.194 8
52.233.26.114 8
62.210.244.44 8
65.61.102.251 8
76.70.18.47 8
80.82.79.228 8
83.136.86.179 8
104.160.176.45 9
109.228.26.93 9
114.34.79.103 9
116.125.127.101 9
170.161.62.42 9
172.245.222.8 9
173.10.107.141 9
173.74.198.161 9
178.159.36.150 9
185.159.145.26 9
194.61.64.252 9
198.27.119.249 9
207.233.75.39 9
212.86.108.191 9
23.249.224.189 9
31.145.15.3 9
37.46.255.63 9
37.75.11.86 9
40.139.95.146 9
5.135.7.98 9
5.39.222.19 9
50.243.143.129 9
52.174.36.251 9
52.187.37.144 9
52.232.112.92 9
58.221.59.22 9
78.154.13.222 9
91.211.2.20 9
95.154.22.236 9
144.130.57.185 10
50.247.156.86 10
74.95.221.25 10
194.17.59.90 11
93.174.93.162 11
118.34.230.5 12
213.179.6.49 12
43.254.126.10 12
103.54.250.94 13
174.4.72.229 13
146.0.74.126 14
203.128.240.130 14
5.39.223.166 14
2.139.204.18 17
74.203.160.89 17
93.115.85.228 17
185.159.36.122 18
195.154.52.156 18
24.249.158.60 18
31.184.197.6 18
52.14.84.148 19
185.70.186.140 21
119.145.165.86 23
91.211.2.109 54
Total 1371
Soft locks by IP address
Client IP Soft locks
108.58.0.234 1
109.73.46.130 1
12.199.176.194 1
12.201.134.132 1
121.175.229.89 1
144.130.57.185 1
155.133.82.102 1
155.133.82.50 1
159.122.106.114 1
159.253.26.77 1
169.50.22.186 1
173.226.255.254 1
185.130.226.42 1
185.93.183.218 1
185.94.193.75 1
190.145.28.67 1
193.86.185.50 1
197.242.149.19 1
198.23.210.133 1
199.167.138.110 1
201.161.36.162 1
201.18.18.151 1
208.184.124.150 1
211.52.64.52 1
213.136.79.237 1
216.162.88.19 1
217.34.0.133 1
218.60.57.131 1
27.254.150.30 1
35.156.247.241 1
35.157.110.187 1
43.254.126.10 1
47.88.33.114 1
47.90.16.194 1
5.122.136.4 1
5.196.215.194 1
59.175.128.108 1
62.210.244.44 1
63.253.50.210 1
64.110.25.6 1
66.229.43.193 1
68.15.114.164 1
68.44.212.144 1
69.166.130.134 1
76.71.75.79 1
79.120.40.185 1
83.110.74.36 1
84.55.94.211 1
89.185.246.67 1
89.185.246.79 1
89.185.246.95 1
91.218.112.173 1
93.174.93.162 1
94.102.51.124 1
94.107.233.189 1
94.142.142.156 1
96.80.60.1 1
98.112.92.39 1
104.160.176.45 2
108.60.96.19 2
109.228.26.93 2
114.34.79.103 2
116.125.127.101 2
12.30.90.162 2
141.255.188.47 2
146.0.74.126 2
170.161.62.42 2
172.245.222.8 2
173.10.107.141 2
173.74.198.161 2
178.159.36.150 2
185.109.255.12 2
185.109.255.13 2
185.159.145.26 2
194.61.64.252 2
198.27.119.249 2
2.139.204.18 2
206.252.196.162 2
207.233.75.39 2
208.78.220.145 2
208.81.109.6 2
212.86.108.191 2
213.124.64.27 2
217.34.0.135 2
23.102.44.152 2
23.249.224.189 2
31.145.15.3 2
31.44.191.8 2
37.46.255.63 2
37.75.11.86 2
38.88.150.106 2
40.139.95.146 2
40.85.92.80 2
5.135.7.98 2
5.39.222.19 2
5.39.223.166 2
50.243.143.129 2
50.247.156.86 2
52.14.84.148 2
52.174.36.251 2
52.187.36.243 2
52.187.37.144 2
52.228.35.94 2
52.228.40.215 2
52.228.42.136 2
52.232.112.92 2
52.233.26.114 2
58.221.59.22 2
65.61.102.251 2
66.64.166.178 2
66.84.140.17 2
78.154.13.222 2
80.82.79.228 2
83.136.86.179 2
91.211.2.20 2
95.154.22.236 2
118.34.230.5 3
185.70.186.140 3
24.249.158.60 3
119.145.165.86 4
185.159.36.122 4
195.154.52.156 4
31.184.197.6 4
93.115.85.228 4
91.211.2.109 12
Total 215
Hard locks by IP address
Client IP Hard locks
104.160.176.45 1
104.43.19.172 1
108.60.96.19 1
109.228.26.93 1
114.34.79.103 1
116.125.127.101 1
118.34.230.5 1
118.69.171.47 1
119.145.165.86 1
12.201.134.132 1
12.30.90.162 1
170.161.62.42 1
172.245.222.8 1
173.10.107.141 1
173.226.255.254 1
173.74.198.161 1
178.159.36.150 1
185.159.145.26 1
194.61.64.252 1
197.242.149.19 1
198.27.119.249 1
2.139.204.18 1
200.2.192.186 1
207.225.237.110 1
207.233.75.39 1
208.184.124.150 1
208.78.220.145 1
208.81.109.6 1
209.249.81.231 1
212.86.108.191 1
216.162.88.19 1
217.34.0.133 1
217.34.0.135 1
223.25.241.88 1
23.102.44.152 1
23.249.224.189 1
31.145.15.3 1
37.46.255.63 1
37.75.11.86 1
38.88.150.106 1
40.139.95.146 1
40.85.92.80 1
5.135.7.98 1
5.39.222.19 1
50.193.208.177 1
50.203.20.67 1
50.243.143.129 1
50.247.156.86 1
52.174.36.251 1
52.187.36.243 1
52.187.37.144 1
52.228.35.94 1
52.228.40.215 1
52.228.42.136 1
52.232.112.92 1
54.243.236.34 1
58.221.59.22 1
63.253.50.210 1
66.64.166.178 1
66.84.140.17 1
68.15.114.164 1
78.154.13.222 1
8.21.216.2 1
91.211.2.20 1
93.115.85.228 1
95.154.22.236 1
96.80.60.1 1
98.101.132.98 1
98.112.92.39 1
185.159.36.122 2
195.154.52.156 2
31.184.197.6 2
52.14.84.148 2
91.211.2.109 6
Total 83
To configure reporting options, please use the IDDS administration software on your server.

With that said, I would recommend people using both of them in order to minimize brute force and dictionary attacks against Windows servers.

Should you need assistance or have questions, please feel free to contact me here

Securing Windows Server with a baseline security

JufCorp AB hjälper företag och föreningar med frågor inom backup / restore , Disaster Recovery, IT säkerhet, molntjänster och Syspeace

Securing Windows Server with a baseline security

In short, to have an acceptable baseline security for any Windows server you need to think all of the things below in this list.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security.  That’s just the way it is but you might use this as some kind of checklist and also the links provided in this post.

 

Securing Windows Server with an acceptable baseline security

  • 1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java,Office and any software really. This reduces the risk for so called 0day attacks or your server being compromised by software bugs.
  • 2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F Secure PSB for Servers and Workstations for lots of reasons. It’s not just a pretty logo. If you need licenses or assistance, please feel free to contact me here
  • 3. Verify you have thought your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool to secure your server and crucial.
  • 4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.
  • 5. Enable logging. If you don’t know what’s happeing, you can’t really react to it can you ? It also makes any troubleshooting hopeless in restrospect.
  • 7. Have a good monitoring and inventory system in place such as the free SpiceWorks and I also recently discovered Sitemonitoring at Sourceforge that I liked. Unfortunately Sitemonitoring only works for HTTP responses , I’d love to also have it work for pure port monitoring.
  • 8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared incas of hardware failures. If possible, also have spare parts readu for the common failures such as hard drives and PSu (Power Supply Units)
  • 9. Use Group Policies. It’s an extermely powerful tool once you start using it and it will make you day to day operations much easier.
  • 10. If your server is reachable from the Internet, use valid SSL certificates. They’re not that expensive and any communications should be encrypted and secured as fa as we’re able.
    Yes, think Mr. Snowden.Think NSA. There’s a few more things to consider when installing SSL on servers such as disabling weak cryptos and testing you´v done so correctly. I like using SSL Labs free test.
  • 11. Disable any unused services and network protocols. They can be a point of entry and for the unused network protocols, you bascially fill your local network with useless chatter that comsume bandwidth. This also goes for workstations and printers and so on.
  • 12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for.
    If people are having trouble remembering passwords the have all over the world, maybe you could have them read this blog post I wrote about rememebering complex passwords
    and on the topic of online passwords and identities, they migh also want to read this post about protecting your online identity  also.
  • 13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post (still on the Syspeace Blog site though )  on why
  • 14. Backups! Backups! and again. BACKUPS!!
    Make sure you have good backups (and test them at least once a year for a complete disaster revovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferrably stored offsite in some manner in case of a fire, theft or anything really.For day to day operations and generation management I highly recommend using the builtin VSS snapshot method but never ever have it instead of backups.
    You can also use the built in Windows Server backup for DR as described here
  • 15. You need to have an automatic intrusion protection against brute force and dictionary attacks with Syspeace since the “classic” methods do not get the job done. Here’s an older blog post on why . I you don’t have the time to read the article then simply download the free Syspeace trial or contact me for licenses and consulting regarding Brute force prevention

