Hardening Windows
by Jonathan Hassell
Apress © 2004 (200 pages)
ISBN: 1590592662
This book is designed to provide a quick and easy checklist-style reference to the steps system administrators need to take to anticipate those attacks and compromises and harden Windows NT, 2000, XP, and Server 2003 against them.
Table of Contents
Hardening Windows
Introduction
Chapter 1 - Hardening: Theory and General Practice
Chapter 2 - Windows NT Security
Chapter 3 - Windows 2000 Security
Chapter 4 - Windows XP Security
Chapter 5 - Defining Enterprise Security Policies with Windows 2000 and Later
Chapter 6 - Patch Management
Chapter 7 - Network Access Quarantine Control
Chapter 8 - Internet Information Services Security
Chapter 9 - Exchange 2000 Server Security
Chapter 10 - Security Auditing and Event Logs
Appendix A - Quick-Reference Checklists
Index
List of Figures
List of Tables
Back Cover
System administrators know the Internet is a hostile environment. They can't tell when a hacker will attempt to gain access to the SQL server, but they can bet that there will be an attempt soon. Because the operating system is vital to a computer's functioning, and because it's the only layer between the machine's available resources and its users, it's critical that the operating system resist compromise.
Hardening Windows is an intermediate to advanced guide to implementing preventative security measures for the Windows operating system, and it's the only book that covers NT, 2000, XP, and 2003. This book is designed to provide a quick and easy checklist-style reference to the steps system administrators need to take to anticipate attacks and compromises, and to harden Windows NT, 2000, XP, and Server 2003 against them.
About the Author
Jonathan Hassell is a systems administrator and IT consultant residing in Raleigh, North Carolina. He is currently employed by one of the largest departments on campus at North Carolina State University, supporting a computing environment that consists of Windows NT, 2000, XP, Server 2003, Sun Solaris, and HP-UX machines. Hassell has extensive experience in networking technologies and Internet connectivity. He currently runs his own web hosting business, Enable Hosting, based out of both Raleigh and Charlotte, North Carolina.
Hardening Windows
JONATHAN HASSELL
Copyright © 2004 by Jonathan Hassell
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
ISBN (pbk): 1-59059-266-2
Printed and bound in the United States of America 10 9 8 7 6 5 4 3 2 1
Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
Lead Editor: Jim Sumser
Technical Reviewer: Oris Orlando
Editorial Board: Steve Anglin, Dan Appleman, Gary Cornell, James Cox, Tony Davis, John Franklin, Chris Mills, Steve Rycroft, Dominic Shakeshaft, Julian Skinner, Jim Sumser, Karen Watterson, Gavin Wray, John Zukowski
Project Manager: Tracy Brown Collins
Copy Manager: Nicole LeClerc
Copy Editor: Mark Nigara
Production Manager: Kari Brooks
Production Editor: Janet Vail
Compositor: Dina Quan
Proofreader: Liz Welch
Indexer: Carol Burbo
Artist: April Milne
Cover Designer: Kurt Krames
Manufacturing Manager: Tom Debolski
Distributed to the book trade in the United States by Springer-Verlag New York, Inc., 175 Fifth Avenue, New York, NY 10010 and outside the United States by Springer-Verlag GmbH & Co. KG, Tiergartenstr. 17, 69112 Heidelberg, Germany.
The information in this book is distributed on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.
The source code for this book is available to readers at in the Downloads section.
About the Author
Jonathan Hassell is a systems administrator and IT consultant residing in Raleigh, NC. He is currently employed by one of the largest departments on campus at North Carolina State University, where he supports a computing environment that consists of Windows NT, 2000, XP, Server 2003, Sun Solaris, and HP-UX machines.
Hassell has extensive experience in networking technologies and Internet connectivity. He currently runs his own web-hosting business, Enable Hosting, which is based out of both Raleigh and Charlotte, NC. He is involved in all facets of the business, including finances, marketing, operating decisions, and customer relations.
Jonathan's previous published work includes RADIUS, published by O'Reilly & Associates, which serves as a detailed guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. He has also written monthly columns for the Windows 2000 Magazine Network and WindowsITSecurity.com. His work has also been published in CMP's Publish magazine and Pinnacle's Linux AppDev newsletter. Hassell's latest book, Managing Windows Server 2003, will be published by O'Reilly & Associates in early 2004.
About the Technical Reviewer
Oris Orlando, born in Naples, Italy, in 1971, has been interested in computer science since the eighties. His first computer was an Intellivision Computer Module, which allowed him to develop programs in the limited edition BASIC language only. At the end of the eighties, he began to use 8086 machines, and in 1989 he enrolled in the computer science department at the University of Salerno (Italy), from which he graduated in 1997. During his university career, he developed many applications for small businesses and often used a bulletin board system (BBS), before the Internet grew in popularity. In December 1997 he worked at Siemens Nixdorf for two years as an analyst and programmer (Java, C, PL/SQL, CGI, HTML) in a web environment. In 1999 he took a position at Bull HN, where, for the first two years he belonged to a technical team. By the third year he became the project leader in the security department, before eventually becoming project manager. He is experienced in UNIX, Windows, Linux, DOS, computer programming, the Internet, security, and databases (Oracle, LDAP).
Acknowledgments
This book was written by me, but that is arguably the smallest part of the job. This tome was made possible and put together by a score of people other than me, and they all deserve praise and gratitude. First, my sincere appreciation goes to my editor, Jim Sumser, for his role in this work. Jim is a fabulous, flexible, and understanding guy, and I'm thankful for my opportunities to work with him. Also thanks to Tracy Brown Collins and Mark Nigara, both at Apress, who corrected my mistakes, kept me on schedule, and worked with me during a very busy period.
Also thanks to Oris Orlando for his timely and helpful comments upon reviewing the manuscript. Although he worked to point out mistakes and deficiencies in coverage, any errors and omissions that remain are mine and mine alone.
And finally, but certainly not least important, my significant other Lisa had the patience of a saint during this process and made the entire experience a lot easier on me. Thanks for all that you do for me. This one is for you.
Introduction
Before I begin, let me offer my sincere thanks for purchasing this book! I'm glad you've made the decision to spend some time securing and hardening your systems. Not only are you helping yourself, but you're protecting the Internet community as a whole.
Hardening Windows is organized into chapters that focus on different aspects of system hardening. Chapters 2, 3, and 4 describe procedures related to specific versions of Windows. This isn't to say that the techniques described in one chapter for one version of Windows can't be used on another: It's simply a matter of organizing the flow of the book so you get the most from each chapter. The remaining chapters focus on different issues that affect the security and integrity of your systems and networks. At the end of each chapter, you'll find a list of checkpoints, which summarize in a sentence or two each strategy discussed within the chapter. I've collected a list of checkpoints from every chapter and put them in Appendix A for easy reference.
This book is quick and simple, so it's best to understand what's inside before you even begin reading it. For one, the chapters themselves stand alone. You can read them in any order, and the material isn't cumulative. Of course, you're welcome to read them all, and cross-references are clearly identified when information in a chapter is discussed in more detail earlier in the book. However, if you choose to begin with Chapter 7, you won't be missing anything. You also won't be getting long, theoretical discussions about operating-system design, kernel locking, OSI layers, and the like. Instead, you're getting quick, practical, checklist-style suggestions with a minimum of fluff. This book is meant to be carried under your arm to client workstations, placed on the top of the server rack, or snugly kept right beside your monitor for easy reference. It certainly isn't a 1600-page Windows bible.
Let me briefly address another issue: There are, of course, any number of hardening methods, and any number of opinions on how effective those methods are. This book would never be complete if it attempted to describe every view of every way to possibly secure a system from an unknown threat. Instead, I've chosen to keep the book short, using proven, time-tested ways to achieve maximum protection for the time and money invested. I think you'll find the results more than acceptable.
In short, you have 145 suggestions for hardening your system—which averages one checkpoint per page in this book. I hope this book helps you harden your systems, and I hope you consider it a worthwhile investment. Thanks for reading.
Chapter 1: Hardening: Theory and General Practice
Overview
You should be exactly as paranoid as it is cost-effective to be.
—Scott Collins
These are wise words from security expert Scott Collins, and they serve as the underlying motivation behind this book.
Computer security seems to be making the news a lot lately. Almost every week, malevolent forces crawl out of the woodwork to take down high-profile web sites. Companies lose millions of dollars and suffer damage to computer systems. As a result, large companies spend thousands of dollars on security systems and products to protect the doors to their corporate networks. Microsoft recently bore the brunt of two intruder attacks on its web properties. The result was hours of downtime and decreased customer confidence.
It's hard to know the number of intruders currently threatening the computer realm. Many systems administrators and users have built up a tolerance to attempted hacking. They have accepted intruders as the norm, as by-products of using a directly connected system. Many attempts, whether successful or not, go unnoticed by users. Internet security experts agree, though, that the number of attempts at security breaches is increasing, as is the sophistication and efficiency of the attempts. To keep up, vendors and security hardware manufacturers struggle to plug the security holes that intruders uncover and exploit with today's easy-to-use system-cracking tools.
An intruder attack is only one facet of security with which you should be concerned. Viruses are another big security threat; the fact that they spread easily only increases their infestations. For example, worm viruses spread when users open email attachments, which cause the virus to email itself to the user's entire contact list. Other Trojan horse viruses can come into your system and leave a back door for intruders who will use your computer to make countless attacks on other users' machines.
Helping you learn how to protect your computing environment from these various threats is the purpose of this book. System administrators all around the world know the Internet is a hostile environment. They can't tell when a hacker will attempt to gain access to the SQL server, but they can bet that there will be an attempt soon. Because the operating system is vital to a computer's functioning, and because it's the only layer between the machine's available resources and its users, it's critical that the OS resist compromise.
Hardening is this process of protecting a system against unknown threats. System administrators harden against whatever they think could be a threat. This book is designed to provide a quick and easy checklist-style reference for system administrators who need to anticipate those attacks and compromises. You'll need to harden Windows NT, 2000, XP, and Server 2003 against these threats. And in this chapter, I'll look at the theories behind security and hardening a system, and how you can take very general approaches to overall organizational security before investigating specific hardening practices on your Windows client and server machines.
What is Security?
To protect the well-being or integrity of something, to ensure the safety of property or interests in an object from intrusion, or to keep a concept or object private, you'll need to secure a system. In the hostile environment of the Internet, system administrators need to restrict access to assets. To grant access to a selected group of users, you need to know who to trust and how to verify the credentials of—authenticate—those you allow to use your systems.
The cornerstones of any security policy include the following:
- Privacy, or the ability to keep things private and confidential
- Trust, or the question of whether you should take data or objects at face value
- Authenticity, or verifying that contacts are made with people who are accurately representing their identity
- Integrity, or the process of ensuring a system hasn't yet been compromised and will remain secure
This book will focus entirely on the practical aspects of hardening a Windows-based computer. What are these practical checkpoints, which comprise the rest of this book, designed to do? What is the underlying motivation? Focusing for a bit on the more general aspects of computer security allows you to harden your systems in ways that you might otherwise ignore or fail to imagine. Therefore, I'll discuss security and its associated theoretical issues, and then move into practical considerations that aren't limited to just Windows machines—suggestions that are appropriate for any connected machine.
The Security Dilemma
Security depends on two things: First, a person must define what security means for them, and second, that person must communicate that idea clearly and competently to the community around him. Security suffers from such a problem these days because of issues related directly to these two requirements. Security for each person is different. Though one person may be satisfied with a BIOS password and a floppy disk, another person might take great pains to double- and triple-encrypt files. She may wish to transfer them only over IPsec-protected links, and purchase trusted Secure Sockets Layer (SSL) certificates for any type of public service she offers. And because the definition, meaning, and intrinsic value of security differs so wildly between parties, it's difficult to communicate a clear security policy to the user community. Therein lies a critical problem—you can only have effective security when everyone understands the level of security required and when everyone agrees security is necessary. And in practice, as you might imagine, an understanding of security on the part of the user is something that's usually severely lacking.
The very existence of security resides in trust. In fact, it can be argued that every security problem boils down to the simplest level as a question of trust. The idea of security is introduced for the sole purpose of protecting yourself against parties whom you don't trust. To do this, usually some kind of technology is put into place to move trust from a risky "zone" to a safer, more palatable area. A great example is a front door lock: You don't trust the general public, and therefore you're wary of them stealing your belongings without your knowledge. You install a lock on the front door of your house. You still don't trust the general public, but you trust the lock to do its job to keep the untrusted people out. You obviously have less of a problem trusting the lock than trusting the intentions of a great number of people to whom you're unaccustomed. You can't fully trust the lock either, so you install an alarm system that notifies the police if someone breaks in. You've displaced your trust from the public to the police, the alarm system, and the lock.
Each day, you proceed about your business, placing your trust semiconsciously in banks, automated teller machines, online shopping sites, the police, all levels of government, and other various establishments. The list goes on and on. You don't question this trust, because it's seldom broken, but that isn't always the end result. For example, when a child learns to drive a car, he places lives at risk. Because of this risk, most municipalities and governments require the child to pass an exam to demonstrate his mastery of the safe operation of the equipment. Computer systems are equally capable of causing great damage, even though they aren't sentient. Your life is interrupted when computer systems malfunction, and this indicates an increasing reliance on them. Your trust in computers and their users is often quite misplaced. This is where the problems truly come from.
Enemies of Security
To achieve truer security, system administrators need to examine a method for analyzing systems to probe their weaknesses and detail their own assumptions about those systems' security, rather than blindly placing trust in them. If security is to be discussed in a more serious way, there needs to be the following:
- Identification of what one is trying to protect
- Evaluation of the main sources of risk and where trust is placed
- Assumption of possible countermeasures to potential attacks
You can define a secure system as one in which all of the threats have been analyzed and one in which countermeasures are in place for all of the threats. There are a few stumbling blocks that hinder your ability to create secure systems. The first is complexity: Users will become impatient and work around security if it becomes too cumbersome for their work style and flow. Next is the need for backward compatibility in software. Often security is tightened in later revisions of software, but to remain operable with the previous version of a package, security restrictions might be loosened. Additionally, backups create a somewhat obscure but very real hole. The fact that backups are usually conducted with redundancy in mind might translate to more opportunity for data to be stolen. Security must be applied to backups as well as normal operations.
The problem, however, is how to know what all of the possible threats against a system are. That's where this book comes in. You can't always know all of your threats; it's impossible to have that sort of knowledge. But you can batten down the hatches and take precautions to forestall and thwart any future attempted intrusions.
Some General Hardening Suggestions
In the rest of this chapter, I'll discuss some points that you can consider to harden your network overall. I've broken them down into three encompassing categories: software, hardware, and network considerations. Again, the following aren't meant to be specific suggestions; they're meant more as broad launching points for the specific checkpoints presented later in this book, and for future improvements to the integrity of your network that you can make on your own.
Software Considerations
Let's begin with the behemoth: service packs. Service packs are applications that are released after the public release of a software package. More specifically, they're collections of hotfixes, or patches to flaws that are found after an application's mainstream availability. Most of these service packs include security fixes to correct areas of the program code that weren't secured by the developers and therefore have vulnerabilities. You can be sure that your system will be examined by nefarious users looking for these vulnerabilities; you can be equally certain new vulnerabilities are being searched out as you read this by these same miscreants. The bottom line: Keep all machines on the network updated and check with the operating system and application vendors on a regular basis for service releases and hotfix patches.
Next on the list are viruses, a rapidly growing irritation. As you may be aware, many new viruses are released weekly. Because of this, if an Internet connection comes anywhere near any machine, you should use antivirus software. It should be kept up-to-date on a regular basis. To protect yourself, take a look at these guidelines:
- Any software downloaded from the Internet should be stored and installed on test systems before any production deployment, and the system should be scanned for viruses after the software has been tested.
- Like safe sex, don't download software from unknown sources; a prominent violation of this policy is the retrieval of programs from peer-to-peer file transfer services. This not only endangers the host computer, but the entire network. Lately, viruses are beginning to spread after initial execution onto network shares and, depending on the strain of virus, this can cause many hours of downtime, which results in a significant financial liability.
- For best results, you should configure your virus software to the most restrictive level, thereby ensuring that any virus activity is contained to one computer without infecting the network.
- Most modern antivirus programs include the option to attempt to repair an infected file—you will likely have mixed results with this feature. It's acceptable to repair the infected file for a period of time so that the system can become operational.
- As a matter of practice, I always recommend that infected systems be wiped clean and reinstalled from an empty hard disk as soon as possible. As hard as the antivirus companies try, they may never completely penetrate a virus's payload; they might not ever realize the true extent of a virus's damage to a system, so to be safe, restarting the system from a known clean baseline is always the cheapest insurance.
- Block all potentially malicious file types, such as VBS, EXE, COM, and SCR, from your mail server. These file types are rarely used for legitimate business purposes and can accidentally be executed by unsuspecting users. This can compromise your entire network. Remember the Melissa virus?
- Set your antivirus to scan the selected extension for virus patterns that may exist. This ensures that a virus doesn't slip past your firewall.
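As an added example that is not part of the book, the following Python code implements the mail-server attachment block from the list above for the four types the text names (VBS, EXE, COM, SCR), and also handles the upper-case, double-extension and trailing-dot spellings that a naive suffix match would let through; the attachment names are constructed.

```python
"""Attachment-type filter of the kind the list above recommends at the mail server.

Added example, not code from the book. The blocked extensions are the four the
text names (VBS, EXE, COM, SCR); the sample attachment names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Extensions the chapter says to block at the mail server (lowercase, no dot).
BLOCKED_EXTENSIONS = frozenset({"vbs", "exe", "com", "scr"})


@dataclass(frozen=True)
class Verdict:
    filename: str
    blocked: bool
    reason: str


def _normalize(filename: str) -> str:
    """Reduce a filename to what a Windows client would actually resolve.

    Drops any directory prefix and surrounding whitespace, then strips trailing
    dots and spaces, which Windows ignores when it works out the extension.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    return name.rstrip(". ")


def classify_attachment(filename: str) -> Verdict:
    """Decide whether one attachment name should be stopped at the gateway.

    Every dotted segment after the first is treated as a candidate extension,
    so "photo.jpg.scr" and "INVOICE.EXE" are caught, and so is "notes.exe."
    (trailing dot). Names with no extension, or only benign ones, pass.
    """
    name = _normalize(filename)
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return Verdict(filename, False, "no extension")
    for ext in parts[1:]:
        if ext.lower() in BLOCKED_EXTENSIONS:
            return Verdict(filename, True, "blocked extension ." + ext.lower())
    return Verdict(filename, False, "allowed extension")


def filter_message(attachments: List[str]) -> Dict[str, List[str]]:
    """Split one message's attachment names into those to deliver and those to strip."""
    result: Dict[str, List[str]] = {"deliver": [], "strip": []}
    for name in attachments:
        result["strip" if classify_attachment(name).blocked else "deliver"].append(name)
    return result


# Constructed sample: the attachment names carried by one incoming message.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.doc",
    "INVOICE.EXE",          # case must not matter
    "photo.jpg.scr",        # double extension hiding a screensaver executable
    "notes.exe.",           # trailing dot is ignored by Windows
    "readme",               # no extension at all
    "C:\\temp\\setup.com",  # path prefix must be stripped first
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict = classify_attachment(name)
        print(("STRIP   " if verdict.blocked else "DELIVER ") + name.ljust(22) + verdict.reason)
```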
Hardware and Network Considerations
In this section, you'll look at some considerations about hardening your hardware. Because this book focuses on Windows, it doesn't contain room anywhere else for these kinds of suggestions, but I'd be remiss not to include them. In any case, Windows depends as much on external hardware devices for security as it does on its own internal mechanisms.
The most obvious piece of the physical-device puzzle is the firewall, an integral part of any network that is connected to the Internet. Without a firewall, any Internet-connected machine can be subjected to denial-of-service attacks, targeted service attacks, network-penetration efforts, and other bad events. All of these attacks are very difficult to trace back to their origin, too, making a "forensic analysis" next to impossible. Consider the following firewall suggestions:
- Block TCP ports 135, 139, and 445, and UDP ports 135, 137, and 445. These are Microsoft Windows's networking ports that have been traditionally vulnerable to a great many distributed service attacks, and there's little use for them over the Internet.
- Block all other unused ports. Each time you open a port you create a hole in the wall that you've built around your network, and you replace it with a window. The more ports you open—the more windows you install in your wall—the more transparent your network becomes to the outside. The bottom line? Open ports invite attacks.
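As an added example that is not from the book, here is a small first-match rule evaluator that checks an ordered firewall rule list against the two suggestions above: the six Microsoft networking ports must resolve to deny, and any port no rule mentions must fall through to a closing deny-all. The rule format, the two sample rulesets and the set of published services (25, 80, 443) are constructed assumptions.

```python
"""Ordered firewall rule check against the port suggestions above.

Added example, not code from the book. The rule format is a constructed
simplification (first matching rule wins, as on most packet filters); the
required blocks are the six ports the text lists.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ports the chapter says to block at the Internet edge: (protocol, port).
REQUIRED_BLOCKS = {
    ("tcp", 135), ("tcp", 139), ("tcp", 445),
    ("udp", 135), ("udp", 137), ("udp", 445),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None matches any destination port

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and (self.port is None or self.port == port)


def decision(rules: List[Rule], proto: str, port: int) -> str:
    """First matching rule wins; with no match at all the filter lets traffic through."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return "allow"


def audit(rules: List[Rule], published: Set[Tuple[str, int]]) -> List[str]:
    """Return findings; an empty list means the ruleset meets both suggestions.

    1. Each Microsoft networking port must resolve to deny.
    2. A port no rule names must also resolve to deny (a closing deny-all),
       which is what exposes a broad allow placed above the deny rules.
    The published services are checked last so that a fix does not over-block.
    """
    findings = []
    for proto, port in sorted(REQUIRED_BLOCKS):
        if decision(rules, proto, port) != "deny":
            findings.append("%s/%d is reachable; it needs an explicit deny" % (proto, port))
    # Probe a port that appears in no rule; only a deny-all can close it.
    if decision(rules, "tcp", 60000) != "deny" or decision(rules, "udp", 60000) != "deny":
        findings.append("no default deny: unused ports are open")
    for proto, port in sorted(published):
        if decision(rules, proto, port) != "allow":
            findings.append("published service %s/%d is blocked" % (proto, port))
    return findings


# Constructed sample: looks complete, but the broad allow on the first line
# shadows every TCP deny below it, and nothing closes the unused ports.
WEAK_RULES = [
    Rule("allow", "tcp", None),
    Rule("deny", "tcp", 135), Rule("deny", "tcp", 139), Rule("deny", "tcp", 445),
    Rule("deny", "udp", 135), Rule("deny", "udp", 137), Rule("deny", "udp", 445),
]

# Corrected version: allow only the services the site publishes, then deny all.
HARDENED_RULES = [
    Rule("allow", "tcp", 25), Rule("allow", "tcp", 80), Rule("allow", "tcp", 443),
    Rule("deny", "any", None),
]

PUBLISHED = {("tcp", 25), ("tcp", 80), ("tcp", 443)}

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label + ":", audit(rules, PUBLISHED) or ["OK"])
```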
The firewall's brother in the security family is an intrusion detection system (IDS), another vital part of hardening a Windows-based network. An IDS "sniffs out" or inspects all traffic going in and coming out of a network, and distinguishes patterns inside that traffic that could indicate suspicious activity. An IDS differs from a firewall in that a firewall looks for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and doesn't signal an attack from inside the network. An IDS, on the other hand, evaluates a suspected intrusion once it has taken place, and signals an alarm. An IDS also watches for attacks that originate from within a system. It's a beneficial addition to your network, and I highly recommend it.
Remote access remains one of the weakest links in network security if it's incorrectly implemented, and in many cases it's the holy grail for intruders looking to do damage. If you allow remote access to your network either through dial-up connections or through a virtual private network (VPN) connection, you should restrict dial-up access to trusted users, and limit the functionality of those users from remote locations. Policies can be designed in such a way that user activity will be traced. I would recommend a VPN connection: Data that travels over a VPN is much less susceptible to interception than normal point-to-point protocol (PPP) connections over the plain old telephone networks. If your data is particularly critical, you might consider putting systems in place that require credential validation for any resource that is accessed remotely, like client-side certificates and strong password authentication methods. Also, it's a safe bet to say that intruders would rather use the convenience and availability of the Internet than work harder at "war dialing," which is when an intruder generates phone numbers on a random basis and dials them to see if a modem answers. However, if your business needs require a modem bank to answer incoming calls, you might consider mandating a dial-back setting to a predetermined number; this is a great way to ensure that a connection is made only between the appropriate parties.
Physical segmentation of the network is always a good choice for security. If your hardware devices allow you to perform this segregation easily, then there's little reason to not segment them. Virtual LANs (VLANs) are a great way to wall off large sections of your network. If you place your firewall within a separate VLAN from your network and specify that only your firewall can access your network, then you've just eliminated the chance that an intruder could use another window of entry into your network. Segmenting a network can also add an element of security from an internal perspective, because you can segment a network in such a way that all users can see the servers but no user can see each other. This reduces the possibility of hacking user data stored on user machines and greatly reduces the chance of a virus spreading around the computers. If the virus code can't find other computers to infect, it cannot spread.
I feel compelled to include this bit here, even though a later chapter is devoted completely to Internet Information Services (IIS) hardening tips, because it's so vital to security. Many exploits are targeted against IIS because it's a very generic and widely used web server, and it's left on by default in most instances. Because of this prevalence of worms, which travel at great speeds and exploit unsecured IIS web servers on publicly accessible networks, it's highly recommended, imperative even, that systems running IIS be installed on an isolated network segment, or with no network cable attached, until the latest service packs and hotfixes are installed. Microsoft has published an IIS Lockdown tool, which is now part of the Microsoft Baseline Security Analyzer for Windows 2000 Server computers running IIS. It's very important that this tool be used to harden the IIS box.
Checkpoints
In this chapter, I've discussed theories about security, and I've also listed some very broad, general suggestions for hardening the hardware, network, and software owned by your organization. Here's a recap of what's been covered so far:
- Learn the cornerstones of good security policy: privacy, trust, authentication, and integrity.
- Understand the social implications of security.
- Recognize the security dilemma—that users must understand the need for security and agree to the extent to which security is implemented.
- Consider transfers of trust in security policy.
- Understand the process of defining the concept of security: identification of the object to protect, evaluation of risk, and proposals for countermeasures to potential attacks.
- Recognize some of the enemies of a secure system: complexity, backward compatibility, backups.
- Embrace the role that hardening takes in protecting against unknown threats.
- Apply service packs to operating systems and applications throughout your company.
- Purchase, install, and keep updated antivirus software installed throughout your company networks.
- Test and scan new downloads, and practice safe computing when transferring files from public networks.
- Wipe virus-infected systems to a clean hard disk as soon as possible.
- Block malicious file attachments as they enter your network at the email server, before they reach the client.
- Install a firewall and close off networking ports (TCP 135, 139, and 445; UDP 135, 137, and 445) and any other unused ports.
- Consider the purchase and installation of an intrusion detection system.
- Properly restrict access to remote entry points to your network, and encourage the use of virtual private networks over traditional telephonic and modem connections.
- Implement dial-back for standard telephone connections.
- Investigate the physical segmentation of your network.
- Properly harden and secure any IIS systems on the network, and relegate IIS systems to a blocked-off segment of the network during the installation of patches.
- Read the rest of this book.
Chapter 2: Windows NT Security
Windows NT, by virtue of its age, is vulnerable to all sorts of attacks, from both outside and in. The most effective way to harden your NT system is to attack the problem of insecurity from several different perspectives, especially passwords, account policies, virus protection, and system policies. This chapter will give you the tools you need to achieve a reasonably hardened NT system in exchange for a bit of effort.
Windows NT System Policy Editor
Akin to Group Policy, which is found in Windows 2000 and later versions, System Policies in Windows NT provide a more effective way of applying and enforcing a common set of settings and security definitions across a domain of computers. It's certainly not as customizable, flexible, easy-to-use, or scalable as Group Policy, but it's still quite a bit better than manually applying hundreds of changes to multiple computers.
Tip: You can apply most of the methods and hardening strategies covered in later sections of this chapter to multiple computers using NT system policies.
Windows NT loads with a default system policy in effect that continues to dictate which settings are in force whether it's modified or not. You can view this policy and make the changes by using the NT System Policy Editor, which you can access by selecting Start ➤ Run ➤ PolEdit. Once you've launched the program, two icons are displayed: Default User and Default Computer. These apply to all computers and all users in a domain, whereas more specific policies can apply to certain users, groups, and computers (for instance, specific departments of users or specific machines in a given location).
When you double-click any given policy object, boxes are raised on the screen. Here, you can make changes to individual aspects of the policy. There are three states to each individual policy setting, and you can cycle through each one by repeatedly clicking the box until the desired state appears. The three states are defined as follows:
- Settings turned on appear with a checked box beside the text describing the function of the settings.
- Settings turned off appear with an unchecked box beside the text.
- Settings that have never been defined, and therefore are unused, appear with a grayed-out box.