Domain: conxion.com
Stories and comments across the archive that link to conxion.com.
Comments · 29
-
Hmmm. Somehow I have trouble trusting a security guide which lists "GRC.com Shields Up!!" as a network analysis tool. (p.26)
Seriously, though, there does seem to be a lot of good, if occasionally basic, advice here. I remember going through the guides the NSA compiled (warning: obnoxious legalese popup) ages ago, and I see some of the same advice here, e.g. remove the OS/2 and POSIX subsystems, etc.
-
Re:The NSA seems to think
Wow! The NSA also thinks that Windows can be made pretty damn secure!!
Back to square one for that argument. -
Re:A few quick comments
I'm almost certain that if they had the ability to tweak security in MS, they would do so.
They did, sort of, with the security guides, which are well-documented (if rather dry) explanations of how to use existing Windows functionality to improve security on the systems. Some of them are pretty clearly overkill for most people (minimum 12-character passwords and 4GB max size for each log file, for example), but they're generally pretty good use. Apparently, they had such an effect on Microsoft that MS wrote up a "Securing Windows Server 2003" document that was good enough that the NSA people decided that their own document wasn't needed. It's not a matter of laziness, either; they're still publishing and updating the other documents.
Still doesn't make Windows flawless, but it makes it a helluva lot better for those needing to lock things down. -
Re:the nsa...
Not quite. 300 pages to totally lock down a Cisco router regardless of its specific configuration or specification with explanations as to precisely why you want to make the changes and what might happen if you don't. There are also guides to Windows (various versions) and email security too. None for Linux yet, but I suppose that can be summarised as "Install NSA Secure Linux".
;) You can find them here, by the way - well worth a look at some point, even if you don't deal with the specific subject matter but in the same area. -
Re:Old Problem
I feel your pain, I've been there. When I took charge of our network, things changed quite a bit. I implemented the scheme recommended in the NSA guides, where you force a change every 90 days and disallow repeating of the last umpteen passwords (don't remember the exact number offhand). The theory is to encourage strong passwords by giving them enough time between changes so the users don't feel like they're having to remember a new password every other day. Our users are much happier, and they actually do use stronger passwords now.
The biggest problem we have now is people being too quick to offer up their passwords. I've started randomly asking people what their password is, and if they tell me, they get a lecture on how I will *never* need their password, and to never tell anyone and why, then I make them change it immediately. It pisses them off (don't do this to the company president), but they get the point very clearly. Most people now roll their eyes and walk away when I ask, so it seems to be working. -
Really? NSA likes it
From the NSA Homepage (emphasis mine):
NSA has developed and distributed configuration guidance for Microsoft Windows NT and Windows 2000 in the form of configuration guides. These guides are currently being used throughout the government and by numerous entities as a security baseline for their Windows systems.
To assist our Windows XP user community, NSA has developed security configuration guidance for Windows XP, with the cooperation of other government agencies and industry partners who provided their expertise and extensive technical review. The configuration guide for Microsoft Windows XP is being posted on the NSA web site and is presented in two parts: ".INF" file and the configuration guide. -
A couple of comments on what to do in the Future
1) Book Mark this site. This is the first and best place to go when hacked and is a great source of education in general for victims of hacking.
2) You're right about the FBI. They are very limited in their scope of assistance. The only other victims they would take immediate action with are attacks on other State, local or US governmental sites (ie. State Funded Universities, Governmental offices, etc.)
3) Scan your logs on a regular basis.
4) Check this link out. This is the NSA's recommendations on how to hammer down Cisco Routers, Windows 2K, XP, and NT4 operating systems. These should be used as a guide as following all the steps in this manual would turn your machine(s) into bastion servers.
5) Be Prepared for the ISP not talking to or Working with you on this issue. Prodigy, Qwest, and Sprint used to be and in some cases are REALLY bad at this.
Dolemite
-
other survival books...
"Surviving Slashdot" by Oliver Clozoff
"Surviving Slashdot" illustrates how to build a corporate network that accepts large numbers of incoming connections from stories posted at Slashdot.org, while still allowing employees to make network connections that they need. Techniques covered include round-robin DNS with different servers in different geographical locations, multiple HTTP servers with load balancing, and smooth transition over to a volume web host like Conxion or cNet at a moment's notice without significant downtime. Other Anti-Slashdotting tactics also discussed. -
Re:Conxion Mirror
instead of cutting and pasting above site click here
-
Think of it this way.... If you're the type of NT admin who is going to take the trouble to trick the OS fingerprint of your NT box, you're SURE AS HELL going to be conscientious enough to take reasonable steps to avoid getting k1dd13 hacked in the first place.
You've probably already read through the NSA security guide, hardened the OS, DELETED (not just disabled) the guest account, etc.
In which case, most of the k1dd13 hacks won't affect you... -
Re:Our server has been compromised 8 times in a we
Probably one of the best resources for tightening ANY Windows machine is the NSA's own guide (nsa2.www.conxion.com).
We have used this for our migrations and it proved indispensable. -
Why?
Why can't you just use the already provided NSA guidelines to secure your Windows machine?
-
Re:Let's just say
Right, like I used the NSA group policy templates to secure some Win2k web servers without even a second thought. I knew they'd been widely used and there was nothing on the webserver I'd really care to hide from the Snoops so it wasn't a matter of trust on that level. Besides, things like group policy templates are easy to audit yourself.
I say so long as their tools are this transparent then bring them on, the more help the better. -
NSA Security Recommendations
The article mentions:
Clarke spoke to reporters as well as government and corporate officials to announce government-wide standards for securing Microsoft's Windows 2000, the most commonly used operating system for government and corporate computers.
