Windows Security Concerns
Sep 14, 2007
I am concerned about securing a Windows server without the use of a hardware firewall.
I have an idea as follows:
1) have a dedicated server running Linux
2) run VMware Server edition on this Linux box to host the Windows 2003 server.
3) use iptables etc to secure the outer Linux layer (only allowing required ports through to the Windows box etc)
What does everyone think - is this a potential runner? Am I overdoing things?
Jul 29, 2008
Unlike earlier versions of Microsoft Windows Server, the 2008 version gives you a default logon screen that is very similar to Vista. Instead of the interactive dialog box that prompts you for a username, password, and sometimes domain, users will find a “push button” screen displaying all users with login permissions. To log into an account all the users will now need to know is the password. This makes things much easier for hackers as the only thing they will now need to guess is the password.
There are a couple of ways to resolve this problem. First, the server administrator can set the local security policy to not display the last username and disable fast user switching. Second, in the System Remote Settings dialog, the remote desktop options can be set to allow computers with Remote Desktop that support Network Level Authentication.
Since the first method is covered in a few blogs, I’ll limit myself to discussing the second method. In the latest versions of Remote Desktop Connection client (version 2.0 for Mac and the version shipped with Windows Vista), Network Level Authentication is supported. This means users must send the username and password before Windows 2008 accepts the connection. Earlier versions of RDC (like the one found in many installations of Windows XP) don’t support NLA. So technically, users will only need to supply the IP or domain name of the remote Windows server, leave the username and password blank, and interact with the logon process that is provided at connection time. Windows 2008 servers that do not have the NLA option set for remote desktop connections are vulnerable since the interactive logon screen (post-connection) is displayed to users using earlier versions of RDC.
This last point may be of significance to service providers offering Windows 2008 dedicated servers. If the server is set up with default settings, the NLA option is disabled and new users will by default be made to change passwords on first logon. Users using new versions of RDC will not be able to logon because the initial password change sequence on first logon is not compatible with NLA. The server will return an incorrect password message to the RDC client even though the user has provided the correct username and password. The only way to establish first connection is thus to use a non-NLA supporting version of RDC so that the user can establish connections without supplying credentials and then going through the password change wizard during the initial login. But as mentioned, having NLA disabled on server side is not an ideal practice at this point.
So there are a couple ways to do this. The service provider should disable the “change password on next logon” option during the user creation process and get user to manually change the password after logon. Or alternatively, assist the client/user in changing passwords through the console internally.
Oct 16, 2009
I'm starting to test out VPS panels and found vePortal 2. I purchased it and installed it. Now I'm checking some security, as we all know about the terrible result of HyperVM as everyone blindly used it because it was "pretty" but it was not secure.
Some serious concerns I'd like to share with vePortal 2.
1) It makes no backups of any of the files it modifies during install, or so I haven't seen any, like httpd.conf.... more of a pain than anything. There is no way to auto uninstall it either..
2) vePortal gives full root access to the Apache user, letting apache run any root commands!
They add this to your /etc/sudoers
apache ALL=(root) NOPASSWD:ALL
[root@nd11108 myadmin]# su -s /bin/sh apache -c "whoami"
apache
[root@nd11108 myadmin]# su -s /bin/sh apache -c "sudo whoami"
root
This is a root exploit waiting to happen. I asked them about this and got the response.
Quote:
It would be a security breach if a) apache was allowed SSHD Access, or b) the server was running scripts that haven't been marked secure, We have a very comprehensive team of beta testers including one of the largest providers around, They and their staff have not been able to break the security or integrity of the panel as of yet.
All panels in one way or another have root control over the system, for example they wouldn't be able to have a SSH Console without it, as only specified commands would work, we do have a list of the commands required by vePortal if you wish to limit it, but the console and the Shell Commander functions would stop working.
Regards,
Gavin H.
Chief Information Officer
That's funny I have been using the panel a few minutes and already found they've ignored the biggest security hole possible..
3) In 5 minutes I've found multiple XSS vulnerabilities in the admin area... Like search customers, I was able to generate JavaScript alerts in multiple fields....
4) It stores the MySQL root password in clear text in a .php file... yeah that's real secure. Why does it even operate under the MySQL root user, it's using a single database....
5) I forgot to add, it doesn't recognize ANY OpenVZ Vps's you've created manually. It has no idea they exist and you cannot view them at all.
I'm sure I could dig deeper into the source code and find more but it's not worth it. Judging by what I found without actually trying to spend time on security I completely removed the product.
The panel does look nice but it sure gets a mark of insecure for me, I would advise others seriously look into the security of this new panel if you're considering using it.
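An added example (not part of the original post and not vePortal code): a small Python audit that flags sudoers rules like the `apache ALL=(root) NOPASSWD:ALL` line quoted above, where a daemon account gets passwordless root for every command. The service-account list, the sample file and the `placeholder` command path are assumptions made for illustration; aliases and included files are not resolved.

```python
import re

# Accounts that run network-facing daemons. Assumed list for this example.
SERVICE_ACCOUNTS = {"apache", "httpd", "www-data", "nginx", "nobody"}

# who host = (runas) command-list
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def logical_lines(text):
    """Yield sudoers lines with continuations joined, comments and blanks dropped."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_rule(line):
    """Return (who, runas_users, [(command, nopasswd)]) or None for non-rule lines."""
    if line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    who, _host, runas, rest = m.groups()
    runas_users = [u.strip() for u in (runas or "root").split(":")[0].split(",")]
    commands, nopasswd = [], False
    for item in rest.split(","):
        item = item.strip()
        # A tag such as NOPASSWD: applies to every later command in the list
        # until PASSWD: switches it off again.
        while (tag := TAG_RE.match(item)):
            if tag.group(1) == "NOPASSWD":
                nopasswd = True
            elif tag.group(1) == "PASSWD":
                nopasswd = False
            item = item[tag.end():]
        commands.append((item, nopasswd))
    return who, runas_users, commands


def audit(text):
    """Return (severity, who, detail) for each passwordless run-anything-as-root rule."""
    findings = []
    for line in logical_lines(text):
        rule = parse_rule(line)
        if rule is None:
            continue
        who, runas_users, commands = rule
        as_root = any(u in ("root", "ALL") for u in runas_users)
        for cmd, nopasswd in commands:
            if cmd == "ALL" and as_root and nopasswd:
                if who in SERVICE_ACCOUNTS:
                    findings.append(("critical", who, "service account has passwordless root for ALL commands"))
                else:
                    findings.append(("high", who, "passwordless root for ALL commands"))
    return findings


# Constructed sample; the apache line is the one quoted in the post.
SAMPLE = """\
Defaults    requiretty
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
apache  ALL=(root) NOPASSWD:ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        /bin/tar
"""

if __name__ == "__main__":
    for severity, who, detail in audit(SAMPLE):
        print(f"{severity:8} {who:8} {detail}")
```

A rule restricted to named commands, which is what the vendor's reply offers as an option, produces no finding.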
Jan 7, 2009
I have some concerns with hosting an external URL. I have these two websites www.benchmarkportal.com and www.bmponlinestore.com and my question is, is it possible for www.bmponlinestore.com to launch if ever I click on www.benchmarkportal.com/store/ url with the url name unchanged meaning it won't change to www.bmponlinestore.com?
scenario:
step : when I click on www.benchmarkportal.com/store/
result: the contents of www.bmponlinestore.com shows up but without changing the url name(the url will still be www.benchmarkportal.com/store/)
May 8, 2007
I have been involved in the development of a complex PHP web application that does very large amounts of processing, includes several files with thousands of lines of code, does multiple and complex db queries etc. So far it has been running only on non-public development servers and has been surprisingly fast given what it does.
But I am concerned about what might happen when it is time for it to start running on a website with many users.
Is there a way to estimate in advance how serious that problem may be?
Jul 26, 2008
so let's get this all hashed out... it'll be interesting to see how people handle various situations.
Before responding, let's keep this thread signature free.
I recently came across an issue where a customer wanted to bring their own Microsoft products/licenses to the table. Got a few questions for the other providers out there... this really needs to be hashed out.
Microsoft is very strict when it comes to enforcing their license policies, we all know this much.
So... when a customer wants to install their own software, what do people do to help ensure that whatever agreement you have with your upstream provider or Microsoft isn't in violation by allowing someone to bring their own licenses?
What steps do you take to ensure validity of said licenses?
How do you define, much less enforce, these guidelines?
What role, if any, should a provider play in doing their part to help stem illicit license abuse?
Nov 7, 2008
I am hosting IPTV (internet TV) which might have copyright issues.
How to host a website without copyright concerns (might be in China or Russia)?
Mar 1, 2007
I have just finished testing with my HP DL380 G3 server and I have been looking at different companies / facilities to ship it off to for co-location.
How do you ease your own concerns of hardware failures on the server (aside from HDD which are easy to replace) when it is so far away.
I control a datacenter / networking environment for my company, so I have immediate access to any of our gear that breaks, but I will not be co-locating within our facility for obvious reason.
Are most people using left over Dell / Compaq / HP stuff or custom builds? I went with HP because of the built-in iLO capability to lessen the need for so much remote hands in the event of a reboot etc.
I guess the biggest thing that is worrying me right now is a catastrophic hardware failure such as motherboard / cpu. All others can be quickly fixed (HDD, RAM, etc), but with a motherboard / cpu failure, the extended downtime can be long while spares are ordered / shipped.
Mar 2, 2007
I'm not a Windows security expert, so I'm hoping I can get some help here.
I have a test server running Windows 2003 server (latest updates), php5 (using isapi) and IIS 6.
I copied over a php cms and ran the install script. It is telling me that all the Directory and File Permissions it checks are writable. The thing is I have not set up the security for these directories yet. I have not added the iis user to any groups or changed anything from the default install of Windows 2003. How can these directories be writable?
I went through the install anyways thinking that maybe the install script was reporting it wrong, it wasn't. It was able to create the configuration file fine and it had given the iis user full control over the file. I double checked the website directory and it does not have iis listed in the security tab and the iis user does not belong to any groups except guest.
In the Advanced section of the security tab for the config file of the cms it said that the iis user inherited its security from c:. I checked c: and all directories down to configuration.php and the iis user is not listed in the security tab so I am not sure how it is inheriting anything.
Jul 1, 2008
I was in a shared hosting environment for 2 years. Due to performance problems with my website I have moved to a Windows VPS with Plesk 8 control panel. All of a sudden I am very much worried about my site's security. How vulnerable and volatile is one's security in a Windows VPS environment? Is there anything I can do from Plesk to tighten security of my VPS so that my site cannot be hacked or can be safe from any damage?
Is there any guide or tutorial which can guide me to do some settings in Plesk to make my site secure?
Although I have admin access I rarely do anything but ftp and create or modify or read email and accounts.
May 10, 2008
I've been reading these forums for a while now... a lot of very interesting and useful stuff. However, I've always been happy with the hosting of my site until recently, and have never had a pressing reason for wanting to change.
However, I recently had a four day outage to my site. The hosting company (which shall remain nameless, for now) put this down to a security problem which meant they had to take down the shared Windows server and go through all the sites on the server looking for the site that had bad code which caused the security outage. I also had problems with malicious javascript being injected into my pages prior to this.
I quote from the hosting company "Unfortunately this is a shared hosting solution and by its very nature, it means that poor code affects all sites on that web server. .... The vulnerabilities of ASP, MS-SQL and .Net are well documented." They then proceeded to try to sell me a dedicated server (which I believe will likely be too expensive for my needs).
I'm no expert on hosting, but this doesn't sound right to me. Is all Windows shared hosting afflicted with these kinds of security problems? Or only when it's not set up right? I need reliability, but not absolute 100% bulletproof uptime if it comes with a dedicated server pricetag. I do need to avoid outages of a number of hours/days (!!) however.
Hopefully one of the experts here can put me right. I can't believe that Windows hosting security is that bad that no company can have a shared hosting product that avoids the aforementioned problems. What do you think?
Jun 17, 2009
I would like to setup a new dedicated server with the following:
- Windows Server Standard 2008 64bit Edition
- Plesk control panel
Questions:
Anyone know of a thorough tutorial on securing/optimizing a Windows 2008 server (even with Plesk) for a shared hosting environment?
Other?'s:
Considering Plesk's rip-off pricing, any free and quality alternatives to their products?
- plesk dr.web antivirus
- acronis trueimage backup
- plesk powerpack (I guess $24.99/mo lease isn't too horrible)
I basically want to replicate a Cpanel shared/reseller hosting environment, but with Plesk since Cpanel for Windows is not yet available and been delayed forever.
Jan 24, 2014
After clicking webadmin, it shows a security warning confirmation box as follows on Firefox ...
Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?
And if I click "OK", the page displays a "Server not found" error
[URL] ...
Apr 4, 2008
I run a web hosting company and one of my servers is a LAMP server running CentOS 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than its parent but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
Oct 2, 2008
I was actually curious about this since Windows 2008 version came out.
What is the difference between Windows media services on Windows 2003 and Windows 2008?
Jul 16, 2009
I have regarding hosting/designing my application. Users of my website upload highly sensitive files to the server. I'll use SSL but will that be enough since the files are not encrypted on the server. I tried to encrypt the files but that is adding a huge overhead.
My first question is - is it a good idea to store the files on the server rather than a database? My other question is regarding hosting; I'm thinking of building my own server and hosting it in a colo. Is colo more secure than dedicated hosting? Currently I'm still in the process of developing my App and my environment is Windows Server 2008/SQL Server 2005.
Feb 9, 2007
Are there any problems with having duplicate rules in different files? I have downloaded some rules and am going to make them all into one file to give me the best protection, but this is going to take time and I really need some sort of protection now.
Aug 25, 2007
After installing ConfigServer Firewall I get the following ...
ConfigServer Security & Firewall - csf v2.89 >>
PHP Check >>
Check php for register_globals >>
WARNING >> You should modify the PHP configuration (usually in /usr/local/lib/php.ini) and set:
register_globals = Off
unless it is absolutely necessary as it is seen as a significant security risk
Must I modify it or not? Take into consideration that when I tried to download it to modify it, an error occurred!
Aug 24, 2007
I am on a shared server account with Lunar Pages basic hosting plan.
The only script file I have up running is db Masters FormM@iler. It runs on Cpanel. I deleted whatever other scripts I could find on my server. The site is just basic html pages with jpgs and a gif.
Is there much else I really need to do to secure the server or is that more in Lunar Pages' hands?
If there is still more I can do to secure the server, and is it a small amount that's easy to do or would it be wise to just hire someone else to put in a few hours making sure everything is truly set up securely?
Apr 23, 2007
I have a VPS that has been exploited, and the hosting company is giving me advice on what to do to fix the security problems, but I need a good server administrator/company to help me with this. Can anyone recommend a company that will go thru my server,
Mar 27, 2007
I'm inheriting a website that is currently a mess. It was designed in Joomla, but everything about the site by the original designer is completely a mess. Files weren't placed in their proper directory hierarchy, the site has been hacked into a few times...basically a big headache.
I'm willing to learn and my first goal is to redesign the site. Currently, I'm looking at choosing a CMS or just rebuilding it in Joomla. The problem is that the site is a big part of the business, so any down time is not good.
I have some questions I hope you experienced folks can help me with...
Does CMS choice have any bearing on whether or not it's a security vulnerability? If so, which ones are "less a target" of getting hit?
I just want to design the site from scratch and make it secure as possible from suggestions on various forums. I don't want to be a security admin, but is that what I'll end up having to do to run a site like this?
What are my options between "doing it myself" vs "hiring a third party"?
The company is right now in a tween stage. Fast growth but not enough to hire a security guy, based on my talks with the CEO. I disagree with this, but what can I do in the meantime to plug the site holes?
I'm almost wanting to go commercial so I don't have all the headaches, but the company wants to save money. What can be done in those situations?
Before I go out and spend money on books, what do you recommend I buy to start getting my feet wet in what may become a future in IT security?
This is from someone who's just inherited a dedicated server with a swiss cheese website. What is the first order of business for someone who is in the dark and will not get much support in regards to spending more money?
How do I secure my site "on my own"?
Feb 26, 2007
I noticed that my VPS had utilized 250 gig of traffic in one day [I average 5 gig per MONTH] with CPU usage of close to 100%; my hosting company pinpointed one PHP file which had allowed an outside variable to be placed in "include" function so that the outside PHP code was being run.
Is there any program/script that can immediately email me if:
- CPU usage stays high
- the NIC card is being utilized too much
- memory usage exceeds certain levels
This way, I would know I have been hijacked in time and try to find the culprit. I use KnownHost with cPanel/Linux, MySQL and PHP.
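An added example (not from the original post): a heuristic Python lint for the flaw the hosting company pinpointed, an `include`/`require` whose path comes from request data, either directly or through a variable assigned from it. The PHP snippets are constructed; the check works line by line and is no substitute for a full parser.

```python
import re

REQUEST_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*(\.?=)(?!=)\s*(.*?);")
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?(.*?)\)?\s*;", re.I)
INDEX_RE = re.compile(r"\[[^\]]*\]")


def request_derived(expr, tainted):
    """True if expr takes its value from request data or a tainted variable."""
    # A subscript only selects an element: `$allowed[$key]` takes its value
    # from $allowed, so subscripts are dropped before variables are examined.
    bare = INDEX_RE.sub("", expr)
    if REQUEST_RE.search(bare):
        return True
    return any(v in tainted for v in VAR_RE.findall(bare))


def scan_php(source):
    """Return [(line_number, statement)] for includes fed by request data."""
    tainted, findings = set(), []
    for number, line in enumerate(source.splitlines(), 1):
        inc = INCLUDE_RE.search(line)
        if inc and request_derived(inc.group(1), tainted):
            findings.append((number, line.strip()))
        assign = ASSIGN_RE.match(line)
        if assign:
            var, op, rhs = assign.groups()
            if request_derived(rhs, tainted):
                tainted.add(var)
            elif op == "=":
                tainted.discard(var)  # overwritten with a value we trust
    return findings


# Constructed sample of the pattern described in the post.
VULNERABLE = """\
<?php
$page = $_GET['page'];
include($page . '.php');
"""

# Constructed hardened form: the request value only selects from a fixed map.
HARDENED = """\
<?php
$allowed = array('home' => 'home.php', 'about' => 'about.php');
$key = isset($_GET['page']) ? $_GET['page'] : 'home';
if (isset($allowed[$key])) { include $allowed[$key]; }
"""

if __name__ == "__main__":
    for number, statement in scan_php(VULNERABLE):
        print(f"line {number}: {statement}")
    print("hardened findings:", scan_php(HARDENED))
```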
Jul 21, 2007
I have a Unix server [don't know what version, I think it's FreeBSD]
[url]
and I use WS_FTP to upload the files to my server.. but I have a big problem: all my files are encrypted with some problems, but when people use GetRight browser or some kind of program to access my server instead of a normal browser, it appears the list of files I have uploaded and they can download them. And when I set a password for images etc. it's all safe, but people can't access parts of the site without a password... I want to know if there's some way of protecting my files without interfering with the normal browser access.
Jul 24, 2007
When we run a server with shared hosting, we mostly face issues of security like c9shell scripts.. as well as ppl hacking databases or changing index.html. We do enable PHP open base dir as well as mo security firewall, and we do search which user is using the find command and who is uploading files... but is there any other way to secure the server against such hacking issues..
Mar 26, 2007
I have run rkhunter and got message saying that /bin/dmesg [BAD]
# rpm -qf /bin/dmesg
util-linux-2.12a-16.EL4.20
# rpm -V util-linux-2.12a-16.EL4.20
.M...... /usr/bin/chsh
It looks like the RPM is damaged? How can I confirm it?
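An added example (not from the original post): a Python decoder for the attribute column of `rpm -V` output, applied to the line quoted above. It uses rpm's documented verify flag letters; the second sample is constructed to show the other outcomes.

```python
import re

# Position-by-position meaning of the attribute string printed by `rpm -V`.
# Older rpm, as in the post, prints 8 columns; newer versions add a 9th (P).
FLAGS = [
    ("S", "file size differs"),
    ("M", "mode differs (permissions and/or file type)"),
    ("5", "digest (formerly MD5 sum) differs"),
    ("D", "device major/minor number mismatch"),
    ("L", "readlink(2) path mismatch"),
    ("U", "user ownership differs"),
    ("G", "group ownership differs"),
    ("T", "mtime differs"),
    ("P", "capabilities differ"),
]
CONTENT_FLAGS = {"S", "5"}  # the file's bytes changed, not just its metadata

LINE_RE = re.compile(r"^(?P<attrs>[.?A-Z0-9]{8,9})\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")


def parse_verify(output):
    """Map path -> record for every file that `rpm -V` reported."""
    records = {}
    for line in output.splitlines():
        line = line.strip()
        m = MISSING_RE.match(line)
        if m:
            records[m["path"]] = {"missing": True, "changed": [], "unknown": [], "kind": m["kind"]}
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        attrs = m["attrs"]
        changed = [FLAGS[i] for i, ch in enumerate(attrs) if ch == FLAGS[i][0]]
        unknown = [FLAGS[i][0] for i, ch in enumerate(attrs) if ch == "?"]  # test could not run
        records[m["path"]] = {"missing": False, "changed": changed, "unknown": unknown, "kind": m["kind"]}
    return records


def triage(output, path):
    """Classify one path against the verify output for its package."""
    rec = parse_verify(output).get(path)
    if rec is None:
        # rpm -V lists only files that differ. The comparison is against the
        # RPM database on the same host, so this is not independent proof.
        return "matches-rpm-db"
    if rec["missing"]:
        return "missing"
    codes = {code for code, _ in rec["changed"]}
    if codes & CONTENT_FLAGS:
        return "content-changed"
    return "metadata-only" if codes else "unverifiable"


# The single line of output quoted in the post.
POST_OUTPUT = ".M...... /usr/bin/chsh\n"

# Constructed lines covering the other cases.
CONSTRUCTED = """\
S.5....T  c /etc/example.conf
missing     /usr/share/doc/example/README
..?......   /usr/bin/example
"""

if __name__ == "__main__":
    for p in ("/bin/dmesg", "/usr/bin/chsh"):
        print(p, "->", triage(POST_OUTPUT, p))
```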
Jul 10, 2007
When securing a VPS system, do things like Enable Shell Fork Bomb/Memory Protection use much memory or any other security measure?
Oct 31, 2007
We have an e-commerce web site that has the latest shopping cart software (that is known to be secure), SSL cert, etc.
We got a call today from a guy who says that he used his brand new card on our web site and that the card was stolen and used on another site within hours. We have checked every file on the web site, logging into server root and checking everything, and can't find any evidence of a hack or security breach of any kind.
Can someone recommend a reliable company that can go in and check things out for us to see if they can find any security issues, or evidence of a breach? There must be a company out there that does this sort of thing.
Apr 8, 2008
I am conducting some research into potential risks that web hosts have to deal with on a daily basis. What potential security risks are there for web hosts? And how do they overcome these issues?
Jun 7, 2009
For security reasons I have these PHP functions disabled:
show_source, system, shell_exec, exec, popen, proc_open, procopen, passthru
Can anyone please tell me whether if it will prevent shell scripts from working?
They can still upload the shells but can't read/write/execute commands in 777 directories?
Jul 16, 2009
I want to setup a Windows 2003 security policy to filter traffic.
I want to let most of the world through to port 80 so maybe just ban a few nuisance IP's.
But then I have a POP / IMAP server, VPN, SMTP, etc that I want to block all but UK IP addresses.
I know I can do this through the MMC snap in but this is 1000's of IP's.
Is there a way I can import a list/range of IP's that I want to block from a country IP database?