Apress hardening windows apr 2004 ISBN 1590592662

Hardening Windows
by Jonathan Hassell
Apress © 2004 (200 pages)

ISBN: 1590592662

This book is designed to provide a quick and easy checklist-style reference to the steps system administrators need to take to anticipate those attacks and compromises and harden Windows NT, 2000, XP, and Server 2003 against them.
Table of Contents
Hardening Windows
Introduction
Chapter 1 - Hardening: Theory and General Practice
Chapter 2 - Windows NT Security
Chapter 3 - Windows 2000 Security
Chapter 4 - Windows XP Security
Chapter 5 - Defining Enterprise Security Policies with Windows 2000 and Later
Chapter 6 - Patch Management
Chapter 7 - Network Access Quarantine Control
Chapter 8 - Internet Information Services Security
Chapter 9 - Exchange 2000 Server Security
Chapter 10 - Security Auditing and Event Logs
Appendix A - Quick-Reference Checklists
Index
List of Figures
List of Tables



Back Cover
System administrators know the Internet is a hostile environment. They can't tell when a hacker will attempt to gain access to the SQL server, but they can bet that there will be an attempt soon. Because the operating system is vital to a computer's functioning, and because it's the only layer between the machine's available resources and its users, it's critical that the operating system resist compromise.
Hardening Windows is an intermediate to advanced guide to implementing preventative security measures for the Windows operating system, and it's the only book that covers NT, 2000, XP, and 2003. This book is designed to provide a quick and easy checklist-style reference to the steps system administrators need to take to anticipate attacks and compromises, and to harden Windows NT, 2000, XP, and Server 2003 against them.
About the Author
Jonathan Hassell is a systems administrator and IT consultant residing in Raleigh, North Carolina. He is currently employed by one of the largest departments on campus at North Carolina State University, supporting a computing environment that consists of Windows NT, 2000, XP, Server 2003, Sun Solaris, and HP-UX machines. Hassell has extensive experience in networking technologies and Internet connectivity. He currently runs his own web hosting business, Enable Hosting, based out of both Raleigh and Charlotte, North Carolina.


Hardening Windows
JONATHAN HASSELL

Copyright © 2004 by Jonathan Hassell
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
ISBN (pbk): 1-59059-266-2
Printed and bound in the United States of America 10 9 8 7 6 5 4 3 2 1
Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
Lead Editor: Jim Sumser
Technical Reviewer: Oris Orlando
Editorial Board: Steve Anglin, Dan Appleman, Gary Cornell, James Cox, Tony Davis, John Franklin, Chris Mills, Steve Rycroft, Dominic Shakeshaft, Julian Skinner, Jim Sumser, Karen Watterson, Gavin Wray, John Zukowski
Project Manager: Tracy Brown Collins
Copy Manager: Nicole LeClerc
Copy Editor: Mark Nigara
Production Manager: Kari Brooks
Production Editor: Janet Vail
Compositor: Dina Quan
Proofreader: Liz Welch
Indexer: Carol Burbo
Artist: April Milne
Cover Designer: Kurt Krames
Manufacturing Manager: Tom Debolski
Distributed to the book trade in the United States by Springer-Verlag New York, Inc., 175 Fifth Avenue, New York, NY 10010 and outside the United States by Springer-Verlag GmbH & Co. KG, Tiergartenstr. 17, 69112 Heidelberg, Germany.
In the United States: phone 1-800-SPRINGER, e-mail <>, or visit . Outside the United States: fax +49 6221 345229, e-mail <>, or visit .
For information on translations, please contact Apress directly at 2560 Ninth Street, Suite 219, Berkeley, CA 94710. Phone 510-549-5930, fax 510-549-5939, e-mail <>, or visit .
The information in this book is distributed on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.
The source code for this book is available to readers at in the Downloads section.
About the Author
Jonathan Hassell is a systems administrator and IT consultant residing in Raleigh, NC. He is currently employed by one of the largest departments on campus at North Carolina State University, where he supports a computing environment that consists of Windows NT, 2000, XP, Server 2003, Sun Solaris, and HP-UX machines.
Hassell has extensive experience in networking technologies and Internet connectivity. He currently runs his own web-hosting business, Enable Hosting, which is based out of both Raleigh and Charlotte, NC. He is involved in all facets of the business, including finances, marketing, operating decisions, and customer relations.
Jonathan's previous published work includes RADIUS, published by O'Reilly & Associates, which serves as a detailed guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. He has also written monthly columns for the Windows 2000 Magazine Network and WindowsITSecurity.com. His work has also been published in CMP's Publish magazine and Pinnacle's LinuxAppDev newsletter. Hassell's latest book, Managing Windows Server 2003, will be published by O'Reilly & Associates in early 2004.
About the Technical Reviewer
Oris Orlando, born in Naples, Italy, in 1971, has been interested in computer science since the eighties. His first computer was an Intellivision Computer Module, which allowed him to develop programs in the limited-edition BASIC language only. At the end of the eighties, he began to use 8086 machines, and in 1989 he enrolled in the computer science department at the University of Salerno (Italy), from which he graduated in 1997. During his university career, he developed many applications for small businesses and often used a bulletin board system (BBS), before the Internet grew in popularity. In December 1997 he went to work at Siemens Nixdorf for two years as an analyst and programmer (Java, C, PL/SQL, CGI, HTML) in a web environment. In 1999 he took a position at Bull HN, where, for the first two years, he belonged to a technical team. By the third year he became the project leader in the security department, before eventually becoming project manager. He is experienced in UNIX, Windows, Linux, DOS, computer programming, the Internet, security, and databases (Oracle, LDAP).


Acknowledgments
This book was written by me, but that is arguably the smallest part of the job. This tome was made possible and put together by a score of people other than me, and they all deserve praise and gratitude. First, my sincere appreciation goes to my editor, Jim Sumser, for his role in this work. Jim is a fabulous, flexible, and understanding guy, and I'm thankful for my opportunities to work with him. Also thanks to Tracy Brown Collins and Mark Nigara, both at Apress, who corrected my mistakes, kept me on schedule, and worked with me during a very busy period.
Also thanks to Oris Orlando for his timely and helpful comments upon reviewing the manuscript. Although he worked to point out mistakes and deficiencies in coverage, any errors and omissions that remain are mine and mine alone.
And finally, but certainly not least important, my significant other Lisa had the patience of a saint during this process and made the entire experience a lot easier on me. Thanks for all that you do for me. This one is for you.


Introduction
Before I begin, let me offer my sincere thanks for purchasing this book! I'm glad you've made the decision to spend some time securing and hardening your systems. Not only are you helping yourself, but you're protecting the Internet community as a whole.
Hardening Windows is organized into chapters that focus on different aspects of system hardening. Chapters 2, 3, and 4 describe procedures related to specific versions of Windows. This isn't to say that the techniques described in one chapter for one version of Windows can't be used on another: it's simply a matter of organizing the flow of the book so you get the most from each chapter. The remaining chapters focus on different issues that affect the security and integrity of your systems and networks. At the end of each chapter, you'll find a list of checkpoints, which summarize in a sentence or two each strategy discussed within the chapter. I've collected the checkpoints from every chapter and put them in Appendix A for easy reference.
This book is quick and simple, so it's best to understand what's inside before you even begin reading it. For one, the chapters themselves stand alone. You can read them in any order, and the material isn't cumulative. Of course, you're welcome to read them all, and cross-references are clearly identified when information in a chapter is discussed in more detail earlier in the book. However, if you choose to begin with Chapter 7, you won't be missing anything. You also won't be getting long, theoretical discussions about operating-system design, kernel locking, OSI layers, and the like. Instead, you're getting quick, practical, checklist-style suggestions with a minimum of fluff. This book is meant to be carried under your arm to client workstations, placed on the top of the server rack, or snugly kept right beside your monitor for easy reference. It certainly isn't a 1600-page Windows bible.
Let me briefly address another issue: there are, of course, any number of hardening methods, and any number of opinions on how effective those methods are. This book would never be complete if it attempted to describe every view of every way to possibly secure a system from an unknown threat. Instead, I've chosen to keep the book short, using proven, time-tested ways to achieve maximum protection for the time and money invested. I think you'll find the results more than acceptable.
In short, you have 145 suggestions for hardening your system, which averages one checkpoint per page in this book. I hope this book helps you harden your systems, and I hope you consider it a worthwhile investment. Thanks for reading.


Chapter 1: Hardening: Theory and General Practice

Overview
You should be exactly as paranoid as it is cost-effective to be.
—Scott Collins
These are wise words from security expert Scott Collins, and they serve as the underlying motivation behind this book.
Computer security seems to be making the news a lot lately. Almost every week, malevolent forces crawl out of the woodwork to take down high-profile web sites. Companies lose millions of dollars and suffer damage to computer systems. As a result, large companies spend thousands of dollars on security systems and products to protect the doors to their corporate networks. Microsoft recently bore the brunt of two intruder attacks on its web properties. The result was hours of downtime and decreased customer confidence.
It's hard to know the number of intruders currently threatening the computer realm. Many systems administrators and users have built up a tolerance to attempted hacking. They have accepted intruders as the norm, as by-products of using a directly connected system. Many attempts, whether successful or not, go unnoticed by users. Internet security experts agree, though, that the number of attempts at security breaches is increasing, as is the sophistication and efficiency of the attempts. To keep up, vendors and security hardware manufacturers struggle to plug the security holes that intruders uncover and exploit with today's easy-to-use system-cracking tools.
An intruder attack is only one facet of security with which you should be concerned. Viruses are another big security threat; the fact that they spread easily only increases their infestations. For example, mass-mailing worms spread when users open email attachments, which causes the worm to email itself to the user's entire contact list. Trojan horse programs can come into your system and leave a backdoor for intruders, who will then use your computer to make countless attacks on other users' machines.
Helping you learn how to protect your computing environment from these various threats is the purpose of this book. System administrators all around the world know the Internet is a hostile environment. They can't tell when a hacker will attempt to gain access to the SQL server, but they can bet that there will be an attempt soon. Because the operating system is vital to a computer's functioning, and because it's the only layer between the machine's available resources and its users, it's critical that the OS resist compromise.
Hardening is the process of protecting a system against unknown threats. System administrators harden against whatever they think could be a threat. This book is designed to provide a quick and easy checklist-style reference for system administrators who need to anticipate those attacks and compromises and harden Windows NT, 2000, XP, and Server 2003 against them. In this chapter, I'll look at the theories behind security and hardening a system, and at how you can take very general approaches to overall organizational security before investigating specific hardening practices on your Windows client and server machines.


What is Security?
To protect the well-being or integrity of something, to ensure the safety of property or interests in an object from intrusion, or to keep a concept or object private, you'll need to secure a system. In the hostile environment of the Internet, system administrators need to restrict access to assets. To grant access to a selected group of users, you need to know whom to trust and how to verify the credentials of (authenticate) those you allow to use your systems.
The cornerstones of any security policy include the following:
- Privacy, or the ability to keep things private and confidential
- Trust, or the question of whether you should take data or objects at face value
- Authenticity, or verifying that contacts are made with people who are accurately representing their identity
- Integrity, or the process of ensuring a system hasn't yet been compromised and will remain secure
This book will focus entirely on the practical aspects of hardening a Windows-based computer. What are these practical checkpoints, which comprise the rest of this book, designed to do? What is the underlying motivation? Focusing for a bit on the more general aspects of computer security allows you to harden your systems in ways that you might otherwise ignore or fail to imagine. Therefore, I'll discuss security and its associated theoretical issues, and then move into practical considerations that aren't limited to just Windows machines: suggestions that are appropriate for any connected machine.

The Security Dilemma
Security depends on two things: first, a person must define what security means for them, and second, that person must communicate that idea clearly and competently to the community around them. Security suffers from such a problem these days because of issues related directly to these two requirements. Security for each person is different. Though one person may be satisfied with a BIOS password and a floppy disk, another person might take great pains to double- and triple-encrypt files. She may wish to transfer them only over IPsec-protected links, and purchase trusted Secure Sockets Layer (SSL) certificates for any type of public service she offers. And because the definition, meaning, and intrinsic value of security differ so wildly between parties, it's difficult to communicate a clear security policy to the user community. Therein lies a critical problem: you can only have effective security when everyone understands the level of security required and when everyone agrees security is necessary. And in practice, as you might imagine, an understanding of security on the part of the user is something that's usually severely lacking.
The very existence of security resides in trust. In fact, it can be argued that every security problem boils down, at the simplest level, to a question of trust. The idea of security is introduced for the sole purpose of protecting yourself against parties whom you don't trust. To do this, usually some kind of technology is put into place to move trust from a risky "zone" to a safer, more palatable area. A great example is a front door lock: you don't trust the general public, and therefore you're wary of them stealing your belongings without your knowledge. You install a lock on the front door of your house. You still don't trust the general public, but you trust the lock to do its job to keep the untrusted people out. You obviously have less of a problem trusting the lock than trusting the intentions of a great number of people to whom you're unaccustomed. You can't fully trust the lock either, so you install an alarm system that notifies the police if someone breaks in. You've displaced your trust from the public to the police, the alarm system, and the lock.
Each day, you proceed about your business, placing your trust semiconsciously in banks, automated teller machines, online shopping sites, the police, all levels of government, and various other establishments. The list goes on and on. You don't question this trust, because it's seldom broken, but that isn't always the end result. For example, when a teenager learns to drive a car, she places lives at risk. Because of this risk, most municipalities and governments require her to pass an exam to demonstrate her mastery of the safe operation of the equipment. Computer systems are equally capable of causing great damage, even though they aren't sentient. Your life is interrupted when computer systems malfunction, and this indicates an increasing reliance on them. Your trust in computers and their users is often quite misplaced. This is where the problems truly come from.

Enemies of Security
To achieve truer security, system administrators need to examine a method for analyzing systems to probe their weaknesses and detail their own assumptions about those systems' security, rather than blindly placing trust in them. If security is to be discussed in a more serious way, there needs to be the following:
- Identification of what one is trying to protect
- Evaluation of the main sources of risk and where trust is placed
- Assumption of possible countermeasures to potential attacks
You can define a secure system as one in which all of the threats have been analyzed and one in which countermeasures are in place for all of the threats. There are a few stumbling blocks that hinder your ability to create secure systems. The first is complexity: users will become impatient and work around security if it becomes too cumbersome for their work style and flow. Next is the need for backward compatibility in software. Often security is tightened in later revisions of software, but to remain operable with the previous version of a package, security restrictions might be loosened. Additionally, backups create a somewhat obscure but very real hole. The fact that backups are usually conducted with redundancy in mind might translate to more opportunity for data to be stolen. Security must be applied to backups as well as to normal operations.
The problem, however, is how to know what all of the possible threats against a system are. That's where this book comes in. You can't always know all of your threats; it's impossible to have that sort of knowledge. But you can batten down the hatches and take precautions to forestall and thwart any future attempted intrusions.


Some General Hardening Suggestions
In the rest of this chapter, I'll discuss some points that you can consider to harden your network overall. I've broken them down into three encompassing categories: software, hardware, and network considerations. Again, the following aren't meant to be specific suggestions; they're meant more as broad launching points for the specific checkpoints presented later in this book, and for future improvements to the integrity of your network that you can make on your own.

Software Considerations
Let's begin with the behemoth: service packs. Service packs are applications that are released after the public release of a software package. More specifically, they're collections of hotfixes, or patches to flaws that are found after an application's mainstream availability. Most of these service packs include security fixes to correct areas of the program code that weren't secured by the developers and therefore have vulnerabilities. You can be sure that your system will be examined by nefarious users looking for these vulnerabilities; you can be equally certain new vulnerabilities are being searched out as you read this by these same miscreants. The bottom line: keep all machines on the network updated and check with the operating system and application vendors on a regular basis for service releases and hotfix patches.
Next on the list are viruses, a rapidly growing irritation. As you may be aware, many new viruses are released weekly. Because of this, if an Internet connection comes anywhere near any machine, you should use antivirus software. It should be kept up-to-date on a regular basis. To protect yourself, take a look at these guidelines:
- Any software downloaded from the Internet should be stored and installed on test systems before any production deployment, and the system should be scanned for viruses after the software has been tested.
- Like safe sex, don't download software from unknown sources; a prominent violation of this policy is the retrieval of programs from peer-to-peer file transfer services. This not only endangers the host computer, but the entire network. Lately, viruses are beginning to spread onto network shares after initial execution and, depending on the strain of virus, this can cause many hours of downtime, which results in a significant financial liability.
- For best results, you should configure your virus software to the most restrictive level, thereby ensuring that any virus activity is contained to one computer without infecting the network.
- Most modern antivirus programs include the option to attempt to repair an infected file; you will likely have mixed results with this feature. It's acceptable to repair the infected file for a period of time so that the system can become operational.
- As a matter of practice, I always recommend that infected systems be wiped clean and reinstalled from an empty hard disk as soon as possible. As hard as the antivirus companies try, they may never completely understand a virus's payload; they might not ever realize the true extent of a virus's damage to a system, so to be safe, restarting the system from a known clean baseline is always the cheapest insurance.
- Block all potentially malicious file types, such as VBS, EXE, COM, and SCR, from your mail server. These file types are rarely used for legitimate business purposes and can accidentally be executed by unsuspecting users. This can compromise your entire network. Remember the Melissa virus?
- Set your antivirus software to scan the selected extensions for virus patterns that may exist. This ensures that a virus doesn't slip past your mail gateway.

Hardware and Network Considerations
In this section, you'll look at some considerations about hardening your hardware. Because this book focuses on Windows, it doesn't contain room anywhere else for these kinds of suggestions, but I'd be remiss not to include them. In any case, Windows depends as much on external hardware devices for security as it does on its own internal mechanisms.
The most obvious piece of the physical-device puzzle is the firewall, an integral part of any network that is connected to the Internet. Without a firewall, any Internet-connected machine can be subjected to denial-of-service attacks, targeted service attacks, network-penetration efforts, and other bad events. All of these attacks are very difficult to trace back to their origin, too, making a "forensic analysis" next to impossible. Consider the following firewall suggestions:
- Block TCP ports 135, 139, and 445, and UDP ports 135, 137, and 445 (UDP 138, the NetBIOS datagram service, belongs with them). These are Microsoft Windows networking ports that have traditionally been the target of a great many attacks, and there's little legitimate use for them over the Internet.
- Block all other unused ports. Each time you open a port you create a hole in the wall that you've built around your network, and you replace it with a window. The more ports you open (the more windows you install in your wall), the more transparent your network becomes to the outside. The bottom line? Open ports invite attacks.
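Blocking the ports is the easy half; the hard half is keeping them blocked as the ruleset grows, because on most packet filters the first matching rule wins and a broad "allow" inserted above the blocks silently cancels them. The following is an added example (mine, not from the book) that models a first-match, default-deny filter and asks, for each Windows networking port the checkpoint names, whether a packet from an Internet address would get through. The rule format, the two rulesets, and the probe address are assumptions for this example; UDP 138 is included alongside the book's list because it is the NetBIOS datagram port.

```python
"""Audit a first-match firewall ruleset for exposed Windows networking ports.

Added example, not taken from the book. Models a simple stateless packet
filter: ordered rules, first match wins, implicit deny at the end. The rule
format and sample rulesets are assumptions for this example.
"""
import ipaddress
from typing import Dict, List, Tuple

# Ports the checklist says to block at the perimeter, plus UDP 138
# (NetBIOS datagram service), which belongs with them.
WINDOWS_NETWORKING_PORTS = {
    ("tcp", 135), ("tcp", 139), ("tcp", 445),
    ("udp", 135), ("udp", 137), ("udp", 138), ("udp", 445),
}

Rule = Dict[str, object]  # keys: action, proto, dport, src


def rule(action: str, proto: str = "any", dport: int = None,
         src: str = "0.0.0.0/0") -> Rule:
    """Build one rule; dport=None and proto='any' are wildcards."""
    return {"action": action, "proto": proto, "dport": dport,
            "src": ipaddress.ip_network(src)}


def matches(r: Rule, proto: str, dport: int, src_ip: str) -> bool:
    return (
        r["proto"] in ("any", proto)
        and (r["dport"] is None or r["dport"] == dport)
        and ipaddress.ip_address(src_ip) in r["src"]
    )


def decide(rules: List[Rule], proto: str, dport: int, src_ip: str) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for r in rules:
        if matches(r, proto, dport, src_ip):
            return r["action"]
    return "deny"


def exposed_windows_ports(rules: List[Rule],
                          src_ip: str = "203.0.113.5") -> List[Tuple[str, int]]:
    """Which Windows networking ports can an Internet host (TEST-NET) reach?"""
    return sorted(
        (p, port) for (p, port) in WINDOWS_NETWORKING_PORTS
        if decide(rules, p, port, src_ip) == "allow"
    )


# Ruleset 1: the intended policy. Internal networks first, then the
# explicit blocks, then the public services.
GOOD_RULES = [
    rule("allow", src="10.0.0.0/8"),            # internal hosts unrestricted
    rule("deny", "tcp", 135), rule("deny", "tcp", 139), rule("deny", "tcp", 445),
    rule("deny", "udp", 135), rule("deny", "udp", 137), rule("deny", "udp", 138),
    rule("deny", "udp", 445),
    rule("allow", "tcp", 80), rule("allow", "tcp", 443),
]

# Ruleset 2: same rules, but someone inserted "allow any TCP from anywhere"
# at the top to close a help-desk ticket. First match wins, so the TCP
# denies below it never fire.
BAD_RULES = [rule("allow", "tcp")] + GOOD_RULES

if __name__ == "__main__":
    print("good ruleset exposes:", exposed_windows_ports(GOOD_RULES))
    print("bad ruleset exposes: ", exposed_windows_ports(BAD_RULES))
```

Run against the second ruleset the audit reports TCP 135, 139 and 445 open to the Internet even though every deny rule is still present, which is exactly the failure a quarterly eyeball review of the rule list tends to miss. Real firewalls differ in matching semantics (some are last-match, some evaluate per interface), so adapt decide() to the product before trusting its answer.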
The firewall's brother in the security family is an intrusion detection system (IDS), another vital part of hardening a Windows-based network. An IDS "sniffs out" or inspects all traffic going into and coming out of a network, and distinguishes patterns inside that traffic that could indicate suspicious activity. An IDS differs from a firewall in what each does about an intrusion. The firewall limits access between networks in order to prevent intrusion; it enforces rules packet by packet, it doesn't look for attack patterns, and it doesn't signal an attack that originates inside the network. An IDS, on the other hand, evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a network. It's a beneficial addition to your network, and I highly recommend it.
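The distinction drawn above is easiest to see on the firewall's own logs: every line below records a packet the firewall already dropped, so the firewall did its job, but nothing in it notices that one source walked through the Windows networking ports in a few seconds. The following is an added example (mine, not from the book) of the correlation an IDS adds, a sliding-window port-scan detector run over constructed firewall deny lines. The log format, the sample lines, the window and the threshold are all assumptions for this example.

```python
"""Flag port scans in firewall deny logs: the correlation an IDS adds.

Added example, not from the book. Every input line is a packet the firewall
already dropped; the detector groups them per source over a sliding time
window and alerts when one source probes enough distinct ports. Log format,
sample lines and thresholds are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def detect_scans(lines: Iterable[str], window_seconds: int = 60,
                 distinct_ports: int = 5) -> Dict[str, List[int]]:
    """Return {source_ip: sorted distinct ports} for every source that hit
    at least distinct_ports different destination ports within any
    window_seconds span. Lines that do not parse are skipped, not fatal."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dport), oldest first
    alerts: Dict[str, set] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a sensor must not crash on a malformed record
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src, dport = m["src"], int(m["dport"])
        q = recent[src]
        q.append((ts, dport))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # evict events that fell out of the window
        ports_in_window = {p for _, p in q}
        if len(ports_in_window) >= distinct_ports:
            alerts.setdefault(src, set()).update(ports_in_window)
    return {src: sorted(ports) for src, ports in alerts.items()}


# Constructed sample. 203.0.113.9 sweeps the Windows ports in five seconds;
# 198.51.100.4 hammers one port (noisy, but not a scan); 192.0.2.7 touches
# five ports but spread over half an hour, below the default window.
SAMPLE_LOG = """\
2004-03-01 10:00:01 DROP TCP 203.0.113.9:40001 -> 192.0.2.10:135
2004-03-01 10:00:02 DROP TCP 203.0.113.9:40002 -> 192.0.2.10:139
2004-03-01 10:00:03 DROP TCP 203.0.113.9:40003 -> 192.0.2.10:445
2004-03-01 10:00:05 DROP UDP 203.0.113.9:40004 -> 192.0.2.10:137
2004-03-01 10:00:06 DROP TCP 203.0.113.9:40005 -> 192.0.2.10:3389
2004-03-01 10:00:10 DROP TCP 198.51.100.4:5000 -> 192.0.2.10:445
2004-03-01 10:00:11 DROP TCP 198.51.100.4:5001 -> 192.0.2.10:445
2004-03-01 10:00:12 DROP TCP 198.51.100.4:5002 -> 192.0.2.10:445
2004-03-01 10:00:13 DROP TCP 198.51.100.4:5003 -> 192.0.2.10:445
2004-03-01 10:00:14 DROP TCP 198.51.100.4:5004 -> 192.0.2.10:445
2004-03-01 10:05:00 DROP TCP 192.0.2.7:6000 -> 192.0.2.10:21
2004-03-01 10:12:00 DROP TCP 192.0.2.7:6001 -> 192.0.2.10:22
2004-03-01 10:19:00 DROP TCP 192.0.2.7:6002 -> 192.0.2.10:23
2004-03-01 10:26:00 DROP TCP 192.0.2.7:6003 -> 192.0.2.10:25
2004-03-01 10:33:00 DROP TCP 192.0.2.7:6004 -> 192.0.2.10:80
this line is not a firewall record
"""

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT port scan from {src}: ports {ports}")
```

With the defaults only 203.0.113.9 is reported; the slow sweep from 192.0.2.7 is caught only if the window is widened to an hour, which is the usual tuning trade-off between catching patient attackers and drowning in alerts from ordinary noise.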
Remote access remains one of the weakest links in network security if it's incorrectly implemented, and in many cases it's the holy grail for intruders looking to do damage. If you allow remote access to your network either through dial-up connections or through a virtual private network (VPN) connection, you should restrict dial-up access to trusted users, and limit the functionality of those users from remote locations. Policies can be designed in such a way that user activity will be traced. I would recommend a VPN connection: because the VPN encrypts the traffic, data that travels over it is much less susceptible to interception than a plain Point-to-Point Protocol (PPP) session over the ordinary telephone network. If your data is particularly critical, you might consider putting systems in place that require credential validation for any resource that is accessed remotely, like client-side certificates and strong password authentication methods.
Also, it's a safe bet to say that intruders would rather use the convenience and availability of the Internet than work harder at "war dialing," which is when an intruder generates phone numbers on a random basis and dials them to see if a modem answers. However, if your business needs require a modem bank to answer incoming calls, you might consider mandating a dial-back setting to a predetermined number; this is a great way to ensure that a connection is made only between the appropriate parties.
Physical segmentation of the network is always a good choice for security. If your hardware devices allow you to perform this segregation easily, then there's little reason not to segment them. Virtual LANs (VLANs) are a great way to wall off large sections of your network. If you place your firewall within a separate VLAN from your network and specify that only your firewall can access your network, then you've just eliminated the chance that an intruder could use another window of entry into your network. Segmenting a network can also add an element of security from an internal perspective, because you can segment a network in such a way that all users can see the servers but no user can see another. This reduces the possibility of hacking user data stored on user machines and greatly reduces the chance of a virus spreading around the computers. If the virus code can't find other computers to infect, it cannot spread.
I feel compelled to include this bit here, even though a later chapter is devoted completely to Internet Information Services (IIS) hardening tips, because it's so vital to security. Many exploits are targeted against IIS because it's a very generic and widely used web server, and it's left on by default in most instances. Because worms travel at great speed and exploit unsecured IIS web servers on publicly accessible networks, the following is highly recommended, imperative even: systems running IIS should be installed on an isolated network segment, or with no network cable attached, until the latest service packs and hotfixes are installed. Microsoft has published the IIS Lockdown tool, and the Microsoft Baseline Security Analyzer reports whether it has been run on Windows 2000 Server computers running IIS. It's very important that this tool be used to harden the IIS box.


Checkpoints
In this chapter, I've discussed theories about security, and I've also listed some very broad, general suggestions for hardening the hardware, network, and software owned by your organization. Here's a recap of what's been covered so far:
- Learn the cornerstones of good security policy: privacy, trust, authenticity, and integrity.
- Understand the social implications of security.
- Recognize the security dilemma: that users must understand the need for security and agree to the extent to which security is implemented.
- Consider transfers of trust in security policy.
- Understand the process of defining the concept of security: identification of the object to protect, evaluation of risk, and proposals for countermeasures to potential attacks.
- Recognize some of the enemies of a secure system: complexity, backward compatibility, backups.
- Embrace the role that hardening takes in protecting against unknown threats.
- Apply service packs to operating systems and applications throughout your company.
- Purchase, install, and keep updated antivirus software throughout your company networks.
- Test and scan new downloads, and practice safe computing when transferring files from public networks.
- Wipe virus-infected systems to a clean hard disk as soon as possible.
- Block malicious file attachments as they enter your network at the email server, before they reach the client.
- Install a firewall and close off networking ports (TCP 135, 139, and 445; UDP 135, 137, and 445) and any other unused ports.
- Consider the purchase and installation of an intrusion detection system.
- Properly restrict access to remote entry points to your network, and encourage the use of virtual private networks over traditional telephonic and modem connections.
- Implement dial-back for standard telephone connections.
- Investigate the physical segmentation of your network.
- Properly harden and secure any IIS systems on the network, and relegate IIS systems to a blocked-off segment of the network during the installation of patches.
- Read the rest of this book.


Chapter 2: Windows NT Security
Windows NT, by virtue of its age, is vulnerable to all sorts of attacks, from both outside and in. The most effective way to harden your NT system is to attack the problem of insecurity from several different perspectives, especially passwords, account policies, virus protection, and system policies. This chapter will give you the tools you need to achieve a reasonably hardened NT system in exchange for a bit of effort.


Windows NT System Policy Editor
Akin to Group Policy, which is found in Windows 2000 and later versions, System Policies in Windows NT provide a more effective way of applying and enforcing a common set of settings and security definitions across a domain of computers. It's certainly not as customizable, flexible, easy-to-use, or scalable as Group Policy, but it's still quite a bit better than manually applying hundreds of changes to multiple computers.
Tip: You can apply most of the methods and hardening strategies covered in later sections of this chapter to multiple computers using NT system policies.
Windows NT loads with a default system policy in effect that continues to dictate which settings are in force whether it's modified or not. You can view this policy and make changes by using the NT System Policy Editor, which you can launch by selecting Start > Run and entering poledit. Once you've launched the program, two icons are displayed: Default User and Default Computer. These apply to all computers and all users in a domain, whereas more specific policies can apply to certain users, groups, and computers (for instance, specific departments of users or specific machines in a given location).
When you double-click any given policy object, a dialog box appears in which you can make changes to individual aspects of the policy. There are three states for each individual policy setting, and you can cycle through them by repeatedly clicking the box until the desired state appears. The three states are defined as follows:
- Settings turned on appear with a checked box beside the text describing the function of the setting.
- Settings turned off appear with an unchecked box beside the text.
- Settings that have never been defined, and therefore are not enforced, appear with a grayed-out box.

