server names and security risk

What realistically is the risk if somebody found out an internal server name from the outside, e.g. what may it allow them to do in terms of a security attack? I am talking about from the outside. I noticed in some documents available on our website there is some mention of internal server names, and I need to quantify the risk. They are not accessible to anyone outside the organisation, only those internal to the company, but it still doesn't sit easy.
pma111 Asked:

masnrock Commented:
"I noticed in some documents available on our website there is some mention of internal server names and need to quantify the risk, they are not accessible to anyone outside the organisation, only those internal to the company, but it still doesn't sit easy."
Are we talking about SharePoint or something along those lines? I could not think of any other reason why that type of information would be out on a site in the first place.

"What realistically is the risk if somebody found out an internal server name from the outside, e.g. what may it allow them to do in terms of a security attack."
This serves more towards potential reconnaissance. How much information is published about that server in the documentation becomes what's key. Naturally, you should always be reviewing the security controls anyway.
0
Pete Long, Technical Consultant, Commented:
Personally it's never bothered me. I work on a lot of different networks, and I've seen everything from Simpsons characters, planets, moons, Greek gods etc. I just find it annoying. When I build DCs they have DC in the name, when I build Exchange servers then Mail, SQL servers have DB etc.

If someone can see your internal servers and is up to no good, then a quick port scan will tell them what every server is doing, rather than looking at server names.

Unfortunately a lot of internal documentation (particularly in the public sector) is written by people who don't have a clue or are copying information from somewhere else.

P
1
jaylweb, IT Manager, Commented:
I would remove any documentation about internal IT processes from public facing websites if they are available to the general public. If they are only accessible via an authenticated login, then as long as you have complexity requirements set up for passwords, I would not worry about the documentation.

As for server names, there is no risk if the server names are known. Even if someone was on your network, the server names being known is not a risk.
0
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
Zero risk if you follow good security procedures.

1) All sites, external + internal, all use SSL certs.

2) Any sensitive materials are password protected + only accessible via people with correct privilege to access these docs.

Hint: A large percentage of stolen data is done by employees + contractors. Don't think for a minute your data is safe, unless you first protect all data from internal staff or anyone else who may be inside your network at any given moment.
0
btan, Exec Consultant, Commented:
You already mentioned internal, so it should not even be revealed unless it is an inadvertent mistake like hard-coded files and names records.

Server names can mean a lot, as a company may have a nomenclature to the naming convention. Therefore leaks of such can give away:
1. the nature of the system,
2. the network segment it is hosted on or connected to,
3. the system numbered out of the asset, the department or team that looks after or owns it,
4. how dated the system is and its interlink with a certain model and vendor partner.

These seem insignificant, but as such leaks build up there always lies an opportunity for a very targeted and resourceful hacker, or even espionage-driven ones, to further penetrate into the organisation.

I may be over paranoid, though when faced with real incidents of leaks on Pastebin, it can get ugly regardless of how detailed or complete these are.
2
Gary Patterson, VP Technology / Senior Consultant, Commented:
Disclosures like this primarily increase the risk of social engineering attacks. Knowledge of your system names, architecture and user name structure allows attackers to create more convincing phishing and phone social engineering attacks.
2
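
For quantifying the exposure the question describes, one way to audit the text of documents published on your own website for internal identifiers. This is an added example, not code from any participant in this thread. The suffix list, function names and sample documents are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed internal DNS suffixes; replace with your organisation's own.
INTERNAL_SUFFIXES = ("corp.example.com", "local", "internal", "lan")

UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9-]{0,62})\\[^\s\\]+")
FQDN_RE = re.compile(r"\b((?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63})\b")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")

# Constructed sample input: text already extracted from published documents.
SAMPLE_DOCS = {
    "onboarding-guide.txt": (
        "Map the shared drive at \\\\FS-LON-01\\Policies and sign in to "
        "hr-db02.corp.example.com. Contact support@example.com for help."
    ),
    "vpn-howto.txt": "If the portal fails, try 10.20.30.40. Public site: www.example.com",
    "press-release.txt": "Visit www.example.com for details.",
}

def is_private_ipv4(octets):
    """True for RFC 1918 ranges: 10/8, 172.16/12, 192.168/16."""
    a, b = octets[0], octets[1]
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def find_internal_references(text):
    """Return {kind: sorted unique values} of internal identifiers in text."""
    found = defaultdict(set)
    for m in UNC_RE.finditer(text):          # \\SERVER\share paths
        found["unc_host"].add(m.group(1).lower())
    for m in FQDN_RE.finditer(text):         # names under internal suffixes
        name = m.group(1).lower()
        if any(name.endswith("." + s) for s in INTERNAL_SUFFIXES):
            found["internal_fqdn"].add(name)
    for m in IPV4_RE.finditer(text):         # private addresses only
        octets = [int(g) for g in m.groups()]
        if all(o <= 255 for o in octets) and is_private_ipv4(octets):
            found["private_ip"].add(m.group(0))
    return {kind: sorted(values) for kind, values in found.items()}

def audit(documents):
    """documents: {name: text}. Returns only the documents with findings."""
    report = {name: find_internal_references(text) for name, text in documents.items()}
    return {name: hits for name, hits in report.items() if hits}

if __name__ == "__main__":
    for doc, hits in audit(SAMPLE_DOCS).items():
        print(doc, hits)
```

The per-document output gives a list of what to redact and shows which naming-convention details (site, role, numbering) are visible to an outside reader.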