Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsIT Pro and developersSecurity Intrusion Stoppage - Open Source Solutions - Windows Audit Failures - Event ID 4625
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 
vulcannz
436 posts

Ultimate Geek
+1 received by user: 136
Inactive user


  #2091093 15-Sep-2018 14:30
Send private message

nunz:

 

Um - Considering i am running Windows Firewall (WAFS) as well as third party security systems that check running processes, file activity, pay loads through the network etc - then you are saying I am doing the right thing? The third party covers off layer 6/7 mostly.  also by the time someone gets to use pop, smtpauth, imap, activesnch, rdp at layer 7 - they have already been authenticated and encrypted at layer 6. Layer 7 is just data handling and hands off network stuff to lower layers. It maybe network aware but securing that is not part of network security per se - its a different ball game to do with viruses, payloads and exploits.

 

 

 

 

WAF... Web Application Firewall. Windows Firewall is not a WAF.

 

So given you do not know what a WAF is, please just accept that you do not seem to understand what level 7 is when applied to network security as well.

 

I would suggest you spend some time looking up and learning what modern (layer 7) firewalls do (such as Sonicwall, Fortinet, Palo Alto Networks), what WAFs do (F5, Fortinet, Citrix, Sonicwall), and what email security systems do (Barricuda, SonicWall, Fortinet, TrustWave etc).

 

I'd also recommend reading up on what a threat surface is and how it would apply to the services you run.



MadEngineer
4591 posts

Uber Geek
+1 received by user: 2570

Trusted

  #2091111 15-Sep-2018 14:58
Send private message

nunz:

 

michaelmurfy:

 

nunz:

 

I'll bet my 30 plus years on networks, with no breaches, in some really shocking network regions, against your - whatever you have. You cant argue with demonstrated capability. Proof is in the pudding

 

Don't ever say statements like this. You're forwarding insecure ports and are running insecure software - it may have not happened yet but if you continue with both your attitude and practices it will. You should honestly listen to some members on here as they're in the security industry and do know what they're talking about.

 

Use this as an example: https://www.reddit.com/r/programming/comments/60jc69/company_with_an_httpserved_login_form_filed_a/

 

Namely this:

 

Him: "Hello?"
"Hey, I'm looking for a user by the name of dgeorge?"
Him: "I'm dev George."
"When the entire internet browser ecosystem warns you that your website is insecure, why didn't you listen?"
Him: "The website isn't insecure, it's very secure."
"It's not. An entire professional community is talking right now about how it's not secure."
Him: "No it's not, the website is fine."
"I'm trying to share facts with you right now."
hangs up

 

As you can see from that Reddit thread the whole site got totally pwned. Take it as a lesson, adjust your practices and stop trying to defend them. New threats are coming out every single day. 

 

 

I used to use VPN more actively - but found the ISPs failure to properly protect static IP addresses caused huge headaches. Had systems become un-connectable when ips changed. Also I'm regularly in places where bandwidth is limited. Tight and light is absolutely required.  VPN fails across satellite and other low bandwidth connections but RDP will hang in there (just)

 

The other problem with VPN is it generally connects you to a network, not a machine. While it can be tied to a single machine, most VPN isn't - which means a breach of vpn puts you as a full and active member of a network, not a person on a single machine like RDP. In many respect VPN is a new complete nightmare waiting to happen - exposing entire networks. From there taking control of many modern printers and using them as an exploitable door way is a simple step. People assume by using vpn you are safe, but that's old school thinking. Perimeter security from the outside in, not modern security from the inside out.

 

It's not the job of your ISP to protect a static IP unless you pay for a different kind of service.  If your VPN is failing over lower bandwidth connections then the connection isn't suitable. Reducing security just because someone's on dialup is stupid.

 

Your point about a VPN connecting you to a network vs a single machine is both contradicting itself and wrong.  A properly configured VPN only allows access to the required services. The rule is _everything_ is blocked unless explicitly allowed.  If your VPN exposes a whole network you're doing it wrong.




