When you perform a new software installation, do you use a checklist to make sure you've adjusted the configuration for better security? Numerous helpful checklists are available for various systems, many of them online. Windows & .NET Magazine published a new guide in February 2002, which is available for free: "Secure Your Operating System—Guidelines for Hardening Windows 2000."
Jan De Clercq, who writes the NT Gatekeeper column for the Security Administrator print newsletter, developed the checklist, which covers a variety of system-configuration settings. The guide covers topics such as authentication, access control, system-related hardening features, Group Policy settings, and using Microsoft's Security Configuration Tool Set. The guide also includes references to many security tools and resources available for free. You can download a copy of the guide in PDF format at the IT Buyer's Network Web site.
I also recommend a set of free checklists from Australian-based company InterSect Alliance. You'll find valuable checklists for five products that many of you use: Win2K, Windows NT, Microsoft IIS, Apache Web server, and Linux.
The checklists cover several aspects of the products, and, as you might expect, each checklist begins with suggestions about how to perform installation. The checklists also discuss network services and network access controls, object access controls, subsystems that particular products contain, and, of course, auditing. Even if you have checklists you already use, stop by the Web site and examine these lists as well—you might find additional items for consideration that you've overlooked.
Arne Vidstrom, Swedish security aficionado, recently released a new security tool—PromisDetect—which is available for free. The tool runs on Windows XP, Win2K, and NT. The tool checks systems to determine whether their network adapters are running in promiscuous mode. Systems whose network adapter cards run in promiscuous mode probably run software that acts as a traffic sniffer, and you don't want just anybody running a sniffer on your network. As you know, network packets often contain sensitive information, including authentication data and proprietary company information, so letting sniffers run unchecked on the network weakens overall security. PromisDetect is a good way to identify rogue sniffers. However, as Vidstrom notes, because someone running a sniffer might also be intercepting traffic from software designed to detect sniffers, PromisDetect and similar sniffer detectors aren't foolproof. You can download a copy of PromisDetect, as well as several other useful security-related tools, at Vidstrom's Web site.
As I read our "HowTo for Security" mailing list last week (you can subscribe at the URL below), I noticed that subscribers were asking how to map listening ports back to their respective system services. As you know, using a command such as the "netstat –a" command or the "netstat –an" command can produce a list of ports, port service names, and IP addresses. However, the lists don't include a map to the actual system service that opened the port in the first place. Although you can see which port is listening, which computer system is connected to it, and which service the port is typically used for, you're still in the dark about which application on your system actually opened the port.
Fortunately, tools are available that support further discovery. Foundstone's Fport tool maps listening ports to the software on your system that opened the port. When you run the Fport tool, you see a list of open ports matched to a list of the applications that opened the ports. The list includes full pathnames so that you can more easily identify the exact programs referenced. You can download a copy of Fport and several other useful security tools at the Foundstone Web site.
Finally, are you keeping up with Microsoft security bulletins and related hotfixes? Even if you are, keep in mind that occasionally Microsoft publishes workarounds for security problems without releasing a related bulletin to alert you to the need for system-configuration adjustments. For example, Microsoft recently released the article, "Denial of Service Attack on Port 445 May Cause Excessive CPU Use." The article discusses registry settings that can help prevent particular Denial of Service (DoS) attacks. You can read about the matter in the related news story in this issue of Security UPDATE.