Running Microsoft machines on your network?

w1z4rd

How do you prevent client side attacks and spear phishing?

Really strict firewall rules to block out http to *?

Antiviruses and updating MS Windows are not good enough. You can still turn over a process (ergo a system) even with a fully updated protected MS machine.

I know Google (generally) banned MS machines on their network because of this.
 
Decent firewall/proxy with web filtering
Decent client firewall
Twice daily Windows updates
Decent anti virus/spyware/malware
 
Well, Google were unable to stop the hacks on their networks with their firewall engineers, so I'm wondering what kinda firewalling we are talking about here. I think the only safe way to stop an MS machine from being exploited is to completely cut it off from the Internet... but you would have to do that to all machines on the network, because if one machine has got access a hacker can use something like Metasploit and pivot to other machines on the network.

Since these exploits don't get picked up as a virus or a trojan, normal firewall rules/AV setups don't work so well.
 
Yea, you need to be very vigilant and keep everything up to date.

I wonder how Microsoft deal with this...
 
Updated AV
Well configured firewall and DMZ
Segmented network with switch monitoring
Segmented authentication with strict security policies regarding password complexity and username/password usage for services and servers
Strict change-control and security policy/procedures requiring authorization and confirmation from more than 1 person
Remote access using VDI and separated VLANs
Less stupid users
 
I don't think Microsoft uses Linux boxes, and their XBL has not been hacked yet, unlike Sony's network. Now, I know in Sony's case it was due to arrogance and ignorance, but if MS can secure it then I'm sure it's possible.
 
Using URL Filter on Smoothwall here to block *.naughty.sites

Also, sites referred to by their IP address are also blocked.

Seems good so far.
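
The filtering rule described in the post above (a wildcard domain block plus a block on hosts given as IP addresses), as an added Python example that is not part of the original thread and not Smoothwall's own implementation. It goes slightly beyond the post by also catching integer, hex and octal spellings of an IPv4 address that a plain dotted-quad check would miss; the function names and the blocklist entry are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist; "naughty.sites" stands in for the post's *.naughty.sites rule.
BLOCKED_SUFFIXES = ("naughty.sites",)

def legacy_ipv4(host):
    """Decode inet_aton-style IPv4 spellings (1-4 parts; decimal, octal or hex)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not (p.isascii() and p.isalnum()):
            return None
        try:
            if p.lower().startswith("0x"):
                nums.append(int(p, 16))
            elif len(p) > 1 and p[0] == "0":
                nums.append(int(p, 8))
            else:
                nums.append(int(p, 10))
        except ValueError:
            return None
    *head, last = nums
    # Leading parts are single bytes; the last part fills all remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(head))
    return ipaddress.IPv4Address(value)

def filter_decision(url):
    """Return 'allow' or a 'block:<reason>' string for one requested URL."""
    host = urlsplit(url).hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return "block:no-host"
    host = host.rstrip(".")        # "example.com." is the same host
    try:
        ipaddress.ip_address(host)  # dotted-quad IPv4 or IPv6 literal
        return "block:ip-literal"
    except ValueError:
        pass
    if legacy_ipv4(host) is not None:
        return "block:ip-literal"
    if any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES):
        return "block:domain"
    return "allow"
```

Matching on the parsed hostname rather than the raw URL string is what keeps a decoy name in the userinfo part, or a look-alike such as notnaughty.sites, from changing the decision.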
 
> I don't think Microsoft uses Linux boxes, and their XBL has not been hacked yet, unlike Sony's network. Now, I know in Sony's case it was due to arrogance and ignorance, but if MS can secure it then I'm sure it's possible.

But not everybody have deep pocketses like M$ does...
 
> I don't think Microsoft uses Linux boxes, and their XBL has not been hacked yet, unlike Sony's network. Now, I know in Sony's case it was due to arrogance and ignorance, but if MS can secure it then I'm sure it's possible.

Again, the biggest security risk is client-side attacks. Any good server admin can tighten down a server (Windows, Linux or Mac)... that's not the insecure point. The biggest security risk is the users.
 
> Again, the biggest security risk is client-side attacks. Any good server admin can tighten down a server (Windows, Linux or Mac)... that's not the insecure point. The biggest security risk is the users.

Agreed.

Had a user who took his laptop to site. Plugged it in, disabled the AV. Trojans infected it. He noticed nothing amiss, returned back to office, plugged laptop into network, instant nightmare which lasted for quite a while. And, yes, we had AVs on the servers.

This specific trojan causes svchost to fail (and with it, file and printer sharing, RRAS, in fact anything which uses svchost).

Recently installed Symantec Endpoint Protection v11 and the built-in firewall protects Windows workstations (and servers) from this type of attack vector.

Was nasty, but I survived it.

Still want to kick said programmer in the ganoonies for writing such a poxy piece of crud though. (the worm, not Windows). Although the Windows programmer(s) is also next in line :D

Why does Windows rely so much on svchost? Single point of failure - attack svchost successfully and you can pwn a Winders PC.
 
> I know Google (generally) banned MS machines on their network because of this.

And the CEO of Tata says he doesn't drive Hyundai because it is not safe. Not saying Windows is any good, but Google should not be used as the yardstick, or should I say CHROME yardstick.
 