Re: Security Question
- From: "Dana Epp" <dana@xxxxxxxxxxx>
- Date: Wed, 08 Nov 2006 19:04:27 GMT
Why is water wet? Seeking for such an answer will end with the same result
as your question. It's a valid question with merit, but is too broad to be of
any intrinsic value.
I would guess what you really want to know is if you have an information
disclosure issue that needs to be plugged, where usernames can easily be
discerned. The reality is that a competent adversary may be capable of
getting a username; it is entirely different to also obtain the credentials
for that account if it is managed correctly.
From an information security perspective, if you are concerned about the
weaknesses with static reusable passwords for administration accounts,
consider adding more technical safeguards that can both defend against
attack vectors of this type, and provide strong audit facilities. Strong
two-factor authentication may be of use here. As would controlling network
access to the resource in the first place. If you are forced to expose a
service logon where an admin account can be used, provide access control at
the perimeter (IP restrictions at the firewall may be enough) to
significantly reduce the risk and damage potential.
Let's face it... changing the username of an administration account has some
merit, but little intrinsic value over the application of technical
safeguards that can actually provide another layer of security that can be
controlled. Security by obscurity on its own does very little.
As a final point to your question on how they obtained the username in the
first place, it would depend on where the attacking source is coming from.
Were they able to see an email where the new admin name was used (i.e. daily
reports)? Could the attacker STAT the exchange server and retrieve
verification of the account? Could an administrator have been sloppy and
performed a logon sequence from an untrusted computer that may have captured
the credentials? There are many ways for such information disclosure to be
caught. Instead of fretting about that, assume that it IS caught. What now?
It is that sort of higher thinking that has more value... since you can then
assess the real threats to your business and mitigate the risk to what you
find acceptable.
Yes, my rambling is long and tedious. This topic is one of the reasons I
believe in strong authentication so much, and have a passion to find a
solution for the SMB space. Protecting your information assets on single
static credential alone in this day and age of the Internet is something I
think needs to be fixed. But we can leave that debate to another day. :)
--
Dana Epp [Security MVP]
http://silverstr.ufies.org/blog/
"cjobes" <cjobes@xxxxxxxxxxxxx> wrote in message
news:%23I2lDv0AHHA.144@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,
A first for me, so I would like to get some feedback from other admins.
As a standard, we always change the Administrator account name to
something else. For the first time we had a breakin attempt at one of our
clients (SBS2003/ISA2004) that was using the correct renamed admin account
name. Now, the password is pretty complex but I still don't like the fact
that 50% of the safeguard is out there. Does anybody have an idea how an
outside hacker would be able to obtain that username?
--
Claus
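The reply above argues for two technical safeguards over a renamed account name: strong audit facilities, and perimeter IP restrictions on any exposed logon service. The script below is an added example, not code from either poster, showing what the audit side of that looks like in practice. It parses a small batch of failed-logon records, counts failures per (account, source address), and raises a critical alert when a renamed administrative account is being tried from an address the firewall allowlist should never have let through; that is exactly the "assume the name IS caught, what now?" case. The record format, the account names (`sbsroot`), the addresses and the allowed networks are all constructed for the example; the event ids 529 (Windows 2000/2003) and 4625 (Windows Vista/2008 and later) are the real Security-log ids for a failed logon.

```python
"""Added example: triage of failed-logon events for a renamed admin account.

Not code from the original thread. The log format, account names and
addresses below are constructed; only the event ids are real.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed records, not real Event Viewer output. Fields:
#   timestamp | event id | account name | source address
# 529  = Windows 2000/2003 "Logon Failure: Unknown user name or bad password"
# 4625 = the equivalent id on Windows Vista/2008 and later
SAMPLE_LOG = """\
2006-11-08T18:41:02|529|sbsroot|203.0.113.45
2006-11-08T18:41:04|529|sbsroot|203.0.113.45
2006-11-08T18:41:07|529|sbsroot|203.0.113.45
2006-11-08T18:41:09|529|sbsroot|203.0.113.45
2006-11-08T18:42:10|529|jsmith|192.168.16.22
2006-11-08T18:42:15|529|jsmith|192.168.16.22
2006-11-08T18:42:21|529|jsmith|192.168.16.22
2006-11-08T18:45:30|529|sbsroot|192.168.16.5
2006-11-08T18:50:00|529|administrator|203.0.113.45
"""

FAILED_LOGON_IDS = {"529", "4625"}

# Assumption: the renamed built-in administrator is called "sbsroot"; the
# old default name is kept in the set so that attempts against it are flagged too.
ADMIN_ACCOUNTS = {"sbsroot", "administrator"}

# Assumption: admin logons are only permitted from the client LAN and a
# management VPN range; anything else should already be blocked at the firewall.
ALLOWED_NETWORKS = [ip_network("192.168.16.0/24"), ip_network("10.99.0.0/16")]


@dataclass(frozen=True)
class FailedLogon:
    timestamp: str
    event_id: str
    account: str
    source: str


def parse_failed_logons(text):
    """Parse the constructed pipe-separated export, keeping only failed logons."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split("|")
        if event_id in FAILED_LOGON_IDS:
            events.append(FailedLogon(ts, event_id, account.lower(), source))
    return events


def is_allowed_source(source, allowed=ALLOWED_NETWORKS):
    """Perimeter check: would the firewall allowlist have let this address in?"""
    addr = ip_address(source)
    return any(addr in net for net in allowed)


def failures_by_account_and_source(events):
    """Count failures per (account, source address) pair, in first-seen order."""
    return Counter((e.account, e.source) for e in events)


def triage(events, admin_accounts=ADMIN_ACCOUNTS, allowed=ALLOWED_NETWORKS, threshold=3):
    """Return one alert per (account, source) pair, most severe first.

    critical: an admin account tried from outside the allowlist. The name has
              leaked AND the perimeter rule is missing or bypassed.
    high:     a guessing burst (>= threshold failures) against any account.
    info:     a few failures from inside the allowed networks (probable typo).
    """
    alerts = []
    for (account, source), count in failures_by_account_and_source(events).items():
        if account in admin_accounts and not is_allowed_source(source, allowed):
            severity = "critical"
        elif count >= threshold:
            severity = "high"
        else:
            severity = "info"
        alerts.append({"severity": severity, "account": account,
                       "source": source, "count": count})
    rank = {"critical": 0, "high": 1, "info": 2}
    alerts.sort(key=lambda a: (rank[a["severity"]], -a["count"]))
    return alerts


if __name__ == "__main__":
    for a in triage(parse_failed_logons(SAMPLE_LOG)):
        print(f'{a["severity"]:8} {a["account"]:15} {a["source"]:16} failures={a["count"]}')
```

Run on the constructed batch, the four `sbsroot` failures from 203.0.113.45 come out as critical even though the same count from an internal address would only be "high": the point is that the source address, not the account name, is the control you can actually enforce and audit.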