287 105 2MB
English Pages 159
Installing Locks in the Global Village ( Securing Your Hom e or Sm all Business Net work)
Introduction As I wrot e t his int roduct ion, word of an e- m ail virus was breaking in t he news. As I sat t o edit it , yet anot her virus had been found and was being fought . These viruses can t ake down m aj or e- m ail syst em s, disrupt com m unicat ions, and dest roy dat a. Worst of all, t he viruses spread fast and easily t hrough our net works, yet t his is not hing new. Several e- m ail viruses have surfaced prior t o t hese, and m any m ore are sure t o follow. So how can t hey st ill be a t hreat ? Why hasn't som eone done som et hing t o st op t hem ? The m ain reason is easy t o see: m ost people aren't prepared t o defend t heir com put er syst em s from t hese at t acks and aren't aware of t he t ypes of t hreat s wait ing for t hem in t he elect ronic front iers of t he I nt ernet . I n fact , m ost people are so unprepared t hat t hey don't see any t hreat result ing from connect ing t heir com put ers t o t he world. For t his reason, t hese virus at t acks are successful. Many people connect ed t o t he I nt ernet are not prot ect ing t hem selves in any way from such t hreat s; in fact , m ost are not prot ect ing t hem selves at all. I don't have st at ist ics t o back m e up, but I 'd guess t hat m ost hom e users and sm all businesses have no effect ive securit y on t heir I nt ernet - exposed net works or com put ers. Because we all share t he sam e net work ( t he I nt ernet ) , we each need t o place som e securit y around our part of it t o provide som e prot ect ion for our dat a. Ot herwise, we are providing an opport unit y for som eone t o com e along and exploit our com put ers. Wit h so m any com put ers on t he Net , you m ight be lucky enough t o rem ain safe for m ont hs or even years wit hout securit y because no one has looked your way yet . But t his can work against you, t oo, by giving you a false sense of securit y when indeed you are com prom ised or under at t ack and you j ust don't know it . Don't be fooled int o t hinking t hat because you are one of m any, you won't be a vict im . Probably every gazelle and wat er buffalo in Africa t hinks t hat , t oo, but t he lions st ill eat . Aft er hearing all of t his, you m ight ask why not j ust m ove t o t he woods of t he Rocky Mount ains and hide? Or perhaps you should sim ply not connect t o t he I nt ernet . Bot h of t hose are opt ions, but I 'm not t rying t o scare you away from t he I nt ernet and it s great possibilit ies for inform at ion research, ent ert ainm ent , and com m erce. Rat her, I m ean t o encourage you t o use t his t ool wisely and securely. I hope t o t each you t he basics of inform at ion securit y so you can m ake decisions about t he risks and benefit s of doing or not doing cert ain t hings online and so you can do t hem as securely as possible. I don't prom ise t o m ake you an expert but t o show you how t o get your foot in t he door and where t o look for expert inform at ion.
Who Needs to Read This Book? This book is prim arily designed for hom e users and focuses on securit y issues t hat face t hese users. Hom e users aren't t he only ones who could benefit from t his book, however. Sm all and m edium - sized businesses wit h I nt ernet connect ions could use t his inform at ion, as well. The t echniques discussed will t ransfer direct ly t o such
businesses, but t he scale for a business is a bit larger. Addit ionally, anyone who want s t o learn about inform at ion securit y and net work securit y but doesn't have a st rong com put er background can use t his book as an ent ry point int o t he concept s and t echniques of inform at ion securit y. The cont ent of t he book ranges in nat ure from nont echnical exam ples t hrough t echnical det ails t hat som e readers m ight find hard or st range. That 's okay—not every reader will underst and every it em in t his book. Because t he book can help you put som e basic securit y in place, som e part s are rat her t echnical. I f you have t o skip sect ions or com e back lat er, t hat 's fine. My goal is t o present t he m at erial in a t echnically accurat e way while t rying t o m ake it underst andable for nont echnical readers. That is a broad range t o cover, and I 'm sure som e people will feel som e areas are t oo t echnical or not t echnical enough. For readers who want m ore t echnical inform at ion, I 've included links and resources t hat can cover nearly all t opics in t his book t o a far great er dept h. On t he ot her hand, if you find som et hing t hat is t oo t echnical for you, feel free t o skip ahead a bit . As you becom e fam iliar wit h t he t opics and discussions, you can go back and read again lat er. Alt hough users of non- Windows operat ing syst em s such as Linux, Macint osh, or BeOS will find t he concept ual part s of t his book useful, t he m ain focus is on t he Windows fam ily of operat ing syst em s m ost oft en found in hom es and sm all businesses. Addit ionally, users seeking advanced t echnical discussions of securit y or in- dept h script ing and coding analysis of t ools will not find t hem in t his book. Those areas of discussion are out side t he scope of t his book. I will, however, provide links and references t o t hose subj ect s as appropriat e t hroughout t he t ext of t he book.
Why the Homestead Example? Every chapt er st art s wit h an exam ple. I chose t he hom est ead exam ple for a variet y of reasons. First , it is an easy analogy t hat capt ures securit y concept s sim ply and in a way t hat m ost people can relat e t o. By int roducing t he concept s wit hout t heir t echnical aspect s, I hope t o m ake t hem easier t o underst and. Then, as t he chapt er progresses, I int roduce t he t echnology t o you slowly, carrying t he concept s from a fam iliar exam ple int o a pot ent ially unfam iliar one. I f you find t hat t he exam ple is not working for you, sim ply skip ahead a bit in each chapt er. Concept s are int roduced t wice in each chapt er, once in t he exam ple and once m ore in t he t echnical sect ions. I would encourage you, t hough, t o at least read t he exam ple and be fam iliar wit h it as t he book progresses, so you can refer t o it as needed.
Is the Example Important? So really, why should you read t he exam ple? I hope because it is a good illust rat ion of securit y concept s in a nont echnical set t ing. Even people who know com put ers reasonably well are usually not fam iliar wit h securit y issues, let alone t rained in t hem . The exam ple t akes away any preconceived not ions about t echnology and com put ers and let s you concent rat e on t he concept s. Then when t he t echnology is reint roduced, I hope you will see t he applicat ion of t he concept s m ore easily. But keep a few t hings in m ind as you progress t hrough t he exam ple. First , it does not include any fact ual inform at ion about real places or village growt h. I f you are an ant hropology or sociology person, please be forgiving about any assum pt ions or errors in t hose fields. The hom est ead is m erely an illust rat ive t ool for t his book.
Second, I have t ried t o m ake t he sect ions about our hom est ead and village enj oyable reading, but t hey are t here j ust t o provide exam ples. Don't worry if you don't see t he securit y issues right away in t he exam ple; t he t ext of t he chapt er will help bring out t he point s I am m aking.
Introduction to the Homestead To help put t he securit y discussions in a cont ext t hat m ost users can underst and, I have used an analogy of a hom est ead t o dem onst rat e cert ain point s and int roduce concept s in t he book. The hom est ead was st art ed by t he Sm it h fam ily and grew int o a village over t im e. Using t his exam ple, I int roduce each chapt er's securit y concept s in a noncom put er- relat ed way so you can focus on t he securit y point s before grappling wit h t he com put er t erm s or concept s. Then I revisit each point t o reinforce t he learning and provide a com put er- specific applicat ion t o t ake you from concept t o pract ice. And t hat brings us t o t he hom est ead it self. On a sm all hill, near a river, was a fine pat ch of land wit h plent y of room for farm ing on t he gent le slopes of t he hill. The wint ers were not t oo harsh here nor t he sum m ers t oo dry. I t was t he perfect place for sm all anim als and a sm all pat ch of grain and veget ables. And so t hey cam e. We'll call t hem t he Sm it hs: John, Kat ie, Jennifer, and Carl. They packed up everyt hing t hey owned, spent nearly all t heir m oney on livest ock and supplies, and headed out here for t he chance at som et hing bet t er. " Owning our own hom e and farm has t o be bet t er t han working on som eone else's," t hey t hought . They spent several days building a sm all log cabin—j ust enough space for t he four of t hem —and a pen for t he anim als. The pen was as m uch t o keep t he anim als in as t o keep ot her t hings out , but —as John's fat her always t old him —it never hurt s t o have som e prot ect ion. They t hen began clearing a plot of land for t he garden. Soon t hings set t led int o a daily rout ine of farm ing and t ending t he livest ock. John Sm it h was no fool. He wasn't expect ing t rouble, but he cam e prepared for it . He had heard of foxes t hat m ight t ry for t he chickens, wolves t hat hunt ed sheep, and bears t hat m ight go aft er a cow or even t he fam ily. He kept his shot gun handy, cleaned it night ly, and reloaded it before going t o bed. Out t his far, a loss of an anim al could m ake t he difference bet ween get t ing t hrough t he wint er or not . As John drift ed t o sleep each night list ening t o t he wolves howling in t he dist ance, he wondered how m any were even closer t han t he ones he could hear. John and Kat ie Sm it h cam e t o t heir new hom e knowing lit t le about it . They had heard about foxes, wolves, and bears being around but had not seen any yet . The Sm it hs had built t heir new hom e and so far had been safe from int ruding anim als, but John and Kat ie were also caut ious. Living t his far from help and wit h wint er com ing on, t hey could not afford t o lose an anim al, have eggs st olen from t he chickens by a weasel, or see t heir crops eat en by deer and elk. John built a fence around t he propert y t o help keep anim als out and t o show where t he boundaries were. The loose- log fence was not t he m ost effect ive at keeping out sm all anim als, but it was good for t he larger ones. John
and his son Carl t hen built a st one wall around m ost of t he close propert y, including t he house, barn, and veget able garden. This was a m uch bet t er st ruct ure for keeping out t he sm aller anim als. Kat ie and daught er Jennifer used t his t im e t o m ake wint er clot hing and blanket s from t he wool t hey sheared in t he spring, and t hey built a sm all chicken coop near t he house. The Sm it hs did have a lock on t he door but not on t he gat es; locks weren't needed t his far out . John did, however, t each everyone in t he fam ily how t o use t he shot gun, j ust in case. John checked t he st one wall every day and rode t he horse out t o t he wood fence at least once a week, wat ching for anim al t racks or signs of som et hing t rying t o get across t he fence. Norm ally t here was not hing, and he t hen went about t he t asks of m aint aining t he crops and livest ock. Som e days he was even able t o relax. Kat ie spent her days cooking and sewing t he necessary it em s for t he fam ily t o cont inue living out here. She t ended t he garden, fed t he livest ock, and kept t he house clean. The children helped where t hey could. They drew wat er from t he well and assist ed t heir m om and dad wit h t he ot her chores. They also played in t he fields and woods around t he house. I t was a good sum m er. One day, however, John found fox t racks near t he st one fence. When he looked closer, he saw t hat t he t racks cam e near t he chicken coop, but he couldn't see any way for t he fox t o get int o t he coop. John spent t he rest of t he day inspect ing and repairing t he chicken coop t o prevent any sm all holes from giving t he fox an ent rance t o it . The rest of t he sum m er passed unevent fully, but John didn't let his guard down. Many days he found deer t racks in t he crops, and once he even found bear t racks j ust out side t he wooden fence. Cert ainly t here were m any t hreat s out here, but so far t he Sm it hs' preparat ions had paid off.
Is Your House Locked at Night? Odds are you are reading t his in your hom e or office, locat ed in a t own or village or m aybe even a big cit y. The idea of a com m unit y isn't st range t o us. Many of us know our neighbors, wave t o t hem as t hey walk t heir dog, and feel safe in our hom es at night . Even so, you probably lock your doors when you go t o sleep. Why? Do you need t o do t hat if you're safe and am ong friends? The t rut h is t hat m ost people are t rust wort hy and would never break int o your hom e, but you know t hat not everyone is t hat nice. Som e people, given t he chance, will com e in and t ake t hings from your hom e, or worse. You probably don't t hink t wice about locking your doors at night or when you plan t o be away from hom e for any lengt h of t im e. You m ight even have a fence or wall around your yard t o keep people from get t ing in t here. Most of us like our privat e spaces and will t ake som e m easures t o prot ect t hem . Why, t hen, do m ost of us connect t o t he I nt ernet and not provide any prot ect ion for our com put ers? For a large num ber of us, our personal lives are becom ing very closely t ied t o com put ers. By exposing your com put er t o t he I nt ernet , you are indeed
living a life wit hout locks or gat es. On t he surface, t hat sounds fine—m aybe even a bit desirable. But let 's t ake a closer look at what t hat m eans. How m any of you have online banking or pay your bills online? How m any of you use e- m ail t o t alk about personal issues wit h friends and fam ily? How m any use soft ware t o file t axes or do ot her act ivit ies relat ed t o a hom e business? Leaving your com put er unprot ect ed wit h your personal and financial inform at ion on it is like carrying your m edical records and checkbook t o a park and spreading t hem out on t he grass t o review t hem . I t m ight even be worse, because in t he park you probably would not ice if som eone began t o look over your shoulder. Most people, however, will never not ice t he person wat ching in t he com put er world. Providing securit y for your hom e com put er is like locking your door at night or looking over your shoulder in t he park. I t isn't all you need t o do, but wit hout it , you are an easy t arget .
What's Important Here? Before you go on, here are som e suggest ions for get t ing t he m ost out of t he chapt ers. 1. The exam ple is a good place t o st art in each chapt er. Read t he exam ple t hrough com plet ely, and t hen read t he rest of t he chapt er. You m ight even want t o read t he exam ple once m ore aft er you read t he chapt er t o see t he concept s in act ion aft er get t ing t hem in t he securit y cont ext .
Key Security Concepts
Here is a quick list of securit y- relat ed concept s used t hroughout t he rest of t he book, wit h brief explanat ions. Absolu t e se cu r it y: The st at e where a syst em can be called secure regardless of what it is exposed t o. This is largely t hought t o be an im possible st at e for any syst em t hat is useful and being used. Cert ainly it is im pract ical. Acce pt a ble r isk : The level of risk allowed or accept ed by t he owner of t he it em or dat a at risk. Acce ss con t r ol: The process by which access t o it em s is grant ed or denied t o request ors. Au t he n t ica t ion : Det erm ining who a user is t hrough a t rust ed m echanism . Cr a ck : Using a hack t o infilt rat e com put er syst em s t hat do not belong t o t he cracker. Cr a ck e r : Som eone who is out t o access your com put er syst em wit hout your perm ission; usually know t hey are breaking int o a syst em .
D e n ia l of se r vice ( D oS) : Causing a condit ion where a com put er syst em can no longer respond t o valid net work com m unicat ions. D e ny a ll, gr a n t e x plicit : Securit y philosophy of denying all access t o a syst em and t hen grant ing access only t o specific t hings for specific reasons ( opposit e of Grant all, deny explicit ) . En cr ypt ion: Mat hem at ically changing dat a so it can be read by t he int ended receiver but not read by anyone else. Gr a n t a ll, de ny e x plicit : Securit y philosophy of grant ing access t o everyt hing and t hen rem oving access right s from specific t hings t hat need t o be cont rolled ( opposit e of Deny all, grant explicit ) . H a ck : A clever or creat ive use of com put er code t o solve a problem . H a ck e r : Som eone who uses com put er code or securit y holes creat ively and is out exploring for curiosit y's sake. Obfu sca t ion : Hiding inform at ion or m et hods of accessing inform at ion so t hey are not obvious t o t he user or int ruder. OSI m ode l ( Ope n Syst e m s I n t e r con n e ct ion m ode l) : Fram ework for com put er syst em com m unicat ion so everyone is working from t he sam e basic m odel. Por t s: Used in TCP/ I P t o allow different applicat ions t o com m unicat e on a TCP/ I P connect ion. Re la t ive se cu r it y: The idea t hat all securit y is a m easure of risk and t hat securit y is never perfect but can be t ight enough for t he st at ed purpose. Se cu r it y in de pt h : Using m ore t han one layer of securit y t o ensure t hat an exposure doesn't occur even if one layer fails. Socia l e n gin e e r ing: Talking your way int o a desired result . Also called a " con" or " grift ." ( Discussed in great er det ail in Chapt er 8, " Defending Against Hackers." ) Un solicit e d com m e r cia l e - m a il ( UCE) or " spa m " : E- m ail sent t o you from som eone you do not know, usually in an at t em pt t o sell you som et hing. Many UCE m ailings have been t raced t o scam s. TCP/ I P ( Tr a n sm ission con t r ol pr ot ocol/ I nt e r n e t pr ot ocol) : Dom inant net working prot ocol used for t he I nt ernet and net working. A prot ocol is a set of rules t hat enable com put ers t o speak t o each ot her. Use r Pr ivile ge : The list of act ions and access t hat a user has on a given syst em . Vir u s: A self- replicat ing, st ealt hy com put er program t hat perform s som e act ion ( t ypically m alicious) on your com put er when it is run.
W or m : A self- replicat ing program t hat m oves t hrough net worked com put ers on it s own, wit h lit t le or no int eract ion from users. Not always m alicious: som e search engines use worm s t o crawl links and find pages for t heir search engines. 2. This book was designed around t eaching inform at ion securit y concept s and principles as well as applying t hose concept s t o t he Windows fam ily of operat ing syst em s. I f you use anot her operat ing syst em , I will assum e you underst and t he differences well enough t hat you won't be confused by t hem . 3. Only apply what you feel you need. Securit y is a st range subj ect , because you can always have m ore. Som e level of securit y will probably m eet your needs wit hout being all you could possibly do. Aft er you read t his book, I hope you won't feel you need a full- blown firewall syst em and packet filt ering rout er j ust t o prot ect your kid's gam e m achine. Please read and underst and Chapt er 1, Assessing Risk, before j um ping int o securing your hom e syst em . 4. Don't be afraid t o experim ent , but m ake backups j ust in case. As wit h anyt hing in com put ers, feel free t o learn by doing. But I also encourage you t o go t hrough t he st eps slowly so you can assess t he im pact s of t he changes on your syst em . Making regular backups of dat a is always highly recom m ended, but you should cert ainly m ake a backup before changing securit y set t ings on your syst em . I 'll t ell you how t o undo cert ain act ions where appropriat e, and I 'll let you know when you would not be able t o undo som et hing easily. 5. A checklist appears at t he end of m ost chapt ers. You can use t hese checklist s t o t rack any changes you m ake t o your syst em and what t he set t ings used t o be. They also include som e quest ions designed t o help you underst and t he securit y needs of your syst em . I encourage you t o use t he checklist s, but don't feel obligat ed t o do every st ep. Sim ply use t he checklist s as a way t o t rack what you did and didn't do.
Starting Out Everyone who knows anyt hing about securit y had t o learn it som ewhere. No one is born wit h t his inform at ion. I t is okay t o have quest ions and t o not underst and a few t hings. Securit y is a com plex field. I have t ried wherever possible t o m ake it easier for you and t o provide exam ples t o help clarify. Even so, you will probably find t im es t hrough t he course of t his book when som et hing will not m ake sense im m ediat ely. This is especially t rue if you are less fam iliar wit h t he t echnology side of t hings. So what should you do when you don't underst and? My first suggest ion is t o cont inue t o read. Som e concept s are addressed m ult iple t im es t hrough each chapt er, wit h som e addit ional inform at ion each t im e. Also, t he chapt er m ight help clear up concept s as it progresses. Second, m ark t he place where you have a quest ion and go t o t he Web t o search for m ore inform at ion. The chapt er on addit ional resources cont ains links and inform at ion for get t ing securit y inform at ion on t he Web, and you can check t here. Finally, t ry reading t he exam ple again if you have a concept ual quest ion, or refer t o t he Windows Help syst em if your quest ion is specific t o t he com put er. By t rying all t hese t hings, you should be able t o get t he inform at ion you need t o answer your quest ion.
Important Assumptions While writ ing t his book, I have m ade som e assum pt ions t hat I will m ent ion here so you can underst and t hem . Not all of t hese assum pt ions will be t rue for everyone, but I want you t o underst and where I 'm com ing from . First , I assum e t hat you, t he reader, are an average com put er user, wit h no special skill or knowledge of com put ers. I explain concept s t hrough t he course of each chapt er and present inform at ion in a way t hat I feel can best be underst ood by t he average person. However, I do expect you t o know what t asks you do on your com put er and how im port ant each t ask is t o you. Second, I assum e t hat m ost hom e users are on a Windows plat form . Alt hough m ost of t he concept s present ed in t his book apply t o any plat form , t he det ails and checklist s are t ailored t o Windows- based syst em s. Securit y is needed on any operat ing syst em , but I chose t o focus on t he syst em s m ost people are probably using. I f you use anot her operat ing syst em , you can use t he book for concept learning and even use t he checklist s and exam ples, but you will need t o know enough t o t ranslat e t he Windows- based inform at ion t o your operat ing syst em .
It's Your Data Throughout t his book you will find m any suggest ions for securing your com put er. More t han likely, you will not im plem ent every one of t hem on your syst em . You m ight not need som e set t ings; ot hers m ight not even apply t o your com put er. I f you feel uncom fort able or unsure about a set t ing, you m ight choose not t o im plem ent it . I n rare cases, som e set t ings m ight , in fact , cause problem s on your com put er. Think of your com put er's securit y as a cont inuum , wit h usabilit y on one end and securit y on t he ot her. A com plet ely secure com put er m ight be unusable, and an ext rem ely usable com put er m ight be com plet ely unsecured. You m ust feel com fort able wit h where your com put er fit s on t his cont inuum . I nvest igat e each set t ing t o ensure t hat it does not have a negat ive im pact on your com put er. You should always m aint ain backups of dat a st ored on your com put er, but I st rongly encourage you t o back up dat a before m aking serious securit y changes t o your syst em . That way you will always have a recent backup from which you can rest ore your syst em if t he unpredict able happens. Chapt ers 3, Securing Your Com put er, and 4, Securing Your Servers, offer det ailed st eps for securing your Windows syst em , and Appendix A is a large collect ion of links for m ore inform at ion about securit y. Not e t hat alt hough hackers and crackers can dam age dat a, t hey are not a t hreat t o your hardware. You m ight want t o buy backup drives and ot her devices t o be m ore secure, but you'll never need t o replace hardware as t he result of an at t ack.
Where to Look First Where do you st art ? Assessing securit y for your com put er can seem confusing at first , but a sim ple m et hod will help keep t hings under cont rol. St art by asking yourself t he following quest ions:
•
• •
• • •
W h a t a r e you u sin g you r com put e r for ? Buying t hings online? Elect ronic banking? Elect ronic t rading? E- m ail? Do you know how secure t hese services are? What would it m ean t o you if your access t o t hese funct ions was com prom ised? Keep in m ind t hat not all t he risk is m onet ary. By im personat ing your ident it y, a hacker can also dam age your reput at ion. W h a t a r e you con n e ct in g you r com pu t e r t o? Most people connect t heir com put ers t o t he I nt ernet , but som e connect t o privat e net works such as corporat e rem ot e access for t heir com pany. H ow a r e you con n e ct in g? I s it a full- t im e connect ion, or do you cont rol your com put er's connect ion ( and disconnect ion) ? Connect ing via an analog m odem has been t he only m et hod available t o m ost users, but newer t echnologies such as DSL and cable m odem are enabling m any people t o connect at m uch higher speeds. Using t hese new t echnologies carries cert ain securit y considerat ions, so you need t o know your connect ion t ype. W h o ha s ph ysica l a cce ss t o your com pu t e r ? Do you aut horize t hese people t o use your com put er? Do you want t o cont rol t he access t hese people have t o your com put er or local net work? W h o do you t r u st ? Do you open an e- m ail at t achm ent from a friend? From som eone you don't know? How do you choose secure Web sit es for online shopping? W h a t ope r a t ing syst e m a r e you u sin g? Som e operat ing syst em s are inherent ly m ore secure t han ot hers.
Answering t hese quest ions will m ove you down t he pat h t oward securing your syst em . Once you have an assessm ent of your com put er, you can weigh t he risks you are open t o versus t he usabilit y you require. I f you don't know t he answers t o any of t hese quest ions, don't worry. I will help you t hrough t hem as you read t his book.
How Secure Is Your System Out of the Box? When you purchase a com put er, it t ypically arrives wit h a default configurat ion. The com pany from whom you purchased t he com put er set s t his configurat ion, usually by inst alling t he operat ing syst em and choosing all t he default set t ings t he operat ing syst em offers at inst allat ion. This com pany is usually m ore focused on selling com put ers t han on your com put er securit y, and t hey m ake som e assum pt ions about what t he " average" user will be doing and needing from a securit y and usabilit y perspect ive. You can change t he default set t ings t o harden ( m ake m ore secure) or relax ( m ake less secure) your com put er's securit y set t ings. Addit ionally, you m ight want t o use som e t hird- part y program s t hat can ext end t he funct ionalit y and securit y of your operat ing syst em . The m akers of m ost com put ers leave t hat all up t o you. They have t o do t hat because m ost users prefer usabilit y t o securit y. Why? Because t hey don't know any bet t er or don't t hink t hey are a t arget . The goal of t his book is t o show you why you need securit y and t hen t o help you get t he inform at ion you need t o achieve t hat securit y.
Chapter 1. Assessing Risk How does our hom est ead exam ple help us learn about securit y and risk assessm ent ? Let 's look at it in m ore dept h. First , rem em ber t hat John built bot h fences and walls. He had heard t hat anim als m ight com e in and t ry t o kill his livest ock or eat his crops, so he t ook st eps t o prevent t hat from happening. He assessed t he risk of losing an anim al and found t he anim al t o be wort h t he effort of building t he walls and fences. John also det erm ined t hat a fence was sufficient for t he out er layer, but a wall was needed t o prot ect t hem nearer t he house. We know t hat John t ook specific m easures t o prot ect t he chicken coop when he found out a fox was in t he area, but he and Kat ie decided t hat locks on t he gat es and doors were not necessary at t his t im e. Their assessm ent of t he risk changed as t hey got m ore inform at ion about t heir new hom e. John found t hat his fence wasn't prot ect ing against all t he deer and t hat at least one fox had got t en close t o—alt hough not all t he way int o—t he chicken coop. Kat ie looked at t he risks t he com ing wint er m ight bring ( cold weat her, rain or snow, sickness) and prepared by m aking clot hing suit able for wint er. She also fed t he livest ock and m aint ained t he household and garden while John was doing his work fart her out . The Sm it hs displayed several concept s here t hat we will discuss t hroughout t he book in m ore det ail. For now, t hough, we will concent rat e on t he aspect s of risk assessm ent . To underst and risk assessm ent , you m ust first underst and what is m eant by risk and get a few definit ions out of t he way. • • • •
Risk : What m ight happen Ex posu r e : How likely a risk is t o happen Cost : The pot ent ial dam age if t he risk does happen M it iga t ion : Fact ors t hat can reduce or elim inat e t he risk
An exam ple of assessing risk every day m ight be crossing t he st reet . The risk is being hit by a car, bus, t ruck, or ot her vehicle. The cost of being hit is possible inj ury or deat h. We all cross st reet s all t he t im e in spit e of such a st eep cost . How can we put ourselves at t hat t ype of risk? Easy. Several fact ors reduce exposure and m it igat e t he risk t o an accept able level. First , we cross st reet s only occasionally and when we are awake and m oving around. The exposure is usually short and is not const ant . Addit ionally, we m it igat e t he risk by following rules such as using crosswalks ( we all use crosswalks, don't we?) and looking bot h ways before crossing, and we t rust t he drivers t o see us and t o do t heir best t o avoid hit t ing us. Wit h all t hese fact ors, t he risk is relat ively low, so we can cross t he st reet wit hout put t ing ourselves at t oo m uch risk. I t is im port ant t o not e, however, t hat people do get hit by cars. We have not elim inat ed t he risk—we have only m it igat ed it t o an accept able level. I f you leave your hom e unlocked when you go t o work, you are reducing your m it igat ion fact or ( locked doors) and t hus adding t o t he risk t hat som eone will break int o your house. However, if you don't have any valuables in your hom e, t he cost of a break- in would be low, and you m ight assess your risk as low t oo. You'd probably t hink t wice about inst alling an expensive hom e securit y syst em if you have not hing t o prot ect .
Assessing risk also enables you t o m ake decisions about how t o secure your com put er syst em . First you need t o det erm ine t he t hings t hat are valuable on your com put er syst em . This includes t hings t hat m ight not be valuable t o ot her people, such as digit al pict ures of your children or im port ant personal docum ent s. Or it m ight be a service you are used t o accessing reliably, such as e- m ail, online banking, or Web browsing. Assessing risk m eans list ing t he t hings you st ore and do on your com put er and t hen assigning t hem a cost , exposure level, and m it igat ion value. Financial records m ight have higher value for you t han a gam e you inst alled once and never play anym ore. Rem em ber t hat alt hough you m ight have inst alled a program from a CD and can reinst all it if necessary, t he dat a you have creat ed or configured since you inst alled t hat program will not com e back when you reinst all. This dat a and configurat ion inform at ion is t he st uff you'll usually want t o save and will m iss t he m ost if you lose it .
Data Classification When you t hink of classified dat a, you t hink of spies, right ? That is pret t y close t o what we're t alking about here. Odds are you don't have nat ional secret s on your hard drive. You do, however, have dat a on your hard drive t hat is personal, privat e, or sensit ive t o you and your fam ily. Many people are banking online, buying from online st ores, balancing checkbooks, and preparing t axes on t heir com put ers. I f you have a digit al cam era, you m ight also have som e phot os on your hard drive—not necessarily sensit ive, but possibly hard t o replace. Som e t hings you value m ight be as sim ple as t he saved gam e dat a of your favorit e gam e. I 'm not advocat ing t hat hom e users should spend a large am ount of t im e classifying dat a when t hinking about securit y. Even a business m ight not need t o do a great deal of classifying. You should, however, t hink about what dat a is im port ant and how im port ant it is t o prot ect . I f no dat a on your com put er is wort h prot ect ing, you don't need securit y. Wit h t hat in m ind, you don't need a com plex classificat ion syst em , but rat her one int uit ive enough t o use wit hout causing confusion. You can t ry t he following cat egories: 1. Re pla ce a ble : Dat a t hat is st ored on a CD or ot her relat ively perm anent m edium and can be replaced by reinst alling or copying it back t o t he hard drive of your com put er. This includes soft ware you can download from t he I nt ernet . Please not e, however, t hat such soft ware m ight qualify as not replaceable if you can't easily rem em ber t he URL t o get t o t he download point or don't have it backed up or writ t en down. 2. Cr it ica l: Dat a t hat you believe you m ust be able t o recover or prot ect , such as t ax docum ent s or financial inform at ion. 3. I m por t a n t : Dat a you would like t o prot ect , even t hough it isn't absolut ely necessary. This m ight be a recipe spreadsheet you have m ade or ot her dat a t hat would be hard or very t im e- consum ing t o replace. 4. Ot h e r : Everyt hing left aft er using t he first t hree cat egories. This dat a is not im port ant enough t o classify or is known t o be not wort h prot ect ing or saving. Using t hese cat egories, you can form a loose idea of what on your hard drive is wort h saving and prot ect ing. You don't have t o writ e down t he dat a locat ion and cat egory or even t rack it . All t hat is im port ant is t hat you have t hought about your dat a and know what you are prot ect ing. We'll t alk lat er about how t o organize your
dat a t o help wit h t his process, but for now, j ust underst anding what needs t o be prot ect ed is enough.
What Am I Protecting? We have t alked about risk assessm ent generally and about dat a classificat ion, but t he real quest ion com es down t o t his: What is it t hat I am prot ect ing? This quest ion has several answers, not all of which will apply t o you specifically, and you m ight t hink of som e t hat aren't shown here. But let 's t ake a look at som e of t he t hings t hat probably need prot ect ion. The first and m ost obvious answer is financial dat a for your hom e or sm all business. Everyone t hinks of t his one first . For sure, it is a good one t o prot ect and has t he m ost direct analogy t o t he real world. Pr ot e ct your m on e y. You should probably also pr ot e ct you r da t a . I nform at ion is a powerful new t ool t hese days, and you m ight not realize how m any people want t o get it , alt er it , or dest roy it . Your dat a is like a t reasure t o som e people, a puzzle t o be cracked, and t he prize for cracking it is reading your recipes. Sounds boring or point less? Let m e assure you, plent y of people out t here do it regularly. The allure is oft en bragging right s t hat t hey cracked a syst em , and som et im es t hey even get som et hing valuable: perhaps a docum ent you brought hom e from work or a privat e e- m ail m essage. Anot her area where people need prot ect ion is a newer concept in t he I nt ernet world: pr ot e ct you r ide n t it y. Online, m ost syst em s don't have easy built - in ways t o " prove" who you are. A clever person can get som e pieces of inform at ion and pret end t o be you. They m ight post m essages t o online bullet in boards as " you" or use your inform at ion t o m ake purchases or set up credit cards in your nam e. Cases of ident it y t heft are becom ing m ore com m on on t he I nt ernet , because m ost people are not very careful wit h t his t ype of personal inform at ion. Relat ed t o ident it y is privacy. You should pr ot e ct your pr iva cy online. The m ore inform at ion t hat is on t he I nt ernet about you, t he m ore ways people can find t o use it . I suppose t his one sounds a bit paranoid, but t hink about t he m arket ing firm s who t roll t he I nt ernet for m ailing addresses so t hey can send out j unk m ail or get phone num bers t o put you on t elem arket ing list s. They aren't out t o st eal your ident it y, but t hey will use your ident it y inform at ion t o t ry t o cont act you. Maybe som e people don't care. Personally, I don't like it , so I prot ect m y privacy. The last area is easy t o overlook in all t he focus on m oney and such: pr ot e ct your com pu t e r . Not everyone who is out cracking syst em s is doing it t o get t he dat a on t hat syst em . Som e people want t o crack your syst em so t hey can get your syst em t o do som e dirt y work lat er. Not t oo long ago, a series of Denial of Service ( DoS) at t acks were launched against Yahoo, eBay, and som e ot her very large com panies. This happened because a cracker inst alled soft ware on a series of com put ers and t hen had t hose m achines do t he work of at t acking t he t arget com panies. Som e of t hose m achines were hom e com put ers.
Is It Worth Protecting? An oft en overlooked quest ion in securit y can be boiled down t o " I s it wort h t he t rouble of prot ect ing?" This is a som ewhat loaded quest ion. To answer it properly, you need t o know what you are prot ect ing, how you would need t o prot ect it , and how difficult or cost ly t he prot ect ion would be. We will be get t ing int o m uch m ore det ail on som e of t hese areas in a short while, but for now let 's concent rat e on t he benefit of securit y versus t he cost of im plem ent ing t hat securit y. First , realize t hat value is subj ect ive. What is im port ant t o m e m ight not be wort h anyt hing t o som eone else. Cost fact ors are also subj ect ive or relat ive. A hom e user m ight not be able t o spend t he m oney t o im plem ent a full firewall solut ion, but luckily, m ost will never need t hat am ount of prot ect ion. I can only provide guidance and suggest ions in t his book. You will have t o assess your cost - t o- benefit rat io on each it em and m ake decisions accordingly. Second, m ake sure you t ake int o account t he risk assessm ent when working on t his quest ion. Som e of your dat a m ight very well be crit ical and obviously wort h prot ect ing. But if t hat dat a is at lit t le risk, spending a large cost for adding a lit t le m ore securit y m akes no sense. This really com es down t o a m at t er of t he degree of prot ect ion and what is accept able t o you. That brings us t o t he concept of " accept able risk." Sim ply put , t his is t he level of risk t hat m akes you com fort able relat ive t o t he dat a or syst em in quest ion. That level m ight be different for different people, or even for different direct ories on your hard drive. The level is not fixed and can change over t im e. Sounds t ough t o t rack, but in realit y it isn't very hard. You m ake sim ilar decisions every day when you cross t he st reet or drive your car, and you can use t he sam e logic when working on your com put er. Sim ply ask yourself, " Would I be okay if t his dat a were dam aged or lost ? I f not , what am I doing t o prevent or m it igat e t hat dam age or loss?" I f you're com fort able wit h t he t hought t hat t his dat a could be lost , you probably are okay wit h t he level of prot ect ion you current ly have for t hat dat a. However, if you t hink get t ing t hat dat a back or rebuilding it t o where it is now would be a real pain, you are st art ing t o cross int o t he area where you need t o consider m ore prot ect ion. I f you t hink t he dat a you are working on is irreplaceable and you would never be able t o recover from it s loss, you should consider securing t hat dat a and ensuring t hat you can prot ect or recover it . These levels also coincide wit h t he " Ot her," " I m port ant ," and " Crit ical" dat a classes we t alked about earlier. " Replaceable" is oft en not used for dat a you have creat ed unless you are doing regular backups of t hat dat a or of your syst em as a whole. Any dat a you creat ed is t heoret ically replaceable because you creat ed it t o begin wit h, but t he line can be drawn when replacing it becom es im pract ical.
Who Am I Protecting Against? This quest ion is bound t o com e up in any discussion of securit y, so let 's t ake a quick look at it . First , you aren't always prot ect ing against a " who." Securit y of your inform at ion encom passes disast er recovery, backups, and equipm ent m aint enance.
To be really secure, you m ust be prepared for an " act of God" or t he event ualit y t hat t he securit y you put in place could fail. Let 's look at " what " first and t hen we'll get t o " who." Here's a quick list of som e t hreat s t o t he securit y of your dat a: •
• •
•
• • • • • •
Pow e r su r ge / ligh t n in g st r ik e : Local power int errupt ion or surge causes hardware failure or dat a corrupt ion. N a t u r a l disa st e r : " Act of God" st uff. Pow e r flu ct u a t ion ca u sin g da t a cor r upt ion : Power surges and changes can cause dat a corrupt ion wit hout causing syst em dam age. N or m a l u sa ge h a r dw a r e fa ilu r e : Moving part s fail, drives or fans st op spinning, and so on. Ca t a st r oph ic h a r dw a r e fa ilu r e : You drop your com put er while m oving it . Soft w a r e fa ilu r e or bu g: Soft ware failure corrupt s or dest roys dat a. Vir u s: Com put er or e- m ail virus alt ers or dest roys dat a. Ta m pe r in g: Som eone changes dat a int ent ionally. M a liciou s de st r u ct ion : Som eone dest roys dat a int ent ionally. H u m a n e r r or : Som eone accident ally changes or dest roys dat a.
These are j ust som e of t he fact ors t hat can cause valuable dat a t o be lost or rendered unusable. Now com es t he quest ion of who you're prot ect ing from . The answer is relat ively easy: everyone, even you. I f you can m ake m ist akes, you can adversely alt er t he dat a or you can cause a syst em problem t hat delet es or corrupt s dat a. Fam ily m em bers and pet s ( yes, pet s) can do t he sam e. Probably t he single biggest cause of dat a loss from com put er syst em s is hum an error. Most people event ually m ake a m ist ake t hat can be cost ly or even fat al if t hey work wit h sensit ive dat a long enough. Wit h good dat a recovery, you can sim ply rest ore and cont inue working. Wit h no dat a recovery plan, you can be delayed—even out of business—in very short order. Here is probably t he biggest secret t o dat a securit y you'll get from t his book: You 'r e u su a lly pr ot e ct ing you r da t a fr om you r se lf a n d m u nda ne m ist a k e s.
Who Are They?
The t ypes of people who are aft er your com put er probably fall int o t he following cat egories: • •
•
Cr a ck e r s: Out t o access your com put er syst em wit hout your perm ission. Usually know t hey are breaking int o a syst em and doing so for bragging right s or possible m alicious int ent . H a ck e r s: Exploring for curiosit y's sake, usually wit hout t he int ent t o harm anyt hing. Scr ipt k iddie s: Have less skill at com put er hacking but use t ools built by t alent ed program m ers t o crack com put er syst em s.
•
•
Colle ct or s: Persons or program s accessing your syst em in an at t em pt t o collect specific inform at ion. Spa m m e r s: Persons or program s t rying t o send or relay unwant ed e- m ail m essages t hrough or t o your syst em .
The t hreat of a cracker is real, however. I t 's m uch m ore sexy and fun t o discuss, and t hough t he chances are sm all, som eone could be out t here in t he wild front ier of t he I nt ernet gunning for you. Preparing is up t o you. So who is t his cracker? What m akes som eone want t o get your dat a? That quest ion is m uch harder t o answer. Crackers are usually sm art people who work in t he com put er indust ry, but no single profile describes t hem . They fit a wide variet y of physical and social descript ions. Many would have you believe t hat t he cracker is a t een genius out j oyriding on your dat a for fun and m ischief. Though t hose t ypes are out t here, t hey are not com m on. More oft en, we're t alking about an average person who has som e com put er skill, whose m ot ives are probably not so m uch m alicious as driven by curiosit y.
Risk Assessment Checklists Following are som e checklist s t hat will help you assess your com put er syst em 's risks. Table 1- 1 is a sam ple invent ory of what m ight be wort h prot ect ing on your syst em and t o what degree t hose it em s m ight be at risk. Table 1- 2 is a blank form . You can use it or creat e your own sim ilar list t o assess your overall risk. The Risk Checklist is sim ply a place t o record and consolidat e a list of t he t hings you need t o prot ect on your com put er. Fill it wit h t he following inform at ion: •
•
•
•
• •
W h a t Am I Pr ot e ct ing?: List each t hing you want t o prot ect . You m ight have m ore t han one ent ry for an it em if it faces m ore t han one risk. Risk N um be r / D e scr ipt ion : The nam e or num ber from Table 1- 3 of t he risk you assign t o t his ent ry. Ex posu r e : A value from 1 t o 10 represent ing t he exposure of t he dat a t o t he risk list ed ( 1 is low risk; 10 is high risk) . Cost : A value from 1 t o 10 represent ing t he cost of t he loss of t his dat a ( 1 is low cost ; 10 is high cost ) . M it iga t ion : A brief descript ion of what you are doing t o m it igat e t he risk t o t his it em . You can fill t his in as you read t his book and learn about ways t o prot ect your dat a. Cla ssifica t ion a n d Cla ssifica t ion Va lu e : I f you are classifying your dat a, you can use t hese colum ns t o record t he classificat ion of t he dat a and t he relat ive value assigned. I use Crit ical ( value 10) , I m port ant ( value 6) , Replaceable ( value 2) , and Ot her ( value 0) .
Table 1- 3 is a descript ion of com m on risks t o which com put er syst em s are exposed, wit h brief descript ions. Again, t hese are j ust exam ples. Feel free t o use t hese, rem ove t hem , or add ot hers as needed.
Ta ble 1 - 1 . Ex a m ple Risk Ch e ck list W ha t Am I Pr ot e ct ing?
Risk Ex posu r e N u m be r
Cost
M it iga t ion
Cla ssifica t ion Cla ssifica t ion Va lu e
Row Risk Va lu e
Hom e Banking Dat a
3
4
9
UPS or linecondit ioning device
Crit ical
10
23
Hom e Banking Dat a
4
2
7
Backups
Crit ical
10
19
I nsurance I nform at ion
4
2
5
Backups
I m port ant
6
13
I nsurance I nform at ion
10
7
4
Backups
I m port ant
6
17
Privat e E- m ail
7
8
6
Virus scanner
I m port ant
6
20
Privat e E- m ail
8
6
8
Firewall or secured em ail server
I m port ant
6
20
Logon I nform at ion t o Online Service( s)
4
3
3
Recoverable Replaceable t hrough t he online service
2
8
Com put er Syst em Logon I nform at ion
9
3
10
None
Crit ical
10
23
Tax or Financial Dat a
3
2
9
Backups
Crit ical
10
21
Credit Card I nform at ion
8
5
8
Fraud prot ect ion t hrough credit card com pany
I m port ant
6
19
Personal Dat a
3
1
6
None
Replaceable
2
9
Digit al Phot os or Movies
0
Program Configurat ion I nform at ion
0
E- m ail Addresses or Cont act
0
Ta ble 1 - 1 . Ex a m ple Risk Ch e ck list W ha t Am I Pr ot e ct ing?
Risk Ex posu r e N u m be r
Cost
M it iga t ion
Cla ssifica t ion Cla ssifica t ion Va lu e
Row Risk Va lu e
I nform at ion Hom e Business I nform at ion
0
Privat e Work Dat a Used at Hom e
0
I dent it y I nform at ion
0 0 Overall Risk Value
192
Num ber of Risks List ed
18
Minim um Risk Value
72
Use upper box if you are classifying dat a and lower box if you are not classifying dat a.
Maxim um Risk Value ( wit h Classificat ions)
540
Overall Risk Percent age ( using Classificat ions)
35.56
Maxim um Risk Value ( wit hout Classificat ions)
360
Overall Risk Percent age ( not using Classificat ions)
53.33
Ta ble 1 - 2 . Ex a m ple Risk Ch e ck list W ha t Am I Pr ot e ct ing?
Risk Ex posu r e N u m be r
Cost
M it iga t ion
Cla ssifica t ion Cla ssifica t ion Va lu e
Hom e Banking Dat a
UPS or linecondit ioning device
Crit ical
Hom e Banking Dat a
Backups
Crit ical
I nsurance I nform at ion
Backups
I m port ant
Row Risk Va lu e
Ta ble 1 - 2 . Ex a m ple Risk Ch e ck list W ha t Am I Pr ot e ct ing?
M it iga t ion
Cla ssifica t ion Cla ssifica t ion Va lu e
I nsurance I nform at ion
Backups
I m port ant
Privat e E- m ail
Virus scanner
I m port ant
Privat e E- m ail
Firewall or secured em ail server
I m port ant
Logon I nform at ion t o Online Service( s)
Recoverable Replaceable t hrough t he online service
Com put er Syst em Logon I nform at ion
None
Crit ical
Tax or Financial Dat a
Backups
Crit ical
Credit Card I nform at ion
Fraud prot ect ion t hrough credit card com pany
I m port ant
Personal Dat a
None
Replaceable
Digit al Phot os or Movies Program Configurat ion I nform at ion E- m ail Addresses or Cont act I nform at ion Hom e Business I nform at ion Privat e Work
Risk Ex posu r e N u m be r
Cost
Row Risk Va lu e
Ta ble 1 - 2 . Ex a m ple Risk Ch e ck list W ha t Am I Pr ot e ct ing?
Risk Ex posu r e N u m be r
Cost
M it iga t ion
Cla ssifica t ion Cla ssifica t ion Va lu e
Dat a Used At Hom e I dent it y I nform at ion Overall Risk Value Num ber of Risks List ed Minim um Risk Value
Use upper box if you are classifying dat a and lower box if you are not classifying dat a.
Maxim um Risk Value ( wit h Classificat ions)
Overall Risk Percent age ( using Classificat ions)
Maxim um Risk Value ( wit hout Classificat ions)
Overall Risk Percent age ( not using Classificat ions)
Ta ble 1 - 3 . Risk N u m be r s a n d D e scr ipt ion s Risk N u m be r
Nam e
D e scr ipt ion
1
Power Surge/ Light ning St rike
Local power int errupt ion or surge causes hardware failure or dat a corrupt ion.
2
Nat ural Disast er
" Act of God" st uff: eart hquake, volcano, flood, t ornado.
3
Power Fluct uat ion Causing Dat a Corrupt ion
Power surges and changes can cause dat a corrupt ion wit hout causing syst em dam age.
4
Norm al Usage Hardware Failure
Moving part s fail, drives or fans st op spinning, and so on.
5
Cat ast rophic Hardware Failure
Unusual event such as syst em being dropped or hit by a car, dest roying dat a.
6
Soft ware Failure or Bug
Soft ware failure corrupt s or dest roys dat a.
7
Virus
Com put er or e- m ail virus alt ers or dest roys
Row Risk Va lu e
Ta ble 1 - 3 . Risk N u m be r s a n d D e scr ipt ion s Risk N u m be r
Nam e
D e scr ipt ion dat a.
8
Tam pering
Som eone changes dat a int ent ionally.
9
Malicious Dest ruct ion
Som eone dest roys dat a int ent ionally.
10
Hum an Error
Som eone accident ally changes or dest roys dat a.
11
Power I nt errupt ion
Short - or long- t erm power int errupt ion causes syst em s t o shut down abnorm ally or be unavailable.
How will t he risk checklist help you? You can use it t o assess your risk quickly. No syst em will be perfect for everyone, and underst anding t he it em s on t he checklist is far m ore im port ant t han assigning a " value" t o your overall risk. Get t ing a snapshot look at risk is useful, however, when you're deciding whet her t o spend m oney or t rying t o m ake t echnology choices. To t hat end, t urn t o t he blank checklist ( or m ake a copy) and follow t hese st eps t o get an overall pict ure of your risk. 1. For each ent ry on t he Risk Checklist , assign a Risk by nam e or num ber, an Exposure value ( 1–10) , and a Cost ( 1–10) . Describe any Mit igat ing Fact ors. I f you are classifying your dat a, add a Classificat ion in t he next colum n. 2. For each risk, add 2 if you classified it as Replaceable, 6 if I m port ant , and 10 if Crit ical. Place t hat value in t he Classificat ion Value colum n. 3. I n t he final colum n, t ot al t he exposure, cost , and classificat ion values for each risk. 4. Now t ot al all t he values for t he risks shown on t he list t o get your Overall Risk Value. 5. At t he bot t om of t he checklist , count t he Num ber of Risks you list ed and ent er t he num ber. 6. Calculat e t he Minim um Risk Value by m ult iplying t he num ber of risks by 4. 7. Calculat e t he Maxim um Risk Value by m ult iplying t he num ber of risks by 30 if you are using dat a classificat ion. I f you are not classifying your dat a, m ult iply by 20. 8. Now calculat e t he Overall Risk Percent age by dividing t he Overall Risk Value by t he Maxim um Risk Value and t hen m ult iplying by 100. ( Two boxes are shown, one for list ing t he value if you didn't classify your dat a and one if you did classify your dat a.) Now you should have a percent age value t hat represent s your overall risk. I f you are below 30 percent risk, you are in t he low range. From 31 percent t o 80 percent is a m oderat e risk range, and 81 percent t o 100 percent would be considered high risk range. This is a very sim ple syst em designed t o give a broad overview of your risk. I f you have several areas of dat a t hat qualify as Crit ical, you m ight choose t o secure
your syst em regardless of t he overall risk rat ing. The bot t om line is t hat t he decision is up t o you. This checklist t ool sim ply gives you a snapshot view. Now t hat you have a pict ure of your risk, you can begin t o m ake decisions about what securit y m easures are necessary t o prot ect your dat a. We'll now st art looking at securit y m easures you can use t o help achieve t he prot ect ion you'll need. I n Chapt er 2, I 'll discuss t he general securit y m easures and philosophies t hat are t he beginnings of a good securit y plan. Then I 'll t alk about users, groups, roles, and general concept s t hat will lay t he groundwork for m ore det ailed securit y discussions t hroughout t he book. But first , let 's look back in on John and Kat ie Sm it h and see how t hings are going.
Chapter 2. General Network Security John spent a good am ount of t im e building fences around his propert y and walls around t he nearby garden and anim al pens. Every couple of weeks in t he wint er and each week in t he sum m er t hat followed, John rode out t o t he fence and checked it all t he way around, repairing t he fence where needed and building im provem ent s as he could. He would som et im es be away from his fam ily for a couple of days while doing t his, but he knew t he fence was his first defense against wild anim als and predat ors. He couldn't afford t o let his guard down. John recognized t hat t he log fence wasn't enough, based on his experiences earlier in t he year. He also m aint ained t he coop for t he chickens and t he barn for t he livest ock, and everyone helped m aint ain and im prove t he st one wall on a regular basis. Aft er all, t hey knew a fox had got t en t hrough t he fence once, so it was likely t hat one would do it again. John wasn't t aking any chances, even pat ching t he wood in t he floor of t he chicken coop regularly t o help prot ect against sm all rodent s t hat m ight eat t he eggs. The Sm it hs quickly got int o a rout ine of m aint aining t he fence and wall and buildings and keeping t hem in good shape. John always rode t he fence line aft er a big st orm t o check it s condit ion and im m ediat ely repaired any dam age he found. The hom est ead was a fam ily affair. John knew he couldn't do it all alone, so each fam ily m em ber had chores t o do and responsibilit ies around t he farm . Kat ie pret t y m uch ran t hings in t he house while John was away—and som e would say even while he was t here, but t hat 's a different discussion—and she also supervised t he children's daily act ivit ies. Jennifer was older t han Carl, so she was allowed in t he chicken coop. Carl wasn't old enough t o handle t hat responsibly, so he was only allowed in t he barn and garden. Jennifer was also supposed t o ensure t hat Carl didn't leave t he barn doors open, but Carl was careful and t hat rarely happened. Som e days t he children t raded t he feeding or t he garden work, but only wit h Kat ie's approval. That way she could keep an eye on how t hings were going. There was one t hing t hat nobody except John was responsible for, and t hat was t ending t o John's horse, Dakot a. John always t ook care of Dakot a personally. He and t hat horse had been t hrough a lot of m iles
and hard t im es. This fam ily depended on t he healt h of Dakot a for so m any aspect s of survival t hat John m ade it clear he was t he only one allowed t o shoe Dakot a or t end t o him . No one was even t o ride Dakot a wit hout John's perm ission. By t he end of t he following sum m er, t he Sm it hs had a fine farm ( see Figure 2- 1) and a wonderful crop t o t ake int o t he closest t own and sell. I t would be a good wint er for t hem indeed, wit h plent y of food st ored, som e new clot hes and blanket s t o get t hrough t he wint er, and a few new neighbors m oving ont o propert ies nearby.
Figu r e 2 - 1 . D ia gr a m of t h e h om e st e a d
Security In-Depth, or Layered Security Once again let 's j um p back int o t he world of t he com put er and high t ech. What does all t he wall t alk have t o do wit h com put er securit y? I t is a good way t o visualize how com put er securit y should be set up. This concept is called layered securit y or securit y in- dept h, and Figure 2- 2 shows how t he hom est ead exam ple m aps t o a securit y exam ple. Sim ply st at ed, any securit y m easure you can build can event ually be broken or bypassed, so t o gain high securit y you need t o have m ult iple layers. This also ensures t hat as t echnology and t echniques change and evolve, a new weakness in one area of your securit y won't com prom ise t he whole syst em .
Figu r e 2 - 2 . D ia gr a m of la ye r e d se cu r it y
When it com es t o hom e securit y, t he layered- securit y concept is adm it t edly close t o overkill. How t ough does your hom e securit y need t o be? You probably det erm ined t hat answer in Chapt er 1, Assessing Risk, but let 's look at an exam ple of applying t his concept t o hom e securit y and see what can happen if hom e- com put er securit y is broken. Several years ago a Germ an hacking group m anaged t o figure out how t he program Quicken encrypt ed financial dat a. They also figured out which files t he program used for st oring account inform at ion and financial dat a such as bank balances, bill paym ent s, and so on. Using t his inform at ion, t hey m anaged t o find unsecured com put ers t hat were using t he online feat ures of Quicken and at t ack t hose syst em s t o get t he files from t arget syst em s. I n t his fashion t hey were able t o get bank account num bers and balances of several people's account s. The good news is t hat t hese guys were not m ot ivat ed t o st eal t he account s or t he m oney, but inst ead used t his act ivit y t o show how insecure t he program and com put ing pract ices were at t hat t im e. I t is im port ant t o not e t hat t he m akers of Quicken ( I nt uit ) responded quickly and correct ed t he program and online feat ures of Quicken so t his exploit would not work again. The hom e users, on t he ot her hand, probably didn't know how t o correct t heir syst em securit y or didn't know t hey needed t o, so t hose holes st ill exist ed on som e syst em s aft er t he pat ch was available. I f you're a current user of Quicken, don't worry—I nt uit correct ed t his hole long ago. You'd only st ill be exposed if you are using a version t hat is m ore t han six years old ( probably not t he case for anyone) .
As you can see, a lack of good hom e securit y has consequences. Let 's look at how securit y in- dept h would have helped in t he Quicken sit uat ion. First off, t he Quicken program m ade use of encrypt ion and obfuscat ion t o provide securit y. Obfuscat ion is not real securit y—it m eans t he dat a is hidden or placed in " out of t he way" locat ions, which only st ops an ext rem ely novice hacker. I f t he hackers hadn't had access t o t he files t hat st ored crit ical dat a ( t hose files could be st ored on servers or t he dat a could be request ed at each use) , t hey never would have been able t o crack t he encrypt ion schem e. The encrypt ion t hat Quicken used wasn't very st rong but probably was st rong enough when it was writ t en int o t he program . As t im e passed and t he PC revolut ion cont inued, t he average com put er becam e significant ly m ore powerful and t he t im e required t o crack encrypt ion m uch less. One layer of securit y—applicat ion securit y pat ches—was not available or applied t o correct t he need for st ronger encrypt ion as t im e passed. I f t he encrypt ion had been harder t o crack or updat ed m ore recent ly, t he hackers could not have cracked t he encrypt ion and t he problem would have been avoided. ( We'll t alk m ore about encrypt ion and what is " st rong enough" lat er in t his chapt er.) Aft er cracking t he encrypt ion, t he hackers needed t o gat her files, so t hey built Web pages wit h special code t hat collect ed t he files t hey needed from t he m achines of Webpage users. I f t he user's m achines had been secured properly by t he m anufact urer or t he user, t he hackers would have been denied access t o t he files and never had t he chance t o crack t hem , even aft er t hey cracked t he encrypt ion. ( We'll t alk about how t o secure your syst em in Chapt er 3, Securing Your Com put er, and Chapt er 4, Securing Your Servers.) As you can see from t his very sim ple analysis, t he hackers had t o penet rat e t hree layers of securit y t o get t he inform at ion t hey were aft er. First t hey m anaged t o break t he encrypt ion; second, t hey found where t he sensit ive dat a was st ored; and t hird, t hey gained access t o t he user's syst em s t o get t he files t hey want ed. The am azing part is t hat t hey m anaged t o do it . I f even one of t hose layers had been closed off, t hey m ight have failed. Or, if t hey kept t rying, t hey m ight have found a different securit y hole and st ill m anaged t o get in.
Grant All versus Deny All For allowing users perm ission t o do t hings on your com put er syst em , t wo m odels are com m only used. One is Grant All, Deny Explicit and t he ot her is Deny All, Grant Explicit . As you can probably guess from t heir nam es, t hey are opposit e ends of t he sam e spect rum for grant ing perm issions. Grant All works on t he assum pt ion t hat you grant everyone all perm issions by default and deny only cert ain known perm issions t o known users. The Deny All m odel t akes t he opposit e approach, in which you grant no perm issions t o anyone except t he ones you explicit ly decide are okay. The second m et hod is com m only accept ed t o be vastly superior for syst em s requiring high securit y, but how do t hese apply t o hom e users? Rem em ber t hat t hese decisions are based ent irely on t wo fact ors: your risk of being exposed ( as det erm ined in Chapt er 1) and how usable and m anageable you want your syst em t o be. A m ore secure syst em generally requires m ore work t o m anage and m aint ain. You should include t hat fact or in your decisions about securit y, because you do not want t o secure your syst em t o t he point t hat it becom es unusable or unm anageable. I n a Grant All m odel, all users have perm ission t o do all t hings unless you choose t o deny t hem a part icular right . This m odel is risky because any securit y hole or exposure t hat you don't know about isn't covered and t herefore will exist in t he syst em unt il you becom e aware of it and fix it . I t is, however, a m ore usable syst em
and requires less m aint enance of t he securit y set t ings. You also don't have t o know ahead of t im e what your users will be doing on t he syst em . They will t ypically have perm ission by default t o do what ever t hey want , but t his can lead t o t rouble. Users will be able t o do t hings you didn't ant icipat e, including accident al or int ent ional alt erat ion of dat a or syst em set t ings, changing of set t ings, and accessing of m ost files, including t hose used by t he operat ing syst em . Usually t his isn't a big deal. Users of hom e syst em s aren't going t o int ent ionally alt er or dest roy t he dat a t hey own; however, t hey m ight accident ally do so—som et im es wit hout even realizing it . By rest rict ing som e perm issions t o syst em files and im port ant dat a, you can prot ect t hose files so t hey can't be alt ered by anyone who isn't aut horized t o do so. Conversely, t he Deny All m odel assum es t hat select ed act ivit ies are approved on a syst em and t he rest are not approved. This m odel is used in high- securit y syst em s because Adm inist rat ors know exact ly what is allowed and what is not . They can assum e t hat t hings t hey don't know about or didn't predict are not allowed and t herefore prot ect ed against . The t rut h is t hat som e t hings can st ill be problem s, but by and large t his m odel works well. The biggest difficult y wit h t he Deny All m odel is t he am ount of adm inist rat ive overhead required t o m aint ain t he high securit y level. You have t o keep up on pat ches, operat ing syst em service packs, applicat ion updat es, and securit y developm ent s. ( I t alk about t hese t asks m ore t hrough t he rest of t he book.) Again t he decision about what is bet t er for your hom e syst em com es down t o t he am ount of t im e and effort you feel is appropriat e for t he level of securit y you need. Let 's look at an exam ple from t he Risk Checklist in Chapt er 1 t o get an idea of how t his works. Consider t he risk Hum an Error on Hom e Banking Dat a. Assum e t hat your hom e banking program st ores som e of it s dat a on your local hard drive—not your account inform at ion but program - specific inform at ion t hat enables you t o pay bills online. I n t he t ypical household, t here are m ult iple users on a single com put er. I n a Grant All m odel, you would have t o explicit ly deny perm issions t o change or delet e t hat st ored dat a for t he people who should not be doing t hose t hings. Presum ably t he parent s would be able t o change and access t he dat a, and t he children wouldn't . Ot herwise, your Hum an Error risk goes up because anyone using t he com put er could change or delet e t he dat a m ist akenly, not knowing how im port ant it was. I n t he Deny All m odel, no one could change or delet e t hat st ored dat a, because t he perm issions would prohibit it unless you specifically grant perm ission t o som eone. I 'll get int o t he subj ect of grant ing perm issions lat er, but it is im port ant t o point out t hat if you rem ove t he perm issions on a file or direct ory or Deny Access t o everyone, t hat change will affect you, t oo, and you m ight not be able t o access t he dat a. A good idea is t o grant perm issions t o yourself explicit ly ( assum ing you are t he Adm inist rat or or Owner of t he syst em ) so you can correct any m ist akes you m ight m ake when you're adj ust ing perm issions.
Encryption or Clear Encrypt ion can be described rat her sim ply as encoding or obscuring dat a so t hat only t he int ended recipient or holder of cert ain inform at ion can read it . The pract ice of encrypt ion is a bit harder, requiring cert ain m at h operat ions t hat are easy t o do one way but not easily reversed and t hen using som e special propert ies of t hose operat ions so we can put dat a in and ret rieve it lat er. That sounds a bit com plicat ed, so let 's look at a sim pler exam ple. Squaring a num ber is an operat ion t hat m any people consider rat her easy, but t aking a square root of a num ber is considered
hard. Most people can square j ust about any num ber, even wit hout com put ers and calculat ors, but t he sam e group of people would be challenged t o solve any but t he easiest square root problem s. That is how encrypt ion operat es. Squaring 12 is easy, result ing in 144. However, if you ask som eone t o t ell you what num bers you m ult iplied t oget her t o get 144, t hey would have t o guess. The possible answers are 1 and 144, 2 and 72, 3 and 48, 4 and 36, 6 and 24, 8 and 18, and 12 and 12. You lit erally have t o t ry every com binat ion of num bers t hat could result in t he t arget and see if t he com binat ion result s in t he correct answer. Now im agine t hat t he t arget num ber you are t rying t o break is 24,514,637,765,345,777,254,910,164. Guessing which num bers were used t o get t hat result would be a long process. Not ice I said long—not im possible.
Determining "Strong Enough" and Moore's Law
When you t alk about encrypt ion, one quest ion t hat is bound t o com e up is " How st rong is st rong enough?" The answer isn't easy. St rong enough for what ? A bet t er way t o view encrypt ion st rengt h is t o look at what you are prot ect ing. I f t he dat a life ( defined as t he lengt h of t im e t he dat a is useful or valuable) is significant ly short er t han t he t im e it t akes t o crack t he encrypt ion, it is st rong enough. I f t he dat a life is longer t han t he cracking t im e, t he encrypt ion isn't st rong enough. Let 's t alk num bers. Current ly t he accept ed st andard in encrypt ion key st rengt h seem s t o be 128–256 bit s. That m eans t hat various indust ries and governm ent agencies have det erm ined 128–256 bit s t o be t he " right " st rengt h for t hem , and t hey recom m end t his t o ot hers. The st rengt h is derived from t wo m ain fact ors, t he algorit hm used ( i.e., RSA, BlowFish, DES, 3DES) and t he key lengt h. The algorit hm is t he com plex m at h operat ion, and t he key st rengt h is t he random ness. A very long key on a weak algorit hm m ight not be as secure as a short er key on a bet t er algorit hm . Most Secure Socket s Layer ( SSL) com m unicat ions used in Web browsing are 128- or 256bit st rengt h, depending on your browser version. You m ight be wondering " What does 128- or 256- bit st rengt h m ean?" That m eans t he key uses 128 or 256 pieces of dat a t o help random ize t he encrypt ion. This is kind of like t he ridges and valleys on t he keys t o your house or car. Those ridges m ake t he key unique, despit e t he fact t hat m ost house keys and car keys are shaped sim ilarly. Encrypt ion is t he sam e way. We all use t he sam e basic concept s, and using t he sam e program or st yle of encrypt ion is like having t he sam e m ake and m odel of car. But t he ridges on t he key m ake m y key unique t o m e and yours t o you. Encrypt ion perform s t he sam e funct ion. One last t hing about encrypt ion. A concept called Moore's Law, in it s original form , st at es t hat t he num ber of t ransist ors per int egrat ed circuit would double every 18 m ont hs. That m eans t hat every 18 m ont hs, com put ers would double in power. Since Gordon Moore's[ 1] init ial observat ion in 1965, t his has indeed been t he case. I t s significance here is t hat because of Moore's Law, encrypt ion also get s t wice as easy t o break every 18 m ont hs. Encrypt ion is based on really hard m at h, and t he Cent ral Processing Unit ( CPU) power det erm ines how fast t hose m at h operat ions can be carried out . More CPU power m eans a bet t er chance of breaking encrypt ion quickly. This is also why folks who have ext rem ely powerful com put ers are m ore likely t o be
able t o crack harder encrypt ion. When you are planning your encrypt ion st rengt h, rem em ber you will need t o review and adj ust it every 18 m ont hs or it will soon be t oo weak. [ 1]
Co- founder of I nt el
Encrypt ion also depends on relat ive securit y rat her t han absolut e securit y. Encrypt ed dat a can always be cracked, given enough t im e and/ or enough processing power. Encrypt ion doesn't st rive t o be unbreakable, t herefore, but rat her st rives t o be so difficult t hat t he dat a is useless by t he t im e it could be recovered. I f t he dat a can't be cracked in t he span of 10 hum an lifet im es, you can reasonably assum e it is secure. For exam ple, if t he encrypt ion used t o prot ect credit card num bers for a large e- com m erce com pany is prot ect ing inform at ion t hat is good unt il 2006 ( t he last expirat ion dat e in t he dat a) and it would t ake 256 billion guesses t o find t he right key, t hat sounds pret t y secure. But at a m illion operat ions per second, you'd guess t he right key in 256,000 seconds— only about 72 hours. However, if t he num ber of guesses required is 256 billion billion, you'd change t he crack t im e t o j ust over 8 m illion years. That would likely be considered safe. Why is encrypt ion a big deal? Why do we use it if it can be broken? That 's like asking why people send let t ers inst ead of post cards. When people want som et hing t o be privat e, m ost people want t o t ake reasonable precaut ions against som eone ot her t han t he int ended recipient reading t he inform at ion. Does t hat paper envelope really st op som eone from get t ing in? No, of course not . But if som eone does read t he let t er, it is because t hey m ade t he effort t o do so, not because t he inform at ion wasn't prot ect ed. Anyone can read t he dat a on a post card wit hout t rying very hard and m ight even do so by m ist ake. Encrypt ion provides a sim ilar ( grant ed m uch st ronger) way of achieving privacy in t he digit al world. Wit h encrypt ion properly used, you can be reasonably sure t hat only t he int ended recipient is able t o read t he inform at ion. All ot hers who m ight see t he dat a will see a st ring of charact ers t hat do not m ake sense. When we discuss encrypt ion, t he t opic of keys com es up quickly, so let 's look at t hat for a bit . An encrypt ion syst em is one t hat predict ably changes dat a so t hat it can be predict ably unchanged t o get back t he original form . But wait a second. I f t he syst em is predict able and everyone knows how it 's done, wouldn't it be easy for everyone t o decrypt all dat a t hat uses t he sam e syst em ? Yes, but . . . By using keys, we can add a t wist t o t he predict abilit y so t hat it is t ailored t o t he individual person or m achine using it . This m eans encrypt ion syst em s can be used by a large group of people while not com prom ising t he int egrit y of t he syst em . Keys can be random ly generat ed st rings of charact ers st ored on t he local m achine, a pair of Public and Privat e Keys generat ed by t he program one t im e, or digit al cert ificat es generat ed and st ored by a t hird- part y vendor or syst em . From a securit y perspect ive, t hese keys are crit ical. You should prot ect t hem t he way you prot ect t he keys t o your house or your car. Wit hout keys, it is not im possible t o break int o your car and st eal it , but it is hard. Wit h t he keys, st ealing your car is very easy. The sam e is t rue wit h digit al keys. Wit hout t hem , a pot ent ial dat a t hief has a very hard t im e get t ing t o your dat a. But if som eone has access t o your encrypt ion keys, all benefit s of t he encrypt ion are lost and t hat person can recover any dat a t hat used t hose keys in t he first place.
Defining Access and Rights Most hom e com put er syst em s have been built and shipped assum ing t hat no securit y will be used. That was sufficient unt il t he advent of t he I nt ernet and t he increase in use of always- on connect ions such as xDSL and cable m odem s. These always- on connect ions can be locat ed m ore easily by hackers, because t hey have relat ively predict able and st able addresses—m eaning eit her a st at ic address or one from a sm all pool of cont iguous addresses. I f your address is st at ic, you only have t o be found once; if it is dynam ically assigned, you have t o be found each t im e but oft en from a sm all, known collect ion of addresses. Once you are found by address, t he cracker or hacker can begin probing for inform at ion or at t acking your syst em . That is why as you connect t o m ore syst em s, your need for securit y rises as well. One of t he core ways t o achieve securit y is t o allow or rest rict access t o files or direct ories and do t he sam e wit h cert ain act ivit ies t hat can be perform ed by users of t he syst em . Wit h such rest rict ions, a syst em owner or Adm inist rat or can get an idea of who is or is not doing t hings on t heir syst em . More im port ant , t he Adm inist rat or can cont rol who can do t hese t hings. The nam e for t his concept is Access Cont rol. The t erm s User Right s and User Privileges describe who is allowed t o do cert ain t asks on t he syst em . Right s and Privileges define what you as a user can and can't do, see, read, and alt er. Please not e t hat som e securit y resources dist inguish bet ween a User Right and a User Privilege. For t he purposes of t his book, " User Privilege" covers bot h Right s and Privileges. Access t o a file or direct ory is cont rolled t hrough t he use of Access Cont rol List s ( ACLs) . An ACL is essent ially a list of usernam es t hat have perm ission t o access a file or direct ory and a list of perm issions t hey have been grant ed or denied. The ACL is st ored in t he file syst em . When a user m akes a request t o get access, t he ACL is checked t o det erm ine if t he correct perm issions are present before allowing access. I n advanced discussions you m ight see references t o DACL ( Discret ionary or User Defined ACL) or SACL ( Syst em Defined ACL) , but t hese are sim ply special t ypes of ACL.
Users and Their Roles A user is som eone who will access t he com put er or it s resources. Sounds sim ple, but what does t hat really m ean? I t m eans t hat som ewhere is a list of nam es and passwords ( and usually several ot her pieces of dat a) , and each ent ry on t he list defines a user t o t he com put er. A user in t he com put er sense isn't t he person who is sit t ing at t he keyboard but a nam e and password used t o ident ify what will be allowed. The com put er cannot m ake any dist inct ion bet ween t wo people who log on wit h t he sam e usernam e and password. The reason we can m ake assum pt ions about a person m at ching a usernam e on t he com put er is t hat t he only one who usually knows t he password associat ed wit h a part icular usernam e is t he person who is allowed t o use t he usernam e. I f t he person gives t hat password t o anyone else, t he com put er can m ake no dist inct ion t hat som eone else has logged on t o t he com put er. I f you need t o assign different perm ission levels or access levels, you cannot share passwords or account s wit h people who need different access. Everyone who uses t he com put er will use it for different purposes. Word processing, Web access, e- m ail, chat , gam es, hom ework, and research are j ust som e of t he
t hings you or your fam ily m em bers m ight do on your com put er. Yet even t hough we all use t he com put er slight ly different ly, som e users can be grouped t oget her int o roles for easier adm inist rat ion. A role is a group of access and/ or privileges t hat defines how a user is allowed t o use t he syst em . For exam ple, one role m ight be Gam e Player, and t his role would have access t o t he gam es direct ory and t he abilit y t o change files in t hat direct ory for saving or delet ing gam es. They m ight also be denied perm ission t o open or change any files in t he hom e- banking direct ory. Hom eBanking Users m ight have a different set of perm issions or be allowed t o use different program s and could even be allowed t o play t he gam es. You can decide how you want t o set t his up. For t he t ypical hom e, I 'd guess t hree roles are defined already. Adm inist rat or/ Owner, User, and Everyone Else. These roles easily encapsulat e all t he t ypical differences t hat need t o be t racked for hom e users. The Everyone Else role is represent ed by t he Everyone group and is anyone in t he world who m ight access t he com put er over t he I nt ernet and every user on t he syst em . Because m ost hom e users are not securit y expert s, I 'm guessing t his is also set t o t he default set t ing shipped wit h t he operat ing syst em . Users are t he act ual people who use t he syst em on a regular basis— probably parent s and kids, wit h m aybe som e friends or ext ended fam ily in t here t oo. Finally, t he Adm inist rat or/ Owner role is t he person who act ually configures t he syst em , set s t he rules for it s use, and would be t he one t o define m ore roles or perm issions as t hey are needed. This usually equat es t o one or bot h parent s in t he household. Of course, you can have as m any roles as you see fit , but each one should be a unique grouping of perm issions. Rem em ber, t oo, t hat m ore roles oft en m eans m ore m aint enance of your securit y st ruct ures, so use t he Keep I t Sim ple rule as best as you can. Because Windows 9x and Windows ME are ext rem ely lim it ed in t heir abilit y t o cont rol and m anage users, Chapt er 2 is prim arily about Windows NT and Windows 2000. Win9x users can get t hird- part y product s t o achieve t he sam e result s as WinNT users. Users on a Windows 9x hom e com put er usually are not prom pt ed for a user nam e or password, or t hey share a com m on one. The Windows 9x and ME series do not have full ACL awareness, so you cannot lock down t he file syst em wit h- out t hirdpart y help. You can apply securit y t o shared direct ories, but we'll t alk m ore about t hat in j ust a bit .
Who Is the Boss? Granting Administrator Privileges
As you can see from t he discussion in t his chapt er, t he Adm inist rat or is a powerful user. The Adm inist rat or is grant ed a large am ount of privileges by default and usually needs t hat aut horit y t o inst all soft ware or hardware or configure t he syst em for proper use. But som e nat ural securit y concerns arise from using t his account . For pract ical purposes, unless you change t hings from t he default set t ings, t he Adm inist rat or can do m ost anyt hing on t he syst em . The reason for t his is sim ple: Adm inist rat ors are able t o change perm issions on files and folders, grant user right s, and inst all soft ware or hardware. By doing t hese t hings, t hey can t ake cont rol of syst em s wit h relat ive ease. That is why anyone wit h Adm inist rat or privileges should be t rust ed, and not everyone who uses t he syst em should have Adm inist rat or
privileges. As you m ight have already guessed, one of t he highest goals of hackers and crackers is t o gain adm inist rat ive access t o a syst em . I f t hey can do t his, t hey can inst all Troj an- horse soft ware ( see Chapt er 9) , add user account s t o be used lat er, or sim ply dest roy t he syst em and it s dat a. You need t o know who is supposed t o be an Adm inist rat or and check on occasion t hat no one else has gained Adm inist rat or privileges. One ot her t hing should be m ent ioned. I f your securit y risk profile cam e out above 50 percent risk, I highly recom m end t hat your Adm inist rat or account should be separat e from your day- t o- day user account . This prevent s accident al problem s, but it also reduces t he am ount of exposure you have on a daily basis by reducing t he perm ission level at which soft ware execut ed by you will run. This m eans m acro viruses, e- m ail script s, and Troj an horses will probably not have perm ission t o do t he really bad st uff t o your syst em , because you won't be on a privileged account . This one st ep alone can save you hours of headache if you visit lot s of unt rust wort hy Web sit es or t hink you m ight be at risk of an at t ack. Windows 9x and ME users t ake not e: Because of t he lack of ACLs on t hese operat ing syst em s, every user is essent ially an Adm inist rat or for t he purposes of file and direct ory access or user right s—t he equivalent of set t ing t he Everyone group t o Full Cont rol on all files and direct ories. This isn't necessarily bad if you are at low risk anyway, but if you rat ed yourself at t he high side of Moderat e Risk or at High Risk, consider swit ching t o Windows 2000 for it s securit y feat ures.
Grouping Users Now t hat you have users on your syst em , you'll need t o do som e m anagem ent t o get t hem set up correct ly. One m echanism for t hat t ask is t he group. A group is exact ly what it sounds like: a collect ion of users who have som e sim ilarit ies. I n t his case t he sim ilarit ies are eit her perm issions on files and direct ories or privileges grant ed, or bot h. This is effect ive because a user get s all t he perm issions grant ed t o t he groups in which t he user is a m em ber. By using t he roles of t he users, you can creat e groups and apply perm issions t o t he groups rat her t han t o t he individual users. This is a role- based access m odel. For sm all num bers of users, building groups and adding only one user m ight seem silly, and for hom e users I agree t hat building a role- based access m odel isn't required. However, if you own a sm all business or do work from hom e, you m ight want t o build som e groups t o m anage who get s access t o what , j ust so it 's easy t o m aint ain lat er. I t is also som et im es helpful when set t ing perm issions t o have a group called Hom eUsers t o which you can apply perm issions and t hat cont ains all t he Users of your hom e syst em but not t he Everyone Else group. This way you can easily apply perm issions t o Users wit hout t he exposure of grant ing t he sam e access t o everyone on t he I nt ernet as well. I n Windows NT 4.0, you can set up a Hom eUsers group by accessing t he User Manager applicat ion in t he Adm inist rat ive Tools m enu select ion. I n Windows 2000, you access t his funct ionalit y by going t o t he Adm inist rat ive Tools applet in t he Cont rol Panel, choosing t he Com put er Managem ent applet , and finding t he Local Users and Groups under Syst em Tools ( as shown in Figures 2- 3, 2- 4, and 2- 5) .
Figu r e 2 - 3 . Fin din g t h e Con t r ol Pa n e l
Figu r e 2 - 4 . Fin din g t h e Com pu t e r M a n a ge m e n t a pple t
Figu r e 2 - 5 . M a n a gin g u se r s a n d gr ou ps
Win9x and WinME syst em s do not direct ly support users or groups, so t hese operat ing syst em s do not have t his funct ionalit y. I f t hese com put ers are m em bers of a net work wit h a WinNT or Win2k server, t hey can use t he users and groups from t he server effect ively, but t hey sim ply can't t rack t hat dat a on t heir own.
Providing File and Directory Access One of t he m ost basic and crit ical pieces of securit y for a com put er syst em is t he grant ing of access t o files and direct ories. The dat a you use, t he program s you run, and indeed t he operat ing syst em it self are all st ored in files and direct ories. Unless t hese obj ect s are secure, t he rest of your syst em securit y is in j eopardy. When set properly, file and direct ory perm issions are t he cornerst one of t he syst em 's securit y. You m ust m ake a lot of decisions when you t hink about set t ing perm issions on files and direct ories, but first we should t alk about what perm issions can be set and what t hey m ean. Following is a list of file perm issions and t heir definit ions. •
• • • • •
• • •
• • • •
Tr a ve r se Folde r / Ex e cu t e File : Allows running of execut able files and referring t o ot her files in t he current direct ory List Folde r / Re a d D a t a : Allows reading of file or folder cont ent s Re a d At t r ibu t e s: Allows reading of file at t ribut es Re a d Ex t e n de d At t r ibu t e s: Allows reading of ext ended file at t ribut es Cr e a t e File s/ W r it e D a t a : Allows writ e access t o files and folders Cr e a t e Folde r s/ Appe n d D a t a : Allows folder creat ion and append access t o files W r it e At t r ibu t e s: Allows writ ing of at t ribut es W r it e Ex t e n de d At t r ibu t e s: Allows writ ing of ext ended at t ribut es D e le t e Su bfolde r s a nd File s: Allows delet ion of child folders and files ( files in subdirect ories or subfolders) D e le t e : Allows delet ion of files or folders Re a d Pe r m ission s: Allows reading of t he Access Cont rol List ( ACL) Ch a n ge Pe r m ission : Allows changing of t he ACL on files or folders Ta k e Ow ne r sh ip: Allows t aking of ownership of files or folders
Special Permissions Groupings for Files Special groups of perm issions are built int o Windows 2000 t o sim plify som e of t he t ask of grant ing perm issions t o files. Here is a list of t hese special perm ission groups: •
•
•
•
•
Fu ll Con t r ol: As can be guessed, t his allows t he user or group all perm issions t o t he file. M odify: Allows all perm issions except Delet e Subfolders and Files, Change Perm issions, and Take Ownership. Re a d a nd Ex e cu t e : Allows Traverse Folder/ Execut e File, List Folder Read Dat a, Read At t ribut es, Read Ext ended At t ribut es, and Read Perm issions. Re a d: Allows List Folder Read Dat a, Read At t ribut es, Read Ext ended At t ribut es, and Read Perm issions. W r it e : Allows Creat e Files/ Writ e Dat a, Creat e Folders/ Append Dat a, Writ e At t ribut es, and Writ e Ext ended At t ribut es.
Directory Permissions The sam e perm issions can be given t o direct ories as t o files and are shown in t he preceding File Perm issions sect ion. Where t he direct ory and file perm issions are slight ly different , t he behavior for each is list ed. For exam ple, one perm ission is Traverse Folder/ Execut e File. Because you can execut e files only and t raverse direct ories only, t he perm ission is list ed wit h bot h and t he direct ory perm ission is list ed first . The ot her perm issions follow t he sam e form at . They are eit her exact ly t he sam e ( one it em list ed) , or t hey differ slight ly and are separat ed by a slash m ark.
Special Permissions Groupings for Directories Special groups of perm issions are built int o Windows 2000 t o sim plify som e of t he t ask of grant ing perm issions t o direct ories. Here is a list of t hese special perm ission groups: •
•
•
• •
•
Fu ll Con t r ol: Just as for files, t his allows t he user or group all perm issions t o t he direct ory. M odify: Allows all perm issions except Delet e Subfolders and Files, Change Perm issions, and Take Ownership. Re a d a nd Ex e cu t e : Allows Traverse Folder/ Execut e File, List Folder/ Read Dat a, Read At t ribut es, Read Ext ended At t ribut es, and Read Perm issions. List Folde r Con t e n t s: Sam e perm issions as Read and Execut e. Re a d: Allows List Folder Read Dat a, Read At t ribut es, Read Ext ended At t ribut es, and Read Perm issions. W r it e : Allows Creat e Files/ Writ e Dat a, Creat e Folders/ Append Dat a, Writ e At t ribut es, and Writ e Ext ended At t ribut es.
Now t hat you see what can be set , let 's t ake a look at som e general rules for set t ing perm issions. Following is a list of general rules you can use t o help you set your perm issions properly. Please rem em ber t hese rules are built t o be som ewhat generic. Adding som e of your own is not only encouraged but probably necessary t o achieve t he desired securit y level.
•
•
• •
•
The biggest t ip I can give t o you is t o writ e down t he changes you m ake. I nclude t he old set t ing and t he new set t ing, as well as t he file or direct ory affect ed. I can't st ress st rongly enough how m uch t im e t his will save if you find you have m ade a m ist ake and som et hing doesn't work as expect ed. Maint ain t his list for a few days aft er m aking changes so you can det erm ine if t he change had any unint ended effect s. Make only a sm all num ber of securit y changes at any one t im e; t hen wait and use t he syst em t o assess im pact s before m aking furt her changes. This sim plifies t he t roubleshoot ing and helps you get a clear pict ure of what program s and operat ing syst em funct ions use t he files or direct ories you are changing. I f m ist akes occur, you can easily correct t hem because you know what you changed and t he volum e of changes is not large. Be ve r y ca u t iou s when changing operat ing syst em files or direct ories. What files and direct ories are used by what program s is usually not int uit ive, so changes t o syst em direct ories can have unint ended effect s. I f possible, st ore your dat a on a separat e drive or drive part it ion from your applicat ions. This m akes securing t he dat a easier, because you don't have t o worry about applying t he securit y t o bot h program files and dat a. This t echnique also helps great ly when you're upgrading your com put er or doing backup and recovery of syst em s. Typically, dat a is m ore secured t han t he applicat ions t hat use it . Windows operat ing syst em s have st art ed using t he Program Files and My Docum ent s folders as a st andard, which helps encourage t his separat ion. I f you have det erm ined t he general securit y m odel you want t o use ( Grant All or Deny All) , you can begin t o apply t he securit y t o support t hat m odel. I f you are using t he Grant All m odel, you need t o det erm ine what access you want t o explicit ly deny. This m ight be rest rict ing access t o financial program direct ories or dat a or rest rict ing access t o personal dat a. I f you have select ed t he Deny All m odel, you should rest rict access t o m ost direct ories and t hen grant access t o ones t hat need t o be opened a bit m ore.
