mailing list archives
Re: Server Naming Conventions
From: "crazy frog crazy frog" <i.m.crazy.frog () gmail com>
Date: Sat, 15 Dec 2007 00:28:15 +0530
On 12 Dec 2007 18:50:15 -0000, <krymson () gmail com> wrote:
I can't cite any references (basically I only do the research when I really want to!), but I imagine you will find
references that suggest (or require) naming systems in a way that does not reveal their use. Naming an IIS 5 Web
Server something like WEBSIIS5 would be a bad practice, in theory.
In reality, I think most shops name systems how they want, since finding out services, uses, and system OS levels can
be fairly trivial and done in many ways. Still, making an attacker work and possibly make false assumptions has minor
value to some. I think anyone that has done any black box service/server recon will have made an error in judgement
at one time or another.
I'd break server naming into three groups:
1) Random names, or even names of random stuff. HanSolo, Luke, Jupiter, Mercury, Zeus, MilkyWay, Larry, Curly, Moe,
REGEHSJE, GSDFOHE, XKCD... This is a fun way, keeps the systems fairly hidden with the tradeoff that you better know
which system does what, and new staff will take time to figure it out. Names that mean something, like Mercury, are a
step in the "better" direction, as opposed to DFSDRLJH.
2) Random, but predictable names that you track. This is a great tact for workstations, and can be used for servers
as well. SERVER001, SERVER002, SERVER003... You'll have to track in inventory what each does, however, and can become
confusing. But in this way the systems have standard names and do not give away their use.
3) Predictable names that reflect their use. CompanyDC01, CompanyDNS02, CompanyFS23 could be names for a domain
controller, dns server, and file server, respectively. I've found most companies do this, even if they give away the
server use to any curious parties.
<- snip ->
Id like to see if anyone has any information on system naming
conventions, best practices, NIST, DISA, etc....
Are there any US GOV requirements on how systems/servers should or
should NOT be named?
advertise on secgeeks?