Windows IT Pro
Windows IT Library
  - Advertise        
Windows IT Pro Logo

  Home  |   Books  |   Chapters  |   Topics  |   Authors  |   Book Reviews  |   Whitepapers  |   About Us  |   Contact Us

search for  on    power search   help
  






Windows NT Security: A Collection of Topics
View the book table of contents
Author: John Enck
Published: June 1998
Copyright: 1998
Publisher: 29th Street Press
 


CONFRONTING YOUR NETWORK SECURITY NIGHTMARES

by John Enck

When my kids were younger, they slept with night lights on to protect them from the nameless, unspecified evil that was lurking beyond their vision. As they grew older, however, they learned that nothing was stalking them from the dark corners of their room, and now they can sleep in the dark. In contrast, as I grow older, I become increasingly aware of the nameless, unspecified evil that is stalking me from the dark corners of my network. In fact, if I could attach a night light to my network, it would glow brightly around the clock.

My fears are proportional to the size of the network: The bigger the network, the more dark corners I have to worry about. When I hook up a private network to the Internet, for instance, I see an endless maze of dark corners and shadowy alleys. Some people may say I’m just paranoid — that Windows NT has industrial-strength security and that Microsoft would never release a product like the Internet Information Server (IIS) unless it was completely secure. My cynical view, however, is that no product connected to a network is 100 percent secure — it’s just a matter of time before intruders find paths through the software or through your security implementation.

Personal paranoia aside, most discussions about security usually degenerate into a classic optimist/pessimist argument: The optimist sees the glass as half full and the network as mostly secure; the pessimist sees the glass as half empty and the network as partially insecure.

To shed some light on the issue of Internet security (and to justify my paranoia), I connected a system running Windows NT Server 4.0 beta 2 and IIS 2.0 to the Internet and asked a professional security analyst from Midwestern Commerce (MWC) to hack away at it. As you’ll see, the results were both amazing and horrifying.

My Little Shop of Horrors
I built the NT system for this test by configuring NT and IIS the way most people configure them. I installed NT Server on one NT File System (NTFS) drive partition (for information about NTFS and its security issues, see “NTFS vs. FAT” in the System Management section of this book) on an Intel dual Pentium system from Advanced Logic Research (ALR). During the NT Server installation, I accepted the default settings for security and protocol. I then installed IIS — with Web, FTP, and Gopher support enabled on the same partition — and configured IIS for Internet access (for example, I enabled anonymous FTP and Web access).

Finally, I went through the entire directory structure on the disk and made sure that only the Administrator had full read and write access to all files. I restricted other users to read-only access in system directories and read and write access in the designated Web, FTP, and Gopher directories.

I debated going back through the system configuration to plug some security holes I happened to be aware of, but ultimately, I decided not to. I wanted to see whether the security analyst would exploit the obvious holes and how Microsoft’s out-of-the-box configuration fared against a full frontal assault. So I kept my paranoia under wraps and pushed my test server over the cliff and into the valley of darkness — in other words, I plugged the server into the Internet and told the security analyst where to find it.

I didn’t need a medium to let me know when my system came under attack. Strange things began happening to my server system almost immediately. I experienced a series of mysterious system lock-ups. I also received ominous warning messages on the console, such as the one in Figure 1.

However, I didn’t realize just how exposed my server was until a fateful conversation with the security analyst. He called to tell me he had accidentally corrupted my swap file. He needed me to reboot from NT Server to NT Workstation and then back to NT Server to correct the corrupt swap file so he could continue testing.

I said I couldn’t recall whether I had installed NT Workstation on that system. He calmly told me that both NT Server and NT Workstation were, in fact, installed. He then proceeded to list the entire contents of the server system’s hard disk. Obviously, he had penetrated far beyond the boundaries of ordinary Web access.

The Test Results
After several days of testing, the security analyst sent me his observations and recommendations. The observation section of his report listed the computer name, all the users defined for the system, the groups assigned to those users, all the directories on the hard disk, the permission levels assigned to those directories, and other details about my server.

The recommendations section included the following instructions:
  • Disable NetBIOS over TCP/IP.
  • Disable the Guest account.
  • Disable the Everyone group (but be careful how you do this!).
  • Disable mapping for .bat and .cmd files, and don’t use them as Common Gateway Interface (CGI) scripts.
  • Avoid using the FTP server.
  • Don’t use the Web server as a file server.
  • Remove unused (and dangerous) program files (that is, Ftp.exe, Rasdial.exe, and Telnet.exe).
  • Create separate partitions for NT system files, Hypertext Transfer Protocol (HTTP) documents, CGI scripts, template files, and FTP files.
One recommendation I expected to see but didn’t is to remove or rename the Administrator account.

In Close-Up
Do you need to implement all these recommendations? In most cases, yes. But before you run over to your server keyboard, let’s look closely at each one.

