Re: IDS: Real-time IDS for Windows NT?

Keith Bastin (kbastin@mindspring.com)
Sun, 14 Sep 1997 20:08:47 -0400

ISS Inc. makes two products: Real Secure, which is a "real time" intrusion
detection system, and their S3 product, which is a vulnerability analysis tool
(limited in scope to the vulnerabilities posed via an IP network). As far as
vulnerability analysis goes, I also use the Kane Security Analyst and Bindview EMS
to look specifically at NT issues outside of the scope of the ISS tools.
These tools look at password policies, check all passwords against a
dictionary, look at RAS permissions, User Rights issues, etc. They can look
at the ACL of a directory for easier analysis than you can get from the
native NT tools. Well worth investigating; you can download eval copies of
all three from the respective web sites. (www.iss.net; www.bindview.com;
www.kane.com (?) not sure of the last one.)

For "real time" security monitors I personally use the ISS "Real Secure" for
my IP networks, but Wheelgroup also makes a very good monitor that some of
my co-workers use. 

As far as the dial-up access to RAS is concerned, no "real time" system that
I am aware of can monitor this access; they MAY pick up hacking attempts
made across the network AFTER the RAS line is accessed, but would not catch
anything across the local wire. I use several tools for user authentication,
including ID systems on firewalls, Shiva modems, etc., as they have much
better authentication control. NT 5.0 is supposed to ship with Kerberos and
S/Key.

One thing is certain: NT will never be secure from a default installation
and, from my impression, was never intended to be... I think Microsoft's
claim that NT is C2 certified is, in large part, a disservice, as it leads
many inexperienced network managers to a false sense of security and at the
same time makes hackers much more interested in defeating its so-called
security...


At 08:31 AM 9/14/97 EST, you wrote:
>I have worked on half a dozen different networks over the past six
>years and the two most effective intrusions I saw were through 
>out-of-the-box Windows NT installations with dial-up modems.
>
>Recently I ran my own command files to check the security on 12
>newly installed NT boxes and every one of them had most of its security
>turned off.  This looks like it is going to be a continuing problem.
>
>Does anyone have any experience with a Windows NT based real-time 
>intrusion detection system that is commercially available?
>
>                                  Hog Farmer,
>                                  formerly with 
>                                  Tropical Hog Improvement Programme
>
>