John Bartow
john at winhaven.net
Tue Mar 5 14:36:32 CST 2013
Yea, I agree. What's the difference if you go on site or via a secure remote connection? Just make sure you charge them for travel times, meals and other expenses and so on. Eventually the customer will either change the policy or accept that the cost of total paranoia is justified.

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Dan Waters
Sent: Tuesday, March 05, 2013 1:31 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Server Hardening? Really?

Hi John,

They do continue to support Aventail. I can use it to connect to their network to open a mapped folder on the server, but that's not much use when trying to update/maintain Visual Studio, Access, or SQL Server.

It is actually their intention that no one be able to log into the server remotely by any means. To me this is a very ham-fisted and self-destructive approach to security.

Dan

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of John Bartow
Sent: Tuesday, March 05, 2013 1:24 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Server Hardening? Really?

And they no longer allow that? If so they definitely need to replace it with something (that they support) that you can use.

jb

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Dan Waters
Sent: Tuesday, March 05, 2013 12:52 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Server Hardening? Really?

Hi Hans,

I should have said that I do connect using their VPN (Aventail) which does require a username and password. This is just for my access, and isn't public from the web.

Thanks!
Dan

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian Andersen
Sent: Tuesday, March 05, 2013 11:32 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Server Hardening? Really?

I would generally agree that it is a bad idea to have remote desktop accessible from the web. A better alternative is to set up a VPN or, at the very least, using port knocking to secure the server better from malicious background internet traffic.

Another alternative, which I use, is a tool on Linux called fail2ban, which monitors your logs for failed login attempts and bans any IPs that failed to login 3 times in the firewall. Works like a charm.

But, I wouldn't allow any service that doesn't need to be public to be accessible publicly in principle. It may seem safe today, but once a zero-day exploit comes around...

- Hans

On 2013-03-05, at 9:19 AM, "Dan Waters" <df.waters at comcast.net> wrote:

> One of my customers is a subsidiary of a larger company. That company
> has contracted with Computer Services Company (CSC) to provide
> computer and network services. (CSC was recently fired by the US Air
> Force for not fulfilling a contract to provide a large software
> system.)
>
> At my customer, CSC is doing what they call 'server hardening'. A
> consequence of this is that remote desktop access is no longer allowed
> - so I can no longer directly update or maintain the system I've built
> for them.
> Even my customer's employees have lost their remote access to this server.
> I have yet to figure out how to make this work. BTW, the folks at my
> customer have been infuriated by CSC's actions for a couple of years
> now and they are angrier than I am.
>
> So, I'd like to ask everyone if you believe that preventing remote
> desktop access is appropriate for server hardening. Or, what steps
> could be done to provide equivalently secure remote access?
>
> Thanks!
>
> Dan Waters
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com