Penetration Testing mailing list archives
RE: Internal Servers (noob post)
From: Gorgon Beast <gorgonbeast () hotmail com>
Date: Wed, 3 Jun 2009 09:07:29 -0700
There are many ideas on the subject of methodology. The main idea I go with is to attack my own systems before someone else does. If an attacker gets in, they have free rein on unsecured systems. And, since they got in through perimeter security, is anyone watching to see if it can be done again? Or can they come back for weeks and weeks, picking apart your systems without anyone knowing? Then, when they have EVERYTHING they possibly want, do they destroy your systems? (Me? Paranoid? Yep.)

That said, hardening internal systems is a good thing; you should keep them just on the "usable" side. This means that they perform what they need to and that people can do their work. Administrators can connect and do everything they need to. Layered security is good for this, but requires a lot of forethought. Since many attacks happen from the inside anyway, you should protect those machines. If you want to get really granular (which a lot of companies are, lately), you can put your servers in an internal DMZ as well, behind a firewall, and only allow authorized workstations to connect to them. This takes a lot of work to implement if you are already set up.

If your company takes credit cards, be aware of all of the PCI rules. If it is a financial accounting company, look up the SOX rules. Both are similar, neither covers everything, and you will probably see something that you want to change to make things better. If your company participates in a SAS70 audit, consider expanding it every year to cover more items. They are a huge pain, but you will discover many things that need changing.
Date: Tue, 2 Jun 2009 05:56:45 -0700
From: pmaneedham () hotmail com
To: pen-test () securityfocus com
Subject: Internal Servers (noob post)

I wonder if you could give me some pointers on ways you pen testers would try to penetrate or gain access to an organisation's internal server "farm". I have read numerous hardening guides for both UNIX and Windows Servers, which we use for our host-based systems, but our IT dept insist perimeter defences (firewall etc.) are sufficient to protect the internal servers, so there is no need to invest heavily or put resources into hardening internal servers. Is this statement valid, or would hardening internal servers also give pen testers a hard time gaining access to data, backups or host-based apps residing on internal servers?

What I am really after (I am no pen tester but am intrigued by what techniques you guys use) is to get into the mindset of the ways you guys would try and gain access to our internal servers and data. If I make some assumptions, could someone with experience (be it white hat, black hat, grey hat) give me some pointers as to whether my assumptions are correct? To attack (bring down, steal confidential data etc.) one of our internal servers, would you always try to penetrate the firewall or find some vulnerability in the firewall in order to get remote access into our internal servers? Once through the firewall, what methods would you guys use to gain access to the server? Would you try default accounts that you know exist (I noticed the vast majority of hardening guides always say disable or remove unnecessary default UNIX / Windows accounts etc.)? Is hardening an internal server much protection if somebody has broken through the firewall, or is it easy practice to still get data off internal servers?

Any pointers most welcome.

Regards,
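The original poster asks whether the "disable or remove unnecessary default accounts" advice in hardening guides matters once an attacker is past the perimeter. The following is an added example, not code from either poster: a small audit of Unix account entries that flags the conditions those guides warn about (an empty password field, a default account left with a usable shell and password, an extra UID 0 account). The passwd and shadow lines are constructed sample data, and the list of "default" names is illustrative, not authoritative.

```python
# Constructed sample of /etc/passwd lines (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
games:x:5:60:games:/usr/games:/usr/sbin/nologin
guest:x:1001:1001::/home/guest:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed sample of /etc/shadow lines. An empty hash field means no
# password is needed to log in; a field starting with '*' or '!' is locked.
SAMPLE_SHADOW = """\
root:$6$examplehash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
ftp::18000:0:99999:7:::
games:*:18000:0:99999:7:::
guest:$6$guesthash:18000:0:99999:7:::
toor:$6$toorhash:18000:0:99999:7:::
alice:$6$alicehash:18000:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Illustrative names that hardening guides commonly say to remove or disable.
DEFAULT_NAMES = {"ftp", "games", "guest", "lp", "news", "uucp"}


def audit_accounts(passwd_text, shadow_text):
    """Return {name: [finding, ...]} for accounts that need attention."""
    hashes = dict(line.split(":")[:2] for line in shadow_text.splitlines() if line)
    findings = {}
    for line in passwd_text.splitlines():
        if not line:
            continue
        name, _, uid, _, _, _, shell = line.split(":")
        pw_hash = hashes.get(name, "!")  # no shadow entry: treat as locked
        locked = pw_hash.startswith(("!", "*"))
        problems = []
        if pw_hash == "":
            problems.append("empty password field: no password needed to log in")
        if name in DEFAULT_NAMES and shell not in NOLOGIN_SHELLS and not locked:
            problems.append("default account with a usable shell and password")
        if uid == "0" and name != "root":
            problems.append("extra UID 0 account")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

On a real host, read /etc/passwd and /etc/shadow (the latter needs root) and pass their contents in place of the samples.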