On Friday 04 Oct 2002 2:28 am, Sleepy_all_day wrote:
> Peoples,
>    I have been having a few issues with a Windows NT system and the
> mountain of insecurities associated. I am now looking at alternative
> solutions that should help secure the system.

There is no difference between a properly configured windows PC and a 
properly configured Linux (or any other OS) PC. Install all patches, remove 
all unwanted (unnecessary) software and remove all unnecessary services. This 
applies to ANY system, and is possible on ANY system. Don't do this on ANY 
system and they are insecure.

Next, secure the filesystem with appropriate Access Control. Again applies to 
ANY system. The mountain of insecurities are normally exploited because the 
insecure applications are being run when not needed on systems that haven't 
been configured in the most appropriate way for their use. Sometimes they are 
not even running, just there - a malicious user can then run and exploit the 
application if they gain access through some other place even though you 
yourself may have no need of it.

>    The best thought I have come up with so far is to put the Windows NT
> Server with MS Sql on it behind a Linux box. But, also removing the
> internet ip addressing of the Windows NT server and giving it local ip
> addressing. IE moving from 61.X.X.X to 192.168.X.X.

Linux too has its insecurities (yes, mountains of them!) - they tend to be 
patched quicker, but they are there. You have many problems here that simply 
port redirecting using another potentially misconfigured server is not going 
to solve. The linux box needs to be adequately secured in the same way that 
the NT server needs to be. 

>    The Windows NT Server is mainly used on ports 919, 1433, and 3140.
> Does anyone see a problem installing Port Forwarding on the Linux box
> redirecting these ports. With the added defence of an IP Tables
> firewall this should remove almost all possibilities to exploit the
> server providing the Linux server is not breached.

I can't see what that will achieve. You are simply going to pass a malicious 
request to the open ports straight through the linux box and onto the server. 
The server will respond in exactly the same way as it would for a direct 
connection. Even if you have also placed egress filtering on the Linux 
firewall (and that won't stop everything as I've just learnt :]) you are 
still going to be in trouble.

For example, I want to attempt to connect to the database using username="sa" 
and a blank password (M$ nice default). All I need is a copy of query 
analyzer and your IP address. I connect to your SQL port on the linux box 
which scratches its head and says "Ooo. Better forward this to the SQL 
server, I have a rule for that.". The SQL server sees a request from Query 
Analyzer and, provided username and password are valid, authenticates the 
user. I now have a connection *through* your linux box to your NT server. The 
linux box may as well not be there. This solution doesn't stop anything. It 
just means you have potentially 2 hosts to compromise, possibly halving the 
work the attacker has to do.

>     I still wish to run the security updates on the Windows NT Server
> and the MS SQL Server however i need a long term solution which will
> resolve the difficulties that we are currently experiencing.

I personally think that your architecture is fundamentally flawed in many 
ways. The SQL box should NEVER be visible from the internet. There is no 
need. Wrap it using a properly designed web application (removing the sample 
directories, etc.) on a properly configured web server (lots of articles on 
this - g00gle is everyone's friend!). Have the SQL server on a separate box 
if possible where only the web application can talk to it, and then use 
stored procedures (properly designed) to connect from the web application to 
the SQL database.  That way you can simply do port forwarding for port 80 and 
block the SQL ports. More work, but if properly designed infinitely more 
secure in my opinion.

>     So what do you think ??

If you don't know by now :)

I'm sure I'm off the mark on some points, hell I may even have 
misinterpreted some of your comments, but this is my 2 cents.

mike.
--

sigsegv in MikeysCerebellum ... core dumped
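
The two designs mike contrasts above, as an added example that is not part of the original thread: the "DNAT 919/1433/3140 straight through" ruleset from the question beside the "forward port 80 to a web server, let only that web server reach the SQL ports" ruleset the reply recommends. Both are written as functions that print iptables commands rather than apply them, so the script runs without root; the interface names, the 192.168.x.x addresses, the separate web and SQL segments and the `wan_exposes_sql` check are all assumptions for illustration, while the three port numbers are the ones the question names.

```shell
#!/bin/sh
# Added example, not from the original post. Prints two iptables rulesets for
# a Linux box sitting in front of an NT/MS SQL server and provides a check
# that flags the situation the reply warns about: a SQL port DNAT'd in from
# the Internet-facing interface.

WAN_IF="eth0"            # assumed: interface facing the Internet (the old 61.x.x.x side)
DMZ_IF="eth1"            # assumed: segment holding the web server
LAN_IF="eth2"            # assumed: segment holding the NT/SQL server
NT_SQL="192.168.2.10"    # assumed private address of the NT/MS SQL box
WEB="192.168.1.20"       # assumed private address of the web server
SQL_PORTS="919 1433 3140"   # ports named in the question

# The question's design: DNAT every SQL port straight through to the NT box.
# Whatever the NT server would accept from the Internet (sa with a blank
# password included) it still accepts; the Linux box is only an extra hop.
weak_ruleset() {
    for p in $SQL_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $NT_SQL:$p"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $NT_SQL --dport $p -j ACCEPT"
    done
}

# The reply's design: only port 80 is forwarded, to a web server on its own
# segment, and the SQL ports are reachable from that web server's address alone.
# FORWARD policy DROP plus ESTABLISHED,RELATED also means neither internal box
# can open new connections outwards through the firewall (crude egress filtering).
hardened_ruleset() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Internet -> web server, port 80 only (PREROUTING DNAT runs before FORWARD,
    # so the FORWARD rule matches on the rewritten destination).
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB:80"
    echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $WEB --dport 80 -m state --state NEW -j ACCEPT"
    # web server -> SQL server: SQL ports only, and only from the web server's address
    for p in $SQL_PORTS; do
        echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -p tcp -s $WEB -d $NT_SQL --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Check: does a ruleset DNAT any SQL port in from the WAN interface?
# Returns 0 (true) if it does. Takes the ruleset text as its one argument.
wan_exposes_sql() {
    ruleset="$1"
    for p in $SQL_PORTS; do
        if printf '%s\n' "$ruleset" | grep -q -- "-i $WAN_IF .*--dport $p -j DNAT"; then
            return 0
        fi
    done
    return 1
}

echo "# --- ruleset from the question ---"
weak_ruleset
echo "# --- ruleset the reply recommends ---"
hardened_ruleset
```

Run it as `sh rules.sh` to see both rulesets; `wan_exposes_sql "$(weak_ruleset)"` succeeds and the same check against `hardened_ruleset` fails, which is the whole difference the reply is pointing at. The check only reads the rules it is given: it says nothing about the sa password, the NT patch level, or what the web application itself does with its SQL connection.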
