Having fun while learning about and pivoting into the world of DFIR.
by ogmini
Just finished “Preventing Web and Email Server Attacks (IR205) offered by CISA. I talked about these in a previous post and would encourage those eligible to register.
In the course we were given overviews about:
The labs had us examining and later installing an SSL Certificate for a website hosted on an IIS server. We also disabled port 80 and verified this by using NMAP. The last half of the labs had us comparing PCAP files of an email sent over TLS and in the clear. Finally, we created SPF, DKIM, and DMARC records.
This was a very, very high level overview of how to prevent web and email server attacks. It honestly just barely scratched the surface of what needs to be done to properly configure and secure these types of servers. What they suggest in the course should be considered the bare minimum. Nothing that was presented would prevent SQL Injections, XSS, or DoS attacks. One small complaint of mine is the lab showing how to remove the binding for port 80. In my opinion, they instead should be showing how to setup a redirect on the server level to 443.
Swapping some of those labs over to showing how to use various tools to scan for misconfigurations or show best practices would be far more useful for the real world. Just as an example, I’ve found IIS Crypto to be very useful as a baseline tool https://www.nartac.com/products/iiscrypto. A bunch of us also shared with the other students various websites such as https://www.ssllabs.com/ssltest/ that is useful for checking your web server configuration.
Overall, it was a solid introductory course, though it was intended for a different audience than myself.
tags: training