I will m ake som e furt her recom m endat ions on what files and direct ories need t o be secured in Chapt ers 3 and 4.
Granting Privileges I n several operat ing syst em s—Windows 9x and Windows ME, in part icular—t here are no privileges t o be grant ed t o users. However, Windows NT and Windows 2000 provide a list of user privileges t hat can be grant ed explicit ly t o users. Som e of t hese privileges are also grant ed t o groups or users by default . So what is a privilege and why should you care? Privileges are act ions som eone can t ake while using t he syst em , and t he abilit y t o cont rol privileges is crucial t o securing an operat ing syst em . Even if you j ust leave privileges at t he default , it 's helpful t o know t hat you can cont rol t hem if necessary. I f you are using Windows 9x or ME, you can skip ahead a bit t o t he sect ion about denying access. I f you are using Windows 2000 or Windows NT, t he following sect ion applies t o you. I f you are using Macint osh, Linux, Unix, or anot her non- Microsoft operat ing syst em , you m ight wish t o read t hrough t his sect ion, but t he nam es of right s and services m ight be different or not present , depending on your OS. I 'll leave it t o t he users of t hose syst em s t o decide what applies t o you and what does not .
N OTE Som e of t he following cont ent is a bit t echnical in nat ure. I f you do not want t o get involved in t echnical discussions, skip ahead t o "Denying Access" and com e back t o t his sect ion lat er.
Domain versus Workgroup
Windows has t wo m ain ways of grouping net worked com put ers: t he Workgroup and t he Dom ain. A Workgroup is sim ply a group of com put ers on t he sam e net work t hat can share dat a, print ers, and such wit h each ot her. A Dom ain is also a collect ion of com put ers, print ers, and such t hat share dat a wit h each ot her, but a Dom ain has a cent rally cont rolled Account Dat abase t o keep t rack of users and perm issions. That usually m eans t hat a WinNT or Win2k server is t here som ewhere. A Workgroup is j ust fine for m ost hom e net works, but Dom ains t end t o be m ore secure. I f you are a sm all- business or hom e user wit h t he need and resources t o put up a server, I recom m end a Dom ain. Following is a list of User Right s t hat can be assigned in Windows NT and Windows 2000 syst em s, wit h suggest ions for who should have t hem . As always, t his is subj ect t o how you use your syst em and your needed securit y level, but it 's a good place t o st art . •
• •
• •
Act a s pa r t of t h e ope r a t ing syst e m : Allows a process t o perform as a secure, t rust ed part of t he operat ing syst em . Som e subsyst em s are grant ed t his right . I t is not grant ed t o any user or group by default . Sounds com plex, but in essence all t his m eans is t hat t he user or applicat ion wit h t his right will be " t rust ed" by t he OS and can do pract ically anyt hing on t he com put er wit hout being denied access. This is a very powerful user right and should not be grant ed t o any user— and only rarely t o applicat ions and services. Add w or k st a t ion s t o t h e dom a in : Allows a user t o add workst at ions t o a part icular Windows NT dom ain. This right is m eaningful only on dom ain cont rollers, so you probably will not have t o worry about it . Not grant ed t o any user by default ; however, any Adm inist rat or of t he dom ain cont roller can perform t his act ivit y by default . Ba ck up file s a nd dir e ct or ie s: Allows a user t o back up files and direct ories. This right supersedes file and direct ory perm issions but provides Read access only. Grant ed t o t he Adm inist rat ors, Backup Operat ors, and Server Operat ors groups. This right not norm ally used in Workst at ion environm ent s.
•
•
•
•
•
•
•
Bypa ss t r a ve r se ch e ck in g: Allow s a user t o change direct ories and access files and subdirect ories even if t he user has no perm ission t o access parent direct ories. Grant ed t o t he Everyone group by default . This essent ially m eans t hat wit h t his right you can m ove direct ly t o t he file or folder you want t o access. I f you do not have t his right , you m ust have access t o all direct ories you pass t hrough t o get t o t he t arget or you will be denied access. Ch a n ge t he syst e m t im e : Allows a user t o set t he t im e for t he int ernal clock. Grant ed t o Adm inist rat ors and Power Users on workst at ion syst em s and t o Adm inist rat ors and Server Operat ors in server environm ent s. Yup, j ust like it sounds, t his allows users t o set t he t im e. Sounds t rivial—and for m ost people it is—but very im port ant in St ock Trading and Financial areas. I recom m end no change for hom e users. Cr e a t e a pa ge file : Allows a user t o creat e new pagefiles for virt ual m em ory swapping. Norm ally grant ed only t o Adm inist rat ors. Sounds com plex, so let 's t ake a closer look. Virt ual m em ory is a syst em used t o m ake applicat ions " t hink" t here is m ore m em ory available t han t here act ually is. The OS det erm ines what part s of t he m em ory ( also known as RAM) are not being used and t em porarily saves t hose sect ions t o t he hard drive in a " swap file," so nam ed because t he OS is always swapping dat a in and out of t he file as applicat ions use it or leave it alone. This m em ory swapping happens in unit s called " pages." Cr e a t e a t ok e n obj e ct : Allows a process t o creat e access t okens. Only t he Local Securit y Aut horit y can do t his. This very privileged operat ion is not grant ed t o any user or group by default . This user right allows t he creat ion of t okens. Can it help get m e on t he subway? Well no, but t he idea is sim ilar. When anyone logs ont o t he syst em , Windows creat es a t oken obj ect t hat cont ains all t he securit y perm issions for t hat user. When t he user t ries t o access any file or folder or direct ory, t he OS checks t his t oken against t he ACL on t he file, folder, or direct ory being accessed. I f t he t oken cont ains t he right or privilege being request ed, t he user get s t o do her t hing. I f not , t he user receives a Denied Access m essage. Cr e a t e pe r m a n e n t sha r e d obj e ct s: Allows a user t o creat e special perm anent obj ect s, such as \ \ Device, t hat are used wit hin WinNT. Not grant ed t o any user or group by default . The det ails of t his are really beyond t he scope of t his book. Briefly, a perm anent shared obj ect is a low- level OS obj ect used by applicat ions. This user right is not oft en used by anyone ot her t han developers of soft ware. D e bu g pr ogr a m s: Allows user t o debug various low- level obj ect s such as t hreads. A t hread is a specific unit of code t hat does work on t he syst em and occupies m em ory. This right is usually only grant ed t o Adm inist rat ors, but if you do any developm ent , you m ight need t o add t his right t o your developer's group. For ce sh u t dow n fr om a r e m ot e syst e m : Allows a user t o shut down a WinNT syst em rem ot ely over a net work. Norm ally grant ed t o Adm inist rat ors and Power Users on workst at ion syst em s and Adm inist rat ors and Server
Operat ors on server syst em s. Unless you're net worked at hom e, you do not grant t his right t o anyone. •
•
•
•
•
•
•
•
Ge n e r a t e se cu r it y a udit s: Allows a process t o generat e securit y audit log ent ries. Norm ally not grant ed t o any user or group. This right is used t o enable audit ing ( t alked about in Chapt er 8) and should be left at t he default set t ing. I n cr e a se qu ot a s: Does not hing in Windows NT; allows m odificat ion and set t ing of disk quot as in Windows 2000. Grant ed t o Adm inist rat ors only. Disk quot as are used t o rest rict t he am ount of dat a a user can st ore on t he hard drive of a syst em . I n cr e a se sch e du lin g pr ior it y: Allows a user t o boost t he execut ion priorit y of a process. Usually only grant ed t o Adm inist rat ors. I n a com put er syst em , everyt hing t hat happens is placed in a queue and has a priorit y. When you com e t o t he t op of t he queue, you get m em ory and CPU t im e t o operat e. The scheduling priorit y t ells t he com put er how im port ant your t ask is and how soon and how oft en you should get m em ory and CPU t im e. Loa d a n d u n loa d de vice dr ive r s: Allows a user t o inst all and rem ove device drivers. Norm ally grant ed only t o Adm inist rat ors. This one should be grant ed t o anyone who inst alls hardware on t he com put er. Each piece of hardware has a driver t hat t ells t he OS how t o t alk t o t he hardware; t he drivers m ust be loaded for t he hardware t o operat e correct ly. Lock pa ge s in m e m or y: Allows a program m er t o lock pages in m em ory so t hey cannot be paged out t o a backing st ore such as t he pagefile. Not grant ed t o any user or group by default . This right should usually not be grant ed t o any user. Log on a s a ba t ch j ob: Allows a process t o log on for bat ch or script ed execut ion. This right has no effect in Windows NT and is not grant ed t o any user or group by default in Windows 2000. Not generally used; leave at default . Log on a s a se r vice : Allows a process t o regist er wit h t he syst em as a service. Not grant ed t o any user or group by default but oft en added t o user account used for services during inst allat ion of soft ware. I f you inst all soft ware t hat inst alls as a service ( t his is how WinNT and Win2k applicat ions t hat m ust st ay act ive are run) , t his user right is added t o t he account used. Most oft en t he set up program of t he applicat ion will do t his for you or provide inst ruct ions on how t o do it . Do not add t his unless inst ruct ed t o by t he applicat ion m aker. M a na ge a udit in g a nd se cu r it y log: Allows a user t o specify what t ypes of resource access ( such as file access) are t o be audit ed and t o view and clear t he securit y log. Not e t hat t his right does not allow a user t o set syst em audit ing policy by using t he Audit com m and in t he Policy m enu of User Manager. Mem bers of t he Adm inist rat ors group always have t he abilit y t o view and clear t he securit y log. Norm ally only grant ed t o Adm inist rat ors.
•
• • •
•
•
M odify fir m w a r e e nvir on m e n t va r ia ble s: Allows a user t o m odify syst em environm ent variables st ored in nonvolat ile RAM on syst em s t hat support t his t ype of configurat ion. Norm ally grant ed only t o Adm inist rat ors. Det ailed discussion is beyond t he scope of t his book. Briefly, it am ount s t o changing t he variables t hat run t he com ponent s of t he hardware. No need t o t ouch t his set t ing or t hose environm ent variables for hom e users. Pr ofile single pr oce ss: Allows a user t o perform profiling ( perform ance sam pling) on a process. Usually grant ed t o Adm inist rat ors. Pr ofile syst e m pe r for m a n ce : Allows a user t o perform profiling ( perform ance sam pling) on t he syst em . Usually grant ed t o Adm inist rat ors. Re pla ce a pr oce ss- le ve l t ok e n : Allows a user t o m odify a process's securit y access t oken. This is a powerful right used only by t he syst em . Not grant ed t o any user or group by default . This user right enables an applicat ion t o " im personat e" or " act on behalf of" ot her users. Should not be grant ed t ypically t o anyt hing or anyone wit hout a good knowledge of why. Re st or e file s a nd dir e ct or ie s: Allows a user t o rest ore backed- up files and direct ories. This right supersedes file and direct ory perm issions but grant s Writ e perm ission only. Usually grant ed t o Adm inist rat ors and Backup Operat ors on workst at ion syst em s and Adm inist rat ors, Server Operat ors, and Backup Operat ors on server syst em s. Ta k e ow ne r sh ip of file s or ot he r obj e ct s: Allows a user t o t ake ownership of files, direct ories, print ers, and ot her obj ect s on t he com put er. This right superedes perm issions prot ect ing obj ect s. Usually grant ed only t o Adm inist rat ors by default .
Denying Access This quest ion oft en com es up: " I f I don't give perm ission t o do som et hing, is t hat t he sam e as denying access?" Well, yes and no. I f you do not explicit ly grant perm ission, t he default perm ission st ruct ure applies. I f t he users in quest ion don't have perm ission by default , t hey cannot perform t he request ed operat ion. I f t he m odel you choose is Grant All, Deny Explicit , odds are t hat t he user can do what she is request ing. I f you choose Deny All, Grant Explicit , t he user m ost likely can't do t he operat ion by default . I f you deny access, t he user will not be able t o do t he request ed operat ion, period. Let 's look at an exam ple t o see how t his works. When users double- click a file, t hey are request ing Read or Execut e access ( depending on t he t ype of file clicked) . The first t hing t hat happens is t hat t he syst em checks on who is asking for t he access and com pares t his inform at ion wit h t he ACL of t he file. I t checks t o see if t his user is denied access; if so, it st ops checking and provides a Denied Access m essage. I f t he user is not denied access, t he syst em reads t hrough t he list looking for an ent ry t hat allows t he user t o get t he access request ed. I t cont inues checking unt il it finds an ent ry in t he ACL t hat allows t he request ed access or unt il it reaches t he end of t he list . I f it reaches t he end of t he list , it generat es an Access Denied m essage. I f it finds an ent ry t hat allows access, it sim ply allows access by opening or running t he file.
Sharing Files On all Windows syst em s, you can share inform at ion rat her easily. You can j ust right click on a direct ory, select t he Sharing t ab ( see Figure 2- 6) , nam e t he share, and click OK. This share will now be available t o all Windows users who can connect t o your m achine. The default perm issions grant ed are Everyone Full Cont rol. That is bad—t he perm issions are far t oo broad. To change t hem , click Perm issions and set everyone t o Read ( assum ing people do not need t o edit files on t he share) . Bet t er yet , rem ove t he Everyone group and replace it wit h t he nam e or group t hat needs t he access. You can see an exam ple of t his access reduct ion in Figure 2- 7.
Figu r e 2 - 6 . Sh a r in g a dir e ct or y
Figu r e 2 - 7 . Re du cin g pe r m ission s
Following are som e quick guidelines on sharing dat a: •
•
•
Share dat a only when needed, and st op sharing dat a aft er t he need has passed. Don't keep up perm anent shares on your syst em . Always reduce t he perm issions on t he share t o t he m inim um required or at least t o Everyone Read ( if t hat m eet s your purpose) . Apply ACLs t o t he shared direct ory and file if you are using an operat ing syst em t hat support s t hat opt ion. Also t urn on logging if you can and if t he files are sensit ive dat a.
Data Backups Your dat a is not really secure if you have all t he logical prot ect ion in t he world but t he hard drive fails and you have no backup. I f you have any dat a you consider I m port ant or Crit ical, you need t o have som e form of backup. I t doesn't have t o be fancy, but it should be som et hing t hat covers you in case of hardware failure or dat a corrupt ion. Typically people use a rem ovable st orage drive ( such as a t ape drive or rem ovable disk) and schedule a backup t o run every night or every week. I f your
dat a is Crit ical, such as financials for t he hom e business you run, you should consider having off- sit e st orage for at least one full backup, and you should always have recent dat a in t hat locat ion. This is t ypically a safe deposit box or a t ape st ored at a fam ily m em ber's or friend's house. To keep t he dat a current on t he backups, you can rot at e t he t apes each week. Run a full backup on Friday and leave t he t ape at hom e, t ake last week's backup t ape t o t he off- sit e locat ion, and t ake t he t ape from t he off- sit e locat ion back hom e t o be used for t he next backup. I f you use t his syst em , your dat a will never be m ore t han one week old. I f you m ust have t he dat a m ore current , sim ply rot at e m ore frequent ly. There are plent y of ot her m et hods t o use, t oo, but rem em ber t hat you should keep your backup rout ine as sim ple as possible t o ensure it get s done every week.
Selecting a Network Security Model Checklist Here is a worksheet for det erm ining your net work securit y m odel and set t ing up users, groups, and access t o your syst em . This should help you focus your effort s on st art ing your syst em securit y. 1. 2. 3. 4.
What was your Securit y Risk Rat ing ( from Chapt er 1) ? ___% __________ Who uses t he syst em regularly? ____________________________________ Who will adm inist er t he syst em regularly? __________________________ Are t here any applicat ions t hat use sensit ive dat a? Yes / No I f yes, please list t hem : ___________________________________________ ______________________________________________________________ ___
5. What operat ing syst em are you using? ______________________________ 6. I s t he syst em connect ed t o t he I nt ernet ? ____________________________ 7. What t ype of I nt ernet connect ion do you use ( DSL, cable, dial- up) ? ______________________________________________________________ __ 8. Are you using a firewall or ot her securit y on t he I nt ernet connect ion? ______________________________________________________________ __ 9. Do you norm ally have guest s who use your com put er? _______________ 10. Are your files and direct ories secured by using ACLs? ________________ 11. Are your shares using reduced perm issions? ________________________ 12. Are you unsharing direct ories when t hey're not in use or no longer needed? _________________________________________________________
Chapter 3. Securing Your Computer (Locking the Home) The Sm it hs live far away from everyone, in relat ive seclusion, yet t hey lock t he door at night . They have t aken several precaut ions against a variet y of t hreat s, as we have seen in t he earlier chapt ers. I f you look at everyt hing t hey are doing, you m ight feel t hat all t he precaut ions are redundant or t hat John is doing t oo m uch work t o prot ect his land or fam ily from t hreat s t hat have a low chance of occurring. But he is doing what he feels is needed, and t hough t he risk is low, t he cost of a problem would be very high. So John does t he work. Because t he Sm it hs live far away from help, t he im pact of a problem could be very great . So John does everyt hing from sim ply loading and caring for his shot gun t o t he m ore com plex building of walls and fences. He doesn't have a writ t en list of t asks, but he does keep t rack of what is done and what needs t o be done. Every day he does t he t hings he needs t o do t o keep up t he safet y and well- being of his fam ily; in fact t he ent ire fam ily does. They use a com binat ion of t hings t o ensure t heir securit y, and t hey m aint ain t heir vigilance even when no t hreat is apparent . They m aint ain t he walls and fences, keep t he house repaired, ensure t he anim als are fed and shelt ered, and t hey st ore supplies for t he wint er. John also does one ot her t hing t hat helps out great ly. Whenever he is in t own t o buy supplies or sell crops, he t alks t o t ownspeople, t o m erchant s, and even t o t he local soldiers if t hey will t alk. He asks about what has been going on in t he area around him and st ays in t ouch wit h current event s as best he can. This gives him a decent idea of whet her a t hreat is out t here current ly or not .
Securing Your Windows System A few t hings about securit y generally apply across t he board t o all syst em s and all levels and should be considered by anyone working on a securit y plan. I will discuss a few of t hem here before m oving int o som e m ore det ails and concept s of net work and operat ing syst em securit y lat er in t his chapt er and in Chapt er 4, Securing Your Servers. I have set t his up so you can start reading here in Chapt er 3 and cont inue unt il you find it em s t hat do not apply t o you. At t hat point you m ight wish t o keep reading or—if t he securit y det ails being discussed are beyond your needs—you m ight skip t o Chapt er 5, Connect ing t o t he I nt ernet . Each sect ion from t his point unt il t he end of Chapt er 4 is designed t o build on t he previous sect ions. Each sect ion assum es t hat you are doing som e or all of what was given before it . I f you are not , be sure t o not e t hat as you im plem ent t he securit y changes recom m ended. Your not es will help you great ly if you need t o t roubleshoot a problem while put t ing your securit y in place.
General Security Practices The first t hing t o do is define som e t erm s and concept s t hat relat e t o Windows securit y. Many of t hese concept s also apply t o any operat ing syst em , but som e of t he discussion brings in det ails t hat are Windows- specific. The it em s in t he following list form t he basic building blocks of securit y. Underst anding what t hey are and how t o apply t hem is t he first st ep t o securing a com put er. •
• •
•
Bor de r Con t r ol: Prot ect ion at t he point where som eone m ight ent er a syst em , usually t he net work connect ion t o t he I nt ernet . This oft en is a firewall, proxy server, or rout er on bigger net works, but in a hom e net work, it is m ost likely a personal firewall or a device int egrat ed wit h t he m odem or service provided by your I nt ernet Service Provider ( I SP) . Syst e m Se cu r it y: Third- part y set t ings and soft ware t o secure an individual com put er from ext ernal t hreat s. This chapt er and t he next deal prim arily wit h t his. Ph ysica l Se cu r it y: Securit y st art s here. I f int ruders can t ouch t he box, insert disks, t urn off t he power swit ch, and so on, t hey can essent ially own t he box. As a hom e user, you probably do not have st rangers regularly visit ing your hom e. Even if you do, t hey probably don't com e over t o sit at your com put er. However, if you have a sm all business or you're a t elecom m ut er for a larger com pany, you m ight want t o ensure som e cont rol over who accesses t he com put ers in your house or office. The reason for t his is very sim ple. I f I can open t he com put er case and rem ove or insert hardware, or if I can rem ove a syst em from behind a firewall or even j ust insert a CD or disk in t he drive, I can negat e m uch of t he securit y of your syst em . By allowing public or uncont rolled access t o your syst em , you com prom ise it s securit y. St a ying Cur r e n t on Ve r sion s, Se r vice Pa ck s, a nd H ot fix e s: Som e aspect s of securit y cannot be configured by users; in fact , som e aspect s cannot be configured at all and can be fixed only by updat ing t he soft ware of t he operat ing syst em it self. That is why it is crit ical for you t o keep current in your soft ware versions, service packs, and hot fixes. The following is from a Microsoft Securit y Bullet in ( March 3, 2001) : Today, t he FBI 's Nat ional I nfrast ruct ure Prot ect ion Cent er ( NI PC) released an advisory det ailing recent at t acks against ecom m erce and e- banking syst em s. ( The advisory is available at ht t p: / / www.nipc.gov/ warnings/ advisories/ 2001/ 01- 003.ht m .) One of t he m ost t roubling aspect s of t hese at t acks is t hat virt ually all of t hem were carried out via known vulnerabilit ies for which pat ches have been available for m ont hs or, in som e cases, years. Microsoft shares t he NI PC's concern about t hese at t acks, and would like t o ensure t hat all cust om ers have t aken t he needed st eps t o prot ect t heir syst em s. We have published a com panion art icle t o t he NI PC advisory, available at ht t p: / / www.m icrosoft .com / t echnet / securit y/ nipc.asp. The art icle det ails t he vulnerabilit ies used in t hese at t acks and t he bullet ins t hat provide pat ches for t hem . I t also discusses ot her m easures cust om ers should t ake t o ensure t he securit y of t heir
syst em s. I f you haven't applied t he pat ches for t hese vulnerabilit ies, please t ake t he t im e t o do it im m ediat ely. As you can see from t his bullet in, t he vendors of soft ware do spend t im e and effort publishing bullet ins, pat ches, and upgraded releases of soft ware. But if soft ware users don't apply t he pat ches or aren't aware of an updat e, t he pat ches and updat es do no good. Crackers will always t ry old exploit s ( t he nam e for code used t o crack syst em s or t ake advant age of known securit y holes) first . They're usually easy and fast , and if users aren't pat ching old holes, why look for new ones? The cracker can sim ply run som e script s and gain cont rol of t he syst em , deface t he Web page, or do what ever it is t hey cam e t o do. Businesses should always st ay up- t o- dat e on t heir service packs and hot fixes t o rem ain secured. The sam e holds t rue for hom e users; however, pat ches com e out frequent ly, so you m ight want t o use t he Aut o Updat e feat ure or wait for Service Packs t o com e out . You can check www.m icrosoft .com / securit y for inform at ion about pat ches t o t he Windows syst em s and ot her Microsoft product s. You can also sign up for t he securit y newslet t er from t his sit e t hat will inform you in t he case of a new pat ch or service pack release. Just follow t he link " Securit y Bullet ins" and t hen click t he link " Regist er t o Aut om at ically Receive Securit y Bullet ins."
Service Packs and Hotfixes
Through t he course of t his book you'll hear references t o service packs and hot fixes and how you should be current on t hese t hings t o m aint ain your securit y. I suppose it would be nice t o know what t hese t hings are. A service pack ( SP) is a package of soft ware for updat ing a released soft ware product . Service packs usually deliver in a single package all updat es, securit y fixes, and driver updat es t hat have com e out since t he product was released. ( Most com panies now deliver only fixes, not feat ure enhancem ent s, in service packs.) The release schedule for service packs is variable by product and vendor, but Microsoft seem s t o release a service pack for t heir operat ing syst em s about every six m ont hs. Service packs usually undergo a fair am ount of t est ing and can generally be considered st able for inst allat ion on your syst em . As wit h any operat ing syst em upgrade, however, you should m ake a backup first and know how t o uninst all t he changes or rest ore if som et hing unexpect ed happens. A hot fix is a pat ch for a specific problem and is released as soon as possible aft er t he problem is discovered. Hot fixes can exist for a variet y of problem s, not all of which you will encount er, so it is generally recom m ended t hat you apply t hem only if specifically relat ed t o your syst em or t o securit y. You can wait for t he next service pack t o apply any ot her hot fixes. Service packs usually cont ain all hot fixes released since t he last service pack or operat ing syst em release. Because hot fixes and service packs usually cont ain a large port ion of securit y fixes, t he release inform at ion and not ificat ions oft en go out on t he securit y m ailing list s.
Bugs and ot her problem s will also surface on t he securit y m ailing list s if t hey have securit y ram ificat ions. ( Appendix A includes inform at ion about m ailing list s.)
Windows 9x I have t o com e right out and say t his: Windows 9x m ust be looked at as being unsecurable wit hout help from t hird- part y soft ware or hardware. These operat ing syst em s sim ply don't provide t he basic necessit ies of securit y, such as User Managem ent and Access Cont rol. They do support int egrat ion int o m ore secure syst em s such as Windows NT or Windows 2000, but will usually be t he weak link. What can you do? The answer is personal firewalls, ant ivirus soft ware, and safe com put ing pract ices. You can also get hardware firewalls, proxy servers, and rout ers, or you can upgrade t o an operat ing syst em t hat support s bet t er securit y. Pe r sona l Fir e w a lls Personal firewalls are reasonably new on t he PC scene. This is a soft ware or hardware firewall you can set up t o prot ect your hom e and sm all- business com put er or net work. First , let 's define firewall. A firewall is a device or soft ware ( or a com binat ion) t hat prot ect s your net work by m onit oring and blocking unwant ed t raffic while allowing t raffic t hat is desired. The firewall usually uses a set of rules t o det erm ine what t raffic is " okay" and what is not . A t ypical firewall for a large corporat ion can run from a few t housand dollars t o t ens of t housands. This is obviously not a solut ion for t he hom e or sm all- business user, so t he personal firewall concept was developed. The t ypical personal firewall is soft ware t hat runs on your workst at ion and provides sim ple logging, m onit oring, and blocking for your single syst em . The soft ware can range in price from free t o m oderat ely expensive. Wit h higher cost , you get opt ions and configurabilit y not available on t he cheaper or free m odels. An exam ple of a free personal firewall is Zone Alarm from Zone Labs. This product provides adequat e, t hough not com plet e, prot ect ion for m ost hom e securit y needs. I f you wish t o m ove up a not ch from free, BlackI ce Defender by Net workI CE is a good product . I t is easy t o use and covers nearly all your securit y needs, but it does have a few known holes. Firewalls can be very t echnical and hard t o underst and when you're first dealing wit h t hem , so be prepared. BlackI ce Defender would be m y recom m endat ion for m ost hom e users who feel t hey need securit y. I f you want even m ore prot ect ion and configurabilit y, Zone Alarm Pro adds som e cost but also som e opt ions for configurat ion of rules. You'll find reviews for t hese and addit ional product s at www.firewallguide.com . An t ivir u s Soft w a r e I will t alk in dept h about viruses and Troj an horses in Chapt er 9, Viruses, Troj an Horses, Hoaxes. For now, underst and t hat t his com ponent is a key part of any securit y plan. First and forem ost , get and use ant ivirus prot ect ion, and updat e it regularly. Using t his soft ware is one of t he m ost cost - effect ive securit y m easures you can t ake. I t is not very expensive ( som e is even free for personal use) but is very effect ive at det ect ing and cleaning up viruses and Troj an horses. The soft ware is also get t ing bet t er at dealing wit h t he m acro viruses t hat are appearing wit h m ore frequency t hese days.
Sa fe Com pu t in g Pr a ct ice s Following are som e guidelines t hat apply t o all com put ing sit uat ions. Whet her you are a single hom e user or an em ployee in a large insurance com pany wit h volum es of sensit ive and privat e inform at ion, t hese ideas will be helpful. •
•
•
Ba ck up you r da t a r e gu la r ly: You'll hear m e say t his again and again, but it is t hat im port ant : Back up your dat a regularly. I n m any cases, backups are t he only way t o recover if t hings go bad, and having t hem is always an assurance t hat you can get back t o dat a you need. I f you deal in sensit ive dat a, st ore one backup t ape or CD off- sit e ( t ake it t o work or place it in a locat ion t hat isn't wit h t he com put er t hat uses t he dat a) . En su r e pr ot e ct ion a ga in st pow e r su r ge s a n d ou t a ge s: Power fluct uat ions and disrupt ions m ight not be com m on in your area, but t hey do happen and t hey are and can cause problem s wit h your com put ers. Obviously, t he com put ers will not operat e if t hey have no power, but t hey also m ight lose som e of your work if you are using t hem when t he power goes out . I f you are working during a st orm or ot her condit ions where power int errupt ion is possible, save your work frequent ly. Addit ionally, as Californians have found out , t he condit ion and availabilit y of elect ricit y is subj ect t o t rouble from t im e t o t im e. I f you use an Unint errupt ible Power Supply ( UPS) , you will have short - t erm prot ect ion from t hese periods of down power. You can also use line condit ioners t o reduce or elim inat e t he am ount of variance in your elect rical current . UPS devices and line condit ioners are available at m ost com put er st ores. D o n ot ope n file s fr om u n k n ow n sou r ce s: The m ost com m on way for you t o get a virus or Troj an horse on your syst em is by opening an execut able file from an unknown source. Most com m only, an e- m ail m essage you receive or Web sit e you visit links t o a file on a different server t hat is t he virus or Troj an. I f you do not run t he file or open t he at t achm ent , you are in no danger. At a bare m inim um , m ake sure you scan all files you receive or download from t he I nt ernet before using t hem , even if you know t he source. Also, t urn off t he hiding of file ext ensions and rem em ber t o look at t he last ext ension shown so you can t ell what is being sent t o you. Som e hackers have used t he filenam e readm e.t xt .vbs t o t ry t o get people t o run t heir Troj ans ( .vbs is t he file ext ension used by Visual Basic Script ing) . I f you have your file ext ensions hidden, t he .vbs ext ension does not show and t he file looks harm less because it seem s t o be only a t ext file wit h a .t xt ext ension. I n realit y, however, it could be a Troj an horse t hat can infect your syst em or inst all a back door because it is act ually a Visual Basic Script writ t en by a hacker or cracker for t he purpose of com prom ising your syst em .
N OTE You can t urn off t he hiding of file ext ensions ( which is on by default in m ost consum er Windows product s) by going int o t he Cont rol Panel ( from t he St art But t on, choose Set t ings and t hen Cont rol Panel) . Then double- click t he Folder Opt ions icon and choose t he View t ab. Uncheck t he box for Hide File Ext ensions for Known File Types, as shown in Figure 3- 1.
Figu r e 3 - 1 . Un h idin g file e x t e n sion s
•
D o n ot gr a n t e x ce ssive pr ivile ge s t o use r s: This is t he general rule of t he Deny All, Grant Explicit m odel we t alked about in Chapt er 2, " General Net work Securit y" . You should grant only t he level of aut horit y required t o do t he work needed, not ext ra. Even as t he Adm inist rat or, you should have t wo account s, one for everyday use, wit h lim it ed aut horit y, and one for adm inist rat ion of t he syst em , which you use only when doing syst em adm inist rat ion t asks. The reason behind t his rule is sim ple: m ost com put er program s run wit h t he aut horit y of t he user who st art ed t hem . I f a regular user runs a program t hat has a Troj an or virus, t he program is only a regular user and has lim it ed aut horit y t o hurt t he syst em . I f, however, t he Adm inist rat or of a syst em runs t he sam e program , t he Troj an or virus has adm inist rat or- level aut horit y and can do far m ore dam age t o t he syst em .
N OTE Win9x and ME do not have t he capabilit y t o rest rict local file access, so t his st ep is not direct ed at users of t hose syst em s.
•
•
Pr ot e ct you r pa ssw or ds fr om e ve r yon e : Whet her or not you t rust people, you should n e ve r reveal your passwords t o anyone. That 's like loaning out your house keys or car keys. Sure, you m ight do t his wit h very t rust ed people, but if t hey lose t he keys or loan t hem out furt her, you quickly lose cont rol of who is using your house or car. The sam e is t rue for com put ers. I f you loan out your password, you lose cont rol of who is using your ident it y on t he com put er. Perhaps t his isn't crit ical wit hin your fam ily, but would your children t ell t heir friends, who m ight t ell t heir friends, and so on? I f t hey do, m any of t he prot ect ions we'll be t alking about will not be effect ive, because t he com put er will believe it 's you using t he syst em , not som eone else. I n addit ion, change your password frequent ly ( every 90–120 days) and use a m ixt ure of num bers and let t ers in your password. Do not use words found in a dict ionary, but m isspell t he words int ent ionally or use t wo or m ore words so t hat dict ionary at t acks will not work on your password. For exam ple, if your last nam e is Johnson, do not use your first nam e as your usernam e and your last nam e as your password. Even using j ohnson146 or j 0hns0n is not good; you shouldn't use your nam e in your password, regardless. Try som et hing like C00ki3Mobst er inst ead. Pr ot e ct w it h scr e e n - sa ve r se t t in gs: I f your syst em is in an area where people can walk by or pot ent ially sit at your syst em while you are away from t he keyboard, select a screen saver you like and t hen enable it s password prot ect ion feat ure. Set t he screen saver t o com e on aft er 3–5 m inut es.
Windows NT 4.0 I n addit ion t o all t he general it em s we've t alked about , you should consider som e addit ional st eps t o secure a Windows NT 4.0 box. These addit ional st eps t ake advant age of feat ures present in Windows NT 4.0 t o give you ext ra securit y.
N OTE Win9x users who purchase a t hird- part y securit y soft ware suit e t hat offers som e feat ures not norm ally present in Win9x m ight want t o read t his sect ion and apply what you are able wit h t he t hird- part y soft ware.
Use r s a nd Gr ou ps Because Windows NT com es wit h t he capabilit y t o ident ify users and t o cont rol and m onit or t heir access and act ivit y, you can do several t hings t o enhance securit y on your Windows NT syst em . •
•
•
Re na m e t he Adm in ist r a t or a ccou n t : The built - in Adm inist rat or account is well- known and m ight be exploit ed. The sim ple act of renam ing t he account will m ake t hese exploit s m ore difficult . As a m inim um , be sure t he password has 14 charact ers and uses bot h num eric and alphabet ic charact ers. D isa ble t he Gu e st a ccou n t : The built - in Guest account increases your risk. This account can be used by people on t he I nt ernet t o gain lim it ed access t o your syst em wit hout your knowing it . By using t his lim it ed access, t hey m ight t hen be able t o gain furt her access. To be ext ra safe, add a 14- charact er, st rong password t o t his account . Eve r y u se r sh ou ld ha ve a u n ique logon a ccou n t : I t is im port ant t o know t hat each user is unique and t hat you can ident ify t hem . On workst at ions at t he high side of Medium Risk or at High Risk, always enable audit ing on t he sensit ive files on your syst em so you know who is accessing t hem . Do your best t o ensure t hat users pick st rong passwords.
Gr a n t ing Acce ss t o File s Now t hat you know who is accessing your syst em , you have t o det erm ine what t hey will be able t o access. I n all of t he list ings below, I will use Aut hent icat ed Users ( AU) as t he m ain avenue of grant ing access, but if you are using WinNT wit h less t han Service Pack 3 ( SP3) , t his group will not exist . Please subst it ut e Dom ain Users unt il you can get and apply t he m ost current service pack. Once you are above SP3, you can use eit her Aut hent icat ed Users or Dom ain Users, alt hough Aut hent icat ed Users is probably m ore appropriat e. You change securit y set t ings on files by right - clicking on t he file or direct ory you want t o change and select ing t he Propert ies opt ion. Then select t he Securit y t ab shown in Figure 3- 2. From here you should see t he set t ings and but t ons for Add and Rem ove t hat enable you t o alt er t he securit y set t ings of t he select ed obj ect . I f you need inst ruct ions on how t o navigat e t o or use t he Securit y t ab, please consult t he online Help file or Windows Resource Kit , which can be purchased separat ely.
Figu r e 3 - 2 . Se t t in g file se cu r it y
•
All drives should be form at t ed t o NTFS, not FAT 16 or FAT 32. These acronym s are defined in Appendix B, but j ust rem em ber t hat t hey are file syst em s t hat a hard drive can use for st oring files and direct ories. NTFS support s t he Access Cont rol List s ( ACLs) you need t o properly secure files and direct ories; FAT 16 and FAT 32 do not have t his support .
N OTE I f you are set t ing up a syst em t o dual- boot wit h anot her operat ing syst em such as Windows ME, do not convert or form at all drives t o NTFS. Drives used by bot h operat ing syst em s should rem ain FAT 16 or FAT 32. Do t his if you are using only one operat ing syst em t hat support s NTFS, such as Windows NT or Windows 2000.
What Is the Registry?
I n t his sect ion of t he book, we t alk about prot ect ing t he Regist ry and get pret t y t echnical about what t o do and how t o do it . But what is t he Regist ry really, and why do you need t o prot ect it ? The Regist ry is a st orehouse of inform at ion. I t can hold all kinds of dat a and is used m ost oft en t o st ore operat ing syst em and applicat ion configurat ion dat a, set up and uninst all dat a, and various bit s of securit y dat a. The dat a is st ored in a hierarchical t ree form at , wit h five m aj or sect ions ( known as hives) . Each hive has a collect ion of branches under it , which in t urn can have branches under t hem , and so on. Alt hough it sounds com plex, it is a good syst em for organizing t hings. Think of t he Regist ry as like a library. A library has sect ions for Science and Art . Under t he Science sect ion, you can find Chem ist ry, Physics, and Biology, while under Art , you can find Music, Poet ry, and Paint ing. Under each of t hose sect ions, you can find m ore dat a or m ore branches unt il you get t o t he level you need. The Regist ry on your com put er works t he sam e way. That t he Regist ry has a large port ion of t he syst em and applicat ion configurat ion dat a in it is indeed a big deal. This dat a t ells t he operat ing syst em such t hings as how t o run various applicat ions, when t o run t hem ( when you double- click on a file, t he dat a in t he Regist ry t ells Windows what t o run t o open t hat file) , and how t he operat ing syst em it self is configured. Even user account s and groups are st ored in a special sect ion of t he Regist ry on som e Windows syst em s. The Regist ry becom es a t arget for hackers because by affect ing t he Regist ry, hackers can cause t he syst em t o run, download, or erase files on t he syst em . Because it is very powerful, it needs t o be prot ect ed. • •
I f possible, st ore operat ing syst em files on a separat e drive from your applicat ion and dat a files. For exam ple, st ore operat ing syst em inform at ion on C: drive, but put your applicat ions and dat a on E: ( assum ing D: is your CD drive) . For all drives, change t he default perm ission of Everyone: Full Cont rol t o Aut hent icat ed Users: Full Cont rol. Then rem ove t he perm issions for t he group Everyone and leave any ot her perm issions in place. Now propagat e t hese changes t o all files and subdirect ories. To do t his, right - click on t he C: drive in Explorer, choose Propert ies, choose t he Securit y t ab, and t hen click Advanced. Figure 3- 3 shows t he checkbox t o select t o apply t he default perm ission changes t o all obj ect s on t he drive. Repeat for all drives on t he syst em .
Figu r e 3 - 3 . Pr opa ga t in g file pe r m ission s in W in dow s 2 0 0 0
•
Secure t he Operat ing Syst em Direct ory. Find t he direct ory where t he operat ing syst em was inst alled ( usually \ WI NNT or \ WI NDOWS) . Now change t he perm issions on t his direct ory and all t he ones below it t o Adm inist rat ors: Full Cont rol, Creat or Owner: Full Cont rol, Aut hent icat ed Users: Read, Syst em : Full Cont rol. I f you want st andard users t o be able t o inst all soft ware on t his syst em , you m ight need t o add Dom ain Users: Change t o t hese perm issions.
Gr a n t ing Pr ivile ge s Typically, t he services and privilege levels on workst at ions are set t o an adequat ely secure level. However, t o be safe, disable any services you do not need and do not grant ext ra user right s unless you know t hey are needed t o accom plish a t ask. I f you have a need for t he Scheduler Service, ensure it is running under a local account wit h adequat e perm issions, but do not run it as t he Local Syst em Account . Pr ot e ct ing t h e Re gist r y The Regist ry is a syst em resource used for st oring operat ing syst em , applicat ion, and user dat a and configurat ion set t ings. I t is int ended t o be accessed only by aut horized users of t he syst em , but accessing regist ries rem ot ely is useful if you are a syst em adm inist rat or on a large net work. Hom e users usually do not need t o rem ot ely
access t he Regist ry, and sm all businesses do so only rarely. To rest rict net work access t o t he Regist ry, use t he Regist ry Edit or shown in Figure 3- 4 t o creat e or m odify t he following Regist ry key: Hive: HKEY_LOCAL_MACHINE Key: \CurrentControlSet\Control\SecurePipeServers Name: \winreg Type: REG_DWORD Value: 1
Figu r e 3 - 4 . Vie w in g t h e Re gist r y w it h t he Re gist r y Edit or
The securit y perm issions set on t his key define which users or groups can connect t o t he syst em for rem ot e Regist ry access. The default Windows NT workst at ion inst allat ion does not define t his key and does not rest rict rem ot e access t o t he Regist ry. You should add t his key and set t he perm issions t o Adm inist rat ors: Full Cont rol on any syst em t hat is connect ed t o t he I nt ernet full- t im e via a cable m odem or DSL connect ion. Users who dial up t o t he I nt ernet m ay choose not t o add t his key at t heir discret ion. I f your risk fact or is high, I would recom - m end you do add t his key regardless of connect ion t ype. I f you do not add t his key t o prot ect your Regist ry, rem ot e users ( including hackers and crackers) m ight be able t o connect t o and alt er your Regist ry wit hout your knowledge. I n addit ion t o t hese rest rict ions, t he following keys are also rem ot ely accessible. Only advanced users should alt er t hese set t ings; however, we need t o t alk about t hem because of t he securit y exposure possible from t hese keys. The perm issions should be set t o Adm inist rat ors: Full Cont rol, Creat or Owner: Full Cont rol, Syst em : Full Cont rol, Aut hent icat ed Users: Read t o prevent at t ackers from adding pat hs t o t his key.