If you’re up for it, I’ve written a few other related posts here:

Securing your datacenter part 1 – Physical aspects
and
Securing your datacenter part II – Networking

There’s also a third one but to be honest , I can’t remember where I published it. This is one of the reasons I’m moving basically everyting I’ve written to my own website instead . Easier to maintain .
Keep it simple and easy is alway a good approach. 🙂

By Juha Jurvanen @ JufCorp

Securing your datacenter – Physical aspects

Securing your datacenter - Juha Jurvanen JufCorp AB

A basic guide to securing your datacenter- part 1

This blog post is intended only as a basic guide to securing your datacenter and it’s a repost with some new stuff added into it. I also wrote a couple of follow ups to it that I will repost later.

It is not intended to be the gospel of security since, well.. let’s be honest, there is no such thing as absolute security.

As an example, in Sweden there was a case where a computer was locked in a vault, with no network access whatsoever and only a few people had access to it and still, it leaked information to foreign countries. Yes . a computer controlled by the military.

Absolute computer security is a myth and a beautiful dream. With that said, system administrators can still do a lot to make more difficult to access data and prevent attacks and sabotage to their systems.
Let’s start off with physical aspects .

The actual georgraphic location

Where is your server actually located and who has physical access to it?

Resetting administrator passwords or root passwords

Once you gain physical access to a sever, there are numerous way of accessing the data. The root password or Active Directory Domain Administrator password or NDS Admin password can be easily reset (yes, the sentence “easily reset” is used loosely) with a USB stick and booting the server. Have look a at for instance HIren’s Boot CD, Burglar for NDS or just play around with Google and search for terms such as “Reset administrator password”, “decrypt password” and so on .
You’ll be amazed when you realize how easy it actually is. Personally, I always carry with me some USB stick that enables me to boot up any system and “have my way with it”
So, we need to secure the server from outside access. The data center must be protected with card keys, cameras and access control. We need to who and why they are in the data center in the first place.For instance, a janitor or cleaning staff tends to have complete access due to what they do. Many companies hire outside help to get these kinds of jobs done.

Sabotage and disrupted data services

If I wanted to gain access to server, I would try to infiltrate one of those subcontractors to get a job as a let’s say janitor, and try to gain access to the data center somehow and from there, I can basically do what ever I wanted with the servers.
Maybe my goal wouldn’t be to steal data but to kill the data operations by corrupting the filesystems on the servers (for instance just “piping” data into various files from command prompt or hding files behind other files ), randomly switch disks on RAID systems or just put small holes in network cables to cause network errors, trigger an EMP in the data center and so on .
There would be numerous ways to disrupt the data operations, once i gained access to the data center or servers room.

Information theft

If I’m out to steal data, I would probably not target the servers themselves but instead I’d start looking for backup tapes or backup disks. Far too many companies have their backups in the same location as the servers themselves and since the backups usually are not encrypted , I’d go for stealing a complete backup set, go home and start doing a scan of the tapes to figure out what backup software was used and then do a complete restore of it all.
The backups are most likely to contain the data I’m after, although probably a maximum of 24 hours old but from them I can gain access to all kinds of information about the operations and crack administrative passwords for the server systems and so on . In the comfort of my own data center. or my couch.
This way would of require some skill of Disaster Recovery scenarios and how to get data back from backups but I’m fairly sure I’m not he only one in the world who has the expertise in those matters.

Backups are always a weak point from several aspects.

You need to know who has access to them , at all times.
If you are company that for instance have your backups shipped to another location on a daily basis or weekly, you need to know that people handling them haven’t been compromised. It wouldn’t take that long for anyone with the proper skills do clone your tapes or disks en route to their destination and you would have no way of telling they’d been cloned. In that scenario, all of your critical data would be in the wild, without you actually knowing it.

If you are using any kind of online backup service, remember to choose your encryption password wisely and be extremely restrictive with who has the password. A lot of backup software do not let you change the encryption password without doing the first backup all over again, thus doubling your usage of space and your costs.
Still , I highly recommend you use an encryption password for several reasons.
If you don’t use it, it’s just pure laziness and fear of administrative hassle and that’s just not an excuse. The risk of people at your online backup provider being able to access your data is of course also an obvious risk. Do you know these people and how could you be absolutely certain that they aren’t poking around in your data and maybe giving it to your competitors?

If you are thinking about online backups there are a few very essential questions you should ask yourself but we’ll get back to that later in another post.
Do not use the same encryption password as you have for Root / Administrator / Admin . That´s just crazy talk. Use a password generator to create a unique password. This is also very much valid for tape backups or backups on NAS / disk. Always encrypt your backups with password and be very, very restrictive with who has the password.

