Security Principles

So now you want to know what you can do to help secure your network? Well, I've got some good news for you. I'm here to offer some help. I'll show you how to use some common tools to harden your systems and point you towards some more in-depth research that will help you along the way to security bliss.

Disclaimer: No network or system can be 100% secure. This document is intended to be informational only and cannot guarantee your system/network security. It is your responsibility to consult with your local trusted security experts about measures you can take that will increase your level of security. Though I believe the information contained in this document is accurate, I cannot make any warranties, express or implied, about this document's content, fitness for a particular purpose, or merchantability.

Now that the legal mumbo-jumbo is out of the way, let's get down to business. You want to secure a Windows NT, Windows 2000, or Sun/Solaris computer?

Windows NT

1. Shut down unnecessary services and only install the ones you need. For server-side security, this is the number one thing you can do to limit what potential hackers can do. This is especially important if you installed Internet Information Server (IIS) on a non-webserver. IIS 2.0 comes with NT 4, but you have to select to install it. IIS 4.0 comes on the Windows NT 4.0 Option Pack CD (or can be downloaded from microsoft.com). We'll go more into this later. During the Windows NT installation, many people just select all the checkboxes for everything and end up creating a monstrosity that is running WINS, DNS, DHCP, and IIS, as well as acting as a PDC, router, fileserver, and print server. Not only does this squelch your server's usability by slowing it down tremendously, but it also makes it a big target, especially if your network is connected to the internet. Please, please, please, please, PLEASE be mindful of the purpose of your server. If you're setting up a file and print server, chances are that it doesn't need to run IIS or message queuing services, nor does it need to have SNMP configured (unless you're using an SNMP monitoring utility such as HP OpenView).

2. Keep up to date with hotfixes and service packs. Microsoft (as well as other vendors) makes patches available for reported bugs. Microsoft issues hotfixes to fix critical issues, such as security threats or stability problems with specific applications. Periodically, many of these hotfixes get rolled up in a service pack along with other non-critical patches. You should thoroughly test a service pack or hotfix before deploying it: everyone's environment is different. There is a great utility called HFNetCheck (Microsoft Network Hotfix Checker) that you can run against a server to determine what hotfixes are available for it and which ones have been installed. Shavlik Technologies offers a commercial version of HFNetCheck as well.

3. Keep it standard across your install base. Standardizing the software on your servers is also an important step to securing your NT network. It's a good idea to keep them operating on the same versions of software because it eliminates one variable from the troubleshooting equation. For example, if you have 10 servers running Windows NT 4 SP6a and 10 servers running Windows NT 4 SP5, and you run across a problem on 5 of the servers running SP6a, you're stuck. Is it a service pack issue? Maybe. You can't tell, because not all of the machines running this service pack are experiencing the problem. Since service packs are cumulative, they can also be a helpful tool to bring your servers to a standard level of operating software. For example, if you have 5 servers running at SP4, 7 servers running at SP5, 3 servers at SP2 and 1 server at SP6, you can use the SP6a service pack installation to bring them all to SP6a.

4. Use the Security Configuration Manager. The Windows NT Resource Kit has a great utility called the Security Configuration Manager which you can use to bring your servers and workstations up to the C2 security level. The SCM turns off many features of the OS and write-protects many registry keys, thereby locking down the machine. There's a lengthy manual that comes with it, but it's well worth reading. Best of all, you don't have to implement all of the features: you can pick and choose for a security configuration that meets your needs.

5. Check your permissions and groups. Particularly in large organizations, it's possible to have thousands of user accounts and hundreds of groups stored in the SAM (Security Accounts Manager) database. It's important from time to time to verify that the right people are in the right groups and that they are granted only the permissions to do what they need. Try to avoid giving users or groups more than what they need. If the marketing department only needs to read the most recent sales data, don't grant them the Change permission on files and folders belonging to the sales department.

6. Password security. Passwords, like it or not, are here to stay for a long while. Password security is a Catch-22: you need the passwords to be difficult to guess or crack, but not so difficult to remember that users end up writing them down. On the previous page, I talk about using mnemonics to create passwords based on pass phrases. There are a couple of great guides and utilities that Microsoft puts out for this. Be sure to check Microsoft's guide for securing passwords and the Microsoft Strong Password Filter for Windows NT.

7. Microsoft's Security Checklists. Microsoft has made available a wealth of checklists to lock down your servers. The checklists are available on the Microsoft TechNet site.

8. Microsoft C2 Security Guide. Windows NT 4 can be configured to the C2 security level (Orange Book). A C2 secure environment has the following characteristic: the owner of a system resource has the right to decide who can access it. In addition, the Trusted Computer System Evaluation Criteria mandates that a C2 system provide the following features:

- Define and control its users' access to objects, such as files and directories.
- Provide a way for users to uniquely identify themselves.
- Provide a way to audit security-related events and actions of individual users.
- Prevent all processes from accessing the data of other processes.

The Microsoft C2 Security guide is available here.

9. NTFS. Microsoft's NTFS filesystem allows for fine-grained file-level access control. With FAT16 partitions, you are limited to share permissions over the network; no permissions can be set on files or folders, which is a real drawback in a corporate environment. NTFS lets you combine share and file permissions to allow you to take complete control over system access. The use of NTFS also extends the amount of auditing you can perform on system access. NTFS also has hooks in the filesystem to provide a quota system (though NT itself doesn't implement it, there are a few third-party tools that take advantage of this) as well as file-level compression. Anyone serious about security on a Windows machine needs to take a hard look at NTFS.

10. Antivirus software. A pandemic problem, viruses are responsible for hundreds of millions of dollars' worth of downtime. Most antivirus software vendors offer weekly or bi-weekly virus signature file updates for download and some sort of email notification if a new virus prompts an "urgent" update. Well-known antivirus vendors include McAfee/Network Associates, Symantec/Norton, Panda, Sophos, AVG, and Trend.

References and Links

http://www.microsoft.com/ntserver/techresources/security/password.asp - Microsoft's guidelines for securing passwords.
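A worked example for item 1 above (added here; it is not code from the original page): it parses the text that `net start` prints on NT 4 and flags every running service that falls outside a declared baseline for a file and print server, tolerating SNMP only when a monitor such as HP OpenView actually polls the host. The baseline, the risk notes and the sample `net start` output are constructed for illustration.

```python
"""Flag NT services running outside a server's role baseline (added example)."""

# Constructed baseline for a file and print server; tune it to your own build standard.
FILE_PRINT_BASELINE = {"EventLog", "Messenger", "Net Logon", "Server", "Spooler", "Workstation"}

# Why a service matters on a file/print server (notes written for this example).
RISK_NOTES = {
    "IIS Admin Service": "IIS on a non-web server; remove it",
    "World Wide Web Publishing Service": "IIS on a non-web server; remove it",
    "Microsoft Message Queue Server": "message queuing is not needed on a file/print server",
}

def parse_net_start(output):
    """Return the service display names listed by `net start` on NT 4."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        # Skip the banner ("These Windows NT services are started:"), blanks and the footer.
        if not line or line.endswith(":") or line.startswith("The command"):
            continue
        names.append(line)
    return names

def audit_services(running, baseline=FILE_PRINT_BASELINE, snmp_monitored=False):
    """Return (service, reason) pairs for running services outside the baseline."""
    findings = []
    for svc in running:
        # SNMP is tolerated only when a monitor such as HP OpenView actually polls the host.
        if svc in baseline or (svc == "SNMP" and snmp_monitored):
            continue
        findings.append((svc, RISK_NOTES.get(svc, "not in baseline; stop it and set startup to Disabled")))
    return findings

# Constructed `net start` output from a server that was installed with every box checked.
SAMPLE_NET_START = """These Windows NT services are started:

   IIS Admin Service
   Microsoft Message Queue Server
   Net Logon
   Server
   SNMP
   Spooler
   World Wide Web Publishing Service

The command completed successfully.
"""

if __name__ == "__main__":
    for svc, why in audit_services(parse_net_start(SAMPLE_NET_START)):
        print(f"{svc}: {why}")
```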
website design: © www.aaronguilmette.com