Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Server Naming Conventions

From: "crazy frog crazy frog" <i.m.crazy.frog () gmail com>
Date: Sat, 15 Dec 2007 00:28:15 +0530
mogli,mario,contra etc............

On 12 Dec 2007 18:50:15 -0000,  <krymson () gmail com> wrote:

I can't cite any references (basically I only do the research when I really want to!), but I imagine you will find 
references that suggest (or require) naming systems in a way that does not reveal their use. Naming an IIS 5 Web 
Server something like WEBSIIS5 would be a bad practice, in theory.


In reality, I think most shops name systems how they want, since finding out services, uses, and system OS levels can 
be fairly trivial and done in many ways. Still, making an attacker work and possibly make false assumptions has minor 
value to some. I think anyone that has done any black box service/server recon will have made an error in judgement 
at one time or another.


I'd break server naming into three groups:


1) Random names, or even names of random stuff. HanSolo, Luke, Jupiter, Mercury, Zeus, MilkyWay, Larry, Curly, Moe, 
REGEHSJE, GSDFOHE, XKCD... This is a fun way, keeps the systems fairly hidden with the tradeoff that you better know 
which system does what, and new staff will take time to figure it out. Names that mean something, like Mercury, are a 
step in the "better" direction, as opposed to DFSDRLJH.


2) Random, but predictable names that you track. This is a great tact for workstations, and can be used for servers 
as well. SERVER001, SERVER002, SERVER003... You'll have to track in inventory what each does, however, and can become 
confusing. But in this way the systems have standard names and do not give away their use.


3) Predictable names that reflect their use. CompanyDC01, CompanyDNS02, CompanyFS23 could be names for a domain 
controller, dns server, and file server, respectively. I've found most companies do this, even if they give away the 
server use to any curious parties.



<- snip ->


Id like to see if anyone has any information on system naming

conventions, best practices, NIST, DISA, etc....


Are there any US GOV requirements on how systems/servers should or

should NOT be named?





-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com
Previous By Date Next
Previous By Thread Next

Current thread: