THE OFFICIAL BLOG OF THE SBS DIVA

Susan,

You can get as much info about your version of exchange even without an email - try doing a telnet to port 25 of your SBS box and that will show you what version your running. Information leakage is enormous if you know where to look. I was talking to this guy called David who works for our Dept of Defense, and they have their secret network totally isolated from the main LAN - no connectivity between them at all. A good hacker can use the information in your emails quite easily to get in, but they still need more info to actually do any real damage.

As I posted more completely in your other Blog topic (I encourage others to read that blog), I repeat that just because you're leaking information in one place is <no reason> to willingly dump more information about yourself on the Internet.

And, remember... everything you dump on the Internet lives forever... somewhere...

Also, regarding your current post...
- dotLocal and dotLAN are recommended names for all Windows Domains, not just SBS
- There's little excuse for most people to be using the 192.168.16 network ID. They do so only because they don't know better. I have always consistently recommended changing it and have even suggested in my "Web Publishing Companyweb" paper that the SBS team should do something about this, too... for instance, assigning a network ID by random from a selection.
- Public network IDs are fine. You often intentionally publicize it because that's how others will find your server.
- Yes, you identify your mailserver but if that's a bugaboo to you, you can modify your server's banner. Personally on an SBS I don't bother to do that because I expose so much other information that identifies I'm running Microsoft technologies... like aspx websites, IIS webserver, the number and types of services I'm running.

Yours,
Tony

.local and .lan are not typically seen by me in other "non" SBS domains.

Your mileage may vary.

192.168 wont get routed by default across the internet anyways....., so whats the issue here?

As a side note, I don't think people knowing less about your network should be a form of security. A poor analogy could be that I know you drive a ford expedition, but I cant steal it, because you *lock* it. My point is that the difference between stealing your data and not stealing your data should not hinge on what IP scheme you are doing, which can be easily figured out by sniffing your unsecure wireless network, or walking into your office and using an available lan jack to sniff things out.

Security by obscurity is no security at all. Enough said.

Secure Computing is a relative term. As long as so much of the Internet requires no authentication (eg. SMTP, DNS) and as long as hackers discover new vulnerabilities particularly where they don't have to be authenticated there is no reason to make it easy for malicious users.

Remember, even people who write exploits look for low hanging fruit, and the more useful information about yourself is easy to acquire, the lower you are all the time.

"Security by Obscurity" alone is insufficient, but it's also a mistake to not include it in your overall Security Solution.

I don't want to discuss specific possibilities of exploiting a Host with a private address because it wouldn't be responsible, but a general comment is that if what you say were true then there would not be any IDS technology, there would be no reason to patch/harden your machines behind a firewall, there would be no reason to run anti-virus or anti-spyware, there would be no reason to encypt your wireless LAN network.

Tony Su

Perhaps the difference then is that in the newsgroup, people are asking for help with a problem, and should post complete, accurate information.

If I ask someone for their ipconfig output, and they replace everything with x.x.x.x, what good does that do me, or them, from a troubleshooting standpoint.

My internal ip range is 192.68.10, 255.255.255.0, default gateway is 192.168.10.1. DNS is 192.168.10.4. Primary DNS suffix is vekst.lan. Now armed with that info, what can you do with it?

Although I said I wouldn't post a possible attack vector, because one isn't all that technically original...

I'd check out whether you're running any kind of wireless. If you are located close enough to me, have information that's valuable enough and I felt I could crack your wireless security (WEP and WPA are flawed, MAC addresses worse, not everyone is implementing 802.11i yet and I don't know any SMB installs implementing RADIUS-backed 802.1x), I'd know exactly what machines to target in the underbelly of your network... the DG, at least one host workstation, maybe more. I could assign myself a workgroup name the same as your domain name and browse your machines although I wouldn't be able to view resources on the machines without a User account, but be certain that if I have that much access to your network already it wouldn't be long at all before your entire network is transparent.

Note that although I've mentioned only a wireless way of getting into your network, don't be misled that if you don't run wireless you can't be vulnerable... it's only an example of one scenario and an imaginative SysAdmin and hacker should be able to easily dream up variations on the theme using other technologies.

Tony

Oh if you really want to scream check this guy out...

https://kmslaw.kennethmschwartzpc.com/Remote/logon.aspx?ReturnUrl=%2fremote%2fDefault.aspx

Think he is telling you enough about himself?

You know I was taking a look at the Google hits and it would be very easy to make yourself harder to be found just by doing a few simple things to the RWW page.

1. Change the Title of the page in the HTML.
2. Change Username/Password to something less "googleable"
Who are you:
Secret Code:

I think if I ever decide to allow direct connections to SBS and not via VPN (which is pretty stupid if you ask me) I would without a doubt make those changes.