[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Security



On Fri, Apr 28, 2000 at 06:18:12AM -0700, Dan Hutchinson wrote:
> Thanks for the response.  I was working for the government and we were
> just hacked twice with a WindowsNT System.  I am basically looking for
> a way to make it hard to be hacked.  Right now we are wide open and it
> is mostly because management wants there ICQ, MSN, etc.. and total access
> to HTTP and cgi scripts, etc...

WinNT is very unsecure out of the box, and securing it tends to break
everything.. (how can one call a system `secure' when most of the
filesystem has permissions like Everyone: Full Control??? or has every
disk/partition along with C:\WINNT shared for `administrive purposes'
with no clear way to disable it?)  it also has a new security problem
found about 3 times a day..  just replacing that heap with a *nix
based OS is a very good start.  if your looking for very good security
right out of the box i would recommend looking into OpenBSD, they have
just gone 3 years without a remote hole in the default config and 2
for a localhost hole in the default config, very nice.  it also
includes lots of strong crypto in the base system and libc.  however
like any system it can be made very unsecure by adding the wrong stuff
to it.  they audit everything in the base system but what you add is
up to you to keep track of.

as for all the services et al people are insisting on, if they are
causing security problems you have to remove them, that is simply the
only solution.  it does not matter how much security features and
programs you layer on the system or how much crpyto is in the libc or
how much the base OS is audited if you leave the door open your going
to let annoying pests in.  management is going to have to decide what
they like better: kewl MS crap and unsecure, broken into systems,
compromised data etc. or secure safe, boring systems without the MS
fluff.

if you go with *nix you should also check out the book "Practical Guide
to Unix and internet security"  (or very close to that, sorry don't
have it handy at the moment) it does a good job pointing out
historical mistakes and what things need to be secured and why, very
helpful for understanding what to look for.  

> Dan
> 
> ---- Ethan Benson <erbenson@alaska.net> wrote:
> [Non text/plain message body suppressed]
> 
> 
> ___________________________________________________________________
> To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax,
> all in one place - sign up today at http://www.zdnetonebox.com
> 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpfg1moWU1tr.pgp
Description: PGP signature


Reply to: