On Fri, Apr 28, 2000 at 06:18:12AM -0700, Dan Hutchinson wrote:
> Thanks for the response. I was working for the government and we were
> just hacked twice with a WindowsNT System. I am basically looking for
> a way to make it hard to be hacked. Right now we are wide open and it
> is mostly because management wants their ICQ, MSN, etc.. and total access
> to HTTP and cgi scripts, etc...

WinNT is very insecure out of the box, and securing it tends to break everything.. (how can one call a system `secure' when most of the filesystem has permissions like Everyone: Full Control??? or has every disk/partition along with C:\WINNT shared for `administrative purposes' with no clear way to disable it?) it also has a new security problem found about 3 times a day.. just replacing that heap with a *nix based OS is a very good start.

if you're looking for very good security right out of the box i would recommend looking into OpenBSD, they have just gone 3 years without a remote hole in the default config and 2 for a localhost hole in the default config, very nice. it also includes lots of strong crypto in the base system and libc. however like any system it can be made very insecure by adding the wrong stuff to it. they audit everything in the base system but what you add is up to you to keep track of.

as for all the services et al people are insisting on, if they are causing security problems you have to remove them, that is simply the only solution. it does not matter how many security features and programs you layer on the system or how much crypto is in the libc or how much the base OS is audited, if you leave the door open you're going to let annoying pests in. management is going to have to decide what they like better: kewl MS crap and insecure, broken into systems, compromised data etc. or secure, safe, boring systems without the MS fluff.
if you go with *nix you should also check out the book "Practical Guide to Unix and internet security" (or very close to that, sorry don't have it handy at the moment). it does a good job pointing out historical mistakes and what things need to be secured and why, very helpful for understanding what to look for.

> Dan
>
> ---- Ethan Benson <erbenson@alaska.net> wrote:
> [Non text/plain message body suppressed]

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
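An added audit script, not part of the original mail, that checks a current Windows host for the two defaults the reply singles out: filesystem ACEs granting Everyone (or similarly broad principals) Full Control or Modify, and the hidden administrative shares (C$, ADMIN$). It assumes PowerShell 5.1 or later with the SmbShare module and an elevated session; the root path, depth and principal list are assumed defaults you would adjust.

```powershell
# Added example (not from the original mail). Reports broadly writable
# directories under $Root and the default administrative shares.
# Assumes PowerShell 5.1+, the SmbShare module, and an elevated session.
param(
    [string]$Root  = 'C:\',   # assumed starting point for the ACL walk
    [int]   $Depth = 2        # assumed recursion depth; raise for a full sweep
)

# Principals whose write access on a directory is normally worth reviewing.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$Modify      = [int][System.Security.AccessControl.FileSystemRights]::Modify

function Test-BroadWriteAce {
    # True when an Allow ACE for a broad principal carries Modify or Full Control.
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($BroadPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    $rights = [int]$Ace.FileSystemRights
    return ((($rights -band $FullControl) -eq $FullControl) -or
            (($rights -band $Modify)      -eq $Modify))
}

Write-Host "== Directories under $Root (depth $Depth) writable by broad principals =="
Get-ChildItem -Path $Root -Directory -Depth $Depth -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try { $acl = Get-Acl -Path $path -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            if (Test-BroadWriteAce -Ace $ace) {
                [pscustomobject]@{
                    Path      = $path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    } | Format-Table -AutoSize

Write-Host "`n== Administrative (default hidden) shares =="
# Special is $true for the automatically created C$/ADMIN$/IPC$ shares. Whether to
# keep them is a policy call; the LanmanServer AutoShareServer/AutoShareWks values
# control whether the service re-creates them at startup.
Get-SmbShare | Where-Object { $_.Special } |
    Select-Object Name, Path, Description | Format-Table -AutoSize
```

Inherited ACEs are reported alongside explicit ones, so a single Everyone: Full Control at a volume root shows up on every child it reaches, which is the situation the mail describes.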