Disable NetBIOS over TCP/IP
Running NetBIOS over TCP/IP on your corporate network and then connecting your network to the Internet is one of the most dangerous things you can do with a Microsoft-based network. When you run NetBIOS over TCP/IP, you open all your print, file, and application sharing services to any system that can run TCP/IP. Considering the Internet is a TCP/IP-based network, you’re opening up your network to the world.

Unless you take adequate precautions, a hacker can fake a NetBIOS-over-TCP/IP session and try to penetrate any system on your network. Note that I’m not talking about penetrating just your Web server, I’m talking about penetrating any system that offers network services.

What can you do? The simplest, most obvious solution is to disable NetBIOS over TCP/IP with the Network applet on the Control Panel. You can then run your native Microsoft file, print, and application services with NetBIOS over either Internet Packet eXchange (IPX)/Sequenced Packet eXchange (SPX) or NetBEUI.

Because a hacker can’t easily access IPX/SPX or NetBEUI services over the Internet, your corporate systems are better insulated from intrusion. Furthermore, because you can run TCP/IP on your corporate systems without running NetBIOS over TCP/IP, all your systems can still access the usual TCP/IP and Internet services.

Unfortunately, in many cases, you can’t disable NetBIOS over TCP/IP. For example, you may have built your entire WAN using TCP/IP, or your CEO may have designated TCP/IP as a corporate standard. In these situations, to protect yourself from the dangers of running NetBIOS over TCP/IP, you can take one or both of the following actions:

  1. Implement a firewall between your network and the Internet, and filter out traffic on the sockets UDP 137, UDP 138, and TCP 139. These sockets are for NetBIOS traffic; if you filter them out, NetBIOS traffic can’t flow between your network and the Internet.
  2. Implement a proxy server, such as Microsoft’s Proxy Server. A proxy server hides your corporate systems’ IP addresses from the Internet to protect them from a direct attack.
Whatever you do, please don’t take this recommendation lightly. If you run NetBIOS over TCP/IP without protection, you’re putting your entire corporate network at risk.

Disable the Guest Account
Like the Administrator account, the Guest account is a standard NT account and is often the target of attack. Even though the Guest account ordinarily has limited privileges, it can still hurt you. For example, if your Guest account has read access to your security database (the Security Accounts Manager) or your Registry files, a hacker can use FTP to download those files and pick them apart. Why open yourself to risk? Just disable the Guest account.

Disable the Everyone Group
Of all the recommendations in the report, this is the most tricky to implement and can cause you real grief if you do it incorrectly. So be warned: Try this on a test machine before you do it on your production server!

The security analyst’s report outlines the disabling process, beginning with this ominous note:
Group Everyone is a dark side of Windows NT. Get rid of group Everyone wherever possible. Take great care when doing this procedure; otherwise, you can easily make NT installation unstable.

The steps are as follows:
  1. Create a new group called Every User, for example.
  2. Include all existing users in this group.
  3. Use the User Manager program to grant group Every User the right to access this computer from the network; revoke group Everyone’s right to access this computer from the network.
  4. In User Manager, substitute Everyone with Every User for all other rights.
  5. In File Manager’s Security menu, replace group Everyone with group Every User. Be careful: Do not propagate the permissions through an entire file tree.
  6. Substitute Everyone permission with Every User on all disk shares.
  7. Some special network shares with group Everyone access cannot be deleted. The best known example is the Registry. Determining optimum permissions to all Registry keys in a real NT box is almost impossible. A practical recommendation is to remove group Everyone from the HKEY_ LOCAL_MACHINE key and include Every User (read-only access) instead.
Note that IIS is particularly sensitive to the presence (or absence) of group Everyone — so again, try this procedure in a test environment before doing it on your live server.

Disable Mapping for .bat and .cmd Files (and Don’t Use Them as CGI Scripts)
Unfortunately, IIS has a history of problems regarding improper access to .bat and .cmd files through the Web server interface.

MWC, the company that performed the security probe into our test server, provides a complete explanation of this problem on its Web page at ntsecurity.com/News/bugs/alert.html. This Web page also notes similar problems with the Netscape Web server.

The bottom line is don’t use .bat or .cmd files to launch CGI scripts, and don’t let users access .bat or .cmd files through your Web server (disable any mappings to these types of files). If you don’t take these precautions, hackers can launch NT commands on your server.

Avoid the FTP Server
FTP servers have always been a weak spot in Internet security, regardless of what platform and OS they run under. An FTP server lets hackers hack away at usernames and passwords at their leisure. Once hackers find the right username and password (e.g., the Administrator username and password), they can gain read and write access to the entire system.

You must seriously evaluate your need for an FTP server. If you really need one, establish separate partitions for its data area, and don’t permit write access to the root FTP directory (force users to write into a lower-level anonymous directory or into individual user directories).

Don’t Use the Web Server as a File Server
Using a Web server as a file server creates a double-edged sword. First, if you store corporate data on your Web server, hackers can access or corrupt the data through the Internet. Second, if you let corporate users access Web server data, you risk having them corrupt (accidentally or otherwise) your Web pages.

