On 24/06/10 12:34, Simon Waters wrote:
> Aaron Trevena wrote:
>> a) Quite a few "windows" of vulnerability for IIS/SQL Server/ASP/etc where servers or system software are shipped with unpatched vulnerabilities and you needed to keep your server behind a firewall blocking all services for hours or days until all the service packs and patches have been applied (at some points in the last few years tests have demonstrated a standard Windows Server install with no 3rd party software being compromised within **minutes** of being plugged into the internet)
>
> My boss recently demonstrated this with W2KSP4 CD. Installing Windows 2000 with a slipstream CD that included service pack 4 on a box exposed to the Internet (not clever, but he was just testing if someone else's virtual server supports relevant aspects of W2K for a legacy application) and by the time it loaded the latest Microsoft Malware removal tool it had already been infected with something nasty, so he had to redo it all after adding a virtual firewall to the virtual server. Hardly news but it does make the point.
In the late 90s we used to set up (Solaris) servers on a private, physically separate network and transfer them to the public network once all patches were installed and the system had been hardened. From the point at which the server was booted on the public network on a previously unused IP address from a new RIPE PI netblock assignment, you'd have lost your money if you'd bet on it being more than fifteen minutes before the machine was first scanned for vulnerabilities.

James

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html