If an employee quits your company or an outside consultant quits his project and he / she has had knowledge of the password, change it.

If you’re doing a planned Disaster Recovery test for instance, change the administrative passwords right after the DR test , thus not enabling anyone to reuse what they’ve found out during the test
During the actual DR test, you should be there and be the one that actually types in the encryption password for the backups, not any outside technicians or consultants , not even the online backup service provider or your Disaster Recovery Service Provider. You , and you alone should be the one that has those passwords.
I’ll will return to backup questions and stuff regarding DR plans and so further down the line in some upcoming blog post
So, the conclusion is, always know who and why people are in proximity of your servers and NEVER let anyone be there alone without supervision and here’s a few more pointers.

A short cheatsheet for datacenters

  1. Always have you data center locked and secured from unauthorized access, If you have the means, also have it secured against an EMP attack from the outside. Of course, I haven’t even touched the subjects but be sure your data center has all the necessary fire prevention/extinction equipment in place, UPS backups and , if possible, also an outside source for generating current in case the UPS or battery runs out of current. There should also be a system in place for protecting you servers against spikes in current.
    Be sure to know where water pipes are running in the building so you don’t place your server directly underneath one.
  2. Don’t keep cardboard or any other kind of flammable materials in the data center. Be sure to take them with you when you’ve set up a new server or switched disks. Don’t be lazy. The cost of laziness can be extreme.
  3. In the data center, always have your servers locked in cabinets that requires keys and access card to gain physical access to keyboards and stuff. Also remember to protect the cabling and the back of the servers! Never have a server logged on the console. Be sure to have all cabling to the and from the firewall and the internet access secured.
  4. If you’re “expecting company” i.e. external consultant and so on, be sure to think abut NOT having different kinds of network maps, administrative passwords and different kinds of information in plain sight for anyone to see. I’ve seen it hundreds of times, the IT department having their entire IT operations and information of their systems on white boards or on print on documents next to their workstations. It’s very quick and easy to take a picture of it with a cell phone and once you understand the infrastructure you can also start exploring weak points in it.
    Sure , it makes their lives easier but as one might gather, it also makes the life of the attacker easier. Knowledge is a powerful weapon, especially when it comes to data protection
  5. Don’t have software laying around in the data center with software keys and stuff on them . All it takes is a mobile phone for someone to coy your license keys thus possibly putting you in an awkard situation having to explain to Microsoft for instance how come that your Volume License keys are a bit too easy to find on Piratebay, thus putting you n the risk of your licenses becoming invalid and bringing your server operations to a halt , or at least a shoer disruption.
  6. Know where your backups are, at all times. Have them encrypted. If using online backup services, be sure to use an encryption key and , if possible, be sure to have restrictions on the online backup service providers end on to and from where backups and restores are allowed
  7. Do not allow mobile phones in the data center due to the risk of people photographing your equipment or software license keys or using the mobile phones to copy data via USB cables and stuff.
  8. If possible, disable any USB ports on your servers. This can be done in the BIOS (and of course also have a sysmtem password for accessing the BIOS, a unique one for each server ) or you can physically kill it by putting glue or semothing in there (I haven’t tried that myself so do try at your own risk .. )
  9. If you are sharing a data center with others, there is no need for you to have your company logo or anything revealing the servers are yours. Keep it as anonymous as possible. There is also no need for you to tell anyone where your servers are physically located (although it can be fairly easy for anyone to fin out using traceroute commands and so on ),
  10. Be sure to have a Disaster Recover Plan (DRP ) / Business Continuity Plan (BCP) if your site is compromised or an accident should occur. Also in this case, treat the secondary DR location as mission critical data. Far too often, the secondary site is forgotten and poorly updated.
  11. Once again, do not underestimate the powers of social engineering. Although it’s not hacking in the usual sense, it’s merely good acting but it can still be as harmful as I’m trying to point out here

So, there’s a few tips anyway and that’s just the start really. It’s not a complete recipe for securing your physical environment and I’m sure I’ve missed out loads of stuff but it’s a start anyways.

I hope you you liked this post and I’d love to hear you thoughts on it and if you want me to write a few others on the matters of securing your server operations, I was thinking in the lines of brute force protection, change management, 0day attacks, certificate management , password policies, protecting web servers and so on , You get the picture 🙂

// Juha Jurvanen

Contact me

Senior consultant in backup, IT security, server operations and cloud

Sad to see Cyberarms fail

Sad to see Cyberarms fail

konsult inom backup It säkerhet molntjänster återsartsplaner för IT

Today, I had a look at the Cyberarms website since I of course like to see what’s going on out there. I liked some of their ideas and I did see potential in there.

To my surprise they have decided to quit developing Cyberams and also to completely halt their operations apart from licensing renewals.