You're not on Atlantis anymore, Duncan Idaho.

jhsol
102 posts

Master Geek
+1 received by user: 27


  #2091158 15-Sep-2018 17:07
Send private message

nunz:

 

Actually no one has even discussed xp - its been bashing me for using RDP to connect to a 2012 server and a bunch of assumptions based on ignorance of how i run my systems.

 

 

nunz:

 

I've got multiple Windows 2003, 2008, 2012 etc servers - on the internet.

 

 

nunz:

 

Windows xp machines - need remote access. Embedded XP running mitsubishi laster cutters, XP used for serial based DOS software that didn't survive upgrade to windows 7 or higher. Heavily locked down via front end firewall but need to be checked in case people get past systems.

 



vulcannz
436 posts

Ultimate Geek
+1 received by user: 136
Inactive user


  #2091199 15-Sep-2018 18:41
Send private message

 

The other problem with VPN is it generally connects you to a network, not a machine. While it can be tied to a single machine, most VPN isn't - which means a breach of vpn puts you as a full and active member of a network, not a person on a single machine like RDP. In many respect VPN is a new complete nightmare waiting to happen - exposing entire networks. From there taking control of many modern printers and using them as an exploitable door way is a simple step. People assume by using vpn you are safe, but that's old school thinking. Perimeter security from the outside in, not modern security from the inside out.

 

 

Crikey I missed that too. Nunz I'm sorry you know nothing about VPNs. They do not work in the ways you describe at all. 

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user


  #2092329 18-Sep-2018 09:32
Send private message

MadEngineer:

 

nunz:

 

 

 

I used to use VPN more actively - but found the ISPs failure to properly protect static IP addresses caused huge headaches. Had systems become un-connectable when ips changed. Also I'm regularly in places where bandwidth is limited. Tight and light is absolutely required.  VPN fails across satellite and other low bandwidth connections but RDP will hang in there (just)

 

The other problem with VPN is it generally connects you to a network, not a machine. While it can be tied to a single machine, most VPN isn't - which means a breach of vpn puts you as a full and active member of a network, not a person on a single machine like RDP. In many respect VPN is a new complete nightmare waiting to happen - exposing entire networks. From there taking control of many modern printers and using them as an exploitable door way is a simple step. People assume by using vpn you are safe, but that's old school thinking. Perimeter security from the outside in, not modern security from the inside out.

 

It's not the job of your ISP to protect a static IP unless you pay for a different kind of service.  If your VPN is failing over lower bandwidth connections then the connection isn't suitable. Reducing security just because someone's on dialup is stupid.

 

Your point about a VPN connecting you to a network vs a single machine is both contradicting itself and wrong.  A properly configured VPN only allows access to the required services. The rule is _everything_ is blocked unless explicitly allowed.  If your VPN exposes a whole network you're doing it wrong.

 

 

1 - It is my ISPs job to not screw with a static IP address - thats what we paid for. Businesses need static ip addresses otherwise they end up with running kludges with dynamic ip address providers and there is latency when an ip address changes, as one problem to start with. Also adds more attack surface, more things that can die, ore complexity and all those things are the killers of security and stability.

 

2 - Yes - my connection isn't stable. That's why VPN failed. also on satellite connections with >1000ms latency, often as high as 2500ms - vpn will never work. However rdp seems to. Its not reducing security. its getting something working that needs working.

 

3 - Not contradiciting - it was an acknowldgement that there are more than one way of setting up a VPN. Open VPN client allows you to connect a single machine using some port forwarding or a man in the middle proxy.   Fritzbox vpn just connects you to the network and doesn't allow much more in the way of closing down services. ditto most ipsec based firewalls on most routers that most small businesses use before they pay for third party firewalls.

 

Even if a vpn does limit services on a network the issue is you are still on a network and you are on that network inside the firewall. a VPN introduces traffic designed to be on osi layers lower than 7 and 6 where as RDP introduces a protocol on the network design to connect to a single program on a single machine and not work at a lower level of osi connectivity.    VPNs open a door inside the firewall that once you are in is way more exploitable at the lower osi layers.