Hive: HKEY_LOCAL_MACHINE Key: \System\CurrentControlSet \Control\SecurePipeServers\winreg Name: AllowedPaths Type: REG_SZ Value: A string list of key names that will allow remote access. Rest rict t he abilit y of anonym ous users t o look up dat a about your syst em , including User Nam es and Share Nam es, by set t ing t he following in your Regist ry. Prevent ing t his dat a from being easily discovered is im port ant for keeping int ruders out and m aking t heir at t em pt s t o crack your syst em m ore difficult . Hive: HKEY_LOCAL_MACHINE Key: \System\CurrentControlSet\Control\LSA Name: Restrict Anonymous Type: REG_DWORD Value: 1 Last , on any syst em where m ult iple people log on regularly or access is not rest rict ed physically, you will want t o set t he syst em t o not display t he usernam e of t he last user who logged on. This keeps a hacker from viewing t he last logged- on usernam e. To accom plish t his, set or creat e t he following in t he Regist ry. Ensure t hat t his key has Everyone: Read perm ission, leaving all ot her perm issions as t hey were. Hive: HKEY_LOCAL_MACHINE Key: \Software \Microsoft \WindowsNT \CurrentVersion \WinLogon Name: DontDisplayLastUserName Type: REG_DWORD Value: 1 Viewing t hat last logged- on usernam e can m ake life easier for hackers. I f t hey know at least one account nam e t hat is valid on t he syst em , t hey can use t hat account nam e t o st art guessing passwords. The best plan is not t o give t hem t hat advant age. This Regist ry change is m ost beneficial on m ult i- user or publicly accessible syst em s; however, m aking t his change on all WinNT and Win2k syst em s is a good idea. Gr a n t ing a n d Con t r ollin g Re m ot e Acce ss t o File s Unt il recent ly, t he hom e com put ing environm ent was usually one com put er syst em . However, it is becom ing increasingly norm al for hom es t o have m ult iple syst em s and sm all net works. I f you have files or direct ories t hat are shared ( referred t o as shares or share point s) , it is im port ant t o cont rol who has access t o t hese shares so int ruders can't use t hese as easy st art ing point s for a breach of your securit y. Sm all businesses m ust be even m ore careful about dat a being shared on t heir net works. We t alked about shares in Chapt er 2, but here are som e ext ra st eps for prot ect ing shares. By set t ing t he following in your Regist ry, you can rem ove well- known shares from t he syst em t o prevent rem ot e at t acks against t hese shares. Please not e t hat if you have a Syst em Adm inist rat or who needs rem ot e access t o your syst em s, ask before rem oving t hese shares. These shares should be rem oved because t hey are " well
known" ; t hat is, at t ackers know t hey exist on every WinNT and Win2k syst em unless t hese changes have been m ade. This provides a known pat h t o exploit , so rem ove t he shares t o rem ove t he known pat h of at t ack. Hive: HKEY_LOCAL_MACHINE Key: \System\CurrentControlSet \Services\LanManServer\Parameters Name: AutoShareWks Type: REG_DWORD Value: 0 I f you have t o share files and direct ories from a workst at ion, be sure t o change t he default perm issions on t he shared resource. ( For a rem inder of how t o do t his, see Figures 2- 6 and 2- 7.) The perm issions are Everyone: Full Cont rol by default , which allows unknown users t o writ e t o your hard drive. You should rem ove t he Everyone perm issions and change t his t o Aut hent icat ed Users: Read. I f users m ust writ e or change dat a in t he share, add t heir usernam e t o t he share and set t he perm ission t o Change. Only as an absolut e last resort should you set t he perm issions on t he share t o Everyone: Full Cont rol, and you should do so only if you need users t o writ e t o t he share and you do not have t hem set up as users on your syst em . I f you set perm issions t o Everyone: Full Cont rol, m ake sure your virus scanner is updat ed and running at all t im es.
Small Businesses Only The changes in t his sect ion are generally only needed if you run a business from out side your hom e. Hom e users do not have t o m ake t he changes shown, alt hough t hey m ight choose t o. D ispla yin g a Le ga l N ot ice Be for e Logon By m aking t he following changes, you can have Windows NT and Windows 2000 display a Legal Not ice before a user logs on. You can use t his not ice t o supply inst ruct ions on how t o log on or a legal not ice about accept able use of t he syst em . I n m ost corporat e environm ent s, t his not ice not ifies users t hat t he com put er syst em is not a public syst em and t hat legal act ion m ay be t aken if t he syst em is used inappropriat ely. Several exam ples of what t hese legal not ices should say are available on t he I nt ernet at securit y resource sit es referenced in Appendix A. To display a legal not ice, use t he Regist ry Edit or t o creat e or assign t he following Regist ry key values on t he workst at ion t o be prot ect ed: Hive: HKEY_LOCAL_MACHINE\SOFTWARE Key: \Microsoft\Windows NT\Current Version\Winlogon Name: LegalNoticeCaption Type: REG_SZ Value: Whatever you want for the title of the message box Example: WARNING! Please Read! Or Legal Warning! Read Before Proceeding! Hive: HKEY_LOCAL_MACHINE\SOFTWARE Key: Microsoft\Windows NT\Current Version\Winlogon Name: LegalNoticeText
Type: REG_SZ Value: Whatever you want for the text of the message box Example: You are about to access a privately owned computer system. Unauthorized use or access is prohibited. If you are accessing this system without permission, log off now. W in dow s 2 0 0 0 Windows 2000 Professional is t he workst at ion version of Windows 2000, and t he securit y is com parable t o Windows NT 4.0 as far as changes you need t o m ake. I n fact , m ost user syst em s need no changes ot her t han t hose discussed for Windows NT 4.0. For higher securit y syst em s, you should look ahead t o t he changes in Chapt er 4 for Windows 2000 server on TCP/ I P Filt ering and I PSec, but t hose changes are only recom m ended for syst em s wit h a high risk profile. The biggest difference bet ween t he t wo operat ing syst em versions is t he t ools you use t o accom plish t he changes. I n Windows NT, you have t o use Policy Edit or or RegEdit and a local version of User Manager t o m ake your changes. I n Windows 2000, you use t ools locat ed in t he Adm inist rat ive Tools applet of t he Cont rol Panel ( see Figure 3- 5) . Bot h syst em s use Explorer t o alt er file and direct ory securit y ( not t o be confused wit h I nt ernet Explorer, t he Web browser) .
Figu r e 3 - 5 . W in dow s 2 0 0 0 t ools
Security Configuration Editor
I f all of t his edit ing of t he Regist ry sounds t erribly t ough or t echnical, do not worry. Microsoft has creat ed a t ool called Securit y Configurat ion Edit or ( SCE) for Windows NT 4.0 t hat enables you t o m ake t hese changes in a user int erface wit hout direct ly edit ing t he Regist ry. I n Windows 2000, t his t ool is int egrat ed in t he operat ing syst em as t he Local Securit y Policy. SCE can be found on syst em s wit h Windows NT 4.0 Service Pack 4 or higher. This t ool enables you t o change securit y- relat ed set t ings very easily. I n Windows 2000, t his funct ionalit y is found in t he securit y edit ing t ools in t he Cont rol Panel, Adm inist rat ive Tools, Local Securit y Policy. Ot her t ools for edit ing securit y and Regist ry can be found on various sit es on t he I nt ernet such as Tucows ( www.t ucows.com ) . Be sure you get t hese t ools only from t rust ed sources; do not go find j ust any old Regist ry edit or or securit y t ool and assum e t hat it is okay. Table 3- 1 is a checklist of st eps you can use t o help you secure your workst at ion. I t isn't im port ant t o do t hem in order, and in fact you can skip st eps you don't feel are needed, but you should record t he st eps you do t ake so you know what and when you did each one.
Ta ble 3 - 1 . W or k st a t ion Se cu r it y Ch e ck list Se cu r it y St e p
W indow s 9 x , M E Physical Securit y: I s your syst em reasonably secured physically? Have you applied t he lat est pat ches and service packs? Run Windows Updat e lat ely? What t ype of border cont rol or firewall do you have in place? Are you running ant ivirus soft ware? What m aker and version? Have you updat ed it recent ly? Are you backing up your dat a? How regularly? Are you prot ect ed against power surges? Power out ages? Do you follow t he Safe Com put ing Pract ices list ed in Chapt er 3?
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Ta ble 3 - 1 . W or k st a t ion Se cu r it y Ch e ck list Se cu r it y St e p
Have you given out your password t o anyone? I f so, who? W indow s N T 4 .0 Have you set your screen saver t o use a password? Have you configured any users or groups for use on your syst em ? Have you renam ed t he Adm inist rat or account ? Does t he Adm inist rat or account have a st rong password? I s t he Guest Account disabled? Does each user have a unique logon t o your syst em ? Are all hard drives form at t ed t o NTFS? Are Operat ing Syst em files st ored separat ely from dat a files? Did you change Everyone t o Aut hent icat ed Users on ACL list s? Did you set t he perm issions on t he WI NNT direct ory? Did you change t he account t hat t he Scheduler Service runs under or disable t he Scheduler Service? Did you disable unneeded services? Hive: HKEY_LOCAL_MACHI NE Key: \ Current Cont rolSet \ Cont rol\ SecurePipeServers Nam e: \ winreg Type REG_DWORD Value: 1 Adm inist rat ors: Full Cont rol Hive: HKEY_LOCAL_MACHI NE Key: \ Syst em \ Current Cont rolSet \ Cont rol\ SecurePipeServers\ winreg
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Ta ble 3 - 1 . W or k st a t ion Se cu r it y Ch e ck list Se cu r it y St e p
Nam e: AllowedPat hs Type: REG_SZ Value: A st ring list of key nam es t hat will allow rem ot e access. Adm inist rat ors: Full Cont rol, Creat or Owner: Full Cont rol, Syst em : Full Cont rol, Aut hent icat ed Users: Read Hive: HKEY_LOCAL_MACHI NE Key: \ Syst em \ Current Cont rolSet \ Cont rol\ LSA Nam e: Rest rict Anonym ous Type: REG_DWORD Value: 1 Hive: HKEY_LOCAL_MACHI NE Key: \ Soft ware\ Microsoft \ WindowsNT\ Current Version\ WinLogon Nam e: Dont DisplayLast UserNam e Type: REG_DWORD Value: 1 Everyone: Read Hive: HKEY_LOCAL_MACHI NE Key: \ Syst em \ Current Cont rolSet \ Services\ LanManServer\ Param et ers Nam e: Aut oShareWks Type: REG_DWORD Value: 0 Did you reset t he perm issions on any shares so t hey do not cont ain Everyone: Full Cont rol?
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Ta ble 3 - 1 . W or k st a t ion Se cu r it y Ch e ck list Se cu r it y St e p
Hive: HKEY_LOCAL_MACHI NE \ SOFTWARE Key: \ Microsoft \ WindowsNT\ Current Version\ Winlogon Nam e: LegalNot iceCapt ion Type: REG_SZ Value: What ever you want for t he t it le of t he m essage box Exam ple: WARNI NG! Please Read! Or Legal Warning! Read Before Proceeding! Hive: HKEY_LOCAL_MACHI NE \ SOFTWARE Key: Microsoft \ WindowsNT\ Current Version\ Winlogon Nam e: LegalNot iceText Type: REG_SZ Value: What ever you want for t he t ext of t he m essage box Exam ple: You are about t o access a privat ely owned com put er syst em . Unaut horized use or access is prohibit ed. I f you are accessing t his syst em wit hout perm ission, log off now. W in dow s 2 0 0 0 Pr ofe ssiona l a n d W in dow s XP No changes required; however, using t he Windows 2000 Tools t o m ake t hese set t ings is far easier.
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Chapter 4. Securing Your Servers (Locking the Barn) The Sm it hs lock t heir house at night ( we've heard som e of t heir reasons) , but what about t he barn? Of course t hey lock t hat , t oo, and t he reason is sim ple. The barn holds t he resources and t ools t hey use for t heir daily t asks. The fam ily couldn't survive long t his far away from a t own wit hout t hose resources, so t hey t ake precaut ions t o prot ect t hem from t hreat s. The livest ock is brought in each night and placed in st alls, t he horse's shoes are checked, and t he saddle and bit are checked and oiled and t hen hung on a nearby peg. Som e food and supplies are kept in t he pant ry in t he m ain house, but t he bulk of t he long- t erm food st ores are kept out in t he barn's st orage areas. These, t oo, are locked and frequent ly visit ed t o check on t he condit ion of t he st orage and t he cont ent s. Many of t he t hings done t o prot ect t he house also cover t he barn and st orage sheds. John's shot gun is loaded and ready ( wit h t he safet y on, of course, because of t he children) , even when no danger seem s im m inent . Locks on doors are sim ple and easy but provide prot ect ion t o all areas where t hey are inst alled, and t he fences and walls surround t he barn as well as t he house.
Why Servers Are Different Servers are like t he barn and st orehouse m ent ioned in t he exam ple, m eaning t hey are t he place where you st ore t ools, applicat ions ( in som e cases) , and dat a. This isn't direct ly applicable for m ost hom e users, who probably have at m ost a sm all net work of workst at ion syst em s. I f t hat is you, you m ight j ust want t o scan t hrough t his sect ion for det ails on addit ional securit y you m ight want t o t ake. However, if you are a sm all- business owner and have a server t o secure or if you have assessed your risk as High, I encourage you t o read t his sect ion of t he book and apply t he set t ings t o give yourself st ronger securit y against at t ackers. This brings us t o t he issue of what a server is. A server is in fact a provider of som e service, so in t he t rue sense of t he word, every syst em is a server of som e sort . However, t his book defines a server as a physical syst em wit h server versions of soft ware inst alled on it —in part icular, Windows NT or Windows 2000 Server soft ware. Please t hink of a server syst em as a physically separat ed syst em on t he net work, running server- specific soft ware.
Where to Start on Your Server Security Rem em ber t hat a server is usually t he cent ral part of t he net work, where m ost of t he resources reside, and as such it requires ext ra prot ect ion. I f you are not planning t o provide your server ext ra prot ect ion or you feel t hat t he server is not at any addit ional risk, perhaps you are not using it t o it s full pot ent ial ( or perhaps you don't need a server) . My experience t ells m e t hat alm ost every server requires addit ional
prot ect ion. A server syst em requires at least as m uch prot ect ion as a workst at ion syst em , so a good place t o st art securing your server syst em is by doing everyt hing in Chapt er 3, Securing Your Com put er. I f you have a server, it is safe t o assum e t hat you have a net work and probably are connect ed t o som e form of always- on connect ion such as DSL or cable. I f so, you need border prot ect ion of som e sort . This can be a personal firewall, a proxy server, or a full- blown firewall. We t alked briefly about t his in Chapt er 3, but I 'll define a few m ore t hings now. •
• •
•
•
•
•
Fu ll fir e w a ll: Usually a com binat ion of hardware and soft ware for cont rolling access t o a net work. On a sm all- business net work, you should do fine wit h a proxy server, a rout er, or a com binat ion of t he t wo. Typically t he rout er can be accom plish t he packet filt ering while t he proxy server does t he applicat ion layer filt ering. ( More about t hese short ly) . Pr ox y se r ve r : A server t hat m akes request s t o t he I nt ernet for you so your syst em and net work address are not exposed t o t he I nt ernet . A proxy server t hat can perform ot her securit y func- t ions such as applicat ion layer filt ering m akes a good securit y t ool for prot ect ing your net work. Pr ot ocol isola t ion : The I nt ernet operat es on TCP/ I P as it s prot ocol. I f you use t he sam e prot ocol ( usually a good idea, by t he way) , accessing and operat ing wit h t he I nt ernet are m uch easier. But it can also lead t o securit y issues if you are not careful. One way t o ensure high securit y in areas t hat require it is t o use prot ocol isolat ion, m eaning t hat m ost of your net work uses TCP/ I P but t he secured part s use a different net work prot ocol— Net BEUI , I PX/ SPX, or som e ot her support ed prot ocol. Syst em s needing access t o t he isolat ed part of t he net work can run bot h net work prot ocols, or a proxy server can sit bet ween t hem and t ranslat e t he t raffic back and fort h. This prevent s people on t he I nt ernet who are running only TCP/ I P from being able t o " see" your net work; t hey can't get across t he sect ion t hat is isolat ed via a different prot ocol. You would use t his only if you need st rong securit y or your risk profile is High. M u lt i- h om in g: Syst em s wit h m ore t han one Net work I nt erface Card ( NI C) are m ult i- hom ed, which can m ake som e part s of t he net work available wit hout exposing t he ent ire net work. This t echnique is not usually found at hom e, but is oft en in sm all- business environm ent s. Proxy servers can also be m ult i- hom ed syst em s. Un bin ding n e t w or k se r vice s: I n Windows, services being m ade available t o a part icular net work card are considered " bound" t o t hat net work card. I f you do not wish a service t o be available on a part icular card, you can unbind it . This m eans t hat t hough t he service is running, it will not respond t o request s m ade on t hat net work card. This reduces t he chances for a hacker t o exploit t hose services t o gain access t o your syst em . Pa ck e t filt e r in g: TCP/ I P ( t he prot ocol used by t he I nt ernet and m ost large net works) sends dat a from one syst em t o anot her in " packet s," which are sim ply sm all am ount s of dat a t hat can be handled easily. Packet filt ering is t he process of det erm ining which t ypes of packet s you will or will not accept t o your net work. How t his works is beyond t he scope of t his book, but any rout er or firewall product should have sufficient det ails in t he product docum ent at ion. Applica t ion la ye r filt e r in g: Sim ilar t o packet filt ering, but operat es on t he applicat ion layer of t he OSI m odel. What t his m eans is t hat applicat ions on TCP/ I P connect ions can be blocked or allowed in t heir ent iret y by applicat ion
layer filt ering. Proxy servers oft en do t his. As an exam ple, Web browsing operat es on t he applicat ion layer via t he prot ocol called HTTP ( Hypert ext Transfer Prot ocol) , and all Web t raffic can be blocked by using applicat ion layer filt ers. File Transfer Prot ocol ( FTP) and Telnet are ot her applicat ions t hat can be blocked by t hese filt ers.
The OSI Model
The Open Syst em s I nt erconnect ion m odel, or OSI m odel, gives a high- level view of how syst em s int erconnect wit h one anot her. OSI uses seven layers t o describe t he funct ions t hat m ust happen for com put er syst em s t o t alk wit h one anot her on a net work ( see Figure 4- 1) . You can find m ore inform at ion about t he OSI m odel in alm ost any basic net working t ext from your local library or bookst ore. This m odel m ight look sim ple, but it represent s how dat a is shared bet ween all com put ers t hat are net worked. At t he t op is t he applicat ion layer, which m ight be your I nt ernet browser or word processor. To get t he dat a t o or from t his applicat ion, you have t o m ove t hrough t he OSI layers down t o t he physical layer, which is t he cabling and Net work I nt erface Card t hat act ually connect your syst em t o ot hers. The det ails are a bit beyond t he scope of t his book, but I t hought it was im port ant t o show you t his m odel, because m any concept s in net working and securit y refer t o it .
Figu r e 4 - 1 . Th e OSI m ode l
Securing Windows NT Servers I n addit ion t o t he st eps in Chapt er 3, you should m ake t he following changes t o secure your NT Server syst em .
Install Patches and Service Packs This was covered in Chapt er 3 but bears repeat ing here. On a server syst em , st aying current on your securit y fixes and service packs is crit ical. You can subscribe t o securit y m ailing list s t o help det erm ine which ones are im port ant and which aren't or use t he Windows Updat e Feat ure t o do t he updat es. I f you are unsure of t he im port ance of t his, re- read t he NI PC m essage from Chapt er 3, which essent ially st at es t hat m ost syst em s polled were out - of- dat e—som e by as m uch as a year or m ore. Com prom ising t hese syst em s would seem t rivial t o a cracker.
Secure Important Files and Directories Make sure you secure t he files and direct ories in t he following list in addit ion t o t he ones in Chapt er 3. These files and direct ories cont rol how your syst em operat es. I f you do not prot ect t hese files and direct ories, at t ackers can alt er t he cont ent s of t he files or sim ply delet e t hem , m aking your syst em unusable. They can also alt er t he files and leave back doors open, or t hey can st eal ot her vit al inform at ion on t he syst em if t hey have t his access, so it is best t o always secure t hese it em s. I n t he \ WI NNT direct ory, set t he following direct ory perm issions: \ REPAI R\ set t o Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol; rem ove all ot her perm issions. \ SYSTEM32\ CONFI G\ set t o Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Creat or Owner: Full Cont rol, Aut hent icat ed: List . \ SYSTEM32\ SPOOL\ set t o Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Creat or Owner: Full Cont rol, Aut hent icat ed Users: Read, Server Operat ors: Change. \ COOKI ES, \ FORMS, \ HI STORY, OCCACHE set t o Adm inist rat ors: Full Cont rol, Creat or Owner: Full Cont rol, Aut hent icat ed Users: Special Direct ory Access ( R, W, X) , Aut hent icat ed Users: Special File Access ( R) . \ PROFI LES, \ PROFI LES\ XXXX\ SENDTO, \ TEMPORARY I NTERNET FI LES set t o Syst em : Full Cont rol. I n t his case, XXXX represent s a usernam e and t here m ay be m any of t hese keys t o secure, depending on t he num ber of users on t he server. I n t he Root Direct ory, set t he perm issions on \ TEMP t o Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Creat or Owner: Full Cont rol, Aut hent icat ed Users: Special Direct ory Access ( R, W, X) , Aut hent icat ed Users: Special File Access ( R) .
On t he files BOOT.I NI , NTLDR, and NTDETECT.COM, set Adm inist rat ors: Full Cont rol and Syst em : Full Cont rol. On t he files AUTOEXEC.BAT and CONFI G.SYS ( if present ) , set Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Aut hent icat ed Users: Read.
N OTE Syst em s t hat require anonym ous access m ight need t o subst it ut e t he group Everyone for t he group Aut hent icat ed Users in t hese list s. You only need anonym ous access if people who do not have account s on your local net work or com put er have a need t o access files on your syst em . Most people don't need t o be anonym ous t o access files and can use t he Aut hent icat ed Users set t ing.
Turn On Auditing I f you know who is doing what on your servers, you can det ect int rusions and m ist akes on t he part of users. At a m inim um you should audit Logon Event s Success and Failure, Account Managem ent Event s Success and Failure, Obj ect Access Success and Failure, Policy Change Success and Failure, Syst em Event s Success and Failure. You can do t his in t he User Manager for Dom ains t ool in t he Adm inist rat ive Tools m enu opt ion. The result s of t hese audit s appear in t he securit y logs so t hey can be viewed and evaluat ed for im port ant inform at ion. I m port ant inform at ion includes logon of account s you do not recognize or logon of your account s at a t im e when no one should be working on your com put er. Also helpful is t o keep t rack of access failures for files t o which you rest rict or cont rol access. Addit ionally, you m ight want t o check for Error Event s, as shown in Figure 42. There are plent y of ot hers, but if you need t o go deeper t han t his, you'll probably get int rusion- det ect ion or log- parsing t ools t o do t he work for you. More det ails about ot her det ect ion and prevent ion st eps are in Chapt er 8, Defending Against Hackers.
Figu r e 4 - 2 . Vie w in g e ve n t logs
Account Policies Set t he account policies t o t he list ed set t ings: • • • • • •
Enforce Password Hist ory: 5 Maxim um Password Age: 60–90 days Minim um Password Age: 1 Account Lockout Threshold: 5 Account Lockout Durat ion: 240 Reset Account Lockout Threshold: Never ( Manually Reset )
These account policies are set t his way t o reduce t he chances t hat hackers can guess or crack a password on your syst em . By forcing users t o use five different passwords, by aging t he passwords so users m ust change t hem frequent ly, and by locking out at t em pt s t o use weak passwords, you can m ake a hacker's j ob very hard.
Disable Unneeded Services Anot her change needed when securing a Windows NT server is t o disable or unbind from ext ernal int erfaces all unneeded services. Reducing t he am ount of soft ware t hat responds t o request s from t he I nt ernet closes som e of t he openings a hacker m ight have. The following services can t ypically be unbound or disabled: • • • •
•
•
•
•
•
•
•
•
Ale r t e r : Sends not ificat ions t o a list of users and m achines when syst em alert s happen on t he m achine. For m ost hom e users, t his service is not necessary. ClipBook Se r ve r : Allows rem ot e viewing of ClipBook pages. D yna m ic H ost Configu r a t ion Pr ot ocol ( D H CP) : Used t o regist er and updat e I P addresses and nam es dynam ically. Not generally required on a hom e net work. W indow s I nt e r ne t N a m ing Syst e m ( W I N S) : Resolves Net BI OS nam es t o I P addresses. D ir e ct or y Re plica t or : For replicat ion of dat a bet ween servers. Not usually configured on hom e net works. M e sse nge r : Sends and receives m essages from t he Adm inist rat or or Alert er service. N e t w or k D D E: Provides net work t ransport and securit y for Dynam ic Dat a Exchange ( DDE) . DDE was an old form of dat a- sharing bet ween applicat ions but is rarely used anym ore. N e t w or k D D E D SD M : Dynam ic Shared Dat a Manager ( DSDM) used by Net work DDE t o m anage shared dat a. Rarely used anym ore. Sch e du le : Schedules t asks t o execut e at a lat er or recurring t im e. Useful service, but not oft en needed for hom e net works. Sim ple TCP/ I P Se r vice s: Sm all set of ut ilit ies for TCP/ I P t hat are rarely used on sm all net works. Sim ple N e t w or k M a na ge m e n t Pr ot ocol ( SN M P) : Net work m anagem ent prot ocol used in large net works t o m onit or servers and availabilit y. Not required in sm all net works. Se r vice s for M a cin t osh : Can set up Macint osh usable shares t o int eroperat e wit h Macint osh com put ers. Not useful in environm ent s wit hout Macint osh com put ers.
•
FTP or Goph e r : I f you are using I nt ernet I nform at ion Server ( I I S) , do not inst all FTP or Gopher unless absolut ely necessary. These t ools are designed t o facilit at e file sharing and can easily be exploit ed t o share files you do not wish t o share.
Control Access to Event Logs Set or creat e t he following Regist ry keys t o rest rict anonym ous users from accessing inform at ion in your event logs. Hackers could use t he inform at ion in your event logs t o discover errors, soft ware versions or t ypes, and key inform at ion about exploit able weaknesses in t he syst em . Hive: HKEY_LOCAL_MACHINE\System Key: \CurrentControlSet\Services\Eventlog\System Key: \CurrentControlSet\Services\Eventlog\Application Key: \CurrentControlSet\Services\Eventlog\Security Name: RestrictGuestAccess Type: REG_DWORD Value: 0 Set t he perm issions on t hese keys t o Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Creat or Owner: Full Cont rol t o prevent hackers from alt ering t he cont ent s.
Delete Administrative Shares I n Windows NT and 2000, adm inist rat ive shares are shared direct ories t hat assist Adm inist rat ors in doing t heir j ob of connect ing t o and operat - ing syst em s on a net work. These direct ories are well known and point t o every drive you have ( C$, D$, E$, and so on) , as well as t o som e special direct ories, and t hus can pose a t hreat t o your securit y. Rem ove t hese well- known shares if your syst em Adm inist rat or does not need rem ot e access t hrough t hese shares. For sm all net works, you probably do not need t hese shares enabled. Hive: HKEY_LOCAL_MACHINE Key: \System\CurrentControlSet\Services\LanManServer\Parameters Name: AutoShareServer Type: REG_DWORD Value: 0
Secure Registry Keys Set t he appropriat e securit y on t he list ed keys as indicat ed. These keys represent areas of your syst em configurat ion t hat can be used t o creat e holes in your securit y or t o gain an at t ack point . Placing t he proper securit y on t he keys will reduce or elim inat e t he t hreat of som e at t acks.
N OTE The first t wo changes will prevent all users except Adm inist rat ors from inst alling soft ware on t he server. This usually isn't a problem , but if you
need users or ot her people t o inst all soft ware, do not m ake t he first t wo changes in t his list .
1. Change t he perm issions on HKEY_Local_Machine\ Soft ware\ Microsoft \ Windows\ Current Version from Everyone: Special Access t o Everyone: Read Cont rol, Query Value, Enum erat e Subkeys, Not ify. Leave all ot her values at t heir current set t ings. I f Aut hent icat ed Users group is present , reduce it t o t he sam e perm issions. 2. The subkeys AppPat hs, Uninst all, Run, RunOnce, and RunOnceEx should have t he perm issions set t o Everyone: Read and Aut hent icat ed Users: Read. Leave all ot her perm issions at t heir current set t ings. Propagat e t hese changes t o all subkeys below t hese keys. 3. The key HKEY_Local_Machine\ Soft ware\ Microsoft \ WindowsNT\ Current Version\ WinLogon should be rest rict ed t o Everyone: Read and Aut hent icat ed Users: Read. Leave any ot her perm issions at t he default s. 4. Hive: HKEY_LOCAL_MACHINE 5. Key: 6. \Software\Microsoft\WindowsNT\CurrentVersion\WinLogon 7. Name: AutoAdminLogon 8. Type: REG_DWORD 9. Value: 0 10. 11. Name: DefaultPassword 12. Type: REG_SZ 13. Value: (NONE) If this value has something here, clear that value so this is empty.
Removing Unneeded Subsystems You should rem ove t he OS2 and Posix subsyst em s from t he server. The OS2 and Posix subsyst em s were put int o Windows NT and Windows 2000 t o allow int eract ion bet ween Windows syst em s and t he OS2 operat ing syst em or a Unix- based operat ing syst em . Most hom e users will never have t he need t o do t his, so t he syst em s can be rem oved. To do t his, rem ove t he OS2 and Posix Regist ry values from t he HKLM\ Syst em \ Current Cont rolSet \ Services\ Session Manager\ SubSyst em s Regist ry key. Then delet e t he associat ed files ( os2* , posix* , and psx* ) in % syst em root % \ Syst em 32.
N OTE For t hose not fam iliar wit h t he * charact er in filenam es, t his m eans all files t hat st art wit h os2, posix, or psx and have any charact ers aft er t hose ( t he * is a wild card represent ing any one or m ore charact ers) .
Control Access to Performance Data Cont rol access t o t he following key so an at t acker cannot view perform ance dat a about your syst em and t hen perhaps use t hat dat a t o st art an at t ack on t he syst em . Set or creat e t he following set t ings in t he Regist ry: Rem ove t he perm issions of t he Everyone and Aut hent icat ed Users groups from t he Regist ry key HKEY_Local_Machine\ Soft ware\ Microsoft \ WindowsNT\ Current Version\ PerfLib. D o not set t he perm issions t o NONE; sim ply rem ove t hose groups from being list ed on t he ACL.
Why Protect Your Performance Data?
You can probably see why you need t o prot ect t he t hings we've been t alking about from pot ent ial t hreat s. Syst em files, Regist ry configurat ion dat a, and your personal inform at ion all have a pret t y direct im pact on how your syst em operat es and what you do wit h your syst em . Personal dat a is t he reason for doing all of t his. Prot ect ing it is prot ect ing your inform at ion ( and your fam ily's) from t he rest of t he world. But why prot ect t he perform ance dat a of your syst em ? What harm could it be if som eone sees whet her your com put er is slower t han t heirs? There are t wo reasons. First , by viewing perform ance dat a, an at t acker can gat her inform at ion about your syst em and t he soft ware you m ight have inst alled, errors you are experiencing, or even how m any drives you have. This dat a m ight show t hem a new pat h t o t ry t o exploit t hat t hey hadn't t hought of previously. Second—and probably t he m ain reason—is t hat if som eone can profile your perform ance on your com put er, t hey will know when and how you use your syst em . Then t hey can plan t o at t ack when you are not expect ing it , when it is hard t o det ect an at t ack, or even when you are t ypically away from your syst em . Knowing when t o at t ack your syst em gives hackers a huge advant age in t heir abilit y t o hide t he at t acks and be successful.
Disable Logon Caching To ensure t hat Server Adm inist rat ors have t o log on against t he Dom ain Cont roller Account Dat abase, t urn off logon caching by set t ing or creat ing t he following in t he Regist ry. The Dom ain Cont roller Account Dat abase is t he cent ral dom ain st ore of user account s and com put ers. By forcing t he local syst em t o not cache ( st ore locally) t hose credent ials, you force t he request t o be sent t o t he dom ain cont roller for aut hent icat ion. The dom ain cont roller is t he com put er t hat keeps t rack of all logons on t he dom ain and is t he aut horit y on who can and can't log on. This m eans t hat a previous Adm inist rat or can't disconnect t he net work cable, log on by using cached credent ials, and t hen reconnect t he cable t o get back ont o t he net work.
N OTE I f you use t his set t ing, be sure t o m ake t he local Adm inist rat or account logon available t o Adm inist rat ors in case of em ergency. I f t he server is off t he net work due t o failed NI C or ot her issue, t his set t ing can m ake it im possible for Adm inist rat ors t o log on t o t he server wit h t heir dom ain account . This local Adm inist rat or account is built in t o allow adm inist rat ive access t o t he syst em when t he dom ain cont roller isn't available, and it cannot be disabled or rem oved.
Hive: HKEY_LOCAL_MACHINE Key: \Software\Microsoft\WindowsNT\CurrentVersion\ WinLogon Name: CachedLogonsCount Type: REG_DWORD Value: 0
Turn On Auditing of Base Objects For syst em s requiring high securit y, you should t urn on audit ing of Base Obj ect s. Base Obj ect s are low- level syst em obj ect s used prim arily by t he operat ing syst em t o do t he basic funct ions of com put ing. Det ailed discussion is a bit beyond t he int ended t echnical level of t his book, but audit ing of t hese obj ect s can oft en cat ch hackers, who can use t hese obj ect s in t heir program s t o help gain cont rol of a syst em . This audit ing will let you gat her dat a for m ore obj ect s in t he operat ing syst em and t herefore get a bet t er idea of what is happening. The down- side is t he perform ance cost s for audit ing, so use it wit h discret ion if perform ance is a m aj or issue or you are working on a m id- t o low- end syst em . To t urn on ext ended audit ing, set or creat e t he following set t ings in t he Regist ry. You can find det ailed descript ions of t he effect s of t hese changes in t he Windows NT Resource Kit or on TechNet . Hive: HKEY_LOCAL_MACHINE Key: \System\CurrentControlSet\Control\LSA Name: AuditBaseObjects Type: REG_DWORD Value: 1 Hive: HKEY_LOCAL_MACHINE Key: \System\CurrentControlSet\Control\LSA Name: FullPrivilegeAuditing Type: REG_DWORD Value: 1
TCP/IP Security From t he TCP/ I P propert ies page, select Advanced and t hen select Perm it Only. Allow only t he port s you will need t o use t o com m unicat e wit h t his server. I f you do not know what port s will be used or which ones t o set , do not use t his set t ing. I nst ead, rely on your rout er packet filt ering. I f you block cert ain TCP/ I P port s on your servers, t hey m ight funct ion abnorm ally or st op funct ioning alt oget her.
False Administrator Account I f you are in an exposed sit uat ion or suspect you m ight be under at t ack, you m ight wish t o creat e an account nam ed Adm inist rat or and t hen disable or rem ove as m uch privilege from it as you can. Change t he default group t o Dom ain Guest s and rem ove t his account from Dom ain Users. Then audit t his account t o see if logon at t em pt s are being m ade against it . This m ight indicat e an at t acker t rying t o use t he account or guess it s password.
Secure the AllowedPaths Key(s) in the Registry On syst em s requiring a high degree of securit y or ones suspect ed of being under at t ack current ly, you can m ake t he following changes t o help prot ect your syst em . I do not recom m end m aking t hese changes unless you need t o, because som e of t hem could im pact rem ot e operat ions.
Resource Kit, MSDN, and TechNet
Microsoft provides several resources for underst anding, t roubleshoot ing, m anaging, and program m ing t heir operat ing syst em s. Three of t hese t ools are t he Resource Kit , t he Microsoft Developer Net work ( MSDN) , and TechNet . Th e Re sour ce Kit : This is pret t y m uch exact ly what it sounds like: a collect ion of syst em resources t o help you operat e t he Windows environm ent bet t er. The kit cont ains t ools, docum ent s, and script s t o help you m anage such funct ions as adding m any users at once, writ ing script s t o do t asks for you, and t roubleshoot ing various part s of t he net work or operat ing syst em . I t even includes som e st uff t hat j ust plain explains how t hings work. The Resource Kit is usually available for a sm all fee or in conj unct ion wit h a print ed book t hat has even m ore det ails about t he OS. M icr osoft D e ve lope r N e t w or k ( M SD N ) : A collect ion of CDs cont aining inform at ion t arget ed at people developing Windows applicat ions. What 's nice is t hat t his dat a is oft en very useful when you are t roubleshoot ing difficult problem s or want ing t o writ e script s or program s t o help you m anage your com put er bet t er. Hom e users m ight be overwhelm ed quickly by t his dat a, but as you get t o be a m ore advanced user, keep t his one in m ind. Check out m sdn.m icrosoft .com / for m ore inform at ion. Te ch N e t : The m ainst ay of Windows t roubleshoot ing. This is a collect ion of resources available on t he Web or as a set of CDs and designed for t he support and m aint enance of Windows syst em s. Anyone who has spent any t im e as an Adm inist rat or or support person for Windows probably has a copy of or links bookm arked t o TechNet . TechNet cont ains t he Knowledge Base ( a dat abase of problem s and solut ions) , whit e papers, product specificat ions, and general inform at ion about how t o deploy, use, m aint ain, and repair Windows syst em s. Check it out on t he Web at t echnet .m icrosoft .com / .
Change t he group Everyone t o I nt eract ive on all subkeys beneat h Allow edPat hs except AEDebug, Drivers, Drivers.Desc, I m age File Execut ion Opt ions, MCI 32, and WOW. On t he keys list ed, set Everyone: Read. Leave all ot her group perm issions at t he current set t ings.
Securing Windows 2000 Servers I f you have Windows 2000 servers, you can use t he following t echniques and set t ings t o secure your servers. You should set t hese in addit ion t o what has already been discussed in t his chapt er and in Chapt er 3.
Security Policy Settings Table 4- 1 represent s t he set t ings recom m ended for use on your Windows 2000 Server syst em . You can set or view t hese set t ings in t he Securit y Opt ions sect ion of t he Local Policies. These are found in t he Local Securit y Set t ings applet of t he Adm inist rat ive Tools in t he Cont rol Panel.
Ta ble 4 - 1 . Se cu r it y Policy Se t t in gs for W in dow s 2 0 0 0 Se r ve r Policy
Se t t ing
Addit ional Rest rict ions for Anonym ous Connect ions
No access wit hout explicit anonym ous perm issions.
Allow Syst em t o Be Shut Down Wit hout Having t o Log On
Disabled.
Audit Use of Backup and Rest ore Privilege
Enabled.
Clear Virt ual Mem ory Pagefile When Syst em Shut s Down
Enabled.
Digit ally Sign Client Com m unicat ion ( Always)
Enabled ( for high securit y) .
Digit ally Sign Client Com m unicat ion ( When Possible) . Server and client check t o see if bot h support t his opt ion. I f not , it is not rej ect ed; t hey j ust don't sign t he com m unicat ion.
Enabled ( for m edium securit y) .
Digit ally Sign Server Com m unicat ion ( Always)
Enabled ( for high securit y) .
Digit ally Sign Server Com m unicat ion ( When Possible) . Server and client check t o see if bot h support t his opt ion. I f not , it is not rej ect ed; t hey j ust don't sign t he com m unicat ion.
Enabled ( for m edium securit y) .
CTRL- ALT- DEL Requirem ent for Logon
Disabled.
Ta ble 4 - 1 . Se cu r it y Policy Se t t in gs for W in dow s 2 0 0 0 Se r ve r Policy
Se t t ing
Do Not Display Last User Nam e in Logon Screen
Enabled ( for m ult i- user syst em s) .
LAN Manager ( LM) Aut hent icat ion Level
Send NTLMv2 responses only/ refuse LM & NTLM. ( LM, NTLM, and NTLMv2 are all t ypes of aut hent icat ion support ed by Windows syst em s of various t ypes. Not all versions of Windows will support all t ypes unt il Windows 2000.)
Message Text for Users At t em pt ing t o Log On
Get from your legal depart m ent .
Message Tit le for Users At t em pt ing t o Log On
Get from your legal depart m ent . Som et hing along t he lines of " Aut horized Users Only."
Num ber of Previous Logons t o Cache ( in case dom ain cont roller is not available)
0
Prevent Users From I nst alling Print er Drivers
Enabled.
Recovery Console: Allow Aut om at ic Adm inist rat ive Logon
Disabled.
Renam e Adm inist rat or Account
Renam e t his t o som et hing ot her t han " adm in" or " adm inist rat or."
Rest rict CD- ROM Access t o Locally Logged- On User Only
Enabled.
Rest rict Floppy Access t o Locally Logged- On User Only
Enabled.
Secure Channel: Digit ally Encrypt or Sign Secure Channel Dat a ( Always)
Enabled ( for high securit y) .
Secure Channel: Digit ally Encrypt Secure Channel Dat a ( When Possible)
Enabled ( for m edium t o high securit y) .
Secure Channel: Digit ally Sign Secure Channel Dat a ( When Possible)
Enabled ( for m edium securit y) .
Secure Channel: Require St rong ( Windows 2000 or Lat er) Session Key
Enabled ( for ult ra- high securit y) .
Send Unencrypt ed Password t o Connect t o Third- Part y SMB Servers
Disabled.
Shut Down Syst em I m m ediat ely I f Unable t o Log Securit y Audit s
Disabled.
Ta ble 4 - 1 . Se cu r it y Policy Se t t in gs for W in dow s 2 0 0 0 Se r ve r Policy
Se t t ing
St rengt hen Default Perm issions of Global Syst em Obj ect s ( e.g., Sym bolic Links)
Enabled.
Unsigned Driver I nst allat ion Behavior
Do not allow.
Unsigned Non- Driver I nst allat ion Behavior
Do not allow.
Windows 2000 Minimum Services For a m edium - t o high- securit y syst em , t he following services are t he only ones recom m ended. The ast erisks ( * ) indicat e t he m inim um services required. Ot her services m ight be present from soft ware inst allat ions such as backup or ant ivirus soft ware packages. • • •
• • •
•
•
•
•
•
•
•
D N S Clie n t * : The client soft ware for Dom ain Nam ing Syst em ( DNS) services on a com put er. DNS resolves nam es such as Microsoft .com t o I P addresses such as 120.120.120.3 for hum ans t o use. Eve nt Log* : Operat es your syst em 's event logs. I PSe c Policy Age n t : Only required if you are using I P Sec, so not required unless you have a high- risk profile. Logica l D isk M a na ge r * : Manages port ions of your disk drives. N e t w or k Con n e ct ions M a na ge r * : Manages net work connect ions. Plu g a n d Pla y* : Soft ware t hat operat es Plug and Play, used t o det ect and m anage t he hardware on your syst em . Pr ot e ct e d St or a ge * : Secure dat a st ore on your syst em used by m any operat ing syst em funct ions. Re m ot e Pr oce du r e Ca ll* : Manages rem ot e procedure calls ( RPCs) , t he basic com m unicat ion m echanism t hat allows your syst em t o operat e. Re m ot e Re gist r y Se r vice : Allows rem ot e access t o t he Regist ry; used only as required t o access t he Regist ry rem ot ely. Ru nAs se r vice : Execut es soft ware under different securit y I D from t he current ly logged- on user. Used only for sm all- business net works or net works wit h dedicat ed Adm inist rat ors. Se cur it y Account s M a na ge r * : Manages users and groups on t he local syst em . Se r ve r ( w h e n sha r ing r e sou r ce s) : Shares files, direct ories, and devices ( such as print ers) wit h ot her syst em s and users. W or k st a t ion ( w he n con n e ct ing t o r e sour ce s) * : Request s and uses shared resources on ot her syst em s ( t he opposit e of t he Server service) .