Their deficit is 250 000 euro so that saddens me of course when any business venture fails.
It’s never just a job for people in my line of work and as a business owner I do know what the owners and CEO and everyone is going through. It’s absolutely horrible with sleepless nights, feeling of failure and everything.
To develop a product and a software, especially for a new kind of thinking in terms of security, and actually getting system administrators, CEOs, CTOs and so on to realize actually that it needs to be in place isn’t easy and it’s very important to keep track of costs and also to know that development is moving forward as expected.
It’s not always a good thing to be some of the first in their field. Especially to try to make it commercially. Having the right people , business plan and everything is crucial.

Still, the need for a good and stable brute force prevention software for Windows Servers is still just as valid and important as ever. If not even more, considering all the private and public cloud solutions that are emerging. For instance, remember, Syspeace was born out of necessity from the Cloud Service rCloud Office at Red Cloud IT in Sweden.

Cyberarms will release their source code to customers with more than 250 licenses so there is always the possibility that it will be developed further but most likely only for the use at those customers inhouse and for their own needs.
To uphold a software and keep developing it when written by someone else can be very time consuming indeed and as a developer you also need to get new ideas from the guys who had the original idea.
Even though the person with the idea isn’t the same one who actually writes the code, that person is still often the one with the vision and ideas for the next level and what it should actually be.

For obvious reasons I am prone to using Syspeace but it still made me sad to see Cyberarms fail.

In the case of Cyberarms, one of the unfortunate miscalculations was that there was a free version that blocked x amount of attacks per day. The rest weren’t blocked.
For some system administrators, that was enough (I don’t really see why that would be enough . I mean , let’s block these three attacks but let these other 50 keep going but .. anyway …. ) so Cyberarms basically gave away a semi-full protection thus not getting the licenses sold needed to be able to further develop the product and to keep marketing and staff and etc.

This was also discussed in the Syspeace team as a possible way to reach out to new customers but we decided to make it a fully functional trial instead since we did see the risk in what happened to Cyberarms would happen to Syspeace too i.e. people only using the free version and being content with the semi-full functionality.

So, as sad I am to see them go, hopefully this might at least have more users and sysadmins to have a look at Syspeace for Windows Server protection. Regardless if it’s RDP, Citrix, SQL, Exchaneg OWA and more. If it’s reachable, people will try to brute force it.
The problem is there and now there’s one less security software to choose from to protect from it.

Juha Jurvanen

NTLM settings and other fun labs searching for missing IP adresses in eventid 4625 or trying to get RemoteAPP to work well with RD Client on iPad, Android and even Windows!

konsult inom backup It säkerhet molntjänster återsartsplaner för IT

Using SSL causes mssing IP adresses in eventid 4625 and to get them back .. disable NTLM ? Nope. Not really an option

Today I took me a lab day to actually sit down and spend time with the NTLM settings and the RDWEB and try it out on various platforms and do some more or less scientific testing.
In short, I’äm not impressed by how Micropsoft has actually implemented parts of ther stuff..

I used Windows 10, RD Client for IOS and RD Client for Android. The server infrastructure was a Windows Server 2008 R2 with valid SSL certficates for all services.

The underlying problem is basiaclly that if you use an SSL certificate for your RDP connections , failed logins aren’t correctly dispalyd , i.e. your missing IP adresses in eventid 4625. (When not using an SSL certficate , it is recorded but then your users and customers get a lot of warnings when connecting to your servers and some things just donät work very well sucha as the Webfeed for RD Web)

Syspeace is a Host Intrusion Prevention Software that uses this inormation about the source IP address to block brute force attacks against Windows Servers.

One way around this is to disable incoming NTLM traffic and sure enought , all IP addresses are recorded.

The downside is .. only “full” RDP connections will work meaning that for instance connections to a server desktop works fine but if you’re really into RemoteAPP (and that’s the way I want to go and a lot of tekkies with me) you’ll be running into problems.
And, by th way.. frankly, full desktop session don’t work either from IOS (at least remote Desktop Client 8.1.13 and my iPad, they do from Android though, same server, same username and so on)

Not even Windows really working correctly when disabling NTLM ?

I also did some testing for fun by creating a .wcx file and oddly enough. In order to get that to actually work with Windows 10 (and I’m guessing it’s the same for Windows 7 and so on ) , It just refuses to connect to the RemoteApp service if incoming NTLM is disabled.
I can howerver start a normal Desktop Session against the server so, what I would claim is that the fault is actually within RD Web and the way it handles authentication, requiring some parts to be using NTLM.
The usual RD Web login interface works so far that I can login and see the resources but I can’t start any applications from it. No errors, nothing.
If enabling NTLM, I can start the applications just fine. Once again. NTLM has to be enabled in order for full functionality 🙁

So, basically, if I change the policy settings for the RD Server not to allow incoming NTLM traffic in order to be able to actually handle a bruteforce attack and also keep track of failed logins with informaion that’s actually useful for me as a sysadmin and CSO

These are by the way the settings I’m referring to

Computer Configuration\Windows Settings\Security Settings\Security Options

– Network security: LAN Manager authentication level — Send NTLMv2 response only. Refuse LM & NTLM
– Network security: Restrict NTLM: Audit Incoming NTLM Traffic — Enable auditing for all accounts
– Network security: Restrict NTLM: Incoming NTLM traffic — Deny all accounts

Regardless of how I try, I can’t get it to work to actually add remoteapp resources (or Remote Resource Feed) neither Windows 10, nor IOS, nor Android.

