Albert <albert.xtheunknown0@gmail.com> writes:
> Todd H. wrote:
>> How is the machine physically secured?
>
> What do you mean by "physically secured"?
Your original post didn't mention if we were talking about a server in
a rack, or under a desk, in an office, in a private residence, etc.
Physical security = who can put their hands on the box. Because if
someone can touch the box, they can own it.
>> Who can, say, get at its USB ports? Console?
>
> Only me.
Then that cuts out a lot of worries about attacks from people with
physical access to the box.
>> What OS is it?
>
> To be Windows 7.
>
>> What else is on the LAN with that computer? What else can initiate
>> any sort of network connection to the computer?
>
> Nothing else.
If it's the only machine on the lan, and that lan is firewalled off
from the Internet, and only getting SAS and AV updates, then indeed
your attack surface is very very small. You can then basically cross
network based attacks off the worry list. And as you dont' have a
user running internet based apps like web browsers chat clients or
peer to peer stuff on it, that cuts out all client-side attacks from
the worry list as well. About all you'd have to worry about is the
security of DNS to the SAS and AV update servers to avoid any arcane
man in the middle rougue update attack that might possibly be
envisioned, but I'd say those odds are quite small.
>> What services are running on the computer? Have they been kept up
>> to date? Do they have unpatched vulnerabilities?
>
> An AV, SAS and probably Sun VirtualBox.
>
>> How is it known that the computer only does those 2 things?
>
> Because I said so.
Sounds like if this is to be Windows 7 and you don't have the OS and
machine together yet, that you don't know exactly what services are
really running on the computer, just what things you plan to put on
the box. So, please, don't be an snide asshole when people are trying
to help you for free.
Technically, "Because I said so" doesn't tell you the same things a
port scan, list of running services pasted into a posting, or network
vulnerability tool would in terms of what you think you know about
what services are being offered by this machine (such as SMBv2 and its
(unpatched by vendor?) vulnerability. Then again we just had a patch
Tuesday so maybe they fixed that big ah-shit with smbv2. At any rate,
the services that are listing turns out to be a moot point since
you're in the very unusual situation of this one box being all alone
on the LAN, therefore the threats to its listening services from other
devices aren't really anything to worry about.
In summary: Your proposed setup seems poised to be a pretty tough
target, if the assumptions you've put forward all turn out accurate.
But I suspect that if this is a single machine in your home(?) all
alone on the LAN, you might be doing some web surfing from it? If so,
then that'd probably be the primary vector for getting infected.
Best Regards,
--
Todd H.
http://www.toddh.net/ 
Re: Security 
Linear Mode