For a dom ain cont roller you need: •
•
D N S Se r ve r : Helps resolve nam es t o I P addresses and t he reverse. Not a requirem ent if you have t his service from an I SP. File Re plica t ion Se r vice : Copies files from one syst em t o anot her on a regular basis.
•
• • •
Ke r be r os Ke y D ist r ibu t ion Ce nt e r : Securit y and aut hent icat ion st andard used by Windows 2000; not present on Windows NT or Win9x syst em s. N e t Logon : Request s and fulfills logon request s. N T LM Se r vice Pr ovide r : Used by t he securit y syst em s of t he operat ing syst em . RPC Loca t or : Locat es rem ot e procedure call services on t he net work.
SysKey SysKey is a ut ilit y t hat can increase t he securit y of your syst em by encrypt ing part s of t he operat ing syst em it self. SysKey is available in Windows NT 4.0 aft er Service Pack 3 but com es inst alled by default in Windows 2000. Ordinarily I wouldn't recom m end changing set t ings, but if you have a need for st rong securit y or suspect you are current ly under at t ack, you m ight wish t o configure Windows 2000 t o require a password or encrypt ion key from floppy disk t o boot up.
N OTE This m eans t he syst em will not reboot unat t ended, so use Sys Key wit h caut ion. To configure SysKey, you run SYSKEY from t he com m and line and t hen use t he Updat e opt ion.
IPSec Filtering I PSec, short for I nt ernet Prot ocol Securit y, is a set of rules for defining how dat a can be shared securely on an I P net work. I PSec is a relat ively advanced t opic, so I 'll only cover t he basic set up here. I f you have quest ions or wish t o dig deeper int o I PSec, I suggest Crypt ography Decrypt ed by H. X. Mel and Doris M. Becker. [ 1] [ 1] Mel H. X. and Doris M. Becker. Crypt ography Decrypt ed. Bost on, MA: Addison- Wesley, 2000.
You can view or change t he I P Securit y ( I PSec) Policy by changing set t ings in t he Local Securit y Set t ings applet in t he Adm inist rat ive Tools sect ion of t he Cont rol Panel ( see Figure 4- 3) .
Figu r e 4 - 3 . Se t t in g u p I PSe c policy
By using anot her part of I PSec called TCP/ I P filt ering, you can filt er out or allow t raffic t o t his specific server based on prot ocol. I recom m end doing t his only if you
know what t raffic you'll be using on t his server and if you require st rong securit y. Ot herwise, depending on your border rout ers t o do your filt ering will m ost likely be enough. Use t he Help funct ions t o learn m ore about using t his feat ure in Windows 2000. Even m ost large com panies do not t ake t his st ep, which can be a perform ance problem . Use I PSec only if you really require it or if you have a net work card designed t o support it . You can set TCP/ I P filt ering by going t o t he Advanced Opt ions sect ion of t he TCP/ I P propert ies page, select ing TCP/ I P Filt ering, and t hen clicking t he Propert ies but t on ( see Figure 4- 4) .
Figu r e 4 - 4 . Se t t in g u p TCP/ I P filt e r in g
N OTE This illust rat ion is only an exam ple of a filt ering suggest ion. Do not rest rict your TCP/ I P t o only t hose port s shown here.
Tightening TCP/IP You can apply a num ber of TCP/ I P set t ings t hat will increase your syst em securit y and m ake t hings a bit m ore st able. Make or creat e t he following keys and set t ings in your Regist ry: Hive: HKEY_LOCAL_MACHINE Key: \System\CurrentControlSet\Services\Tcpip\Parameters: Name: SynAttackProtect
Type: REG_DWORD Value: 2 Name: EnableICMPRedirects Type: REG_DWORD Value: 0 Name: KeepAliveTime Type: REG_DWORD Value: 0x493E0 (which is 5 minutes).
"Special" Files For syst em s requiring st ronger securit y, you can m ove certain applicat ions t o a new direct ory called Tools. Set t he Access Cont rol List ( ACL) on t he direct ory so LocalSyst em and Adm inist rat ors do not have Read or Execut e Perm issions t o t his direct ory. ( Do not set t hose groups t o NONE, but sim ply rem ove t hem from any ACLs t hey m ight be set on current ly.) Then creat e a new group called ToolsUsers and set t his group t o Read and Execut e perm issions on t he new direct ory. Add t his new Tools direct ory t o your pat h as well. These t ools are syst em - diagnosis and m anagem ent t ools t hat can be easily used t o com prom ise your syst em . Because t hey are oft en st ored in known locat ions, hackers can use t hem t o break int o your syst em if t hey are not prot ect ed. Not prot ect ing t hese files is a bit like leaving bolt cut t ers next t o a padlocked gat e. I 'm not going t o discuss each t ool, but t hey are all syst em t ools or applicat ions. • • • • • • • • • • • • • • • • • • • • • • • • • • •
arp.exe nbt st at .exe net .exe at svc.exe ping.exe posix.exe rcp.exe debug.exe regedt 32.exe rexec.exe edlin.exe Runonce.exe secfixup.exe ft p.exe t racert .exe ipconfig.exe at .exe net st at .exe nslookup.exe cacls.exe qbasic.exe rdisk.exe regedit .exe edit .com rout e.exe rsh.exe finger.exe
• • •
syskey.exe t elnet .exe xcopy.exe
Other Steps You m ight wish t o use t he Encrypt ing File Syst em on direct ories where sensit ive inform at ion is st ored. To enable t his opt ion on a direct ory, right - click on t he direct ory and select t he Propert ies m enu opt ion. On t he General t ab, click Advanced and check t he box for " Encrypt cont ent s t o secure dat a." Then click OK t wice.
Server Security Checklist Microsoft provides a checklist at www.m icrosoft .com / t echnet / t reeview/ default .asp?url= / t echnet / securit y/ t ools/ t ools.a sp, but I have creat ed a checklist for you by using t heirs and ot her resources ( see Table 4- 2) .
Ta ble 4 - 2 . Se r ve r Se cu r it y Ch e ck list Se cu r it y St e p
Have you done all t he st eps in t he workst at ion securit y checklist first ? I s your server soft ware up- t o- dat e on pat ches and service packs? \ REPAI R\ set t o Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol and rem ove all ot her perm issions. \ SYSTEM32\ CONFI G\ set t o Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Creat or Owner: Full Cont rol, Aut hent icat ed: List \ SYSTEM32\ SPOOL\ set t o Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Creat or Owner: Full Cont rol, Aut hent icat ed Users: Read, Server Operat ors: Change \ COOKI ES, \ FORMS, \ HI STORY, OCCACHE set t o Adm inist rat ors: Full Cont rol, Creat or Owner: Full Cont rol, Aut hent icat ed Users: Special Direct ory Access ( R, W, X) , Aut hent icat ed Users: Special File Access ( R) . \ PROFI LES, \ PROFI LES\ XXXX\ SENDTO, \ TEMPORARY I NTERNET FI LES set t o Syst em : Full Cont rol. I n t his case, XXXX represent s a usernam e and t here m ay be m any of t hese keys t o secure, depending on t he num ber of users on t he server.
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Ta ble 4 - 2 . Se r ve r Se cu r it y Ch e ck list Se cu r it y St e p
I n t he Root Direct ory set t he perm issions on \ TEMP t o Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Creat or Owner: Full Cont rol, Aut hent icat ed Users: Special Direct ory Access ( R, W, X) , Aut hent icat ed Users: Special File Access ( R) . On t he files BOOT.I NI , NTLDR, and NTDETECT.COM, set Adm inist rat ors: Full Cont rol and Syst em : Full Cont rol. On t he files AUTOEXEC.BAT and CONFI G.SYS ( if present ) , set Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Aut hent icat ed Users: Read. Did you t urn on Audit Logon Event Success and Failure, Account Managem ent Event s Success and Failure, Logon Event s Success and Failure, Obj ect Access Success and Failure, Policy Change Success and Failure, Syst em Event s Success and Failure? Set t he account policies t o t he list ed set t ings: Enforce Password Hist ory: 5 Maxim um Password Age: 60–90 days Minim um Password Age: 1 Account Lockout Threshold: 5 Account Lockout Durat ion: 240 Reset Account Lockout Threshold: Never ( Manually Reset ) Disable or unbind from ext ernal int erfaces: Alert er Clipbook Server Dynam ic Host Configurat ion Prot ocol ( DHCP) Windows I nt ernet Nam ing Syst em ( WI NS)
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Ta ble 4 - 2 . Se r ve r Se cu r it y Ch e ck list Se cu r it y St e p
Direct ory Replicat or Messenger Net work DDE Net work DDE DSDM Schedule Sim ple TCP/ I P Services Sim ple Net work Managem ent Prot ocol ( SNMP) Services for Macint osh I f you are using I I S, do not inst all FTP or Gopher unless absolut ely necessary. Did you enable and password- prot ect a screen saver, preferably one t hat forces logoff? Hive: HKEY_LOCAL_MACHI NE Key: \ Syst em \ Current Cont rolSet \ Services\ Event log\ Syst em Key: \ Syst em \ Current Cont rolSet \ Services\ Event log\ Applicat ion Key: \ Syst em \ Current Cont rolSet \ Services\ Event log\ Securit y Nam e: Rest rict Guest Access Type: REG_DWORD Value: 0 Adm inist rat ors: Full Cont rol, Syst em : Full Cont rol, Creat or Owner: Full Cont rol
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Ta ble 4 - 2 . Se r ve r Se cu r it y Ch e ck list Se cu r it y St e p
Hive: HKEY_LOCAL_MACHI NE Key: \ Syst em \ Current Cont rolSet \ Services\ LanManServer\ Param et ers Nam e: Aut oShareServer Type: REG_DWORD Value: 0 Change t he perm issions on HKEY_Local_Machine\ Soft ware\ Microsoft \ Windows\ Current Version\ from Everyone: Special Access t o Everyone: Read Cont rol, Query Value, Enum erat e Subkeys, Not ify. Leave all ot her values at t heir current set t ings. I f Aut hent icat ed Users group is present , reduce it t o t he sam e perm issions. AppPat hs, Uninst all, Run, RunOnce, RunOnceEx should have t he perm issions set t o Everyone: Read and Aut hent icat ed Users: Read. Leave all ot her perm issions at t heir current set t ings. Propagat e t hese changes t o all subkeys below t hese keys. The key HKEY_Local_Machine\ Soft ware\ Microsoft \ WindowsNT\ Current Version\ WinLogon should be rest rict ed t o Everyone: Read and Aut hent icat ed Users: Read. Leave any ot her perm issions at t he default s. Hive: HKEY_LOCAL_MACHI NE Key: \ Soft ware\ Microsoft \ WindowsNT\ Current Version\ WinLogon Nam e: Aut oAdm inLogon Type: REG_DWORD Value: 0
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Ta ble 4 - 2 . Se r ve r Se cu r it y Ch e ck list Se cu r it y St e p
Nam e: Default Password Type: REG_SZ Value: ( NONE) I f t his value has som et hing here, clear t hat value so t his is em pt y. Did you rem ove t he Posix and OS2 subsyst em s? Rem ove t he perm issions of t he Everyone and Aut hent icat ed Users groups from t he Regist ry key HKEY_Local_Machine\ Soft ware\ Microsoft \ WindowsNT\ Current Version\ PerfLib. D o n ot set t he perm issions t o NONE; sim ply rem ove t hose groups from being list ed on t he ACL. Hive: HKEY_LOCAL_MACHI NE Key: \ Soft ware\ Microsoft \ WindowsNT\ Current Version\ WinLogon Nam e: CachedLogonsCount Type: REG_DWORD Value: 0 High- Securit y Syst em s Hive: HKEY_LOCAL_MACHI NE Key: \ Syst em \ Current Cont rolSet \ Cont rol\ LSA Nam e: Audit BaseObj ect s Type: REG_DWORD Value: 1 Hive: HKEY_LOCAL_MACHI NE Key: \ Syst em \ Current Cont rolSet \ Cont rol\ LSA
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Ta ble 4 - 2 . Se r ve r Se cu r it y Ch e ck list Se cu r it y St e p
Nam e: FullPrivilegeAudit ing Type: REG_DWORD Value: 1 Did you set up TCP/ I P Filt ering for ext ra securit y? Did you creat e a false Adm inist rat or account and set up audit ing t o wat ch it s act ivit y? Did you secure t he AllowedPat hs keys? W in dow s 2 0 0 0 Se r ve r s Did you set t he Syst em Securit y Policies as indicat ed in Chapt er 4, Securing Your Servers? Did you reduce or elim inat e unneeded services? Did you change t he SysKey set t ings? Did you set up any I P Filt ering? Did you t ight en t he TCP/ I P set t ings? Did you rest rict access t o special execut able files? Did you set up t he Encrypt ing File Syst em on direct ories t hat cont ain sensit ive dat a?
Re cor d Old Se t t ing ( if a ppr opr ia t e )
Date New Ch a n ge d Se t t ing
Chapter 5. Connecting to the Internet (Growing into a Village) The Sm it hs picked a great locat ion. So great , in fact , t hat ot hers soon cam e t o live nearby. Over t im e, t heir hom est ead t urned int o a group of farm s and event ually grew int o a sm all village. John Sm it h was elect ed t he m ayor of t his village, and t he village t hrived. As t he village grew, t hey built roads t o ot her t owns, villages, and cit ies around t he area, hoping t o encourage t rade and com m unicat ion. The roads also brought new dangers t o prot ect against . Thieves out in t he count ryside t hreat ened t ravelers. All kinds of people could ride int o t he village on t he new roads, and som e m ight not be t rust wort hy. This up- andcom ing village had plent y of new t rouble t o wat ch out for. Som e resident s t hought t o t hem selves, " Our hom es are safe; t hose t hieves are far away from here." Ot hers t hought , " I t is easy t o cat ch t he bad guys, so we'll be prot ect ed. Besides, we have not hing t hey want ." But John knew bet t er. He t alked t o local officials and used t he sam e t hinking t hat had kept his hom e safe for all t hese years. John appoint ed a sheriff t o help enforce t he laws and allowed som e of t he resident s t o be deput ies. The villagers built walls around som e crit ical areas and added a st rong vault for t he bank, corrals for t he horses, and barns and st ore- houses for food. The t ownspeople also all wat ched out for each ot her. They were neighbors and friends, who helped one anot her and kept an eye on unusual t hings. John even had t he sheriff and t he deput ies ride t he roads t o check for t rouble.
Types of Connections You can connect your net work or com put er t o t he I nt ernet in several ways. These involve plent y of differences, but also som e im port ant sim ilarit ies. First , you m ust be running TCP/ I P as your net work prot ocol.
Why Should You Worry?
During t he week of February 9, 2000, several of t he biggest and best e- com m erce sit es ( Buy.com , Am azon.com , Yahoo.com , and eBay.com , am ong ot hers) were t aken down in a Denial of Service ( DoS) t hat was t he first of it s kind t o hit so broadly. The DoS was generat ed in a dist ribut ed fashion, originat ing from lit erally hundreds of syst em s across t he world and generat ing m assive volum es of t raffic. The sit es were overwhelm ed wit h t he t raffic, and event ually servers were unable t o answer legit im at e request s. Tracking t he problem was difficult because t he source of t he t raffic was com put ers t hat were unwit t ing accom plices. People like you and m e owned t hose com put ers, as did large com panies, universit ies, and m any ot hers. The
original cracker plant ed " zom bie" code on t hese boxes when t hey were unprot ect ed and t hen lat er sent a sim ple com m and so t he com put ers st art ed sending net work request s t o t he t arget . I t was very effect ive. Anot her exam ple is a program t hat surfaced a while back called Back Orifice ( BO) — supposedly a play on t he nam e of Microsoft 's Back Office. This program is a Troj an horse t hat allows t he owner t o do a wide variet y of t hings on any syst em wit h t his soft ware on it . I f I were running BO, I could at t ach t o your syst em and open t he CD t ray, record your keyst rokes, m ove your m ouse, and m ore. That is pret t y scary, but worse, t hen BO would publish your I nt ernet address t o a place where ot her hackers could find it and use your syst em t oo. Let 's say you are browsing t he I nt ernet and you get an e- m ail m essage. The m essage appears t o be from som eone whose nam e you don't know, but t he subj ect says " Here's t hat file we t alked about ." You're curious, so you open t he m ail and see t hat it says, " This one cracked m e up, you should check it out ." You figure it 's som e hum or m ail, probably from som eone who knows you at t he office, so you open t he file. I t t akes you t o a Web sit e and says " Loading . . . One Mom ent . . ." At t his point you m ight be perfect ly safe, or you could be in big t rouble. I f t his is a m alicious hacker's at t em pt t o com prom ise your syst em , t hey m ight well have succeeded. The m ail was sent wit h a Troj an- horse program at t ached, and when you opened t he file, it inst alled t he program , possibly in addit ion t o doing what was advert ised or prom ised in t he m essage. Now t he hacker can " visit " your syst em any t im e you are connect ed t o t he I nt ernet . That 's all t he t im e if you're using DSL, cable, or I SDN, so t he hacker has essent ially unlim it ed use of your syst em . I f you're able t o cont rol file access, you m ight st op som e of t hese act ivit ies, but not all. A really t ricky hacker can even send an e- m ail m essage t o your com pany as if it cam e from you, t elling your boss you quit or t hat you want an out rageous raise. You don't have t o be running it on your syst em , but you do need t o be running it at t he point where you connect t o t he I nt ernet . TCP/ I P is t he net work prot ocol t he I nt ernet uses t o operat e. That m eans it is t he language t he I nt ernet speaks. I f you're wondering why t his is im port ant t o securit y, t hink back t o Chapt er 3, Securing Your Com put er, where we t alked about prot ocol isolat ion. Not speaking t he sam e language as everyone else increases your securit y. When you speak t he sam e language, at t ackers already know som e t hings about you and have a m eans of " t alking" t o your syst em . At t acks t hat can be carried out wit h only t his knowledge are lim it ed, but it is one less piece of inform at ion hackers m ust figure out before t hey can m ake an at t ack on your syst em . Second, m ost people use t he I nt ernet in predict able and som ewhat lim it ed ways. By far, m ost people use e- m ail, browse t he Web, and m aybe chat via I RC or inst ant m essaging services such as I CQ or AOL I nst ant Messenger. Coupled wit h t he fact t hat m ost users are uneducat ed or lax about securit y, t hese predict able behaviors can be used t o m ount at t acks against t arget ed net works or syst em s. An at t acker who knows your behavior and what applicat ions or prot ocols you're using m ost frequent ly can narrow down t he num ber of t hings t o t ry first in an at t ack. Your connect ion t ype is im port ant because an at t acker can only work when you are connect ed t o t he I nt ernet . I f your connect ion is always on and has a st at ic I P address ( one t hat doesn't change regularly) , at t ackers have m ore hours per day t o t ry t o get in. You can see, t hen, t hat picking t he right connect ion t ype and knowing
it s exposure is an im port ant aspect of securit y. I 'm not recom m ending t hat you m ove back t o dial- up connect ions, but rat her t hat you underst and t he securit y issues involved wit h using t he various connect ion t ypes available t oday. Here are som e of t hose issues: • • •
• • •
D ia l- u p con n e ct ion : Using a st andard phone line t o dial in t o an I nt ernet service provider. This connect ion is not always present and oft en assigns I nt ernet addresses ( I P addresses) dynam ically. I SD N ( in t e gr a t e d se r vice s digit a l n e t w or k ) conn e ct ion : An always- on connect ion t hat uses a special m odem t o connect at high speeds over dedicat ed lines. I t can assign perm anent addresses or dynam ic ones, depending on t he service provider. D SL ( digit a l subscr ibe r lin e ) con n e ct ion : Com es in t wo variet ies: synchronous and asynchronous. ( Their differences are beyond t he scope of t his book and not ext rem ely relevant t o securit y.) These are always- on connect ions t hat can assign addresses dynam ically or st at ically, but usually st at ically. Ca ble m ode m con n e ct ion : Runs t hrough cables t hat used t o carry only t elevision signals but now carry net work t raffic t oo. Connect ions are oft en shared wit h ot her local cable users, but not always. I P addresses can be st at ic or dynam ic. Sa t e llit e syst e m conn e ct ion : Oft en configured t o download from t he sat ellit e dish but upload across an at t ached m odem and your phone line. Addresses can be st at ic or dynam ic and are not considered " always on." W e bTV/ I nt e r n e t a pplia n ce : Generally connect ed t hrough phone or cable connect ions. Oft en are j ust souped- up browsers wit h securit y equivalent t o browsing t he Web ( discussed in lat er chapt ers) .
What does it m ean when we say I P addresses are st at ic or dynam ic? St at ic addresses are like your hom e address. Once you get an address, it st ays wit h you unt il you m ove. An I P address is assigned by your I nt ernet service provider ( I SP) while you are get t ing your service t hrough t hem . The I SP assigns dynam ic addresses, t oo, but t hey have expirat ion dat es and can change over t im e. The prot ocol for t his is DHCP ( dynam ic host configurat ion prot ocol) , which m anages t he assignm ent addresses from a pool of addresses used by t he I SP. I f you want t o invest igat e DHCP a bit m ore, you can find det ails about t he full DHCP prot ocol in RFC 2131 at www.rfc- edit or.org/ rfc.ht m l. ( Som e good inform at ion is also locat ed at www.dhcp.org.) The securit y im plicat ions of st at ic versus dynam ic are oft en m inim al. While it is t rue t hat a st at ic address m akes a com put er easier t o find on successive connect ion at t em pt s, using DHCP doesn't m ake locat ing t he t arget syst em t hat m uch m ore difficult . So in short , dynam ic addresses are m ore secure, but only slight ly so, and cert ainly not enough m ore secure t hat you don't need t o use ot her securit y m easures t o prot ect your syst em .
Basic Internet Security What can you do, t hen, t o help secure your syst em when it 's exposed t o t hreat s? Let 's st art wit h t he basics. You need t o t ake t he following st eps t o secure your syst em when you're connect ed t o t he I nt ernet . We've already covered m any of t hese st eps, so t his is j ust a rem inder. Rem em ber t hat t hese are t he foundat ions of good securit y, and if you do not follow t hese, all your ot her securit y m easures will lose effect iveness.
• •
• •
•
• •
Secure your operat ing syst em t o t he best level it support s. To be t ruly securable, t he OS m ust support user ident it ies, securit y at t he file- syst em level, and audit ing of act ivit ies on t he syst em . Don't run program s from unknown sources, including execut ing program s, script s, or files cont aining m acros. Use an ant ivirus program and be sure it scans your syst em regularly. Do not give out your password or logon inform at ion, and be careful wit h your personal inform at ion. Know your risk, and be aware of t he value of t he dat a on your syst em t o yourself and ot hers. Don't assum e out - of- t he- box securit y is enough. Turn on audit ing if your operat ing syst em support s t his opt ion.
Advanced Internet Security Now let 's look at a few m ore advanced opt ions for I nt ernet securit y. These opt ions are not required for m ost people; however, if you rat ed your risk as High, you should consider som e or all of t hese opt ions. ( Again, we've t alked about som e of t hese in earlier chapt ers.) •
•
Fir e w a lls: A firewall is som e hardware—or a com binat ion of hardware and soft ware—t hat cont rols access t o t he t raffic in and out of your net work. Hm m m , sounds com plex. I ndeed firewalls can be very com plex, but t hey can be sim ple t oo. Think of firewalls as t he fences and gat es t hat eit her allow t raffic t hrough or not . The t ypical hom e user doesn't need t he power t hat m ost full- fledged firewalls offer. I nst ead, soft ware packages called " personal firewalls" can serve t he purpose for hom e users j ust fine. Generally speaking, t hese soft ware packages should be capable of cont rolling out going and incom ing t raffic and set t ing " rules" concerning what t raffic is okay and what isn't . They should also provide audit ing or logging funct ions t o let you det erm ine if som eone is t rying t o access your syst em wit hout your perm ission. You can find m ore inform at ion about firewalls, as well as reviews and suggest ions about which product s are best for you and your sit uat ion, at www.firewallguide.com . Pr ox y se r ve r s: Different proxy servers will give you different funct ions, so I 'll cover t he basic concept first and t hen t alk about som e feat ures you can find in t hese devices. Webst er's dict ionary [ 1] defines proxy as " aut horit y or power t o act for anot her," and t hat is exact ly what happens here. A proxy server " act s on your behalf" on t he I nt ernet while your syst em sit s behind t he proxy, prot ect ed. All request s for Web pages, e- m ail, chat , inst ant m essaging, and such all are m ade from your syst em s t o t he proxy server. The proxy server t hen m akes t he request for your syst em s out t o t he I nt ernet , wit hout revealing your com put er t o t he I nt ernet . At t ackers can't see your com put er and pot ent ially get access—t hey see only t he proxy server. You only have t o secure t he proxy, and t he rest of your net work can be prot ect ed behind it . I f you have only one com put er, don't bot her wit h a proxy server; j ust prot ect t he one com put er. Addit ionally, som e proxy servers offer packet filt ering, which is t he capabilit y t o block cert ain t ypes of net work t raffic while allowing ot her t raffic in. Som e proxy servers act as com plet e firewalls, wit h incom ing and out going filt ers, and som e include audit ing and logging of t he t raffic allowed and/ or blocked.
[ 1]
Merriam Webst er's Collegiat e Dict ionary, Tent h Edit ion. Springfield, MA: Merriam Webst er, I ncorporat ed, 1993.
•
•
•
N e t w or k a ddr e ss t r a n sla t ion ( N AT) : This very basic form of prot ect ion is essent ially j ust hiding your address from t he out side world. NAT act s like a proxy server for your address only. This is not very st rong prot ect ion, but it is prot ect ion, and m any of t he newer Windows versions are shipping wit h t his capabilit y built in. Au dit log pa r sing: Okay, you t urn on your audit ing so you can see what is happening on your syst em . That 's good. But now you get a log full of event s t hat are norm al, and you have t o sort t hrough t hem t o find t he ones of int erest . That 's bad. This is a j ob for audit - log parsing t ools. The nam e sounds com plex, but t hey are usually easy t ools t o use. You t ell t hem what event s you want t o see, and t hey search t he logs and collect t hose event s. The event logger in Windows NT and lat er versions can do lim it ed filt ering, but if you want t he high- end st uff for syst em s at high risk, you can get parsing t ools t hat can alert you t o event s in real t im e and can analyze event s as t hey occur, t rying t o det erm ine if t he pat t ern is an at t ack or j ust norm al act ivit y. These advanced t ools—called " int rusion det ect ion program s" —m ight be a bit m ore t han m ost hom es and sm all businesses need, and t hey are usually cost ly. However, m any of t he personal firewall product s available include t hese funct ions t o som e degree. File e n cr ypt ion : One of t he oldest ways of prot ect ing inform at ion is t o encode or encrypt it . Rom ans used an encrypt ion syst em t o send m essages bet ween legions in big bat t les. They gave st affs of cert ain sizes t o all com m anders. Then t hey wound paper around a st aff, wrot e a m essage on t he paper, and t hen unwound it . Only by having a st aff of t he correct diam et er could som eone rewind t he paper and reconst ruct t he m essage. This m ade t he m essage reasonably secure in t ransit . Obviously, m odern encrypt ion is m uch m ore advanced, but it involves som e of t he sam e principles t he Rom ans used. First you need a m essage or piece of dat a you want t o prot ect . Second, you need a m et hod for disassem bling and reassem bling t he m essage reliably. Last , you need t o ensure t hat all aut horized part ies know how t o encrypt and decrypt properly and t hat t hey are t he only ones who can. As a hom e user, t he t wo places where you m ost likely would use encrypt ion are for your e- m ail and for your files.
More About Encryption
You can use a program such as PGP [ 2] ( which st ands for Pret t y Good Privacy) or Blowfish [ 3] t o provide encrypt ion for your e- m ail. These program s use what is called public/ privat e key encrypt ion t o accom plish t heir goals. This m eans you have one key t hat everyone in t he world can know, and one key t hat only you know. When you encrypt a m essage wit h one key, it can be decrypt ed by using t he ot her, and vice versa. Using t his t echnology, you can prot ect m essages from anyone but t he int ended recipient . Windows 2000 has an Encrypt ed File Syst em ( EFS) you can use t o encrypt your files, or you can use t hird- part y product s t o do t he j ob if you are
using ot her Windows- based syst em s. You can find som e of t hese program s at www.t ucows.com / syst em / fileencrypt ion95.ht m l. I t is im port ant t o know t hat no encrypt ion is unbreakable. I f you can encrypt a file, som eone wit h enough com put ing power and t im e can decrypt it . The idea is t o m ake t he decrypt ion so hard or t im e- consum ing t hat it will do t he person no good. For exam ple, say you could som ehow know who will win t he 2015 World Series. You want t o prot ect t he inform at ion, so we'll encrypt it . At t he t im e of t his writ ing, 2015 is 13 years away— roughly 177 m illion seconds ( 176,601,600, t o be exact ) . I f a person could guess once every second from now unt il 2015, t hat person would get 176,601,600 guesses at being right . We'll use a key t o int roduce random ness t o t he encrypt ion, which allow s us t o cont rol how st rongly t he dat a is encrypt ed. To prot ect our dat a, we want t o m ake sure t here are lot s m ore choices t han 177 m illion—say, 100 t im es m ore—so we choose a num ber bet ween 0 and 20 billion ( rounding up t o m ake it even harder) . Now, even by guessing once a second, a person has lit t le chance of get t ing it right . Lucky for us, t his sim ple exam ple is a m assive sim plificat ion of t he real m at h done by people who do encrypt ion, which m eans encrypt ion can be bot h st rong and safe. One last t hing about encrypt ion: you m ight hear t alk about encrypt ing and also about signing when referring t o docum ent s and files. Encrypt ing obscures t he cont ent s of t he docum ent or e- m ail so t hat no one but t he holder of t he decrypt ion key can read it . Signing, on t he ot her hand, doesn't prot ect t he docum ent ; it put s a block of encrypt ed t ext on t he docum ent as a signat ure. This block of t ext can be decrypt ed by your public key t o show t hat it was indeed you t hat sent t he docum ent , m uch as a signat ure on a piece of paper or cont ract does.
•
• [ 2] Freeware program developed by Philip Zim m erm ann • [ 3] Free program designed by Bruce Schneier Se cu r it y Te st in g a nd Ana lysis Tools: The last advanced opt ion for I nt ernet securit y is securit y t est ing and analysis t ools. These t ools are t he sam e as or sim ilar t o t he ones act ual hackers use t o access sit es. I don't recom m end t his approach for novices because som e of t he t ools can be com plex; however, if you want ( or need) t o see how exposed you really are, t ry som e of t hese t ools on your syst em s. I t can be an eye- opening experience. Som e t ools will deface Web pages, grant access t o syst em s, load program s, let you lit erally cont rol syst em s, or j ust leave a not e saying you were t here. These t ools are t he digit al equivalent of a m ilit ary t raining exercise. You'd bet t er know how ready you are before you have t o fight t he bat t le, or you'll probably lose event ually. I f you know where your weaknesses are, you can fix t hem , or at least prot ect yourself bet t er. You can find a list of som e securit y t est ing t ools at www.insecure.org/ t ools.ht m l.
Who Is Watching You? Wit h all of t his t alk about securit y, you m ight be wondering who is out t here wat ching. What do t hey want wit h you? That quest ion has m any answers, and we'll explore t hem in t he next few sect ions. But before we do, let m e warn you t hat t hese sect ions t ouch on som e areas t hat sound scary t o m ost people. I have every int ent ion of scaring you a bit wit h t his inform at ion, but I don't want t o scare you away. There are som e rat her unseem ly charact ers out t here in t he world, and som e
of t hem are on t he I nt ernet . Locks and walls, doors, and m aybe a dog can prot ect you at hom e. All I 'm t rying t o do here is dem onst rat e t hat having prot ect ion on t he I nt ernet m akes good sense t oo. Let 's say t hat now you are connect ing t o t he I nt ernet . You do so by dialing a phone or by using your cable or DSL connect ion. No one can possibly know you are t here, right ? Wrong. Let 's hit t he obvious ones first . Your I SP ( I nt ernet service provider) and t he phone com pany or cable or DSL provider ( if different t han your I SP) all know you are connect ed. You haven't even done anyt hing yet , and a few people already know. Of course, t he I nt ernet isn't really fun unless you do som et hing, so next you hit t he Web, answer som e e- m ail, and m aybe st art up your inst ant - m essaging program . Now you've m ade som e request s ( called DNS request s) across t he I nt ernet t o resolve nam es so you can get t o t hose places. You've sent request s t o Web sit es, your online " buddies," and som e ot her people t hrough e- m ail. What you m ight not know is t hat you've also sent inform at ion t o t he Web sit e owner and t o advert isers t hrough t he banner ads t hat display on Web pages. Furt herm ore, your request s passed t hrough probably dozens— possibly hundreds—of servers or rout ers along t he way. This is rout ine. There is not hing insidious or wrong about it ; it is j ust t he way t he I nt ernet works. But t he point is t hat an at t acker or som eone who wishes t o collect inform at ion about you ( or anyone, for t hat m at t er) can " see" t hose request s and addresses and begin t o get an idea of where you go and what you do on t he I nt ernet . Wit h 10 billion billion addresses available on t he I nt ernet , you m ight t hink t here are t oo m any for anyone t o "guess" yours, right ? Wrong again. Those addresses are all bet ween 0.0.0.0 and 255.255.255.255, and a knowledgeable program m er can use a com put er t o t est each of t hose addresses at a rat e of about several m illion a second. Also, som e addresses are reserved and som e are for special purposes, which reduces t he num ber of required guesses. Event ually, som eone will scan your address range and find you. I t usually doesn't t ake m ore t han a m ont h of being online ( it can be as short as a few hours or days) before som eone " finds" t hat your address is live. Most people don't ever get beyond t hat , but som e will t ry. Wow—so people know you are out t here. I n fact , t hey probably know you are out t here quit e oft en. Who are t hese people? Most are businesses wit h legit im at e reasons t o know t hings: t he people who carry t he phone signal or run t he devices t hat rout e I nt ernet t raffic, for exam ple. The people t hat run t he DNS servers t o provide nam es of sit es will know, if t hey choose t o look. Such people are usually safe for t wo good reasons. Because you are t heir cust om er, t hey already know a lot m ore about you t han t hey can get on t he I nt ernet . They have billing addresses, phone num bers, and possibly credit card inform at ion ( if you pay by t hat m et hod) . Also, t hey get lit erally t housands of DNS request s a second, which am ount s t o a huge am ount of inform at ion every day. Even if t hey want ed t o t rack it , doing so would t ake m ore t im e and m oney t han t he dat a is wort h. The advert isers and Web sit es are a different m at t er, however. Banner ads you click on and Web sit es you visit oft en glean e- m ail addresses and browser inform at ion from you. UCE ( unsolicit ed com m ercial e- m ail or " spam " ) is big enough business t o m ake list s of valid e- m ail addresses valuable. Advert isers and m arket ing folks pay good m oney t o know who is visit ing t he sit es of product s sim ilar t o t heirs so t hey can t ry t o cross- sell t o you.
Yes, people are wat ching, and som e of t hem are gat hering inform at ion. But t he last group are t he ones t o worry about m ost : t he hackers and crackers and script kiddies. They use t ools t hat are available on t he I nt ernet t o wat ch addresses, t ry t o break int o syst em s, or at t em pt t o disrupt t hings in general. They som et im es do it t o be m alicious, but som et im es it 's j ust t o see if t hey can.
Privacy Issues Wit h all of t hese people out t here looking around, it 's probably not surprising t hat your personal privacy is at risk. Advert isers and m arket ing people are always t rying t o gat her m ore dat a so t hey can t arget t heir m arket ing t o your t ast es and int roduce you t o product s t hat fit your lifest yle. ( Of course, t his is t heir pict ure of your t ast es and lifest yle, based on snippet s of inform at ion. Regardless of how good t hey are, t hey'll get som e t hings wrong, and you'll be st aring at advert isem ent s t hat m ean not hing t o you.) But what can be worse are t he people who collect your dat a t o sell or who gat her inform at ion about you t hat can be used in m ore harm ful ways. For exam ple, what if som eone m onit ored t he Web sit es you visit and found you t aking an int erest in cancer inform at ion. They m ight report t his t o your insurance com pany, who m ight raise your rat es or drop your coverage for fear of having t o pay for cancer t reat m ent . This exam ple is com plet ely fabricat ed, but it could happen. There are m any addit ional reasons for prot ect ing t his inform at ion, and, as t hey say, " Trut h is st ranger t han fict ion." One exam ple t hat act ually occurs and oft en goes unknown for a long t im e is ident it y t heft . I f som eone get s your Social Securit y num ber or t axpayer I D, t hey can get st at e ident ificat ion as you in anot her st at e. Wit h t hat , t hey can get credit cards, apart m ent s, what ever—all in your nam e. They can request addit ional dat a about you by using t his ident ificat ion, and use t hat dat a t o t ake out loans, buy cars, rent hot els, or t ravel. There is no real lim it t o what t hey can do, because t o t he rest of t he world, t hey are you. As long as t hey st op using your ident ificat ion and m ove on before you cat ch t hem , t hey can get away wit h t his t ype of t hing for a long t im e. People have had credit rat ings ruined, houses foreclosed on, and incredible hassles from cases of ident it y t heft , and t his is only get t ing easier as m ore people use com put ers and have t hat dat a exposed online. These exam ples show why you need t o m onit or your online privacy. The Plat form for Privacy Preferences Proj ect ( P3P) from t he W3C ( World Wide Web Consort ium ) provides a set of rules t hat com panies who build sit es and soft ware can use t o help you cont rol who get s what access t o your inform at ion. You can learn m ore at t he W3C Web sit e ( www.w3.org/ P3P/ ) . Here's a quot e from t heir sit e: The Plat form for Privacy Preferences Proj ect ( P3P) , developed by t he World Wide Web Consort ium , is em erging as an indust ry st andard providing a sim ple, aut om at ed way for users t o gain m ore cont rol over t he use of personal inform at ion on Web sit es t hey visit . At it s m ost basic level, P3P is a st andardized set of m ult iple- choice quest ions, covering all t he m aj or aspect s of a Web sit e's privacy policies. Taken t oget her, t hey present a clear snapshot of how a sit e handles personal inform at ion about it s users. P3P- enabled Web sit es m ake t his inform at ion available in a st andard, m achine- readable form at . P3Penabled browsers can " read" t his snapshot aut om at ically and com pare
it t o t he consum er's own set of privacy preferences. P3P enhances user cont rol by put t ing privacy policies where users can find t hem , in a form users can underst and, and, m ost im port ant ly, enables users t o act on what t hey see. At t his sit e you can also see product s and t ools available for t aking advant age of P3P and what it does for you. This is a great st ep forward in I nt ernet privacy and let t ing users t ake cont rol of who get s access t o inform at ion about t hem selves.
Internet Security Checklist We have covered a lot of ground, so I have included a quick checklist here t o help you assess how you are handling securit y for your I nt ernet connect ion. This list should help det erm ine how well you are covering t he areas t hat need t o be secured when you're connect ing t o t he I nt ernet . • • •
•
•
•
• • • • • • •
What t ype of connect ion do you have? I s it " always on?" Do you use an operat ing syst em t hat can be secured? Does it support user ident it ies, securit y at t he file- syst em level, and audit ing of act ivit ies on t he syst em ? Do you run program s from unknown sources, including execut ing program s, script s, or files cont aining m acros? Do you use an ant ivirus program and m ake sure it scans your syst em regularly? Have you given out your password or logon inform at ion? Are you careful wit h your personal inform at ion? Do you know your risk and are you aware of t he value of t he dat a on your syst em t o yourself and ot hers? Do you assum e out - of- t he- box securit y is enough? Have you t urned on audit ing, if your operat ing syst em support s t his opt ion? Are you using a firewall, proxy, or net work address t ranslat ion ( NAT) ? Do you m anually read audit logs or use a parser t o do it ? Do you prot ect sensit ive inform at ion wit h encrypt ion? Do you use any t ools t o analyze your own securit y? How oft en? Do you prot ect your online privacy?
Chapter 6. E-mail Security (Communicating with Other Villages) The t own was growing nicely now, but John knew it wouldn't cont inue unless t hey st ayed in close com m unicat ion wit h t he nearby t owns. John's t own had t o know about event s in ot her t owns, and t hey should know about his, so John m ade road t rips t o each of t he t owns t o visit wit h t heir m ayors. The purpose was sim ple: t o m eet t hem and est ablish good relat ions and com m unicat ion. Wit h each m ayor, he t alked about sharing inform at ion about local event s, law enforcem ent , roads, and ot her issues t hat each faced. They agreed t o st art a newspaper in which t hey could carry all sort s of local news and event s. The paper would be published weekly and sent out t o t he t owns so everyone would know what was going on in t he area. A m an in John's t own had a newspaper background, so John volunt eered t o st art up t he paper in his t own. The ot her t owns could have report ers gat her st ories and send t hem t o t he m ain office via m essenger. Then on Fridays, t hey would publish t he paper, and m essengers would deliver a st ack t o each t own for dist ribut ion t o t he people. Aft er his t rip, John t alked t o William , t he m an wit h t he newspaper background, and he accept ed t he j ob. John and William st art ed t o work right away at get t ing t hings est ablished. I n j ust a week t hey had t he print ing press in and set up and had even ordered a few ext ra part s t hat William suggest ed so t hey could replace ones t hat m ight break easily. By t he second Friday, t hey were able t o publish t he first edit ion of t he Local Journal.
Why E-mail Is Cool I f you've used t he I nt ernet at all, odds are you've used e- m ail. I n fact , som e people have only used t he I nt ernet for e- m ail. E- m ail is one of t he oldest and m ost desired funct ions m ade possible by t he I nt ernet . I nit ially, e- m ail was used on DARPANET[ 1] by researchers from all over t he globe, for whom t im e zones had been a really big deal. Asynchronous com m unicat ion was required, because people were not all at t heir desks at t he sam e t im e. Wit h e- m ail, t hey could com m unicat e wit hout regard t o t im e zones. Anot her big feat ure of e- m ail is being able t o writ e one m essage and send it t o m ult iple people at t he sam e t im e. This j ust wasn't possible wit h st andard m ail, and it enabled discussion groups t o be form ed t hat couldn't exist in ot her m edium s. The final plus was at t achm ent s. Being able t o at t ach a separat e docum ent t o t he m ail and send it t o som eone—or t o a group—helped people com m unicat e m ore quickly and efficient ly t han t hey ever had in t he past . Wit h all of t hese t hings going for it , t he popularit y of e- m ail began t o grow. [ 1]
Defense Advanced Research Proj ect Adm inist rat ion Net work
E- m ail wasn't an overnight success, but as t he net work called t he I nt ernet grew in size and capabilit y, e- m ail was growing right alongside it . As e- m ail use increased, t he need for great er ease and added feat ures increased t oo. And wit h m ore users, m ore feat ures, and wider dist ribut ion cam e m ore securit y issues. The t ypical e- m ail client being used in Windows t oday is m uch m ore com plex t han t he first m ail readers and has m ore built - in feat ures t han were even possible back t hen. But as t he code and feat ures expand, so do t he possibilit ies for securit y holes t hat can be found and exploit ed.
