Archives for Uncategorized

Syspeace, SHA-2 certificates and Windows Server 2003 | Syspeace

http://www.syspeace.com/news/syspeace,-sha-2-certificates-and-windows-server-2003/

#infosec Over 3.1 Million bruteforce attacks against #windowsserver #msexhange #Sharepoint #remotedesktop #Citrix blocked by #Syspeace

Syspeace , intrusion prevention for Windows servers,  has blocked,tracked and reported over 3.1 Million bruteforce and dictionary attacks targeted worldwide at Windows Servers running Remote Desktop , Exchange, Citrix, Sharepoint, SQL Server and other services.

image

#Syspeace stops due to license server inaccessable on #Windows Server 2003 #infosec

Syspeace service stops due to license server not reachable / inaccessibility on Windows Server 2003

We’ll actually update the troubleshooting section with info for Windows 2003 Servers but here’s why this can occur.

Apparently root certificates are not automatically updated on Windows Server 2003:

http://support.microsoft.com/kb/931125

> The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

> If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000.

This can be resolved for Syspeace by manually installing the gd-class2-root.crt certificate from this page: https://certs.godaddy.com/anonymous/repository.pki

#infosec Is there a need for intrusion prevention for Windows Servers like #Syspeace?

Syspeace icon

Syspeace icon

What is a brute force attack or dictionary attack really and how would Syspeace help?

Essentially it is someone who is trying to guess the right combination of username and password to gain access into your serveers for example a Microsoft Exchange Serve and the OWA (Outlook Web Access), Terminal Server/RDS (Remote Desktop Server), Sharepoint, SQL Server, Citrix and so on.

The attacker uses automated software to try to guess the right combination to be able to login and steal data or to elevate their rights. One attack can render in thousands of login attempts, it can go on for hours or days and it is a heavy load for the server to handle that in regards of CPU, RAM, network traffic and so on.
Each login request has to validated and checked if it is legitimate or not.

A comparison of a brute force attack and the real world be be this (this is an excerpt from the Syspeace website)

Imagine that your company has a physical facility. If someone repeatedly tries to gain access with a fake key or invalid key card, you would expect that your security guards would notice and not let the intruder through

Aren’t there builtin protection into Windows Server against these attacks ?

In short. No.
The only built in mechanisms in Windows Servers are basically the ability to enforce strong passwords and to enable account lockout.

To enable strong passwords is a good thing, even if you’re running an intrusion prevention software for Windows like Syspeace.
If you have easy-to-guess passwords, it won’t really matter what protection you’re sunning since if a login is valid, no software would block it anyway. A valid username and password is always a valid login. So, please ensure you require users to use strong and complex passwords and allow for Syspeace to capture the attack.

The second method , ie. account lockout, might actaully do you more harm than good and here’s why.
If the system you’re protecting is for instance an Exchange Server or an RDS Server and it is probably facing he Intenet to provide service for your users or customers. To figure out a username doesn’t have to be that complicated fo an attacker. They’ll first try to understand the email policy naming convention, scavenge the Internet for metadata and the simply start trying to login using the email address as the username (since this is quite often a valid login name) and try guess to guess the password.

If you’ve enabled the Account Lockout Policy the affected users accounts will be constantly locked since the attacker will automate the attack and try thousands of time for each user they know are in the system.

If you’ve been hit with an attack and it is just from a single IP address, you’d probably just block it in the Windows Firewall (or the external firewall) and unlock the affected users accounts and that’s it. Hopefully you’d also report it.

Now, what if the attack is actually done from hundreds or thousands of computers at the same time ? Blocking them manually isn’t really an option is it ?
One simple and quick solution is to download the fully functional trial of Syspeace , install it and have Syspeace block, track and report the attack.

How can Syspeace help as an Intrusion Prevention for Windows Servers and do I set it up?

The idea behind Syspeace is the ease of use and independence from other software and appliances and also not to enforce a change in your network or infrastructure.

Some systems require you to change your entire infrastructure and put for instance a high performing proxy appliance or server in front of the network. Other systems are bundled with antivruses and other systems, requiring you use consultants and experts to get the systems running.

Syspeace is simply installed on the servers you want to protect. The installation process takes about 4-5 minutes maximum and that’s it. You’re done. The server is protected against brute force attacks. Out of the box.
Th Syspeace GUI is easy to understand and easy to manage. You don’t have to be a security expert to manage Syspeace.

If you want to move a Syspeace license from one server to antoher , that’s also easily done thanks to the floating licensing model within Syspeace. The length of the license can also vary so you’re not forced into buying a 1 year license if you don’t want to . You can a license fo 1 month. or 3 months, Whatever suits your needs.

The pricing of Syspeace is more or less equivavlent to an antivirus and it is a per-server based licensing so it’s not based up on the number of users you’re servicing. 1 license, 1 server. That’s it.

These are some of the features included in Syspeace

.

Secure login attempts on Windows server
The Windows server is secured by watching the result of the Logon process. If multiple logon attempts fails, actions can be taken. This works on Windows Server 2003 and on and is also automatically protection for Remote Desktop Services, Sharepoint, Exchange OWA, Citrix and basically anthing that renders an eventid of 4635 or eventid 529 (we do monitor more events also)

Secure login to Exchange Serevr SMTP connectors
The Exchange server is usually exposed by the OWA web site that is a part of Exchange. Syspeace not only protects the OWA but also logon attempts made by connectors.

Secure login to SQL Server
Many SQL-server installations expose a logon-possibility either by AD-integration or by logon by using SQL Authentication. Syspeace protects both methods

Multiple customizable rules
Syspeace can be tailored to fit your specific needs by customizing the rule-base. The rules are executed in real-time on all successful and unsuccessful logon attempts and appropriate measures are taken.

Send mail when a block is done
Whenever a block (rule) is entered in the firewall, you have the option to be notified by mail.

Send daily mail with aggregated intrusion information both as plain text and attached CSV file
Each day, there is a summary created that you can have mailed to you or the people that you see will benefit from it.

Send weekly mail with aggregated intrusion information both as plain text and attached CSV file
If the daily summary is too granular, a weekly summary is also available in the same way.

Uses local whitelist
Some computers should never be blocked in your environment. These computers can be listed in a local Whitelist so that Syspeace will never block these IP addresses.

Uses local blacklist

The local blacklist is a opportunity to force a block to a specific set of computers that you never want to connect to your server.

Uses global blacklist
Syspeace comes with a Global Blacklist. This list is maintained by Syspeace central servers and distributed once a day to your Syspeace installation. The Global Blacklist contains computers that have tried to break the security on many other sites that run Syspeace.

Searchable log of login/intrusion attempts
Syspeace have the ability to in a very easy way present information about who is attacking you and when it happened. The data is searchable, aggregated and presented in a matter of a few simple clicks.

View information on why a block was made
A block may be initiated from many different sources. Together with the block is also information stored about the origin. It is always possible to back track a block.

Access report to quickly find related information in the attempt log
The Access report takes the reporting to a new level. Here, it is possible to further aggregate and investigate what happens to your server.

Updates are free and new features are included. We’ve also released the ability write your own Syspeace Detectors thurough the Syspeace API to protect for instance a webapplication or write a special detector for your Windows applications.

Who should use Syspeace then ?

Syspeace isn’t targeted at any special types of environments or companies, we believe that Syspeace is a natural part to use for any server administrator, regardless of if you’re a Cloud Service provider or managing you own servers or if you’re an outsourcing company, hosting company or even if the servers are physical or virtual.
Syspeace can help in any scenario so the short answer is, any system admininstrator managing a Windows Server from Windows Server 2003 and on really.

It is not a “silver bullet” for security but a piece of the security puzzle we believ you’ll need to ensure the protection of your users or customers and it solves a problem easily that no one hasn’t really been able to handle earlier.

If yuu’re up for reading more about intrusion prevention for Windows Servers, please have a look at the earlier articles written here on this blog or have simply go to the Syspeace website for more information and download a trial.

Syspeace - intrusion prevention for Windows servers

Syspeace website

Block intrusion attempts against #windowsserver with Syspeace

http://www.syspeace.com/syspeace-protection/

#infosec Syspeace website maintenance now all done

Both the website and licensing site maintenance job is now done and everything is reachable as normal.

#infosec Syspeace website and licensing server maintenance

Today ( 30th of June 2014) ,we’ll be doing some maintenance on the Syspeace website and backend systems so there will be shorter periods of time when the systems can’t be reached.