The NSA's security recommendations for Win2K have been available to the public for some time now. See here. They've also published security guides for NT and Cisco routers, as well as "best practice" suggestions for dealing with email and executables, see here. Yes, that's really an NSA site; I don't know why it's not hosted where you'd expect it to be.
The Pentagon, the National Security Agency and other private and government organizations devised the standards.
Shaun -
"Long Uptimes" are simply a matter of design
I have a Linux server that has been running without reboot for 679 days. Yes, I do update content, and I admit that there has been network maintenance that has made it unreachable twice during that time. However, I spend almost no money on the network, so that's what I get.
One company I worked for once upon a time, ConXioN Corp, has a very real statement on their opening page from a major customer:
"ConXioN has not been down in 5 years." And that was in 2001, they still haven't had a hit.
This is simply a matter of consideration and design. No $19.95/month mom&pop ISP is going to put the effort needed into ensuring such uptimes, things like that take redundancy and forward thinking, and that costs money.
While I was at NASA, the network and servers there also had better than 5-9's availability, because the people who ran those servers and that network took the time to care. For us it wasn't a matter of profit, it was a matter of pride.
So while I agree with those who pooh-pooh that "nothing is so important" that it needs to be up 100% of the time, and I also agree with the reality that there will be downtime of any system at some point, really impressive uptimes are not just possible, they can and do happen anywhere that uptime is a priority.
Long Uptimes are simply a matter of design.
Bob-
-
Let the trademark suits begin!
Conxion probably won't be too happy with them using the name "Connexion" with regards to an Internet service. Lawyers everywhere rejoice.
-
Re:What I Really Want
Actually, one thing that I currently like seeing the government doing is creating publications on security best practices. Like what the NSA distributes here.
A lot more useful than any regulation or a thousand laws IMO.
-
The NSA and CERT agree -
The NSA has been saying this for a while now.
CERT has been saying this for a while now
Most CCNAs know just enough to get RIP running - and security in Cisco manuals doesn't go much beyond passwords and locking your telco closet. They do publish more extensive books on the subject - for a price of course.
I'm all for this - hopefully it'll force companies to pay more for qualified network engineers. As it stands right now they're paid 35k their first year out - that's pathetic for the amount of training required to put together large secure networks. -
Look to the NSA...
While they can make "under-the-hood" changes legally with Linux, they are limited to suggestions on how to configure Microsoft products. More flexibility.
Besides, every software solution Uncle Sam doesn't have to pay for saves taxpayer dollars, and no Congressman can be against that. Even NASA takes lowest bidder, and they do do rocket science! -
Re:Whoa! Sorry, missed that. Mod parent up, please
Maybe if the URL is put inside an href tag like this it will be OK. Then you can right click on the link, use "Copy Link to Clipboard" or whatever, and paste it into wherever you're going to download from.
-
Funny you should mention Win2K...
...because service pack 2 just got discovered yesterday. It does weigh in at 100 megs (it contains SP1 as well), but apparently it's worth it: only a few networking issues have been reported (things involving authentication with other servers on the LAN and such), and it gives a certain speed boost to many games (on Quake3, I ran a timedemo on a demo that never yielded above 43 frames per second before; with SP2 installed, the average was 49.2). If you have any Windows 2000 boxes running where you work or live, I recommend at least checking out SP2. It's ready to be downloaded (east coast west coast), though I haven't seen Microsoft's Win2K downloads page updated yet. The general consensus is that its benefits far outweigh its detriments.
-
Interbase
Interbase fits right into a Linux environment.
Borland has just recently released its source code and so what we have now is an open-source, royalty-free, Borland-quality database to use and abuse. Download links are:
Client and server source code
Server Linux binaries
From personal experience, Interbase is perfect for a tight budget situation where you need to serve a medium-size userbase.
--
Kiro -
Anyone try to cheat yet? (Funny)
Thought this was interesting... I wanted to see if the other bits were there just not linked.. So.. rip off the end of the URL to the pdf file, and get:
http://radiant.www.conxion.com/
Pretty funny, I thought.
Here's the text:
You are not permitted to view the contents of this directory.
If you have gotten here by mistake, then please use your back button and follow the correct link for The Plant download.
If you have gotten here on purpose, remember -- don't steal from the blind newsboy.
--- -
Re:Test program for the IIIxe?
There is no patch, there is no spoon.
-
Terrorism on both sides of the story
I totally believe that it's one's innate right to self-defense if being attacked. This right though should be limited to self-defense in a physical manner if that is how you are being attacked. Being attacked on the net and fighting back in this manner just doesn't seem like the correct thing to do. As an ISP/IT company Conxion has a responsibility to handle the attack through the appropriate channels. If a US citizen cannot legally do this type of thing then why should the fact that Conxion is a major corporation make it acceptable? Especially troubling is this little blurb: "Conxion was so proud of having given the attackers a dose of their own medicine that it issued a press release about the incident." My first thought after reading the press release was DUH! You just committed a crime and then made a public announcement regarding your actions. This alone should be enough evidence to take some form of action against Conxion based on their own admission. One should not stoop to an act of terrorism as a form of retaliation. You would think that a company with such strong Microsoft affiliations ought to be wary (after all the DOJ/monopoly actions) of doing such a thing. Two wrongs don't make a right...no matter how good it feels.
-
Re:Pretty amusing that they use the "enemy" =)
Really, 6TB per day from the micros~1 domain...
That's an amazing feat considering most of their files are redirected for download on alternate servers (aka conxion.com).