Web Security Field Guide [1st ed.] 9781587050923, 1587050927

Field reference of hands-on techniques for protecting Windows servers, browsers, and communications * Solutions to secur


English Pages 675 Year 2003




Web Security Field Guide
By Steve Kalman

Publisher: Cisco Press
Pub Date: November 08, 2002
ISBN: 1-58705-092-7
Pages: 608

Hands-on techniques for securing Windows(r) servers, browsers, and network communications.

  • Create effective security policies and establish rules for operating in and maintaining a security-conscious environment
  • Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
  • Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
  • Improve security at the end user's workstation, including web browsers, desktops, and laptops
  • Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
  • Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
  • Discover ways to test the current state of security and keep it up to date
  • Learn to engage end users as part of the overall network security solution

While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has.

Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.

Web Security Field Guide provides you with hands-on, proven solutions to help patch the most common vulnerabilities of Windows(r) web servers and browsers within the context of an end-to-end network security architecture. Avoiding conceptual discussions of underlying technologies, the book spends little time discussing how each application works. Using plain language and lots of step-by-step examples, the book instead focuses on helping you secure your web servers and prevent the majority of network attacks. Divided into five parts, the book opens with an overview of essential background information and helps you establish working network security rules and policies. Parts II through IV teach you the techniques for hardening the operating system, the web server, and the browser. Part V of the book addresses overall network security, focusing on preventing and controlling access. Topics such as becoming a Certification Authority, Cisco PIX(r) Firewall, Cisco IOS(r) Firewall, access lists, ongoing security maintenance, and testing are all examined in-depth, providing an overall network security plan that can drastically reduce the risk to your business systems and data.

Full of diagrams, screen captures, and step-by-step instructions for performing simple tasks that can radically improve the security of your Internet business solutions, Web Security Field Guide is a practical tool that can help ensure the integrity and security of your business-critical applications.




Table of Contents

Copyright
About the Author
About the Technical Reviewers
Acknowledgments
Introduction
    Focus of the Book
    Audience
    Command Syntax Conventions
    Icons Used in This Book

Part I: The Fundamentals of Web Security
  Chapter 1. Essential Information for Web Security Administrators
    Internetworking Models
    Two Headers
    Shims
    Above the Transport Layer
    Summary
  Chapter 2. Security Policies
    Justifying Security
    Security Policies
    Summary

Part II: Hardening the Server
  Chapter 3. Windows System Security
    NT 4 Security
    Windows 2000/XP Security
    One Final Task
    Summary

Part III: Installing and Protecting IIS
  Chapter 4. IIS Installation
    Installing IIS4
    Installing IIS5
    Summary
  Chapter 5. Enhancing Web Server Security
    Web Servers Versus Development Servers
    Locating Document Root
    Logging
    Limiting Access to Your Web Server
    Miscellaneous Security Enhancements
    Hosting Multiple Web Servers
    Summary
  Chapter 6. Enhancing the FTP Server
    Inner Workings of FTP
    Secure FTP
    Example of Secure FTP Product
    Summary

Part IV: Protecting the User
  Chapter 7. Browser Security
    Dangerous Content
    Four Zones
    Cookies
    Summary
  Chapter 8. Desktop/Laptop Security
    Acquiring IEAK6
    Configuring the IEAK
    Building a Desktop
    IEAK Profile Manager
    Managing Multiple INS Files
    Summary

Part V: Protecting the Network
  Chapter 9. Becoming a Certification Authority (CA)
    Encryption Schemes
    CA Responsibilities
    Establishing Your Own CA
    Requesting a Server Certificate
    Installing a Certificate on Your Web Server
    Browser Certificates
    Summary
  Chapter 10. Firewalls
    Firewall Components
    Protected Network Firewall Design
    Access Lists
    Using Access Lists
    Firewall Feature Set
    Cisco PIX Firewall
    Summary
  Chapter 11. Maintaining Ongoing Security
    Patches and Fixes
    Miscellaneous Risks
    Antivirus
    Personal Firewalls
    Summary
  Chapter 12. The Weakest Link
    Why Worry?
    What You Can Do
    Summary
  Closing Remarks

Part VI: Appendixes
  Appendix A. Customizing Internet Explorer Error Messages
    Customizing Messages
  Appendix B. Decoding Base64
    Capturing the Data
    Translating from Base64
  Appendix C. Contents of the WSFG Web Site
    Home Page
    Referenced Pages

Index


Copyright

Copyright © 2003 Cisco Systems, Inc.

Published by:
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing November 2002

Library of Congress Cataloging-in-Publication Number: 2002101291

Warning and Disclaimer

This book is designed to provide information about web security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Reader feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Publisher

John Wait

Editor-In-Chief

John Kane

Cisco Representative

Anthony Wolfenden

Cisco Press Program Manager

Sonia Torres Chavez

Cisco Marketing Communications Manager

Tom Geitner

Cisco Marketing Program Manager

Edie Quiroz

Executive Editor

Brett Bartow

Production Manager

Patrick Kanouse

Development Editor

Christopher Cleveland

Project Editor

San Dee Phillips

Copy Editor

Marcia Ellett

Technical Editors

Hank Mauldin
Carl Smigielski
Boleslav Sykora

Team Coordinator

Tammi Ross

Book Designer

Gina Rexrode

Cover Designer

Louisa Adair

Compositor

Mark Shirar

Indexer

Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems Europe
11 Rue Camille Desmoulins
92782 Issy-les-Moulineaux
Cedex 9
France
http://www-europe.cisco.com
Tel: 33 1 58 04 60 00
Fax: 33 1 58 04 61 00

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems Australia, Pty., Ltd
Level 17, 99 Walker Street
North Sydney
NSW 2059 Australia
http://www.cisco.com
Tel: +61 2 8448 7100
Fax: +61 2 9957 4350

Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2000, Cisco Systems, Inc. All rights reserved. Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.

All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0010R)

Dedications

This book is dedicated to two people who have spent their working lives in public service.

The first is my wife, Gail. She is a special education teacher with responsibilities for physically and emotionally handicapped children. She has, over more than 35 years, brightened the lives of hundreds of students and their parents.

The other is former New York City Mayor, Rudolph Giuliani. During the worst crisis in our time, he emerged as a national leader of the caliber of Kennedy, Roosevelt, and Churchill. He taught us all lessons in faith, trust, love, and support. After being at risk himself, he led the nation out of the darkness. He became America's Mayor.

Steve Kalman
Lords Valley, Pennsylvania
June 2002
Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.

About the Author

Steve Kalman is the principal officer at Esquire Micro Consultants, which offers lecturing, writing, and consulting services. He has more than 30 years of experience in data processing, with strengths in network design and implementation. Steve is an instructor and author for Learning Tree International and has written and reviewed many networking-related titles. He holds CISSP, CCNA, and CCDA certifications.


About the Technical Reviewers

Hank Mauldin is a consulting engineer for Cisco Systems, Inc., working for the Office of the CTO. He has worked with Cisco for several years, evaluating and designing data networks. His areas of expertise include IP routing protocols, quality of service, and network security. Hank is currently the program manager for Cisco Network Designer, which is a network design tool. Prior to joining Cisco, he worked for several different system integrators. He has more than 15 years of data networking experience. Hank resides in San Diego, California. He holds a master's degree in information system technology from George Washington University.

Carl Smigielski is a senior network engineer at Aquidneck Management Associates in Newport, Rhode Island. Carl develops IT security solutions for military clients, including the Naval Undersea Warfare Center. He has written award-winning security analysis tools used daily by the Naval Criminal Investigative Service and other investigative organizations. Carl teaches courses on network security technologies, including Intrusion Detection, Cryptography, PKI, Web Security, Virtual Private Networks, and Firewalls.

Boleslav Sykora is a recognized security expert. He consults on network and system security issues, dealing with intrusion detection, vulnerability assessment, penetration testing, firewalls, VPNs, web servers, and PKI. He also instructs on these subjects at Learning Tree International, for whom he wrote courses on intrusion detection and Cisco OSPF/BGP routing. Boles is an electrical engineer and holds the CISSP certification.

Acknowledgments

When I decided that I wanted to write this book, I sent a short e-mail to Cisco Press Executive Editor, Brett Bartow. We've worked together for years; I've had the privilege of being a technical editor for several Cisco Press books. In that note, I asked him if he could recommend a publishing house for a book on web security, never thinking that Cisco Press would be interested. Brett immediately came back and said that we could do it together; so we began working on the outline. I am delighted to have had the opportunity to write for Cisco Press. It is always a pleasant experience when you get to work with the best. Thanks, Brett.

One of the first things I asked Brett to do was to assign Chris Cleveland as development editor. I knew Chris from the TE work I've done, and I had the highest respect for his skills and dedication. Now, as an author, I've seen how much work he did to the raw material I sent him. Consistency is essential in technical writing, and Chris did (and does) a tremendous amount of work behind the scenes to make it happen.

No author stands alone. Several people and companies played key roles in making this project happen. Among them are Adrian Bryan. He is the author of a course on web security given by Learning Tree. That course, which I teach from time to time, was the source of the idea for this book. Adrian also graciously provided the material for Appendix B, "Decoding Base64."

Addie Sheridan. She was a student in a class I taught as I was still thinking about whether to take on this project. When I mentioned it to her, she said, "Finally, a book that we can actually use." That was the proverbial straw. Hopefully, I've produced something that meets that definition.

Peter Vogel. As author of the Learning Tree course on technical writing, Peter put together four intensive days of training on the skills needed to produce everything from a white paper to a book like this. Many of the lessons he taught me have improved the readability of this book.

Grant Moyle and Mike Covington, who helped with the original outline.

I teach courses on routing, telecommunications, and security for Learning Tree. This has given me the opportunity to learn from the students which areas are more or less difficult for them to understand, and which skills are more important than others. Many thanks go to the founders, Eric Garen and David Collins, who created a company that has given me the opportunity to meet and work with scores of the industry's best and brightest professionals.

Internet Security Systems for permission to use its product as an example of a security scanner.

Sanctum, Inc. for permission to use its AppShield product to demonstrate web content insecurity.

Rhinosoft for permission to use its secure FTP server and client.

The U.S. National Security Agency (NSA) who have created an excellent web site chock-full of best practices statements. I've shamelessly adapted, edited, and repurposed several of them for this book's audience.

The technical editors, Carl, Hank, and Boles, whose comments made all the difference. They dedicated computers for several months to the sole task of editing this book—running through all the steps, making suggestions, and correcting errors. The remaining errors are mine, but the credit for all the corrections goes to them with my gratitude for a job well done.

Last, but undoubtedly most important, is my wonderful wife of 25 years, Gail. As I get close to deadlines, I get focused on the task at hand to the exclusion of nearly everything else. When, during a conversation, my mind drifted off to something I should have written or could have written better, she was understanding and supportive. (She calls it "Programmer Mode"—just slide the pizzas under the door and wait for him to come out.) Without her unwavering support, my achievements would not only have been impossible, but also pointless. Thanks.


Introduction

It seems that every day or two brings a report on some new vulnerability or security hole. Administrators are advised on what patch to apply or what workaround to employ. With so many security alerts, we've become complacent in the same way that the daily litany of felonies reported in the newspapers and on TV has immunized us against the reported news. The KLEZ virus, which made the top-ten lists for three months running in the spring of 2002, could have been prevented with a patch issued fourteen months earlier.

Most network administrators are doing the equivalent of driving without insurance. It isn't that they're incompetent or that they don't care, but that the demand on them is to show positive results today—to put out the fires that are burning now. They don't have the luxury of time to create fire prevention plans.

This book is written for them. In plain language, with lots of examples, it shows how to secure a web server and protect a network from most attacks.


Focus of the Book

The focus is on what to do and how to do it, rather than on how it works. Readers of this book will be administrators who have security responsibility without enough dedicated time and training to do the job properly. These readers need solutions rather than theory. This book supplies them.

Under the assumption that readers will look only at parts that are pertinent to them, some material is necessarily duplicated. Occasionally, that duplication is in the same chapter. (The IIS4/IIS5 installation chapter is a good example.) Other times, the material is spread across several chapters. (Certificates are described and defined in three places, albeit in different contexts.)


Audience

The main audience for this book is the network administrator who has responsibility for many separate aspects of a company's network—the kind of job that might be held by several people at a larger company. It was written assuming that the audience members would rather learn how than why. Many of the technical topics are treated with just enough information to make the tutorial parts make sense.


Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The IOS Command Reference describes these conventions as follows:

Vertical bars (|) separate alternative, mutually exclusive elements.

Square brackets [ ] indicate optional elements.

Braces { } indicate a required choice.

Braces within brackets [{ }] indicate a required choice within an optional element.

Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

Italics indicate arguments for which you supply actual values.
Th e m ore reliant org anizat ions b ecom e on t he I n t er net t o p er f orm daily j obs or cond uct t ran sact ions, t h e gr eat er t he im pact a br each of n et w or k secu rit y has. Just as Cisco Sy st em s h as been an inn ovat or in u sin g t h e I nt er net t o conduct business, so t oo is it a m ar ket leader in t he developm ent an d sale of p rod uct s and t echnologies t h at p rot ect d at a t r av eling acr oss t he I nt er net . Yet a net w or k secur it y solut ion is only as st r ong as it s w eak est link . Net w ork at t ack s can occu r at an y point , including t h e net w ork con nect ion , t he fir ew all, t h e w eb ser ver , or t h e client . Har d en in g t he def en ses at all t hese point s is key t o creat ing an eff ect iv e, all- encom passing net w ork secur it y solu t ion.

Icons Used in This Book

Throughout this book, you will see a number of icons used to designate Cisco and general networking devices, peripherals, and other items. The icon legend that follows explains what these icons represent.

Part I: The Fundamentals of Web Security

The most secure computer in the world would be one that is fully configured, then unplugged, encased in plastic, and placed in a bank vault. It would also be the most useless computer in the world. As someone responsible for keeping that computer secure, you need to keep two things in mind:

First—Everything you do to increase the usability of that computer lowers its security.

Second—That trade-off is not one-for-one. Some actions lower security a little but raise usability a lot. Others lower security a lot but raise usability only a little. Your job is to willingly do the former and adamantly resist the latter.

In this part, you fill in some blanks that you might have with regard to data communication functions, and you learn about security policies.

Chapter 1 Essential Information for Web Security Administrators
Chapter 2 Security Policies

Chapter 1. Essential Information for Web Security Administrators

This chapter covers the following topics:

Two Internetworking Models
Headers
Shims
Above the Transport Layer

Two things are almost certainly true about the vast majority of readers of this book:

You know most of the information in this chapter.
You need to brush up on a few things or, possibly, learn about them for the first time.

You will most likely either skip or skim most of the material here. Other chapters, however, assume that you know these fundamentals. If you find that a section assumes knowledge that you don't have, such as how Secure Sockets Layer (SSL) works (Chapter 9, "Becoming a Certification Authority [CA]") or what a SYN-Flood is (Chapter 10, "Firewalls"), this is the place to get the details.

Two Internetworking Models

Someone once said, "The only thing worse than no standards is two standards." As you've undoubtedly observed, the world of data communications has an overabundance of cases where two (or three, or more) standards apply to the same process. Sometimes, it makes sense: Ethernet and Token Ring are two standards for passing data on a medium, and each has advantages and disadvantages when compared to the other. Sometimes, multiple standards don't make sense: Frame Relay has three slightly different Link Management Interface (LMI) types—the correct one to use depends on which company made the switch (and wrote its software).

Even the terminology used to describe data communication processes and functions is made more difficult by the presence of two different models. For example, the OSI reference model has seven layers, and the TCP/IP model has four levels. Because their terminology is used so pervasively, both are described here.

NOTE

Almost all technical books and courses discuss (or at least refer to) the OSI reference model and its layers. In the industry, even though the TCP/IP model is predominant, it has become acceptable to refer to the TCP/IP model as having layers, rather than using the more correct term, levels. This book follows the industry practice.

OSI Reference Model

The International Organization for Standardization (ISO) developed and promulgated the Open Standards for Interconnection (OSI) reference model. The OSI reference model has seven layers, as listed and described in Table 1-1.

Table 1-1. OSI Reference Model Layers

Number  Name          Description
7       Application   Communications programs operate here. Some, such as FTP and DHCP, are part of the TCP/IP protocol suite.
6       Presentation  Controls the format of the message. For example, conversions from ASCII to EBCDIC would occur here. So, too, would encryption and decryption and compression and expansion.
5       Session       Manages the overall communications process and logging in. An example is a TCP session, including everything from the first SYN, to the data in between, to the final FIN. Early days of remote terminal access also included checkpoint and restart.
4       Transport     End-to-end integrity is this layer's responsibility. The idea here was to provide host-to-host integrity checking at this layer. (Lower layers check hop-to-hop integrity.)
3       Network       Addressing and routing operate at this layer.
2       Data link     The bits are organized into frames and error mechanisms (such as CRC) occur here. Communication protocols, such as Ethernet, Token Ring, HDLC, PPP, and DSL, operate at this layer.
1       Physical      This layer allows the bits to get to the other end by defining the signaling speed, voltage levels, modem frequency, and connector pins.

A powerful advantage that comes from the layered OSI reference model is the interchangeability of parts. A computer that uses TCP/IP for its transport and network layers can be changed from Ethernet to Token Ring by merely removing one network card and adding another (plus its drivers). The IP address need not change. Similarly, the same Layer 2 Ethernet network can deliver IP, IPX, and AppleTalk packets at Layer 3.

TCP/IP Model

The TCP/IP model is quite a bit simpler. Because it is composed of only four layers, some of the OSI layer functions have to be combined. Table 1-2 lists the layers and their responsibilities, along with a comparison to the OSI model.

Table 1-2. TCP/IP Model Layers and Functions

Layer Name         Function
Application        Same as in the OSI model, but includes OSI presentation and session layer responsibilities
Transport          End-to-end communications, like OSI's transport layer; adds the capability to address different applications and processes with port numbers
Internet           Corresponds to the OSI network layer; uses IP addresses to identify nodes
Network Interface  Same as OSI's data link layer

Unlike the OSI model, the Internet model has no definition of the physical layer.

This model also defines the objects passed between the layers. Figure 1-1 presents the definitions in context.

Figure 1-1. Definition of Data Content During Layer-to-Layer Transitions

Although these terms are not officially defined by the OSI, they are commonly used along with both the OSI reference model and the TCP/IP model layer names. To use OSI terminology, the data link layer receives frames from the physical layer and passes datagrams to the network layer. The network layer, in turn, gives packets to the transport layer, and the term message is used at Layers 5, 6, and 7. In keeping with industry conventions, all references to layers in the book are based on the OSI reference model.

Headers

As data passes down the stack from one layer to the next, a header with a format specific to that layer is added until the frame with all its headers and the data is transmitted. Each layer examines and removes its header as the packet works its way up the stack. Eventually, the data reaches its application. The next several sections look at headers in detail.

Data Link Headers

As defined by the OSI reference model, the data link layer is responsible for receiving the frame from the physical layer and handing it off, as a datagram, to the correct network layer protocol.

The IEEE made a modification to this layer, splitting it into two halves. The lower half, known as the Media Access Control (MAC) sublayer, looks at every frame captured by the physical layer and discards most of them. It retains only those frames addressed to the specific machine on which it is running, to multicasts for which it is a group member, or broadcasts. The MAC layer then hands it off to the Logical Link Control (LLC) layer for further processing, including eventually handing off the datagram to the appropriate network layer protocol.

Ethernet II and the Type Field

Three companies defined Ethernet: Digital, Intel, and Xerox. (The original name for the cable connector was the DIX connector, the acronym coming from the companies' names.) It was later revised to become Ethernet II, but the header was not changed during the revision. Table 1-3 shows the three fields in the header.

Table 1-3. Fields in the Ethernet II Data Link Header

Destination MAC   Source MAC   Type Code
6 bytes           6 bytes      2 bytes

For many years, the type codes, protocol codes, port numbers, and many other codes and number assignments were defined in the "assigned numbers" RFC, which was periodically updated and renumbered. The last of them was RFC 1700. When that process became unmanageable, it was transferred to a database that you can reach online at www.iana.org/assignments. The Ethernet type codes are listed there. Three that are used in the examples that follow are hexadecimal values 0x0800, 0x0806, and 0x8136, which mean IP, ARP, and IPX, respectively.

NOTE

Using the prefix 0x is common practice when presenting hexadecimal numbers in print.

When a frame arrives, the data link header is examined and removed, and the resulting datagram is handed off to the proper network layer process. If, for example, the type code were 0x0800, IP would get it. Similarly, type 0x0806 frames would go to ARP, and type 0x8136 frames would go to IPX. Scores of defined numbers exist, but most of them are assigned to companies that no longer exist and are unused.

NOTE

Other protocols, such as IBM Token Ring and Datapoint Arcnet, had their own ways of passing data higher up the stack. Neither protocol had numbers listed in the assigned numbers' RFCs.

IEEE 802 Working Group The w or kin g rou p ( for ed in Feb ) rt owser ook ons, t and he t ask ofork st andar izinicat g ions. HandI EEE s- on 802 t echniqu esgfor secur in gmWindow s( rru) ary serv1980 ers, b net w com md un net w or k comm u nicat ion s. To t h at end , t hey subd ivided int o sev er al su bgr oup s, each w it h a specif ic r espon sibilit y . Table 1 - 4 list s t h e or ig inal sub gr oups. Cr eat e eff ect iv e secur it y policies and est ab lish r ules for op er at ing in and m aint aining a secur it y - conscious env ir onm en t Lear n how t o har den Window s m u lt i- u ser p lat for m s, inclu ding NT, 2 000 , and XP

Tab le 1 -4 . I ni t ia l 8 0 2 W or k ing Gr ou ps Under st and secur e inst allat ion op t ions f or Wind ows w eb ser v ers an d how t o enhan ce secur it y on exist ing w eb an d FTP ser v er in st allat ions I EEE N um be r Re sponsib ili t y user'inist s w or 80 2. 1I m pr ove secur it y at t he end Adm r atkst ionat ion, inclu ding w eb b row ser s, desk t ops, an d lapt op s 80 2. 2 [ 1] Log ical Link Cont r ol [ 2] aluat e t he pr os an d cons of in st alling a cer t (ificat serv 80 2. 3Ev CSMA/ CD access Et here net ) er and becom in g you r ow n Cer t ificat ion Au t hor it y 80 2. 4 Tok en Passin g Bus Lear n t he Cisco PI X Fir ew all an denCisco I OS Firew all ar chit ect u re and how t o app ly Cisco 80 2. 5 Tok Passin g Ring st andar d and ex t en ded access list s

Discover w ay s t o t est t he cur r en t st at e of secur it y and k eep it up t o dat e [ 1]

ANSI dev eloped t he standar d for FDDI . I t is also a MAC sublay er definition, expecting an 802.2 LLC to suppor t it.

Lear n t o eng age end users as par t of t h e ov er all n et w or k secu rit y solut ion [ 2]

Moder n Ether net cards ar e capable of handling Et her net I I and 802.3 Ether net concurr ently. Windows

Whilesystem t h e I nt er net has t r ansfor m ed pr ov edfort heit e her w ay w ecan dobebusiness, v ast oroth k and s default to sending Ethern et Iand I andim listening , but configur edt his to use onenet or w the er it s associat ex clusived ely.t ech Thenologies only tr ick hav is that e opened both sender t heand d oor r eceiv t o er anmust incragr easin ee. g n um ber of secur it y t h reat s. The ch alleng e for successfu l, pu blic w eb sit es is t o encour age access t o t h e sit e w hile elim inat ing Iun EEE 8 02. 3, or .4 ,malicious and . 5 allt rdefine t he t MAC por e t ion t he dat header. h t heconst f orm rat and desir able aff ic and o pr ovid su ffoficient lev aelslink of secur it y Bot w it hout aining size var b ased on t he p art m et hod . How ev er ,ball v eresions f eed o a st per for myance or scalabilit y . icular Th e maccess ore reliant org anizat ions ecom on t he I n tint er net t oand p erard f orm 80 2. 2j obs LLC or header daily cond .uct t ran sact ions, t h e gr eat er t he im pact a br each of n et w or k secu rit y has. Just as Cisco Sy st em s h as been an inn ovat or in u sin g t h e I nt er net t o conduct business, so t oo is it a m ar ket leader in t he developm ent an d sale of p rod uct s and t echnologies t h at p rot ect d at a t r av eling acr oss t he I nt er net . Yet a net w or k secur it y solut ion is only as st r ong as it s w eak est link . Net w ork at t ack s can occu r at an y point , including t h e net w ork con nect ion , t he fir ew all, t h e NOver TE, or t h e client . Har d en in g t he def en ses at all t hese point s is key t o creat ing an w eb ser eff ect iv e, all- encom passing net w ork secur it y solu t ion.

Both DIX and IBM released some of their patents to the public domain and, as a result, the IEEE standards are quite close to the proprietary versions; in many cases, they can coexist on the same physical network. Datapoint (who had a 70 percent market share at that time) refused to do the same. There was only one 802.4 large-scale experiment (at General Motors) before it faded away. Today, the vast majority of installations are Ethernet-based.


Table 1-5 shows the fields in the 802.3 header. If you compare it to Table 1-3, you see that they have the same number of bytes. The difference is that the last two bytes in the 802.3 header are the length of the entire frame rather than a type code. Because the lowest type code is hexadecimal 0800, which is equal to decimal 2048 and is far larger than the maximum Ethernet frame, there is no potential for confusion.

Table 1-5. Fields in the 802.3 MAC Sublayer Header

Destination MAC | Source MAC | Length Code
6 bytes | 6 bytes | 2 bytes

The 802.2 LLC sublayer is made up of three fields:

Source Service Access Point (SSAP)
Destination Service Access Point (DSAP)
Control

The SSAP serves the same purpose for LLC as the Type field does for Ethernet. However, because it is only one byte long, the codes are different. In almost all cases, the DSAP is the same value as the SSAP. Table 1-6 lists the most common values.

Table 1-6. Most Common SAP Values

Code | Meaning
04 | IBM SNA
06 | IP
80 | 3Com
AA | SNAP
BC | Banyan
E0 | Novell

Figure 1-2 shows the relationship between 802.2 and the separate MAC sublayers and compares it to Ethernet II. Both the 802.2 and Ethernet II layers deliver datagrams to the network layer.

Figure 1-2. Data Link Alternatives
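As an added example (not code from the book), the following Python decodes a raw frame by the rule just given, treating the 2-byte field as a type code only when it exceeds the 1500-byte maximum payload, and for 802.3 reads the LLC SAPs of Table 1-6 and the SNAP Ethertype behind DSAP 0xAA. The MAC addresses and payloads are constructed.

```python
"""Decode the data link header of a raw Ethernet frame.

Distinguishes Ethernet II (type code) from IEEE 802.3 (length) by the rule
the text gives: a length can never exceed the 1500-byte maximum payload,
while the lowest type code, 0x0800, is already 2048. For 802.3 frames the
802.2 LLC sublayer is decoded, and DSAP 0xAA leads into the SNAP header
that carries the Ethertype. Added example; addresses and payloads are made up.
"""
import struct

MAX_ETHERNET_PAYLOAD = 1500

# Table 1-6: most common SAP values
SAP_NAMES = {0x04: "IBM SNA", 0x06: "IP", 0x80: "3Com",
             0xAA: "SNAP", 0xBC: "Banyan", 0xE0: "Novell"}
# Ethertypes used in this chapter
ETHERTYPE_NAMES = {0x0800: "IP", 0x0806: "ARP"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Return the data link fields and the upper protocol the data link
    layer would hand the payload to (by Ethertype or by DSAP/SNAP)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a MAC header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": fmt_mac(dst), "src": fmt_mac(src)}

    if type_or_len > MAX_ETHERNET_PAYLOAD:
        # Ethernet II: the 2-byte field is a type code and the payload follows
        info.update(encap="Ethernet II", ethertype=type_or_len,
                    upper=ETHERTYPE_NAMES.get(type_or_len, f"0x{type_or_len:04x}"),
                    payload=frame[14:])
        return info

    # IEEE 802.3: the field is the length of what follows, starting with LLC
    end = 14 + type_or_len
    if len(frame) < 17 or end > len(frame):
        raise ValueError("802.3 frame shorter than its length field claims")
    dsap, ssap, control = struct.unpack("!BBB", frame[14:17])
    info.update(encap="802.3", length=type_or_len,
                dsap=dsap, ssap=ssap, control=control)
    data_start = 17
    if dsap == 0xAA:
        # SNAP: 3-byte OUI, then the Ethertype that names the network protocol
        if type_or_len < 8:
            raise ValueError("SNAP header truncated")
        ethertype = struct.unpack("!H", frame[20:22])[0]
        info.update(snap_oui=frame[17:20].hex(), ethertype=ethertype,
                    upper=ETHERTYPE_NAMES.get(ethertype, f"0x{ethertype:04x}"))
        data_start = 22
    else:
        info["upper"] = SAP_NAMES.get(dsap, f"SAP 0x{dsap:02x}")
    info["payload"] = frame[data_start:end]
    return info


def build_frame(dst: bytes, src: bytes, type_or_len: int, body: bytes) -> bytes:
    return dst + src + struct.pack("!H", type_or_len) + body


# Constructed sample frames (addresses and payloads are made up)
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IP_BODY = b"IPDATA!!"                       # stands in for an IP datagram
# Ethernet II carrying IP: type code 0x0800 sits where 802.3 puts a length
ETHERNET_II_FRAME = build_frame(DST, SRC, 0x0800, IP_BODY)
# 802.3 + LLC + SNAP carrying IP: DSAP/SSAP 0xAA, control 0x03, OUI 000000
SNAP_BODY = bytes([0xAA, 0xAA, 0x03]) + b"\x00\x00\x00" + b"\x08\x00" + IP_BODY
SNAP_FRAME = build_frame(DST, SRC, len(SNAP_BODY), SNAP_BODY)
# 802.3 + LLC with Novell's SAP (Table 1-6), no SNAP
NOVELL_BODY = bytes([0xE0, 0xE0, 0x03]) + b"IPX!"
NOVELL_FRAME = build_frame(DST, SRC, len(NOVELL_BODY), NOVELL_BODY)

if __name__ == "__main__":
    for f in (ETHERNET_II_FRAME, SNAP_FRAME, NOVELL_FRAME):
        d = decode_frame(f)
        print(d["encap"], "->", d["upper"], d["payload"])
```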


NOTE

The LLC Control field can be used to establish either of two classes of service. The first, called Type I, is connectionless service. It works on a best efforts basis. The other, called Type II, is connection-oriented. It is based on SDLC (as developed by IBM in the 1960s) and requires acknowledgment of frames sent and received. Because TCP also provides connection-oriented service, most IP implementations rely on Type I. However, some non-TCP/IP suites do not have a TCP equivalent and need Type II services.

Network Layer Headers

It might come as a surprise, but nearly everyone runs multiple network layer protocols. The obvious one is IP. Less obvious, but still part of the TCP/IP suite, is ARP. In addition, it is certainly possible and very common to run other networking protocols, such as Novell's IPX or IBM's SNA. Because the Internet runs on IP, those other networking protocols aren't discussed any further here.

The data link layer uses the Ethertype or DSAP fields to determine which of the network layer protocols should get the datagram. Note that for TCP/IP on non-DIX networks, DSAP would have 0xAA and the SubNetwork Access Protocol (SNAP) header would have the SAP value.

IP

IP provides connectionless, best efforts service, routing, and fragmentation and reassembly. Table 1-7 shows the fields in the IP header.

Table 1-7. Fields in the IP Header

Field Name | Purpose
Version | Always four.
IP Header Len | Length of this header in 4-byte words.
Type of Service or Differentiated Services | Originally intended to prioritize traffic based on delay, throughput, reliability, and cost. Widely ignored for years, it has been repurposed to indicate network congestion.
Total Length | Length of the entire datagram; maximum value is 65,535 bytes.
Identification | A unique number assigned to each datagram. (All fragments of a single datagram have the same ID.)
Flags | The flag can be marked as either DF = Don't Fragment or MF = More Fragments.
Fragment Offset | Gives this fragment's starting point in the reassembly buffer.
Time to Live (TTL) | Originally intended as a timer, now the TTL is decremented at each router. When zero, the packet is discarded. The TTL prevents endless circulation in the event of routing loops.
Protocol | Says which transport layer service to deliver the packet to.
Header Checksum | For error recognition.
Source Address | IP address of the interface on the sending machine used to transmit the datagram.
Destination Address | IP address of the interface on the receiving machine to which the datagram was sent.
Options | Optional, maximum size is 40 bytes. This field is used to implement IP source routing.

IP packets do, of course, traverse the Internet. As a result, there are a few security considerations:

Oversized packets: The maximum packet size is 65535 (2^16 - 1). A packet that exceeds that size can crash a computer. The Ping-of-Death was a famous hack that caused many computers running IP (not just Windows machines) to hang, reboot, or produce unexpected results. Most modern operating systems are now immune to this problem, but old (unpatched) Windows 95 and NT 4 systems could still be vulnerable.

Source routing: Before routers were invented, datagrams were sent across the Internet with the addresses of the gateways (traversal points) listed in the IP header's Options field. Although it hasn't been used (legitimately) for many years, the feature is still available. On Cisco routers, you should disable this option by using the no ip source-route command.

Ping of Death

RFC 791 says that IP packets can be no longer than 65,535 bytes including the IP header length (20 octets if no options are present). All the data link protocols have a maximum frame size (1500 octets is common), so larger packets must be fragmented. That's the network layer's job, and IP will do this. Packets have to be reassembled at the destination and, again, IP can handle it. Fragmentation is normally done by routers along the path but can also be handled by the sending host. IP uses the Identification, Fragment Offset, Flags, and Length fields to do the reassembly.

The ping program uses ICMP messages. The ICMP header is 8 octets. A quick calculation (65,535 less 20 less 8 = 65,507) gives the maximum number of octets that can be sent via the ping program for the destination to return. Attempting to send more might overflow the destination's buffers. This works because the last fragment might have a valid offset and a size such that (offset + size) > 65,535. A simple command that generates this invalid packet by sending more than 65,507 octets of data follows:

    ping -l 65510 your.test.IP.Address

You can try this on your test machine if you want. Just be prepared for a crash. You need a Windows 95 or NT 4 PC with no service packs applied to get an unpatched Ping.exe. The ping program that comes with Windows 2000, for example, issues an error message if the data size is more than 65,500.
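An added example, not code from the book, that parses the Table 1-7 fields, verifies the header checksum, and flags the two considerations above on the receiving side: a fragment that would reassemble past 65,535 bytes (the last fragment of the ping -l 65510 case, constructed here for a 1500-byte MTU) and a source-routing option in the Options field. The addresses and identification values are made up; the option type codes 131 (LSRR) and 137 (SSRR) are the standard IP values and are not from the page.

```python
"""Parse an IPv4 header (Table 1-7 fields), verify its checksum, and flag the
two security considerations the text raises: a fragment whose reassembled
datagram would exceed 65,535 bytes (Ping of Death) and source-routing options.
Added example; addresses, IDs and option codes are not from the book.
"""
import struct

MAX_DATAGRAM = 65535          # RFC 791 limit, header included
# IP option type codes for Loose / Strict Source and Record Route (standard values)
SOURCE_ROUTE_OPTIONS = {131: "LSRR", 137: "SSRR"}


def header_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented.
    Over a header whose checksum field is zero it yields the checksum;
    over a correctly checksummed header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_header(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("shorter than the minimum 20-byte IP header")
    (ver_ihl, tos, total_len, ident, flags_off, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL counts 4-byte words
    if version != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = pkt[:ihl]
    fields = {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
        "fragment_offset": (flags_off & 0x1FFF) * 8,      # stored in 8-byte units
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "alerts": [],
    }
    if header_checksum(header) != 0:
        fields["alerts"].append("bad header checksum")

    # Ping of Death check: the header plus where this fragment's data ends in
    # the reassembly buffer must still fit in the 16-bit Total Length.
    data_len = total_len - ihl
    fields["reassembled_total"] = ihl + fields["fragment_offset"] + data_len
    if fields["reassembled_total"] > MAX_DATAGRAM:
        fields["alerts"].append(
            f"fragment reassembles to {fields['reassembled_total']} > {MAX_DATAGRAM}")

    # Options follow the fixed 20 bytes: 1-byte type, then (except EOL/NOP) a length
    i = 20
    while i < ihl:
        opt = header[i]
        if opt == 0:                    # End of Option List
            break
        if opt == 1:                    # No Operation (padding)
            i += 1
            continue
        length = header[i + 1] if i + 1 < ihl else 0
        if length < 2 or i + length > ihl:
            fields["alerts"].append("malformed option")
            break
        if opt in SOURCE_ROUTE_OPTIONS:
            fields["alerts"].append(f"{SOURCE_ROUTE_OPTIONS[opt]} option present")
        i += length
    return fields


def build_ip(total_len, ident, flags_off, ttl, proto, src, dst, options=b""):
    """Constructed test helper; pads options to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl_words = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total_len, ident,
                      flags_off, ttl, proto, 0, bytes(src), bytes(dst)) + options
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]


# Last fragment of "ping -l 65510" over a 1500-byte MTU (constructed): 44 full
# fragments carry 65,120 bytes, so this one starts at offset 65,120 (8140 * 8)
# and carries the remaining 398 of the 65,518 ICMP bytes; MF is clear.
POD_LAST_FRAGMENT = build_ip(20 + 398, 0x1234, 8140, 64, 1,
                             (10, 0, 0, 1), (10, 0, 0, 2)) + b"\x00" * 398
# Same layout for "ping -l 65507": 65,515 ICMP bytes, last fragment carries 395
MAX_OK_FRAGMENT = build_ip(20 + 395, 0x1235, 8140, 64, 1,
                           (10, 0, 0, 1), (10, 0, 0, 2)) + b"\x00" * 395
# Unfragmented datagram carrying a Loose Source and Record Route option
LSRR = bytes([131, 11, 4]) + bytes((10, 0, 0, 254)) + bytes((10, 0, 1, 254))
SOURCE_ROUTED = build_ip(32 + 8, 0x1236, 0x4000, 64, 6,
                         (10, 0, 0, 1), (10, 0, 1, 9), LSRR) + b"\x00" * 8

if __name__ == "__main__":
    for p in (POD_LAST_FRAGMENT, MAX_OK_FRAGMENT, SOURCE_ROUTED):
        print(parse_ip_header(p)["alerts"])
```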

ARP

To communicate from one host to another across a network, the sending station needs to know the destination's MAC address. Although the Data Link headers for all the Broadcast Multiple Access (BMA) LANs (Ethernet, Token Ring, and FDDI) differ, they all have at least one thing in common: the destination station's MAC address is at or near the start of the frame and precedes the source address.

The protocol used to resolve MAC addresses when you know only the destination's IP address is called the Address Resolution Protocol (ARP). Table 1-8 lists the fields in the ARP request.

Table 1-8. Fields in the ARP Header

Field Name | Purpose
Hardware Address Type | 1 = Ethernet II, 6 = 802.2
Protocol Address Type | Always = 0x0806
Hardware Length | Length of the MAC address = 6
Protocol Length | Length of the IP address = 4
Operation | 1 = Request, 2 = Reply
Source MAC | MAC address of sending station
Source IP Address | Sending station's IP address
Destination MAC | Unknown address, typically all 1s, occasionally all 0s
Destination IP Address | Destination station's IP address

ARP has its own Ethernet type code (0x0806), so when the data link layer is ready to hand off the datagram to the network layer, it goes to ARP rather than to IP. When a station needs to determine the MAC address of another station (assuming it already knows the IP address), it constructs an ARP Request using the destination MAC broadcast address. When it transmits that frame, every station receives and processes it, but only the station whose IP address matches the destination IP address in the ARP header constructs an ARP reply. It places the MAC address it found in the request's Source MAC address field into the Destination MAC field and puts its own MAC address into the source MAC field.

Both stations cache the IP address/MAC address pair to facilitate continued communications. After a time (it varies with differing operating systems), the address will be flushed.

Because the MAC address is used only on local networks (ARPs don't cross routers), there is little security risk. The small risk that does exist comes from the capability to enter a static (permanent) MAC address into a Windows Registry. Should a bogus address get entered (perhaps the MAC address for the default gateway's IP address), data would be misdirected. This is unlikely and requires access to the user's PC with administrative privileges. Programs such as ISS Internet Scanner (described in Chapter 3, "Windows System Security") can alert you to this risk.

Transport Layer Headers

When IP is finished with a datagram, it strips off its header and delivers the packet to the transport layer header indicated by its Protocol field. The most common protocols are TCP and UDP, but other protocols also run just above IP. The IGRP, EIGRP, IS-IS, and OSPF routing protocols do not use TCP or the standard transport layer header. Neither does ICMP, on which ping is based.

NOTE

The other two main routing protocols are RIP and BGP. RIP runs over UDP on port 520. BGP runs over TCP on port 179.
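The ARP exchange from the ARP section above, as an added example that is not the book's code: it lays out packets with the Table 1-8 fields, answers a request the way the text describes (requester's MAC copied into the destination field, responder's own MAC in the source field), and compares a host's static entries with the reply actually seen from that IP, which is the check a scanner makes for the bogus gateway entry described above. The addresses are constructed, and the Protocol Address Type is filled with IPv4's Ethertype 0x0800 while the frame carrying ARP uses type code 0x0806 as the text says.

```python
"""Build, answer, and inspect ARP packets laid out as in Table 1-8, then
compare a host's static ARP entries with what the wire says.
Added example; the MAC and IP addresses below are made up.
"""
import struct

ETHERTYPE_ARP = 0x0806        # frame type code that sends the payload to ARP, not IP
HW_ETHERNET = 1
PROTO_IPV4 = 0x0800           # IPv4's Ethertype, carried in Protocol Address Type
OP_REQUEST, OP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"    # Table 1-8 fields, in order, for Ethernet/IP


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    return struct.pack(ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, op,
                       sender_mac, sender_ip, target_mac, target_ip)


def parse_arp(packet: bytes) -> dict:
    if len(packet) < 28:
        raise ValueError("ARP packet shorter than 28 bytes")
    (hw_type, proto_type, hw_len, proto_len, op,
     sender_mac, sender_ip, target_mac, target_ip) = struct.unpack(ARP_FMT, packet[:28])
    if hw_len != 6 or proto_len != 4:
        raise ValueError("not an Ethernet/IP ARP packet")
    return {"hw_type": hw_type, "proto_type": proto_type, "op": op,
            "sender_mac": sender_mac, "sender_ip": sender_ip,
            "target_mac": target_mac, "target_ip": target_ip}


def answer_request(request: bytes, my_mac: bytes, my_ip: bytes):
    """Only the station whose IP matches the request's destination IP replies;
    it copies the requester's MAC into the destination field and puts its own
    MAC in the source field. Returns None when this station must stay silent."""
    req = parse_arp(request)
    if req["op"] != OP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp(OP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


def check_static_entries(static_entries: dict, reply: bytes) -> list:
    """Compare a host's static (Registry) IP -> MAC entries against an ARP reply
    seen from that IP; a mismatch means traffic for that IP, such as the
    default gateway, would be misdirected."""
    rep = parse_arp(reply)
    if rep["op"] != OP_REPLY:
        return []
    ip, wire_mac = fmt_ip(rep["sender_ip"]), fmt_mac(rep["sender_mac"])
    configured = static_entries.get(ip)
    if configured is None or configured.lower() == wire_mac:
        return []
    return [f"static entry for {ip} is {configured}, but {ip} answers from {wire_mac}"]


# Constructed stations on one LAN
CLIENT_MAC = bytes.fromhex("00aabbccdd01")
CLIENT_IP = bytes((10, 0, 0, 50))
GW_MAC = bytes.fromhex("001122334455")
GW_IP = bytes((10, 0, 0, 1))
BYSTANDER_MAC = bytes.fromhex("00aabbccdd02")
BYSTANDER_IP = bytes((10, 0, 0, 51))

# Client asks for the gateway's MAC; the ARP target MAC is unknown (all 0s here)
# while the frame carrying it goes to the broadcast MAC address.
REQUEST = build_arp(OP_REQUEST, CLIENT_MAC, CLIENT_IP, b"\x00" * 6, GW_IP)
# Every station processes the request; only the gateway produces a reply
REPLY = answer_request(REQUEST, GW_MAC, GW_IP)

if __name__ == "__main__":
    rep = parse_arp(REPLY)
    print(fmt_ip(rep["sender_ip"]), "is at", fmt_mac(rep["sender_mac"]))
    print(check_static_entries({"10.0.0.1": "de:ad:be:ef:00:01"}, REPLY))
```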

TCP

Transmission Control Protocol (TCP) is a robust, feature-laden transport protocol. Through it, hosts can provide error-checked, guaranteed delivery of messages to application layer protocols. Table 1-9 lists and describes the fields in the TCP header. Two of those fields are Source Port and Destination Port number, and some of the most common ones are described in Table 1-10.

Table 1-9. Fields in the TCP Header

Field Name | Purpose
Source Port | The port number used by the application layer protocol that generated the packet.
Destination Port | The port number used by the application layer protocol that is intended to receive the message. Some common TCP port numbers are listed in Table 1-11.
Sequence Number | A 32-bit field that is incremented for each byte that is successfully transmitted. Through it, the receiving host can recognize the occurrence of a missing packet.
Acknowledgement Number | A 32-bit field that is incremented for each byte that is successfully received. Through it, the sending host can recognize that transmitted data was not received.
Offset | Number of 4-byte words in the TCP Header (minimum = 5).
Reserved | Four bits set to zero unless Congestion Notification is enabled, in which case the bits indicate that the receiver has cut the window size in half.
Flags | Six bits whose settings control the flow of data. They are described in more detail in Table 1-12.
Window | A number representing the number of bytes that the receiver is willing to accept at the current time. TCP lowers this size when data is threatening to overwhelm the input buffers.
Checksum | Used to validate the entire packet.
Urgent Pointer | Offset into the data pointing to the byte following the urgent data. Only valid when the Urgent flag is set to 1.
Options | Generally used in the beginning of conversations to negotiate maximum message and window sizes (optional).

Table 1-10. Common TCP Port Numbers



TCP Port Number | Corresponding Application Protocol
7 | Echo
13 | Date and Time
17 | QOTD (Quote of the day)
19 | Chargen (Character generator)
20 | ftp-data
21 | ftp
23 | Telnet
25 | Smtp
37 | Time
53 | Domain (updates)
80 | http
139 | netbios-ssn
179 | BGP
443 | HTTPS (SSL)

The first four items in Table 1-10 are known as the TCP Small Services. They can typically be found in both hosts and routers. Although useful at one time (mostly for testing), they are no longer appropriate in a modern environment. Even worse, they are well-known homes of severe security holes that have not been patched, mostly because they are typically not used. Uninstall them at your first opportunity. Chapter 3 tells you how.

Port numbers are divided into two groups. Those under 1024 are reserved and are assigned only by the Internet Assigned Numbers Authority (IANA, cited in the Ethernet Header subsection). They are known as well-known ports. Numbers above 1024 are known as ephemeral. When connecting to a server, the client uses the server's well-known port as the destination port and picks an ephemeral port for the server to use for return traffic. It places that ephemeral port number in the Source Port field. One of the jobs of both firewalls and access lists is to permit or deny traffic based on examination of the port numbers.
NOTE

Because of the time delay between applying for a reserved number and actually getting it from IANA, many vendors simply use an arbitrary number from the ephemeral range. This can work when the vendor is the exclusive supplier of both the server and client application software. RealAudio is an example.

Another essential-to-understand field in the TCP header contains the six flag bits. Table 1-11 lists and describes them.

Table 1-11. Flags and Meanings

Flag Name             Interpretation (when = 1)
Urgent (URG)          Urgent Pointer is Valid (rarely used)
Acknowledgment (ACK)  Acknowledgment Number is Valid
Push (PSH)            Flush send queue on network or flush receive queue to the process
Reset (RST)           Tear down the connection
Synchronize (SYN)     Request to establish a connection or part of a positive response to that request
Finish (FIN)          Done with transmission

TCP uses the flags to set up, confirm, use, complete, and tear down a connection. Table 1-12 shows some of the key fields and flags used during the life of a connection. A simple Telnet session is used as an example. (The presence of the first letter of a flag's name means it is set to one. If absent, the flag is set to 0.)

Table 1-12. Using Flags to Manage a Connection

Frame  Source Port  Destination Port  Flags  Comment
1      2000         23                S      Request to start a connection. Client arbitrarily picks an ephemeral port. First leg of three-way handshake.
2      23           2000              S A    Server acknowledges client's packet and requests to open a connection to client: second leg of a three-way handshake. Server places the sequence number from client (adds 1 in some cases) in the acknowledgment number field and selects its own arbitrary sequence.
3      2000         23                A      Client acknowledges server's packet: third and final leg of a three-way handshake. Client places the sequence number from the server (adds 1 in some cases) in the acknowledgment number field. The TCP connection is now open for data flow.
4      23           2000              A      Server often sends the application's banner. Because of the security vulnerability, this packet may not be sent.
5      2000         23                A      Client sends data or a request.
6      23           2000              A      Server responds. Steps 5 and 6 repeat as often as necessary.
7      23           2000              F P    Either side can terminate the connection.
8      2000         23                A      Acknowledgment of connection termination. The other end may still have data to send, so it may not send FIN. This is called graceful close in TCP.
9      2000         23                A F    Connection termination from this (can be either, but usually client's) end.
10     23           2000              R      This is for recovering from errors and is not used in normal operation. Connection is forcibly reset.

Although using a flag to manage a connection works flawlessly in normal situations, would-be intruders have figured out how to subvert it for their own use. They construct a frame like the first one shown in Table 1-13, send another frame just like it but with a different source port, then another, and so on. To hide their tracks, they forge someone else's IP address in the Network Layer header, making it nearly impossible to trace the intruder's actual source address.

Every time one of those frames arrives, the server sets aside memory and other resources to prepare to satisfy the expected upcoming request. If enough of these half-connections arrive in too short a time, the server runs out of space in the listening queue, preventing legitimate connections to that port on the server. This is known generically as a Denial of Service (DoS) attack. Its formal name is a SYN flood attack.

Web servers are often far more powerful and have much faster Internet connectivity than a single hacker's resources. This makes the large-scale server more impervious to attack. As a result, the attack escalates. Hackers first distribute a Trojan (see Chapter 11, "Maintaining Security," for definition, details, prevention, and detection discussions) to hundreds or thousands of machines. The Trojan does nothing but monitor the connection, waiting for a command to tell it to go active. At that moment, all the infected computers begin a DoS attack. Collectively, this is known as a Distributed Denial of Service (DDoS) attack, and it can be very effective. One of the best-known DDoS events was the simultaneous crippling of eBay, Amazon, and Yahoo in February 2001.

Chapter 10 shows how to protect your systems against this misuse of TCP.
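As an added example (not code from the book), the following Python replays the flag sequence of Table 1-12 for each client port to tell a completed handshake from a half-open one, and reports a SYN flood when more half-open connections than the listen backlog are outstanding, the condition the paragraphs above describe. The server address, the backlog size and the packet records are constructed.

```python
from dataclasses import dataclass

SERVER_IP = "192.0.2.10"   # constructed address, the Telnet server of Table 1-12
SERVER_PORT = 23

@dataclass(frozen=True)
class Packet:
    """One TCP segment, flags written in Table 1-12 style ('S', 'S A', 'F P')."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str

    def has(self, letter: str) -> bool:
        return letter in self.flags.split()

def track_connections(packets):
    """Return {(client_ip, client_port): state} after replaying the segments.

    States follow Table 1-12: 'half_open' after the client's SYN (frame 1),
    'synack_sent' once the server answered S A (frame 2), 'open' after the
    client's final A (frame 3), 'closed' after a FIN or RST from either side.
    """
    state = {}
    for p in packets:
        if p.dst_ip == SERVER_IP and p.dst_port == SERVER_PORT:
            key = (p.src_ip, p.src_port)          # client -> server
        elif p.src_ip == SERVER_IP and p.src_port == SERVER_PORT:
            key = (p.dst_ip, p.dst_port)          # server -> client
        else:
            continue                              # not this server's traffic
        current = state.get(key)
        if p.has("R") or p.has("F"):
            state[key] = "closed"
        elif p.has("S") and not p.has("A"):
            state[key] = "half_open"              # frame 1: client SYN
        elif p.has("S") and p.has("A") and current == "half_open":
            state[key] = "synack_sent"            # frame 2: server resources now reserved
        elif p.has("A") and current == "synack_sent" and key == (p.src_ip, p.src_port):
            state[key] = "open"                   # frame 3: handshake complete
    return state

def syn_flood_suspected(packets, backlog=5):
    """True when more half-open connections than the listen backlog are outstanding.

    Half-open means the server answered S A but never saw the client's final A,
    which is exactly what a SYN flood leaves behind in the listening queue.
    """
    states = track_connections(packets)
    half_open = sum(1 for s in states.values() if s in ("half_open", "synack_sent"))
    return half_open > backlog

def handshake(client_ip, client_port):
    """Frames 1 to 3 of Table 1-12 as constructed segments."""
    return [
        Packet(client_ip, client_port, SERVER_IP, SERVER_PORT, "S"),
        Packet(SERVER_IP, SERVER_PORT, client_ip, client_port, "S A"),
        Packet(client_ip, client_port, SERVER_IP, SERVER_PORT, "A"),
    ]

# A normal session: handshake, data, server FIN, client ACK and FIN (frames 1 to 9).
NORMAL = handshake("198.51.100.7", 2000) + [
    Packet("198.51.100.7", 2000, SERVER_IP, SERVER_PORT, "A"),
    Packet(SERVER_IP, SERVER_PORT, "198.51.100.7", 2000, "A"),
    Packet(SERVER_IP, SERVER_PORT, "198.51.100.7", 2000, "F P"),
    Packet("198.51.100.7", 2000, SERVER_IP, SERVER_PORT, "A"),
    Packet("198.51.100.7", 2000, SERVER_IP, SERVER_PORT, "A F"),
]

# A flood as the text describes it: one forged source address, a new source port
# each time, and the server's S A replies never answered (frames 1 and 2 only).
FLOOD = []
for port in range(1025, 1045):
    FLOOD += handshake("203.0.113.9", port)[:2]
```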

UDP

User Datagram Protocol (UDP) is far, far simpler than TCP. It does its work with a mere four fields. Table 1-13 lists them.

Table 1-13. Fields in the UDP Header

Field Name        Purpose
Source Port       The port number used by the application layer protocol that generated the packet.
Destination Port  The port number used by the application layer protocol that is intended to receive the message. Some common UDP port numbers are listed in Table 1-14.
Length            Length of the packet, including the transport header.
Checksum          For validation.

Table 1-14. Common UDP Port Numbers

UDP Port Number  Corresponding Application Protocol
53               DNS (Inquiry)
67               BOOTP (Used by DHCP)
69               Trivial File Transport Protocol (TFTP)
123              Network Time Protocol (NTP)
161, 162         Simple Network Management Protocol (SNMP)

Application designers, when deciding to use TCP or UDP, check whether or not TCP and its attendant overhead are required. The three general circumstances in which they are not required follow:

When packet loss is acceptable — For example, a DNS inquiry needs no acknowledgment. Should a reply not be forthcoming, the requesting station merely asks again.

When the data recovery would be useless — For example, a network time request handled by TCP would recover a lost packet and have it retransmitted. The result would be the time server's reply to the original request, but received after the delays imposed by the error recovery functions. Issuing a new request is far more accurate.

When the application has its own data recovery and acknowledgment process — For example, TFTP has both acknowledgment and request for retransmission built in.

TIP

It is often said that the voice over IP (VoIP) protocol has built-in error transmission above the application layer. If either caller doesn't understand the other, error recovery is initiated by sending a "What?" message.

ICMP

As its name implies, the Internet Control Message Protocol (ICMP) is used to manage the IP network.

The most common use of ICMP is via the ping (Packet Internet Groper) program, which uses two of the ICMP control messages, echo request and echo reply. The former is used to ask another IP machine to generate the latter. In detail, a host that wants to test connectivity sends an ICMP echo request to another host. The receiving host constructs an ICMP echo reply and sends it to the host that started the process.

Because ICMP uses IP as its network protocol, it is a routable protocol.

Table 1-15 lists the fields in the ICMP header and Table 1-16 expands on two of them, the Type and Code fields.

Table 1-15. Components of the ICMP Header

Field Name  Purpose
Type        Defines the meaning of the message or the category of the message type
Code        For some types, further defines the message
Checksum    Validates the whole ICMP packet
Message     Data that assists in dealing with the type and code

Table 1-16. ICMP Header Type and Code Fields

Type  Code  Meaning
0     0     Echo Reply
3     0     Network Unreachable
3     1     Host Unreachable
3     2     Protocol Unreachable
3     3     Port Unreachable
3     4     Fragmentation Needed and DF Bit Set
3     5     Source Route Failed
3     6     Destination Network Unknown
3     7     Destination Host Unknown
3     8     Source Host Isolated
3     9     Network Administratively Prohibited
3     10    Host Administratively Prohibited
3     11    Network Unreachable for TOS
3     12    Host Unreachable for TOS
3     13    Communication Administratively Prohibited
4     0     Source Quench
5     0     Redirect Datagram for Network
5     1     Redirect Datagram for Host
5     2     Redirect Datagram for TOS and Network
5     3     Redirect Datagram for TOS and Host
8     0     Echo Request
9     0     Router Advertisement
10    0     Router Selection
11    0     Time to Live Exceeded in Transit
11    1     Fragment Reassembly Time Exceeded
12    0     Parameter Problem
12    0     Missing a Required Option
12    2     Bad Length
13    0     Timestamp Request
14    0     Timestamp Reply
15    0     Information Request
16    0     Information Reply
17    0     Address Mask Request
18    0     Address Mask Reply
30    0     Traceroute

Most sites prohibit ICMP messages to and from the Internet as a security precaution. ICMP Echo Requests can use and even overwhelm border router resources, causing a Denial of Service. ICMP Redirects can corrupt host routing tables; Traceroutes can divulge internal network configuration, which can be used to plan other attacks.
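The following Python is added here and is not the book's code. It parses the four UDP header fields of Table 1-13 and the ICMP header of Table 1-15, verifies the Internet checksum that both carry, labels the type/code pair from Table 1-16, and applies a border policy in the spirit of the paragraph above (inbound Echo Requests, all Redirects and Traceroute dropped; error reports such as Unreachable and TTL Exceeded permitted so that normal traffic keeps working). The policy, the helper names and the sample datagrams are constructed for illustration, and the lookup table holds only the rows the policy needs.

```python
import struct

# Subset of Table 1-16 as a lookup: (type, code) -> meaning.
ICMP_MEANING = {
    (0, 0): "Echo Reply",
    (3, 3): "Port Unreachable",
    (3, 4): "Fragmentation Needed and DF Bit Set",
    (5, 0): "Redirect Datagram for Network",
    (5, 1): "Redirect Datagram for Host",
    (8, 0): "Echo Request",
    (11, 0): "Time to Live Exceeded in Transit",
    (30, 0): "Traceroute",
}

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, the checksum UDP and ICMP both use."""
    if len(data) % 2:
        data += b"\x00"                           # odd length: pad the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                            # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_udp(datagram: bytes) -> dict:
    """Split a UDP datagram into the four header fields of Table 1-13 plus payload."""
    if len(datagram) < 8:
        raise ValueError("UDP header is 8 bytes")
    src, dst, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):                   # Length covers header and data
        raise ValueError("Length field %d != %d bytes present" % (length, len(datagram)))
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": csum, "payload": datagram[8:]}

def parse_icmp(message: bytes) -> dict:
    """Split an ICMP message into Type, Code, Checksum and Message (Table 1-15).

    The checksum covers the whole ICMP message, so verifying it means summing
    the message with the checksum field in place: a valid message sums to zero.
    """
    if len(message) < 4:
        raise ValueError("ICMP header is 4 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", message[:4])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "checksum_ok": internet_checksum(message) == 0,
            "meaning": ICMP_MEANING.get((icmp_type, code), "Unknown"),
            "message": message[4:]}

def border_icmp_decision(message: bytes, from_outside: bool) -> str:
    """Constructed border-router policy: drop inbound Echo Requests, every
    Redirect and Traceroute; permit replies and error reports."""
    hdr = parse_icmp(message)
    if not hdr["checksum_ok"]:
        return "drop: bad checksum"
    if hdr["type"] in (5, 30):
        return "drop: " + hdr["meaning"]
    if hdr["type"] == 8 and from_outside:
        return "drop: " + hdr["meaning"] + " from outside"
    return "permit: " + hdr["meaning"]

def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Constructed helper: assemble an ICMP message with a correct checksum."""
    header = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, internet_checksum(header)) + body

# Constructed sample: a DNS query (destination port 53) from ephemeral port 2049,
# with the checksum field zero, which UDP over IPv4 allows to mean "not computed".
SAMPLE_UDP = struct.pack("!HHHH", 2049, 53, 8 + 12, 0) + bytes(12)
```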

Shims

Carpenters use shims. They're small pieces of wood that are shoved between doorjambs or windows and the wall or floor into which the doors are being installed to ensure a perfectly square and level installation.

In the area of computer technology, shims are pieces of code inserted between two other programs to make sure that the output of one matches the expected inputs to the other.

IP Security (IPSec) is a shim. It fits between the network and transport layers and provides confidentiality, integrity, and authenticity by defining a Security Association (SA). The SA defines the encryption algorithm and the keys to be used by running the Internet Key Exchange (IKE) protocol, or by referring to a shared key (that is, one already known by both sender and receiver). Figure 1-3 shows the modification to the headers and is called the IPSec transport mode. The original header structure for a TCP transport is shown in line 1. In line 2, the TCP header and data can be encrypted based on information held in the Encapsulating Security Payload (ESP) header. The entire packet can additionally be integrity-checked and authenticated based on information held in the Authentication Header (AH) or in the ESPv2 authentication field. Encryption and authentication can be used together or separately. AH and ESP headers provide sequence numbering that protects against replay attacks. The details of how they work are beyond the scope of this book, but if you are interested, start with RFCs 2401, 2402, and 2406. Together, they define IP security.

Figure 1-3. Providing Integrity and Confidentiality with IPSec

Because of the addition of several bytes of header and trailer, many data frames might need to be fragmented. This adds to the already additional overhead involved in encrypting and decrypting payloads.

TIP

IPSec is used another way, known as IPSec Tunnel mode. It adds a new IP header to the original datagram. ESP then encrypts the entire original frame, including the original IP header. This is useful in two cases:

A device, such as a router or firewall, is providing the IPSec functionality. This is most often used for network-to-network virtual private networks (VPNs).

It is impossible to add software to a device that would cause the IPSec header to be inserted. This is common when dealing with older, legacy devices.
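As an added illustration, not the book's code, of the sequence-number protection the passage mentions, the following Python implements the receiver-side sliding window that RFC 2401 describes for AH and ESP anti-replay: each sequence number is accepted at most once, numbers older than the window are refused, and the window slides forward as newer packets arrive. The class name, the window size and the sample sequence numbers are constructed.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay check for AH/ESP sequence numbers (RFC 2401).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has been received.  A packet is
    accepted once: newer than `top` slides the window, inside the window with
    its bit clear is recorded, anything else is rejected as a replay.
    A real SA is renegotiated before the 32-bit counter wraps, so wraparound
    is not handled here.
    """
    def __init__(self, size=64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0          # no packet accepted yet
        self.bitmap = 0
        self.rejected = []    # (seq, reason) log for the operator

    def accept(self, seq):
        if seq == 0:
            return self._reject(seq, "sequence 0 is never valid")
        if seq > self.top:                        # newer than anything seen: slide
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                   # whole window left behind
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return self._reject(seq, "older than the window")
        if self.bitmap & (1 << offset):
            return self._reject(seq, "replayed")
        self.bitmap |= 1 << offset                # late but first-time arrival
        return True

    def _reject(self, seq, reason):
        self.rejected.append((seq, reason))
        return False

def replay_check(sequence_numbers, size=64):
    """Run a constructed stream of sequence numbers through one window and
    return the accept/reject decision for each, in order."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in sequence_numbers]

# Constructed stream: in-order packets, one late arrival (4), one replay (3),
# a jump far ahead (100), two late-but-new packets, then a stale replay (2).
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 100, 40, 37, 2]
```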


Above the Transport Layer

Many of the protocols that run above the transport layer have built-in security weaknesses. This section examines enhancements or alternatives to those protocols that shore up the problems.


NOTE

Some protocols that might have been discussed in this section, such as FTP and TFTP, are covered in detail in later chapters. To avoid excessive overlap, they have been omitted here.

Telnet

Telnet is a simple remote terminal protocol that is included with the TCP/IP suite. In the early days of mainframe and minicomputer technology, it was common to use dumb terminals (essentially, a keyboard and screen connected by dedicated cable) as user workstations. With the advent of the ARPANET (the Internet's predecessor) and the proliferation of microcomputers, it became necessary to provide software that mimicked a dumb terminal. That software is Telnet.

Telnet survives in many forms. Every operating system vendor today supplies a Telnet client, and most supply Telnet servers. Remote connections to Cisco routers and switches, for example, can be made using Telnet.

Telnet has no built-in security. Everything (including authentication) is transmitted in the clear. This was appropriate when the connections were made with special-purpose cables and wiring systems that did not allow sharing of the media. In today's network environment, this is a significant risk.

Figure 1-4 shows an Ethereal capture of a Telnet session between a host and a router. The screen also shows an Ethereal option that causes the data to be reconstructed and presented in a separate window. Figure 1-5 depicts that reconstruction. The important thing to notice is that both the user access and privileged passwords are sent and displayed in the clear.

Figure 1-4. Ethereal Program Requesting TCP Stream Recovery
Figure 1-5. Reconstruction of the Telnet Session Including Passwords

TIP

Boxes at the end of user input in Figure 1-5 represent carriage returns and line feeds. Remote echo causes double characters.


No secure version of Telnet exists. When security is required, you can run the session over a VPN, use IPSec, or use SSH if the client and server support it. (Some, but not all, Cisco IOS versions have SSH support.) In addition, NICs made by Intel (and others) facilitate establishing an IPSec session between any two hosts. Although this would not help when accessing a router, it could be used to secure PC-to-PC communications.
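How the stream reconstruction shown in Figures 1-4 and 1-5 can be automated, and how a defender can check a capture for credentials that crossed the wire in the clear, as an added Python example (not from the book; the capture segments, router prompts and passwords are constructed):

```python
# Added example, not from the book: reconstruct a captured Telnet session the way
# Ethereal's stream-recovery window does, and report any credential that crossed the
# wire in the clear. The capture segments below are constructed by hand.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT: each followed by one option byte

def strip_negotiation(data: bytes) -> bytes:
    """Drop Telnet IAC command sequences so only user-visible bytes remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
            continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd == IAC:                   # IAC IAC is an escaped 0xFF data byte
            out.append(IAC); i += 2
        elif cmd in OPTION_CMDS:         # IAC WILL/WONT/DO/DONT <option>
            i += 3
        elif cmd == SB:                  # IAC SB ... IAC SE subnegotiation block
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                            # any other two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)

def merged_transcript(segments) -> str:
    """Interleave both directions in capture order, as the Ethereal window does.
    Because the router echoes every keystroke, typed text appears doubled (the
    book's TIP); passwords are not echoed, so they appear once, in the clear."""
    return b"".join(strip_negotiation(p) for _, p in segments).decode("ascii", "replace")

PROMPTS = (b"Password:", b"password:", b"Username:", b"login:")

def cleartext_credentials(segments):
    """Return [(prompt, value)] for every prompt the client answered: anything listed
    here was transmitted unencrypted and should be treated as compromised."""
    found, awaiting, buf = [], None, b""
    for direction, payload in segments:
        payload = strip_negotiation(payload)
        if direction == "S":
            for prompt in PROMPTS:
                if prompt in payload:
                    awaiting, buf = prompt.decode(), b""
        elif awaiting is not None:
            buf += payload
            if b"\r" in buf or b"\n" in buf:      # line complete: CR/LF ends the answer
                value = buf.replace(b"\r", b"\n").split(b"\n")[0]
                found.append((awaiting, value.decode("ascii", "replace")))
                awaiting = None
    return found

# Constructed capture of a router login: ("C", client->server) / ("S", server->client).
CAPTURE = [
    ("S", b"\xff\xfb\x01\xff\xfb\x03"),          # IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD
    ("C", b"\xff\xfd\x01\xff\xfd\x03"),          # IAC DO ECHO, IAC DO SUPPRESS-GO-AHEAD
    ("S", b"\r\nUser Access Verification\r\n\r\nPassword: "),
    ("C", b"vty-secret\r\n"),                    # user access password, not echoed
    ("S", b"\r\nRouter>"),
    ("C", b"e"), ("S", b"e"), ("C", b"n"), ("S", b"n"),   # remote echo of "en"
    ("C", b"\r\n"), ("S", b"\r\nPassword: "),
    ("C", b"enable-secret\r\n"),                 # privileged password, not echoed
    ("S", b"\r\nRouter#"),
]

if __name__ == "__main__":
    print(merged_transcript(CAPTURE))
    for prompt, value in cleartext_credentials(CAPTURE):
        print(f"cleartext credential after {prompt!r}: {value!r}")
```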

HTTP

HTTP is based on TCP running over IP and simulates a dumb terminal connection. Data returned by the HTTP server is formatted in a language called Hypertext Markup Language (HTML). This is a byte stream of ASCII characters with embedded formatting control commands. Over time, HTML was extended to provide additional, compute-intensive resources.

The HTTP process starts with a client making a TCP/IP connection to the host's IP address and port number. If the number is not specified, the default is 80. In most cases, the server accepts the connection. If security is in place (described in Chapter 5, "Enhancing Web Server Security"), the web server checks to see if the client is authorized before allowing access.

After the TCP/IP connection is established, the client sends a document request consisting of several lines (the last of which must be blank) of ASCII characters, each terminated by a CR LF (carriage return, line feed) pair. Typically, this request consists of the word GET, a space, the document address, and the version of HTTP. The response to a simple GET request is an HTML web page. The server terminates the TCP/IP connection when the entire document has been transferred.
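The request format just described, exchanged end to end, as an added Python example (not the book's code): the page store, the socket pair standing in for the TCP connection to port 80, and the document paths are assumptions.

```python
import socket

# Constructed document store standing in for the web server's content (assumption).
PAGES = {"/index.html": "<html><body>Example page</body></html>"}

def parse_request(raw: bytes):
    """Parse a raw request: CR LF-terminated lines, ended by a blank line, the first
    line being 'GET <document address> HTTP/<version>'. Raises ValueError otherwise."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request must end with a blank line")
    if b"\n" in head.replace(b"\r\n", b""):
        raise ValueError("every line must be terminated by CR LF, not a bare LF")
    parts = head.split(b"\r\n")[0].decode("ascii").split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
        raise ValueError("expected: GET <document address> HTTP/<version>")
    return parts[0], parts[1], parts[2]

def serve_one_document(conn):
    """Server side of one exchange: read until the blank line, send the page, then
    close. Nothing about the request survives the close (the server is stateless)."""
    raw = b""
    while b"\r\n\r\n" not in raw:
        chunk = conn.recv(4096)
        if not chunk:
            break
        raw += chunk
    try:
        _, path, _ = parse_request(raw)
        status, body = "200 OK", PAGES[path]
    except ValueError:
        status, body = "400 Bad Request", "<html><body>Bad request</body></html>"
    except KeyError:
        status, body = "404 Not Found", "<html><body>Not found</body></html>"
    response = (f"HTTP/1.0 {status}\r\nContent-Type: text/html\r\n"
                f"Content-Length: {len(body)}\r\n\r\n{body}")
    conn.sendall(response.encode("ascii"))
    conn.close()                          # document transferred: connection torn down

def fetch(path):
    """Client side: open a connection, send one GET, read until the server closes.
    Each page needs a fresh connection. Returns (status line, HTML body)."""
    client, server = socket.socketpair()  # stands in for a TCP connection to port 80
    client.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii"))
    serve_one_document(server)            # in reality this runs on the remote host
    raw = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:                     # b"" means the server closed the connection
            break
        raw += chunk
    client.close()
    head, _, body = raw.decode("ascii").partition("\r\n\r\n")
    return head.split("\r\n")[0], body

if __name__ == "__main__":
    print(fetch("/index.html"))
    print(fetch("/missing.html"))
```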
The client might abort the transfer by breaking the connection before completion by sending a TCP RST; in which case, the server shall not record any error condition. Requests are idempotent. The server need not store any information about the request after disconnection, although logging is often done for both security and marketing purposes. If the client wants to view a different page from the same web server, the entire process is repeated. From the web server's point of view, no request has any relationship to any other current or previous request. The system is stateless. HTTP supports the use of cookies as a way to simulate a connection-oriented system. (Chapter 7, "Browser Security," discusses cookies in detail.)

SSL, TLS, and HTTPS

As the Internet began to be used in situations that required confidentiality, authenticity, and positive identification, a new protocol needed to be created. Netscape (the then leading web server and web browser development company) created a protocol called Secure Sockets Layer (SSL). Over time, Netscape released control of SSL, and the next version, SSLv2 (SSLv3 is now current), was a joint effort by several major web server vendors. It acts like a shim, operating between TCP and HTTP. Because TCP has to know to deliver the data directly to SSL, it has its own port (443). Figure 1-6 shows how TCP, SSL, and HTTP interact. The combination of SSL and HTTP is known as HTTPS.

Figure 1-6. SSL and HTTP Both Rely on TCP




NOTE

Figure 1-1 described several common terms, such as frame and packet. One more term in common use is Protocol Data Unit (PDU). It describes data that is being moved from one protocol to another at the same layer. Figure 1-6 also provides an example of this. The transport layer gave a packet to SSL at the application layer. After SSL decrypted it, the PDU was handed off to HTTP, also at the application layer. It is common practice to draw this handoff as if one protocol was superior or subordinate to the other (based on sequence of events) when, in fact, they're peers.

SSL's job is to establish secure communications, deliver the server certificate, deliver (if present) the client certificate, verify integrity, and encrypt or decrypt the data stream.

Suppose Melody wants to send a secure message to her brother, Quincy, and wants to be sure that Quincy knows it is from her and not an impostor. She would take the following steps:

1. Create the message.

2. Calculate and append a message digest.

3. Encrypt the message digest with her private key. (These first three steps make up what is known as a signed message.)

4. Append her certificate to the signed message. (Certificates, along with public and private keys, are discussed in Chapter 9. They verify the identity of the certificate holder and supply their public key.)

5. Contact Quincy to open a session to get his certificate and send her certificate to him.

6. Create a random key (called a session key) used only for this session.

7. Encrypt the signed message using the session key, and encrypt the session key with Quincy's public key.

8. Transmit the result to Quincy.

9. Quincy can now use Melody's public key, obtained from her certificate, to verify the digital signature. Additionally, he will use his private key to decrypt the session key and use the session key to decrypt the message.

To make everyone's lives easier, SSL automates the process. Melody could certainly encrypt the entire message with her private key and then expect Quincy to use her public key to decrypt it. The session key is used to protect her private key. Cryptographers have long known that the more encrypted text they have on hand, especially if they have matching plain text, the easier it is to crack the key. Using the method described, the only thing encrypted with the public key is the session key, which is periodically renegotiated. Additionally, you do not encrypt messages with asymmetric public key cryptography, because it would take about 1000 times longer than using the symmetric session key. In other words, the asymmetric keys are used to transmit a session's symmetric key, which is used to quickly encrypt and decrypt the data.
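The nine steps above, and the point that only the session key is ever public-key encrypted, carried out in Python as an added example (not the book's or any library's code). It uses textbook RSA and a toy XOR stream cipher from the standard library, so the names, certificate layout and cipher are assumptions, and the 512-bit keys are for speed only.

```python
import hashlib, json, secrets

# Added example, not the book's or any library's code: the nine steps carried out
# with textbook RSA and a toy stream cipher from the standard library only.
# Keys, names and certificate fields are constructed; real SSL uses padded RSA
# (or DH) and a negotiated cipher suite, and certificates are signed by a CA.

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits=512):
    """Return (public (n, e), private (n, d)); 512 bits keeps the demo fast, not safe."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def make_certificate(subject, public_key):
    """Toy certificate: binds a name to a public key (Chapter 9 covers real ones)."""
    return {"subject": subject, "public_key": public_key}

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def melody_sends(message: str, sender_private, sender_cert, quincy_cert):
    """Steps 1-8: signed message, session key, envelope for Quincy."""
    n, d = sender_private
    digest = hashlib.sha256(message.encode()).digest()                # step 2
    signature = pow(int.from_bytes(digest, "big"), d, n)              # step 3
    signed = {"message": message, "signature": signature, "cert": sender_cert}  # step 4
    session_key = secrets.token_bytes(32)                             # step 6
    qn, qe = quincy_cert["public_key"]                                # step 5: his certificate
    return {                                                          # step 7 (step 8: send it)
        "ciphertext": stream_xor(session_key, json.dumps(signed).encode()).hex(),
        "enc_session_key": pow(int.from_bytes(session_key, "big"), qe, qn),
    }

def quincy_receives(envelope, quincy_private):
    """Step 9: recover the session key, decrypt, verify the signature against the
    public key in the enclosed certificate. Returns (message, claimed sender, ok)."""
    qn, qd = quincy_private
    session_key = pow(envelope["enc_session_key"], qd, qn).to_bytes(32, "big")
    signed = json.loads(stream_xor(session_key, bytes.fromhex(envelope["ciphertext"])))
    n, e = signed["cert"]["public_key"]
    recovered = pow(signed["signature"], e, n)
    expected = int.from_bytes(hashlib.sha256(signed["message"].encode()).digest(), "big")
    return signed["message"], signed["cert"]["subject"], recovered == expected

if __name__ == "__main__":
    melody_pub, melody_priv = rsa_keypair()
    quincy_pub, quincy_priv = rsa_keypair()
    melody_cert = make_certificate("Melody", melody_pub)
    quincy_cert = make_certificate("Quincy", quincy_pub)
    envelope = melody_sends("Meet at noon", melody_priv, melody_cert, quincy_cert)
    print(quincy_receives(envelope, quincy_priv))      # ('Meet at noon', 'Melody', True)
    # An impostor who attaches Melody's certificate but lacks her private key fails step 9.
    _, impostor_priv = rsa_keypair()
    forged = melody_sends("Meet at noon", impostor_priv, melody_cert, quincy_cert)
    print(quincy_receives(forged, quincy_priv))        # ('Meet at noon', 'Melody', False)
```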

NOTE

An excellent, very readable book on codes and secret writings is The Code Book by Simon Singh. In it, he describes how cracking the Germans' Enigma machine's daily settings was made easier because nearly every message began with the plain text phrase, "Heil Hitler."

NOTE

TLS stands for Transport Layer Security. The following is a quote from its charter.

The TLS Working Group was established in 1996 to standardize a 'transport layer' security protocol. The working group began with SSL version 3.0, and in 1999, RFC 2246, TLS Protocol Version 1.0 was published as a Proposed Standard. The working group has also published RFC 2712, Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) as a Proposed Standard, and two RFCs on the use of TLS with HTTP.

Notwithstanding the committee members' hard work, the industry has not made the shift. SSL 3.0 is still the method supported by all web servers and web browsers.

DNS

Most of us remember names far better than numbers. We organize our phone and address books by name. TCP/IP does its addressing based on 32-bit binary numbers. For human convenience, they're expressed as a series of four decimal numbers, each less than 256. This is called the dotted decimal, or sometimes, dotted quad representation. Although the decimal is easier, remembering the IP address for each of the sites you'd like to visit is still too hard.

To ease that burden, the Domain Name System (DNS) was invented. The protocol describes the syntax and rules that resolve names into IP addresses. Although it originally just encompassed sites in the U.S., it has long since grown into an international system. DNS was developed when security was not a big issue. All of the network users were members of the military-industrial complex or were research professionals. Those days are gone. Unfortunately, the lack of built-in security has made DNS one of the most-often and easily corrupted protocols.

The risk posed by insecure DNS is that messages and mail can be diverted. Suppose that the network administrator at Example Manufacturing Corporation (example.com) wants to talk to its Internet service provider (ISP), Example Internet Co. (example.net). He composes an e-mail and sends it off. His mail server sends a DNS query message to its DNS server looking for Example.net's mail server IP address. Unknown to sender and intended receiver, an intruder has corrupted that DNS server, replacing the real IP address with one belonging to him. The DNS response to the sender's mail server is the bogus address but, because it looks okay, the mail gets sent to the intruder, who reads it and forwards it to the ISP. Neither of the authorized parties is aware that someone is listening in.

A solution, called DNSSEC, is a secure form of DNS that digitally signs its entries and secures the DNS server update process with cryptography. Unfortunately, only two-thirds of the DNS servers on the Internet are using it.

You can find more information on DNSSEC in RFC 3130, a state-of-the-technology informational RFC.

DHCP


The Dynamic Host Control Protocol (DHCP) provides a way for PCs and other IP-based devices to get a dynamic or static IP address, mask, default gateway, DNS server address, and scores of settings and other information.

Microsoft has a robust, GUI-based DHCP server that is in common use. Other vendors, including Cisco, provide DHCP services in their routers and firewalls.

A station configured to use DHCP sends a UDP broadcast to the DHCP port (67) hoping that a DHCP server will answer. If there is one on the same subnet, it will reply, supplying the necessary configuration information. Otherwise, a router can be configured to act as a DHCP proxy and forward requests to the actual DHCP server.

A DHCP server typically handles one or more subnets. Because a DHCP server or a network device between the host making a DHCP request and the server might be down, it is common to have an alternate server. The two DHCP servers can never allocate overlapping addresses from the same subnet. For a given subnet, the primary server allocates at least half (often more) of the addresses, and the secondary allocates the remainder, if necessary.

Figure 1-7 shows a sample network with two DHCP servers. OSPF Area 1 is served by its own DHCP server. A backup DHCP server is located in Area 0. Router 1A will be configured so that it forwards DHCP requests to both servers for hosts on Net 1 and Net 2. In the normal case, both respond. The client acknowledges the first response but not the second. Because the in-area server is closer, it will be the one that answers first and whose address is used. However, if it becomes unavailable, the Area 0 server allocates an address.

Figure 1-7. Configuration with Primary and Secondary DHCP Servers




The risk that comes from DHCP is that open Ethernet ports, such as those often found in conference rooms, can be used by visitors to gain access to the internal network. These ports should always be switched so that an unauthorized monitor cannot see any other traffic on the network. Rather than forwarding DHCP addresses from those exposed ports to the main DHCP server, the nearest router should supply the DHCP address from a range of addresses that aren't used for trusted locations. That way, you can write filters that give access to the Internet, to selected intranet servers, or perhaps a network-attached printer, but not to any other services.
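The primary/secondary pool split and first-offer-wins behaviour from the Figure 1-7 discussion, together with the separate visitor range and filter just described, as an added Python model (not the book's or any vendor's code; subnets, server names, MAC addresses and destination classes are constructed):

```python
import ipaddress

# Added example, not from the book: pool planning and the two-server behaviour of
# Figure 1-7, plus a separate range for untrusted (conference room) ports.
# Subnets, server names, MAC addresses and destination classes are constructed.

def plan_pools(subnet, reserved=10):
    """Split a subnet's hosts into disjoint primary and secondary DHCP pools, the
    primary taking at least half; the first `reserved` addresses are kept for
    routers, servers and static assignments."""
    hosts = list(ipaddress.ip_network(subnet).hosts())[reserved:]
    cut = (len(hosts) + 1) // 2                # at least half to the primary
    return hosts[:cut], hosts[cut:]

class DhcpServer:
    def __init__(self, name, pool, up=True):
        self.name, self.free, self.leases, self.up = name, list(pool), {}, up

    def offer(self, mac):
        """DHCPOFFER: an existing lease or the next free address; None if down/empty."""
        if not self.up:
            return None
        if mac in self.leases:
            return self.leases[mac]
        return self.free[0] if self.free else None

    def commit(self, mac, addr):
        """The client REQUESTs the offered address; only now is it taken from the pool."""
        if mac not in self.leases:
            self.free.remove(addr)
            self.leases[mac] = addr

def discover(mac, servers):
    """The relaying router forwards the broadcast to every server; the client keeps the
    first OFFER to arrive (servers are given in arrival order) and ignores the rest."""
    for server in servers:
        addr = server.offer(mac)
        if addr is not None:
            server.commit(mac, addr)
            return server.name, addr
    return None

VISITOR_RANGE = ipaddress.ip_network("192.168.250.0/24")   # never used for trusted locations
VISITOR_ALLOWED = {"internet", "intranet-web", "printer"}

def filter_allows(src_addr, destination_class):
    """Access filter keyed on the source range: visitor addresses reach only the
    Internet, selected intranet servers and a printer; trusted addresses reach all."""
    if ipaddress.ip_address(src_addr) in VISITOR_RANGE:
        return destination_class in VISITOR_ALLOWED
    return True

if __name__ == "__main__":
    primary_pool, secondary_pool = plan_pools("10.1.0.0/24")
    area1 = DhcpServer("area1-dhcp", primary_pool)          # in-area server answers first
    area0 = DhcpServer("area0-dhcp", secondary_pool)        # backup in Area 0
    print(discover("00:11:22:33:44:01", [area1, area0]))    # served by area1-dhcp
    area1.up = False
    print(discover("00:11:22:33:44:02", [area1, area0]))    # area0-dhcp takes over
```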

NAT

When the designers of ARPANET (Bolt, Beranek, and Newman, later to become BBN Planet) first worked on the defense department contract, they elected to use a 32-bit field for addressing. They chose that size because it was easy to manipulate a 32-bit word in the computer they were using for development. The original contract specifications called for "a few dozen" locations. Until the Internet grew out of the ARPANET and HTTP became such a popular and easy way to communicate, this addressing plan was sufficient. As late as mid-1992, only two percent (approximately 40,000) of all Class C addresses and approximately half of all the Class Bs (approximately 15,000) had been allocated. That all changed within a few short years. The explosive growth of the Internet threatened to use up all of the addressable space.

The publication of RFC 1918 offered a solution wherein an entire Class A address (10.0.0.0), 16 Class B addresses (172.16.0.0 to 172.31.0.0), and 256 Class C addresses (192.168.0.0 to 192.168.255.0) were set aside for internal network use. Anyone was free to use those addresses on his internal networks without fear of conflict with another site. There was just one catch. Those addresses could not appear in any Internet routing tables. A company using those addresses could not communicate with any other company. Clearly, that needed to be fixed before the scheme would be adopted.

That's where Network Address Translation (NAT) comes in. A company can go to its ISP and get a small pool of addresses that can appear on the Internet (known as registered or public addresses). After that, every host using an RFC 1918 address (they're called private addresses) must have their private network address translated into a public address before sending it on the Internet. Replies and acknowledgments come back using the public address, and they must be translated back into private addresses. Many devices are capable of handling NAT. However, it is typically done at either a router or a firewall.

If a company required as many public addresses as private ones, this work would be pointless. However, a small ratio of public to private is typically all that is needed. Just as a company might have only a few T1 (North America, 24 trunks each) or E1 (Europe, 30 trunks each) lines to serve hundreds of phones, it will find that a few Internet addresses can handle many concurrent network users. That's because addresses are usually needed only for the few seconds necessary to retrieve a web page or send an e-mail. Time can be spent reading a page and deciding where to click next without having a public address allocated.

NOTE

Cisco and ot h er vend ors also su ppor t an enh ancem ent called Port Add ress Tr anslat ion ( PAT) . I t act s as a m u lt ip lier on t h e size of t he pr iv at e add ress pool by shar ing t he sam e pr ivat e addr ess wit h sever al concur r en t p ublic add ress conv er sat ions. Th e pr ivat e client sesshfor ar in g a single pu blics(add ressers, choose dif ferent porcom t s, m un icat ions. Handadd s- onress t echniqu secur in g Window r ) serv b r owser s, andsour netce w ork gu aran t eeing t h at a packet com ing back t o t he pub lic ad dr ess can be m ap ped t o t he pr oper int er nal pr ivat e addr ess. Wit h ov er 60, 0 00 t o choose f rom , t his isn't a pr oblem . When Cr eat et he eff in ecteviviteable secur collisions it y policies occur and , aest difab ferent lish r pu ules blic foradd opress er at ing is chosen in and fm rom aintt aining he p ool. a secur it y - conscious env ir onm en t Lear n how t o har den Window s m u lt i- u ser p lat for m s, inclu ding NT, 2 000 , and XP A f ew st at ions ( such as e- m ail ser v er s) n eed per man en t ad dr esses. They can eit her be assign ed Under st ess, and secur inst allatdoing ion opt the ions f ort rWind ows w eb d how enhan a p ublic ad dr or t h ee st at ion NAT anslat ions canser bev ers confan ig ur ed t ot or eserv e ce a pub lic secur it y on exist ing w eb an d FTP ser v er in st allat ions add ress for use by a par t icular pr iv at e add ress. This is k now n as st at ic NAT. secur it ye at endsecur user'itsy,walt or h kst at ion, inclu ding eb bldrow deskst ops, d all NAT isI mn pr ot ove a subst it ut fort he g ood ough it does help.wWou beser ins, t r uder w ho an scan opesses s pu bliclapt addr can use t he responses t hey g et t o d r aw a m ap of y our net w or k . Wit h NAT in place, t he m achine associat ed w it h a p art icular ad dr ess on e m om en t w on' t b e associat ed wit h it aluat es tlat heer. 
pr os ancan d cons in st a cer e -serv er r and youpanies r ow n w it h a f ew Ev second This onlyofser v ealling t o conf uset ificat w ould be int ud erbecom s. Somine gcom ion Au tphor it y add resses u se NAT any w ay . t heir Cer ow nt ificat r eg ist er ed ublic Lear n t he Cisco PI X Fir ew all an d Cisco I OS Firew all ar chit ect u re and how t o app ly Cisco st andar d and ex t en ded access list s Discover w ay s t o t est t he cur r en t st at e of secur it y and k eep it up t o dat e Lear n t o eng age end users as par t of t h e ov er all n et w or k secu rit y solut ion While t h e I nt er net has t r ansfor m ed and im pr ov ed t h e w ay w e do business, t his v ast net w or k and it s associat ed t ech nologies hav e opened t he d oor t o an incr easin g n um ber of secur it y t h reat s. The ch alleng e for successfu l, pu blic w eb sit es is t o encour age access t o t h e sit e w hile elim inat ing un desir able or malicious t r aff ic and t o pr ovid e su ff icient lev els of secur it y w it hout const r aining per for m ance or scalabilit y . Th e m ore reliant org anizat ions b ecom e on t he I n t er net t o p er f orm daily j obs or cond uct t ran sact ions, t h e gr eat er t he im pact a br each of n et w or k secu rit y has. Just as Cisco Sy st em s h as been an inn ovat or in u sin g t h e I nt er net t o conduct business, so t oo is it a m ar ket leader in t he developm ent an d sale of p rod uct s and t echnologies t h at p rot ect d at a t r av eling acr oss t he I nt er net . Yet a net w or k secur it y solut ion is only as st r ong as it s w eak est link . Net w ork at t ack s can occu r at an y point , including t h e net w ork con nect ion , t he fir ew all, t h e w eb ser ver , or t h e client . Har d en in g t he def en ses at all t hese point s is key t o creat ing an eff ect iv e, all- encom passing net w ork secur it y solu t ion.
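To make the port overloading, the collision handling, and the static reservation concrete, here is an added Python simulation of a PAT device. It is constructed example code, not from the book or from any vendor's NAT implementation; the 203.0.113.x public pool, the 192.168.1.x hosts, and the PatDevice class name are made-up values.

```python
"""Constructed PAT/static NAT simulation (example code, not from the book
or any vendor). Public pool and private hosts below are made-up values."""
from ipaddress import ip_address, ip_network

# The three RFC 1918 blocks set aside for internal use.
PRIVATE_NETS = [ip_network("10.0.0.0/8"),        # one Class A
                ip_network("172.16.0.0/12"),     # 16 Class Bs
                ip_network("192.168.0.0/16")]    # 256 Class Cs


def is_private(addr):
    """True if addr must be translated before it can go onto the Internet."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


class PatDevice:
    """Router/firewall doing NAT with port overloading (PAT).

    public_pool: registered addresses obtained from the ISP.
    static: {private_ip: public_ip} reservations (static NAT) for hosts
            such as mail servers that need a permanent public address.
    """

    def __init__(self, public_pool, static=None, port_range=(1024, 65535)):
        self.static = dict(static or {})
        # Statically reserved public addresses are never handed out dynamically.
        self.dynamic_pool = [p for p in public_pool
                             if p not in self.static.values()]
        self.lo, self.hi = port_range
        self.outbound = {}  # (priv_ip, priv_port) -> (pub_ip, pub_port)
        self.inbound = {}   # (pub_ip, pub_port) -> (priv_ip, priv_port)

    def translate_out(self, priv_ip, priv_port):
        """Rewrite the source of an outbound packet; returns (pub_ip, pub_port)."""
        if not is_private(priv_ip):
            return (priv_ip, priv_port)        # already routable; leave alone
        key = (priv_ip, priv_port)
        if key in self.outbound:               # existing conversation
            return self.outbound[key]
        if priv_ip in self.static:             # static NAT keeps the port
            mapping = (self.static[priv_ip], priv_port)
        else:
            mapping = self._allocate(priv_port)
        self.outbound[key] = mapping
        self.inbound[mapping] = key
        return mapping

    def _allocate(self, preferred_port):
        """Keep the client's source port if it is free on some public address
        (on a collision, a different public address is chosen from the pool);
        only when every address already uses that port pick another port."""
        for pub_ip in self.dynamic_pool:
            if (pub_ip, preferred_port) not in self.inbound:
                return (pub_ip, preferred_port)
        for pub_ip in self.dynamic_pool:
            for port in range(self.lo, self.hi + 1):
                if (pub_ip, port) not in self.inbound:
                    return (pub_ip, port)
        raise RuntimeError("public address pool exhausted")

    def translate_in(self, pub_ip, pub_port):
        """Map a reply (or an unsolicited packet to a static host) back to the
        private side. Returns None when no conversation owns that tuple."""
        for priv_ip, reserved in self.static.items():
            if reserved == pub_ip:
                return (priv_ip, pub_port)
        return self.inbound.get((pub_ip, pub_port))

    def release(self, priv_ip, priv_port):
        """Conversation finished: the public tuple becomes free again, which is
        why a public address maps to a different machine a few seconds later."""
        mapping = self.outbound.pop((priv_ip, priv_port), None)
        if mapping is not None:
            del self.inbound[mapping]


def demo():
    """Three private clients all pick source port 40000 (constructed values)."""
    nat = PatDevice(public_pool=["203.0.113.10", "203.0.113.11", "203.0.113.12"],
                    static={"192.168.1.25": "203.0.113.12"})   # mail server
    a = nat.translate_out("192.168.1.50", 40000)   # ('203.0.113.10', 40000)
    b = nat.translate_out("192.168.1.51", 40000)   # collision -> next address
    c = nat.translate_out("192.168.1.52", 40000)   # both used -> new port
    reply = nat.translate_in(*b)                   # ('192.168.1.51', 40000)
    nat.release("192.168.1.50", 40000)
    d = nat.translate_out("192.168.1.53", 40000)   # reuses the freed tuple
    return a, b, c, reply, d


if __name__ == "__main__":
    print(demo())
```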

Summary

This chapter covered the how-it-works basics that are needed to get the most from this book. With these fundamentals in mind, you're ready to move on to the other chapter in Part I, Chapter 2, "Security Policies."


Chapter 2. Security Policies

This chapter covers the following topics:

• Justifying Security
• Security Policies

If you don't know where you're going, there is no way to calculate the best route to follow.

This chapter presents a way for you to decide what your security goals are and establish, implement, and enforce the security rules that will help you achieve them.


Justifying Security

Security is expensive. Before allocating funds, senior management will want to know what they are buying, what it will protect, and what alternatives they have. This section presents the tools you need to answer those questions.


Security Defined

The following is a good definition of security:

"Tools and techniques that prevent unauthorized people or processes from doing anything with or to your data, computers, or peripherals."

Security is not a firewall or cryptography or a virus scanner, although they are all components of a security solution. It is a process that examines and then mitigates the risks that arise from your company's day-to-day activities.

Kinds of Security Risks

Risks come in a wide variety of forms. Here are some examples:

• Loss of assets (theft)
• Service disruption (business interruption)
• Loss of reputation (disparagement)
• Expenses of recovery (profitability impact)

Shareholders expect managers to protect or enhance the value of the company. Security breaches that affect any of these items violate shareholders' expectations.

NOTE

Another kind of risk is just now emerging: the risk of running afoul of the law. Many new laws include punitive measures (usually fines). Three examples from the United States are Gramm-Leach-Bliley, which affects U.S. financial institutions and requires disclosure of privacy policies to customers; the Health Insurance Privacy and Portability Act (HIPPA), which restricts disclosure of health-related data along with personally identifying information; and the Electronic Communications Privacy Act (ECPA), which specifies who can read whose e-mails under what conditions.

Knowing the Enemy

A common security mistake is to assume that attacks always come from outside your organization. Many companies do the technological equivalent of digging a deep moat around the organization and filling it with hungry alligators, then leaving the interior doors unlocked. You might like to assume that hackers are nearly all pimply-faced teenagers. This just isn't so. A few artists can find security flaws in systems and exploit them. Some of those talented-but-misguided individuals codify their exploits into scripts and release them on the Internet where a subclass of hackers, known as Script Kiddiez, try to use those scripted exploits. The bad news is that there are a lot of those "Kiddiez." However, the very fact that they are scripted attacks makes them easy to detect and often fairly simple to defend against. (See Chapter 11, "Maintaining Ongoing Security," for details.)

Your ID Badge gets you in through the front door and into your work area. It also prevents you from going where you are not allowed. As a society, we've had hundreds of years of experience designing physical security systems (which still get breached, by the way). Computers have been with us for only a few decades; computer networks even less time.

A CSI/FBI study (conducted annually, available at www.gocsi.com) states that more than half of all intrusions are by insiders. Security professionals have to work a lot harder to protect their organizations against this class of intruders. By and large, they are more sophisticated computer users. Even worse, they already have valid credentials that allow them access to the network. You have to apply the restricted-area-badge concept to your internal networks, as well. Many of the chapters in this book are specifically aimed at protecting against this internal threat. Chapter 6, "Enhancing the FTP Server," is a prime example. In it, you learn (among other things) how to encrypt FTP logins so that insiders cannot listen in and steal other users' credentials.

The C-I-A Triad

A computer security professional's job can be described as protecting CIA or maintaining CIA. The letters and their definitions are as follows:

• Confidentiality — Making sure that data is not disclosed in an unauthorized manner, either intentionally or unintentionally.
• Integrity — Giving the following assurances:
  - Modifications are not made by unauthorized people.
  - Unauthorized modifications are not made by authorized people.
  - The data is internally and externally consistent. (That is, the data matches up with other data and with real world experience.)
• Availability — Providing reliable and timely access to data or computing resources by appropriate authorized personnel.

NOTE

The opposite of CIA is D-A-D, which stands for Disclosure, Alteration, and Denial.

Approaches to Risk Analysis

You (or your management) can take five approaches with regard to any risk:

• Accept the risk — You must accept the risks in the following two cases:
  - You cannot do anything about the risk (for example, a vendor goes out of business or a product is dropped).
  - The cost of mitigation is not economical.
• Defend against the risk — You can deploy firewalls, antivirus products, encryption technologies, and so on. You can also establish procedures and policies, as discussed later in this chapter.
• Mitigate the risk — Even if you assume that there is no such thing as a web server that cannot be broken into, you still don't have to just accept the risk. Some of the things you can do include the following:
  - You can reduce the harsh effects of a successful break-in by being ready to reinstall the web server at a moment's notice.
  - You can take steps to maintain the web server's security. (This is the subject of Chapter 11.)
  - You can regularly audit its contents.
  - You can examine its logs.
• Pass on the risk — You can insure against the risk (sometimes).
• Ignore the risk — This is the only foolish choice. Ignoring the risk is not the same as accepting it. It is merely hoping that someone else will be attacked.

Three of these (accepting, mitigating, and passing on the risks) are examples of threat reduction techniques. Reducing the threat is made easier if the proper security stance is selected. With every defense, you will use one of the following approaches:

• Permit nothing (the paranoid approach).
• Prohibit everything not specifically permitted (the prudent approach).
• Permit everything not specifically prohibited (the permissive approach).
• Permit everything (the promiscuous approach).

Of these, the prudent choice makes the most practical sense and is the assumed approach of this book. It is the one that most vendors choose. For example, Cisco access lists automatically deny everything not specifically permitted.
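The four stances as an added Python example (constructed code, not from the book and not Cisco IOS access-list syntax): the same short first-match rule list is evaluated under each stance, and the stance decides what happens to a flow that no rule mentions. The rule set, the 10.1.0.0/16 network, and the function names are made up.

```python
"""Constructed security-stance evaluator (example code, not from the book
and not Cisco IOS access-list syntax). Rules and addresses are made up."""
from ipaddress import ip_address, ip_network

# A rule is (action, source network, destination port); port None = any.
# First match wins, in the order given, as in an access list, so the
# quarantine deny is listed before the broader permits.
RULES = [
    ("deny",   ip_network("10.1.99.0/24"), None),  # quarantined segment
    ("permit", ip_network("10.1.0.0/16"), 80),     # intranet web server
    ("permit", ip_network("10.1.0.0/16"), 443),
]

# Implicit result for a flow that matches no rule, per stance.
# Paranoid and promiscuous never consult the rules at all.
DEFAULTS = {"paranoid": "deny", "prudent": "deny",
            "permissive": "permit", "promiscuous": "permit"}


def evaluate(stance, src_ip, dst_port, rules=RULES):
    """Return "permit" or "deny" for one flow under the given stance."""
    if stance == "paranoid":
        return "deny"            # permit nothing
    if stance == "promiscuous":
        return "permit"          # permit everything
    src = ip_address(src_ip)
    for action, net, port in rules:
        if src in net and (port is None or port == dst_port):
            return action        # an explicit rule decides
    return DEFAULTS[stance]      # no rule mentioned this flow


def compare(src_ip, dst_port, rules=RULES):
    """Show how each stance treats the same flow (constructed helper)."""
    return {s: evaluate(s, src_ip, dst_port, rules) for s in DEFAULTS}


if __name__ == "__main__":
    # Telnet from an ordinary workstation: no rule mentions port 23, so only
    # the implicit default separates prudent from permissive.
    print(compare("10.1.5.5", 23))
```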

NOTE

The following story is well known among security practitioners.

Student-to-instructor: How do you configure a firewall?

Instructor-to-Student: Deny everything and wait for the phone to ring.


Solving Security with Technology

Bruce Schneier in Secrets and Lies: Digital Security in a Networked World, states,

"If you think that technology will solve your security problems, then you don't understand security and you don't understand your problems."

Security includes a necessary mindset for every employee and specified procedures to follow, in addition to technology, to minimize the risk.


Security Policies

Security policies help you define the level of security that is acceptable in your organization; they set a standard of care for every employee (and contractor). Security policies help you plan. Without them, there would be no way to tell which security decisions help increase your security and which are wastes of time and money. Even worse, there would be no way to identify areas that were overlooked.

In this section, you learn what goes into a security policy, how to create one, and how to make sure that it is kept up to date and used effectively.

Contents of a Security Policy

A security policy is a document. Although typically approved at the highest levels, it is not a high-level document (like a Mission Statement). Your security policy defines the resources that your organization needs to protect and the measures that you can take to protect them. In other words, it is, collectively, the codification of the decisions that went into your security stance.

Policies should be published and distributed to all employees and other users of your system. Management should ensure that everyone reads, understands, and acknowledges their role in following the policies and in the penalties that violations will bring.

NOTE

When separate policies deal with secure networks, publication of those policies should be restricted to individuals who have authorized access to those networks.

Security policies should emphasize what is allowed, not what is prohibited. Where appropriate, examples of permitted and prohibited behavior should be supplied. That way, there is no doubt; if not specifically permitted by the security policy, it is all prohibited. The policy should also describe ways to achieve its goals.

Example 2-1 is an example of a security policy for passwords. This example is divided into several sections, for which Table 2-1 lists the sections and describes their content.

Table 2-1. Generic Description of a Security Policy's Contents

Se ct ion Nam e

Cont e nt Gui de

1. 0 Ov erv iew

Just if ies t h e r eason for t he policy and ident if ies t he r isk s t h e policy addr esses.

2. 0 Pur pose

Ex plains wh y t he p olicy ex ist s and t he g oal t hat it is w r it t en t o accom plish .

3. 0 Scope

Defin es t he per sonnel cov er ed b y t he policy . Th is mig ht r an ge f rom a single gr oup in a d ep art ment t o t he ent ir e com pany .



Table of Content s

•4. 0 Policy

This is t he policy it self . I t is of t en d iv ided int o sev er al sub sect ions. Ex am ples ar e I ndex

W e b S ecur it y Fi el d com Gu idemon ly

used t o illu st r at e p oint s.

By 5.St0eve Kalman

Defin es t he penalt y f or f ailu re t o f ollow t he p olicy . I t is u su ally wr it t en as " ever y t hing up t o and including …" so t h at a ser ies of san ct ion s can b e app lied. Dism issal is t y pically t he m ost sev er e penalt y but , in a few cases, cr im in al Cisco Press pr osecu t ion shou ld b e list ed as an opt ion. Novem ber 08 , 20 02

En for cem ent Pub lish er: Pub Dat e:

6. 0 Definit I SBN: ion 1- 58s705 Any -0 92t -7 er m s t hat m ight be u nclear or am biguou s should be list ed an d d ef ined her e. Pages: 60 8 7. 0 Rev ision Hist ory

Dat es, chang es, an d reasons g o her e. This t ies int o en for cem ent in t h at t he inf ract ion should be m easur ed again st t he ru les in place at t he t im e it occur r ed, not necessar ily w h en it w as discov ered.

Example 2-1 A Sample Security Policy (Covering Passwords)

Password Policy

1.0 Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Example Corporation's entire corporate network. As such, all Example Corporation employees (including contractors and vendors with access to Example Corporation systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Example Corporation facility, has access to the Example Corporation network, or stores any nonpublic Example Corporation information.

4.0 Policy

4.1 General

All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis. All production system-level passwords must be part of the Information Security Department administered global password management database.

All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.

User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from other accounts held by that user.

Passwords must not be inserted into email messages or other forms of electronic communication.

Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv3).

All user-level and system-level passwords must conform to the guidelines described below.

4.2 Guidelines

A. General Password Construction Guidelines

Passwords are used for various purposes at Example Corporation. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

- The password contains less than eight characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  - Names of family, pets, friends, co-workers, fantasy characters, sports teams, etc.
  - Computer terms and names, commands, sites, companies, hardware, software.
  - The words "Example Corporation", "EXMC", "Big Apple" or any derivation.
  - Birthdays and other personal information such as addresses and phone numbers.
  - Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  - Any of the above spelled backwards.
  - Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
- Are at least eight alphanumeric characters long.
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

NOTE: Do not use either of these examples as passwords!

B. Password Protection Standards

Do not use the same password for Example Corporation accounts as for other non-Example Corporation access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various Example Corporation access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account.

Do not share Example Corporation passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential Example Corporation information.

Here is a list of don'ts:

- Don't reveal a password over the phone to ANYONE
- Don't reveal a password in an email message
- Don't reveal a password to the boss
- Don't talk about a password in front of others
- Don't hint at the format of a password (e.g., "my family name")
- Don't reveal a password on questionnaires or security forms
- Don't share a password with family members
- Don't reveal a password to co-workers while on vacation

If someone demands a password, refer them to this document or have them call someone in the Information Security Department.

Do not use the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger).

Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

Change passwords at least once every six months (except system-level passwords which must be changed quarterly). The recommended change interval is every four months.

If an account or password is suspected to have been compromised, report the incident to the Information Security Department and change all passwords.

Password cracking or guessing may be performed on a periodic or random basis by the Information Security Department or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

C. Application Development Standards

Application developers must ensure their programs contain the following security precautions. Applications:

- Should support authentication of individual users, not groups.
- Should not store passwords in clear text or in any easily reversible form.
- Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
- Should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.

D. Use of Passwords and Passphrases for Remote Access Users

Access to the Example Corporation Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

E. Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."

A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:

"The*?#>*@TrafficOnTheBridgeWas*&#!#ThisMorning"

All of the rules above that apply to passwords apply to passphrases.
5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Definitions

Terms | Definitions

Application Administration Account | Any account that is for the administration of an application (e.g., Oracle database administrator, Notes administrator).

7.0 Revision History
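The policy above states rules but leaves their enforcement to the reader. The following Python script is an added example, not part of the book or of the Example Corporation policy; it turns the construction guidelines of Section 4.2.A, the SNMP community-string rule of Section 4.1, and the "no clear text or reversible storage" requirement of Section 4.2.C into checks an administrator or developer could run. The word lists, the sample passwords, and the PBKDF2 work factor are constructed assumptions; the policy names the categories of bad words, not the words themselves.

```python
"""Checks modelled on the password policy in Example 2-1 (constructed example).

The word lists below are small stand-ins; a real deployment would load a full
dictionary plus a site-specific list of names, mascots and stock symbols.
"""
import hashlib
import hmac
import os
import string

# Assumed sample lists: the policy names the categories, not the words.
DICTIONARY_WORDS = {"password", "secret", "welcome", "bulldog", "summer"}
COMPANY_WORDS = {"examplecorporation", "exmc", "bigapple"}
KEYBOARD_PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}
SNMP_DEFAULT_COMMUNITIES = {"public", "private", "system"}  # Section 4.1
MIN_LENGTH = 8  # "at least eight alphanumeric characters long"
PBKDF2_ITERATIONS = 200_000  # assumed work factor, not a policy value


def _normalize(password):
    """Lower-case and drop spaces so "Big Apple" and "bigapple" compare equal."""
    return password.lower().replace(" ", "")


def _strip_edge_digit(word):
    """Undo the "secret1" / "1secret" trick named in Section 4.2.A."""
    if word and word[0].isdigit():
        word = word[1:]
    if word and word[-1].isdigit():
        word = word[:-1]
    return word


def _is_forbidden_word(word):
    """True if word, or word spelled backwards, is on any forbidden list."""
    forbidden = DICTIONARY_WORDS | COMPANY_WORDS | KEYBOARD_PATTERNS
    return word in forbidden or word[::-1] in forbidden


def check_password(password):
    """Return the list of Section 4.2.A violations (empty list if compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than eight characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digits or punctuation")
    base = _normalize(password)
    # Exact matches only, plus the reversal and edge-digit variants the
    # policy enumerates; a fuller check would also test substrings.
    if any(_is_forbidden_word(w) for w in (base, _strip_edge_digit(base))):
        problems.append("based on a dictionary, company or keyboard-pattern word")
    return problems


def check_snmp_community(community, login_passwords):
    """Apply the Section 4.1 rule for SNMP community strings."""
    problems = []
    if community.lower() in SNMP_DEFAULT_COMMUNITIES:
        problems.append("standard default community string")
    if community in login_passwords:
        problems.append("same as an interactive login password")
    return problems


def hash_password(password, salt=None):
    """Store a salted PBKDF2-SHA256 digest, never the password (Section 4.2.C)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed samples: one compliant password, a passphrase, and rule-breakers.
    samples = ("Gr33n#Kite9", "secret1", "1Ytrewq", "Big Apple",
               "The*?#>*@TrafficOnTheBridgeWas*&#!#ThisMorning")
    for candidate in samples:
        print(f"{candidate!r}: {check_password(candidate) or 'compliant'}")
    print("community 'public':", check_snmp_community("public", {"Gr33n#Kite9"}))
    record = hash_password("Gr33n#Kite9")
    print("stored form:", record)
    print("verify correct:", verify_password("Gr33n#Kite9", record))
    print("verify wrong:", verify_password("Gr33n#Kite8", record))
```

The stored record carries the algorithm name, iteration count and salt alongside the digest, so the work factor can be raised later without a format change; `hmac.compare_digest` keeps the comparison time independent of where the first mismatching byte lies.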

NOTE

In part 4.2-A in Example 2-1, there is a line suggesting that the name of the company, the nickname of a nearby town, or a stock symbol (which was unassigned at the time of this writing) are poor passwords, and they are. Other poor password examples will come from your own environment. For example, the word bulldog is far less secure at Mack Truck (where it is the company's mascot) than at any other company. You should expand that section with locally bad choices. If your company is national or international, you need to make it clear that there are classes of bad choices.

In large organizations, security policies are multipart documents, each referring to one or more of the others. For example, in a policy on router security, the section on choosing router access passwords will refer to the password policy. Policies commonly apply to less than all sections of the organization. Policies on acquiring commercial software or running a test lab or training department apply only to segments of the company, whereas policies such as an Information Sensitivity Policy (dealing with keeping confidential company information private) or Password Policies apply across the enterprise.

Example Security Policies

Several model security policies are available on the web. A good starting place is RFC 2196, "Site Security Handbook," which discusses all aspects of security policies, from content development to implementation. Another source of sample policies comes from SANS. The direct link is www.sans.org/newlook/resources/policies/policies.htm. If the link breaks, key the title of the page, The SANS Security Policy Project, into the search-this-site box on the SANS home page. Table 2-2 lists many of the policies you'll find there, along with a description of what they're for.

Tab le 2 -2 . Com m on Secur it y Policie s Poli cy N am e

D e scri pt i on

Accept able En cr y pt ion

Pr ovid es g uidan ce t hat lim it s t h e use of encry pt ion t o t hose algor it hm s t h at hav e r eceiv ed subst an t ial pub lic rev iew and hav e been p rov en t o w or k eff ect iv ely . Add it ionally, pr ovides d ir ect ion t o ensur e t hat app licable law s and r egulat ions are f ollowed. • Table of Content s •Accept able Use I ndex Ou t lin es wh o can use comp any - ow ned com pu t er eq uipm ent and net w or ks. W e b S ecur it y Fi el d Gu ideI t cov er s com pan y com p ut ers locat ed on com pan y pr emises as w ell as com put er s locat ed in em p loy ee' s hom es. By St eve Kalman Analog Line

Ex plains t he analog and I SDN lin e accept ab le use and app rov al p olicies and pr oced ur es. Sep arat e ru les ap ply t o lin es t hat are conn ect ed for t he sole pu rp02 ose of send in g and receiv ing fax es and lines t hat ar e connect ed t o Novem ber 08 , 20 com 1- 58 705 -0 92 -7 put er s.

Pub lish er: Cisco Press Pub Dat e: I SBN:

Pages: App licat ion60 8 Serv ice Pr ovider s

Descr ibes t h e com p any 's Ap plicat ion Serv ice Pr ovider s ( ASPs) r eq uir em ent s. ( ASPs com bine host ed soft war e, h ard war e, an d n et w or k ing t echnologies t o off er a ser v ice- based applicat ion. ) I t ref er s t o and incor por at es t he separ at e ASP St andar ds Policy .

ASP st an dar ds Defin es t he m inim um - secur it y cr it er ia t h at an ASP mu st m eet t o b e Hand s- on t echniqu esconsidered for secur infor g Window use. s( r ) serv ers, b r owser s, and net w ork com m un icat ions. Aud it Pr ovid es t he aut hor it y for m em bers of t he I nf or mat ion Secu r it y Depar t m en t Cr eat e eff ect iv et eam securt it policies lishditr ules fory op erem at ing and aining a or o ycon duct aand secuest ritab y au on an syst owin ned by mt haint e comp any secur it y - conscious env iron onm en com t inst alled t he pan y' s pr em ises. Aut om at ically Prden ev ent s t he un aut en t disclosu sensit Lear n how t o har Window sm u hor lt i- uized ser porlatinadv for m ert s, inclu ding NT,re2of 000 , andive XPcom pan y Forw ar ded Em ail inf orm at ion. and secur e es instt allat ion irem op t ions ser ers how enhan DB CrUnder ed en st t ials St at h e requ ent sf or f orWind securows ely w steb orin g van d ran et d r iev ingt odat ab asece secur it y on existusern ing wam ebes anan d FTP ser v er in st allat ions d passw or ds ( t hat is, d at abase cr ed en t ials) for u se by a pr ogr am t hat w ill access a dat ab ase ru nning on one of t he com pany 's I m pr ove secur it y at t he end user' s w or kst at ion, inclu ding w eb b row ser s, desk t ops, an d net w or ks. lapt op s Dial- in Access Est ablishes r ules t hat pr ot ect elect r onic inf or mat ion f rom being Ev aluat e t he pr os an er d cons in st alling a cer serv erpersonn and becom in g a you r ow inadv t en t lyofcomp rom ised b yt ificat aut heorized el using d ialinn Cer t ificat ion Au connect t hor it y ion. Ex t r anet ocu enan t describes t h eFirew policy er w hich h ird -how par t tyoorapp ganizat ion s Lear n t he CiscoThis PI X dFir ewmall d Cisco I OS allund ar chit ect u re t and ly Cisco connect t o t he com pan y' s net w or k s for t he pu rp ose of t r ansact in g b usiness. 
st andar d and ex t en ded access list s I nf orm at ion Help s emp loyees det erm ine wh at inf or m at ion can be d isclosed t o Discover w ay s tnon o t est t he cur r en at eas of tsecur it y ivand k eepivitit up dat Sensit iv it y em ploy ees, ast st well he r elat e sensit y oft oinf or emat ion t h at should not be d isclosed w it hou t pr op er au t hor izat ion. Lear n t o eng age end users as par t of t h e ov er all n et w or k secu rit y solut ion I nt er nal Lab Est ablishes inf orm at ion secur it y r equir em en t s for lab s t o en su re t hat While t hye I nt er net has t r id ansfor m inf ed orm andatim pr and ov edt echnologies t h e w ay w e ar doebusiness, v ast net k and Secu rit conf en t ial ion not comptrhis omised, andw tor h at it s associat ed t ech nologies opened t hed dotoor incrseasin n um secur y tiv h it reat pr odu cthav ioneserv ices an hert ointan er est ar e pgrot ectber ed frofom lab itact ies.s. The ch alleng e for successfu l, pu blic w eb sit es is t o encour age access t o t h e sit e w hile elim inat ing Ant i- Vir us Est ablishes r equir em ent s t hat mu st be met by all com put er s conn ect ed t o un desir able or malicious t r aff ic and t o pr ovid e su ff icient lev els of secur it y w it hout const r aining t he com pan y' s net w or k s t o ensur e ef fect iv e v iru s det ect ion an d p rev ent ion. per for m ance or scalabilit y . Th e m ore reliant org anizat ions b ecom e on t he I n t er net t o p er f orm daily t ran sact ions, e dar gr eat er tcr heeat iminpact br each oforn ds, et w tor secu rit yion has. Passwj obs or d or cond uctEst ablishes a stt han d for g st raong p assw hek pr ot ect of Just as Cisco Sy st em s h ast hose beenpan innorovat in tuhsin t h e I nt erofnet t o ge. conduct business, so t oo is it a Pr ot ect ion assw ds, or and e frgequency chan m ar ket leader in t he developm ent an d sale of p rod uct s and t echnologies t h at p rot ect d at a t r av eling acr oss t he I nt er net . 
Yet a net w or k secur it y solut ion is only as st r ong as it s w eak est link . Net w ork at t ack s can occu r at an y point , including t h e net w ork con nect ion , t he fir ew all, t h e w eb ser ver , or t h e client . Har d en in g t he def en ses at all t hese point s is key t o creat ing an eff ect iv e, all- encom passing net w ork secur it y solu t ion.

Remote Access

Defines standards for connecting to the company's network from any host. These standards are designed to minimize the potential exposure to damages (such as the loss of sensitive or confidential company data, intellectual property, damage to public image, damage to critical internal systems, and so on).

Risk Assessment

Empowers the Information Security Department to perform periodic information security risk assessments to determine areas of vulnerability and to initiate appropriate remediation.



Router and Switch Security


Describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity.

Server Security

Establishes standards for the base configuration of internal server equipment that is owned and operated on company premises or at web-hosting locations.

Virtual Private Network

Provides guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the company's corporate network.

Wireless Communication

Establishes standards for access of the company's network via secured wireless communication mechanisms.


Creating Your Own Security Policy

Creating security policies is a four-step process:

Step 1. Decide on your level of trust.

Step 2. Define appropriate behavior.

Step 3. Create a policy review team.

Step 4. Use the work of others.

The sections that follow examine each of these steps in greater detail.

Step 1: Decide on Your Level of Trust

Assuming that people will do the right thing is easy and tempting. Don't let yourself take this shortcut. Spell out what is expected and what is prohibited. Decide on the controls you will use to measure adherence to the good practices that you define. (This applies to programs as well as people.) Specify repercussions that will follow if employees do not adhere to practices. Trust different employees in different ways. Those with no privileged access are in a different category than those with high levels of access privilege.

Step 2: Define Appropriate Behavior

Whether the topic is email usage, password policies, or keeping company secrets, the system's users and the people who evaluate them must know what is expected. Your policies are necessary to support an HR action in the face of inappropriate behavior, or even to prosecute a criminal case in extreme examples.

Step 3: Create a Policy Review Team

The members of this team are responsible for drafting new policies and revising existing ones. Table 2-3 describes the representatives and their roles.


Table 2-3. Members of the Policy Review Team


Representative / Duties

From Management

Someone who can enforce the policy. This is often a senior member of the HR staff.

Information Security Department

Someone who can provide technical insight and research.

Users

Someone who can view the policies the way a user might view them.

Legal Department

Possibly part time, but someone who can review policies with respect to applicable laws. For multinational firms, this review is exponentially more complicated.

Publications

Someone who can make suggestions on communicating the policies to the organization's members and getting their buy-in. Also, a good writer is always helpful.

Step 4: Use the Work of Others

The previous section gave a pointer to a set of policies suitable for a large company. A Google search turns up literally dozens of sample policies for sale. Amazon has several books. You should investigate these resources and find one that matches your organization's profile. This will save you significant amounts of work. Even more important, it will keep you from accidentally omitting vital areas from consideration.

TIP

Information Security Policies Made Easy (Version 8), an excellent book on security policies by Charles C. Wood, comes with a CD containing policies you can edit and use. The only drawback is its relatively high cost (currently $595 U.S.).

Key Topics for Security Policies

Many of the security policies listed in Table 2-2 have key clauses that should be included, as further described in Table 2-4.

Table 2-4. Key Policy Provisions

Policy Name / Key Provisions

Encryption

Tells employees how to use encryption to protect information in transit (both over the network and via laptop). Names encryption products, algorithms, and strengths.

Acceptable Use


Lists appropriate use of computing resources. Users should be made to read and sign. Contains rules for e-mail, newsgroups, web surfing, and non-business use. Also states users' responsibilities regarding data in their private spaces.

Analog Line

Discusses who can have analog lines installed, for what purpose, and the things that they must do to protect the network while the line is in use.

Application Service Providers

Defines minimum-security standards to which ASPs must adhere to be eligible to contract with the company.

Automatically Forwarded Email

Discusses whether accessing, maintaining, and forwarding company e-mail to private accounts is allowed.

Information Sensitivity

Tells users how to treat company confidential, company officer eyes-only, company trade secret, third-party private, and other classifications of private information.

Internal Lab Security

Sets rules that protect the main network from work done in the lab.

Anti-Virus

Lists baseline rules for using antivirus products (AVPs) and frequency of updates. Explains procedure to follow after becoming infected. Includes rules for downloading software and for allowing attachments.

Password

Covers the minimum length, change periods, techniques for creating good passwords, and mistakes to avoid.
Remote Access

Acceptable use differs for users working from home. Using company facilities to reach out to the Internet might or might not be okay. Allowing family members to use the computer and access lines is another decision you need to make and convey.

Router Security

Deals with storage of router passwords and with minimum access control list requirements.

Wireless Communication

Deals with maintaining security when sending data across wireless LANs and the rules for when this might or might not be done (and, if done, how to implement it).

Implementing Your Security Policy Effectively

When you develop policies, you need to balance productivity and security. The goal of all good employees is to get their work done. If you create a rule that the employee thinks is just in the way, that employee will either ignore it or bypass it. Sometimes, you can implement technical controls to make sure that policies are followed (password change periods, for example), but other times you cannot. (A rule about never giving your password to someone else cannot be enforced by software.) You must make security a part of the corporate culture.

This does not have to be done in a punitive way. Here are two examples. A company whose policy called for password-protected screen savers or locked workstations whenever an employee was not using the PC was enforced by having security staff (uniformed guards on patrol) write "tickets"—they looked like parking tickets—and taping them to the monitor. The tickets reminded the users of the rules. The guards were taught how to Ctl-Alt-Del and pick Lock Workstation, and were instructed to do so whenever issuing a ticket.


Another company had guards walk around after the close of business looking for laptops left unattended. They took laptops they found and left a "luggage receipt" on the desk saying that the lost luggage could be claimed at the security station.

Avoiding Failure


One sure way to make a policy fail is to apply it unevenly. If certain people, because of their position or influence, can bypass policies with impunity, the policies will all become unenforceable. You must get management buy-in, even if doing so is painful.


Practice What You Preach

As a consultant, the worst project I took on was a virus extermination task. This was in the early days of networking, small hard drives, and extensive use of floppies. I went in and disinfected the servers, the workstations, and every floppy in plain sight. I was not allowed to open desk drawers. I also installed an antivirus product (AVP) on every PC. (It installed in the autoexec.bat file.)

A week later, I was called back because the virus had resurfaced. I found two problems. One was that a floppy in a desk drawer was infected, and the other was that the user disabled the AVP because it made the PC take too long to boot up. I redisinfected, this time with permission to open desk drawers and was accompanied by a security guard. I also recommended that management implement a policy stating that disabling the AVP would result in termination. They agreed.

Two weeks after that, I was called back. This time, I traced the problem to the office of a vice president of the company who brought an infected floppy from home and disabled the AVP. I asked the CIO if the VP was going to be dismissed. He laughed and said that the VP was too valuable to let go and that I should just clean it up and forget about it.

By the way, there was another solution that they could have employed. During World War II, General George S. Patton was made to apologize publicly to his troops—the alternative being court martial and disgrace. He apologized. (That might have been harder on him than the court martial.) By doing that, General Eisenhower kept a commander who was too valuable to lose, but he also made it clear that no one was above the rules. I suggested that the company follow this model by making the VP send a mea culpa note to everyone as an alternative to dismissal. They declined.

I told them not to call me again.



Summary

This first part of the book set the stage with a chapter on essential information and a chapter on security policies. Part II deals with things you should do to harden the server software before installing a web server.

Part II: Hardening the Web Server

A newly installed server is the easiest platform in the world to break into. That applies whether the server is a file server (NT 4, Windows 2000, or Windows XP), a web server (IIS4 or IIS5), or any other kind of server (FTP, SNMP, database, and so on). In this part, you see several techniques for hardening the three file server platforms. Part III then deals with web server versions.

There's no such thing as done, but you can be sure that following the suggestions outlined here will yield a result that's much more secure than what you started with.


Chapter 3, Windows System Security

This is the only chapter in this part. This chapter assumes that you know how to install the operating system. In many cases, you'll buy the web server platform with the operating system preinstalled anyway. This chapter focuses on making it secure. Be aware of an underlying assumption—the web server is a standalone machine, not part of a domain. No users are stationed there; only the administrator needs to log in at the console. All other access is through the network.

Chapter 3. Windows System Security

This chapter covers the following topics:


NT 4 Security

Windows 2000/XP Security


All versions of Windows have one thing in common: as installed, they have very weak security. The most egregious example of this is that after logging in, all users have full control (all permissions) at the root of every drive, and nearly all its subdirectories and files. Beyond that, some services are extremely open (such as the Messenger Service) and allow the devious to bypass logging in. This chapter teaches you about two things:

Which rights and permissions to apply, how to apply them, and how to make sure that newly installed applications don't undo your work

How to harden the operating system

NT 4 was the first Windows operating system to introduce a distinction between rights and permissions. A right applies to accessing the resources of the operating system itself, such as the right to shut down the system or the right to log on locally. A permission applies to accessing the file system's resources, such as reading, modifying, or erasing a file.

NT 4 was also the first Windows product with Discretionary Access Control (DAC). This enables permissions to be set on files and folders for individual users and groups. One user might have full control, another might be able only to read the file, and a third might have no access at all. To support all the additional file and folder attributes, a new file system called New Technology File System (NTFS) was developed. It is required for DAC.

TIP
Microsoft implemented DAC by assigning an Access Control List (ACL) to every file and folder. Each ACL has two subparts. One, the Discretionary Access Control List (DACL), determines which persons or processes have full, partial, or no access to the object. The other, called the System Access Control List (SACL), is used to manage logging and auditing.

This chapter focuses on DACLs.

In NT 4, each workstation and server had its own database of users and groups with which DAC was managed. As the number of stations grew, centralized user account management became a requirement. This was accomplished by creating domains, which are made up of member workstations and servers.

The database of users and groups was centralized at the domain controller. A user with an account in the domain could log on at any member (workstation or server) in the domain.

In many cases, this was sufficient. For larger companies, it was not. They would often have multiple domains based on their size or security needs. These domains could, optionally, be told to trust another domain's users. However, these trusts were one way. For two domains to trust each other, two different trusts had to be established, A to B and B to A. As the number of domains grew, this too became unmanageable. (Mathematically, if every domain trusts every other domain, the number of trusts is N × (N – 1), where N is the number of domains.) The solution to that problem came with Windows 2000 Server. It is called Active Directory (AD). AD is a Lightweight Directory Access Protocol (LDAP) database loosely based on the X.500 standard.


TIP
X.500 is an international standard created by the ISO for directory databases.

Active Directory simplifies and centralizes the multiple domain, multiple trust overhead that developed with the wide expansion of NT 4-based networks. There's more on this later in the chapter in the section, "Windows 2000/XP Security."

NT 4 Security

This section examines Windows NT 4's built-in security features and is divided into four parts:

• Explanation of the NT 4 File System Security Model

• Demonstration of weaknesses and ways to protect against them

• Explanation of operating system weaknesses

• Demonstration of hardening the operating system

NT 4 File System Security

NT 4 introduced five component parts to its security structure, as defined in Table 3-1.


Table 3-1. NT 4 Security Components

Acronym   Definition
DACL      Discretionary Access Control List. Every file and folder has a DACL, which contains ACEs.
ACE       Access Control Entry. Each ACE has two parts: the SID to which it applies and the permissions assigned to that SID.
SID       Security Identifier. The SID is a record locator into the SAM database. SIDs point to the records allocated to users or groups.
SAM       Security Accounts Manager. The SAM is a database containing records for all users and groups. These records refer to each other in the sense that group records list the SIDs of their members while user records list the SIDs of the groups the user belongs to. These records also maintain all other details, such as the rights assigned to a group or a user's password.
SAT       Security Access Token. When a user logs in, the system creates a temporary SAT. The SAT contains the user's SID, plus the SID of every group that the user belongs to.
When a user tries to access a file or folder, the SIDs in the SAT are compared to the ACEs in the ACL. If the permissions requested are granted by any ACE or by a combination of ACEs, access is granted. If not, access is denied. Table 3-2 shows the ACL for a folder called New-Web-Pages. Table 3-3 shows the SAT for Wendy Dean, a web developer. If Wendy tries to edit one of the files in that folder, the SIDs in her SAT will be compared to the SIDs in the folder's DACL in the following manner:

1. Test to see if SID 4086 is in an ACE.
2. Not there, try SID 101.
3. Not there, try SID 305.
4. Match. Grant permissions requested.



TIP
There is one special-case ACE called No Access. If this is assigned to a user or group, it overrides any permissions that would otherwise have been granted.

NOTE
SATs contain only SIDs, not the names of the objects the SIDs refer to. They are included in these tables for clarity. Also, for the sake of clarity, the SIDs and SATs are overly simplified. They are much more complicated than these tables imply.

Table 3-2. DACL for the New-Web-Pages Folder

SID    Permissions
305    Full Control

Table 3-3. SAT for a Web Developer

SID     Name
4086    Wendy Dean
101     Everyone Group
305     Web Developers Group
938     Web Users Group

Table 3-4 shows the SAT for Quincy Boles, a web user who is not a developer. Should Quincy try to access files in the New-Web-Pages folder, the same steps will be repeated, but with no match against his SIDs, access will be denied.

Table 3-4. SAT for a Web User

SID     Name
5377    Quincy Boles
101     Everyone Group
938     Web Users Group
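The comparison walked through above for Wendy and Quincy, as an added example that is not part of the book: a simplified Python model of the SAT-versus-DACL check using the chapter's sample SIDs. The permission names, the No Access handling and the hardened DACL layout are assumptions for illustration and do not reproduce Windows' real security descriptor format.

```python
"""Simplified model of the NT 4 access check described in Tables 3-1 to 3-4.

Added example, not the book's code. SIDs and names come from the chapter's
tables; the permission names, No Access handling and the hardened DACL are
assumptions and do not reproduce Windows' real security descriptor format.
"""
from __future__ import annotations

from dataclasses import dataclass

# The chapter's vocabulary: All Permissions is Read, Write, Change and Delete;
# Full Control adds changing permissions and taking ownership.
ALL_PERMISSIONS = frozenset({"Read", "Write", "Change", "Delete"})
FULL_CONTROL = ALL_PERMISSIONS | {"ChangePermissions", "TakeOwnership"}
NO_ACCESS = "No Access"  # special-case ACE that overrides everything else


@dataclass(frozen=True)
class ACE:
    """Access Control Entry: a SID plus the permissions assigned to that SID."""
    sid: int
    permissions: frozenset[str] | str  # a set of permission names, or NO_ACCESS


@dataclass(frozen=True)
class SAT:
    """Security Access Token: the user's SID plus the SID of every group the user belongs to."""
    user_sid: int
    group_sids: tuple[int, ...]

    def sids(self) -> tuple[int, ...]:
        return (self.user_sid, *self.group_sids)


def check_access(sat: SAT, dacl: list[ACE], requested: set[str]) -> tuple[bool, list[str]]:
    """Compare the SIDs in the SAT with the ACEs in the DACL.

    Returns (granted, trace); the trace lists the same steps the chapter walks
    through for Wendy. Access is granted if any ACE, or a combination of ACEs,
    covers every requested permission; a No Access ACE for any SID in the SAT
    denies regardless of what other ACEs would grant.
    """
    wanted = frozenset(requested)
    trace: list[str] = []
    # A No Access ACE for any SID in the SAT overrides everything else.
    for ace in dacl:
        if ace.permissions == NO_ACCESS and ace.sid in sat.sids():
            trace.append(f"No Access ACE matches SID {ace.sid}: access denied")
            return False, trace
    granted: set[str] = set()
    # Walk the SAT in order; each matching ACE contributes its permissions.
    for sid in sat.sids():
        matches = [ace for ace in dacl if ace.sid == sid]
        if not matches:
            trace.append(f"SID {sid} not in any ACE, try the next SID")
            continue
        for ace in matches:
            granted |= ace.permissions
            trace.append(f"SID {sid} matches an ACE granting {sorted(ace.permissions)}")
        if wanted <= granted:
            trace.append("Match. Grant permissions requested.")
            return True, trace
    trace.append("No ACE or combination of ACEs grants the request: access denied")
    return False, trace


# Constructed sample data using the chapter's simplified SIDs.
WENDY = SAT(user_sid=4086, group_sids=(101, 305, 938))   # Table 3-3: a web developer
QUINCY = SAT(user_sid=5377, group_sids=(101, 938))       # Table 3-4: a web user
NEW_WEB_PAGES_DACL = [ACE(305, FULL_CONTROL)]           # Table 3-2: Web Developers only
DEFAULT_DACL = [ACE(101, FULL_CONTROL)]                 # NT 4 default: Everyone, Full Control
# Assumed hardened layout (not from the book): web users read, developers change.
HARDENED_DACL = [ACE(938, frozenset({"Read"})), ACE(305, ALL_PERMISSIONS)]

if __name__ == "__main__":
    for who, sat in (("Wendy", WENDY), ("Quincy", QUINCY)):
        ok, steps = check_access(sat, NEW_WEB_PAGES_DACL, {"Write"})
        print(f"{who} editing New-Web-Pages: {'granted' if ok else 'denied'}")
        for n, step in enumerate(steps, 1):
            print(f"  {n}. {step}")
    ok, _ = check_access(QUINCY, DEFAULT_DACL, {"TakeOwnership"})
    print(f"Quincy taking ownership under the NT 4 default DACL: {'granted' if ok else 'denied'}")
```

Running it shows Wendy's four-step trace from the chapter, Quincy denied on New-Web-Pages, and Quincy able to take ownership under the NT 4 default DACL, which is the weakness the next section corrects.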


Securing the NT 4 File System

NT 4's default for permissions is that the Everyone group gets full control from the root of each drive down. For a single user workstation, such as a laptop, that might be okay, but this is clearly not acceptable for a file server or a web server. If left in place, any user who logged in, no matter how (even via the anonymous guest-like account created during web server installation), would have full control.

TIP
In all of the Windows operating systems, a difference exists between All Permissions and Full Control. The former means Read, Write, Change, and Delete, whereas the latter means All Permissions plus the ability to change those permissions and to take ownership of the file or folder.

You can adjust permissions using Windows Explorer. Right-click the folder where you want your changes to begin and choose Properties. Figure 3-1 shows this action at the web server's document root, and Figure 3-2 displays the result. From the tabbed dialog, choose Security to get the screen shown in Figure 3-3. Click the Permissions box to see the current permissions for this folder.

Figure 3-1. Using Windows Explorer to Access the Properties Page




Figure 3-2. WSFGhome\Docs Property Page




Figure 3-3. Security Tab on the Properties Page





The result shown in Figure 3-4 is the NT 4 default: every user logged in on the system (the Everyone group) has Full Control. This leaves the system wide open to any kind of unauthorized access.

Figure 3-4. NT 4 Default with Everyone Getting Full Control




To correct that, you should first create two groups. One will serve authorized web users and the other will be for developers. To create groups in NT 4, start User Manager for Domains, as shown in Figure 3-5. Then click the User menu item to get to the place to create a new local group. This is shown in Figure 3-6. Clicking Create New Local Group gives the dialog shown in Figure 3-7.

Figure 3-5. Starting User Manager for Domains


Figure 3-6. Launching the New Local Group Dialog




Figure 3-7. Creating a Group

Fill in the group name and, optionally, a description; then click Add. This gives a dialog box (shown in Figure 3-8) that offers the option of which users to add to the newly created group. If you are a member of a domain, you can choose domain users and groups (by clicking the dropdown box and selecting the appropriate domain) as well as local users. Click the user's name that you want to add (which causes the Add button to go from gray to black), and click Add. The result of all this is shown in Figure 3-9, where Joseph has been made a member of the WebDev (Web Developers) group.


Figure 3-8. Choosing the User


Figure 3-9. One User Added




NOTE

As stated in the introduction to this part, the assumption is that you are building a stand-alone server. An intranet server does not have to be in the domain. Users who browse to intranet servers will automatically and transparently use the anonymous account. For more internal security, you can change the IIS configuration to have each user's access depend on his user rights and file system permissions. If you do that, joining the domain is appropriate. It allows administration of all user accounts in one place. Chapter 5, "Enhancing Web Server Security," provides details on how to make that change.

If you intend to join the domain and use the access controls covered in Chapter 5, you must create groups for both users and developers using the methods described here. However, if you are creating a standalone server, you need to create only the developers' group and accounts; user access will be handled via the automatically created Anonymous account.

Figure 3-10 shows the process repeated to create the WebUsers group. This group should have both users and developers because developers still need read access if they are to test that users can access the appropriate sections of the site. You might want to remove developers after the web site is in production. Adding them now makes your job easier later.

Figure 3-10. WebUsers Group Created

After you have the necessary groups created, you can apply group permissions to the web root folder. Repeat the steps shown in Figures 3-1 to 3-3 to get back to the dialog shown in Figure 3-4 (the starting Directory Permissions dialog, repeated here in Figure 3-11).

Figure 3-11. Starting Directory Permissions

Click Add to bring up the list of groups known to your server. Then click the WebDev group (scrolling down to get to it), and click Add. This gives you the dialog shown in Figure 3-12. When a group is added, the default permission is Read. Click the down arrow labeled Type of Access and choose Full Control, as shown in Figure 3-13.

Figure 3-12. Groups to Choose From




Figure 3-13. Granting Proper Permissions




Click OK to add this group, and repeat this process to add the WebUsers group with Read permissions. Figure 3-14 shows the result.

Figure 3-14. Interim Permissions for the Docs Folder


After you add the new groups, click Everyone and then Remove to limit access to users in the specified groups. Figure 3-15 shows the result.




Figure 3-15. Updated Permissions on the Doc Folder


These permissions need to be propagated throughout the web site, so click the check box next to Replace Permissions on Subdirectories and OK. The result is the warning shown in Figure 3-16. Click Yes to proceed.

Figure 3-16. Acknowledging the Warning and Propagating the Changes

You won't be able to test this until you install the web server. However, if you did try to access the web server now, you wouldn't get in. IIS defaults to access via an anonymous account named IUSR_machine-name (for example, IUSR_pc3). If you're going to rely on anonymous access, you have to put that account into the WebUsers group, too.

To give a user directory permissions, repeat the steps shown in Figures 3-1 to 3-3, but this time click the Show Users button. That adds individual users to the list for you to select. Choose the Internet Guest account and click Add; then click OK.



NOTE



Distinguishing between access via Internet Explorer (or any other browser) and access via Windows Explorer (or any other file manager) is essential. In the former case, the anonymous account is used and the result is a combination of file system ACL permissions granted to that account plus web server permissions granted to that directory.


In the latter case, access is controlled exclusively by ACL. A user in the domain could map a drive to the web server and read or update web pages when the Everyone group has Full Control. After making the changes shown here, only web developers can update the site, and only web users can read the contents. Chapter 5 explains how to remove anonymous access for intranet servers.
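The permission changes walked through in Figures 3-11 to 3-16 and the note above, as an added PowerShell example that is not from the book (NT 4 had no PowerShell; this targets a current Windows host with Get-Acl, Set-Acl and Add-LocalGroupMember). It assumes the local groups WebDev and WebUsers already exist, uses a placeholder web-root path, and follows the book's IUSR_<machine-name> naming for the anonymous account.

```powershell
# Added example, not from the book: apply and verify the Chapter 3 web-root ACL from PowerShell
# instead of the Directory Permissions dialog (Figures 3-11 to 3-16).
# Assumptions: local groups WebDev and WebUsers already exist, $WebRoot is a placeholder path,
# and the IIS anonymous account follows the book's IUSR_<machine-name> naming.

$WebRoot     = 'C:\InetPub\wwwroot'                        # placeholder; use your site's root
$DevGroup    = "$env:COMPUTERNAME\WebDev"
$UsersGroup  = "$env:COMPUTERNAME\WebUsers"
$AnonAccount = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"  # IUSR_pc3 in the book's example

# Build an inheritable Allow ACE; ContainerInherit + ObjectInherit makes it flow to subfolders and files.
function New-WebAce {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-WebRootAcl {
    param([string]$Path, [string]$Dev, [string]$Users, [string]$Anon)

    # Anonymous browsing runs as the IUSR_ account, so it has to be a WebUsers member
    # (the book's note under Figure 3-16). Errors are ignored if it is already a member.
    Add-LocalGroupMember -Group ($Users.Split('\')[-1]) -Member $Anon -ErrorAction SilentlyContinue

    $acl = Get-Acl -Path $Path
    # Make this folder's ACL authoritative: stop inheriting from the parent and drop inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # "Click Everyone and then Remove" (Figure 3-15).
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')
    # WebDev gets Full Control (Figure 3-13); WebUsers gets Read, which is RX in NT 4 terms (Figure 3-14).
    $acl.AddAccessRule((New-WebAce -Identity $Dev   -Rights 'FullControl'))
    $acl.AddAccessRule((New-WebAce -Identity $Users -Rights 'ReadAndExecute'))
    Set-Acl -Path $Path -AclObject $acl

    # "Replace Permissions on Subdirectories" (Figure 3-16): every child inherits from the web root
    # again, and explicit ACEs that were set directly on a child are discarded.
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $child = Get-Acl -Path $_.FullName
        $child.SetAccessRuleProtection($false, $false)
        foreach ($rule in @($child.Access | Where-Object { -not $_.IsInherited })) {
            [void]$child.RemoveAccessRule($rule)
        }
        Set-Acl -Path $_.FullName -AclObject $child
    }
}

# Check the resulting ACL the way an auditor would: Everyone gone, WebDev full, WebUsers read-only.
function Test-WebRootAcl {
    param([string]$Path, [string]$Dev, [string]$Users)
    $acl   = Get-Acl -Path $Path
    $rules = $acl.Access
    $grants = {
        param([string]$Who, [string]$Right)
        $want = [System.Security.AccessControl.FileSystemRights]$Right
        [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq $Who -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $want) -eq $want)
        })
    }
    [pscustomobject]@{
        Path               = $Path
        InheritanceBlocked = $acl.AreAccessRulesProtected
        EveryoneRemoved    = -not ($rules | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })
        WebDevFullControl  = & $grants $Dev 'FullControl'
        WebUsersReadOnly   = (& $grants $Users 'ReadAndExecute') -and -not (& $grants $Users 'Write')
    }
}

Set-WebRootAcl  -Path $WebRoot -Dev $DevGroup -Users $UsersGroup -Anon $AnonAccount
Test-WebRootAcl -Path $WebRoot -Dev $DevGroup -Users $UsersGroup | Format-List
```

Test-WebRootAcl only inspects the root folder's own ACL; a child that still has an explicit Everyone ACE would be caught by running it against that child's path.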


NT 4 Operating System Security

There is a lot more to securing a web server than hardening the file system. Here's a list of other things that you need to do:

Set account policies.
Edit group rights.
Rename critical accounts.
Turn on auditing.
Remove or disable unnecessary or dangerous services.

The sections that follow examine these tasks in greater detail. Fortunately, except for the last item, most of the work is done in one program—User Manager for Domains.

Setting Account Policies

Account policies take effect when a new account is created. Settings here revolve around password and login issues. As shown in Figure 3-17, clicking Policies and then Account in User Manager for Domains launches the Account Policies page.

Figure 3-17. User Manager Policies Menu




Figure 3-18 shows the result. Several items on that page have already been changed to their recommended values. Table 3-5 shows the default value and gives an explanation of the suggested change.

Figure 3-18. Modified Account Policies Page




Table 3-5. Account Policy Recommendations

Account Policy | Default | Recommended Value | Explanation
Maximum Password Age | Never expires | 28 days | Users should change passwords at least every month on infrequently accessed machines.
Minimum Password Length | Blank allowed | 9 characters | Servers should be well protected. Accounts should have passwords greater than eight characters to skirt a flaw in the password encryption program that makes shorter passwords far easier to guess.
Minimum Password Age | Immediate change allowed | One day | Without the restriction, users can cycle through a series of passwords to get back to their favorite. This makes that technique impractical.
Password Uniqueness | No history | 24 passwords | Prohibits alternating among a few favorites.
Account Lockout | None | Enabled | Enables the configuration choices in the next three rows of this table.
Lockout After N Bad Attempts | 5 | 3 | Users are expected to know their passwords.
Reset Count After | 15 | 15 | Fifteen minutes is enough time to start the counter over.
Lockout Duration | 30 mins | 15 mins | The Administrator account cannot be locked out forever. Increasing this value also increases help desk calls for password resets from those who cannot or will not wait.
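An added audit of the Table 3-5 settings, written for this edition and not taken from the book: it parses the output of "net accounts" and reports which policies still sit at the defaults. It assumes an English-locale Windows host, since the label strings are the ones "net accounts" prints there, and the sample lines are constructed.

```powershell
# Added example, not from the book: audit a host's account policy against the Table 3-5
# recommendations by parsing "net accounts" output. Assumes an English-locale Windows host;
# the label strings below are the ones "net accounts" prints there.

$Never = [int]::MaxValue   # stands in for "no upper bound" in the ranges below

# Acceptable ranges derived from Table 3-5's recommended column.
$Recommended = [ordered]@{
    'Maximum password age (days)'           = @{ Low = 1;  High = 28 }      # "Unlimited" (never expires) fails
    'Minimum password length'               = @{ Low = 9;  High = $Never }  # longer minimums are fine
    'Minimum password age (days)'           = @{ Low = 1;  High = 28 }
    'Length of password history maintained' = @{ Low = 24; High = $Never }
    'Lockout threshold'                     = @{ Low = 1;  High = 3 }       # "Never" (lockout off) fails
    'Lockout duration (minutes)'            = @{ Low = 1;  High = 15 }
    'Lockout observation window (minutes)'  = @{ Low = 15; High = $Never }  # "Reset Count After"
}

# Turn the "Label:   value" lines into a hashtable of label -> integer (or raw text).
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<key>[^:]+?):\s*(?<val>\S.*)$') {
            $key = $Matches.key.Trim()
            $val = $Matches.val.Trim()
            $policy[$key] = switch -Regex ($val) {
                '^\d+$'           { [int]$val }
                '^Unlimited$'     { [int]::MaxValue }   # password never expires
                '^(None|Never)$'  { 0 }                 # feature switched off
                default           { $val }              # e.g. "Computer role: SERVER"
            }
        }
    }
    return $policy
}

# One row per Table 3-5 setting: actual value, acceptable range, and a pass/fail flag.
function Test-AccountPolicy {
    param([hashtable]$Policy, $Wanted)
    foreach ($name in $Wanted.Keys) {
        $actual = $Policy[$name]
        $range  = $Wanted[$name]
        $ok = ($actual -is [int]) -and ($actual -ge $range.Low) -and ($actual -le $range.High)
        $shown = $actual
        if ($null -eq $actual)               { $shown = '(not reported)' }
        elseif ($actual -eq [int]::MaxValue) { $shown = 'Unlimited' }
        $bound = if ($range.High -eq [int]::MaxValue) { '+' } else { "-$($range.High)" }
        [pscustomobject]@{
            Setting     = $name
            Actual      = $shown
            Recommended = "$($range.Low)$bound"
            Compliant   = $ok
        }
    }
}

# Constructed sample of "net accounts" output for a host still at the Table 3-5 defaults
# (on a live host replace it with:  $SampleLines = net accounts).
$SampleLines = @(
    'Force user logoff how long after time expires?:       Never'
    'Minimum password age (days):                          0'
    'Maximum password age (days):                          Unlimited'
    'Minimum password length:                              0'
    'Length of password history maintained:                None'
    'Lockout threshold:                                    Never'
    'Lockout duration (minutes):                           30'
    'Lockout observation window (minutes):                 15'
    'Computer role:                                        SERVER'
)

Test-AccountPolicy -Policy (ConvertFrom-NetAccounts -Lines $SampleLines) -Wanted $Recommended |
    Format-Table -AutoSize

# Apply the Table 3-5 values from an elevated prompt:
# net accounts /maxpwage:28 /minpwlen:9 /minpwage:1 /uniquepw:24 /lockoutthreshold:3 /lockoutduration:15 /lockoutwindow:15
```

With the constructed sample only the observation window passes; every other row reports Compliant = False until the values are changed.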

Editing Group Rights

NT 4 also assigns rights to groups. Using the same program, click Policies and then User Rights to bring up the User Rights Policy dialog box. Click the down arrow and select Shut down the system, as seen in Figure 3-19, to bring you to the dialog shown in Figure 3-20.

- 1 9 . Sel inlish g t rhe o ing M od y m aint aining a Cr eat e eff ect iv eFigu securritey 3 policies and ect est ab ulesRigh for opt ert at in if and secur it y - conscious env ir onm en t Lear n how t o har den Window s m u lt i- u ser p lat for m s, inclu ding NT, 2 000 , and XP Under st and secur e inst allat ion op t ions f or Wind ows w eb ser v ers an d how t o enhan ce secur it y on exist ing w eb an d FTP ser v er in st allat ions I m pr ove secur it y at t he end user' s w or kst at ion, inclu ding w eb b row ser s, desk t ops, an d lapt op s Ev aluat e t he pr os an d cons of in st alling a cer t ificat e serv er and becom in g you r ow n Cer t ificat ion Au t hor it y Lear n t he Cisco PI X Fir ew all an d Cisco I OS Firew all ar chit ect u re and how t o app ly Cisco st andar d and ex t en ded access list s Discover w ay s t o t est t he cur r en t st at e of secur it y and k eep it up t o dat e Lear n t o eng age end users as par t of t h e ov er all n et w or k secu rit y solut ion While t h e I nt er net has t r ansfor m ed and im pr ov ed t h e w ay w e do business, t his v ast net w or k and it s associat ed t ech nologies anps incrw easin umRigh ber of tsecur it y t h reat s. Figu r ehav 3 -e2opened 0 . D eft he audltoorGrt oou it h gt nhe The ch alleng e for successfu l, pu blic w eb sit es is t o encour age access t o t h e sit e w hile elim inat ing un desir able or malicious t r aff ic and t o pr ovid e su ff icient lev els of secur it y w it hout const r aining per for m ance or scalabilit y . Th e m ore reliant org anizat ions b ecom e on t he I n t er net t o p er f orm daily j obs or cond uct t ran sact ions, t h e gr eat er t he im pact a br each of n et w or k secu rit y has. Just as Cisco Sy st em s h as been an inn ovat or in u sin g t h e I nt er net t o conduct business, so t oo is it a m ar ket leader in t he developm ent an d sale of p rod uct s and t echnologies t h at p rot ect d at a t r av eling acr oss t he I nt er net . 
Delete the Users group. Every account, by default, is made a member of this group. (The difference between Users and the Everyone group is that you can remove members from Users.) Until you remove Users from the rights list, any user can shut down the system. That's a right that should be restricted.

TIP

The Show Advanced User Rights check box at the bottom of Figure 3-20, when selected, more than doubles the number of rights that can be managed. One of those extra rights is called Debug Programs. By default, only Administrators can use that right. Your web developers might ask you to grant them the right by adding in their group. If possible, resist their efforts. Development should not be done on the production server. Debugging belongs on test machines.
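An added check for this section (example code, not from the book): on Windows 2000 and later, secedit /export /cfg writes the current user rights assignment to a text file whose [Privilege Rights] section lists each right with its holders as SIDs, and the script below parses that section and reports any holder of the Shut down the system or Debug programs rights outside an allowed set. NT 4 has no secedit, so there the same review is done by eye in the User Rights Policy dialog; the export text, the WEBDEVS group and the allowed sets are constructed for the example.

```python
"""Report broad groups that hold the "Shut down the system" or "Debug
programs" rights, from a secedit export. Added example, not the book's
code; assumes the [Privilege Rights] section layout written by
`secedit /export /cfg <file>` on Windows 2000 and later.
"""

# Well-known SIDs as a secedit export writes them (with a leading '*').
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-551": "Backup Operators",
}

# Rights the chapter singles out, mapped to the groups allowed to keep them.
# The allowed sets are an assumption for this example; adjust to your policy.
POLICY = {
    "SeShutdownPrivilege": {"Administrators"},   # "Shut down the system"
    "SeDebugPrivilege": {"Administrators"},      # "Debug programs"
}

# Constructed export: Users and Backup Operators still hold shutdown, and a
# local WEBDEVS group (a constructed name) was given Debug programs.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,WEBDEVS
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {right: [holder, ...]} from the [Privilege Rights] section.

    '*SID' entries are resolved through WELL_KNOWN; anything else (a SID we
    do not know, or an unresolved name) is kept verbatim.
    """
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = []
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            if item.startswith("*"):
                holders.append(WELL_KNOWN.get(item[1:], item[1:]))
            else:
                holders.append(item)
        rights[name.strip()] = holders
    return rights


def find_violations(rights, policy=POLICY):
    """Return [(right, holder)] for every holder the policy does not allow."""
    return [
        (right, holder)
        for right, allowed in policy.items()
        for holder in rights.get(right, [])
        if holder not in allowed
    ]


if __name__ == "__main__":
    for right, holder in find_violations(parse_privilege_rights(SAMPLE_EXPORT)):
        print(f"{right}: remove {holder}")
```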

Renaming Critical Accounts

An intruder trying to gain access to a server will often try to break into the Administrator account. This is for two reasons:

The account is created by default and, so, is usually there.

If successful, the intruder will have full control of the system.

You can thwart intruders in two ways:

Change the name of the Administrator account.

Create a new account and make it a member of the Administrators group. Then remove the Administrator account from all groups.
Figure 3-21 demonstrates changing the name of the Administrator account using User Manager. Simply click User, click Rename, and change the name of the Administrator account. Pick a name that matches your naming convention so that if a user does manage to learn the names of the accounts on the computer, the account name itself does not indicate its special nature.

Figure 3-21. Changing the Administrator Name


As previously stated, another popular way to thwart would-be intruders is to create a new account, make it a member of the Administrators group, and remove the Administrator account from all groups. You can even assign the Administrator account the special No Access file system permission to all files and folders. This way, even if the intruder is successful, nothing is lost. This is the recommended technique. The now powerless Administrator account will still attract would-be hackers. If you log attempted logins to that account, you'll know right away if you're under attack.
Turning On Auditing

NT 4 uses the term auditing in much the same way as other operating systems use the term logging. Whichever word you use, it is a means to record certain, selected events. Those events come in two categories. The easy way to divide them is by things that concern the operating system, such as failed logins or rebooting, and by things that concern files and folders, such as deleting them or taking ownership.

To enable either operating system event logging or file system event logging, start in User Manager for Domains and click Policies and then Audit.
Figure 3-22 shows the place to click to launch the audit dialog. When it pops up, the Do Not Audit button is checked and the rest of the items are grayed out. Click the Audit These Events button to get the screen shown in Figure 3-23. From that screen, click both the Success and Failure check boxes on the File and Object Access line to enable file system auditing.

Figure 3-22. User Manager Audit Menu


Figure 3-23. Default Auditing Dialog

Table 3-6 defines the possible auditing choices. Figure 3-24 shows the suggested entries for a web server. All failures are audited, as well as successful changes to File, Security, and Restart. You can audit more, but choosing some of these items (such as successful logins) adds significantly to the web server's log without adding very much to its security. Doing so also risks a denial-of-service attack: when log files fill, servers shut down unless configured otherwise. You must make sure that there is always plenty of room in your log file.


Figure 3-24. Modified Auditing Dialog


Table 3-6. Auditing Choices in NT-4

Audit Event: Logon and Logoff
Recommended?: Not for web servers
Success: Records every successful logon, including anonymous web users.
Failure: Records failed logon attempts.

Audit Event: File and Object Access
Recommended?: Yes, coupled with careful selection of files and folders to monitor
Success: Coupled with file and folder logging, will show when files change, that is, are created, deleted, or changed; also shows ownership transfer.
Failure: Records requests to files or folders that failed due to lack of permissions.

Audit Event: Use of User Rights
Recommended?: Not for web servers
Success: Records when user rights, granted via User Manager, are employed.
Failure: Records attempts to do something for which the right was not granted.

Audit Event: User and Group Management
Recommended?: No
Success: Records successful changes to groups, including creating, deleting, and editing membership.
Failure: Records unsuccessful attempts to change groups or memberships.

Audit Event: Security Policy Changes
Recommended?: Yes
Success: Intruders usually try to make changes to security policies. Recording successful attempts helps reconstruct an intrusion or alert you that one is ongoing.
Failure: Having a history of unsuccessful attempts to change security policy helps track down intruders before they succeed.

Audit Event: Restart, Shutdown and System
Recommended?: Yes
Success: Normal restarts mark the log with known events. Unexpected restarts show potential misbehaving programs or successful intruders who try to cover their tracks.
Failure: Failed restart attempts show intruders who try to cover their tracks and help identify badly misbehaving programs.

Audit Event: Process Tracking
Recommended?: Never for web servers
Success: Creates an entry every time a program or process starts, filling logs very quickly.
Failure: Creates entries when processes fail to start.

Changes to the auditing profile are recorded in the security log. You can see the changes using the Event Viewer program on the Administrative Tools (Common) menu. Select the Security Log and open the log file entry to see the policy change shown in Figure 3-25.

Figure 3-25. Log Entry of a Policy Change

After you have turned on auditing in User Manager for Domains, you can begin auditing in the file system. To get to the Properties dialog shown in Figure 3-26, launch Windows Explorer, navigate to and select the directory you want to audit, right-click and choose Properties, and select the Security tab.

Figure 3-26. Auditing on the Security Tab in the Folder's Properties


Click Auditing to bring up the Directory Auditing box shown in Figure 3-27. You have the ability to audit the actions of both individual users and group objects. In addition, the choices you make for one object audit don't have to be the same as the choices you make for another.

Figure 3-27. Default Directory Auditing Dialog




Click Add to bring up the list of users and groups for your server (shown in Figure 3-28), select the Everyone group, and click Add and OK. Because this is the most general group, you'll use it when you want to audit everyone's actions. The recommended items to audit are shown in the check boxes in Figure 3-29.

Figure 3-28. Users and Groups Audit Candidates




Figure 3-29. Recommended Auditing Selections


TIP

You can audit the Everyone group even if you have removed that group's file system permissions.
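Two detection checks over a security log export, added here as example code (not the book's): the first watches for logons against the now powerless Administrator account described under Renaming Critical Accounts, the second reports File and Object Access audits that granted write or delete access under the three %systemroot% folders the chapter says to watch. The CSV layout, the event 560 description text, the machine name WEBSRV, the %systemroot% path and all account names are constructed to resemble an NT 4 Event Viewer text export; confirm the column order and wording of your own export before relying on the parser.

```python
"""Two checks over an NT 4 security log export (added example, not the
book's code). The CSV layout is constructed to resemble an Event Viewer
"save as text" export: date,time,source,type,category,event,user,computer,
description. Confirm the column order and event text of your own export.
"""
import csv
import io
import re
from datetime import datetime, timedelta

DECOY_ACCOUNT = "Administrator"          # the account left behind with no rights
FAILED_LOGON, SUCCESS_LOGON, OBJECT_OPEN = "529", "528", "560"   # NT 4 event IDs
WINDOW, THRESHOLD = timedelta(minutes=5), 3   # failures per window before alerting

SYSTEM_ROOT = r"C:\WINNT"               # %systemroot% on the sample machine (assumed)
WATCHED = [SYSTEM_ROOT + r"\system", SYSTEM_ROOT + r"\system32", SYSTEM_ROOT + r"\repair"]
WRITE_ACCESS = {"DELETE", "WRITE_DAC", "WRITE_OWNER", "WriteData", "AppendData"}

# Constructed records: a burst of failed logons to the decoy, one success,
# and three Object Open audits, only one of which is a write under system32.
SAMPLE_LOG = r"""
11/08/2002,09:00:01,Security,Success Audit,Logon/Logoff,528,WEBADM,WEBSRV,Successful Logon: User Name: WEBADM Domain: WEBSRV Logon Type: 2
11/08/2002,09:01:10,Security,Failure Audit,Logon/Logoff,529,SYSTEM,WEBSRV,Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: WEBSRV Logon Type: 3
11/08/2002,09:01:12,Security,Failure Audit,Logon/Logoff,529,SYSTEM,WEBSRV,Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: WEBSRV Logon Type: 3
11/08/2002,09:01:15,Security,Failure Audit,Logon/Logoff,529,SYSTEM,WEBSRV,Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: WEBSRV Logon Type: 3
11/08/2002,09:05:30,Security,Success Audit,Object Access,560,jsmith,WEBSRV,Object Open: Object Server: Security Object Type: File Object Name: C:\WINNT\system32\inetsrv\asp.dll Primary User Name: jsmith Primary Domain: WEBSRV Accesses: DELETE WRITE_DAC SYNCHRONIZE Privileges: -
11/08/2002,09:06:00,Security,Success Audit,Object Access,560,jsmith,WEBSRV,Object Open: Object Server: Security Object Type: File Object Name: C:\WINNT\system32\drivers\etc\hosts Primary User Name: jsmith Primary Domain: WEBSRV Accesses: ReadData (or ListDirectory) SYNCHRONIZE Privileges: -
11/08/2002,09:07:00,Security,Success Audit,Object Access,560,WEBADM,WEBSRV,Object Open: Object Server: Security Object Type: File Object Name: C:\Inetpub\wwwroot\default.htm Primary User Name: WEBADM Primary Domain: WEBSRV Accesses: WriteData (or AddFile) SYNCHRONIZE Privileges: -
11/08/2002,10:15:42,Security,Success Audit,Logon/Logoff,528,Administrator,WEBSRV,Successful Logon: User Name: Administrator Domain: WEBSRV Logon Type: 3
"""

USER_RE = re.compile(r"(?:Primary )?User Name:\s*(\S+)")
OBJECT_RE = re.compile(r"Object Name:\s*(\S+)")          # paths without spaces (assumed)
ACCESS_RE = re.compile(r"Accesses:\s*(.*?)\s*(?:Privileges:|$)")


def parse_events(text):
    """Return the exported records as dicts, oldest first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9:
            continue                                    # blank or malformed row
        date, time_, _, _, _, event_id, _, _, desc = row[:9]
        user, obj, acc = USER_RE.search(desc), OBJECT_RE.search(desc), ACCESS_RE.search(desc)
        events.append({
            "ts": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S"),
            "id": event_id,
            "user": user.group(1) if user else None,     # account the event is about
            "object": obj.group(1) if obj else None,     # file path for 560 events
            "accesses": set(acc.group(1).split()) if acc else set(),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def decoy_alerts(events, decoy=DECOY_ACCOUNT, window=WINDOW, threshold=THRESHOLD):
    """(ts, kind, message) for any successful logon to the decoy account and
    for every burst of `threshold` failed logons to it within `window`."""
    alerts, failures = [], []
    for e in events:
        if e["user"] != decoy:
            continue
        if e["id"] == SUCCESS_LOGON:
            alerts.append((e["ts"], "SUCCESS", f"logon to decoy {decoy}: investigate now"))
        elif e["id"] == FAILED_LOGON:
            failures = [t for t in failures if e["ts"] - t <= window] + [e["ts"]]
            if len(failures) == threshold:              # fires once per burst
                alerts.append((e["ts"], "BURST", f"{threshold} failed logons to decoy {decoy} within {window}"))
    return alerts


def system_folder_writes(events, watched=WATCHED):
    """(ts, user, path, granted) for Object Open audits that granted write,
    delete or ownership access to anything under the watched folders."""
    roots = tuple(w.lower() + "\\" for w in watched)    # NTFS paths are case-insensitive
    hits = []
    for e in events:
        if e["id"] != OBJECT_OPEN or not e["object"]:
            continue
        if not e["object"].lower().startswith(roots):
            continue
        granted = e["accesses"] & WRITE_ACCESS
        if granted:
            hits.append((e["ts"], e["user"], e["object"], sorted(granted)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ts, kind, msg in decoy_alerts(evs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} [{kind}] {msg}")
    for ts, user, path, granted in system_folder_writes(evs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} [WRITE] {user} opened {path} with {' '.join(granted)}")
```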

NOTE

Some folders should always be audited. In particular, three folders under %systemroot% (System, System32, and Repair) should be monitored for changes.

Removing or Disabling Unnecessary or Dangerous Services

The only foolproof way to guarantee that an intruder won't use a particular piece of software is to remove it from your system. When possible, do exactly that. A second best alternative, especially useful with a special category of programs called services, is to disable them. Examine the list of services running on your computer and disable the ones that you don't need. Use Control Panel and then launch the Services applet to see your computer's list of services.

One service that has a high-risk factor is the Messenger service. It can be used in a social engineering type of attack, fooling cooperative users into doing things that the attacker wants. To disable the Messenger service, launch Control Panel, then the Services applet, and select Messenger. That gives you the dialog box shown in Figure 3-30. Double-click Startup to get to the Service box shown in Figure 3-31 and set the Startup Type to Disabled. Click OK to get back to the main services screen and then click Stop. You get the warning shown in Figure 3-32. Click Yes to complete the task.
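The folder auditing from the note and the service disabling just described, done from PowerShell instead of the Control Panel applets, as an added example that is not from the book. It assumes an elevated session on a current Windows host; the Messenger service name exists only on the NT-era systems this chapter covers, so elsewhere the script simply reports it as absent.

```powershell
# Added example (not from the book). Assumes an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. Put a change-audit entry (SACL) on the three folders under %SystemRoot%
#    named in the note: System, System32 and Repair. The entries only produce
#    Security-log events once object-access auditing is turned on, for example:
#    auditpol /set /subcategory:"File System" /success:enable /failure:enable
function Enable-FolderChangeAudit {
    param(
        [string[]]$Folders = @('System', 'System32', 'Repair'),
        [string]$Root = $env:SystemRoot
    )
    # Operations that change a folder or its contents; reads are not audited
    # here to keep the log volume manageable.
    $rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    foreach ($name in $Folders) {
        $path = Join-Path $Root $name
        if (-not (Test-Path $path)) {
            # Repair is not present on every Windows version.
            Write-Warning "Skipping $path (not present on this system)"
            continue
        }
        # -Audit fetches the SACL along with the DACL; without it Set-Acl
        # would silently drop the audit entry.
        $acl  = Get-Acl -Path $path -Audit
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $propagate, $flags)
        $acl.AddAuditRule($rule)
        Set-Acl -Path $path -AclObject $acl
        Write-Output "Audit entry added on $path"
    }
}

# 2. Disable a service the same way the applet does: set the startup type to
#    Disabled first, then stop it, so it cannot be restarted by a reboot.
function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($svc in $Name) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) {
            Write-Output "$svc : not installed on this host"
            continue
        }
        if ($PSCmdlet.ShouldProcess($svc, 'Set startup type to Disabled and stop')) {
            Set-Service -Name $svc -StartupType Disabled
            if ($s.Status -eq 'Running') { Stop-Service -Name $svc -Force }
            Write-Output "$svc : disabled and stopped"
        }
    }
}

# List what is currently running so the unneeded services can be picked out,
# as the text advises, before deciding which ones to disable.
Get-Service | Where-Object Status -eq 'Running' |
    Sort-Object DisplayName | Format-Table Name, DisplayName, StartType -AutoSize

Enable-FolderChangeAudit
# -WhatIf previews the change; drop it to actually disable the service.
Disable-UnneededService -Name 'Messenger' -WhatIf
```

Disabling services other than Messenger with the same function works only after confirming nothing on the host depends on them; the service list printed first is the place to check that.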


Figure 3-30. Control Panel's Services Applet


Figure 3-31. Disabling the Messenger Service


Figure 3-32. Stopping the Messenger Service Immediately

Securing the NT 4 Web Server

In January 2002, Microsoft issued an internal memo saying that security is the top priority, and that Microsoft wanted to be known for its trustworthy software. This memo was made available to and widely reported in the trade press.

Even assuming that this new initiative is wildly successful, it will do nothing for the operating systems and other Microsoft software already in distribution. Finding and fixing or removing vulnerable software is a mandatory step in securing a web server or network.

Accomplishing the job by manual inspection is simply not possible. New vulnerabilities in old software and unknown vulnerabilities in both new and old software are so numerous that they need a computer to search for them. Fortunately, you have one. In addition, several well-known scanners are available. The next few pages give you a brief overview of the Internet Scanner from Internet Security Systems (ISS) in the NT 4 operating environment.

NOTE The ISS Internet Scanner is one of several in the field. It is included because it is a leading example in its category. It is a complex program with many more features than are described here.


ISS Internet Scanner comes with about 20 built-in policies. In this context, a policy is a set of potential security holes to check for. Different policies exist because different computers are used in different manners; actions that are everyday, normal occurrences on one might be a security hole on another. An example of this is something covered earlier in this chapter. NT 4 gives the Everyone group the Full Control permission at the root of each drive. For NT 4 Workstations, this is usually appropriate. For NT 4 Servers, it almost never is. Another reason is that the items scanned for on Windows-based computers differ from scans on those running UNIX, and both have wildly different scanning needs than routers. Finally, some tests take quite a bit of time (both elapsed time and CPU resources). To accommodate the need to scan everything on some machines while having the ability to perform less intrusive scans on others, several levels of scans are available. Higher-level numbers are more detailed. With that in mind, the first job is to pick a policy. If the predefined policies don't match your needs, you could decide to build your own, modeling it on one of the existing policies.

Start Internet Scanner and click OK to create a new session. Figure 3-33 shows the beginning of a session with ISS waiting for policy selection. Clicking Add Policy begins a simple three-step process:

Step 1. Select a policy to clone. (There is a predefined blank policy for the truly adventurous.)

Step 2. Edit the policy.

Step 3. Name and save it.

Figure 3-33. ISS Policy Selection Page

Figure 3-34 illustrates step 1. The built-in L5 NT Web Server policy is a good place to start. Select L5 NT Web Server and click Next. Give the session a descriptive name and click Finish. From the Policy menu, select Edit Current. Expand the Vulnerabilities and then the Denial of Service branches. That brings you to the screen in Figure 3-35, which shows an expansion of the FTP Vulnerabilities branch. Six commercial FTP servers are listed. One of them is Serv-U, a product discussed in Chapter 6, "Enhancing the FTP Server." ISS users with systems that have Serv-U should select all the relevant tests and make sure that the others are deselected.

Figure 3-34. ISS Sample Policies


Figure 3-35. ISS Policy Editing


After making all desired changes and saving the policy, ISS asks for the IP addresses to scan using that policy. This inquiry screen is shown in Figure 3-36. The bulleted entry, Ping valid hosts in your key, needs some special explanation.

Figure 3-36. ISS, Specifying the Destination Addresses to Scan


In one important way, a commercial scanner is like a loaded gun; it can be used for defense or for offense. In the hands of authorized security staff, it can find holes that need to be patched. However, in the hands of an intruder, it can just as easily find holes to exploit. When you purchase ISS or any reputable scanner, the vendor needs to know the IP address range that you want to scan. If you choose an IANA-registered IP address, you need to prove that you are authorized to scan those addresses. When the registration process is complete, ISS issues you a key that is limited to your range of addresses. (This is sometimes called an IP Lock.)

Still, you probably do not want to scan all your machines at the same time. Doing so takes too long and increases network traffic dramatically. Also, it is much more manageable to have one report for one machine. That way, you can rerun it later, as needed, to determine if a particular security hole is patched. Figure 3-37 demonstrates selecting the address or range of addresses to scan.

Figure 3-37. ISS, Entering the Address


After you launch the scan, you might have to handle one or more warnings such as the Denial of Service (DoS) warning shown in Figure 3-38. Scanning often causes DoS problems and should be scheduled when it is least intrusive. (This is another reason to scan only one machine at a time.)

Figure 3-38. ISS, Denial of Service Warning


Reputable scanners alert stations that they are being scanned, as shown in Figure 3-39. If you ever see a message like this pop up while you are working (and you're not absolutely sure that the scan is authorized), disconnect from the network immediately and notify your administrator.

Figure 3-39. ISS Scan Alert


When the scan finishes, ISS shows the security weaknesses by category. Figure 3-40 displays the Vulnerabilities section. Items listed there are categorized as High, Medium, or Low risk and should be attended to in that order. You can also generate a report in a variety of formats, as shown in Figure 3-41.

Figure 3-40. ISS, Displaying the Scan Results


Figure 3-41. ISS, Generating a Permanent Report

NOTE Although you cannot see it in Figure 3-40, the levels of risks are color-coded. The Low risks use a blue circle with an "i" in it, Medium risks have yellow triangles with an "!," and High risks are red with a "-."


Windows 2000/XP Security

Windows 2000 introduced the Active Directory (AD). An AD holds information about all resources on the network, including the information about users, groups, and rights that NT 4 held in its SAM database. Because of its enterprisewide, global scope, the security surrounding it is more sophisticated.

Each record (called an object) in the AD can be protected with its own ACL. Like ACLs for files and folders, these ACLs list users and groups and the kind of access they have to particular objects. To make the system more secure and less overhead-intensive, a query mechanism called a Global Catalog (GC) is supported.

One of the biggest changes brought about by the AD is the new dependence on DNS. In NT 4, DNS was common but not required. NT 4 defaulted to and assumed that it could rely on NetBIOS names, although it does support DNS. The AD is a hierarchical organization of domains, organized into forests made up of trees.

The AD tree has the top-level DNS name, and the domains have subordinate names. For example, the General Motors tree (GM.COM) might have domains named Buick.GM.COM, Chevrolet.GM.COM, Pontiac.GM.COM, and so forth. Furthermore, the Chevrolet.GM.COM domain might itself be subdivided into domains Trucks.Chevrolet.GM.COM, Cars.Chevrolet.GM.COM, and so on. On the other hand, Isuzu might have its own Isuzu.com tree. Because GM owns Isuzu, there is a close relationship between them, and the two trees form a forest. Queries against the GC could look at the entire forest or at a specific tree or domain. Similarly, AD management can be delegated at those levels, too.

NOTE

Just because AD is available starting with Windows 2000 does not mean that it has to be used. Standalone machines can still exist.

Windows 2000 web servers in the DMZ should be configured as if they were NT 4 servers. Create local users and groups and manage accordingly. Web servers in the trusted intranet can belong to the AD, or they can be created as standalones. The decision is based on whether you want internal users to access them with their usernames and passwords or by the Anonymous account. Chapter 5 provides instructions for implementing that decision.

2K/XP File System Security Templates

Security Templates are another addition that shipped with Windows 2000. (To be fair, they were also included in an NT 4 service pack, but not with all of the Windows 2000 functionality.) These are model security configurations that can control rights, permissions, registry entries, group memberships, and much more. A large number of templates are supplied with Windows 2000 (and with Windows XP, which continues to use them). You can find even more templates at Microsoft's web site and other security-oriented sites on the web.

CAUTION

Sophisticated intruders have introduced security templates that intentionally install security holes. They track the IP address of those that visit their web site to download the template and use the holes they planted to launch an attack. If you do download templates, be sure that they come from a reputable source. (One such reputable source, by the way, is www.nsa.gov, where you'll find some truly excellent security resources, including one that is used later in this chapter.)

This first subsection on Windows 2000/XP Security introduces you to the default server template. If you were to apply it unchanged, your Windows 2000 Server's security would be the same as after a fresh operating system installation.

TIP

Running the default script weakens security for already running web servers. Take your server off the network before running it.

Running this default script is especially important if you upgraded from NT 4 workstation or server rather than performed a fresh install. Upgrades inherit their predecessors' security settings. The Microsoft templates generally assume that the defaults are in place, so they don't change things that are already assumed to be okay.

Also, be aware that you don't have to run the templates. You could, for example, follow the instructions in the NT 4 sections with the minor modifications needed to adjust to the new operating system. (For example, User Manager for Domains is gone, but you can add users and groups from Computer Management in Control Panel's Administrative Tools.)
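
The CAUTION above warns about downloaded templates that plant holes, and the TIP warns that the default template loosens a server you have already hardened. Both can be checked before a template is ever loaded into the snap-in, because a template is a plain INI-style text file. The following is an added example written for this section, not code from the book or from Microsoft: it parses the [System Access], [Group Membership] and [File Security] sections of a template, checks the password and lockout values against a baseline, flags Restricted Groups entries that make accounts local Administrators, and reports which settings a candidate template would loosen relative to the one a server already runs. The ranges in BASELINE are my own assumptions, and the two sample templates, including the account SID in the second one, are constructed.

```python
"""Check a Windows security template (.inf) before applying it.

Added example, not code from the book or from Microsoft. It parses the
INI-style format the Security Templates snap-in reads, checks [System
Access] values against an assumed baseline, flags Restricted Groups
entries that add local Administrators, and lists what a candidate
template would loosen on a server already running a tighter one.
The sample templates and SID *S-1-5-21-1000-2000-3000-1105 are constructed.
"""

ADMINISTRATORS = "*S-1-5-32-544"   # well-known SID as templates write it
BASELINE = {                        # assumed, not from the book: (low, high)
    "MinimumPasswordLength": (8, None),
    "PasswordComplexity": (1, 1),
    "LockoutBadCount": (1, 10),     # 0 turns account lockout off
    "MaximumPasswordAge": (1, 90),  # -1 means passwords never expire
}


def parse_template(text):
    """Return {section: {key: value}}; lines without '=' (the comma-separated
    [File Security] records, for example) are collected under '_raw'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
        elif current is not None:
            sections[current].setdefault("_raw", []).append(line)
    return sections


def strength(key, value):
    """Rank a [System Access] value so that larger means tighter; a disabled
    lockout (0) or a never-expiring password (<= 0) ranks weakest."""
    if key == "LockoutBadCount":
        return float("-inf") if value == 0 else -value
    if key == "MaximumPasswordAge":
        return float("-inf") if value <= 0 else -value
    return value


def audit_template(text, baseline=BASELINE):
    """Findings for one template; an empty list means nothing was flagged."""
    tpl = parse_template(text)
    findings = []
    access = tpl.get("System Access", {})
    for key, (lo, hi) in baseline.items():
        if key not in access:
            continue                        # template leaves the setting alone
        value = int(access[key])
        if (lo is not None and value < lo) or (hi is not None and value > hi):
            findings.append(f"{key}={value} outside baseline {lo}..{hi}")
    # [Group Membership] is the Restricted Groups section: a __Members line
    # makes the listed accounts members of that group when the template runs.
    members = tpl.get("Group Membership", {}).get(ADMINISTRATORS + "__Members", "")
    for sid in (s.strip() for s in members.split(",") if s.strip()):
        findings.append(f"Restricted Groups puts {sid} in local Administrators")
    return findings


def weaker_settings(current_text, candidate_text, baseline=BASELINE):
    """{key: (current, candidate)} for settings the candidate would loosen:
    the 'analyze before configure' step of the analysis snap-in."""
    cur = parse_template(current_text).get("System Access", {})
    new = parse_template(candidate_text).get("System Access", {})
    weaker = {}
    for key in baseline:
        if key in cur and key in new:
            a, b = int(cur[key]), int(new[key])
            if strength(key, b) < strength(key, a):
                weaker[key] = (a, b)
    return weaker


# Constructed: what a hand-hardened server currently enforces.
HARDENED = """
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
MaximumPasswordAge = 60
"""
# Constructed: a downloaded template that resets the password policy and
# quietly makes an extra account a local Administrator.
SUSPICIOUS = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
MaximumPasswordAge = 42
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1000-2000-3000-1105
[File Security]
"%SystemRoot%\system32",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)"
"""

if __name__ == "__main__":
    print(*audit_template(SUSPICIOUS), sep="\n")
    print(weaker_settings(HARDENED, SUSPICIOUS))
```

The Restricted Groups check is the one that matters for the CAUTION: a `*S-1-5-32-544__Members` line looks like housekeeping but adds whatever it lists to the local Administrators group the moment the template is applied, and it does not show up in the password-policy values a quick review tends to focus on. `weaker_settings` approximates, for these settings only, what the Analyze step of the Security Configuration and Analysis snap-in reports, with the advantage that it can be run over a whole folder of candidate templates before any of them touches a server.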

Installing Templates

Windows 2000 significantly enhanced the Management Console that came with Service Pack 4 for NT 4. Windows XP added a little more. The easiest way to launch the Management Console with either operating system is to use the Start/Run… dialog box and enter the program name, mmc, which takes you to the screen shown in Figure 3-42.

Figure 3-42. Management Console

As installed, the Management Console doesn't do much. You have to add function-specific modules called snap-ins. To start adding security configuration snap-ins, click Console and Add/Remove Snap-in, as shown in Figure 3-43.

Figure 3-43. Launching the Add/Remove Snap-In Function

From the screen shown in Figure 3-44, click the Add button to get the list of standalone snap-ins. Scroll to the bottom and select Security Configuration and Analysis; then click Add, as shown in Figure 3-45. Repeat the process to add the Security Templates; then click Close to give you the screen shown in Figure 3-46. Click OK to get back to the main Console screen shown in Figure 3-47. Notice the two snap-ins are loaded.

Figure 3-44. Adding a Snap-in to the Management Console

Figure 3-45. The Snap-In List

Figure 3-46. Two Snap-Ins Ready to Add to the Management Console

Figure 3-47. MMC with Snap-Ins Added

Security templates can be in any of several locations. Another source of Microsoft-supplied templates is in C:\WINNT\INF. To add templates, right-click Security Templates and choose New Template Search Path. Figure 3-48 demonstrates this.

Figure 3-48. Adding Another Template Location

TIP

The Microsoft-supplied templates in the C:\WINNT\INF folder come with Windows 2000 Server, but not Windows 2000 Professional. If you're installing on the latter platform, you can download the templates from Microsoft's web site.

Browse to the folder holding the supplemental templates, shown in Figure 3-49, and click OK to bring you to the revised Console shown in Figure 3-50.

Figure 3-49. Browsing for Supplemental Templates

Lear n t o eng age end users as par t of t h e ov er all n et w or k secu rit y solut ion While t h e I nt er net has t r ansfor m ed and im pr ov ed t h e w ay w e do business, t his v ast net w or k and it s associat ed t ech nologies hav e opened t he d oor t o an incr easin g n um ber of secur it y t h reat s. The ch alleng e for successfu l, pu blic w eb sit es is t o encour age access t o t h e sit e w hile elim inat ing un desir able or malicious t r aff ic and t o pr ovid e su ff icient lev els of secur it y w it hout const r aining per for m ance or scalabilit y . Th e m ore reliant org anizat ions b ecom e on t he I n t er net t o p er f orm daily j obs or cond uct t ran sact ions, t h e gr eat er t he im pact a br each of n et w or k secu rit y has. Just as Cisco Sy st em s h as been an inn ovat or in u sin g t h e I nt er net t o conduct business, so t oo is it a m ar ket leader in t he developm ent an d sale of p rod uct s and t echnologies t h at p rot ect d at a t r av eling acr oss t he I nt er net . Yet a net w or k secur it y solut ion is only as st r ong as it s w eak est link . Net w ork at t ack s can occu r at an y point , including t h e net w ork con nect ion , t he fir ew all, t h e w eb ser ver , or t h e client . Har d en in g t he def en ses at all t hese point s is key t o creat ing an eff ect iv e, all- encom passing net w ork secur it y solu t ion.



Table of Content s



I ndex

W e b S ecur it y Fi el d Gu ide By St eve Kalman

Pub lish er: Cisco Press Pub Dat e: Novem ber 08 , 20 02 I SBN: 1- 58 705 -0 92 -7 Pages: 60 8

Hand s- on t echniqu es for secur in g Window s( r ) serv ers, b r owser s, and net w ork com m un icat ions. Cr eat e eff ect iv e secur it y policies and est ab lish r ules for op er at ing in and m aint aining a secur it y - conscious env ir onm en t Lear n how t o har den Window s m u lt i- u ser p lat for m s, inclu ding NT, 2 000 , and XP Under st and secur e inst t ions f or Wind owsgem w eb eser an d how t o enhan ce Figu r e allat 3 - 5ion 0 .op Rev ised M a na ntv ers Console secur it y on exist ing w eb an d FTP ser v er in st allat ions I m pr ove secur it y at t he end user' s w or kst at ion, inclu ding w eb b row ser s, desk t ops, an d lapt op s Ev aluat e t he pr os an d cons of in st alling a cer t ificat e serv er and becom in g you r ow n Cer t ificat ion Au t hor it y Lear n t he Cisco PI X Fir ew all an d Cisco I OS Firew all ar chit ect u re and how t o app ly Cisco st andar d and ex t en ded access list s Discover w ay s t o t est t he cur r en t st at e of secur it y and k eep it up t o dat e Lear n t o eng age end users as par t of t h e ov er all n et w or k secu rit y solut ion While t h e I nt er net has t r ansfor m ed and im pr ov ed t h e w ay w e do business, t his v ast net w or k and it s associat ed t ech nologies hav e opened t he d oor t o an incr easin g n um ber of secur it y t h reat s. The ch alleng e for successfu l, pu blic w eb sit es is t o encour age access t o t h e sit e w hile elim inat ing un desir able or malicious t r aff ic and t o pr ovid e su ff icient lev els of secur it y w it hout const r aining per for m ance or scalabilit y . Th e m ore reliant org anizat ions b ecom e on t he I n t er net t o p er f orm daily j obs or cond uct t ran sact ions, t h e gr eat er t he im pact a br each of n et w or k secu rit y has. 

Expand the new \inf branch, scroll down to the default templates, and select defltsv, which stands for default server and is shown in Figure 3-51. Expand that branch, click the item labeled File System, and scroll down to the item called %SystemRoot% to display the screen shown in Figure 3-52. Double-click that line to bring up the dialog box shown in Figure 3-53.

Figure 3-51. Selecting the Default Server Template


Figure 3-52. Displaying the Default Server Items



Figure 3-53. Template Security Policy Setting Dialog

TIP


%SystemRoot% is an environment variable. Environment variables are set at boot and can be viewed by opening a command prompt and typing the command set. Figure 3-54 shows the environment variables on the Windows 2000 test machine, W2K-Srvr.


Figure 3-54. Displaying the Environment Variables


From the dialog shown in Figure 3-53, click Edit Security; you see the screen shown in Figure 3-55. This figure shows the settings that would be in effect if this template were applied; it does not necessarily reflect the current settings. After examining the figure, click Cancel twice to return to the Console. Click Security Configuration and Analysis in the left column; you might have to scroll up to see it. You should now see the screen shown in Figure 3-56.
Figure 3-55. Proposed File Settings



Figure 3-56. Security Configuration and Analysis Screen




Analyzing the Server


The Console screen gives the instructions to create a new database or open an existing one. Assuming that this is your first time through the program, you should create a new database. Right-click the Security Configuration and Analysis scope (resulting in the screen shown in Figure 3-57) and click Open Database (yielding the screen shown in Figure 3-58). Type in the filename or use the one indicated in the figure as a model, and then click Open.

Figure 3-57. Creating a New Database


Figure 3-58. Naming the Database
conduct business, so ptroo is it a TheCisco r esult r eq for t he emovat plat eorf ile, e 3-t 5 Because y ou h ave ev iously m ar ket leader in t he developm ent an d sale of p rod uct s and t echnologies t h at p rot ect d at a ident if ied m ore t han one locat ion for t he t em plat e f ile, be aw are t hat t he open I m port tTe r av oss t he I ntterdef net . Yet netwr w or y solut iony ou is only r ong ase itt o sw eakcor estr ect meling p la t eacr d ialog m igh ault t oat he onkgsecur locatition. I f so, needast ostnav igat t he link . Net w ork at t ack s can occu r at an y point , including t h e net w ork con nect ion , t he fir ew all, the locat ion ( C: \ Winnt \ in f, in t h is case) . Click once on t he t em p lat e called de fl t sv, click t he w eb ser ver , or t h e client . Har d en in g t he def en ses at all t hese point s is key t o creat ing an check box at t h e low er left t o clear t h e dat abase, and click Ope n. Th at b ring s y ou b ack t o t h e eff ect iv e, all- encom passing net w ork secur it y solu t ion.

Con sole ( see Figur e 3- 6 0) , r eady t o analy ze or conf igur e y our serv er .

Figure 3-59. Choosing the Template




Figure 3-60. MMC, Ready to Analyze or Configure the Server


Right-click the Security Configuration and Analysis scope again (see Figure 3-61), but this time choose Analyze Computer Now. You'll be asked for a path for the error log (see Figure 3-62), and you can take the default. Click OK to begin the analysis process. This takes a while. To bide your time, compare your image to the one shown in Figure 3-63.


Figure 3-61. Starting the Analysis


Figure 3-62. Naming the Error Log Location


Figure 3-63. Analysis in Progress Screen




When the analysis process finishes, right-click the Security Configuration and Analysis scope again and choose View Log File. Figure 3-64 shows the log's first page with a mismatch between the current value of a user right and the template value. Figure 3-65 shows the same log, this time looking at several mismatches in Registry keys. (The particular keys listed for your machine probably won't match the figure because of the small differences between machines, such as video and other peripherals, drivers, updates and patches applied, and software installed.) If you are following along on your own machine, take a few moments to explore the log.

Figure 3-64. User Rights Portion of the Analyze Log





Figure 3-65. Registry Portion of the Analyze Log

Configuring the Server

Perform the next step only when you want to set a server's security settings back to the installed defaults: every setting the template defines is reset to its default value, which undoes any hardening of those settings done since installation. If that is what you want, right-click the Security Configuration and Analysis scope (also shown in Figure 3-65) and choose Configure Computer Now. After the configuration is complete, you need to view the log file. (You might need to refresh the log.)


This time, the images from the log file (refer to Figure 3-66 and Figure 3-67) show that the mismatches were corrected. Compare Figures 3-64 and 3-66 for the rights changes and Figures 3-65 and 3-67 for the Registry changes.

Figure 3-66. User Rights Portion of the Configure Log


Figure 3-67. Registry Portion of the Configure Log
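The snap-in steps in "Analyzing the Server" and "Configuring the Server" can also be run from the command line with secedit.exe, the engine behind the Security Configuration and Analysis snap-in, which is useful when you want to repeat the comparison on several servers or keep the list of mismatches as a record. The script below is an added example, not code from the book; PowerShell postdates the Windows 2000 and XP systems described here, so it is meant for a current Windows server. It assumes the template is defltsv.inf under %SystemRoot%\inf (the location the text uses), and the working directory, file names, and the log-line patterns the parser looks for ("----Analyze ..." section headers and "Mismatch -" entries, as seen in secedit logs) are assumptions to adjust if your log differs. As with Configure Computer Now, the -Configure switch overwrites live settings with the template values, so the script exports the current policy first.

```powershell
# Added example, not from the book: command-line equivalent of the
# Analyze Computer Now / Configure Computer Now steps, using secedit.exe.
# Run from an elevated PowerShell prompt on the server being checked.
param(
    # Template to compare against. defltsv.inf is the "default server"
    # template the text selects; %SystemRoot%\inf is one of its locations.
    [string]$Template = (Join-Path $env:SystemRoot 'inf\defltsv.inf'),
    # Where the database, logs and policy snapshot go (directory name is an assumption).
    [string]$WorkDir = (Join-Path $env:TEMP 'sca-defltsv'),
    # Apply the template after analyzing (Configure Computer Now). Off by default.
    [switch]$Configure
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Template)) {
    throw "Template not found: $Template. Check %SystemRoot%\inf and any other location you copied it to."
}
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db     = Join-Path $WorkDir 'defltsv.sdb'       # the "database" the snap-in asks you to name
$log    = Join-Path $WorkDir 'analyze.log'       # the error log path the snap-in asks for
$before = Join-Path $WorkDir 'policy-before.inf'

# Snapshot the policy areas secedit can export (account policy, user rights,
# audit policy, registry values) so the configure step can be reversed.
# File system and registry ACLs are not part of this export; back those up separately.
secedit.exe /export /cfg $before
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)" }

# Analyze Computer Now. Deleting any old .sdb first is the command-line
# equivalent of the "clear this database" check box in the Import Template dialog.
# (/quiet is deliberately not used: it suppresses the log we parse below.)
Remove-Item -LiteralPath $db -ErrorAction SilentlyContinue
secedit.exe /analyze /db $db /cfg $Template /log $log
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit $LASTEXITCODE); see $log" }

# Pull the mismatches out of the log instead of scrolling through it in the GUI.
# Assumed log format: section headers such as "----Analyze User Rights..."
# followed by one line per setting, e.g. "   Mismatch - SeNetworkLogonRight."
function Get-SeceditMismatch {
    param([Parameter(Mandatory)][string]$LogPath)
    $section = ''
    foreach ($line in Get-Content -LiteralPath $LogPath) {
        if ($line -match '^-{4,}\s*(.+?)\.{3}\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*Mismatch\s*-\s*(.+?)\.?\s*$') {
            [pscustomobject]@{ Section = $section; Setting = $Matches[1] }
        }
    }
}

$mismatches = @(Get-SeceditMismatch -LogPath $log)
Write-Host ("{0} setting(s) on this server differ from {1}" -f $mismatches.Count, $Template)
$mismatches | Format-Table -AutoSize

if (-not $Configure) { return }

# Configure Computer Now. Every setting the template defines is reset to the
# template value (for defltsv, the installation default); settings the template
# does not define are left alone. /overwrite replaces the database contents
# with the template rather than merging.
$cfgLog = Join-Path $WorkDir 'configure.log'
secedit.exe /configure /db $db /cfg $Template /overwrite /log $cfgLog
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE); see $cfgLog" }
Write-Host "Configured from $Template. Log: $cfgLog"
Write-Host "To restore the exported policy areas: secedit /configure /db $db /cfg $before /overwrite"
```

Run the script with no switches first and read the mismatch table; it is the command-line counterpart of Figures 3-64 and 3-65. Add -Configure only once you have decided that every listed setting should go back to its default, and keep policy-before.inf until you have confirmed the server still behaves as expected.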
Just as Cisco Sy st em s h as been an inn ovat or in u sin g t h e I nt er net t o conduct business, so t oo is it a m ar ket leader in t he developm ent an d sale of p rod uct s and t echnologies t h at p rot ect d at a t r av eling acr oss t he I nt er net . Yet a net w or k secur it y solut ion is only as st r ong as it s w eak est link . Net w ork at t ack s can occu r at an y point , including t h e net w ork con nect ion , t he fir ew all, t h e w eb ser ver , or t h e client . Har d en in g t he def en ses at all t hese point s is key t o creat ing an eff ect iv e, all- encom passing net w ork secur it y solu t ion.




2K/XP Operating System Security

There is a lot more to security than the file system. Although it is easy to point out the obvious pitfalls, far more traps are well hidden. For this reason, running a security scanner is a must. The "Securing the NT 4 Web Server" section earlier in the chapter described running the ISS Internet Scanner on an NT 4 server. ISS and its competitors have Windows 2000 and XP products as well. Rather than repeat an essentially identical process, you are encouraged to refer to the NT 4 section.

Modifying Security Templates for Web Servers

The Windows 2000 Server default rights and permissions are far too lenient to be used in a production server. If you just installed your server, or the default template described in the previous sections, you will have just such a configuration. You need to make changes to secure both the file system and the operating system.

Normally, tracking down all the changes would be a never-ending task. As previously mentioned, the National Security Agency (NSA), a U.S. government agency, has done a lot of the work for you. It created a Windows 2000 Server template file called W2K_Server.inf, and you can download it without charge from http://nsa1.www.conxion.com/win2k/download.htm.

TIP

Web sites change. You can get to the download page from a link on the NSA home page, www.nsa.gov.

The W2K_Server.inf template will secure a default server. However, the NSA authors have no way of knowing anything about your local security policy or locally installed folders. The good news is that you can edit their template to include that information. Figure 3-68 illustrates the NSA template fully expanded to show all the policies it supports. This provides a convenient way to examine the configuration settings that you should employ. The policies are as follows:

Account Policies

Local Policies

Event Log

Restricted Groups

System Services

Registry

File System

Figure 3-68. NSA Security Template


TIP

If you download the NSA template, a good destination is the INF folder. It already has templates in it, and you've already added the folder to your Management Console.



Account Policies

The Account Policies portion of the template is comprised of two parts, Password Policy and Account Lockout. Figure 3-69 shows the default Password Policy. The Password age is set at its maximum, 90 days, but a 28-day period makes more sense. Double-click Password Policy to bring up the Template Security Policy Setting dialog box, shown in Figure 3-70, where you can type in the preferred number of days. Click OK to accept your change to the template.

Figure 3-69. Password Policy Page

Figure 3-70. Editing a Password Policy

TIP

The Kerberos policy settings are valid only on a Domain Controller (DC), and the assumption here is that the web server is not a DC.

TIP

Another item in Figure 3-70 is worth noting. A check box labeled "Define this Policy in the Template" is selected by default for nearly every policy in the template. That means that when the template is applied, every security policy included in it will be installed on your machine, not just the ones you change. If you would rather leave some item alone, remember to clear this check box.

The other part of the Account Policies controls Account Lockout. The NSA default is shown in Figure 3-71. A lockout period of 30 minutes is conservative and is recommended. Change this setting using the previous procedure.

Figure 3-71. Account Lockout Policy




TIP

If your legitimate users tend to mistype their passwords frequently, they will overwhelm the help desk with requests to reset the lockout time. Have the help desk log those calls. Before agreeing to shorten the period, check to see if there isn't some group of users, a department, or a location that is having difficulty. If so, try additional training or supplementary documentation instead.

Local Policies

The Local Policies section has three parts:

Audit Policy

User Rights Assignments

Security Options

Figure 3-72 shows the Audit Policy. Auditing every successful account logon event can enter quite a bit of redundant data into the system log; setting it as shown in Figure 3-73 (failure only) is recommended.

Figure 3-72. Audit Policy Defaults




Figure 3-73. Editing Account Logon Events

NOTE

Two similar items are often confusing. Audit logon events logs interactive logons, while Audit account logon events logs network logons. A failed interactive login is far more important to log (and investigate) than a failed network logon.

TIP

Figure 3-24, in the section discussing turning on NT 4 Auditing, shows the recommended audit settings. You are encouraged to use that figure and the surrounding discussion to guide your Windows 2000 and XP configurations.


Figure 3-74 shows the NSA choices for User Rights security. Many of the rights have appropriately been allocated exclusively to administrators. However, the right to access this computer from the network should be changed to prevent a wide variety of NetBIOS hacks. Double-click Deny access to this computer from the network to bring up the screen shown in Figure 3-75. Click Add to launch the pop-up window shown in Figure 3-76. Click the Browse button, and select the group Web Users. Click OK to deny this group that right.

Figure 3-74. User Rights Template

Figure 3-75. Editing the Right to Access This Computer from the Network



Figure 3-76. Selecting the Group to Deny

Figure 3-77 shows the final section within Local Policies in the template: Security Options. Accepting it as they wrote it is recommended.

Figure 3-77. Local Security Policy Options Defaults




TIP

The item that controls renaming the Administrator account is highlighted. In the NT 4 section of this chapter, there is a discussion on the merits of doing just that. (Refer to the "Renaming Critical Accounts" subsection.) You are encouraged to read those pages, even if you have no NT 4 servers.

Event Log

Figure 3-78 shows the Event Log section of the NSA template. The default action to take if log files fill up is to halt the system. In most cases that's fine, but if you have a server that must always be up, consider letting it run even if the logs fill up. The way to change the setting is to double-click the bottom item, Shut down the computer when the security audit log is full. That brings up the setting box shown in Figure 3-79, where you should select the Disabled button and click OK.

Figure 3-78. Default Event Log Page
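The edits this chapter makes in the MMC dialogs (the 28-day password age, the 30-minute lockout, failure-only auditing of account logon events, denying the Web Users group network access, and not halting the server when the security log fills) can also be made directly in the template text, since the snap-in reads and writes a plain secedit .inf file. The following Python is an added example, not code from the book or from the NSA: it parses a constructed template in that layout (the section and key names are the real secedit keys; the sample values are illustrative and the sample is not the real W2K_Server.inf), reports where it departs from the chapter's recommendations, and writes out a hardened copy.

```python
"""Audit and edit a Windows 2000 security template (.inf) in the secedit layout
the Security Templates snap-in reads and writes. Added example, not code from
the book or the NSA; it applies the chapter's MMC edits to the template text."""
import copy

# Constructed sample in secedit .inf layout. Illustrative values only, NOT the
# contents of the real NSA W2K_Server.inf. *S-1-5-32-546 is the Guests group.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
MaximumPasswordAge = 90
LockoutBadCount = 3
LockoutDuration = 15
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\CrashOnAuditFail=4,1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
"""

# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = both.
AUDIT_FAILURE = "2"
# [Registry Values] entries are "<type>,<data>"; type 4 is REG_DWORD, and
# CrashOnAuditFail data 1 halts the server when the security log is full.
CRASH_ON_AUDIT_FAIL = r"MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail"
DENY_NET = "SeDenyNetworkLogonRight"


def parse_template(text):
    """Return {section: {key: value}}, preserving order and key case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError("cannot parse line: %r" % raw)
    return sections

def render_template(sections):
    """Serialise back to the layout the snap-in writes."""
    out = []
    for name, entries in sections.items():
        out.append("[%s]" % name)
        sep = "=" if name == "Registry Values" else " = "
        out.extend(sep.join(kv) for kv in entries.items())
    return "\n".join(out) + "\n"

def undefine(sections, section, key):
    """Drop a key: the .inf equivalent of clearing 'Define this policy in the
    template', so applying the template leaves that setting alone."""
    sections.get(section, {}).pop(key, None)

def holders(sections, privilege):
    """Accounts and groups listed for a privilege in [Privilege Rights]."""
    value = sections.get("Privilege Rights", {}).get(privilege, "")
    return [h.strip() for h in value.split(",") if h.strip()]

def apply_chapter_changes(sections, deny_group="Web Users",
                          max_password_age=28, lockout_minutes=30):
    """Return a hardened copy with the chapter's recommended edits."""
    t = copy.deepcopy(sections)
    access = t.setdefault("System Access", {})
    access["MaximumPasswordAge"] = str(max_password_age)
    access["LockoutDuration"] = str(lockout_minutes)
    t.setdefault("Event Audit", {})["AuditAccountLogon"] = AUDIT_FAILURE
    t.setdefault("Registry Values", {})[CRASH_ON_AUDIT_FAIL] = "4,0"  # Disabled
    names = holders(t, DENY_NET)
    if deny_group not in names:
        names.append(deny_group)
    t.setdefault("Privilege Rights", {})[DENY_NET] = ",".join(names)
    return t

def check_template(sections, deny_group="Web Users"):
    """Findings against the chapter's recommendations; empty means compliant."""
    findings = []
    access = sections.get("System Access", {})
    age = access.get("MaximumPasswordAge")
    if age is None or not 1 <= int(age) <= 28:  # -1 means passwords never expire
        findings.append("MaximumPasswordAge should be 1-28 days, got %s" % age)
    dur = access.get("LockoutDuration")
    if dur is None or 0 < int(dur) < 30:  # 0 = locked until an admin unlocks
        findings.append("LockoutDuration should be at least 30 minutes, got %s" % dur)
    if sections.get("Event Audit", {}).get("AuditAccountLogon") != AUDIT_FAILURE:
        findings.append("AuditAccountLogon should log failures only (2)")
    if sections.get("Registry Values", {}).get(CRASH_ON_AUDIT_FAIL) == "4,1":
        findings.append("CrashOnAuditFail is enabled: server halts when the log fills")
    if deny_group not in holders(sections, DENY_NET):
        findings.append("%s is not denied network access" % deny_group)
    return findings
```

Running `check_template(parse_template(SAMPLE_INF))` lists the five departures in the sample, and `render_template(apply_chapter_changes(...))` produces the corrected template; the Web Users group must already exist on the server, exactly as it must when you select it in the dialog.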




Figure 3-79. Modifying a Rule

Restricted Groups

The Restricted Groups page contains the Power Users group element. The NSA template removes all rights and privileges from that group because the group is not needed on a stand-alone server. Figure 3-80 shows this trivial page.

Figure 3-80. Restricted Groups Page



System Services

One of the primary jobs to perform when hardening a server is to remove or disable any service that isn't needed. The NSA template lists all of the services that you should consider but makes no decisions for you. Figure 3-81 shows one service that you'll never need on a web server with a static address (DHCP Client) being disabled. Table 3-7 provides a list of services that you can disable on your web servers. Before disabling anything, confirm that nothing else on the server depends on it (the Dependencies tab of the service's properties shows this); a dependent service cannot start a disabled one and fails along with it.

Figure 3-81. Disabling a Service via the Template

Table 3-7. Services That Can Be Disabled

Service Name: Description

Clipbook Viewer: Enables the ClipBook Viewer to create and share "pages" of data to be viewed by remote computers.

Computer Browser: Maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that need to view network domains and resources.

DHCP Client: Dynamic Host Configuration Protocol Client manages network configuration by registering and updating IP addresses and Domain Name Server (DNS) names for this computer.

DHCP Server: Allocates IP addresses and allows the advanced configuration of network settings.

DNS Server: Enables DNS name resolution by answering queries and update requests for DNS names.

Fax Service: Enables you to send and receive faxes.

File Server for Macintosh: Enables Macintosh users to store and access files on this Windows server machine.

Gateway Service for NetWare: Provides access to file and print resources on NetWare networks.

Internet Connection Sharing: Provides network address translation (NAT), addressing, and name resolution services for all computers on your home or small-office network through a dial-up or broadband connection.

NetMeeting Remote Desktop Sharing: Allows authorized users to remotely access your Windows desktop from another PC over a corporate intranet using Microsoft NetMeeting.

Print Server for Macintosh: Enables Macintosh clients to route printing to a print spooler located on a computer running Windows 2000 Server.

Print Spooler: Queues and manages print jobs.

Remote Access Auto Connection Manager: Brings up a dialog that offers to make a dialup connection to a remote computer when there is no network access.

Remote Procedure Call (RPC) Locator: Provides the name services for RPC clients.

Remote Registry Service: Allows remote Registry manipulation.

Routing and Remote Access: Offers routing services in local area and WAN environments.

RunAs Service: Allows you to run specific tools and programs with different permissions than your current logon provides.

SAP Agent: Advertises network services on an IPX network.

SMTP: Simple Mail Transport Protocol transports e-mail across the network.

Simple TCP/IP Services: Implements support for Echo, Discard, Character Generator (CharGen), Daytime, and Quote of the Day (QOTD).

Smart Card: Manages and controls access to a smart card inserted into a smart card reader attached to the computer.

TCP/IP Print Server: Enables TCP/IP-based printing using the Line Printer Daemon protocol.

Telephony: Provides Telephony API (TAPI) support for programs that control telephony devices.

Telnet: Allows a remote user to log on to the system and run console programs using the command line.

Windows Time Service: Sets the computer clock.

Two of these deserve a second look before you disable them. Windows Time Service keeps the clock accurate enough for Kerberos (which rejects tickets when clocks differ by more than its default five-minute skew) and for correlating this server's logs with everyone else's, so leave it running on any domain member. Remote Registry Service is what some remote administration and monitoring tools use, so disabling it can break management that you rely on.

TIP

The NSA security template takes no action on the System Services page. If you use it to disable any or all of the services listed in Table 3-7, you need to remember to activate that selection. Figure 3-81 shows you the check box (called Define this policy setting in the template) that you must select. A service whose entry is left undefined keeps whatever startup type it already has on the target machine, so a template that merely lists a service changes nothing.

Registry

The Registry is a high-risk area. Anyone who can make a change there can wreak havoc. The NSA template selects a number of Registry keys with strong security implications and changes their permissions so that only members of the Administrators group can change them. Figure 3-82 shows the default page.

Figure 3-82. Default Registry Page




File System

Changing the file system permissions is easy. The hard part is deciding which files and folders need changing. Although there is no litmus test, a good rule of thumb is that if the folder contains executable files or scripts (such as the Program Files folder or the web root), or the file is a system file or utility (such as boot.ini or regedt32.exe), it should be protected with an ACL that limits access to authorized users or reduces the permissions to the minimum needed. The files mentioned in the previous sentence, for example, need only Read and Execute permissions, not the Full Control that the Everyone group automatically receives. The example that follows adds the locally defined web root to the NSA template.

Figure 3-83 shows the File System page from the template. To add another file or folder to the list, right-click in any empty space to bring up the popup (it is already visible on the page), and click Add File. That gives you the window shown in Figure 3-84, where you navigate to the folder that you want to protect. Select it and click OK.

Figure 3-83. File System Template




Figure 3-84. Adding a New Folder

You see a page like the one shown in Figure 3-85. You can see that the default is to give Everyone the Full Control permission. (By the way, this is the permission that will be assigned when the template is applied, not necessarily the one that is currently in place; the Management Console does not check the current ACL.)


Figure 3-85. Default File Permissions

Edit the list by clicking Add, selecting the groups and users you want, assigning the permissions, and, finally, removing the Everyone group. When you finish, you should have a page that looks like that shown in Figure 3-86.

Figure 3-86. Modified Permissions for New Folder




TIP

IIS creates two accounts when it is installed. One is the anonymous account, named IUSR_machinename (the other, IWAM_machinename, runs out-of-process web applications). You should add IUSR_machinename to the document root directory separately and let it propagate down, giving it Read only, plus Execute where scripts must run, and never Write. This comes in handy if you choose to take advantage of an IIS feature that allows individual user authentication.

Click OK to get to the setting box shown in Figure 3-87. Click the second bullet (it begins, Replace existing permissions...) and then OK. When you finish making changes, save your work by right-clicking the template and choosing Save. If you prefer, you can keep the original by using Save As and choosing an appropriate name for your altered template.

Figure 3-87. Confirming and Propagating Your Changes
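The two mistakes the template editor makes easy are the ones the Services tip and the file-permission walkthrough above warn about: a service that was listed but never had Define this policy setting checked, and a folder or Registry key that was added but still carries the editor's default of Everyone with Full Control. The following Python script is an added example (not code from the book or from the NSA) that reads a saved template in the secedit INF format and reports both. It assumes the documented layout of the [Service General Setting], [Registry Keys] and [File Security] sections and the standard SDDL aliases; the template embedded in it is constructed for the example, its SDDL strings are illustrative rather than copied from any NSA template, and the service names are the Service Control Manager short names (Dhcp, TlntSvr, and so on), not the display names shown in Table 3-7.

```python
"""Audit a secedit-style security template (.inf) for the gotchas described above.

Added example, not code from the book or the NSA templates. Assumed INF layout:
  [Service General Setting]  ServiceName,StartupMode,SDDL   startup: 2=Automatic 3=Manual 4=Disabled
  [Registry Keys]            "MACHINE\\Key",Mode,SDDL
  [File Security]            "C:\\Path",Mode,SDDL            mode: 0=propagate 1=replace existing 2=do not replace
SDDL trustee aliases: WD=Everyone, BA=Administrators, SY=SYSTEM, AU=Authenticated Users.
"""
import re

FULL_CONTROL = {"FA", "GA", "KA"}                     # file-all, generic-all, key-all
FULL_CONTROL_MASKS = {0x1F01FF, 0x10000000, 0xF003F}  # FILE_ALL_ACCESS, GENERIC_ALL, KEY_ALL_ACCESS
ENTRY_RE = re.compile(r'^"?([^"]+?)"?\s*,\s*(\d+)\s*,\s*"?([^"]*)"?\s*$')
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_template(text):
    """{section name: [entry line, ...]}; blank lines and ';' comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_entry(line):
    """'name,mode,"SDDL"' -> (name, mode, sddl); the name may be quoted and contain spaces."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"unparseable template entry: {line!r}")
    name, mode, sddl = m.groups()
    return name, int(mode), sddl


def dacl_aces(sddl):
    """[(ace_type, flags, rights, trustee), ...] from the D: (DACL) part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in ACE_RE.findall(m.group(1) if m else ""):
        parts = body.split(";")
        if len(parts) >= 6:
            aces.append((parts[0], parts[1], parts[2], parts[5]))
    return aces


def grants_full_control(rights):
    """True if an ACE rights field amounts to Full Control, in alias or hex-mask form."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) in FULL_CONTROL_MASKS
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & FULL_CONTROL)


def everyone_full_control(sections, section):
    """Entries whose ACL still grants Everyone Full Control: the editor's default for a new folder (Figure 3-85)."""
    hits = []
    for line in sections.get(section, []):
        name, _mode, sddl = split_entry(line)
        if any(t == "A" and who == "WD" and grants_full_control(rights)
               for t, _flags, rights, who in dacl_aces(sddl)):
            hits.append(name)
    return hits


def service_states(sections):
    """{service short name: startup mode} for every service the template actually defines."""
    states = {}
    for line in sections.get("Service General Setting", []):
        name, mode, _sddl = split_entry(line)
        states[name] = mode
    return states


def not_disabled(sections, wanted):
    """Services you meant to disable that are undefined (Define this policy setting unchecked) or not set to 4."""
    states = service_states(sections)
    return sorted(s for s in wanted if states.get(s) != 4)


# Constructed sample; the SDDL strings are illustrative, not copied from any NSA template.
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
; DHCP Client disabled; Telnet only set to Manual; Computer Browser, Remote Registry, Spooler never defined
Dhcp,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
TlntSvr,3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
[Registry Keys]
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;AU)"
"MACHINE\SOFTWARE\Example",2,"D:PAR(A;CI;KA;;;WD)"
[File Security]
; wwwroot edited as in Figure 3-86 (Everyone cut to Read and Execute, 0x1200A9); ftproot left at the default
"C:\Inetpub\wwwroot",1,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;WD)"
"C:\Inetpub\ftproot",0,"D:PAR(A;OICI;FA;;;WD)"
"""

TABLE_3_7_SHORT_NAMES = ["Browser", "Dhcp", "RemoteRegistry", "Spooler", "TlntSvr"]  # SCM names

if __name__ == "__main__":
    sections = parse_template(SAMPLE_TEMPLATE)
    print("not disabled:", not_disabled(sections, TABLE_3_7_SHORT_NAMES))
    print("Everyone still has Full Control:",
          everyone_full_control(sections, "File Security") + everyone_full_control(sections, "Registry Keys"))
```

To audit your own work, pass the contents of the saved .inf to parse_template instead of the sample. After applying a template with secedit /configure /db hardening.sdb /cfg template.inf, running secedit /analyze against the same database shows where the machine still differs from what the template says.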




One Final Task

One more task remains, no matter which operating system you are using. Most of the extensions that you see attached to files are associated with an executable file on your system. Some are harmless, such as .txt, which is associated with Notepad. Others are rather dangerous. For example, when a file with a .reg extension is launched (double-clicking, typing its name at a command prompt, including it in a batch file, and so on), it starts the Registry Editor and causes it to merge the settings contained in the .reg file into the Registry after a single Yes/No prompt (and with no prompt at all when run as regedit /s). This is too great a risk to leave unpatched.

To correct it, open Windows Explorer, click Tools, and then click Folder Options, as shown in Figure 3-88. This brings up the Folder Options page (Figure 3-89). Click the File Types tab, scroll down to the REG extension, and click Change to bring up the box shown in Figure 3-90. Choose Notepad and click OK several times to exit. From that point on, launching a file with the .reg extension causes it to open in Notepad. As an administrator, if you want to run a .reg file using the Registry Editor, type regedit filename.reg at the command prompt or from the Run dialog box. (It is regedit.exe, not regedt32.exe, that is registered for .reg files; the Windows NT and 2000 regedt32 has no import function for them.) Keep in mind what this change does and does not do: it stops a .reg file from being merged because someone opened it, but a program that is already running can still call regedit /s directly, so treat it as protection against a trick, not as a control on code that already has a foothold.


Figure 3-88. Opening Folder Options in Windows Explorer

Figure 3-89. Viewing File Associations



Figure 3-9. Changing a Dangerous Association
Table 3-8 shows the other extensions that should be re-associated to run with Notepad.

Table 3-8. Dangerous Extensions

Extension   File Type
.inf        Setup File
.msi        Windows Installation File
.vbe        Visual Basic Encoded Script
.vbs        Visual Basic Script
.wsf        Windows Scripting File
.wsh        Windows Scripting Host
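The re-association the chapter describes is done through the Explorer File Types dialog. As an added example (this is not code from the book), the following PowerShell script does the same job on a modern Windows host: it reads the ProgID behind each Table 3-8 extension and the shell open command that ProgID runs, reports which ones hand the file to an interpreter, and, when run with -Fix, points those extensions at the built-in txtfile ProgID so that a double-click opens Notepad instead of executing the file. The extension list comes from the table; the txtfile ProgID and the list of interpreters treated as dangerous are assumptions of the example.

```powershell
# Added example, not from the book: report how each Table 3-8 extension is
# opened on double-click and, with -Fix, re-associate it with Notepad.
# Requires an elevated session; writes to HKCR land in HKLM\SOFTWARE\Classes
# and so apply to every user of the machine.
param([switch]$Fix)

# Extensions from Table 3-8.
$DangerousExtensions = '.inf', '.msi', '.vbe', '.vbs', '.wsf', '.wsh'

# Interpreters whose presence in the open command means "double-click runs it"
# (assumed list for this example).
$ScriptHosts = 'wscript.exe', 'cscript.exe', 'msiexec.exe', 'rundll32.exe'

function Get-ShellOpenCommand {
    param([string]$Extension)
    # HKCR\<ext> default value is the ProgID; HKCR\<ProgID>\shell\open\command is what runs.
    $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    $executes = $false
    foreach ($h in $ScriptHosts) {
        if ($command -and ($command -match [regex]::Escape($h))) { $executes = $true }
    }
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; OpenCommand = $command; Executes = $executes }
}

function Set-NotepadAssociation {
    param([string]$Extension)
    # txtfile is the built-in ProgID whose open verb is notepad.exe, so the file
    # is displayed, not run, when a user double-clicks it.
    Set-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -Name '(default)' -Value 'txtfile'
}

$report = foreach ($ext in $DangerousExtensions) { Get-ShellOpenCommand -Extension $ext }
$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($entry in ($report | Where-Object { $_.Executes })) {
        Set-NotepadAssociation -Extension $entry.Extension
        Write-Output "$($entry.Extension): $($entry.ProgId) -> txtfile"
    }
}
```

Two caveats a practitioner should keep in mind. The script only inspects the open verb: .inf files are normally opened in Notepad already, and their risk sits in the separate Install verb, so the report will not flag them. And re-association changes only what Explorer does on a double-click; a script started explicitly with cscript.exe, or a package started with msiexec /i, still runs, which is also why administrators can keep installing .msi packages from the command line after the change. Per-user entries under HKCU\Software\Classes take precedence over HKCR, so confirm the result by double-clicking a harmless test file.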

Summary

This chapter closely examined the issues involved with securing a Windows Server. The first part concentrated on NT 4, whereas the remainder focused on Windows 2000. The same techniques used in Windows 2000 can also be used in Windows XP.

The next part of the book, devoted to web services, contains three chapters, one each on installing the web server, enhancing its security, and securing FTP.

Part III: Installing and Protecting IIS

The web server with the largest installed base is Microsoft's Internet Information Server (IIS). The vast majority of those installations are IIS4, but newer sites are beginning to use IIS5.

Chapter 4, IIS Installation: This chapter provides instructions for installing IIS4 on NT 4 and IIS5 on both Windows 2000 Server and Windows XP.

Chapter 5, Enhancing Web Server Security: This chapter covers what happens after the web server software has been installed on the various platforms. The next logical steps are to protect the server as a whole and limit access to some of its pages.

Chapter 6, Enhancing the FTP Server: This chapter looks at ways to add SSL to FTP so that well-known FTP security flaws can be avoided.

Chapter 4. IIS Installation

This chapter covers the following topics:

Installing IIS4

Installing IIS5

This chapter is divided into three parts, each dealing with Microsoft Internet Information Server (IIS) installation. The first part explains IIS4 installation on an NT 4 server, the second shows IIS5 installation on Windows 2000 Server, and the third covers installing IIS5 on Windows XP. Each portion covers the topic independently without reference to the others.


Installing IIS4

The prerequisite to installing IIS4 is acquiring the free-for-the-download NT 4 Option Pack. It is a multimegabyte file in self-extracting zip form. After it is downloaded and unpacked, you are ready to begin. Be sure that you are logged in on an NT 4 server as a member of the local Administrators group.


Installing the NT-4 Option Pack

Start the install by launching the Option Pack's Setup.exe. That generates the warning shown in Figure 4-1. Click Yes. Sufficient field experience has shown that IIS4 runs well on SP6a, the version on the development machine, so this warning can be safely ignored. Do, however, reapply the service pack (and any IIS hotfixes) once the Option Pack installation and its reboot are finished: the Option Pack predates SP6a and its Setup can replace newer system files with older copies.

Figure 4-1. Service Pack Warning Message

After the setup program loads some files, you are presented with the Option Pack Welcome screen (Figure 4-2) and then, as shown in Figure 4-3, the End User License Agreement (EULA). Accept the license agreement before continuing.

Figure 4-2. Option Pack Welcome Screen



Figure 4-3. IIS4 on NT-4 License Agreement

Installing IIS4 on NT-4

Clicking Accept at the EULA screen brings you to the Option Pack installation screen, as shown in Figure 4-4.

Figure 4-4. Windows NT 4.0 Option Pack Setup

TIP

Installing the Option Pack also creates a program group called "Windows NT 4.0 Option Pack" under the Programs menu in the All Users profile. This group contains several subgroups and a program called "Windows NT 4.0 Option Pack Setup." Clicking this program is another way to bring up the screen shown in Figure 4-4.

Choosing the Minimum installation, as shown in Figure 4-4, is safe and practical. That installs the web server alone. More importantly, it does not install the dangerous web development tools, such as FrontPage Explorer and NetObjects Fusion. They should never be on the web server. You can install these tools on a development platform in the unlikely event that your web developers aren't using more sophisticated tools already.

The first page from the Minimum installation, shown here as Figure 4-5, asks you to choose a folder for the web server's pages and another folder for the web server's program files. Choose the defaults by clicking Next, but be aware that the home directory location needs to be modified later. The beginning of Chapter 5, "Enhancing Web Server Security," includes a discussion of how to modify the home directory location and why this modification is necessary.



Figure 4-5. Installation Type Selection

TIP

For security purposes, install the web server pages and programs in separate branches of the directory tree or, even better, on different drives.

Spend a few minutes looking at the progress bar shown in Figure 4-6 and then proceed to the thank-you screen shown in Figure 4-7. After you click Finish, you'll suffer the inevitable reboot.

Figure 4-6. Completing IIS4 on NT-4 Installation Progress Bar
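The reason the tip matters is that a path-traversal bug in the server can walk ..\ up a drive but cannot cross to another drive letter, so content on its own volume keeps cmd.exe and the IIS binaries out of reach of such an escape; the same separation also makes it easy to give the content tree a tighter NTFS ACL than the system volume. As an added example (not code from the book), this PowerShell script checks a server against the tip on a modern Windows host: it confirms the content folder sits on a different volume from the system root and from the IIS program directory, and lists any NTFS access entries that grant write-type rights to broad principals. The default paths and the list of principals are assumptions of the example; pass your own paths.

```powershell
# Added example, not from the book: check that web content is isolated from the
# system and program volumes and is not writable by broad principals.
# The default paths and the principal pattern are assumptions; run as a user
# who can read the content folder's ACL. The script only reads.
param(
    [string]$ContentRoot = 'D:\wwwroot',                        # assumed content location
    [string]$ProgramRoot = "$env:SystemRoot\System32\inetsrv"   # assumed IIS program location
)

# Write-type bits only; a ReadAndExecute entry shares no bits with this mask,
# so read-only ACEs are never reported. GENERIC_WRITE and GENERIC_ALL are
# included because inherit-only entries on folders often use generic rights.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

# Identities that should never be able to write into a content tree
# (covers modern IUSR/IIS_IUSRS and the old per-machine IUSR_<host> account).
$BroadPrincipal = '^(Everyone|BUILTIN\\Users|BUILTIN\\IIS_IUSRS|NT AUTHORITY\\(Authenticated Users|ANONYMOUS LOGON|IUSR)|.+\\IUSR_.+)$'

function Test-SeparateVolume {
    param([string]$Path, [string]$Other)
    # Compare drive roots; GetFullPath does not require the path to exist.
    $a = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path))
    $b = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Other))
    return ($a -ne $b)
}

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($ace.IdentityReference.Value -match $BroadPrincipal) { $ace }
    }
}

$findings = @()
if (-not (Test-SeparateVolume -Path $ContentRoot -Other $env:SystemRoot)) {
    $findings += "$ContentRoot shares a volume with the system root $env:SystemRoot"
}
if (-not (Test-SeparateVolume -Path $ContentRoot -Other $ProgramRoot)) {
    $findings += "$ContentRoot shares a volume with the web server programs in $ProgramRoot"
}
if (Test-Path -LiteralPath $ContentRoot) {
    foreach ($ace in Get-BroadWriteAce -Path $ContentRoot) {
        $findings += "$($ace.IdentityReference.Value) has $($ace.FileSystemRights) on $ContentRoot"
    }
} else {
    $findings += "$ContentRoot does not exist; ACL check skipped"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "OK: $ContentRoot is on its own volume and has no broad write access" }
```

The script looks only at the top of the content tree; run it against any subfolder that holds uploads or scripts as well, since an explicit ACE there can widen what the parent denies. A finding that the content root shares the system volume is exactly the situation the home-directory change in Chapter 5 is meant to correct.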



Figure 4-7. Successful IIS4 Installation Completion Page

After rebooting, you'll find a new subgroup added to the Windows NT 4.0 Option Pack group on the Start menu. Figure 4-8 shows that subgroup and its two tools, the FrontPage Server Administrator and the Internet Service Manager. This latter tool manages and reconfigures the IIS4 web server. It will soon become one of your most frequently used programs on the web server. You'll probably want to drag its shortcut to the taskbar or the desktop.

Figure 4-8. New IIS Subgroup in NT-4


Regardless of whether you created the shortcut or not, the next step is to launch the program. Don't be surprised that it is called the Microsoft Management Console (MMC). Microsoft uses the MMC as a uniform way to manage many of its Windows operating systems' features, including IIS4. Figure 4-9 shows the MMC just after launch. Expand both the top item (called Internet Information Server) and the next item underneath Internet Information Server (which contains the PC's name).
Figure 4-9. Microsoft Management Console Opening Page



To manage the server, right-click Default Web Site and choose Properties, as shown in Figure 4-10.

Figure 4-10. Managing the IIS4 Web Server




The properties dialog is a page with multiple tabs. Select the Directory Security tab and from that choose Edit under Anonymous Access and Authentication. A dialog similar to that shown in Figure 4-11 results. Clear the check box next to Windows NT Challenge/Response. You should leave the Allow Anonymous Access check box selected. (All three options on this popup are discussed in detail in Chapter 5.) Click OK to return to the Properties page.

Figure 4-11. IIS4 Authentication Methods Popup


Choose the Home Directory tab. Change the local path to wherever you decide to put the content of your web site. When possible, choose a dedicated, separate physical drive on the web server. In the example shown in Figure 4-12, the D: drive holds the web content. A more complete discussion of this item and its implications is found at the beginning of Chapter 5.

Figure 4-12. Changing the IIS4 Home Directory


After changing the home page location, click OK to bring up the Inheritance Overrides screen shown in Figure 4-13. With Inheritance Overrides you can force the same authentication type on all web pages. Individual pages at lower levels can be configured differently, if needed. Click the Select All button and then OK.
Figure 4-13. IIS4 Inheritance Override Window



When the Management Console page refreshes (see Figure 4-14), you see the folders that already exist in the home directory. For our purposes, four directories have been created. They are used in the next two chapters to test the security enhancements that you make.

Figure 4-14. IIS4 Management Console Showing Home Page Folders




NOTE

Before installing the web server, four directories and a default home page were created. The home page has links to a single file in each of those directories. They're mnemonically named and are used in later chapters to test and demonstrate various access options. (If the page defined by the file is displayed, access was successful.) The IPADDRESS page, for example, says, "IPADDRESS is working." When configured, it won't be accessible unless reached from a client at an authorized IP address. This subdirectory structure and the home page that accesses it are detailed in Appendix C, "Contents of the WSFG Web Site."

Installation isn't complete without a test. Start Internet Explorer and put in the PC's name as the URL. Figure 4-15 shows the results.
Figure 4-15. Web Security Field Guide Home Page in IIS4
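The browser test above only proves that the home page loads. The script below is an added example (not from the book) that repeats the test from the command line and also verifies the two Directory Security choices made earlier: it requests the home page and each test subdirectory, then reads the status code and every WWW-Authenticate header, so a Windows NT Challenge/Response setting left enabled shows up as a finding instead of a silent logon prompt in the browser. The host name, the test paths (only the IPADDRESS directory is named in the chapter; the other three are in Appendix C) and the sample responses at the bottom are assumptions or constructed for the offline run.

```python
"""Command-line re-run of the IIS4 installation test plus an authentication check.

Added example, not from the book. Assumes the server answers on port 80, the home
page is '/', and test subdirectories are served under their directory names.
"""
import http.client
import re
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Paths to probe: home page plus the test subdirectories (names assumed).
TEST_PATHS = ("/", "/IPADDRESS/")

# Schemes IIS can advertise; 'ntlm' is what the dialog calls
# "Windows NT Challenge/Response".
KNOWN_SCHEMES = ("ntlm", "negotiate", "basic", "digest")
_QUOTED = re.compile(r'"[^"]*"')
_SCHEME = re.compile(r"(?i)(?:^|,)\s*(" + "|".join(KNOWN_SCHEMES) + r")\b")


def auth_schemes(headers: Headers) -> List[str]:
    """Lower-cased schemes named in every WWW-Authenticate header, in order.

    IIS sends one header per enabled method (e.g. 'NTLM' and 'Basic realm="..."'),
    but one header may also carry a comma-separated list, so both forms are
    handled. Quoted realms are blanked first so a comma inside a realm is not
    mistaken for a second challenge.
    """
    found: List[str] = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for match in _SCHEME.finditer(_QUOTED.sub('""', value)):
            scheme = match.group(1).lower()
            if scheme not in found:
                found.append(scheme)
    return found


def parse_raw_response(raw: str) -> Tuple[int, Headers]:
    """Split a raw HTTP/1.x response into (status code, header list)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return status, headers


def assess(status: int, headers: Headers) -> List[str]:
    """Findings for one response, measured against the settings chosen above:
    Allow Anonymous Access on, Windows NT Challenge/Response off."""
    findings: List[str] = []
    if status == 200:
        findings.append("anonymous access OK")
    elif status == 401:
        findings.append("anonymous access denied")
        schemes = auth_schemes(headers)
        if "ntlm" in schemes or "negotiate" in schemes:
            findings.append("NT Challenge/Response still advertised (NTLM/Negotiate)")
        if "basic" in schemes:
            findings.append("Basic advertised: credentials travel in cleartext unless SSL is used")
        if not schemes:
            findings.append("401 without a WWW-Authenticate challenge")
    elif status == 403:
        findings.append("forbidden (IP restriction or NTFS/IIS permission)")
    else:
        findings.append(f"unexpected status {status}")
    return findings


def probe(host: str, path: str, timeout: float = 5.0) -> Tuple[int, Headers]:
    """Fetch one path from the live server; getheaders() keeps duplicate headers."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, list(resp.getheaders())
    finally:
        conn.close()


def check_server(host: str) -> dict:
    """Map each test path to its findings on the live server."""
    return {path: assess(*probe(host, path)) for path in TEST_PATHS}


# Constructed sample responses (not captured traffic) for an offline run.
SAMPLE_RESPONSES = {
    "ntlm_left_on": (
        "HTTP/1.1 401 Access Denied\r\nServer: Microsoft-IIS/4.0\r\n"
        'WWW-Authenticate: NTLM\r\nWWW-Authenticate: Basic realm="webserver"\r\n'
        "Content-Length: 0\r\n\r\n"
    ),
    "anonymous_ok": (
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
        "Content-Type: text/html\r\n\r\n<html>IPADDRESS is working.</html>"
    ),
    "ip_restricted": "HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/4.0\r\n\r\n",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python iis4_check.py <pc-name>
        for path, findings in check_server(sys.argv[1]).items():
            print(path, "->", "; ".join(findings))
    else:                                       # offline demonstration
        for label, raw in SAMPLE_RESPONSES.items():
            print(label, "->", "; ".join(assess(*parse_raw_response(raw))))
```

Run it with the PC's name as the only argument to query the real server; without arguments it evaluates the constructed responses. A 403 on the IPADDRESS path from a client outside the authorized range is the expected result once the IP restriction from the later chapters is in place, so the script reports it as a finding rather than an error.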




Because the home page displays, it is evident that the installation was successful.

If you're interested in IIS5, read on. If not, you're finished with this chapter.

Installing IIS5

Unlike its predecessor, you don't need to acquire IIS5 separately. It comes with both Windows 2000 Server and Windows XP Professional. Before beginning the install on either platform, be sure that you are logged in as a member of the local Administrators group.

Installation steps on Windows 2000 and Windows XP are nearly the same. However, enough subtle differences exist to warrant separate discussions.

Windows 2000 Installation

Windows 2000 Server has a built-in tool called Configure Your Server. Its shortcut is in the Administrative Tools program group, as shown in Figure 4-16.

Figure 4-16. Windows 2000 Configure Your Server Tool

NOTE

These instructions assume that IIS was not installed (or even partially installed) during the Windows 2000 Server installation. If it was, there will be some differences, but you should still be able to follow along.

A wizard launches after you click the shortcut. Click the Web/Media Server item in the left column to expand it (the results are shown in Figure 4-17), and click Web Server to continue. The screen shown in Figure 4-18 tells you to click the underlined Start keyword to launch the Components wizard. That brings you to the screen shown in Figure 4-19.


Figure 4-17. Expanding the Web/Media Servers Branch


Figure 4-18. Launch Point for the Windows Components Wizard





Figure 4-19. IIS5 on W2K Windows Components Selection Tool

TIP

As is often the case in Windows, you can get to this point in other ways. Control Panel's Add/Remove Programs followed by Windows Components does the trick, too. You can choose whichever path you prefer.

Click the check box next to Internet Information Services (IIS) and click the Details button.

Some of the defaults need to be changed to increase security on the publicly accessible server. Clear the check box next to FrontPage 2000 Server Extensions. That brings up the warning shown in Figure 4-20. Click Yes and let the dependents go, too.


Figure 4-20. IIS Components After Clearing the FrontPage Checkbox

NOTE

FrontPage extensions make web development easier, but far less secure. For example, they allow users to upload new or modified web pages using the web server itself. This is convenient in a development environment but invites trouble when left on a web server that anyone can access. That's why they're specifically omitted from the installation here.

Make sure that neither Internet News (NNTP) nor FTP is selected (as shown in Figure 4-21) and click OK. Click Next in the Windows Components screen. You receive a warning message asking you to be sure that the Windows 2000 distribution disk is handy. After you've loaded it, click OK there, too.

Figure 4-21. IIS Component Page, Ready for Secure Install




NOTE

If you already applied Windows 2000 Service Pack 2, you'll be asked for it rather than the distribution CD. Applying Service Packs, patches, and upgrades are all covered in detail in Chapter 11, "Maintaining Ongoing Security."

Spend a few minutes looking at the progress bar shown in Figure 4-22 and then proceed to the completion screen shown in Figure 4-23. Click the Finish button and then close the Configure Your Server tool.

Figure 4-22. Completing IIS5 on Windows 2000 Progress Bar




Figure 4-23. IIS5 Windows 2000 Successful Completion Page

The installation program added an item to the Administrative Tools program group called Internet Services Manager. (See Figure 4-24.) This tool manages and reconfigures the IIS5 web server. It will soon become one of your most frequently used programs on the web server. You'll probably want to drag its shortcut to the taskbar or desktop.

Figure 4-24. New Internet Services Manager Menu Item




Regardless of whether you create the shortcut or not, the next step is to launch the program. Click the new shortcut to get to the screen shown in Figure 4-25.

Figure 4-25. IIS5 Internet Services Manager Opening Page




To manage the server, right-click the Default Web Site item and choose Properties, as shown in Figure 4-26.

Figure 4-26. Managing the IIS5 Web Server in Windows 2000




The properties dialog is a page with multiple tabs. Select the Directory Security tab and choose Edit under Anonymous Access and Authentication. You see a dialog similar to Figure 4-27. Clear the check box next to Integrated Windows authentication. Make sure that the check box in Anonymous access is still selected. (All four options on this popup are discussed in detail in the next chapter.) Click OK to return to the Properties page.

Figure 4-27. IIS5 Authentication Methods Popup in Windows 2000




Choose the Home Directory tab. Change the local path to wherever you decide to put the content of your web site. When possible, choose a dedicated, separate physical drive on the web server. In the example shown in Figure 4-28, the D: drive holds the web content. A more complete discussion of this item and its implications is found at the beginning of Chapter 5.

Figure 4-28. Changing the IIS5 Home Directory in Windows 2000




After changing the home directory, click OK to bring up the Inheritance Overrides screen (shown in Figure 4-29) to force the same authentication type on all web pages. You can always change individual pages at lower levels later if the situation warrants. Click the Select All button and then OK.

Figure 4-29. IIS5 Inheritance Override Window in Windows 2000




When the Internet Service Manager page refreshes (see Figure 4-30) you see the folders that already exist in the home directory. For example purposes, four directories have been created. They are used in the next two chapters to test the security enhancements that you make.

Figure 4-30. Internet Service Manager with Home Page Folders for Windows 2000




NOTE

Before installing the web server, four directories and a default home page were created. The home page has links to a single file in each of those directories. They're mnemonically named and are used in later chapters to test and demonstrate various access options. (If the page defined by the file displays, access was successful.) The IPADDRESS page, for example, says, "IPADDRESS is working." When configured, it won't be accessible unless reached from a client at an authorized IP address. This subdirectory structure and the home page that accesses it are detailed in Appendix C.

Installation isn't complete without a test. Start Internet Explorer and enter the PC's name as the URL. Figure 4-31 shows the results.

Figure 4-31. Web Security Field Guide Home Page on the Windows 2000 Server




Because the home page displays, it is evident that the installation was successful.

Administration Server

IIS5 installs on Windows 2000 Server with the Default Web Site and the Administration Web Site active. Figure 4-32 shows the Internet Service Manager displaying the two sites.

Figure 4-32. Internet Service Manager Showing Both Installed Web Servers

You can use the Administration Web Site to manage the Default Web Site just as you can use the Properties dialog. The two key differences follow:

The Administration Web Site is HTML-based, so you use a browser instead of MMC for management.

By default, the Administration Web Site can be accessed only from the web server itself.

To get ready to access the HTML code, you must first take note of the random port number assigned to the Administration site. In this case, Figure 4-32 shows that the site is running on port 9974. Launch the Administration Web Site by starting Internet Explorer and keying in the following URL: http://localhost:9974. That gives you the screen shown in Figure 4-33.

Figure 4-33. Administration Web Site Home Page

Click the plus sign next to the Default Web Site link to expand the branch. This is the same list that the Internet Service Manager produces (see Figure 4-34).

Figure 4-34. Administration Web Site Showing Default Site Details

To see how the Administration Web Site can be used to manage itself or any other web site on your PC, double-click the underlined Administration Web Site link. Figure 4-35 shows the result.

Figure 4-35. Administration Web Site Home Page

Click the Security link to see the screen shown in Figure 4-36, and click the middle Edit button (IP Address and Domain Name Restrictions) to bring up the dialog box shown in Figure 4-37. That page denies access to all requests except those that originate on the local host, 127.0.0.1. If you want to manage the web server from another PC, you need to add its address using this page.

Figure 4-36. Administration Site Security Page


Figure 4-37. Restricting IP Traffic

A complete discussion of the IP address-based security feature is found in Chapter 5 in the "IP Address-Based Restrictions" section. If you're interested in IIS5 on Windows XP, read on. If not, you're finished with this chapter.
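The following Python is an added example, not code from the book or from IIS: it models the decision the IP Address and Domain Name Restrictions dialog makes (a default of Granted or Denied access, inverted by any matching exception) so you can reason about what adding a management PC's address really admits, and adds a small audit that flags a Granted default or an exception wider than a /24. The client addresses and the /24 threshold are constructed assumptions for illustration.

```python
"""Model of the IIS5 "IP Address and Domain Name Restrictions" decision.

Added example, not code from the book or from IIS itself. The dialog in
Figure 4-37 has two parts: a default ("Granted access" or "Denied access")
and a list of exceptions, each a single computer (a /32) or a group of
computers given as network address plus subnet mask. A request is
evaluated against the exceptions; a match inverts the default.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpRestrictionPolicy:
    # True models "Granted access" as the default, False models "Denied access".
    default_grant: bool
    # Exceptions to the default, stored as IPv4 networks.
    exceptions: list = field(default_factory=list)

    def add_single_computer(self, address: str) -> None:
        """The dialog's 'Single computer' choice: one host, i.e. a /32."""
        self.exceptions.append(ipaddress.ip_network(f"{address}/32"))

    def add_group(self, network: str, subnet_mask: str) -> None:
        """The dialog's 'Group of computers' choice: network plus dotted mask."""
        self.exceptions.append(
            ipaddress.ip_network(f"{network}/{subnet_mask}", strict=False))

    def allows(self, client_ip: str) -> bool:
        """Return True when a request from client_ip would be served."""
        ip = ipaddress.ip_address(client_ip)
        matched = any(ip in net for net in self.exceptions)
        # A matching exception flips the default: denied-by-default plus a
        # match means allowed; granted-by-default plus a match means denied.
        return self.default_grant != matched


def book_default_policy() -> IpRestrictionPolicy:
    """The Administration Web Site as installed: deny all except 127.0.0.1."""
    policy = IpRestrictionPolicy(default_grant=False)
    policy.add_single_computer("127.0.0.1")
    return policy


def policy_with_admin_pc(admin_ip: str) -> IpRestrictionPolicy:
    """The change the text describes: add one management PC's address."""
    policy = book_default_policy()
    policy.add_single_computer(admin_ip)
    return policy


def audit(policy: IpRestrictionPolicy, widest_ok_prefix: int = 24) -> list:
    """Flag settings that leave an administration site broadly reachable.

    For a site that should only ever be managed from a few hosts, a
    'Granted access' default or an exception wider than widest_ok_prefix
    (an assumed threshold; /24 is 256 addresses) deserves a second look.
    """
    findings = []
    if policy.default_grant:
        findings.append("default is 'Granted access': reachable from any address "
                        "not explicitly listed")
        return findings
    for net in policy.exceptions:
        if net.prefixlen < widest_ok_prefix:
            findings.append(f"exception {net} admits {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    # Constructed sample: a management PC at 192.168.1.20 is added; its
    # neighbour at .21 and a remote address stay blocked.
    policy = policy_with_admin_pc("192.168.1.20")
    for client in ("127.0.0.1", "192.168.1.20", "192.168.1.21", "203.0.113.9"):
        print(f"{client:15} -> {'allowed' if policy.allows(client) else 'denied'}")
    # A tempting shortcut: admitting a whole /8 instead of one PC.
    wide = IpRestrictionPolicy(default_grant=False)
    wide.add_group("10.0.0.0", "255.0.0.0")
    print(audit(wide))
```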

Windows XP Installation

The easy way to install IIS5 on Windows XP is to insert the Windows XP distribution CD and let the autorun program give you the screen shown in Figure 4-38. You'll need the CD's contents later when the installation copies files from it anyway. If you copied the CD to a disk somewhere, the best alternative is to run the setup.exe file from that location.

Figure 4-38. Windows XP's Setup Program

NOTE

Windows XP Professional, like Windows 2000 Professional, has a limit of one web server per PC. Neither NT-4 nor Windows 2000 Server has such a limitation, nor do the new .NET servers. Although the .NET install will reportedly be the same as XP, at the time of this writing .NET is still in early beta, and testing that theory isn't possible. The XP installation instructions are included here to assist readers who wind up using this book in a new .NET environment. There are likely to be more similarities than differences.

Click Install optional Windows components to bring you to the screen shown in Figure 4-39.

Figure 4-39. IIS5 on XP Windows Components Selection Tool

Click the check box next to Internet Information Services (IIS) and click the Details button. Some of the defaults need to be changed. Clear the check box next to FrontPage 2000 Server Extensions to get to the screen shown in Figure 4-40.

Figure 4-40. IIS Components After Clearing the FrontPage Check Box

NOTE

FrontPage extensions make web development easier, but far less secure. For example, they allow users to upload new or modified web pages using the web server itself. This is convenient in a development environment but invites trouble when left on a web server that anyone can access. That's why they're specifically omitted from the installation here.

Make sure that neither News (NNTP) nor FTP is selected and click OK. In the Windows Components screen, click Next. This is where you need the Windows XP distribution disk. If it is not already in the CD drive, make sure you have access to its contents.

Spend a few minutes looking at the progress bar in Figure 4-41 and then proceed to the completion screen shown in Figure 4-42. Click the Finish button and Exit from the Welcome to Microsoft Windows XP screen.

Figure 4-41. Completing IIS5 on Windows XP Progress Bar

Figure 4-42. IIS5 on Windows XP Successful Completion Page

The Internet Information Services program manages IIS5 on Windows XP. The shortcut to launch it is fairly well buried. (XP's philosophy seems to be to make things users need easy to find while placing administrator tools in obscure locations.) To get to the shortcut, launch Control Panel, place it in Classic View, and select Administrative Tools. This is shown in Figure 4-43.

Figure 4-43. Administrative Tools in Windows XP's Control Panel

Figure 4-44 shows the various administrative tools, including the IIS shortcut. Right-click it and choose Pin to Start Menu, as shown in Figure 4-45, unless you want to go through Control Panel each time you launch the program.

Figure 4-44. IIS5 Shortcut Under Administrative Tools

Figure 4-45. Making the IIS5 Management Tool Easy to Find

Click I nt e rn et I nf orm at ion Se rv ices t o get t o t h e scr een show n in Figur e 4- 4 6.

Figu r e 4 - 4 6 . I I S5 I nt e r n et Se r v ice s M an a ger Op en in g Pa ge



To manage the server, expand the tree, right-click the Default Web Site item, and choose Properties. That gives you the screen shown in Figure 4-47.

Figure 4-47. Managing the IIS5 Web Server in Windows XP



The Properties dialog is a page with multiple tabs. Even though IIS5 is supposed to be the same for both Windows 2000 and Windows XP, this dialog is slightly different. If you compare Figure 4-47 with the background dialog shown in Figure 4-28 from the section on installing IIS5 on Windows 2000 Server, you'll see that there are fewer dialog tabs. This is because management for some tasks has been moved. For example, the Windows 2000 version has a Performance tab. In Windows XP, those controls are located in the Performance application that is also shown in Figure 4-44 (the Administrative Tools shortcuts).

The first step in managing the web server is to select the Directory Security tab and choose Edit under Anonymous Access and Authentication. You see a screen similar to Figure 4-48.

Clear the check box next to Anonymous Access and Authentication Control, but make sure that the Anonymous Access checkbox is still selected. (All four options on this popup are discussed in detail in the next chapter.) Click OK to return to the Properties page.

Figure 4-48. The IIS5 Authentication Methods Popup in Windows XP



Choose the Home Directory tab. Change the local path to wherever you decide to put the content of your web site. When possible, choose a dedicated, separate physical drive on the web server. In the example shown in Figure 4-49, the D: drive holds the web content. A more complete discussion of this item and its implications is found at the beginning of Chapter 5.

Figure 4-49. Changing the IIS5 Home Directory in Windows XP



After changing the home page, click OK to bring up the Inheritance Overrides screen shown in Figure 4-50 to force the same authentication type on all web pages. You can change lower-level pages independently if your needs warrant it. Click the Select All button and then click OK.

Figure 4-50. IIS5 Inheritance Override Window in Windows XP



When the Internet Service Manager page refreshes (see Figure 4-51), you see the folders that already exist in the home directory. For this book's purposes, four directories have been created. They'll be used in the next two chapters to test the security enhancements that you make.

Figure 4-51. Internet Service Manager with Home Page Folders for Windows XP



NOTE

Before installing the web server, four directories and a default home page were created. The home page has links to a single file in each of those directories. They're named mnemonically and are used in later chapters to test and demonstrate various access options. (If the page defined by the file displays, access was successful.) The IPADDRESS page, for example, says, "IPADDRESS is working." When configured, it won't be accessible unless reached from a client at an authorized IP Address. This subdirectory structure and the home page that accesses it are detailed in Appendix C.

Installation isn't complete without a test. Start Internet Explorer and enter the PC's name as the URL. Figure 4-52 shows the results.

Figure 4-52. Web Security Field Guide Home Page on Windows XP Server



Because the home page displays, it is evident that the installation was successful.
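The manual browser test above can be automated. The following is an added Python example, not code from the book: it requests the home page and one test page per directory, classifies each answer as served, denied or missing, and runs against a constructed stand-in server so it works offline. The ANONYMOUS and MISSING directory names, the home page marker text and the stand-in's 403 behaviour for IPADDRESS are assumptions.

```python
"""Smoke test for the test-page layout described in the note above.

Added example, not from the book. Directory names other than IPADDRESS,
the home page marker text, and the stand-in server are all assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def page_status(host, port, path, marker, timeout=5):
    """GET one page and classify the answer.

    'ok'       200 and the expected marker text is in the body
    'denied'   401 or 403 (an access restriction is in force)
    'missing'  404 (the directory or file is not there)
    anything else is reported as 'error:<status>'.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
    if resp.status == 200:
        return "ok" if marker in body else "unexpected-content"
    if resp.status in (401, 403):
        return "denied"
    if resp.status == 404:
        return "missing"
    return f"error:{resp.status}"


def check_test_pages(host, port, names, home_marker):
    """Return {name: status} for the home page ('HOME') and each test directory.

    Each test directory is expected to serve a page saying '<NAME> is working.',
    which is the convention the book's test pages follow.
    """
    results = {"HOME": page_status(host, port, "/", home_marker)}
    for name in names:
        results[name] = page_status(host, port, f"/{name}/", f"{name} is working.")
    return results


# --- constructed stand-in for the IIS box, so the check runs offline ---------
HOME_MARKER = "Web Security Field Guide"          # assumed home page title
SAMPLE_PAGES = {
    "/": f"<html><body><h1>{HOME_MARKER}</h1>"
         "<a href='/IPADDRESS/'>IPADDRESS</a></body></html>",
    "/IPADDRESS/": "IPADDRESS is working.",
    "/ANONYMOUS/": "ANONYMOUS is working.",      # hypothetical directory name
}
# Simulates the IP restriction on IPADDRESS as seen from an unauthorized client.
DENY_PATHS = {"/IPADDRESS/"}


class SampleHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path in DENY_PATHS:
            self.send_response(403)
            self.end_headers()
            return
        body = SAMPLE_PAGES.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo output to the summary printed below


def run_demo():
    """Start the stand-in server on a free port, run the check, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), SampleHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return check_test_pages(host, port,
                                ["IPADDRESS", "ANONYMOUS", "MISSING"], HOME_MARKER)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:10} {status}")
```

Against a real server, point check_test_pages at the PC's name and port 80 and compare each status with the access you intended for that directory.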

Summary

This chapter took a careful look at installing IIS4 on NT4 and IIS5 on both Windows 2000 Server and Windows XP Professional. Chapter 5 guides you through the process of reconfiguring IIS to make it more secure and explains many of the choices that you need to make.

Chapter 5. Enhancing Web Server Security

This chapter covers the following topics:

• Securing the Web Server
• Web Servers Versus Development Servers
• Locating Document Root
• Logging
• Limiting Access to Your Web Server
• Miscellaneous Security Enhancements
• Hosting Multiple Web Servers

A freshly installed web server is a completely defenseless platform. Before making it available for access, your job is to secure it. Here's how.

After the web server is installed, you can take several steps to secure it. You can prevent anonymous access by limiting access to those with preestablished user names and passwords, those with accounts in the Domain Controller or Active Directory, or those coming from certain IP addresses or networks. This chapter covers these items. For the most part, the steps are the same whether you use Internet Information Server Version 4.0 (IIS4) or IIS5. Where slight differences exist, they'll be shown.

You can take another step beyond those user-based limitations. You can add Secure Sockets Layer (SSL or, more commonly, HTTPS) to force data encryption, and you can require the browsers that connect to your web server to present a certificate before being allowed in. Those topics are covered in Chapter 9, "Becoming a Certification Authority (CA)."

Web Servers Versus Development Servers Web ser ver s, as t he t er m is used in t h is book , r ef er t o d ed icat ed ser v er s w it h cont ent t hat w ill be accessed ov er an I n t er net or int r anet usin g t he HTTP pr ot ocol. This is in con t r ast t o d ev elopm en t •ser v ers, w hich Table s ions t hat h ave I I S load ed on t o t h em so t hat w eb dev elop er s can t est ar eofwContent ork st at •t heir w or k . I ndex W e b S ecur it y Fi el d Gu ide

You m ig ht be t em pt ed t o d o t h e developm ent wor k on t h e pub lic w eb ser v er, but t his is a By St eve Kalman m ist ak e f or sev er al r easons: Pub lish er: Cisco Press Pub SeDat curi e: Novem t y— ber Many 08 , 20 of02t h e

developm ent t ools w er e w r it t en assum ing t hat t hey w ou ld nev er be deploy ed t h92 e -7dedicat ed serv er. To u se t hem, t he d ev elop er need s a m uch high er lev el of I SBN: 158 on 705 -0 secur y 8access t h an t he an ony mou s, guest - like u ser account t hat is used t o access p ages Pages:it60 on t he d ed icat ed ser v er . Th e t ools t h em selv es ar e oft en inst alled as serv ices w it h pr iv ileges of t heir ow n. Leavin g t h ese t ools on t h e w eb serv er is like leav ing t he k eys t o t h e st ore on t he sidew alk by t he f ron t d oor.

I nt e gr it y — Ad - hoc chan ges should nev er be m ade t o live env ir onm en t s. Web sit e u ser s Hand sonnot t echniqu es for secur g Window s( r ) not serv ers,dbm r owser comoccur m un icat ions. w ill appr eciat e br okeninlink s or page- foun essags,esand t hatnet in w evork it ably w h en pag es are edit ed in real t im e. Cr eat ectIiv policies and ules for op at ing aining U sa bielieff t y— f e t hsecur e w ebit ypag es, w eb serest v erab , lish an d rbr owser ar eerall on in t heand sammeaint com put er ,a p age secur it y conscious env ir onm en t access t im es can not possib ly repr esent t h e t yp ical user ' s exp er ience. The LAN w ill slow t hose on t h e int r anet d ow n a lit t le. Those on t he I nt er net w ill b e ev en mor e const r ained by Lear n how t o har den Window s m u lt i- u ser p lat for m s, inclu ding NT, 2 000 , and XP net w or k congest ion an d t heir ow n access d at a r at es. I n addit ion, su ppor t files, such as dy namsticand linksecur libr are ies DLLs) , any heref or in Wind t h e sear p atser h wv ers ill be o t he ce local Under inst( allat ion op twions owsch w eb andeliver d how ed t o tenhan user bu t m ight not be av ailable t o t he r em ot e user. Developer s need t o m easur e secur it y on exist ing w eb an d FTP ser v er in st allat ions accessib ilit y and usabilit y in a w ay t hat m imics t h eir u ser s' real- w or ld env ir onm en t s. I m pr ove secur it y at t he end user' s w or kst at ion, inclu ding w eb b row ser s, desk t ops, an d Aft er lapt separ opat s ing t he developm ent machin es f r om t hose w her e t h e w eb sit es are deployed, you need a secur e w ay t o t r ansfer p ages t o t he w eb ser ver . The t ool of choice here is secur e FTP, a t opic Ev d iscussed in det ailan indCh apt er g tt hificat e FTP Servererand ." 

Locating Document Root

When a web page is accessed via its domain name with no other qualifiers (for example, http://pc3.example.com), the web server looks for a page with one of several possible names (index.html, default.html, and so forth) in the document root directory identified during installation.

Document root can be located in any of several possible places (in increasing order of security):

- As a subdirectory of the IIS software
- On the same drive as the IIS software, but in a different directory tree
- On the same server as the IIS software, but on a different physical drive or partition
- On a different server

A corresponding descriptive list would be

- Subdirectory -> Promiscuous
- Same drive -> Permissive
- Same server, different drive -> Prudent
- Different server -> Paranoid

The first two options are too insecure: content that shares a drive with the operating system and the IIS binaries is one directory traversal or misconfigured virtual directory away from them. The last is not so much a security choice as it is a load-balancing option. The third choice is the one implemented here. See the discussion in Chapter 4, "IIS Installation," of Figures 4-12, 4-29, and 4-50 for examples of changing document root in IIS4, IIS5 on Windows 2000 Server, and IIS5 on Windows XP, respectively.
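As an added illustration (not code from the book), the following Python function applies the four-level scale above to a pair of Windows paths, so the placement can be checked from a script rather than by eye. The IIS install directory and the candidate document roots in the usage section are assumptions; a UNC path is treated as "a different server", and a different drive letter is reported as Prudent even though the path alone cannot tell a separate disk from a partition on the same one.

```python
"""Classify where an IIS document root sits relative to the IIS binaries.

Added example, not code from the book: it applies the book's four-level
scale (Promiscuous / Permissive / Prudent / Paranoid) to a pair of Windows
paths. The paths used under __main__ are assumptions.
"""
from pathlib import PureWindowsPath

LEVELS = ("Promiscuous", "Permissive", "Prudent", "Paranoid")


def classify_document_root(iis_dir: str, doc_root: str) -> str:
    """Return the book's label for doc_root relative to the IIS install dir.

    A UNC path (\\\\server\\share\\...) counts as "a different server".
    A different drive letter may still be a partition on the same physical
    disk; the path alone cannot distinguish the two, so it is reported
    as Prudent either way.
    """
    iis = PureWindowsPath(iis_dir)
    doc = PureWindowsPath(doc_root)
    if not iis.drive or not doc.drive:
        raise ValueError("both paths must be absolute (drive letter or UNC)")
    if doc.drive.startswith("\\\\"):          # UNC share => another server
        return "Paranoid"
    if doc.drive.lower() != iis.drive.lower():  # other drive letter
        return "Prudent"
    # Same drive: inside the IIS tree, or merely elsewhere on the drive?
    # PureWindowsPath comparisons are case-insensitive, as Windows is.
    if doc == iis or iis in doc.parents:
        return "Promiscuous"
    return "Permissive"


def meets_minimum(level: str) -> bool:
    """True for the two placements the text considers acceptable."""
    return LEVELS.index(level) >= LEVELS.index("Prudent")


if __name__ == "__main__":
    iis_dir = r"C:\WINNT\System32\inetsrv"          # assumed IIS location
    for candidate in (r"C:\WINNT\System32\inetsrv\wwwroot",
                      r"C:\Inetpub\wwwroot",
                      r"D:\wwwroot",
                      r"\\webfiles\wwwroot"):
        level = classify_document_root(iis_dir, candidate)
        print(f"{candidate:40} {level:12} acceptable={meets_minimum(level)}")
```

Note that the installer's default of C:\Inetpub\wwwroot lands in the Permissive category when IIS itself lives under C:\WINNT, which is why the chapter has you move it.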

Logging

Maintaining secure logs is essential to a secure web environment. Chapter 11, "Maintaining Ongoing Security," deals with logs in considerable detail, but this is the more appropriate place to learn how to manage web server logging.

Open the IIS management program, expand the tree, right-click Default Web Site, and choose Properties. From there, pick the Web Site tab to see the result shown in Figure 5-1.

Figure 5-1. Managing Logging Options for IIS Servers

Near the bottom of the page is a checkbox that controls logging. It should already be checked (enabled). IIS supports four log file formats, each with varying types and quantities of data collected. The default, W3C Extended Log File Format, is the most detailed and option-laden. Make sure that it is selected and click the Properties button to bring up the screen shown in Figure 5-2.

Figure 5-2. Extended Logging Properties Page



By default, a new log file will be created every day, starting with the first entry that occurs after midnight. The location is a subdirectory of your %SystemRoot% directory (possibly your WINNT directory). However, you can and should change this to point to another server. One of the main objectives of intruders is to hide their tracks by altering or deleting the log file. If they manage to take control of your PC, a log in this location is vulnerable. By shunting it off to another location (preferably on the other side of a firewall), you will have increased security. You can use a share or a Windows-based syslogd for this purpose. Either way, be careful to restrict access to it: the web server should be able only to write to (append to) the log file, and most other applications should be able only to read it. Keep in mind that syslog normally travels as unauthenticated UDP, so the path between the web server and the log host should stay inside the trusted network or be protected by other means.

Limiting Access to Your Web Server

The installation instructions in Chapter 4 set anonymous login as the only way to access web server content. Upon installation, IIS created two user accounts:

- IUSR_machine-name
- IWAM_machine-name

The former is used for anonymous access and is much like a guest account. The latter is the identity under which IIS runs out-of-process web applications, such as active content hosted outside the main server process. For access over the Internet, anonymous access is the easiest option. It allows anyone, anywhere to access your content.

If, however, you want to restrict access to users who have some pre-existing relationship with you, you have some additional choices. You can add user accounts and have the web server validate against those accounts. When you apply these additional restrictions, you can choose to limit them to a part of your documents directory tree rather than the entire web site. Table 5-1 lists the four authentication methods and their limitations and requirements.

Table 5-1. Comparison of Authentication Methods

                                                     Can Be Used by Any Browser, Any Computer        Requires Windows
Limitation or Restriction                            Anonymous   Basic Authentication   Digested     Challenge Response
Anyone can use without prior relationship            Yes
Anyone can use but requires prior relationship                   Yes                    Yes
Many users share a single account                    Yes         Optional
Internet standard                                                Yes                    Yes
Requires Active Directory                                                               Yes
Requires IIS5                                                                           Yes
MD5 hashed password                                                                     Yes
Password must be stored as clear text in
  Active Directory                                                                      Yes
Transparent for logged-in users                                                                      Yes
Support for Windows 2000/XP only                                                                     Yes
Passwords hashed and secured                                                                         Yes

Digested Access is newly available with IIS5. RFC 2617 compares Basic Authentication with Digested Authentication and contains a list of six major weaknesses of the Digest scheme, along with explanations and recommendations for improvement. Digested Authentication is not yet recommended for deployment and is not further discussed in this book.


Enabling Basic Authentication

The following example uses IIS4 on NT 4 for the parts that are common to all three platforms, with a few examples from IIS5 where needed. Open the Management Console or Internet Services Manager, as appropriate for your platform. For the test case, right-click the folder that you want to use for Basic Authentication. (The example here uses a folder named BASIC that was created just for this purpose.) That brings up a screen similar to the one shown in Figure 5-3. Choose Properties, then Directory Security, and click Edit. If you are using IIS4, you see the screen shown in Figure 5-4; if you are using IIS5, you see the screen shown in Figure 5-5. Uncheck Allow Anonymous Access (it was inherited during the installation phase) and check Basic Authentication. All this is shown in Figure 5-4.

Figure 5-3. Accessing the Properties Dialog for the Basic Authentication Test Page

Figure 5-4. IIS4 Modified Authentication Methods Page



Figure 5-5. IIS5 Modified Authentication Methods Page
When you select Basic Authentication, you see the warning shown in Figure 5-6. The text says that the data is not encrypted. Strictly speaking it is not sent as plain text either: the credentials are Base64 encoded. Base64 is a reversible encoding, not encryption, so anyone who can see the traffic recovers the username and password with a table lookup. Treat Basic Authentication credentials as if they were sent in the clear, and use the method only on a connection protected by other means (such as SSL) when the accounts matter. Click Yes to enable Basic Authentication.

Figure 5-6. Password Vulnerability Warning
The data is encoded using a method called Base64, which converts three bytes of binary data (24 bits) into four characters of ASCII (by taking 6 bits at a time and adding two high-order 0s, so that every value maps to a printable character). It was originally created to facilitate sending binary files via systems that carried only 7 data bits per byte. A slew of encoders and decoders are available on the Internet, but the handiest decoder is built in to WinZip. Appendix B, "Decoding Base64," describes a technique for capturing a user authentication using a popular network monitor and decoding the Base64 encoded data to discover the username and password.

After login has been required, build user accounts using the normal account management program for your operating system. They are normal accounts in every way. One of your essential jobs is to see to it that those accounts cannot be used for any other purpose. An easy way to do this is to grant them the No Access permission for every file and folder except those under document root. Chapter 3, "Windows System Security," covers this process.
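The following Python is an added example, not the book's or Appendix B's own code. It does by hand what the Base64 description above says: packs 3 bytes into four 6-bit values and back, then pulls the username and password out of the Authorization: Basic header of a captured request, which shows why the warning dialog's "not encrypted" deserves to be read as "readable by anyone on the wire". The captured request, host name and credential are constructed for the example.

```python
"""Recover a Basic Authentication credential from a captured request.

Added example, not from the book or Appendix B. The hand-written codec
follows the text: 3 bytes (24 bits) become four 6-bit values, each mapped
to a printable character; decoding needs no key, only the reverse table.
CAPTURED_REQUEST is a constructed request of the kind a network monitor
records after the browser has answered a 401 challenge; host, path and
credential are invented.
"""
import base64
import re

B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz"
                "0123456789+/")
B64_INDEX = {c: i for i, c in enumerate(B64_ALPHABET)}


def base64_encode(data: bytes) -> str:
    """Encode bytes: every 3 input bytes become 4 alphabet characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                                  # 0, 1 or 2 missing bytes
        bits = int.from_bytes(chunk + b"\x00" * pad, "big")   # one 24-bit group
        chars = [B64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        out.append("".join(chars[:4 - pad]) + "=" * pad)      # '=' marks missing bytes
    return "".join(out)


def base64_decode(text: str) -> bytes:
    """Decode Base64; whitespace is ignored and '=' padding is honoured."""
    text = "".join(text.split()).rstrip("=")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        if len(group) == 1:
            raise ValueError("truncated Base64 input")
        bits = 0
        for c in group:
            bits = (bits << 6) | B64_INDEX[c]        # KeyError on a non-alphabet char
        bits <<= 6 * (4 - len(group))                # left-align to 24 bits
        out += bits.to_bytes(3, "big")[:len(group) - 1]   # 4->3, 3->2, 2->1 bytes
    return bytes(out)


def build_authorization(user: str, password: str) -> str:
    """The header a browser sends after a 401 with WWW-Authenticate: Basic."""
    if ":" in user:
        raise ValueError("RFC 2617 forbids ':' in the user-id")
    token = base64_encode(f"{user}:{password}".encode("latin-1"))
    return f"Authorization: Basic {token}"


def extract_basic_credentials(raw_request: str) -> tuple[str, str]:
    """Pull (user, password) out of a captured request's Authorization header."""
    m = re.search(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                  raw_request, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError("request carries no Basic Authorization header")
    # The password may itself contain ':', so split on the first one only.
    user, sep, password = base64_decode(m.group(1)).decode("latin-1").partition(":")
    if not sep:
        raise ValueError("decoded token is not user:password")
    return user, password


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-written codec against the standard library."""
    encoded = base64_encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and base64_decode(encoded) == data)


CAPTURED_REQUEST = (                      # constructed capture, not real traffic
    "GET /basic/default.htm HTTP/1.1\r\n"
    "Host: pc3.example.com\r\n"
    "Authorization: Basic d2VidXNlcjpTdW1tZXIyMDAy\r\n"
    "\r\n"
)

if __name__ == "__main__":
    user, password = extract_basic_credentials(CAPTURED_REQUEST)
    print(f"user={user!r} password={password!r}")
```

Because the browser re-sends the header with every request to the protected folder, a single capture anywhere between client and server is enough; that is the whole reason the book pairs Basic Authentication with the certificate-server material later on.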

Figures 5-7 and 5-8 show the process of adding a user in the NT 4 environment and in the Windows 2000 environment, respectively. To create a user in NT 4, start User Manager for Domains, click User, and then click New User. In Windows 2000 (and in Windows XP), start the Computer Management application, expand the Local Users and Groups branch, and click Users, Actions, and then New User. In either case, type in the user name and password, clear the User Must Change Password check box, and select the User Cannot Change Password and Password Never Expires check boxes. Finally, click Add (in NT) or Create (in 2K or XP).


Figure 5-7. Adding a User in NT-4
Figure 5-8. Adding a User in Windows 2000




TIP

Be careful about the Password Never Expires setting. Chapter 3 showed how to set a policy that included the maximum duration of passwords on user accounts. These special-purpose accounts have different needs. Set a manual reminder for yourself to change those passwords periodically (and send the appropriate notices to the users of those accounts), but do not force them to expire after some fixed number of days.

To test your work, start Internet Explorer and access your home page, shown in Figure 5-9. Then access the page you set up for Basic Authentication by clicking the second item on the home page. This brings up the login dialog, as shown in Figure 5-10. Enter the username and password you created in the previous step and click OK.
Figure 5-9. WSFG Home Page, Ready to Test Basic Authentication

Figure 5-10. Basic Authentication Password Prompt

The result, shown in Figure 5-11, demonstrates that the process worked when the correct username and password were entered.
Figure 5-11. Basic Authentication Successful Access

To complete the test, close the browser to clear the cached credentials. Open it again and bring up your home page. Click the Basic Authentication test page link again, but this time enter an incorrect username or password. You get three chances before seeing the message shown in Figure 5-12. When you finish, you can close the browser.

Figure 5-12. Standard Authentication Failed Message

Setting Secure Authentication

IIS4 calls its secure authentication option NT Challenge/Response. IIS5 calls it Integrated Windows Authentication. In either case, a domain controller or Active Directory is required to implement it.

In the IIS4 example shown in Figure 5-13, the entire site is set up for both Anonymous Access and Challenge/Response. This is a way to integrate per-user or per-group NTFS access control lists into the web security environment. To do this, right-click Default Web Site, choose Properties, select the Directory Security tab, and click the Edit button in the Anonymous Access section.

Figure 5-13. Setting Overlapping Authentication Methods

When accessing the web server with anonymous access, the user account IUSR_machine-name is used. That account should be granted file system read permission wherever you want anyone to be able to access web content. (Some web content requires more rights. A detailed discussion is presented later in this chapter.) However, when you want to restrict content to certain users or groups, remove permission from the anonymous account and grant it to specific users. IIS will try the anonymous user first and if it fails it will try the user's account. If you are on an intranet and the user is already logged in, the process is transparent. If not, the user will be prompted for a username, password, and domain name to use. Figure 5-14 shows such a prompt. These credentials should not, of course, be shared.

Figure 5-14. Prompt for Challenge Response Authentication

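The anonymous-first decision just described, together with the Basic Authentication prompt tested earlier in this section, as an added example in Python (not code from the book or from IIS). It models an IIS 4/5 site on which Anonymous Access and an authenticated method are both enabled: the anonymous account is tried against the resource's ACL first, and only when that fails are the client's credentials examined. The account name IUSR_WEBSRV, the users, passwords, paths and ACLs are constructed for illustration. One point the browser hides: a Basic Authorization header is only base64-encoded, so the password crosses the network in the clear unless SSL is in use.

```python
"""Model of how IIS 4/5 picks an identity when Anonymous Access and an
authenticated method (Basic or NT Challenge/Response) are both enabled.

Added example, not code from the book or from IIS. Accounts, passwords,
paths and ACLs below are constructed for illustration.
"""
import base64
import hmac

IUSR = "IUSR_WEBSRV"  # assumed machine name; IIS uses IUSR_<machine-name>

# Constructed NTFS-style ACLs: resource -> accounts allowed to read it.
ACLS = {
    "/index.htm": {IUSR, "alice", "bob"},
    "/basic/secret.htm": {"alice"},  # anonymous account deliberately removed
}

# Constructed user table (real IIS asks the SAM or domain controller).
USERS = {"alice": "C0rrect-Horse", "bob": "Batt3ry-Staple"}


def parse_basic(authorization):
    """Decode an HTTP Basic Authorization header into (user, password).

    Returns None if the header is absent or malformed. Basic is only
    base64-encoded, not encrypted: anything on the path can read it
    unless the connection is protected by SSL/TLS.
    """
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("latin-1")
    except ValueError:
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def check_password(user, password):
    """Constant-time comparison against the constructed user table."""
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def handle_request(path, authorization=None):
    """Return (status, identity) the way IIS with overlapping methods would.

    The anonymous account is tried first; only if the ACL denies it are
    the client's credentials examined, and a missing or wrong credential
    produces a 401 challenge (the browser's password prompt).
    """
    allowed = ACLS.get(path)
    if allowed is None:
        return 404, None
    if IUSR in allowed:
        return 200, IUSR  # anonymous access succeeded; credentials never consulted
    creds = parse_basic(authorization)
    if creds is None:
        return 401, None  # challenge: browser shows the login dialog
    user, password = creds
    if not check_password(user, password):
        return 401, None  # browser re-prompts; IE gives up after three tries
    if user not in allowed:
        return 403, user  # authenticated, but not in this resource's ACL
    return 200, user


def basic_header(user, password):
    """Build the header a browser sends after the user fills in the prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()
    return "Basic " + token


if __name__ == "__main__":
    print(handle_request("/index.htm"))
    print(handle_request("/basic/secret.htm"))
    print(handle_request("/basic/secret.htm", basic_header("alice", "C0rrect-Horse")))
    print(handle_request("/basic/secret.htm", basic_header("alice", "wrong")))
    print(handle_request("/basic/secret.htm", basic_header("bob", "Batt3ry-Staple")))
```

Run it directly to see the five cases. The 401 results correspond to the password prompt in Figure 5-10 and the failure message in Figure 5-12; the 403 case is an authenticated user who is simply not in the ACL, which is why removing the anonymous account's permission and granting it to specific users is what actually restricts the content.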
Restricting Access Based on IP Address

Access can also be controlled based on the PC's IP address. You can set specific addresses, address ranges, or DNS names from which access will be either allowed or denied. Treat this as a coarse filter rather than as authentication: every client behind the same proxy or NAT device presents the same address, and a DNS name restriction is only as trustworthy as the reverse lookup it relies on.

Figure 5-15 shows the WSFG home page, as accessed from a Windows XP-based PC. The third item on the page links to the page to be used to test IP access controls, so click that link.

Figure 5-15. WSFG Home Page, Ready to Begin Address Test

Figure 5-16 shows that access is permitted by default.

Figure 5-16. Successful Access of the IP Address Check Page

To prohibit access from the PC whose IP address is 192.168.1.20, launch the IIS management application and right-click the folder where you want to set IP address restrictions. Figure 5-17 shows an example using the folder IPADDRESS.

Figure 5-17. IIS Management Application

Hand s- on t echniqu es for secur in g Window s( r ) serv ers, b r owser s, and net w ork com m un icat ions. Cr eat e eff ect iv e secur it y policies and est ab lish r ules for op er at ing in and m aint aining a secur it y - conscious env ir onm en t That br ings up t he p rop er t ies dialog. Click t he D ir ect or y Se cu rit y t ab t o get t he NT 4 im age show nLear in Figur 8. den ( WinWindow dow s XP 000 hav e a ding sligh NT, t ly diff erent v erXP sion. ) n howe t5o 1har s an m udlt Window i- u ser p slat2for m s, inclu 2 000 , and Under st and secur e inst allat ion op t ions f or Wind ows w eb ser v ers an d how t o enhan ce secur it y on exist ing w eb an d FTP ser v er in st allat ions

Figure 5-18. IPADDR Folder at the Directory Security Tab

Click Edit in the IP Address and Domain Name Restrictions section. That brings up the dialog box shown in Figure 5-19.

Figure 5-19. Empty Address Restrictions Dialog
This dialog box needs careful reading. It either grants (the default) or denies access to all addresses except the ones you add manually. Go ahead and click Add to bring up the screen shown in Figure 5-20.

Figure 5-20. Deny Access Page for a Single Address

If you just want to deny access to one particular address, you can key it in here. Before doing that, it is worth the time to explore the other options. You can prohibit access to all stations in a particular domain by clicking the button next to Domain Name. That brings up the performance warning message shown in Figure 5-21: to apply a domain name restriction, IIS must perform a reverse DNS lookup on the client's address for every request.

Figure 5-21. Warning Before Denying Access Based on Domain Name

After you view the dialog box, click OK to close it, but don't key in a domain name. Instead, click the button next to Group of Computers. That changes the input fields and gives you the image shown in Figure 5-22. Here, you can exclude a range of IP addresses by using an appropriate network number and mask. You can also repeat these steps to exclude more than one range.

Figure 5-22. Deny Access Page for a Group of Addresses

Click the Single Computer button and enter the IP address to restrict, 192.168.1.20. Click OK to get to the completed restrictions list shown in Figure 5-23. With this restriction in place, all computers will be allowed access except the one at the specified IP address. You can exclude additional single addresses by repeating these steps. You can also combine single addresses, IP address ranges, and domain names, as needed.

Figure 5-23. Completed Access Restrictions Page
St ar tch ing at t he m achine w it h heblic pr ohibit edes addr b rin gage u p access t he WSFG asing The alleng e for successfu l, tpu w eb sit is tess, o encour t o t hhom e sitee page w hileagain, elim inat show n in Figur 5- 2 4, r eady o and t est t o heprnew r estlev r ictels ionof . Click hey twhir d linkconst t o init iat e t h e un desir able or emalicious t r afftic ovidadd e suress ff icient securt it it hout r aining tper estfor . Figur e 5- or 2 5 scalabilit sh ows t he r esu lt inore g access bidd en ions er rorbmessage. m ance y . Th em reliant for org anizat ecom e on t he I n t er net t o p er f orm daily j obs or cond uct t ran sact ions, t h e gr eat er t he im pact a br each of n et w or k secu rit y has. Just as Cisco Sy st em s h as been an inn ovat or in u sin g t h e I nt er net t o conduct business, so t oo is it a m ar ket leader in t he developm ent an d sale of p rod uct s and t echnologies t h at p rot ect d at a t r av eling Figu acr oss r e t5he - 2I nt 4 .erW netSFG . Yet a Hom net weorPag k secur e, itRea y solut dyiont ois Fi only ni sh as stAddr r ong as e ss it s Te w eak st est link . Net w ork at t ack s can occu r at an y point , including t h e net w ork con nect ion , t he fir ew all, t h e w eb ser ver , or t h e client . Har d en in g t he def en ses at all t hese point s is key t o creat ing an eff ect iv e, all- encom passing net w ork secur it y solu t ion.



Figure 5-25. Access Forbidden Error Message

Miscellaneous Security Enhancements

IIS has quite a few nooks and crannies where you can find security enhancement options. The next several subsections point them out. Whether you implement the settings that follow is a matter of experience, judgment, and your Security Policy. The best course of action often depends on the needs and size of your web site, coupled with the kind of use (intranet or Internet) you expect.

Moving the Metabase

IIS5 (for both Windows 2000 and XP) maintains a database containing all the configuration values, including read and write permissions, called the Metabase. (The actual filename is MetaBase.bin.) Its default location is %systemroot%\system32\inetsrv. An intruder who can corrupt or replace the Metabase completely compromises the server. The safest course of action is to move it. Doing so means making a Registry change. Before starting, make sure you have a complete backup copy of the Registry, and a copy of MetaBase.bin itself: a server whose Metabase is missing or damaged will not start. Relocating the file is obscurity, not access control. Whatever NTFS permissions protect the file in its original location must also protect it and its new folder after the move, or you have gained nothing.

Begin by creating a new location for the Metabase. A likely location is a new folder under an already existing, well-known, and generally uninteresting folder. A good candidate is the Windows NT folder under the Program Files folder. Figure 5-26 shows Windows Explorer with the Program Files folder selected.

Figure 5-26. Windows Explorer Showing the Program Files Folder

Open the Windows NT folder and add a new folder under it called IIS-Control. The result matches the screen shown in Figure 5-27.


Figure 5-27. Windows Explorer Showing the New IIS-Control Folder


The next step is to stop the IIS services. In some versions, when IIS is running, the Metabase is open and locked, which would prevent its move. In any case, be conservative. Begin by launching the IIS control program appropriate to your platform and expanding the server tree. Select the Default Web Site to begin. Stop the server by using one of two methods:

Click the square box icon highlighted in Figure 5-28.

Figure 5-28. Stopping a Server via Icon

Alternatively, right-click the server name and choose Stop. If you have more than one web server on your PC, you should repeat this step for each of them to stop them all.

After the servers are stopped, launch Regedit (Start/Run is probably the easiest way) to get the screen shown in Figure 5-29.

Figure 5-29. Regedit Opening Screen

Expand the HKEY_LOCAL_MACHINE branch and drill down until you get to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetMgr\Parameters. This is shown in Figure 5-30.

Figure 5-30. Regedit Positioned to Add Key

Add a new key by clicking on Edit, then New, and Key. Figure 5-31 shows this in action and Figure 5-32 shows the result.

Figure 5-31. Adding a New Key in Regedit


Figure 5-32. Regedit with a New Empty Key Added

Change the name of the key to Metadata File. Type it exactly as shown: the single space is part of the name. (Registry key names are not case sensitive, so capitalization does not matter, but a missing or extra space makes it a different key.) Double-click the word (Default) in the right-hand column. That brings you to the screen shown in Figure 5-33.

Figure 5-33. Value Data Dialog for the New Key


Type the new path name, C:\Program Files\Windows NT\IIS-Control, into the Value Data field and click OK. Exit out of Regedit and return to Windows Explorer. From there, move the file MetaBase.bin to the new folder. Figure 5-34 shows the result.

Figure 5-34. MetaBase.bin in Its New Location

To further enhance the security, hide the new folder by right-clicking on IIS-Control, selecting Properties, and clicking the check box to make it Hidden, as shown in Figure 5-35. Bear in mind that the Hidden attribute only keeps the folder out of default Explorer and dir listings; anyone with read access to Program Files\Windows NT can still open it, so it is a minor obstacle, not an access control.



Figure 5-35. Hiding the IIS-Control Folder

Restart the servers. This time, click the triangle icon instead of the box. Nothing is complete without a test. Start Internet Explorer and launch the WSFG home page. Figure 5-36 shows the result. Assuming you get your home web page, IIS is working and is using the new location for its Metabase. Also confirm that MetaBase.bin is no longer present in %systemroot%\system32\inetsrv; if IIS were still reading a copy there, the move would have had no effect.

Figure 5-36. WSFG Home Page After Moving the Metabase
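The procedure above, scripted end to end so that it can be repeated on more than one server and verified afterwards rather than assumed to have worked. This is an added example, not code from the book. It assumes PowerShell is installed on the host (XP SP2 or later, so not a Windows 2000 box), an elevated session, the standard IIS service names IISADMIN and W3SVC, and the key name and folder path exactly as the text gives them; everything else is standard cmdlet and reg.exe behaviour.

```powershell
# Added example, not from the book: performs the Metabase move described above
# on one IIS 5 host, with backups before and checks after.
# Assumptions: PowerShell present, elevated session, IIS services named
# IISADMIN and W3SVC, key name "Metadata File" and folder as in the text.
$ErrorActionPreference = 'Stop'

$newFolder  = 'C:\Program Files\Windows NT\IIS-Control'
$oldFolder  = Join-Path $env:SystemRoot 'system32\inetsrv'
$paramKey   = 'HKLM:\SOFTWARE\Microsoft\InetMgr\Parameters'
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$regBackup  = Join-Path $env:TEMP "InetMgr-Parameters-$stamp.reg"
$fileBackup = Join-Path $env:TEMP "MetaBase-$stamp.bin"

# 1. Back up both things the procedure touches: the registry branch and the
#    Metabase file itself. A broken Metabase means a server that will not start.
& reg.exe export 'HKLM\SOFTWARE\Microsoft\InetMgr\Parameters' $regBackup | Out-Null
Copy-Item -Path (Join-Path $oldFolder 'MetaBase.bin') -Destination $fileBackup

# 2. Stop IIS so the Metabase is closed and unlocked. -Force also stops the
#    dependent services (W3SVC, MSFTPSVC, ...), which is what the text asks for.
Stop-Service -Name IISADMIN -Force

# 3. Create the new folder and point IIS at it: a key named "Metadata File"
#    whose (Default) value is the folder path, as in Figures 5-31 to 5-33.
New-Item -ItemType Directory -Path $newFolder -Force | Out-Null
$metaKey = New-Item -Path $paramKey -Name 'Metadata File' -Force
Set-ItemProperty -Path $metaKey.PSPath -Name '(default)' -Value $newFolder

# 4. Move the file, then hide the folder. The Hidden attribute is cosmetic;
#    what protects the file is its NTFS ACL, so it is printed at the end for
#    review (explicit ACEs survive a same-volume move, inherited ones come
#    from the new parent folder).
Move-Item -Path (Join-Path $oldFolder 'MetaBase.bin') -Destination $newFolder
$folder = Get-Item -Path $newFolder
$folder.Attributes = $folder.Attributes -bor [System.IO.FileAttributes]::Hidden

# 5. Restart, then verify rather than assume.
Start-Service -Name IISADMIN
Start-Service -Name W3SVC

$checks = @(
    @{ Name = 'MetaBase.bin gone from inetsrv'
       Ok   = -not (Test-Path (Join-Path $oldFolder 'MetaBase.bin')) },
    @{ Name = 'MetaBase.bin present in new folder'
       Ok   = (Test-Path (Join-Path $newFolder 'MetaBase.bin')) },
    @{ Name = 'registry points at new folder'
       Ok   = ((Get-ItemProperty -Path $metaKey.PSPath).'(default)' -eq $newFolder) },
    @{ Name = 'W3SVC running'
       Ok   = ((Get-Service -Name W3SVC).Status -eq 'Running') }
)

# The same test the text performs by hand: fetch the home page. WebClient
# throws on any non-success status, which is exactly what should be reported.
try   { $null = (New-Object System.Net.WebClient).DownloadString('http://localhost/'); $pageOk = $true }
catch { $pageOk = $false }
$checks += @{ Name = 'default site serves home page'; Ok = $pageOk }

foreach ($c in $checks) {
    '{0} {1}' -f $(if ($c.Ok) { 'PASS' } else { 'FAIL' }), $c.Name
}
'ACL on moved file:'
(Get-Acl -Path (Join-Path $newFolder 'MetaBase.bin')).AccessToString
```

Run it once from an elevated PowerShell prompt on the web server. Every line of the summary should read PASS; a FAIL on the registry or file checks means IIS is still using the original location, and the two backup files in %TEMP% are what you restore from if the services do not come back up.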




Managing Web Server Access Permissions

Each page can have any of four access permissions. Directories at lower levels will inherit permissions set for a parent directory. Table 5-2 lists the four options and their implications.

Table 5-2. Web Server Access Permissions

Permission: Security Implication (When Checked)

Script Source Access (not available in IIS4)
    Users can access script source files. This control works in conjunction with both the Read and Write permissions and with the Execute Permissions. When Read is also selected, users can see script source (which might contain passwords or other nonpublic material). If Write is also selected, users can submit new or altered scripts. This should be selected only if Remote Authoring is necessary.

Read
    Users can see the source of pages in this directory. This is necessary for most pages. The exception would be for pages where the user gets to write something that should not be retrieved online. (Like a post office mailbox: you can drop a letter in, but you cannot read it once deposited.)

Write
    Users can create new files or overwrite existing files in this directory.

Directory Browsing
    Allows users to see a hypertext listing of subdirectories (including the DOS-style ".." link to the parent). This option should NOT be selected.

Righ t - click an y folder in y our def ault w eb sit e and select P rope rt i es or , as done in Figur e 5- 3 7, r ight - click D e fa ult W eb Si t e , select Prope rt i es, an d click t he H om e D ire ct ory t ab t o conf ig ur e per m issions f or t he en t ir e w eb sit e. All pages in or un der t he h om e dir ect or y w ill inher it chan ges y ou m ak e her e. Low er - lev el pages can be alt er ed ind ividu ally lat er , as n eeded. •
Figure 5-37. Home Directory with Access Set to Read
Managing IIS5 Execute Permissions

Figure 5-38 shows the drop-down box for the Execute Permissions. Table 5-3 lists the three choices and their implications.

Figure 5-38. IIS5 Execute Permissions
Table 5-3. Execute Permission Choices

Setting | Effect
None | Neither scripts nor applications can be launched.
Scripts Only | Only scripts whose file extensions have previously been mapped to scripting applications can run. This is the default permission. Use NTFS permissions to prohibit read access to anonymous users to keep the script source code secure.
Scripts and Executables | Allows any application, including both scripts and compiled files such as .dll and .exe executables, to run. This should NOT be selected at the home directory level. If needed for a lower directory level, be sure that NTFS write access is prohibited for anonymous users. Failure to do so would permit users to submit and run their own executables on your server.
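The rules in Tables 5-2 and 5-3 can be checked mechanically once the settings of each virtual directory are known. The following is an added example (not code from the book, and not the IIS metabase itself): it models a site as a tree of directories in which a child without explicit settings inherits its parent's, exactly as the chapter describes, and then reports directory browsing, Script Source Access without a Remote Authoring need, and Scripts and Executables at the home directory or in a folder the anonymous account can write to. The data model, the field names and the sample site are this example's own assumptions.

```python
"""Audit IIS 4/5-style access and execute permissions against the rules
in Tables 5-2 and 5-3. Example code; the data model is this example's own,
not the IIS metabase."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three Execute Permission choices from Table 5-3
NONE = "None"
SCRIPTS_ONLY = "Scripts Only"
SCRIPTS_AND_EXECUTABLES = "Scripts and Executables"


@dataclass(frozen=True)
class Perms:
    """The four access permissions of Table 5-2 plus the execute choice of Table 5-3."""
    read: bool = True
    write: bool = False
    script_source_access: bool = False
    directory_browsing: bool = False
    execute: str = SCRIPTS_ONLY


@dataclass(frozen=True)
class Folder:
    """One virtual directory. perms=None means 'inherit from the parent',
    mirroring how lower-level directories inherit the parent's settings."""
    perms: Optional[Perms] = None
    remote_authoring: bool = False      # is Remote Authoring really required here?
    anonymous_ntfs_write: bool = False  # can the anonymous web account write to the folder on disk?


def parent_of(path: str) -> Optional[str]:
    """'/a/b' -> '/a', '/a' -> '/', '/' -> None."""
    if path == "/":
        return None
    return path.rsplit("/", 1)[0] or "/"


def effective(site: Dict[str, Folder], path: str) -> Perms:
    """Walk up the tree until a directory with explicit permissions is found."""
    current: Optional[str] = path
    while current is not None:
        folder = site.get(current)
        if folder is not None and folder.perms is not None:
            return folder.perms
        current = parent_of(current)
    raise ValueError("the home directory '/' must define permissions")


def audit(site: Dict[str, Folder]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for settings the chapter says to avoid."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(site):
        folder = site[path]
        perms = effective(site, path)
        if perms.directory_browsing:
            # Table 5-2: Directory Browsing should NOT be selected
            findings.append((path, "directory-browsing"))
        if perms.script_source_access and not folder.remote_authoring:
            # Table 5-2: with Read, users view script source (passwords, nonpublic
            # material); with Write, they can submit altered scripts
            findings.append((path, "script-source-access"))
        if perms.execute == SCRIPTS_AND_EXECUTABLES:
            if path == "/":
                # Table 5-3: never at the home directory level
                findings.append((path, "executables-at-home"))
            elif folder.anonymous_ntfs_write:
                # Table 5-3: a lower level is acceptable only if anonymous users cannot write
                findings.append((path, "executables-with-anonymous-write"))
    return findings


# Constructed sample site (not a real server's configuration)
SAMPLE_SITE: Dict[str, Folder] = {
    "/": Folder(perms=Perms(read=True, execute=SCRIPTS_ONLY)),
    "/images": Folder(perms=Perms(read=True, execute=NONE)),
    "/cgi-bin": Folder(perms=Perms(execute=SCRIPTS_AND_EXECUTABLES)),
    "/cgi-bin/tools": Folder(anonymous_ntfs_write=True),  # inherits Scripts and Executables
    "/authoring": Folder(perms=Perms(write=True, script_source_access=True), remote_authoring=True),
    "/downloads": Folder(perms=Perms(directory_browsing=True)),
    "/scratch": Folder(perms=Perms(script_source_access=True)),
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_SITE):
        print(f"{path}: {finding}")
```

Note that /cgi-bin itself passes (anonymous users cannot write there) while /cgi-bin/tools is flagged: it inherits Scripts and Executables from its parent, and the inherited setting combined with a writable folder is the case Table 5-3 warns about.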

Managing Application Isolation

You can tell IIS how and where (in memory) to run applications launched by various web pages. Table 5-4 lists the three choices and their implications.
Table 5-4. Application Protection Choices

Setting | Memory Usage Implication
Low (IIS Process) | Applications run in the same memory space as the IIS process. If the application crashes, it will take IIS down with it. This is NOT recommended.
Medium (Pooled) | Applications run in a separate memory space from the IIS process, but in the same space as each other. An application crash here will take down all running applications but might not take down the server. When multiple users run the same application, the code space will be shared. This is the default and is recommended.
High (Isolated) | Applications run in separate memory spaces, not only from the IIS process but also from each other. An application crash here is least likely to have any effect on any other user or on the web server itself. This choice can use massive amounts of memory and CPU resources, which can put you at risk for denial-of-service attacks.

Figure 5-39 shows the three application protection choices on the drop-down menu in the Home Directory tab of the Default Web Site Properties, with the default choice highlighted.

Figure 5-39. Application Protection Choices
Setting Advanced Security Configuration Options

Also contained in the Home Directory tab is a Configuration button. That leads to a dialog box with either three or four tabs. The extra tab (Process Options) appears only if High protection is selected. In the Home Directory tab, click the drop-down box next to Application Protection, select High, and click the Configuration button. Two of the Execute Permissions (described in Table 5-3) allow scripts to run if they have been previously mapped. Figure 5-40 shows those mappings indicated in the first tab visible in the resulting dialog.

Figure 5-40. Application Configuration Dialog, App Mappings
Deleting Unnecessary Application Mappings

Application mappings are one of the areas that underwent revision between IIS4 and IIS5. In the older version, mappings listed prohibited HTML commands (known there as Verbs) under the heading Exclusions, as shown in Figure 5-41. Verbs on the exclude list prevented .dll programs that correspond to particular mappings from executing. The problem with this scheme is that new verbs could be introduced and would be allowed by default.

Figure 5-41. IIS4 Application Verb Exclusions
IIS5 takes a more conservative approach. Application mappings are listed along with the verbs that are specifically allowed. If the mapping isn't on the list, it is not allowed to run at all. If it is there, only the verbs listed with it are permitted. Nevertheless, the most often repeated tenet of security is if you don't need it, get rid of it. Application mappings are one of the primary places to implement that rule. If your site is already running, scan the folders under your web home page and list the extensions in use. If it is under construction, ask the developers what their plans are. Be aware that you can also modify the allowed verbs for a specific mapping by clicking the Edit button. Delete mappings that aren't in use by selecting the line corresponding to the mapping and clicking Remove. Table 5-5 is a list of extensions and the category of applications that they control.

Table 5-5. Application Mappings and Their Functions

Extension | Application Type
.cdx | Active Channel Definition File
.asa | Active Server Application
.asp | Active Server Page
.cer | Certificates
.htw, .ida, .idq | Index Server
.idc | Internet Database Connector
.printer | Internet Printing
.htr | Password Changes
.stm, .shtm, .shtml | Server Side Includes
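The "scan the folders under your web home page and list the extensions in use" step, and the comparison against the configured mappings, is easy to script. Below is an added example (not the book's code and not an IIS tool): it walks a web root collecting extensions, reports which configured mappings are neither in use nor on the developers' plan together with the application type each one controls per Table 5-5, and lists verbs beyond a permitted set as candidates for the Edit button. The mapping list, its verb sets and the temporary web root are constructed sample data, not IIS5 defaults.

```python
"""Find IIS5 application mappings (Table 5-5) that a site does not use.
Example code, not from the book; the mapping table and web root are constructed."""
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# Extension -> application type, as listed in Table 5-5
TABLE_5_5: Dict[str, str] = {
    ".cdx": "Active Channel Definition File",
    ".asa": "Active Server Application",
    ".asp": "Active Server Page",
    ".cer": "Certificates",
    ".htw": "Index Server", ".ida": "Index Server", ".idq": "Index Server",
    ".idc": "Internet Database Connector",
    ".printer": "Internet Printing",
    ".htr": "Password Changes",
    ".stm": "Server Side Includes", ".shtm": "Server Side Includes", ".shtml": "Server Side Includes",
}

# Constructed stand-in for the App Mappings list: extension -> verbs allowed for it.
# The verb lists are assumed values for the example, not IIS5 defaults.
SAMPLE_MAPPINGS: Dict[str, Tuple[str, ...]] = {
    ".asp": ("GET", "HEAD", "POST", "TRACE"),
    ".asa": ("GET", "HEAD", "POST", "TRACE"),
    ".cdx": ("GET", "POST"), ".cer": ("GET", "POST"),
    ".htw": ("GET", "POST"), ".ida": ("GET", "POST"), ".idq": ("GET", "POST"),
    ".idc": ("GET", "POST"), ".printer": ("GET", "POST"), ".htr": ("GET", "POST"),
    ".stm": ("GET", "POST"), ".shtm": ("GET", "POST"), ".shtml": ("GET", "POST"),
}


def extensions_in_use(web_root: str) -> Set[str]:
    """Scan the folders under the web home page and collect the extensions in use."""
    found: Set[str] = set()
    for _dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext:
                found.add(ext)
    return found


def mappings_to_remove(configured: Dict[str, Tuple[str, ...]], in_use: Iterable[str],
                       planned: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Mappings whose extension is neither in use nor planned by the developers,
    with the application type each one controls (these are the lines to Remove)."""
    needed = set(in_use) | set(planned)
    return [(ext, TABLE_5_5.get(ext, "unknown")) for ext in sorted(configured) if ext not in needed]


def verbs_beyond(configured: Dict[str, Tuple[str, ...]],
                 permitted: Tuple[str, ...] = ("GET", "POST")) -> Dict[str, Tuple[str, ...]]:
    """Per mapping, the verbs that exceed the permitted set (candidates for the Edit button)."""
    extra: Dict[str, Tuple[str, ...]] = {}
    for ext, verbs in configured.items():
        surplus = tuple(v for v in verbs if v not in permitted)
        if surplus:
            extra[ext] = surplus
    return extra


def build_sample_web_root() -> str:
    """Create a constructed web home folder in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    for rel in ("default.asp", "global.asa", "images/logo.gif", "help/readme.htm"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    in_use = extensions_in_use(build_sample_web_root())
    for ext, kind in mappings_to_remove(SAMPLE_MAPPINGS, in_use, planned={".shtml"}):
        print(f"remove {ext:9} ({kind})")
    for ext, surplus in verbs_beyond(SAMPLE_MAPPINGS).items():
        print(f"review {ext:9} extra verbs: {', '.join(surplus)}")
```

The `planned` argument carries what the developers said they intend to use, so a mapping is kept on their word even when no such file exists yet; the scan alone would remove it.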

Disabling the Sample Applications

The IIS default install creates several directories containing sample applications, which could provide a severe security hazard. Figure 5-42 shows the IIS4 default directories, and Figure 5-43 shows the IIS5 equivalent. These directories can be included or omitted during the installation phase, but, if included, they can be removed now. For all but development servers, they should be removed. Directories can be removed in the right pane of your Default Web Site by right-clicking the directory and selecting Delete. Be careful, though, because some directories must remain (for example, Scripts and _vti_bin if you are using Web Server Extensions).

Figure 5-42. IIS4 Default Directories
Figure 5-43. IIS5 Default Directories
Table 5-6 lists the directory name, its contents, and its default installation location for Windows 2000. The location paths include terms surrounded by percent signs. These are Set Variables and come from the system configuration. They will vary by machine. The easiest way to resolve the particular values assigned is to open a command prompt and type SET. Figure 5-44 shows an example from IIS5 on Windows 2000.



Figure 5-44. Windows 2000 Set Variables
Table 5-6. Sample Applications

IIS Directory Name | Contents | Location
\IISSamples | Sample Files | %systemdrive%\inetpub\iissamples
\IISHelp | Documentation | %windir%\help\iishelp
\MSADC | Data Access | %systemdrive%\program files\common files\system\msadc
\printers | Web Based Printing | %windir%\web\printers
\IISAdmin | Developer Tools | %windir%\system32\inetsrv\IISadmin

You might be surprised to find that after rebooting, the deleted printers folder returns automatically. To really get rid of it, you must do the following:

Step 1. Delete the folder in the control program (Internet Services Manager).

Step 2. Using Windows Explorer, go to the parent directory, %windir%\web, right-click, and choose Properties.

Step 3. In the Security tab, remove all entries in the ACL except Administrator and SYSTEM.

Step 4. Add the Web Users group (or whatever you named the group that has access to your web pages) and select the box marked Deny across from the Full Control permission. This automatically marks all the individual permissions as Deny.
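Resolving the percent-sign terms in Table 5-6 against the output of SET, as the paragraph before the table describes, is shown here as an added example (not the book's code). It parses the lines SET prints, expands %var% references case-insensitively (SET prints SystemDrive while the table writes %systemdrive%), and turns Table 5-6 into concrete paths that can then be checked on disk after the sample directories have been removed. The SET output below is constructed sample text with assumed values, not captured from a real machine.

```python
"""Resolve the %variable% locations of Table 5-6 from the output of SET.
Example code, not from the book; the SET output is constructed."""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of what a Windows 2000 command prompt prints for SET (assumed values)
SAMPLE_SET_OUTPUT = r"""
ALLUSERSPROFILE=C:\Documents and Settings\All Users
ComSpec=C:\WINNT\system32\cmd.exe
CommonProgramFiles=C:\Program Files\Common Files
ProgramFiles=C:\Program Files
SystemDrive=C:
SystemRoot=C:\WINNT
windir=C:\WINNT
"""

# (directory name, contents, location) rows of Table 5-6
TABLE_5_6: List[Tuple[str, str, str]] = [
    ("\\IISSamples", "Sample Files", r"%systemdrive%\inetpub\iissamples"),
    ("\\IISHelp", "Documentation", r"%windir%\help\iishelp"),
    ("\\MSADC", "Data Access", r"%systemdrive%\program files\common files\system\msadc"),
    ("\\printers", "Web Based Printing", r"%windir%\web\printers"),
    ("\\IISAdmin", "Developer Tools", r"%windir%\system32\inetsrv\IISadmin"),
]

_VAR = re.compile(r"%([^%]+)%")


def parse_set_output(text: str) -> Dict[str, str]:
    """Turn 'NAME=value' lines into a dict keyed by lower-cased name.
    Windows variable names are case-insensitive, so the table's %systemdrive%
    must match the SystemDrive line that SET prints."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            env[name.strip().lower()] = value.strip()
    return env


def expand(path: str, env: Dict[str, str]) -> str:
    """Replace every %name% in path; an unknown name is an error, not left in place."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name.lower() not in env:
            raise KeyError(f"undefined variable %{name}%")
        return env[name.lower()]
    return _VAR.sub(substitute, path)


def resolve_sample_locations(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """(directory name, concrete on-disk path) for each row of Table 5-6."""
    return [(name, expand(location, env)) for name, _contents, location in TABLE_5_6]


def still_present(env: Dict[str, str]) -> List[str]:
    """Resolved sample directories that still exist on this machine."""
    return [path for _name, path in resolve_sample_locations(env) if os.path.isdir(path)]


if __name__ == "__main__":
    variables = parse_set_output(SAMPLE_SET_OUTPUT)
    for name, path in resolve_sample_locations(variables):
        print(f"{name:12} -> {path}")
    print("still present:", still_present(variables) or "none")
```

On a live server, feed the real SET output into parse_set_output instead of the constructed sample and run still_present after the directories have been deleted; the printers folder that returns after a reboot (Steps 1 to 4 above) is exactly the kind of reappearance this check catches.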

Setting Session Timeout

Figure 5-45 shows the App Options page. (It's the App Options tab on the Application Configurations page, if you're not already there.) Make sure that the first checkbox, Enable session state, is checked. This causes Active Server Pages (ASPs) to create a new session for each user. Along with the next option, Session timeout, this limits the time that a script waits for user input. It also causes a record of terminated sessions to be written to the Server Event Log. The default is 20 minutes, which is a long time to leave the system open for hacking. Work with your developers to determine the type and duration of the functions that the scripts provide and the expected user delay times. This number should be set low enough to avoid denial of service problems, but high enough so that users don't need to restart their sessions.

Figure 5-45. Session Timeout on the Application Options Page

On that same page is an option called Enable parent paths. Be sure that this is NOT checked. It would allow scripts to use the ".." syntax to traverse the directory tree.

Figure 5-46 shows a similar option on a tab called Process Options. This tab is available only when High Application Protection is used (discussed in the section called Managing Application Isolation earlier in this chapter). This page has an option that sets the timeout for CGI scripts. These are generally of much shorter duration than ASPs, so a shorter timeout is reasonable. The default is 5 minutes (300 seconds). Again, your developers should be able to offer guidance.

Figure 5-46. Setting CGI Script Timeout
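The ".." traversal that Enable parent paths permits, as an added example in Python that is not the book's code: a small resolver models how a script-relative path (such as the target of a server-side include) is resolved under a constructed document root /inetpub/wwwroot, once with parent paths refused (the checkbox left clear) and once allowed, plus a containment check that keeps every resolved path inside the root even when parent paths are on. All directory and file names are constructed for the example.

```python
"""Resolving script-relative paths with and without parent paths.

Added example, not from the book. The document root and file names are
constructed; the logic models the effect of the IIS 'Enable parent paths'
checkbox on a relative path such as the target of a server-side include.
"""
from __future__ import annotations

from pathlib import PurePosixPath

DOC_ROOT = PurePosixPath("/inetpub/wwwroot")  # constructed document root


class ParentPathError(ValueError):
    """Raised when a path uses '..' while parent paths are disabled,
    or when a resolved path would leave the document root."""


def lexical_normalize(path: PurePosixPath) -> PurePosixPath:
    """Collapse '.' and '..' segments without touching the file system."""
    out: list[str] = []
    for part in path.parts:
        if part == ".":
            continue
        if part == "..":
            if len(out) > 1:        # never pop the leading "/"
                out.pop()
            continue
        out.append(part)
    return PurePosixPath(*out)


def is_inside_root(path: PurePosixPath, root: PurePosixPath = DOC_ROOT) -> bool:
    """True when `path` is `root` itself or lies below it (segment-wise)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_path(current_dir: str, relative: str, allow_parent_paths: bool) -> PurePosixPath:
    """Resolve `relative` for a script living in `current_dir` under DOC_ROOT.

    With allow_parent_paths=False every '..' segment is refused outright, which
    is what leaving the checkbox clear does. With it True the path is normalised
    lexically, and '..' can climb above the document root.
    """
    segments = PurePosixPath(relative).parts
    if not allow_parent_paths and ".." in segments:
        raise ParentPathError(f"parent path refused: {relative}")
    if relative.startswith("/"):        # site-relative: start from the root
        base = DOC_ROOT
        relative = relative.lstrip("/")
    else:                               # script-relative: start from its directory
        base = DOC_ROOT / current_dir.strip("/")
    return lexical_normalize(base / relative)


def safe_resolve(current_dir: str, relative: str, allow_parent_paths: bool) -> PurePosixPath:
    """resolve_path plus a containment check, so that even with parent paths
    enabled nothing outside DOC_ROOT is ever handed back."""
    resolved = resolve_path(current_dir, relative, allow_parent_paths)
    if not is_inside_root(resolved):
        raise ParentPathError(f"resolved outside document root: {resolved}")
    return resolved


if __name__ == "__main__":
    print(resolve_path("/scripts", "util/db.inc", allow_parent_paths=False))
    print(resolve_path("/scripts", "../../private/dbconn.inc", allow_parent_paths=True))
    try:
        safe_resolve("/scripts", "../../private/dbconn.inc", allow_parent_paths=True)
    except ParentPathError as exc:
        print("blocked:", exc)
```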

Assigning Web Server Operators

During installation, IIS adds the Administrators group to the list of Web Server Operators. You can see this by selecting the Operators tab on Default Web Site Properties. This is an appropriate start because it takes Administrator privileges to install the web server; however, for ongoing maintenance, it is inappropriate. Unless changed, those responsible for managing the web server would need to be made members of the Administrators group. This would almost certainly give them more rights and privileges than they should need or have.

The solution is to add those web server administrators to the operators list for your web site. They would then need appropriate NTFS file system privileges in the directory named document root (and its subdirectories). Chapter 3 describes the process in detail.

Users added to the Operators list get the following rights on the web server:

• Administer web content (add, delete, change)
• Control logging
• Manage default web documents
• Set web server access permissions
• Manage expiration dates and times for content

Additional rights still held only by Administrators are as follows:

• Create or alter virtual directories
• Change the Anonymous user name or password
• Alter the configuration of a web site
• Change Application Isolation

To accomplish this goal, start the Management program for your platform, choose your web site, and open the Properties dialog. Click the Operators tab. The example here is from IIS5 on Windows 2000 and is shown in Figure 5-47. Click Add to get to the screen shown in Figure 5-48, and double-click the name of the user or group that is to be given most web server administration privileges. Click OK to save your work. Figure 5-49 shows the result.

Figure 5-47. Default Web Site Operators Page

Figure 5-48. Adding a Web Site Operator

Figure 5-49. Modified Web Site Operators Page

TIP

If you are part of a domain, you can add Domain Groups to the Operators list. If not, you can add only local users. In neither case can new local groups be added.

Hosting Multiple Web Servers

So far, this chapter has assumed that there will be only one web site on your server. In most cases, that's true, but there are exceptions. These are sites with multiple logical servers on one physical computer. Windows 2000 Server supports Web hosting, but neither Windows 2000 Professional nor Windows XP Professional do. On intranets, this is an important benefit for sites that expect to grow dramatically—it is much easier to move a logically separate server than to perform the surgery necessary to move a part of a series of integrated web pages.

To create a new web server in IIS5 installed on a Windows 2000 Server, launch Internet Services Manager, right-click the server name, and then choose New and Web Site (see Figure 5-50). The Web Site Creation Wizard guides you in creating a new web site.

Figure 5-50. Adding a New Logical Web Server

All the tasks identified in this chapter work just the same for single server sites as for multiple web server sites. However, keep one consideration in mind:

Any changes you make at the top level of the Internet Services Manager tree apply to all servers defined under it. No task can be identified as one that you should always define at the highest level. However, there are some candidates:

• Logging
• Session timeouts
• Authentication

Also, keep in mind that there is only one Metabase on a single physical server. Moving it for one moves it for all.

Summary

This chapter presented ways to harden IIS. Next up is a similar chapter on FTP, including some more secure alternatives to the built-in Microsoft product.

Chapter 6. Enhancing the FTP Server

This chapter covers the following topics:

• Inner Workings of FTP
• Secure FTP
• Example of Secure FTP Product

IIS comes with a free File Transfer Protocol (FTP) Server, yet you were advised in Chapter 4, "IIS Installation," not to install it. Clearly, a better solution exists.

FTP is notoriously insecure. Unless you ask carefully, it will try to open a new connection through your firewall or filtering router from the outside. Even if you do manage to avoid that problem, it will still send everything in the clear—and that includes the password you use to log in to the FTP server itself! This chapter shows you how FTP works, the effort to create a new standard defining secure FTP servers, and how to acquire and install an FTP server that uses SSL (the same technique that turns HTTP into HTTPS).

Inner Workings of FTP

Unlike most TCP-based protocols, FTP uses two different well-known ports. To make and control the connection, port 21 is used. However, FTP uses port 20 to transfer the data. When the Internet was new and the need for security was low, FTP's structure was an advantage. Commands to read or write a file or group of files used the control channel (port 21), while the files themselves used the data channel (port 20). This plan brought several advantages:

• Multiple, concurrent data transfers could proceed simultaneously.
• Out-of-band control information did not slow the data channel transfer.
• The control information could not interrupt (or worse, corrupt) the data.

As time went by, security changed from none-needed to optional to must-have. The design of separate control and data channels remained. As a result, FTP was modified to allow a more secure means of establishing the connection between client and server. New nomenclature was added to distinguish the new FTP from the old. The original FTP became known as PORT mode FTP, and the new version was named PASV FTP. The next two sections describe them and their differences in detail.

TIP

The letters PASV are commonly pronounced as if they spelled out the word passive. You will occasionally see a reference to PORT mode FTP as active FTP or as ACTV FTP, but these terms do not exist in any of the standards documents.

Network Diagram for FTP Examples

Figure 6-1 shows the sample network used in this discussion of how FTP works. There is a client at 192.168.1.100 and an FTP server at 172.16.1.101. There is, of course, a router between them.

Figure 6-1. Network Diagram
PORT Mode FTP

Figure 6-2 shows an FTP session between the client called dell-80 and the FTP server, called ftp.example.com. Figure 6-3 shows Ethereal capturing that same session.


Figure 6-2. FTP Session Using PORT Mode

Figure 6-3. Ethereal Capture of a PORT Mode Transfer
NOTE

The command line FTP client that ships with all versions of Windows uses PORT mode.

To manage the discussion of the session's steps, the data that made up Figure 6-2 is broken into several smaller parts. Each of the examples that follow match up to individual lines or small groups of lines shown in Figure 6-3. The source and destination names were edited to Client and Server to increase clarity and reduce the line width. By the way, line 12 in the figure came from NetBIOS (trying to talk to a host that was disconnected during this capture). It is ignored in the following discussion.

Example 6-1 shows the connection being initialized. The client picked an ephemeral port, in this case port 2631, and connected to the server using the normal FTP port, 21. The capture software automatically translates well-known port numbers to their names, which is why the protocol column uses the name ftp.

As discussed in detail in Chapter 1, "Essential Information for Web Security Administrators," TCP sessions begin with a three-way handshake. The server played its part by responding from the FTP port to the client on port 2631 (the port that the client set up for the control connection). The client completed the three-way handshake, resulting in an open TCP session.

Example 6-1. Opening the Connection

No.  Source  Destination  Protocol  Info
1    Client  Server       TCP       2631 > ftp [SYN]
2    Server  Client       TCP       ftp > 2631 [SYN, ACK]
3    Client  Server       TCP       2631 > ftp [ACK]



Example 6-2 shows that after the handshake completed, the server responded with its identification. The FTP client acknowledged it (in line 5) and generated a username prompt. After the user keyed it in (anonymous), the client sent line 6 to the server.

Example 6-2. Requesting and Getting the Username

No.  Source  Destination  Protocol  Info
4    Server  Client       FTP       Response: 220 Serv-U FTP Server v4.0 for WinSock ready...
5    Client  Server       TCP       2631 > ftp [ACK]
6    Client  Server       FTP       Request: USER anonymous

Line 7 (the first line in Example 6-3) shows the server responding that the username is okay. Later in this chapter, you will see how to configure a server and add usernames that it will recognize.

CAUTION

If you are using the FTP server that comes with IIS, you can log in with your domain credentials. As an administrator, you will not have to add a list of authorized users and their passwords. However, this is a major security breach because (as you can see in line 9) those credentials are passed in the clear. A solution to this problem is offered later in this chapter.

The password convention for anonymous FTP login is the e-mail name of the user. Servers can be configured to check the format of the password, but they don't actually verify the address. If you're following along with the lines in Figure 6-2, the content of line 10 is on your screen, just before the ftp> prompt (which is generated by the client).

Example 6-3. Logging in on the FTP Server

No.  Source  Destination  Protocol  Info
7    Server  Client       FTP       Response: 331 User name okay, please send complete E-mail ...
8    Client  Server       TCP       2631 > ftp [ACK]
9    Client  Server       FTP       Request: PASS [email protected]
10   Server  Client       FTP       Response: 230 User logged in, proceed.
11   Client  Server       TCP       2631 > ftp [ACK]

The first command entered by the user is pwd. That command is common to all versions of UNIX and is an acronym for Print Working Directory. It is the equivalent of the DOS command, cd (with no arguments). In fact, many FTP clients will accept simple DOS commands, such as rename and dir, and translate them into FTP control commands. The first two lines in Example 6-4 show the pwd command being transmitted to the server and the server's response saying that the client is at the root.

TIP

FTP got its start in the UNIX environment and as a result, it always understands the UNIX file system commands. This is true even if the FTP server is running on a Windows platform. (This one is running on a Windows 2000 Server.)

Example 6-4. Requesting Data from the Server

No.  Source  Destination  Protocol  Info
12   Client  Server       FTP       Request: XPWD
13   Server  Client       FTP       Response: 257 "/" is current directory.
14   Client  Server       TCP       2631 > ftp [ACK]
15   Client  Server       FTP       Request: PORT 192,168,1,100,10,74
16   Server  Client       FTP       Response: 200 PORT Command successful.
17   Client  Server       FTP       Request: NLST

This is not the real root of the drive. It is merely the top of the user's directory structure. If there were subdirectories, the user would be free to traverse down to them. However, the server will not allow the user to navigate higher into the real structure.


The next command issued by the user is ls, which is the equivalent of DOS's dir. That command generated lines 15 through 17. Line 15 is a PORT command. It asks the server to set up a new TCP session using port 2634 as the destination port on the client.

NOTE

You should pay special attention to two things in line 15. The first is that the client's IP address is in the PORT command. This creates a problem for those using Network Address Translation (NAT) because the IP address configured into the client is different than the one the server sees across the Internet. Most, but not all, routers and firewalls that do the NAT conversions will replace the address in the PORT command with a valid outside address and will forward the data to the client.

The other item of interest is the way that the client port number is represented. Because port numbers are 16-bit numbers, they have to be represented in two 8-bit bytes. The numbers you see are the decimal equivalents of the contents of each of those bytes. To do the conversion, multiply the first byte by 256 and add the second byte. In this example, that would yield 256 x 10 (2560) plus 74, giving 2634.

In Example 6-5, lines 19 and 20 are simply a response from the server to the ls request (line 17 in Example 6-4) and the client's acknowledgment. The important lines for this discussion are 18, 21, and 22. They represent a new three-way handshake originating from the server on the ftp-data port, 20 (line 18).

Example 6-5. Opening the Data Channel

No.  Source  Destination  Protocol  Info
18   Server  Client       TCP       ftp-data > 2634 [SYN]
19   Server  Client       FTP       Response: 150 Opening ASCII mode data connection for /bin/ls.
20   Client  Server       TCP       2631 > ftp [ACK]
21   Client  Server       TCP       2634 > ftp-data [SYN, ACK]
22   Server  Client       TCP       ftp-data > 2634 [ACK]

This connection on port 20 originating outside your network is the security problem. When one of your users initiates a connection, responses are okay. However, outsiders normally have no business starting a transaction. As a result, one of the first steps in configuring a firewall is to block new TCP connections originating outside your network.

As with many solutions, banning outside users from making connections to inside hosts solved a big problem but introduced a small one. It broke FTP. The FTP server's response to the ls request tries to open a new connection, and the firewall that was set up to protect the network blocks this otherwise legitimate request as a potential threat coming from outside. PASV mode FTP was invented to solve that problem.

NOTE

The message PORT Command successful in Example 6-4 originated on the server and was sent via the control channel. If the data channel connection initiation had been blocked by the screening router firewall, the session would hang just after that message arrived and the user would have had to intervene.

The lines in Example 6-6 show the end of a transfer and the normal closing of the data channel session. Some control channel messages are mixed in on lines 26 and 29.

Example 6-6. Closing the Data Channel

No.  Source  Destination  Protocol  Info
23   Server  Client       FTP-DATA  FTP Data: 19 bytes
24   Server  Client       FTP-DATA  FTP Data: 116 bytes
25   Client  Server       TCP       2634 > ftp-data [ACK]
26   Server  Client       FTP       Response: 226 Transfer complete.
27   Client  Server       TCP       2634 > ftp-data [FIN, ACK]
28   Server  Client       TCP       ftp-data > 2634 [ACK]
29   Client  Server       TCP       2631 > ftp [ACK]

Finally, Example 6-7 shows the FTP session ending normally as a result of the user sending the quit command.

Example 6-7. Ending the FTP Session

No.  Source  Destination  Protocol  Info
30   Client  Server       FTP       Request: QUIT
31   Server  Client       FTP       Response: 221 Goodbye!
32   Client  Server       TCP       2631 > ftp [FIN, ACK]
33   Server  Client       TCP       ftp > 2631 [ACK]
34   Server  Client       TCP       ftp > 2631 [FIN, ACK]
35   Client  Server       TCP       2631 > ftp [ACK]

PASV Mode FTP

FTP sessions start out the same way, whether PASV or PORT mode is being used. Example 6-8 shows the handshake for this PASV session. The client is using port 2645.

Example 6-8. Establishing a New FTP Session

No.  Source  Destination  Protocol  Info
1    Client  Server       TCP       2645 > ftp [SYN]
2    Server  Client       TCP       ftp > 2645 [SYN, ACK]
3    Client  Server       TCP       2645 > ftp [ACK]

The initial login and password (in the clear) lines were omitted. They are duplicates of the lines shown in Examples 6-2 and 6-3. Due to the pwd command, the first three lines (12 to 14) in Example 6-4 are also duplicates and were also omitted. Lines were renumbered for clarity in these examples. If the client is configured for PASV, it will not send the PORT command, so lines 15 and above in the preceding examples are different.

Example 6-9 begins on line 4 with the request from the client to the server for a PASV connection. Line 5 shows the server's response, telling the client that it is expecting the client to open a data channel using port 1043 (4 x 256 plus 19). Lines 6, 7, and 8 show the three-way handshake that the client initiated.

Example 6-9. Initiating a PASV Mode Transfer

No.  Source  Destination  Protocol  Info
4    Client  Server       FTP       Request: PASV
5    Server  Client       FTP       Response: 227 Entering Passive Mode (172,16,1,101,4,19)
6    Client  Server       TCP       2646 > 1043 [SYN]
7    Server  Client       TCP       1043 > 2646 [SYN, ACK]
8    Client  Server       TCP       2646 > 1043 [ACK]
9    Client  Server       FTP       Request: NLST
10   Server  Client       FTP       Response: 150 Opening ASCII mode data connection for /bin/ls.
11   Server  Client       FTP-DATA  FTP Data: 19 bytes
12   Server  Client       FTP-DATA  FTP Data: 116 bytes

The remainder of the capture was omitted. It simply reported on the success of the transfer and closed the session.

That's the big difference between PORT and PASV. In the former, the server initiated the data channel connection. In the latter, the server told the client which port to use for the data channel, and the client initiated the connection using that port. In PASV mode, the client initiates both the control session and the data session, so the FTP server is always responding, never initiating. This meets the screening router criteria for safe computing.

NOTE

Although this plan is a big step toward safe transfers, it isn't enough. Firewalls have grown far stronger and have more sophisticated security tools to use. A more detailed discussion of firewalls and how they work is in Chapter 10, "Firewalls."

TIP

Internet Explorer (IE—starting with version 5) defaults to PORT mode. Figure 6-4 shows the Internet Options Advanced tab (get to it from the Tools menu) focused on the check box that forces IE to use PASV mode.

Figure 6-4. Configuring IE for PASV Mode

Secure FTP

PASV mode FTP went a long way toward solving the security problem—most FTP servers are no more sophisticated than that. However, two big holes remain:

• The user name and password are sent in the clear. Users who access FTP servers with their domain user name and password are broadcasting those credentials for all to see.

• The contents of the files being transferred are also unprotected.

NOTE

Ethereal is a free, robust, and well-known network analysis tool that can even reconstruct a TCP session. With a single click, the contents of the data transferred to or from the FTP server display on a screen where they can be viewed, printed, or saved.

There is, however, a solution for protecting the user name, password, and file contents being transferred. You can add the power of SSL and certificates to FTP, making the entire transaction secure. Both SSL and certificates are discussed in detail in Chapter 9, "Becoming a Certification Authority (CA)."
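A way to check a captured FTP control-channel exchange against the two points made above (which side opens the data channel, and what crosses the wire in the clear), as an added example that is not from the book: it decodes the host-port string of a 227 reply or PORT command the way line 5 of Example 6-9 is decoded (4 x 256 + 19 = 1043), marks PORT-mode channels as server-initiated, and counts a login or data channel as protected only after the AUTH, PBSZ and PROT steps of RFC 2228 (AUTH TLS as used by the Securing FTP with TLS draft in Table 6-1). The user name, password, the address in the PORT sample and the server reply texts are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The 227 reply and the PORT command both carry h1,h2,h3,h4,p1,p2 (RFC 959).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)

def decode_hostport(fields) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> (ip, port); port = p1*256 + p2, so (4,19) is 1043."""
    nums = [int(x) for x in fields]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed host-port string")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

@dataclass
class DataChannel:
    mode: str        # "PASV" or "PORT"
    initiator: str   # side that opens the TCP data connection
    ip: str
    port: int
    encrypted: bool  # PROT P was in effect when the channel was announced

@dataclass
class Findings:
    channels: List[DataChannel] = field(default_factory=list)
    cleartext_user: Optional[str] = None  # USER sent before AUTH TLS succeeded
    cleartext_password: bool = False      # PASS sent before AUTH TLS succeeded

def analyze(session) -> Findings:
    """session: (side, line) pairs, side "Client" or "Server", in wire order."""
    f = Findings()
    control_tls = False   # server accepted AUTH TLS (234 reply)
    prot_private = False  # server accepted PROT P (200 reply)
    pending = ("", "")    # last client command and argument, paired with its reply
    for side, line in session:
        if side == "Client":
            cmd, _, arg = line.partition(" ")
            pending = (cmd.upper(), arg.strip())
            if pending[0] == "USER" and not control_tls:
                f.cleartext_user = pending[1]
            elif pending[0] == "PASS" and not control_tls:
                f.cleartext_password = True
            elif pending[0] == "PORT":
                m = PORT_RE.match(line)
                if m:  # active mode: the server will connect back to this port
                    ip, port = decode_hostport(m.groups())
                    f.channels.append(DataChannel("PORT", "Server", ip, port, prot_private))
        else:
            code = line[:3]
            if pending[0] == "AUTH" and code == "234":
                control_tls = True
            elif pending[0] == "PROT" and code == "200":
                prot_private = pending[1].upper() == "P"
            m = PASV_RE.match(line)
            if m:  # passive mode: the client will connect to this port
                ip, port = decode_hostport(m.groups())
                f.channels.append(DataChannel("PASV", "Client", ip, port, prot_private))
    return f

def server_ever_initiates(f: Findings) -> bool:
    """The screening criterion from the text: safe only when the server just responds."""
    return any(c.initiator == "Server" for c in f.channels)

def unprotected_data_channels(f: Findings) -> List[DataChannel]:
    """Data channels whose file contents cross the wire in the clear."""
    return [c for c in f.channels if not c.encrypted]

# Constructed sample 1: the control channel of Example 6-9 with the login lines
# the example omitted re-added (placeholder user name and password).
PLAIN_PASV_SESSION = [
    ("Client", "USER alice"), ("Server", "331 Password required for alice."),
    ("Client", "PASS example-password"), ("Server", "230 User alice logged in."),
    ("Client", "PASV"), ("Server", "227 Entering Passive Mode (172,16,1,101,4,19)"),
    ("Client", "NLST"), ("Server", "150 Opening ASCII mode data connection for /bin/ls."),
]

# Constructed sample 2: the same transfer with TLS negotiated on the control
# channel and PROT P on the data channel (reply texts are made up). Lines after
# the 234 reply are encrypted on the wire; a server log or a decrypted capture
# records them like this.
TLS_PASV_SESSION = [
    ("Client", "AUTH TLS"), ("Server", "234 AUTH TLS successful"),
    ("Client", "USER alice"), ("Server", "331 Password required for alice."),
    ("Client", "PASS example-password"), ("Server", "230 User alice logged in."),
    ("Client", "PBSZ 0"), ("Server", "200 PBSZ=0"),
    ("Client", "PROT P"), ("Server", "200 Protection level set to P"),
    ("Client", "PASV"), ("Server", "227 Entering Passive Mode (172,16,1,101,4,19)"),
]

if __name__ == "__main__":
    for name, session in (("plain", PLAIN_PASV_SESSION), ("tls", TLS_PASV_SESSION)):
        f = analyze(session)
        print(name, f, "server initiates:", server_ever_initiates(f),
              "unprotected:", len(unprotected_data_channels(f)))
```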

NOTE

Just as SSL is important to establishing secure and private FTP, it has the same role in SMTP (Mail). Users send mail by way of your LAN to your mail server. From there, it leaves your company en route to the destination mail server. While still on your LAN, any curious users with a network analysis tool, such as Ethereal, could capture and read all of the e-mail passing by their station. SSL-enabled mail servers prevent that. Although those same tools could read e-mail while it is traversing the Internet, the quantity of traffic and the difficulty of finding a place to plug in the listening station lower this risk to nearly nonexistent status.

RFC Status

Requests for Comments (RFCs) are the primary vehicle for establishing Internet standards. New standards and modifications to existing ones are created by RFCs being offered for comment and eventually becoming accepted by the Internet Engineering Task Force (IETF).

PASV mode FTP is an example of this process. RFC 959 was the original RFC that defined FTP. That RFC also defined the PASV command but left details for future development, which came in February 1994 with the release of RFC 1579.

NOTE

The RFC process has long been formalized. New proposals start out as Internet Drafts and move through several stages of review before getting an RFC number. RFC 2026 describes the steps a proposal goes through on the way to becoming an RFC.

One detail from RFC 2026 might forestall some confusion. RFCs are numbered sequentially as they rise from Internet Drafts to RFC status. However, the date assigned to the RFC is based on the date that it was submitted as an Internet Draft. A higher-numbered RFC can have an earlier date than many of those whose numbers precede it.

Table 6-1 lists several of the key RFCs dealing with securing FTP.

NOTE

Any RFC can be located at the official repository at www.ietf.org/rfc/rfcxxxx.txt, where xxxx is the number of the RFC. A more convenient location is www.rfc-editor.org/rfcsearch.html, where you can search for RFCs by name, number, keyword, or, if you don't mind the delay, even content.

Table 6-1. RFCs that Enable Secure FTP

RFC Number      Title                                                          Date
RFC 2228        FTP Security Extensions                                        October 1997
RFC 2246        The TLS Protocol                                               January 1999
RFC 2389        Feature negotiation mechanism for the File Transfer Protocol   August 1998
Internet Draft  Securing FTP with TLS                                          January 2000, revised April 2002

NOTE

Transport Layer Security (TLS) is an IETF standard based on Secure Sockets Layer (SSL) version 3. The biggest difference is that TLS uses stronger cryptographic algorithms. Support for both SSL and TLS is built into most modern browsers and servers.




Example of Secure FTP Product

Several secure FTP servers and clients are available for Windows-based computers. This section uses an FTP server called Serv-U and an FTP client called FTP Voyager, both from RhinoSoft.com. You'll learn how to install the server and the client, and how to enable and control secure FTP.

NOTE

As used here, the term secure FTP has two meanings. One is that the password is hashed (transformed into a usually shorter fixed-length value or key that represents the original string). The other is that the contents of the files being transferred can be encrypted using SSL or TLS.

Many clients and servers allow hashed passwords but don't support SSL. This is a good step forward but does not completely fix the problem. As an aside, many FTP clients that do support SSL also hash the password. That's redundant, though not particularly harmful.

No Standard Leads to No Interoperability

It was my intent to use the secure server from RhinoSoft and the client from Insight. After many hours of trying to get them working with each other, I gave up and switched to RhinoSoft's client, which I've used for years. I also tried Insight's server against both clients. Each server connected flawlessly with its client but refused to talk securely across company lines. Both would talk to any nonsecure client, including the DOS-style FTP client. This is a common problem when dealing with technology that isn't yet standardized.

Secure Server Installation

To install Serv-U, the RhinoSoft secure FTP server, the first step is to download the fully functional 30-day trial version. Go to www.Rhinosoft.com, click the Serv-U link, and then click the download link and save the program in an appropriate directory. While you're there, get the client, FTP Voyager, too.

FTP servers are most often installed in one of two locations. The first is as a general repository of files available to some group of users (possibly including the general public). The other common location is the web server. In that case, the FTP server receives the files that make up the web server's content. Both cases need additional security.

Make sure that you're logged in with administrator rights and launch the install program by clicking it. You'll see an important warning screen, reproduced in Figure 6-5. As you'll discover in Chapter 9, SSL requires the use of a certificate. Dozens of firms are willing to sell you one, or you can generate your own. Serv-U takes the latter approach and generates its own certificate. It does that after you fill in appropriate fields on one of its pages.

Figure 6-5. Serv-U Initial Installation Screen

Because there is already information in those pages that is the same for every install, the server generates the default certificate for every installation. This is clearly not secure because all public and private keys would be the same (and known to every hacker). To make your server certificate unique, you must change the contents of those fields. This message warns you about that risk and tells you how to avoid it. For now, click Next to proceed with the install. You will create your own certificate manually after the wizard ends.

Figure 6-6 shows a screen that you've seen many times. Here, you get to choose the installation directory. The default is nearly always correct, so change it if you must but be sure to press Next when you are ready to proceed.

Figure 6-6. Program Installation Location



You see the screen shown in Figure 6-7 next. Make sure that all the boxes are checked and click Next.

Figure 6-7. Selecting the Components to Install

TIP

If you want to be able to administer the server from another location, you can repeat the installation and choose the second box, Administrator program files.

Similarly, if you have several FTP servers to install, you can skip the second box on any server where you are sure that you don't want to do local administration.

The files will copy over quickly, and an installation wizard whose first screen is shown in Figure 6-8 will start automatically. Click Next to begin the wizard.

Figure 6-8. Beginning the Setup Wizard

Figure 6-9 is a courtesy to FTP server administrators who prefer small, easy-to-read images with menu items. Enable or disable them as you prefer and click Next to bring you to the screen shown in Figure 6-10. Click Next on that page to start the FTP server already installed on your machine for the first time. (It will start automatically from now on whenever you reboot the server itself.)

Figure 6-9. Setting Icon Size Preference
Figure 6-10. Starting the FTP Server for Additional Configuration

NOTE

Everything you do in the wizard can be done using menu items. However, using the wizard prevents you from skipping necessary steps.
Figure 6-11 asks you for the IP address of the computer on which you are installing the FTP server. You can have a machine where the IP address varies. (This is common on machines that use dial-up or DSL lines, but not very common on LANs or publicly available FTP servers.) The example here uses a fixed address. Key in your server's address and click Next.

Figure 6-11. Setting the FTP Server IP Address
NOTE

If your server has an address but you don't know it, open a command prompt and type ipconfig. For security, don't leave this field blank unless you are using a dynamic address. If it is blank, the FTP server answers on whatever its current IP address happens to be, on every interface the machine has, including an address an attacker may have changed it to.

Your server needs a descriptive name. You can use the DNS name or choose another. (The name is used only internally to generate the certificate and does not have to be resolvable externally with DNS.) As shown in Figure 6-12, key in whatever you think appropriate and click Next.
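The note above tells you to tie the server to a fixed address. The quickest way to confirm afterwards that the setting took is to look at what is actually listening. The Python script below is an added example for this chapter, not code from the book or from Serv-U: it parses netstat -an output (the Windows layout and the Linux one), flags any TCP listener on the given port that is bound to the wildcard address (0.0.0.0 or ::) or to some address other than the one you configured, and can run the same check against the live host. The sample netstat output, the address 192.168.1.10 and the ports in it are constructed for the demonstration.

```python
"""Confirm that the FTP control port listens only on the address you configured.

Added example for this chapter, not code from the book or from Serv-U. It reads the
output of `netstat -an` (Windows and Linux layouts) and reports any TCP listener on
the given port that is bound to the wildcard address or to an unexpected address.
The sample output, the address 192.168.1.10 and the ports in it are constructed.
"""
import subprocess

WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed `netstat -an` output from a Windows host whose FTP server was left with a
# blank IP address (so it bound 0.0.0.0 and [::]) while the web server was tied to one address.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        192.168.1.55:1043      ESTABLISHED
  TCP    [::]:21                [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""


def split_host_port(local: str):
    """'192.168.1.10:21' -> ('192.168.1.10', 21); '[::]:21' and Linux ':::21' -> ('::', 21)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def tcp_listeners(netstat_output: str):
    """Yield (host, port) for every TCP socket in the LISTEN/LISTENING state."""
    for line in netstat_output.splitlines():
        parts = line.split()
        # Windows rows: Proto Local Foreign State. Linux rows: Proto Recv-Q Send-Q Local Foreign State.
        # In both layouts the local address is third from the end and the state is last.
        if len(parts) < 4 or not parts[0].upper().startswith("TCP"):
            continue
        if parts[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        yield split_host_port(parts[-3])


def check_bind(netstat_output: str, port: int, expected_host: str) -> list:
    """Problems with a service that should listen on expected_host:port and nowhere else."""
    bound_to = [host for host, p in tcp_listeners(netstat_output) if p == port]
    problems = []
    if not bound_to:
        problems.append(f"nothing is listening on TCP port {port}")
    for host in bound_to:
        if host in WILDCARDS:
            problems.append(f"port {port} is bound to the wildcard address {host}: "
                            f"it answers on every interface, not just {expected_host}")
        elif host.lower() != expected_host.lower():
            problems.append(f"port {port} is bound to {host}, not the configured {expected_host}")
    return problems


def live_check(port: int, expected_host: str) -> list:
    """Run netstat on this host and apply check_bind to the real output."""
    output = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    return check_bind(output, port, expected_host)


if __name__ == "__main__":
    for problem in check_bind(SAMPLE_NETSTAT, 21, "192.168.1.10"):
        print(problem)
```

Against the sample, port 21 produces two findings (the IPv4 and the IPv6 wildcard binds) while port 80, tied to 192.168.1.10, produces none. On the real server call live_check(21, "your.fixed.address") after the wizard has started the service; an empty list is the result you want.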

Figure 6-12. Setting the Descriptive Name
The next question, presented in Figure 6-13, takes careful thought. If your FTP server is going to be available to people you don't know (typically over the Internet), you need to allow Anonymous access. However, if you know your users, you can create accounts for them individually (or by group) or let them use Anonymous access. The main difference is in the starting directory. In a later step, you define the directory that the user has access to after connecting. If you define separate user accounts, you can give them access to different directories. However, if they share an account, they have to share the directory, too (and the server log can no longer tell you which person did what). For this example, allow Anonymous access and click Next.

Figure 6-13. Creating the Anonymous User Account

TIP

If you change your mind later, remember that from the FTP server's point of view, the anonymous user is just another named account. You can add or remove it as needed.

You are asked (on the screen shown in Figure 6-14) if you want to create a named account. You want at least one account for updating the FTP server content. The default is to create one, so just click Next. That leads you to the screen shown in Figure 6-15, where you'll be asked for the account name. Key in something appropriate and click Next. ("Developers" is used here.) The next page (Figure 6-16) asks for the password. It is case-sensitive. This example uses WSFG, but a more complex password scheme is recommended and examples are in Chapter 12, "The Weakest Link." Key in something you'll remember and click Next.

Figure 6-14. Requesting a Named Account


Figure 6-15. Entering the User Name
Figure 6-16. Entering the User Password

Then, you are asked for the account's home directory. This is the directory that the user will be started in after logging in. You can key in the location or click the Browse icon to navigate to it (shown in Figure 6-17). Click OK after you pick the right location, and click Next to proceed to the screen shown in Figure 6-18.

Figure 6-17. Selecting the Home Directory
Figure 6-18. Locking the User
The question there is whether you want to lock the user to the directory you just chose. You should select Yes so that the user can access files in the named directory and in any subdirectories, but not other directories at or above that level. The default, No, lets the account browse directories outside its home and is only appropriate for superusers. Click Next to proceed.
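What the lock decides is easier to see in code than in a dialog box. The Python model below is an added example for this chapter, not code from the book or from Serv-U: it resolves a client's FTP path onto the real Windows file system the way an unlocked account would (every .. honoured), then applies the lock as a check that the resolved path is still under the home directory. The home directory C:\FTPRoot\Developers and the requests are constructed; ntpath is used explicitly so the result is the same on any platform.

```python
"""What the wizard's 'Lock user in home directory' setting actually decides.

Added example for this chapter, not code from the book or from Serv-U. It models how an
FTP server maps a client's path onto the real Windows file system with and without the
lock. ntpath is used explicitly so the result is identical on any platform; the home
directory and the requests are constructed for the demonstration.
"""
import ntpath
import posixpath

HOME = r"C:\FTPRoot\Developers"   # the home directory picked in the wizard (constructed)


def resolve_unlocked(home: str, cwd: str, requested: str) -> str:
    """No lock: the virtual path ('/' is the home directory) is joined onto the real home
    and normalised. Every '..' is honoured, so a request can walk right off the home tree."""
    virtual = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    relative = virtual.lstrip("/").replace("/", "\\")
    return ntpath.normpath(ntpath.join(home, relative))


def resolve_locked(home: str, cwd: str, requested: str):
    """Lock on: resolve the same way, then refuse anything that does not stay under home.
    Returns the real path, or None when the request is denied."""
    real = resolve_unlocked(home, cwd, requested)
    home = ntpath.normpath(home)
    try:
        inside = ntpath.commonpath([home, real]) == home   # ntpath compares case-insensitively
    except ValueError:                                     # different drive letter: not inside
        inside = False
    return real if inside else None


# (current virtual directory, path as the client sent it): constructed requests
REQUESTS = [
    ("/", "pub/readme.txt"),                  # ordinary download
    ("/pub", "../docs"),                      # '..' that stays inside home
    ("/pub", "../../../Windows/system.ini"),  # classic traversal up to the system root
    ("/", "..\\..\\Windows"),                 # same, with the backslashes a Windows client may send
    ("/", "/../boot.ini"),                    # absolute path trying to step above the virtual root
]


def compare(home: str = HOME, requests=REQUESTS) -> list:
    """(cwd, request, real path without the lock, real path with the lock or None) per request."""
    return [(cwd, req, resolve_unlocked(home, cwd, req), resolve_locked(home, cwd, req))
            for cwd, req in requests]


if __name__ == "__main__":
    # The lock is the FTP server's own path check; back it with NTFS permissions on the
    # account so that a request that did slip past it still finds nothing readable.
    for cwd, req, unlocked, locked in compare():
        print(f"cwd {cwd:4} {req:30} unlocked -> {unlocked}")
        print(f"{'':35} locked   -> {locked or 'DENIED'}")
```

Note that the check is on the resolved path, not on the presence of .., so ../docs from /pub is allowed (it lands in the home tree) while ../../../Windows/system.ini, the backslash variant and /../boot.ini are all denied.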

Most users are not able to manage the FTP server, but the screen shown in Figure 6-19 asks if the user you are defining now is an exception. There are five choices, as listed and defined in Table 6-2. Select the default, No Privilege, and click Next (it is hiding under the drop-down menu in the figure) to get to the screen shown in Figure 6-20, where you end the wizard by clicking Finish.

Figure 6-19. Selecting the Account Admin Privilege


Figure 6-20. Finishing the Wizard

Table 6-2. FTP Server User Types

Privilege Name           Use

No Privilege             Typical users.

Group Administrator      In charge of a section of the directory structure; can make new users and give access within that structure but cannot otherwise modify the FTP server configuration.

Domain Administrator     A single instance of the Administration program can manage multiple FTP servers, called a Domain. A Domain Administrator can manage one domain but cannot change other, global settings.

System Administrator     Can manage any aspect of the FTP server.

Read-only Administrator  Can see anything that the System Administrator can see but can make no changes.

When the wizard completes, you have a working FTP server, but you must still do several things to bolster security. You were alerted to the first of them in the wizard's initial screen; you must make the certificate your own.

When the wizard finishes, you will be viewing the screen shown in Figure 6-21. To edit the certificate and automatically generate a new one, click Settings (the one just under Local Server, not the one for this particular instance). That presents a series of four tabs in the large right-hand pane. Click the SSL Certificate tab to get to the screen shown in Figure 6-22.

Figure 6-21. Serv-U FTP Administrator After Finishing the Wizard

Figure 6-22. Default SSL Certificate Page
The fields you see in Figure 6-22 are the minimum fields needed for a certificate. Make the changes appropriate to your site (Figure 6-23 shows a sample) and exit the program with File > Exit. This generates a public and private key pair based on the data you entered and places the public key in a self-signed X.509 formatted certificate. It also generates a certificate request file called certreq.txt and places it in %systemroot% (typically C:\WINNT or C:\Windows). Theoretically, that file can be sent to a certification authority if you want; however, the program currently has no function to import the signed certificate back in. Until it does, your certificate remains self-signed: clients cannot check it against a trusted CA and must be told to trust this particular certificate (or its fingerprint) explicitly.

Figure 6-23. Customizing Your Certificate
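Once you have made the certificate your own, check what the server actually presents when a client sends AUTH TLS. The Python script below is an added example for this chapter, not code from the book or from Serv-U, and uses only the standard library. cert_findings evaluates a certificate in the dictionary form Python's ssl module returns and reports whether it is self-signed, whether its names match the host, and whether it is expired or about to expire; audit connects to a live server with explicit FTPS, takes the SHA-256 fingerprint of the presented certificate, compares it with a pinned value if you supply one, and, when you pass a PEM copy of your own self-signed certificate as the trust anchor, runs cert_findings on the decoded fields. The sample certificate for ftp.example.com and the fixed clock are constructed for the demonstration.

```python
"""Audit the certificate an FTP server presents in response to AUTH TLS.

Added example for this chapter, not code from the book or from Serv-U; standard library
only. The server name in the sample and the sample certificate are constructed.
"""
import hashlib
import ssl
import sys
import time
from ftplib import FTP_TLS


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon separated as most tools print it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def name_matches(name: str, host: str) -> bool:
    """Exact match, or one wildcard in the leftmost label only (*.example.com)."""
    name, host = name.lower(), host.lower()
    if name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == name[2:]
    return name == host


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_findings(cert: dict, expected_host: str, now: float = None, warn_days: int = 30) -> list:
    """Problems with a certificate in the dict form ssl's getpeercert() returns; [] means none."""
    now = time.time() if now is None else now
    findings = []
    # A self-signed certificate (issuer == subject) is exactly what the wizard produces:
    # nobody but you vouches for it, so clients must trust it or its fingerprint explicitly.
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed: issuer equals subject, no CA vouches for this certificate")
    names = cert_names(cert)
    if not any(name_matches(n, expected_host) for n in names):
        findings.append(f"name mismatch: certificate is for {names}, server is {expected_host}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append(f"not yet valid: notBefore is {cert['notBefore']}")
    if now > not_after:
        findings.append(f"expired: notAfter was {cert['notAfter']}")
    elif not_after - now <= warn_days * 86400:
        findings.append(f"expires soon: notAfter is {cert['notAfter']}")
    return findings


def audit(host: str, port: int = 21, cafile: str = None, pinned_sha256: str = None, timeout: int = 15):
    """Connect with explicit FTPS (AUTH TLS), fetch the server certificate and evaluate it.

    cafile: PEM copy of the server's own self-signed certificate. With it as the trust anchor
    the TLS library accepts the certificate and hands back the decoded fields; without it
    verification is off and only the raw DER (hence the fingerprint) is available."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # name checking is done, more verbosely, in cert_findings
    if cafile is None:
        ctx.verify_mode = ssl.CERT_NONE  # getpeercert() then returns {}, but the DER is still there
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, port)
    ftps.auth()                          # AUTH TLS on the control connection
    der = ftps.sock.getpeercert(binary_form=True)
    decoded = ftps.sock.getpeercert()
    ftps.quit()
    fp = fingerprint(der)
    findings = []
    if pinned_sha256 and fp != pinned_sha256.upper():
        findings.append(f"fingerprint {fp} does not match the pinned value")
    if decoded:
        findings.extend(cert_findings(decoded, host))
    else:
        findings.append(f"certificate fields not checked (no cafile given); fingerprint is {fp}")
    return fp, findings


# Constructed sample in getpeercert() form: a one-year self-signed certificate for ftp.example.com.
SAMPLE_SUBJECT = ((("countryName", "US"),), (("organizationName", "Example Co"),),
                  (("commonName", "ftp.example.com"),))
SAMPLE_CERT = {
    "subject": SAMPLE_SUBJECT,
    "issuer": SAMPLE_SUBJECT,
    "notBefore": "Jan 15 00:00:00 2003 GMT",
    "notAfter": "Jan 15 00:00:00 2004 GMT",
    "serialNumber": "01",
    "version": 3,
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2003 GMT")  # fixed clock for the demo

if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: script.py <host> [cafile.pem]
        print(audit(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        for line in cert_findings(SAMPLE_CERT, "ftp.example.com", now=SAMPLE_NOW):
            print(line)
```

Run it with the server's name and, optionally, a PEM copy of the certificate you just generated. The sample certificate yields exactly one finding (self-signed) when checked against ftp.example.com in mid-2003; against any other host name it also reports the mismatch, and half a year later it reports the approaching expiry. Record the fingerprint the first run prints and pass it as pinned_sha256 on later runs: that is how you detect a certificate that changed when you did not change it.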


NO TE Under st and secur e inst allat ion op t ions f or Wind ows w eb ser v ers an d how t o enhan ce secur ingh w ebSSL an duses FTP cer ser tvificat er ines, st allat Ch apt it ery 9onexexist plains ow t heions p rocess of sig ning cer t ificat es, r eq uest in g new ones, pu blic and pr ivat e key s, and m uch mor e. I m pr ove secur it y at t he end user' s w or kst at ion, inclu ding w eb b row ser s, desk t ops, an d lapt op s t heam pr os cons of set in st allingand a cer t ificat serv er ch and becom in geasiest you r owway n to do Rest arEv t aluat t h e pre ogr t o an r evdiew key t ings m ake adedit ional anges. The Autthe hornew it y t ask bar icon ( t hick gr een let t er U, near t h e clock ) an d click St a rt t hat isCer t ot ificat rig ht ion - click Ad m i ni st r at or . Lear n t he Cisco PI X Fir ew all an d Cisco I OS Firew all ar chit ect u re and how t o app ly Cisco st andar d and ex t en ded access list s Discover w ay s t o t est t he cur r en t st at e of secur it y and k eep it up t o dat e

NOTE


As you read through the descriptions of these settings, you see that more is skipped than is discussed. That's because these next few paragraphs are designed to alert you to the kind of features that secure FTP servers offer, not to examine the details of Serv-U. If you are using a different server, you will have to rely on that server's help and documentation.

Click Settings (the same one as before, under Local Server) and then, on the General tab, select a domain if one is not selected by default. You'll get the screen shown in Figure 6-24. The fields for security and performance are especially important.

Figure 6-24. Domain Settings: General
The security-involved field is labeled Block "FTP_bounce" attacks and FXP. An FXP transfer is from FTP server to FTP server, and it has been abused. Malicious users will copy everything they can from your server back to your server (or bouncing off of another server). As you'd imagine, that quickly uses up all your bandwidth, and shortly after that, all your disk space. Checking this box prevents such transfers from happening.

The performance tab is called Block anti time-out schemes. It keeps FTP clients from sending keepalive No Operation (NOOP) commands just to keep the connection alive. Check this one, too, and then click the Advanced tab on the same Settings page. You'll get the screen shown in Figure 6-25.

Figure 6-25. Domain Settings: Advanced
Make sure that the Encrypt Passwords and Enable security boxes are checked. (They should be checked by default.) These store passwords as MD5 hashes and require Administrator login to the server before allowing modifications, respectively.

TIP

When you clicked the task bar icon, you were able to start the FTP server and make changes without logging into it because the Enable security box wasn't checked on this server.

Click the server name itself (in the left pane), as shown in Figure 6-26, to continue. On that page, you should make a proactive security setting. The three choices in the Security drop-down box are as follows:

Regular FTP only, no SSL/TLS
Allow SSL/TLS and regular sessions
Allow only SSL/TLS sessions

Figure 6-26. Configuring SSL Use Requirements
Pick either of the last two. If you know that all the authorized users of your FTP server have an SSL-enabled client, choose the bottom option. However, if some users might not have the ability to use SSL, the middle option will serve you best.

NOTE

FTP with TLS uses port 990. If you choose the SSL/TLS only option, the port number on that page changes. When using the Allow SSL/TLS and regular sessions option, the port starts out as 21 but changes during the session initiation. Be sure that your firewalls and router access lists allow both ports through, as covered later in Chapter 10.

Click the Settings label under the FTP server name and then on the Logging tab to get to the screen shown in Figure 6-27. Logging FTP server activity is essential for the same reasons that were discussed in Chapter 5, "Enhancing Web Server Security." However, you should make one exception. If you have a program that checks the availability of your servers every few minutes (by connecting and then closing the connection), you should key the IP address of its host into the Do not log clients from these IPs box. Doing so prevents these maintenance connections from filling up the log.

Figure 6-27. Domain Settings: Logging
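As an added example (my own code, not the book's and not Serv-U's), here is a small log-processing script that does two things the text motivates: it drops entries from a hypothetical availability-checker host, mirroring the Do not log clients from these IPs exclusion, and it flags sessions dominated by NOOP keepalives, the pattern that the Block anti time-out schemes setting described earlier is meant to stop. The log layout, the monitor address 192.0.2.10, the session ids and the client addresses are all constructed for the example; Serv-U's real log format is not used.

```python
import re
from collections import defaultdict

# Hypothetical host of an availability checker: the kind of address that goes into
# the "Do not log clients from these IPs" box.
MONITOR_HOSTS = {"192.0.2.10"}

# Constructed log lines in a simple "date time [session] client-ip command" layout.
# This is an illustrative format, not Serv-U's own log format.
SAMPLE_LOG = """\
2002-11-08 10:00:01 [s1] 192.0.2.10 Connected
2002-11-08 10:00:01 [s1] 192.0.2.10 Disconnected
2002-11-08 10:00:05 [s2] 203.0.113.9 USER alice
2002-11-08 10:00:06 [s2] 203.0.113.9 PASS ****
2002-11-08 10:00:07 [s2] 203.0.113.9 NOOP
2002-11-08 10:00:12 [s2] 203.0.113.9 NOOP
2002-11-08 10:00:17 [s2] 203.0.113.9 NOOP
2002-11-08 10:00:22 [s2] 203.0.113.9 NOOP
2002-11-08 10:00:27 [s2] 203.0.113.9 NOOP
2002-11-08 10:00:32 [s2] 203.0.113.9 NOOP
2002-11-08 10:00:40 [s2] 203.0.113.9 RETR report.pdf
2002-11-08 10:05:01 [s3] 192.0.2.10 Connected
2002-11-08 10:05:01 [s3] 192.0.2.10 Disconnected
2002-11-08 10:06:00 [s4] 198.51.100.23 USER bob
2002-11-08 10:06:01 [s4] 198.51.100.23 NOOP
2002-11-08 10:06:30 [s4] 198.51.100.23 RETR file.txt
"""

_LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] (\S+) (.+)$")


def parse_log(text):
    """Parse the constructed layout into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            ts, session, ip, cmd = m.groups()
            entries.append({"ts": ts, "session": session, "ip": ip, "cmd": cmd})
    return entries


def exclude_monitor_hosts(entries, hosts=MONITOR_HOSTS):
    """Drop the availability checker's entries so they do not fill the log,
    the same effect as the server-side exclusion the text describes."""
    return [e for e in entries if e["ip"] not in hosts]


def flag_noop_sessions(entries, min_noops=5):
    """Return session ids whose NOOP count reaches min_noops and outnumbers every
    other command combined: the keepalive pattern an anti-timeout scheme produces."""
    per_session = defaultdict(lambda: {"noop": 0, "other": 0})
    for e in entries:
        key = "noop" if e["cmd"].upper().startswith("NOOP") else "other"
        per_session[e["session"]][key] += 1
    return sorted(
        s for s, st in per_session.items()
        if st["noop"] >= min_noops and st["noop"] > st["other"]
    )


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    kept = exclude_monitor_hosts(entries)
    print(f"{len(entries)} entries, {len(kept)} after excluding monitor hosts")
    print("NOOP-dominated sessions:", flag_noop_sessions(entries))
```

The NOOP check is run on the full entry list rather than the filtered one on purpose: exclusion is about log volume, while the keepalive check is about client behaviour, and a monitoring host that started issuing NOOPs would be worth seeing too.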
Further to the right on the same page is the Advanced tab. If your FTP server is behind a NAT service, you need to change an entry on it. Unless you tell it otherwise, the FTP server places its actual IP address in its response message to the client's PASV request (see line 5 in Example 6-9). If your internal devices are hidden behind a router or firewall that translates Internet-accessible registered addresses to internal addresses, you need to use this field. On the device doing the NAT translations, you need to permanently assign a registered address to the FTP server's internal network IP address. (That's called Static NAT and is described in Chapter 1.) Then, as shown in Figure 6-28, put that address in the data entry box next to the Allow passive mode data transfers, use IP field. That way, the client will know what address to use when making the data connection.

Figure 6-28. Adjusting for NAT
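The following added example (my own code, not the book's and not Serv-U's) works through the two address checks this chapter motivates. On the client side it compares the address carried in a 227 PASV reply with the host the control connection actually goes to, which catches both a server behind NAT that has not been given its registered address (the use IP field above) and a reply that would send the client's data connection to some third party. On the server side it applies the bounce/FXP rule behind the Block "FTP_bounce" attacks and FXP setting, refusing PORT targets that are not the client itself or that name a privileged port. The sample 227 reply, the PORT command and every address in it are constructed.

```python
import ipaddress
import re

# Constructed sample control-channel lines (not taken from the book or from any server).
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"
PORT_COMMAND = "PORT 203,0,113,9,4,1"

# RFC 1918 ranges: an address from one of these in a 227 reply sent to an outside client
# is the classic symptom of a NAT'd server that advertises its real (internal) address.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_tuple(groups):
    """Turn the six decimal bytes of a PORT argument or 227 reply into (ip, port)."""
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        raise ValueError("byte out of range in address tuple")
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return ip, port


def parse_pasv(reply):
    """Decode a server 227 reply into the (ip, port) the client is told to connect to."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply")
    m = _TUPLE_RE.search(reply)
    if m is None:
        raise ValueError("227 reply carries no address tuple")
    return _decode_tuple(m.groups())


def parse_port(command):
    """Decode a client PORT command into the (ip, port) the server is asked to connect to."""
    m = re.match(r"^PORT\s+(.*)$", command.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError("not a PORT command")
    t = _TUPLE_RE.fullmatch(m.group(1).strip())
    if t is None:
        raise ValueError("malformed PORT argument")
    return _decode_tuple(t.groups())


def check_pasv(reply, control_peer_ip):
    """Client-side check of a 227 reply against the address the control connection goes to.

    Returns "ok", "privileged-port", "nat-leak" (an RFC 1918 address was advertised,
    which the server's use IP field fixes) or "mismatch" (some other host: a client should
    refuse rather than open a data connection to a third party).
    """
    ip, port = parse_pasv(reply)
    if port < 1024:
        return "privileged-port"
    if ip == control_peer_ip:
        return "ok"
    if any(ipaddress.ip_address(ip) in net for net in _RFC1918):
        return "nat-leak"
    return "mismatch"


def check_port(command, control_peer_ip):
    """Server-side bounce/FXP check: only open data connections back to the client itself,
    and only to an unprivileged port. Returns "ok", "privileged-port" or "bounce"."""
    ip, port = parse_port(command)
    if port < 1024:
        return "privileged-port"
    if ip != control_peer_ip:
        return "bounce"
    return "ok"


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY), check_pasv(PASV_REPLY, "198.51.100.7"))
    print(parse_port(PORT_COMMAND), check_port(PORT_COMMAND, "198.51.100.7"))
```

The same comparison is what a modern client does when it ignores the address in a 227 reply and simply reuses the control peer's address; the version here reports why the two differ, which is more useful when debugging a server behind NAT.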

NOTE

You cannot use SSL across a NAT-enabled router or firewall. The PORT command or PASV response would be encrypted, so the NAT device would not be able to do the translations in the body of the FTP message (the headers would be handled okay). There are firewall proxy services that handle HTTPS (HTTP plus SSL, described in Chapter 9). They do so by terminating the SSL connection at the firewall, translating the contents as required, and switching back to SSL. No equivalent cleartext-scan products are currently available for FTP.

That completes the work to get your server ready for secure connections. The next thing to do is to install and configure an SSL-enabled client.

Secure Client Installation

As with the server, installing the FTP Voyager client begins with its download. After it is acquired, double-click it to begin the installation. You'll see several screens that you've seen many times before, suggesting that you close all other programs, that you agree to the End User License Agreement (EULA), and that you like the default installation directory. Click Next or Yes until you get to the screen shown in Figure 6-29.

Figure 6-29. Defaulting to PORT Mode
If you use a proxy server or dialup connection, you should indicate that here. The unusual decision is whether you want to use PASV for all sites. Unless you have a specific reason to use PORT mode in some places (for example, an exceptionally old FTP server that doesn't do PASV), you should check this box. You can override it later, if needed. Click OK when you are ready to proceed. That brings you to the screen shown in Figure 6-30, where you are asked about your connection's data rate. This lets the client set aside a properly sized transfer buffer. Click the correct radio button and click Next. You get a question about using FTP Voyager as the default browser, even within Internet Explorer. Answer as you prefer. No is recommended.

Figure 6-30. Sizing the Transfer Buffer

NOTE

One of the technical editors tested this chapter's steps in a lab that has T1 access. His report follows:

When I did the install I never got this screen shot (Fig. 6-30) about transfer buffer size. It was because I chose the T1,…ADSL selection. As a side effect, I did not get the question about the default browser until after it had me select the Finish button.

Your mileage may vary.

TIP

IE works fine for the occasional FTP transfer, whether or not you make FTP Voyager the default. However, your users might find it awkward to have a program with a different look and feel pop up inside IE. Until they get used to the interface, staying with IE's built-in FTP facility is probably best.

You are left in the Site Profile Manager, as shown in Figure 6-31. FTP Voyager comes with several FTP sites preconfigured. Click the minus sign next to Sites to close them. Then, click Personal Sites to get to the screen shown in Figure 6-32. From there, click New Site and fill in the fields in the right half of the screen. As soon as you name the site, it updates the left side. Figure 6-33 shows the fields filled in, almost ready to connect to the secure server.

Figure 6-31. Site Profile Manager: Expanded
Figure 6-32. Site Profile Manager: Personal Sites

Figure 6-33. New Site Defined
If you were creating a profile that did not use SSL, you could connect now. However, to tell the client that you want to use SSL, click Advanced and then Security to bring up the screen shown in Figure 6-34. As you can see, the default is Standard (No Security). The Connect Using box has the following three choices:

No Security
Explicit SSL
Implicit SSL

Figure 6-34. Default Security, None
These three choices correspond to the choices available on the server configuration page (shown in Figure 6-26). The bottom choice, Implicit SSL, means that the client should connect on port 990 using SSL from the start. Explicit SSL (which you should select, and which is shown in Figure 6-35) means that the initial connection is made on the standard port, 21, and an explicit command to change to SSL (AUTH SSL) is then issued. With explicit SSL, the client must complete that upgrade before it sends USER and PASS; a client that logs in first and upgrades afterward has already put the password on the wire in the clear, whatever the profile says. Click OK to finish the configuration.

Figure 6-35. Setting Explicit Security
FTP in Secure Action

All that's left is a test. If the screen shown in Figure 6-33 is still on your monitor, click Connect. If not, use the Connect button at the top of the page. Your result should look like the screen shown in Figure 6-36. The box in the lower left shows the commands and status responses as the connection is made, and the FTP server's directory listing is displayed.

Figure 6-36. Successfully Making a Secure Connection

NOTE

You need to accept the certificate because it isn't signed by a recognized root certification authority. (Chapter 9 provides further details on this.) Accepting an unknown certificate is exactly the step an attacker in the middle relies on, so compare its fingerprint with the one recorded on the server before you accept it.

Example 6-10 is an Ethereal capture started just before clicking Connect. The last three packets that can be interpreted are the request to switch to SSL (AUTH SSL), the 234 response from the server accepting it, and the TCP acknowledgment of that response. None of the rest of the data can be interpreted because it is encrypted, including the user name and password. Although not shown, the connection is eventually closed; the TCP teardown is visible, but the FTP commands themselves, including the log-off, travel inside the encrypted channel unless the client explicitly drops back to clear text (the CCC command).

TIP

An option on the Tools menu is called Export Site Profiles. After you create and test a secure access profile, you can export it and copy it to the FTP Voyager installation directory or to wherever else you install the client.

Example 6-10. Secure FTP Session in Action

No.  Source  Destination  Protocol  Info
1    Client  Server       TCP       2326 > ftp [SYN]
2    Server  Client       TCP       ftp > 2326 [SYN, ACK]
3    Client  Server       TCP       2326 > ftp [ACK]
4    Server  Client       FTP       Response: 220 Serv-U FTP Server v4.0 for WinSock ready...
5    Client  Server       TCP       2326 > ftp [ACK]
6    Client  Server       FTP       Request: AUTH SSL
7    Server  Client       FTP       Response: 234 AUTH command OK. Initializing SSL connection.
8    Client  Server       TCP       2326 > ftp [ACK]
9    Client  Server       FTP
10   Server  Client       FTP
11   Client  Server       FTP
12   Server  Client       FTP
13   Client  Server       FTP
14   Server  Client       FTP

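The explicit-versus-implicit choice and the capture in Example 6-10 reduce to one check worth automating when you review a client profile: did the client upgrade to SSL before it sent USER and PASS, and on which port did the session start? The script below is an added example, not code from the book or from FTP Voyager. It replays the Example 6-10 packet summary as constructed tuples, adds a constructed counter-example of a client that logs in before issuing AUTH SSL, and reports whether credentials ever crossed the wire in the clear. The tuple layout and the port names ftp/ftps are assumptions that mirror Ethereal's summary columns.

```python
"""Check an explicit-FTPS capture for credentials sent before the TLS upgrade.

Added example, not from the book or FTP Voyager. The packet tuples mirror the
(No., Source, Destination, Protocol, Info) columns of an Ethereal summary and
are constructed by hand for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

Packet = Tuple[int, str, str, str, str]

# Constructed replay of Example 6-10: AUTH SSL before any credentials,
# then an opaque (encrypted) stream that the dissector can no longer read.
GOOD_SESSION: List[Packet] = [
    (1, "Client", "Server", "TCP", "2326 > ftp [SYN]"),
    (2, "Server", "Client", "TCP", "ftp > 2326 [SYN, ACK]"),
    (3, "Client", "Server", "TCP", "2326 > ftp [ACK]"),
    (4, "Server", "Client", "FTP", "Response: 220 Serv-U FTP Server v4.0 for WinSock ready..."),
    (5, "Client", "Server", "TCP", "2326 > ftp [ACK]"),
    (6, "Client", "Server", "FTP", "Request: AUTH SSL"),
    (7, "Server", "Client", "FTP", "Response: 234 AUTH command OK. Initializing SSL connection."),
    (8, "Client", "Server", "TCP", "2326 > ftp [ACK]"),
    (9, "Client", "Server", "FTP", ""),
    (10, "Server", "Client", "FTP", ""),
]

# Constructed counter-example: a misconfigured client that logs in first and
# only then asks for SSL, so the password has already crossed the wire.
BAD_SESSION: List[Packet] = [
    (1, "Server", "Client", "FTP", "Response: 220 Serv-U FTP Server v4.0 for WinSock ready..."),
    (2, "Client", "Server", "FTP", "Request: USER webdev"),
    (3, "Server", "Client", "FTP", "Response: 331 User name okay, need password."),
    (4, "Client", "Server", "FTP", "Request: PASS hunter2"),
    (5, "Server", "Client", "FTP", "Response: 230 User logged in, proceed."),
    (6, "Client", "Server", "FTP", "Request: AUTH SSL"),
    (7, "Server", "Client", "FTP", "Response: 234 AUTH command OK. Initializing SSL connection."),
]

REQUEST = re.compile(r"^Request:\s+([A-Za-z]+)")
RESPONSE = re.compile(r"^Response:\s+(\d{3})")
SYN = re.compile(r"^\S+ > (\S+) \[SYN\]$")


@dataclass
class Verdict:
    upgraded_at: Optional[int] = None          # packet number of the 234 reply
    cleartext_credentials: List[int] = field(default_factory=list)
    cleartext_after_upgrade: List[int] = field(default_factory=list)

    @property
    def secure(self) -> bool:
        return (self.upgraded_at is not None
                and not self.cleartext_credentials
                and not self.cleartext_after_upgrade)


def negotiated_mode(packets: Iterable[Packet]) -> str:
    """Implicit FTPS is TLS from the first byte on port 990 (Ethereal shows
    it as 'ftps'); explicit FTPS starts in the clear on port 21 ('ftp') and
    upgrades with AUTH. The SYN's destination port tells them apart."""
    for _, _, _, proto, info in packets:
        m = SYN.match(info) if proto == "TCP" else None
        if m:
            return "implicit" if m.group(1) in ("ftps", "990") else "explicit"
    return "unknown"


def analyze(packets: Iterable[Packet]) -> Verdict:
    """Walk the control channel in order and record where the upgrade
    happened and whether USER/PASS were ever visible before it."""
    verdict = Verdict()
    auth_pending = False
    for num, _src, _dst, proto, info in packets:
        if proto != "FTP":
            continue                        # handshake and bare ACKs carry no FTP text
        if verdict.upgraded_at is not None:
            # After the 234 the channel is TLS; any readable FTP text here
            # means the dissector (or the client) is not actually encrypted.
            if info.strip():
                verdict.cleartext_after_upgrade.append(num)
            continue
        req = REQUEST.match(info)
        if req:
            cmd = req.group(1).upper()
            if cmd in ("USER", "PASS"):
                verdict.cleartext_credentials.append(num)
            elif cmd == "AUTH":
                auth_pending = True
            continue
        resp = RESPONSE.match(info)
        if resp and auth_pending and resp.group(1) == "234":
            verdict.upgraded_at = num
            auth_pending = False
    return verdict


if __name__ == "__main__":
    for name, session in (("Example 6-10", GOOD_SESSION), ("bad client", BAD_SESSION)):
        v = analyze(session)
        print(f"{name}: mode={negotiated_mode(session)} upgraded_at={v.upgraded_at} "
              f"cleartext creds in packets {v.cleartext_credentials} -> secure={v.secure}")
```

Run it against a real capture by exporting Ethereal's packet list as text and turning each row into one tuple; a profile that passes is one where the verdict is secure and the mode matches what the site profile claims.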
Summary

This chapter showed you how to improve the security of your FTP transactions. You learned how to give developers secure access to their web server and how to prevent others from eavesdropping.

Part IV shows you how to secure the users' workstations.

Part IV: Protecting the User

The user is the weakest link in any security scheme. Intruders who are masters of social engineering find ways to trick users into running dangerous code despite all the training and cajoling you do. Script kiddies probe all your users' PCs looking for weak spots. Users bypass or disable security to "enhance" their systems.


Chapter 7 Browser Security

This chapter focuses on things to do to the browser to enhance security. Topics include dangerous content, cookies, and managing the four security zones.

Chapter 8 Desktop/Laptop Security

This chapter focuses on protecting the PC. Topics covered include personal firewalls, virus scanners, digital signatures, and enforcing security policies.


Chapter 7. Browser Security

This chapter covers the following topics:

• Dangerous Content
• The Four Zones
• Cookies

The term dangerous content describes code that is written by an often unknown third party, delivered via the Internet to your PC (sometimes without your knowledge or consent), and run with the full privileges of your security level. This chapter explains the risks of this dangerous content and shows how to protect against it. A brief discussion of cookies shows how they are used and, unfortunately, abused, and provides you with some alternatives to consider.


Dangerous Content

Scripting programs have been around a long time. For example, IBM had a program called Script that ran on its mainframes before the IBM PC was even invented. The Script program worked by beginning each line with commands, such as .p to create a new paragraph, or .nl to indicate a new line.

In its earliest days, HTTP and HTML were used as a way to replace FTP. The idea was to have a way to read plain text files page by page without having to copy them first. When Tim Berners-Lee developed the HTTP protocol, he used typical scripting program commands to build the foundation of HTML.

Tim's new protocol followed the constructs of the scripting languages of the day. Back then, a browser could be accurately described as a program running the HTTP protocol on your machine that fetched text from a server, formatted it, and used HTML constructs to display it on your monitor.

Over time, Tim and others added to HTML, driven by the need and desire to include graphics and animation, up-to-the-minute news and stock quotes, music and video, and all the other things that are now a normal part of the online experience. To make this possible, a fundamental change had to occur. Executable programs had to be written, stored on the server, and delivered to and executed on your machine to enhance your browser's operation. These programs were often written not by the server operator, but by an independent third party.

The first iteration of these third-party applications was helper applications and plug-ins. They're nearly the same thing; a plug-in depends on the browser and uses the browser's memory space to function. It cannot stand alone. Shockwave is a good example of a plug-in. A helper application runs in its own process, although it might appear to be running in the browser. Acrobat is a good example. Although a stand-alone version exists, when you see it running inside the browser window, you're looking at the helper app. Another example is Excel. You can view an Excel spreadsheet inside your browser even if you don't have the Office product installed on your machine. That's because Microsoft provides a helper app for that purpose.

The second iteration of these applications is small code segments written in various programming languages by web programmers who have varying degrees of competence and moral character. That's the risk you're protecting against in this section. You don't know who wrote the code that you're executing. To complicate matters further, that code can be delivered to you by visiting a web page, by opening an e-mail, or by installing software on your PC.

NOTE

Try an experiment. Search your computer's hard drives for files with an .ocx extension. (That's ActiveX.) On my machine, I found some in the Program Files structure from Adobe Acrobat, DeLorme, Canon Camera, Corel, and Microsoft Office XP. Several were also in the WINNT\system32 folder. You should see similar entries. You can trust these because it is fair to have a high degree of confidence in the companies that produced the software. However, if you also see .ocx files anyplace else, pay careful attention to the section "ActiveX," later in this chapter.
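The experiment in the note can be scripted so it is repeatable. The script below is an added example, not code from the book. It walks a directory tree, records every .ocx with its size and SHA-256, and separates controls found under the locations the note treats as normal (Program Files and the system folder; these prefixes are an assumption of the example and should be adjusted to the local install layout) from controls anywhere else. It builds a constructed, clearly fake drive layout in a temporary folder so it runs anywhere; on a real Windows machine, point inventory_ocx() at the drive root instead.

```python
"""Inventory ActiveX controls (.ocx) and flag any found outside the places
where vendor-installed controls normally live.

Added example, not from the book. The directory tree it scans is constructed
in a temporary folder; EXPECTED_PARENTS is an assumption to adjust locally.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Path prefixes (relative to the scanned root) where the chapter expects
# vendor controls to appear. Assumed for the example; tune per machine.
EXPECTED_PARENTS = ("Program Files", "WINNT/system32", "Windows/System32")


def sha256_of(path: Path) -> str:
    """Hash the control so the inventory can be diffed against a later run."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_expected_location(path: Path, root: Path) -> bool:
    rel = path.relative_to(root).as_posix().lower()
    return any(rel.startswith(prefix.lower() + "/") for prefix in EXPECTED_PARENTS)


def inventory_ocx(root: Path) -> Tuple[List[Dict], List[Dict]]:
    """Return (expected, suspect) lists of records for every .ocx under root."""
    expected: List[Dict] = []
    suspect: List[Dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".ocx"):
                continue
            ctl = Path(dirpath) / name
            record = {
                "path": ctl.relative_to(root).as_posix(),
                "size": ctl.stat().st_size,
                "sha256": sha256_of(ctl),
            }
            (expected if is_expected_location(ctl, root) else suspect).append(record)
    # Deterministic order so two inventories can be compared line by line.
    expected.sort(key=lambda r: r["path"])
    suspect.sort(key=lambda r: r["path"])
    return expected, suspect


def build_constructed_tree() -> Path:
    """Create a fake drive layout: two controls where they belong, one
    dropped into a user's temp folder, and one non-control for contrast."""
    root = Path(tempfile.mkdtemp(prefix="ocx_demo_"))
    layout = {
        "Program Files/Adobe/Acrobat/pdf.ocx": b"MZ-constructed-acrobat",
        "WINNT/system32/msflxgrd.ocx": b"MZ-constructed-flexgrid",
        "Documents and Settings/alice/Local Settings/Temp/update.ocx": b"MZ-constructed-unknown",
        "Program Files/Adobe/Acrobat/readme.txt": b"not a control",
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_constructed_tree()
    ok, bad = inventory_ocx(demo_root)
    for rec in ok:
        print("expected", rec["path"], rec["sha256"][:16])
    for rec in bad:
        print("SUSPECT ", rec["path"], rec["sha256"][:16])
```

Keep the output from a known-clean build and diff later runs against it; a new hash on a control in Program Files deserves as much attention as a control in a temp folder.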
Over time, the four different kinds of dangerous content that have gained market acceptance are (in increasing order of risk) as follows:

• Java
• JavaScript
• VBScript
• ActiveX

Java

Java began life in 1991 in the labs at Sun Microsystems as a programming language called Oak. Sun had in mind a language that would control the microcontrollers in toasters, VCRs, microwaves, coffeepots, and other similar devices. The Oak compiler would create bytecode that could run on any of these tiny CPUs. Because it was bytecode, the appliance manufacturers could change their chipsets at will; the only requirement would be a revised bytecode interpreter.

NO TE

Lear n how t o har den Window s m u lt i- u ser p lat for m s, inclu ding NT, 2 000 , and XP

Bytecode is an intermediate step between the source code that a programmer generates and the object code that executes on a computer. Bytecode's advantages to the developer are that it can run on any computer that has an interpreter and that it keeps the source code hidden. (The interpreter processes the bytecode and executes it on the computer.) The disadvantage is that it takes time to interpret the code, so the dancing bears dance a little bit slower.

Because of market forces beyond the scope of this book, the intended audience never adopted the OAK programming language. The developers, in a stroke of brilliance, repositioned it to work in the world of multimedia publishing. It was renamed Java.

This repurposing created a problem. Java was now intended to meet two audiences with diametrically opposed security requirements.

In one case, Java is designed to be a multipurpose language for creating any application from mail clients to word processors. These programs are usually loaded on the client's hard drive by the user.

In the other case, Java applications (known as applets) are designed to be downloaded across the network, perform animations, or do any kind of complex calculations.

Because the system was originally designed to control things like coffee pots and microwaves, security was not a part of the design. Once it was repositioned to work in a world of PCs and the Internet, security had to be grafted on. The developers created a model that included a class loader, a bytecode verifier, and a sandbox that had exclusive access to the disks, memory, and peripherals of the client computer.

NOTE


Java's Sandbox is a virtual computer inside the browser's executable space where Java bytecode executes. Programs in the sandbox cannot interact with the computer's hardware directly. It was so named because it resembles a child's sandbox where things can be built and destroyed safely, without affecting the space outside the sandbox's borders.


Unfortunately, the developers confused security with safety. Java has several safety constructs built into the programming language, such as those that keep it from exhausting all of the available memory or from reading memory segments assigned to other applications. In fact, these safety measures are just as likely to protect legitimate code from causing a buffer overflow as they are to keep malware from going into an infinite loop. Not only isn't this security, but it isn't even a totally safe model. Even if it were safe, the model is flawed.

JavaScript

Netscape created JavaScript for a number of reasons, including the need to provide an appealing programming environment that required the use of the Netscape server and browser. (Keep in mind that this was at the height of the browser wars, when Microsoft and Netscape were each adding new product-specific features to their servers and browsers.) At first, JavaScript ran only on Netscape browsers, but that is no longer true. JavaScript was a renaming of Netscape's LiveScript, riding on the coattails of Java's popularity. Sun allowed Netscape to use the terminology because Netscape was the first to license Java from Sun. If you view the source on a very old web page, you might still see references to LiveScript.

Microsoft wasn't to be outdone. It created its own version, called JScript. The bad news for programmers was that JScript was close enough to JavaScript to minimize the learning curve, but not close enough to be understood by the opposite company's browsers.
JavaScript security had two major improvements over Java:

• No method existed to open a connection to a computer other than the one that served the JavaScript code.

• JavaScript provided no way to directly access the client computer's system.

These limitations were great for security but hindered usability. To meet the demands of complaining users, Netscape introduced the concept of signed JavaScript applications. Once code was signed, access to the host machine's resources was allowed.

Over time, other flaws became evident. The general problem is that there is no resource management in JavaScript. A program can go into an infinite loop. Here's a sample of the logic that can tie up a machine forever:

    While (1) {
        Display "click OK to continue"
        Wait for response
    }


With luck, you would be able to close the browser. Alternately, you could reboot the machine (and lose all unsaved work in other windows). Whether a browser can be closed depends on the resource allocation mechanisms in the OS. Windows NT/2000/XP allow an application to consume 100 percent of the CPU. This is in contrast to the various varieties of UNIX, all of which reserve some resources for OS processes.

Another kind of attack comes from memory and swap space overflow. Here's the logic:

    Text(0) = "start"
    For I = 1 to 1000000 {
        Text(I) = Text(I-1) + Text(I-1)
        I = I + 1
    }


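The doubling loop above, rewritten so that it cannot run away, as an added example that is not from the book. It shows the two controls the book's pseudocode lacks: an allocation budget checked before every doubling, and cooperative yielding so that whoever advances the work can cancel it between steps. The function names, the generator and driver structure, and the limits are assumptions made for this illustration.

```javascript
// Added example, not from the book: the book's string-doubling loop rewritten
// so that it cannot run away. Two defences are shown: an allocation budget
// checked before every doubling, and cooperative yielding so that the host
// (a browser event loop, or the driver below) can cancel the work between
// steps. Function names and limits are assumptions made for this illustration.

const DEFAULT_MAX_CHARS = 1 << 20; // constructed limit: 1 Mi characters

// Generator form of the doubling loop. It yields after every doubling with the
// current length, so whoever advances it decides whether to continue, and it
// never allocates a string longer than maxChars.
function* doublingTask(seed, iterations, maxChars) {
  if (maxChars === undefined) maxChars = DEFAULT_MAX_CHARS;
  let text = seed;
  for (let i = 0; i < iterations; i++) {
    // The next doubling needs text.length * 2 characters; refuse before allocating.
    if (text.length * 2 > maxChars) {
      return { text, steps: i, stopped: "memory-budget" };
    }
    text = text + text;
    yield text.length;
  }
  return { text, steps: iterations, stopped: "done" };
}

// Synchronous driver: advances the task and consults shouldStop(stepsDone)
// between steps. In a browser the same generator would be advanced from a
// setTimeout callback, so a click on the Stop button is serviced between
// steps instead of waiting for a loop that never ends.
function drive(task, shouldStop) {
  let steps = 0;
  let result = task.next();
  while (!result.done) {
    steps += 1;
    if (shouldStop(steps)) {
      task.return(); // finish the generator; the partial text is discarded
      return { text: "", steps, stopped: "cancelled" };
    }
    result = task.next();
  }
  return result.value;
}

// Constructed demonstration: the book's loop with its 1,000,000 iterations,
// but bounded to 1,000 characters, stops after seven doublings of "start"
// (5, 10, 20, 40, 80, 160, 320, 640 characters; the next step would need 1,280).
function demo() {
  return drive(doublingTask("start", 1000000, 1000), () => false);
}
```

The driver here is synchronous so that it runs anywhere; the design point is that the loop body never decides on its own when to stop, so a hosting environment can enforce both a memory ceiling and a cancellation check, which is exactly what the book says the original loop never gives the stop button a chance to do.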
The result here is the concatenation of the word "start" to itself, the concatenation of the words "start start" to itself, and so on. This quickly uses up all available memory on the computer, then all the swap space, and finally crashes the PC. JavaScript also suffers from the limitation that you cannot break into a running program. If you get lucky, you might close the browser before the system crashes, but you'll find that the stop button doesn't do anything because it won't be checked until after the loop ends. The luck in closing the browser depends on the OS reading your keystroke or mouse click during the time slice while it goes to the beginning of the loop in the preceding code.

Attacks like these fall into a category called Denial of Service (DoS). JavaScript is particularly vulnerable to this kind of attack.

VBScript
VBScript was Microsoft's answer to JavaScript. It is a powerful subset of Visual Basic.

The threat that VBScript embedded in HTML pages offers is that it can be used to access any web page on the network. Attackers have used this feature in HTML-formatted emails to open connections to web pages with malicious content (including ActiveX) and then have that dangerous content download and execute on client PCs.

Well-known examples of VBScript attacks include Melissa, I-Love-You, and Anna Kournikova.

ActiveX

Like the other three dangerous content engines, ActiveX can do animations, pop up windows, and execute scripts. The thing that sets ActiveX apart from the other engines is that it can also be used to do anything that can be accomplished with a plug-in or helper application.

ActiveX controls fall into two categories. One is relatively benign in that it contains Java bytecode that runs under the restrictions of the Java Virtual Machine. (This was Microsoft's answer to Sun's proprietary Java.)

The other category is the dangerous one. ActiveX controls can contain native machine code. This can be anything written in C, C++, Visual Basic, or Assembler. Those programs could use the relatively safe ActiveX application programming interfaces (APIs are a library of functions made available to programmers) or the APIs from any other source, including the Windows Developer's Toolkit. Even more dangerously, malicious programmers can avoid using the APIs altogether and write code that accesses the computer's memory, disk, and peripherals directly. In other words, ActiveX can do anything that the user can do on the machine, with any program on the market. This includes, but is not limited to, the following actions:

• Erasing arbitrary files

• Changing file permissions

• Creating shares

• Sending e-mails

• Formatting hard drives

In an attempt to mitigate the risk of letting ActiveX loose on the web community, Microsoft created the concept of signed applications. Authors of ActiveX programs obtain a code-signing certificate from a public Certification Authority (CA), take the Authenticode Pledge ("I promise to be good"), and use that certificate to sign the code. (CAs are discussed in detail in Chapter 9, "Becoming a CA.")

At least two flaws exist in this plan:

• The pledge is almost completely unenforceable.

• Unlike other kinds of certificates, code-signing certificates don't expire.

TIP

Create two accounts for yourself. One should have administrative privileges; the other should be a mere user. Keep the browser icon on the user desktop and remove it from the administrator's desktop. That keeps you from inadvertently making a mistake. You should never browse as a privileged user. If you do, a malicious ActiveX control might do far more damage. As a regular user, the only things you risk are the program and your own files. As an administrator, you risk the entire machine (and possibly the entire network).

NOTE


For an interesting story of a programmer, Fred McLain, who wrote an ActiveX control called "Internet Exploder" (it does a system shutdown after a 10-second timer elapses) and the trouble he got into because of it, visit his site at www.halcyon.com/mclain/ActiveX. Because web pages come and go, you might just want to search for him or his program by name using your favorite search engine.


Four Zones

In the Microsoft world, security is defined with four different categories called zones. When you access a resource on another machine, the other machine's zone relative to yours is determined, and the restrictions placed on that zone control the interaction with that resource. As a user, you can set the security policy on your own machine. As an administrator, you can set it on all the machines you control.

The four zones are as follows:

• Internet: This zone contains all the web sites that are not placed in other zones. The most dangerous attacks occur in this zone, so it should be the one most secured.

• Local Intranet: This zone contains all the web sites that are on your organization's intranet. In other words, it includes all sites that have the same domain name that your PC is using.

• Trusted Sites: This zone contains web sites that you trust not to damage your data. Sites must be added to this list manually.

• Restricted: This zone contains web sites that you do not trust because they could potentially damage your computer or its data. Sites must be added to this list manually.

Setting Your PC for Zone Detection


For automatic zone detection to work properly, your PC must have its DNS name configured. That's because there are two ways that Internet Explorer detects if it should use the intranet or the Internet zone. The first way is to look to see if the name you typed has no dots in it. If that's the case, Internet Explorer assumes that it is on your intranet, as there would be no way to reach the Internet with an unqualified name. The second way is by comparing the domain name of the site you are visiting with your domain name. If they're equal, the Local Intranet zone settings apply. If not, control is based on the Internet zone settings.
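The detection rules just described, written out as a small classifier so that the edge cases can be checked, as an added example that is not from the book or from Microsoft's own implementation. The function names, the configuration object, and the sample hosts are assumptions made for this illustration; the decision rules are the ones the text states, including that a bare IP address never matches a domain name and that an empty DNS suffix pushes every dotted name into the Internet zone.

```javascript
// Added example, not from the book: a model of the zone-detection rules this
// chapter describes for Internet Explorer. The function names, the
// configuration object and the sample hosts are assumptions made for this
// illustration; the decision rules are the ones the text states.

const ZONES = {
  INTERNET: "Internet",
  INTRANET: "Local Intranet",
  TRUSTED: "Trusted Sites",
  RESTRICTED: "Restricted",
};

// Constructed workstation configuration: the DNS suffix as IPCONFIG /ALL would
// report it, plus the manually maintained Trusted and Restricted lists.
const exampleConfig = {
  dnsSuffix: "example.com",
  trustedSites: ["partner.example.net"],
  restrictedSites: ["known-bad.example.org"],
};

// True for a dotted-quad IPv4 literal with every octet in 0-255, or for a
// bracketed IPv6 literal (an addition beyond the 2002 text).
function isIpLiteral(host) {
  if (host.startsWith("[")) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

function classifyZone(url, config) {
  // URL parsing lower-cases the host and strips scheme, port, path and credentials.
  const host = new URL(url).hostname;
  const suffix = config.dnsSuffix.toLowerCase();

  // Manually listed sites are decided by the list, not by the shape of the name.
  if (config.restrictedSites.includes(host)) return ZONES.RESTRICTED;
  if (config.trustedSites.includes(host)) return ZONES.TRUSTED;
  // A bare IP address never matches a domain name, so it is the Internet zone
  // even when it points at the local machine.
  if (isIpLiteral(host)) return ZONES.INTERNET;
  // An unqualified name (no dots) cannot reach the Internet: Local Intranet.
  if (!host.includes(".")) return ZONES.INTRANET;
  // A name under the workstation's own DNS suffix: Local Intranet. The leading
  // dot keeps "notexample.com" from matching the suffix "example.com".
  if (suffix !== "" && (host === suffix || host.endsWith("." + suffix))) {
    return ZONES.INTRANET;
  }
  return ZONES.INTERNET;
}
```

The order of the checks matters: the manual lists are consulted first, then the IP-literal rule, then the two automatic rules, so a site you have deliberately restricted stays restricted even if it happens to sit under your own DNS suffix.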

NOTE

If you access a web server via its IP address in the URL, the Internet zone settings apply, even if the web server is on your own machine.

To see if your DNS name is configured, open a command prompt and type IPCONFIG /ALL. (For Windows 95 workstations, the program is called winipcfg.) If the DNS name is absent, you can enter it via the control panel's network applet.

Navigating to the correct place to update the DNS name in NT 4 is simpler than in Windows 2000 or Windows XP. Figure 7-1 shows what you need to do in Windows NT.

Figure 7-1. Output of IPCONFIG Command Showing DNS Name




First, start the Network Applet in Control Panel. Then choose the Protocols tab and double-click TCP/IP Protocol. A screen with several tabs pops up. Choose the DNS tab. Enter your domain name in the box labeled Domain, as illustrated in Figure 7-2.

Figure 7-2. Entering the DNS Name via the Network Applet in NT 4
Har d en in g t he def en ses at all t hese point s is key t o creat ing an eff ect iv e, all- encom passing net w ork secur it y solu t ion.




To accomplish the same task in Windows 2000 or Windows XP, you need to start with the Control Panel applet called Network and Dial-up Connections. Choose Local Area Connection, right-click, and choose Properties. From there, double-click Internet Protocol (TCP/IP) and, in the resulting popup, choose Advanced. A third popup appears (see Figure 7-3) where you can enter the domain name near the bottom of the page in the box labeled DNS suffix for this connection. Again, the sample uses example.com.

Figure 7-3. Entering the DNS Name via the Network Applet in Windows 2000



Table of Content s



I ndex

W e b S ecur it y Fi el d Gu ide By St eve Kalman

Pub lish er: Cisco Press Pub Dat e: Novem ber 08 , 20 02 I SBN: 1- 58 705 -0 92 -7 Pages: 60 8

Hand s- on t echniqu es for secur in g Window s( r ) serv ers, b r owser s, and net w ork com m un icat ions. Cr eat e eff ect iv e secur it y policies and est ab lish r ules for op er at ing in and m aint aining a secur it y - conscious env ir onm en t Lear n how t o har den Window s m u lt i- u ser p lat for m s, inclu ding NT, 2 000 , and XP Under st and secur e inst allat ion op t ions f or Wind ows w eb ser v ers an d how t o enhan ce secur it y on exist ing w eb an d FTP ser v er in st allat ions I m pr ove secur it y at t he end user' s w or kst at ion, inclu ding w eb b row ser s, desk t ops, an d lapt op s Ev aluat e t he pr os an d cons of in st alling a cer t ificat e serv er and becom in g you r ow n Cer t ificat ion Au t hor it y Lear n t he Cisco PI X Fir ew all an d Cisco I OS Firew all ar chit ect u re and how t o app ly Cisco st andar d and ex t en ded access list s Discover w ay s t o t est t he cur r en t st at e of secur it y and k eep it up t o dat e Lear TI P n t o eng age end users as par t of t h e ov er all n et w or k secu rit y solut ion WhileThe t h eeasy I nt erwnet t r ansfor m edt he andn et imwpr ed plet t h e or w ay dow business, t hisupv ast w or k and ay has t o get t o eit her orov k ap thw e enet or k and dialset tnet ings it s associat ed t ech nologies hav e opened t he d oor t o an incr easin g n um ber of secur it y t h reat s. app let is o r igh t - click N e t w ork N ei ghb orhood or My N et w or k Pla ces ( sam e t h ing, The ch alleng e for successfu l, pu blic w eb sit es is t o encour age access t o t h e sit e w hile elim inat ing dif fer en t v ersions) an d ch oose P rope rt i es. un desir able or malicious t r aff ic and t o pr ovid e su ff icient lev els of secur it y w it hout const r aining per for m ance or scalabilit y . Th e m ore reliant org anizat ions b ecom e on t he I n t er net t o p er f orm daily j obs or cond uct t ran sact ions, t h e gr eat er t he im pact a br each of n et w or k secu rit y has. 
Setting Security for the Internet Zone

To secure Internet Explorer, choose Tools and then Internet Options. Then select the Security tab. Your result looks like that shown in Figure 7-4. There are four predefined security settings. In addition, you have the ability to customize the settings for any or all of the zones.

Figure 7-4. Security Settings Page in Internet Explorer

The Internet zone is where you need to take the most care. The default setting here is Medium, which really isn't secure enough for surfing the "Wild, Wild Web." Your first step is to click the Custom Level button.

The window that appears has nearly two dozen items that you can secure. Figure 7-5 shows the Medium security defaults for the three Scripting options.

Figure 7-5. Medium Security Defaults for the Scripting Options

Your first step in that window is to change to High security. Do this by changing the dropdown box from Medium to High and clicking Reset. You'll get a warning, as shown in Figure 7-6. Click Yes.

Figure 7-6. Changing the Security Setting for a Zone

Take another look at the Scripting options, shown in Figure 7-7, which comes from IE5. You can see the changes. Active scripting (that's ActiveX running Java bytecode) is still enabled, although the other options have been disabled. Keep in mind that Microsoft has routinely changed its browser's security defaults with every new version. Check your browser's settings against the recommended settings in Table 7-1. If you're running a browser newer than IE5.0, don't worry if your current default is already changed to match the recommendations.

Figure 7-7. High Security Default for the Scripting Options

Table 7-1 shows the setting, its meaning, the High security default, and the recommended setting. Only items that need changing are shown. While it may seem that the recommended changes lower security by enabling items that were disabled by default, that isn't so. All those items are too severe for normal operation (for example, disabling cookies); the users will figure out how to make changes. Then, while they are in the security configuration section, they'll be tempted to enable other things that are and should remain disabled. By making the changes ahead of time on their behalf, you've taken a big step toward maintaining overall security.

The last item on the list is there because it is a convenient place to explain its purpose. The default is fine, but changing it is an easy way to get your name on every spammer's mailing list.

Table 7-1. Customizing Internet Zone Security Settings in Internet Explorer

| Title | Purpose | Default | Recommended |
|---|---|---|---|
| Script ActiveX controls marked safe for scripting | Allows certain signed ActiveX controls to run. | Enable | Disable |
| Allow cookies that are stored on your computer | Enables web sites to write cookies to your profile. | Disable | Enable |
| Allow per-session cookies (not stored) | Enables web sites to send you temporary cookies. | Disable | Enable |
| Downloads | Allows HTTP-based downloads; no effect on FTP. | Disable | Enable |
| Font Download | Allows truetype fonts. | Prompt | Enable |
| Active Scripting | ActiveX running Java bytecode. | Enabled | Disable |
| User Logon Authentication | Also used by FTP. The anonymous option sends your e-mail address to the FTP server. | Prompt | Prompt |

Disabling ActiveX occasionally causes a web page to generate an error. Most of the time, this is better than letting it run, but there are places where you know the ActiveX controls can be trusted and you need to let them work. A classic example is Microsoft's Windows Update site at windowsupdate.microsoft.com.

Figure 7-8 shows an error message that appears when a blocked ActiveX control fails to run. If you click OK to continue, the next page likely results in an error.

Figure 7-8. Blocked ActiveX Error Message

Figure 7-9 shows the result of a search for an update to Internet Explorer 5.0. The bottom of the page has headings for a table, but the contents of the table were not filled in because ActiveX was blocked. The message "Error on page" appears in the lower-left corner.

Figure 7-9. Error Generated Because ActiveX Was Blocked

The solution to this problem is to make www.microsoft.com a trusted site and to set trusted site security so that ActiveX can run. Go back to the Security page of the Internet Options tool and click Trusted Sites. Figure 7-10 shows an example.

Figure 7-10. Defaults for the Trusted Sites Zone

The default security for trusted sites is Low and should be changed to Medium. To do that, drag the scrollbar up two notches and click Apply. Figure 7-11 shows the result.

Figure 7-11. Trusted Sites Zone Set to Medium Security

Finally, click Sites. Clear the check box requiring HTTPS, type in the domain name you'll trust, and click Add. All this has been done in Figure 7-12. All that's left is to click OK several times to exit.

Figure 7-12. Adding a Site to the Trusted Sites Zone

When you revisit the download page and re-execute the search, there are neither warnings nor errors. Figure 7-13 shows the result. Note the lower-right corner, where it indicates that this page is in the Trusted Sites zone.

Figure 7-13. ActiveX in Action on a Microsoft Page
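As an added example (not from the book), the following PowerShell audits the Trusted Sites zone configured above by reading the per-user registry values that the Internet Options dialog writes: it checks that the zone level is Medium and lists every host mapped into the zone, flagging any host that is not on an allow-list. The registry layout it relies on (zone number 2, the CurrentLevel value, ZoneMap\Domains) is Microsoft's documented layout and is not described in the chapter; the allow-list is constructed.

```powershell
# Added example, not from the book: audit the Trusted Sites zone.
# Reads the per-user registry keys that the Internet Options dialog writes.
# Assumes the documented layout: zone numbers (1 Local Intranet, 2 Trusted,
# 3 Internet, 4 Restricted), CurrentLevel under ...\Zones\<n>, and site
# mappings under ...\ZoneMap\Domains. Per-user keys are ignored when the
# Security_HKLM_only policy is set; check the same path under HKLM then.

$TrustedZone = 2
$ZonesKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# CurrentLevel values of the predefined templates; anything else is a custom level.
$Levels = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x12000 = 'High' }

# Constructed allow-list of hosts you have decided to trust. The chapter's
# example is Microsoft's update site; a bare domain here approves "*.domain" entries.
$Approved = @('www.microsoft.com', 'windowsupdate.microsoft.com')

function Get-TrustedZoneLevel {
    $level = (Get-ItemProperty -Path "$ZonesKey\$TrustedZone" -Name CurrentLevel).CurrentLevel
    $name  = if ($Levels.ContainsKey($level)) { $Levels[$level] } else { 'Custom' }
    [pscustomobject]@{ Level = $name; IsMedium = ($level -eq 0x11000) }
}

# A host such as www.microsoft.com is stored as Domains\microsoft.com\www with a
# value named after the scheme ("http" or "https") whose DWORD is the zone number.
# A scheme value directly on Domains\microsoft.com covers "*.microsoft.com".
function Get-TrustedSiteMappings {
    $mappings = @()
    foreach ($domain in Get-ChildItem -Path $DomainsKey -ErrorAction SilentlyContinue) {
        $domainName = $domain.PSChildName
        foreach ($scheme in $domain.GetValueNames()) {
            if ($domain.GetValue($scheme) -eq $TrustedZone) {
                $mappings += [pscustomobject]@{ Host = "*.$domainName"; Scheme = $scheme }
            }
        }
        foreach ($hostKey in Get-ChildItem -Path $domain.PSPath) {
            foreach ($scheme in $hostKey.GetValueNames()) {
                if ($hostKey.GetValue($scheme) -eq $TrustedZone) {
                    $mappings += [pscustomobject]@{ Host = "$($hostKey.PSChildName).$domainName"; Scheme = $scheme }
                }
            }
        }
    }
    return $mappings
}

function Test-Approved([string]$HostName) {
    # "*.example.com" is approved when either the wildcard or the bare domain is listed.
    $bare = $HostName -replace '^\*\.', ''
    return ($Approved -contains $HostName) -or ($Approved -contains $bare)
}

$levelInfo = Get-TrustedZoneLevel
if (-not $levelInfo.IsMedium) {
    Write-Warning "Trusted Sites zone level is $($levelInfo.Level); the chapter recommends Medium."
}

# Every host in the zone gets the relaxed (Medium) settings, so each unapproved
# entry is a site where ActiveX may run although nobody vetted it.
foreach ($entry in Get-TrustedSiteMappings) {
    $status = if (Test-Approved $entry.Host) { 'approved' } else { 'NOT ON ALLOW-LIST' }
    '{0,-45} {1,-6} {2}' -f $entry.Host, $entry.Scheme, $status
}
```

Because the chapter clears the HTTPS requirement when adding a site, "http" entries are expected here; the Scheme column simply tells you which protocol each mapping covers.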

Setting the Local Intranet Zone

The process for setting security in the Local Intranet zone is the same; the only difference is in the settings. Table 7-2 discusses the settings you should consider changing (starting at the default level, Medium-Low Security). Chapter 5, "Enhancing Web Server Security," covers how to set IIS to require NT Challenge/Response authentication. The user logon setting completes that process.

Table 7-2. Customizing Local Intranet Zone Security Settings in Internet Explorer

| Title | Purpose | Default | Recommended |
|---|---|---|---|
| Download Signed ActiveX Controls | Allows certain signed ActiveX controls to run. | Prompt | Disable unless you sign your own. |
| User Logon Authentication | Also used by FTP. The anonymous option sends your e-mail address to the server. | Anonymous Logon (IE5.0 default) | Automatic Logon in Intranet zone (already the default in IE 5.5 and above). |

TIP

If several domain names are in use on your intranet (for example, ford.com and lincoln.com, or federalexpress.com and fedex.com), you can decide to put those alternate names in the Trusted Sites zone and configure that zone the same way as you would configure the Intranet zone.

The Restricted Sites zone wasn't mentioned. That's because it is much safer to exclude those sites from your intranet with settings at your firewall. This is covered in more detail in Chapter 10, "Firewalls."

Keeping Your Settings Intact


As hard as you work to get the settings the way you want, users will work even harder to make improvements. One of the primary tools they have to undo your work is the Automatic Update feature. Installing an updated version of Internet Explorer puts all the zone settings back to the default. You can, however, disable this feature. Figure 7-14 shows the Internet Options page with the Advanced tab selected. Clear the check box next to Automatically check for Internet Explorer updates and you're set. If an update does get installed later, recheck the zone settings afterward.

Figure 7-14. Preventing Automatic Internet Explorer Updates
Cookies

A lot of hype exists about cookies and how they're harmful or create security holes. This short section discusses the truth of the matter and shows how to manage them.
How Cookies Are Used

HTTP is a stateless protocol. Every time you visit a web site it is as if you were never there before: your PC sets up a new TCP connection and requests a page via the URL. To make the web usable, HTTP includes some features that allow it to simulate a stateful environment. If the page you visit requires you to log in, for example, the browser caches the user name and password and resubmits them for you every time you return to any page in that domain. The only way to temporarily stop it is to close your browser.

Cookies are used for a similar purpose but come in two categories: session cookies and persistent cookies. Two main rules exist for cookie use.

Cookies can only be sent back to the domain or site that created them.

Cookies can be created by any site that sends you a web page (or even part of a web page, such as an image or advertising banner).

If you visit an e-commerce web site and add items to your shopping cart, a session cookie is created for each item. A session cookie carries no expiration date and lives only in the browser's memory. As you continue shopping, the cookies that you accumulate are returned to the web site each time you click a link to any page on that site. Eventually, you'll decide to go to the checkout page. That page gets built by processing the cookies sent to it (they generally contain stock numbers, codes for colors and sizes, or whatever else is pertinent to that sale). After the checkout completes, the session cookie is deleted from your browser memory.

Whenever you go to a web site and see a personalized welcome back message, you know that a persistent cookie was used. Those cookies contain information about you and your account.
It might be just your name, or it might be a record locator (key) to a database stored at the web site. In some cases, it might even be a user name and password. When these cookies are created, they include an expiration date. That date is set at the web page programmer's discretion. Most last decades.

Because cookies can be returned only to the domain or site that created them, there isn't much risk that a cookie will be delivered to anyone not entitled to see it. (Some old browsers had bugs that allowed a site to view all of your cookies. It is unlikely that you'll find those browsers still in use today.) Note that this rule is enforced by the browser, not by the network: a cookie returned over plain HTTP can be read by anyone on the path, which is why a persistent cookie holding a user name and password is a poor design unless it is marked Secure so the browser sends it only over SSL.

How Cookies Are Abused

That doesn't mean that cookies are completely safe. The biggest risk comes from the banner ad companies. When you visit a web page that has a banner ad, that ad comes directly from the advertising company. Here's an edited line from the body of a popular web page:
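The following script is an added example, not code from the book, that models the two cookie rules above, the session/persistent distinction, and the banner-ad case in a small cookie jar. The hostnames (shop.example, ads.adnet.example, news.example) and the cookie values are constructed for the demonstration; the jar omits checks a real browser performs (public-suffix rules, HttpOnly, cookie size and count limits) and is meant only to show how the domain rule decides which cookies travel with which request.

```javascript
'use strict';

// Added example, not from the book: a toy cookie jar applying the two rules
// in the text (a cookie goes back only to the host or domain that set it;
// any response, including a banner image, may set one), the session versus
// persistent split, and the third-party banner-ad case. Hostnames are made up.

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Parse one Set-Cookie header value received from `originHost` at time `now` (ms).
// Returns null when the header tries to claim a domain the origin does not
// belong to (rule 1, enforced when the cookie is created).
function parseSetCookie(header, originHost, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: originHost, hostOnly: true, path: '/',
              expires: null, secure: false };   // expires === null: session cookie
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : a.slice(i + 1);
    if (key === 'expires') c.expires = Date.parse(val);
    else if (key === 'max-age') c.expires = now + Number(val) * 1000;
    else if (key === 'domain') { c.domain = val.replace(/^\./, '').toLowerCase(); c.hostOnly = false; }
    else if (key === 'path') c.path = val || '/';
    else if (key === 'secure') c.secure = true;
  }
  if (!c.hostOnly && !domainMatches(originHost, c.domain)) return null;
  return c;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Rule 2: any response the browser fetches (page, image, banner) may set cookies.
  accept(header, originHost, now) {
    const c = parseSetCookie(header, originHost, now);
    if (c === null) return false;
    this.cookies = this.cookies.filter(o =>
      !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    this.cookies.push(c);
    return true;
  }

  // Rule 1 at send time: build the Cookie header for a request to `url`.
  cookieHeader(url, now) {
    const u = new URL(url);
    const host = u.hostname.toLowerCase();
    const pathMatches = cp => u.pathname === cp ||
      u.pathname.startsWith(cp.endsWith('/') ? cp : cp + '/');
    return this.cookies
      .filter(c => c.expires === null || c.expires > now)                  // not expired
      .filter(c => c.hostOnly ? host === c.domain : domainMatches(host, c.domain))
      .filter(c => pathMatches(c.path))
      .filter(c => !c.secure || u.protocol === 'https:')                   // Secure flag
      .map(c => `${c.name}=${c.value}`).join('; ');
  }

  // Closing the browser discards session cookies; persistent ones survive on disk.
  closeBrowser() { this.cookies = this.cookies.filter(c => c.expires !== null); }
}

// Constructed scenario: a shop page that carries a banner served by an ad network.
function runScenario() {
  const now = Date.UTC(2002, 10, 8);                        // "today" for the demo
  const inTwentyYears = new Date(now + 20 * 365 * 86400000).toUTCString();
  const jar = new CookieJar();
  // The shop sets a session cookie for the cart and a persistent record locator.
  jar.accept('cart=sku123', 'shop.example', now);
  jar.accept(`member=rec4711; Expires=${inTwentyYears}; Path=/`, 'shop.example', now);
  // The banner image on that page comes from the ad network, which sets its own cookie.
  jar.accept(`uid=abc; Expires=${inTwentyYears}`, 'ads.adnet.example', now);
  // The shop tries to set a cookie for the ad network's domain: rejected by rule 1.
  const crossDomainAccepted = jar.accept('x=1; Domain=adnet.example', 'shop.example', now);

  const shopBefore = jar.cookieHeader('http://shop.example/checkout', now);
  // The same banner embedded on an unrelated site still carries uid back to the
  // ad network, which is what lets it correlate visits across sites.
  const adFromOtherSite = jar.cookieHeader('http://ads.adnet.example/banner.gif?ref=news.example', now);
  jar.closeBrowser();
  const shopAfter = jar.cookieHeader('http://shop.example/', now);
  const shopLater = jar.cookieHeader('http://shop.example/', now + 21 * 365 * 86400000);
  return { crossDomainAccepted, shopBefore, adFromOtherSite, shopAfter, shopLater };
}

console.log(runScenario());
```

Run it with `node cookiejar.js` (file name assumed). The output shows the cart and member cookies going only to shop.example, the ad network's uid cookie going only to ads.adnet.example no matter which page embedded the banner, the session cookie disappearing when the browser closes, and the persistent cookie expiring on its own schedule. A Domain attribute can widen a cookie to a parent domain the setting host belongs to, but never to an unrelated one.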