[963] in Intrusion Detection Systems
Re: IDS: Real-time IDS for Windows NT?
daemon@ATHENA.MIT.EDU (David)
Mon Sep 15 23:36:47 1997
In-Reply-To: <1.5.4.32.19970915000847.00a8a8d8@pop.mindspring.com>
Date: Mon, 15 Sep 1997 18:03:28 -0700
To: ids@uow.edu.au
From: David <sideone@ultranet.ca>
Reply-To: ids@wyrm.its.uow.edu.au
Hello, I don't want to sound rude, but I don't know how my name got on this
mailing list. PLEASE stop sending me mail...
>ISS Inc. makes 2 products, Real Secure, which is a "real time" intrusion
>detection system, and their S3 product, which is a vulnerability analysis tool
>(limited in scope to the vulnerabilities posed via an IP network); as far as
>vulnerability analysis, I also use the Kane Security Analyst and Bindview EMS
>to look specifically at NT issues outside of the scope of the ISS tools.
>These tools look at password policies, check all passwords against a
>dictionary, look at RAS permissions, User Rights issues, etc. They can look
>at the ACL of a directory for easier analysis than you can get from the
>native NT tools; well worth investigating. You can download eval copies of
>all three from the respective web sites. (www.iss.net; www.bindview.com;
>www.kane.com (?) not sure of the last one.)
>
>For "real time" security monitors I personally use the ISS "Real Secure" for
>my IP networks, but Wheelgroup also makes a very good monitor that some of
>my co-workers use.
>
>As far as the dial-up access to RAS is concerned, no "real time" system that
>I am aware of can monitor this access; they MAY pick up hacking attempts
>made across the network AFTER the RAS line is accessed but would not catch
>anything across the local wire. I use several tools for user authentication,
>including ID systems on firewalls, Shiva modems, etc., as they have much
>better authentication control. NT 5.0 is supposed to ship with Kerberos and
>S/Key.
>
>One thing is certain, NT will never be secure from a default installation
>and from my impression was never intended to be... I think Microsoft's
>claim that NT is C2 certified is, in large part, a disservice as it leads
>many inexperienced network managers to a false sense of security and at the
>same time makes the hackers much more interested in defeating its so-called
>security...
>
>
>At 08:31 AM 9/14/97 EST, you wrote:
>>I have worked on half a dozen different networks over the past six
>>years and the two most effective intrusions I saw were through
>>out-of-the-box Windows NT installations with dial-up modems.
>>
>>Recently I ran my own command files to check the security on 12
>>newly installed NT boxes and every one of them had most of its security
>>turned off. This looks like it is going to be a continuing problem.
>>
>>Does anyone have any experience with a Windows NT based real-time
>>intrusion detection system that is commercially available?
>>
>> Hog Farmer,
>> formerly with
>> Tropical Hog Improvement Programme
>>
>>