Domain: hsc.fr
Stories and comments across the archive that link to hsc.fr.
Comments · 9
-
Re:Fishy
How do I mount a Bitlocker volume in Linux?
-
Re:It's recycled
I know at least one other company that GPL'd a product that was nice but didn't excite enough monied clients : Solsoft GPL'd Net Security Master, an application-level proxy.
http://www.hsc.fr/societe/produits/index.html.en
I worked for Solsoft at the time
:-) -
Re:Transmission
Hi,
I installed Windows XP 64-bit edition through VMWare and saw similar results. I did manage to disable port 445 by disabling several services (setting them to Disable) and rebooting. I think all you need is Server and Workstation disabled (or at least not running) plus all dependencies, but I also had Remote Registry disabled. I'm pretty sure this is an RPC service, though, so it should be irrelevant.
I had the same results as you did regarding disabling port 135. I did a little more digging and found this page on the same site I referenced before: http://www.hsc.fr/ressources/breves/min_w2k3_net_s rv.html.fr
It has information on disabling rpc from listening on the public interface, though my cursory glance at the page didn't uncover a way to disable it completely. Run "netsh -c rpc" from the command prompt, then type "add 127.0.0.0" (not 127.0.0.1). When I did this and rebooted, port 135 was no longer showing up on my port scan.
That's not to say that you should have to muck around with arcane commands just to keep your computer from accepting connections from everyone and his brother, but this shows that it certainly does seem possible. -
Re:Transmission
The below references Windows XP SP2. It may work for earlier or later versions, but that's all I have to test with.
Disabling port 445 is easy--just disable the Server service.
Disabling port 139 (another common one on Windows) is almost as easy--you have to disable NetBIOS over TCP/IP in the WINS tab of the TCP/IP advanced properties.
135 is a serious pain in the ass to disable, but it's still possible. You have to muck around with the registry.
First, create the hierarchy here:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Rpc\Linkage\
Value: Bind
Type: REG_MULTISZ
The value of Bind is a list of network interfaces to which RPC should bind. Leaving it blank means that it won't bind to any. You can install the loopback interface and bind to it, if you require RPC for anything. However RPC still binds to all interfaces by default, unless you add another registry key:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\RpcSs\
Value: ListenOnInternet
Type: REG_SZ
The value should be N. A value of Y (the default, assumed value) means that it should bind to all interfaces.
I ran through these steps and used nmap to test:
Firewall off:
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Server/Computer Browser Service Off:
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
TCP/IP Advanced properties, WINS tab, "Disable NetBIOS over TCP/IP":
PORT STATE SERVICE
135/tcp open msrpc
And after making the registry changes and rebooting, all ports were closed.
Maybe that will help a little. I don't know how significant disabling RPC will be on a Windows box. I could still use the box for everything I do with it, however that's fairly minimal.
More information on all of this (basically, where I originally got most of this information), including references for the keys above, are at http://www.hsc.fr/ressources/breves/min_srv_res_wi n.en.html -
Locked down computers
I use pktfilter and good well configured software too secure Windows systems from 2000 and newer. See http://www.hsc.fr/ressources/outils/pktfilter/ind
e x.html.en For Linux I use Iptables and good well configured software to secure the system. And top of that if necessary I use gwateways to segment net and filter trafic, either per trafic type with source, destination, time (most are fine) and sometimes I use application proxies. However I do not like firewalls at all, these are just needed since we can't properly configure our software with poor quality. Same arguments applies for ant-virus. The thing with firewalls is not to block trafic securely, it is to pass trafic securely. And therefore we still need better configured software with better quality. 1000's of Cisco Pix firewall in a chain still can't secure a loousy public web server. Joakim Nordberg -
microsoft's cynism at its bestfirst there was an OS monoculture..
then by including its browser and mail client in their OS, and preventing by its maneuvers other products to have a chance (ie: being included by the OEM), microsoft forcibly extended its mono-culture to two other important vectors of virus and spywares...combined with:
- the numerous security fails discovered in these product in a regular fashion.. some of them very stupid and dangerous: attachment that open by itself and execute, by using audio/x-wav mime type.
- bad default settings: hidden extensions (what have they done to prevent double extension scam in OE ?), netbios and co active by default on the internet connexion..etc..
MS attempt to make money with antivirus/antispyware not only shows their opportunism but also their prevalent cynism.
i guess that a antivirus and antispyware mono-culture is what we needed
:/BTW for those poor fellows still using OS oses
;) there is a great paper about network services minimization on windows 2000/XP (also available in french) a good way to close some present and future security holes, thanks to herve schauer consultants. - the numerous security fails discovered in these product in a regular fashion.. some of them very stupid and dangerous: attachment that open by itself and execute, by using audio/x-wav mime type.
-
microsoft's cynism at its bestfirst there was an OS monoculture..
then by including its browser and mail client in their OS, and preventing by its maneuvers other products to have a chance (ie: being included by the OEM), microsoft forcibly extended its mono-culture to two other important vectors of virus and spywares...combined with:
- the numerous security fails discovered in these product in a regular fashion.. some of them very stupid and dangerous: attachment that open by itself and execute, by using audio/x-wav mime type.
- bad default settings: hidden extensions (what have they done to prevent double extension scam in OE ?), netbios and co active by default on the internet connexion..etc..
MS attempt to make money with antivirus/antispyware not only shows their opportunism but also their prevalent cynism.
i guess that a antivirus and antispyware mono-culture is what we needed
:/BTW for those poor fellows still using OS oses
;) there is a great paper about network services minimization on windows 2000/XP (also available in french) a good way to close some present and future security holes, thanks to herve schauer consultants. - the numerous security fails discovered in these product in a regular fashion.. some of them very stupid and dangerous: attachment that open by itself and execute, by using audio/x-wav mime type.
-
Re:I disagree
No, it's a sign that you are a realist. Whatever patches you download for windows, theres still the RPC ports open, and when know the trouble they've caused recently.
No. Most Microsoft server software is broken WRT to security and should not be used. RPC should not be active.
In addition to this, what if the user opens an attachment that just happens to be a trojan that captures their every key-stroke (including their personal banking passwords and/or credit card no's), connects to the internet and sends this information to the nefarious script kiddie who mailed it out.
Sounds nice, but it's a lost cause. There are zillions of ways to slip past "trojan catchers". One big hole is MSIE -- all you have to do is convince it (in one of many ways) to contact an outside system.
Sorry, but that's absolute bullshit. Operating systems are inherently complex pieces of software that will (despite developers best efforts) contain security vulnerabilities somewhere.
I'm not talking about operating systems (other than the networking stack). I'm talking about remote vulnerabilities. You should not be running flawed servers. The only thing a server should let a remote user do is try to authenticate (and yes, auth code should be well-reviewed code). -
Sendmail ???
Why sendmail ?
If RedHat wants to do some good, then put engineers into helping Wetse with his Postfix client.
Want to know why ?? Here are some slides to convince you. French only, sorry, but I think you should be able to understand most of it.
--
Why pay for drugs when you can get Linux for free ?