Suggestions for utils to stop file changes on IIS server



Suggestions for utils to stop file changes on IIS server nospamjunketc NO[at]SPAM earthlink.net
6/30/2004 9:33:46 AM
The server is running IIS 6.0, has the WS2k3 f/w enabled and is protected by
an SPI firewall, however, I'm still a bit paranoid.

Anyone have good recommendations for reliable enterprise-class programs that
can wrap another layer around the OS and let me know if/when files are
changed or simply stop file change attempts?

I looked at www.Sygate.com products but they have a min 25 license
requirement for server products!

TIA!

Re: Suggestions for utils to stop file changes on IIS server Alun Jones [MSFT]
6/30/2004 10:06:01 AM

It sounds like you're saying that NTFS permission protection, strong though
it is, is not going to be strong enough for your desires.

Maybe what you need is a hard drive with a hardware write-protection jumper
switch, so that you can set up your web site, shut down your server, set the
jumper to write-protect, then power it up.

You would need to do some serious testing to make sure that you don't
inadvertently store files that need to be written to on the read-only
medium.

And, of course, since there's going to be some writable component in your
machine (even if it's only RAM), there's still a remote possibility that the
machine could be exploited.

An easier recommendation to follow would be to keep yourself aware of new
security threats (http://www.microsoft.com/security is a very good place to
start), patch as soon as you can (testing patches before rollout is often a
good idea, we test thoroughly, but there's always a chance for interaction
with any software or hardware or configuration that you have, but which
isn't replicated in our testing lab), and look into running intrusion
protection software - antivirus, IDS, etc. And keep regular backups, so
that you can restore the site to pristine state if something does go wrong
(note that "wrong" there includes hackers as well as physical accidents -
dead hard drives, flooding, etc)

Alun.
~~~~

Re: Suggestions for utils to stop file changes on IIS server Alun Jones [MSFT]
6/30/2004 1:00:39 PM

I think the key phrase here is "still a bit paranoid".

Software is vulnerable to anything that can hack software. If an attacker
can become admin, then your machine's software operations belong to him
entirely.

Hardware is vulnerable to anything that software can tell it to do (which
isn't usually all that much), offset by the hardware's own limits and
physical presence requirements. [For instance, yanking a cable stops a
download, no matter how good the software is.]

If setting NTFS permissions to make the web site read-only to everyone isn't
going to be enough, then you've assumed already that your attacker can
change those permissions as much as he wants - in other words, your attacker
is expected to have compromised an admin account, or the account that owns
the web site. Once that's happened, no software is going to protect you.

However, software can certainly help to prevent an attack from reaching that
stage, and there's all manner of intrusion detection software, site
monitoring software, etc. One thing to consider is simply checking the
content over the web every so often, to make sure it hasn't changed without
authorisation.

Alun.
~~~~

Re: Suggestions for utils to stop file changes on IIS server jeff.nospam NO[at]SPAM zina.com
6/30/2004 7:05:37 PM
On Wed, 30 Jun 2004 09:33:46 -0700, <nospamjunketc@earthlink.net>

You mean those pesky Windows accounts and file/folder permissions
don't give you what you need? Along with auditing to see what's
changed? Plus shadow file copies so you can easily revert back?

Re: Suggestions for utils to stop file changes on IIS server Dave
6/30/2004 8:36:17 PM
make an image that runs off a cdrom... voila! no more possibility of
changing files!


Re: Suggestions for utils to stop file changes on IIS server nospamjunketc NO[at]SPAM earthlink.net
7/1/2004 1:02:08 AM
Come on Alun, I had expected to receive productive, real-world suggestions,
not defensive, pie-in-the-sky, half-hearted, impractical blather from, of
all people, a Microsoft employee.

How's this for a retort... There are 500 web servers... Would you please
spend your evenings checking each site to ensure nothing has changed. Don't
forget about the weekends too!

Not too easy, is it?! It obviously calls for an automated solution...



Re: Suggestions for utils to stop file changes on IIS server srock
7/1/2004 11:18:22 AM
Hi,

you should look into a file integrity checker such as Tripwire for servers
(http://www.tripwire.com/) which is an Enterprise-class tool. I'm planning
to eval it in the near future as I manage sites that have as many as 2
million files.

hth



Re: Suggestions for utils to stop file changes on IIS server alunj NO[at]SPAM online.microsoft.com (
7/1/2004 5:02:37 PM

Other people in this thread have already suggested possible automated
solutions for you. I've suggested hardware solutions that would make it
easier for you to trust that the information _cannot_ change, no matter how
much you distrust the OS.

A search for "Integrity Check" at your favourite web search engine should
deliver up a half-dozen possibilities.

Jeff Cochran's post started in the direction of "how secure is secure
enough?", and I posted something more philosophical than directly addressed
to your individual needs. Usenet threads do tend to diverge like that,
because this is a public discussion system, rather than a support channel
geared to solve your direct problem and nothing else.

Feel free to ignore that portion of any discussion thread that doesn't
address what you're looking for.

I'm sorry that you felt my tone seemed "defensive" - I was aiming more for
"realistic", acknowledging that if your basic assumption is that the OS
cannot be trusted, then any software you install on that OS is similarly
untrustable. Yes, it's philosophical, particularly in that it applies to
all systems, not just those from Microsoft - if I'm being defensive at all,
I'm defending the entire software industry, by noting that there are some
limits to what software can do.

Alun.
~~~~

Re: Suggestions for utils to stop file changes on IIS server Karl Levinson [x y] mvp
7/5/2004 10:12:43 AM
I strongly recommend a file integrity checker. This is a very good way to
detect when your server has been hacked [in addition to monitoring firewall
logs and using IDS such as snort]. However, tripwire for Windows is not
free. Free alternatives for Windows include Osiris and SIM from www.gfi.com.
SIM is easy to use, when it works... but on some computers it doesn't work.


