Home page logo

basics logo Security Basics mailing list archives

RE: Server Naming Conventions
From: "S. Earl Jarosh" <earlj () moneycenters com>
Date: Thu, 20 Dec 2007 14:42:10 -0600

I sort of like use toons or mythological characters with their pictures as
the wallpaper so that when you are using a KVM or other remote scheme you
know the server by the background picture.  Sequential naming conventions
are very boring and lack any sort of imagination. 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of crazy frog crazy frog
Sent: Friday, December 14, 2007 12:58 PM
To: krymson () gmail com
Cc: security-basics () securityfocus com
Subject: Re: Server Naming Conventions

mogli,mario,contra etc............

On 12 Dec 2007 18:50:15 -0000,  <krymson () gmail com> wrote:
I can't cite any references (basically I only do the research when I
really want to!), but I imagine you will find references that suggest (or
require) naming systems in a way that does not reveal their use. Naming an
IIS 5 Web Server something like WEBSIIS5 would be a bad practice, in theory.

In reality, I think most shops name systems how they want, since finding
out services, uses, and system OS levels can be fairly trivial and done in
many ways. Still, making an attacker work and possibly make false
assumptions has minor value to some. I think anyone that has done any black
box service/server recon will have made an error in judgement at one time or

I'd break server naming into three groups:

1) Random names, or even names of random stuff. HanSolo, Luke, Jupiter,
Mercury, Zeus, MilkyWay, Larry, Curly, Moe, REGEHSJE, GSDFOHE, XKCD... This
is a fun way, keeps the systems fairly hidden with the tradeoff that you
better know which system does what, and new staff will take time to figure
it out. Names that mean something, like Mercury, are a step in the "better"
direction, as opposed to DFSDRLJH.

2) Random, but predictable names that you track. This is a great tact for
workstations, and can be used for servers as well. SERVER001, SERVER002,
SERVER003... You'll have to track in inventory what each does, however, and
can become confusing. But in this way the systems have standard names and do
not give away their use.

3) Predictable names that reflect their use. CompanyDC01, CompanyDNS02,
CompanyFS23 could be names for a domain controller, dns server, and file
server, respectively. I've found most companies do this, even if they give
away the server use to any curious parties.

<- snip ->

Id like to see if anyone has any information on system naming

conventions, best practices, NIST, DISA, etc....

Are there any US GOV requirements on how systems/servers should or

should NOT be named?

advertise on secgeeks?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]