[dba-Tech] Server Hardening? Really?

Dan Waters df.waters at comcast.net
Tue Mar 5 13:31:18 CST 2013


Hi John,

They do continue to support Aventail.  I can use it to connect to their
network to open a mapped folder on the server, but that's not much use when
trying to update/maintain Visual Studio, Access, or SQL Server.

It is actually their intention that no one be able to log into the server
remotely by any means.  To me this is a very ham-fisted and self-destructive
approach to security.

Dan

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of John Bartow
Sent: Tuesday, March 05, 2013 1:24 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Server Hardening? Really?

And they no longer allow that? If so they definitely need to replace it
with something (that they support) that you can use.
jb

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Dan Waters
Sent: Tuesday, March 05, 2013 12:52 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Server Hardening? Really?

Hi Hans,

I should have said that I do connect using their VPN (Aventail) which does
require a username and password.  This is just for my access, and isn't
public from the web.

Thanks!
Dan

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
Andersen
Sent: Tuesday, March 05, 2013 11:32 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Server Hardening? Really?

I would generally agree that it is a bad idea to have remote desktop
accessible from the web. A better alternative is to set up a VPN or, at the
very least, using port knocking to secure the server better from malicious
background internet traffic. Another alternative, which I use, is a tool on
Linux called fail2ban, which monitors your logs for failed login attempts
and bans any IPs that failed to log in 3 times in the firewall. Works like a
charm. But, I wouldn't allow any service that doesn't need to be public to
be accessible publicly in principle. It may seem safe today, but once a
zero-day exploit comes around... 

- Hans


 
On 2013-03-05, at 9:19 AM, "Dan Waters" <df.waters at comcast.net> wrote:

> One of my customers is a subsidiary of a larger company.  That company 
> has contracted with Computer Services Company (CSC) to provide 
> computer and network services.  (CSC was recently fired by the US Air 
> Force for not fulfilling a contract to provide a large software
> system.)
> 
> 
> 
> At my customer, CSC is doing what they call 'server hardening'.  A 
> consequence of this is that remote desktop access is no longer allowed
> - so I can no longer directly update or maintain the system I've built 
> for them.
> Even my customer's employees have lost their remote access to this server.
> I have yet to figure out how to make this work.  BTW, the folks at my 
> customer have been infuriated by CSC's actions for a couple of years 
> now and they are angrier than I am.
> 
> 
> 
> So, I'd like to ask everyone if you believe that preventing remote 
> desktop access is appropriate for server hardening.  Or, what steps 
> could be done to provide equivalently secure remote access?
> 
> 
> 
> 
> 
> Thanks!
> 
> Dan Waters
> 
> 
> 
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com

