Halloween came early this year for Microsoft. And by extension, the entire industry and user community is also...
haunted by the very real specter of the hackers who invaded Microsoft's internal networks. If the industry needed another wake-up call to the perils of networking life in the 21st century, this is it.
A hack can happen to anyone at anytime. Traditionally, security is something that is practiced in hindsight. It's one of those "soft" items in the capital budget and is frequently hard to justify. That is, too many of us pay scant attention to the security of our collective networks, software, PCs and laptops until it is too late.
Giga has assembled a list of best security practices based on its own experience as well as extensive interviews with Microsoft security experts and corporate IS security professionals. These are intended as general guidelines to be used in conjunction with the appropriate security devices, mechanisms and practices that are specifically tailored for your environment.
Let's examine Windows NT Server networks first. The most important thing is to familiarize yourself with all of the security mechanisms within the server operating system and configure them properly. On a Windows NT 3.x or 4.0 server-based networks, the Server Manager facility displays a list of users on a particular server. It will also let you temporarily disconnect a user from that server. This will work in the case of a so-called "ankle biter" hacker � that is, a rank amateur or inexperienced hacker. But Server Manager will be an ineffectual deterrent to any rogue user who is practiced at the art of hacking. This is because unless you actually disable the account or block the connection to the server that the hacker is accessing, he/she will automatically reconnect. Worst of all, the server will not even generate an error message that the intruder was forcibly ejected. This Server Manager tactic will work in a pinch, though. And if you elect to use this method to thwart a hacker, you must also STOP the server service from running on the system that the hacker is attempting to access. This will stop the server from "servicing" any shared resources. You can restart the service after you are sure the user cannot reconnect. If going this route, pause the NETLOGON service on all your domain controllers so the user cannot log back on (none will be able to accept those with ADMIN privileges).
Windows 2000 Server contains much more granular and improved security capabilities including Kerberos and C-2 level support. But complexity is an issue as well. . As a general rule, Microsoft advises organizations to use security groups to define and delegate administrative roles associated with an application server and to identify the users and computers that are granted access to the service's objects in the directory. This will play a key role in helping your firm quickly identify the source and shut down any services or ports on the domain controller that are not needed. Whenever possible, deploy applications on member workstations or servers rather than on the domain controller. If you absolutely must run an application on the domain controller, run it as a service account.
In the Windows 2000 environment the "keys to the kingdom" are the password to the Administrator account. Guard this zealously! Any user in possession of this password can configure full privileges on the domain controller. Microsoft's Daniel Blum in his book "Understanding Active Directory Services" (published by Microsoft Press), advises that "to simplify configuration and close any loopholes, use the Microsoft Security Configuration Editor to set an entire domain controller to run in high secure mode."
Be warned however, that this option comes with high risks. Setting your domain controller to run in high secure mode will break some applications. Before embarking on this strategy, test it in a pilot network with your crucial network applications. And as always, good computer security in any environment begins with physically restricting access to the server.
In the wake of an attack, a thorough risk assessment of your network operating system and overall network infrastructure is in order. It's also a good policy to perform an in-depth risk analysis of your organization on an annual basis, or more frequently as your business needs demand..
Companies are well advised to disseminate a corporate security policy and associated penalties for infractions during a new employee's orientation process and to regularly disseminate the policies via hard copy and e-mail to the general user populace. Make sure your employees -including network administrators, high-level executives and internal development staff -� know that the policy applies to everyone, no exceptions allowed. Too often, people believe that their titles exempt them from obeying the rules. Consider the recent example of the former CIA chief who was censured (though not prosecuted) for downloading sensitive government files on his relatively un-protected home computer. He himself was not a hacker, but by virtue of his office, he should have known better than to use an insecure computer for classified information.
Also post warnings on your site serving notice to external intruders that violation of your private network is an offense punishable by law. Realistically, this will not stop anyone determined to invade your network, but it will help to negate any claims of ignorance should your organization successfully prosecute them.
Careful planning and preparation will not guarantee that your networks will be immune, but they will ensure that you can minimize the damage and possible theft of data. And it will help authorities successfully pursue, apprehend and prosecute the perpetrator. This in turn will send a strong signal to possible copycat hackers to stay away. For more information on the dynamics of hacking, check out the Computer Emergency Response Team at www.cert.org.
Laura DiDio is a Giga Group analyst who covers Windows 2000 and third-party products and utilities. DiDio will be the speaker for an upcoming Live Session Q&A on the SearchWin20000 site on Nov. 16 at 3 pm.
For security tips, visit: searchSecurity