Re: BEFVP41 -2003 SBS Help Please
From: MarkC (mark_at_mrccit_nospam.com)
Date: 08/18/04
- Next message: Neil Jarman: "Re: need to add second mail address - SBS 2003"
- Previous message: Neil Jarman: "Re: public folder not getting email"
- In reply to: Jeff Middleton [SBS-MVP]: "Re: BEFVP41 -2003 SBS Help Please"
- Next in thread: Lino: "Re: BEFVP41 -2003 SBS Help Please"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 18 Aug 2004 09:43:36 -0400
Thanks Jeff! I'm going to keep your reply and laminate it. Really! As I
said to Lino, there are many reasons and you have clearly articulated the top
reasons. My favorite is the account lockout policy and the fact that SBS
will notify you when a lockout occurs. This happened on one of my SBS
servers yesterday.
Thank you for sharing your wisdom and time with the group!
MarkC
"Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
news:%23oCq7JShEHA.592@TK2MSFTNGP11.phx.gbl...
> Couple of things to keep in mind about exposed ports, VPN, and security
> concerns:
>
>
> + 1723 is authentication, it doesn't pass the data stream. Therefore, you
> only get to talk to the authentication code. It's a very small amount of
> code, not likely to be hacked, rarely has it been mentioned in vulnerabilities
> (read: bugs, buffer overruns, etc.) It's not likely to be "busted open".
> + VPN data travels on a GRE port opened only on demand following
> authentication, and it's fully encrypted if you follow best practices, and
> a point to point link that is hard to fake or intercept as a stream in
> real-time.
> + 1723 is an authentication port, if someone authenticated, they get in.
> That's the purpose of the port. Therefore, you want to make sure that you
> use strong passwords for any account you grant Dial-in/Logon Remote
> permissions.
> + With Windows as the authenticator, password guessing on 1723 can be
> prevented by policy which disables logon for a period of time after 3 or
> 10 bad attempts. This can be set differently for Dial-in than for local
> logon.
> + If you prevent a hacker from having more than a couple of tries, they
> can't dictionary attack without triggering Security Audit alerts you can
> monitor.
> + As always, web security isn't accomplished by simply locking every port
> out that is possible, it requires monitoring the use of any open ports.
> Detection and Auditing are not options, they are part of the security
> concept.
>
> The biggest risk of VPN exposed ports is that someone will use a much
> lower level security breach to gain a username/password combo, then return
> to try it on the VPN. For instance, if you don't properly protect your
> Exchange server from relay, you can have username guessing performed against
> it by a hacker simply attempting relay mail by authenticating with a username
> they know or suspect is good. When the email finally relays, they know they
> have found a username/password match. If that same user has VPN rights, then
> they have an authcode for the VPN.
>
> The way you prevent that from happening to you is with best practices:
>
> + Monitor exposed authentication ports and processes, or lock them down.
> + Change passwords frequently on user/pass combos that are exposed to the
> public, and high-speed connection authentications (that could be dictionary
> attacked). This shortens the time cycle required to guess and breach in a
> slow attack method.
> + Beat your users into submission. Do not share passwords or use them in a
> casual manner. Don't use your phone number. Don't use one as your secret
> word at the bank, the gym, your house alarm, your AOL account, your PC at
> work, your VCR....and above all, don't write it down where people can
> glance at it and steal it.
> + Monitor exposed authentication methods for inappropriate activity
> + Did I mention monitoring?
>
>
>
>
> "1723 port Attacked Lino" <1723 port Attacked
> Lino@discussions.microsoft.com> wrote in message
> news:28F47CA1-1746-4EDD-9CA1-6901DD725892@microsoft.com...
> > Mark,
> > Is there any way that port 1723 could be attacked from the Internet/public
> > network? For example, by using Nmap from a Linux or Windows version, some
> > "bad guy" out there could see that PPTP is open and not filtered... I have
> > not tried to attack it myself, therefore I'm not confident enough to
> > implement this method.. could you help?
> > (As you know, with the Hping2 program there is nothing you could hide, your
> > port or how many interfaces/NICs the server has if it has a public IP
> > address)
> > Lino
> >
> > "MarkC" wrote:
> >
> > > You are better off using the SBS to manage the vpn sessions for many
> > > reasons.
> > > MarkC
> > >
> > >
> > > "Lino" <Lino@discussions.microsoft.com> wrote in message
> > > news:08794185-41A9-42A2-88AB-8FAFBEAFB6D5@microsoft.com...
> > > > Please comment:
> > > > Method 1: VPN Internet User --> Linksys VPN --> SBS 2003
> > > > Figure: on the VPN box enable PPTP Pass Through and Port Forwarding of
> > > > 1723 to SBS 2003.
> > > > Outcome: This method is okay, it works fine. But VPN authentication
> > > > is handled by SBS 2003, not by the Linksys VPN router itself. In this
> > > > case I don't see the effectiveness of this VPN.
> > > >
> > > > --> Help/Comment: How could I set it up so that the Linksys VPN box
> > > > handles the authentication, as I know it should be IPSec?
> > > >
> > > >
> > >
> > >
> > >
>
>
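The two mechanisms Jeff's reply leans on, a lockout policy that disables logon after a fixed number of bad attempts within an observation window, and audit alerts raised when that happens, can be modelled end to end. The following is an added example written for this page, not code from the thread or from SBS 2003 itself; the credential table, the attacker and client addresses (TEST-NET ranges) and the wordlist are all constructed, and the threshold/window/duration values stand in for whatever Account Lockout Policy settings an administrator actually chooses. It replays a small dictionary attack against a PPTP-style account where the correct password is the sixth guess, and shows why the lockout matters: the guess is never accepted, and the monitor sees both the lockout and the attempts made while locked.

```python
"""Account lockout policy plus failed-logon monitoring, modelled in Python.

Constructed example: N bad attempts within an observation window lock the
account for a fixed period; a monitor records the audit alerts an admin
would be paged on. Not SBS/RRAS code, just the policy logic it describes.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5                                      # bad attempts before lockout
    observation_window: timedelta = timedelta(minutes=30)   # older failures are forgotten
    lockout_duration: timedelta = timedelta(minutes=30)     # how long logon stays disabled


@dataclass
class AccountState:
    failures: Deque[datetime] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: Optional[datetime] = None


class LockoutEnforcer:
    """Toy authenticator: checks a constructed user->password table under a LockoutPolicy."""

    def __init__(self, policy: LockoutPolicy, passwords: Dict[str, str]) -> None:
        self.policy = policy
        self.passwords = passwords                  # constructed credential table, not real accounts
        self.state: Dict[str, AccountState] = defaultdict(AccountState)
        self.alerts: List[str] = []                 # what an audit monitor would raise

    def attempt(self, when: datetime, user: str, password: str, source: str) -> str:
        """Return 'success', 'fail', 'lockout' (this attempt tripped it) or 'locked' (refused)."""
        st = self.state[user]
        if st.locked_until is not None and when < st.locked_until:
            # Even a correct password is refused while locked: no password oracle for the attacker.
            self.alerts.append(f"{when:%H:%M:%S} attempt on LOCKED account {user!r} from {source}")
            return "locked"
        # Forget failures that fell outside the observation window.
        while st.failures and when - st.failures[0] > self.policy.observation_window:
            st.failures.popleft()
        if self.passwords.get(user) == password:
            st.failures.clear()
            return "success"
        st.failures.append(when)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = when + self.policy.lockout_duration
            st.failures.clear()
            self.alerts.append(f"{when:%H:%M:%S} LOCKOUT {user!r} after "
                               f"{self.policy.threshold} failures, last from {source}")
            return "lockout"
        return "fail"


def run_demo() -> Tuple[List[str], List[str]]:
    """Replay a constructed dictionary attack and one legitimate typo; return (outcomes, alerts)."""
    policy = LockoutPolicy(threshold=5)
    enforcer = LockoutEnforcer(policy, {"mark": "C0rrect-Horse-Battery", "lino": "Tr0ub4dor&3"})
    t0 = datetime(2004, 8, 17, 23, 15, 0)
    attacker = "203.0.113.7"                        # constructed (TEST-NET-3) source address
    # Attacker's wordlist: the real password is the 6th guess, but the 5th failure locks the account.
    wordlist = ["password", "mark", "mark2004", "letmein", "summer04",
                "C0rrect-Horse-Battery", "qwerty"]
    stream = [(t0 + timedelta(seconds=10 * i), "mark", pw, attacker)
              for i, pw in enumerate(wordlist)]
    # A legitimate user mistypes once, then succeeds: one failure, no lockout, no alert.
    stream += [(t0 + timedelta(minutes=2), "lino", "Tr0ub4dor&4", "198.51.100.9"),
               (t0 + timedelta(minutes=2, seconds=30), "lino", "Tr0ub4dor&3", "198.51.100.9")]
    outcomes = [enforcer.attempt(*event) for event in stream]
    return outcomes, enforcer.alerts


if __name__ == "__main__":
    results, raised = run_demo()
    print(results)
    print("\n".join(raised))
```

Two design points worth noting. Failures are tracked per account rather than per source, which is what Windows does and is why the policy still bites when an attacker rotates addresses; and the lockout is enforced before the password is compared, so a correct guess made while locked yields the same "locked" answer as a wrong one. Lowering the threshold to the "3 or 10" Jeff mentions, or lengthening the window, only changes the numbers; the shape of the alert stream an administrator should be watching stays the same.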