I feel more strongly about this topic than the security analyst did. In fact, I recommend you put your Web servers in a domain separate from your corporate domains in a TCP/IP subnet separate from your corporate subnets. All access from your corporate network to your Web server will need to flow through a router or firewall.

Remove Unused (and Dangerous) Program Files
Remove unused files to keep hackers from gaining further access to your network if they find a hole in your server.

For example, if intruders can exploit the .cmd and .bat exposure, they can launch a client program on your server to access other corporate network resources. Because the clients are coming from one of your systems (your Web server), these clients may be able to bypass your external firewalls or proxy servers. A hacker, for instance, can launch an FTP session to attack any FTP servers on your corporate network.

Again, you can minimize such intrusions by putting your servers on separate networks — but why run any further risk? Simply delete client-oriented programs that you ordinarily install on your server, including Ftp.exe, Telnet.exe, and Rasdial.exe.

Create Separate Partitions for Your NT and Internet Data
This suggestion is subtle but important. If you place each logical group of files or each independent directory structure on a separate partition (separate logical disk drives), you reduce the risk of contamination. For example, if you store your Web pages and your Web scripts in the same directory, hackers can break into your Web page area and easily contaminate your scripts.

An obvious response to this problem is to separate the files into different root-level directories. Unfortunately, after a hacker finds a security hole, moving around from one directory to another inside a partition is pretty easy — crossing partitions is much more difficult.

What types of Internet data do you need to keep separate from your NT data? Everything you can. Put your NT system files, HTTP documents, CGI scripts, template files, and FTP upload and download files on separate partitions.

Yes, carving up a drive into multiple partitions is a lot of work and multiple partitions are more difficult to configure and manage. And yes, this approach is not the most efficient way to use space on a disk drive. No one said implementing security would be fun or efficient.

Sweet Dreams?
After you implement all these recommendations, you can turn off your night light and slip peacefully to sleep, right? Wrong. Remember, no system connected to a network is 100 percent secure — and no one knows how many new bugs and security monsters are waiting to be discovered.

But look at network security this way: If you implement these precautions, you should at least be able to sleep with a night light on. If you don’t implement them, chances are that you’ll wake up screaming — if you can sleep at all.

NT Version: NT 4.0 Server



Page: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
next page



ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

EXCHANGE 2007 Mastery Series – May 29, 2008
3 Info-packed eLearning seminars for only $99! Learn the pros and cons of your mailbox high availability options, see real-world examples of Transport Rules, and get started with basic PowerShell commands with Mark Arnold, MCSE+M and Microsoft MVP.

Windows IT Pro Master CD: Take the Experts with You!
Find the solutions you need in thousands of searchable articles, helpful bonus content, and loads of expert advice with the Windows IT Pro Master CD. Order comes with a 1-year subscription to the new, online articles posted every day!

Making the Case for Oracle Database on Windows
One of the best-kept secrets in the IT industry is the depth of support Oracle offers to customers deploying its databases on Microsoft Windows platforms.

SQL Server Magazine Master CD: Take the Experts with You!
Find the solutions you need in thousands of searchable articles, helpful bonus content, and loads of expert advice with the SQL Server Magazine Master CD. Order comes with a 1-year subscription to the new, online articles posted every day!

Attention User Group Leaders...
Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes. And add Windows IT Pro & SQL Server Mag articles alongside your own message!.

Become a fan of Windows IT Pro on Facebook
Join the Windows IT Pro fan club on Facebook. Chat with other IT Pros, upload your pictures, check out what's up n' coming in the next issue and more!



Solve the 12 Toughest Active Directory Management Tasks Today
No matter which management tasks you’re dealing with, you’ll discover a new set of ideas about how to best manage your Active Directory environment.

Get Started with Oracle on Windows DVD
Learn how Oracle gives you the power to grow by providing a scalable, easy-to-use platform for running your business at a price you can afford.

Exchange and Outlook Update Fundamentals CD
Gain an introduction to Exchange, learn server security requirements, and understand how unified communications can play a role in your messaging strategies with this free Exchange CD.

Virtualization Essentials – Free Online Conference :: June 24th
Learn virtualization basics - Discover how to reduce IT costs while increasing the efficiency, utilization, and flexibility of your existing computer hardware. Register Today!

Gain enhanced insight into and control over your IT systems.
View this web seminar to learn about the latest and greatest features and product enhancements in the Systems Center Configuration Manager SP1 and R2.

11 Myths About Microsoft Exchange Backup & Recovery
This white paper will guide you in overcoming Exchange Backup and Recovery myths with careful planning and the right toolset.
Windows IT Pro Home Register About Us Affiliates / Licensing Press Room Media Kit Contact Us/Customer Service  
SQL Connected Home IT Library SuperSite FAQ Wininfo News
Europe Edition Office & SharePoint Pro Windows Dev Pro Windows Excavator 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing