Threats.
Risk.
Entry points.
We all have them. But... honestly... I don't think we truly understand them well enough to be doing the proper things about them. So many times I see people so worried about the outside wall, the firewall, the perimeter.
Too often I see folks blindly refuse to look at SSL or RDP as "oh, they are subject to Man in the Middle attacks, so we just have to use this technology over there"... without really understanding the REAL and TRUE risks to the network. I talk about SMB signing and it's often touted as being able to deflect man in the middle attacks... and where's the REAL risk of MITM attacks via SMB? With non-Windows clients. That's right, the main thing SMB signing deflects is man in the middle attacks done by non-Windows workstations.
Okay...so how many non Windows workstations do I have in my full 100% Borg network?
Hm... do we remember?
Yes?
Yeah.. Zippo...nada...zilch.
So why do we worry about things over 'there' when I'm still having to run a lot of desktops with local administrator, or hack registry hives in a manner that, even afterwards, I'm not sure opening up class roots like I have to is the wisest thing in the world? And yet we get so caught up in these threats that, because either we don't get good enough information about them or we don't understand them, we put our resources in the wrong place.
Today someone was saying that they didn't set up their clients with Remote Web Workplace because they didn't feel it was secure enough and never got an answer back from the sources they contacted at Microsoft regarding RWW [my question... uh... who did you talk to at Microsoft? Because honestly even the Security bulletin on the RDP vulnerability didn't understand that SBS doesn't 'listen' on 4125. The bulletin's "mitigation" for SBS is not right at all. That port never "listens". That's the beauty of it. It waits for authentication].
Next the comment was made that SSL and RDP are both susceptible to Man in the Middle attacks... but with server-based certificates they are not. Okay... but in SBSland we have a self-signed server certificate that you can add to the local certificate store on your computer. So where's the Man in the Middle risk?
Remember what happens during the installation of SBS 2003 SP1 if you don't export those self-signed certs and ISA 2004's wizard kicks in and builds new ones? Remember how Outlook over HTTP suddenly fails?
Remember the warnings from the SP1 premium notes?
- To maintain the current authentication experience for your users, it is highly recommended that you save your existing certificate by exporting it before you begin to set up ISA Server 2004.
- During the ISA Server installation process, you will need to indicate that you are creating a new certificate. Later, you will import your saved certificate in order to maintain your current authentication experience for your users.
So ... tell me... how much of a risk of Man in the Middle attacks over our Remote Web Workplace is there truly? In REALITY?
Truly ... I've never seen a MITM attack in the SBS newsgroups. What is the true reality of that kind of attack happening?
Malware.. oh yeah.... SMTP auth attacks.. heavens yes... Stupid passwords... all the time... but MITM?
I guess what I'm saying is, one size of paranoia... does not fit all.
We've got to stop following something just because it's the super duper high security right thing to do over there without looking to see if it's the RIGHT SECURITY thing to do over here.
Read between the lines of what Dana is doing in this post. He's not throwing stuff on his system just because he can; he sat down and made a risk analysis of what his concerns were, what his threats were, and what protection he felt was reasonable. We'll actually be talking a bit about this at SMBnation, where he and I will be presenting.
I love the comment from several attendees of the SMB Technology Network session: they wanted real solutions that would deliver real value to their clients. They didn't want to use scare tactics to sell anything, and especially not solutions that really didn't help with the real risk.
So truly... what's your REAL risk for your clients?
Are you solving that?
Hope to see you there at SMBnation!