#infosec #Syspeace has blocked over 3 Million #bruteforce attacks

Today, we reached a new milestone for Syspeace. We have now blocked, tracked and reported over 3 Million #bruteforce attacks against #windowsserver #msexhange #Sharepoint #remotedesktop #Citrix #SQLserver worldwide!

www.syspeace.com

image

#infosec #security About using #Syspeace against #DDoS attacks for #sysadmin

Syspeace - intrusion prevention for Windows servers

Syspeace website

Syspeace and DDoS attacks

We had a discussion the other day about Syspeace and if it would help in a DDoS attack.

Essentially a DDoS attack is about overloading a server with massive traffic thus making it unreachable for the services the way it is supposed to be. Here is a another blog post about

This can be accomplished in numerous ways.

If for instance 10 000 computers in a botnet are targeted at downloading a specific image or file from a public website without a login, Syspeace would not be the tool for you. Not at the moment anyway. Syspeace is designed to monitor failed login attempts and handle them by custom rules to protect your Windows servers by completely blocking the attacking address in the local firewall. This will protect your server on all ports soo if you other services running on it, they would also be blocked for the attacker.

DOS/DDoS by using Brute force / dictionary attacks and how Syspeace would react

The two different methods in the brute force/dictioanry attack department would be the following.

Single login attempt method

If the same 10 000 copmuters try to login to your server (an Exchange weblogin, RDS/ Terminal Server, Sharepoint, Citrix and so on ) with a brute force / dictionary attack the server would stop responding due to the overload on CPU/RAM and the network would also be filled.

If each and one of these 10 000 computers only tries once to login , Syspeace wouldn’t react since that would esseantially mean that all logins (or IP addresses essentialy) would be blocked at the first thus disabling anyone to login.

If you’re a hosting provider or outsouring provider and you have a number of customers at static IP addresses you could whitelist the customers IP addresses and set up a Syspeace rule to block at one failed login and in that manner have the attacka partially handled by Syspeace.
However, if you’re a Cloud Service provier this won’t work in reality since your customers could be coming from any IP address anywhere.

Multiple login attempt method

The second method would be to have each and everyone of these 10 000 computers constantly trying to login multiple times and such an attack would be blocked by Syspeace.

Bare in mind though, this would not sort out the network being flooded but it would help you protect your server from crashing due to overloaded CPU/RAM usage and it would buy you time to contact your ISP and see if they can help you mitigate the attack (with specific tools or increasing your bandwidth for instance)

To a certain extent , the Syspeace Global Blacklist would probably also have you preemptively protected against some of the IP addresses attacking you already.

If you don’t have Syspeace at all it’s not unlikely you’ll also be having a lot of user accounts locked out if you you’re trying to use lockout policies. Here’s a previous blogpost on why that is

Future features in Syspeace

One of the things we’ve already released are public APIs for customers with their own applications, webapplications and loginforms so we enable them to use the Syspeace engine to easily handle brute force attacks. For more information on how to implement it on your website or appliaction , please refer to the Syspeace Detector API page

We do have some ideas on how also to have Syspeace help in the first scenario (1 login/computer attack) but we’ll get back to you on that after we’ve implemented quite a few new more features and functions that’s already in our roadmap.

To have your Windows servers protected against malicious login attempts and have it set up in minutes without changing your infrasctructure , please visit the Syspeace download page

By Juha Jurvanen

#infosec Moving #Syspeace licenses between servers

The Syspeace licensing model is a flexible and easy to use model.

The license you used for the free trial is automatically converted into a live a license when you purhase a license. You don’t need to reconfigure.

You decide for youself if you want use Syspeace for a year at a time or for example 2 months and on how many servers you want to divide the number of computerdays.

You can use the same licensenumber on multiple servers and the central licensing server keeps track of licensing for you and you can easily extend you existing license.

If you need to move the license from one server to another, simply start the Syspeace GUI, find the reset license button and reset. Install Syspeace on the new server and you’re good to go.
Another way is to simply stop the Syspeace service on the old server and install on the new server, using the same licensenumber.

All updates and new, generic detectors are free to download for valid licensesowners and trialusers.

If you’re hosting servers or have many servers the easiest approach is probably to have one Syspeace account and use the same license for all servers but if you’re managing multiple external servers you’d probably want to have a separate Syspeace account for each customer for instance ACME @ YourCompany.
This way you’ll easily keep track of the administrative part with your invoicing.

By Juha Jurvanen @ JufCorp