> From: owner-postfix-users [mailto:owner-postfix-users] On Behalf Of Tony Earnshaw
> Sent: Wednesday, 14 November 2007 6:12 AM
> Cc: postfix-users
> Subject: Re: How to avoid dictionary attacks, from internal network?
>
> 1: Ban all internal network Windows machines from your internal networks
> - suggestion: make them all k12ltsp thin clients under Unix/Linux. Run Windows software under vmware (enough RAM and disk space is necessary).

Oh dear. Sure, thin clients can be good. But if you don't have a thin client guru, an adequately maintained Windows domain with a *firewall* in front of it is fine.

> 2: If (for any reason) 1: is not possible, make a Windows image CD/DVD of guaranteed virus/trojan free Windows source including the latest, greatest, anti-shit Windows AV software (this is where it begins to cost for the second time), wipe with dd or similar each Windows client and install the new CD/DVD. Norton's Ghost or similar will cost for the third time, but is much better than what you have now. Avoid stuff like IE and Outlook, replacing it with Firefox, Thunderbird, Lightning, Seamonkey or whatever. AND KEEPING THESE UP TO DATE.

Kind of bolting the barn door after the horse has fled, isn't it? Using an up-to-date AV is common sense, as is AV on user filestore servers and Exchange servers. Using a web border filter/proxy is common sense too. If you have Exchange, then you have to use Outlook (well, you could just run IMAP, but why bother with Exchange then) - products like Evolution and other MAPI connectors aren't ready for enterprise deployment, IMO.

As previously suggested, using your firewall to block outbound client access to port 25 (and pretty much every other port than 80, 443, 21 and 22) is also the *first* thing you should do. Keep your OS patches up to date (which applies to *any* OS).

> 3: (if 2:) make sure you update your Windows image on every client every time an important official Windows software update for whatever is released. See 2: Ghost.

This is standard procedure for any SOE build process.

> 4: Try, wherever possible, to use Open Source software rather than MS Exchange. THIS CAN GIVE GREAT PROBLEMS. ESPECIALLY WITH POSTFIX AND IMAP/POP3 SOFTWARE, depending on what stuff you have installed now.

Despite its annoyances, Exchange these days is reasonably good for emailing (although don't talk to me about message threading), sharing mailboxes/resources, and *scheduling*. These are the things that grown-up enterprises want in their groupware systems. Frankly, if anyone is just using Exchange for IMAP/POP, they're a mug. I've had no interoperability problems *at all* with using Postfix as my enterprise gateway.

> 5: On my internal LANs I have more or less what you have, 1:, 2: and 3: are implemented. Thank $DEITY 2: and 3: are implemented by a young, adventurous, (21 year old) Windows sysadmin who isn't afraid of suffering the odd nervous breakdown (seriously, he gets them regularly.

Maybe it's just me, but this 39 year old Windows and Exchange admin hasn't had a nervous breakdown in years. My systems just *work*.

> With the k12ltsp/vmware stuff everything runs for weeks and weeks, months and months.

So do all of our systems. Other than patching, our Exchange servers have had 100% uptime (touch wood) for the last 2.5 years (that I know of). So too with our Windows servers. I think we've had about 3 virus outbreaks (3000+ workstations) in that time - by "outbreak", I mean one or two machines infected, and quickly controlled by our AV. No virus/malware-related packets left our networks. This was with idiot firefighters downloading porn at all hours of the night on remote networks (they can't do that any more).
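The egress-filtering advice in the reply above (block outbound port 25 from workstations, allow only the mail gateway), as an added example that is not part of the original thread: a script that emits the iptables rules for review and then mines the resulting firewall log for internal hosts that keep hitting the block, which is how you find the infected workstation. The gateway address 192.0.2.25, the interface name eth1 and the log lines are all assumed/constructed.

```shell
#!/bin/sh
# Print (not apply) the iptables rules: only the Postfix gateway may forward to TCP/25,
# everything else is rate-limited logged and dropped. Arguments: gateway IP, LAN interface.
egress_smtp_rules() {
    gw="$1"; lan="$2"
    cat <<EOF
iptables -N SMTP_EGRESS
iptables -A FORWARD -i $lan -p tcp --dport 25 -j SMTP_EGRESS
iptables -A SMTP_EGRESS -s $gw -j ACCEPT
iptables -A SMTP_EGRESS -m limit --limit 10/min -j LOG --log-prefix "SMTP_EGRESS_DROP "
iptables -A SMTP_EGRESS -j DROP
EOF
}

# Constructed sample of what the LOG target above writes to syslog (not real log data).
SAMPLE_LOG='Nov 14 06:12:01 fw kernel: SMTP_EGRESS_DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.9 PROTO=TCP DPT=25
Nov 14 06:12:02 fw kernel: SMTP_EGRESS_DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.10 PROTO=TCP DPT=25
Nov 14 06:12:02 fw kernel: martian source 10.0.9.1 from 10.0.5.40, on dev eth1
Nov 14 06:12:03 fw kernel: SMTP_EGRESS_DROP IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=203.0.113.9 PROTO=TCP DPT=25
Nov 14 06:12:04 fw kernel: SMTP_EGRESS_DROP IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=203.0.113.11 PROTO=TCP DPT=25'

# Read firewall log lines on stdin; print "host count" for every internal source
# whose dropped outbound SMTP attempts reach the threshold given as $1.
suspect_hosts() {
    awk -v t="$1" '
        /SMTP_EGRESS_DROP/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) c[substr($i, 5)]++
        }
        END { for (h in c) if (c[h] >= t) print h, c[h] }
    ' | sort
}

# Stand-alone usage: show the rules, then the hosts with two or more blocked attempts.
egress_smtp_rules 192.0.2.25 eth1
printf '%s\n' "$SAMPLE_LOG" | suspect_hosts 2
```

Feed the real `/var/log/kern.log` (or journalctl output) into `suspect_hosts` to get the same report for live traffic.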