Securing your network requires more than installing a firewall and setting some access controls. Security is an ongoing process of checks and balances that requires diligence and persistence, and you need a good toolkit at your disposal to perform those checks.
When I wrote "The Handy Security Toolkit," May 1997, you didn't have as many nifty tools to choose from as you do today. As new products surfaced, I added them to my security toolkit. In this article, I review some mainstay tools and introduce you to some new tools that I've come to rely on in various situations.
My security toolkit includes mailing lists, port scanners, dial-up scanners (aka war dialers), event log analyzers, Registry analyzers, access control analyzers, packet sniffers, password crackers, and general security scanners. Table 1, page 70, lists various types of tools that you can use to secure your network. Let's take a closer look at all these tools.
Good security practice involves constant monitoring of your systems, networks, and product information updates. Pay close attention to vendor updates—especially Microsoft updates—because vendors regularly release patches that correct serious security problems, and intruders read the same bulletins you do. To learn about new security problems as quickly as intruders do, you need to monitor the vendors. Therefore, mailing lists remain a staple in my security toolkit.
Microsoft has an electronic Security Bulletin in which the company announces new security risks and publishes information regarding fixes for the risks. Other vendors have similar mailing lists, so search for those resources that apply to your needs.
In addition to vendor-based mailing lists, several other mailing lists will keep you up-to-date regarding new security risks. If you work in a mixed OS environment, BUGTRAQ from NetSpace is a great list to join. Although most of the information pertains to UNIX-based OSs and applications, a fair amount of the information relates to Microsoft security.
NTBugtraq's mailing list is another good resource that discusses security bugs in the Windows NT platform. And although you won't find much information on the list that relates to other aspects of Microsoft's products, the list is a good place to quickly learn about new NT-related security problems.
By searching the Internet, I found at least a half-dozen mailing lists that pertain to NT security in some form. The amount of mail you receive by joining all these lists can become a significant burden. For example, on any given day you can expect to receive about eight messages from Internet Security Systems' (ISS's) NT Security mailing list and about a dozen or more messages from Global Networking and Computing's Firewalls mailing list. These two mailing lists alone can amount to 20 messages per day. When you toss in four or five more list memberships, you get an overflowing inbox and not enough time in the day to read all the messages and be productive. If you don't want to join several mailing lists, I offer a mailing list called NT Security Digest (NTSD). The list is a catchall of security problems that surface in the other security-related mailing lists.
If you don't receive Windows NT Magazine's Security UPDATE, you need to subscribe to this free electronic newsletter. This weekly newsletter summarizes industry news about network security in a timely manner.
Each TCP/IP service listens on a particular port or set of ports. A port scanner lets you sweep ranges of IP addresses to find TCP/IP ports that are listening; each listening port has some type of service behind it. A port scanner immediately reveals systems that are running services you might not want available on your network, such as a private Web site or FTP server running on an employee workstation. For port scanning, I still use Point One Publishers' UltraScan 1.5, which is fast and now free. One limitation of UltraScan is that it can scan only one Class C-sized network (256 addresses) at a time, so to scan a larger range you must break the addresses into Class C blocks and scan each in turn.
When I need to scan larger networks or when I want more detail than which ports are listening, I use Nmap from Insecure.Org. Nmap is a fantastic scanning tool that not only enumerates listening ports but also fingerprints the OS running on the scanned system from the behavior of its TCP/IP stack. Although Nmap is UNIX-based and doesn't run on NT, the utility is well worth the effort to use. I highly recommend that serious security buffs load a copy of Linux and learn to use this OS. Much of the example exploit code that has demonstrated NT security holes was written to run on UNIX, so if you have a Linux box handy, you can test that code against your own networks and also run valuable software, such as Nmap.
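The scan described above, as an added example in Python (not code from the article, UltraScan, or Nmap): a TCP connect scan that walks an address range one /24 block at a time, the way you would have to feed a Class C-only scanner, and reports hosts that answer on ports an employee workstation should not be serving. The port list and the demo range are assumptions; point it at your own network. The local self-check at the end opens a throwaway listener so you can confirm the scanner tells a listening port from a closed one before trusting it on a real range.

```python
"""TCP connect scan of an address range, broken into Class C-sized (/24) blocks."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def scan_port(host, port, timeout=0.5):
    """Return True if a TCP connect() to host:port completes (something is listening)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        # connect_ex returns 0 on success and an errno (refused, timed out) otherwise
        return sock.connect_ex((host, port)) == 0


def scan_host(host, ports, timeout=0.5, workers=32):
    """Scan one host and return the sorted list of ports that accepted a connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, scan_port(host, p, timeout)), ports))
    return sorted(port for port, is_open in results if is_open)


def class_c_blocks(network):
    """Split a network into /24 blocks, the way you would feed a Class C-only scanner."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen >= 24:
        return [net]
    return list(net.subnets(new_prefix=24))


def scan_network(network, ports, timeout=0.5):
    """Return {address: [open ports]} for every host in the range with an open port."""
    found = {}
    for block in class_c_blocks(network):
        for host in block.hosts():
            open_ports = scan_host(str(host), ports, timeout)
            if open_ports:
                found[str(host)] = open_ports
    return found


# Services an employee workstation has no business exposing: FTP, HTTP, NetBIOS/SMB.
UNWANTED_PORTS = [21, 80, 139, 445, 8080]


def demo_against_local_listener():
    """Self-check: scan a listening and a closed port on 127.0.0.1.

    Returns (ports reported open, the port the listener was bound to); a correct
    scanner reports exactly the listener's port.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                       # nothing listens here any more
    try:
        return scan_host("127.0.0.1", [open_port, closed_port]), open_port
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_against_local_listener())
    # Real use: scan_network("192.168.1.0/22", UNWANTED_PORTS) walks four /24 blocks.
```

On a network of any size, keep the timeout short and the worker count modest; a connect scan completes the TCP handshake, so it shows up in the target's logs, which is exactly what you want when auditing your own machines and exactly what Nmap's half-open scan is designed to avoid.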
A dial-up scanner (aka war dialer) detects listening modems. With this tool, you'll find unwanted and unauthorized modems that are listening for calls on your phone lines. Many employees leave their systems up and their modems online so they can access the corporate LAN and the Internet on the company's dime after hours. This practice is bad news because intruders love to find such back doors into your network: your firewall is useless when a modem answers behind it. Free dial-up scanners, many of them written and used by intruders, are available for you to test your own phone lines. I use ToneLoc because it displays results in a graphical map that represents the results in colored patterns, so I can see immediately which phone numbers have modems listening. To obtain a copy of ToneLoc, search for it with a search engine or download it from http://www.ntsecurity.net. ToneLoc might be overkill for your needs because it's designed to scan large blocks of phone numbers.
SecureLogix has a dial-up scanner called TeleSweep Secure, which was in beta at press time. I added TeleSweep Secure to my security toolkit because it goes beyond the average dial-up scanner by performing security checks of the systems answering the modem lines. For example, this scanner can determine whether the phone lines are voice, data, or fax. When TeleSweep detects a modem answering (in the case of data and fax lines), the product checks commonly known username and password combinations to assess the security configuration of the applications running on identified modems.
Event Log Analyzers
Monitoring your system logs is one of the most important tasks you need to perform regularly. Unfortunately, this task is grueling because Event Viewer's built-in filtering is too coarse to pull the entries you care about out of a large NT event log.
Log analyzers provide an alternative method to rifle through all the logged information. You can export the data to a database manager, where you can sift out the items you're looking for and produce reports to your liking. When I want to move event log information into a database, I prefer to use Somarsoft's free DumpEvt tool by Frank Ramos. Somarsoft also has DumpEvt in a .dll form that you can incorporate into custom applications. In addition to DumpEvt, the Microsoft Windows NT Server 4.0 Resource Kit contains a utility called Dumpel, which also dumps events out of the log. But DumpEvt does a much nicer job.
When I want to research logon information, such as failed logons and remote logons, I use NT OBJECTive's NTLast. The product is a fabulous command-line tool that makes searching for logon information a very simple task. J.D. Glaser developed this product, which costs $29.95. For the work NTLast performs, it's worth every penny. (For a review of NTLast's functionality, see "NTLast v2.6," September 1999.)
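An added example, not part of the article and not DumpEvt or NTLast output, of the kind of search you run once the Security log is out of Event Viewer and in text form. The tab-separated layout and the nine sample records are constructed for this example; the event IDs (528 successful logon, 529 failed logon, 539 lockout) are NT 4.0's. The code counts failures per account and workstation and flags a success that follows a run of failures from the same machine, which is what a password-guessing attack that worked looks like in the log.

```python
"""Spot brute-force logon attempts in an exported NT Security log (constructed sample)."""
import re
from collections import Counter

# NT 4.0 Security log event IDs from Microsoft's audit documentation.
EVENT_LOGON_SUCCESS = 528
EVENT_LOGON_FAILURE = 529   # unknown user name or bad password
EVENT_ACCOUNT_LOCKOUT = 539

# Constructed sample export. The tab-separated layout (time, source, type, event ID,
# computer, description) is an assumption for this example, not DumpEvt's own format.
SAMPLE_EXPORT = """\
1999-09-14 02:11:07\tSecurity\tFailure Audit\t529\tFILESRV1\tLogon Failure: User Name: jsmith Domain: CORP Logon Type: 3 Workstation Name: WS-217
1999-09-14 02:11:09\tSecurity\tFailure Audit\t529\tFILESRV1\tLogon Failure: User Name: jsmith Domain: CORP Logon Type: 3 Workstation Name: WS-217
1999-09-14 02:11:12\tSecurity\tFailure Audit\t529\tFILESRV1\tLogon Failure: User Name: jsmith Domain: CORP Logon Type: 3 Workstation Name: WS-217
1999-09-14 02:11:15\tSecurity\tFailure Audit\t529\tFILESRV1\tLogon Failure: User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS-217
1999-09-14 02:11:18\tSecurity\tFailure Audit\t529\tFILESRV1\tLogon Failure: User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS-217
1999-09-14 02:11:20\tSecurity\tFailure Audit\t529\tFILESRV1\tLogon Failure: User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS-217
1999-09-14 02:11:24\tSecurity\tSuccess Audit\t528\tFILESRV1\tSuccessful Logon: User Name: Administrator Domain: CORP Logon Type: 3 Workstation Name: WS-217
1999-09-14 08:30:02\tSecurity\tSuccess Audit\t528\tFILESRV1\tSuccessful Logon: User Name: mjones Domain: CORP Logon Type: 2 Workstation Name: FILESRV1
1999-09-14 08:31:45\tSecurity\tFailure Audit\t529\tFILESRV1\tLogon Failure: User Name: mjones Domain: CORP Logon Type: 2 Workstation Name: FILESRV1
"""

FIELD_RE = re.compile(r"User Name: (\S+).*?Logon Type: (\d+).*?Workstation Name: (\S+)")


def parse_export(text):
    """Turn the dump into a list of dicts; only logon-related records are kept."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, source, kind, event_id, computer, description = line.split("\t", 5)
        match = FIELD_RE.search(description)
        if not match:
            continue
        user, logon_type, workstation = match.groups()
        events.append({
            "time": time,
            "event_id": int(event_id),
            "user": user.lower(),          # NT account names are case-insensitive
            "logon_type": int(logon_type),  # 2 = interactive, 3 = network
            "workstation": workstation,
        })
    return events


def failure_counts(events):
    """Count failed logons per (user, workstation) pair."""
    return Counter(
        (e["user"], e["workstation"])
        for e in events if e["event_id"] == EVENT_LOGON_FAILURE
    )


def guessed_in(events, threshold=3):
    """Return (user, workstation) pairs where a success followed >= threshold failures.

    A run of bad passwords and then a good one, from the same machine, is what a
    successful password-guessing attack looks like in the Security log.
    """
    streak = Counter()
    hits = []
    for e in events:
        key = (e["user"], e["workstation"])
        if e["event_id"] == EVENT_LOGON_FAILURE:
            streak[key] += 1
        elif e["event_id"] == EVENT_LOGON_SUCCESS:
            if streak[key] >= threshold:
                hits.append(key)
            streak[key] = 0
    return hits


def remote_logons(events):
    """Network (type 3) logons, successful or not, the ones worth reviewing first."""
    return [e for e in events if e["logon_type"] == 3]


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    for key, n in failure_counts(evts).most_common():
        print(f"{n:3d} failures  {key[0]} from {key[1]}")
    print("guessed in:", guessed_in(evts))
```

The single failure for mjones at the console is the normal typo case and never reaches the threshold; the Administrator success at 02:11:24 after three failures from WS-217 is the line you want to see first thing in the morning.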
The Registry plays a crucial role in NT security because it holds almost all of NT's security configuration settings, in addition to other important information and settings. Therefore, you need to routinely check your Registry settings to reveal incorrectly set permissions and parameters before they lead to disaster.
Manually cruising the Registry is incredibly painful work. An analyzer automates this task and produces reports that are easy to read and understand. Also, such a tool lets you see Registry entries that new software makes during installation, and track changes. In most cases, I prefer Somarsoft's DumpReg tool. DumpReg lets you easily locate keys by finding the last modification date or by matching strings.
When I need to learn which Registry keys programs are reading, creating, or writing to, I use Regmon from Systems Internals. Regmon is a powerful desktop application that intercepts Registry access in real time. You can filter for specific Registry items or let the product operate in a catchall mode so that nothing slips past. Regmon runs on NT and Windows 9x. I highly recommend you add Regmon and DumpReg to your toolkit.
In addition to these two tools, consider getting a copy of Systems Internals' Filemon software. Filemon will watch all file system activity in the same way Regmon watches all Registry activity. With Filemon, you'll discover every file a program touches, including setup programs that install new software. (While you are collecting tools, you should also get Systems Internals' SDelete, which securely deletes files and is US Department of Defense (DOD)-compliant, and Undelete for Windows NT, which can sometimes recover deleted files.)
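An added example (not the article's code and not how DumpReg works internally) of the change-tracking idea from the Registry discussion above: export the Registry before and after an installation, then diff the two exports. The two snapshots are constructed in the [key] / "name"=value layout that Regedit exports; the watched-key list is an assumption about what matters most (autostart entries, the Winlogon shell, and the LSA RestrictAnonymous setting). Values are compared as the raw text after the equals sign, so types and escapes are not interpreted.

```python
"""Diff two Regedit-style exports to see what an installer (or an intruder) changed."""
import re

# Constructed sample snapshots in the [key] / "name"=value layout that Regedit exports.
BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"""

AFTER = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="C:\\TEMP\\update.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Acme\Widget]
"InstallDir"="C:\\Program Files\\Widget"
"""

# Keys where any addition or change deserves a second look (assumed list): autostart
# entries, the logon shell, and the LSA settings that govern anonymous access.
WATCHED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_export(text):
    """Return {key: {value_name: raw_value}} from a Regedit-style export."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            tree.setdefault(current, {})
        elif current is not None:
            value_match = VALUE_RE.match(line)
            if value_match:
                tree[current][value_match.group(1)] = value_match.group(2)
    return tree


def diff_snapshots(before, after):
    """Return added, removed and changed values as (key, name, old, new) tuples."""
    added, removed, changed = [], [], []
    for key in sorted(set(before) | set(after)):
        old_vals, new_vals = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name), new_vals.get(name)
            if old is None:
                added.append((key, name, None, new))
            elif new is None:
                removed.append((key, name, old, None))
            elif old != new:
                changed.append((key, name, old, new))
    return added, removed, changed


def suspicious(added, changed):
    """Narrow the diff to additions and changes under the watched keys."""
    return [entry for entry in added + changed if entry[0] in WATCHED_KEYS]


if __name__ == "__main__":
    added, removed, changed = diff_snapshots(parse_export(BEFORE), parse_export(AFTER))
    for key, name, old, new in suspicious(added, changed):
        print(f"{key}\\{name}: {old!r} -> {new!r}")
```

In the sample, the new Acme\Widget key is what a setup program is expected to leave behind; the new Run entry pointing into C:\TEMP and the flip of RestrictAnonymous from 1 to 0 are the two lines an installer has no business producing, and they are the two lines the watched-key filter keeps.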
Access Control Analyzer
Checking ACLs on your shared resources is incredibly important. But as with the Registry, working with ACLs by hand can be tedious. To simplify this task, I use Somarsoft's DumpACL. This analyzer dumps the permissions (ACLs) for the file system, Registry, shares, and printers into a concise and readable format. The report shows any apparent holes in system security, if you know what you're looking for: for example, Everyone or Guests holding Change or Full Control on a share, a sensitive directory, or an autostart Registry key. In addition to DumpACL, the NT resource kit includes the Cacls utility, which displays and modifies file and directory ACLs from the command line, although it covers only the file system and lacks DumpACL's reporting.
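An added example, not code from the article or from DumpACL, that writes down the "if you know what you're looking for" part. The report layout (object, account, permission) and the sample rows are constructed for this example and assume a permissions dump flattened to one ACE per line; the check flags any write-capable permission held by Everyone or Guests, the two principals behind most apparent holes.

```python
"""Flag weak ACEs in a permissions report (constructed sample, layout assumed)."""
import csv
import io

# Constructed sample in a tab-separated layout (object, account, permission). The layout
# is an assumption for this example; it is not DumpACL's or Cacls' actual output format.
SAMPLE_REPORT = """\
object\taccount\tpermission
C:\\Data\\Payroll\tCORP\\Payroll\tChange
C:\\Data\\Payroll\tEveryone\tFull Control
C:\\Data\\Payroll\tCORP\\Domain Admins\tFull Control
C:\\WINNT\\system32\tEveryone\tRead
\\\\FILESRV1\\Public (share)\tEveryone\tFull Control
\\\\FILESRV1\\Public (share)\tCORP\\Domain Users\tChange
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tEveryone\tSet Value
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tCORP\\Domain Admins\tFull Control
"""

# Principals that include anyone who can reach the machine; what they can write, anyone can.
BROAD_PRINCIPALS = {"everyone", "guests"}
# NT permission names that grant write or control. Read alone is not a finding.
WRITE_PERMISSIONS = {"full control", "change", "write", "set value", "create subkey"}


def parse_report(text):
    """Return one dict per ACE with keys object, account, permission."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def weak_aces(rows):
    """Return the rows where a broad principal holds a write-capable permission."""
    findings = []
    for row in rows:
        account = row["account"].lower().split("\\")[-1]   # drop any DOMAIN\ prefix
        if account in BROAD_PRINCIPALS and row["permission"].lower() in WRITE_PERMISSIONS:
            findings.append(row)
    return findings


def explain(row):
    """Say why the finding matters, keyed on the kind of object."""
    obj = row["object"]
    if obj.startswith("HKLM\\") or obj.startswith("HKEY_"):
        reason = "anyone can plant a value here (autostart on a Run key)"
    elif "(share)" in obj:
        reason = "anyone on the network can write to the share"
    else:
        reason = "anyone with a logon can modify or delete the files"
    return f"{obj}: {row['account']} has {row['permission']}; {reason}"


if __name__ == "__main__":
    for finding in weak_aces(parse_report(SAMPLE_REPORT)):
        print(explain(finding))
```

Everyone:Read on system32 is the NT default and is not reported; Everyone:Set Value on the Run key is the one that lets any user start a program under every account that logs on to that machine, which is why Registry permissions belong in the same review as file and share permissions.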
A packet sniffer grabs packets off your network for further analysis. Packet capture is a great capability when your network is acting up or when you need to determine what data a particular program is transmitting over the network. Another good reason to use a packet sniffer is to head off intruders who attempt to penetrate your network without leaving traces in the NT event log—a packet sniffer will catch this activity. In addition, intrusion attempts can sometimes confuse your network or make it behave in strange ways. If you suspect something is amiss, a packet sniffer can quickly lead you directly to the source of the problem.
Cinco Networks developed my favorite sniffer: NetXRay. Network Associates bought Cinco Networks and renamed the product Sniffer Total Network Visibility (TNV). As with most packet sniffers, Sniffer TNV requires that your network card support promiscuous mode, so that it can collect packets destined for any address on your network segment. Most network cards support this mode of operation. Keep in mind that promiscuous mode only lets the card accept the frames that physically reach it: on a switched network, you'll see little beyond your own traffic and broadcasts unless you attach the sniffer to a hub segment or a switch port that mirrors the traffic you want to watch. Sniffer TNV runs on 10/100 Ethernets and asynchronous transfer mode (ATM) networks. Sniffer TNV also comes in several varieties that offer different feature sets, including Sniffer Basic, Sniffer Pro LAN, Sniffer Pro WAN, and Sniffer Pro High Speed.
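An added example, not code from the article or from Sniffer TNV, of what a sniffer does with each frame it captures: decode the Ethernet, IP and TCP headers and apply a rule. Capturing live traffic in promiscuous mode needs a raw socket or a capture driver and is outside the example; the two frames here are constructed in code, with zero checksums, and the trusted subnet 192.168.1.0/24 is an assumption. The rule flags a bare SYN to the NetBIOS or SMB ports from outside that subnet, one of the share-mapping probes that the text says a sniffer catches even when nothing lands in the event log.

```python
"""Decode Ethernet/IPv4/TCP frames and flag NetBIOS/SMB probes (constructed frames)."""
import ipaddress
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
SMB_PORTS = {139, 445}
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return a dict of Ethernet, IPv4 and TCP header fields, or None if not IPv4."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt = {
        "src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8], "proto": ip[9],
    }
    if pkt["proto"] != PROTO_TCP or len(ip) < ihl + 20:
        return pkt                                 # IP-only view for non-TCP traffic
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x3F
    pkt.update({
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for i, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload": tcp[(off_flags >> 12) * 4:total_len - ihl],
    })
    return pkt


def is_smb_probe(pkt, trusted_net="192.168.1.0/24"):
    """A bare SYN to 139/445 from outside the trusted subnet: someone mapping your shares."""
    if pkt is None or "dst_port" not in pkt:
        return False
    outsider = ipaddress.ip_address(pkt["src_ip"]) not in ipaddress.ip_network(trusted_net)
    return pkt["dst_port"] in SMB_PORTS and pkt["flags"] == ["SYN"] and outsider


def summarize(frame):
    """One-line description of a TCP frame, or None for frames this decoder skips."""
    pkt = parse_frame(frame)
    if pkt is None or "dst_port" not in pkt:
        return None
    return (f"{pkt['src_ip']}:{pkt['src_port']} -> {pkt['dst_ip']}:{pkt['dst_port']} "
            f"[{','.join(pkt['flags'])}] {len(pkt['payload'])} bytes")


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct a test frame; checksums are left zero because it is never sent."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 8192, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("00a0c9112233") + bytes.fromhex("0050da445566")
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


# Constructed capture: an outside host probing the NetBIOS session port, then a web hit.
SAMPLE_CAPTURE = [
    build_frame("10.9.8.7", "192.168.1.20", 1034, 139, 0x02),                   # SYN
    build_frame("192.168.1.10", "192.168.1.20", 1035, 80, 0x18,                 # PSH,ACK
                b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for frame in SAMPLE_CAPTURE:
        flag = "  <-- SMB probe" if is_smb_probe(parse_frame(frame)) else ""
        print(summarize(frame) + flag)
```

A real capture is the same loop over frames read from the wire; the decoder deliberately stops at the TCP header and hands the payload back as bytes, because that is where the protocol-specific decoders (HTTP, SMB, Telnet) a commercial sniffer ships with would take over.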
Testing password strength is another important task to perform when analyzing network security. When I started in NT security, no NT password cracker tools were available, but today several tools are available. The best password cracker tool that I've found is L0phtCrack from L0pht Heavy Industries. L0phtCrack is easy to use and fast. L0phtCrack can perform dictionary cracks or brute force cracks, making it a well-rounded tool to have in your toolkit. And at $100, L0phtCrack offers a heck of a value.
L0phtCrack lets you dump the SAM and perform password strength testing on the password hashes. In addition, L0phtCrack 2.5 includes SMB Packet Capture Output, an integrated packet sniffer that grabs Server Message Block (SMB) packets sent across the network. NT network authentication runs over SMB when a client connects to a network resource, and the challenge/response exchange in those packets is computed from the user's password hash. After SMB Packet Capture Output obtains the packets, the software runs its dictionary and brute-force attacks against the captured exchanges to recover the passwords. (For information about how NT 4.0 with Service Pack 4—SP4—stands up to cracks on authentication by L0phtCrack, see R. Franklin Smith, "Inside SP4 NTLMv2 Security Enhancements," September 1999.)
In addition to testing your password's strength, you need the ability to recover passwords. And although L0phtCrack can crack almost any password, this intruder tool can't crack the password without access to hashes from the SAM (e.g., you must be able to log on to the system or have remote Registry access). So, if you lose your NT administrator password and don't have the password to any accounts in the administrator's group, you won't be able to log on. In these cases, I use Systems Internals' NTLocksmith.
NTLocksmith is an ingenious tool that uses two NT systems to recover a locked-out system. You can use Systems Internals' NTRecover to connect a working NT system and a locked-out NT system. With NTRecover, you can run NTLocksmith, which directly accesses the NT Registry and lets you reset the administrator account password. A slick feature of NTLocksmith is that it works on any system, even systems with NT 4.0 SP3's Syskey utility in place. If you don't own NTRecover and NTLocksmith, I highly recommend you obtain copies of each because these products will save you sooner or later. At $189 and $49, respectively, these tools are worth every cent.
Overall Security Scanners
What the above tools can't do, system security scanners will do. Security scanners ordinarily include more features than the tools I mentioned earlier, and in most cases, security scanners look for numerous problems with your network security. Most NT-based security scanners are aware of the security risks to NT, which makes them an ideal tool for discovering the state of your NT systems' security.
Of the system security scanners available, I recommend the SAFEsuite kit from ISS. ISS products are valuable because they do a fantastic job of surveying your systems' vulnerabilities. However, a couple of other products have also caught my attention.
Network Associates has a great tool called CyberCop, which, similar to Internet Scanner from ISS, performs vulnerability testing against NT systems. I found CyberCop to be easy to use and a great complement to the Sniffer TNV products. CyberCop also has good support from Network Associates.
An up-and-coming security product from WebTrends is called WebTrends Security Analyzer. WebTrends Security Analyzer performs vulnerability testing in a similar fashion to Internet Scanner and CyberCop. What I really like about WebTrends Security Analyzer is the reporting interface. WebTrends' experience in developing reporting interfaces shines with this product. The reports are well designed and easy to read. WebTrends Security Analyzer also sports a custom API that lets users develop customized vulnerability checks for in-house use, and other WebTrends Security Analyzer users can share the customized checks.
And if your network management is built on BindView's platform, check out the company's new NOSadmin tool. NOSadmin adds security vulnerability testing to the BindView Enterprise Management Station (EMS) console.
While you're checking your NT systems for vulnerabilities, don't forget your Microsoft SQL Server machines. In this area, ISS's Database Scanner stands alone. At press time, I hadn't found any other database security scanners on the market. And although Database Scanner is the only product in this category, it's a great tool for the job. Database Scanner can examine your SQL Server configuration and make recommendations for changes to consider. Database Scanner performs checks that include security permissions and dangerous embedded procedures.
In addition to examining systems to find vulnerabilities, you'll also want to learn which service packs and hotfixes your NT-based systems have installed. One of the best tools for this task is MTE Software's SPQuery. (For a review of service-pack management products, see David Chernicoff, "Service Pack Management," August 1999.) SPQuery checks the Registry on NT systems to discover which service packs and hotfixes are loaded. When necessary, the product can also download missing service packs and hotfixes and help install them. The product is a genuine timesaver. If you don't have a copy of SPQuery, I suggest you get one because it will save you a ton of time and headaches.
An Ounce of Prevention
Now you know some of my security secrets, which often reside with the tools that I have in my toolbox. Keep in mind that the security industry is evolving at a blistering pace, with new tools and techniques surfacing every month. You can do yourself a big favor by obtaining the tools I mentioned, closely monitoring vendor updates, and watching the security industry for new developments. While you're mulling over security, remember that an ounce of prevention is worth a pound of cure, except in the case of security, when an ounce of prevention might be worth a few tons of cure.