How E-mail Works E- m ail is essent ially a t ext t ransfer bet ween your m achine and t he recipient 's m achine, but it is a lot m ore com plex t han t hat . I 'm not going t o get int o deep analysis of how I nt ernet Mail Access Prot ocol ( I MAP) , Sim ple Mail Transfer Prot ocol ( SMTP) , or Post Office Prot ocol 3 ( POP3) work, but you do need t o underst and a few key point s about how a m essage m oves t hrough t he syst em if we're going t o t alk about securit y ( see Figure 6- 1) .
Figu r e 6 - 1 . Ou t look e - m a il clie n t
First , som eone who want s t o send a m essage m ust be running soft ware t hat " underst ands" I MAP, SMTP, or POP3 and can use t hese prot ocols t o com m unicat e wit h t he surrounding syst em s. These prot ocols are t he accept ed m et hods for sending, receiving, and forwarding e- m ail m essages on t he I nt ernet . This is sim ilar t o John's m eet ing wit h t he m ayors t o decide about using a newspaper t o com m unicat e inform at ion. Som eone has t o decide how t he inform at ion exchange will
be done, and t hen everyone can st art t alking. Unless everyone uses t he sam e rules, however, we'll end up wit h our own version of t he Tower of Babel. Think of t he m essengers in our exam ple as t he prot ocols I MAP, SMTP, and POP3. These prot ocols were est ablished by using t he RFC ( Request For Com m ent ) syst em t o est ablish and m odify st andards used on t he I nt ernet . RFCs are m aint ained by t he I nt ernet Engineering Task Force ( you can find m ore inform at ion about I ETF at www.iet f.org/ rfc.ht m l) . I MAP is RFC 2061, SMTP is RFC 821, and POP3 is RFC 1957. Each of t hese act ually has m ore t han one RFC, and you can find t hem all at www.ren.nic.in/ rfc.ht m l, but t he RFC I 've list ed for each prot ocol is t he one t hat st art ed t he prot ocols we now use for our e- m ail syst em . E- m ail users are like t he report ers in our exam ple. They writ e t he " st ories" —e- m ail m essages—and send t hem t o t he " cent ral office." I n t he case of e- m ail, t hough, t he cent ral office is a collect ion of com put ers on t he I nt ernet . For our purposes, you can t hink of t he place where you send your e- m ail as t he m ail com put er at your I SP. Typically t his is a group of m achines ( called a clust er) t hat handles t he m ail for an I SP, especially if you use a larger I nt ernet provider such as AOL, Eart hlink, MSN, or Yahoo! . This cent ral office t hen dist ribut es t he m essage t o all t he int ended recipient s, whet her one or m any. I t uses t he sam e prot ocols we used for sending our m essage, and it " t alks" t o several m ail syst em s ( usually) on t he way t o delivering t he m ail t o t he recipient . The m ail syst em uses DNS ( Dom ain Nam ing Syst em , t he I nt ernet 's nam ing syst em ) t o det erm ine if t he dom ain in t he e- m ail address is valid; t hen it sends t he m essage along t o t he SMTP server in t hat dom ain. When t he m essage arrives, t his server looks up t he usernam e. I f t he usernam e exist s, t he m essage is placed in t he user's m ailbox for ret rieval; if not , t he m ail bounces back t o t he sender wit h an " Undeliverable" m essage.
Security Issues with E-mail Systems E- m ail is a reasonably secure m edium t o use for com m unicat ions. I t cert ainly isn't infallible, but t he average user wit h nonsensit ive inform at ion can be confident t hat t hings are get t ing t o t he recipient and not being read by anyone else. Let 's look at som e of t he weaknesses in t he e- m ail syst em and see what you can do t o avoid t hem or prevent t heir affect ing you.
Spoofing Spoofing m eans som eone get s you t o believe t hat a piece of e- m ail was sent from som eone ot her t han t he act ual sender. Oft en t his is done as a j oke, such as sending you m ail t hat appears t o com e from president@ whitehouse.gov or get t ing you t o respond by m aking you t hink t he sender is known or nont hreat ening. The address set for t he reply isn't necessarily t he one t hat shows in t he " From " line. The t echnique for doing t his is relat ively sim ple and will not be covered here, but t he good news is t hat it 's easy t o det ect t he correct sender. The e- m ail headers cont ain t he correct inform at ion about where t he m essage originat ed ( see Figure 6- 2) and t he ent ire pat h it t raveled. Even if som eone is savvy enough t o alt er t he headers at t heir locat ion, you can easily see ( if you know what t o look for) t hat t he m essage was faked. The lesson here is t hat you cannot always t rust t hat your e- m ail is com ing from t he person you see in t he " From " line. I f a m essage is asking for personal
inform at ion, passwords, or anyt hing sensit ive, t ell t hem you would rat her not discuss it by e- m ail, and ask t hem for a phone num ber or post al address. Real com panies wit h legit im at e business will usually do t his happily; scam m ers and crooks will not .
Figu r e 6 - 2 . Vie w in g a n e - m a il h e a de r in M icr osoft Ou t look
DNS Redirecting DNS redirect ing is a t echnically challenging hack ( clever or creat ive use of com put er code) and not easily accom plished. Here's an exam ple. I f I know I want t o get at t he m ail from a specific t arget —say, business dat a from Coca- Cola—I m ight t ry t o " redirect " t raffic from cocacola.com t o a fake address I set up. Now t raffic sent t o cocacola.com will com e t o m e inst ead of going t o t he real com pany. Wit h a bit of ext ra effort , I can t hen re- forward t he m ail t o t he real Coca- Cola so t hey'll never know I read it first ( t hey m ight experience a delay in receiving it ) . Wow, sounds serious! Yes, it is, and fort unat ely, it is not easy. I n fact , wit h current DNS syst em s, such at t acks are m ore and m ore difficult t o do. The advant age for hom e users and sm all businesses is t hat redirect ing t akes lot s of effort , so you won't be wort h t arget ing unless t he payoff is high. Sm all businesses and hom e users do not t ypically approach t his level of payoff, so t he likelihood of such an at t ack against t hem is m inim al.
"Read As HTML" Mail client s t hat allow you t o " Read as HTML" should be t urned off, left off, and if at all possible, never used. Period. Alt hough cont rol seem s t o be get t ing bet t er, t his was a bad idea from t he beginning. By let t ing senders writ e com put er code t hat I allow t o run on m y syst em , I aut om at ically give t hem a shot at t aking cont rol of m y syst em . HTML ( Hypert ext Markup Language) is what m akes t he World Wide Web look and operat e t he way it does. HTML looks nice, so som eone t hought having em ail in t hat sam e form at would be a good t hing. I t isn't . I can send HTML- form at t ed m essages t hat cont ain script ing, links t o ext ernal servers, and a variet y of redirect s or com m ands t hat can run on your syst em as t he HTML runs on your m ail reader. The fast est way for m e t o do t his is t o send spam m ail ( I 'll cover spam m ail in a bit ) t o your address t hat m akes som e claim for a vacat ion prize or som et hing t hat m ight m ake you want t o read a bit furt her. While you're reading, t he HTML redirect s t he m ail reader t o get dat a from a rem ot e syst em , not from t he e- m ail m essage anym ore. This rem ot e syst em can cont ain code t hat t ries t o inst all Troj an- horse soft ware, gain access t o your syst em , or j ust plain wreck your syst em by delet ing key files. You t hink you're possibly winning a free t rip t o Hawaii, but inst ead your hard drive is being erased. Not good. You open yourself up t o lit erally hundreds of exploit s when you use " Read as HTML" as your m ail opt ion. Many of t hese are being pat ched, but it 's a losing bat t le. Turn off t hat " Read as HTML" opt ion and prevent t hese at t acks. I f you want Web cont ent , go t o t he Web.
Scripting Issues Som e e- m ail program s allow senders t o im bed script s or m acros in m essages. Then t hey t ry t o run t he script or m acro when you read t he m essage. I f som eone t rying t o break int o your syst em wrot e t hat script or m acro, it can be bad. There are t wo m ain avenues t hrough which you are vulnerable t o t hese at t acks: t urning on "Read as HTML" ( j ust discussed) and using Microsoft Word as your e- m ail edit or. The newer versions of Microsoft Word now com e wit h m acro prot ect ion, but older versions m ight not or t he prot ect ion m ight be disabled. That m eans a m acro can be run if it is im bedded in t he m ail m essage. Again, if t he m essage is from som eone m alicious, t he m acro can cause all sort s of havoc. The best way t o avoid t his one is t o ensure t hat your MS Word is up- t o- dat e ( version 6.0 or lat er is sufficient ) or t o ensure t hat you are running an ant ivirus program t hat can scan e- m ail for m acros. All of t his is also t rue for MS Word docum ent s t hat com e t o you at t ached t o e- m ail m essages.
Attachments Speaking of at t achm ent s, a world of problem s can com e from files at t ached t o e- m ail m essages. I n t his case, it isn't t echnically t he m ail syst em t hat is t he securit y t hreat ; t hat syst em is sim ply t he delivery m echanism . Never t rust files at t ached t o m ail m essages—scan every one of t hem . I n part icular, you should always scan execut able files ( for exam ple, .exe, .cm d, .bat , .pl) , docum ent files ( such as .xls or .doc) , and script files ( such as .vbs, .j s, .j ava, and .wsh) . Even bet t er is t o scan everyt hing t o be sure som eone hasn't renam ed a file j ust t o get it past your scanners. An exploit went around for a while in which people would renam e a file t o have t wo ext ensions ( t echnically, one ext ension and a nam e wit h a period in it ) , result ing in a file called som et hing like readm e.t xt .vbs. I f a com put er's file- viewing opt ions were set at default , t his appeared as " readm e.t xt " and seem ed harm less, but double- clicking t he
file would run t he VBS script . A subsequent pat ch from Microsoft prevent s t his behavior from working.
Unsolicited Commercial E-mail (UCE aka spam) Unsolicit ed com m ercial e- m ail ( UCE) , also known as spam m ail, is a spreading phenom enon ( see Figure 6- 3) . I t wasn't unt il people st art ed using e- m ail in large num bers t hat spam st art ed appearing on t he scene. As soon as folks realized t hey could use e- m ail t o reach cust om ers and t hat enough cust om ers were out t here, t he m arket ing t ypes went t o work and began figuring out how t o fill your m ailbox wit h " useful" inform at ion. The t rut h is t hat t he vast m aj orit y of t he public didn't want t hat j unk m ail com ing int o t heir e- m ail boxes as well as t heir real m ailboxes, so m ost com panies have st opped. Why, t hen, do you see so m uch spam ? Frankly, som e people are willing t o annoy m illions of people if it m eans a few bucks in t heir pocket s. Most spam m ailings qualify in one or a few of t he following cat egories. •
•
•
•
•
M a k e m on e y fa st : This is usually raw scam m ail. I t includes work- from hom e offers and get - rich- quick schem es. These m ailings are usually a pure scam , at t em pt ing t o get m oney out of you. You are not t he one who will " get rich quick" if you answer t his m ail. Lose w e igh t n ow , m ir a cle cur e s, a n d su ch : These also are usually scam m ails. They claim t o be selling cures for com m on ailm ent s or condit ions, oft en preying on people who are desperat e or who want t o find t he Easy Answer. Weight loss is a big t arget of t hese m ailings. You w on $ $ $ $ $ : This is usually som e form of sales pit ch. The m essage claim s you won a vacat ion or m ight win som e prize t o get you t o visit a Web sit e or click on a link. The sender is usually get t ing m oney for t he page hit s or clickt hroughs on t he link, and t here probably is not a prize t o be won. Se lling of m a ss- m a ilin g soft w a r e : Of course m ass e- m ailers also like t o sell t heir own st uff t hrough m ass e- m ail. CDs wit h nam es and e- m ail addresses, soft ware for generat ing m ass m ailings, and " inst ruct ional program s" on how t o use m ass m ailing effect ively are oft en sold t hrough m ass m ailings. Ge n e r a l sa le s: Most any product t hat can be sold m ight be a m ass- m ailing candidat e, but rem em ber one t hing. Most com panies care if t hey are angering 96 percent of t he audience t o get at t he 4 percent who m ight respond. Most legit im at e com panies st ay away from m ass m ailings because of t he am ount of rej ect ion and anger a m ass- m ailing cam paign can generat e.
Figu r e 6 - 3 . Ex a m ple of spa m m a ilin gs
Encryption in E-mail
One way t o ensure privacy of your e- m ail st ands above all t he rest in t erm s of reliabilit y. That is encrypt ion. I f you encrypt your e- m ail, it can be read only by t he int ended recipient . Well, t hat 's assum ing t hat t he key is st rong and t hat t he encrypt ion program is correct ly inst alled and coded t o allow no back doors or adm inist rat ive overrides. When I say a st rong key, what I m ean is one t hat is 256 bit s or m ore in lengt h. As a general rule, t he key is st ronger as it uses m ore bit s. We also m ust assum e t hat t he code breaker doesn't have m assive com put ing power available. By m assive, I don't m ean t he newest Pent ium chip or even a dual or quad processor syst em , but a supercom put er. I f you use a program for encrypt ion, you can ensure t hat not j ust anyone can read your e- m ail m essage. I f t he recipient of t he m ail has t he right decrypt ion key, t hat person will be set . Several opt ions for e- m ail encrypt ion exist , and som e are bet t er t han ot hers for specific m ail program s. I favor PGP [ 2] on m y syst em . I t 's t he program I st art ed using first , I 'm fam iliar wit h it s use, and it is very user- friendly. Searching on t he I nt ernet for e- m ail and encrypt ion will yield a large num ber of links you can visit t o get m ore inform at ion about encrypt ion and about product s or services suit able for your needs. I f you go t o dir.yahoo.com / Com put ers_and_I nt ernet / Securit y_and_Encrypt ion/ , you'll be able t o dig deeper int o e- m ail, encrypt ion, and securit y. [ 2]
Freeware program developed by Philip Zim m erm ann
What Makes It Junk Mail?
Reading t hrough t his sect ion, you m ight be wondering what m akes a m essage j unk m ail. How do you know when it 's j unk? Well, if you don't want it , it 's j unk. Perhaps you subscribe t o a m ailing list . You act ively signed up and request ed t hat service, so m ail from t hat source obviously isn't j unk. How about advert ising from a com pany you have purchased from before? Som e people would say t his is okay, but som e wouldn't like it . Then t here is t he random m ailing you receive from som eone who bought your nam e and address from a list . Most people seem not t o like t hat very m uch. But your m ailbox is exact ly t hat : yours. You get t o det erm ine what is and what isn't j unk m ail.Many legit im at e businesses wit h whom you have an exist ing " relat ionship" ( you bought som et hing or used t heir services) m ight send you m ail as a follow- up or t o t ry t o keep your business wit h t hem . Such m essages oft en t ell you t hat if you don't want t o receive t heir offers, you can elect not t o get t hem . This is called " opt ing out ." Or perhaps you sign up for a service and t he form includes " Do you want t o receive addit ional inform at ion about services and specials we offer?" I f you select yes, you have " opt ed in" t o being on t heir m ailing list . The laws governing UCE can vary from st at e t o st at e; however, m ost st at es have laws on t he books or being considered t hat will give you t he right t o opt in or opt out of m ailing list s, wit h senders required t o provide a valid m ailing address, phone num ber, and/ or e- m ail address in t heir m ail so recipient s can com plain or cont act som eone about t he cont ent s. Failure t o provide legit im at e addresses or opt ions for get t ing off list s can be illegal in som e st at es, and if you can t rack down t he sender, t hey can be prosecut ed.You've surely guessed t hat I 'm not fond of j unk e- m ail. I 'd go so far as t o say I really hat e t he st uff; it 's a wast e of m y t im e. I 'm not alone in t hat opinion, eit her. Many st at es have m ade j unk m ailing t hrough e- m ail illegal or rest rict ed by requiring valid ret urn addresses or " opt - out " choices t hat get you off t he list t hat got you t he m ail in t he first place. The problem oft en is t hat t he sender eit her doesn't know or doesn't care and sends t he m ail anyway. Ret urn addresses m ight be forged or incorrect , and links t o pages are oft en redirect ed—all in at t em pt s t o hide t he ident it y of t he real sender. So m any people get m ad about j unk e- m ail t hat lawsuit s, deat h t hreat s, and hacker at t acks have all been direct ed at m assm ailing com panies. Yep, you read t hat right : deat h t hreat s. I 'm not so against j unk e- m ail t hat I 'd t hreat en som eone, but I do t hink t he fact t hat people will go t o great lengt hs t o hide who t hey are when sending out spam m ail indicat es an inherent adm ission t hat what t hey are doing is wrong. I n m any cases, t he m ailings are part of con gam es or scam s t arget ing people who will send m oney or credit card inform at ion over t he I nt ernet . Then t he com pany j ust disappears wit h t he m oney or inform at ion.
Getting Off E-mail Lists Here's how you can get off m ailing list s. First let m e warn you, it can be a lot of work. You have t o opt out of all t he m ailing list s you are on. This m eans when it says " Click here t o be rem oved from our m ailing list ," you do it . I f a m essage doesn't offer opt - out , delet ing t he m ail is oft en t he easiest choice, but you can do m ore. Use your e- m ail program t o view t he headers of t he e- m ail, and look for t he original sender in
t he headers ( you can usually find t hat inform at ion near t he t op of t he header, as in Figure 6- 2) . Then send m ail t o t hat address and request rem oval from t he list . Oft en t he sender's address is forged, but t his is wort h a shot . ( Not e t hat by responding t o t he m ail at all, you verify for t he sender t hat your address is valid. Som e will st ill rem ove you from t he list when asked; ot hers won't .) I f you live in a st at e wit h ant ispam laws, report t he sender t o your St at e At t orney General or j ust forward t he m ail t here. ( Each st at e is different ; check wit h t he At t orney General before forwarding spam m ail.) I f you don't want t o go t o t he t rouble of responding and possibly m aking t he problem worse, your best bet is t o never respond t o any m ass m ailing. Not only does t his m ake t heir effort s not profit able because you don't buy anyt hing or give out any m oney, but t hey can't verify t hat your address is valid and keep sending you m ail. I f you don't want t o fight t he m ail but you don't want it in your inbox, you can t ry blocking it . Check t he inst ruct ions for your e- m ail program ( see Figure 6- 4) . Most have j unk- m ail filt ers t hat you can enable t o st op j unk m ail from com ing in aft er you have ident ified t he sender as an originator of j unk m ail. Third- part y program s are also available t hat claim t o be j unk- m ail blockers. I haven't t ried any of t hese yet , but you m ight want t o check t hem out .
Figu r e 6 - 4 . Addin g n a m e s t o j unk - m a il list in Out look
E-mail Security Checklists Following is a quick checklist you can use t o det erm ine if you've covered all t he bases for securing your e- m ail. I f you have quest ions about t his list , go back t o t hat sect ion of t he chapt er t o get det ails or look in t he Help sect ion of your e- m ail program . • • • • • •
Do you use an e- m ail program t hat allows " Read as HTML" ? I s it t urned off? Are you using an ant ivirus scanner t hat can read e- m ail and at t achm ent s? Do you opt out of j unk e- m ail list s? Do you encrypt sensit ive inform at ion in e- m ail m essages? What key st rengt h do you use for your encrypt ion? Who can decrypt your m essages? ( Who has t he key for decrypt ing your em ail?)
Chapter 7. Web Security (Opening the Village to Trade) Not long aft er t he t owns st art ed com m unicat ing, t hey also st art ed t o look t o each ot her for t rade and com m erce. Each t own had st ores and Sat urday m arket s, and t he local farm ers had a few m ore places for selling t heir goods. Wit h t his new burst of com m erce cam e new prosperit y—but also a new set of worries. John needed t o hire m ore law enforcem ent t o wat ch out for t hieves and wat ch t he roads and t o generally ensure t hat t he m oney t hat was m oving around was doing so lawfully. John's plan was sim ple: he had every m erchant apply for a local license. This license cost a sm all fee, but t hat fee was used t o hire m ore deput ies. Any m oney left over was used t o ensure t hat t he bank vault was secured. Merchant s from ot her t owns could apply for licenses or j ust get perm it s for t he weekly m arket if t hey only want ed t o sell t here. But t hen John t ook one m ore st ep t hat helped t he people of his t own: Merchant s had t o display t heir licenses at t heir place of business for cust om ers t o see. That m eant cust om ers knew right away t hat a m erchant was okay and not som e " snake oil salesm an." John also kept his deput ies visible during t he m arket t im es. They walked t he area t o be available but also so people knew t hat prot ect ion was nearby. John knew t his visibilit y wouldn't prevent all crim es, but it would help cat ch t he ones t hat did happen. His t own was on it s way t o being a large cit y, and he was confident t hat he was prepared t o face t hose challenges t oo.
What Is the World Wide Web, Really? Because you're reading a book on com put er securit y, and especially a chapt er t his far int o t he book, I t hink I can assum e t hat you've at least heard of t he World Wide Web. But what is it , really? The answer is probably sim pler t han you t hink. The World Wide Web ( I 'm going t o j ust call it t he Web t o save t im e) is a series of linked docum ent s and applicat ions. Yup, t hat sim ple explanat ion describes t he Web, but it cert ainly is a vast oversim plificat ion t oo. To get a bet t er underst anding, we have t o look under t he hood a bit . The Web was born out of a concept of " hyperlinked" docum ent s. A hyperlink is a connect ion from a docum ent t o relat ed m at erial locat ed som ewhere else. I nit ially, t his is exact ly what t he Web was, t oo—no com m erce, no gam es, j ust docum ent s and links. Most of t he cont ent was st at ic ( t ext and pict ures only, no anim at ion or int eract ive areas) and it was, by t oday's st andards, boring. Then about 1995, t hings began t o get m ore excit ing. Anim at ed im ages, script ing, im proved browsers, and evolving st andards all brought t he Web from st at ic t o dynam ic, and in t he process, t he business world and consum ers t ook not ice of t he huge pot ent ial for com m erce on
t he Web. " I m agine," t hey'd say, " ordering food online t o be delivered, or buying a car wit hout ever having t o deal wit h pushy salesm en. Wouldn't it be great ?" For t he m ost part , t he Web is a great t ool for com m erce, but people did get a bit carried away. The recent dot - com failures show t hat j ust because you can sell som et hing online doesn't m ake it a good idea. Som e com panies, however, such as Am azon.com and ot hers wit h a solid business m odel, cont inue t o show prom ise of being successful online business vent ures. Realize also t hat t he World Wide Web isn't equal t o t he I nt ernet , as som e advert ising would have you believe. The Web is, in fact , a prot ocol ( HTTP) and a series of int erconnect ed com put ers ( I nt ernet Web servers) working t oget her t o provide you wit h a way t o navigat e t hrough t hem all. The I nt ernet , on t he ot her hand, is a series of int erconnect ed net works t hat support s m ult iple prot ocols. So where does t his leave t he Web? Well t oday's Web is a com plex m ixt ure of applicat ions, script s, t ext im ages, anim at ions, and so fort h. Most of t he larger Web sit es are m ore like a running program t han a st at ic Web page. The end result is a Web page you can view, but sit es are now offering personalizat ion, dynam ic cont ent , and t arget ed m arket ing and advert ising. Wit h t his com plexit y com es t he chance for securit y t rouble as well. To be able t o " personalize your Web experience," a sit e's owners m ust know som et hing personal about you. This m ight be your address or zip code so t hey can give you local weat her or news on t heir page. Som et im es it is st ock sym bols you like t o t rack, your favorit e baseball or foot ball t eam , or ot her int erest s and hobbies. Let 's look at t his a bit m ore in dept h.
What They Know About You Personalizat ion sounds good. " Your Web sit e can be personalized t o show you dat a t hat pert ains t o you." That 's nice. But how do t hey do it ? What inform at ion do t hey have about you t hat let s t hem do t his? For t he m ost part , it 's all inform at ion t hat you gave t hem . Usually t he sit e has a preferences page or opt ions page where you give inform at ion about st ocks, address, zip code, int erest s, or what ever, and t hat inform at ion is used t o provide t he personalizat ion. Ot her t im es you put t he inform at ion on a form you fill out t o get service from t hat com pany. These are fairly st raight forward ways for som eone t o get inform at ion about you. But aft er t hat it get s a bit m ore subt le. Once com panies have t his inform at ion, m any of t hem t urn around and sell it t o ot her people who want it . For exam ple, a sleeping bag m anufact urer m ight want t o buy a list of Out door Equipm ent Suppliers I nc. cust om ers so t hey can t ry t o sell sleeping bags t o som eone who is probably int erest ed in cam ping. Usually t his list includes personal inform at ion t oo. The buyers want unique nam es, so t hey ask for e- m ail addresses, phone num bers, addresses, or som et hing t hat can ensure each ent ry is unique. Banner ads on Web pages are even worse. Many of t hese ads can det erm ine who clicked and what t hey clicked. Then by t racking t hat inform at ion, t he advert isers can t ry t o build a profile of part icular cust om ers and t ailor t heir ads t o m eet t hose cust om er's needs. A large online advert ising firm has syst em s t hat at t em pt t o do t his—or at least t hey did unt il lawsuit s were filed. Every t im e som eone clicked an ad t hat was placed by t his com pany, an ent ry was m ade in a dat abase about who clicked what ad. Over t im e t his let t hem build a profile of habit s and int erest s for t ailoring advert ising t o a specific user—or t hat was t he t heory. The problem is, m any people feel t hat t his t ype of " t racking" of user behavior is an invasion of t heir privacy.
I n addit ion t o all of t his, inform at ion about your syst em and browser is being sent as part of t he norm al com m unicat ion bet ween your syst em and t he Web servers. This includes which browser you use, your I nt ernet Prot ocol ( I P) address, and a variet y of inform at ion used by t he Web server and t he net work t o get you connect ed in t he first place. All of t his inform at ion is of m arginal use t o m arket ers, but it 's a great volum e of dat a for helping hackers accom plish a break- in. Because you can't st op t his inform at ion from being t ransferred, you need t o secure your syst em .
Cookies and Security You m ight hear t alk of cookies when you hear about t he Web, or you m ight not . Som e people don't even know cookies exist , yet ot hers view t hem as essent ial t o t he operat ion of t he Web. The t rut h is t hat cookies are handy t ools, but not essent ial. A cookie is a sm all bit of dat a—a sim ple nam e/ dat a pair—t hat is writ t en t o t he client syst em ( t he one you are operat ing, not t he server t hat holds t he Web pages) . Cookies can st ore som et hing like Fullnam e= BobJohnson or PhoneNum ber= 5551212, or t hey can also have m ult iple ent ries. The reason cookies are a pot ent ial securit y issue isn't t hat som eone can com prom ise t he securit y of your syst em direct ly by using one, but t hink about t he inform at ion t hat could be st ored in cookies. For exam ple, if you visit a sit e, and a but t on next t o t he logon says " Rem em ber My Password," t his could creat e a cookie t hat is writ t en t o your syst em in t he form Password= Mypassword. I f t he sit e owner didn't do a good j ob of obscuring t he inform at ion in t he cookie, t he next Web sit e you visit m ight t ry t o read t hat cookie t o glean out t he password inform at ion. Personalized sit es should never use persist ent cookies ( t hose t hat are writ t en t o your syst em as files) t o st ore personal dat a. I n t he past , som e have and by doing so have accident ally exposed cust om er inform at ion t o ot her sit es t hat were looking for it . The best way t o deal wit h cookies is t o be aware t hey exist . Don't use Rem em ber My Password opt ions on sit es for hom e banking, st ock t rading, or I RA account s, for exam ple. I f you want t o find out what cookies are already on your syst em , you can check in your Windows\ cookies direct ory, assum ing you have Windows and I nt ernet Explorer. ( Ot her browsers and operat ing syst em s m ight st ore t he dat a in ot her locat ions, but usually in a direct ory called Cookies or som et hing sim ilar.) One warning: You probably shouldn't delet e any cookies in t he direct ory unless you know what you're doing or unless you don't care t hat you m ight have t o reconfigure som e sit es t o your preferences.
Browser Security: Why Is It So Important? A browser is an applicat ion t hat let s you m ove about t he Web, " browsing" pages. Since 1992 or 1993, when t he first browser was writ t en, t his soft ware has grown in com plexit y and becom e a cent ral part of how people access t he I nt ernet . Browsers have also cont ribut ed t o t he need for increased com put er securit y. As browsers do m ore work for users and int erpret m ore dat a, t hey m ust do so wit h t he right securit y. Each t ype of browser does it s own t hing about securit y, and not all browsers do all t he sam e t hings or in all t he sam e ways. To focus t his discussion, I 'm going t o t alk about Microsoft I nt ernet Explorer ( I E) , because t his browser is shipped wit h Windows ( t he prim ary focus of t his book) and t he m arket share of I nt ernet Explorer is significant ly higher t han t hat of ot her browsers. Odds are t hat if you are reading t his book, you use I nt ernet Explorer as your browser.
Security Zones I nt ernet Explorer uses a concept called securit y zones t o det erm ine how som e of it s securit y set t ings will be applied. How do securit y zones work? The browser ships wit h four preset zones ( I nt ernet , Local I nt ranet , Trust ed Sit es, Rest rict ed Sit es) and each is set t o a predet erm ined level ( Low, Medium Low, Medium , High) . I n I E, if you click on Tools and t hen I nt ernet Opt ions and t hen select t he Securit y t ab, you can view t he int erface shown in Figure 7- 1.
Figu r e 7 - 1 . Se cu r it y t a b of I n t e r n e t Opt ion s for I n t e r n e t Ex plor e r
The purpose of I E's securit y zones is t o let you set how t he browser does securit y wit hin each zone. The browser det erm ines what zone t he page is in, based on sit e dom ains, I P addresses, or a local list of sit es, and applies t he appropriat e zone. I f you highlight t he Local I nt ranet , Trust ed Sit es, or Rest rict ed Sit es zones, t he Sit es but t on is enabled. Click t his but t on t o ent er t he nam es of sit es t hat should fall int o t hese zones. I f you use Out look t o read your m ail and you have enabled Read As HTML, your m ail also uses t he Local I nt ranet zone securit y set t ings. You can click on t he Cust om Level but t on and change set t ings for ent ire zones t hrough t his int erface. For t he average user, leaving t he set t ings at t heir default s is good, wit h one except ion. Microsoft set s " Script Act iveX cont rols m arked safe for script ing" t o Enabled in t he I nt ernet zone. I recom m end t hat you change t his t o Prom pt . There
have been several incident s when cont rols t hat were not safe t o script were m arked as if t hey were, and securit y holes were opened because of it .
Security Settings That Prompt By default , som e of t he securit y set t ings in I E are set t o Prom pt . What t his m eans is t hat I E will pop up a box asking a quest ion about whet her a part icular act ivit y should be allowed. You, t he user, can m ake t he det erm inat ion. However, if you are one of t he folks who j ust click yes aut om at ically, t his securit y set t ing does no good. Rem em ber t o read prom pt s and m ake an effort t o underst and what is being asked, so when you answer a quest ion you know what you j ust allowed t o run on your syst em . I f you don't underst and, or if what is being asked sounds bad, click no. I f t hings seem t o break or not work when you click no, you can hit t he Back but t on and t ry again. You will not harm your com put er or t he Web sit e by choosing no; you sim ply m ight cause t he page t o not display properly.
Patches As wit h t he operat ing syst em , your browser m ight need t o be pat ched from t im e t o t im e t o cover securit y holes t hat are discovered aft er it is released. This can be t edious but needs t o be done if you are t o rem ain secure. The pat ches for browsers are usually m ade available t hrough Windows Updat e ( windowsupdat e.m icrosoft .com / ) and are usually post ed wit hin days of when securit y holes are announced. I suggest you use Windows Updat e or subscribe t o t he securit y m ailing list s described in Appendix A t o keep up- t o- dat e on your pat ches.
"Sandboxes"
Java and som e ot her Web- based soft ware use " sandboxes" t o enable higher securit y. This m eans t hey have rest rict ed what t heir soft ware can do out side t he scope of t he browser. For exam ple, in " norm al" soft ware, I can call various funct ions from t he operat ing syst em , t he browser, or ot her applicat ions I am running, and m ost soft ware will allow m e t o use t he funct ions. Wit h a " sandbox" around m y soft ware, I 'd be able t o call only browser funct ions ( or what ever funct ions t he sandbox allowed) . A sandbox is a very effect ive m eans of providing securit y, because it " denies all" of t he funct ions out side t he init ial int ent of t he soft ware. Even if som eone figures out lat er how t o use OS calls t o do a securit y exploit , sandboxed soft ware will not be vulnerable t o it . But sandboxing isn't perfect . The sandbox is only as good as t he code t hat defines it , so if t he sandbox code has a bug, securit y holes m ight st ill exist in sandboxed soft ware.
Web Page Security Now t hat your browser and OS are secure, you're free t o run anywhere and do anyt hing, right ? Well, not com plet ely. There is anot her im port ant t hing you should wat ch for when using t he Web. Som e pages need t o use sensit ive dat a; it is t hat
sim ple. You can't buy anyt hing online, for exam ple, unless you have a credit card or have exchanged som e personal inform at ion t o get t he process st art ed. I f you are going t o exchange any sensit ive inform at ion on t he Web, m ake sure you're doing it on a secured page. How do you know? By looking for t he lock in t he lower right corner of t he st at us bar at t he bot t om edge of t he browser ( for I nt ernet Explorer) . I f t he lock is t here and closed, you are on a secured connect ion. Addit ionally, if t he address is ht t ps: / / inst ead of ht t p: / / , you're also on a secured channel. The secured channel I am t alking about is t he Secured Socket s Layer, or SSL. SSL is a m et hod of encrypt ing t he dat a t hat t ravels bet ween your syst em and t he server t hat needs t o st ore or use t hat dat a. I personally will not exchange any personal inform at ion across t he Web unless it is done on SSL connect ions. SSL only prot ect s t he dat a in t he current session, so if a com pany uses SSL t o gat her your dat a and t hen leaves it in t heir dat abase unprot ect ed, t hat isn't good. You did all you could, however, and t he com pany is responsible for t he dat a loss—not you as t he user. Ot her t hings t o wat ch for while browsing t he Web include pages in fram es t hat load from different dom ains ( you can usually t ell by wat ching t o see where t hey load from in t he st at us bar or if t hey load at significant ly different rat es) , persist ent navigat ion bars t hat force all ot her pages t o include t heir navigat ion, and sit es redirect ed across m ult iple dom ains. And wat ch in t he address bar t o see if t he URL m akes som e sense. I f you are going t o Charles Schwab t o check your st ocks, but t he URL says www.haxorjohn.com, don't t rust it . Be sure t he address t hat loads is t he correct one. An exam ple of m ism at ched addresses is shown in Figure 7- 2. ( Wat ch t he dom ain nam e. I f it j um ps t o an unrelat ed dom ain, t here m ight be a problem . I f a sit e j um ps t o a different server on t he sam e dom ain, it is likely a norm al and accept able act ion.) Most of all, j ust use com m on sense. There are plent y of legit im at e and secure sit es t hat will be happy t o do business wit h you. I t is far m ore rare t hat som eone want s t o rip you off, but if you find one, you need t o be able t o ident ify t he scam and avoid it .
Figu r e 7 - 2 . M ism a t ch e d a ddr e sse s in br ow se r
E-commerce Security Issues While we're on t he t opic of m oney, let 's t alk briefly about e- com m erce. I 've already t alked about how t o shop online securely, but here are a few ot her point s t hat are less t echnical and m ore social. Buying online can be easy; in fact , it is very easy. And t here are plent y of sit es t hat will happily t ake your m oney and send you pet food, groceries, shoes, cars, books, Superm an com ics, and on and on. Here's som e advice t hat isn't direct ly com put er relat ed but could help you use your com put er m ore safely when you're buying online.
Use Trusted Vendors Finding st uff t o buy online is easy, and finding it from a nam e- brand or large chaint ype st ore wit h an online presence is usually easy t oo. Do not t rust t hat som e sm aller business necessarily has t he sam e product or ret urn policies j ust because it has a Web sit e. I f you choose t o do business wit h less- recognized vendors, realize t hat you m ight not get t he qualit y of m erchandise or service t hat t he nam e- brand st ores can give.
If It Sounds Too Good to Be True, It Is The I nt ernet is a large and relat ively anonym ous place—t he perfect place for scam s and cons t o be run against people looking for a deal. This has occurred a num ber of t im es already, and I 'm sure it will happen again. Alt hough finding a bargain at an auct ion sit e or online vendor is good, t here are rip- offs out t here t hat specifically t arget I nt ernet users. I f som et hing sounds t oo good t o be t rue, m ake very sure you know what you're get t ing int o. Also, rem em ber t hat false urgency is a nearly universal sign t hat som eone is scam m ing you. I f t hey are t rying t o rush you and won't supply you wit h inform at ion about t he com pany and t he product but rat her push for a sale, walk away. They m ight not be direct ly t rying t o rip you off, but odds are som et hing isn't right . Any legit im at e com pany would be able t o give you inform at ion and let you t ake your t im e t o decide. Auct ions obviously have t im e fact ors, but buying vacat ion t icket s or shoes online shouldn't .
Web Security Checklist Table 7- 1 shows t he set t ings recom m ended for t he zones in I nt ernet Explorer 5.0. These set t ings will vary slight ly wit h different versions of I E and probably won't exist if you're using a different browser. Net scape does have sim ilar securit y feat ures and set t ings, so AOL users and Net scape users should be able t o t ranslat e bet ween t hese set t ings and t he ones in t heir browsers. The left colum n gives t he set t ing nam e, and t he ot her colum ns show t he recom m ended set t ings for t he individual zones.
Ta ble 7 - 1 . W e b Se cu r it y Che ck list Se t t ing Download
I nt e r ne t Prom pt
H igh Se cu r it y Prom pt
Loca l I ntranet Prom pt
Tr u st e d Sit e s
Re st r ict e d Sit e s
Enable
Disable
Ta ble 7 - 1 . W e b Se cu r it y Che ck list Se t t ing
I nt e r ne t
H igh Se cu r it y
Loca l I ntranet
Tr u st e d Sit e s
Re st r ict e d Sit e s
signed Act iveX cont rols Download unsigned Act iveX cont rols
Disable
Disable
Disable
Prom pt
Disable
I nit ialize and script Act iveX cont rols not m arked as safe
Disable
Disable
Disable
Prom pt
Disable
Run Act iveX cont rols and plug- ins
Enable
Prom pt
Enable
Enable
Disable
Script Act iveX cont rols m arked safe for script ing
Prom pt
Prom pt
Enable
Enable
Prom pt
Allow cookies t hat are st ored on your com put er
Enable
Disable
Enable
Enable
Disable
Allowed persession cookies ( not st ored)
Enable
Enable
Enable
Enable
Disable
File download
Enable
Disable
Enable
Enable
Disable
Font download
Enable
Disable
Enable
Enable
Prom pt
Java perm issions
High Safet y
High Safet y
Medium Safet y
Low Safet y
High Safet y
Access dat a sources across dom ains
Disable
Disable
Prom pt
Enable
Disable
Drag and drop or copy and past e files
Enable
Prom pt
Enable
Enable
Prom pt
I nst allat ion of deskt op it em s
Prom pt
Prom pt
Prom pt
Enable
Disable
Ta ble 7 - 1 . W e b Se cu r it y Che ck list Se t t ing
I nt e r ne t
H igh Se cu r it y
Loca l I ntranet
Tr u st e d Sit e s
Re st r ict e d Sit e s
Launching program s and files in an I FRAME
Prom pt
Prom pt
Prom pt
Enable
Disable
Navigat e subfram e across different dom ains
Enable
Prom pt
Enable
Enable
Disable
Soft ware Channel perm issions
Medium Safet y
High Safet y
Medium Safet y
Low Safet y
High Safet y
Subm it nonencrypt ed form dat a
Enable
Prom pt
Enable
Enable
Prom pt
Userdat a persist ence
Enable
Disable
Enable
Enable
Disable
Act ive script ing
Enable
Prom pt
Enable
Enable
Prom pt
Allow past e operat ion via script
Enable
Disable
Enable
Enable
Disable
Script ing of Java applet s
Enable
Prom pt
Enable
Enable
Disable
Logon
Aut om at ic logon only t o I nt ranet zone
Anonym ous logon
Aut om at ic logon only t o I nt ranet zone
Aut om at ically log on wit h current usernam e and password
Prom pt for usernam e and password
Chapter 8. Defending Against Hackers (Posting Guards in the Town and Building Outposts) Now t hat t he t own was growing and prospering, John had one last concern t o address. He needed t o ensure it s cont inuing prot ect ion. That m eant using deput ies t o help his sheriff keep t he peace, and it m eant building out post s around t he t own t o provide prot ect ion and early warnings of t rouble. When John got t oget her wit h his current sheriff and deput ies, t hey decided m ore help was needed, so he hired m ore deput ies. Their j ob wasn't t he day- t o- day law enforcem ent of corralling crooks or prot ect ing t he st agecoaches; it was wat ching what was going on in t he t own and let t ing t he sheriff know if som et hing unusual or suspicious was happening. The new deput ies act ed as eyes and ears in t own so t he sheriff and t he senior deput ies could do m ore work. Next John and t he ot her t ownspeople built out post s in t he surrounding count ryside. These also didn't serve as a direct line of defense so m uch as an early warning syst em if som et hing was happening or som eone was com ing. John knew t hat an early warning was crucial t o good preparat ion. Knowing who was com ing— and how m any—m eant being prepared t o face t he challenge rat her t han guessing or being surprised. The out post s were all m anned wit h t wo observers, who kept at least one fresh horse for a quick ride back t o t own. The observers' orders were sim ple: I f you see som et hing out of t he ordinary, one of you ride t o t own and report it . Then get a fresh horse and ride back t o resum e t he wat ching. The sheriff or John would send som eone out t o act ually invest igat e t he sight ing. John quickly realized t hat a lot of inform at ion was being gat hered, and som eone needed t o act ually review it all t o see what was im port ant . John found him self spending m uch of his t im e reviewing report s of act ivit y, and he delegat ed t o his sheriff t he j ob of act ually invest igat ing. This was som et hing he hadn't ant icipat ed, so over t im e he t rained ot hers t o review t he incom ing report s so he could have som e t im e t o run t he t own. And t hey t ook one m ore st ep: They t rained t he observers in t he out post s t o filt er inform at ion bet t er so t hat unim port ant act ivit y was not report ed. Aft er all t his was in place, John felt he had achieved a level of securit y t hat enabled his t own t o grow and prosper while rem aining prot ect ed. He could relax and t hings would be okay. He never let his guard down, but he didn't have t o work so hard now t o keep t hings secured.
