[dba-Tech] Server Hardening? Really?

Hans-Christian Andersen hans.andersen at phulse.com
Tue Mar 5 15:55:09 CST 2013


I see.

Well, there could very well be legitimate reasons to be so heavy handed, but I imagine this would have to have been an agreement made between CSC and your customer's parent company - their assumption being that the data or service there is so important that it cannot be trusted in your hands.

My own concern regarding this setup would be who watches the watchmen? Who is able to say whether they are doing a decent job? And, does the parent company have a mitigation plan if CSC messes up or their contract dissolves?

Also, you could make a point about "server hardening" by cutting the network cable on the server box. :p

- Hans


On 2013-03-05, at 10:52 AM, "Dan Waters" <df.waters at comcast.net> wrote:

> Hi Hans,
> 
> I should have said that I do connect using their VPN (Aventail) which does
> require a username and password.  This is just for my access, and isn't
> public from the web.
> 
> Thanks!
> Dan
> 
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
> Andersen
> Sent: Tuesday, March 05, 2013 11:32 AM
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] Server Hardening? Really?
> 
> I would generally agree that it is a bad idea to have remote desktop
> accessible from the web. A better alternative is to set up a VPN or, at the
> very least, using port knocking to secure the server better from malicious
> background internet traffic. Another alternative, which I use, is a tool on
> Linux called fail2ban, which monitors your logs for failed login attempts
> and bans any IPs that failed to log in 3 times in the firewall. Works like a
> charm. But, I wouldn't allow any service that doesn't need to be public to
> be accessible publicly in principle. It may seem safe today, but once a
> zero-day exploit comes around... 
> 
> - Hans
> 
> 
> 
> On 2013-03-05, at 9:19 AM, "Dan Waters" <df.waters at comcast.net> wrote:
> 
>> One of my customers is a subsidiary of a larger company.  That company 
>> has contracted with Computer Services Company (CSC) to provide 
>> computer and network services.  (CSC was recently fired by the US Air 
>> Force for not fulfilling a contract to provide a large software 
>> system.)
>> 
>> At my customer, CSC is doing what they call 'server hardening'.  A 
>> consequence of this is that remote desktop access is no longer allowed 
>> - so I can no longer directly update or maintain the system I've built for
>> them.
>> Even my customer's employees have lost their remote access to this server.
>> I have yet to figure out how to make this work.  BTW, the folks at my 
>> customer have been infuriated by CSC's actions for a couple of years 
>> now and they are angrier than I am.
>> 
>> So, I'd like to ask everyone if you believe that preventing remote 
>> desktop access is appropriate for server hardening.  Or, what steps 
>> could be done to provide equivalently secure remote access?
>> 
>> Thanks!
>> 
>> Dan Waters
>> 
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com
> 
> 
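The fail2ban rule Hans describes above (watch the auth log, ban a source in the firewall after 3 failed logins) is simple to state but has two details worth seeing in code: failures only count if they fall within a time window, and a banned source produces no further log lines because the firewall is already dropping it. The following is an added example written for this page; it is neither fail2ban's own code nor anything posted in the thread. It re-implements that per-source counting in Python over constructed sshd log lines (hostname, addresses and the year 2013 are all made up, since syslog timestamps carry no year), using fail2ban's parameter names maxretry, findtime and bantime, and emits a plain iptables DROP rule per ban rather than the chain and target fail2ban's real banaction would use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd auth log lines (syslog format); hostname and
# addresses are documentation-range values, not data from the thread.
SAMPLE_LOG = """\
Mar  5 10:31:02 db1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  5 10:31:05 db1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  5 10:31:09 db1 sshd[2104]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  5 10:31:10 db1 sshd[2104]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  5 10:40:00 db1 sshd[2130]: Failed password for dan from 198.51.100.3 port 40001 ssh2
Mar  5 10:40:30 db1 sshd[2131]: Accepted publickey for dan from 198.51.100.3 port 40002 ssh2
Mar  5 11:05:00 db1 sshd[2200]: Failed password for dan from 198.51.100.3 port 40010 ssh2
Mar  5 11:05:10 db1 sshd[2200]: Failed password for dan from 198.51.100.3 port 40010 ssh2
"""

# Matches OpenSSH's "Failed password" line for both valid and invalid users.
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2013):
    """Return (timestamp, ip, user) for every failed-login line.

    Syslog timestamps carry no year, so one is assumed (2013 here).
    """
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def find_bans(events, maxretry=3, findtime=600, bantime=3600):
    """Sliding-window failure counting per source IP, fail2ban style.

    An IP is banned when it reaches maxretry failures within the last
    findtime seconds; the ban lasts bantime seconds. Returns a list of
    (ip, ban_time) in the order the bans were triggered.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned_until = {}             # ip -> datetime at which the ban expires
    bans = []
    for ts, ip, _user in sorted(events):
        # A banned source is dropped by the firewall, so its later
        # attempts never reach sshd or the log; skip them here too.
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        # Expire failures older than findtime relative to this attempt.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            window.clear()
    return bans


def ban_commands(bans):
    """Firewall rules to apply, one plain DROP per banned source.

    fail2ban's real banaction uses its own chain and target; a bare
    INPUT DROP is used here as the simplest equivalent (assumption).
    """
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, _ in bans]


if __name__ == "__main__":
    bans = find_bans(parse_failures(SAMPLE_LOG))
    for ip, when in bans:
        print(f"{when.isoformat()} banned {ip}")
    for cmd in ban_commands(bans):
        print(cmd)
```

With the defaults, 203.0.113.7 is banned at its third failure (10:31:09) and its fourth attempt is never counted; 198.51.100.3 is not banned, because its first failure at 10:40 has aged out of the 600 s window by the time the two at 11:05 arrive. Widening findtime to an hour bans it as well, which is the knob to reason about when choosing a threshold. None of this changes Hans's closing point: a ban rule limits password guessing against the exposed service, but does nothing for a zero-day in the service itself, which is why he prefers not exposing it at all.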
