(letting that license conversation flare out...)

Think also like a hacker...  If you install Perl, PHP, Python, etc (any
of that) on your Linux box, hopefully you're using it - otherwise you're
open to being attacked there.

Same for your Windows - don't install (or make it accessible) unless you
plan to use it.

In 2003, they make it part of the interface which ISAPI modules can be
used (and by default they're all disabled - you can't even use ASP or
included HTML).  For previous versions, lean on URL Scan to exclude
the stuff you don't use.  You can tell URL Scan that only HTML and
GIF/JPEGs can be accessed, if you try to use HTM (without the L) - it
can block it.  That's making it work just the way you want it and not
worrying about all the other stuff that comes along with IIS unless you
use it.

Same goes for the config file for Apache - don't load the MySQL module,
etc - if you're not using it.

/David.
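A URLScan.ini fragment, added here as an illustration and not part of the original post, showing the allow-list David describes: HTML and GIF/JPEG only, so a request for .htm is rejected. It assumes URLScan 2.5 syntax and a server that publishes nothing but static pages and images.

```ini
; urlscan.ini - added illustration of the static-only allow-list described
; above; not the shipped default. Assumes URLScan 2.5 syntax.

[Options]
; Only verbs listed in [AllowVerbs] are accepted.
UseAllowVerbs=1
; Only extensions listed in [AllowExtensions] are served; everything else
; (ASP, .htr, .printer, .ida, ...) is rejected before IIS ever sees it.
UseAllowExtensions=1
; Decode and canonicalize the URL before matching, and reject URLs that
; still change when normalized a second time (double-encoding tricks).
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; Reject non-ASCII bytes and dots anywhere but in the final extension.
AllowHighBitCharacters=0
AllowDotInPath=0
; Don't advertise the server version; log every rejected request.
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD

[AllowExtensions]
; .htm is deliberately absent, so /page.htm is rejected (URLScan answers
; 404 by default) while /page.html is served. The bare "." entry allows
; extension-less requests such as "/" so the default document still works.
.html
.gif
.jpg
.jpeg
.

[DenyUrlSequences]
; Directory traversal, backslashes, alternate data streams, and escaping
; that survives normalization.
..
./
\
:
%

[RequestLimits]
MaxUrl=260
MaxQueryString=2048
```

Every rejection is written to the URLScan log, so tailing that log after rollout shows which legitimate paths the allow-list still needs.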

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nancy
Anthracite
Sent: Saturday, April 23, 2005 6:06 AM
To: [email protected]
Subject: Re: [Hardhats-members] VistA Web

OK David, you are on.  I will try it fully patched and Norton running
full blast and see what happens.

So were the CodeRed writers really Chinese?

On Saturday 23 April 2005 02:14 am, David Sommers wrote:
> Well Nancy - you were most likely hit with CodeRed.
>
> [anti-flame war hat on]
>
> I like to think that I'm the ambassador for all OSes - I've used them
> all and my three favorites are Windows, OS X, and Linux right now.
> (Although I'm installing FreeBSD on second box in the background right
> now.)
>
> Back in the early days of both IIS and Apache - it was easy to install
> the system with no patches and get hacked - pure and simple.  Now - we
> know what "least privileges" means, how to NAT/firewall, etc.
>
> The problem with Windows and IIS is most users install it by default
> (which isn't the case for XP or 2003 anymore).  Your standard Windows
> user is about 5 cans short of a 6 pack and has no idea what IIS even
> stands for.
>
> Many of you are linux geeks and you know how to protect your Apache -
> here are some hints for your IIS on 2000 and XP.  (2003 ships with a
> secure base configuration)
>
> First and foremost, IIS Lockdown.  This one does A LOT - so read the
> instructions carefully.
> http://www.microsoft.com/technet/security/tools/locktool.mspx
>
> URL Scan is an optional component of IIS Lockdown.  It restricts the
> information being posted via IIS.
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod114.asp
>
> Patterns and Practices: Securing your Web Server
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod89.asp
>
> NSA Security Configuration Guides
> http://www.nsa.gov/snac/
> For IIS:
> http://www.nsa.gov/snac/downloads_miis.cfm?MenuID=scg10.3.1.4
>
> And don't knock IIS too much; Apache has its problems too.  Patch it -
> secure it - check it.
>
> There aren't that many great single-source guidelines for Apache.  You'll
> find some information with the NSA (since they did all the SELinux stuff
> too) and some with Apache.
> http://httpd.apache.org/docs-2.0/misc/security_tips.html
> http://www.nsa.gov/selinux/index.cfm
>
> Put your pitchforks down... I'm just being fair.  If you take a few
> minutes to make sure your setup is solid, you can make it work great
> like eWeek did for their OpenHack competition.  The contest was to hack
> either the Apache/Oracle/Java or IIS/SQL/.NET setup.  They both stood up
> well (the Oracle stack was hacked but it was due to the application
> itself being vulnerable and not the underlying software).  Note - most
> systems are hacked through non-OS software such as Web Apps or simply by
> lack of proper administration (bad setup, not patched, etc).
> http://www.eweek.com/article2/0,1759,741388,00.asp
>
> /David.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nancy Anthracite
> Sent: Friday, April 22, 2005 5:27 PM
> To: [email protected]
> Subject: Re: [Hardhats-members] VistA Web
>
> Time for a web search for a work-around ... meanwhile, those with XP Pro
> have IIS as an option for their installation.  Can they at least try it
> or does it take something more than that, I wonder?
>
> Anyone who uses IIS, be careful. It is a popular target.  A few years
> back I was using it to debug some code for a web site that was going to
> run on an IIS server.  I got hit successfully with my first virus when I
> was using it.  My screen blanked and a message came up, "You have been
> hacked by Chinese."  I shut it down and reformatted the disk.  After
> that, I didn't start it when my machine was connected to the Internet.
>
> On Friday 22 April 2005 04:54 pm, Mark Street wrote:
> > It looks to me like it is pretty much Windoze 2003 specific.  Too
> > bad....
> >
> > Software Requirements.... from the installation document.
> >
> > Windows Server 2003 Enterprise, configured with the role of Application
> > Server Internet Information Services (IIS) 6.0 (installed by default as
> > part of the Application Server role)
> > Microsoft Visual J#.NET 2003 runtime component
> > .NET Framework 1.1 (part of the Windows Server 2003 operating system
> > default installation)
> > FTP services and an FTP folder (to be used as a staging location for
> > updates to VistAWeb)
> > SMTP Virtual Server
> > .NET Framework 1.1 is installed by default on Windows 2003 systems.
> > Service packs and updates to all three components are available through
> > Microsoft Windows update (http://windowsupdate.microsoft.com).
> > Web Extension Services set to allow ASP.NET extensions (see Figure 2)
> >
> > On Friday 22 April 2005 11:49, Nancy Anthracite wrote:
> > > Well, then I guess we will have to just figure out how to do that -
> > > tunnel it or whatever.  We have only begun to fight!
> > >
> > > Actually, since the Hui project folks gave me that nice bound copy of
> > > the documentation, I think they have it going, but I think they said
> > > it uses an IIS server, which means we will have to see about Apache
> > > and all of that, too.  It may be written with VB Script or something.
> > > I really haven't looked at it at all since I have been working on
> > > getting the CPRS/Wine problem licked - which we are finally making
> > > some progress on, I think/hope.

-- 
Nancy Anthracite


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Hardhats-members mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/hardhats-members