The Extent of the Problem Windows operat ing syst em s represent t he largest inst alled base of any client operat ing syst em . A large num ber of server syst em s are also inst alled t hroughout t he world. Som et hing wit h hundreds of m illions of users would nat urally becom e a t arget for hacking and at t em pt s t o break securit y, if only because of t he large chance t hat a successful exploit could land som et hing valuable. I t seem s believable t hat som eone is always t rying t o break int o a Windows syst em . That is t rue. Som eone som ewhere is always t rying t o find t he next exploit or securit y hole t o t ry. They do t his for a variet y of reasons. Som e are working at Microsoft and in t he process of im proving t heir own product , while ot hers are working at ot her securit y com panies t hat work wit h Microsoft t o pat ch holes before m aking t hem public. Som e hackers want t o cause t rouble because t hey don't like Microsoft as a com pany, and som e because it gives t hem bragging right s. Finally, a very sm all num ber of people are int ent on causing harm or st ealing inform at ion for profit . Wit h all t hese people t rying t o break in, t he gam e of securit y becom es a const ant push/ pull of exploit and pat ch. For every feat ure or change in t he operat ing syst em or applicat ion, t here is an opport unit y for a new exploit and a chance for a hacker t o get t o it first . The rule of t he world of securit y is t hat no one is safe forever. Securit y is a dynam ic field, and it is not only Windows syst em s t hat are t arget ed, as you can see in Table 8- 1 from www.securit yfocus.com . As you can see, pret t y m uch every operat ing syst em available has som eone finding holes in it . What t his chart doesn't show is t he inst alled base of each operat ing syst em , so we can't t ell if report ed vulnerabilit ies for an operat ing syst em in 2001 are act ually low or high as a percent age of t he t ot al volum e of inst alled syst em s.
Ta ble 8 - 1 . OS Vu ln e r a bilit ie s Re por t e d pe r Ye a r N u m be r of OS Vu lne r a bilit ie s by Ye a r OS
1997
1998
1999
2000
2001
AI X
21
38
10
15
6
BSD ( aggr.)
9
8
25
52
28
BSD/ OS
7
5
4
1
3
BeOS
0
0
0
5
1
Caldera
4
3
14
28
27
Connect iva
0
0
0
0
0
Debian
3
2
31
55
28
FreeBSD
5
2
17
36
17
HP- UX
9
5
11
26
16
Ta ble 8 - 1 . OS Vu ln e r a bilit ie s Re por t e d pe r Ye a r N u m be r of OS Vu lne r a bilit ie s by Ye a r OS
1997
1998
1999
2000
2001
I RI X
28
15
9
14
7
Linux ( aggr.)
14
25
99
153
96
MacOS
0
1
5
1
4
MacOS X Server
0
0
1
0
0
Mandrake
0
0
2
46
36
Net BSD
2
4
10
20
9
Net ware
1
0
4
3
1
OpenBSD
1
2
4
17
14
Red Hat
6
10
47
95
54
SCO Unix
3
3
10
2
21
Slackware
4
8
11
11
10
Solaris
24
33
34
22
33
SuSE
0
1
23
31
21
TurboLinux
0
0
2
20
2
Unixware
2
3
14
4
9
Windows 3.1x/ 95/ 98
3
1
46
40
14
Windows NT/ 2000
10
8
78
97
42
Source: www.securit yfocus.com , reprint ed wit h perm ission
Determining If You Are a Target At som e point in your life, if you spend t im e on t he I nt ernet , you will becom e t he t arget of a hacker or virus—it 's t hat sim ple. People are looking for t arget s, and you will m ost likely be hit —or at least probed—by one of t hese people. But t he good news is t hat if your syst em looks unint erest ing or hard t o penet rat e, t hey oft en m ove on t o easier t arget s.When t hey don't m ove on, and t hey st ick around t o t ake a look at your syst em , how do you know? What signs are available t o t ell you t hat som eone is looking at you? The answer really depends on t he hacker, your operat ing syst em , and t he t echniques being used t o do t he looking. A sim ple scan m ight leave lit t le or no t race t o indicat e it has been done. More act ive inform at ion- gat hering t ends t o leave clues t hat you can find if you know where t o look and how t o do som e configurat ion on your syst em . I f your syst em support s Access Cont rol List s ( ACLs) and audit ing, t urn t hem on t o an appropriat e level. ( I f you're wondering what is an
appropriat e level, I 'll get back t o t hat short ly.) I f your syst em doesn't support ACLs and audit ing, you'll need t o get som e sort of firewall or proxy t o sit bet ween you and t he I nt ernet and log at t ack at t em pt s. Having bot h a firewall and proxy soft ware is even bet t er, because you'll have opt ions for bot h logging and audit ing.
How Much Is Enough? What is t he appropriat e level of logging and audit ing? Som e expert s would t ell you t o t urn it all on so you'll be sure. But t oo m uch logging can cause perform ance issues and logs t hat are t oo full of dat a t o be useful. You want logging t hat is done at t he right level for you. First , underst and your operat ing syst em 's logging and audit ing capabilit ies. This is oft en described in t he user m anual or online Help of your operat ing syst em and of your firewall ( if you're using one) . For Windows 9x, ME, and XP, t he answer is none; for t he NT and 2000 series, good opt ions are available.You want t o know ( 1) who is logging on t o your syst em ( Audit Account Logon, Success and Failure) , ( 2) who is t rying t o change your securit y set t ings ( Audit Account Managem ent , Audit Policy Change, bot h Success and Failure) , and ( 3) what t hey are accessing on t his com put er ( Audit Obj ect Access, Failure only) . You cont rol t hese set t ings from User Manager on Windows NT 4 syst em s or from Adm inist rat ive Tools ( found in t he Cont rol Panel) on Windows 2000 syst em s ( see Figure 8- 1) . Find t he Local Securit y Set t ings icon and double- click. I n t he left panel, navigat e t o Local Policies and t hen t o Audit Policy t o view or change t hese set t ings. You have t o be Adm inist rat or of t he syst em t o be able t o m ake t hese changes.
Figu r e 8 - 1 . Th e Com pu t e r M a n a ge m e n t a pple t
You m ight wish t o audit port ions of t he file syst em t o see if anyone is accessing cert ain files, but t hat can cause a lot of perform ance hit s. My advice is t o decide if you have any direct ories ( folders) or files t hat need special prot ect ion or for which you especially need t o know if anyone is accessing t hem . Then audit only t hose files or folders, rat her t han t he whole file syst em . To set file audit ing, open Explorer and go t o t he file or folder you wish t o audit . Right - click, select Propert ies, and t hen go t o t he Securit y t ab. On t he Securit y t ab, click t he Advanced but t on and t hen select t he Audit ing t ab. You should see an Add but t on. Click Add and select an account in t he dom ain or on t he local syst em t hat you want t o audit . I f you're prot ect ing sensit ive files, you m ight wish t o audit t he Everyone group or you m ight want t o audit specific users. Aft er you click OK, you are t aken t o t he Audit ing Ent ry for FolderNam e screen, where FolderNam e is t he nam e of t he folder you are audit ing ( see Figure 8- 2) . Select t he act ivit ies you want t o audit against . Typically you should audit for Read ( shows as Traverse Folder/ Execut e File and List Folder/ Read Dat a on Windows 2000) , Change Perm issions, Take Ownership, and possibly Delet e. Now click OK t hree t im es t o close t he windows. You m ight receive a m essage st at ing t hat audit ing is not set on t his syst em . I f you do, go back t o t he previous paragraph on set t ing Audit Policy and ensure t hat you have set Obj ect Access t o audit at least Success or Failure.
Figu r e 8 - 2 . Se t t in g a u dit in g on a folde r
Now you need t o look at t he result s. To find t he collect ed dat a, look at t he Securit y Log of your syst em . You do t his from t he Event Viewer applicat ion, which is in t he Adm inist rat ive Tools sect ion of t he Cont rol Panel for Windows 2000 and in t he Cont rol Panel for Windows NT 4 syst em s. I recom m end viewing t his about once a week for a while and t hen adj ust ing your viewing t o suit your t im e and needs. Realize, t hough, t hat if you don't review t he logs, you m ight as well t urn audit ing off. I t does no good t o collect dat a t hat goes unviewed.
Attacks and Penetrations I t is oft en hard—or even im possible—t o det erm ine if you are act ually under at t ack at any given m om ent . Mainly you have t o depend on t ools t o help. BlackI ce Defender ( by Net workI CE) and m any ot her personal firewalls have alert s you can set t o inform you when t he soft ware t hinks you are under at t ack. These syst em s aren't perfect , but t hey are far m ore reliable t han t rying t o " cat ch" som eone by reading logs or wat ching perform ance yourself. But if you want ed t o put in t hat m uch effort , how m ight you " cat ch 'em in t he act " ? I 'm not recom m ending t hat you t ry t his, but it is possible. I f you want t o read an int erest ing account of som eone who did t his before t ools were available t o help, t ry Cliff St ohl's Cuckoo's Egg. [ 1] I t 's not only a good com put er securit y st ory, but a good book in general and a t rue st ory. [ 1]
St ohl, Clifford. Cuckoo's Egg: Tracking a Spy Through t he Maze of Com put er Espionage. New York, NY: Pocket Books, 2000.
First , t o be able t o cat ch t he unusual on your syst em , you have t o know what is usual. You should know what kind of perform ance you get out of your net work connect ion ( connect ion t o t he I nt ernet for m ost people, but som e have hom e net works) and out of your syst em disk drives, CPU, and so on. You should also have a reasonable idea of t he files t hat are found on your hard drive, especially in t he root of t he C: drive. From t his baseline, you can st art t o spot abnorm alit ies. Rem em ber, t hough, t hat abnorm alit ies com e in a variet y of ways. You could have a net work connect ion problem due t o t echnical issues at your I SP or server problem s on one of t he m any servers t hat assist you in get t ing access t o t he I nt ernet . You could also experience hardware failure on your own syst em . The abnorm al you are looking for can be obscured a bit by such event s, but once you know your syst em , you can wat ch for t he following indicat ions t hat a hacker has t ried t o gain access t o your syst em —or worse, has already succeeded. • • •
Un u su a l syst e m r e sou r ce s: I f you not ice a sudden surge in t he consum pt ion of syst em resources ( syst em slowdown) or you find a service or applicat ion running t hat you never saw before, you could be looking at t races of a hack or Troj an horse on your syst em . N e t w or k con n e ct ion a t t e m pt s: I f your syst em at t em pt s t o connect t o t he I nt ernet , or your DSL or cable connect ion shows act ivit y when you don't t hink it should, you m ight have an int ruder on your syst em . File s not nor m a lly fou n d in W indow s: St range files or program s appearing when you don't expect t hem can signal hack at t em pt s or successes, Troj anhorse infect ion, or a worm or virus infect ion. An exam ple would be a file nam ed root .exe on your C: drive.
•
Ch a n ge s or disa ppe a r a n ce of file s or folde r s: I f you find files and folders changing nam es, m oving, or being alt ered wit hout your knowledge ( or if m ult iple users are on t he syst em , wit hout anyone's knowledge) , you m ight be looking at a com prom ise.
Rem em ber t hat not every hack- like sym pt om m eans you've been hacked; in fact , odds are you are seeing som et hing else. But st aying alert and wat chful is a good idea. Just because hom e syst em s rarely are hacked doesn't m ake it im possible.
Social Engineering or "The Art of the Con" Throughout hist ory, t here have been people who t ake advant age of ot hers, people who prey on t he t rust of t hose around t hem t o " get ahead." I n t he com put er world, t his is oft en called " social engineering." Hackers m ight say it m eans hacking t he people who run com put ers, but it is really not hing m ore t han a con. I 'm t alking about t he art or m anipulat ive skill of get t ing inform at ion from people when you m ight not be able t o get it from com put ers. Social engineering is oft en not discussed in securit y because it isn't " t echnical" or com put er- relat ed, but it 's a t hreat t o any com put er user, so I want t o show you a few exam ples. A t iger t eam is a group of professional hackers hired by a corporat ion t o t est securit y by at t em pt ing t o break in t o t he corporat ion's syst em s. One such t eam was hired by a large oil com pany t o t est it s syst em securit y, and t he t est was slat ed t o run for t hree days. Aft er t hree days t he t iger t eam was t o report t heir result s so any holes discovered could be fixed. The first day went sm oot hly. The t iger t eam scanned t he syst em s t hrough t he usual script s and t echniques and found only a few m inor issues. The t eam t hen t ried a different t act ic. One m em ber of t he t eam called t he com pany's recept ionist and asked for t he num ber of t he Help Desk, saying he was on t he road and had forgot t en t he num ber. The recept ionist , who of course want ed t o be helpful, gave out t he num ber of t he Help Desk. Next a m em ber of t he t iger t eam called t he Help Desk, pret ending t o be in a big rush, and asked t he person at t he Help Desk t o reset t he Adm inist rat or password on t he m ail server. He t old t he Help Desk worker t hat t here was current ly an out age of e- m ail and it was im port ant t o get t his password reset im m ediat ely. When asked for verificat ion of ident it y, t he t iger t eam m em ber becam e irat e and dem anded t hat t he Help Desk worker should reset t he password, give him t he password and server nam e, and " do it now! " He said his nam e was Bill Brown and t hat t he I T m anager, whose nam e he "forgot ," had hired him a week ago. He added t hat if t his were not resolved soon, bot h he and t he Help Desk person would m ost likely be out of a j ob, " so let 's get t his t hing reset ." Reluct ant ly, t he Help Desk worker reset t he password of an Adm inist rat or account on t he m ail server and gave t he nam e of t he server and password t o t he t iger t eam m em ber. The t eam report ed t hat t he com pany's securit y was reasonably good from a t echnical st andpoint ( m inor issue) , but t hat t he em ployee securit y awareness program was weak and t he t est was a failure. The next exam ple m ight , unfort unat ely, be fam iliar t o som e readers. The Happy99.exe worm is an execut able file t hat is sent wit h an e- m ail m essage or downloaded from I nt ernet newsgroups. When run, t he worm shows t he user som e graphics of fireworks and gives t he m essage " Happy New Year 1999! " ( I t , of course, appeared in early 1999.) However, while t he user is wat ching t he fireworks, t he worm m odifies t he syst em files. The next t im e t he user connect s t o t he I nt ernet , t he worm m ails it self t o people in t he user's e- m ail address book. Because t he m essage
isn't from a st ranger, recipient s don't suspect a virus or worm and oft en run t he file. Thus t he worm spreads. What do t hese t wo exam ples have in com m on? They bot h used social engineering t echniques t o accom plish t he hack. I n t he first case, t he t iger t eam used social engineering t o get access t o a syst em t hat cont ained valuable inform at ion and t o get Adm inist rat or access. I n t he second, t he worm was coded t o spread t hrough a user's e- m ail address book so t he m essages would not be viewed as being from st rangers and t herefore unt rust wort hy.
Who Is to Blame for the Problems? About t his t im e, people oft en begin asking, " Who is t o blam e for t his m ess?" They wonder who put t hem where t hey are. Let 's look at t hat . Why is securit y such a m ess right now? I s it really a m ess at all? First , it is im port ant t o hold soft ware producers account able for t he soft ware t hey produce. I t is not realist ic t o t ot ally absolve t hem of responsibilit y for t he st at e of t he soft ware t hey writ e, which is what som e of t he End User License Agreem ent s would have us t hink. However, t he producers aren't t ot ally t o blam e for t he sit uat ion, eit her. Despit e t heir best effort s, people do m ake m ist akes. Because corporat ions are m ade up of people, we can expect soft ware t o cont ain som e m ist akes. Add t his t o t ight schedules and ( in t he early years) a lack of any road m ap t o help det erm ine how t his " should be done." These can lead t o errors in any field. I n t he early days, soft ware securit y was not only difficult t o achieve but oft en overlooked or avoided. The few hackers were also writ ing t he soft ware—t hey were t he only ones who underst ood t his st uff well enough t o do it .
Signs of a Social Engineering Attack
You m ight be asking, " How will I know t hat I 'm being subj ect ed t o social engineering? What are t he signs?" Let 's t ake a look. •
•
Fa lse se n se of u r ge ncy: Oft en, t he con art ist depends on a false sense of urgency or im port ance. Salesm en have used t his for years t o get sales, and con art ist s also use it t o get t heir way. When people t hink som et hing is im port ant and t im e- sensit ive, t hey t end t o react different ly t han if t hey had t im e t o t hink about it . This false urgency can t ip you off t o a con or hack at t em pt . Too good t o be t r u e : Prom ises of huge rewards and benefit s can be used t o con people int o doing t hings t hey ot herwise wouldn't . People have given out bank account num bers on t he prom ise t hat t hey would receive several m illion dollars for t he " inconvenience" of t he use of t heir account . I n t rut h, t heir account is drained and not hing ever is ret urned. I 'm quit e sure t he sam e request would be t urned down wit hout a second t hought if t he pot ent ial reward were only 20 dollars.
• • •
•
Ta k e a dva n t a ge of t r u st e d fr ie nds: Con art ist s oft en don't t arget you direct ly but use you t o get at your friends. By convincing you t o " t alk t o" friends or fam ily, t hey can con t he friends or fam ily, using t hose people's t rust in you t o get som et hing t hat a st ranger couldn't get . I n com ple t e or m issin g ve r ifica t ion : ( May be com bined wit h " false sense of urgency.") Con art ist s oft en can't produce act ual verificat ion of ident it y or legit im acy. I nst ead, what t hey show you sounds good but has no subst ance. Ask ing for " a big fa vor " : This sim ple t echnique t akes advant age of people's desire t o be helpful and " good people." The con art ist sim ply asks for help or " a favor" and t hen asks you t o do som et hing you probably know you shouldn't . You feel obligat ed t o help because t hey ask and say t hey really need you. D oe sn 't fe e l r igh t : Rem em ber t hat inst inct is oft en accurat e. Cons oft en don't quit e feel right . I n fact , m ost vict im s of a con know t hey are being conned but som ehow t alk t hem selves int o it , ignoring t he part t hat is giving warning in favor of t he part t hat " want s t his t o be real." That is t he heart of t he con.
As t im e passed and m ore people bought com put ers, t hey dem anded m ore feat ures and expect ed bet t er product s. Producers had no t im e t o t hink about securit y, and users weren't asking for it , so it was put on t he back burner. Once again, securit y wasn't applied. Event ually, t he Web and I nt ernet evolved and a huge net work of users and com put ers were " suddenly" connect ed. A m assive playground opened up for hackers, and t arget s were available everywhere. Now syst em s are get t ing bet t er, and t he average user is m ore aware of securit y issues. ( You're reading t his book, right ?) I n m any cases, however, t he securit y pract ices t hat were not set a few years ago are st ill suffering from old holes and repeat ed m ist akes, even when we should know bet t er. One exam ple is t he buffer overrun: a sim ple exploit of put t ing t oo m any byt es ( com put ers use byt es and bit s t o represent t he dat a t hey use t o run program s and st ore your inform at ion) in som e soft ware wit h t he int ent of m aking som e of t he ext ra byt es run a program t hat wasn't originally int ended. This t ype of securit y hole has exist ed and been docum ent ed for 20 years, yet our soft ware t oday is st ill as vulnerable as it was 20 years ago. Sounds bad for t he st at e of affairs, huh? But let 's not get all " doom and gloom " on t he st at e of soft ware. Soft ware has im proved great ly in t he past few years. Securit y is im proving because t he people writ ing soft ware are bet t er educat ed, bet t er t est ing is being done, and t here is m ore indust ry scrut iny. I t is reasonable t o expect t hat a syst em as com plex as a m odern operat ing syst em will have bugs, errors, and int eract ions t hat were not predict ed. I f I recall correct ly, Windows 2000 has over 35 m illion lines of code. That is at least 35 m illion chances for an error t o occur, and if even 1 percent are possible securit y holes and only 1 percent of t hose are act ually exploit able, t he soft ware has 3500 securit y holes. The chances are act ually less t han t hat because of t est ing, coding st andards, and a wide variet y of t hings, but t he holes are t here. Wit h several hundred ( if not t housands) of people t rying t o break int o t he syst em , t hings can happen t hat were never int ended. Today's com put er syst em s are incredibly com plex, even for t he people who writ e t he soft ware. Syst em s are so com plex, in fact, t hat no one can com plet ely underst and every aspect of t hem . This com plexit y is one reason securit y will always be im port ant
and needing t o be wat ched. I n a very com plex syst em , even sm all changes can result in big im pact s. Wit h so m uch t o wat ch for, so m any possible cases t o t est , and so m any dependencies and int eract ions, it t akes am azing soft ware engineering t o get any com put er syst em t o work, let alone som et hing like t he I nt ernet , where t hey all t alk t o each ot her. The answer t o our quest ion, t hen, is t hat alt hough t here is a lot of room t oday for im provem ent in soft ware producers and in t he product s t hey creat e, t hey are only part ially t o blam e. Mist akes and bad decisions m ade years ago account for t he rest of t he blam e. People need t o put pressure on all soft ware producers t o supply usable and st rong securit y in t heir product s and t o correct t he m ist akes of t he past . Users m ust becom e m ore educat ed on securit y pract ices and how t o achieve good securit y. Unless users put pressure on producers and vendors, I 'm afraid securit y will always t ake a back seat t o usabilit y and convenience. I t shouldn't be t hat way, but unt il users st op paying for soft ware t hat can't be secured, we'll see it on t he m arket .
Can Anyone Help? I hope you realize now, wit hout being t oo scared, t hat com put er securit y is a t ough endeavor—so t ough t hat you m ight want t o find help. I f so, you are in luck: plent y of people are willing and able t o help. I have placed links in Appendix A t o m any different resources about securit y, but t hese are especially not able: • • •
M icr osoft Se cu r it y Bu lle t in ( w w w .m icr osoft .com / se cu r it y) : A great source of Microsoft Securit y inform at ion. Lot s of inform at ion for nont echies and t echies alike. Be sure t o subscribe t o t he securit y alert m ailing list for em ail updat es about securit y pat ches for Microsoft product s. N TBu gTr a q ( n t bu gt r a q.n t a dvice .com / ) : A great m ailing list and Web sit e m ainly devot ed t o NT securit y but covering m any Microsoft issues wit h ot her product s t oo. Se cur it y Focus ( w w w .se cur it yfocus.com ) : A verit able clearing house of securit y inform at ion for a variet y of operat ing syst em s and product s. I ncludes, of course, Microsoft product s and operat ing syst em s.
The final chapt er looks at a subj ect m any readers will be fam iliar wit h, at least by reput at ion: viruses and Troj an horses. These pieces of code and t he prevent ion of t heir spread and dam age are a const ant focus of securit y effort s. Chapt er 9 looks at what you can do for your com put er or net work.
Chapter 9. Viruses, Trojan Horses, Hoaxes (Spies and Saboteurs in the Village) Now t hat John's village is defended and a nice t hriving econom y is boom ing in his t own, what is left t o do but sit back and enj oy? That would be nice, but it 's not quit e t hat easy. Enem ies of t he village can't at t ack by force now because John is prepared for t hat , but t hey can use subt let y and subt erfuge. Spies and sabot eurs can st ill at t ack t he village and cause problem s. Because t hese spies m ove t hrough t he village unseen, t hey represent a m ore difficult securit y problem t han a direct at t ack. At least a direct at t ack announces it self. John would be able t o see t he arm ies m assing, could wat ch t heir m ovem ent s, and could respond t o t hose pieces of inform at ion accordingly. But t he spy or sabot eur is a different t hreat ent irely. These enem ies look and act like anyone who would norm ally be t raveling t hrough t he village, even buying goods and visit ing local spot s of int erest . They m ight com e as peddlers, offering a service, or as ent ert ainers. Once inside t he walls and t he securit y rest raint s, however, t he spies can begin t o do dam age. Som et im es t his dam age is so slight t hat t he t own m ight not not ice right away, or t hey m ight not suspect t hat incident s are relat ed. But if left unchecked, t hese spies and sabot eurs can dest roy t he village wit hout firing a shot , or t hey can creat e enough dist urbances t hat John will be unable t o defend t he t own against t he at t ack. What can John do about t hese t hreat s—t he ones he can't see or hear unt il t hey're causing problem s? The answer for sure isn't easy, but let 's look at t he opt ions. We have already discussed John's layered securit y. He has ext ra deput ies in t he m ore sensit ive areas and requires credent ials before anyone can get in. Those sensit ive areas are isolat ed from less secure areas wherever possible. Addit ionally, t he lookout s wat ch for suspicious act ivit y in an at t em pt t o prevent harm t o t he t own's resources or defenses. Com bining all t hese securit y m easures wit h act ive m onit oring m ight seem t o be t he best John can do. But he has an addit ional point in his favor: He has som e spies and sabot eurs working for him t oo. The old saying " I t t akes a t hief t o cat ch a t hief" holds t rue for cat ching such decept ive at t acks. John hires spies t o const ant ly updat e t he sheriff about what is at risk, how t he t hreat m ight be carried out , and signs t o look for t o ident ify an at t ack early. John's spies m ight even have inform at ion about specific people and t he t echniques t hey plan t o use so t he sheriff can check out t hose people. The bad news is t hat if a t ot ally new spy wit h a t ot ally new t echnique appears, t hat new spy will probably not be caught . Then all John can do is t ry t o cont ain t he dam age. Wit h layered securit y, John can
prevent serious losses, but he can't cat ch everyone. Luckily, he has one final, very effect ive t ool in his arsenal: cooperat ion. John can t alk t o t rust ed neighboring villages and allies t o gat her and share inform at ion. He can t alk t o professionals who spend t heir days t racking and cat ching spies. He can keep list s of inform at ion about sim ilar act ivit ies in different locat ions. By doing all t his, John can put t oget her a quick pict ure of new act ivit ies and t hreat s and shut t hem down by early det ect ion, lim it ing t he overall dam age.
Computer Viruses and Trojan Horses What are t he com put er equivalent s t o spies and sabot eurs? Viruses and Troj an- horse program s. Before we go fart her, here are som e definit ions you'll need: •
• •
•
•
• •
•
• •
Com pu t e r vir u s: St ealt hy soft ware code designed t o self- replicat e and carry a payload. Might also be polym orphic. St e a lt h , st e a lt hy: Conscious effort t o hide oneself from det ect ion. Se lf- r e plica t ion : Capabilit y t o m ake copies of it self and infect ot her files or syst em s. Pa yloa d: Code t hat m akes t he virus do som et hing. Can be as sim ple as displaying a m essage or as bad as form at t ing your hard drive ( if you aren't prot ect ed) . Polym or phic: Capabilit y of a virus t o change it self as it infect s different files or syst em s. Helps t he virus rem ain st ealt hy. I n fe ct ion : When a virus becom es act ive on a syst em or at t ached t o a file. Tr oj a n hor se : Soft ware t hat carries wit h it code t hat is not acknowledged or not for t he st at ed purpose. Oft en used t o break int o syst em s for t he first t im e or t o inst all soft ware a user would not t ypically inst all knowingly. W or m : Soft ware code designed t o spread aut onom ously from syst em t o syst em , usually wit hout any user int eract ion. Cle a n syst e m : Has no virus infect ion in it s files or m em ory. " I n t h e w ild" : Describes a virus t hat has been report ed as being on real syst em s in use at hom e or at a business.
As you can see, t he m odel used for com put er viruses is t he sam e as t hat used for live viruses t hat infect people ( such as a cold or t he flu) . The t wo viruses have m any sim ilarit ies. Bot h are able t o self- replicat e and m ight carry a dam aging payload. Bot h m ight also change over t im e t o avoid " dying off." I f you t hink about your com put er as you would t hink about m oving around in a crowded area during flu season, you can begin t o get t he idea of t he t hreat you m ight face. Not everyone get s sick during flu season; however, as m ore people get sick, m ore people are exposed, and t he cycle get s bigger. Aft er enough people get sick, t hey begin t o get t reat m ent , and t he flu begins t o go away. That 's t rue of com put er viruses t oo. A few folks hit by a virus m ight not even know or care. I f t hey don't expose anyone else, no one will probably know. However, if t hose infect ed com put ers share dat a or connect t o ot her syst em s, t hey can pass t he infect ion t o ot her syst em s. I f t his occurs, t he ant ivirus expert s hear about it . They work up a " cure" for t he virus, and it can be cont ained. Com put er viruses are different from live ones in one way: com put er viruses usually need t he person who is being infect ed t o do som et hing before t he virus can succeed. This m ight sim ply be reading or opening a file t hat has been infect ed, or it m ight be
visit ing a part icular Web sit e. I f you have a clean syst em and you never open infect ed files or visit unt rust wort hy sit es, your chances of infect ion are reduced. However, I 'll show you lat er why your safet y is st ill not guarant eed. First , t ake a look at t he t ypes of infect ions t hat can occur: • •
•
•
M a st e r boot r e cor d ( M BR) : Virus designed t o infect t he Mast er Boot Record or Boot Sect or of a disk so t hat when t he disk is used, t he virus is loaded int o m em ory. File infe ct or : Virus designed t o infect a file. The virus is loaded when t he file is opened or run. M a cr o vir u s: Virus writ t en in m acro coding languages and dependent on a part icular program or operat ing syst em t o operat e. Most com m on exam ple is Microsoft Word m acro viruses. E- m a il vir us/ w or m : Usually a special variet y of m acro virus t hat script s act ivit ies in e- m ail program s. One of t he m ost publicized was t he " I Love You" virus in 2001 or t he m ore recent Code Red and Nim da viruses.
Nimda, Code Red, and I Love You
I n t he t im e t hat I was working on t his book, t hree e- m ail worm s caused large disrupt ions in t he e- m ail syst em of t he I nt ernet . The t hree used slight ly different approaches but were very effect ive at spreading quickly and essent ially t aking down e- m ail syst em s and severely im pact ing t he I nt ernet . I 'll describe t hem here t o illust rat e how viruses work. First t o surface was t he " I Love You" or LoveLet t er worm , which has been m odified and recirculat ed several t im es since it s original launch. I t goes by m any nam es now, but t he gist was t hat it m ailed you a m essage t hat said " I Love You" or cont ained a file called resum e.t xt .vbs. I f you ran t he file, it downloaded a second file t hat was a Troj an horse and t hen m ailed it self t o people in your address book. I t m ight show you a bogus resum e, t oo. You can find m ore det ails at vil.nai.com / vil/ cont ent / v_98617.ht m . Next cam e Code Red, a worm t hat exploit ed a hole in t he I nt ernet I nform at ion Server ( I I S) t o spread and m ove about t he net work. What 's worse, t he hole t hat allowed t he virus was pat ched m ont hs before t he worm , and published best pract ices also would have prevent ed t he worm from succeeding. But t he worm found unprot ect ed syst em s and m anaged t o slow or st op e- m ail com m unicat ions in m any com panies. Det ails can be found at www.sym ant ec.com / avcent er/ venc/ dat a/ codered.worm .ht m l. The t hird one was Nim da. This worm cont ains som e at t em pt s t o exploit syst em s t hat were vict im s of a previous worm ( Code Red I I ) as well as a few different infect ion vect ors. This one shut down e- m ail syst em s and net works for a few days while t he im pact s were being underst ood and repaired, but it appears t o be under cont rol at t he t im e of t his writ ing. Det ails on t his virus are at www.sophos.com / virusinfo/ analyses/ w32nim daa.ht m l.
I n- dept h discussions of how viruses work and how t hey can hide but st ill funct ion are out side t he scope of t his book, but I do want t o m ake som e point s about t hese program s. Because writ ing com put er code is a logical operat ion, com put er viruses act predict ably. Clever use of st ealt h or polym orphism can delay or obscure t he act ivit ies of t he virus, but ult im at ely t he virus has t o act in cert ain ways because of how com put ers work. Having ant ivirus soft ware and set t ing proper securit y in your e- m ail soft ware and Web browser can go a long way t oward reducing your risk of virus infect ion. Addit ionally, you can avoid headaches by m aking sure you know who sent files t o you before you open t hem . To be m ost safe, you should know t he senders well enough t o know t hat t hey are using virus prot ect ion.
Why Should I Care? The first virus ever writ t en was an accident , sort of. The st ory goes t hat t he soft ware writ er was t rying t o m ake a piece of soft ware ( lat er dubbed t he Morris I nt ernet worm ) t hat was a " m essage in a bot t le." I t would replicat e unt il it got t o t he t arget syst em and t hen would pop up a m essage. Unfort unat ely, because of bugs in t he code and changing disk- form at st andards, t his " m essage" could end up scram bling dat a on floppy disks. That wasn't t he int ent ion at all; it j ust worked out t hat way. The Morris I nt ernet worm of t hose early I nt ernet days was designed t o be a self- replicat ing piece of soft ware, but was supposed t o replicat e very slowly. I nst ead, a coding error or bug caused it t o replicat e very quickly, and it consum ed syst em resources and lit erally brought t he I nt ernet t o it s knees. How does all t his affect you? First , t he world of com put er viruses is com plex. People m ake and dist ribut e viruses for a wide variet y of reasons, from sim ple experim ent at ion t o clandest ine int ernat ional espionage. At t he t im e of t his writ ing, well over 48,000 viruses are known. Many of t hese viruses are harm less and easily cont rollable; som e are not . The biggest problem is t hat t hese viruses are not very discerning—t hey at t ack anyone t hey can. I f you do not prot ect yourself, you are event ually going t o fall vict im t o one or m ore of t hem . Quit e a few " virus creat ion kit s" exist now for viruses and m acro viruses. Even novice program m ers can easily creat e viruses t hese days, unlike in t he past when program m ers needed reasonably advanced program m ing knowledge t o writ e a " decent " virus. One t hing should be painfully clear: what you don't know about viruses can hurt you. The good news is t hat you can get a large am ount of prot ect ion by t aking t wo st eps and perform ing one ongoing t ask. Regularly back up your dat a. I nst all a virusprot ect ion package. Then, regularly m anually updat e t he soft ware or set it t o get updat es aut om at ically. Wit h t hese st eps, you can cover your bases ext rem ely well for relat ively lit t le cost and effort . Appendix A " Addit ional Resources" includes links t o ant ivirus ( AV) program s and resources, or you can get AV soft ware from your local com put er soft ware dealer. Most reput able AV soft ware is easy t o use, t akes up lit t le m em ory, and has opt ions for updat ing aut om at ically if you are connect ed full- t im e or have a dial- on- dem and
connect ion. I 'll say it again: Regular backups should always be part of your safe com put ing rout ine. Viruses are j ust one m ore reason t o do it .
N OTE I f you find you have a virus and you rest ore from a backup t ape or CD, always rescan your syst em wit h a virus scanner aft er rest oring it . The virus m ight have been on t he syst em when you m ade t hat backup, and you could put t he virus back on your syst em by rest oring. I f t hat happens, sim ply use t he AV soft ware t o clean your syst em aft er rest oring and t hen m ake a full backup im m ediat ely. This should ensure t hat you have at least one full clean backup. Anot her good idea is t o run a full virus scan before creat ing a full backup, j ust t o be sure you're clean.
Defending Against Threats Alt hough t he t hreat of viruses and Troj ans is const ant ly changing, prot ect ing against t hem is relat ively easy. The first and best defense is ant ivirus soft ware, which I 'll t alk about m om ent arily. I f you're already arm ed wit h AV soft ware, here are a few t ricks t hat will help reduce your risk of exposure.
• •
•
Do not open files or run soft ware from unknown sources. Even e- m ail from known sources can cont ain Troj ans or viruses, so encourage your friends and fam ily t o get ant ivirus prot ect ion t oo.
Read e- m ail in plain t ext only. HTML allows script ing t hat can be used t o gat her dat a about your syst em or put Troj an code on your syst em . To set t his in Out look, choose Opt ions from t he Tools m enu. Then select t he Mail Form at t ab shown in Figure 9- 1. You can select plain t ext or Rich Text form at safely; j ust don't use HTML form at .
Figu r e 9 - 1 . Ch a n gin g t he m a il for m a t
• •
Download soft ware only from reput able sources. Soft ware from unknown sources can easily be alt ered wit h Troj an- horse code. Upgrade t o t he newest versions of your browser and Office Suit e soft ware, and t urn on m acro prot ect ion if your soft ware support s t his opt ion ( see Figure 9- 2) .
Figu r e 9 - 2 . Tur n in g on M a cr o Se cu r it y in M icr osoft W or d 2000
•
•
• •
Turn off Windows Script ing Host if you do not need it . You can learn how by going t o www.sophos.com / support / faqs/ wsh.ht m l. Windows Script ing Host is a program t hat let s you run script s writ t en in several different languages on a Windows syst em . These script s can be writ t en in VBScript , JavaScript , or PERL, am ong ot hers. Always writ e- prot ect floppy disks ( if you st ill use t hem ) before t aking t hem t o ot her m achines for use. Make regular backups of dat a. I f possible, use CDs for your backups or writ eprot ect your t apes or disks aft er creat ing t he backup t o prevent infect ion lat er. Make a clean syst em boot disk wit h a copy of your AV soft ware on it ( if you can) , so you have a way t o get a clean st art up for cleaning, if needed. Put t his disk in a safe place and updat e it when you upgrade your operat ing syst em .
Using t hese t echniques can reduce your exposure and help prot ect you, but t here is no real subst it ut e for a good ant ivirus soft ware package. Because AV soft ware is one of t he m ost crit ical elem ent s of a hom e securit y plan, I 'll spend som e t im e now discussing what t o expect and how t o use it . I 'll also list som e resources ( which are repeat ed in Appendix A) for get t ing inform at ion, soft ware, and updat es.
Antivirus Software What exact ly is an AV soft ware package? There are m any form s of AV prot ect ion, and m any soft ware vendors are t rying t o cover all t he bases by providing packages of t ools for prevent ing, det ect ing, and cleaning viruses and Troj ans, as well as ways t o keep t heir t ools updat ed wit h t he lat est inform at ion. Each t ool in t he package oft en has one or m ore purposes, but we can look at t he t asks individually. Som e soft ware vendors package t heir t ools as one program ; ot hers provide m any sm aller program s. Whet her everyt hing is in t he sam e program is usually not im port ant . Let 's look at t he t asks t hat one of t hese packages t ypically accom plishes:
•
• • •
Vir u s de t e ct ion : The heart of all AV packages. Aft er all, what good is ant ivirus soft ware if it can't det ect viruses? This soft ware get s loaded int o m em ory at t he t im e t he syst em boot s. To do t his, you use Term inat e and St ay Resident ( TSR) t echniques, Syst em Services, Syst em Ext ensions, or ot her m eans available t o t he operat ing syst em you are using. The soft ware inspect s your hard drive for files t hat m ight be infect ed, giving warnings and report s or cleaning up t he files as it goes. The drives, direct ories, and t ypes of files inspect ed are usually configurable but should always include ( for Windows- based syst em s) EXE, COM, BAT, and ( if you're using Windows NT) CMD. Several ot her fact ors m ight also be configurable, depending on t he soft ware. You should scan your syst em at least once a week or have t he soft ware do t his aut om at ically if it can. Vir u s cle a n in g: This program t ries t o clean up t he virus from your syst em . Though norm ally safe, t his process m ight render a file unusable if t he virus was part icularly dest ruct ive. I t is best t o rely on prevent ion rat her t han cleaning as m uch as possible. Tr oj a n - hor se de t e ct ion : Sim ilar t o virus det ect ors, but t his one det ect s Troj an- horse soft ware. These funct ions are usually added aft er a part icular t ype of Troj an- horse soft ware is det ect ed. Vir u s de finit ion upda t e s: Obt ains t he lat est inform at ion files ( definit ion files) about viruses and Troj an horses from t he AV soft ware vendor. The soft ware uses t hese files t o det erm ine if viruses or Troj ans are present in m em ory, in files, or in e- m ail and at t achm ent s.
How you use your AV soft ware depends som ewhat on your part icular vendor, but here are som e rules t hat will help it run sm oot hly. First , buy your soft ware from a com pany t hat will be able t o supply you wit h long- t erm support and prot ect ion. You m ight save a dollar or t wo by buying from a sm all com pany, but if t hey go out of business, you'll lose support . Second, set t he soft ware t o aut om at ically scan your syst em and get t he virus definit ions, if possible. This saves you t he t rouble of doing it and keeps your syst em up- t o- dat e. I f you set t his t o occur at night or during off hours, t he syst em will t ake care of t his for you and your perform ance won't suffer a hit at all. I f you t ry t o work during a scan, you will som et im es see a slowdown. Do not alt er t he set t ings for what t he AV soft ware does or how it does t hem unless you know what t he result s will be. Accident ally disabling t he soft ware but t hinking it is running is worse t han having none. Here are som e links t o ant ivirus- relat ed inform at ion. All of t hese links are repeat ed in Appendix A. Resources for Virus ut ilit y soft ware: VirusScan: www.m cafee- at - hom e.com / product s/ ant i- virus.asp?m = 1 Sym ant ec Securit y Response, hom e of Nort on Ant iVirus: www.sym ant ec.com / avcent er PC- cillin 2000: www.ant ivirus.com / pc- cillin/ product s/ Sophos Ant i- Virus: www.sophos.com Norm an Virus Cont rol: www.norm an.com
F- Prot Professional Ant i- Virus Toolkit : www.dat afellows.com I nt egrit y Mast er: www.st iller.com / st iller.ht m Sim t el.Net MSDOS Ant i- Virus Archives: ht t p: / / www.sim t el.net / pub/ m sdos/ virus/ Sim t el.Net Windows 3.x Ant i- Virus Archives: oak.oakland.edu/ sim t el.net / win3/ virus.ht m l Grisoft 's ant ivirus offering: www.grisoft .com / ht m l/ us_index.cfm Links t o m ore inform at ion about viruses: " Viruses in Chicago: The Threat t o Windows 95" [ 1] ( I an Whalley, edit or of " Virus Bullet in" ) : www.virusbt n.com / VBPapers/ I vpc96/ [ 1]
Windows 95 code was nam ed Chicago during it s developm ent .
Com put er Virus Help Desk: iw1.indyweb.net / ~ cvhd/ " eicar" ( European I nst it ut e for Com put er Ant ivirus Research) : www.eicar.org " Fut ure Trends in Virus Writ ing" ( Vesselin Bont chev, Research Associat e, Universit y of Ham burg) : www.virusbt n.com / Ot herPapers/ Trends/ McAfee Virus I nform at ion Library: vil.m cafee.com / default .asp?/ Sym ant ec Virus Search Page: www.sym ant ec.com / avcent er/ vinfodb.ht m l
Hoaxes and Why They're a Problem St range as it m ight sound, t his final t hreat t hat you should be aware of is not even a real t hreat —it 's a hoax. A com m on exam ple is an e- m ail m essage describing t he t hreat of a virus and inst ruct ing you t o " inform everyone you know about t his t hreat ." Unless t his warning com es from an AV vendor or reput able securit y resource, it is likely a hoax. Before spreading any e- m ail about a " virus," always check your AV vendor sit e for news about it . I f you don't see t he virus described on t heir sit e, do not m ail warnings t o your friends and fam ily. Why people st art t hese hoaxes is not clear, but usually t hey can be t raced t o one of t wo t hings. Perhaps t he perpet rat or want s t o focus so m uch at t ention on t he hoax t hat it m akes t he news, and t hey'll get som e sat isfact ion out of knowing t hey caused it . Or t he perpet rat or m ight genuinely want t o cause a Denial of Service ( DoS) at t ack on t he e- m ail syst em s of one or m ore areas. By causing a flood of warning e- m ails, such a person can enlist t he general public as t ools in crashing or seriously delaying e- m ail syst em s. Not e, t oo, t hat som et im es a virus warning claim ing t o have t he " fix" for
som e securit y issue is act ually a Troj an horse it self. When you run t he file, it infect s your syst em .