 

As for the first wall in a firewall being block all (both in and out) . Of course - the second rule is open a port for remote admin access from the location you deem safe and allow admin protocol to talk on that port. That's after you have removed root / admin / administrator access to remote access services of all types (and killed those users, replacing them with a lesser known and safe log in name) and set up your security keys and changed the default ports so low level dipsticks don't drown you in zombie traffic and removed password only access for remote admin stuff. . Then you restart the firewall and lock everything out. Its step 3 or 4 on the 18 page list of stuff to do on my linux boxes. I'ld love to apply that on windows firewalls but there is so much com and network centric talking to self that it is more problematic.

 

Why is it people seem to think or assume I'm a dumb ass that doesn't know the basics. I was on the internet, networks and systems way before half of geekzone was born. Again 30 plus years unhacked.

 

As for rdp being inherinetly unsafe. Where is your proof of this? You are arguing against Microsoft, the very provider of the skills and certs you seem to thing me not having makes me less competent. Certifications are book lerned skills generally. I've seen many certified folks tell me their way was right then walk into a heap of problems when ignoring advice quietly given.

 

 

 

Let me summarize something here:

 

                  RDP      VPN

 

Open Port      Y           Y

 

Encrypted:     Y          Y

 

Uses certs      Y          Y

 

Allows access to wider network by defualt

 

                    N          Y

 

Adds complexity

 

                  Little        Lots

 

MS Approved    Y          ?

 

Works on high latency low bandwidth

 

                     Y           N

 

Understood by almost al Ms technicians

 

                    Y           N - generally needs to be specific product skilled and certified.

 

 

 

If anyone can answer how my remote rdp, on a moved port, that only responds from two IP addresses can be found, diagnosed as being rdp, hacked and misused from any location other than those two  addresses I would be glad to hear from them. Especially when there is auto lock out for root / admin / administrator / <business name> / support and a number of other common names as well as 3 strikes (or tighter) missed pasword lock outs.

 

If not - then stop criticizing something you cant fault.

 

 

 

 

 

 

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user


  #2092348 18-Sep-2018 09:50
Send private message

vulcannz:

 

nunz:

 

Um - Considering i am running Windows Firewall (WAFS) as well as third party security systems that check running processes, file activity, pay loads through the network etc - then you are saying I am doing the right thing? The third party covers off layer 6/7 mostly.  also by the time someone gets to use pop, smtpauth, imap, activesnch, rdp at layer 7 - they have already been authenticated and encrypted at layer 6. Layer 7 is just data handling and hands off network stuff to lower layers. It maybe network aware but securing that is not part of network security per se - its a different ball game to do with viruses, payloads and exploits.

 

 

 

 

WAF... Web Application Firewall. Windows Firewall is not a WAF.

 

So given you do not know what a WAF is, please just accept that you do not seem to understand what level 7 is when applied to network security as well.

 

I would suggest you spend some time looking up and learning what modern (layer 7) firewalls do (such as Sonicwall, Fortinet, Palo Alto Networks), what WAFs do (F5, Fortinet, Citrix, Sonicwall), and what email security systems do (Barricuda, SonicWall, Fortinet, TrustWave etc).

 

I'd also recommend reading up on what a threat surface is and how it would apply to the services you run.

 

 

 

 

Well shag me sideways with a bristle brush - it turns out I do know what a WAF is and it turns out there is one in my server 2012 r2 server. Stop arging with Ms documents, you are making yourself look ignorant unless Ms MVPs also don't know what a WAF is

 

https://www.helloitsliam.com/2014/12/16/windows-server-2012-r2-web-application-firewall/  

 

Not only does Ms provide stateful inspection I also run third party security software providing full stateful inspection and spam filtering and domain trustworthyness and .. So again Stop assuming stuff. I've got subscriptions to five different security / filtering / security services. But you didn;t know that as you ASSUMED stuff and then fire off both barrels without knowledge. That's not polite and it makes you look less competent. Ask , dont assume.

