Jeff,

regarding host hardening, I hope the administrative accounts are not the Windows default ones (Administrator). If so, these need to be renamed to make exploits more difficult for attackers. It's kind of easy to identify WinNT / W2k administrative accounts since their SID ends with 500. If additional levels of host hardening are not applied, an attacker could easily search for an administrative account with a tool (sid2user, http://www.securityfocus.com/tools/544) to locate the account name.

If short passwords are set for the convenience of that vendor, you should check whether they need administrative rights to fix their own problems. Maybe they can be placed into a less privileged group in order to do their maintenance work. This is another point regarding your password issue that could be helpful when talking to that spokesman.

Also, you should check whether the rules in your firewall(s)/router ACLs are tightened regarding source IP/destination IP and ports for their remote access.

It might be helpful to consult your client's Security Policy, for it should contain password restrictions which have been set to mitigate risks. This is an important point, since they hold sensitive/confidential data. Usually, VPNs are put in place to minimize the risk of exposure/unauthorized access.

On Saturday 16 August 2003 23:26, Kirt Cathey wrote:
> Also, try to have the client present when you explain these items.

The last point is very important, since your client is becoming aware of that real security issue.

> 1) That the client's setup is very insecure for the following reasons
> a) The admin password is too short
> b) The admin password does not contain special characters
> c) The admin password should be changed regularly

Passwords that have been in use already should be added to a password history to prevent using these again. Please make sure that passwords have a minimum age as well as a maximum age. If the servers keep sensitive information as you pointed out, new passwords mustn't be similar to previous ones, to prevent that vendor from setting passwords like abc$01, abc$02 and so on.

> 2) The current information security environment. VIGILANCE IS NO LONGER AN
> OPTION.

This is also an issue of costs, which should be important to your client's efforts in minimizing costs.

Kindest Regards,
Sebastian

-- 
straightLiners IT Consulting & Services
Sebastian Schneider
Metzer Str. 12
13595 Berlin
Germany
Phone: +49-30-3510-6168
Fax: +49-30-3510-6169
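The checks Sebastian describes above (identify the built-in Administrator by its well-known RID 500 rather than by its name, see who actually holds administrative rights, and read the password age/history policy) as an added PowerShell example. This is not part of the original post or of any tool it mentions; it assumes a current Windows host with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later) and an elevated prompt, not the NT/2000 systems the 2003 thread was about. It performs the same SID-to-name translation that sid2user did over the network, only locally.

```powershell
# Added example, not part of the original mailing-list post.
# Assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module
# (Windows 10 / Server 2016 or later), run from an elevated prompt on a non-DC host.

# 1) Find the built-in Administrator by RID, not by name.
#    Every local account SID is <machine SID>-<RID>; the built-in Administrator is always RID 500,
#    so renaming it changes the label but not the identifier a sid2user-style lookup resolves.
$machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value
$adminSid   = New-Object System.Security.Principal.SecurityIdentifier("$machineSid-500")

# The SID-to-name translation sid2user performed remotely, done locally here.
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value
$adminUser = Get-LocalUser | Where-Object { $_.SID.Value -eq $adminSid.Value }

if ($adminUser.Name -eq 'Administrator') {
    Write-Warning "Built-in Administrator (RID 500) still carries its default name."
} else {
    Write-Host "Built-in Administrator (RID 500) resolves to '$adminName': renamed, but still identifiable by RID."
}
$adminUser | Select-Object Name, Enabled, PasswordLastSet, PasswordExpires, LastLogon | Format-List

# 2) Who actually holds administrative rights? A vendor maintenance account that only needs
#    to restart its own service does not belong here; move it to a less privileged group.
Write-Host "`nMembers of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 3) Password policy as enforced by the local SAM: minimum/maximum age, minimum length and
#    how many old passwords are remembered. With a history of 0 a vendor can cycle
#    abc$01 -> abc$02 -> abc$01 indefinitely; a minimum age stops burning through the history in one sitting.
Write-Host "`nLocal password policy (net accounts):"
net accounts
```

On a domain-joined host the local policy shown by `net accounts` only governs local accounts; use `net accounts /domain` to see the policy that applies to domain accounts. Note that `Translate()` to a well-known RID works without any privilege, which is exactly why renaming the account alone buys little against an attacker who can reach the SAM or LSA remotely.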
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 11:46:22 PDT