An interview of r.f.p., from Wiretrip and ADM
"Whenever you implement a production server on the internet, you have to think twice about *everything*"
<r.f.p.> - I have not seen *anything* from Microsoft on this topic. I think this is because of 2 reasons: 1. It was a 'feature'--it was there *on purpose*. It was not a bug. It
was just undocumented, except for *one* place I found 2 sentances
describing it. 2. MDAC 2.1.1 was released, which fixed this problem silently. They just removed this feature. Well, so it seems. I haven't finished my testing yet.
>:)
<Kitetoa> - Do you think that the the fact that there is the eEye bug, your advisory, BO2K, and, I guess, many other exploits out there for NT and/or IIS, should make people think about it twice before making a choice on what OS and server they are going to use for a Web site? <r.f.p.> - Quite honestly, whenever you implement a production server on the internet, you have to think twice about *everything*. The problem is that some corporations have standardized on Windows. That means, even if Linux looks like a good idea, they will not--they only use Windows, and that's policy. So rather than complain that you want to use Linux, figure out how to make NT secure. <Kitetoa> - NeonSurge says he can... Is there, in your opinion, ways of really securing an NT box running IIS ? <r.f.p.> - Yes there are. The problem is that it's usually stuff you have to dig and find out yourself, and only the better experts (like NeonSurge) know how to do it--it's not default. And Microsoft doesn't help you any. IIS ships with a few holes open *by default*. Not many people know where to look and what to close. And with Microsoft's big push to make NT administration 'easy', that means we are having more and more 'less-technical' admins surface, compared to the unix gurus of the old day. They just don't know how to do some of the technical stuff. <Kitetoa> - Do you think Internet should be used to conduct e-commerce? Mudge and Kitetoa (yes, he is smarter ;) ... ) think that it has not been disigned to be secure... Let's put it in another way: companies are linking in a way or another their information systems (which is the heart of their business capabilities) to the net. In many cases they put themselfs at risks. Is that wise? <r.f.p.> - I have to say yes and no. I don't think the Internet has been designed securely enough for e-commerce. Well, what I really mean is that *there are secure ways to do e-commerce*. They do exist. Unfortunately, a bunch of humans run it, and humans are less than perfect. The create bugs, holes, and otherwise break that secure model. To be a hacker, you only have to find one hole. To be an admin, you have to patch *all* the holes.Now, when we start making it so that servers are easier to administer, we get sysadmins that aren't exactly as aware of the big picture as they should be.
If I was a company, and I put the heart of my corporation on the Internet, I would want to make sure my admins were 'the best', and not just 'ok'.
<Kitetoa> - What would be your advice for a sysadmin so that he could get all the needed information to keep his/her domain secure? What should he/she read? What mailing list, what Web server? <r.f.p.> - Best advice is 'don't assume anything'. Pretend you're a secret government agent--only give people 'what they need to know'. Keep everything as minimal as you need it. Go over everything with a fine-tooth comb. Understand how it works on the lowest level...don't assume it just 'works'. When you get intimate with the technology and understand it, you'll also know how to protect yourself.
Back
Retour à la page précédente