Hardening: Theory and General Practice - Some General Hardening Suggestions: Software Considerations
(Page 5 of 6)
Let’s begin with the behemoth: service packs. Service packs are releases that follow the public release of a software package. More specifically, they’re collections of hotfixes, or patches for flaws that are found after an application’s mainstream availability. Most service packs include security fixes that correct areas of the program code the developers didn’t secure and that therefore contain vulnerabilities. You can be sure that your system will be examined by nefarious users looking for these vulnerabilities; you can be equally certain that these same miscreants are searching out new vulnerabilities as you read this. The bottom line: Keep all machines on the network updated, and check with the operating system and application vendors on a regular basis for service releases and hotfix patches.
Next on the list are viruses, a rapidly growing irritation. As you may be aware, many new viruses are released weekly. Because of this, if an Internet connection comes anywhere near any machine, you should use antivirus software. It should be kept up-to-date on a regular basis. To protect yourself, take a look at these guidelines:
- Any software downloaded from the Internet should be stored and installed on test systems before any production deployment, and the system should be scanned for viruses after the software has been tested.
- Like safe sex, don’t download software from unknown sources; a prominent violation of this policy is the retrieval of programs from peer-to-peer file transfer services. This endangers not only the host computer but the entire network. Lately, viruses have begun to spread onto network shares after their initial execution, and depending on the strain of virus, that can cause many hours of downtime, which results in a significant financial liability.
- For best results, you should configure your virus software to the most restrictive level, thereby ensuring that any virus activity is contained to one computer without infecting the network.
- Most modern antivirus programs include the option to attempt to repair an infected file; you will likely have mixed results with this feature. It’s acceptable to repair the infected file as a stopgap so that the system can be returned to service.
- As a matter of practice, I always recommend that infected systems be wiped clean and reinstalled from an empty hard disk as soon as possible. As hard as the antivirus companies try, they may never completely dissect a virus’s payload and might never realize the true extent of a virus’s damage to a system, so to be safe, rebuilding the system from a known clean baseline is always the cheapest insurance.
- Block all potentially malicious file types, such as VBS, EXE, COM, and SCR, from your mail server. These file types are rarely used for legitimate business purposes and can accidentally be executed by unsuspecting users. This can compromise your entire network. Remember the Melissa virus?
- Set your antivirus software to scan the selected extensions for virus patterns that may exist. This ensures that a virus doesn’t slip past your firewall.
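The attachment-blocking rule above is easy to state and easy to get slightly wrong, so here is an added example (not code from the book) of how a mail gateway check can apply it. It uses Python's standard `email` package, blocks exactly the four extensions the chapter names, compares case-insensitively, and inspects every dotted component of the filename so that a double extension such as `report.doc.vbs` is not waved through. The sample message, addresses, and attachment names are constructed for the example.

```python
# Added example (not from the book): reject mail attachments whose filename
# carries a blocked executable extension, including double extensions such
# as "report.doc.vbs" and mixed case such as "Setup.ExE".
import email
from email import policy
from email.message import EmailMessage

# The file types the chapter says to block at the mail server.
BLOCKED_EXTENSIONS = {"vbs", "exe", "com", "scr"}


def blocked_extension(filename):
    """Return the blocked extension found in filename, or None.

    Every dotted component after the first is checked, so "report.doc.vbs"
    is caught even though its last-but-one part looks harmless, and the
    comparison is case-insensitive.
    """
    if not filename:
        return None
    for part in filename.lower().split(".")[1:]:
        if part in BLOCKED_EXTENSIONS:
            return part
    return None


def scan_message(raw_bytes):
    """Return a list of (filename, extension) pairs that violate the policy.

    An empty list means the message may pass; anything else should make the
    gateway reject or quarantine the message.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    violations = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        name = part.get_filename()
        ext = blocked_extension(name)
        if ext:
            violations.append((name, ext))
    return violations


def build_sample_message(attachments):
    """Constructed test mail carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # constructed address
    msg["To"] = "user@example.test"          # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message([("notes.txt", b"hello"),
                                ("report.doc.VBS", b"x"),
                                ("Setup.exe", b"MZ")])
    for name, ext in scan_message(raw):
        print(f"blocked attachment {name!r} (extension .{ext})")
```

The check looks only at the declared filename, which is what the chapter's rule is about; a content-type or file-signature check belongs in the antivirus scan that the next bullet asks you to run on the same extensions.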
This chapter is from Hardening Windows, by Jonathan Hassell (Apress, 2004, ISBN: 1-59059-266-2). Check it out at your favorite bookstore today.
Some General Hardening Suggestions: Hardware and Network Considerations
In this section, you’ll look at some considerations about hardening your hardware. Because this book focuses on Windows, it doesn’t contain room anywhere else for these kinds of suggestions, but I’d be remiss not to include them. In any case, Windows depends as much on external hardware devices for security as it does on its own internal mechanisms.
The most obvious piece of the physical-device puzzle is the firewall, an integral part of any network that is connected to the Internet. Without a firewall, any Internet-connected machine can be subjected to denial-of-service attacks, targeted service attacks, network-penetration efforts, and other bad events. All of these attacks are very difficult to trace back to their origin, too, making a “forensic analysis” next to impossible. Consider the following firewall suggestions:
- Block TCP ports 135, 139, and 445, and UDP ports 135, 137, and 445. These are Microsoft Windows’s networking ports that have been traditionally vulnerable to a great many distributed service attacks, and there’s little use for them over the Internet.
- Block all other unused ports. Each time you open a port you create a hole in the wall that you’ve built around your network, and you replace it with a window. The more ports you open—the more windows you install in your wall—the more transparent your network becomes to the outside. The bottom line? Open ports invite attacks.
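To make the two firewall rules above concrete, here is an added example (not code from the book) of a minimal default-deny inbound filter written in Python. The block list for the Windows networking ports is taken from the chapter; the allow list (TCP 80 and 443 for a hypothetical public web server) and the sample traffic records are assumptions constructed for the example.

```python
# Added example (not from the book): a default-deny inbound packet filter
# expressing the chapter's two rules. The block list comes from the chapter;
# the allow list and the sample packets are assumed for illustration.
from dataclasses import dataclass

# Windows networking ports the chapter says to block at the perimeter.
BLOCKED = {
    "tcp": {135, 139, 445},
    "udp": {135, 137, 445},
}

# Assumed: the only services deliberately exposed to the Internet
# (a hypothetical public web server). Everything else is dropped.
ALLOWED = {
    ("tcp", 80),
    ("tcp", 443),
}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp", any case
    dst_port: int
    src: str        # source address, informational only here


def decide(pkt):
    """Return ("drop" | "accept", reason) for one inbound packet.

    Order matters: the explicit block list is checked first, so a port on
    it stays closed even if someone later adds it to ALLOWED by mistake,
    and anything not explicitly allowed is dropped ("block all other
    unused ports").
    """
    proto = pkt.proto.lower()
    if pkt.dst_port in BLOCKED.get(proto, set()):
        return "drop", "windows networking port blocked at perimeter"
    if (proto, pkt.dst_port) in ALLOWED:
        return "accept", "explicitly allowed service"
    return "drop", "default deny: port not in allow list"


def apply_policy(packets):
    """Return the accepted packets and a count of drops keyed by reason."""
    accepted, drops = [], {}
    for p in packets:
        verdict, reason = decide(p)
        if verdict == "accept":
            accepted.append(p)
        else:
            drops[reason] = drops.get(reason, 0) + 1
    return accepted, drops


# Constructed sample traffic (documentation-range addresses), not captures.
SAMPLE = [
    Packet("tcp", 445, "198.51.100.7"),
    Packet("udp", 137, "198.51.100.7"),
    Packet("tcp", 443, "203.0.113.9"),
    Packet("tcp", 3389, "203.0.113.9"),
    Packet("TCP", 80, "192.0.2.4"),
]

if __name__ == "__main__":
    accepted, drops = apply_policy(SAMPLE)
    print("accepted:", [(p.proto, p.dst_port) for p in accepted])
    print("dropped:", drops)
```

Every port you add to `ALLOWED` is one of the "windows" the chapter warns about, so the list should be reviewed as deliberately as the block list.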
The firewall’s brother in the security family is an intrusion detection system (IDS), another vital part of hardening a Windows-based network. An IDS “sniffs out” or inspects all traffic going in and coming out of a network, and distinguishes patterns inside that traffic that could indicate suspicious activity. An IDS differs from a firewall in that a firewall looks for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and doesn’t signal an attack from inside the network. An IDS, on the other hand, evaluates a suspected intrusion once it has taken place, and signals an alarm. An IDS also watches for attacks that originate from within a system. It’s a beneficial addition to your network, and I highly recommend it.
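The distinction drawn above, that a firewall decides packet by packet while an IDS looks for a pattern across traffic and raises an alarm, is illustrated by this added example (not code from the book). It is a toy detector in Python that reads constructed connection-log lines and flags a source that touches many distinct ports on one host within a short window; each of those connections might individually look harmless to a firewall. The log format, the internal addresses, and the threshold and window values are assumptions made for the example.

```python
# Added example (not from the book): a toy IDS check that flags one source
# touching many distinct destination ports on one host within a short time
# window. The log format and sample lines are constructed for illustration.
from collections import defaultdict

# Constructed log lines: "<epoch seconds> <src> <dst> <proto> <dst_port>".
# The first source sweeps six ports in four seconds; the second behaves
# normally. Both are inside the network, which a perimeter firewall never sees.
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.20 tcp 22
1001 10.0.0.5 10.0.0.20 tcp 23
1001 10.0.0.5 10.0.0.20 tcp 25
1002 10.0.0.5 10.0.0.20 tcp 80
1002 10.0.0.5 10.0.0.20 tcp 110
1003 10.0.0.5 10.0.0.20 tcp 139
1004 10.0.0.8 10.0.0.20 tcp 80
1005 10.0.0.8 10.0.0.20 tcp 443
1200 10.0.0.5 10.0.0.20 tcp 443
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, proto, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        events.append((int(ts), src, dst, proto, int(port)))
    return events


def detect_port_sweeps(events, window=60, threshold=5):
    """Return {(src, dst): ports} for pairs where src contacted at least
    `threshold` distinct ports on dst within any `window` seconds.

    A sliding window over the time-sorted hits keeps the check linear in
    the number of events per source/destination pair.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _proto, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts.setdefault(pair, set()).update(ports)
    return alerts


def run_sample():
    """Apply the detector to the constructed log."""
    return detect_port_sweeps(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for (src, dst), ports in run_sample().items():
        print(f"ALERT {src} -> {dst}: {len(ports)} distinct ports "
              f"{sorted(ports)} within the window")
```

The single late connection at timestamp 1200 falls outside the window and does not extend the alert, which is the kind of time-bounded reasoning that separates an IDS from a per-packet rule.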
Remote access remains one of the weakest links in network security if it’s incorrectly implemented, and in many cases it’s the holy grail for intruders looking to do damage. If you allow remote access to your network either through dial-up connections or through a virtual private network (VPN) connection, you should restrict dial-up access to trusted users, and limit the functionality of those users from remote locations. Policies can be designed in such a way that user activity will be traced. I would recommend a VPN connection: Data that travels over a VPN is much less susceptible to interception than normal point-to-point protocol (PPP) connections over the plain old telephone networks. If your data is particularly critical, you might consider putting systems in place that require credential validation for any resource that is accessed remotely, like client-side certificates and strong password authentication methods.
Also, it’s a safe bet to say that intruders would rather use the convenience and availability of the Internet than work harder at “war dialing,” which is when an intruder generates phone numbers on a random basis and dials them to see if a modem answers. However, if your business needs require a modem bank to answer incoming calls, you might consider mandating a dial-back setting to a predetermined number; this is a great way to ensure that a connection is made only between the appropriate parties.
Physical segmentation of the network is always a good choice for security. If your hardware devices allow you to perform this segregation easily, then there’s little reason not to segment them. Virtual LANs (VLANs) are a great way to wall off large sections of your network. If you place your firewall in a separate VLAN from your network and specify that only your firewall can access your network, then you’ve just eliminated the chance that an intruder could use another window of entry into your network. Segmenting a network can also add an element of security from an internal perspective, because you can segment a network in such a way that all users can see the servers but no user can see any other user. This reduces the possibility of hacking user data stored on user machines and greatly reduces the chance of a virus spreading around the computers. If the virus code can’t find other computers to infect, it cannot spread.
I feel compelled to include this bit here, even though a later chapter is devoted completely to Internet Information Services (IIS) hardening tips, because it’s so vital to security. Many exploits are targeted against IIS because it’s a very generic and widely used web server, and it’s left on by default in most instances. Because worms that exploit unsecured IIS web servers on publicly accessible networks are so prevalent and travel at such great speed, it’s highly recommended, imperative even, that systems running IIS be installed on an isolated network segment, or with no network cable attached, until the latest service packs and hotfixes are installed. Microsoft has published an IIS Lockdown tool, which is now part of the Microsoft Baseline Security Analyzer for Windows 2000 Server computers running IIS. It’s very important that this tool be used to harden the IIS box.