Roll up your sleeves and secure your system

Humor me for a moment and step into my way-back machine. (I bought the machine from a smart-mouthed dog named Mr. Peabody.) We're going back 2 years, to when Windows NT 4.0 was in its second (and final) beta release and when IBM claimed that its AS/400 midrange system was a more secure Web server than an NT system was.

The year is 1996, and I'm challenging IBM to prove its allegation. I ask the company to ship me an AS/400 so that I can expose it to a series of security attacks. I'm also going to expose an NT Server 4.0 system with Internet Information Server (IIS) 2.0 to a set of attacks.

Okay, let's zip back to the present. Veteran Windows NT Magazine readers know that the AS/400 never arrived. An IBM executive in Rochester, Minnesota, canceled the test.

Over the next 2 years, I continued talking to IBM about this challenge. Many folks at IBM were as disappointed as I was about the company canceling the original test, especially the people in charge of AS/400 security. After some negotiation, we agreed on the format and parameters for a head-to-head test of NT Web security vs. AS/400 Web security.

The rules were simple. I'd engage outside security consultants to attack the two systems for 24 hours. The consultants couldn't perform bandwidth-based, denial-of-service attacks (I wanted to keep the Lab network running), and I'd configure both systems only as Web servers.

Folks at IBM and in the Lab had differing opinions about running the two systems only as Web servers. Some people claimed that any security consultant would tell you you're crazy to run additional TCP/IP services on your Web server because these services open up new security holes. Other people argued that because the AS/400 is a general-purpose system, customers probably have only one AS/400 in their shop, so they need to run more than one service on it. Ultimately, the Lab decided to test what companies should be doing (i.e., separating their Web and production systems) instead of what many companies are probably doing (i.e., running all their systems on one AS/400).

After we agreed on the rules, IBM's security experts locked down an AS/400 system. Mark Joseph Edwards, an NT security expert and regular contributor to Windows NT Magazine, locked down an NT system. These experts installed a simple storefront system on both machines, so that the systems would have a business-like look and feel.

In the Know
You might wonder why we locked down the systems instead of testing them out of the box. NT and AS/400 systems are not suitably secure as Web servers out of the box. (I'd have to say that most operating systems--OSs--aren't secure out of the box.) If you connect a new system to the Web without securing it first, you're asking for trouble.

We wanted to define specific goals for the security attacks. On the AS/400, we challenged the security consultants to find Lou Gerstner's (IBM's CEO's) credit card number, which was hidden in a database file. On the NT system, we challenged the security consultants to find the local systems administrator's username and password.

We wanted to use consultants familiar with each system in the attacks. Someone who isn't familiar with the AS/400 can't easily attack it. For example, no one except an AS/400 expert would know that the system power users are QSECOFR and QSYSOPR and that you must invoke certain commands if you find a hole in security. AS/400 neophytes typically don't know commands such as PWRDWNSYS *IMMED (power down the system immediately).

I ended up with two teams. Midwestern Commerce (MWC), from Columbus, Ohio, is a company composed of NT security experts who have launched attacks for the Lab in the past. (You can visit MWC's Web site at http://www.ntsecurity.com.) A west-coast pal of mine (who prefers to remain anonymous) led the team of AS/400 security experts. Both teams attacked both systems: I carved each 24-hour test cycle into two 12-hour cycles.

Ready, Set, Go!
IBM arrived first for the tests. I hooked up the AS/400, which was running OS/400 4.1, to the Lab network and configured it with a public Internet address. The AS/400 security experts began their attack while I monitored network activity from a nearby workstation.

I watched and marveled as the AS/400 security experts worked through their bags of dirty tricks. The AS/400 security experts performed socket attacks, spoof attacks, SQL attacks, and more, but they couldn't break into the system. The only attack that slightly weakened the AS/400 was an attack that tied up the system's HTTP ports and prevented the flow of Web traffic. I can't divulge the details of this attack because IBM is currently working on a fix for the problem.

Next, the NT security experts began their attack on the AS/400. This team also tried every trick in the book, with similar results. After the 24-hour test cycle, I declared the AS/400 unconquered.

We then turned to the NT system: a Compaq server running NT Server 4.0 with Service Pack 3 (SP3) and IIS 3.0. The Compaq server configuration consisted of dual 333MHz Pentium processors with 128MB of RAM and 8.6GB of hard disk space. The NT security team went first and ran attacks for 12 hours to no avail. The AS/400 team couldn't break the NT system either. After the 24-hour test cycle, I declared the NT system unconquered.

So What?
NT's security as a Web server clearly disappointed IBM, but that's their problem. IBM put its best team to work locking down the AS/400, and Mark Joseph Edwards took a no-nonsense approach to locking down the NT system. Both efforts obviously paid off.

I can't explain the steps that IBM took to lock down their AS/400. However, you can read about Mark Joseph Edwards' NT approach in the September issue of Windows NT Magazine (see "16 Steps to Building a Secure Web Server"). If you work on or with NT Web servers, you'll benefit from reading this article.

When the IBM team and the AS/400 were on their way back to Rochester, I pondered our discovery. The win-win situation between the AS/400 and NT was a positive experience, but writing about a system that had failed would have made a much better article.

The lesson I learned from watching the tests is that systems are as secure as you make them. IBM won't come to your office and lock down your AS/400, and Mark Edwards won't work his way around the globe locking down NT servers. Ultimately, you are responsible for securing your system, whether it's an AS/400 or an NT system, so roll up your sleeves and get to work.