Windows IT Pro
Windows IT Library
Understanding Network Security
View the book table of contents
Author: Mark Joseph Edwards
Published: December 1997
Copyright: 1998
Publisher: 29th Street Press
 


The security concerns in establishing and running your own Internet mail server revolve around its configuration. Some mail servers allow users a certain amount of control over aspects of their mail account, such as passwords, mail aliases, descriptions, vacation messages, and forwarding options. At first glance, these options don’t sound like much of a security threat, but because they can be used to falsify identities or intercept mail, the potential for damage is great.

Intruders often spoof e-mail addresses, posing as another person by putting that person’s return address in their mail client and using that person’s mail server to send the message. SMTP itself does nothing to verify that the sender address belongs to the connecting user, so any server that relays for unauthenticated connections can be used this way. Perhaps they’re trying to get sensitive information from one of your vendors, such as your account number and the amount of open credit. Or perhaps they want to do some social harm by sending abusive e-mail to others on the network. Whatever the reason, you can protect against misuse of your own server by using a mail server that authenticates a connection before it’s allowed to send mail; note that this stops forgeries relayed through your server, not forgeries an intruder sends through some other server. The SMTP/POP3 server found in Microsoft’s Commercial Internet System platform (formerly code-named Normandy) is one such server. You can learn more about the Commercial Internet System platform at http://backoffice.microsoft.com.

Intruders also use mail servers to gain access to sensitive company information. If they crack the password to one of your mail accounts, they may be able to forward mail destined for that mailbox to themselves instead, or they may simply log on and read it from the server. The two best ways you can protect yourself against any type of mailbox hijacking are to encrypt all your e-mail and to practice good password selection and rotation policies. Encryption does not keep the intruder out of the mailbox, but it makes whatever is read or forwarded useless without the recipient’s private key. Pretty Good Privacy (PGP), a popular encryption package, is compatible with many popular POP3 e-mail clients. PGP was created by Phil Zimmermann and uses the RSA algorithm for key management and the IDEA cipher for bulk encryption, which makes it one of the best ways to encrypt information. You can get a copy of PGP from http://world.std.com/~franl/pgp/where-to-get-pgp.html.

Another way to protect your POP3 server, if it cannot restrict by itself which hosts may connect, is to install a packet filter or some other type of firewall in front of it and limit access to the POP3 port to clients within your own networks.

You should be aware that intruders sometimes retaliate against others by bombarding their mail server with high volumes of mail or by sending mail with giant file attachments. High volumes of mail overload a mail server, rendering it incapable of doing its real job and creating useless messages that you must clean up. Likewise, sending giant files to a mail server can wreak equal havoc. The files eventually eat all your precious disk space, causing the server either to crash or to stop accepting new mail.

Unfortunately, neither of these scenarios can be prevented outright if you expect to keep an open channel for e-mail in and out of the Internet. You can bound the damage, though: most mail servers let you reject messages above a maximum size and cap the disk space each mailbox may use. Beyond that, the best practice is to monitor your logs and keep a close watch on your disk space utilization. If users frequently complain about missing mail or slow performance from your mail server, look closely at the server before space becomes a problem.

Web Servers
A Web page may seem harmless, but it’s what’s in the Web page that counts. For the most part, Web servers are very secure software systems with only one job: to deliver Web pages to Web browsers. The jeopardy in a Web server comes from the way the Web pages are created and the content they hold.

In a Web page, a Common Gateway Interface (CGI) script, which is a mini-program, poses a potential problem. CGI is the interface through which a Web server runs an external program to handle a request and returns that program’s output to the browser. CGI scripts therefore run on your Web server, with whatever privileges the server gives them, whenever a client requests a page that invokes one. They can contain code designed to loosen security in any number of ways. Scripts can copy files, delete files, or even add or modify user accounts. Anything a programmer can think of is possible as long as the operating system allows it.

Protecting yourself against malicious CGI scripts under Windows NT relies on your Web server’s ability to limit program execution to certain directories and your ability to correctly configure your NTFS file security permissions. A good Web server always lets you limit the directories from which a CGI script can run. You should consider letting your scripts reside in and execute from only one directory. Configure that directory’s permissions for access only by the Web server and the administrator. This measure gives you greater control over scripts being placed on your Web server because users must ask the administrator to put them in the directory. You should also review these scripts to see how they operate before you allow them to be used on your production Web server, and look in particular at how they handle the input they receive from the browser: a script that passes untrusted input to a shell command or a file operation can be turned against the server even if its author meant no harm.

Microsoft’s ActiveX and Sun Microsystems’s Java are newer programming tools that you can use to add program code to Web page content, much as you use a CGI script. They pose the same inherent dangers as CGI and should be treated with equal caution. The main difference is that both ActiveX controls and Java applets are downloaded and run on the client’s Web browser rather than on the Web server. This setup presents a whole new set of dangers to guard against: an intruder can write malicious code that does plenty of irreparable damage when run on an unsuspecting Web-browsing computer. The two are not equally exposed, either. A Java applet runs inside the browser’s sandbox, which restricts its access to the local file system and the network, whereas an ActiveX control is native code that runs with the full privileges of the user who is browsing; the only protection offered is a code-signing certificate that identifies the publisher, and a signature says nothing about what the control actually does.

ActiveX and Java have been available only for a short time, and intruders are already using these new programming tools. For example, I happened upon a Web site with an opinion poll. The poll asked whether viewers liked the Web site. Those who clicked "yes" were quickly sent to another pleasing Web page from that site. Those who clicked "no" were in for quite a surprise. The "no" button launched an ActiveX control that my Web browser ran, which spawned dozens of new Web browser clients on my desktop until my system ran out of resources and locked up. It certainly opened my eyes to the potential dangers of freely surfing Web sites. That ActiveX control could have done much worse things to my system than simply making it crash.

Microsoft’s Web server, IIS, is covered in detail in Chapter 11. If you plan to run your own Web server under Windows NT, IIS is an excellent choice. Because it is seamlessly integrated into Windows NT, it adopts all the underlying security mechanisms provided by the operating system.

Denial of Service
One form of torment intruders use is called denial of service: intruders bombard a system with unnecessary traffic on a certain port or group of ports so that the services listening on those ports cannot respond to genuine requests. A denial-of-service attack is one of the easiest and most common ways an intruder torments a network. I give an example of a real denial-of-service attack later in the book.

A denial-of-service attack can be launched against any TCP/IP-based service you make reachable from the Internet. Protecting yourself against denial of service is tricky in some cases. Without a packet filtering router or proxy server in front of the service, you may not be able to stop such attacks at all, and even with one, traffic that saturates your Internet link has done its damage before the filter sees it. However, TCP/IP-based software that can close off traffic and limit access to certain networks and users can help.

Detecting a denial-of-service attack is usually not difficult. If your mail or Web server is not responding, it could be under attack. A significant drop-off in performance is another prime indicator. Finding out who the culprit is can be another story. If your system software isn’t logging connection attempts, you need a sniffing tool that lets you capture packets and look at the origin addresses. Bear in mind that flood packets often carry forged source addresses, so the address you find is a lead rather than proof and may belong to another victim. NetXRay is one software-based tool that can be invaluable when you experience various types of weirdness on your servers. You can get a copy of NetXRay at http://www.cinco.com.
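The following script is an added example, not code from the book or its author. It does what the paragraph above recommends, using a connection log rather than a live sniffer: it reads logged connection attempts (one line per attempt, giving a timestamp in milliseconds, the source address and the destination port) and reports any source whose attempts to one port reach a threshold inside a sliding time window. The log format, the addresses, the window and the threshold are all assumptions made for the example; the log itself is constructed, not a real capture.

```python
"""Find the source of a connection flood in a connection log.

Added example, not from the book or its author. Reads a constructed log of
TCP connection attempts ("ts_ms src_ip dst_port" per line, an assumed
format) and reports (source, port) pairs whose attempt rate within a
sliding window reaches a threshold.
"""
from collections import defaultdict, deque


def build_sample_log():
    """Constructed sample, not a real capture: ordinary traffic from a few
    hosts plus a burst of 60 connection attempts to port 80 from one
    source, one every 50 ms."""
    normal = [(1000100, "10.0.0.5", 25), (1000650, "10.0.0.9", 80),
              (1001200, "10.0.0.5", 110), (1001900, "10.0.0.12", 80),
              (1002400, "10.0.0.9", 25)]
    flood = [(1000000 + 50 * i, "192.0.2.7", 80) for i in range(60)]
    lines = ["# ts_ms src_ip dst_port"]
    lines += [f"{ts} {src} {port}" for ts, src, port in normal + flood]
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Parse 'ts_ms src_ip dst_port' lines into (ts, src, port) tuples,
    sorted by time. Comment lines and blank lines are skipped."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, port = line.split()
        attempts.append((int(ts), src, int(port)))
    attempts.sort(key=lambda a: a[0])
    return attempts


def find_floods(attempts, window_ms=1000, threshold=20):
    """Return {(src, port): peak} for every (source, port) pair that made
    at least `threshold` attempts inside some span of `window_ms`; `peak`
    is the highest count seen in one window."""
    recent = defaultdict(deque)   # (src, port) -> timestamps still in the window
    peaks = {}
    for ts, src, port in attempts:
        key = (src, port)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_ms:
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def report(peaks, window_ms=1000):
    """Human-readable lines, busiest first. The source address is a lead,
    not proof: flood packets frequently carry forged addresses."""
    return [f"{src} -> port {port}: {peak} attempts in {window_ms} ms"
            for (src, port), peak in sorted(peaks.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for line in report(find_floods(parse_log(build_sample_log()))):
        print(line)
```

The sliding window, rather than a plain per-source total, is what separates a burst from a busy but legitimate client that makes the same number of connections over an hour. Tune the window and threshold to the service: twenty attempts a second to a POP3 port is far more suspicious than twenty to a Web server.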

Keystroke Grabbers
Keystroke grabbers are another way intruders gain access to your systems. Keystroke grabbers record every keystroke on a given computer’s keyboard. A typical keystroke grabber records keystrokes on the machine the program is running on, so for it to work, an intruder must install the keystroke grabber on a particular machine. Intruders can install grabbers in one of two ways: by gaining access to your facility or by penetrating the system over your network.

One of the best ways to protect against keystroke grabbers and any other kind of unauthorized software installation is to use Microsoft’s Systems Management Server (SMS) on your network. SMS performs many useful functions, including keeping an inventory of the software installed on each system. SMS inventories the systems on a schedule, looks for changes, and can alert the administrator when something has been installed or removed since the previous inventory. This type of monitoring can easily tip you off to a keystroke grabber. If you want to see what a keystroke grabber can do, type keycopy or playback into an Internet search engine such as AltaVista (http://www.altavista.digital.com).

Packet Sniffers
Packet sniffers monitor and capture every packet coming in and out of a network interface. With a packet sniffer, an intruder does not need a keystroke grabber.

Hardware-based sniffers usually must be physically connected to a network cable on your network, but software-based sniffers can be run from a workstation or even over a dial-up link. Either kind sees only the traffic that reaches its interface: on a shared-media segment (a hub or coaxial Ethernet) that is every packet on the segment, whereas on a switched segment it is normally only the traffic addressed to that machine, unless the switch is set to mirror traffic to the sniffer’s port. Anything unencrypted that the sniffer sees is potentially useful to a would-be intruder. For instance, if your network transmits passwords in clear text, a packet sniffer will capture them eventually. Your best protections against a packet sniffer are to encrypt all your sensitive data before it is transmitted over your network and to routinely change your passwords; changing passwords limits how long a captured one stays useful, but only encryption or a challenge-response logon keeps it from being captured at all.

It is smart to get a software-based packet sniffer and see what your network reveals. Many good software-based sniffers for Windows NT systems are out there, including NetXRay, mentioned above. If you’re using SMS in your shop, you may find the accompanying Network Monitor useful as well.
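To show what such a sniffer reveals on a network that sends passwords in the clear, here is an added example, not code from the book or its author. It takes the client side of each captured TCP connection, as a sniffer shows it after reassembling the connection, and pulls out POP3 and FTP USER/PASS commands and HTTP Basic authorization headers (which are base64-encoded, not encrypted); it goes a little beyond the POP3 case the text discusses. The captured streams, addresses and credentials below are constructed for the example.

```python
"""Pull clear-text logons out of captured traffic.

Added example, not from the book or its author. Scans the client-to-server
side of reassembled TCP connections for POP3/FTP USER and PASS commands
and for HTTP Basic authorization headers. All sample data is constructed.
"""
import base64
import re

# Constructed client-to-server payloads keyed by (client, server, server port),
# as a sniffer would show them after reassembling each connection.
SAMPLE_STREAMS = {
    ("10.0.0.21", "10.0.0.2", 110): b"USER alice\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n",
    ("10.0.0.22", "10.0.0.3", 21): b"USER bob\r\nPASS s3cret\r\nPWD\r\nQUIT\r\n",
    ("10.0.0.23", "10.0.0.4", 80): (
        b"GET /private/ HTTP/1.0\r\nHost: intranet\r\n"
        b"Authorization: Basic " + base64.b64encode(b"carol:letmein") + b"\r\n\r\n"
    ),
    ("10.0.0.24", "10.0.0.2", 110): b"USER dave\r\nQUIT\r\n",  # no password sent
}

PROTOCOLS = {21: "FTP", 80: "HTTP", 110: "POP3"}
USERPASS_RE = re.compile(rb"^(USER|PASS)\s+(\S+)", re.IGNORECASE)
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def credentials_in_stream(payload):
    """Return (user, password) if the payload carries a complete clear-text
    logon, else None. Base64 in a Basic header is decoded, not cracked."""
    user = password = None
    for line in payload.split(b"\r\n"):
        m = USERPASS_RE.match(line)
        if m:
            value = m.group(2).decode("latin-1")
            if m.group(1).upper() == b"USER":
                user = value
            else:
                password = value
            continue
        m = BASIC_RE.match(line)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
            except ValueError:  # binascii.Error is a ValueError: malformed header
                continue
            user, sep, password = decoded.partition(":")
            if not sep:  # not "user:password", ignore it
                user = password = None
    if user is not None and password is not None:
        return user, password
    return None


def extract_credentials(streams):
    """Scan every captured connection; return one record per exposed logon."""
    found = []
    for (client, server, port), payload in streams.items():
        creds = credentials_in_stream(payload)
        if creds:
            found.append({"protocol": PROTOCOLS.get(port, f"tcp/{port}"),
                          "client": client, "server": server,
                          "user": creds[0], "password": creds[1]})
    return found


if __name__ == "__main__":
    for rec in extract_credentials(SAMPLE_STREAMS):
        print(f"{rec['protocol']:5} {rec['client']} -> {rec['server']}: "
              f"{rec['user']} / {rec['password']}")
```

Nothing here is clever, which is the point: on a shared segment, every POP3 or FTP logon and every Basic-authenticated Web request is readable by anyone running this against a capture. POP3 servers that support APOP, and mail clients that use it, avoid sending the password itself, but only encryption of the whole session protects the mail that follows.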

Back Doors
Once intruders successfully gain access to your systems, one of the first things they do is install some sort of back door that lets them come back in whenever they want. With Windows NT 4.0 and Service Pack 2, anyone with administrative access can add to an NT system a DLL (a loadable library) that the system calls on every password change and that records the new password in clear text; the system loads the DLL the next time it starts. The DLL could store the password information somewhere the intruder can reach, such as a page on the computer’s Web server, or mail it to the intruder. This fact is well known in the hacking community, and example source code for creating such a DLL is readily available.
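One concrete check for the back door just described, added here as an example rather than taken from the book: the DLL is registered in the "Notification Packages" value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and the Local Security Authority loads every DLL named there at startup and calls it with the clear-text password on each password change. The script reads that value on Windows and compares both the names and the digest of each listed DLL against a baseline you keep from a known-clean machine. The baseline entry "FPNWCLNT", its digest, and the assumption that packages are loaded by bare name from the System32 directory are illustrative assumptions for the example, not a statement of what any particular system should contain.

```python
r"""Audit the LSA password-change notification list for back doors.

Added example, not from the book or its author. Reads the REG_MULTI_SZ
value "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
on Windows and compares package names and DLL digests with a baseline.
The BASELINE contents are assumptions for the example; record your own.
"""
import hashlib
import os
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Notification Packages"

# Assumed baseline for the example: package name as registered (without
# ".dll") mapped to the SHA-256 of that DLL on a clean system. The name
# and the all-zero digest are placeholders; capture real values on a
# machine you trust before relying on this check.
BASELINE = {
    "FPNWCLNT": "0000000000000000000000000000000000000000000000000000000000000000",
}


def read_notification_packages():
    """Return the registered package names; [] when not running on Windows."""
    if not sys.platform.startswith("win"):
        return []
    import winreg  # Windows-only standard library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, kind = winreg.QueryValueEx(key, LSA_VALUE)
    if kind != winreg.REG_MULTI_SZ:
        raise RuntimeError(f"{LSA_VALUE} has unexpected registry type {kind}")
    return [name for name in value if name]


def package_path(name, system32=None):
    """Path of a package DLL. Assumption for the example: packages are
    loaded by bare name from the System32 directory."""
    if system32 is None:
        system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "System32")
    return os.path.join(system32, name + ".dll")


def sha256_of(path):
    """Hex SHA-256 of a file, or None if it cannot be read."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None


def audit(registered, baseline, digests):
    """Compare registered names and their digests with the baseline.

    `digests` maps each registered name to its hex digest (None if the
    DLL could not be read). Returns a list of findings; empty means clean.
    A name on the baseline whose DLL digest differs is reported too, since
    an intruder can replace a legitimate package rather than add one."""
    findings = []
    known = {k.lower(): v for k, v in baseline.items()}
    for name in registered:
        expected = known.get(name.lower())
        actual = digests.get(name)
        if expected is None:
            findings.append(f"unexpected notification package: {name}")
        elif actual is None:
            findings.append(f"{name}: listed but DLL not readable")
        elif actual != expected:
            findings.append(f"{name}: DLL digest differs from baseline (replaced?)")
    return findings


if __name__ == "__main__":
    names = read_notification_packages()
    digests = {n: sha256_of(package_path(n)) for n in names}
    for finding in audit(names, BASELINE, digests) or ["no findings"]:
        print(finding)
```

Run it from a scheduled job on each domain controller and server, and keep the baseline somewhere the intruder cannot edit; a check that reads its expected values from the same machine it audits can be silenced along with the evidence.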

Detecting back doors can be very difficult. As I mentioned earlier, running Microsoft’s SMS server can go a long way toward detecting software installations, but the best practice is to monitor your system security and audit logs carefully. If you suspect someone may have installed a back door, you should immediately reinstall a new copy of your operating system. Do not perform an upgrade or even overwrite the old installation; completely reinstall a new copy in a new directory, or better still on a freshly formatted disk, since files left from the old installation remain reachable. This measure ensures that all operating system files are reinstalled as shipped from the manufacturer, wiping out anything out of the ordinary. Afterward, treat anything carried over from the old installation as suspect, and change every password on the system, because a back door like the one described above may already have recorded them.

Viruses and Trojan horses
Two of the most common and best-known threats to computer systems today are the virus and the Trojan horse. Viruses are rampant in the computing industry, with source code for numerous virus strains readily available all over the Internet. Thousands of strains of computer viruses already exist, and new ones emerge almost daily. They cover quite a range, from harmless viruses that simply put a message on the screen to downright nasty viruses that can destroy all the data they can reach on the local machine and the network. In most cases, viruses easily replicate themselves on every computer system and disk storage system they touch. Virus eradication can be a painful experience.

Trojan horses are a different breed of intrusion mechanism, named after the hollow wooden horse in which Greek soldiers hid to get inside the walls of Troy. Once inside the fortress gates, the soldiers emerged and opened the city to their army. Computer-based Trojan horses act in the same way. They get into your network systems through seemingly harmless software, and once in place, they create back doors, release viruses, sniff packets, or do almost anything else you can imagine an intruder doing. They are quite a dangerous threat indeed.

Your network can become infected with a virus or Trojan horse in a number of different ways, especially when connected to the Internet. For example, a customer can unwittingly give you an infected diskette or program file; someone can send you a seemingly harmless Microsoft Word document containing a Word macro with some destructive purpose; a user can download a software package that contains a virus; or a friend borrowing your machine for a few minutes could unknowingly insert an infected floppy disk. The list goes on.

The best way to prevent virus and Trojan horse infections is to implement policies that mandate using a virus scanner at all times on all your computer systems. Here is a list of some of the more popular virus and Trojan horse protection packages available on the Internet:

Many antivirus software packages are available, and they are simple to find on the Internet with a search engine. They are well worth the time and effort they take to locate and install.


SUMMARY

This chapter has given you some insight into the world of network security and the intruders who plague us all. By now, you should understand how security is evolving, where the ranks of intruders came from, what problems exist in Internet-enabled software systems, and where to start protecting those systems. Minimally, you should now understand that having great monitoring software and equipment can be invaluable in your security efforts. The rest of this book builds on this foundation, giving you a more detailed look at how to secure your Windows NT network environment.



 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing