Jeff,

First and perhaps most importantly, I think the issue at hand really lies with your attitude. This is an attitude that's seen amongst extremely technical people when dealing w/ people they think are clueless. Remember, no one, particularly customers, is going to pay to be put down for their business decisions, even if those decisions were made with a lack of knowledge. In fact, given your post, one would think that they hired you for your knowledge...but I doubt that anyone would hire a consultant to deride their choice of software, etc.

In your post (below), you mention the problem. However, there is no correlation between the weak admin password and the change in the server. Even Exchange 5.5 on NT 4.0 can be configured relatively securely. Yes, it makes sense to upgrade, but many places need a business case for making the investment.

Vendors like those you describe are nothing new. Nor is the AT&T managed firewall. However, I think that you're approaching this the wrong way. You shouldn't view yourself as "facing" this guy, and "making" him do anything. You should be approaching this from the standpoint that you're helping provide a higher level of security to your customer.

Just a thought.

Harlan

> I have a customer whose company does legal work for lots of businesses.
> The data housed on their network is what I would call 'financially
> sensitive'. Recently, I found their Exchange server had been turned into
> an open relay. It was not that way a month ago. Once I stopped the
> bleeding, I told them I wanted to change the Administrator password,
> (NT4.0, Exch5.5. I know, I know). They told me they were not allowed to
> change the password. "Sez WHO", I asked. "Our software vendor", they
> replied. Turns out the vendor in question has a niche market in this
> kind of legal field. Also turns out they use the same 4-letter, (no
> caps, no special chars), administrator password on ALL their customers'
> networks.
> To make matters worse, they have PCAnyWhere ports open on all
> these networks, because their software is so buggy, the developers need
> to remote in and fix things all the time. The spokesman for the group
> claims that the AT&T managed firewall prevents anyone else from using the
> PCNoWhere ports by IP address.
>
> I'm not a great negotiator, and I'm going to face the SW spokesman next
> week. He is a good spin doctor. I'm looking for help in making him
> secure his stuff. All help is appreciated.
>
> Jeff Peterson
> BTIIS
This archive was generated by hypermail 2b30 : Sun Aug 17 2003 - 10:33:48 PDT