Crying Wolf or Real Threat?
Rem em ber t he st ory of t he boy who cried wolf? I f enough hoaxes are perpet rat ed in a short enough period of t im e, som e people will assum e t hat t he next one is a hoax. I f, inst ead, it 's a real virus, som e people will not be prepared, and t he virus will be launched int o t he wild. This com plex bit of social engineering can be highly successful. I f you hear about a " new virus t hreat " from a coworker, fam ily m em ber, or friend, please do not im m ediat ely forward t he m essage t o your ent ire m ailing list . Check your AV vendor or securit y m ailing list for confirm at ion first .
Active Content on the Web Act ive cont ent on t he Web sim ply m eans using script ing and program m ing languages t o provide dynam ic and int eract ive Web pages. ( That sounds like a m arket ing brochure.) I guess t he easiest way t o describe t his is t o say t hat m ost cont ent on t he Web is st at ic, but it can be specifically built t o perform t asks, collect dat a, or display dynam ically. Som e of t his can be done by using anim at ed graphics or HTML t ags ( t he language for program m ing Web pages) . Som et im es a m ore advanced program m ing language is used t o " inst ruct " t he com put er or browser what t o do. Most Web program m ers are designing act ive cont ent t o provide t heir users wit h a bet t er experience on t he Web—easier and m ore enj oyable—but hackers can use t he script ing for ot her reasons. By t aking advant age of poorly coded Act iveX cont rols or using script ing t o access files on your local syst em , hackers can do m any t hings from a Web page. The cat ch is t hat if you prot ect yourself by t urning off Act ive Script ing in your browser, you'll lose out on som e of t he feat ures program m ed int o pages t o m ake t hem easier t o use. So what can you do? Microsoft I nt ernet Explorer includes a feat ure called securit y zones t hat let s you det erm ine t he level of access program s can have, based on t heir " zone." You can set t he zone levels or leave t hem at t heir default s. ( I t alked about t he det ails in Chapt er 7) . Using t hese set t ings can increase your securit y. Addit ionally, don't browse t he Web while you're logged on as Adm inist rat or. I f a Web page t ries t o do som et hing on your syst em , it does so wit h t he sam e perm issions you have ( because your user I D opened t he browser) and, t herefore, wit h t he sam e access t o files, direct ories, and user right s. Always use t he account wit h t he lowest privileges when you browse t he Web. Act ive Cont ent is get t ing safer, but it has a long way t o go before it can be considered t ruly safe. I f you browse sit es t hat are not " m ainst ream " or run by reput able com panies, I recom m end upping your browser securit y so you can be as safe as possible.
Virus and Trojan Horse Security Checklist This chapt er's checklist isn't t oo com plex, but here it is: 1. 2. 3. 4. 5. 6. 7.
Are you backing up your syst em regularly? What virus prot ect ion package are you running? When did you last updat e your prot ect ion soft ware? Do you get your downloaded software from reput able sources? Do you browse t he I nt ernet while logged on as Adm inist rat or? Do you use your AV scanner frequent ly? Do you use floppy disks t o share inform at ion? I f so, are t hey writ e- prot ect ed as m uch as possible? 8. Do you have your AV soft ware vendor's Web sit e bookm arked so you can get updat es and news regularly?
Appendix A. Additional Resources (Maintaining Peace in the Village) Now t hat you've read all t he chapt ers, you m ight be feeling a bit over- whelm ed at t he prospect of securing your syst em and keeping it secure. That 's cert ainly how I used t o feel. Luckily, you don't have t o face t his t ask alone. There are lit erally hundreds of inform at ion securit y professionals, hackers, and inform at ion t echnology professionals who share t heir knowledge and inform at ion about securit y wit h each ot her const ant ly. Even bet t er, t hey share t his inform at ion wit h t he rest of t he world freely on I nt ernet sit es, and you can even list en in on t heir conversat ions on m ailing list s. Through t hese resources, you can get a great look int o t he ever- changing world of inform at ion securit y. Because crackers and hackers are always updat ing t heir t echniques, t he securit y professionals also keep up- t o- dat e wit h t heir defenses, best pract ices, and warnings concerning how t o secure your syst em . Not e t hat t hese resources are for all levels of users. Som e sit es get deep int o t he t opics quickly and can lose novice readers equally quickly. No worries t hough; plent y of resources are available. I highly recom m end finding a list or sit e t hat m eet s your needs and is roughly at your t echnical level ( or slight ly higher, if you want t o learn t he t opic in dept h) . Keeping up will be hard enough wit hout t he addit ional t ask of having t o figure out what is being said every t im e you read it . Then m onit or t hat list or sit e t o keep yourself up- t o- dat e.
Where Can I Learn More? I have collect ed a large num ber of securit y- relat ed resources, Web sit es, m ailing list s, books, you nam e it . Most readers of t his book will use 10% or less of t he resources list ed here and in t he bibliography. That 's no problem —in fact , t hat 's good. Finding what you want is easier when you are looking in a sm aller place. However, I can't predict which 10% will be useful t o you, so I 've included as m uch as possible. I f you are int erest ed in I nform at ion Securit y, you'll find plent y on t hese list s t o get you st art ed.
Mailing Lists A m ailing list is pret t y m uch what it sounds like: a list of people who receive e- m ail cont aining inform at ion on a chosen t opic. The nam es of individual users are not displayed when t he m ailing goes out , but each user can m ail inform at ion t o t he list , which in t urn is forwarded t o t he rest of t he list . There are t wo t ypes of m ailing list s: unm oderat ed and m oderat ed. An unm oderat ed list is essent ially t ot ally aut om at ed, and every m essage t hat is subm it t ed ends up in your m ailbox. These list s are becom ing m uch rarer because of people sending e- m ail ads, j okes, hoaxes, and m isinform at ion t o t hem wit hout any checks or balances. Moderat ed list s, on t he ot her hand, have a hum an ( or a group of t hem ) t o read t he m essages and det erm ine if t hey are on t opic and should be m ailed t o t he list . As you m ight guess, t his isn't an easy j ob on high- volum e list s, so som et im es inform at ion goes out t o a m oderat ed list som ewhat m ore slowly t han t o unm oderat ed ones. The benefit is t hat when you get t he inform at ion, you know it is on t opic and som ewhat useful. The qualit y of t he
m essages sent t o m oderat ed list s probably isn't significant ly higher, but t he qualit y of t he received m essages is very m uch higher. Most m oderat ed list s have chart ers t hey send t o you when you subscribe so you know ahead of t im e what t ype of cont ent is appropriat e for t he list . Following are som e of t he list s t hat are available. I f you want t o read m ore about list s, check out t he Frequent ly Asked Quest ions ( FAQ) link at The Securit y List FAQ: xforce.iss.net / m aillist s/ ot herlist s.php3.
General Security Information Best of Securit y List ( bos) : best - of- securit y- request @cyber.com .au Bugt raq Full Disclosure List : list serv@securit yfocus.com CERT Advisories: cert - advisory- request @cert .org CI AC Advisories ( ciac- bullet in) : Maj ordom o@rum pole.llnl.gov COAST Securit y Archive: coast - request @cs.purdue.edu Firewall Wizards ( firewall- wizards) : m aj ordom [email protected] Firewalls Digest ( firewall- digest ) : m aj ordom o@list s.gnac.net I nt rusion Det ect ion Syst em s ( ids) : m aj ordom [email protected] Legal Aspect s of Com put er Crim e ( lacc) : m aj ordom [email protected] RI SKS Forum ( risks) : risks- request [email protected] Virus List s ( virus- 1 & virus) : LI [email protected] WWW Securit y ( www-security-new) : m aj ordom o@nsm x.rut gers.edu
Windows-Specific Mailing Lists NT Bugt raq: list serv@list serv.nt bugt raq.com
Other Operating System–Specific Mailing Lists FreeBSD Securit y I ssues: m aj ordom [email protected] Linux Securit y I ssues: linux- securit y- request @RedHat .com
Web and FTP Sites The following is a collect ion of securit y- relat ed Web sit es used by professionals and am at eurs alike t o read about securit y news, t ools, and research. Som e sit es are m ore t echnical t han ot hers, and som e cover m ore t han j ust Windows, so feel free t o browse and pick ones t hat relat e t o your experience level.
General Information Sites At St ake Web sit e for securit y inform at ion; cont ains t he L0pht Heavy I ndust ries t ools and inform at ion: www.l0pht .com / Cent er for I nform at ion Technology I nform at ion Securit y Page: www.cit .nih.gov/ securit y.ht m l Com prehensive firewall guide and inform at ion: www.firewallguide.com Com put er Operat ions, Audit , and Securit y Technology, a m ult iple- proj ect , m ult ipleinvest igat or laborat ory in com put er securit y research in t he Com put er Sciences Depart m ent at Purdue Universit y: www.cerias.purdue.edu/ coast / Dedicat ed t o st oring t he Request For Com m ent ( RFC) docum ent s t hat are t he basis for m ost I nt ernet open st andards: www.rfc- edit or.org/ rfc.ht m l I nform at ion from Microsoft on privacy and securit y online: www.m icrosoft .com / privacy/ safeint ernet / Microsoft 's securit y page: www.m icrosoft .com / securit y/ Nat ional I nfrast ruct ure Prot ect ion Cent er Web sit e: www.nipc.gov Nat ional I nst it ut e of St andards and Technology Com put er Securit y Division Page: cswww.ncsl.nist .gov/ Nat ional Securit y I nst it ut e's Securit y Resource Net : www.nsi.org/ com psec.ht m l Naval Surface Warfare Cent er I nform at ion Securit y Resources and I nform at ion: www.nswc.navy.m il/ I SSEC NTBugTraq I nform at ion Archives: www.nt bugt raq.com or nt bugt raq.nt advice.com Securit y inform at ion for a variet y of operat ing syst em s: www.boran.com / securit y/ Sun Microsyst em s Java securit y page: j ava.sun.com / securit y/ The " Hacker Quart erly" for hacking and cracking inform at ion: www.2600.com / Truesecure Securit y Consult ing and general inform at ion: www.icsa.net /
Unit ed St at es General Services Adm inist rat ion sit e on securit y: www.it policy.gsa.gov/ Yahoo Link t o t heir list ing of securit y and encrypt ion resources online: www.yahoo.com / Com put ers_and_I nt ernet / Securit y_and_Encrypt ion/
Sites with Security Vulnerability Information Com m on Vulnerabilit ies and Exposures Proj ect from Mit re: cve.m it re.org General securit y inform at ion as well as a very com prehensive vulnerabilit y dat abase: www.securit yfocus.com / I nt ernet Engineering Task Force sit e: www.iet f.org/ rfc.ht m l I nt ernet Securit y Syst em s page on securit y vulnerabilit ies: www.iss.net / cgibin/ xforce/ xforce_index.pl St ephen A. Sut t on, TSS/ NSA Windows NT Securit y Guidelines, Version 2 ( Oct 4, 1999) : www.t rust edsyst em s.com / t ss_nsa_guide.ht m Universit y of California at Davis, Depart m ent of Com put er Science Vulnerabilit ies Proj ect : seclab.cs.ucdavis.edu/ proj ect s/ vulnerabilit ies/ # dat abase/ Universit y of Caliform ia at Davis, Vulnerabilit y Dat abase: www.cs.purdue.edu/ coast / proj ect s/ vdb.ht m l
Sites with Security Tools Berkeley Soft ware Design, I nc. ( BSDI ) securit y pat ches ( More inform at ion at www.bsdi.com / services/ support or e- m ail [email protected] ) : ft p: / / ft p.bsdi.com / bsdi/ pat ches/ Caldera OpenLinux ( For m ore inform at ion, e- m ail [email protected] ) : www.calderasyst em s.com / support / securit y/ Cisco Product Securit y I ncident Response from Cisco Syst em s ( E- m ail securit yalert @cisco.com ) : www.cisco.com / warp/ public/ 707/ sec_incident _response.sht m l Com paq ( For m ore info, e- m ail rich.boren@com paq.com ) : www.com paq.com / Debian Linux ( More info at www.debian.org/ securit y/ or e- m ail securit [email protected]) : www.debian.org/ dist rib/ ft plist Free BSD ( E- m ail securit y- [email protected]) : www.freebsd.org/ securit y/ Hewlet t Packard ( HP) ( E- m ail securit y- alert @hp.com ) : us- support .ext ernal.hp.com / I BM ( More info at www- 1.ibm .com / services/ cont inuit y/ recover1.nsf/ ers/ Hom e or em ail [email protected] .com ) : service.soft ware.ibm .com / support / rs6000
Novell ( E- m ail [email protected] ) : www.novell.com / corp/ securit y/ solut ions.ht m l Open BSD ( E- m ail deraadt @openbsd.org) : www.openbsd.com / securit y.ht m l Purdue Universit y's securit y t ools sit e: ft p: / / coast .cs.purdue.edu/ pub/ t ools/ RedHat Linux ( More info at www.redhat .com / cgi- bin/ support / or e- m ail support @redhat .com ) : redhat .com / corp/ support / errat a/ Sant a Cruz Operat ion ( SCO) UNI X securit y pat ches ( For m ore info, e- m ail support @sco.com ) : www.sco.com / securit y/ Silicon Graphics I nc. ( SGI ) ( For m ore info, e- m ail cse- securit y- alert @sgi.com ) : ft p: / / ft p.sgi.com / pat ches/ Sun Microsyst em s ( More info at sunsolve.sun.com / pub- cgi/ secBullet in.pl or e- m ail securit y- alert @sun.com .) : sunsolve.sun.com / pub- cgi/ show.pl?t arget = pat ches/ pat chaccess/ Tools and docum ent s on UNI X securit y: ft p: / / ft p.porcupine.org/ pub/ securit y/ index.ht m l Trust ed Syst em s securit y sit e wit h NSA guidelines for securing Windows NT 4.0: www.t rust edsyst em s.com / UNI X Securit y Tools vendor- specific securit y pat ches: ft p: / / ft p.funet .fi/ pub/ unix/ securit y/ Windows 2000 securit y inform at ion from Phil Cox of Syst em Expert s. com : www.syst em expert s.com / t ut ors/ HardenW2K101.pdf Windows product s, specifically Windows NT and Windows 2000 ( E- m ail secure@m icrosoft .com ) : www.m icrosoft .com / securit y/
Computers Incident Response Centers The following sit es are from governm ent al securit y agencies in t he Unit ed St at es and som e from abroad. These agencies are incident response cent ers, inform at ion resources, and research facilit ies you can use t o st ay current on securit y or report an incident you are experiencing now. Again t he t echnical level of t hese sit es varies, but m ost here will assum e t hat you are at least a m oderat ely skilled securit y professional. Aust ralian Com put er Em ergency Response Team ( AUSCERT) ( E- m ail auscert @auscert .org.au or call + 61 7 3365 4417.) : www.auscert .org.au/ CERT( sm ) Coordinat ion Cent er ( E- m ail cert @cert .org or call 1 412 268 7090.) : www.cert .org/
Com put er I ncident Advisory Capabilit y ( CI AC) ( E- m ail [email protected] or call 1 925 422 8193.) : ciac.llnl.gov Defense I nform at ion Syst em s Agency Cent er for Aut om at ed Syst em s Securit y I ncident Support Team ( ASSI ST, for DoD sit es) ( E- m ail cert @cert .m il or call 1 800 357 4231.) : www.assist .m il/ Federal Bureau of I nvest igat ion ( FBI ) Nat ional I nfrast ruct ure Prot ect ion Cent er ( NI PC) ( E- m ail [email protected] or locat e nearest FBI field office by checking www.fbi.gov/ cont act / fo/ fo.ht m .) : www.fbi.gov/ nipc/ index.ht m Federal Com put er I ncident Response Capabilit y ( FedCI RC) ( E- m ail [email protected] or call 1 888 282 0870.) : www.fedcirc.gov/ Forum of I ncident Response and Securit y Team s ( FI RST) ( E- m ail first sec@first .org.) : www.first .org Full list of European CERTs: www.cert .dfn.de/ eng/ csir/ europe/ cert s.ht m l Germ an Research Net work Com put er Em ergency Response Team ( DFN- CERT) ( Em ail dfncert @cert .dfn.de or call + 49 40 42883 2262.) : www.cert .dfn.de/ eng/ dfncert / NASA I ncident Response Cent er ( NASI RC) ( E- m ail [email protected] or call 1 800 762 7472.) : www- nasirc.nasa.gov/ incident s.ht m l
Antivirus Software Here are som e links t o popular ant ivirus soft ware on t he m arket t oday. This is j ust a sm all sam pling of t he m any com panies producing ant ivirus ( AV) soft ware. Don't worry if your vendor isn't list ed—t here are t oo m any good com panies producing t his t ype of soft ware for m e t o list t hem all. I have included t hese links in case you have no ant ivirus soft ware and want t o get som et hing for your prot ect ion. F- Prot Professional Ant i- Virus Toolkit : www.dat afellows.com Grisoft 's ant ivirus offering: www.grisoft .com / ht m l/ us_index.cfm I nt egrit y Mast er: www.st iller.com / st iller.ht m Norm an Virus Cont rol: www.norm an.com PC- cillin 2000: www.ant ivirus.com / pc- cillin/ product s/ Sim t el.Net MSDOS Ant i- Virus Archives: www.sim t el.net / pub/ m sdos/ virus/ Sim t el.Net Windows 3.x Ant i- Virus Archives: ft p: / / oak.oakland.edu/ sim t el.net / win3/ virus.ht m l Sophos Ant i- Virus: www.sophos.com
Sym ant ec Securit y Response, hom e of Nort on Ant iVirus: www.sym ant ec.com / avcent er VirusScan: www.m cafee- at - hom e.com / product s/ ant i- virus.asp?m = 1
Antivirus Resources These links lead t o m ore inform at ion about viruses, discussions about what m ight be in st ore for us, and a couple of virus encyclopedias. Com put er Virus Help Desk: iw1.indyweb.net / ~ cvhd/ " eicar" ( European I nst it ut e for Com put er Ant ivirus Research) : www.eicar.org " Fut ure Trends in Virus Writ ing" ( Vesselin Bont chev, Research Associat e, Universit y of Ham burg) : www.virusbt n.com / Ot herPapers/ Trends/ McAfee Virus I nform at ion Library: vil.m cafee.com / default .asp? Sym ant ec Virus Search Page: www.sym ant ec.com / avcent er/ vinfodb.ht m l " Viruses in Chicago: The Threat t o Windows 95" ( I an Whalley, edit or of " Virus Bullet in" ) : www.virusbt n.com / VBPapers/ I vpc96/
Appendix B. Glossary of Security Terms and Acronyms The following are com m on securit y t erm s and concept s oft en used in t his t ext , on Web pages, or in securit y discussions. You don't have t o know all of t hem right now, but if you plan t o st ay current on securit y you'll probably need t o know t hem soon.
Common Acronyms ACL Access Cont rol List AD SL Asynchronous Digit al Subscriber Line AU Aut hent icat ed Users Group enabled on NT 4.0 SP3 or higher AV Ant ivirus CD Com pact disc CPU Cent ral processing unit D ACL Discret ionary Access Cont rol List D ARPAN ET Defense Advanced Research Proj ect Adm inist rat ion Net work DDE Dynam ic Dat a Exchange, Windows dat a- exchange prot ocol
DNS Dom ain nam ing syst em D oS Denial of Service D SD M Dynam ic Shared Dat a Manager, used by DDE t o m anage shared dat a D SL Digit al Subscriber Line EFS Encrypt ed file syst em ( Windows 2000) FAT 1 6 File Allocat ion Table 16, file syst em for st oring dat a on a hard drive FAT 3 2 File Allocat ion Table 32, file syst em for st oring dat a on a hard drive FTP File Transfer Prot ocol FUD Fear, uncert aint y, and doubt H TM L Hypert ext Markup Language H TTP Hypert ext Transfer Prot ocol I ETF I nt ernet Engineering Task Force
IIS I nt ernet I nform at ion Server I M AP I nt ernet Mail Access Prot ocol I PSe c I nt ernet Prot ocol Securit y I SD N I nt egrat ed Service Digit al Net work I SP I nt ernet service provider LAN Local Area Net work LM LAN Manager, early precursor t o Windows NT M BR Mast er Boot Record N AT Net work Address Translat ion NI C Net work I nt erface Card N TFS New Technology File Syst em , for st oring dat a on a hard drive N TLM New Technology LAN Manager, t he original Windows NT aut hent icat ion prot ocol
N TLM v2 New Technology LAN Manager Version 2, updat ed version of Windows NT aut hent icat ion prot ocol OS Operat ing syst em OSI Open Syst em s I nt erconnect ion P3 P Plat form for Privacy Preferences PC Personal com put er PERL Pract ical Ext ract ion and Report ing Language POP3 Post Office Prot ocol 3 RAM Random Access Mem ory RFC Request For Com m ent RPC Rem ot e Procedure Call SACL Syst em Access Cont rol List SD SL
Synchronous Digit al Subscriber Line SM B Server Message Block SM TP Sim ple Mail Transfer Prot ocol SN M P Sim ple Net work Managem ent Prot ocol SSL Secured Socket s Layer TCP/ I P Transm ission Cont rol Prot ocol/ I nt ernet Prot ocol UCE Unsolicit ed com m ercial e- m ail W3C World Wide Web Consort ium W in 2 k Windows 2000 W in 9 x Windows 95 and 98 and ME W inM E Windows Millennium Edit ion W inN T Windows NT 4.0 x D SL Type of DSL ( usually ADSL or SDSL) , x st anding for t he variable let t er
Common Security Terms Absolu t e se cu r it y St at e in which a syst em can be called secure regardless of it s exposure. Thought t o be an im possible st at e for any syst em t hat is useful and being used. Cert ainly it is im pract ical. Acce pt a ble r isk Level of risk allowed or accept ed by t he owner of t he it em or dat a at risk. Acce ss Con t r ol Process by which access t o it em s is grant ed or denied t o request ors. Acce ss Con t r ol List s ( ACLs) List s of ent ries showing who does or does not have access t o an it em . Applica t ion la ye r filt e r in g Process of looking at applicat ion com m unicat ions and allowing t hem ( or not allowing t hem ) t hrough a net work, based on what applicat ion is t alking. Au dit log Locat ion where event s are recorded for lat er review. Au t he n t ica t e d Use r s Gr ou p Post - SP3 group in Windows NT t hat represent s any user who has a valid securit y t oken from a t rust ed dom ain. ( Post - SP3 m eans t his group was int roduced in Service Pack 3 of Windows NT 4.0 and will not be found on earlier versions of Windows.) Au t he n t ica t ion Det erm ining who a user is t hrough a t rust ed m echanism or from a t rust ed source. Ba ck door Undocum ent ed way t o gain access t o a program , som e dat a, or an ent ire com put er syst em . Ba ck Or ifice ( BO) Troj an- horse program t hat can be used t o t ake cont rol of a com put er syst em .
Ba ck in g st or e Tem porary st orage place for dat a. The pagefile is an exam ple of a backing st ore. Bor de r cont r ol Act of cont rolling net work t raffic at places where t he int ernal net work m eet s t he I nt ernet . Br ow se r Applicat ion t hat let s you m ove about t he Web, " browsing" pages. Ca ble m ode m Form of always- on I nt ernet access. Colle ct or Person or program accessing your syst em in an at t em pt t o collect specific inform at ion. Cook ie Sm all bit of dat a—a sim ple nam e/ dat a pair—t hat is writ t en t o t he client syst em . Cost How dam aging it would be if a risk did happen t o your syst em . Cr a ck Using a hack or exploit t o infilt rat e com put er syst em s t hat do not belong t o you. Cr a ck e r Som eone t rying t o access your com put er syst em wit hout your perm ission. Crackers usually know t hey are breaking int o a syst em . Cr it ica l da t a Dat a you believe you m ust be able t o recover or prot ect .
Ct r l- Alt - D e l Key sequence used t o init iat e logon for Windows NT. This set of keys was select ed because it is considered a reserved sequence for logons and syst em reset s. D e nia l of Se r vice ( D oS) Causing a condit ion in which a com put er syst em can no longer respond t o valid net work request s or com m unicat ion. D e ny All, Gr a n t Ex plicit Securit y philosophy of denying all access t o a syst em and t hen grant ing access only t o specific t hings for specific reasons. ( Opposit e of Grant All, Deny Explicit .) D igit a l Subscr ibe r Lin e ( D SL) Form of always- on I nt ernet access. D iscr e t iona r y or Use r - D e fin e d ACL ( D ACL) Access Cont rol List applied by a user or Adm inist rat or t o cont rol access t o user- creat ed or sensit ive dat a. D om a in Collect ion of com put ers, print ers, and such t hat share dat a wit h each ot her. D om a in Con t r olle r Accou n t D a t a ba se Place where Windows NT st ores user account s. Also known as Securit y Account s Dat abase. D om a in N a m in g Syst e m ( D N S) Used by I nt ernet t o resolve I P addresses t o nam es and back again. D om a in u se r s Built - in group in Windows NT ( when using a dom ain) t hat cont ains all valid users of t he dom ain. D r ive or dr ive pa r t it ion Physical hard drive or port ion of a hard drive used t o st ore dat a.
D yna m ic D a t a Ex cha n ge ( D D E) Form of dat a exchange used in older versions of Windows; st ill support ed in som e versions of Windows. D yna m ic Sh a r e d D a t a M a n a ge r ( D SD M ) Service used by net work DDE t o m anage shared dat a. E- com m e r ce Selling t hings over t he I nt ernet . En cr ypt ion Mat hem at ically changing dat a so it can be read by t he int ended receiver but not by anyone else. Ex ploit s Code or t echniques used t o crack com put er syst em s. Also called " sploit s." Ex posu r e How likely it is t hat a risk will happen. File Tr a n sfe r Pr ot ocol ( FTP) Set of rules and an applicat ion for t ransferring files across t he I nt ernet . Fir e w a ll Usually a com binat ion of hardware and soft ware for cont rolling access t o a net work. Can be hardware, soft ware, or a com binat ion of bot h. Gr a n t All, D e ny Ex plicit Securit y philosophy of grant ing access t o everyt hing and t hen rem oving access right s from specific t hings t hat need t o be cont rolled. ( Opposit e of Deny All, Grant Explicit .) Gr ou p Collect ion of users who have som e sim ilarit ies. H a ck Clever or creat ive use of com put er code t o solve a problem .
H a ck e r Som eone who is exploring som eone else's com put er for curiosit y's sake. H ot fix Pat ch t o an operat ing syst em , usually t o fix a bug t hat is causing errors. H ype r lin k Connect ion from a docum ent t o relat ed m at erial locat ed som ewhere else. H ype r t e x t M a r k up La n gua ge ( H TM L) Set of rules about form at t ing docum ent s for use wit h hyperlinks. Predom inant language for writ ing Web pages for st at ic cont ent . H ype r t e x t Tr a n sfe r Pr ot ocol ( H TTP) Prot ocol used by t he World Wide Web m ost of t he t im e. I de n t it y t he ft Act of assum ing som eone's ident it y wit hout t heir knowledge. I m por t a n t da t a Dat a you want t o prot ect , but is not crit ical. Dat a t hat would be hard or t im econsum ing t o replace. I n t e gr a t e d Se r vice s D igit a l N e t w or k ( I SD N ) Form of always- on I nt ernet connect ion t hat includes phone service. I nternet ( net) Series of int erconnect ed net works t hat support s m ult iple prot ocols I n t e r n e t En gin e e r ing Ta sk For ce ( I ETF) Group of people responsible for writ ing I nt ernet specificat ions and working on plans for t he fut ure of t he I nt ernet . I n t e r n e t M a il Acce ss Pr ot ocol ( I M AP) Newer I nt ernet prot ocol for exchanging e- m ail m essages.
I n t e r n e t Se r vice Pr ovide r ( I SP) Com pany t hat provides access t o t he I nt ernet . I P Se cu r it y ( I PSe c) Process of securing t he connect ion used on t he net work via TCP/ I P, usually by encrypt ing dat a before sending it across t he net work. Ja va Scr ipt Script ing language com m only used in Web program m ing. Loca l Se cur it y Au t hor it y ( LSA) Part of Windows NT or 2000 syst em t hat does t he act ual aut hent icat ion. M a st e r Boot Re cor d ( M BR) Part of disk drive t hat cont ains inform at ion about how t o boot up t he operat ing syst em . Oft en used by viruses t o hide in or infect syst em s. M it iga t ion Fact ors t hat can reduce or elim inat e risk. M u lt i- h om in g Put t ing t wo or m ore net work cards in a com put er so it can t alk t o m ore t han one net work. N e t w or k Addr e ss Tr a n sla t ion ( N AT) Changing t he source address so people on t he I nt ernet can't see t he real address of your syst em . N e t w or k I n t e r fa ce Ca r d ( N I C) Hardware t hat t ranslat es t he digit al signals in your com put er t o physical signals t hat can be carried by wiring. Obfu sca t ion Hiding inform at ion or m et hods of accessing inform at ion so t hey are not obvious t o users or int ruders.
Ope n Syst e m s I nt e r con n e ct ion ( OSI ) M ode l Fram ework for com put er syst em com m unicat ion allowing everyone t o work from t he sam e basic m odel. Ot h e r da t a Cat egory for all dat a left aft er applying ot her cat egories. Not im port ant enough t o classify or known t o be not wort h prot ect ing or saving. See also [ Cr it ica l da t a ] See also [ I m por t a n t da t a ] See also [ Re pla ce a ble da t a ] Pa ck e t filt e r in g Allowing or denying cert ain t ypes of packet s t o t ravel t hrough your net work. Pa ck e t s Part s of dat a t hat have been broken up t o allow sending across a net work. Pa ge file Place on your hard drive t hat holds dat a from RAM t em porarily while space is needed for higher priorit y t asks. Ph r e a k Manipulat ing phone syst em s t o get free calls, m ake conference calls, or ot herwise get services not norm ally offered. Ph ysica l se cu r it y Securing your com put er from physical access. Pla t for m for Pr iva cy Pr e fe r e nce s Pr oj e ct ( P3 P) W3C syst em t hat let s users define what dat a com panies can get from t hem on t he I nt ernet and how t he com panies are allowed t o use t he dat a. Por t s Used in TCP/ I P t o allow different applicat ions t o com m unicat e on a TCP/ I P connect ion. Post Office Pr ot ocol 3 ( POP3 ) An I nt ernet e- m ail prot ocol.
Pr ivile ge s Act ions som eone is allowed t o t ake while using t he syst em . Pr oce ss Unit of work used t o keep t rack of one or m ore t hreads of operat ion. How program s get t hings done on a com put er syst em . Pr ot ocol Language used for com put ers t o speak t o each ot her. Pr ot ocol isola t ion Using a different prot ocol t o " isolat e" part of t he net work and keep int ruders out . Pr ox y se r ve r Server t hat m akes request s t o t he I nt ernet for you and relays t hat inform at ion back t o you when it is fulfilled. Pu blic a n d Pr iva t e k e ys Tools for encrypt ing and decrypt ing dat a t hat allow use and dist ribut ion in reasonably public m edium s because t hey use a m at ched pair of keys, privat e ( not shared) and public ( shared) . You can't derive t he privat e key by having t he public key, but you can decrypt m essages t hat were encoded wit h t hat privat e key. RAM m e m or y Space used by a com put er t o do calculat ions and dat a handling. Re gist r y St orehouse of inform at ion. Can hold all kinds of dat a and is used m ost oft en t o st ore operat ing syst em and applicat ion configurat ion dat a, set up and uninst all dat a, and various bit s of securit y dat a. See Chapt er 3. Re la t ive se cu r it y The idea t hat all securit y is a m easure of risk and securit y is never perfect but rat her can be t ight enough for t he st at ed purpose. Re m ot e Pr oce du r e Ca lls ( RPC) Mechanism by which com put er syst em s t alk t o each ot her or int ernally t o get com put ing t asks done.
Re pla ce a ble da t a Dat a st ored on a CD or ot her relat ively perm anent m edium and t hat can be replaced by reinst alling or copying it back t o t he hard drive of your com put er. Re qu e st for Com m e nt ( RFC) Syst em of proposals and com m ent s t hat oft en result s in t he open st andards used by t he I nt ernet . Risk What m ight happen. Role Group of privileges and/ or access t hat defines how a user is allowed t o use t he syst em . Role - Ba se d Acce ss M ode l Securit y m odel in which your access is grant ed by t he role( s) you have on t his com put er. Rout in g One of t he prim ary m echanism s used t o t hat ensure net work com m unicat ion get s t o it s int ended recipient . Sch e du ling pr ior it y List of im port ant t asks t he com put er uses t o balance which applicat ions and OS funct ions get CPU t im e. Scr ipt k iddie Novice at com put er hacking; uses t ools built by t alent ed program m ers t o crack com put er syst em s. Se cur e cha nne l Prot ect ed connect ion bet ween t wo syst em s; allows sensit ive dat a t o be exchanged. Se cu r e d Sock e t s La ye r ( SSL) Encrypt ed channel bet ween your client browser and a Web server. Prot ect s dat a sent t hrough t his connect ion.
Se cu r it y a u dit s Audit ing and logging t o get a clear pict ure of what is going on in t he com put er. Se cu r it y in- D e pt h Using m ore t han one layer of securit y t o ensure t hat an exposure doesn't occur, even if one layer fails. Se r ve r Physical syst em wit h server versions of soft ware inst alled on it —in part icular, Windows NT or Windows 2000 Server soft ware. Se r vice pa ck Release of fixes and som et im es feat ures for upgrading an operat ing syst em wit hout being a full OS release. Sign in g Put s a block of encrypt ed t ext on a docum ent as a signat ure. Sim ple M a il Tr a n sfe r Pr ot ocol ( SM TP) Mail t ransfer prot ocol used on t he I nt ernet . Sim ple N e t w or k M a na ge m e n t Pr ot ocol ( SN M P) Net work m anagem ent prot ocol used in large net works t o m onit or servers and availabilit y. Socia l e n gin e e r ing The act of t alking one's way int o a desired result . Also called a " con" or " grift ." See Chapt er 8. Spa m See [ Un solicit e d com m e r cia l e - m a il ( UCE) ] Spa m m e r Person or program t rying t o send or relay unwant ed e- m ail m essages t hrough or t o your syst em . St e a lt h , st e a lt hy Conscious effort t o hide oneself from det ect ion.
Su bsyst e m s Part s of t he operat ing syst em t hat allow it t o operat e. Sym bolic lin k Link int ernal t o t he operat ing syst em t hat allows t he syst em t o reference obj ect s. Syst e m - D e fin e d ACL ( SACL) Access cont rol list assigned by t he operat ing syst em t o prot ect sensit ive part s of t he operat ing syst em from users. TCP/ I P filt e r in g Det erm ining what t raffic should and should not be allowed t hrough and on your net work. Te ch N e t Microsoft t ool t hat cont ains vast am ount s of t echnical dat a about Microsoft product s, t roubleshoot ing, and m aint enance. Te ln e t Applicat ion for connect ing t o rem ot e syst em s and perform ing t asks. Th r e a ds Basic unit of work for program m ing Windows. ( Det ails are beyond t he scope of t his book.) Tige r t e a m Group of professional hackers hired by a corporat ion t o t est securit y by at t em pt ing t o break int o t he corporat ion's syst em s. Tok e n obj e ct Cont ains all of your right s and perm issions when you log on t o Windows NT or 2000 successfully. Tr a n sm ission Con t r ol Pr ot ocol/ I n t e r n e t Pr ot ocol ( TCP/ I P) Dom inant net working prot ocol used for t he I nt ernet and net working.
Tr a ve r se ch e ck ing Process in t he OS by which access can be checked at every direct ory t o det erm ine if access should be allowed. Tr oj a n hor se Code t hat appears t o be safe t o run but act ually cont ains dam aging soft ware or m akes your syst em vulnerable t o back doors or hacks. Un solicit e d com m e r cia l e - m a il ( UCE) E- m ail sent t o you from som eone you do not know. Usually at t em pt s t o sell you som et hing. Many UCE m ailings have been t raced back t o scam s. Also called " spam ." Use r r igh t s a nd pr ivile ge s Act ions and access t hat you have on a given syst em . VBScr ipt Microsoft script ing language used on t he Web. Vir t ua l m e m or y Space on t he hard drive for st oring RAM dat a t em porarily while t he RAM space is needed for ot her t asks. Vir u s Self- replicat ing, st ealt hy com put er program t hat perform s som e act ions ( t ypically m alicious) on your com put er when it is run. W in dow s r e sou r ce k it Tools and ut ilit ies released by Microsoft t hat assist in adm inist ering t heir Windows product s. W in dow s Scr ipt in g H ost ( W SH ) Applicat ion t hat allows various script ing languages t o be used on Windows syst em s. W or k gr oup Group of com put ers on t he sam e net work t hat can share dat a, print ers, and such wit h each ot her.
W or ld W ide W e b A prot ocol ( HTTP) and a series of int erconnect ed com put ers ( I nt ernet Web servers) working t oget her t o provide you wit h a way t o navigat e t hrough t hem all. W or ld W ide W e b Con sor t iu m ( W 3 C) People and com panies t hat writ e m ost of t he st andards for t he World Wide Web and HTTP. W or m Self- replicat ing program t hat m oves t hrough net worked com put ers on it s own, wit h lit t le or no int eract ion from t he user.
Bibliography Here is a list of som e books you can use t o dig deeper or find out m ore about various t opics relat ed t o inform at ion securit y. Most can be found at www.am azon.com , www.clbooks.com , or www.barnesandnoble.com , or at your local bookst ore. Am oroso, Edward G. I nt rusion Det ect ion: An I nt roduct ion t o I nt ernet Surveillance, Correlat ion, Trace Back, Traps, and Response. I nt rusion.Net Books, 1999. Anonym ous. Maxim um Securit y: A Hacker's Guide t o Prot ect ing Your I nt ernet Sit e and Net work. 2nd ed. I ndianapolis, I N: SAMS, 1998. Bernst ein, Terry, Anish B. Bhim ani, Eugene Schult z, and Carol A. Siegel. I nt ernet Securit y for Business. New York, NY: John Wiley & Sons, 1996. Cheswick, William R. and St even M. Bellovin. Firewalls and I nt ernet Securit y. Reading, MA: Addison- Wesley, 1994. Cisco Syst em s St aff. Cisco I OS Net work Securit y. I ndianapolis, I N: Cisco Press, 1998. Cohen, Frederick B. A Short Course on Com put er Viruses. 2 nd ed. New York, NY: John Wiley & Sons, 1994. Denning, Dorot hy E., Ed. I nt ernet Besieged: Count ering Cyberspace Scofflaws. Reading, MA: Addison- Wesley, 1998. Escam illa, Terry. I nt rusion Det ect ion: Net work Securit y Beyond t he Firewall. New York, NY: John Wiley & Sons, 1998. Ferbrache, David. A Pat hology of Com put er Viruses. New York, NY: Springer- Verlag, 1991. Fit es, Philip E., Pet er Johnson, and Mart in Krat z. The Com put er Virus Crisis. Bost on, MA: I nt ernat ional Thom son Com put er Press, 1992. Flowers, John S. Linux Securit y. I ndianapolis, I N: Que, 1999. Garfinkel, Sim son. PGP: Pret t y Good Privacy. Cam bridge, MA: O'Reilly & Associat es, 1994. Garfinkel, Sim son and Gene Spafford. Pract ical Unix and I nt ernet Securit y. 2 nd ed. Cam bridge, MA: O'Reilly & Associat es, 1996. ———— . Web Securit y and Com m erce. Cam bridge, MA: O'Reilly & Associat es, 1997. Hughes Jr., Larry J. Act ually Useful I nt ernet Securit y Techniques. I ndianapolis, I N: New Riders Publishing, 1995.
Kabay, Michel E. The NCSA Guide t o Ent erprise Securit y: Prot ect ing I nform at ion Asset s. New York, NY: McGraw- Hill, 1996. Kaeo, Merike. Designing Net work Securit y. I ndianapolis, I N: Cisco Press, 1999. Kane, Pam ela. PC Securit y and Virus Prot ect ion: The Ongoing War Against I nform at ion Sabot age. New York, NY: Hungry Minds, 1994. Ludwig, Mark A. The Giant Black Book of Com put er Viruses. Tucson, AZ: Am erican Eagle Publicat ions, 1998. McGraw, Gary and Ed Felt en. Securing Java: Get t ing Down t o Business wit h Mobile Code. 2 nd ed. New York, NY: John Wiley & Sons, 1999. Mel, H. X. and Doris Baker.Crypt ography Decrypt ed. Bost on, MA: Addison- Wesley, 2000. Nort hcut t , St ephen and Judy Novak. Net work I nt rusion Det ect ion: An Analyst 's Handbook. 2 nd ed. I ndianapolis, I N: New Riders Publishing, 2000. Pipkin, Donald L. Halt ing t he Hacker: A Pract ical Guide t o Com put er Securit y. Englewood Cliffs, NJ: Prent ice Hall, 1996. Rubin, Avi, Daniel Geer, and Marcus Ranum . Web Securit y Sourcebook. New York, NY: John Wiley & Sons, 1997. Scam bray, Joel, St uart McClure, and George Kurt z. Hacking Exposed. 2 nd ed. Colum bus, OH: McGraw Hill Publishing, 2000. Schneier, Bruce. Applied Crypt ography: Prot ocols, Algorit hm s, and Source Code in C. 2 nd ed. New York, NY: John Wiley & Sons, 1995. Scot t , Charlie, Paul Wolfe, and Mike Erwin. Virt ual Privat e Net works: Turning t he I nt ernet int o Your Privat e Net work. 2 nd ed. Cam bridge, MA: O'Reilly & Associat es, 1998. Skardham ar, Rune. Virus: Det ect ion and Elim inat ion. Morgan Kaufm ann Publishers, 1995. Slade, Robert . Robert Slade's Guide t o Com put er Viruses: How t o Avoid Them , How t o Get Rid of Them , and How t o Get Help. 2 nd ed. New York, NY: Springer- Verlag, 1996. St oll, Clifford. The Cuckoo's Egg: Tracking a Spy Through t he Maze of Com put er Espionage. New York, NY: Sim on & Schust er, 1990. St rebe, Mat t hew, Charles Perkins, and Michael Moncur. NT 4 Net work Securit y. 2 nd ed. Alam eda, CA: Sybex 1999.