Security Intrusion Stoppage - Open Source Solutions - Windows Audit Failures

Forums › IT Pro and developers › Security Intrusion Stoppage - Open Source Solutions - Windows Audit Failures - Event ID 4625

1 | 2 | 3 | 4

4271 posts

Uber Geek

Trusted

#2081671 30-Aug-2018 21:02

nunz:

IcI:

gbwelly: ... love it how half way through IcI waded into the battle.

Did I fan the flames? Or did somebody decide to bash it & not move on?

I applaud @nunz for finding a solution that fits within the constraints of his clients. I also applaud nunz for standing up & sharing that knowledge.
And yet, like Andib, MadEngineer & vulcannz seem to think, it seems utter madness to not only have the machines running, but also exposed onto the internet. Surely there must be a better way?
After vulcannz posted Reply # 2079508 on 27-Aug-2018 08:05 I was hoping to not comment on this thread. Maybe now is their time to resurface this old idea of mine & use it against me.

Respectfully - I cannot understand how it is utter madness to have machines exposed to the internet. the server 2012 I referenced is a mail server.Its job is to be exposed to the internet.

no it's not and because one does not simply place remote desktop services on the internet. you're just asking for trouble - it's like you think it's cool to be manually picking off every ip address that comes knocking. there are products out there that are designed with their #1 task to protect internal systems from external attacks and they do this job perfectly. you place products that are designed to handle the traffic of the internet in front of products that are not. that's not even mentioning egress traffic.

a mail server one does not simply place on the internet - instead you have a proper firewall followed by a proper mail filter service/appliance which then passes valid mail to your mail server.

how about a simile - you hate mosquitoes going up your nose and into your lungs as as you're riding your bike down the road yet refuse to wear a protective helmet cause you're a masochist that takes pleasure in spitting them back out.

You're not on Atlantis anymore, Duncan Idaho.

nunz

1421 posts

Uber Geek
Inactive user

#2081764 31-Aug-2018 08:13

MadEngineer:

nunz:

Respectfully - I cannot understand how it is utter madness to have machines exposed to the internet. the server 2012 I referenced is a mail server.Its job is to be exposed to the internet.

no it's not and because one does not simply place remote desktop services on the internet. you're just asking for trouble - it's like you think it's cool to be manually picking off every ip address that comes knocking. there are products out there that are designed with their #1 task to protect internal systems from external attacks and they do this job perfectly. you place products that are designed to handle the traffic of the internet in front of products that are not. that's not even mentioning egress traffic.

a mail server one does not simply place on the internet - instead you have a proper firewall followed by a proper mail filter service/appliance which then passes valid mail to your mail server.

how about a simile - you hate mosquitoes going up your nose and into your lungs as as you're riding your bike down the road yet refuse to wear a protective helmet cause you're a masochist that takes pleasure in spitting them back out.

1 - I dont place remote desktop services on the internet. I have a single remote access to the server. It is how you manage server 2012 instances when they are not local. MS recommends this and it is their product i am using. Unless there is another way to manage microsoft systems without some form of RDP (or vnc or similar) then i fail to see how it is possible to not have an internet accessible rdp port on the internet. Yes i could use a vpn - but that just exposes another port instead of the rdp one without adding much (as rdp is encrypted, certificate secured and certified by MS as suitable to do what I am doing).

2 - The mail service I am using includes filters but even if that wasn't the case at some point I have to have a machine on the internet that allows secured imap, pop, smtp, anctive sync access. If I just hand those off to another machine then again all I am doing is putting the same set of ports open on another machine - doubling my costs and doubling the attack surface on the internet.

If you can explain to me how I can run public mail services e.g. as a mini mail isp - without exposing the following ports on the internet then I would be glad to listen. As of yet all anyone says is get another machine to listen on those ports - which means another machine with an rdp connection to manage it, the same set of ports, double the costs and double the attack surface - while still facing attack on all the same ports. Unless of course you are advocating the machine shouldn't be Microsoft based and are suggesting a linux based system - of which I have many - also offering mail, web and other services. 20 plus years unhacked.

Ports i need to expose and have remote access to manage are:

Port 80 - HTTP traffic and ActiveSync traffic - used to access the web interface
. This would also be the same port used by ActiveSync as well.
Port 443 -HTTPS traffic and ActiveSync traffic- used to access the web interface . This would also be the same port used by ActiveSync as well.
Port 25 - SMTP Port - Commonly used for SMTP traffic
Port 465 - SSL/TLS SMTP Port
Port 587 - Submission Port - Commonly used as an alternative port number for SMTP traffic (supports SSL/TLS)
Port 110 - POP Port - Used for POP connections made to the server
Port 995 - SSL/TLS POP Port.
Port 143 - IMAP Port - Used for IMAP connections made to the server
Port 993 - SSL/TLS IMAP Port.
Port 389 - LDAP Port - Used for LDAP connections to the server
Port 5222 - XMPP Port - Used for XMPP connections, also known as the chat feature

vulcannz

436 posts

Ultimate Geek
Inactive user

#2081868 31-Aug-2018 13:02

OK from a security guys perspective here is what I would ask:

For a start I'd ask why are IMAP and POP open, there is no need if you have the TLS versions running. And do you really need POP or IMAP at all given you have activesync?

Why is unencrypted LDAP open, sure maybe you have a need for LDAP but it should be TLS at least (assuming you are also restricting source IPs).

Does your mail server have DoS, DDoS, IPS and DHA protection?

How are you protecting activesync and HTTPS inbound connections from attack? (normally I would use a baby WAF with IPS, or SSL Decrypt with IPS)

And an open VPN is not the same as an open RDP session, they are vastly different. VPNs typically require MFA (PSK, username, password, policy) with brute force protection / cool off periods. RDP is a service, thus has a substantial attack surface, VPNs are typically very hardened and have a minimal (if any) attack surface. Even better if you have a portal solution (web ssl RDP) where you can deliver 2FA/token access.

nunz

1421 posts

Uber Geek
Inactive user

#2082594 1-Sep-2018 21:45

vulcannz:

OK from a security guys perspective here is what I would ask:

For a start I'd ask why are IMAP and POP open, there is no need if you have the TLS versions running. And do you really need POP or IMAP at all given you have activesync?

Why is unencrypted LDAP open, sure maybe you have a need for LDAP but it should be TLS at least (assuming you are also restricting source IPs).

Does your mail server have DoS, DDoS, IPS and DHA protection?

How are you protecting activesync and HTTPS inbound connections from attack? (normally I would use a baby WAF with IPS, or SSL Decrypt with IPS)

And an open VPN is not the same as an open RDP session, they are vastly different. VPNs typically require MFA (PSK, username, password, policy) with brute force protection / cool off periods. RDP is a service, thus has a substantial attack surface, VPNs are typically very hardened and have a minimal (if any) attack surface. Even better if you have a portal solution (web ssl RDP) where you can deliver 2FA/token access.

Not everyone runs the latest software. as such some legacy support is handy. There are some horrible photo copiers and other such systems out there with zero SSL support. acePayroll comes to mind. I've got at least 5 clients who need legacy connections.

Clients are being encouraged to upgrade to TLS / SSL connections - but not everyone has and until such time ... TLS will encrypt once the STARTTLS command is sent. TLS set up over port 25, 110, 143 and SSL over ports 465, 993, and 995.

http is encourage to step up to https where possible.

So far no need to deal with large scale attacks requiring a second system in place in front of the current one. Hosting routing deals with some of the DDOS, log watching software deals with dictionary and other similar attacks. I've got good fail overs in place to pick up any over flow issues. smartermail lets you run backup / failover and synchronised servers quite easily.

Adding WAF software to the server adds more load - straight up firewall rules deal with most of the crud.

Modern RDP uses TLS - securing it - and with proper cetrtificates to ensure MITM attacks are mitigated at some level - it is fairly secure. Add in sniffer software to kill dictionary attacks, slam anyone using a few of the standard user names, keep a short leash on bad passwords and kill all connections at the firewall except for two trusted ip addresses and it is fairly secure. By dropping packets other than from two ip addresses makes hacking a service that never sees the packets pretty hard. My only access when on the road is via two trusted pcs I have to log into or tunnel via - adding avpn on top of that is pure overkill.

The software mentioned above is a bit like tripwire on my linux boxes. If by some chance someone manages to get around the outer defences I get to know proactively.

vulcannz

436 posts

Ultimate Geek
Inactive user

#2082718 2-Sep-2018 12:13

nunz:

Not everyone runs the latest software. as such some legacy support is handy. There are some horrible photo copiers and other such systems out there with zero SSL support. acePayroll comes to mind. I've got at least 5 clients who need legacy connections.

