Server security - do not trust others to ensure its overall security
Published: Thursday, October 24, 2019 written by Andy Flagg
View Count: 155
Keywords: Windows Server 2012, Security, Event Logs, 3rd party support, Staff Review
I had a wake up call in the last 48 hours; one of the Windows Servers 2012 that was installed and configured nearly 6 years ago by staff and 3rd party level tech 5 group did not have the GPO security policies enabled to help the server protect itself.
moral of the story: The lock down script and procedure for servers MUST be immediately applied prior to any server going online and directly exposed to the Internet, even if that is just one port for specific business traffic.
Uh... so, after 4 hours of analysis and log files from a 3rd party network log, after recording and reporting the attempted security intrusions, I started the lock down of the server.
Three major no-no's were encountered. The GPOs
1. disable last login displayed
2. force NTLM v2 and reject all others
3. rename main administration account
we had to get 3rd party ISPs to track down their violators and these were in RIPE networks, two small ISPs and two major ISPs, mostly in Russia and one east coast USA on a Verizon network.
Funny, once you trigger the halt of one, an automatic spray from 2-3 other networks came at the server, and then a denial of service ensued. No worries, the packets were holed and reverse traffic analyzed and we made sure the backups were rotating and working and secure, with a wide air-gap and made ready to be used.
no signs of successful penetration, just a lot of unsuccessful lock picking and door handle jiggling.
more to come...
if you found this article helpful, consider contributing $10, 20 an Andrew Jackson or so..to the author. more authors coming soon
FYI we use paypal or patreon, patreon has 3x the transaction fees, so we don't, not yet.
© 2020 myBlog™ v1.1 All rights reserved. We count views as reads, so let's not over think it.