Windows IT Pro
Windows IT Library
Understanding Network Security
Author: Mark Joseph Edwards
Published: December 1997
Copyright: 1998
Publisher: 29th Street Press
 


Usenet Newsgroups
Newsgroups are an open forum that should be monitored as well:

  • alt.security — pertains to all security issues
  • alt.hacking — focuses on hacking in general
  • alt.2600 — pertains to the 2600 club
  • alt.cyberpunk — discusses hacking and cracking openly
  • comp.security.misc — provides a more serious discussion on security issues and concerns

Online Literature

INVITATIONS FOR INTRUSION

In this section, I cover some of the well-known problems with Internet services, showing you the major points of attack on your network. You should read this material carefully and scour your systems and network for signs of any of these vulnerabilities. In some cases, I may point out the obvious, but in others, I may not. In either case, all the information in this section is food for thought.

Remember this particular phrase whenever you are contemplating security issues in your environment: Think like an intruder.

Facility Access
When people think of security, they often don’t consider the floor space surrounding their systems and networking environment. An important aspect of securing your network is securing your facilities. Your security system could be as simple as housing your systems in a locked room or as complex as installing a high-tech intrusion detection system.

Never underestimate the lengths to which intruders go in their attempt to access your environment. Controlling access to your facility is just as important as any other part of securing your networking environment. Did you ever wonder who cleans your office at night while you’re away? If not, you should. More people have access to your facilities and network than you probably realize, including your building management and their vendors, leasing agents with master keys to all suites, cleaning crews with master keys, and utility companies that provide services to your building.

A truly secure environment includes strict control over who has access to facilities and when. Remember, you can evaluate your present situation by thinking like an intruder. Here’s a checklist (that by no means should be considered all-encompassing) to help you secure your environment.

Facility Access Checklist
  • Who has keys to all the office doors?
  • What’s above those ceiling tiles — could someone crawl over the wall?
  • Would a motion-detecting alarm be valuable?
  • Who has access to your computers?
  • Who has access to your administrator passwords, and how often are they changed?
  • Is your cleaning crew bonded?
  • Is your building management company bonded?
  • Is your building’s leasing company bonded?
  • Do your network cables run through exposed and vulnerable areas of the building?
  • Do you enforce policies about controlling visitors?
  • Do your employees bring family members to work on weekends or after hours?
  • Do you change locks and passwords when an employee leaves the firm?
  • Do you let vendors and other employees know when someone departs the firm?
  • Do you have a policy detailing what gets shredded before it is put in the trash?

These basic questions are a great starting point for evaluating your current situation. They can also help you arrive at better methods of controlling your physical environment. We’ll talk more about policies and procedures in Chapter 7.

The Password Playground
Passwords are required nearly everywhere. You need a password to access almost any protected resource in a computing environment. As I mentioned earlier, carefully chosen passwords can go a long way to strengthen your overall security implementation. Intruders go to great lengths in their efforts to obtain your passwords.

The risks of not adopting a strong password-choosing scheme are numerous. Poorly chosen passwords are easily guessed by robotic software designed just for that purpose. To get an idea of just how easy it is to get a password-cracking software tool, point your Web browser to an Internet search engine such as AltaVista (http://www.altavista.digital.com) or Excite (http://www.excite.com), and type the keywords "password cracker". You’ll be amazed at how quickly you can find one and get it up and running. I put a password cracker to work on my own system’s password file. Within eight hours, it had correctly found more than 190 passwords that it could use to gain access to my systems. I immediately changed all those passwords and instituted a very strict policy of password assignment that will help stop this situation from occurring again.

Most computer systems use a maximum password size of eight characters. However, Windows NT lets you choose even longer passwords. Choosing a good password is the real trick in preventing it from being cracked. The other side of the fence is that if your network transmits passwords in clear text, a sniffer can easily intercept them anyway. Although Windows NT networks don’t transmit passwords in clear text over the internal network, some of the computers attached to your Windows NT network might. Examine each type of operating system you use in your environment so you understand what your goals must be.

Choosing good passwords is only part of the equation. You must also adopt policies and procedures that determine how those passwords are used and disseminated. Here are a few tips for choosing and using great passwords:

  • Never use words that are in a dictionary. Intentionally misspell words, or simply make up a new word instead.
  • Never use your name in any way, shape, or form. Also, never use any other information about you that could be easily discovered.
  • Never use your family names, pet names, or other names or words that can be associated with you. If you’re a boating enthusiast, "sailing" would be a bad choice for a password, as would the words "captain" or "skipper."
  • Never let anyone borrow your user ID and password, no matter who it is. It could cost you your job or your network’s security. If you find yourself in a situation where you must let someone use your user ID or password, don’t leave that person alone at a computer logged on with it. Change the password immediately after the person is done, and log the incident to protect yourself just in case.
  • Never write down your passwords and leave them in your desk, purse, wallet, briefcase, or anywhere else. The rule of thumb here is if you can’t lock it up, don’t write it down.
  • Never reuse old passwords.
  • Never use the same password for multiple systems that you may have to access, unless you have a strong authentication system that governs such singular use of passwords.
  • Never use the "save this password" feature found in many software packages. If you do, you may as well tell everyone what your password is up front.
  • Do use at least six characters in your password at all times. If possible, use the maximum allowable password length. Remember, a password is meant to be difficult to discover, not easy to remember.
  • Do use a combination of letters and other allowable nonalphabetic symbols. Replace letters with numbers once in a while, but not always. For example, you can use "1" instead of the letter "L" or a "4" instead of the letter "A."
  • Do make passwords logically easy to remember, but only if absolutely necessary, and in those cases make them physically difficult to guess. For instance, "extreme" may at first seem like a good password, but "extr3m3" is a far better choice.
  • Do change your password frequently, even if your security policies don’t require it.
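
The mechanical tips in the list above (length, dictionary words, personal words, character mix) can be enforced when a password is proposed. The following Python sketch is an added example, not code from the book; the word list, the account names, and the function names are constructed for illustration.

```python
# Constructed stand-in for a real word list (assumption for this example).
DICTIONARY = {"extreme", "sailing", "captain", "skipper", "password", "secret"}
MIN_LENGTH = 6  # "use at least six characters"

def check_password(candidate, personal_words=(), dictionary=DICTIONARY):
    """Return the list of tips a candidate password violates (empty = passes)."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than six characters")
    if lowered in dictionary:
        problems.append("dictionary word")
    # Names, pets, hobbies: anything that can be associated with the user.
    for word in personal_words:
        if word and word.lower() in lowered:
            problems.append("contains personal word: " + word)
    has_letter = any(c.isalpha() for c in candidate)
    has_other = any(not c.isalpha() for c in candidate)
    if not (has_letter and has_other):
        problems.append("needs letters and nonalphabetic symbols together")
    return problems

def audit(proposals):
    """Map {user: (candidate, personal_words)} to {user: problems} for failures."""
    report = {}
    for user, (candidate, personal) in proposals.items():
        # The account name itself always counts as a personal word.
        problems = check_password(candidate, personal + (user,))
        if problems:
            report[user] = problems
    return report

# Constructed proposals; personal words would come from account records.
PROPOSALS = {
    "mjones": ("extreme", ()),
    "kpatel": ("extr3m3", ()),
    "bsmith": ("Skipper9", ("skipper", "sailing")),
    "tnguyen": ("tnguyen!", ()),
    "rlee": ("x4!", ()),
}

if __name__ == "__main__":
    for user, problems in audit(PROPOSALS).items():
        print(user, "->", "; ".join(problems))
```
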

Normal Windows NT user accounts disable themselves automatically after a certain number of bad password attempts. A word of caution regarding the Windows NT Administrator user account: this account does not lock itself out for password failures unless you modify the NT registry. The Administrator account is thus incredibly vulnerable to attack because a would-be intruder could repeatedly attempt to guess a password until the password is discovered. The best way to guard against this vulnerability is to change the name used for this account. Don’t leave it defined as "Administrator," and don’t change it to something obvious like "Admin." Change it to something difficult to guess, yet something you won’t forget.

Spoofing
Spoofing occurs when IP packets from an intruder masquerade as packets from a trusted system. Spoofing lets an intruder on a TCP/IP network such as the Internet impersonate a local system’s IP address. If other local systems on your network perform session authentication based on the IP address of a connection, they believe incoming connections from the intruder originate from a local trusted host and do not require a password.

This technique is especially damaging when connections are permitted without a password. It is possible for forged packets to penetrate a packet-filtering firewall if the router is not configured to block incoming packets that have source addresses in the local domain. This attack is possible even if no session packets can be routed back to the attacker. Note also that this attack is not based on the source routing option of the IP protocol.

Network configurations that are potentially vulnerable to IP spoofing attacks typically

  • Have routers to external networks that support multiple internal interfaces
  • Have routers with two interfaces that support subnetting on the internal network
  • Have proxy firewalls where the proxy applications use the source IP address for authentication

IP spoofing attacks are very difficult to detect. The best defense against IP spoofing is to filter packets as they enter your router from the Internet, blocking any packet that claims to have originated inside your local network. Commonly called an input filter, this feature is currently supported by several major router manufacturers, such as Bay Networks/Wellfleet version 5 and later, Cabletron with LAN Secure, Cisco with RIS software version 9.21 and later, Livingston, and NSC. If your current router hardware does not support packet filtering on inbound traffic, you can always install a second router between the existing router and the Internet connection. The second router can then filter spoofed IP packets with an output filter instead. In any case, do not underestimate the dangers of becoming a victim of IP spoofing.
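
The input-filter rule described above, modeled in Python as an added example (not code from the book or from any router vendor): a packet arriving on the external interface is dropped when its source address falls inside any internal subnet. The subnets, interface labels, and sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Assumed internal addressing: one site, two subnets behind the border router.
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/24"),
                 ipaddress.ip_network("10.1.1.0/24")]

# iface: interface the packet arrived on ("external" or "internal")
# src:   source address as claimed in the IP header
Packet = namedtuple("Packet", "iface src dst")

def claims_internal_source(pkt):
    """True if the header's source address lies in any internal subnet."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in INTERNAL_NETS)

def input_filter(pkt):
    """Decide 'drop' or 'pass' for one packet at the border router."""
    try:
        spoofed = pkt.iface == "external" and claims_internal_source(pkt)
    except ValueError:
        return "drop"  # unparseable source address: fail closed
    return "drop" if spoofed else "pass"

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    Packet("external", "203.0.113.40", "10.1.0.5"),  # ordinary inbound
    Packet("external", "10.1.1.9", "10.1.0.5"),      # claims the other subnet
    Packet("external", "10.1.0.5", "10.1.0.5"),      # claims the target itself
    Packet("internal", "10.1.0.5", "203.0.113.40"),  # genuine local host
    Packet("external", "not-an-ip", "10.1.0.5"),     # malformed header
]

def filter_report(packets):
    """Return (decision, packet) pairs so drops can be logged and reviewed."""
    return [(input_filter(p), p) for p in packets]

if __name__ == "__main__":
    for decision, pkt in filter_report(SAMPLE):
        print(f"{decision:4}  {pkt.iface:8}  {pkt.src} -> {pkt.dst}")
```

Every internal subnet has to appear in the filter's list; a subnet left out is one whose addresses can still be claimed from outside.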

Telnet, Rlogin, Rexec, and Rsh
Telnet, rlogin, rexec, and rsh are four programs that allow remote access to your network systems. Fortunately, none of these services come as part of Windows NT. You should never run these services on a Windows NT server unless you absolutely have to. You can enable remote connectivity in other ways that are far safer than these services. Let’s look at each program and its intended purpose.

Telnet lets a user log on to your system over a network; the user eventually arrives at a DOS command shell. Once logged on, the remote user has the same abilities and commands as a local user sitting in front of the machine’s keyboard. This scenario can be dangerous — just think about the damage a simple Delete command can do. There is no real need to run telnet on a Windows NT server. Keep in mind that a telnet service is the server aspect of telnet, and that a telnet client is completely different because it connects to the telnet service running on a given machine.

The rlogin service is similar to telnet in that rlogin lets users log on to a remote host and work as if they were sitting directly in front of the remote computer.

The rexec and rsh commands let you send commands to a specified remote host for execution. The difference between rexec and rsh is in security checking. With rexec, the remote host bases authentication on a user name and password. With the rsh command, the remote host bases authentication on user name and information found in either the hosts.equiv or .rhosts file. You should not run these services on your Windows NT machines because you can use other means (such as secure telnet) to get work done.

File Transfer Protocol (FTP) Server
FTP lets a user upload and download files over a TCP/IP network. FTP servers are incredibly useful when configured correctly and offer a great way of moving files.

The FTP server found in Windows NT, like all others, lets a user log on from a remote location to transfer files. The user can log on either by using a valid Windows NT user name and a password or anonymously, if the FTP server is configured to allow anonymous logons. After logging on, users may navigate the parts of the directory tree that they can access and upload and download files. You should take special care when you configure the file security settings for FTP users because you don’t want to allow access to system files or other sensitive files inadvertently.

An FTP server running on a Windows NT machine presents most of the same inherent dangers as FTP servers running on Unix machines. Incorrect configuration can leave openings for intruders to exploit your data. You need to understand how file permissions are handled under Windows NT, and with that knowledge you can adequately protect your system when running an FTP server.

One basic rule: never allow the FTP server access to a non-NTFS partition. Only NTFS lets you set permissions correctly; DOS partitions offer no form of security. We discuss NTFS security settings in more detail in Chapter 3. Pay special attention to that chapter if you intend to run an FTP server on your network.

Mail Servers
In the Unix world, Internet mail servers can be a real threat to security for a variety of reasons. In the Windows NT world, the threat is just as real if the server isn’t configured correctly. The most popular Internet mail servers consist of two basic parts: the Simple Mail Transfer Protocol (SMTP) server and the Post Office Protocol (POP3) server. SMTP is a standard means of moving mail from server to server on a TCP/IP network. POP3 is a standard way for mail clients to receive mail from a mail server.



 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.