....

Adding WAF software to the server adds more load - straight up firewall rules deal with most of the crud.

....

Modern RDP uses TLS - securing it - and with proper cetrtificates to ensure MITM attacks are mitigated at some level - it is fairly secure. Add in sniffer software to kill dictionary attacks, slam anyone using a few of the standard user names, keep a short leash on bad passwords and kill all connections at the firewall except for two trusted ip addresses and it is fairly secure. By dropping packets other than from two ip addresses makes hacking a service that never sees the packets pretty hard. My only access when on the road is via two trusted pcs I have to log into or tunnel via - adding avpn on top of that is pure overkill.

The software mentioned above is a bit like tripwire on my linux boxes. If by some chance someone manages to get around the outer defences I get to know proactively.

I've never heard of photocopiers using POP3 or IMAP. Only SMTP.

WAF runs external to servers. Firewalls are just traffic cops, most of the crud now happens at the application layer - and it doesn't sound like you are using anything to inspect at layer 7.

I'm sorry but you just don't get what people are saying. It's not about whether RDP is over TLS and is secure - it's that RDP presents an attack surface.

And I don't get the only accept connections from 2 IPs/PC's that you then login from on the road. It sounds like we're going deep down the rabbit hole. I'm gonna stop typing now.

nunz

1421 posts

Uber Geek
Inactive user

#2088101 12-Sep-2018 11:01

vulcannz:

nunz:

Not everyone runs the latest software. as such some legacy support is handy. There are some horrible photo copiers and other such systems out there with zero SSL support. acePayroll comes to mind. I've got at least 5 clients who need legacy connections.

....

Adding WAF software to the server adds more load - straight up firewall rules deal with most of the crud.

....

Modern RDP uses TLS - securing it - and with proper cetrtificates to ensure MITM attacks are mitigated at some level - it is fairly secure. Add in sniffer software to kill dictionary attacks, slam anyone using a few of the standard user names, keep a short leash on bad passwords and kill all connections at the firewall except for two trusted ip addresses and it is fairly secure. By dropping packets other than from two ip addresses makes hacking a service that never sees the packets pretty hard. My only access when on the road is via two trusted pcs I have to log into or tunnel via - adding avpn on top of that is pure overkill.

The software mentioned above is a bit like tripwire on my linux boxes. If by some chance someone manages to get around the outer defences I get to know proactively.

I've never heard of photocopiers using POP3 or IMAP. Only SMTP.

WAF runs external to servers. Firewalls are just traffic cops, most of the crud now happens at the application layer - and it doesn't sound like you are using anything to inspect at layer 7.

I'm sorry but you just don't get what people are saying. It's not about whether RDP is over TLS and is secure - it's that RDP presents an attack surface.

And I don't get the only accept connections from 2 IPs/PC's that you then login from on the road. It sounds like we're going deep down the rabbit hole. I'm gonna stop typing now.

nunz

1421 posts

Uber Geek
Inactive user

#2088133 12-Sep-2018 11:19

nunz:

vulcannz:

I've never heard of photocopiers using POP3 or IMAP. Only SMTP.

WAF runs external to servers. Firewalls are just traffic cops, most of the crud now happens at the application layer - and it doesn't sound like you are using anything to inspect at layer 7.

I'm sorry but you just don't get what people are saying. It's not about whether RDP is over TLS and is secure - it's that RDP presents an attack surface.

And I don't get the only accept connections from 2 IPs/PC's that you then login from on the road. It sounds like we're going deep down the rabbit hole. I'm gonna stop typing now.

Pop3 - used by high end photo copiers to allow people to print via email. Very common place in modern photo copiers. For example efax functionality. Email fax to photocopier which prints it like a normal fax.

Example here: https://condoroffice.co.uk/manuals/iradv33xx/contents/1T0002892823.html?search=pop3

Layer 7? Seriously - that's not even really on the network and is barely applicable to a mail server. what user applications does a mail server run? Antivirus, anti spam, checks for processes not running too high etc all fall into that category but not net work intrusion via a web browser or other user app on a mail server / web server. Besides which Windows has all sorts of checks in place to ensure no corruptions of programs occur and the anti virus solutions further amplify those checks.

