[dba-Tech] Server Hardening? Really?

John Bartow john at winhaven.net
Tue Mar 5 14:36:32 CST 2013


Yeah, I agree. What's the difference if you go on site or via a secure remote
connection? Just make sure you charge them for travel times, meals and other
expenses and so on. Eventually the customer will either change the policy or
accept that the cost of total paranoia is justified.

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Dan Waters
Sent: Tuesday, March 05, 2013 1:31 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Server Hardening? Really?

Hi John,

They do continue to support Aventail.  I can use it to connect to their
network to open a mapped folder on the server, but that's not much use when
trying to update/maintain Visual Studio, Access, or SQL Server.

It is actually their intention that no one be able to log into the server
remotely by any means.  To me this is a very ham-fisted and self-destructive
approach to security.

Dan

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of John Bartow
Sent: Tuesday, March 05, 2013 1:24 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Server Hardening? Really?

And they no longer allow that? If so, they definitely need to replace it
with something (that they support) that you can use.
jb

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Dan Waters
Sent: Tuesday, March 05, 2013 12:52 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Server Hardening? Really?

Hi Hans,

I should have said that I do connect using their VPN (Aventail) which does
require a username and password.  This is just for my access, and isn't
public from the web.

Thanks!
Dan

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
Andersen
Sent: Tuesday, March 05, 2013 11:32 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Server Hardening? Really?

I would generally agree that it is a bad idea to have remote desktop
accessible from the web. A better alternative is to set up a VPN or, at the
very least, to use port knocking to secure the server better from malicious
background internet traffic. Another alternative, which I use, is a tool on
Linux called fail2ban, which monitors your logs for failed login attempts
and bans any IPs that failed to log in 3 times in the firewall. Works like a
charm. But, I wouldn't allow any service that doesn't need to be public to
be accessible publicly in principle. It may seem safe today, but once a
zero-day exploit comes around...

- Hans
On 2013-03-05, at 9:19 AM, "Dan Waters" <df.waters at comcast.net> wrote:

> One of my customers is a subsidiary of a larger company.  That company 
> has contracted with Computer Services Company (CSC) to provide 
> computer and network services.  (CSC was recently fired by the US Air 
> Force for not fulfilling a contract to provide a large software
> system.)
> 
> At my customer, CSC is doing what they call 'server hardening'.  A 
> consequence of this is that remote desktop access is no longer allowed
> - so I can no longer directly update or maintain the system I've built 
> for them.
> Even my customer's employees have lost their remote access to this server.
> I have yet to figure out how to make this work.  BTW, the folks at my 
> customer have been infuriated by CSC's actions for a couple of years 
> now and they are angrier than I am.
> 
> So, I'd like to ask everyone if you believe that preventing remote 
> desktop access is appropriate for server hardening.  Or, what steps 
> could be done to provide equivalently secure remote access?
> 
> Thanks!
> 
> Dan Waters
> 
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
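Hans's fail2ban suggestion, reduced to its detection logic as an added example. This is a simplified re-implementation in Python, not fail2ban's own code and not anything posted in this thread: it scans sshd "Failed password" lines, counts failures per source IP inside a sliding time window, and records a ban once the count reaches the threshold. The parameter names maxretry, findtime and bantime are borrowed from the fail2ban jail options of the same names; the log lines, host name and IP addresses are constructed for the example, and the iptables rule it renders only illustrates the kind of firewall action a ban would apply, it is never executed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (syslog-style sshd messages); not from any real host.
SAMPLE_LOG = """\
Mar  5 11:30:01 dbsrv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 11:30:04 dbsrv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 11:30:09 dbsrv sshd[2107]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  5 11:30:12 dbsrv sshd[2110]: Accepted publickey for dan from 198.51.100.22 port 40200 ssh2: RSA SHA256:Qm1yQ2J3
Mar  5 11:31:40 dbsrv sshd[2115]: Failed password for dan from 198.51.100.22 port 40210 ssh2
Mar  5 11:32:20 dbsrv sshd[2118]: Failed password for dan from 198.51.100.22 port 40211 ssh2
Mar  5 11:45:00 dbsrv sshd[2130]: Failed password for dan from 198.51.100.22 port 40230 ssh2
Mar  5 11:45:03 dbsrv sshd[2131]: Failed password for root from 203.0.113.7 port 51050 ssh2
"""

# Matches only authentication failures; "Accepted ..." lines never match.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(ts: str, year: int = 2013) -> datetime:
    """syslog timestamps carry no year, so one is supplied explicitly (the thread's year)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_bans(log_text: str, maxretry: int = 3, findtime: int = 600, bantime: int = 3600):
    """Return [(ip, datetime_of_ban)] for every source IP that reached `maxretry`
    failures within `findtime` seconds. Failures from an IP whose ban (of `bantime`
    seconds) is still active are skipped, as a firewall rule would have dropped them."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned_until = {}             # ip -> datetime at which its ban expires
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        # Expire failures older than findtime: three slow attempts spread over
        # fifteen minutes must not trigger a ban when findtime is ten minutes.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


def ban_rule(ip: str) -> str:
    """A drop rule of the kind a ban action installs, rendered as text for
    illustration only; this example does not run it."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} ban {ip}: {ban_rule(ip)}")
```

With the defaults, only 203.0.113.7 is banned (three failures in eight seconds); the three failures from 198.51.100.22 are spread over thirteen minutes and fall outside the ten-minute window, which is the behaviour you want for a legitimate user who mistypes a password now and then. Widening findtime to 1800 seconds bans that address too, so the window, not just the count, decides how aggressive the jail is.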


