amphigory
just joined
Topic Author
Posts: 5
Joined: Sat Nov 29, 2008 8:48 pm

Protecting (w/Firewall Filter) Squishy Windows Servers?

Sat Dec 27, 2008 7:25 pm

Greetings.

We are almost exclusively a UNIX shop, but we maintain one Windows server for a few webhosting customers. Recently, we decided to eliminate our WatchGuard Firebox and replace it with filter rules in the MikroTik, and moved the Windows server out from behind the Firebox. Not being completely stupid, I completely locked down access to the Windows server, allowing only ftp, http, and https to go through.

A week later, the server was completely owned. Several hundred viruses, websites hijacked, etc. etc., and thank God I had a backup. I've now done what I had assumed the previous sysadmin had done (i.e. an antivirus and run Windows Update).

However, obviously, the (very old) WatchGuard was doing something more to protect the server than simple port filters, since simple port filters on the MikroTik weren't enough to protect the server. The WatchGuard doesn't have a built-in virus scanner, so it wasn't that.

So, here's my question: what can I do within the MikroTik (beyond port filtering) to protect this ridiculously insecure operating system from getting owned again?

Thanks for any suggestions!

Patrick
 
reinerotto
Long time Member
Posts: 520
Joined: Thu Dec 04, 2008 2:35 am

Re: Protecting (w/Firewall Filter) Squishy Windows Servers?

Sat Dec 27, 2008 8:36 pm


> So, here's my question: what can I do within the MikroTik (beyond port filtering) to protect this ridiculously insecure operating system from getting owned again?

Use one of your UNIX boxes as a transparent proxy to run ClamAV and another antivirus (AVG?), as well as Dansguardian/ClamAV.
 
dankerr
Frequent Visitor
Posts: 77
Joined: Wed Sep 12, 2007 10:56 pm
Location: Atlanta, GA USA

Re: Protecting (w/Firewall Filter) Squishy Windows Servers?

Sat Dec 27, 2008 9:10 pm

> So, here's my question: what can I do within the MikroTik (beyond port filtering) to protect this ridiculously insecure operating system from getting owned again?
> Patrick

Without starting a Windows/Linux war, you need to start with the Windows box. The firewall won't help if the box itself isn't configured in a secure manner. Any server (Windows, *nix, BSD, etc.) is only as secure as the admin who set it up. The biggest problem with Windows security is that it's too easy to bring an insecure server online. If you don't know how to secure the box (this applies to any OS), take it offline. The first question you should ask yourself is how was it compromised (ftp, file services, print, http, bad code, etc.)? I see too many servers where admins use administrator accounts for FTP, and have remote desktop open to the world. If it's running print and file services, kill them. If the box is soft and "squishy", start with the box.
 
gmsmstr
Trainer
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: Protecting (w/Firewall Filter) Squishy Windows Servers?

Mon Dec 29, 2008 3:59 am

Yep, you may have blocked the ports that you thought you needed to, but unless the server is set up to be secure or for public access, then it is just waiting to be compromised. Anything from an unpatched system, to crap private code. Once had a customer wonder why their SQL database server (that's not public) had completely changed entire tables, when the web server had an unsecured, non-password protected, non nothing protected, "RUN SQL COMMAND" right on the webpage! lol