 

Also how do you get a hardware firewall in front of a VPS / VDS unless you have physical access? I dont see many people doing that on droplets, amazon instances or most other stuff. do you put a full WAf in front of your Azure / MS exchange instances? or any other cloud services? If so would love to hear how you do that without physical access. THen how do you get small business clients to pay for that? The cost of a vds or co-hosting or etc etc is pretty high over head on a single server.

 

 

 

Most of the stuff you referenced above is a physical device. and yes - where there is physical access i put (normally) at least two firewalls in place. One for pure physical and port filtering and the other doing the spam, domain checking, anti virus etc etc before handing off to a windows box which is also firewalled, secured and with the type of software I posted about letting me know if stuff got inside the network. (so far they haven't).

 

 

 

 

 

 

 

 

 

 

 

 

 

 

HP

 
 
 
 

Shop now for HP laptops and other devices (affiliate link).
nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user


  #2092367 18-Sep-2018 10:11
Send private message

vulcannz:

 

 

The other problem with VPN is it generally connects you to a network, not a machine. While it can be tied to a single machine, most VPN isn't - which means a breach of vpn puts you as a full and active member of a network, not a person on a single machine like RDP. In many respect VPN is a new complete nightmare waiting to happen - exposing entire networks. From there taking control of many modern printers and using them as an exploitable door way is a simple step. People assume by using vpn you are safe, but that's old school thinking. Perimeter security from the outside in, not modern security from the inside out.

 

 

Crikey I missed that too. Nunz I'm sorry you know nothing about VPNs. They do not work in the ways you describe at all. 

 

 

 

 

Ever used a fritzbox vpn? It gives you access to the entire network. AS does most ipsec vpns in standard routers used by many small businesses.

 

Ever used open vpn locked down to a single machine instance and using an outgoing proxy for connectivity? It gives you access to one pc.

 

so tell me where I went wrong?   how is a device that serves up a lan ip onto a remote device outside the firewall not putting it on the network? As soon as a device has an ip address in the lan subnet it is on the network. After that you lock stuff down but the first step, unless you give them a lan ip with a subnet mask allowing access to only one other ip address (and that's a tough thing to do especially if you are serving more than one remote device lan ip addresses) is put them on the lan subnet.

 

VPNS for many businesses give access to 1 or more RDP pcs, printers, servers, file services, third party applications running network services such as sap or other MRP / ERP / CRM type systems. That means they are on the network at more than just a lan ip level. They also have routing and switching to other devices which means they can be accessed which makes them potentially hackable.

 

Instead of pouring scorn, why not stop knocking and take some time to ellucidate, teach some knowledge - or is it you only know how to knock and don't know anything at all?

 

Your statement that a VPN never gives access to just one pc or a VPN never gives access to a network is ridiculous. Unless you consider a VPN only the part that negotiates a hardened tunnel through the WAN / Internet and are being picky and saying dhcp and other stuff is not part of the VPN.

 

BTW you are also arguing with Wikipaedia if you think it doesn't give access to the network:

 

 

 

 

"A virtual private network extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Wikipedia"

 

 

 

 

 

 

Either ellucidate or stop knocking.

 

 

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user


  #2092369 18-Sep-2018 10:15
Send private message

jhsol:

 

nunz:

 

Actually no one has even discussed xp - its been bashing me for using RDP to connect to a 2012 server and a bunch of assumptions based on ignorance of how i run my systems.

 

 

nunz:

 

I've got multiple Windows 2003, 2008, 2012 etc servers - on the internet.

 

 

nunz:

 

Windows xp machines - need remote access. Embedded XP running mitsubishi laster cutters, XP used for serial based DOS software that didn't survive upgrade to windows 7 or higher. Heavily locked down via front end firewall but need to be checked in case people get past systems.

 

 

 

you quoted MY statements only - now go back to post two - where the discussion on how stupid it is to put rdp on the internet started.

 

You haven't shown one instance of someone discussing XP. and as I said they are all locked down by security in front of them .....

 

The only windows box directly on the internet without stuff in front of it is one Server 2012 box running mail services and that's the one I am getting bashed for accessing via rdp (limited to two ip addesses, with security, changed ports, etc in place)

 

 

 

 

jhsol
102 posts

Master Geek
+1 received by user: 27


  #2092435 18-Sep-2018 11:56
Send private message

Well, last post from me. Its pretty clear you are stuck in your ways and unable to take onboard constructive criticism. This thread should probably be locked and if everyone else agrees, no one should be following Nunz advice for IT. 

 

I admit that you are probably a skilled linux technician and a capable IT engineer in general, however when it comes to making IT decisions from a business perspective you probably want to take a step back. Whilst I wont bother going through all your posts highlighting the inacuracies in your statements I am going to just highlight the following standouts.

 

Nunz:

 

Let me summarize something here:

 

                  RDP      VPN

 

Open Port      Y           Y

 

Encrypted:     Y          Y

 

Uses certs      Y          Y

 

Allows access to wider network by defualt

 

                    N          Y

 

Adds complexity

 

                  Little        Lots

 

MS Approved    Y          ?

 

Works on high latency low bandwidth

 

                     Y           N

 

Understood by almost al Ms technicians

 

                    Y           N - generally needs to be specific product skilled and certified.

 

 

This part is really really wrong and really makes it standout just how little your understanding is on at least VPN principles. If you are stating that setting up a VPN is complex then it really highlights your lack of understanding across the Microsoft Server feature stack, Firewalls (hardware in particular) as well as how networking concepts in general (Note VPN does not allow access to wider network by default).

 

RDP

 

In regards to your whole getting bashed by everyone for opening up RDP to the outside world, it is considered best practice to not do this. Yes you have put in some steps to reduce the attack, but the better method for reducing the risk is to not expose the business to the risk at all. This fact is what stood out from post 1 which highlighted to the rest of the IT community here that you are not qualified to be giving advice to the wider public. 

 

RDP has had many many many security vulnerabilities over the years and whilst MS has attempted to fix them as they come along the fact that there could still be undisclosed vulnerabilities out there means you are open to those risks. On top of that RDP is not secure by default. We dont know if you have NLA enabled, whether you have updated OS patches run monthly etc or whether your network is segmented or not but your comments make it seem like you go for ease of implementation over secure by default. My honest opinion is that you just enabled RDP because you either couldnt be bothered or didnt have the skills to set up a VPN (RRAS is built in to Server 2012 R2 by the way) or even an RDP gateway by the sounds of it. I could be wrong, but I havent had much evidence from the posts from you in this thread. 

 

Summary

 

Lets just agree that you disagree with everyone else here. Thats ok. How you run your environment is up to you since you are the one that has to deal with the support. I feel sorry for the businesses you support but thats not my problem at the end of the day. I have my own clients to worry about. However if possible please refrain from offering advice to the wider public as your advice on this topic so far has been quite wrong. 

 

 

MadEngineer
4591 posts

Uber Geek
+1 received by user: 2570

Trusted

  #2092557 18-Sep-2018 13:58
Send private message

That’s because a frtizbox is a domestic router. Of course it’s going to provide a VPN service suitable only in a domestic situation :D




You're not on Atlantis anymore, Duncan Idaho.

michaelmurfy
meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2092560 18-Sep-2018 14:10
Send private message

@nunz like I, and many others have said you should take criticism from others. Nothing posted here was an attack towards you, it was all you defending your actions instead of taking them on board. The IT industry works fast and even I get told I am often incorrect, take it on board and go with it. It seems like you're pretty stuck in your ways which is not a good thing at all. Please understand many of the users who have posted in this thread have very good experience with what you're dealing with and have actually posted some good content but you've defended every single post and changed your story multiple times. You're honestly not going to survive in the IT industry if you don't take criticism and adjust for emerging threats and new best practises.

 

I really hope you change your attitude towards these things for the sake of your customers. As there is nothing more to add I am locking this thread.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

1 | 2 | 3 | 4 
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright