Security Basics mailing list archives
Re: secure sharepoint 2010 design
From: Paul Johnston <paul.johnston () pentest co uk>
Date: Thu, 05 Aug 2010 16:40:42 +0200
Hi,
> I'm worried about browser exploits calling home and giving remote shell to outsiders.
Internal firewalling does nothing to prevent that. Smart exploits will pretty much always be able to call home, either through DNS, picking up proxy settings from a browser, or actually through the browser.

The firewall does reduce what a compromised system can access. Of course, it can access anything that the user needs to do their job, which may be significant (say, if the user is a cashier). What it stops (hopefully :-) is a hacker using an exploit to get more access than that. I'm not sure how important that is these days though - if your patching is up-to-date, remote compromise exploits are rare. And even with the firewall in place, if the hacker has a remote compromise exploit, they could target it against other workstations. Although, with the "IPsec everywhere" approach they can't do that. In fact, simpler than IPsec, if workstations had their host firewall enabled, with an exception for specific management networks that contain things like the domain controllers, that would prevent this.

I'm not against internal firewalling, just pointing out that the benefits might not be as clear-cut as you'd think.
Depending on what your company does, other actions may be appropriate. If you have extensive web operations, it may be better to focus on your SDLC. If you handle lots of confidential information, DLP may be a higher priority. Most organisations are well behind with patching; this may be more important to you.
Did you think about other approaches you could take to boost security?
> We would create specific rules for those workstations to only have access to the systems and ports they need. Yes, that opens a little hole, but it's still better than leaving it wide open.
Fair 'nuff. The only realistic alternative is to have separate workstations for administration, perhaps VPNing over the main workstation network. While this would be fab for security, I've never seen it implemented.
> I was thinking about making this a separate project instead of trying to piggyback it with the SharePoint project.
I think that's the best way. As for no-one wanting to touch it... surely that would be a good thing for a firewall :-)
> We just had a company near us get hit with a major worm and it caused them lots and lots of damage and changed the way they do things internally.
You can include the incident that happened at the nearby company in your risk assessment. Concrete incidents are always more persuasive than "in theory if..." arguments. But think carefully about what controls would have helped with this (I know it's tough without all the details). For example, NAC and disabling USB ports may have prevented the outbreak - while internal firewalls would just limit its scope.

Paul

--
Pentest - When a tick in the box is not enough
Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
Office: +44 (0) 161 233 0100  Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
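The host-firewall arrangement Paul describes above (inbound blocked on every workstation, with an exception only for the management network that holds the domain controllers) as an added, worked example. This script is not from the original thread or from Pentest; it is written for the Windows 7 / Server 2008 R2 hosts a SharePoint 2010 deployment would sit beside, using netsh advfirewall. The management subnet 10.0.10.0/24, the rule name and the choice of built-in rule groups are assumptions to be replaced with your own.

```batch
@echo off
rem Added example (not from the original thread): host-firewall baseline for an
rem ordinary Windows 7 / 2008 R2 workstation, run as Administrator or as a GPO
rem startup script. Unsolicited inbound is dropped everywhere except from a
rem management network; outbound stays open. As Paul notes above, this limits
rem lateral exploitation between workstations, it does not stop call-home traffic.
setlocal

rem Assumption: the management network holding the domain controllers and admin
rem hosts. Replace with your own subnet(s); netsh accepts a comma-separated list.
set MGMTNET=10.0.10.0/24

rem 1. Default policy on every profile: block inbound, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 2. Built-in inbound allow rules (SMB, RDP, RPC-based remote admin) default to
rem    a remote address of "any". Re-scope them so only the management network can
rem    reach those services; a compromised neighbour on the workstation LAN cannot.
for %%G in ("File and Printer Sharing" "Remote Desktop" "Remote Administration") do (
    netsh advfirewall firewall set rule group=%%G dir=in new remoteip=%MGMTNET%
)

rem 3. One explicit allow for the management network on every port, so patching,
rem    vulnerability scanning and incident response still work. Rule name assumed.
netsh advfirewall firewall add rule name="Allow inbound from management network" dir=in action=allow protocol=any remoteip=%MGMTNET% profile=domain

rem 4. Check the result: profile policy, then every inbound rule with its
rem    remote-address scope. Any enabled rule still showing RemoteIP "Any" needs a look.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=in | findstr /C:"Rule Name" /C:"Enabled" /C:"RemoteIP"

endlocal
```

Two caveats a practitioner will want. Windows Firewall with Advanced Security evaluates explicit block rules before allow rules, so do not add a blanket `action=block remoteip=localsubnet` rule "for clarity" if the management hosts share that subnet: it would lock out the domain controllers as well, and the blockinbound default policy already drops whatever the remaining rules do not allow. And because the rules are scoped to the domain profile, a laptop that leaves the domain network falls back to the public or private profile, so set the same blockinbound default on those too (step 1 does this for all profiles) and push the whole thing through the Windows Firewall with Advanced Security node in Group Policy rather than relying on a one-off script.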
Current thread:
- Re: secure sharepoint 2010 design Paul Johnston (Aug 03)
- Re: secure sharepoint 2010 design Francois Yang (Aug 03)
- Re: secure sharepoint 2010 design Paul Johnston (Aug 09)
- Re: secure sharepoint 2010 design Francois Yang (Aug 03)
- RE: secure sharepoint 2010 design Boyd, Chad (Aug 03)
- RE: secure sharepoint 2010 design Boyd, Chad (Aug 09)
- Re: secure sharepoint 2010 design Paul Johnston (Aug 10)
- RE: secure sharepoint 2010 design Boyd, Chad (Aug 10)
- Re: secure sharepoint 2010 design Ansgar Wiechers (Aug 11)