Ed Bott's Microsoft Challenge--11/2/00

By ebott ·
What would you do if you were placed in charge of Microsoft's internal network? You've undoubtedly heard of the successful break-in that hackers in Eastern Europe staged against the Microsoft servers that hold the company's crown jewels--source code for Windows, Office, and next-generation .Net services. Microsoft claims the hackers didn't get away with anything valuable, but this has to have been a wake-up call for the Redmond giant. TechRepublic members collectively have millions of years of experience managing mission-critical data. How would you protect critical data from unauthorized access? With tens of thousands of users, can you really restrict access using nothing but passwords? Here's your chance to tell Microsoft how to run a safe, secure network. Be creative, be outrageous, be blunt. Click here to add your input. But don't delay--this challenge closes at the end of the day on Thursday, November 9.

This conversation is currently closed to new comments.

31 total posts (Page 1 of 4)

All Comments

Ed Bott's Microsoft Challenge--11/2/00

by OTL In reply to Ed Bott's Microsoft Chall ...

For a little more security there is a key generator by Security Dynamics that generates a secure ID which must be in sync with your particular ID at the gateway; additional passwords can be added. The numbers are generated by logarithmic code by date. Unknown how often the password restarts; in 1 year, don't remember having the same one twice!

Ed Bott's Microsoft Challenge--11/2/00

by ebott In reply to Ed Bott's Microsoft Chall ...

The question was auto-closed by TechRepublic

Ed Bott's Microsoft Challenge--11/2/00

by parkerdv In reply to Ed Bott's Microsoft Chall ...

The only way to be totally secure from any hacker from outside is to remove all access to the network from the net. Remove those segments from any part of the network that has the ability to be accessed from the internet. Every day the prime jewels can be attacked, just not when but how is the question.

Ed Bott's Microsoft Challenge--11/2/00

by ebott In reply to Ed Bott's Microsoft Chall ...

The question was auto-closed by TechRepublic

Ed Bott's Microsoft Challenge--11/2/00

by erikdr In reply to Ed Bott's Microsoft Chall ...

Well,
Some major layers seem to be lacking from the security mechanism implemented by MS for remote access. Strangely enough, the layers _can_ be implemented using off-the-shelf MS technology but they are a nuisance for users (especially developers who wanna be quicker than quick...), so it's often a psychological / attitude problem also.
1. Implement better AUTHENTICATION. Userid/password might be enough for in-building access, it's not for remote access. Use some kind of challenge/response system with a 56 or 128-bit key. Even a worm can only see the challenges and responses, not the algorithm inside the central CHAP server and the employee's authentication device (e.g. smartcard, standalone calculator, etc. etc.).
2. Implement better AUTHORISATION. What a user is permitted to do inside the building he's not automatically permitted to do from outside. E.g. changing any data (Windows source code?) from outside should be forbidden in most cases; the RAS solution, using ISA Server, can block certain IP addresses when accessing remotely while those addresses are allowed from inside the building.

Hope this helps Bill & Steve :-)

<Erik> - The Netherlands

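The two layers from the post above, sketched as an added example that is not part of the original thread: a challenge/response login in which only the nonce and its HMAC cross the wire, followed by an authorisation check that depends on where the session came from. The class names, the `POLICY` table and the use of HMAC-SHA256 with a 128-bit key are assumptions, not a description of any Microsoft product.

```python
import hashlib
import hmac
import secrets

# Constructed policy (assumption): what each origin may do after login.
POLICY = {"internal": {"read", "write"}, "remote": {"read"}}

class AuthDevice:
    """Employee's token: the key never leaves it, only responses do."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class AuthServer:
    """Central server: issues single-use challenges and checks responses."""

    def __init__(self, keys_by_user):
        self._keys = keys_by_user
        self._pending = {}  # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh and unpredictable every time
        self._pending[user] = nonce
        return nonce

    def login(self, user: str, response: bytes, origin: str):
        # origin must come from the server's view of the connection
        # (e.g. which interface it arrived on), never from the client.
        nonce = self._pending.pop(user, None)  # a challenge is usable once
        key = self._keys.get(user)
        if nonce is None or key is None:
            return None
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return {"user": user, "origin": origin}

def authorize(session, action: str) -> bool:
    """Same user, different rights depending on the session's origin."""
    if session is None:
        return False
    return action in POLICY.get(session["origin"], set())
```

A response captured by an eavesdropper fails against the next challenge because each nonce is random and consumed on first use.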

Ed Bott's Microsoft Challenge--11/2/00

by ebott In reply to Ed Bott's Microsoft Chall ...

The question was auto-closed by TechRepublic

Ed Bott's Microsoft Challenge--11/2/00

by Craig IT Mangaer In reply to Ed Bott's Microsoft Chall ...

If I were running a highly sophisticated software development company there are a few things I would do. First would be to separate all PCs running and compiling code from the standard network both internal and external. Set up a station in those depts. for access to the rest of the network and internet for any research and internal external communications. Set up a system of two to three firewall layers running on separate platforms with each layer limiting access ports to only those necessary to accomplish the information passing needed. NAT established at the perimeter goes without saying. DMZ Zones for all servers that are accessed by outside sources via the web. Anyone working in R&D would be behind at least two firewalls allowing access to all points external as needed but making their machines all but invisible from the outside world. In fact for an added layer of security, I would have them use a Terminal server for internet and email for external mail which could have special rules to forward their mail to an internal email system separate from the first to keep all sensitive mail far from prying eyes, and to eliminate any possible linking back to R&D from external sources. All downloads from the internet and attachments in email would be brought in through a scanning point (an isolated PC) for "cleansing" prior to internal usage. Anyone caught trying to violate rules of conduct for downloading and bringing in outside code would be removed from R&D immediately with dismissal in most cases.

Ed Bott's Microsoft Challenge--11/2/00

by ebott In reply to Ed Bott's Microsoft Chall ...

The question was auto-closed by TechRepublic

Ed Bott's Microsoft Challenge--11/2/00

by MServino In reply to Ed Bott's Microsoft Chall ...

Have them use a 300 baud connection, there isn't a hacker in the world that would put up with that kind of wait. But more seriously...

For starters I'd make sure the company wasn't using a Microsoft product for E-mail, it's the absolute favorite of hackers, always has been always will be, too easy to work with using VB; while it adds to ease of use for the user it does the same for the hacker. Secondly, I'd make sure that those "Crown Jewels" weren't accessible over dial up, no modems, 1 less hole. Require that anybody connecting remotely do it over a dedicated internet connection such as DSL with a Static IP address so that the routers can filter out unauthorized users. Add in some VPN capabilities using highly secure 128 bit encryption on a hardware level, and they would have to have a firewall of their own. Make sure that anyone accessing the "Secure area" use Virus scanning software, and have them update it and run a full scan prior to connecting to the office each time they log in remotely. Run Anti-virus software on all proxy servers, 2 different kinds; what one can't get maybe the other will. I'd also lock out access to any and all ports not absolutely necessary over the net. If they can bring it down to 1 per server, perfect. The FTP server only is accessible over the FTP Port etc. or better yet, the services are not available over their normal port but on one that no one would suspect, high enough to avoid all those scans that hackers like to run. Also Secure ID which uses a constantly changing password isn't a bad idea either. I mean after all when it comes to security is there ever really any overkill? Especially when you're supreme target A number 1.


-Mike

Ed Bott's Microsoft Challenge--11/2/00

by ebott In reply to Ed Bott's Microsoft Chall ...

The question was auto-closed by TechRepublic