So, what are the implications of this ? Does it matter ? Do we need the source IP address in 4625?

First of all, the way this is handled within Windows Server is an absolut nightmare and frankly, just usesless and I can’t see any reason for Microsoft developers to leave the IP address out when using SSL certificates or at least have another entry in the eventlog for it containg useful information.
It’s not possible to handle brute force attacks natievly within Windows Server as I’ve written about many times earlier.

The biggest problem is of course that if someone tries to bruteforce your server, then how will you stop the attack ? How do you gather evidence ?
If your’e running a larger server environment and hosting customers and so on , you’ll have no way of knowing what attempts are legitimate customers and user and which ones aren’t really.
You can hardly shut down your services can you ?

At the moment , I don’t have a good solution to this problem. Syspeace catches lots and lots of bruteforce attacks for me but these ones it can’t since it doesn’t have any IP address to block.
I’m just hoping for Microsft to actually solve this on the server side since that would be the easiest fix for them I’d say.
Of course they also neeed to get the RDP clients working for all platforms but basically it should be working with NTLM2 at least and also to log the failed logon request correctly if using an SSL certficate. Anthing else is just pure madness and stupidity to be honest and someone should get fired for not thinking ahead.

By Juha Jurvanen @ JufCorp

The anatomy of hacking attacks and a few countermeasures

konsult inom backup It säkerhet molntjänster hacking attacks

Various hacking attacks against servers and users

First of all, there are multiple types of hacker attacks and they all have different purposes.
There are also many different types of hackers and they all have cool names like “White hat” hackers and “Black hat” hacker.
The White Hat ones are usually the security experts hired at a company to check and verify the IT security measures at other companies.
The Black Hat hackers are not. They’re the ones to be afraid of.
I’m neither of them. I’m simply a consultant and the best of these guys know far more about theses things than I do but still, I thought I’d run through a few common attacks targeted to accomplish various things.

There are many reasons why an attacker wants to hack you.

It could be hacktivism and political reasons or an attempt to gain access to your server to be able to use it for hacking others (basically they want access to your CPU, RAM and disk to hide stolen data and tools, mine for Bitcoins or whatever and to have an IP address to use, not leading back to their own).
There’s a few very cool and easy ways to hide files on servers that ar more or less impossible to find such as hiding a file “behind” another file and so on.

Of course in some cases it can also be about trying to steal company secrets (industrial espionage), possibly a former (or current for that matter, internal data theft and hacking is far more common than you’d expect) discontent employee looking to sabotage or looking for revenge or in some cases, just for the fun of it to see if it can be done.

The pre-run. Checking out your site, server with portscans and bruteforce atttacks

First of all, any hacker will need to know what you’re running and what it looks like. “Know thy enemy” so to speak.
Usually a portscan of your servers will reveal quite a lot of information and there are loads of tools to do this, quietly, undetected and efficiently such as nmap or even Google actually.

In order to make it a bit more difficult for them I’d suggest you have your firewall correctly configured for blocking portscans, your servers on a DMZ and also to hide any banner revealing what software you’re running and what version. This can’t be done with all software I’m afraid but the ones that you can, please consider doing so.
For a hacker to know exactly what you’re running will only make his/her life much easier since all they do is to start
looking for any known vulnerabilities and so called exploits to that software and version.
Usually software developers have released a patch but unfortunately, a lot of software never gets updated in time due to the old “if it works, don’t fix it” attitude among a lot of server tekkies and hosting providers.

Another thing is to move all default pages and scripts (or delete them if you’re not using them) to make a bit more difficult to figure out what you’re actually running and how it is setup. Have for instance 404 error messages redirected to the start page or Google or your worst competitor and also 403 errors ..

DoS attacks and DDoS attacks and also hiding behind them.

A DoS attack is a “Denial of Service” attack which means that your server is in some way attacked and made to stop servicing your clients / users or customers the way it’s supposed to, for instance your webmail / OWA or a webshop or RDP services.

This can be accomplished in many ways. A DDoS attack is a DoS attacked but with the difference that it is a Distributed DOS attack meaning there are a lot of more computers involved in doing the attack.
These attacks often have the main purpose of taking a website down by overloading it really.

If you’ve got a web server servicing for instance a webshop and a hackergroup for some reason don’t like you, they’ll get a few hundred thousand computers around the world to ask for a specific document or picture on your website, thus overloading it so it can’t really service your customers since the server is busy handling the bogus requests.

It is not uncommon also for a hacker to hide behind these attacks to try and find out what kind of countermeasures you have in place such as Syspeace. The idea behind it is basically to became invisible in all the log noise a DDoS attack generates.

Worst case, hacking attacks such as this can actually go on for weeks and it has happened often. That is also simply an extortion. “If you pay us this and this much , your webshop will be back online again, otherwise not”. For some companies this of course could be an absolute disaster, imagine for instance around the Christmas sales.

Now, it might sound impossible to find a few hundred thousand computers to get such an attack underway. It’s not. They’re out there in botnets spread over VPS and physical machines and they’re for hire even. Including a trial run and with support.
Brave new world ..

There are ways to handle these attacks. For instance increasing the service capacity on the server, increasing you bandwidth and also have a talk with your ISP on how to mitigate the attacks if they have solutions in place for it. You could also have for instance a powerful SNORT server in front of the firewall to get rid of some of the traffic. You should also have Syspeace in place for handling the bruteforce atatcks

Poorly updated applications or neglected updates and 0day exploits

If a server is poorly updated and the application/website is sensitive for instance that the hacker simply adds some code against the webaddress trying to browse the file system on the server then this can also render in a DOS attack or even worse, the attacker gets hold of the users and administrator/ root passwords. Once they’ve got that, your pretty much ..well. you won’t be having a good day. Basically you need to make sure your webserver is always correctly updated, and you also need to make sure that the underlying file system can’t be reached from the outside more than absolutely necessary.
Make sure you checked every directory and path on the website and what actually is reachable, writeable and browsable. If you’ve got pages you don’t want indexed then hadndle that in the robots.txt or have them secured behind a user login page.If you’re running a Wordporess site, make sure you hav alarma set up for outdated plugins, changes to files and so on and and make sure to deal with it asap.

Unfortunately, from time to time there are also so called 0day exploits out in the wild and those are very hard to defend yourself against. If get alerted that there is one in the wild for your environment, please keep alert and stay on your toes until a patch is released and follow any best practices released by the vendor! This can also fall under the category viruses and trojans further down.

SQL Injections and badly formatted requests

If the website uses a SQL Server / MySQL or has any input form to validate or gather something, please make sure that the application strips away any characters that could make your server vulnerable to SQL Injections since the SQL Server is usually run with administrative rights making the SQL Server injections being run with high privileges and accessing the operating system.

If you don’t know how the application is written, please contact the developers of it and ask them and have them verify this.

For any part of the website where there are input forms, makes sure that all input is validated in terms of what characters are used and how long the input is.
If a website is poorly written and poorly validated, a memory buffer overflow can occur which basically means that the input is so large or strangely formatted that the server will stop working or even give the attacker access to the servers operating system by overwriting stuff in the RAM in a way that it’s not supposed to.

Viruses, rootkits and trojans.

If an attacker has been able to lure your users to a site that contains infected code (sometimes also called drive by hacking) and the web browser or plugins to it (Java, Adobe, Flash and so on) are sensitive to that particular infections you user might come down with an infected computer.
Depending on what actually has been infected and why the consequences vary of course.

This is often done by sending emails with links to websites or trying to get user to plug in an infected USB stick into their PC.

I’ve heard of companies that have been affected with a virus rendering them unable to work since nobody was allowed to even plug in their computers to the work networks until they could be sure they’d got rid of it. In this case it was a lot of computers so I think it took them 3 week until people actually could start working again, 3 weeks without any work. That’s a costly thing for any company.The same standstill could also come from a ransom virus, basically encrypting all your files and you’ll have to pay money to get the right decryption password.

The way to minimize such a horrible standstill is to make sure that ALL of your devices connecting to the network are properly updated with antivirus products (please do not use the free ones ..ever!) but also you need to make sure that any other software is properly updated . Java, Flash, and the operating system itself .
This also goes for workstations connecting from home and so on or otherwise you might be in for a bad day. You should also be very restrictive when it comes to letting users use USB drives and stuff. They might be infected with something.

MITM – Man in the Middle, proxies and easedropping

If you’ve got a corporate network, you want to know what devices actually are on it and why. If someone for instance sets up a computer and has all of the corporate traffic routed through (by acting a proxy) , all of your communicating is being copied and this can be done in various ways. The same goes actually for you if you’re using public WiFi hot spots which I would never recommend anyone really using. To intercept data isn’t very difficult unfortunately, especially if it isn’t protected by valid certificates.
You need to use valid SSL certificates and there’s no reason to use anything lower that 2048 encryption and you must also disable weak cipher and other stuff before your SSL is correctly set up. Check your configuartion against for instance on Qualsys SSL Labs.
Also make sure that all communications are secured within your network.

Brute force and dictionary attacks.

I’ve written loads and loads on this earlier so I won’t linger on it. A brute force or dictionary attack is basically someone trying to get access to your server by guessing the username and correct password using a large list of common passwords or a dictionary and simply trying them one by one (well, thousands at a time really since its’s automated).

To protect your servers and user you need to have a intrusion prevention system in place. For Windows Servers I recommend using Syspeace (and you can also use Sysepace for protecting web applications you’ve protected through the Syspeace API) and on Linux servers I’d have a look at fail2ban. You should also use and enforce complex passwords.

Anything that comes with a default password for logins (routers, switches, printers and so on) should have the password changed from default!
These are always sensitive to brute force attacks and there are sites on web listing thousandfs of default passwords out there

You should also have a very strict policy to immediately block an employees account as soon as they’re no longer with the company and you should be very careful with what user rights you grant your users since they can easily be misused.
You should also have software in place for managing mobile phones and other devices that your employees have and the ability to wipe them clean if they get stolen or if you suspect internal mischief from an employee.

On site data theft and social engineering.

Well. In a sense , it’s not hacking but it’s more fooling people. Not the initial part anyway.
Basically someone turns up, claiming to be from the phone company, a cleaning company, your IT support company or anything that makes sense and they want access to the data center, server room to “fix” something. This is also referred to as social engineering. First the hacker finds out as much as possible about the company they’re attacking and then use that information to gain access to workstations or servers within the company,

Once they’ve actually gained access, they’ve got USB sticks to insert into workstations or servers , either loading a software into them such as trojans or keyloggers or just something that elevates rights or maybe they’re simply after just copying the data.
It all depends on how much time they have and if they’re alone. In some scenarios it might even just be a trick for them to gain access to backup tapes since all the companys data is on them .
They could also bribe janitors, cleaning staff and so on to steal backup tapes for them since they far too often will have access to the datcenters and they’re
not that highly paid.

There are a lot of tools that can simply put on a USB stick, boot up the server and you can reset administrator passwords, overwrite systemfiles (or plant a trojan or destroy them to render the server unbootable) , steal data and so on and a lot of them are surprisingly user friendly like for instance Hiren’s BootCD

A variation of this is of course people phoning someone up, claiming to be from the IT departement or Microsoft or somewhere, wanting to “help you” with a problem and asking for remote access to your computer. Once they gain access, they’ll do same things. Plant a trojan or a virus or a keylogger and the basically own the computer.

To protect your company data please always make sure you know who and why people are on site, never have anyone come near servers without supervision or the users workstations and if possible, disable any USB ports and always use password protected screen savers.

Every device on your network must also have a good antivirus running in case someone still manages to put an infected USB stick into the workstation.
Also make sure you talk the users about the hazards of giving anyone access to their computer.

If you suspect you’ve been hacked. What to do. Contingency planning

First of all, try to verify that you have been hacked and also try to find out when. In some cases you’ll have to revert to backups taken BEFORE you we’re hacked to be sure that you don’t restore a root kit or something.
This also means your backup plans and DRP plans need to take these scenarios into account so don’t be cheap with the number of generations you actually save.
You might need something from 6 months ago.

Try to find out what happened, when it happened, how it happened and have it fixed before you allow access to the server again. There’s no sense in setting the same flawed server up again. It will only be hacked again,

Don’t be afraid to make it a matter for the police. They need to know about it and they want log files and any documentation you may have.

When you get the server up and running again (or preferably before you’ve been hacked) make sure to have monitoring set up for the server. If it’s a website for instance, you want to be alerted if anything changes on in the html code for website for instance, or if the site is responding slowly (this doesn’t have to mean you’ve been attacked but could point to other problems also such as disk problems, misconfigured server settings or ..well..anything really. In any case you want to look into it.)

So , these were only a few methods and there a loads and loads more of them .

I’ve written a few other blog articles on securing servers, data centers and on brute force prevention and here’s a few links to previous articles. Most of are copied from older blogs and I do admit I haven’t nor proofread them nor formatted them for this site yet. I will. Eventually.

Articles by Juha Jurvanen on securing your server environments

Securing server environments – Part I – Physical aspects

Securing server environments – part II – Networking

Securing your Windows servers and MSExchange with an acceptable baseline security | Syspeace – Brute force and dictionary attack prevention for Windows servers

Windows Server intrusion prevention for Cloud providers and hosting providers

Should you need consulting or ideas on these questions or on backup/restore or on building cloud services / migrating to cloud services ,
I’m reachable by clicking the link below.

Juha Jurvanen – Senior IT consultant at JufCorp”>By Juha Jurvanen – Senior IT consultant at JufCorp