Protection needed: a rubber won't cut it this time

ERage

Nov 7, 2005
So I have rebuilt that bombed server that I posted a thread about earlier this week. I have a new question that I think deserves a new thread.

If you are trying to run a server within an organization that has no idea what it is doing as far as network security is concerned (assume worst case scenario), how can you protect yourself? More specifically, I have a machine that gets mild traffic/use as a file, print, FTP, and Web server. The server resides on a domain that is controlled by another office. It has a fixed IP address that is totally public and viewable to the outside world. It also resides behind a firewall that is not configured to restrict any traffic over ports.

I strongly believe that these things contributed to the machine getting compromised to begin with but the computing services staff refuse any guilt. Furthermore they will not give me any insight into any current security settings/protocol that may be in place at the top level (routers, firewalls, or whatever). So assuming the worst case scenario, what would you do to protect this necessary machine?

Install a software firewall maybe? Is it worth getting a router/firewall piece of hardware to do the job on my end? I can only assume that firewall software on a server is going to wreak havoc on the services.

I've already built the machine from the ground up and the settings are as tight as I can make them. It is a Win 2000 SP4 Server, the bastards won't even authorize my dept to buy a copy of Win2k3 :rolleyes:
 
I guess a software firewall is about as good as you can do in this situation, but that really might be enough. Especially if you're able to create different rules for the private network.
 
Make sure all unneeded services are disabled. Run a port scanner on it so you know what ports are open if any. Make sure any type of guest account is disabled.
 
I would only get a hardware firewall if you were on a large network. I'm guessing this is more of a small network (only assuming) or you just want to protect yourself from incoming dangers. In that case a software firewall should do the trick nicely.
 
-disable unneeded services, don't install unneeded programs
-auto-updating antivirus
-software firewall
-do updates dammit
-require all passwords to be >8 characters, and not dictionary words.
-change admin password
-no anonymous/guest accounts
-maybe a host-based IDS/IPS
-hardware firewall with inbound NAT and antispoofing protection, and stateful packet inspection (I recommend Checkpoint on Nokia, but it's not cheap)
-after portscanning, check for vulnerabilities with a tool like Nessus

just a few things i constantly nag people about.
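The checklist above, as an added example that is not part of the original posts: a small Python audit helper covering two of the items, a TCP connect() port scan so you know which ports actually answer, and a check of the password policy stated in the thread (more than 8 characters, letters plus digits plus a symbol, not a dictionary word). The host, port range and wordlist are assumptions; the loopback listener and the unused-port helper are constructed fixtures so the block runs offline without touching a real server.

```python
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def scan_ports(host, ports, timeout=0.5, workers=64):
    """TCP connect() scan. Returns the sorted list of ports that accepted a connection.

    A completed connect() means something is listening; refused or timed-out ports
    count as closed/filtered. Connect scans are noisy but need no raw-socket
    privileges, which is fine when you are auditing your own box.
    """
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port
            except OSError:          # refused, timed out, unreachable
                return None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


# Assumed wordlist for illustration; a real audit would load a full dictionary file.
DEFAULT_WORDLIST = frozenset({"password", "letmein", "welcome", "server", "admin", "qwerty"})


def password_meets_policy(pw, wordlist=DEFAULT_WORDLIST, min_len=9):
    """Policy from the thread: more than 8 characters, letters + digits + a symbol,
    and not a dictionary word (a word padded with digits/symbols is still rejected)."""
    if len(pw) < min_len:
        return False
    has_alpha = re.search(r"[A-Za-z]", pw) is not None
    has_digit = re.search(r"\d", pw) is not None
    has_symbol = re.search(r"[^A-Za-z0-9]", pw) is not None
    if not (has_alpha and has_digit and has_symbol):
        return False
    alpha_core = re.sub(r"[^A-Za-z]", "", pw).lower()   # "password1!" -> "password"
    return alpha_core not in wordlist


def _start_listener():
    """Constructed fixture: a throwaway listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.5)              # lets the accept loop notice when we close it
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:          # listener was closed
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def _unused_port():
    """Constructed fixture: an ephemeral loopback port that nothing listens on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan a small window around the fixture port; returns (fixture_port, open_ports)."""
    srv, port = _start_listener()
    try:
        found = scan_ports("127.0.0.1", range(max(1024, port - 5), port + 6))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    print("listener on", port, "-> open ports seen:", found)
    for pw in ("password1!", "Ab1!", "Tr0ub4dor&3"):
        print(pw, "ok" if password_meets_policy(pw) else "rejected")
```

Run the scan from another machine on the LAN against the server's address rather than from the server itself, so you see what the network sees; a connect() scan only tells you which TCP ports answer, which is why the list above still points you at Nessus afterwards for the "what is listening and is it vulnerable" part.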
 
I'll be honest: I can't help with your current problem but boy was I a little thrown off after reading the title to this thread.
 
-disable unneeded services, don't install unneeded programs
Done, it is a minimal build at this point. Seriously bare bones.

-auto-updating antivirus
Norton Corporate v.10 live update and full scan daily.

-software firewall
anyone have any favorite brand? Zone Alarm? give me an idea.

-do updates dammit
win auto update enabled.

-require all passwords to be >8 characters, and not dictionary words.
I now personally control all passwords, all are alpha, numeric, and at least 1 character like !@#$%^&*

-change admin password
There is no "admin" login, my username is now the only admin login with my own password.

-no anonymous/guest accounts
Already removed.

-maybe a host-based IDS/IPS
I don't understand this (I'm not really a server/admin guy so help me out)

-hardware firewall with inbound NAT and antispoofing protection, and stateful packet inspection (I recommend Checkpoint on Nokia, but it's not cheap)
I'd consider it but I'm thinking it may be unnecessary with the software firewall in place.

-after portscanning, check for vulnerabilities with a tool like Nessus
I'll try it for sure.
 
snoogit said:
I would only get a hardware firewall if you were on a large network. I'm guessing this is more of a small network (only assuming) or you just want to protect yourself form incoming dangers. In that case a software firewall should do the trick nicely.


This network has about 450 business users and upwards of 1500 student users. I do have the luxury of being able to hide behind a switch/firewall in the office that this server exists under if the need be.
 
djduquet said:
I'll be honest: I can't help with your current problem but boy was I a little thrown off after reading the title to this thread.
:lol: It seems that I titled it well.
 
ERage said:
This network has about 450 business users and upwards of 1500 student users. I do have the luxury of being able to hide behind a switch/firewall in the office that this server exists under if the need be.

I know the last place I worked at I was also part-tech person, and we connected our server up to the firewalled switch and it went fine.
 
ERage said:
-maybe a host-based IDS/IPS
I don't understand this (I'm not really a server/admin guy so help me out)

-hardware firewall with inbound NAT and antispoofing protection, and stateful packet inspection (I recommend Checkpoint on Nokia, but it's not cheap)
I'd consider it but I'm thinking it may be unnecessary with the software firewall in place.

IDS is Intrusion detection, IPS is intrusion prevention. They basically monitor your traffic for attack patterns, and an IPS blocks the attack inline, either by sending RST packets or implicitly blocking the attacking address.

A software firewall is not a save-all solution. By using inbound NAT, you can block IDS avoidance attacks using packet fragmentation. A proper (i.e. Checkpoint) hardware firewall can also block address spoofing attacks, and zero-day exploits. They can also ensure that the state of TCP connections is valid, i.e. using the proper SYN, SYN-ACK, ACK, etc. Software firewalls simply open up a port, which is but one layer on the OSI model, whereas a HW firewall does checks on several layers.
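What "ensuring the state of TCP connections is valid" and "antispoofing" mean in practice, as an added example that is not code from the original post or from any vendor's product: a toy stateful filter in Python that admits only packets fitting the SYN, SYN-ACK, ACK sequence for each flow and drops anything arriving from outside that claims the protected host's own address. The addresses, the flag constants and the packet sequence are constructed for illustration; a real firewall also tracks sequence numbers, windows and timeouts, which this leaves out.

```python
from dataclasses import dataclass

# TCP flag bits, as in the header (assumed layout for the toy packets below)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int
    payload: int = 0      # bytes of application data carried


class StatefulFilter:
    """Per-flow connection tracking for a single protected host.

    A stateless port filter that 'opens port 80' lets any packet with dst port 80
    through, including bare ACKs, FINs and data that never completed a handshake.
    This filter only accepts a packet if it is the next legal step for its flow.
    """

    def __init__(self, protected_host):
        self.protected = protected_host
        self.state = {}   # (client, server) -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"

    def _key(self, pkt):
        # Both directions of a flow map to the same key, client address first.
        return (pkt.src, pkt.dst) if pkt.dst == self.protected else (pkt.dst, pkt.src)

    def process(self, pkt):
        inbound = pkt.dst == self.protected
        if inbound and pkt.src == self.protected:
            return "DROP"             # antispoofing: outside packet wearing our own address
        key = self._key(pkt)
        st = self.state.get(key)

        if pkt.flags & RST:
            self.state.pop(key, None)
            return "ACCEPT" if st is not None else "DROP"

        if st is None:
            # Only a bare inbound SYN may open a flow; a stray ACK/FIN/data packet
            # (an ACK scan, or a packet injected mid-stream) has no flow and is dropped.
            if inbound and pkt.flags == SYN and pkt.payload == 0:
                self.state[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"

        if st == "SYN_SENT":
            if not inbound and pkt.flags == SYN | ACK:
                self.state[key] = "SYN_RECEIVED"
                return "ACCEPT"
            return "DROP"

        if st == "SYN_RECEIVED":
            if inbound and pkt.flags & ACK and not pkt.flags & SYN:
                self.state[key] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"

        # ESTABLISHED: data flows either way; a FIN tears the flow down.
        if pkt.flags & FIN:
            self.state.pop(key, None)
        return "ACCEPT"


def demo():
    """Constructed traffic: one clean handshake, then two packets a port filter would pass."""
    fw = StatefulFilter("10.0.0.5")
    handshake = [
        Packet("1.2.3.4", "10.0.0.5", SYN),
        Packet("10.0.0.5", "1.2.3.4", SYN | ACK),
        Packet("1.2.3.4", "10.0.0.5", ACK),
        Packet("1.2.3.4", "10.0.0.5", ACK, payload=40),
    ]
    good = [fw.process(p) for p in handshake]
    stray_ack = fw.process(Packet("6.6.6.6", "10.0.0.5", ACK))           # no handshake
    spoofed = fw.process(Packet("10.0.0.5", "10.0.0.5", SYN))            # our own address
    return good, stray_ack, spoofed


if __name__ == "__main__":
    print(demo())
```

The first three packets are the only ones the filter lets through for a new flow, and in that order; everything else is judged against the flow's recorded state rather than just its destination port, which is the layer a simple port-opening software firewall does not check.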
 
Audit your File/Print shares as well. Win2k default share permissions typically included the 'Everyone' Group. With no NTFS perms applied to your shares, this gives anyone the ability to at least see what data you have out there.

Replace the 'everyone' group with 'Authenticated Users', meaning that they have to at least have logged in to the domain.

Lastly (for this post), If you can't protect your server, protect yourself. If infosec for this server is handled by a different group, make it their duty to monitor/maintain/repair said server in the case of an attack/compromise. If they can dump the sh*t work back to you when their clearly deficient protocols fail, they will never have a reason to revisit information security.
 
Audit your File/Print shares as well. Win2k default share permissions typically included the 'Everyone' Group. With no NTFS perms applied to your shares, this gives anyone the ability to at least see what data you have out there.

I've actually removed all print shares from this machine. the 2 printers it used to share have the capability of serving themselves on the network so they are now set up to do so. Users now attach to the unique IP of the printer and utilize a driver on their local machine rather than through the server.

Replace the 'everyone' group with 'Authenticated Users', meaning that they have to at least have logged in to the domain.

Everyone is nowhere to be found on this machine anymore, that was one of the first things I did.

Lastly (for this post), If you can't protect your server, protect yourself. If infosec for this server is handled by a different group, make it their duty to monitor/maintain/repair said server in the case of an attack/compromise. If they can dump the sh*t work back to you when their clearly deficient protocols fail, they will never have a reason to revisit information security.

This organization is sort of tricky. We have a totally incompetent Computing Services staff, so what we get is them at the helm, but other offices create little mushroom villages of IT staff to handle local issues and setups. This of course creates a decentralized IT organization, and we all know what that causes.

The security of this machine is still entrusted to the office that owns it and I have documented and they have signed off on exactly what I am to do. All I will do is get it uncompromised, back online and as secure as I can make it after that it is their responsibility. They are looking for a new hire with some experience to take over where the last guy left off.
 
b_sinning said:
If that is a server at Savannah State you better also have bars on the windows and one of those hidden tags that set off a door alarm.

'Tis already bolted and locked to the floor good sir :fly:

Edit: Which, conveniently, is the same method I used to lock down my gun safe.
 