The Ultimate Windows Server 2003 System Administrators Guide
Robert Williams, Mark Walla

SECURE NETWORK SERVICES AND ARCHITECTURE


Securing your domain internally is but one aspect of security. The system administrator must also be aware of network security issues. In this section, we explore the need to protect network shares, use firewalls, restrict RAS services, invoke IP security, and use other TCP/IP-based applications safely.

Protecting Network Shares


Network shares are an important part of the distributed computing environment because they greatly enhance accessibility. However, they also represent a potential security weakness. To minimize problems associated with network shares, keep these administrative concepts in mind:


The root share determines share permissions for all subdirectories. Subdirectories of a root share cannot be further restricted with share permissions, so NTFS permissions should be used for finer granular control.


Share permissions restrict only network users, not local users.


Share names are visible to all users and should not reveal sensitive information or invite an attack.


Hidden shares can be displayed using the net share command from the command prompt. They should be removed if not in use.



NOTE: One way to minimize the risk to hidden administrative shares is to remove them. Using the Registry Editor, set the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters to 0, which will disable the hidden administrative shares C$ and D$.

However, if you are backing up files using these administrative shares, the 0 setting will prevent you from doing so.

Firewalls


In Internet communications, firewalls are normally established to buffer the intranet from outside attacks. Firewall functions are implemented on packet-forwarding devices, which usually, but not always, have at least two interfaces. They can take the form of a dual-homed host with two interface cards or a piece of network gear known as a router.

A typical firewall configuration (Figure 11.14) consists of an external packet-filtering firewall and a secondary firewall supporting the needed proxy services. The packet-filtering rules are configured to allow external Internet users access to HTTP and FTP services on the company's Web and FTP servers or whatever ports you decide to leave open, including SMTP and RealAudio. Network and transport protocol packets that do not match the packet-filtering rules are dropped. Additional rule sets must be implemented to allow services such as DNS and SMTP to pass from the internal intranet through the packet-filtering firewall to servers on the Internet. Servers located in the zone between the two firewalls, sometimes referred to as the Demilitarized Zone (DMZ), are given dedicated Ethernet segments.

Figure 11.14. The Relationship of Firewalls to Intranets and the Internet


If one of these DMZ servers is compromised, a network sniffer installed remotely on it is prevented from monitoring traffic to the internal network. (This really depends on the firewall implementation.) The second firewall proxies Web and FTP services initiated by internal users to the Internet.

The firewall routes packets between interfaces performing packet filtering, stateful inspection, and proxy services. A review of each of these items is appropriate.

PACKET FILTERING


A packet filter is designed to restrict external connections to a limited set of services, protecting the internal network from the Internet. The firewall enforces rules for packet filtering. These rules typically filter protocols, source ports, source addresses, destination ports and destination addresses. Packet rules define connection types that are accepted and those that are rejected. For simplicity and security, it is probably best to establish rules for packets that will be accepted. Everything else is dropped and not forwarded.

Packet filtering occurs mostly at the network and transport protocol levels. If the NetBIOS service ports are not specifically enabled, traffic targeting the NetBIOS services will be blocked from Internet attacks. Attacks using IP source routing can also be stopped by packet filtering.

Packet Filtering Example


The rule set in Table 11.5 allows external clients to access the internal Web server through the packet-filtering router. Rows A and B show the IP addresses and TCP port settings that permit inbound requests and outbound responses. The rule set also allows internal intranet users to connect to external Web servers on the Internet. Packets with destination TCP port 80 and a source (return) TCP port above 1023 are treated as inbound HTTP requests from Internet users (row A). For the internal Web server to respond to such a client, outbound packets with destination TCP port above 1023 and source TCP port 80 (row B) must be permitted. An Internet user who attempts to connect to the intranet using an internal source IP address, however, is not permitted: internal IP addresses are forwarded only from the internal to the external interface of the packet-filtering router.

NOTE: The foregoing is a general rule and is by no means absolute. Additionally, a filter may be applied to the incoming or outgoing interface, and the ACK bit may be checked. Since a cracker can make a request come from any port she wants, you must check the ACK bit in the header to make sure that incoming packets either are destined to a specific IP address or belong to an already established connection.

Table 11.5. Filtering Example

Line  Source IP Address  Destination IP Address  Source TCP Port Number  Destination TCP Port Number  Description
A     Internet           Intranet                Random > 1023           80                           Inbound request
B     Intranet           Internet                80                      Random > 1023                Outbound response
C     Internet           Intranet                Random > 1023           80                           Outbound request
D     Intranet           Internet                80                      Random > 1023                Inbound response

A rule set similar to this example must be implemented for every network service that intends to communicate through the packet filter. Table 11.6 lists common network services and protocols that could take advantage of packet filtering.

Table 11.6. Other Windows Server 2003 Services for Implementing a Packet Filter

UDP Port Number  Description                            TCP Port Number  Description
53               Domain Name Service (DNS)              20               FTP Server, data channel
69               Trivial File Transfer Protocol (TFTP)  21               FTP Server, control channel
137              NetBIOS Name Service                   23               Telnet Server
138              NetBIOS Datagram Service               53               DNS Transfers
161              SNMP                                   80               Web Server (HTTP)
139              NetBIOS Session Service                25               Simple Mail Transfer Protocol (SMTP)

We do not recommend allowing TFTP, SNMP, or any of the NetBIOS services in from the Internet. Of course, such a decision must be based on policy, but these services are relatively insecure.
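The rule set of Table 11.5, combined with the anti-spoofing rule and the ACK-bit check from the note above, as an added Python example (this is not code from the book). Rules A and B model the Internet-initiated HTTP connection to the intranet Web server; the intranet-initiated direction follows the prose description (request out, reply in). The interface names, the 10.0.0.0/8 intranet range and the Web server address 10.1.1.80 are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")       # constructed internal address range
WEB_SERVER = ip_address("10.1.1.80")      # constructed intranet Web server
HTTP = 80


@dataclass(frozen=True)
class Packet:
    iface: str    # "external" or "internal": interface the packet arrives on
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool     # TCP ACK flag; clear on a fresh connection attempt (SYN)


def _internal(addr: str) -> bool:
    return ip_address(addr) in INTRANET


def decide(p: Packet) -> str:
    """Return 'permit <rule>' or 'deny <reason>'; anything unmatched is denied."""
    # Anti-spoofing: an internal source address is only valid on the internal
    # interface, so an Internet packet claiming an intranet address is dropped.
    if p.iface == "external" and _internal(p.src):
        return "deny spoofed internal source"
    if p.iface == "internal" and not _internal(p.src):
        return "deny external source on internal interface"
    # Row A: inbound HTTP request from an Internet client to the Web server.
    # Accepted without an ACK check because it targets one specific address.
    if (p.iface == "external" and ip_address(p.dst) == WEB_SERVER
            and p.dport == HTTP and p.sport > 1023):
        return "permit A inbound request"
    # Row B: the Web server's response back out to that client.
    if (p.iface == "internal" and ip_address(p.src) == WEB_SERVER
            and p.sport == HTTP and p.dport > 1023 and p.ack):
        return "permit B outbound response"
    # Intranet user opening an HTTP connection to an external Web server.
    if (p.iface == "internal" and not _internal(p.dst)
            and p.dport == HTTP and p.sport > 1023):
        return "permit C outbound request"
    # Reply from an external Web server. ACK must be set: a packet from source
    # port 80 without ACK is a new connection dressed up as a reply.
    if (p.iface == "external" and _internal(p.dst)
            and p.sport == HTTP and p.dport > 1023):
        if p.ack:
            return "permit D inbound response"
        return "deny new connection from source port 80"
    return "deny default"
```

Because the default is deny, a NetBIOS packet from the Internet (port 139) falls through every rule and is dropped, as the text recommends.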

PROXY SERVICES


A proxy server is a popular way to give internal users access to the Internet without compromising external access. The proxy software runs on a host routing between the internal network and the Internet. The main idea is to allow internally initiated connections with the Internet while preventing externally initiated connections. For example, after installing and configuring Microsoft Proxy Server 2.0 for HTTP, the internal users designate the HTTP proxy server in their Web browser. All external Web site requests are directed to it. The proxy receives HTTP URL requests and establishes its own connections with the destination Web sites. It then retrieves the data and relays it to the correct internal client. This translation between internal Web client and external Web server can be transparent to the user. A proxy firewall requires client proxy and server proxy software specifically designed for each proxy service implemented to provide this transparency.

Both Netscape and Internet Explorer provide client proxy software for HTTP. Noncaching proxies degrade network performance but provide a secure firewall. We specifically mention noncaching because a caching server may actually respond much quicker if the answer is in the cache. The Microsoft Proxy Server also has an added caching feature. Commonly visited sites are stored on the proxy's local hard disk, preventing the need for Internet retrieval. Clients receive the pages faster and reduce the required Internet bandwidth. The proxy can also retrieve and refresh popular Web sites automatically without client requests.

STATEFUL INSPECTION


Stateful inspection offers an alternative way to provide internal users with connectivity to Internet resources while preventing external users from initiating inbound connections. As a user makes an outbound request to an external server, the stateful inspection firewall records details about it. The information tracked includes the source address, destination address, protocol, port number, and so forth, and it is evaluated for a certain period of time. When the destination service responds to the internal user, the packet is permitted to return through the firewall.

The firewall performs intelligent packet filtering without requiring the server and client software to support each network service. However, although stateful inspection offers better performance than the proxy model, it reveals internal IP addresses to the Internet. Several stateful inspection products hide internal IP addresses through address translation.
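The connection tracking described above, as an added Python example (not the book's code): an outbound flow is recorded with a timestamp, the matching reply is permitted while the entry is fresh, and anything unsolicited or expired is dropped. The 60-second idle timeout, the injectable clock and the "10." internal prefix are assumptions for the example; address translation is not modelled.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

IDLE_TIMEOUT = 60.0   # seconds an entry survives without traffic (assumed value)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The flow a reply to this one would carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    def __init__(self, internal_prefix: str,
                 clock: Callable[[], float] = time.monotonic):
        self.internal_prefix = internal_prefix   # e.g. "10." (constructed)
        self.clock = clock                       # injectable for testing
        self.table: Dict[Flow, float] = {}       # tracked flow -> last seen

    def _is_internal(self, addr: str) -> bool:
        return addr.startswith(self.internal_prefix)

    def _expire(self, now: float) -> None:
        # Drop entries idle longer than the timeout so a stale reply cannot be
        # pushed into the intranet indefinitely.
        for flow in [f for f, seen in self.table.items()
                     if now - seen > IDLE_TIMEOUT]:
            del self.table[flow]

    def check(self, flow: Flow) -> str:
        now = self.clock()
        self._expire(now)
        if self._is_internal(flow.src) and not self._is_internal(flow.dst):
            # Outbound request: record it so its reply is recognised.
            self.table[flow] = now
            return "permit outbound"
        if not self._is_internal(flow.src) and self._is_internal(flow.dst):
            origin = flow.reverse()
            if origin in self.table:
                self.table[origin] = now          # refresh the idle timer
                return "permit established reply"
            return "deny unsolicited inbound"
        return "deny"

    def active(self) -> int:
        """Number of live tracked flows after expiry."""
        self._expire(self.clock())
        return len(self.table)
```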

Web Security


When implementing a Web server, you should follow certain basic guidelines to protect against security breaches. A Web server allows users to download designated files and run CGI scripts, Active Server Pages, and server-side applets that are accessible to it. For this reason, the server should not be able to access sensitive files that contain proprietary company information or files pertinent to system security.

Limit the Web server to a specific directory subtree and dedicate a system to Web server duties (Windows Server 2003 uses %SystemRoot%Inetpub\wwwroot). Also, make sure that Web sites with password security do not place the password security file in a directory the server can read. The Web server should run as a very underprivileged user to limit its own access, with just enough privilege to perform required functions. It should have a firewall between it and the internal network, and no internal host should trust it through Windows Server 2003 domain trust relationships.

RESTRICTING SCRIPTS FROM EXTERNAL SOURCES


Since the Web server is permitted to run local components, all scripts, applets, and active components should be analyzed for unintended uses. Remember, these scripts can be run with freely chosen parameters from the outside, so any service that allows users to download scripts to the server should be carefully scrutinized. FTP users should not be able to download to the Web server's file system area. In fact, almost all services, except HTTP, should be disabled on the Web server.

HTTP SECURITY


HTTP is an unencrypted protocol and will not prevent users from snooping or spoofing your Web server. The Secure HTTP protocol addresses these issues, but your Web clients must be familiar with your server to gain access. The Public Key Infrastructure discussed in Chapter 10 outlines how to use and configure the X.509 certificates and Certificate Authority.

IP Security


The Internet Protocol (IP) is the message delivery portion of the TCP/IP suite. It provides addresses and delivery of data packets. This is a "best-effort" delivery system that does not guarantee arrival of packets or that the information is properly sequenced. Thus, IP packets can be intercepted en route, reviewed, and even modified. The potential misuse is obvious. Let's examine some IP security issues.

IP spoofing can be a major threat. The IP address is ordinarily shown as plain text. The hacker can then direct the packet to the destination with altered information. The use of cryptographic technologies is the best defense against IP sniffing and spoofing.

Internet Browser Security


Downloadable objects accessible from the Internet open a gaping hole in network security because untrusted components can be downloaded right through a firewall. The user must be educated and browsers must be configured to match your network's tolerance for active components and Java applets.

Any browser user can configure his browser to handle untrusted and trusted components. Microsoft Internet Explorer v6 configures these options through the Tools > Internet Options menu selection. Select the Security tab and click Custom Level for the Internet zone. For the purpose of providing an example, we will examine both Java and ActiveX permissions.

RESTRICTING ACTIVEX COMPONENTS


The ActiveX attributes require a Prompt, Enable, or Disable value for each security setting. ActiveX controls do not have the option of running within the sandbox and they have full control over the Win32 API. Therefore, you do not want users to run unsigned ActiveX controls. Period.

Find the ActiveX permissions and select Custom. Then click ActiveX Custom Settings. The attributes that can be modified are shown in Table 11.7. Again, browser permissions should be set at the same relative levels as those of the local server.

NOTE: The browser settings just discussed can be automatically assigned to users through a GPO. They are set from the Default Domain snap-in via User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings.

INTERNET CERTIFICATE MANAGEMENT


From the Tools > Internet Options > Content tab, press the Certificates button to display currently installed certificates for signing and encryption. See Chapter 10, "Kerberos and the Public Key Infrastructure," for more information on local certificate stores.

Table 11.7. ActiveX Permission Settings

ActiveX Attribute                                        Option
Download Signed ActiveX Controls                         Prompt/Enable/Disable
Download Unsigned ActiveX Controls                       Prompt/Enable/Disable
Initialize and Script ActiveX Controls Not Marked Safe   Prompt/Enable/Disable
Run ActiveX Controls and Plug-Ins                        Administrator approved/Prompt/Enable/Disable
Script ActiveX Controls Marked Safe for Scripting        Prompt/Enable/Disable

Securing RAS Servers


The Remote Access Service (RAS) allows a connection across a phone dial-up so that a user can use resources like a printer in a remote location. Since these connections are made through unsecured telephone lines, many potential security breaches exist. This is particularly true if RAS is provided by a server that is not otherwise protected. A number of actions can be taken to protect the domain from RAS abuses, including these:


RAS connections should allow dial-in accounts to access only the RAS server.


The RAS server should have its own domain and maintain separate user accounts.


There should be a one-way trust between the rest of the network and the RAS server. (Users can put data on the RAS server for remote access, but the server is buffered from the rest of the network.)


Strong passwords to RAS accounts should be enforced.



Securing Electronic Mail


Electronic mail is the lifeblood of modern organizational communication. The ability to send and receive e-mail messages from external sources is a common requirement. As is the case with any information from external sources, e-mail presents a host of security problems, including:


Flooding.
The e-mail server is hammered with a large number of messages, which can result in denial of service and system crash.


Spoofing.
The e-mail message has an incorrect sender name or address.


Viruses.
Application attachments may contain hostile macros (for example, the ActiveX-based Melissa).


Nonrepudiation.
The receiver needs to verify that the sender actually sent the message and the sender needs to verify that the receiver got the message.



PREVENTING E-MAIL SECURITY ABUSES


Packet-filtering messages from sources that are known to flood is effective but reactionary; the mail buffers and disk space can be monitored for excessive use. Spoofing and nonrepudiation are effectively combated with digital signatures.

Digital signatures are easily implemented from Outlook Express 6.0 via the Tools > Options selection under the Security tab, where encryption and digital signing can be configured for outgoing messages (see Chapter 10, "Kerberos and the Public Key Infrastructure").

Figure 11.15. The Security Tab


Figure 11.16. Advanced Security Settings


Virus attacks are difficult to filter out, especially when e-mail encryption is involved. Several virus scanners are available but are of limited effectiveness. If the scanner has an error and starts dropping all e-mail messages, regardless of viral content, the network and company can end up in a worse predicament than dealing with the virus. Denial of service is a serious downside to these tools, which means that careful monitoring and reaction time are key to successful implementation.

Other TCP/IP Security Issues


The TCP/IP networking suite provides a host of common services and protocols. The following issues can affect Windows Server 2003 environments that use these TCP/IP suite applications:


FTP.
The File Transfer Protocol is often used by anonymous user accounts that do not require password protection, which permits access to a system by virtually any user. Once inside, hackers can try to work their magic. To guard against this, set permissions to Read-Only and restrict directory access. (Or do not set up anonymous accounts at all unless you really need them.)


TFTP.
The Trivial File Transfer Protocol is a relaxed version of FTP, in which generally any files can be transferred without a password, conceivably even system files such as the Windows Server 2003 Registry. We strongly recommend that TFTP be disabled by removing the tftpd file. In Windows Server 2003, make sure that the service is not enabled.


Finger.
This utility outputs information about users on the system. Once a hacker has a list of user names, systematically discovering passwords becomes the game. This facility should also be disabled unless absolutely required.


DNS.
The Domain Naming Server includes vital network information. Protect yourself by segregating it. For example, two servers can be used with a firewall separating external Internet-required data from inside user account information. You may also want to set filters to allow DNS queries to go to only one specific DNS machine on the DMZ, and allow zone transfers to and from only your parent servers.


Telnet.
Telnet data is transmitted in plain text along with the user name and password. This makes Telnet a valuable tool in an internal environment, especially when attempting to view data on heterogeneous UNIX and Windows systems. However, outside a secured environment, the user must be aware that security breaches can occur with this open transmission.