As for RDP being a bad idea - take it up with Microsoft. It's their idea and if you can give me a better way to remote support a windows server than RDP - happy to hear it - but powershell etc just not up to the job right now. The firewall removes all connections except mine - so rdp is pretty dam safe at that point. No attack surface if you cant connect to it.

According to MS BPA my security posture is correct. No issues found. So if you have an argument with what I am doing, take it up with the real experts - Microsoft.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

vulcannz

436 posts

Ultimate Geek
Inactive user

#2090293 13-Sep-2018 18:04

nunz:

Layer 7? Seriously - that's not even really on the network and is barely applicable to a mail server. what user applications does a mail server run?

LOL ... wow...

nunz

1421 posts

Uber Geek
Inactive user

#2090640 14-Sep-2018 13:12

vulcannz:

nunz:

Layer 7? Seriously - that's not even really on the network and is barely applicable to a mail server. what user applications does a mail server run?

LOL ... wow...

and???? Elucidate oh wise one.

As we aren't using web browsers, ftp, gopher, or other similar apps - there is nothing reaching out in the user controlled space. it could be argued smtp, being layer 7 is reaching out - but as we are discussing user intrusions initiating from outside the device, layer 7 modeling is not applicable to this discussion. The entire discussion has been around stopping people initiating a session from outside the network. That doesn't happen at layer 7.

As you seem to have no idea how a person can attack RDP, that doesn't respond to their externally initiated requests, owing to all packets not originating from my two specific ip addresses being dropped - you are pulling cruft out of thin air.

As of yet you have not refuted Microsoft's process for connecting to remote desktops via RDP.

As for other externally initiated attacks - as you have no idea what systems i do have in place at osi layer 7, you are again throwing dust in the air, agrandising yourself while trying to make me look incompetent.

I'll bet my 30 plus years on networks, with no breaches, in some really shocking network regions, against your - whatever you have. You cant argue with demonstrated capability. Proof is in the pudding.

jhsol

102 posts

Master Geek

#2090970 15-Sep-2018 09:35

This thread is amazing lol.

Dont know if you can win this one Vulcan. The whole RDP thing was soooooo funny.

Nunz. People arent bagging on you because of tall poppy syndrome. They are bagging on you because you are giving out bad information. You are breaking about 500 IT security rules and trying to pass off your controls as risk mitigation when in fact you arent really reducing your risk at all (or not enough to justify risk mitigation in general).

The main one in general that everyone cant get their head around is the running of unsupported operating systems (XP, 2003) but then exposing them to the internet. Some examples of best practice that you are breaking can be found below

https://www.nzism.gcsb.govt.nz/ism-document/#3435 -> All of 12.x, but prob 12.4 in particular
CIS CSC 2.2 -> Ensure software is supported by vendor
ACSC Essential 8 -> You are at maturity level 0 (out of 5) for the control Patch Servers

I recommend running through the maturity model for the ACSC essential 8 for your environment and then post the results back here (I do have a maturity spreadsheet for the CIS CSC controls if you want) and if you are really keen try filling out the maturity model for NIST which you can download for free here. Probably a bit overkill for it, but the ACSC essential 8 is probably the minimum you want to try and comply with.

</fanflames>

michaelmurfy

meow
13240 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2090980 15-Sep-2018 10:04

nunz:

I'll bet my 30 plus years on networks, with no breaches, in some really shocking network regions, against your - whatever you have. You cant argue with demonstrated capability. Proof is in the pudding

Don't ever say statements like this. You're forwarding insecure ports and are running insecure software - it may have not happened yet but if you continue with both your attitude and practices it will. You should honestly listen to some members on here as they're in the security industry and do know what they're talking about.

Use this as an example: https://www.reddit.com/r/programming/comments/60jc69/company_with_an_httpserved_login_form_filed_a/

Namely this:

Him: "Hello?"
"Hey, I'm looking for a user by the name of dgeorge?"
Him: "I'm dev George."
"When the entire internet browser ecosystem warns you that your website is insecure, why didn't you listen?"
Him: "The website isn't insecure, it's very secure."
"It's not. An entire professional community is talking right now about how it's not secure."
Him: "No it's not, the website is fine."
"I'm trying to share facts with you right now."
hangs up

As you can see from that Reddit thread the whole site got totally pwned. Take it as a lesson, adjust your practices and stop trying to defend them. New threats are coming out every single day.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

vulcannz

436 posts

Ultimate Geek
Inactive user

#2090996 15-Sep-2018 10:40

nunz:

As we aren't using web browsers, ftp, gopher, or other similar apps - there is nothing reaching out in the user controlled space. it could be argued smtp, being layer 7 is reaching out - but as we are discussing user intrusions initiating from outside the device, layer 7 modeling is not applicable to this discussion. The entire discussion has been around stopping people initiating a session from outside the network. That doesn't happen at layer 7.

....

As for other externally initiated attacks - as you have no idea what systems i do have in place at osi layer 7, you are again throwing dust in the air, agrandising yourself while trying to make me look incompetent.

I'll bet my 30 plus years on networks, with no breaches, in some really shocking network regions, against your - whatever you have. You cant argue with demonstrated capability. Proof is in the pudding.

OK, layer 7 doesn't exclusively belong to the client applications. Old school firewalls generally operate at Layer 3, handling packets and their flows. layer 7 describes where a firewall will examine packet contents. This can apply to application indentification, content inspection... and... threats. Threats can be clientside and server side threats. IPS and WAF are considered layer 7 services. IPS can protect a mail server from attacks against vulnerabilities, to an extent. But if you use encryption (TLS SMTP/POP/IMAP) then and IPS system cannot help, this is where a mail security (and commonly antispam solution) helps. It can sit upstream in a DMZ, act as a hardened device (as well as process mail for threats, prevent DHAs, DoS's etc).

Same sort of thing applies with activesync, I use a WAF/Activesync proxy upstream of my mail server to protect it.

Typically when a vulnerability is identified there is a significant gap between that and a patch being release, and then a patch being applied. Services like WAF and IPS usually have signatures deployed immediately giving you protection against exploits before patches are available.

And of course if you're not running such systems it's very difficult to identify of you have been breached. The bad guys are very good at obfuscating their back end comms.

nunz

1421 posts

Uber Geek
Inactive user

#2091037 15-Sep-2018 11:24

michaelmurfy:

nunz:

I'll bet my 30 plus years on networks, with no breaches, in some really shocking network regions, against your - whatever you have. You cant argue with demonstrated capability. Proof is in the pudding

Don't ever say statements like this. You're forwarding insecure ports and are running insecure software - it may have not happened yet but if you continue with both your attitude and practices it will. You should honestly listen to some members on here as they're in the security industry and do know what they're talking about.

Use this as an example: https://www.reddit.com/r/programming/comments/60jc69/company_with_an_httpserved_login_form_filed_a/

Namely this:

Him: "Hello?"
"Hey, I'm looking for a user by the name of dgeorge?"
Him: "I'm dev George."
"When the entire internet browser ecosystem warns you that your website is insecure, why didn't you listen?"
Him: "The website isn't insecure, it's very secure."
"It's not. An entire professional community is talking right now about how it's not secure."
Him: "No it's not, the website is fine."
"I'm trying to share facts with you right now."
hangs up

As you can see from that Reddit thread the whole site got totally pwned. Take it as a lesson, adjust your practices and stop trying to defend them. New threats are coming out every single day.

If the above 'experts' wanted to be taken seriously they shouldn't have started denigrating and advising on ZERO knowledge of my systems. That is what they did and when I run into knocking ignoramus bigots (which is what they are), then I don't take them too seriously. Only a fool gives advice on something they know nothing of - and that is exactly where this knocking discussion started - zero knowledge of my systems other than in is Microsoft and accessible from the internet. Zip, nada, zilch!

My security practices on my servers covers off most of the OSI layers where I have some level of control. My setting up of a basic Linux server document has 18 pages of tick sheets, mostly around security tightening. I've consulted with the best I can find re parts of it and read more - and then i follow a documented process to ensure consistent results.

