Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


July 1997

NT Security Scares?


From the July 1997 Edition
of Windows IT Pro
Mark Minasi
Feature
InstantDoc #453
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

No need to panic
The sky is falling! The sky is falling! The sky is--oh, whoops, sorry. That was a raindrop. Well, it's almost the same, isn't it? You'll think so if you listen to the current gang of so-called NT security experts, each trying to out-do the other in proving that NT's security has more holes than a bowling ball factory.

If you're an NT administrator or a network security officer, no doubt higher-ups have asked you in baleful tones, "Are you sure it was a good idea to use NT? Hardly a day goes by without another security hole discovery!" If you're having a rough time answering that question, read on.

As more people use NT, they'll examine more and more of NT's nooks and crannies, leading to the discovery of more and more bugs. Some discoveries will be genuine security bugs, worthy of fear and reaction. But I haven't seen one yet. Bear in mind that although I'm no security expert, I have been running PC networks since 1985, so I've picked up a few lessons along the way. One article doesn't give me enough space to consider all aspects of NT security, but I can take up most of the big scares.

SCARE NUMBER ONE:  NTFSDOS
One of my fellow Windows NT Magazine contributing editors, Mark Russinovich, wrote a program, NTFSDOS.EXE, that occasioned the spilling of much ink (see "NTFSDOS Poses Little Security Risk," September 1996). Mark's very clever program lets you read NTFS volumes from DOS: You can go to an NT machine containing one or more NTFS volumes, boot DOS, and run NTFSDOS. You'll see the NTFS volumes, which now show up as regular drives. You can read the volumes, not write them.

Some people claim this program reveals a chink in NT's armor. They claim that previously they could format their server drives to NTFS and know that file and directory permissions would keep the casual user or hacker from coming up to the server, booting DOS, and having full access to the data on the drives.

I don't understand why this scenario is a problem. To use NTFSDOS, an intruder must have physical access to the server (that is, shove a bootable DOS floppy into the server's A drive). But is why would just anyone be able to walk in off the street and reboot a server? One of the first lessons I learned in PC networking was that unless you physically secure servers, you don't have security.

I'm amazed to see companies with swipe cards and security guards, offsite backups, and hot-start sites protecting their mainframes but doing nothing for the LAN servers. "So, where are your servers?" I once asked a client.

"In Scott's office," he replied.

"Does Scott's office have a lock on the door?" I wondered.

"Well, sure." came the answer. "But those servers keep it pretty warm, so I think he keeps the door open most of the time."

Walking into Scott's office, I saw that the servers were in max-height towers, and the towers were on the floor, where the vacuum cleaners could give them a little whack now and then. Several bookshelves piled high with backup tapes were mounted above the computers.

"So," I wondered aloud, "when the servers catch fire, the backups can go as well?" The clients looked sheepish and admitted they needed to move the backups somewhere else, but they just hadn't had the time.

The biggest problem with security is that we know what we're supposed to do, but we forget to do it or we're just too busy. (And I'm no exception, as I detailed in "Recovering from a Network Disaster," March 1997.)

Advice: Think Nike: Just do it. Control access to the servers. Whatever you do on the mainframes--disaster recovery plans, offsite backups, hot-start sites, the works--do it on the LANs

SCARE NUMBER TWO:  The Internet
Many companies want to attach their corporate networks to the Internet but are worried about the consequences. To hear people at such companies talk, you'd think that at this very moment, 50 guys in Stuttgart are waiting for you to put your company on the Net so that they can magically destroy your network by remote control.

Cliff Stoll's excellent book, The Cuckoo's Egg, and Robert Morris Jr.'s 1989 Internet worm highlighted problems in UNIX and VAX Internet security. The problems stemmed from users' lack of concern about security in the early days of the ARPAnet/Internet.

In the NT world, things are different. Let's suppose you put an NT file server on an Internet-connected computer. What can the bad guys do? To access your files, they must log on as recognized users of that server. To do so, they need to know four things: a valid user account name, the password for that account, the name of the server's domain, and either the name of a domain controller in the domain or the IP address of a Windows Internet Name Service (WINS) server in the domain.

Let's suppose you have a C-class network, acme.com at 200.200.200.x, where x can range from 1 to 254. Using NBTSTAT (a command to get NetBIOS information over TCP/IP) and a bit of patience, our theoretical hackers can figure out which machines are domain controllers and the name of your NT domain. (See "Knowing the Angles of NetBIOS Suffixes," February 1997, and Tom Sheldon, "NT Security Tips," December 1996, for specifics on using NBTSTAT to dump network information.) Suppose the hackers find that you have a domain named ACMENET with a domain controller at 200.200.200.15. They've won half the battle, two of the four things that they need to crack your network. Next, they need the name of an administrator account. They can get the name of an administrator account in a few ways, but the easiest is probably the RedButton program that's available on the Internet (http://www.ntsecurity.com/RedButton/index.htm). Another way to get the name of an administrator account is with NBTSTAT. When you dump a machine's NetBIOS name table with NBTSTAT, you often find the name of the person logged on to the server. You often see two names with the suffix <03>. One is the computer's name, and the other is the user's name. To keep this information from displaying, stop the Messenger service on that server.

So the bad guys now have a domain name, the name of a domain controller or two, and the name of the built-in Administrator account; now they need a password. Potential intruders possessing the name of the built-in Administrator account is particularly scary because that account doesn't lock out, like other accounts. You can set your system's account policies so an account becomes locked out if someone tries to log on to that account and fails after a given number of tries. For example, you can set up accounts so that five failed logon attempts in a row keep anyone from logging on to that account until the administrator unlocks it. The built-in Administrator account is unfortunately an exception to that rule; when hackers have the name of your built-in Administrator account, they can try to log on to that account as many times as they like. Would-be intruders can randomly try passwords for the built-in Administrator account until they hit the right one. So don't make the random search easier by allowing a simple password.

You can make the built-in Administrator account safer in another way. The NT resource kit includes a program, PASSPROP.EXE, that modifies the built-in administrative account so that you can lock it out like other accounts.

The key to securing the built-in Administrator account, then, is through a good password. This advice is old, but don't use obvious passwords, and don't use English words or names all by themselves: For example, if you like the password "Hale-Bopp," append some other character, as in "Hale-Bopp7," to make it harder to guess. If you figure each failed logon attempt takes (conservatively) 10 seconds, someone beating on your system unnoticed for a year would have an opportunity to try about 3,000,000 passwords. How worrisome is that? Well, you can have up to 14 characters in an NT password. If you restrict yourself to just lowercase letters, you have 64 quintillion possibilities (64,509,974,703,300,000,000), 26 raised to the 14th power. If you use 26 lowercase, 26 uppercase, and 10 numerics, you get 12,401,769,434,660,000,000,000,000 possibilities--I think that's septillions, but I won't swear to it.

You can use basic rules for developing passwords for most accounts, and go to extremes on the built-in Administrator account. Set the account's password to some randomly generated 14-character password. The password won't be inconvenient for logging in because you don't want to use the built-in Administrator account anyway. You can also protect yourself from someone logging on if you filter out UDP ports 135 through 139 and TCP port 139. With these ports filtered out, you can't log on to an NT server's file-and-print sharing services (unless you're doing Point-to-Point Tunneling Protocol--PPTP). And of course, all this advice goes out the window if you enable the Guest account--don't do it, ever.

Now you know how to secure your files from attack via NT's NetBIOS-based file sharing protocols. But someone can theoretically read or perhaps change files on your server another way--older Internet protocols. I honestly can't detail how someone can crack an NT system with one of these protocols, but I can relate the protocols that most Internet security types talk about: Telnet, Remote Shell (RSH), and FTP. I'm told that running Telnet, RSH, or FTP servers on any machine that contains sensitive data is a bad idea, so I don't. Other people have hinted that HTTP (the protocol underlying Web servers) is also insecure, so I suppose the same advice goes for Web servers. More specifically, if a hacker can upload a dangerous Common Gateway Interface (CGI) program to your Web server and then execute it, that criminal can do some damage to your server. How someone can upload unwanted data to a Web site is not clear to me--there's that sky falling again--but if that feat is possible, you can still protect yourself from the ill-intentioned CGI program. Set the file and directory permissions on your files to keep the intruder from doing damage. People coming in on your server log on as the user IUSR_servername, which Internet Information Server (IIS) automatically creates. If you use file and directory permissions to give that user account No Access to some file, no CGI program (or HTTP hole) in the world will let a criminal damage or even look at one of your files.

Advice: First, never enable the Guest account on any NT machine, ever. And if you're really worried, filter out UDP ports 135 through 139 and TCP port 139 with your firewall or your router. Our Cisco 2501, for example, can filter UDP ports, making a firewall unnecessary. (That is, unnecessary to me. Again, remember I'm not a security expert. Your mileage may vary and all that.) Also, don't put anything sensitive on a computer running an FTP server. Next, use file and directory permissions on all the files on an IIS server to ensure that hackers can't exploit security holes in HTTP; if you really want to be careful, run IIS on a computer that doesn't run anything else. Finally, use a long, randomly-generated password for the built-in Administrator account, or use PASSPROP to lock out the built-in Administrator account. (Again, PASSPROP is part of the NT Server resource kit, a separate Microsoft product.) For more information on Internet security, see John Enck, "Confronting Your Network Security Nightmares," October 1996.

   Previous  [1]  2  Next 


Top Viewed ArticlesView all articles
Microsoft, News Corp. Discuss Locking Out Google

Microsoft and Rupert Murdoch's News Corp. recently discussed an alliance that would counter Google's fledgling online news service. ...

2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...
Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education
Related Events Deep Dive into Windows Server 2008 R2 presented by John Savill

Introduction to Identity Lifecycle Manager "2"

SQL Server Security: How to Secure, Monitor & Audit Your Databases

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement