Internet scanner stops up security sinkholes

Category: Security software
Name of tool: Cerberus Internet Scanner
Company name: Cerberus Information Security Ltd./ @Stake
Price: free
URL: www.cerberus-infosec.co.uk/cis.shtml
Windows platforms supported: NT, 2000
Quick Description: A quick way to scan various security issues for your NT and Win2000 machines.

Strom-meter:
**** = Very cool, very useful

Key features:

Pros:
Easy to setup and use
Identifies common security weaknesses including Internet, networking and local NT-registry issues.

Cons:
Implementing the suggested repairs could prove difficult to those unfamiliar with NT registry editing and other NT commands.

Description:

We all know that NT and Windows 2000 are security sinkholes. Indeed, according to information collected by the computer security web site Attrition.org, attacks on Windows-based Internet servers surpassed all other operating systems last year.

The problem is that keeping Windows servers secure is in and of itself almost a full-time job. In addition to keeping track of the various weaknesses, as you add software applications to your NT/Win2k machine you can inadvertently open up new security loopholes. This is because Windows security is implemented in various different places around the operating system, and some of these places are very accessible to the ordinary user.

If you are like most administrators, you probably don't have enough hours in the day to keep up with the latest patches and fixes. as a result, you are undoubtedly open to some trouble, particularly if your NT/Win2k system is available through the Internet. The best offense is the best defense, and the best defense is to use a security scanner to see where you are vulnerable.

One of the easiest to use scanners is from Cerberus/@Stake, called the Cerberus Internet Scanner or CIS. It is a free piece of software developed by David Litchfield and runs on either NT or Windows 2000. In just a few seconds, it can check your servers for a wide variety of common security holes, provide advice on how to eliminate them, and suggest strategies for repelling potential hackers.

Some of the scans are very detailed, including a line-by-line analysis of the NT registry and IE browser security settings. Given the mind-numbing number of details that could be overlooked, these by themselves are very illuminating. CIS will also examine a variety of Internet services, including web, FTP, DNS, finger, and POP/SMTP services. Each report is a nicely formatted page of HTML that is saved according to the IP address of the server, which makes it easy to archive and refer back to them as needed.

When I scanned several test machines in my office, I found a few places that I forgot. For example, if you install IIS, you should immediately erase the scripts directory of sample scripts that come along with the product: this is a known vulnerability from Microsoft. And I had inadvertently left anonymous FTP account open on one system, something I really didn't want to do. CIS also alerted me to some security settings for my IE browser that could be tightened up, such as preventing ActiveX controls from automatically downloading. While I certainly knew about all of these issues, the scan pointed out places that I just forgot about when I installed my server operating systems.

CIS isn't perfect. Some of its suggestions on how to fix problems with the registry entries on my NT machines were so terse that I couldn't figure out how to implement them properly. It would be nice to include hyperlinks to the Microsoft knowledge base or some other support web site with more detailed directions on how to make these changes, especially for the more inexperienced NT administrator. (Some of the suggestions do include hyperlinks, but these aren't very useful.)

I got a number of false reports on various issues with one of my web servers. Tracking these down wasn't easy, either, but at least it raised a few issues for me to consider. Finally, CIS also falsely reports that your administrative password should be changed from "administrator" -- the program's author claims this is a bug with how the NT registry reports passwords. But it probably is a good idea to rename this and the other default user name (guest) to something else, and to put strong passwords on them just to be safe.

These are minor issues. CIS is a very useful tool. And given that it is free, it should be in everyone's collection of utilities, no matter how paranoid you might be about potential attacks on your servers.

Strom-meter key:
**** = Very cool, very useful
*** = Hey, not bad. One notch below very cool
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.

Bio: David Strom is president of his own consulting firm in Port Washington, NY. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant, and corporate IT manager. Since 1995 he has written a weekly series of essays on web technologies and marketing called Web Informant. You can send him email at david@strom.com.