MS systems give me the screaming heebies as I've spent years recovering, closing and fixing MS systems after they got pwned. I see MS as about as secure as a 16 year old innocent in Trumps bed chambers. Their products are notoriously insecure, unstable and resource heavy. i hate them from a security perspective but until recently had no choice if I wanted to offer decent ActiveSync (as a replacement for imap that fails too often). That's why I use every option I have to keep them as closed as possible, other than the bare basics required to offer services. That's why i sweep them with nmap, openvas, metaploit, etc from the outside and use MSBase Line Security, Retina CS and a few open source tools internally. I audit all my servers including Layer 7 sweeps on wordpress, apache, MSSSQL, MySQL, IIS etc as well as the OSI layers 2-5 sweeps using other tools. I then put paranoid checks like the tools mentioned above.

I am not lassez faire re security - I suspect I spend more effort than many of the knockers above ensuring it. I don't just stop up security, i proactively audit and test. I have an attack server specifically geared to test using OWASP suggestions. How many of them go to those lengths? Not many i suspect.

I'd love to adjust my practices - - so how do I make more secure a single port connection that only responds to my ip address and has all the security Microsoft puts around it behind that? And please don't say VPN - as all that does is wrap a layer of encryption around what is already an encrypted connection while adding more software which increases my attack surface and at the same time increases the complications of software which can go wrong and increases complexity. (and we all know complexity is the killer of security). An encrypted RDP connection, with security certs, across a reasonably trustworthy infrastructure, to a server that only responds to my ip address with extra checks thrown in to stop DDOS, dictionary etc. That's pretty secure.

I used to use VPN more actively - but found the ISPs failure to properly protect static IP addresses caused huge headaches. Had systems become un-connectable when ips changed. Also I'm regularly in places where bandwidth is limited. Tight and light is absolutely required. VPN fails across satellite and other low bandwidth connections but RDP will hang in there (just)

The other problem with VPN is it generally connects you to a network, not a machine. While it can be tied to a single machine, most VPN isn't - which means a breach of vpn puts you as a full and active member of a network, not a person on a single machine like RDP. In many respect VPN is a new complete nightmare waiting to happen - exposing entire networks. From there taking control of many modern printers and using them as an exploitable door way is a simple step. People assume by using vpn you are safe, but that's old school thinking. Perimeter security from the outside in, not modern security from the inside out.

The problem with this whole discussion, other than when I said " hey, here is a tool I find helpful " ,and had a bunch bunch of ignorant knockers making assumptions about my systems based on zero knowledge and start denegrating me based on their complete ignorance, is one of competence.

They say the only way to be safe is our way. And that's wrong. There is more than one way to do something and what I have put in place is known and trusted processes from 20 - 30 years on networks. Their assumptions are they know best and there is only one way to do something. I disagree based on experience. Can my experience lead to issues - yup, but so can their processes. Their systems and processes are as pwnable as mine - actually possibly more so as mine gives zero attack surface to work from as far as RDP goes (if you cant connect to the port, you cant attack it - other than DDOS and that's mitigated elsewhere. )

Their arguments are made from the idea there is one absolute truth, one way of doing things. No there is not. The tool referenced above isn't a security layer for stopping people, its a trip wire for if the unthinkable happens. It is paranoia not best practice and to piss on it when it could be another tool in their arsenal is plain stupid - especially when their best arguments re the tool are "it isn't Microsoft". Seriously?

I'm not adding a bunch of extra services,applications and tools to my server just because people who didn't take time to discover what I've done say i should. Either the MS firewall (which is a stateful, active firewall) is secure enough to restrict access to a moved RDP port to just me, or it isn't. MS says it is suitable and fit for purpose. I should trust MS more than a bunch of unknown knockers. The folks who advocate adding more software are stating (by implication) that MS is not fit for purpose. If that's the case it's time they switched to Linux or mac or Unix or AS400 or....

nunz

1421 posts

Uber Geek
Inactive user

#2091047 15-Sep-2018 11:48

vulcannz:

nunz:

As we aren't using web browsers, ftp, gopher, or other similar apps - there is nothing reaching out in the user controlled space. it could be argued smtp, being layer 7 is reaching out - but as we are discussing user intrusions initiating from outside the device, layer 7 modeling is not applicable to this discussion. The entire discussion has been around stopping people initiating a session from outside the network. That doesn't happen at layer 7.

....

As for other externally initiated attacks - as you have no idea what systems i do have in place at osi layer 7, you are again throwing dust in the air, agrandising yourself while trying to make me look incompetent.

I'll bet my 30 plus years on networks, with no breaches, in some really shocking network regions, against your - whatever you have. You cant argue with demonstrated capability. Proof is in the pudding.

OK, layer 7 doesn't exclusively belong to the client applications. Old school firewalls generally operate at Layer 3, handling packets and their flows. layer 7 describes where a firewall will examine packet contents. This can apply to application indentification, content inspection... and... threats. Threats can be clientside and server side threats. IPS and WAF are considered layer 7 services. IPS can protect a mail server from attacks against vulnerabilities, to an extent. But if you use encryption (TLS SMTP/POP/IMAP) then and IPS system cannot help, this is where a mail security (and commonly antispam solution) helps. It can sit upstream in a DMZ, act as a hardened device (as well as process mail for threats, prevent DHAs, DoS's etc).

Same sort of thing applies with activesync, I use a WAF/Activesync proxy upstream of my mail server to protect it.

Typically when a vulnerability is identified there is a significant gap between that and a patch being release, and then a patch being applied. Services like WAF and IPS usually have signatures deployed immediately giving you protection against exploits before patches are available.

And of course if you're not running such systems it's very difficult to identify of you have been breached. The bad guys are very good at obfuscating their back end comms.

Um - Considering i am running Windows Firewall (WAFS) as well as third party security systems that check running processes, file activity, pay loads through the network etc - then you are saying I am doing the right thing? The third party covers off layer 6/7 mostly. also by the time someone gets to use pop, smtpauth, imap, activesnch, rdp at layer 7 - they have already been authenticated and encrypted at layer 6. Layer 7 is just data handling and hands off network stuff to lower layers. It maybe network aware but securing that is not part of network security per se - its a different ball game to do with viruses, payloads and exploits.

You are now talking about whether or not i do upstream filtering for spam etc. That's not even been a discussion until now. The knockers are hassling me for accessing a Windows server via RDP. Who says i don't pre filter incoming SMTP or run Spam Assassin or have paid services checking all connections in my mail server?

Either MS WAFS is suitable to protect connections to an unknown port, from anyone connecting to it but my ip address, or its not. If its not then no windows server should ever be deployed anywhere without a firewall box physically sitting directly in front of it on the network. And yes i do have two firewalls before most windows servers - one on the router and one other - Linux based - but cant in this situation.

Layer 7 - I understand that covers off smtp, pop etc. That's at the same level as ftp and gopher which i mentioned. however they are data consumers and talk via interfaces to the network. Another discussion. The argument people are hammering me for is me connecting to my server via RDP.

nunz

1421 posts

Uber Geek
Inactive user

#2091049 15-Sep-2018 11:53

jhsol:

This thread is amazing lol.

Dont know if you can win this one Vulcan. The whole RDP thing was soooooo funny.

<fanflames>

Nunz. People arent bagging on you because of tall poppy syndrome. They are bagging on you because you are giving out bad information. You are breaking about 500 IT security rules and trying to pass off your controls as risk mitigation when in fact you arent really reducing your risk at all (or not enough to justify risk mitigation in general).

The main one in general that everyone cant get their head around is the running of unsupported operating systems (XP, 2003) but then exposing them to the internet. Some examples of best practice that you are breaking can be found below

https://www.nzism.gcsb.govt.nz/ism-document/#3435 -> All of 12.x, but prob 12.4 in particular
CIS CSC 2.2 -> Ensure software is supported by vendor
ACSC Essential 8 -> You are at maturity level 0 (out of 5) for the control Patch Servers
I recommend running through the maturity model for the ACSC essential 8 for your environment and then post the results back here (I do have a maturity spreadsheet for the CIS CSC controls if you want) and if you are really keen try filling out the maturity model for NIST which you can download for free here. Probably a bit overkill for it, but the ACSC essential 8 is probably the minimum you want to try and comply with.

</fanflames>

Actually no one has even discussed xp - its been bashing me for using RDP to connect to a 2012 server and a bunch of assumptions based on ignorance of how i run my systems.

Access to server 2003 / xp has so many layers before it to get through that if anyone gets that far they are welcome to it because they would be better IT folks than you and i could ever stop. There are two firewalls in front of those boxes to start with, plus a bunch of rules restricting who gets there, security and authentication - then access to the servers.

The directly exposed windows server is 2012 fully patched. If that is insecure then MS better get out of the server business.

1 | 2 | 3 | 4