IT Olympics

Data that travels over the air and how to protect (or decipher) it

IT Olympics

Post by usernumber5 on Wed Mar 04, 2009 1:04 am
([msg=19207]see IT Olympics[/msg])

Hello,
I go to high school, and am participating in a new IT class offered called IT Olympics. My team needs to create a webserver, complete with mail and several other services. After we have one month to set it up, professional security analysts as well as college students in the it environment have a chance to take us down. I don't know where to begin with securing our server, because it involves many tasks. We have to set up a dns server as well. Right now, I'm leaning towards using .htaccess to secure our files. Does anyone have pros/cons to this, from a hackers point of view? Btw - you can use hacker vocabulary, I think I will understand. And don't mention brute forcing, as all the passwords will be at least 12 characters long, as well as most likely be hashed in an encryption we create from scratch. Thanks to anyone who posts.

usernumber5
usernumber5
New User
New User
 
Posts: 3
Joined: Wed Mar 04, 2009 12:47 am
Blog: View Blog (0)


Re: IT Olympics

Post by yourmysin on Fri Mar 06, 2009 10:12 pm
([msg=19451]see Re: IT Olympics[/msg])

Very Interesting, I'm doing similar in my school. Unfortunately because of this i cannot give you help.

I wish you luck! :)
A+, Network+, MCTS(70-620), Security+, CCNA
yourmysin
Experienced User
Experienced User
 
Posts: 83
Joined: Mon Apr 21, 2008 9:02 pm
Location: Newport, Maine, USA
Blog: View Blog (0)


Re: IT Olympics

Post by Andomis on Sun Mar 08, 2009 12:47 am
([msg=19542]see Re: IT Olympics[/msg])

Get all windows updates, and turn automatic updates off- manually install updates on your own- else they might be able to use BITS against you.
Turn off LM hashes off.
Turn off all extra services that arnt being used (the simplier the server, the less mistakes or opennings there are room for)
Uninstall any excess programs that are not needed.
Make all passwords 15 characters or longer, 12 is below the cut off (this includes any sql, wsus, domain, or other service needed user accounts).
Don't have 1 master password forever thing.
Make sure you configure the firewall that is being use properly.
Put the server behind a router, not directly connected to a modem (even if it has a DHCP service running).
Turn off remote desktop and remote assistance.
sha1 or sha2 varient for encryption.
Any installations or files you bring to the servers, bring through a CD to help prevent viruses at the very beginning, don't use your servers as webbrowsers- they are not for that- and they should have a warning about that anyways I believe as soon as you open ie/firefox.
Get a good antivirus/malware preventer. I suggest AVG antivirus free or corporate symantec with malwarebytes or spybot s&d.
Get a network monitor to watch incoming/outgoing stuff.
Code a mac address filter for the domain, having it block all mac addresses until they register with a proper password.
Its gonna be hard for you to secure it 100% if they are "experts" anyways because alot of the methods they will use, you probably wont even A. know about, B. think to prevent- just do your best to not make silly mistakes.

Just some ideas, I know I am forgetting alot of stuff- but thats some stuff to think about or get started on.

Windows Servers?

Alive,
Andomis
"I'm choking on that four letter word, it sticks in my throat as i read the words YOU wrote..."
User avatar
Andomis
Experienced User
Experienced User
 
Posts: 75
Joined: Thu Oct 23, 2008 8:50 pm
Blog: View Blog (0)


Re: IT Olympics

Post by yourmysin on Sun Mar 08, 2009 11:20 pm
([msg=19611]see Re: IT Olympics[/msg])

The contest I'm joining requires the server to run a vulnerable version of SSH. I'm not sure whether your challenge is the same. This makes things a lot harder to secure.
A+, Network+, MCTS(70-620), Security+, CCNA
yourmysin
Experienced User
Experienced User
 
Posts: 83
Joined: Mon Apr 21, 2008 9:02 pm
Location: Newport, Maine, USA
Blog: View Blog (0)


Re: IT Olympics

Post by mischief on Mon Mar 09, 2009 1:16 am
([msg=19618]see Re: IT Olympics[/msg])

usernumber5, i hope you are using non-windows based machines. and if you are, virtualize a linux machine ^^

depending on you and your opponents knowledge of linux systems, linux would be drastically easier to secure over a windows machine, imo.
The whole secret of existence is to have no fear. Never fear what will become of you, depend on no one. Only the moment you reject all help are you freed.
--Buddha
User avatar
mischief
Poster
Poster
 
Posts: 355
Joined: Wed Jan 07, 2009 4:16 pm
Blog: View Blog (0)


Re: IT Olympics

Post by yourmysin on Mon Mar 09, 2009 5:21 pm
([msg=19687]see Re: IT Olympics[/msg])

mischief wrote:usernumber5, i hope you are using non-windows based machines. and if you are, virtualize a linux machine ^^

depending on you and your opponents knowledge of linux systems, linux would be drastically easier to secure over a windows machine, imo.


That is not such a good idea. Why?

By adding a virtual operating system you allow for two extra vulnerabilities. First of all, you can easily exploit the host operating system to take control of the VM. Second of all, you could exploit the Virtual software. You could also exploit the virtual operating system.

I remember having this discussion with one of my professors a few months ago. Albeit linux allows for a much more secure configuration, the host operating system is still windows. You may as well focus on securing the windows operating system instead.
A+, Network+, MCTS(70-620), Security+, CCNA
yourmysin
Experienced User
Experienced User
 
Posts: 83
Joined: Mon Apr 21, 2008 9:02 pm
Location: Newport, Maine, USA
Blog: View Blog (0)



Return to Networking

Who is online

Users browsing this forum: No registered users and 0 guests