Security Basics mailing list archives
RE: Server Naming Conventions
From: "S. Earl Jarosh" <earlj () moneycenters com>
Date: Thu, 20 Dec 2007 14:42:10 -0600
I sort of like use toons or mythological characters with their pictures as the wallpaper so that when you are using a KVM or other remote scheme you know the server by the background picture. Sequential naming conventions are very boring and lack any sort of imagination. Earl -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of crazy frog crazy frog Sent: Friday, December 14, 2007 12:58 PM To: krymson () gmail com Cc: security-basics () securityfocus com Subject: Re: Server Naming Conventions mogli,mario,contra etc............ On 12 Dec 2007 18:50:15 -0000, <krymson () gmail com> wrote:
I can't cite any references (basically I only do the research when I
really want to!), but I imagine you will find references that suggest (or require) naming systems in a way that does not reveal their use. Naming an IIS 5 Web Server something like WEBSIIS5 would be a bad practice, in theory.
In reality, I think most shops name systems how they want, since finding
out services, uses, and system OS levels can be fairly trivial and done in many ways. Still, making an attacker work and possibly make false assumptions has minor value to some. I think anyone that has done any black box service/server recon will have made an error in judgement at one time or another.
I'd break server naming into three groups: 1) Random names, or even names of random stuff. HanSolo, Luke, Jupiter,
Mercury, Zeus, MilkyWay, Larry, Curly, Moe, REGEHSJE, GSDFOHE, XKCD... This is a fun way, keeps the systems fairly hidden with the tradeoff that you better know which system does what, and new staff will take time to figure it out. Names that mean something, like Mercury, are a step in the "better" direction, as opposed to DFSDRLJH.
2) Random, but predictable names that you track. This is a great tact for
workstations, and can be used for servers as well. SERVER001, SERVER002, SERVER003... You'll have to track in inventory what each does, however, and can become confusing. But in this way the systems have standard names and do not give away their use.
3) Predictable names that reflect their use. CompanyDC01, CompanyDNS02,
CompanyFS23 could be names for a domain controller, dns server, and file server, respectively. I've found most companies do this, even if they give away the server use to any curious parties.
<- snip -> Id like to see if anyone has any information on system naming conventions, best practices, NIST, DISA, etc.... Are there any US GOV requirements on how systems/servers should or should NOT be named?
-- advertise on secgeeks? http://secgeeks.com/Advertising_on_Secgeeks.com http://newskicks.com
Current thread:
- Server Naming Conventions xelerated (Dec 12)
- <Possible follow-ups>
- Re: Server Naming Conventions krymson (Dec 12)
- Re: Server Naming Conventions crazy frog crazy frog (Dec 14)
- RE: Server Naming Conventions S. Earl Jarosh (Dec 20)
- Re: Server Naming Conventions crazy frog crazy frog (Dec 14)