Security+: A CompTIA Certification
Student Manual

Chuck Swanson
Andrew LaPage
Robyn Feiock
Nancy Curtis

Part Number: 085544
Course Edition: 2.0

ACKNOWLEDGMENTS

Project Team

Curriculum Developers/Technical Writers: Chuck Swanson (Security+, MCT, MCSE+I—Windows NT 4, MCSE—Windows 2000, MCNI, MCNE, CTT), Andrew LaPage (Security+, MCP), Robyn Feiock and Nancy Curtis (Security+, Network+, MCSE—Windows NT 4/Windows 2000, MCT, CNA) • Development Assistance: Alan J. Meeks (MCSE—Windows NT 4/Windows 2000, MCT, Network+, CIWA) • Development Assistance: Mike Casper • Content Manager: Clare Dygert • Copy Editors: Angie J. French and Jay Smith • Reviewing Editors: Christy D. Johnson and Laura Thomas • Technical Editor: Cory Brown • Quality Assurance Coordinator: Frank Wosnick • Graphic Designer: Isolina Salgado • Project Technical Specialist: Michael Toscano

NOTICES

DISCLAIMER: While Element K Courseware LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The name used in the data files for this course is that of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone’s name in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Element K is an independent provider of integrated training solutions for individuals, businesses, educational institutions, and government agencies. Use of screenshots or another entity’s product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such entity with Element K. Certain exercises in this course manual assume that the user has access to various software products. Element K is not responsible for providing the user of this course manual with access to those software products. Each user of this course manual is responsible for complying with the terms of any and all software licensing agreements associated with such software products.

Some of the tools and procedures presented in this course could cause problems if used improperly or maliciously in a live network environment. These tools are not a threat in any simulated activities presented here, nor are they a threat when presented as part of instructor-led training in a closed classroom environment. However, the installation and use of the programs or procedures presented outside of a controlled environment is the sole responsibility of the end-user and may result in criminal prosecution. Element K does not endorse or recommend the illegal use of any of the scanning or hacking tools described in this course.

This courseware contains links to sites on the Internet that are owned and operated by third parties (the “External Sites”). Element K is not responsible for the availability of, or the content located on or through, any External Site. Please contact Element K if you have any concerns regarding such links or External Sites.

TRADEMARK NOTICES Element K and the Element K logo are trademarks of Element K LLC.

Microsoft and Windows are registered trademarks of Microsoft Corporation in the U.S. and other countries. Novell and NetWare are registered trademarks of Novell, Inc. in the U.S. and other countries. Sun, Solaris, and Sun Microsystems are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All other product names and services used throughout this book may be common law or registered trademarks of their respective proprietors.

Copyright © 2003 Element K Content LLC. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of Element K, 500 Canal View Boulevard, Rochester, NY 14623, (585) 240-7500, (800) 434-3466. Element K Courseware LLC’s World Wide Web site is located at www.elementkcourseware.com.

This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Element K materials are being reproduced or transmitted without permission, please call 1-800-478-7788.

The logo of the CompTIA Authorized Curriculum Program and the status of this or other training material as "Authorized" under the CompTIA Authorized Curriculum Program signifies that, in CompTIA’s opinion, such training material covers the content of the CompTIA’s related certification exam. CompTIA has not reviewed or approved the accuracy of the contents of this training material and specifically disclaims any warranties of merchantability or fitness for a particular purpose. CompTIA makes no guarantee concerning the success of persons using any such "Authorized" or other training material in order to prepare for any CompTIA certification exam. The contents of this training material were created for the CompTIA IT Security+ exam covering CompTIA certification exam objectives that were current as of December, 2002.

How to Become CompTIA Certified: This training material can help you prepare for and pass a related CompTIA certification exam or exams. In order to achieve CompTIA certification, you must register for and pass a CompTIA certification exam or exams. In order to become CompTIA certified, you must:

1. Select a certification exam provider. For more information please visit http://www.comptia.org/certification/general_information/test_locations.asp.

2. Register for and schedule a time to take the CompTIA certification exam(s) at a convenient location.

3. Read and sign the Candidate Agreement, which will be presented at the time of the exam(s). The text of the Candidate Agreement can be found at http://www.comptia.org/certification/general_information/candidate_agreement.asp.


4. Take and pass the CompTIA certification exam(s).

For more information about CompTIA’s certifications, such as their industry acceptance, benefits, or program news, please visit http://www.comptia.org/certification/default.asp. CompTIA is a non-profit information technology (IT) trade association. CompTIA’s certifications are designed by subject matter experts from across the IT industry. Each CompTIA certification is vendor-neutral, covers multiple technologies, and requires demonstration of skills and knowledge widely sought after by the IT industry. To contact CompTIA with any questions or comments: Please call +1 630 268 [email protected]


CONTENTS

LESSON 1: IDENTIFYING SECURITY THREATS
  A. Identify Social Engineering Attacks ... 2
  B. Classify Software Attacks ... 6
     Software Attacks ... 6
     Port Scanning Attacks ... 6
     Eavesdropping Attacks ... 7
     IP Spoofing Attacks ... 8
     Hijacking Attacks ... 9
     Replay Attacks ... 10
     Man-in-the-Middle Attacks ... 11
     Denial of Service/Distributed Denial of Service (DoS/DDoS) Attacks ... 12
     Malicious Code Attacks ... 14
     Attacks Against the Default Security Configuration ... 16
     Software Exploitation Attacks ... 17
     Misuse of Privilege Attacks ... 18
     Password Attacks ... 18
     Backdoor Attacks ... 19
     Takeover Attacks ... 20
  C. Identify Hardware Attacks ... 24

LESSON 2: HARDENING INTERNAL SYSTEMS AND SERVICES
  A. Harden Base Operating Systems ... 31
     Corporate Security Policy ... 31
     System Vulnerabilities ... 35
     Hardened Operating System ... 37
     Security Baselines ... 38
     Microsoft Baseline Security Analyzer ... 38
     Windows 2000 and Windows XP Security Policy Settings ... 39
     Windows 2000 and Windows XP Security Audits ... 42
     Unnecessary Services, NLMs, and Daemons ... 44
     Security Templates ... 45
  B. Harden Directory Services ... 76
     Directory Services ... 77
     The Lightweight Directory Access Protocol (LDAP) ... 78
     Directory Service Vulnerabilities ... 78
     Hardened Directory Service ... 79
  C. Harden DHCP Servers ... 87
     DHCP Server Vulnerabilities ... 87
     Hardened DHCP Server ... 88
  D. Harden Network File and Print Servers ... 90
     SMB Signing ... 90
     Hardened File and Print Server ... 91

LESSON 3: HARDENING INTERNETWORK DEVICES AND SERVICES
  A. Harden Internetwork Connection Devices ... 98
     Internetwork Device Vulnerabilities ... 98
     Hardened Internetwork Connection Devices ... 99
  B. Harden DNS and BIND Servers ... 105
     DNS and BIND Vulnerabilities ... 105
     Hardened DNS Servers ... 106
  C. Harden Web Servers ... 109
     Web Server Authentication Methods ... 109
     Web Server Vulnerabilities ... 110
     Hardened Web Server ... 111
     Microsoft IIS Lockdown Tool ... 112
  D. Harden FTP Servers ... 119
     FTP Vulnerabilities ... 122
     Hardened FTP Server ... 123
  E. Harden Network News Transport Protocol (NNTP) Servers ... 130
     Hardened NNTP Server ... 130
  F. Harden Email Servers ... 134
     Email Vulnerabilities ... 134
     Hardened Email Server ... 135
     Email Security Using S/MIME and PGP ... 135
  G. Harden Conferencing and Messaging Servers ... 145
     Instant Messaging Vulnerabilities ... 145
     Hardened Conferencing and Messaging Server ... 146

LESSON 4: SECURING NETWORK COMMUNICATIONS
  A. Secure Network Traffic Using IP Security (IPSec) ... 154
     Data Integrity ... 154
     Data Encryption ... 155
     Internet Protocol Security (IPSec) ... 156
     Data Integrity and Encryption in IPSec ... 157
     IPSec Transport Protocols ... 157
     Internet Key Exchange ... 159
     IPSec Security Associations ... 159
     Windows 2000 and Windows XP IPSec Policy Agent ... 160
     Windows 2000 and Windows XP IPSec Driver ... 160
     Default IPSec Policies in Windows 2000 and Windows XP ... 160
     Windows XP IPSec Tools ... 164
  B. Secure Wireless Traffic ... 171
     Wireless Protocols ... 171
     Mobile Device Vulnerabilities ... 173
     Wireless Security Methods ... 174
  C. Secure Client Internet Access ... 181
     Browser Vulnerabilities ... 181
     Internet Explorer Security Tools ... 182
     Hardened Web Browser ... 183
  D. Secure the Remote Access Channel ... 190
     Remote Access Vulnerabilities ... 190
     Hardened Remote Access Server ... 191

LESSON 5: MANAGING PUBLIC KEY INFRASTRUCTURE (PKI)
  A. Install a Certificate Authority (CA) Hierarchy ... 198
     Public Key Infrastructure (PKI) ... 198
     CA Hierarchy ... 199
  B. Harden a Certificate Authority ... 212
     Certificate Policies ... 212
     The Certificate Life Cycle ... 214
     CA Vulnerabilities ... 216
     Hardened CA ... 217
  C. Back Up Certificate Authorities ... 219
  D. Restore a Certificate Authority ... 222

LESSON 6: MANAGING CERTIFICATES
  A. Enroll Certificates for Entities ... 226
     Certificate Enrollment Process ... 226
  B. Secure Network Traffic Using Certificates ... 232
     Secure Socket Layer (SSL) ... 232
     Transport Layer Security (TLS) ... 233
  C. Renew Certificates ... 236
  D. Revoke Certificates ... 238
     Certificate Revocation List (CRL) ... 238
  E. Back Up Certificates and Private Keys ... 242
  F. Restore Certificates and Private Keys ... 247
     Private Key Replacement ... 247
     Private Key Restoration ... 247

LESSON 7: ENFORCING ORGANIZATIONAL SECURITY POLICY
  A. Enforce Corporate Security Policy Compliance ... 252
  B. Enforce Legal Compliance ... 254
     Legal Security Compliance Requirements ... 255
  C. Enforce Physical Security Compliance ... 258
     Physical Resource Vulnerabilities ... 258
  D. Educate Users ... 264
     The Employee Education Process ... 264
     End User Responsibility for Security ... 265

LESSON 8: MONITORING THE SECURITY INFRASTRUCTURE
  A. Scan for Vulnerabilities ... 270
     The Hacking Process ... 270
     Vulnerability Scanning Tools ... 271
     Types of Security Scans ... 272
     Vulnerable TCP and UDP Ports ... 272
  B. Monitor for Intruders ... 288
     Intrusion Detection Systems ... 288
  C. Set Up a Honeypot ... 298
     Honeypots ... 298
  D. Respond to Security Incidents ... 305
     Incident Response Policy ... 305

APPENDIX A: AUTHENTICATION AND AUTHORIZATION

APPENDIX B: UNDERSTANDING MEDIA
  A. Removable Media ... 322
     Tape Media ... 322
     Disk Media ... 324
     CD-ROM ... 325
     Floppy Disks ... 327
  B. Cabling ... 334
     Bounded and Unbounded Media ... 334
     Coaxial Cable (Coax) ... 335
     Twisted Pair (UTP/STP) Cable ... 336

APPENDIX C: SECURESYSTEMS.DOC

APPENDIX D: SECURITY+ EXAM OBJECTIVES MAPPING

APPENDIX E: AUTOMATED SETUP INSTRUCTIONS

LESSON LABS ... 365
SOLUTIONS ... 377
GLOSSARY ... 397
INDEX ... 407

INTRODUCTION

ABOUT THIS COURSE

Security+™: A CompTIA Certification is the primary course you will need to take if your job responsibilities include securing network services, network devices, and network traffic. It is also the main course you will take to prepare for the CompTIA Security+ examination (exam number SY0-101). In this course, you’ll build on your knowledge and professional experience with computer hardware, operating systems, and networks as you acquire the specific skills required to implement basic security services on any type of computer network.

This course can benefit you in two ways. If you intend to pass the CompTIA Security+ examination (exam number SY0-101), this course can be a significant part of your preparation. But certification is not the only key to professional success in the field of computing security. Today’s job market demands individuals with demonstrable skills, and the information and activities in this course can help you build your security-related skill set so that you can confidently perform your duties in any security-related professional role.

Course Description

Target Student

This course is targeted toward an Information Technology (IT) professional who has networking and administrative skills in Windows-based TCP/IP networks and familiarity with other operating systems, such as NetWare, Macintosh, UNIX/Linux, and OS/2, who wants to: further a career in IT by acquiring a foundational knowledge of security topics; prepare for the CompTIA Security+ Certification examination; or use Security+ as the foundation for advanced security certifications or career roles.

Course Prerequisites

CompTIA A+ and Network+ certifications, or equivalent knowledge, and six to nine months experience in networking, including experience configuring and managing TCP/IP. Students can obtain this level of skill and knowledge by taking the following Element K courses:

• A+ Certification: Core Hardware

• A+ Certification: Operating Systems

• Network+ Certification: 3rd Edition

Students can obtain additional TCP/IP knowledge from the Element K course Windows 2000: Network and Operating System Basics.


Although not required, students might find it helpful to obtain foundational information from introductory operating system administration courses.

How to Use This Book

As a Learning Guide

Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Security+™; skills you acquire in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence.

We organized each lesson into results-oriented topics. Topics include all the relevant and supporting information you need to master Security+™, and activities allow you to apply this information to practical hands-on examples.

Through the use of sample files, hands-on activities, illustrations that give you feedback at crucial steps, and supporting background information, this book provides you with the foundation and structure to learn Security+™ quickly and easily.

As a Review Tool

Any method of instruction is only as effective as the time and effort you are willing to invest in it. In addition, some of the information that you learn in class may not be important to you immediately, but it may become important later on. For this reason, we encourage you to spend some time reviewing the topics and activities after the course. For additional challenge when reviewing activities, try the “What You Do” column before looking at the “How You Do It” column.

As a Reference

The organization and layout of the book make it easy to use as a learning tool and as an after-class reference. You can use this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.

Course Objectives

In this course, you will implement and monitor security on networks and computer systems, and respond to security breaches.

You will:

• identify security threats.

• harden internal systems and services.

• harden internetwork devices and services.

• secure network communications.

• manage a PKI.

• manage certificates.

• enforce an organizational security policy.


• monitor the security infrastructure.

• identify the characteristics of various media.

Course Requirements

Hardware

To run this course make sure all equipment is on the Microsoft Hardware Compatibility List (HCL) for Microsoft Windows 2000 Server and Microsoft Windows XP Professional. The Microsoft Windows HCL can be found at: www.microsoft.com/hcl. You will need one computer for each student and one for the instructor. Each computer will need:

• Pentium processor, 300 MHz or greater.

• 256 megabytes (MB) of Random Access Memory (RAM) or greater.

• 10 gigabyte (GB) hard disk or larger.

• Super VGA (SVGA) or higher resolution monitor capable of a screen resolution of at least 800 x 600 pixels, at least 256-color display, and a video adapter with at least 4 MB of memory.

• 3.5” 1.44 MB floppy disk drive.

• Bootable CD-ROM drive.

• Mouse or compatible tracking device.

• Network interface card and network cabling connecting each classroom computer.

• Internet access is recommended as some activities require Internet access. This will also allow access to the numerous URLs that are referenced throughout the book. Students will benefit from being able to access the latest information about security such as new types of attacks and the latest security breaches to different products. Make sure to use IP addresses that do not conflict with other portions of your network.

• The instructor computer will need a display system to project the instructor’s computer screen.

Software

• Microsoft Windows 2000 Server or Windows 2000 Advanced Server with sufficient licenses.

• Microsoft Windows 2000 Service Pack 2.

• Microsoft Windows 2000 Service Pack 3.

• Internet Explorer 6.0 with Service Pack 1. If you will have Internet access during class, you can download the installation setup file from www.microsoft.com/windows/ie/downloads/ie6sp1/download.asp. If you will not have Internet access during class, you will need to order the Internet Explorer 6 CD from www.microsoft.com/windows/ie/ordercd/ie6sp1.asp.

• Microsoft Windows 2000 Security Rollup Package 1 (January, 2002) (W2KSP2SRP1.exe). Download the Network Installation package from www.microsoft.com/windows2000/downloads/critical/q311401/default.asp.


• Microsoft Baseline Security Analyzer version 1.0 (MBSASetup.msi): www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp.

• Microsoft Internet Information Server (IIS) Security Rollup Package (Q319733) (Q319733_W2K_SP3_X86_EN.exe): www.microsoft.com/Windows2000/downloads/security/q319733.

• Microsoft IIS Lockdown Tool version 2.1 (IISLockd.exe). Go to www.microsoft.com/downloads and search for Lockdown Tool.

• Microsoft Windows XP Professional with sufficient licenses. Be sure that you meet the activation requirements for your classroom situation.

• Microsoft Windows XP Service Pack 1.

• The Cumulative Patch for Windows Media Player (Q320920). Go to www.microsoft.com/technet/security/bulletin/ms02-032.asp. Download the executable for Windows Media Player 6.4 (wm320920_64.exe).

• Microsoft Exchange Server 2000 Standard Edition or Enterprise Edition with sufficient licenses.

• Microsoft Exchange 2000 Service Pack 3.

• Microsoft Exchange Instant Messaging client for Windows 2000 (mmssetup.exe):www.microsoft.com/exchange/downloads/2000/IMclient.asp.

• Microsoft Network Monitor 2.0, Service Pack 1 (available with Systems Management Server 2.0 with Service Pack 2), with sufficient licenses.

• Intrusion SecurityAnalyst. Go to www.intrusion.com/products. Click Other Products, and then click the Downloads link for SecurityAnalyst. Download the evaluation version (SA_SP2.exe). You will have to register.

• Smbrelay.exe: www.phreak.org/archives/exploits/microsoft.

• L0phtCrack 4 (LC4) (LC4Setup.exe): www.atstake.com/research/lc/download.html.

• Internet Security Systems (ISS) RealSecure Desktop Protector version 3.4 evaluation copy (RSDPEvalSetup.exe): www.iss.net/products_services/enterprise_protection/rsdesktop/protector_desktop.php. Click Download Trial. You will have to register.

• Foundstone Tools. Go to www.foundstone.com/knowledge/free_tools.html and individually download SuperScan v3.0 (superscan.exe), UDPFlood v2.0 (udpflood.zip) and DDosPing v2.0 (ddosping.zip). Or, if you would like to have all the tools available in class, you can select Download All Tools (approximately 3.38MB).

Class Setup

The classroom computers will be configured to dual-boot between Windows 2000 Server and Windows XP Professional. In the following procedures you will set up the instructor computer first so that you can copy the Windows 2000 Server and Windows XP Professional source files to the instructor computer’s hard drive and share them. Then, you can install the student computers over the network. On all computers, you will install and configure Windows 2000 Server first, then Windows XP Professional.

INTRODUCTION

Security+ A CompTIA Certificationxiv

Page 16: Comp Ti a Security

Optional: Automated Setup Instructions

To help streamline the classroom setup process, Element K has provided two setup scripts and special instructions for using the scripts to set up the instructor and student computers. While these instructions may be used in place of the manual instructions that follow, all the hardware and software requirements for this course still apply. Our testing has shown that these scripts may reduce the time required for classroom setup by up to 50 percent, depending on your specific hardware configuration. For detailed setup instructions using these scripts, refer to . Note: These scripts will set up only the computers for the classroom; they will not set up the optional Lesson Labs. Those still must be set up manually, and as always, they are completely optional and not required for the lesson activities in the classroom.

Instructor Computer—Windows 2000 Server:

See your manufacturer’s reference manual for hardware considerations that apply to your specific hardware setup.

When installing over the network with MS-DOS boot disks, it is best to use SMARTDRV.EXE and HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

Approximate setup time: 16 hours for a base system, plus time to image other computers. Imaging the systems is highly recommended, as this will make it easier to set up class or lab activities repeatedly.

1. Start the Windows 2000 Server setup program. (You can either boot the computer with the Windows 2000 Server installation compact disc inserted into the CD-ROM drive, or share the installation source files on a network drive and create MS-DOS network boot disks to install over the network from the shared drive.)

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:

• Accept the license agreement.

• Create a new 6 GB C drive.

• Install Windows 2000 Server on the C drive. Format the drive to NTFS.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• Enter the product key, if necessary.

• Specify the appropriate number of per-server licenses for all classroom computers to connect to this server. For example, with 10 students, set the number to 10.

• Use a computer name of Server100.

• Set the Administrator password to !Pass1234.

• On the Windows 2000 Components page, select (do not check) Internet Information Services (IIS) and click Details. Check both File Transfer Protocol (FTP) Server and NNTP Service and click OK. Then select Networking Services and click Details. Check Dynamic Host Configuration Protocol (DHCP) and click OK. Click Next.

• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings and click Next. Open the properties of the TCP/IP protocol and configure it with a static IP address of 192.168.y.100, where y is a unique number on your local subnet. For example, if this is the only classroom in your location, then the instructor’s IP address would be 192.168.1.100. Enter this same IP address as the Preferred DNS Server address. (You will install and configure DNS later.) Enter a subnet mask of 255.255.255.0.

• Accept the default workgroup name of Workgroup.

Note: The activities in this course require static IP addresses. If you are attached to a corporate network, consult with your TCP/IP or network administrator to verify that this IP configuration does not conflict with any other addresses in your location. Internet access is recommended in this class, so you should also consult with them on an appropriate method of providing access (for example, Network Address Translation (NAT)). Also, check with them on any additional parameters that may be needed for Internet access; for example, a default gateway and additional DNS servers. If you do add additional DNS servers for Internet access for each computer, make sure you always leave the classroom configured DNS server IP address as first in the list.

3. When installation is complete, log on as Administrator with a password of !Pass1234. Then complete the following steps:

a. Select I Will Configure This Server Later and click Next.

b. Uncheck Show This Screen At Startup.

c. Close the Windows 2000 Configure Your Server window.

4. Change your display settings by completing the following steps:

a. Right-click the desktop and choose Properties.

b. On the Settings tab, change the screen area to 800 by 600 pixels. Click OK twice, and then click Yes.

5. Create a new E drive on the computer by completing the following steps:

a. Right-click My Computer and choose Manage. Click Disk Management.

b. Right-click in the area of unallocated space on Drive 0 and choose Create Partition.

c. Use the Create Partition Wizard to create a new partition with the following parameters:

• Primary Partition.

• 4000 MB disk space.

• Drive letter E.

• File format: FAT32.

• Volume label: XPVolume.

6. In Computer Management, configure the FTP Publishing service and the Telnet service by completing the following steps:

a. Expand Services And Applications. Select Services.

b. In the right pane, verify that the FTP Publishing Service is started and that its startup type is Automatic.

c. Double-click the Telnet service and select Automatic as the startup type. Click Start. After the service starts, click OK.

d. Close Computer Management.

7. Open Windows Explorer and create a C:\SPlus folder. Share the SPlus folder with the default share settings. In the C:\SPlus folder, create the following subfolders and add the specified contents:

• Srv2000: From the Microsoft Windows 2000 Server compact disc, copy the I386 folder and its contents.

• W2KSP2: Copy the Microsoft Windows 2000 Service Pack 2 files.

• W2KSP3: Copy the Microsoft Windows 2000 Service Pack 3 files.

• W2KSRP: Copy the Microsoft Windows 2000 Security Rollup Package 1.

• IIS: This will contain the following subdirectories:

• SecRollup: Copy the Microsoft Internet Information Server (IIS) Security Rollup Package.

• Lockdown: Copy the Microsoft IIS Lockdown Tool.

• IE6: Copy Microsoft Internet Explorer 6 setup files from the IE6 installation CD-ROM so students can do a full installation without Internet access, or, if you will be setting up Internet access in the classroom, you can simply copy the small file ie6setup.exe that you downloaded from Microsoft. There are steps for both types of installs in the activity.

• WMPPatch: Copy the Cumulative Patch for Windows Media Player.

• XPPro: Copy the \I386 folder and its contents from the Microsoft Windows XP Professional compact disc.

• XPProSP1: Copy the Microsoft Windows XP Service Pack 1 files.

• MBSA: Copy the Microsoft Baseline Security Analyzer.

• E2K: Copy the Microsoft Exchange 2000 Standard or Enterprise Edition compact disc.

• E2KSP: Copy the Microsoft Exchange 2000 Service Pack 3 files.

• E2KIM: Copy the Microsoft Exchange Instant Messaging Client.

• SMS: Copy the SMSSetup folder and the NMext folder from the Microsoft Systems Management Server 2.0 with Service Pack 2 installation compact disc.

• SecurityAnalyst: Extract the Intrusion SecurityAnalyst setup files from the zipped source file. Place the extracted files directly in the \SPlus\SecurityAnalyst folder, not a subfolder.

• SMBRelay: Copy smbrelay.exe.

• LC4: Copy L0phtCrack4.

• RealSecureDP: Copy RSDPEvalSetup.exe.

• Tools: Copy the Foundstone Tools. If you used the option to download all the tools, extract foundstone_tools.zip to \Tools. Otherwise, use the following subdirectories:

1. SuperScan: Copy SuperScan v2.0.

2. UDPFlood: Extract the UDPFlood v2.0 files from the zipped source file.

3. DDosPing: Extract the DDosPing v2.0 files from the zipped source file.

• CourseCD: Copy the PowerPoint slides for the course and the PowerPoint viewer application from the course compact disc that shipped with this book. (If you prefer, you can run the slides directly from the CD’s Autorun interface.)

• Student: Extract the data files from the course compact disc that shipped with this book to the \Student directory. Remove the Read-only attribute from the data files after extracting them.

8. Create a domain controller by completing the following steps:

a. Choose Start→Run.

b. In the Open text box, type dcpromo to start the Active Directory Installation Wizard, and click Next.

c. Use the Active Directory Installation Wizard to promote the server to domain controller using the following parameters:

• Domain Controller For A New Domain.

• Create A New Domain Tree.

• Create A New Forest Of Domain Trees.

• Full DNS Name: domain100.internal.

• Domain NetBIOS name: accept the default of DOMAIN100.

• Accept the default locations for the Active Directory database and log.

• Accept the default location for the SYSVOL folder.

• Click OK in the DNS message box.

• Verify that Yes, Install And Configure DNS On This Computer is selected.

• Select Permissions Compatible Only With Windows 2000 Servers.

• Directory Services Restore Mode Administrator Password: password.

d. On the Summary screen, click Next.

e. After the Active Directory Installation Wizard completes, click Finish.

f. Click Restart Now when prompted.

g. Log on as Administrator with a password of !Pass1234.

9. Change your DNS zone type from Active Directory-integrated to Standard Primary by completing the following steps:

• From the Start menu, choose Programs→Administrative Tools→DNS.

• Expand your DNS server and expand Forward Lookup Zones. Select and right-click the Domain100.internal zone object and choose Properties.

• Change the Type to Standard Primary. Click OK twice.

• Change Allow Dynamic Updates to Yes. Click OK.

• Close DNS.

10. Create a DHCP scope by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→DHCP.

b. Right-click the DHCP server object (server100), and choose New Scope.

c. Use the New Scope Wizard to create a DHCP scope using the following parameters:

• Scope Name: Local100

• Address Range: 192.168.#.101-101/24, where # is your unique number for the classroom. (A range of just one address.)

• Do not add exclusions.

• Accept the default lease duration.

• Do not configure DHCP scope options.

• Do not activate the scope.

• Close DHCP.

11. Install the Microsoft Loopback Adapter by completing the following steps:

a. In Control Panel, run Add/Remove Hardware. Click Next.

b. Verify that Add/Troubleshoot A Device is selected and click Next.

c. In the Devices list, select Add A New Device and click Next.

d. Select No, I Want To Select The Hardware From A List and click Next.

e. In the Hardware Types list, select Network Adapters. Click Next.

f. In the Manufacturers list, select Microsoft. The Loopback Adapter is the only adapter listed. Click Next twice, and then click Finish.

g. In Control Panel, open Network And Dial-Up Connections.

h. Right-click Local Area Connection 2 (the loopback adapter) and choose Rename.

i. Type Loopback Adapter and press Enter.

j. Close Network and Dial-Up Connections.

12. Configure and enable RRAS by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

b. Right-click the server object (Server100) and choose Configure And Enable Routing And Remote Access using the following settings:

• Select Virtual Private Network (VPN) Server.

• Accept the default protocols (TCP/IP).

• Select the Loopback Adapter as the Internet connection.

• Assign IP addresses automatically.

• Don’t use RADIUS.

• Click OK to close the DHCP Relay Agent message box.

c. Expand the RRAS server object, expand IP Routing, and open the properties of the DHCP Relay Agent. Configure the agent with the server’s IP address.

d. Right-click DHCP Relay Agent and choose New Interface. Select the Loopback Adapter. Accept the default relay agent properties.

e. Collapse all the expanded nodes of the tree and close Routing And Remote Access.

13. Allow authenticated users to log on to the domain controller by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→Domain Controller Security Policy.

b. Expand Security Settings, Local Policies.

c. Select User Rights Assignment.

d. In the details pane, double-click Log On Locally.

e. In the Security Policy Setting dialog box, click Add.

f. In the Add User Or Group dialog box, click Browse.

g. In the Select Users Or Groups dialog box, click Authenticated Users.

h. Click Add, and then OK.

i. Click OK twice more. Close Domain Controller Security Policy.

14. Double-click the Connect To The Internet icon. Run the Internet Connection Wizard to configure Internet Explorer as appropriate for your classroom. If you’re not connected to the Internet, you can choose I Connect Thru A LAN.

15. Install the Microsoft Windows 2000 Service Pack 2 from the C:\SPlus\W2KSP2 directory. Accept the license agreement, back up the installation files, and click Install. Restart the computer when prompted and log back on as Administrator with a password of !Pass1234.

16. Install Microsoft Exchange 2000 Standard Edition (or optionally Enterprise Edition) by running C:\SPlus\E2K\Launch.exe. Click Exchange Server Setup and install using the following parameters:

• Agree to the license agreement.

• Enter the product key, if necessary.

• For the Microsoft Exchange 2000 component, choose the Custom installation action.

• Verify Install is selected for Microsoft Exchange Messaging and Collaboration Services.

• Verify Install is selected for Microsoft Exchange System Management Tools.

• Choose Install for Microsoft Exchange Instant Messaging Service.

• Create a new Exchange Organization named Organization100.

• Agree to the license agreement.

17. Install Exchange 2000 Service Pack 3 from the C:\SPlus\E2KSP\ folder. (The exact path to the installation file might vary depending on how you obtained the Service Pack.) Click Install Service Pack 3. Accept all the update defaults.

When you rename the files, be careful not to create a double extension (Default.htm.htm), which can happen with the file extensions view turned off.

18. Create the Web sites you’ll use in class by completing the following steps:

a. Copy the Northeast.htm, Boc2.gif, and Swashtop.gif files from the student data files to C:\Inetpub\wwwroot. Rename Northeast.htm to Default.htm. (This creates the Nuclear Plant Training Site home page.)

b. Create a C:\Register directory. Copy the Register.htm and Dac10001.gif files from the student data files to this folder.

c. In the C:\Register directory, rename Register.htm to Default.htm. This creates the Student Registration Web page.

d. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

e. Expand the Server100 object and select the Default Web Site.

f. Right-click the Default Web site and choose New→Virtual Directory.

g. Use the Virtual Directory Creation Wizard to create a new virtual directory with the following parameters:

• Alias: Register

• Directory: C:\Register

• Access Permissions: Use the defaults.

h. Close Internet Services Manager.

i. Open Internet Explorer and connect to http://Server100 to verify that you can see the default Web site (the Nuclear Plant Training Site).

j. Connect to http://Server100/Register to verify that you can see the Registration Web Page. Close Internet Explorer.

19. Open the PowerPoint slides from C:\SPlus\CourseCD to verify that they display properly.

Instructor Computer—Windows XP Professional:

1. Run Windows XP Professional Setup: reboot the computer from the Microsoft Windows XP Professional installation compact disc, or, from within Windows 2000 Server, run the \I386\Winnt32.exe program from the Windows XP Professional installation source files.

2. Install a new copy of Microsoft Windows XP Professional (clean install) using the following parameters:

• Accept the license agreement.

• Install on the 4 GB E drive. Leave the file system (FAT32) intact.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• Enter the product key, if necessary.

• Name the instructor computer Client100.

• Set the Administrator password to !Pass1234.

• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings. Click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.200 where y is your unique number for the classroom. Enter a subnet mask of 255.255.255.0. Do not enter a classroom DNS server address.

• Accept the default workgroup name.

3. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configure the computer by completing the following steps:

a. Set up your Internet connection as appropriate for your classroom. If you’re not connected to the Internet, you can skip this Internet step.

b. Do not activate Windows.

c. Create a user account named Admin100. This user should become part of the Administrators group by default. When you finish the Wizard, the system should log you on automatically as this user.

4. Create and configure user accounts by completing the following steps:

a. Right-click My Computer and choose Manage.

b. Expand Local Users And Groups, and select the Users folder.

c. Right-click the Admin100 account and choose Set Password. Click Proceed.

d. Enter and confirm a password of password and click OK twice. (This user’s password will change during the course of the class.)

e. Right-click the Users folder and choose New User.

f. Create a new user named ChrisC.

g. Enter and confirm a password of Certification1 (observe the capitalization). Uncheck User Must Change Password At Next Logon and click Create. Click Close.

h. Close Computer Management.

5. Configure sharing on the C:\SPlus folder by completing the following steps:

a. Use Windows Explorer or My Computer to open the C drive.

b. Right-click the SPlus folder and choose Sharing And Security.

c. Click the If You Understand The Security Risks But Want To Share Files Without Running The Wizard Click Here link.

d. Select Just Enable File Sharing and click OK.

e. In the SPlus Properties dialog box, under Network Sharing And Security, check Share This Folder On The Network.

f. Uncheck Allow Network Users To Change My Files. Click OK. It will take a few minutes for the permissions to be set on all the subfolders.

g. Close My Computer or Windows Explorer.

6. Install Microsoft Network Monitor 2.0 from the C:\SPlus\SMS\NMext\I386 directory, by double-clicking the Setup.exe file. When prompted, accept the license agreement and select all default choices.

7. Configure Windows 2000 Server to be the default choice in the boot loader menu by completing the following steps:

a. From the Start menu, right-click My Computer and choose Properties.

b. Select the Advanced tab.

c. Under Startup And Recovery, click Settings.

d. From the Default Operating System drop-down list, select Microsoft Windows 2000 Server /fastdetect.

e. Click OK twice. The first hands-on activity in the course uses the Windows XP Professional installation.

Student Computers—Windows 2000 Server:

Now that the instructor computer has finished and the shares have been created on the instructor’s computer (\\Server100 or \\Client100), you can now install all the student computers simultaneously using the following procedure.

If possible, set up a few additional computers as spares if you have the available resources.

1. Start the Windows 2000 Server setup program. (You can either boot the computer with the Windows 2000 Server installation compact disc inserted into the CD-ROM drive, or create MS-DOS network boot disks to install over the network. These bootable disks should connect to the \\Client100\SPlus\Srv2000 share, which contains the Windows 2000 Server installation compact disc source files, and then run the command winnt.)

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:

• Accept the license agreement.

• Create a new 6 GB C drive.

• Install Windows 2000 Server on the C drive. Format the drive to NTFS.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• Enter the product key, if necessary.

• Specify the appropriate number of per-server licenses for all classroom computers to connect to this server. For example, with 10 students, set the number to 10.

• Name each student computer Server#, where # is a unique integer you assign to each student.

• Set the Administrator password to !Pass1234.

• On the Windows 2000 Components page, select (do not check) Internet Information Services (IIS) and click Details. Check both File Transfer Protocol (FTP) Server and NNTP Service and click OK. Then select Networking Services and click Details. Check Dynamic Host Configuration Protocol (DHCP) and click OK. Click Next.

• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings and click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.#, where y is your unique number for the classroom and # is the unique integer you assigned to each student. For example, if this is the only classroom in your location, and this is the third student computer you are installing, then the student computer name would be Server3 and the IP address would be 192.168.1.3. Enter a subnet mask of 255.255.255.0. Enter this same IP address as the Preferred DNS Server address. (You will install and configure DNS in a later step.)

• Accept the default workgroup name of Workgroup.

3. When installation is complete, log on as Administrator with a password of !Pass1234. Then complete the following steps:

a. Select I Will Configure This Server Later and click Next.

b. Uncheck Show This Screen At Startup.

c. Close the Windows 2000 Configure Your Server window.

4. Change your display settings by completing the following steps:

a. Right-click the desktop and choose Properties.

b. On the Settings tab, change the screen area to 800 by 600 pixels. Click OK twice, and then click Yes.

5. Create a new E drive on the computer by completing the following steps:

a. Right-click My Computer and choose Manage. Click Disk Management.

b. Right-click in the area of unallocated space on Drive 0 and choose Create Partition.

c. Use the Create Partition Wizard to create a new partition with the following parameters:

• Primary Partition.

• 4000 MB disk space.

• Drive letter E.

• File format: FAT32.

• Volume label: XPVolume.

6. In Computer Management, configure the FTP Publishing service and the Telnet service by completing the following steps:

a. Expand Services And Applications. Select Services.

b. In the right pane, verify that the FTP Publishing Service is started and that its startup type is Automatic.

c. Double-click the Telnet service and select Automatic as the startup type. Click Start. After the service starts, click OK.

d. Close Computer Management.

7. Create a domain controller by completing the following steps:

a. Choose Start→Run.

b. In the Open text box, type dcpromo to start the Active Directory Installation Wizard, and click Next.

c. Use the Active Directory Installation Wizard to promote the server to domain controller using the following parameters:

• Domain Controller For A New Domain.

• Create A New Domain Tree.

• Create A New Forest Of Domain Trees.

• Full DNS Name: domain#.internal, where # is the unique number assigned to this student/computer.

• Domain NetBIOS name: accept the default of DOMAIN#.

• Accept the default locations for the Active Directory database and log.

• Accept the default location for the SYSVOL folder.

• Click OK in the DNS message box.

• Verify that Yes, Install And Configure DNS On This Computer is selected.

• Select Permissions Compatible Only With Windows 2000 Servers.

• Directory Services Restore Mode Administrator Password: password.

d. On the Summary screen, click Next.

e. After the Active Directory Installation Wizard completes, click Finish.

f. Click Restart Now when prompted.

g. Log on as Administrator with a password of !Pass1234.

8. Change your DNS zone type from Active Directory-integrated to Standard Primary by completing the following steps:

• From the Start menu, choose Programs→Administrative Tools→DNS.

• Expand your DNS server and expand Forward Lookup Zones. Select and right-click the Domain#.internal zone object and choose Properties.

• Change the Type to Standard Primary. Click OK twice.

• Change Allow Dynamic Updates to Yes. Click OK.

• Close DNS.

9. Create a DHCP scope by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→DHCP.

b. Right-click the DHCP server object (server#), and choose New Scope.

c. Use the New Scope Wizard to create a DHCP scope using the following parameters:

• Scope Name: Local#, where # is the student/computer’s unique number.

• Address Range: 192.168.y.50+#/24, where y is your unique number for the classroom and # is a unique integer you assigned to each student. For example, for Server6 in classroom 1, create a range of 192.168.1.56 – 192.168.1.56 (a range of just one address).

• Do not add exclusions.

• Accept the default lease duration.

• Do not configure DHCP scope options.

• Do not activate the scope.

• Close DHCP.

10. Install the Microsoft Loopback Adapter by completing the following steps:

a. In Control Panel, run Add/Remove Hardware. Click Next.

b. Verify that Add/Troubleshoot A Device is selected and click Next.

c. In the Devices list, select Add A New Device and click Next.

d. Select No, I Want To Select The Hardware From A List and click Next.

e. In the Hardware Types list, select Network Adapters. Click Next.

f. In the Manufacturers list, select Microsoft. The Loopback Adapter is the only adapter listed. Click Next twice, and then click Finish.

g. In Control Panel, open Network And Dial-Up Connections.

h. Right-click Local Area Connection 2 (the loopback adapter) and choose Rename.

i. Type Loopback Adapter and press Enter.

j. Close Network and Dial-Up Connections.

11. Configure and enable RRAS by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

b. Right-click the server object (Server#) and choose Configure And Enable Routing And Remote Access using the following settings:

• Select Virtual Private Network (VPN) Server.

• Accept the default protocols (TCP/IP).

• Select the Loopback Adapter as the Internet connection.

• Assign IP addresses automatically.

• Don’t use RADIUS.

• Click OK to close the DHCP Relay Agent message box.

c. Expand the RRAS server object, expand IP Routing, and open the properties of the DHCP Relay Agent. Configure the agent with the server’s IP address.

d. Right-click DHCP Relay Agent and choose New Interface. Select the Loopback Adapter. Accept the default relay agent properties.

e. Collapse all the expanded nodes of the tree and close Routing And Remote Access.

12. Allow authenticated users to log on to the domain controller by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→Domain Controller Security Policy.

b. Expand Security Settings, Local Policies.

c. Select User Rights Assignment.

d. In the details pane, double-click Log On Locally.

e. In the Security Policy Setting dialog box, click Add.

f. In the Add User Or Group dialog box, click Browse.

g. In the Select Users Or Groups dialog box, click Authenticated Users.

h. Click Add, and then OK.

i. Click OK twice more. Close Domain Controller Security Policy.

13. Double-click the Connect To The Internet icon. Run the Internet Connection Wizard to configure Internet Explorer as appropriate for your classroom. If you’re not connected to the Internet, you can choose I Connect Thru A LAN.

14. Install the Microsoft Windows 2000 Service Pack 2 from the \\Client100\SPlus\W2KSP2 directory. Accept the license agreement, back up the installation files, and click Install. Restart the computer when prompted and log back on as Administrator with a password of !Pass1234.

15. Install Microsoft Exchange 2000 Standard Edition (or optionally Enterprise Edition) by running \\Client100\SPlus\E2K\Launch.exe. Click Exchange Server Setup and install using the following parameters:

• Agree to the license agreement.

• Enter the product key, if necessary.

• For the Microsoft Exchange 2000 component, choose the Custom installation action.

• Verify Install is selected for Microsoft Exchange Messaging and Collaboration Services.

• Verify Install is selected for Microsoft Exchange System Management Tools.

• Choose Install for Microsoft Exchange Instant Messaging Service.

• Create a new Exchange Organization named Organization#.

• Agree to the license agreement.

16. Install Exchange 2000 Service Pack 3 from the \\Client100\SPlus\E2KSP\ folder. (The exact path to the installation file might vary depending on how you obtained the Service Pack.) Click Install Service Pack 3. Accept all the update defaults.

When you rename the files, be careful not to create a double extension (Default.htm.htm), which can happen with the file extensions view turned off.

17. Create the Web sites you’ll be using in class by completing the following steps:

a. Copy the Northeast.htm, Boc2.gif, and Swashtop.gif files from the student data files to C:\Inetpub\wwwroot. Rename Northeast.htm to Default.htm. (This creates the Nuclear Plant Training Site home page.)

b. Create a C:\Register directory. Copy the Register.htm and Dac10001.gif files from the student data files to this folder.

c. In the C:\Register directory, rename Register.htm to Default.htm. This creates the Student Registration Web page.

d. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

e. Expand the Server# object and select the Default Web Site.

f. Right-click the Default Web Site and choose New→Virtual Directory.

g. Use the Virtual Directory Creation Wizard to create a new virtual directory with the following parameters:

• Alias: Register

• Directory: C:\Register

• Access Permissions: Use the defaults.

h. Close Internet Services Manager.


i. Open Internet Explorer and connect to http://Server# to verify that you can see the default Web site (the Nuclear Plant Training Site).

j. Connect to http://Server#/Register to verify that you can see the Registration Web page. Close Internet Explorer.
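A quick way to catch the two mistakes step 17 warns about (a double extension such as Default.htm.htm created with file extensions hidden, and a site folder with no Default.htm at all) is to audit the folder listing before you test the site in the browser. The following Python function is an added example, not part of the manual; the file names are the ones the manual uses, and the set of extensions it treats as web content is an assumption you can extend.

```python
import os

# Extensions the lab's site folders contain. This set is an assumption for the
# example; extend it if you copy other kinds of content into wwwroot.
WEB_EXTENSIONS = {".htm", ".html", ".gif", ".jpg", ".asp"}


def audit_site_folder(names, expected_default="Default.htm"):
    """Return a list of findings for a list of file names from a site folder.

    A double extension (Default.htm.htm) is what you get when Explorer hides
    extensions and you type the full name into the rename box. Comparison is
    case-insensitive because Windows file names are. An empty list means the
    folder looks right.
    """
    findings = []
    lowered = {name.lower() for name in names}
    for name in names:
        stem, last = os.path.splitext(name)        # "Default.htm.htm" -> ("Default.htm", ".htm")
        _, previous = os.path.splitext(stem)       # "Default.htm"     -> ("Default", ".htm")
        if last.lower() in WEB_EXTENSIONS and previous.lower() in WEB_EXTENSIONS:
            findings.append(f"double extension: {name} (did you mean {stem}?)")
    if expected_default.lower() not in lowered:
        findings.append(f"no {expected_default}: the default document the lab expects is absent")
    return findings


def audit_directory(path, expected_default="Default.htm"):
    """Audit a real folder, for example audit_directory(r'C:\\Inetpub\\wwwroot')."""
    return audit_site_folder(os.listdir(path), expected_default)


if __name__ == "__main__":
    # Constructed listings: the manual's file names, renamed correctly and
    # with the double-extension mistake.
    good = ["Default.htm", "Boc2.gif", "Swashtop.gif"]
    bad = ["Default.htm.htm", "Boc2.gif", "Swashtop.gif"]
    print("good:", audit_site_folder(good))
    print("bad: ", audit_site_folder(bad))
```

Run audit_directory against both C:\Inetpub\wwwroot and C:\Register before opening the browser in steps i and j; a clean result for both folders means the home pages will be found.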

Student Computers—Windows XP Professional:

1. Run Windows XP Professional setup: Reboot the computer from the Microsoft Windows XP Professional installation compact disc, or create MS-DOS network boot disks to install over the network. These bootable disks should connect to the \\Client100\SPlus\XPPro share, which contains the Microsoft Windows XP Professional installation compact disc source files, and then run the command winnt.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

2. Install a new copy of Microsoft Windows XP Professional (clean install) using the following parameters:

• Accept the license agreement.

• Enter the product key, if necessary.

• Install on the 4 GB partition, drive E. Leave the file system (FAT32) intact.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• For each student computer: name the computer Client#, where # is a unique integer you assigned to each student.

• Set the Administrator password to !Pass1234.

• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings. Click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.200+#, where y is your unique number for the classroom and where # is a unique integer you assigned to each student. For example, in classroom 1, the address for Client6 would be 192.168.1.206. Enter a subnet mask of 255.255.255.0. Do not enter a classroom DNS server address.

• Accept the default workgroup name of Workgroup.

3. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configure the computer as follows:

• Set up your Internet connection as appropriate for your classroom. If you’re not connected to the Internet, you can skip the Internet connection.

• Do not activate Windows.

• Create a user account named Admin#. This user should become part of the Administrators group by default. When you finish the Wizard, the system should log you on automatically as this user.

4. Create and configure user accounts by completing the following steps:

a. Right-click My Computer and choose Manage.

b. Expand Local Users And Groups, and select the Users folder.

c. Right-click the Admin# account and choose Set Password. Click Proceed.


d. Enter and confirm a password of password and click OK twice. (This user’s password will change during the course of the class.)

e. Right-click the Users folder and choose New User.

f. Create a new user named ChrisC.

g. Enter and confirm a password of Certification1 (observe the capitalization). Uncheck User Must Change Password At Next Logon and click Create.

h. Create another user with Admin100 as the user name. Enter and confirm a password of !Pass1234. Uncheck User Must Change Password At Next Logon and click Create. Click Close.

i. Right-click the Admin100 user and choose Properties. Select the Member Of tab. Click Add. Enter Administrators and click OK twice.

j. Close Computer Management.

5. Install Microsoft Network Monitor 2.0 from the C:\SPlus\SMS\NMext\I386 directory, by double-clicking the Setup.exe file. When prompted, accept the license agreement and select all default choices.

6. Configure Windows 2000 Server to be the default choice in the boot loader menu by completing the following steps:

a. From the Start menu, right-click My Computer and choose Properties.

b. Select the Advanced tab.

c. Under Startup And Recovery, click Settings.

d. From the Default Operating System drop-down list, select Microsoft Windows 2000 Server /fastdetect.

e. Click OK twice. The first hands-on activity in the course uses the Windows XP Professional installation.

IMPORTANT: The following instructions are for the optional Lesson Labs at the end of this book. Lesson Labs are meant to be self-guided practice activities for students to reinforce what they learned in class and are completely separate from the activities you’ll present in the classroom. There are eight Lesson Labs in this course (one for each lesson). Only the labs for Lesson 1 and Lesson 7 can be completed in the classroom immediately following the lessons because they are question/answer labs and do not have any hands-on activities. The other six labs use different computer and network configurations and must be set up independently outside the classroom if you choose to have students complete them.

Optional: For the Lesson 2, Lab 1 Domain Controller:

Unless otherwise noted, the hardware and software requirements for the lesson-level lab activity computers are the same as for the course as a whole.

Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is designated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab room).

1. Start the Windows 2000 Server setup program.


When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:

• Accept the license agreement.

• Create a new 6 GB C drive.

• Install Windows 2000 Server on drive C. Format the drive to NTFS.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• Enter the product key, if necessary.

• Specify the appropriate number of per-server licenses for all lab computers to connect to this server. For example, with 10 students in the lab, set the number to 10.

• Name the computer NUC01.

• Set the Administrator password to !Pass1234.

• Accept all the default Windows components.

• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings and click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.#, where y is your unique number for the lab and # is the unique integer assigned to you. For example, in lab room 1, unique number 3 gives the address 192.168.1.3. Enter a subnet mask of 255.255.255.0. Enter this same IP address as the Preferred DNS Server address. (You will install and configure DNS in a later step.)

• Accept the default workgroup name of Workgroup.

• When installation is complete, log on as Administrator with a password of !Pass1234.

The activities in this course require static IP addresses. Internet access is recommended in this class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP configuration does not conflict with any other addresses in your location. Also, check with them on any additional parameters that may be needed for Internet access; for example, a default gateway and DNS servers.
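The addressing rule used throughout these labs (servers at 192.168.y.#, Windows XP clients at 192.168.y.200+#, subnet mask 255.255.255.0) is easy to get wrong by hand once a lab has many students, and the conflict check the note above asks for can be automated. The following Python script is an added example, not part of the manual; the host names Server# and Client# are the manual's, while the reserved-address list is an assumption standing in for whatever gateway or instructor addresses your network administrator gives you.

```python
import ipaddress

SUBNET_MASK = "255.255.255.0"
CLIENT_OFFSET = 200  # Client# is 192.168.y.(200 + #)


def lab_network(y):
    """The /24 a lab room uses, built from the manual's subnet mask."""
    return ipaddress.ip_network(f"192.168.{y}.0/{SUBNET_MASK}")


def _host(y, last_octet):
    if not 1 <= y <= 254:
        raise ValueError(f"lab room number {y} is outside 1-254")
    if not 1 <= last_octet <= 254:
        # .0 is the network and .255 the broadcast address, so the 200+# rule
        # only works for student numbers 1 through 54.
        raise ValueError(
            f"host octet {last_octet} is outside the usable range 1-254 "
            f"(student numbers above 54 overflow the 200+# client rule)")
    return f"192.168.{y}.{last_octet}"


def server_address(y, n):
    """Server# (or any lab server with unique number #) gets 192.168.y.#."""
    return _host(y, n)


def client_address(y, n):
    """Client# gets 192.168.y.(200 + #)."""
    return _host(y, CLIENT_OFFSET + n)


def classroom_plan(y, student_numbers, reserved=()):
    """Map every student's Server# and Client# to an address.

    `reserved` holds addresses already in use on the lab network (default
    gateway, instructor machine, and so on). Raises ValueError if two hosts
    would share an address or a student number cannot be expressed.
    """
    used = {ipaddress.ip_address(a): "reserved" for a in reserved}
    plan = {}
    for n in student_numbers:
        for name, addr in ((f"Server{n}", server_address(y, n)),
                           (f"Client{n}", client_address(y, n))):
            ip = ipaddress.ip_address(addr)
            if ip in used:
                raise ValueError(f"{name} -> {addr} collides with {used[ip]}")
            used[ip] = name
            plan[name] = addr
    return plan


if __name__ == "__main__":
    # Lab room 1 with three students; the gateway address is a constructed value.
    plan = classroom_plan(1, [3, 6, 12], reserved=["192.168.1.254"])
    print("network:", lab_network(1))
    for host, addr in plan.items():
        print(f"{host:10s} {addr:16s} mask {SUBNET_MASK}")
```

Two things the formula hides become visible when you run it against a real roster: a student number above 54 produces an unusable client address, and a server number in the 200s (or a reserved gateway at .1) lands on top of someone else's host, which is exactly the conflict the note tells you to rule out with your network administrator.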

3. Select I Will Configure This Server Later and click Next.

4. Uncheck Show This Screen At Startup.

5. Close the Windows 2000 Configure Your Server window.

6. Right-click the desktop and choose Properties.

7. On the Settings tab, change the screen area to 800x600 pixels.

8. Right-click My Computer and choose Properties.

9. Select the Network Identification tab and click Properties.

10. Click More and enter nuclear.internal as the primary DNS suffix. (Make sure this name doesn’t conflict with another domain name on the network.)

11. Click OK to close any open dialog boxes and click Yes to restart the computer when prompted.

12. Log on as Administrator with a password of !Pass1234.

13. Choose Start→Run.


14. In the Open text box, type dcpromo to start the Active Directory Installation Wizard, and click Next.

15. Use the Active Directory Installation Wizard to promote the server to domain controller using the following parameters:

• Select Domain Controller For A New Domain.

• Select Create A New Domain Tree.

• Select Create A New Forest Of Domain Trees.

• Full DNS Name: nuclear.internal.

• Domain NetBIOS name: accept the default of NUCLEAR.

• Accept the default locations for the Active Directory database and log.

• Accept the default location for the SYSVOL folder.

• Click OK in the DNS message box.

• Select Yes, Install And Configure DNS On This Computer.

• Select Permissions Compatible Only With Windows 2000 Servers.

• Directory Services Restore Mode Password: password.

16. On the Summary screen, click Next.

17. After the Active Directory Installation Wizard completes, click Finish. Click Restart Nowwhen prompted.

18. Log on as Administrator with a password of !Pass1234. (The password you entered in step 15 is the Directory Services Restore Mode password; it is used only when the domain controller is started in that mode, not for normal logons.)

19. Choose Start→Programs→Administrative Tools→DNS.

20. Expand the DNS server object and Forward Lookup Zones. Right-click the new zone and choose Properties.

21. Change the Type to Standard Primary. Click Yes to accept.

22. In the Allow Dynamic Update drop-down list, select Yes. Click OK. (A standard primary zone cannot limit dynamic updates to authenticated clients; that option exists only for Active Directory-integrated zones, so any host that can reach this server can register or overwrite records in the lab zone.)

23. Close DNS.

24. Open Windows Explorer and create a C:\SPlus folder.

25. In the C:\SPlus folder, create the following subfolders:

• W2KSP2: Copy the Microsoft Windows 2000 Service Pack 2 files.

• W2KSP3: Copy the Microsoft Windows 2000 Service Pack 3 files.

• W2KSRP: Copy the Microsoft Windows 2000 Security Rollup Package 1.

• IE6: Copy Microsoft Internet Explorer 6 setup files.

• WMPPatch: Copy the Cumulative Patches for Windows Media Player (wm320920_64.exe).

• MBSA: Copy the Microsoft Baseline Security Analyzer.

26. Double-click the Internet Explorer icon.

27. Use the Internet Connection Wizard to configure Internet Explorer as appropriate for your network setup.


Optional: For the Lesson 3, Lab 1 Server:

Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is designated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab room).

1. Start the Windows 2000 Server setup program.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:

• Accept the license agreement.

• Create a new 6 GB C drive.

• Install Windows 2000 Server on drive C. Format the drive to NTFS.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• Enter the product key, if necessary.

• Specify the appropriate number of per-server licenses for all lab computers to connect to this server. For example, with 10 students in the lab, set the number to 10.

• Name the computer Server#, where # is a unique integer assigned to each student in your lab.

• Set the Administrator password to !Pass1234.

• Accept all the default Windows components.

• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings and click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.#, where y is your unique number for the lab and # is the unique integer assigned to you. For example, in lab room 1, unique number 3 gives the computer name Server3 and the address 192.168.1.3. Enter a subnet mask of 255.255.255.0.

• Accept the default workgroup name of Workgroup.

• When installation is complete, log on as Administrator with a password of !Pass1234.

Note: The activities in this course require static IP addresses. Internet access is recommended in this class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP configuration does not conflict with any other addresses in your location. Also, check with them on any additional parameters that may be needed for Internet access; for example, a default gateway and DNS servers.

3. Select I Will Configure This Server Later and click Next.

4. Uncheck Show This Screen At Startup.

5. Close the Windows 2000 Configure Your Server window.

6. Right-click the desktop and choose Properties.

7. On the Settings tab, change the screen area to 800x600 pixels.

8. Choose Start→Settings→Control Panel, and open Add/Remove Programs.


9. Click Add/Remove Windows Components.

10. On the Windows 2000 Components page, select the words (don’t check the check box) Internet Information Services and then click Details.

11. Check FTP Server and NNTP Service and then click OK. Click Next.

12. On the Completing The Windows Components wizard page, click Finish.

13. Close Add/Remove Programs and Control Panel.

14. Open Computer Management and expand Services And Applications. Select Services.

15. In the right pane, verify that the FTP Publishing Service is started and that its startup typeis Automatic.

16. Close Computer Management.

17. In the C:\SPlus folder, create the following subfolders:

• IIS\SecRollup: Copy the Microsoft Internet Information Server (IIS) Security Rollup Package.

• IIS\Lockdown: Copy the Microsoft IIS Lockdown Tool.

18. Double-click the Internet Explorer icon.

19. Use the Internet Connection Wizard to configure Internet Explorer as appropriate for your lab.

20. Install Microsoft Windows 2000 Service Pack 2. Accept the license agreement. Restart the computer when prompted, and log back on as Administrator.

21. Install the Microsoft Windows 2000 Security Rollup Package.

22. Install Microsoft Internet Explorer 6.

Optional: For the Lesson 4, Lab 1 Client Computers:

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is designated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab room).

1. You will need two Windows XP computers for this activity. Run Windows XP Professional setup: Install a new copy of Microsoft Windows XP Professional (clean install) using the following parameters:

• Accept the license agreement.

• Enter the product key, if necessary.

• Create a new 4 GB C drive and format it using NTFS.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• For the computers: name the first computer NUCXP1 and the second NUCXP2.

• Set the Administrator password to !Pass1234.

• Set the date and time settings appropriate for your location.


• On the Network Settings page, select Custom Settings. Click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.200+#, where y is your unique number for the lab and where # is a unique integer assigned to you. (Use a different unique number for each of the two computers so that they do not share an address.) Enter a subnet mask of 255.255.255.0. Do not enter a lab DNS server address.

• Accept the default workgroup name of Workgroup.

2. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configurethe computer as follows:

• Set up your Internet connection as appropriate for your lab.

• Do not activate Windows.

• Create a user account named Admin#. This user should become part of the Administrators group by default. When you finish the Wizard, the system should log you on automatically as this user.

3. Open Control Panel, User Accounts. Click the Admin# account and click Create A Password.

4. Enter and confirm a password of password, click Create Password, and then click Yes, Make Private.

5. Close User Accounts and Control Panel.

6. Obtain Microsoft Systems Management Server 2.0. Install Microsoft Network Monitor 2.0 by double-clicking the Setup.exe in the \NMext\I386 directory on the Microsoft Systems Management Server 2.0 installation files. When prompted, accept the license agreement and select all default choices.

Optional: For the Lesson 5, Lab 1 Domain Controllers:

Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is designated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab room).

1. Start the Windows 2000 Server setup program.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:

• Accept the license agreement.

• Install Windows 2000 Server on a new 6 GB C drive. Format the drive to NTFS.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• Enter the product key, if necessary.

• Specify the appropriate number of per-server licenses for all lab computers to connect to this server. For example, with 10 students in the lab, set the number to 10.

• Name the computers BROKERSRV1 and BROKERSRV2.

• Set the Administrator password to !Pass1234.

• Accept all the default Windows components.


• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings and click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.#, where y is your unique number for the lab and # is the unique integer assigned to you. For example, in lab room 1, unique number 3 gives the address 192.168.1.3. (Use a different unique number for each of the two domain controllers so that they do not share an address.) Enter a subnet mask of 255.255.255.0. Enter this same IP address as the Preferred DNS Server address. (You will install and configure DNS in a later step.)

• Accept the default workgroup name of Workgroup.

• When installation is complete, log on as Administrator with a password of !Pass1234.

Note: The activities in this course require static IP addresses. Internet access is recommended in this class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP configuration does not conflict with any other addresses in your location. Also, check with them on any additional parameters that may be needed for Internet access; for example, a default gateway and DNS servers.

3. Select I Will Configure This Server Later and click Next.

4. Uncheck Show This Screen At Startup.

5. Close the Windows 2000 Configure Your Server window.

6. Right-click the desktop and choose Properties.

7. On the Settings tab, change the Screen area to 800x600 pixels.

8. Right-click My Computer and choose Properties.

9. Select the Network Identification tab and click Properties.

10. Click More and enter brokers.internal as the primary DNS suffix. (Make sure this name doesn’t conflict with another domain name on the network.)

11. Click OK to close any open dialog boxes and click Yes to restart the computer when prompted.

12. Log on as Administrator with a password of !Pass1234.

13. Choose Start→Run. In the Open text box, type dcpromo to start the Active Directory Installation Wizard, and click Next. Use the Active Directory Installation Wizard to promote the server to domain controller using the following parameters:

• For the first computer, select Domain Controller For A New Domain. For the second computer, select Join An Existing Domain.

• For the first computer, select Create A New Domain Tree.

• For the first computer, select Create A New Forest Of Domain Trees.

• Full DNS Name: brokers.internal.

• Domain NetBIOS name: accept the default of BROKERS.

• Accept the default locations for the Active Directory database and log.

• Accept the default location for the SYSVOL folder.

• Click OK in the DNS message box.

• Select Yes, Install And Configure DNS On This Computer.

• Select Permissions Compatible Only With Windows 2000 Servers.

• Directory Services Restore Mode Password: password.

14. On the Summary screen, click Next.


15. After the Active Directory Installation Wizard completes, click Finish.

16. Click Restart Now when prompted.

17. Log on as Administrator with a password of !Pass1234.

18. Choose Start→Programs→Administrative Tools→DNS.

19. Expand the DNS server object and Forward Lookup Zones. Right-click the brokers.internal zone and choose Properties.

20. Change the Type to Standard Primary. Click OK to accept.

21. Change Allow Dynamic Update to Yes. Click OK. Close DNS.

22. Double-click the Internet Explorer icon. Use the Internet Connection Wizard to configure Internet Explorer as appropriate for your lab.

23. Install Microsoft Windows 2000 Service Pack 2. Accept the license agreement. Restart the computer when prompted and log back on as Administrator.

Optional: For the Lesson 6, Lab 1 Server:

Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is designated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab room).

1. Start the Windows 2000 Server setup program.

When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:

• Accept the license agreement.

• Create a new 6 GB C drive.

• Install Windows 2000 Server on drive C. Format the drive to NTFS.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• Enter the product key, if necessary.

• Specify the appropriate number of per-server licenses for all lab computers to connect to this server. For example, with 10 students in the lab, set the number to 10.

• Name the computer BankSRV1.

• Set the Administrator password to !Pass1234.

• Accept all the default Windows components.

• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings and click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.#, where y is your unique number for the lab and # is the unique integer assigned to you. For example, in lab room 1, unique number 3 gives the address 192.168.1.3. Enter a subnet mask of 255.255.255.0.

• Accept the default workgroup name of Workgroup.

• When installation is complete, log on as Administrator with the password of !Pass1234 that you set above.


Note: The activities in this course require static IP addresses. Internet access is recommended in this class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP configuration does not conflict with any other addresses in your location. Also, check with them on any additional parameters that may be needed for Internet access; for example, a default gateway and DNS servers.

3. Select I Will Configure This Server Later and click Next.

4. Uncheck Show This Screen At Startup.

5. Close the Windows 2000 Configure Your Server window.

6. Right-click the desktop and choose Properties.

7. On the Settings tab, change the Screen area to 800x600 pixels.

8. In Control Panel, open Add/Remove Programs.

9. Click Add/Remove Windows Components.

10. Check Certificate Services.

11. Click Yes in the message box, and then click Next.

12. On the Certificate Authority page select Standalone root CA, and then click Next.

13. On the CA Identifying Information page enter the following:

• CA Name: StandaloneRootCA

• Organization: InternationalBank

• Organizational unit: Education

• City: Chicago

• State or Province: Illinois

• Country/Region: US

• E-mail: [email protected]

• CA description: Standalone Root CA for Chicago

• Valid for: 1 Year

On the CA Identifying Information page, click Next.

14. On the Data Storage Location page, click Next.

15. Click OK when prompted to stop IIS. Complete the wizard.

16. Close Add/Remove Programs and Control Panel.

17. Double-click the Internet Explorer icon.

18. Use the Internet Connection Wizard to configure Internet Explorer for Internet access as appropriate for your lab.

19. Install Microsoft Windows 2000 Service Pack 2. Accept the license agreement. Restart the computer when prompted and log back on as Administrator.

Optional: For the Lesson 8, Lab 1 Client Computers:

Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is designated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab room).

1. You will need two Windows XP computers for this activity.


When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.

2. Install a new copy of Microsoft Windows XP Professional (clean install) using the following parameters:

• Accept the license agreement.

• Create a new 4 GB C drive. Install on the C drive and format it using NTFS.

• Select the appropriate regional and language settings for your country.

• Enter the appropriate name and organization for your environment.

• Enter the product key, if necessary.

• Name the computers ITSTAFF1 and SCIFACULTY1.

• Set the Administrator password to !Pass1234.

• Set the date and time settings appropriate for your location.

• On the Network Settings page, select Custom Settings. Click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.200+#, where y is your unique number for the lab and where # is a unique integer assigned to you. For example, in lab 1, unique number 6 gives the address 192.168.1.206. (Use a different unique number for each of the two computers so that they do not share an address.) Enter a subnet mask of 255.255.255.0. Do not enter a lab DNS server address.

• Accept the default workgroup name of Workgroup.

3. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configure the computer as follows:

• Skip the Internet configuration (you won’t need an Internet connection for this lab).

• Do not activate Windows.

• Create a user account named Admin#. (Create the same Admin# on both computers.) This user should become part of the Administrators group by default. When you finish the wizard, the system should log you on automatically as this user.

4. Open Control Panel, User Accounts. Click the Admin# account and click Create A Password. Enter and confirm a password of !Pass1234 and click Create Password, and then click Yes, Make Private.

5. On ITStaff1, create a user account named ITTest and make it a limited account. Then give it a password of password. Close User Accounts and Control Panel.

6. On the ITStaff1 and SciFaculty1 computers, open My Computer and create a C:\SPlus folder.

7. On the ITStaff1 computer, create the following subfolders and add the associated tool:

• SuperScan: Copy the SuperScan v2.0 setup file.

• @stakeLC4: LC4setup.exe.

8. On the SciFaculty1 computer, create the following subfolders and add the associated tool:

• RealSecureDP: Internet Security Systems (ISS) RealSecure Desktop Protector evaluation (RSDPEvalSetup.exe).

• BackOfficer: NFR BackOfficer Friendly (both the nfrbofl executable file and the associated bof folder). You can download bof-1-01.zip from http://online.securityfocus.com/tools/2222.


9. On SciFaculty1, open My Computer. Choose Tools→Folder Options. On the View tab,uncheck Use Simple File Sharing.

10. On SciFaculty1, create a folder on the C drive named Physics Exams.

List of Additional Files

Printed with each activity is a list of files students open to complete that activity. Many activities also require additional files that students do not open, but are needed to support the file(s) students are working with. These supporting files are included with the student data files on the course CD-ROM or data disk. Do not delete these files.


Identifying Security Threats

Lesson Objectives:

In this lesson, you will identify security threats.

You will:

• Identify social engineering attacks.

• Describe audit attacks.

• Identify hardware attacks.

Lesson Time: 2 hour(s)


Introduction

Computer security is an ongoing process that includes setting up the security systems, hardening them, monitoring them, responding to attacks in progress, and deterring attackers. As a security professional, you’ll be involved in all phases of that process. But, in order for that process to be effective, you need to understand the threats you’ll be protecting your systems against. In this lesson, you’ll learn to identify the various types of security threats that you might encounter.

You’re at home, eating dinner. Your phone rings. A credible-sounding operator explains that you have won a free family vacation to Disney World. There is just a small processing fee that needs to be paid by credit card. Could you read your card number and expiration date, please?

You are probably a savvy enough consumer that you would never give your credit card number out over the phone to an unsolicited caller. Yet, phone scams like this bilk thousands of unsuspecting people out of their money every year. How could this be? It is because some people do not recognize this as an attack against their personal credit. They can’t protect themselves against a threat they don’t understand, and in the realm of computing security, neither can you. That’s why it’s so important to understand the computing security threats you might encounter before you can protect your systems and network. Valuable data can be lost, along with the financial costs associated with a recovery. As a matter of fact, in February, 2001, economist Frank Bernhard, then at the University of California – Davis, found that U.S. companies lose 5.7 percent of their annual revenue to security-related losses (www.newsfactor.com/perl/story/7349.html). If you know how to recognize those security threats, maybe you can keep this kind of loss from happening at your company.

TOPIC A

Identify Social Engineering Attacks

When you think about attacks against information systems, you might think most about protecting the technological components of those systems. But people, the system users, are as much a part of an information system as the technological components; they have their own vulnerabilities, and they can be the first part of the system to succumb to certain types of attacks. In this first topic, you’ll learn to identify social engineering attacks—threats against the human factors in your technology environment.

For technical people, it can be easy to forget that one of the most important components of information systems is the people using those systems. Computers and technology don’t exist in a vacuum; their only benefit comes from the way people use them and interact with them. Attackers know this, and so they know that the people in the system are as good a target for attack as any other. If you want to protect your systems and data, you need to be able to recognize this kind of attack when it happens.

Identify Social Engineering Attacks

Definition:

A social engineering attack is a type of attack where the goal is to obtain sensitive data, including user names and passwords, from network users through deception and trickery. While this attack isn’t always aimed directly at computer hardware or network infrastructure, it can turn out to be just as destructive, because this type of attack is usually a precursor to another type of attack, such as a software attack, or even an attack against your private branch exchange (PBX) or internal telecommunications system. Symptoms of a social engineering attack are often invisible or appear as second-hand stories that somebody got a strange phone call or email asking them to do one thing or another. Social engineering attacks work because they take advantage of users who aren’t particularly technically savvy and who are usually willing to help solve what are presented as problems. On the other hand, these attacks can also take advantage of technically savvy users, such as those on a help desk, if the attacker pretends to be a user who needs help.

Figure 1-1: Social engineering attacks.

Example:

Some examples of a social engineering attack are listed below. In each example, an attacker deceives a trusting user into giving up some sensitive information.

• An attacker calls an employee and pretends to be calling from the help desk. The attacker tells the employee he’s reprogramming the order-entry database and he needs the employee’s user name and password to make sure it gets entered into the new system.

• An attacker creates an executable (for example, a file with a .vbs or .exe file extension) that prompts a network user for his user name and password. He then emails the executable to the user with the story that he needs the user to double-click the file and log on to the network again to clear up some logon problems the organization’s been experiencing that morning.

• An attacker contacts the help desk pretending to be a remote sales representative who needs assistance setting up his dial-in access. Through a series of phone calls, the attacker obtains the phone number for remote access and the phone number for accessing the organization’s PBX and voicemail system.

We’ll cover spam and email hoaxes later in the course.


• An attacker sends an executable file disguised as an electronic greeting card (e-card) or as a patch for the operating system or a specific application. The unsuspecting user launches the executable, which might disable his operating system or corrupt files stored on the hard disk.

Hackers, Crackers, and Attackers

As with any area of knowledge, a sound understanding of computer and network security depends on the understanding of important words or phrases. When reading and learning about computer security, you’ll often see the terms hacker, cracker, and attacker, and you should be able to distinguish the meaning of these terms. Originally, a hacker was a user who excelled at computer programming and who enjoyed everything about working with computer systems. As time went by and network and system intrusions started happening with increasing frequency, those reporting these incidents started calling those intruders “hackers,” while those in the hacker community preferred the term cracker, a term that is used to describe someone who breaks into a network or a single system with malicious intent. You’ll also often see such an intruder referred to as an attacker, a term which clearly represents the malicious intent of those who intrude into others’ computer systems.

Additionally, there are two other terms that you should be familiar with (and will be familiar to fans of old Hollywood Westerns): white hat and black hat. A white hat is a hacker who exposes security flaws in applications and operating systems so manufacturers can fix them before they become widespread problems, often working for an organization dedicated to helping uncover security vulnerability or working for the manufacturer itself. As you can probably guess then, a black hat is a hacker who exposes vulnerabilities for financial gain or for some malicious purpose. White hats and black hats get their names from characters in old Westerns: the good guys always wore white hats, while the bad guys wore black hats.

ACTIVITY 1-1

Identifying Social Engineering Attacks

Scenario:

Your IT department wants to know when they are being attacked and what type of attacks are occurring. As the new security administrator for your organization, you will be responsible for determining which events are true social engineering attacks and which are false alarms. The organization is concerned about these false alarms and tightening security too much in response, and they want to make sure they know the difference between attacks and normal activity. They do not want customers or users to be halted in their tracks when they are performing normal tasks with no malicious intent. They have asked you to analyze a list of recent network interactions and classify them as true social engineering attacks or as false alarms.


What You Do How You Do It

1. True or False? A supposed customer calls the help desk stating that she cannot connect to the e-commerce Web site to check order status. She would also like a user name and password. The user gives a valid customer company name, but is not listed as a contact in the customer database. The user doesn’t know the correct company code or customer ID.

2. True or False? The VP of Sales is in the middle of a presentation to a group of key customers and accidentally logged off. She urgently needs to continue with the presentation, but forgot her password. You recognize her voice on the line, but she is supposed to have her boss make the request according to the company password security policy.

3. True or False? A new accountant was hired and is requesting that a copy of the accounting software be installed on his computer so he can start working immediately. Last year, someone internal compromised company accounting records, so distribution of the accounting application is tightly controlled. You have received all the proper documentation for the request from his supervisor and there is an available license for the software.

4. True or False? Christine receives a message in her instant messaging software asking for her account and password. The person sending the message states that the request comes from the IT department, because they need to do a backup of Christine’s local hard drive.

5. True or False? Rachel gets an email with an attachment that is named NewVirusDefinitions.vbs.

6. True or False? A user calls the help desk stating that he is a phone technician needing the password to configure the PBX and voice mail system.

7. True or False? A security guard lets a vendor team through without a required escort as they have shirts on from the preferred vendor, and they stated they were called in to fix an urgent problem. The guard attempted to call the authorization contact in the organization, but the phone was busy for over 10 minutes.

8. True or False? The CEO of the organization needs to get access to data immediately. You definitely recognize her voice, but a proper request form hasn’t been filled out to modify the permissions. She states that normally she would fill out the form and should not be an exception, but she urgently needs the data.


TOPIC B

Classify Software Attacks

In Topic 1A, you learned about attacks against the human component of information systems, but there are many, many other types of security threats that can be aimed directly against the technological elements of the system as well. In this lesson, we’ll divide the major types of computer security attacks into two roughly defined categories. In this topic, you’ll identify the types of attacks that target your computers and devices and the applications, operating systems, and protocols that they use.

The network is the lifeblood of today’s business, whether it is your company’s Local Area Network (LAN) or your e-commerce connection to the Internet. A software attack against the computers in your network can bring your company to its knees, and part of your job as a security professional will be to prevent that. But, as you know, you can’t protect against what you can’t recognize. This topic will help you identify the software attacks that you’ll need to be on guard against.

Software Attacks

Definition:

A software attack is any attack that targets an application, an operating system, or a protocol. The goal of a software attack is to disrupt or disable the applications, operating systems, and protocols running on the computers in your enterprise, or to exploit them in some way to gain access to a single or multiple systems or a network. A software attack might be used by itself or in combination with another type of attack, such as a social engineering attack, and the different types of software attacks might be used alone or in combination with each other.

Example: Eavesdropping

Eavesdropping on network communications is an example of a software attack. In this type of attack, an attacker captures unsecured packets as they travel across a network. The attacker then examines the packets to retrieve usernames or passwords so he can later gain access to secured resources. In this example of a software attack, the attacker targets the protocols used to transport the packets across the network.

Port Scanning Attacks

Definition:

A port scanning attack is a type of software attack where a potential attacker scans the computers and devices you have connected to the Internet to see which TCP and UDP ports are listening and which services on the system are active. Depending on which type of monitoring software you have installed and how it’s configured, you might be alerted that a foreign host scanned certain ports on your system, or the port scans might happen without your knowledge. Port scanning attacks are often the first step a hacker takes to determine where your systems are vulnerable.


Figure 1-2: Port scanning attacks.

Example:

An example of a port scanning attack is when an attacker uses a utility to contact a computer on the Internet to see which ports are open and which services are using those open ports. For example, on a Web server, port 80 (and probably others) will be listening, and the HTTP service will be using that port. An attacker can use this information to exploit the Web server’s operating system to gain access to the computer and the network it’s connected to. There are many utilities available that potential attackers can use to scan ports on remote networks, including Nmap, SuperScan, and Strobe.
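The definition above notes that monitoring software may or may not alert you to a port scan. The following added example (not part of the manual) shows the detection logic such software applies: it reads firewall log lines and flags a source that touches many distinct ports on one host within a short window, which is what a scan looks like from the defender's side. The log format, the sample lines, and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed thresholds for this example: a legitimate client rarely touches
# more than a handful of distinct ports on one server within a minute.
PORT_THRESHOLD = 10
WINDOW_SECONDS = 60

# Constructed firewall log lines (the format itself is an assumption).
# 203.0.113.7 walks through twelve ports in a few seconds; 198.51.100.4
# is an ordinary web client talking to ports 80 and 443 only.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=21
2024-05-01T10:00:01 ALLOW src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=23
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=25
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 proto=udp dport=53
2024-05-01T10:00:02 ALLOW src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=110
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=135
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=139
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=143
2024-05-01T10:00:04 ALLOW src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=445
2024-05-01T10:00:05 ALLOW src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:00:06 ALLOW src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:09 ALLOW src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "dst": m["dst"], "port": (m["proto"], int(m["dport"]))})
    return events


def detect_port_scans(events, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): distinct_ports} for every source that touched at least
    `threshold` distinct proto/port combinations on one host inside a `window`-second span."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    findings = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)   # port -> number of events currently inside the window
        left, best = 0, 0
        for e in evs:
            in_window[e["port"]] += 1
            # slide the left edge forward until the window is at most `window` seconds wide
            while (e["ts"] - evs[left]["ts"]).total_seconds() > window:
                old = evs[left]["port"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            findings[pair] = best
    return findings


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"probable port scan: {src} probed {n} distinct ports on {dst}")
```

Counting distinct ports rather than raw packets is what separates a scan from a busy but legitimate client, which is why the web client in the sample stays below the threshold even though it generates several log lines.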

Eavesdropping Attacks

Definition:

An eavesdropping attack, also sometimes called sniffing, is a type of software attack where an attacker tries to gain access to private network communications, using a utility such as Dsniff or Network Monitor, in order to steal the content of the communication itself or to obtain user names and passwords for future software attacks, such as a takeover attack. These attacks can be made against both traditional communications across the network wire and wireless communications. For an attacker to eavesdrop on a private network, the attacker must have physical access to the network or the ability to physically tap into the network wire somewhere within the organization. On the other hand, to eavesdrop on wireless communications, an attacker need only have the proper software, receiving device, and a location somewhere in close proximity to the wireless network. In most cases, you’ll never know somebody is eavesdropping on your network, unless perhaps you spot an unknown computer leasing an IP address from a DHCP server.


Figure 1-3: Eavesdropping attacks.

Example:

An example of an eavesdropping attack is a disgruntled employee who installs packet-sniffing software on a network host and then analyzes the packets to obtain user names and passwords he can use to access network resources with administrative privileges. Similarly, an attacker could sit with a laptop in the parking lot of an organization and use a wireless device and packet-sniffing software to access data as it passes through a wireless network.

IP Spoofing Attacks

Definition:

An IP spoofing attack is a type of software attack where an attacker creates IP packets with a forged source IP address and uses those packets to gain access to a remote system. IP spoofing attacks take advantage of:

• Applications and services that authenticate based on source IP address.

• Devices that run Sun RPC, X Windows.

• Services that have been secured using TCP wrappers.

• Network File System (NFS) and UNIX r commands (such as rlogin).

• Applications that use authentication based on IP addresses.

Generally, UNIX hosts and services that do not use Kerberos authentication are more prone to spoofing attacks than NetWare and Windows systems, because trust relationships on UNIX hosts are more easily exploited and can be configured to use address-based authentication. Spoofing attacks also take advantage of routers that have not been configured to drop incoming external packets with internal IP addresses as the source addresses. One signal of a potential IP spoofing attack is to find incoming packets at your border routers with internal IP addresses as the source IP address.


Figure 1-4: IP spoofing attacks.

Example:

For example, imagine a scenario where an attacker wants to gain access to a UNIX host with an IP address of 192.168.100.101 and an application that authenticates only hosts with 192.168.100.x addresses. With an IP address of 10.10.125.252, the application isn’t going to authenticate the attacker, whose IP address is 10.10.100.252. So the attacker creates IP packets with the forged source IP address of 192.168.100.186 and sends those packets to the UNIX host. Because the network’s border router hasn’t been configured to reject packets from outside the network with internal IP addresses, the router forwards the packets to the UNIX host, where the attacker is authenticated and given access to the system.
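The scenario succeeds only because the border router forwards a packet from the Internet that claims an inside source address. The following added example (not part of the manual) shows the source-address filtering rule that stops it, applied to constructed packet records that include the forged 192.168.100.186 packet from the scenario. It also goes one step beyond the text by applying the mirror-image rule on the inside interface (egress filtering: a LAN host should never emit packets with a non-local source), so the site cannot be used to spoof others. The internal prefix, interface names, and record format are assumptions for this example.

```python
import ipaddress

# Assumed for this example: the site's internal address space is the
# 192.168.100.0/24 network used in the scenario above.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.100.0/24")]


def is_internal(address):
    """True when the address belongs to one of the site's internal networks."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify_packet(interface, src, dst):
    """Apply border-router source-address filtering to one packet.

    interface is the router interface the packet arrived on ("outside" for
    the Internet link, "inside" for the LAN).  Returns one of:
      "drop-spoofed-internal"  packet from the Internet claims an inside source
      "drop-spoofed-external"  packet from the LAN carries a non-local source
                               (egress filtering, beyond what the text covers)
      "forward"                nothing suspicious about the source address
    """
    if interface == "outside" and is_internal(src):
        return "drop-spoofed-internal"
    if interface == "inside" and not is_internal(src):
        return "drop-spoofed-external"
    return "forward"


def filter_packets(packets):
    """Split (interface, src, dst) records into forwarded and dropped lists,
    attaching the reason to each dropped record so it can be logged."""
    forwarded, dropped = [], []
    for interface, src, dst in packets:
        verdict = classify_packet(interface, src, dst)
        if verdict == "forward":
            forwarded.append((interface, src, dst))
        else:
            dropped.append((interface, src, dst, verdict))
    return forwarded, dropped


# Constructed packet records.  The second one reproduces the scenario above:
# a packet arriving from the Internet with the forged source 192.168.100.186.
SAMPLE_PACKETS = [
    ("outside", "10.10.125.252", "192.168.100.101"),   # attacker's own address: router forwards it, the application refuses it
    ("outside", "192.168.100.186", "192.168.100.101"), # forged internal source: dropped at the border
    ("inside", "192.168.100.50", "198.51.100.9"),      # normal outbound packet
    ("inside", "203.0.113.5", "198.51.100.9"),         # inside host spoofing an outside address
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(SAMPLE_PACKETS)
    for record in dropped:
        print("dropped:", record)
```

Because the rule looks only at the arrival interface and the source address, it needs no knowledge of which applications trust which hosts; that is why it belongs on the border router rather than in each application.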

Hijacking Attacks

Definition:

A hijacking attack is a software attack where the attacker takes control of (hijacks) a TCP session (after authentication at the beginning of the session) to gain access to data or network resources using the identity of a legitimate network user. During a hijacking attack, the attacker can either participate in the TCP session and access the packets as they pass from one host to another, or take control of a TCP session between two hosts, disconnect one of the hosts, and continue communication with the other host as if it were one of the original parties to the session. A hijacking attack might manifest itself in a sudden dropped connection, but most likely you’ll never know a session has been hijacked.


Figure 1-5: Hijacking attacks.

Example:

For example, suppose an attacker is monitoring communications between client and server using a tool such as Hunt or Juggernaut. After the client has authenticated to the server, the attacker can use the tool to insert himself into the communication stream, disconnect the user at the client, and take control of the user’s session with the server, while the server is never aware that it’s now communicating with a different host. The attacker has then taken control of, or hijacked, the session, and can manage the session in any way he wants, sending commands to the server to do just about anything the original user could do.

Replay Attacks

Definition:

A replay attack is a software attack where an attacker captures (through eavesdropping or sniffing) network traffic in the form of packets and stores it for retransmittal at a later time to gain unauthorized access to a specific host or a network. This attack is particularly successful when an attacker captures packets that contain user names, passwords, or other authentication data. Replay attacks differ from eavesdropping attacks because, in eavesdropping attacks, the attacker just listens to network communication, while in a replay attack, the attacker saves the packets for reuse at a later time. In most cases, replay attacks are never discovered.


Figure 1-6: Replay attacks.

Example:

For example, an attacker uses sniffer software to intercept and store a user’s logon traffic as that user is signing on to a network connected to the Internet. To later gain access to that network, the attacker can replay those stored packets to masquerade as that user and have all that user’s privileges in that network.

Man-in-the-Middle Attacks

Definition:

A man-in-the-middle attack is a type of software attack where an attacker inserts himself between two hosts to gain access to their data transmissions. Typically in a man-in-the-middle attack, an attacker intercepts data transmitted from a source computer and responds to the data as if it (the attacker) were the intended destination. The attacker then forwards the data to the intended destination and then intercepts and responds to the reply as if it (the attacker) were the original source computer. Man-in-the-middle attacks are used to gain access to user names, passwords, and network infrastructure information for future attacks or to gain access to the content of the packets being transmitted. Man-in-the-middle attacks are similar to eavesdropping attacks in that both types of attacks monitor network traffic and capture IP packets as they make their way through the network. Man-in-the-middle attacks differ from eavesdropping attacks because instead of just listening to and capturing network traffic, in a man-in-the-middle attack, the attacker is actually making the sender and receiver believe they are communicating with each other, when in fact they’re communicating with the attacker’s computer. This deception allows attackers to manipulate the communication rather than just observe it passively. Like eavesdropping attacks, there will be no signs that a man-in-the-middle attack is in progress or has just taken place.

Figure 1-7: Man-in-the-middle attacks.

Example:

A typical man-in-the-middle attack might happen like this: An attacker sets up a host on a network with IP forwarding enabled and a utility like Dsniff installed to capture and analyze packets. After analyzing network traffic to determine which server would make an attractive target, the attack might proceed in the following way:

1. The attacker intercepts packets from a client that are destined for the server.

2. The attacker’s computer sends a fake reply to the client.

3. The attacker’s computer forwards a fake packet to the server, modified to look like the attacker’s computer is the original sender.

4. The server replies to the attacker’s computer.

5. The attacker’s computer replies to the server as if it were the original client.

In this way, the attacker has access to both sides of a session between a client and server and in the process can access valuable information, including sensitive data and user credentials.
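Both the replay attack (captured packets resent later) and the man-in-the-middle attack (packets altered in transit) work against a server that accepts any packet whose contents look right. The following added example (not part of the manual) shows the server-side checks that close both gaps: every message carries a timestamp, a one-time nonce, and an HMAC-SHA256 tag computed under a secret shared by client and server. The server rejects a message whose tag does not verify (the body was altered in transit), whose timestamp is outside a freshness window (an old capture), or whose nonce it has already seen (a replay of a recent capture). The shared key, the message layout, and the 30-second window are assumptions for this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed for this example: client and server share this secret and agree that
# a message more than FRESHNESS_SECONDS old (or in the future) is not valid.
SHARED_KEY = b"example-shared-secret-do-not-reuse"
FRESHNESS_SECONDS = 30


def make_message(key, payload, now=None):
    """Client side: wrap the payload with a timestamp and a random nonce, then tag it."""
    msg = {"ts": int(time.time() if now is None else now),
           "nonce": secrets.token_hex(16),
           "payload": payload}
    body = json.dumps(msg, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class ReplayGuardedServer:
    """Server side: verify the tag, enforce freshness, refuse repeated nonces."""

    def __init__(self, key, clock=time.time):
        self.key = key
        self.clock = clock            # injectable so tests can fix the time
        self.seen_nonces = {}         # nonce -> timestamp; pruned once past the window

    def _prune(self, now):
        stale = [n for n, ts in self.seen_nonces.items() if now - ts > FRESHNESS_SECONDS]
        for n in stale:
            del self.seen_nonces[n]

    def accept(self, wire):
        now = self.clock()
        # 1. Integrity first: a body changed in transit fails here, and
        #    unauthenticated junk never gets to occupy the nonce cache.
        expected = hmac.new(self.key, wire["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, wire["tag"]):
            return "rejected: bad tag"
        msg = json.loads(wire["body"])
        # 2. Freshness: a capture replayed after the window is refused outright,
        #    which also bounds how many nonces the server must remember.
        if abs(now - msg["ts"]) > FRESHNESS_SECONDS:
            return "rejected: stale"
        # 3. Uniqueness inside the window: the same nonce twice is a replay.
        self._prune(now)
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces[msg["nonce"]] = msg["ts"]
        return f"accepted: {msg['payload']}"


if __name__ == "__main__":
    server = ReplayGuardedServer(SHARED_KEY)
    wire = make_message(SHARED_KEY, "transfer 10")
    print(server.accept(wire))       # accepted: transfer 10
    print(server.accept(wire))       # rejected: replay
    tampered = {"body": wire["body"].replace(b"transfer 10", b"transfer 9999"), "tag": wire["tag"]}
    print(server.accept(tampered))   # rejected: bad tag
```

The order of the checks matters: verifying the tag before touching the nonce cache means a host in the middle cannot fill the cache with forged messages, and checking freshness before uniqueness keeps the cache small because only nonces inside the window ever need to be stored.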

Denial of Service/Distributed Denial of Service (DoS/DDoS) Attacks

Definition:

A DoS attack is a type of software attack in which an attacker attempts to disable systems that provide network services (usually computers or routers connected directly to the Internet) in one of the following ways:

• Flooding a network link with more data than the available bandwidth can manage.

• Sending data that’s meant to exploit flaws in an application.

• Consuming a system’s resources to the point that it shuts down.


Figure 1-8: DoS Attacks.

A DDoS attack is a software attack in which an attacker hijacks or manipulates multiple computers (through the use of zombies or drones) on disparate networks to carry out a DoS attack. The main purpose of a DoS or DDoS attack is to disrupt an organization’s Internet communications to cause embarrassment or to force the organization to waste time and money in responding to the attack and bringing their systems back online.

Figure 1-9: DDoS attacks.

DoS/DDoS attacks manifest themselves in a variety of ways, including:

• Sudden and overwhelming requests from a single or multiple hosts from outside your network.

• Sudden and unexplained drop in the amount of available Internet bandwidth.

• Sudden and overwhelming drain on a specific resource in a system, such as the system’s processor, which causes the system to freeze.


Example: Smurf Attack

A Smurf attack is an example of a DoS attack. In a Smurf attack, three parties are involved: the attacker, the intermediary network, and the victim. The attacker sends a broadcast IP ping request to the intermediary network (generally, a network with dozens of hosts that the attacker knows will respond to broadcast ping requests). But instead of using his address as the destination that the hosts in the intermediary network will respond to, the attacker modifies the ping request so it contains the victim’s IP address. Because the ping was broadcast to the entire intermediary network, all the hosts on that network will respond to the victim’s IP address, and the ensuing flood of packets will bring down the victim’s system, most likely a computer or router on the Internet. Smurf is also an example of a DDoS attack because a single attacker uses multiple systems to carry out the attack.

Teardrop is another example of a DoS attack.

Example: SYN Flood

A SYN flood is also an example of a DoS attack. In a SYN flood attack, an attacker sends countless requests (SYN messages) for a TCP connection to an FTP server, Web server, or any other target system attached to the Internet. The target server then responds to the request with a SYN-ACK message and, in doing so, creates a space in memory that will be used for the TCP session when the remote host (in this case, the attacker) responds with its own SYN-ACK message. However, because the attacker has crafted the SYN message (usually through IP spoofing) so that the target server replies with a SYN-ACK message to a computer that will never reply with its own SYN-ACK message to complete the TCP connection, the target server has reserved memory for numerous TCP connections that will never be completed. Eventually, the target server will stop responding to legitimate requests because its memory resources are flooded with incomplete TCP connections.
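On the server, the incomplete connections described above are visible as half-open entries (state SYN_RECV on many systems: the SYN arrived, the SYN-ACK went out, and the client's final ACK of the handshake never came). The following added example (not part of the manual) shows how an administrator can recognize a SYN flood from a connection-state snapshot: it counts half-open connections per local port and, because a spoofed flood arrives from many different source addresses, also counts distinct sources so that one slow client does not trigger an alert. The snapshot is constructed to resemble netstat output; the format and thresholds are assumptions for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed thresholds for this example.
HALF_OPEN_THRESHOLD = 50       # half-open connections on one local port
MIN_DISTINCT_SOURCES = 20      # a spoofed flood shows many different source addresses

# Netstat-like line: proto, local ip:port, remote ip:port, state (assumed layout).
CONN_RE = re.compile(r"^(?P<proto>tcp)\s+(?P<local>[\d.]+):(?P<lport>\d+)\s+"
                     r"(?P<remote>[\d.]+):(?P<rport>\d+)\s+(?P<state>\w+)$")


def build_sample_snapshot():
    """Construct a snapshot: 80 half-open connections on port 80 from 80 different
    (spoofed) sources, five real web sessions, and a little SSH traffic."""
    lines = []
    for i in range(80):
        src = ipaddress.ip_address("203.0.113.0") + i      # 203.0.113.0 .. 203.0.113.79
        lines.append(f"tcp 192.0.2.10:80 {src}:{40000 + i} SYN_RECV")
    for i in range(5):
        lines.append(f"tcp 192.0.2.10:80 198.51.100.{i + 1}:5100{i} ESTABLISHED")
    lines.append("tcp 192.0.2.10:22 198.51.100.9:51500 ESTABLISHED")
    lines.append("tcp 192.0.2.10:22 198.51.100.9:51501 SYN_RECV")   # one slow SSH client
    return "\n".join(lines)


def parse_snapshot(text):
    """Return one dict per connection; lines that don't match the layout are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append({"lport": int(m["lport"]), "remote": m["remote"], "state": m["state"]})
    return conns


def half_open_report(conns):
    """Per local port: half-open count, established count, and distinct half-open sources."""
    report = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for c in conns:
        entry = report[c["lport"]]
        if c["state"] == "SYN_RECV":
            entry["half_open"] += 1
            entry["sources"].add(c["remote"])
        elif c["state"] == "ESTABLISHED":
            entry["established"] += 1
    return {port: {"half_open": e["half_open"], "established": e["established"],
                   "distinct_sources": len(e["sources"])}
            for port, e in report.items()}


def flagged_ports(report, threshold=HALF_OPEN_THRESHOLD, min_sources=MIN_DISTINCT_SOURCES):
    """Ports whose half-open backlog looks like a flood rather than a few slow clients."""
    return sorted(port for port, e in report.items()
                  if e["half_open"] >= threshold and e["distinct_sources"] >= min_sources)


if __name__ == "__main__":
    report = half_open_report(parse_snapshot(build_sample_snapshot()))
    for port in flagged_ports(report):
        e = report[port]
        print(f"port {port}: {e['half_open']} half-open from {e['distinct_sources']} sources, "
              f"{e['established']} established")
```

The ratio in the sample (80 half-open against 5 established on port 80) is the signature to look for; the single SYN_RECV on port 22 is the normal case of a client still completing its handshake and is correctly ignored.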

Example: Buffer Overflow Attack

A buffer overflow attack is another example of a DoS attack. In a buffer overflow attack, the attacker takes advantage of an application’s or operating system’s limitation of a fixed data buffer size by sending data to a system that the attacker knows the system can’t handle, because the data is too large for the buffer. When the application or operating system tries to process the data, the system crashes. Ping of Death, where an attacker sends an oversized ping request, is an example of a buffer overflow attack.
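Ping of Death illustrates the fixed-buffer problem precisely: an IP datagram's total-length field is 16 bits, so no legitimate datagram exceeds 65,535 bytes, and hosts sized their reassembly buffer accordingly. The oversized ping is delivered as fragments whose offset plus length lands beyond that limit, and a reassembler that did not check the bound wrote past its buffer. The following added example (not part of the manual) is a simplified fragment reassembler that performs the missing check: it refuses any fragment that would extend the payload past the legal maximum before storing it. The fragment representation (offset in 8-byte units and a more-fragments flag, as in the real IP header, plus the payload bytes) and the sample fragments are constructed for this example.

```python
MAX_DATAGRAM = 65535                      # IPv4 total-length field is 16 bits
MIN_HEADER = 20                           # smallest IPv4 header
MAX_PAYLOAD = MAX_DATAGRAM - MIN_HEADER   # at most 65,515 bytes of data can follow it


def fragment_within_limit(offset_units, length):
    """True if a fragment at offset_units (8-byte units, as in the IP header)
    carrying `length` payload bytes still fits inside a legal datagram."""
    return offset_units * 8 + length <= MAX_PAYLOAD


class Reassembler:
    """Collects the fragments of one datagram, refusing any that would overrun the limit."""

    def __init__(self):
        self.fragments = {}   # payload start offset (bytes) -> payload
        self.total = None     # payload length, known once the last fragment (MF=0) arrives

    def add(self, offset_units, more_fragments, payload):
        # The bound is checked before anything is stored: this is the check the
        # vulnerable implementations lacked.
        if not fragment_within_limit(offset_units, len(payload)):
            raise ValueError(f"fragment at offset {offset_units * 8} with {len(payload)} "
                             f"bytes would exceed the {MAX_PAYLOAD}-byte payload limit")
        start = offset_units * 8
        self.fragments[start] = payload
        if not more_fragments:
            self.total = start + len(payload)
        return self.assembled()

    def assembled(self):
        """The complete payload once every byte up to `total` is present, else None."""
        if self.total is None:
            return None
        out, pos = bytearray(), 0
        while pos < self.total:
            frag = self.fragments.get(pos)
            if frag is None:
                return None          # still waiting for the fragment that starts here
            out += frag
            pos += len(frag)
        return bytes(out[:self.total])


def reassemble(fragments):
    """Feed (offset_units, more_fragments, payload) triples in arrival order.
    Returns ("ok", payload), ("rejected", reason) or ("incomplete", None)."""
    r = Reassembler()
    result = None
    try:
        for offset_units, mf, payload in fragments:
            result = r.add(offset_units, mf, payload)
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("ok", result) if result is not None else ("incomplete", None)


# Constructed inputs.  A normal ping split across two fragments (1,980 payload bytes),
# and the Ping of Death pattern: a final fragment placed near offset 65,512 whose
# data runs past the end of the largest legal datagram.
NORMAL_PING = [(0, True, b"A" * 1480), (185, False, b"B" * 500)]
PING_OF_DEATH = [(0, True, b"A" * 1480), (8189, False, b"X" * 100)]

if __name__ == "__main__":
    print(reassemble(NORMAL_PING)[0])      # ok
    print(reassemble(PING_OF_DEATH))       # ('rejected', 'fragment at offset 65512 ...')
```

Fragments may arrive in any order, so the reassembler keeps them keyed by offset and only concatenates once the final fragment has fixed the total length; the bound check, however, is applied to every fragment on arrival, because a single out-of-range fragment is enough to cause the overflow.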

For more information on DoS and DDoS attacks, see www.microsoft.com/technet/security/bestprac/netdefnd.asp and Microsoft Knowledge Base (KB) article Q142641.

Malicious Code Attacks

Definition:

A malicious code attack is a type of software attack where an attacker inserts malicious code into a user’s system to disrupt or disable the operating system or an application. A malicious code attack can also make an operating system or an application take action to disrupt or disable other systems on the same network or on a remote network. In many cases there’s an element of social engineering involved, especially when an attacker makes it appear as if the executable that launches the malicious code is from a trusted or benign source. Sometimes the code itself exploits a user’s system to perpetrate a social engineering attack on a remote system. Typically, you’ll see the results of malicious code in corrupted applications, data files, and system files, which will result in malfunctioning applications and operating systems.

An attacker can use a worm to install a zombie as a precursor to a DDoS attack.

Figure 1-10: Malicious code attack.

Example: Viruses

A virus is an example of a malicious code attack. A virus is a sample of code that spreads from one computer to another by attaching itself to other files. The code in a virus corrupts and erases files on a user’s computer, including executable files, when the file to which it was attached is opened or executed. A recent example of a destructive virus is the Melissa virus, which spread throughout the world attached to Microsoft Word documents that were sent as email attachments.

Example: Worms

Another example of malicious code is a worm. A worm is a piece of code that spreads from one computer to another on its own, not by attaching itself to another file. Like a virus, a worm can corrupt or erase files on your hard drive. An example of a worm is the Code Red worm, which propagated itself through email attachments, Web files, and shared files on local networks.

Example: Trojans

A third example of malicious code is a Trojan horse. A Trojan horse is malicious code that masquerades as a harmless file. When a user executes it, thinking it’s a harmless application, it destroys and corrupts data on the user’s hard drive.

Example: Logic Bombs

A fourth example of malicious code is a logic bomb. A logic bomb is a piece of code that sits dormant on a user’s computer until it’s triggered by a specific event, such as a specific date. Once the code is triggered, the logic bomb “detonates,” erasing and corrupting data on the user’s computer.


Attacks Against the Default Security Configuration

Definition:

An attack against the default security configuration is a type of software attack where an attacker attempts to gain access to or disrupt the operation of a computer by exploiting the security flaws that exist in the computer’s operating system as it’s installed out of the box. Because there are many potential avenues of attack against the default installation of an operating system, there is no single, telltale sign that this type of attack has taken place.

Figure 1-11: Attacks against default security configuration.

Example:

For example, a default installation of Windows 2000 Server brings with it IIS 5.0 with Web services enabled. As just about any network administrator can tell you, IIS is a frequent target for hackers, and for unsuspecting administrators or users, it’s a wide-open door into the operating system and the computer it’s running on.


Software Exploitation Attacks

Definition:

A software exploitation attack is a type of software attack where an attacker attempts to gain access to a system or to sensitive data by exploiting a flaw or feature in an application. This type of attack is closely related to attacks against the default installation of an operating system, but where that type of attack is focused on vulnerabilities in an operating system, software exploitation attacks focus on vulnerabilities in applications, such as Outlook or Oracle. Typically, a software exploitation attack will manifest itself in disabled applications or a malfunctioning system.

Figure 1-12: Software exploitation attacks.

Example: AOL Instant Messenger Buffer Overflow

In early 2002, users of AOL Instant Messenger (AIM) were warned of a security vulnerability that attackers could use to gain access to a user’s computer and take control of it. Apparently, an attacker could send a request to play a game that had been modified to increase its size. Because of the increased size, AIM code wasn’t able to correctly parse the request, resulting in a buffer overflow, which gave attackers an open door into the computer without ever leaving a clue as to their identities. This is a well-known example of a software exploitation attack.

Example: Mathematical Attacks

Weak keys and mathematical (algebraic) attacks are two more examples of software exploitation attacks, both of which affect block ciphers, an encryption method that uses a combination of an encryption algorithm and cryptographic key to encrypt blocks of text rather than individual bits of data. In a weak keys attack, an attacker attempts to decipher encrypted text by exploiting flaws in a block cipher that produces encryption keys with known patterns. Similarly, in a mathematical attack, an attacker attempts to decipher encrypted text using a block cipher that has a highly (and thus predictable and easily discernible) mathematical structure. Both types of attacks take advantage of programming flaws in the block ciphers.


Misuse of Privilege Attacks

Definition:

A misuse of privilege attack is a type of software attack in which an attacker misuses his or her administrative privileges to gain access to sensitive data. This type of attack generally involves an employee with some level of administrative privileges, whether it be over a single machine, a group of machines, or some portion of the network. An employee who misuses his or her privileges can, among other things, steal sensitive data, delete or modify data, create users or groups to provide access to those outside the organization, or disrupt network operations by disabling user accounts and network services or by changing user access to network resources. Misuse of privilege will often show up in audit logs, which can detail everything the attacker attempted on a particular system, depending on how well you’ve configured auditing on your systems.

Figure 1-13: Misuse of privilege attacks.

Example:

An example of a misuse of privilege attack is an employee who has found a market for his company’s sensitive data. Imagine a scenario where a network administrator is able to give himself access to private personnel files stored in a database in the human resources department. From private employee files, he’s able to obtain full names, addresses, Social Security Numbers, and other data, which he can then sell to others who can use it for crimes involving identity fraud.

Password Attacks
Definition:

A password attack is a type of software attack in which the attacker tries to guess passwords or crack encrypted password files. In a password guessing attack, an attacker attempts to guess user passwords, either manually or through the use of scripts, in order to gain access to a single system, an application, or a network. Because users tend to use simple passwords that are easy to remember, such as birthdays and anniversaries, rather than more complex alphanumeric passwords, an attacker can script an almost unending series of password guesses using the most popular and common “simple” passwords. In a password cracking attack, an attacker tries to crack (decrypt) encrypted passwords in a directory database or other system file, such as the Registry or Security Accounts Manager (SAM) in Windows 2000 and Windows XP. Like misuse of privilege, depending on how you’ve configured auditing on your systems, password attacks will show up in audit logs as failed or successful logon attempts.

Figure 1-14: Password attacks.

Example:
The simplest example of a password attack is somebody who doesn’t have access to your network sitting down at a workstation and typing in guess after guess at a user name and password. On the other extreme is a brute force attack, where an attacker employs an application, such as L0phtCrack, to exhaustively try every possible alphanumeric combination to try to crack encrypted passwords, such as those in a Windows NT or Windows 2000 computer’s local SAM database. In both examples, given enough time and lax security policies, an attacker will eventually find the necessary password to gain access to the system. This is especially true of brute force attacks.

Backdoor Attacks
Definition:

A backdoor attack is a type of software attack where an attacker creates a mechanism for gaining access to a computer using a piece of software or by creating a bogus user account. The mechanism itself is called the backdoor, and if it isn’t found and removed, it can survive forever, listening on one of the ports and giving an attacker an easy way to get into the system and execute just about any command. This mechanism often survives even after the initial intrusion has been discovered and resolved. Typically, a backdoor is delivered through use of a Trojan horse or some other malicious code, and backdoor attacks are often impossible to spot because they generally leave no trace, other than a few innocent looking files.


Figure 1-15: Backdoor attacks.

Example:
Back Orifice (BO) is an example of a backdoor that an attacker can insert into a Windows system using a Trojan horse or any executable file. By default, in Windows 2000, Back Orifice installs itself into a system file and hides there listening on TCP port 54320 or UDP port 54321 for commands from the attacker.

Takeover Attacks
Definition:

A takeover attack is a type of software attack where an attacker gains access to a remote host and takes control of the system. An attacker can use any of the attacks we’ve identified so far to gain access to the system, including IP spoofing and backdoors. A takeover attack will manifest itself in loss of control over the particular system that’s under attack.


Figure 1-16: Takeover attacks.

NetBus and SubSeven are other backdoors that attackers can use to take control of a system.

Example:
An example of a takeover attack is using BO to take complete control over a target machine. BO is started every time the computer is started and is hidden from view in Task Manager. Once installed, an attacker can use BO to basically take control of a remote system, including shutting down the system, copying and deleting files, modifying the Registry, and starting and stopping services. An attacker can also use BO to log keystrokes and obtain system information, including the name of the logged-on user, cached passwords, and memory, CPU, and processor data.

Audit Attacks
Definition:

An audit attack is a type of software attack where an attacker covers his trail by deleting audit entries that might point to an intrusion. Operating systems such as NetWare 6.0 and Windows 2000 Server have native auditing capabilities, and when used properly, auditing can give valuable clues to system administrators of attacks that are in progress or that have happened some time in the past. By clearing audit logs, an attacker can cover up an intrusion and leave a system or network without any trace, allowing him later access. The most common signals that an audit attack has taken place are:

• Empty audit logs when they should contain audit entries.

• Gaps in the audit logs where it appears entries that cover a specific time have been deleted.

• Audit entries that show the audit logs have been erased.


Figure 1-17: Audit attacks.

Example:
Suppose an attacker has found a way into a Windows 2000 Server and has spent some time trying to browse files and crack the local SAM database to obtain some passwords. If auditing had been properly configured on his system, an administrator who understands how to read the audit logs could probably trace many of the attacker’s activities as he worked his way through the system. However, if the attacker knew enough to clear the audit logs after he was done, most of the evidence of his intrusion will be gone, although an experienced and alert administrator might see the audit log had been cleared and be alerted to a possible intrusion.
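The password attack and audit attack definitions above both say the evidence ends up in the audit logs. The following added example (not code from the course manual) scans a constructed, simplified log for those signals: a burst of failed logons and an off-hours lockout for password guessing, and a cleared-log entry, an unexpected gap, or an empty log for an audit attack. The log format, the event names, and the thresholds are assumptions made for the example, not a real Windows or NetWare event-log format.

```python
"""Scan audit-log lines for the signs of password attacks and audit attacks.

Added example, not course code. The log format is a constructed, simplified
one (not a real Windows or NetWare event-log format):

    YYYY-MM-DD HH:MM:SS EVENT key=value key=value ...

The event names (LOGON_FAILED, LOGON_SUCCESS, ACCOUNT_LOCKED,
AUDIT_LOG_CLEARED) and the detection thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: an early-morning burst of bad passwords against
# "alex", normal daytime activity, then the log being cleared late at night.
SAMPLE_LOG = """\
2003-04-01 05:57:40 LOGON_FAILED user=alex src=WS-17
2003-04-01 05:57:52 LOGON_FAILED user=alex src=WS-17
2003-04-01 05:58:05 LOGON_FAILED user=alex src=WS-17
2003-04-01 05:58:19 LOGON_FAILED user=alex src=WS-17
2003-04-01 05:58:31 LOGON_FAILED user=alex src=WS-17
2003-04-01 05:58:44 ACCOUNT_LOCKED user=alex src=WS-17
2003-04-01 08:02:10 LOGON_SUCCESS user=judi src=WS-02
2003-04-01 11:15:33 LOGON_FAILED user=judi src=WS-02
2003-04-01 11:15:50 LOGON_SUCCESS user=judi src=WS-02
2003-04-01 14:30:00 LOGON_SUCCESS user=tim src=WS-09
2003-04-01 22:41:55 AUDIT_LOG_CLEARED user=administrator src=SRV-01
"""


def parse_log(text):
    """Turn log lines into dicts with a datetime 'ts', an 'event' and the key=value fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"ts": ts, "event": parts[2], **fields})
    return events


def find_password_guessing(events, threshold=5, window=timedelta(minutes=5),
                           business_hours=(8, 18)):
    """Flag accounts with >= threshold failed logons inside one window, and
    lockouts that happen outside business hours (a 6 A.M. lockout of a user
    who was off site, as in the activity scenario, is what this catches)."""
    findings = []
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAILED":
            failures[e.get("user", "?")].append(e["ts"])
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(("password_guessing", user, end - start + 1))
                break  # one finding per account is enough
    for e in events:
        if e["event"] == "ACCOUNT_LOCKED":
            hour = e["ts"].hour
            if not business_hours[0] <= hour < business_hours[1]:
                findings.append(("off_hours_lockout", e.get("user", "?"),
                                 e["ts"].strftime("%H:%M")))
    return findings


def find_audit_tampering(events, max_gap=timedelta(hours=4)):
    """Report the three signals from the text: an empty log, a gap between
    consecutive entries longer than max_gap, and an entry recording that the
    log was cleared."""
    if not events:
        return [("empty_log", None, None)]
    findings = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["ts"] - prev["ts"] > max_gap:
            findings.append(("log_gap", prev["ts"].strftime("%H:%M"),
                             cur["ts"].strftime("%H:%M")))
    for e in ordered:
        if e["event"] == "AUDIT_LOG_CLEARED":
            findings.append(("log_cleared", e.get("user", "?"),
                             e["ts"].strftime("%H:%M")))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in find_password_guessing(evs) + find_audit_tampering(evs):
        print(finding)
```

A gap in the log is only meaningful relative to what the system normally records, so `max_gap` should be tuned from the baseline activity of each server rather than left at the example value.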

ACTIVITY 1-2
Classifying Software Attacks

Scenario:
Your IT department wants to know why the performance of some of your computer systems is degrading. In all the cases of poor performance, your IT administrator, Ronald, has already used existing network baseline data to rule out the possibility of this performance degradation occurring as either a temporary spike in traffic or insufficient hardware resources. You and Ronald believe your systems are under attack, but now you need to know the type of attack that is occurring in each instance so that you can devise an appropriate response.

What You Do How You Do It

1. Kim, a help-desk staffer, gets a phone call from Alex in human resources stating that he can’t log on. Kim looks up the account information for Alex and sees that the account is locked. This is the third time the account has locked this week. Alex insists that he was typing in his password correctly. Kim notices that the account was locked at 6 A.M.; Alex says he was at a meeting at a client’s site until 10 A.M. today. It seems like a case of .


2. Judi, who does backups, states that according to her log files, an IT administrator performed a restoration on the accounting server last night. You send out an email asking all the members of the IT department whether there were any problems with the servers last night as you see nothing entered on the IT problem log forms. All of IT responds stating no problems occurred last night. Something isn’t right, and it all adds up to .

3. You find out the security log was cleared on the file and print server. No one in IT claims responsibility. No matter who did this, you consider it .

4. Your antivirus software has detected the ILOVEYOU virus. You’re under attack from .

5. While administering user accounts you notice that a new account called LyleBullock has been created on your server. You know of no user in your organization with that name. The account also is part of the administrators group. It’s a classic .

6. While you are connected to another host on your network, the connection is suddenly dropped. When you review the logs at the other host, it appears as if the connection is still active. You suspect .

7. Your e-commerce Web server is getting extremely slow. Customers are calling stating that it is taking a long time to place an order on your site. This could be .

8. Your intranet Webmaster, Tim, has noticed an entry in a log file from an IP address that is within the range of addresses used on your network. Tim does not recognize the computer name as valid. Your network administrator, Deb, checks the DHCP server and finds out the IP address is not in any of the scopes. This seems to be a case of .

9. Tina, the network analysis guru in your organization, analyzes a network trace capture file and finds out that packets have been intercepted and retransmitted to both a sender and a receiver. You’ve experienced .

10. You get an email from an outside user letting you know in a friendly way that she found it very easy to determine the correct password to access your FTP server. To prove it, she includes the FTP password in the email. All your files are still on the FTP server and have not been modified. Although this person had no malicious intent, you still consider it .


TOPIC C
Identify Hardware Attacks
In Topic 1B, you classified types of threats that target the software running on the computers in your network. The other major class of computer security threats includes attacks that target the computers, peripherals, and other network devices themselves. In this topic, you’ll identify the types of attacks that are directed against the physical devices in your enterprise.

It’s important to keep attackers off your network’s computers, but it’s also important to keep them from stealing, compromising, or destroying the hardware you’ve invested in. In order to do that, you need to know about the kinds of attacks that can be mounted against the hardware inside those systems. As in the case of software attacks, you can’t defend against attacks that you don’t understand. This topic will give you that understanding.

Identify Hardware Attacks
Definition:

A hardware attack is an attack that targets a computer’s physical components and peripherals, including its hard disk, motherboard, keyboard, network cabling, or smart card reader. One goal of a hardware attack is the destruction of the hardware itself or acquisition of sensitive information through theft or other means. A second goal of a hardware attack is to make important data or devices unavailable through theft or vandalism. Much like a DoS attack, this second goal is meant to disrupt a company’s business or cause embarrassment due to the loss of the data.

Example:
If an intruder breaks into a locked server room and steals the hard disks out of a server, this is an example of a hardware attack because the attack is targeting the physical hardware of the computer and not the computer’s applications or operating systems.


ACTIVITY 1-3
Identify Hardware Attacks

Scenario:
Your manager, the security administrator in your organization, has asked that you help complete a report for senior management about the possible security risks you face and some suggested solutions. You’ve been presented with a list of scenarios and have been asked to identify whether the type of attack described in each scenario is a hardware attack.

What You Do How You Do It

1. An intruder enters a locked building at night and steals five laptops from various users in the software development department. What type of attack is this?

2. An intruder enters a locked building at night, sits at a user’s desk, and tries to enter a user name and password to log on to the computer based on notes he finds taped to the user’s monitor. What type of attack is this?

3. To obtain user names and passwords, an attacker installs a device on a keyboard that records the user’s keystrokes. What type of attack is this?

4. An attacker removes the battery backup on a critical server system and then cuts power to the system, causing irreparable data loss. What type of attack is this?

5. An attacker tricks a user into running an executable that modifies an application on the user’s mobile device so it consumes more power than normal and depletes the device’s battery, causing data loss. What type of attack is this?


Lesson 1 Follow-up
In this lesson, you identified the three main types of security threats you will face: social engineering attacks, software attacks, and hardware attacks. Understanding the types of threats you face is an important first step in learning how to protect your network and respond to an intrusion.

1. What type of attack do you think is most dangerous?

2. Which type of attack do you think it might be most difficult to guard against?


Hardening Internal Systems and Services

Lesson Objectives:
In this lesson, you will harden internal systems and services.

You will:

• Harden a computer’s operating system.

• Harden directory services.

• Harden a DHCP server.

• Harden file and print servers.

Lesson Time: 7 hour(s)

Lesson 2: Hardening Internal Systems and Services 27


Introduction
Securing your computer networks against attacks and damage from inside or outside your organization is an ongoing process, not a single task. There are several phases in the process, and this course is going to explore each of them in turn. The first step in the process is to create as secure an environment as you possibly can. In this course, we’ll take an “inside-out” approach to configuring security, starting with the systems and services that are closest to your internal users, and then moving out to securing the perimeter of your network. So, in this lesson, you’ll learn to secure the systems and services that your internal users interact with every day.

Securing your computers and networks against intruders isn’t that different from securing your own home. You can secure the perimeter of your home by locking the doors and installing alarm systems, but once the burglars get past those, they’ll have access to everything inside. And, there’s always the possibility of an “inside job”; someone who might come into your home with a legitimate excuse, but who really wants to cause some damage. So, you can’t just secure from the outside in; you need to secure from the inside out, by doing things like locking up your valuables in a home safe or even moving them to a bank’s safe deposit. Then, even if the crooks do get inside, they won’t be able to simply grab your jewelry and go. Securing your internal computer systems is like setting up security inside your house; it protects against the burglars who get in, and it even helps to protect against people on your own network who might have mischief in mind.

INSTRUCTOR ACTIVITY 2-1
Assessing Vulnerabilities

Setup:
Your computer is configured to dual-boot between Windows XP Professional and Windows 2000 Server. You are booted to Windows XP Professional and logged on as an administrator. All necessary security tools are in the C:\SPlus folder on your hard drive. The Administrator password for Windows 2000 Server is !Pass1234.

Scenario:
You’re a network security expert who’s been asked to evaluate the vulnerabilities in a client’s network. The client currently has a network of Windows 2000 Server and Windows XP Professional computers. You’ve decided to use L0phtcrack to check for password strength and Superscan to scan for listening ports.


What You Do How You Do It

1. In Windows XP, use L0phtcrack to perform a strong password audit on your computer.

a. In the C:\SPlus\LC4 folder, double-click Lc4setup. Use the wizard to complete a default installation.

b. Choose Start→All Programs→LC4→LC4.Click Trial.

c. Click Next to advance the wizard.

d. On the Get Encrypted Passwords page of the wizard, verify Retrieve From Local Machine is selected. Click Next.

e. On the next page of the wizard, select Strong Password Audit. Click Next.

f. On the next page of the wizard, select all options and click Next. Click Finish.

g. Click Cancel to skip registering the product. The brute force attack is not available in the trial version.

h. Click OK when the auditing session is complete.

i. Close LC4 without saving changes.

2. What type of attack is this?


3. In Windows XP, use Superscan to perform a port scan on your computer.

a. In the C:\SPlus\Tools\Superscan folder, double-click Superscan. Use the wizard to complete a default installation.

b. In the Superscan window, click Port List Setup.

c. In the Select Ports area, click Select All.

d. Click OK.

e. Click No. There is no need to save changes to the list file.

f. Back in the main window, click Start.

g. When the scan is complete, double-click the computer in the host list to display the results of the scan.

h. Close Superscan.

4. What type of attack is this?

5. Reboot into Windows 2000 Server.

a. Restart the computer and choose Windows 2000 Server from the boot loader menu.

b. Log on as Administrator with a password of !Pass1234.

6. In Windows 2000, use L0phtcrack to perform a strong password audit on your computer.

a. Install L0phtcrack and perform a strong password audit on the system.

b. Close L0phtcrack.

7. In Windows 2000, use Superscan to perform a port scan on your computer.

a. Install Superscan and perform a port scan.

b. Close Superscan.


TOPIC A
Harden Base Operating Systems
There are many different computing systems and services running on your network, and they all have their own security needs. However, all those computers have one thing in common; they all have an operating system. So, increasing the security on the operating system is going to be part of your security plan no matter what kind of network services you run on those computers. In this topic, you’ll learn standard ways to tighten up the security on all the operating systems in your environment.

Attackers know that the presence of an operating system is the common denominator on all your systems, so they consider the operating system a good place to start their attack. That makes it a good place to start your defense. Once attackers get control of an operating system, they can do almost anything they want to bring down the applications and services that run on top of that system. Tightening up operating system security will make any kind of computer harder to attack.

Corporate Security Policy
Definition:

A corporate security policy is a collection of policies that defines how security will be implemented within a particular organization. The security policy is usually a fairly lengthy document consisting of individual policies for each resource within the organization. No matter how many individual policies an organization has, each policy is written for the same purpose: to protect the availability, confidentiality, and integrity of sensitive data and resources within an organization. This includes the network infrastructure, the physical and electronic data, the applications, and the physical environment of the organization. Ultimately, the final corporate security policy is a result of extensive research and due care on the part of many individuals within an organization to be certain that the assets are as safe as possible.

Within each individual policy section, there is specific information that outlines exactly what is being covered by that particular policy, such as:

• The policy statement, which outlines the plan for the individual security component.

• A standard, which defines how adherence to the policy will be measured.

• Guidelines, which are suggestions for meeting the policy standard or best practices.

• Procedures, which are step-by-step instructions that detail specifically how to implement the policy.

Analogy:
A good security policy provides functions similar to a government’s foreign policy. The policy is determined by the needs of the organization. Just as the United States needs a foreign policy because of real and perceived threats from other countries, organizations also need a policy to protect their data and resources. The United States’ foreign policy defines what the threats are and how the government will handle those threats. A security policy does the same for an organization; it defines threats to its resources and how those threats will be handled. Policy forms the plan that ties everything together. Without a formal policy, you can only react to threats instead of anticipating them and preparing accordingly.

Individual Security Policies
The SANS (SysAdmin, Audit, Networking and Security) Institute has identified a list of approximately 25 different possible security policies ranging from an Acceptable Use Policy (AUP) to a Wireless Standards Policy. There are other organizations, such as the Internet Engineering Task Force (IETF), that provide templates like Request for Comments (RFC) 2196 for different security policies. The corporate security policy of a particular organization cannot include every possible individual security policy, but there are several common policies that are almost always included:

• Acceptable Use Policy—This policy defines the acceptable use of an organization’s physical and intellectual resources.

• Audit Policy—This policy details the requirements and parameters for risk assessment and audits of the organization’s information and resources.

• Extranet Policy—This policy sets the requirements for third-party entities that desire access to an organization’s networks.

• Password Policy—This policy defines standards for creating strong passwords. It also defines what an organization considers weak passwords and the guidelines for protecting the safety of passwords.

• Wireless Standards Policy—This policy defines what wireless devices can connect to an organization’s network and how to use them in a safe manner that protects the organization’s security.

To view the complete list of policies from the SANS Institute, see www.sans.org/newlook/resources/policies/policies.htm#template.

To view RFC 2196, see www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html.

ISO 17799 is a standard for information security that is currently under development by the International Standards Organization (ISO). To view information on ISO 17799, see http://enterprisesecurity.symantec.com/article.cfm?articleid=356&PID=470086, www.securityauditor.net/iso17799/index.htm, and https://www.bspsl.com/secure/iso17799software/cvm.cfm.

Separation of Duties
In addition to the policies developed within the information security department, other departments will have policies that overlap with information security, such as human resources, building security, and finance. These policies may not be owned or managed by the information security department; in fact, it is good business practice to have the responsibility for individual policies distributed throughout the organization in different departments. This is often referred to as a separation of duties. No one person or department should be exclusively responsible for all security issues. This concept applies to policies, procedures, and ownership of an organization’s assets, whether physical or virtual. Regardless of who owns a policy and the procedures and the responsibility for enforcing it, security professionals must work with each department as a main point of contact to ensure continuity in the overall corporate policy.


Documentation Handling
As a security administrator, you might be called upon to manage, maintain, and update the documentation relating to your organization’s security policies and network organization. These documents include the security policies themselves, as well as supporting documents such as a network map, inventories, and activity logs. Each document should include change-tracking information including the current revision number, the revision date, the revision author, and the contents of each revision.

You might want to assign each security document a classification level. Commonly used classifications include Public, Internal Use Only, Confidential, and Restricted. The classification of a document not only determines who has the right to see or alter the document, but also determines the correct procedure for storing, archiving, and handling the document. Storage, archival, and destruction procedures involve the media the document is stored on (disks, tape, paper) as well as the way the document is secured. Proper destruction procedures can range from simply recycling a printed public document, to reformatting disks seven or more times, to shredding, then incinerating restricted documents.

Example: Nuclear Plant Password Policy
A nuclear plant has a password policy that all employees must adhere to. Each employee is responsible for using strong passwords and protecting those passwords accordingly. The policy contains guidelines for strong passwords to use and weak passwords to avoid.

ACTIVITY 2-2
Examining a Security Policy

Data Files:

• NuclearPlantPasswordPolicy.rtf

Setup:
You’re using a Windows XP Professional computer named Client#, where # is a unique number. There’s an administrative account named Admin#, where # is also a unique number, which has a password of password.

Scenario:
As the new security administrator for a nuclear plant, you will be responsible for maintaining and updating the documentation related to security policies, as well as for understanding and enforcing the policies. Before you can be effective in these new duties, you’ve decided that you need to familiarize yourself with the existing policy documents in the organization. Use the \\Client100\SPlus\Student\NuclearPlantPasswordPolicy.rtf file to answer the following questions.


What You Do How You Do It

1. If necessary, log on to Windows XP.

a. Reboot the computer and choose Windows XP Professional from the boot loader menu.

b. Log on as Admin# with a password of password.

2. Examine the policy document.

a. Connect to \\Client100\SPlus\Student.

b. Open the NuclearPlantPasswordPolicy.rtf file.

c. When you have answered the following questions, close WordPad.

3. What type of security policy document is this?

4. What other types of policy documents might you need in order to create a complete security policy?

5. Which of the general components of a policy document are represented in this document?

6. How often must users change their passwords in order to adhere to this policy?

7. What is the minimum length for a password according to this policy?

8. Would “gandalf8” be an acceptable password according to this policy? Why or why not?


System Vulnerabilities
Each operating system has unique vulnerabilities that also present a variety of opportunities for would-be attackers and can lead to the threats you learned about previously. The following four tables list some common security vulnerabilities in Windows 2000, Windows XP, NetWare 6, and Sun Solaris. (These tables are meant to describe some well-known vulnerabilities; they are not exhaustive lists. For up-to-date information about security vulnerabilities, check the manufacturers’ Web sites and other security references.)

The following table lists some vulnerabilities in Windows 2000 Server.

Vulnerability | Description

DNS zone transfers | DNS zone transfers can provide a wealth of information about the internal structure of a network because they include DNS records for every host in an organization. By default, zone transfers are allowed to any DNS server.

Telnet service | To gain unauthorized access, an attacker could exploit the predictability of the name of the pipe created during the establishment of a Telnet session. Code could be placed on the server and executed when the pipe is opened.

Internet Information Services | Because IIS is installed and enabled by default, it can provide easy access to a Windows 2000 server.

Directory Services Restore Mode Administrator password | Allows an attacker to boot into Directory Services Restore mode and access Active Directory data.

Local SAM attack | Member servers’ Security Accounts Manager (SAM) databases are vulnerable to password-cracking utilities because of how the passwords are stored. Also, in some circumstances, deleting the SAM on a member server will reset the Administrator account’s password to blank.

Remote Datagram Protocol (RDP) | When multiple malformed packets are sent to the RDP port on a Windows 2000 server, it could cause the system to suddenly crash, resulting in a DoS.

The next table lists some vulnerabilities in Windows XP Professional.

Vulnerability | Description

Universal Plug and Play (UPnP) buffer overflow | This vulnerability involves sending a fake notification message to the UPnP service on a Windows XP machine. The resulting buffer overflow could lead to a takeover attack.

RAS phonebook | The Remote Access Service (RAS) phonebook module in Windows XP does not properly check a specific attribute value, which can cause malformed data requests to lead to an attacker receiving LocalSystem privileges and the ability to execute malicious code on the target system.

SNMP buffer overrun | When malformed data is sent to the Simple Network Management Protocol (SNMP) service running on Windows XP, a specially designed malicious management request could lead to a DoS, a takeover attack, or a malicious code attack.

Outlook Express and Internet Explorer | Two of the most frequent targets—Outlook Express and Internet Explorer—are vehicles for malicious code, takeover, and DoS attacks that exploit numerous security vulnerabilities in both applications, both of which are installed by default with Windows XP.

Internet Connection Firewall (ICF) | Protects inbound communication but doesn’t stop Trojans and viruses from connecting to the Internet from your system.

The following table describes some NetWare 6 vulnerabilities.

Vulnerability | Description

NetWare Loadable Modules (NLMs) | Because NetWare systems rely on NLMs, they are vulnerable to fake NLMs that grant an attacker access to the system in some way. A popular malicious NLM allows the attacker to change the supervisor’s password on the server. There are also Trojan NLMs that mimic real NLMs, and attackers can use flaws in real NLMs to compromise the system.

NetWare Core Protocol (NCP) requests | Attackers can flood the NetWare server with malicious and fake NCP requests, which results in a DoS attack when the server crashes and stops responding.

Server console | Anyone with physical access to the server console can run NLMs to gain administrative access to the server.

RCONSOLE | The RCONSOLE password is not encrypted by default.

The following table lists some of the vulnerabilities of the UNIX operating system and some known vulnerabilities of Sun Solaris 9 specifically.

Vulnerability | Description

Trusts and address-based authentication | By masquerading as another host, an attacker can bypass the .rhosts security implementation to gain access to a remote Solaris system.

Daemons | Improperly configured daemons, or daemons with security flaws, could lead to system compromise.

setuid programs | A security flaw in a setuid program, especially a setuid root program, could give an attacker elevated privileges or access to the root (or both).

r services | Weak authentication mechanisms for these services provide opportunities for spoofing attacks.

Berkeley Internet Name Domain (BIND) DNS | Because BIND runs with root privileges, BIND vulnerabilities can lead to unauthorized root access.

Samba 2.0.8 and 2.0.9 | If Solaris is running either of these versions of Samba, an attacker can exploit a symbolic link condition to gain elevated access and overwrite and destroy system files.


Hardened Operating System

Definition:

A hardened operating system is an operating system that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened operating system may include some or all of the following security configuration settings:

• The latest operating system patches to close any security holes in the default installation of the operating system. Operating system patches can remove vulnerabilities in services and add-ons, such as the DNS service, the Telnet service, and IIS, and vulnerabilities in the operating system itself, such as programming flaws that could lead to UPnP buffer overflows, RAS phonebook attacks, SNMP buffer overruns, and exploitation of Windows XP’s firewall (ICF). Operating system patches can also protect against flaws in the implementation of protocols, such as RDP, in the operating system.

• Strong passwords to protect against password-cracking utilities, to keep passwords such as the Directory Services Restore Mode Administrator password secure, and to protect SAM databases.

• The latest application patches, which are independent of the operating system patches, to close application vulnerabilities, such as those in Outlook Express and Internet Explorer, that could lead an attacker into the operating system.

• Antivirus software to protect against malicious code.

• Disabled unnecessary services to prevent attackers from exploiting them. For example, disabling or removing IIS on a Windows 2000 Server computer will remove a host of vulnerabilities associated with that service, and disabling SNMP on Windows XP can resolve the SNMP buffer overrun vulnerability.

• Disabled or deleted guest accounts or other unnecessary accounts, and renamed default accounts, all of which an attacker could use to gain access to the system. (If an attacker has a user name, he or she has half of what’s necessary to enter a system.)

• Restricted access permissions so that only those users who absolutely need access are allowed into the system.

• Security policies to control, limit, or restrict user interaction with the system.

• Warning messages or banners displayed at user logon to warn users that only authorized use is allowed. These banners could be important in future civil litigation or criminal prosecution, and can put all users on notice that their activity might be monitored. All warning banners should comply with the legal requirements of your jurisdiction.

• Audit policies to track resource and directory access.

• Locked rooms to physically secure mission-critical servers and devices, to which only trusted administrators have access.

• Backup strategies to protect sensitive data and restore it in the event of an attack. Backup media should be stored offsite. Backups help ensure business continuity in the event of an attack.


Example: USA Travel’s Servers

USA Travel has a security policy that requires their servers to have the latest operating system patches and antivirus software, and to be kept in a locked room. So each branch office administrator checks for and applies operating system updates weekly, keeps all servers up-to-date with the latest antivirus software, and keeps the servers in a locked room to which only she and the branch manager have keys. These servers are hardened because they have been secured according to USA Travel’s security policy.

Security Baselines

A security baseline is a collection of security configuration settings that are to be applied to a particular system in the enterprise. Generally speaking, a specific security baseline will outline a minimum security configuration that you can use as criteria against which you can compare other systems in your network. When creating a baseline for a particular computer, the settings you decide to include will depend on its operating system and its function in your organization and should include manufacturer recommendations. So you will have separate baselines for desktop clients, file and print servers, DNS/BIND servers, application servers, directory services servers, and for all those same types of systems depending on whether they’re running Windows, NetWare, or a version of UNIX or Linux.

Baselines should be documented so they can be applied consistently throughout your organization, and they will include all the hardening methods that you’re employing for each operating system and type of computer. Once you’ve decided on a baseline, you can implement it with each new deployment or upgrade.

Microsoft Baseline Security Analyzer

Microsoft provides a free tool that you can use to scan computers running Windows NT 4.0 (with SP4 or higher), Windows 2000, and Windows XP and compare them against Microsoft’s recommended security baselines. It’s called the Microsoft Baseline Security Analyzer (MBSA), and you can download it from the Microsoft Security Web site at www.microsoft.com/security. To run MBSA, your computer must be running Windows 2000 or Windows XP and have Internet Explorer 5.01 or later. You can use MBSA to scan any computer on the network to which you have administrative rights. If you’re going to scan a computer with IIS, you must have the IIS files installed on the computer on which you’re running MBSA.

When you run MBSA, it scans the computers you specify and searches for improperly configured settings and missing service packs and hotfixes in the following:

• Windows operating system (including password expiration and complexity, file system, the Guest account, the number of local Administrators, and unnecessary services)

• IIS 4.0 and IIS 5.0

• SQL Server 7.0 and SQL Server 2000

• Applications such as Microsoft Office, Internet Explorer, and Outlook Express

If it finds misconfigurations in the operating system or any of the features or applications above, it will report them in an easy-to-read format, much like the one you see in Figure 2-1. You can then use that security report to fix any problems by installing hotfixes or service packs or by implementing the configuration recommendations.


Figure 2-1: MBSA displays the results of a scan.

Windows 2000 and Windows XP Security Policy Settings

Buried in the hundreds of Group Policy settings on Windows 2000 and Windows XP computers is a set of policies devoted solely to securing the operating systems. The security policy settings can be found in the main Group Policy window under Computer Configuration, Windows Settings. You can also find the security policy settings in the following locations:

• The Domain Controller Security Policy utility (where you’ll find just the security policy settings) on the Administrative Tools menu on Windows 2000 domain controllers.

• In the Local Security Policy utility on all Windows 2000 Server and Windows XP Professional computers.

You can use security policies to configure a wide variety of security-related settings. Table 2-1 lists security policy settings in Windows 2000 and how you can use them to configure security on your servers. You can use security policy settings to configure security locally, or you can use them to configure security on Windows 2000 computers across the network using Group Policy.

On a Windows 2000 server computer, you’ll be able to configure only Account Policies, Local Policies, Public Key Policies, and IP Security Policies using the Local Security Policy utility.


Table 2-1: Windows 2000 Security Policy Settings

Security policy setting, and what you use it to do:

Account Policies: Define password policy and account lockout policy.

Local Policies: Set an audit policy, user rights assignments, and machine-specific security options (like suppressing the display of the last user who logged on in the Log On To Windows dialog box).

Event Log: Set event log parameters, such as maximum log sizes and user access to the logs.

Restricted Groups: Track and control membership of groups that you consider sensitive or privileged. If an unauthorized user is added to the group, this policy setting can remove the user automatically.

System Services: Configure service startup values and configure security for critical system services, such as the Server and Workstation services.

Registry: Set security on Registry keys.

File System: Set security for file system objects.

Public Key Policies: Have computers automatically submit a certificate request to an enterprise CA and install the issued certificate; create and distribute a certificate trust list; establish common trust root CAs; and add encrypted data recovery agents and change your encrypted data recovery policy settings.

IP Security Policies: Create and configure IPSec to secure IP traffic on the network.

Table 2-2 lists the security policy settings you can configure on a Windows XP Professional computer using Local Security Policy. You can use these settings to configure Windows XP computers that are part of a domain or workgroup, although they would most likely be used to configure security on Windows XP computers in a workgroup setting.

Table 2-2: Local Security Policy Settings on a Windows XP Computer

Security policy setting, and what you use it to do:

Account Policies: Define password policy and account lockout policy.

Local Policies: Set an audit policy, user rights assignments, and machine-specific security options (like suppressing the display of the last user who logged on in the Log On To Windows dialog box).

Public Key Policies: Add encrypted data recovery agents.

Software Restriction Policies: Restrict users’ ability to install and run applications on their computers.

IP Security Policies: Create and configure IPSec to secure IP traffic on the network.

Like all Group Policy settings, you can configure security policy at the local, site, domain, or organizational unit (OU) level. And like other Group Policy settings, security settings are inheritable, but OU settings override domain settings, which override site settings, which override local settings, unless of course you force Group Policy inheritance.
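The Account Policies entry in Tables 2-1 and 2-2 covers two sets of rules that interact at logon: the password policy (minimum length, complexity, history) and the account lockout policy (threshold, reset window, lockout duration). The following Python model is an added example, not code from the course or from Windows; it re-implements those rules so you can see what each setting does before you configure it. The policy values (8-character minimum, 3-attempt threshold, 30-minute reset window and lockout duration), the account name and the passwords are constructed, and the three-character account-name check is a stated simplification of the Windows complexity rule.

```python
"""Model of the Windows Account Policies: password policy and account
lockout policy. Added example, not Windows code; policy values are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8       # Minimum password length (constructed value)
    complexity: bool = True   # Password must meet complexity requirements
    history_size: int = 24    # Enforce password history (constructed value)


def meets_complexity(password: str, account_name: str) -> bool:
    """Windows complexity requirement: at least six characters, characters from
    three of the four classes (upper, lower, digit, other) and no account name.
    Simplification (assumption): any run of three or more characters of the
    account name is rejected, stricter than the Windows full-name rule."""
    if len(password) < 6:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    pw, name = password.lower(), account_name.lower()
    return not any(name[i:i + 3] in pw for i in range(len(name) - 2))


def password_violations(password: str, account_name: str,
                        history: List[str], policy: PasswordPolicy) -> List[str]:
    """Rules a proposed password breaks (empty list = accepted). `history` is
    kept in the clear only because this is a model; Windows stores hashes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.complexity and not meets_complexity(password, account_name):
        problems.append("does not meet complexity requirements")
    if policy.history_size and password in history[-policy.history_size:]:
        problems.append("reused from password history")
    return problems


@dataclass
class LockoutPolicy:
    threshold: int = 3                                     # Account lockout threshold (0 = never lock)
    reset_window: timedelta = timedelta(minutes=30)        # Reset account lockout counter after
    duration: Optional[timedelta] = timedelta(minutes=30)  # Account lockout duration (None = until admin unlock)


@dataclass
class AccountState:
    bad_count: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LogonService:
    """Applies the lockout policy to logon attempts, one counter per account."""

    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials   # account -> password (model only)
        self.state: Dict[str, AccountState] = {}

    def logon(self, account: str, password: str, now: datetime) -> str:
        s = self.state.setdefault(account, AccountState())
        if s.locked_until is not None:
            if now < s.locked_until:
                return "locked out"
            s.locked_until, s.bad_count = None, 0          # lockout duration elapsed
        if s.last_failure is not None and now - s.last_failure >= self.policy.reset_window:
            s.bad_count = 0                                 # reset window elapsed
        if self.credentials.get(account) == password:
            s.bad_count = 0                                 # success clears the counter
            return "success"
        s.bad_count += 1
        s.last_failure = now
        if self.policy.threshold and s.bad_count >= self.policy.threshold:
            s.locked_until = (now + self.policy.duration) if self.policy.duration else datetime.max
            return "locked out"
        return "bad password"

    def unlock(self, account: str) -> None:
        """Administrator unlock; the only way out when duration is None."""
        self.state[account] = AccountState()


def lockout_scenario() -> List[str]:
    """Three bad passwords lock the account; even the right password is
    refused until the lockout duration has passed."""
    svc = LogonService(LockoutPolicy(), {"jsmith": "Tr0ub4dor!x"})
    t0 = datetime(2003, 4, 1, 9, 0, 0)
    return [
        svc.logon("jsmith", "guess1", t0),
        svc.logon("jsmith", "guess2", t0 + timedelta(seconds=5)),
        svc.logon("jsmith", "guess3", t0 + timedelta(seconds=10)),
        svc.logon("jsmith", "Tr0ub4dor!x", t0 + timedelta(minutes=1)),
        svc.logon("jsmith", "Tr0ub4dor!x", t0 + timedelta(minutes=31)),
    ]


def reset_window_scenario() -> List[str]:
    """Failures spread wider than the reset window never reach the threshold."""
    svc = LogonService(LockoutPolicy(), {"jsmith": "Tr0ub4dor!x"})
    t0 = datetime(2003, 4, 1, 9, 0, 0)
    return [
        svc.logon("jsmith", "guess1", t0),
        svc.logon("jsmith", "guess2", t0 + timedelta(seconds=1)),
        svc.logon("jsmith", "guess3", t0 + timedelta(minutes=45)),
    ]
```

The two scenario functions show the trade-off the activity questions below probe: a short reset window keeps legitimate users who mistype twice from being locked out, while a non-zero threshold stops an unlimited run of guesses against one account.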


ACTIVITY 2-3

Investigating Windows XP Security Policy Settings

Scenario:

You’re the security administrator for a large national bank, and you’ve been asked to investigate the security settings that you can configure in Windows XP as part of the bank’s attempt to create a corporate security policy. Your manager has submitted a list of questions she needs answered before she can go ahead with the next stage in the creation of the security policy.

What You Do / How You Do It

1. On the Windows XP computer, open Local Security Policy.

a. Choose Start→Control Panel.

b. Click Performance And Maintenance, and click Administrative Tools.

c. Double-click Local Security Policy.

2. Is there a password policy setting that lets you set a minimum password age?

3. By default, how long are passwords valid on a Windows XP computer?

4. Is there a way to lock out a user after he or she has entered the wrong username or password three times?

5. By default, which users have been assigned the right to log on locally to a Windows XP computer?

6. Is there a security option that will allow you to create and display a warning banner when users log on?

7. Under Public Key Policies, what setting can you configure?


8. What are the three default IP Security policies?

9. True or False? Security settings configured at the domain level will override local policy settings on Windows XP computers in that domain.

Windows 2000 and Windows XP Security Audits

Just about everything that happens on a Windows 2000 or Windows XP computer is logged in one of the logs in Event Viewer. After a typical installation, Windows 2000 and Windows XP computers have three logs in Event Viewer: the application log, the security log, and the system log. Depending on the services installed on a Windows 2000 server, Event Viewer might also have a DNS server log, a directory service log, and a file replication service log. By default, system events are written to all logs except the security log, which requires you to select and configure which security-related events you want to log. Table 2-3 describes the security events you can log.

Table 2-3: Security Audit Events

Security event, and what it is used to track:

Account logon events: User logon events at remote computers that use this computer to validate the logon. Can be used on domain controllers to track user logons at remote workstations.

Account management: Changes to or additions of user and group accounts. Can also be used to track account deletions.

Directory service access: User access of directory service objects. In a separate step, auditing must also be enabled on the objects you want to monitor.

Logon events: Users logging on to this computer.

Object access: User access of objects on the computer, including files, folders, and Registry keys. In a separate step, auditing must also be enabled on the objects you want to monitor.

Policy change: Changes to user rights assignment, audit, and trust policies.

Privilege use: Use of privileged rights, such as changing the system time.

Process tracking: Actions or operations performed by a program or procedure. This information is most useful to programmers who might be tracking a program’s execution.

System events: Restarts, shutdowns, and events that impact system security.

Because auditing is configured as a policy, you can apply an audit policy at the local computer using local policy or across the organization using Group Policy. To apply an audit policy, you must first enable the policy and then decide whether to log successes or failures, or both, depending on your audit strategy and security policy. For example, your security policy might require the auditing of only account logon failures and not successes, or it might not require the audit of policy changes at all. Once you’ve enabled and configured auditing, all events will be written to the security log in Event Viewer, which will require careful monitoring to detect possible attackers or intruders. Monitoring Event Viewer should be part of your overall network monitoring strategy.
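The monitoring the last paragraph asks for is easier to picture with a concrete pass over the log. The following Python example is added here and is not course material: it runs simple detection logic over a constructed security-log sample and reports the patterns that the logon, account management and system event categories in Table 2-3 let you see: a burst of logon failures on one account followed by a success, a member added to a privileged group, an audit-log-cleared event, and long stretches with no events at all. The CSV layout and the sample events are constructed for this example; the event IDs are the Windows 2000/XP security-log IDs (528 successful logon, 529 logon failure, 636 member added to a local group, 517 audit log cleared).

```python
"""Detection logic over Windows security-log audit events (the categories of
Table 2-3). Added example; the log below is a constructed sample in a CSV
layout chosen for this example, not a real Event Viewer export.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample. Event IDs are the Windows 2000/XP security-log IDs:
# 528 successful logon, 529 logon failure, 636 member added to a local
# group, 517 audit log cleared. "target" holds group:member for 636.
SAMPLE_LOG = """\
time,type,category,event_id,user,computer,target
2003-04-01 08:58:10,Success Audit,Logon/Logoff,528,rlee,WKS07,
2003-04-01 09:00:05,Failure Audit,Logon/Logoff,529,jsmith,WKS12,
2003-04-01 09:00:09,Failure Audit,Logon/Logoff,529,jsmith,WKS12,
2003-04-01 09:00:14,Failure Audit,Logon/Logoff,529,jsmith,WKS12,
2003-04-01 09:00:20,Failure Audit,Logon/Logoff,529,jsmith,WKS12,
2003-04-01 09:00:31,Success Audit,Logon/Logoff,528,jsmith,WKS12,
2003-04-01 09:05:00,Success Audit,Account Management,636,jsmith,WKS12,Administrators:jsmith
2003-04-01 09:06:00,Success Audit,System Event,517,jsmith,WKS12,
2003-04-01 11:30:00,Failure Audit,Logon/Logoff,529,mgarcia,WKS03,
2003-04-01 14:30:00,Success Audit,Logon/Logoff,528,mgarcia,WKS03,
"""

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}


def parse_log(text: str) -> List[dict]:
    """Parse the CSV sample into dicts with a datetime and an int event ID."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)) -> Dict[str, int]:
    """Accounts with at least `threshold` logon failures inside any `window`,
    with the largest count seen (a sliding window per account)."""
    times = defaultdict(list)
    for e in events:
        if e["event_id"] == 529:
            times[e["user"]].append(e["time"])
    flagged = {}
    for user, ts in times.items():
        start, best = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def success_after_failures(events, users, window=timedelta(minutes=5)) -> List[str]:
    """Flagged accounts whose last failure was followed by a successful logon
    inside `window`; worth confirming with the account owner."""
    hits = []
    for user in users:
        last = max(e["time"] for e in events if e["event_id"] == 529 and e["user"] == user)
        if any(e["event_id"] == 528 and e["user"] == user
               and last <= e["time"] <= last + window for e in events):
            hits.append(user)
    return hits


def privileged_group_changes(events) -> List[Tuple[str, str, str, str]]:
    """Account-management events adding a member to a privileged group,
    as (time, actor, group, member)."""
    out = []
    for e in events:
        if e["event_id"] in (632, 636) and ":" in e["target"]:
            group, member = e["target"].split(":", 1)
            if group in PRIVILEGED_GROUPS:
                out.append((e["time"].isoformat(sep=" "), e["user"], group, member))
    return out


def audit_log_cleared(events) -> List[str]:
    """Who cleared the security log, and when (event 517)."""
    return [f'{e["time"]:%Y-%m-%d %H:%M:%S} by {e["user"]}' for e in events if e["event_id"] == 517]


def silent_periods(events, max_gap=timedelta(hours=2)) -> List[Tuple[datetime, datetime]]:
    """Stretches of at least `max_gap` with no events: a log that is empty
    or suddenly quiet deserves as much attention as one full of failures."""
    return [(a["time"], b["time"]) for a, b in zip(events, events[1:])
            if b["time"] - a["time"] >= max_gap]


def run(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    bursts = failed_logon_bursts(events)
    return {
        "bursts": bursts,
        "guessed": success_after_failures(events, bursts),
        "privileged": privileged_group_changes(events),
        "cleared": audit_log_cleared(events),
        "silent": silent_periods(events),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name}: {result}")
```

Each check reads one of the audit categories you enable under Audit Policy: the first two need logon events with failures (and successes) audited, the third needs account management, and the last two need system events; if a category is not audited, the corresponding check has nothing to work with.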


ACTIVITY 2-4

Investigating Auditing of Security Events

Scenario:

As part of the process of creating the bank’s security policy, you’ve been asked to answer several questions about the process and potential value of enabling security audits on the Windows XP computers.

What You Do / How You Do It

1. What are some of the benefits of setting up an audit policy?

2. In addition to monitoring the overall security of a network and its resources, why else might events in the security log be important?

3. What might a series of unsuccessful logon events indicate?

4. What type of threat or attack could you discover by monitoring successful user logons?

5. What type of attack could you discover by monitoring successful changes to user or group accounts?

6. What type of attack might an empty security log indicate?


Unnecessary Services, NLMs, and Daemons

When deciding which Windows 2000 services to disable, be sure to thoroughly investigate each candidate to see if you can safely disable it based on the server’s network role. Some services might be required for a server performing a certain function, while others might be performing no service at all. For example, on a Windows 2000 server that you’re using as a print server, you shouldn’t disable the Print Spooler service. However, on a Windows 2000 server that’s being used only to store departmental files, the Print Spooler service can easily be disabled. Again, researching the Windows 2000 Server documentation and controlled testing will tell you which services you can disable.

On the other hand, NetWare and UNIX/Solaris default installations don’t have many unnecessary services installed. When installing these operating systems you must select which services to install, so unlike Windows 2000 Server, if you don’t choose to install a service explicitly, it isn’t installed. However, as in Windows 2000, keeping the number of services running to the absolute minimum gives attackers less of an opportunity to find a way into the system. Because of that, and because of the nature of the NetWare and UNIX/Solaris default installations, what you should be looking for with those two operating systems is not which services to disable but which services you should not enable to begin with.

Table 2-4 contains some examples of Windows 2000 services, NetWare 6 NLMs, and Solaris 9 daemons that you can safely disable or not enable at all on most computers (again depending on the server’s role).

Because servers are likely to have more services running than a workstation, we’re not focusing on Windows XP in this section. However, you can usually disable many of the same core operating system services on Windows XP that you can on Windows 2000 Server.

Table 2-4: Services, NLMs, and Daemons You Can Safely Disable or Not Enable

Operating system; service, NLM, or daemon; comment:

Windows 2000

• Alerter service: Used to forward alerts generated on the local computer to users or remote computers. Disable to prevent a social engineering attack.

• Clipbook service: Used only to transfer clipboard data between computers.

• Fax service: Used only if users will be sending and receiving faxes from the system.

• Messenger service: Used for sending pop-up messages between users. Disable to prevent a social engineering attack.

• Print Spooler service: Can be safely disabled on computers not accessing printers.

• World Wide Web Publishing service: Unnecessary if the server isn’t a Web server.

NetWare 6

• Portal.nlm and nsweb.nlm: Not necessary if the server isn’t a Web server.

• Nwftpd.nlm: Used only for FTP access.

• Named.nlm: Used only on DNS servers.

• Dhcpsrvr.nlm: Used only on DHCP servers.

• Java.nlm: Unnecessary unless you support Java applications on the server.


Solaris 9

• nfsd: Necessary only on file servers.

• dhcpd: Used only on DHCP servers.

• named: Used only on BIND servers.

• Samba: Unnecessary unless you need the server to connect to Microsoft systems to share data.

• anonftp: Allows anonymous FTP access; use only when absolutely necessary.

UNIX

• /etc/inetd.conf: Remove unnecessary Internet services from this configuration file to strengthen against port scanning attacks.

Security Templates

Definition:

Security templates are text files that specify security settings in the areas of account policies, local policies, the event log, restricted groups, system services, and the Registry. Security templates give you a way to standardize security settings based on computer role and the level of security you require and to apply those settings consistently to multiple computers. They also help automate the task of applying separate security settings when you harden your systems—a task which can involve configuring settings in several different utilities. Windows 2000 and Windows XP security templates are stored in %systemroot%\Security\Templates.

You can use Windows 2000 security templates on Windows 2000 Server and Windows 2000 Professional computers.


Figure 2-2: A portion of a Windows 2000 security template.

Example: Windows 2000 Security Templates

There are several types of Windows 2000 security templates, which are described in Table 2-5. A sample of a Windows 2000 security template is displayed in Figure 2-2.

Table 2-5: Windows 2000 Security Templates

Basic (Basicdc for domain controllers and Basicsv for servers): These templates are used to apply the default security settings that are configured when you complete a clean install of Windows 2000. You can use these templates to apply the default security configuration to computers you’ve upgraded to Windows 2000 or to restore the defaults on a Windows 2000 computer.

Secure (Securedc and Securews): These templates are used to apply increased security settings in the areas of account policy, auditing, and some security-related Registry keys.

Highly Secure (Hisecdc and Hisecws): These templates apply security settings that create the most secure Windows 2000 environment. They require that all network communications be digitally signed and encrypted at a level that can be provided only by Windows 2000. This means you can’t communicate with any downlevel Windows clients.


Example: Windows XP Security Templates

Table 2-6 describes the security templates available in Windows XP. While you will see the Hisecdc and Securedc security templates in Windows XP, you wouldn’t apply them to a Windows XP computer because they contain system settings for domain controllers.

Table 2-6: Windows XP Security Templates

Compatible (Compatws): This template is used so that members of the Users group can run applications that don’t meet Windows 2000/XP application specifications without being members of the Power Users group.

Secure (Securews): Like the similar Windows 2000 security template, this template is used to apply increased security settings in the areas of account and password policy, auditing, and some security-related Registry keys.

Highly Secure (Hisecws): This template applies the most restrictive security settings, especially those settings that apply to authentication and directory access.

System root security (Rootsec): You can use this template to apply default security settings to the system root (used to reapply the default settings in the event the settings are modified).

Default security configuration (Setup security): You use this template to reapply the system-wide security settings that come with a default installation of Windows XP.

You can also use security templates to analyze your current system settings by comparing your current settings to those that Microsoft recommends and includes as part of the template.

You can use the Security Configuration And Analysis tool, a Microsoft Management Console (MMC) snap-in, to apply a security template. If you want to examine or modify template settings, you can use the Security Templates snap-in. You can apply one of the default templates without modifying it, or you can choose one that is similar to your needs and then modify it accordingly. Before you apply any of the templates, be sure to examine them closely to see which settings they contain. You can also automate the deployment of security templates by using Group Policy.

For more information on how to deploy security templates, see Windows 2000 Help or www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp.


ACTIVITY 2-5

Investigating Security Templates

Scenario:

As part of the ongoing effort to create the bank’s security policy, you’ve been asked to investigate ways to automate the deployment of mandatory security settings throughout the company. You’ve recently discussed the security templates that ship with Windows 2000 and Windows XP in a strategy meeting, and now you’ve been asked to provide answers to some follow-up questions.

What You Do / How You Do It

1. Open a blank MMC and snap in the Security Templates tool.

a. Choose Start→Run, and enter MMC.

b. Choose File→Add/Remove Snap-in.

c. In the Add/Remove Snap-in dialog box, click Add.

d. Scroll to find the Security Templates snap-in, select it, and click Add. Click Close.

e. In the Add/Remove Snap-in dialog box, click OK.

f. Maximize the Console Root window and then the Console1 window.

g. Expand Security Templates, D:\Windows\Security\Templates.

h. If necessary, resize the panes so you can see all the security templates.

2. How do the password policy settings differ in the compatws and securews templates?

3. If you want to audit account logon events and account management, but not object access, which security template would you use?


4. Which workstation template uses restricted groups to protect the Administrators and Power Users groups?

5. If you want to reset the system-wide security policy settings to the default configuration, you would apply the ________ template.

If you want to reset the security settings on the system root, you would apply the ________ template.

6. Why would you choose to use Group Policy to apply security templates instead of applying the templates locally to individual computers?

7. Close the Console1 window without saving changes.

a. Close the Console1 window.

b. Click No when prompted to make changes.

Harden Base Operating Systems

Procedure Reference: Harden a Windows XP Operating System

To harden a Windows XP operating system:

1. Apply the latest service packs or hotfixes to close any security holes in the operating system.

a. Connect to the Windows Update Web site at http://windowsupdate.microsoft.com or run the executable for the service pack or hotfix, which you can obtain from Microsoft’s Web site.

b. Use the wizards to complete the installations and restart when prompted.

2. Disable the Welcome screen to remove the list of Windows XP users.

a. Open Control Panel and click User Accounts.

b. Under Pick A Task, click Change The Way Users Log On Or Off.

c. Uncheck Use The Welcome Screen.

On a Windows XP Professional computer in a domain, implement policies at the domain level. On stand-alone or workgroup Windows XP computers, implement policies locally.

3. Change account passwords to comply with security policy requirements, which should include enforcing the use of strong passwords.

a. Open Control Panel and User Accounts.

b. Select the account you want to change and click Change My Password.

c. Enter and confirm a new password.


4. Set appropriate password policies to make passwords more difficult to crack or guess.

a. Open Control Panel, click Performance And Maintenance, click Administrative Tools, and open Local Security Policy.

b. Expand Account Policies and select Password Policy.

c. In the details pane, double-click the settings, and enable and configure password policies according to your security policy.

5. Set appropriate account lockout policies to restrict user logon attempts.

a. In Local Security Settings, under Security Settings, Account Policies, select Account Lockout Policy.

b. In the details pane, double-click the settings, and enable and configure account lockout policies according to your security policy.

6. Set appropriate audit policies to monitor resource and directory access.

a. In Local Security Settings, expand Local Policies.

b. Select Audit Policy.

c. In the details pane, double-click the settings, and enable audit policies according to your security policy.

7. Set appropriate user rights assignments to restrict user access to the system.

a. In Local Security Settings, under Local Policies, select User Rights Assignments.

b. In the details pane, double-click the settings, and configure user rights assignments according to your security policy.

8. Set the appropriate security options, which can include warning banners, to control user interaction with the system.

a. In Local Security Settings, under Local Policies, select Security Options.

b. In the details pane, double-click the settings, and enable and configure the security options according to your security policy.

9. Configure the Event Log settings as part of your implementation of an audit policy.

10. Convert any FAT or FAT32 drives to NTFS to enable NTFS security and restrict access to only those users and groups that need access.

a. Determine the volume label of the drive you want to convert.

b. In a command prompt window, enter the command convert drive: /fs:ntfs, where drive is the letter of the drive you want to convert.

c. When prompted, enter the volume label.

d. Enter N to skip dismounting the drive, and then enter Y to schedule the conversion for the next system restart.

e. Restart the computer.

11. Use the Microsoft Baseline Security Analyzer to establish a security baseline and identify which vulnerabilities might still exist.

12. Install the latest application patches for applications such as Outlook Express and Internet Explorer.

13. Install antivirus software to protect against malicious code.


14. Disable unnecessary services to prevent attackers from exploiting them.

a. Open Control Panel, and then open Performance And Maintenance.

b. Open Administrative Tools, and then double-click Services.

c. Double-click the service you want to disable and, from the Startup Type menu, select Disabled.

15. Disable or delete guest accounts or other unnecessary accounts, and rename default accounts.

16. Secure critical systems in locked rooms to prevent tampering and sabotage.

17. Establish a regular backup schedule to back up the operating system’s critical components and services.

Procedure Reference: Harden the Windows 2000 Operating System

To harden a Microsoft Windows 2000 Server operating system:

If you are deploying multiple hotfixes at once in your own environment, you can chain them together by using the Qchain tool. This will make it easier to deploy hotfixes so you don’t have to reboot between each one. For more information, visit: www.microsoft.com/downloads/release.asp?ReleaseID=29821.

1. Apply the latest service packs or hotfixes to close any security holes in the operating system.

a. Connect to the Windows Update Web site at http://windowsupdate.microsoft.com or run the executable for the service pack or hotfix, which you can obtain from Microsoft’s Web site.

b. Use the wizards to complete the installations and restart when prompted.

2. Disable unnecessary services to prevent hackers from exploiting the services to gain access or control of the system.

a. Right-click My Computer and choose Manage.

b. Expand Services And Applications and select Services.

c. In the details pane, disable any unnecessary services by double-clicking the service and choosing Disabled from the Startup Type drop-down list.

3. Install Internet Explorer 6 to update the server’s browser and remove the vulnerabilities found in Internet Explorer 5.x. (Install Internet Explorer from the Windows Update Web site.)

4. Configure strict access control on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg Registry key.

a. Choose Start→Run and enter regedt32.

b. In the Registry Editor window, in HKEY_LOCAL_MACHINE, expand \SYSTEM\CurrentControlSet\Control\SecurePipeServers.

c. Select the Winreg subkey.

d. Choose Security→Permissions.

e. In the Name list, configure access only for the most trusted group of administrators.


5. Set RestrictAnonymous=1 in the Registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA to restrict user access to the system using null sessions.

a. Choose Start→Run and enter regedt32.

b. In the Registry Editor window, in HKEY_LOCAL_MACHINE, expand \SYSTEM\CurrentControlSet\Control.

c. Select Lsa.

d. In the right pane, double-click restrictanonymous, and in the Data text box, type 1.

6. Install the Windows Media Player security patch.

7. Use the Microsoft Baseline Security Analyzer to establish a security baseline.

8. Enforce the use of strong passwords to protect against password cracking utilities.

9. Install antivirus software to protect against malicious code.

10. Disable or delete guest accounts or other unnecessary accounts, and rename default accounts.

a. On a Windows 2000 domain controller, open Active Directory Users And Computers, and delete unnecessary accounts and rename default accounts.

b. On a Windows 2000 server, open Computer Management. In the Local Users And Groups folder, delete unnecessary accounts and rename default accounts.

11. Configure security policy settings to control or limit user interaction with the system. In a domain setting, deploy security policy settings using Group Policy. In a workgroup setting, use Local Security Policy to deploy security policy settings.

12. Create messages or banners to warn users against unauthorized use of the system.

13. Deploy an audit policy to track resource and directory access.

14. Secure critical systems in locked rooms to prevent tampering and sabotage.

15. Establish a regular backup schedule to back up the operating system’s critical components and services.

Solaris 9 Automated Security Enhancement Tool (ASET)

Solaris 9 provides a similar set of templates that you can use to secure Solaris 9 servers called the Automated Security Enhancement Tool (ASET). You can use ASET to secure Solaris servers using one of three predefined levels of security, which are described in Table 2-7. When ASET runs, it performs a series of checks on the following components:

• System files

• System configuration files

• File permissions

• Users and groups

• Environment variables

• eeprom security

• Firewall

You can disable the firewall check if the server isn’t a firewall by editing the ASET environment file (asetenv).

LESSON 2

Security+ A CompTIA Certification52


ASET checks settings and configures them to correspond to the level of security you’ve chosen. If there are any security issues ASET can’t fix, it reports them to you so you can configure those settings manually. ASET reports are stored in the /usr/aset/reports directory. Like Windows 2000 security templates, you can edit the ASET environment file to add custom settings by configuring the user environment variables section.

Table 2-7: ASET security levels.

Security Level   Description
Low              ASET checks components and reports vulnerabilities. Minimal configuration changes are made at this level.
Medium           ASET checks components and configures the system to restrict access.
High             ASET sets the most restrictive access permissions at this level, giving security priority over system access.

Hardening Application Servers

Network servers that aren’t dedicated to providing a specific network service, such as DNS or DHCP, are often used as application servers, providing applications such as Oracle, Exchange, or a custom application, to network users. When you need to harden application servers, use the same procedure to harden their operating systems as was described in this topic. Additionally, you need to work with your vendor to make sure the application or applications running on those servers are patched or otherwise securely configured to prevent attackers from exploiting that software to find a way into your network.

ACTIVITY 2-6
Hardening a Stand-alone Windows XP Operating System

Data Files:

• SecureSystems.doc

Setup: Tools, Service Packs, and data files you will need for this activity are available on the network in the \\Client100\SPlus share in the following folders:

• Windows XP Service Pack: \XPProSP1

• Microsoft Baseline Security Analyzer: \MBSA

• SecureSystems.doc: \Student

Scenario: As the security administrator for a large national bank, you need to make sure your new Windows XP Professional client computers are secure. For now, these computers will be deployed in a workgroup. With the current Windows 98 systems, the bank’s IT department has had problems in the past with viruses; with short or non-existent passwords; with users bypassing the logon and accessing confidential data, such as background investigation checks; and with users logging on with Guest access. Before connecting the new Windows XP Professional computers to your network, you need to make sure that the base operating system is hardened to minimize the likelihood of attacks from users and to provide auditing trails in order to be able to catch someone who has attempted to breach the security on your system.

The IT department has designed a security deployment plan for all new systems, including the Windows XP Professional desktops, and you as the security administrator need to make sure the plan is implemented. Your new antivirus software will arrive soon, but for now you will use the bank’s security design document, SecureSystems.doc, and implement the appropriate changes on your Windows XP Professional systems.

Your first task is to harden a Windows XP computer named Client#, where # is a unique number. The default administrator account has been set up with a password of !Pass1234. There is also an administrative-level account named Admin#, where # is the computer number. The password for this account is password. There is also a workgroup administrative account named Admin100. The password for this account is !Pass1234.


What You Do How You Do It

1. Install the Windows XP Service Pack.

a. Use the Start→Run command to open the \\Client100\SPlus shared folder.

b. Run the \XPProSP1\XPSP1 self-extracting cabinet file. The Service Pack files are automatically extracted and the Setup Wizard runs.

c. Complete the Setup Wizard with the following parameters:

• Accept the license agreement.

• Archive the files to the default uninstall folder.

d. When the setup is complete, click Finish. The computer will restart.

e. Reboot to Windows XP Professional and log back on as Admin#.

f. To verify that the Service Pack installation was successful, open the System Properties dialog box. The System version should display with Service Pack 1.

g. Close the System Properties dialog box.


2. Disable the Welcome screen.

a. From the Start menu, choose Control Panel and click User Accounts.

b. Under Pick A Task, click Change The Way Users Log On Or Off.

c. Uncheck Use The Welcome Screen. Use Fast User Switching is automatically unchecked as well.

d. Click Apply Options.

e. Close User Accounts and Control Panel.

f. Log off. Instead of the Welcome Screen, you now can log on using the Log On To Windows dialog box.

g. Log on as Admin#.

3. Change the Admin# account password to !Pass1234 to comply with the password security requirements as specified in the SecureSystems.doc file.

For your convenience, this file is printed as an Appendix in the back of the course manual.

a. Open the \\Client100\SPlus\Student\SecureSystems.doc file and locate the password policy settings.

b. Open Control Panel and User Accounts.

c. In User Accounts, click the Admin# account and click Change My Password.

d. In the Type Your Current Password text box, type password.

e. Enter and confirm !Pass1234 as the new password for the Admin# account.

f. Click Change Password.

g. Close User Accounts.


4. Set the appropriate Password Policy as specified in the SecureSystems.doc file.

a. In Control Panel, click Performance And Maintenance.

b. Click Administrative Tools.

c. Open Local Security Policy.

d. Expand Account Policies and select Password Policy.

e. Double-click Enforce Password History.

f. Enter the appropriate value for this policy as specified in SecureSystems.doc.

g. Click OK.

h. Set the appropriate value for the Maximum Password Age policy.

i. Set the appropriate value for the Minimum Password Age policy.

j. Set the appropriate value for the Minimum Password Length policy.

k. Double-click Password Must Meet Complexity Requirements.

l. Select Enabled.

m. Click OK.

5. Set the appropriate Account Lockout Policy as specified in the SecureSystems.doc file.

a. In Local Security Settings, under Account Policies, select Account Lockout Policy.

b. Double-click Account Lockout Threshold.

c. Enter the appropriate value for this policy as specified in SecureSystems.doc.

d. Click OK.


e. Click OK to accept the Suggested Value Changes for the related Account Lockout Policy settings.

6. Set the appropriate Audit Policy as specified in the SecureSystems.doc file.

a. In Local Security Settings, under Local Policies, select Audit Policy.

b. Double-click Audit Account Logon Events.

c. Check Success and Failure.

d. Click OK.

e. Configure the appropriate auditing settings for the Audit Account Management policy.

f. Configure the appropriate auditing settings for the Audit Logon Events policy.

g. Configure the appropriate auditing settings for the Audit Object Access policy.

h. Configure the appropriate auditing settings for the Audit Policy Change policy.

i. Configure the appropriate auditing settings for the Audit Privilege Use policy.

j. Configure the appropriate auditing settings for the Audit System Events policy.

7. Set the appropriate User Rights Assignment as specified in the SecureSystems.doc file. You will only need to change policies if the default setting for a given policy does not match the recommended setting in the SecureSystems.doc file.

a. In Local Security Settings, under Local Policies, select User Rights Assignment.

b. Double-click Access This Computer From The Network.


c. Select the Everyone group and click Remove.

d. Click OK.

e. Configure the appropriate rights assignments for the Change The System Time policy.

f. Configure the appropriate rights assignments for the Log On Locally policy.

8. Set the appropriate Security Options as specified in the SecureSystems.doc file.

a. In Local Security Settings, under Local Policies, select Security Options.

b. Configure the appropriate policy setting for the Accounts: Limit Local Account Use Of Blank Passwords To Console Logon Only policy.

c. Double-click Accounts: Rename Administrator Account.


d. In the text box, type your first name.

e. Click OK.

f. Configure the appropriate policy setting for the Accounts: Rename Guest Account policy.

g. Configure the appropriate policy setting for the Audit: Audit The Access Of Global System Objects policy.

h. Configure the appropriate policy setting for the Audit: Audit The Use Of Backup And Restore Privilege policy.

i. Configure the appropriate policy setting for the Audit: Shut Down System Immediately If Unable To Log Security Audits policy.

j. Configure the appropriate policy setting for the Devices: Allow Undock Without Having To Log On policy.

k. Configure the appropriate policy setting for the Devices: Prevent Users From Installing Printer Drivers policy.

l. Configure the appropriate policy setting for the Devices: Restrict CD-ROM Access To Locally Logged-on User Only policy.

m. Configure the appropriate policy setting for the Devices: Restrict Floppy Access To Locally Logged-on User Only policy.

n. Double-click the Devices: Unsigned Driver Installation Behavior policy.

o. From the drop-down list, select Do Not Allow Installation.

p. Click OK.

q. Configure the appropriate policy setting for the Interactive Logon: Do Not Display Last User Name policy.

r. Configure the appropriate policy setting for the Interactive Logon: Do Not Require CTRL+ALT+DEL policy.

s. Double-click the Interactive Logon: Message Text For Users Attempting To Log On policy.

t. In the text box, type the text in the Code Sample.

See Code Sample 1

u. Click OK.

v. Configure the appropriate policy setting for the Interactive Logon: Message Title For Users Attempting To Log On policy.

w. Configure the appropriate policy setting for the Interactive Logon: Number Of Previous Logons To Cache policy.

x. Configure the appropriate policy setting for the Interactive Logon: Smart Card Removal Behavior policy.

y. Configure the appropriate policy setting for the Network Access: Sharing And Security Model For Local Accounts policy.

z. Configure the appropriate policy setting for the Network Security: Force Logoff When Logon Hours Expire policy.

aa. Configure the appropriate policy setting for the Shutdown: Allow System To Be Shut Down Without Having To Log On policy.


ab. Close Local Security Settings and the Administrative Tools window.

Code Sample 1

Warning! This system is for authorized users only. Anyone using this system without authorization is subject to prosecution. In addition, the system may be monitored. By using this system, you consent to monitoring. Any suspicious activity may be reported to the proper authorities.


9. Test some of the Security Options policy settings.

a. Open Computer Management and expand Local Users and Groups. (To open Computer Management, open the Start menu, right-click the My Computer object, and choose Manage.)

b. Select the Users folder. The Administrator account has been renamed with your first name. The Guest user account has been renamed and disabled.

c. Close Computer Management.

d. Open My Computer.

e. Right-click any folder or drive and choose Sharing And Security. The Sharing tab appears with the settings for the Classic sharing and security model.

f. Close the property sheet and My Computer.

g. From the Start menu, choose Log Off.

h. In the Log Off Windows message box, click Log Off.

i. Press Ctrl+Alt+Delete to open the Log On To Windows dialog box. The new security warning dialog box appears.

j. Click OK to close the security warning dialog box. The Log On To Windows dialog box opens. The name of the last-logged-on user is not visible.

k. Click Options. The Shut Down button in this dialog box is grayed out.

10. Test the Account Lockout policy settings.

a. In the Log On To Windows dialog box, enter Admin# as the user name.

b. Enter pass as the password.

c. Click OK to attempt to log on with an incorrect password. A warning box appears informing you that your logon has failed.

d. Click OK to close the warning box.

e. Attempt to log on with an incorrect password repeatedly. After several attempts, you should see a message that your account has been locked out. You can also lock the account out immediately by attempting to log on with a blank password. Windows XP Professional interprets this as the start of a dictionary-based password attack.

f. Click OK to close the message box.

g. Log on as your first name with a password of !Pass1234. The Administrator account name is now your first name.

h. Open Computer Management, expand Local Users and Groups, and select the Users folder.

i. Right-click the Admin# account and choose Properties.

j. Uncheck Account Is Locked Out and click OK.


11. Test the Password policy settings.

a. Log off and log back on as Admin#.

b. From the Start menu, choose Control Panel→User Accounts.

c. Click the Admin# account and click Change My Password.

d. In the Type Your Current Password text box, type !Pass1234.

e. Click Change Password to attempt to create a blank password.

f. Click OK to close the User Accounts message box.

g. Click Cancel to close the User Accounts dialog box.

h. Close User Accounts.

12. Configure the appropriate Event Log settings as specified in the SecureSystems.doc file.

a. In Control Panel, click Performance And Maintenance.

b. Click Administrative Tools.

c. From the Administrative Tools group, open Event Viewer.

d. Right-click the Application log and choose Properties.

e. Set the value for the Maximum Log Size as specified in the SecureSystems.doc file.

f. Select the appropriate option under When Maximum Log Size Is Reached.

g. Click OK.

h. Follow a similar procedure to configure the security properties for the Security Log and the System Log.

i. Close Event Viewer and the Administrative Tools window.


13. Convert the E drive to NTFS.

When converting drives to NTFS make sure to always use the Convert command as opposed to the Format command so you do not lose data.

a. Open My Computer and determine the volume label for Drive E. You will need the volume label to confirm the file system conversion.

b. Close My Computer.

c. Open a command prompt window. (From the Start menu, click Run and enter cmd, or choose All Programs→Accessories→Command Prompt.)

d. Enter the command convert e: /fs:ntfs.

e. When prompted for the volume label for drive E, enter xpvolume.

f. Type N and press Enter. You do not need to force a dismount of drive E.

g. Type Y and press Enter to schedule the conversion for system restart.

h. Close the command prompt window.

i. Reboot the computer to Windows XP Professional. The system checks the disk and converts the file system during the reboot. The computer will restart multiple times. You might receive a STOP error, but the conversion should complete successfully.

j. Log on as Admin100 with a password of !Pass1234.

k. Open My Computer and select Drive E to verify the file-system conversion. The file system should display in the Details section as NTFS.


14. Install the Microsoft Baseline Security Analyzer.

a. Open the \\Client100\SPlus\MBSA folder and run the MBSAsetup.msi installation package.

b. Complete the Microsoft Baseline Security Analyzer Setup Wizard by using the following parameters:

• Accept the license agreement.

• Accept the default User Information settings.

• Accept the default Destination Folder settings.

• On the Choose Install Options page, uncheck Show Readme File After Installation and uncheck Launch Application After Installation.

• Accept the default program feature selections.


15. Scan your system to establish a security baseline.

a. On the desktop, double-click the Microsoft Baseline Security Analyzer shortcut.

b. Click Scan A Computer.

c. Verify that your computer name appears in the Computer Name box and click Start Scan.

d. Review the scan results and click any Result Details or How To Correct This links to determine the security recommendations reported by MBSA. Don’t fix anything based on the suggestions now, as you will harden the system more in later activities.

e. Close MBSA.

16. Can you tell if all current security patches have been implemented on the Windows XP Professional system? If not, why?

17. How would you fix some of the problems the scan has detected?
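The settings that steps 4 through 8 of this activity configure by hand (and the RestrictAnonymous value from the Windows 2000 procedure reference earlier in this topic) can be verified across many workgroup machines by exporting the effective policy with secedit /export /cfg and comparing the export against the baseline. The script below is an added example, not part of the course manual or of any Microsoft tool: it parses the security-template .inf format that secedit writes and reports every setting that falls short of a baseline. The baseline numbers and the sample export are constructed placeholders standing in for SecureSystems.doc, whose actual values the manual does not reproduce; the section and key names (System Access, Event Audit, Privilege Rights, Registry Values) are the ones secedit uses.

```python
# Added example, not from the course manual: check a Windows security-template
# (.inf) export against a hardening baseline.  The format is the one written by
# "secedit /export /cfg <file>" and used by Windows 2000/XP security templates.
# BASELINE holds placeholder numbers standing in for SecureSystems.doc, whose
# actual values the manual does not reproduce.

EVERYONE_SID = "*S-1-1-0"   # well-known SID of Everyone, as secedit writes it
AUDIT_BOTH = 3              # [Event Audit] values: 1 = success, 2 = failure, 3 = both

BASELINE = {                # hypothetical policy values, not the bank's
    "PasswordHistorySize": 24,
    "MinimumPasswordAge": 1,     # days
    "MaximumPasswordAge": 42,    # days; an export of -1 means "never expires"
    "MinimumPasswordLength": 8,
    "LockoutBadCount": 5,
}
AUDIT_CATEGORIES = ("AuditAccountLogon", "AuditAccountManage", "AuditLogonEvents",
                    "AuditObjectAccess", "AuditPolicyChange", "AuditPrivilegeUse",
                    "AuditSystemEvents")
# [Registry Values] data is "<type>,<data>"; type 4 is REG_DWORD.
REQUIRED_REGISTRY = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": "4,1",
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName": "4,1",
}

# Constructed sample: what an unhardened workgroup install might export.
SAMPLE_EXPORT = r"""
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 0
AuditLogonEvents = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=4,0
"""


def parse_template(text):
    """Parse the ini-style template into {section: {key: value}}, keys kept verbatim."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")   # registry paths contain no "="
        if sep and current is not None:
            sections[current][key.strip()] = value.strip()
    return sections


def check_template(text, baseline=BASELINE):
    """Return a list of findings; an empty list means the export meets the baseline."""
    t = parse_template(text)
    findings = []
    access = t.get("System Access", {})

    def setting(key):
        return int(access.get(key, "-1"))    # a missing key counts as unset

    for key in ("PasswordHistorySize", "MinimumPasswordAge",
                "MinimumPasswordLength", "LockoutBadCount"):
        if setting(key) < baseline[key]:
            findings.append(f"{key} is {setting(key)}, baseline requires at least {baseline[key]}")
    max_age = setting("MaximumPasswordAge")
    if not 1 <= max_age <= baseline["MaximumPasswordAge"]:
        findings.append(f"MaximumPasswordAge is {max_age}, baseline allows at most "
                        f"{baseline['MaximumPasswordAge']} days and no 'never expires'")
    if setting("PasswordComplexity") != 1:
        findings.append("PasswordComplexity is not enabled")

    audit = t.get("Event Audit", {})
    for key in AUDIT_CATEGORIES:
        if int(audit.get(key, "0")) != AUDIT_BOTH:
            findings.append(f"{key} does not audit both success and failure")

    rights = t.get("Privilege Rights", {})
    network_logon = [s.strip() for s in rights.get("SeNetworkLogonRight", "").split(",")]
    if EVERYONE_SID in network_logon:
        findings.append("Everyone still holds 'Access this computer from the network'")

    registry = t.get("Registry Values", {})
    for path, wanted in REQUIRED_REGISTRY.items():
        if registry.get(path) != wanted:
            name = path.rsplit("\\", 1)[-1]
            findings.append(f"{name} is not set to {wanted.split(',')[1]}")
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_EXPORT):
        print(" -", finding)
```

secedit writes its export as a UTF-16 text file, so read a real one with open(path, encoding="utf-16") before passing its contents to check_template. Running the script as written lists the fifteen shortfalls in the constructed sample; an export that meets every baseline value produces an empty list, which is the condition worth alerting on when the check is scheduled across a fleet.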


ACTIVITY 2-7
Hardening a Windows 2000 Domain Member

Data Files:

• SecureSystems.doc

Setup: Tools, Service Packs, and data files for this activity are available on the network at \\Server100\SPlus in the following folders:

• Windows 2000 Security Rollup Package 1: \W2KSRP

• Internet Explorer 6: \IE6

• Windows Media Player Security Patch: \WMPPatch

• Microsoft Baseline Security Analyzer: \MBSA

• SecureSystems.doc: \Student

Scenario: Your next task as the bank’s security administrator is to make sure your new servers are secure. With the current Windows NT server systems, the bank’s IT department has had additional problems in the past with users, both internal and external, accessing services they were not supposed to, as well as some problems with attacks on the default Internet Information Server (IIS) configuration from Internet users. The bank wants to minimize the possibility of those attacks without removing IIS altogether, as many of the systems will be deployed later as Web servers, or will host applications that require IIS. For now, you as the security administrator will disable these services until you harden them later on as you need them. Also, the security plan calls for disabling the Print Spooler service on servers that are not being used as print servers. Before connecting the new Windows 2000 Servers to your network and joining the computers to the domain, you want to make sure that the server operating system is hardened to minimize the likelihood of attacks from both internal and external users. Because these will be domain member computers, all security-related policies will be set at the domain level, so there is no need for you to configure them individually, but you will need to perform other hardening steps individually on each system.

The IT department has designed a security deployment plan for all new systems, including the Windows 2000 Server systems, and you as the security administrator need to make sure the plan is implemented. Using the deployment design document SecureSystems.doc, implement the changes on your Windows 2000 Server system, named Server#, in domain Domain#. The default administrator account has been set up with a password of !Pass1234.


What You Do How You Do It

1. If necessary, reboot your computer into Windows 2000 Server and log on as Administrator.

a. Restart the computer.

b. Choose Windows 2000 Server from the boot loader menu.

c. Log on as Administrator.

2. Install the Windows 2000 Security Rollup Package 1.

a. While logged on as Administrator, open \\Server100\SPlus\W2KSRP.

b. Double-click the rollup installation file to extract the files for the security rollup.

c. In the Choose Directory For Extracted Files dialog box, enter C:\rollup and click OK to specify a directory for the extracted rollup files.

d. In the Setup Wizard, click Next.

e. To accept the license agreement, select I Agree and click Next. The security rollup is installed.

f. When prompted, click Finish to restart the computer.

g. Log back on as Administrator.


3. Stop the unnecessary services.

a. On the desktop, right-click My Computer and choose Manage to open Computer Management.

b. Expand Services And Applications and select Services.

c. Right-click the FTP Publishing Service and choose Properties.

d. From the Startup Type drop-down list, select Disabled.

e. Click Stop.

f. After the service stops, click OK.

g. Use a similar procedure to disable and stop the Network News Transport Protocol service.

h. Use a similar procedure to disable and stop the Print Spooler service.

i. Use a similar procedure to disable and stop the World Wide Web Publishing service.

j. Close Computer Management.


If You Have Internet Access

4. Install Internet Explorer 6.

a. Open the \\Server100\SPlus\IE6 folder.

b. Double-click the IE6Setup file.

c. Select I Accept the Agreement and click Next.

d. Click Next. The Setup file connects to the Internet Explorer download site on Microsoft’s Web site to obtain the required files. The amount of time required for the download will vary depending upon the speed of your Internet connection.

e. If you see a list of incomplete installation components, click Next.

f. When the installation is finished, click Finish to restart the computer.

g. Log on as Administrator. Windows Update updates various files.

If You Do Not Have Internet Access

5. Install Internet Explorer 6.

a. Open the \\Server100\SPlus\IE6 folder.

b. Open the \I386 folder and double-click Setup.exe.

c. Click Install Internet Explorer 6 And Internet Tools.

d. Select I Accept The Agreement and click Next.

e. Click Next. Setup installs the updated components.

f. When the installation is finished, click Finish to restart the computer.

g. Log on as Administrator. Windows Update updates various files.

h. If you are prompted to resume Setup, click Next, and then click Finish.


6. Make the appropriate registry changes.

a. From the Start menu, choose Run.

b. Enter regedt32 and click OK.

c. Maximize the Registry Editor window.

d. Select and maximize the HKEY_LOCAL_MACHINE window.

e. Select and expand the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers key.

f. Select the Winreg subkey.

g. Choose Security→Permissions.

h. In the Name list, select the Administrators (DOMAIN#\Administrators) group.

i. In the Permissions list, check the Allow check box for Full Control. Click Apply.

j. In the Name list, select the Backup Operators group. Click Remove.

k. Click OK.

l. Select the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA key.

m. Double-click the Restrictanonymous value.

n. In the Data text box, type 1.

o. Click OK.

p. Close the Registry Editor.


7. Apply the Windows Media Player Security Patch.

The installation steps might vary depending on the current version of the patch.

a. Open the \\Server100\SPlus\WMPPatch folder.

b. Run the Windows Media Player 6.4 Update installation file (wm320920_64.exe).

c. When installation is complete, click OK.

8. Install the Microsoft Baseline Security Analyzer.

a. Open the \\Server100\SPlus\MBSA folder and run the MBSASetup.msi installation package.

b. Complete the Microsoft Baseline Security Analyzer Setup wizard by using the following parameters:

• Accept the license agreement.

• Accept the default User Information settings.

• Accept the default Destination Folder settings.

• On the Choose Install Options page, uncheck Show Readme File After Installation and uncheck Launch Application After Installation.

• Accept the default program feature selections.


9. Scan your system to establish a security baseline.

a. On the desktop, double-click the Microsoft Baseline Security Analyzer shortcut.

b. Click Scan A Computer.

c. Verify that your computer name appears in the Computer Name box and click Start Scan.

d. Review the scan results and click any Result Details or How To Correct This links to determine the security recommendations reported by MBSA.

e. Close MBSA.

10. Can you tell if all current security patches have been implemented on the Windows 2000 Server system? If not, why?

11. How would you fix some of the problems the scan has detected?


DISCOVERY ACTIVITY 2-8
Applying a Service Pack

Activity Time:

30 minutes

Setup: Service Pack 3 is available on the network at \\Server100\SPlus\W2KSP3.

Scenario: You have completed a basic hardening procedure on all Windows 2000 domain member computers. However, Microsoft has just released a new Service Pack that postdates the last security patches that you applied when you hardened your servers. The bank’s security policy recommends applying the newest service packs as soon as possible.

1. If necessary, reboot your computer into Windows 2000 Server.

2. Install Windows 2000 Service Pack 3, accepting all defaults.

The location of the installation file might vary depending upon the source of the Service Pack. For example, it might be in the Update folder.

TOPIC B
Harden Directory Services

In Topic 2A, you learned to increase security on base operating systems to make any kind of computer service more secure. But system security doesn’t stop there, because, for each specialized service you run in your environment, there are also specialized security problems and holes that attackers are just longing to find and exploit. In the remainder of this lesson, you’ll learn how to increase security on a variety of internal network services, starting with one of the most fundamental and wide-ranging: the directory service that your organization depends on for day-to-day user operations.

Have you ever lost your personal organizer? You know, the book, device, or calendar that has your whole life in it—your appointments, key phone numbers, addresses? Remember how lost and desperate you felt? Well, the directory service for your network is like the organizer for your whole business. Your business really doesn’t want to lose that service to an attacker who might get inside your network to attack it. By increasing directory security, you can make the service a much tougher nut to crack.


Directory Services

Definition: A directory service is a network service that stores information about all the objects in a particular network, including users, groups, servers, client computers, and printers. Users can use the directory service to access network resources, such as folders, printers, and other network services, such as DNS or DHCP. Directory services can also be used to centralize security and to secure access to network resources through access control lists (ACLs) on network objects such as users, groups, computers, printers, and folders. There is a set of rules in a directory service as to how objects are created and what their characteristics (attributes) can be, and that set of rules is called the schema. While schemas define a directory and its objects and containers, most schemas are extensible, meaning they can be extended, or modified, to support the specific needs of an organization.

Example: Novell Directory Services (NDS) is an example of a directory service. NDS holds information about all the users, groups, servers, printers, and other objects in a Novell NetWare network. Users can use NDS to find network resources, such as printers, and administrators can control access to such resources through access control lists. NDS also has a schema that controls how objects are created and what attributes an administrator may assign to them. NDS is illustrated in Figure 2-3 as an example of a directory service.

Figure 2-3: NDS is an example of a directory service.


Example:Microsoft Active Directory service, which can be installed on any of the Windows2000 Server or Windows .NET Server operating systems, is another example of adirectory service. Active Directory holds information about all network objects for asingle Windows 2000 domain or multiple Windows 2000 domains. Active Directoryallows administrators to centrally manage and control access to resources using accesscontrol lists. Active Directory also allows users to find resources anywhere on thenetwork. Active Directory also has a schema that controls how objects are created andwhat attributes an administrator may assign to them.

The Lightweight Directory Access Protocol (LDAP)The Lightweight Directory Access Protocol (LDAP) is a protocol that is used on TCP/IP net-works to access an LDAP directory service database or a directory service such as ActiveDirectory or NDS. Like directory services, LDAP has a schema that defines exactly what youcan and can’t do with it while accessing a directory database and the form your query musttake when accessing the directory and how the directory server will respond. And like aschema for a directory service, the LDAP’s schema is extensible, which means you can makechanges or add on to it.

Directory Service Vulnerabilities
Because directory services are the heart and soul of any network, they're highly prized by attackers as a rich store of information. Once the directory database has been compromised, an attacker can do just about anything in the network; almost nothing's off limits.

Besides the security threats and operating system vulnerabilities we've covered so far, there are some vulnerabilities that are unique to a directory service. Some examples of these vulnerabilities are listed in Table 2-8.


Table 2-8: Directory Service Vulnerabilities

Directory Service / Vulnerability / Description

Active Directory

  Pre-Windows 2000 Compatible Access group: If you install the domain controller in pre-Windows 2000 compatible mode, the Everyone security context is added to this group, which gives anonymous callers read access to user and group attributes in the directory.

  Default permissions on Sysvol: Default NTFS permissions on volumes and, especially, the SYSVOL folder structure leave the door open for attackers to gain unauthorized access through null sessions and the Everyone security context.

  Null sessions: By default, Windows 2000 machines allow null sessions and anonymous enumeration of account information. The right utility, such as Netcat or Nmap, or even a simple UNC connection to a Windows 2000 machine in the right format (net use \\server\IPC$ "" /user:""), can use a null NetBIOS session to enumerate system information, user names, and shares, which can then be used in later attacks.

  NTLM version 1: Downlevel clients (Windows 9x and pre-SP4 Windows NT 4.0) authenticate to Windows 2000 domain controllers with LM and NTLMv1. An attacker with a sniffer on a segment that carries that traffic sees the user name in clear text and can capture the challenge-response exchange; the weak LM hash lets the password be recovered offline with a cracking tool. With user names and passwords, unauthorized access to Active Directory is easily attained.

NDS

  Public Read access to NDS tree: Public Read access to the NDS tree after a default installation of NDS allows the display of account names and other directory information to users who are not logged in. This information can be used to gain access to the NDS tree later in an attack.

  Common Gateway Interface (CGI) security: It's possible to remotely browse the NDS tree if a particular CGI (/lcgi/ndsobj.nlm) is available and an attacker exploits it by sending it malformed data. Remote browsing reveals directory information for use in subsequent attacks.

  NDS for NT elevated security access: If an attacker has a valid NDS account of any security level, it may be possible to gain access to any NT domain machine as Domain Admin by using another NDS account that has been flagged as having domain administrative rights over the NT domain.

Hardened Directory ServiceDefinition:

A hardened directory service is a directory service that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened directory service may include some or all of the following security configuration settings:

• A hardened operating system, so that attackers cannot exploit operating system vulnerabilities to attack the directory service.

• Current security patches for the directory service, to close security holes in the directory service itself.


• An established backup schedule for the directory service database.

• Restricted user and administrative access. For example, to secure a Windows 2000 domain controller, you should limit access to the Sysvol share and not use the Pre-Windows 2000 Compatible Access group.

• On a Windows 2000 domain controller, restricted null sessions (the RestrictAnonymous registry value, which the Security Options policy Additional Restrictions For Anonymous Connections sets).

• In a Windows 2000 domain, NTLMv2 for all downlevel clients (Windows 9x clients need the Directory Services Client installed before they can use it).

Example: USA Travel's Directory Services
According to USA Travel's security policy, only the network administrator can administer the directory service, all operating system patches must be kept current, and the directory services server must be kept in a locked room. Therefore, administrative rights on the directory services server have been restricted to the network administrator alone, and the server is kept in a locked room. The administrator has also configured automatic updates to alert him to new updates to the server's operating system. Because the directory service and its server have been configured according to the company's security policy, this is an example of a hardened directory service.

Harden Directory Services
Procedure Reference: Harden Active Directory Domain Controllers

To harden a Windows 2000 Active Directory domain controller:

1. Harden the domain controller's operating system to prevent attackers from exploiting operating system vulnerabilities to attack the directory service.

2. Establish a regular backup schedule for the directory service database.

3. Use the Security Configuration And Analysis tool to analyze the domain controller settings using the Hisecdc template as the criterion.

a. Snap the Security Configuration And Analysis utility into a blank MMC.

b. In the console tree, right-click the Security Configuration And Analysis object and choose Open Database.

c. Name the new database and click Open.

d. Select the Hisecdc security template and click Open.

e. In the console tree, right-click the Security Configuration And Analysis object and choose Analyze Computer Now. Click OK.

f. Review the results by expanding the nodes in the console tree and by examining settings in the details pane. Settings that differ from the template are flagged; read these before applying the template, because Hisecdc requires NTLMv2 and SMB signing from every client, and downlevel clients that cannot provide them will lose access to the domain controller.

4. For a single domain controller, apply the Hisecdc template directly to the domain controller to restrict user and administrative access.

a. In the console tree, right-click the Security Configuration And Analysis object and choose Configure Computer Now.

b. Accept the default path for the error log file.

5. For multiple domain controllers, deploy the Hisecdc template through Group Policy to restrict user and administrative access.

a. In Active Directory Users And Computers, open the properties of the Domain Controllers Organizational Unit (OU) and select the Group Policy tab.


b. With the Default Domain Controllers Policy selected, click Edit.

c. Expand Computer Configuration/Windows Settings.

d. Select and right-click Security Settings and choose Import Policy.

e. Select the Hisecdc template and click Open.

f. Close Group Policy, click OK in the property sheet, and close Active Directory Users And Computers.

6. Re-analyze the domain controller to verify that the settings have been configured.

7. Apply the latest security patches for the directory service to close security holes in the directory service itself.

8. Restrict null sessions to the domain controller.

9. Configure the downlevel clients to use NTLMv2 for authentication to the domain controller.
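The analysis step of the procedure above, as an added example in Python (this is not part of the manual and not Microsoft's tool): it parses a template written in the same .inf format as Hisecdc.inf and reports every setting the machine does not satisfy, which is what Security Configuration And Analysis shows you in the details pane. The template fragment and the CURRENT_SETTINGS snapshot are constructed for the example; they are not the contents of Hisecdc.inf or of any real domain controller.

```python
"""Compare a security template (.inf format) against a machine's settings.

This mirrors what Security Configuration And Analysis does: every setting
in the template is checked against the live value and each mismatch is
reported. The template fragment and CURRENT_SETTINGS below are constructed
for this example; they are not the contents of Hisecdc.inf or of a real DC.
"""
from dataclasses import dataclass

# Constructed fragment in the .inf security-template format (same section
# names Windows uses; the values are illustrative).
TEMPLATE = r"""
[Unicode]
Unicode=yes

[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5

[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3

[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""

# Type codes used in the [Registry Values] section of a template.
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

# Constructed snapshot of a domain controller before the template is applied.
# Settings absent from this dict are treated as "not configured".
CURRENT_SETTINGS = {
    "MinimumPasswordLength": "0",
    "PasswordComplexity": "0",
    "LockoutBadCount": "5",
    "AuditLogonEvents": "0",
    "AuditAccountLogon": "3",
    r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature": "0",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": "0",
}


@dataclass
class Mismatch:
    setting: str
    expected: str   # value the template demands
    actual: str     # value found on the machine, or "not configured"
    kind: str       # "policy" or a registry type such as REG_DWORD


def parse_template(text):
    """Return {section: {name: value}} for text in .inf template format."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        name, _, value = line.partition("=")
        sections[current][name.strip()] = value.strip()
    return sections


def expected_settings(sections):
    """Flatten the template into {setting: (kind, expected value)}.

    Registry entries are written as "type,data"; the type code is kept so a
    mismatch can be reported in the right units. The [Unicode] header
    carries no settings and is skipped.
    """
    expected = {}
    for section, entries in sections.items():
        if section == "Unicode":
            continue
        for name, value in entries.items():
            if section == "Registry Values":
                rtype, _, data = value.partition(",")
                expected[name] = (REG_TYPES.get(rtype, rtype), data)
            else:
                expected[name] = ("policy", value)
    return expected


def analyze(template_text, current):
    """Report every template setting the machine does not currently satisfy."""
    mismatches = []
    for name, (kind, want) in expected_settings(parse_template(template_text)).items():
        have = current.get(name, "not configured")
        if have != want:
            mismatches.append(Mismatch(name, want, have, kind))
    return mismatches


if __name__ == "__main__":
    for m in analyze(TEMPLATE, CURRENT_SETTINGS):
        print(f"{m.kind:9} {m.setting}: template={m.expected} machine={m.actual}")
```

The three registry values in the fragment correspond to the last steps of the procedure: RestrictAnonymous=2 restricts null sessions, LmCompatibilityLevel=5 refuses LM and NTLMv1, and RequireSecuritySignature=1 requires SMB signing. The [System Access] password and lockout entries only take effect when the template is applied at the domain level, as the activity below points out.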

Directory Management Tools
You can use a plain LDAP browser or editor, such as the Active Directory Administration Tool (Ldp.exe) seen in Figure 2-4, which ships with the Windows 2000 Server Support Tools, to work with a directory database. But in most cases, especially with Windows 2000 and NetWare 6, you'll probably use a GUI utility, such as Active Directory Users And Computers or ConsoleOne, to manipulate directory data: creating users and groups, populating groups, and setting security on the objects.

Figure 2-4: Using Ldp to access the Active Directory directory service.

While the plain LDAP editor is useful in troubleshooting situations, the GUI utilities are easier to work with, as you can see when you compare Figure 2-5 with Figure 2-4. In addition, you can write scripts that use LDAP to automate routine directory maintenance tasks, such as adding large numbers of users or groups and checking for accounts that allow blank passwords, or for disabled or obsolete user accounts.
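The kind of maintenance script the paragraph above describes, as an added example in Python (not part of the manual): it evaluates the userAccountControl flags and lastLogon timestamps that an LDAP search of Active Directory returns, and builds the bitwise-AND filter you would send to find such accounts directly. The SAMPLE_ENTRIES list is constructed to look like search results; no directory is contacted, and a real script would bind to the domain controller and run the same checks on each entry.

```python
"""Audit Active Directory user accounts from the attributes LDAP returns.

Added example: SAMPLE_ENTRIES below is constructed to look like the result of
an LDAP search for user objects; no directory is contacted. A real script
would bind to the domain controller and run the same checks on each entry.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented for Active Directory.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Matching-rule OID for a bitwise AND in an LDAP filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# AD stores timestamps as FILETIME: 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601   # integer arithmetic: the tick count exceeds float precision
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def uac_filter(flag, base="(objectClass=user)"):
    """LDAP filter matching user objects with `flag` set in userAccountControl."""
    return f"(&{base}(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag}))"


def audit_accounts(entries, now, stale_days=90):
    """Return {sAMAccountName: [findings]} for accounts that need attention.

    lastLogon is not replicated between Windows 2000 domain controllers, so
    a real audit queries every DC and keeps the newest value per account.
    """
    cutoff = now - timedelta(days=stale_days)
    findings = {}
    for e in entries:
        uac = int(e["userAccountControl"])
        issues = []
        if uac & PASSWD_NOTREQD:
            issues.append("password not required (blank password allowed)")
        if uac & DONT_EXPIRE_PASSWORD:
            issues.append("password never expires")
        if uac & ACCOUNTDISABLE:
            issues.append("disabled; review for deletion")
        else:
            last = int(e.get("lastLogon", 0))
            if last == 0:
                issues.append("never logged on")
            elif filetime_to_datetime(last) < cutoff:
                issues.append(f"no logon in {stale_days} days; obsolete?")
        if issues:
            findings[e["sAMAccountName"]] = issues
    return findings


NOW = datetime(2003, 1, 15, tzinfo=timezone.utc)   # constructed "today"

SAMPLE_ENTRIES = [   # constructed; attribute names match the AD schema
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogon": datetime_to_filetime(NOW - timedelta(days=2))},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD,
     "lastLogon": datetime_to_filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "lastLogon": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "dave", "userAccountControl": NORMAL_ACCOUNT, "lastLogon": 0},
    {"sAMAccountName": "erin", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "lastLogon": datetime_to_filetime(NOW - timedelta(days=120))},
]

if __name__ == "__main__":
    print("filter for PASSWD_NOTREQD:", uac_filter(PASSWD_NOTREQD))
    for name, issues in audit_accounts(SAMPLE_ENTRIES, NOW).items():
        print(f"{name}: {'; '.join(issues)}")
```

The PASSWD_NOTREQD flag is the closest thing LDAP exposes to "blank password allowed": the directory never returns the password itself, so the check is for accounts exempted from the password policy rather than for the password value.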


Figure 2-5: Using Active Directory Users And Computers to access the Active Directory directory service.

LDAP version 2 is defined in RFC 1777; LDAP version 3, which Active Directory uses, is defined in RFC 2251 (since revised as RFC 4511).

ACTIVITY 2-9
Hardening Directory Services

Data Files:

• SecureSystems.doc

Scenario:
Your next task as the bank's security administrator is to make sure Active Directory is secure. With the current Windows NT domain environment, the bank's IT department has had problems in the past with users, both internal and external, logging on with user accounts that were not their own. They also had problems with users not changing their passwords in the domain and using easy-to-guess passwords. There were also some problems with attacks on servers from Internet users. The bank wants to minimize the possibility of attacks on the Active Directory domain. Before connecting the new Active Directory domain controllers to your network and joining the new Windows XP Professional computers to the domain, you want to make sure that Active Directory is hardened to minimize the likelihood of attacks from both internal and external users.

The IT department and Active Directory design team have created a deployment plan for the Windows 2000 Active Directory servers, and you, as the security administrator, need to make sure the plan is implemented. Using the deployment design document SecureSystems.doc, implement the changes on your Windows 2000 server systems.


What You Do / How You Do It

1. Analyze the domain controller security settings against the appropriate security template as specified in the SecureSystems.doc file.

a. Open the \\Server100\SPlus\Student\SecureSystems.doc file and determine the required security template.

b. From the Start menu, choose Run.

c. Enter mmc and click OK.

d. Maximize the Console1 and Console Root windows.

e. Choose Console→Add/Remove Snap-in.

f. Click Add.

g. Select Security Configuration And Analysis and click Add. Click Close.

h. Click OK.

i. Right-click Security Configuration And Analysis and choose Open Database. You need to create a database of desired security settings to analyze against the current settings.

j. In the File Name text box, enter DC.sdb. Click Open.

k. In the Import Template dialog box, select Hisecdc.inf and click Open.

l. Right-click Security Configuration And Analysis and choose Analyze Computer Now.

m. Click OK to accept the default error log file.


n. In the console tree, expand Security Configuration And Analysis, expand Local Policies, and select Audit Policy. Several policy settings in this category of the template differ from the current settings on the domain controller.

o. Select Security Options. Several policy settings in this category also differ.

There are also policy settings in the Password Policy and Account Lockout Policy categories of the template that differ from the current computer settings. However, these policies can only be set at the domain level, not on a lower OU such as the Domain Controllers OU. For example, applying this template to the Domain Controllers OU will not affect the domain's password policy.

p. Minimize the MMC console.


2. As the domain administrator, use Group Policy to deploy the appropriate security template to the domain controllers in your domain.

a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users And Computers.

b. Expand your Domain# object.

c. Right-click the Domain Controllers OU and choose Properties.

d. Select the Group Policy tab.

e. With the Default Domain Controllers Policy selected, click Edit.

f. Expand Computer Configuration/Windows Settings and select Security Settings.

g. Right-click Security Settings and choose Import Policy.

h. Select the Hisecdc.inf security template and click Open.

i. Close Group Policy.

j. In the Domain Controllers Properties dialog box, click OK.

k. Close Active Directory Users And Computers.

3. What other security templates are available in a default installation of Windows 2000?


4. Refresh the Group Policy settings on the domain controller.

a. Open a command prompt window.

b. Enter secedit /refreshpolicy machine_policy. This is the Windows 2000 command that forces an immediate refresh of computer policy; add /enforce to reapply the settings even if the policy has not changed since the last refresh.

c. Close the command prompt window.

5. Reanalyze the system to verify that the policy changes from the template are in effect.

a. Switch to the MMC console window.

b. Right-click Security Configuration And Analysis and choose Analyze Computer Now.

c. Click OK to accept the default error log file.

d. Expand Local Policies and select Audit Policy. The policy settings on the domain controller are now consistent with the settings in the template.

e. Select Security Options. The policy settings on the domain controller are now consistent with the settings in the template, with the exception of the Automatically Log Off Users When Logon Time Expires setting, which is applied at the domain level.

f. Close the MMC console. There is no need to save the console.


TOPIC C
Harden DHCP Servers
In Topic 2B, you learned to increase the security of one of your most important internal network services, your directory. Clients that connect to that directory internally will need to get network addressing information from another important network service: DHCP. In this topic, you'll learn to increase the security of your company's DHCP servers.

If your DHCP servers go down, or start handing out bad address information, it won't affect your network infrastructure much. After all, the major systems on your network have static IP addresses and don't rely on DHCP. But those systems and services exist to serve your network clients, and if DHCP is compromised, the clients are the ones who won't be able to connect, and the network team is going to start getting phone calls from irate users. Worse, a client that accepts a bad lease also accepts the default gateway and DNS server addresses that come with it, so a hijacked DHCP server can quietly route client traffic through an attacker's machine. Avoid this by making your DHCP servers as hard to hijack as you possibly can.

DHCP Server Vulnerabilities
In addition to the base operating system vulnerabilities we've already covered, DHCP servers have some specific vulnerabilities, some examples of which are described in Table 2-9.

Table 2-9: DHCP Server Vulnerabilities

Vulnerability / Description

MAC address spoofing: DHCP does not authenticate clients, so an attacker can lease an IP address by pretending to be hardware that's part of the corporate network (for example, by presenting the MAC address of a machine that has a reservation). As a result, they can communicate with the other computers on that network.

Novell DHCP server buffer overflow: The DHCP server shipped with NetWare 6.0 SP1 has been found to contain various buffer overflows in the handling of malformed DHCP requests, which cause the service to ABEND (ABnormal END) and potentially cause the entire server to reboot.

Scope modification: An attacker gains access to a DHCP server and modifies the scope, causing incorrect IP address leases and disrupting communications on the network.

Rogue DHCP servers: Anyone with administrative access to a server can install the DHCP service, create a scope with false addresses, and begin handing them out to DHCP clients, preventing the clients from communicating on the network or pointing them at an attacker-controlled gateway or DNS server.

DHCP for remote clients: A remote access server that uses DHCP to assign IP addresses to remote clients can provide attackers with IP addresses and other network configuration information if they can connect to the remote access server.
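Rogue DHCP servers, the fourth entry in Table 2-9, are found on the wire by reading the offers clients receive. The following added example (Python; not part of the manual, and not a feature of the Windows DHCP service) parses DHCPOFFER packets and raises an alert when the server identifier (option 54) is not on an allow list of authorized servers. The packets are constructed by build_offer() for the example; nothing is captured from a real network. Active Directory authorization is honored only by the Windows 2000 DHCP Server service itself, so a rogue server on any other platform is caught only this way.

```python
"""Spot rogue DHCP servers by parsing offers seen on the wire.

Added example. The packets are constructed with build_offer(); nothing is
captured from a real network. Active Directory authorization is only honored
by the Windows 2000 DHCP Server service itself, so a rogue server running on
any other platform is caught by watching the wire, as here.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2132 magic cookie
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_LEASE = 0, 3, 6, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_offer(xid, client_mac, yiaddr, server_ip, router, dns, lease=86400):
    """Construct a DHCPOFFER the way a server would send it (test input only)."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, _ip(yiaddr), b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, 2])
               + bytes([OPT_SERVER_ID, 4]) + _ip(server_ip)
               + bytes([OPT_ROUTER, 4]) + _ip(router)
               + bytes([OPT_DNS, 4]) + _ip(dns)
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_dhcp(packet):
    """Decode the BOOTP header and the option list of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP_FMT, packet[:236])
    options, i = {}, 240
    while i < len(packet):                # walk the TLV option list
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\0")[0]
    return {
        "xid": f[4],
        "chaddr": f[11][:f[2]].hex(":"),          # client MAC, hlen bytes
        "yiaddr": str(ipaddress.IPv4Address(f[8])),
        "msg_type": MSG_TYPES.get(msg_type, "UNKNOWN"),
        "server_id": (str(ipaddress.IPv4Address(options[OPT_SERVER_ID]))
                      if OPT_SERVER_ID in options else None),
        "router": (str(ipaddress.IPv4Address(options[OPT_ROUTER]))
                   if OPT_ROUTER in options else None),
    }


def detect_rogue(packets, authorized):
    """Return an alert for every OFFER/ACK whose server is not on the allow list."""
    alerts = []
    for raw in packets:
        p = parse_dhcp(raw)
        if p["msg_type"] in ("OFFER", "ACK") and p["server_id"] not in authorized:
            alerts.append({"server_id": p["server_id"], "client": p["chaddr"],
                           "offered": p["yiaddr"], "router": p["router"]})
    return alerts


# Constructed sample: one offer from the authorized server, one from a rogue
# that also points the client at itself as default gateway and DNS server.
AUTHORIZED = {"10.1.1.10"}
SAMPLE_PACKETS = [
    build_offer(0x1234, "00:50:56:aa:bb:cc", "10.1.1.50", "10.1.1.10", "10.1.1.1", "10.1.1.10"),
    build_offer(0x1234, "00:50:56:aa:bb:cc", "10.1.1.51", "10.1.1.99", "10.1.1.99", "10.1.1.99"),
]

if __name__ == "__main__":
    for alert in detect_rogue(SAMPLE_PACKETS, AUTHORIZED):
        print("rogue DHCP server:", alert)
```

In production the packets would come from a capture on UDP port 67/68 on each subnet; because DHCP offers are broadcast, a sensor on the segment sees every server that answers, including the ones the relay agent never forwards.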


Hardened DHCP Server
Definition:

A hardened DHCP server is a DHCP server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened DHCP server may include some or all of the following security configuration settings:

• A hardened operating system to prevent attackers from exploiting operating system vulnerabilities to attack the DHCP server.

• The latest security patches for the DHCP service to remove any vulnerabilities in the DHCP service itself, such as the buffer overflow vulnerability in the DHCP server shipped with NetWare 6.0 SP1.

• An established backup plan for the DHCP database so it can be restored if it's ever deleted or corrupted as the result of an attack.

• Authorization in Active Directory in a Windows 2000 network to prevent rogue DHCP servers from disrupting network communications. Only the Windows 2000 DHCP Server service checks for this authorization before it starts leasing addresses, so it does not stop a rogue server running on Windows NT, NetWare, or UNIX; those have to be found on the wire.

• DHCP broadcast packets that do not traverse border routers.

• Restricted administrative access to prevent attackers from gaining unauthorized administrative access and modifying scope or server properties.

Example: USA Travel's DHCP Server
According to USA Travel's security policy, only the network administrator can administer the DHCP server, all operating system patches must be kept current, and the DHCP server must be kept in a locked room. Therefore, administrative rights on the DHCP server have been restricted to the network administrator alone, and the server is kept in a locked room. The administrator has also configured automatic updates to alert him to new updates to the server's operating system. Because the DHCP server has been configured according to the company's security policy, this is an example of a hardened DHCP server.

Harden DHCP Servers
Procedure Reference: Harden a Windows 2000 DHCP Server

To harden a Windows 2000 DHCP server:

1. Harden the operating system to prevent attackers from exploiting operating system vulnerabilities to attack the DHCP server.

2. Install the latest security patches for the DHCP service to remove any vulnerabilities in the DHCP service itself.

3. Establish a backup plan for the DHCP database so it can be restored if it's ever deleted or corrupted as the result of an attack.

4. In the DHCP administrative tool, right-click the DHCP server object and choose Authorize to guard against rogue DHCP servers in an Active Directory domain.

5. Remove the DHCP Relay Agent to prevent DHCP broadcast packets from traversing the router.

a. From the Administrative Tools menu, choose Routing And Remote Access.

b. Expand the server object and IP Routing.

c. Select and right-click DHCP Relay Agent, and choose Delete.


6. Restrict administrative access to prevent attackers from gaining unauthorized administrative access and modifying scope or server properties.

ACTIVITY 2-10
Hardening DHCP

Scenario:
One of the next tasks as the bank's security administrator is to make sure DHCP is secure. With the current Windows NT Server systems, the bank's IT department has had problems in the past with rogue DHCP servers being set up on the network and giving out unauthorized IP addresses. The bank also had problems with some Windows NT DHCP servers giving out addresses on subnets they were not supposed to. Before connecting the new Windows 2000 DHCP servers to your network, you want to make sure that DHCP is hardened to minimize the likelihood of attacks from both internal and external users.

Although DHCP is running on a domain controller for classroom and testing purposes, DHCP servers should not run on domain controllers, because it is a security risk: the DHCP service then registers client DNS records with the domain controller's own credentials, and records registered that way (especially if the domain controller is a member of the DnsUpdateProxy group) can be overwritten by any client, which makes it possible for a client to spoof the domain controller's DNS records. Also, if you have Active-Directory-integrated DNS zones and more than one DHCP server covering the same subnet (for redundancy), you may need to add the servers to the DnsUpdateProxy group.

To prevent rogue Windows 2000 DHCP servers from being installed on the network, the Active Directory design team has decided to have all the Windows 2000 DHCP servers authorized in Active Directory. To prevent DHCP addresses from passing to inappropriate subnets, they have decided to eliminate the DHCP Relay Agent from all Windows 2000 routers. As the security administrator, you need to make sure these changes are implemented.

What You Do / How You Do It

1. Authorize the DHCP server.

Do not activate the DHCP scope.

a. From the Start menu, choose Programs→Administrative Tools→DHCP.

b. Select and right-click the DHCP server object, and choose Authorize.

c. Choose Action→Refresh until the server object appears with a green upward-pointing arrow.

d. Close DHCP.


2. Remove the DHCP Relay Agent in Routing And Remote Access.

You can also harden RRAS itself so that it does not use DHCP.

a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

b. Expand your server object, and expand IP Routing.

c. Select and right-click DHCP Relay Agent, and choose Delete.

d. Click Yes to confirm the deletion.

e. Close Routing And Remote Access.

3. Why would you delete the DHCP Relay Agent?

TOPIC D
Harden Network File and Print Servers
Once clients connect to your network with their DHCP address and are authenticated by the directory service, they are going to want to access basic network resources, like shared files and network printers, in order to get their day-to-day work done. The servers that host your shared files and printers might not be as specialized as the other network services we've discussed, but they do have their own security needs. In this topic, you'll learn to increase the security of the basic file and print sharing services on your network.

File and print servers might not seem like the most interesting or exciting network services, but they need your protection. For one thing, if these servers are compromised, so is the ability of network users to do their day-to-day jobs. For another, you don't want attackers getting access to sensitive company information that might be stored in files on those servers. So these basic services are as worthy of your security attention as anything else running on your network.

SMB Signing
The Server Message Block (SMB) protocol runs on top of transport protocols such as TCP/IP, IPX/SPX, and NetBEUI, and is used to access shared network resources, such as files and printers. SMB typically works in this way:

1. A client computer sends SMB packets to a server to establish a connection.

2. After a client computer makes the initial connection to the server, it uses SMB packets to send requests for shared data or commands to a shared printer.


3. The server that received the request responds, returning SMBs containing the data that the client requested or responses to the commands sent to a printer.

Because this two-way exchange is prone to man-in-the-middle attacks (and perhaps a subsequent DoS attack if the attacker sends the server a malformed SMB packet), you should implement SMB signing to protect it, depending on the level of security your network data requires. When SMB signing is in use, each side inserts a signature into every SMB it sends: a keyed hash (a message authentication code, not a public-key signature) computed from the session key that client and server established during authentication, together with a sequence number. The receiver recomputes the hash and rejects any SMB whose signature does not match. In this way the client and server authenticate each SMB to each other and can detect that a packet was altered, injected, or replayed in transit. Note what signing does not do: it does not encrypt the data, so a sniffer can still read the files on the wire; it only ensures the data was not tampered with. For especially sensitive data, you can configure your servers and clients to require SMB signing; if one side is not configured to sign, the two will not be able to establish a session. Signing also costs CPU time on both ends, so measure the impact on busy file servers before requiring it.

SMB is used in Windows 95, Windows 98, and Windows NT 4.0 (SP3 or later, which is where SMB signing was introduced). It's also used in NetWare 6 (CIFS.NLM) and is available for UNIX environments, including Solaris, as Samba. In Windows 2000 and Windows XP, SMB is implemented as the dialect called Common Internet File System (CIFS).
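To make the signing mechanism concrete, here is an added example in Python (not code from the manual or from Windows) of a simplified SMB1-style signing scheme: the sender writes a sequence number into the 8-byte SecuritySignature field of the header, computes MD5 over the session key concatenated with the message, and stores the first 8 bytes of the digest in that field; the receiver repeats the computation for the sequence number it expects. The session key and messages are constructed for the example (a real session derives the key during authentication), and the demo() function runs the cases the text describes: a genuine message, a tampered one, a replay, a forgery without the key, and the fact that the payload stays readable.

```python
"""Simplified SMB1-style message signing: integrity, not confidentiality.

Added example. Windows' SMB1 signing puts a sequence number in the header's
SecuritySignature field and stores the first 8 bytes of MD5(key || message)
there; this is a simplified version of that scheme with a constructed key
and constructed messages (real sessions derive the key during authentication).
"""
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8          # SecuritySignature field in the SMB1 header
SMB_COM_WRITE = 0x2F                 # command byte (value from the SMB1 spec)

# Constructed session key shared by client and server after authentication.
SESSION_KEY = bytes.fromhex("8f4d1c0b7a3e5f2190c4d6e8b1a2c3d4")


def smb_header(command, uid, mid):
    """Build a minimal 32-byte SMB1 header with the signature field zeroed."""
    return (b"\xffSMB"                 # protocol id
            + bytes([command])         # command
            + b"\0" * 4                # status
            + b"\0"                    # flags
            + b"\0\0"                  # flags2
            + b"\0\0"                  # PIDHigh
            + b"\0" * SIG_LEN          # SecuritySignature (filled in by sign())
            + b"\0\0"                  # reserved
            + b"\0\0"                  # TID
            + b"\0\0"                  # PIDLow
            + struct.pack("<H", uid)   # UID
            + struct.pack("<H", mid))  # MID


def sign(key, message, seq):
    """Return `message` with its signature field set for sequence number `seq`."""
    with_seq = (message[:SIG_OFFSET] + struct.pack("<I", seq) + b"\0" * 4
                + message[SIG_OFFSET + SIG_LEN:])
    mac = hashlib.md5(key + with_seq).digest()[:SIG_LEN]
    return message[:SIG_OFFSET] + mac + message[SIG_OFFSET + SIG_LEN:]


def verify(key, message, seq):
    """True if `message` carries a valid signature for `seq` under `key`."""
    expected = sign(key, message, seq)[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(expected, message[SIG_OFFSET:SIG_OFFSET + SIG_LEN])


def demo():
    """Exercise the cases the text describes; returns {case: verified?}."""
    body = b"payroll.xls\0" + b"ACME total: 1000"   # constructed write payload
    msg = sign(SESSION_KEY, smb_header(SMB_COM_WRITE, uid=1, mid=7) + body, seq=2)

    # Man in the middle rewrites the amount but cannot recompute the MAC.
    tampered = msg[:-4] + b"9000"
    # Forgery: an attacker without the session key signs its own message.
    forged = sign(b"guess", smb_header(SMB_COM_WRITE, uid=1, mid=8) + body, seq=3)

    return {
        "genuine": verify(SESSION_KEY, msg, 2),
        "tampered": verify(SESSION_KEY, tampered, 2),
        "replayed": verify(SESSION_KEY, msg, 3),   # same bytes, wrong sequence
        "forged": verify(SESSION_KEY, forged, 3),
        "payload_visible": b"ACME total" in msg,   # signing does not encrypt
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} {ok}")
```

MD5 is what SMB1 used; SMB2 and SMB3 moved to HMAC-SHA256 and AES-CMAC, but the property is the same: without the session key an attacker can read and drop packets but cannot modify or inject them undetected.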

Hardened File and Print Server
Definition:

A hardened file and print server is a file and print server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened file and print server may include some or all of the following security configuration settings:

• A hardened operating system to remove any vulnerabilities in the file-sharing and print services.

• An established backup plan to protect sensitive files in the event of an attack.

• Restricted access to file and print resources.

• Disabled administrative shares.

• SMB signing enabled to prevent man-in-the-middle attacks.

• File encryption enabled to protect sensitive files.

• Restricted physical access to the printer or to the paper tray on the printer.

Example: USA Travel's File and Print Servers
According to USA Travel's security policy, all operating system patches must be kept current on all file and print servers. Therefore, the administrator has configured automatic updates to alert him to new updates to all the file and print servers' operating systems. Because the file and print servers have been configured according to the company's security policy, they are examples of hardened file and print servers.

Harden Network File and Print Servers
Procedure Reference: Harden a Windows 2000 File and Print Server

To harden Windows 2000 file and print servers:

1. Harden the operating system to remove any vulnerabilities in the file-sharing and print services.


2. Establish a regular backup schedule to protect sensitive files in the event of an attack.

3. Use NTFS permissions to secure files and folders.

a. Open Windows Explorer or My Computer.

b. Browse to the file or folder you want to secure.

c. Right-click the file or folder and choose Properties.

d. Select the Security tab and configure the appropriate NTFS permissions.

e. For a shared folder, select the Sharing tab and configure the appropriate share permissions. The effective permission for a network user is the more restrictive of the share permission and the NTFS permission, so grant the minimum that the role needs at both levels.

4. Remove administrative shares as specified in your security policy.

a. In Regedt32, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer. Select the Parameters key.

b. Choose Edit→Add Value, and type AutoShareServer in the Value Name text box. (On Windows 2000 Professional the value is named AutoShareWks.)

c. From the Data Type drop-down list, select REG_DWORD, and click OK.

d. In the DWORD Editor dialog box, in the Data text box, type 0. Click OK.

e. Reboot the computer and verify that the administrative shares have been removed. This value stops the drive shares (C$, D$, and so on) and ADMIN$ from being re-created at startup; the IPC$ share is still created, because the Server service needs it for named-pipe connections.

5. Force SMB signing to prevent man-in-the-middle attacks.

a. From the Administrative Tools menu, choose Domain Controller Security Policy.

b. Expand Windows Settings, Security Settings, and Local Policies, and select Security Options.

c. Enable the Digitally Sign Client Communication (Always) policy. This setting covers connections the computer makes as a client; for the shares the computer itself hosts, also enable Digitally Sign Server Communication (Always). Either (Always) setting refuses sessions with a peer that cannot sign, so confirm that all clients support signing before you require it.

6. Encrypt sensitive files and folders using the Encrypting File System (EFS).

a. In Windows Explorer or My Computer, right-click the file or folder you want to encrypt and choose Properties.

b. On the General page of the property sheet, click Advanced.

c. Check Encrypt Contents To Secure Data. Remember that EFS protects data at rest on the disk; an authorized user's reads are decrypted and sent over SMB in the clear, and the recovery agent's private key must itself be protected.

7. Restrict physical access to printers that may contain sensitive documents.


ACTIVITY 2-11
Hardening File and Print Servers

Data Files:

• SecureSystems.doc

Scenario:
One of the next tasks as the bank's security administrator is to make sure your file and print servers are secure. With the current Windows NT Server systems, the bank's IT department has had problems in the past with users accessing resources that they were not supposed to have access to. There were also SMB man-in-the-middle attacks. The bank also had problems with some confidential print jobs being taken from printers. Before connecting the new Windows 2000 file and print servers to your network, you want to make sure that your file and print servers are hardened to minimize the likelihood of attacks from both internal and external users.

Although the file and print server is running on a domain controller for classroom and testing purposes, you should not use a domain controller as a file and print server, because it poses a security risk.

To prevent users from accessing information that they are not supposed to and to prevent attackers from getting data, the bank's IT department has decided to tighten permissions and implement appropriate countermeasures to prevent these attacks. As shares are created on the systems by the desktop support group, the IT department will verify that only the minimal permissions necessary are assigned. As the security administrator, your job is to implement any required system-wide security changes on all servers that will function as file and print servers. The underlying operating systems for these servers were hardened at installation time according to the general OS hardening guidelines of the organization. In some cases, you need to alter that configuration to permit the systems to function in their new roles. The IT department has provided you with a security recommendations document, SecureSystems.doc, that contains the desired security configuration information for file and print servers.

What You Do / How You Do It

1. Enable the Print Spooler service.

a. Open Computer Management.

b. In Computer Management, expand Services And Applications and select Services.

c. Double-click the Print Spooler service.

d. Set the Startup Type to Automatic and click Apply.

e. Click Start.

f. Once the service has started, click OK.


2. How can you prevent users from stealing print jobs from the printers?

3. Determine which folders are currently shared on the Windows 2000 Server.

a. In Computer Management, expand Shared Folders and select Shares.

b. When you have identified all the shares, close Computer Management.

4. What shares are currently available on the Windows 2000 server?

5. What could you do with the default administrative shares to harden the Windows 2000 server?

6. Remove the administrative shares as specified in the SecureSystems.doc file.

a. Open the \\Server100\SPlus\Student\SecureSystems.doc file and locate the File And Print Server Hardening Recommendations section.

b. From the Start menu, choose Run.

c. Enter regedt32 and click OK.

d. Expand the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters key.

e. Choose Edit→Add Value.

f. In the Value Name text box, type AutoShareServer.


g. From the Data Type drop-down list, select REG_DWORD and click OK.

h. In the DWORD Editor dialog box, in the Data text box, type 0.

i. Click OK.

j. Close Registry Editor.

7. Verify that the administrative shares are not re-created on the next restart.

a. Reboot the computer to Windows 2000 Server. The reboot will take longer than usual.

b. Log on as Administrator.

c. Open Computer Management.

d. Expand Shared Folders and select Shares. The administrative shares, with the exception of the CD-ROM drive share and the Inter-Process Communication (IPC$) share, are no longer present.

e. Close Computer Management.


8. Force SMB signing for all communications as specified in the SecureSystems.doc file.

With this setting enabled, users can print, but will not be able to see the print queue.

a. From the Start menu, choose Programs→Administrative Tools→Domain Controller Security Policy.

Don't choose Domain Security Policy.

b. Expand Windows Settings, Security Settings, and Local Policies, and select Security Options.

c. Verify that the Digitally Sign Client Communication (Always) policy is Enabled.

d. Close Domain Controller Security Policy.

Lesson 2 Follow-up
In this lesson, you hardened your internal servers and the services they provide. Because your internal systems hold much of your organization's sensitive data, it's important to make sure they're as secure as possible.

1. Does your organization stay current with all the latest operating system patches? Why or why not?

2. Which operating system do you think is most secure: Windows 2000, NetWare 6, or Solaris 9? Why?

LESSON 3
Hardening Internetwork Devices and Services

Lesson Objectives:
In this lesson, you will harden internetwork devices and services.

You will:

• Harden internetwork connection devices.

• Harden DNS and BIND servers.

• Harden Web servers.

• Harden FTP servers.

• Harden NNTP servers.

• Harden email servers.

• Harden conferencing and messaging servers.

Lesson Time: 5 hour(s), 30 minutes

Introduction
Securing internal systems is like putting your valuables in a safe inside your home. It makes it harder for an intruder to abscond with your jewelry. Ideally, however, you'd like to prevent that intruder from getting inside your house at all, by locking the doors, installing alarms, planting bushes, or getting a barking dog. Securing the perimeter of your network is as important as securing the perimeter of your home, if you want to keep the bad guys from getting in in the first place.

TOPIC A
Harden Internetwork Connection Devices
Tightening the perimeter of your network means increasing security anywhere that traffic can flow between your internal systems and external systems, whether the external systems are on the Internet or on other private networks. At the most basic level, this means making sure that only desired network packets can make it past the connection devices, such as routers, firewalls, and gateways, that create the physical connection between your private networks and the outside world. In this topic, you'll learn how to secure the internetwork connection devices that sit between your valuable private systems and the attackers that want to get at them.

Attackers that attack from outside your private network have a fundamental challenge: they have to get their packets onto your private network before they can start doing anything bad to your systems. That means that they have to get their traffic past your border guards: your routers and other internetwork connection devices. If you secure these devices properly, your legitimate business communications can go through, but attackers' communications will be stopped at the border.

Internetwork Device Vulnerabilities
Like every computer in your network, the network connection devices in your network have their own set of security vulnerabilities. You'll often find that the routers you have connecting your network to the Internet are some of the most frequently scanned systems you have and are favorite targets, especially for DoS/DDoS attacks. The following table lists some examples of vulnerabilities in your routers, bridges, and switches that attackers are looking to exploit.

Vulnerability Description
SNMP SNMPv1 uses clear text to send SNMP community names, which can be used to gain administrative access and take over network connection devices. SNMPv2c still sends community names in clear text; only SNMPv3 adds message authentication and encryption. Use SNMPv3 where the device supports it, keep community names secret, and restrict which management stations may query the device. If you have no need for SNMP, disable it.

Telnet Because Telnet communications are unencrypted, an attacker who can sniff the session can read the login credentials and can more easily hijack the session. Use SSH for device management where it is available.

Router configuration files If you improperly store copies of router configuration files on unsecured servers, attackers could gain administrative access to the devices. Configuration files typically contain SNMP community names and device passwords.

Finger An attacker can attempt to determine the type of router you're using by sending a request to this service. Once the attacker knows the type of device, he can work on known exploits for that type of device.

Small servers (for example, echo on port 7 and chargen on port 19) These rarely-used Cisco services could be exploited for a CPU DoS attack if bombarded with requests from an attacker.

Improperly configured IP filters Improperly configured incoming and outgoing IP filters could lead to an attacker either gaining entry into your network using a spoofed IP address (incoming) or using your network to launch a DoS attack (outgoing).

Default ports An attacker can learn the type of device by trying to attach to the manufacturer's default ports. Again, once the type of device is discovered, the attacker can exploit its known vulnerabilities.

IP source routing Using source-routed packets with spoofed source addresses, an attacker can use an internal host to gain information about the internal network and open ports on internal systems.

ICMP redirect packets Attackers can use ICMP redirects in two ways: to flood a router and cause a DoS attack by consuming memory resources; and to reconfigure routing tables using forged packets.

RIPv1 RIPv1 has no authentication at all, so any host on the segment can send routing updates and manipulate the routing table, possibly to cause a DoS attack or to redirect traffic. RIPv2 adds authentication (plaintext or MD5), which helps only if it is actually enabled.

See www.cisco.com for more information on small servers.

Hardened Internetwork Connection Devices
Definition:

A hardened internetwork connection device is an internetwork connection device that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened internetwork connection device may include some or all of the following security configuration settings:

• A hardened operating system to close security holes in services such as Telnet or Finger, or the Cisco small servers.

• Secret SNMP community names to prevent attackers from using the names to gain administrative access to the device. Where the device supports it, upgrade to SNMPv3, which authenticates and encrypts management traffic; SNMPv2c does not.

• Secured router configuration files to keep configuration details secret.

• Appropriate ingress and egress filters to help prevent IP spoofing (incoming) and DoS (outgoing) attacks.

• Disabled or reconfigured default ports to prevent attackers from trying to attach to manufacturers' default ports.

• Disabled IP source routing to prevent attackers from gaining information about the internal network.

• Blocked ICMP redirects to prevent DoS attacks and attacks against routing tables.

• RIPv2 with authentication enabled, to help prevent unauthorized changes to routing tables.

Example: USA Travel's Border Routers
As part of the security policy, all border routers at all USA Travel branch offices are required to have IP source routing disabled and must be configured to drop incoming packets with internal source IP addresses. The network administrator in the Seattle branch office has configured his border router to drop incoming IP packets with internal source addresses, and he has disabled IP source routing. Because this router has been configured according to USA Travel's security policy, it can be considered hardened.

Harden Internetwork Connection Devices
Procedure Reference: Harden a Windows 2000 Router

To harden a Windows 2000 router:

1. Harden the operating system to close security holes in operating system services.

2. Disable SNMP if not in use. If in use, upgrade to SNMPv3 where possible, and keep SNMP community names secret.

3. Physically secure router configuration files to keep configuration details secret.

4. Configure appropriate ingress and egress filters to help prevent IP spoofing (incoming) and DoS (outgoing) attacks.

5. Disable or reconfigure default ports to prevent attackers from trying to attach to manufacturers' default ports.

6. Disable IP source routing to prevent attackers from gaining information about the internal network.

7. Block ICMP redirects to prevent DoS attacks and attacks against routing tables.

8. Implement RIPv2 to enable a greater level of security and authentication.

a. In Routing And Remote Access, expand IP Routing and select the General object.

b. Right-click the General object and choose New Routing Protocol.

c. Select RIP Version 2 for Internet Protocol and click OK.

d. Right-click the RIP object and choose New Interface. Select the internal interface, modify any properties, and click OK.

9. Configure RIP peer security to prevent updates from unauthorized routers.

a. In Routing And Remote Access, under IP Routing, open the properties of the RIP object and select the Security tab.

b. Select Accept Announcements From Listed Routers Only.

c. Add the addresses of the desired peer routers and click OK.
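
The filter decisions that steps 4, 6, 7 and 9 describe, written out as one piece of runnable logic so you can see which packets each rule stops. This is an added example for this edition, not part of the original course and not how Windows 2000 Routing and Remote Access implements its filters; the internal address ranges, the bogon list, the peer router address and the sample packets are assumptions constructed for the example.

```python
"""Border-router filter logic: anti-spoofing ingress/egress filters, source-route
rejection, ICMP-redirect blocking, small-server blocking and RIP peer filtering.

Added example. The address ranges, peer router address and sample packets are
assumptions constructed for illustration, not a real network's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed address plan: these prefixes live behind the router's internal interface.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Prefixes that must never appear as a source on the external interface.
BOGON_NETS = [ipaddress.ip_network("0.0.0.0/8"),
              ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("169.254.0.0/16")]
# Assumed: the only router whose RIP announcements are accepted (RIP peer security).
RIP_PEERS = {"10.0.0.2"}
RIP_PORT = 520
SMALL_SERVER_PORTS = {7, 9, 13, 19}      # echo, discard, daytime, chargen
ICMP_REDIRECT = 5


@dataclass
class Packet:
    iface: str                       # interface it arrived on: "external" or "internal"
    src: str
    dst: str
    proto: str = "tcp"               # "tcp", "udp" or "icmp"
    dport: int = 0
    source_routed: bool = False      # an LSRR/SSRR IP option is present
    icmp_type: Optional[int] = None


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("drop", reason) or ("accept", "") for one packet."""
    src = ipaddress.ip_address(pkt.src)

    # Step 6: never honour source-routed packets, from either side.
    if pkt.source_routed:
        return ("drop", "ip-source-route")

    if pkt.iface == "external":
        # Step 4, ingress: an outside packet claiming an inside source is spoofed.
        if is_internal(pkt.src):
            return ("drop", "ingress-spoofed-internal-source")
        if any(src in net for net in BOGON_NETS):
            return ("drop", "ingress-bogon-source")
        # Step 7: a forged redirect would rewrite the routing table.
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_REDIRECT:
            return ("drop", "icmp-redirect")
        # Small servers (echo, chargen, ...) are only useful to an attacker for CPU DoS.
        if pkt.proto in ("tcp", "udp") and pkt.dport in SMALL_SERVER_PORTS:
            return ("drop", "small-server")
    else:
        # Step 4, egress: an inside packet with an outside source is spoofed; letting it
        # out makes this network the launch point for a DoS against someone else.
        if not is_internal(pkt.src):
            return ("drop", "egress-spoofed-external-source")

    # Step 9: RIP announcements only from listed peers.
    if pkt.proto == "udp" and pkt.dport == RIP_PORT and pkt.src not in RIP_PEERS:
        return ("drop", "rip-unlisted-peer")

    return ("accept", "")


# Constructed sample traffic.
SAMPLES = [
    Packet("external", "10.1.2.3", "10.0.0.5", "tcp", 445),                        # spoofed inside source
    Packet("external", "203.0.113.9", "10.0.0.5", "tcp", 80, source_routed=True),
    Packet("external", "203.0.113.9", "10.0.0.1", "icmp", icmp_type=ICMP_REDIRECT),
    Packet("external", "203.0.113.9", "10.0.0.1", "udp", 19),                      # chargen
    Packet("internal", "198.51.100.7", "203.0.113.9", "udp", 53),                  # egress spoof
    Packet("external", "203.0.113.9", "10.0.0.1", "udp", RIP_PORT),                # RIP from a stranger
    Packet("internal", "10.0.0.2", "10.0.0.1", "udp", RIP_PORT),                   # RIP from the listed peer
    Packet("external", "203.0.113.9", "10.0.0.5", "tcp", 80),                      # ordinary web request
]


def run_samples() -> list:
    return [filter_packet(p) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{pkt.iface:8} {pkt.src:>15} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport:<4} {verdict} {reason}")
```

Ingress and egress filtering are the same test applied from opposite sides: a packet arriving from outside may not claim an inside source, and a packet leaving may not claim an outside one. The RIP check runs after both, because a legitimate peer's announcement still has to arrive on the right interface with a plausible source before its address is even worth looking up.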

VLAN and NAT Devices
Devices other than routers, such as VLAN and NAT devices, can also present targets for attackers.

• Improperly configured VLAN devices and associated switches give attackers the opportunity to redirect packets from one VLAN to another (VLAN hopping) and to capture those packets and the data they contain.

• Relying solely on NAT devices (without a properly configured firewall) can expose your network to attack if the attackers are able to gain access through any open ports in the device. In addition, NAT does not hide host information, which means attackers could gain access to host-specific information and then use known exploits to compromise the device. Also, improperly configured NAT devices may be vulnerable to IP spoofing attacks.

ACTIVITY 3-1
Hardening a Windows 2000 Router

Scenario:
One of the next tasks as the bank's security administrator is to make sure your routers are secure. In the past, the bank has had problems with attackers accessing services and data that they were not supposed to have access to through the routers. Before connecting the new Windows 2000 routers behind a firewall on your network, you want to make sure that your routers are hardened to minimize the likelihood of attacks, especially DDoS and spoofing attacks, from external users. After you configure the routers, the bank's desktop team will test the connections from laptops to make sure the security is not too restrictive.

To prevent users from accessing information that they are not supposed to and to prevent attackers from getting data, the bank's IT department has decided to create a demilitarized zone (DMZ) by implementing two software-based routers using Windows 2000 Routing and Remote Access Server. These routers will be installed behind the existing hardware-based firewall, which has already been hardened. To help ensure security on these software-based routers, they will run RIPv2 and will communicate with each other securely by RIP peer security. The bank also wants to implement packet filters to drop incoming external packets with internal private IP addresses as the source addresses to prevent attackers from spoofing internal IP addresses on the private subnet.

What You Do How You Do It

1. Install RIP version 2 for IP as a new routing protocol on the Routing and Remote Access Server, using the Local Area Connection as the RIP protocol interface.

a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

b. Expand your server object and expand IP Routing.

c. Select and right-click the General object, and choose New Routing Protocol.

d. In the Routing Protocols list, select RIP Version 2 For Internet Protocol and click OK.

e. Under IP Routing, select and right-click the RIP object and choose New Interface.

f. In the Interfaces list, select Local Area Connection and click OK. The RIP Properties – Local Area Connection Properties sheet opens. You will use the default settings on the General page.

You can use the Help button to investigate the various property settings.

g. Select the Advanced tab. You will use the default Advanced settings.

h. Click OK.

2. Why would you not check Activate Authentication in the General properties for RIP on the Local Area Connection interface?

3. What type of attacks do the default Advanced settings for RIP on the Local Area Connection interface protect against?

4. Modify the RIP protocol's security properties with the appropriate peer router settings.

a. In the Tree pane, right-click the RIP object and choose Properties.

b. Select the Security tab.

c. Select Accept Announcements FromListed Routers Only.

d. In the Router IP Address text box, enteryour partner’s IP address.

e. Click Add.

f. Click OK.

g. Close Routing and Remote Access.

5. What is the security benefit of the peer security feature that you have just enabled?

6. What basic operating-system hardening procedures will also protect a software-based router such as this?

7. This software-based router does not have a live connection to another subnet. If the computer was a true multi-homed router with multiple network cards, what additional hardening steps should you take on this router to accomplish the additional security goals in the scenario?

TOPIC B
Harden DNS and BIND Servers
Once you've hardened the devices that provide the communications channel outside your network, as you did in Topic 3A, you can turn your attention to securing the services you provide to users across that channel. Because DNS provides name resolution, DNS queries and responses are going to be some of the most common elements in network communications between your internal systems and the Internet. So, in this topic, we'll start the process of locking down network services by hardening DNS servers.

Without DNS name resolution, the Internet would be almost unusable. Unfortunately, DNS servers also can provide unscrupulous attackers with too much useful information about your business and its systems. Also, if your DNS infrastructure goes down, so can your business. You need to make sure your DNS servers are secure from attack and are configured to give out information only to authorized parties.

DNS and BIND Vulnerabilities
In addition to the security threats we've already covered, there are some threats that are unique to the DNS service and to UNIX-based Berkeley Internet Name Domain (BIND) servers. Those threats are listed in the following table.

Vulnerability Description
DNS spoofing An attacker manipulates DNS records to send DNS clients to fraudulent Web sites where the attacker can record data transmissions.

DNS hijacking An attacker gains administrative access to a DNS server and modifies or deletes records, which can eliminate a company's Internet presence until the problem is found and resolved.

Cache corruption (aka cache poisoning or cache pollution) Some Microsoft DNS servers are vulnerable to malformed queries, or accept malicious data from a remote name server, which may result in corruption of the DNS cache and can result in a DoS attack. It can also allow an attacker to redirect the Web sites that use the vulnerable DNS. Any caching resolver that accepts records it did not ask for, from servers that are not authoritative for them, can be poisoned in this way.

Input validation On a BIND server, specially formatted user input, when improperly validated, may be used to execute code with the permissions of the BIND user.

Environment variables A specially executed query may expose environment variables via the program stack on a BIND server. This can provide potentially sensitive information that may result in further attacks.

Hardened DNS Servers
Definition:

A hardened DNS server is a DNS server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened DNS server may include some or all of the following security configuration settings:

• A hardened operating system to prevent attackers from exploiting OS vulnerabilities to attack the DNS service.

• A regular backup schedule to preserve the DNS database in case of attack.

• Limited administrative access to help prevent DNS hijacking.

• Required authentication on InterNIC domain records to help prevent DNS hijacking.

• Active Directory-integrated zones on internal Windows 2000 DNS servers with secure dynamic updates to prevent DNS hijacking, DNS spoofing, and cache corruption.

• Up-to-date security fixes for the DNS service to help prevent malicious code attacks that could result from improper input validation or that can expose environment variables to an attacker.

Example: USA Travel's DNS Servers
In the corporate security policy, all internal Windows 2000 DNS servers at USA Travel's corporate offices are required to have Active Directory-integrated zones and secure dynamic updates enabled. The DNS administrator has installed DNS on all domain controllers, created Active Directory-integrated zones, and enabled secure dynamic updates on those zones. Because the DNS servers have been configured according to USA Travel's security policy, they can be considered hardened.

Harden DNS and BIND Servers
Procedure Reference: Harden a Windows 2000 DNS Server

To harden a Windows 2000 DNS server:

1. Harden the operating system to prevent attackers from exploiting OS vulnerabilities to attack the DNS service.

2. Establish a regular backup schedule to preserve the DNS database in case of attack.

3. Limit the number of administrators and keep user names and passwords secure to help prevent a hijacking attack.

4. Require authentication for changes to InterNIC domain records to help prevent DNS hijacking attacks.

5. Switch your domain to Native mode and change DNS zones to Active Directory-integrated, and enable secure dynamic updates to prevent DNS hijacking, DNS spoofing, and cache corruption. Secure dynamic updates are available only on Active Directory-integrated zones, not on standard primary zones. Note that the switch to Native mode cannot be reversed and excludes any remaining Windows NT 4.0 backup domain controllers.

a. Open Active Directory Users And Computers.

b. Right-click your domain and choose Properties.

c. Click Change Mode. Click Yes to confirm the change.

d. Open DNS.

e. Right-click the DNS zone you want to change and choose Properties.

f. In the Type section, click Change.

g. Select Active Directory-integrated and click OK.

h. In the zone's Properties dialog box, from the Allow Dynamic Updates drop-down list, select Only Secure Updates.

6. Secure the DNS cache against pollution.

a. In DNS, right-click the DNS server object and choose Properties.

b. Select the Advanced tab.

c. Check Secure Cache Against Pollution. With this option on, the server discards resource records in a response whose names lie outside the domain of the server that was queried, so a remote name server cannot plant records for other people's domains in your cache.

7. Install up-to-date security fixes for the DNS service to help prevent malicious code attacks or other attacks that target the service's vulnerabilities.
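
What step 6's Secure Cache Against Pollution option does, as an added example that is not part of the course and not Microsoft's implementation: a response is split into records inside the queried zone, which may be cached, and everything else, which is dropped. The zone names, addresses and the constructed poisoned response are assumptions made for the example.

```python
"""Cache-pollution protection: accept a resource record from a response only if
its name falls inside the zone the answering server was asked about (its
"bailiwick"). Added illustration of the rule behind the Windows 2000
"Secure Cache Against Pollution" option; the zone names, addresses and the
constructed response below are assumptions for the example.
"""
from typing import Dict, List, Tuple

# A resource record as (owner name, type, rdata, ttl).
RR = Tuple[str, str, str, int]
Cache = Dict[Tuple[str, str], Tuple[str, int]]


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of zone (label-aligned, so
    'notexample.com' is not inside 'example.com')."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def filter_response(queried_zone: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response into records safe to cache and records to discard.

    queried_zone is the zone of the server the resolver sent the query to,
    known from the delegation it followed; nothing in the reply is trusted
    to say which zone it speaks for.
    """
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr[0], queried_zone) else rejected).append(rr)
    return accepted, rejected


def cache_response(cache: Cache, queried_zone: str, records: List[RR]) -> List[RR]:
    """Insert only in-bailiwick records into the cache; return what was discarded."""
    accepted, rejected = filter_response(queried_zone, records)
    for name, rtype, rdata, ttl in accepted:
        cache[(normalize(name), rtype)] = (rdata, ttl)
    return rejected


# Constructed reply from example.com's name server to a query for www.example.com.
# The last two records are the poison: an unrelated bank's name pointed at an
# attacker-controlled address, which a resolver without the check would cache
# and then hand to every client that asks for the bank.
POISONED_RESPONSE: List[RR] = [
    ("www.example.com.", "A", "192.0.2.10", 3600),
    ("example.com.", "NS", "ns1.example.com.", 86400),
    ("ns1.example.com.", "A", "192.0.2.53", 86400),
    ("www.bank.example.net.", "A", "198.51.100.66", 86400),
    ("bank.example.net.", "NS", "ns1.example.com.", 86400),
]


def demo() -> Cache:
    cache: Cache = {}
    rejected = cache_response(cache, "example.com", POISONED_RESPONSE)
    for name, rtype, rdata, _ in rejected:
        print(f"discarded out-of-bailiwick {rtype} {name} -> {rdata}")
    return cache


if __name__ == "__main__":
    for key, value in demo().items():
        print("cached", key, value)
```

The check keys off the zone the resolver chose to query, taken from the delegation it followed, never off anything in the reply, so a response cannot widen its own bailiwick. The records for example.com's own name server are accepted because the resolver needs them to follow delegations; the two records for bank.example.net are exactly the kind of planted data the table's cache-corruption row describes.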

ACTIVITY 3-2
Hardening DNS

Data Files:

• SecureSystems.doc

Scenario:
One of the next tasks as the bank's security administrator is to make sure your DNS servers are secure. In the past, when the bank managed its own DNS, without assistance from the ISP, it has had problems with DNS hijack attempts, where attackers redirected users to a fake bank Web page. All Windows NT domain controllers and DNS servers at the bank have now been upgraded to Windows 2000. Before connecting the new Windows 2000 DNS Server to your network, you want to make sure that your DNS server is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from hijacking DNS records, the bank's IT department has decided to implement a secure DNS server.

The IT department has designed a security deployment plan for all new systems, including the Windows 2000 DNS Servers, and you as the security administrator need to make sure the plan is implemented. The IT department has already established a DNS solution with the ISP for other DNS servers running BIND, so you do not have to configure those servers. Using the deployment design document SecureSystems.doc, implement the changes on your Windows 2000 DNS server.

What You Do How You Do It

1. As the domain administrator, switch Active Directory to Native mode.

a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users And Computers.

b. Right-click the domain#.internal object and choose Properties.

c. Click Change Mode.

d. Click Yes in the message box to confirm the mode switch.

e. Click OK twice.

f. Close Active Directory Users And Computers.

2. Change DNS zones to Active Directory-integrated.

a. From the Start menu, choose Programs→Administrative Tools→DNS.

b. Expand your DNS Server object and expand the Forward Lookup Zones folder.

c. Select and right-click the domain#.internal DNS zone, and choose Properties.

d. In the Type section, click Change.

e. Select Active Directory-integrated and click OK.

f. Click OK to confirm the change.

g. Click Apply to apply the change and keep the property sheet open.

3. Enable Secure Dynamic Updates in DNS.

a. In the domain#.internal DNS zone property sheet, from the Allow Dynamic Updates drop-down list, select Only Secure Updates.

b. Click OK.

4. Secure the DNS cache against pollution.

a. Right-click the DNS server object and choose Properties.

b. In the property sheet for your DNS server, select the Advanced tab.

c. Verify that Secure Cache Against Pollution is checked and click Cancel.

d. Close DNS.

TOPIC C
Harden Web Servers
In Topic 3B, you hardened the DNS servers that provide name resolution between your internal systems and the Internet. One of the most common reasons to provide DNS services is so that outside users can access your company's own Web sites. Because nearly every company in today's business environment has a Web presence, many security specialists will have the responsibility of securing Web services. In this topic, you'll perform the steps you need to secure your Web servers.

A functioning Web site is a major part of your company's public persona. Most companies today wouldn't be without a Web site any more than they would be without a phone number. Hacking or defacing an informational Web site can be a terrible embarrassment for your company. But even beyond that, for many companies, a Web presence is essential to how they do business; in e-commerce, the Web site is the business. If the Web site goes down, so does your ability to take orders, respond to customer service requests, and ship products. Therefore, your Web site is one of your company's most important assets. It's your responsibility to do everything you can to protect it from attack.

Web Server Authentication Methods
While every organization has a public Web site with information that's freely available to anyone who wants it, there are often situations when you want to restrict access to sensitive information and allow only trusted users to read and modify it. In such situations, you must have a method for ensuring that only certain users can access that data, which means you need to have a way to authenticate users and then control their access to specific files and folders. Authenticating users and providing access to Web resources on the Internet is much like authenticating users in the local network and allowing them access to local network resources. The difference is it happens across the Internet and not on the local network.

When you authenticate users you want to ensure they're who they say they are and provide some method for securely transferring the user name and password and eventually data once the user is authenticated. When it comes to controlling access to specific files, folders, or directories, you can employ access control lists on your Web server in the same way you would on any other server in your network. To build access control lists, you can use accounts that are local to the Web server, such as a local SAM database on a Windows 2000 Web server, or you can use a larger enterprise-wide directory service, such as Active Directory or NDS eDirectory. You can use both directory services to set permissions on specific files and folders to control access to private or sensitive data on your Web server.

There are several methods available for authenticating users and protecting data transfer, depending on which Web server version you use. These methods are described in the following table.

Don't forget that you must still configure access control lists to provide user access to files; this step is separate from configuring these Web security features.

Security Method Description
Address-based authentication Authentication based on the host's IP address. As we've seen, because of its vulnerability to IP spoofing, you should avoid the use of address-based authentication.

Anonymous authentication As the name states, anonymous access means users don't have to enter a user name or password to gain access to the files on your Web server. You should generally reserve this type of access for public Web sites.

Basic authentication Users are prompted to provide a user name and password, which is authenticated against a local accounts database. The user name and password are sent base64-encoded, which is equivalent to clear text, making them vulnerable to network sniffers. Basic authentication should be combined with Secure Sockets Layer (SSL) to encrypt the credentials in transit.

Digest Similar to basic authentication, except that the password itself is never sent: the client sends an MD5 hash (the digest) computed over the user name, realm, password, a server-supplied nonce, and the request, so a sniffer does not learn the password, and the fresh nonce limits replay. Digest works through proxy servers and firewalls. It protects the password from casual sniffing but is not strong by modern standards, since the captured digest of a weak password can be brute-forced offline. In Windows 2000, Digest authentication requires user passwords to be stored using reversible encryption (for example, when Instant Messaging uses Digest authentication against the domain), because the domain controller must have the clear-text password to compute the digest. Reversible storage is close to storing clear-text passwords and is itself a security risk, so weigh it against the benefit.

Integrated Windows authentication (in Windows 2000 networks) Uses Kerberos version 5 with Active Directory or the NT challenge/response authentication method (using a password hash). Does not work through a proxy server, so it's best for intranet use in a Microsoft network. Requires IE 2.0 or higher or a browser that supports HTTP 1.1.

Certificates Certificates can be used for access in place of or as a supplement to user name and password. A server certificate is required for SSL; client certificates are optional and let the server authenticate the user without a password.
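
The difference between Basic and Digest on the wire, shown as an added example (not code from the course or from IIS): what a sniffer recovers from each Authorization header, and how a server checks a Digest response from a stored HA1 without ever handling the password. The user, realm, nonce and password are the worked values from RFC 2617 section 3.5; the qop=auth form of the computation is used.

```python
"""Basic vs. Digest authentication on the wire.

Added example, not from the course and not IIS code: what a sniffer recovers
from each Authorization header, and how a server verifies a Digest response
from a stored HA1 without ever seeing the password. Uses the RFC 2617
qop=auth, MD5 form; the user, realm, nonce and password are the worked
values from RFC 2617 section 3.5.
"""
import base64
import hashlib
import hmac
from typing import Dict, Tuple


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- Basic: the credentials are only base64-encoded, which is not protection ----

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_sniff(header: str) -> Tuple[str, str]:
    """What an eavesdropper recovers from a captured Basic header."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


# --- Digest: only a hash binding password, realm, nonce and request is sent -----

def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); this is all the server needs to keep."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str = "auth") -> str:
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str, nc: str,
                  cnonce: str, response: str) -> bool:
    """Recompute from the stored HA1 and the nonce this server issued."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo() ->Dict[str, object]:
    user, realm, password = "Mufasa", "testrealm@host.com", "Circle Of Life"
    method, uri = "GET", "/dir/index.html"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"

    basic = basic_header(user, password)
    ha1 = digest_ha1(user, realm, password)
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    wrong_resp = digest_response(digest_ha1(user, realm, "wrong"), method, uri, nonce, nc, cnonce)
    return {
        "basic_header": basic,
        "sniffed_from_basic": basic_sniff(basic),           # the password, verbatim
        "digest_response": resp,                            # 32 hex chars, no password
        "server_accepts": server_verify(ha1, method, uri, nonce, nc, cnonce, resp),
        # Replaying the captured response against a fresh server nonce fails.
        "replay_against_new_nonce": server_verify(ha1, method, uri, "0123456789abcdef", nc, cnonce, resp),
        # A guessed password yields a different HA1 and so a different response.
        "wrong_password_accepted": server_verify(ha1, method, uri, nonce, nc, cnonce, wrong_resp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```

This is also why the table's reversible-encryption caveat exists: a Windows 2000 domain controller stores the NT hash (MD4 of the password), from which HA1 = MD5(user:realm:password) cannot be derived, so IIS 5.0 Digest authentication needs the clear-text password available. And because the captured response is a plain MD5 chain over known inputs, an attacker with a capture can test password guesses offline as fast as MD5 runs; the advice to wrap credentials in SSL applies to Digest as well as to Basic.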

Web Server Vulnerabilities
Like every other type of server or network device, Web servers have some vulnerabilities that are unique. The following table lists some examples of these vulnerabilities.

Because attackers are finding new ways to exploit Web servers every day, you must constantly check with your vendor for new threats and available patches.

Vulnerability Description
Format string An attacker supplies attacker-controlled text as the format argument to a format string function, such as the printf or sprintf functions in the C standard library. Format directives such as %x and %n then let the attacker read from, and write to, memory on the stack, which may allow the attacker to execute arbitrary code on the server.

Improper input validation If your Web developers have not coded proper input validation (that is, a mechanism for accepting only valid user input), attackers can send malicious code and have it executed locally on the Web server.

CGI scripts CGI scripts can provide system information to an attacker or can be used to execute commands locally on the Web server.

Execution of code outside the Web root An attacker executes files outside of the Web root. These files will generally be accessed and executed with the same permissions as the Web server. One common method is by accessing files at a URL with multiple ".." directories, to break above the Web root. For example, ../../../../Windows/System32/cmd.exe to get to the root hard disk and execute the Microsoft Windows command interpreter. Encoded forms of the same sequence (such as %2e%2e, or overlong Unicode encodings) must be decoded and canonicalized before the path check, or the check is bypassed.

Web server applications Web servers running applications (for example, servers using Active Server Pages (ASP), Internet Server Application Programming Interface (ISAPI), PHP (a recursive acronym that stands for PHP: Hypertext Preprocessor), Practical Extraction and Report Language (Perl), and Java 2 Platform Enterprise Edition (J2EE)) are more susceptible to attacks that exploit weaknesses in these technologies. Such servers may also access databases, further opening the window for potential exploits.

Weak authentication User name and password are sent across the Internet in clear text, which makes them particularly vulnerable to eavesdroppers and sniffers.

Clear text transmissions Exchange of sensitive information in clear text is a perfect target for an attacker.

HTML source code Viewing a Web page's source code can reveal data about a company that an attacker can later use for another type of attack.
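
The "multiple .." attack from the table beside the path check that stops it, as an added example (not code from the course or from IIS). The web root and the request paths are assumptions constructed for the example; posixpath is used so the result is identical on any platform.

```python
"""Directory traversal: the "multiple .." vulnerability beside a hardened path
check. Added example, not code from the course or from any web server; the
web root and the request paths are assumptions constructed for illustration.
posixpath is used so the result is the same on any platform.
"""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"       # assumed document root


def resolve_vulnerable(url_path: str) -> str:
    """Naive join: whatever the client sends is appended to the web root, so
    '..' segments walk above it and the operating system resolves the escape."""
    return WEB_ROOT + "/" + url_path.lstrip("/")


def resolve_hardened(url_path: str) -> Optional[str]:
    """Decode, canonicalize, then require the result to stay under WEB_ROOT."""
    decoded = unquote(url_path)
    if "%" in decoded or "\x00" in decoded:       # double encoding or NUL truncation
        return None
    decoded = decoded.replace("\\", "/")          # Windows servers also treat '\' as a separator
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


# Constructed requests: two legitimate, the rest variations of the escape.
REQUESTS = [
    "/index.html",
    "/images/../index.html",                           # legal: stays inside the root
    "/../../../../Windows/System32/cmd.exe",           # the attack from the table above
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",                # URL-encoded dots
    "/%252e%252e/etc/passwd",                          # double-encoded dots
    "/..\\..\\..\\Windows\\System32\\cmd.exe",          # backslash separators
    "/index.html%00.jpg",                              # NUL byte to fool an extension check
]


def compare() -> List[Tuple[str, str, Optional[str]]]:
    """(request, what the naive server would open, what the hardened one allows)."""
    return [(req, resolve_vulnerable(req), resolve_hardened(req)) for req in REQUESTS]


if __name__ == "__main__":
    for req, naive, safe in compare():
        print(f"{req:42} naive={naive:58} hardened={safe}")
```

The order matters: decode once, refuse anything that still looks encoded, normalize, and only then compare against the root. Comparing before normalizing lets ".." through; normalizing before decoding lets %2e%2e through; and a prefix check without the trailing separator would accept a sibling directory such as /var/www/html2.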

Hardened Web Server
Definition:

A hardened Web server is a Web server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened Web server may include some or all of the following security configuration settings:

• A hardened operating system to prevent attackers from exploiting the operating system to attack the Web server service.

• An auditing and logging strategy to track suspect activity on a Web server.

• The latest Web server patches and fixes to protect against programming errors that may cause buffer overflows or allow attackers to execute code on the Web server.

• Appropriate access controls on Web sites and Web data files to prevent malicious code attacks.

• Limited script execution permissions to prevent malicious code attacks.

• Limited virtual directories to remove potential targets for attack.

• Disabled unnecessary Web services and applications to prevent attackers from exploiting the services and applications to gain access to the Web server.

• Strong authentication to prevent sensitive data, such as passwords, from being sent across the Internet in clear text.

• Encrypted communications where appropriate to prevent sensitive data from being transmitted in clear text.

• Clean HTML source code that does not reveal any confidential information.

Example: USA Travel's Web Server
USA Travel's corporate policy requires any Web servers to have a hardened operating system and the latest Web server security fixes. The Web administrator has hardened the Windows 2000 operating system on the Web server, and has configured automatic update notification to stay on top of any new Windows 2000 security fixes. She's also installed the latest IIS 5.0 security patches, and regularly scans Microsoft's site for news on new security threats. Because the Web server is configured according to the security policy, it can be considered hardened.

Microsoft IIS Lockdown Tool
Microsoft has created a utility called the IIS Lockdown tool, which is freely downloadable from their Web site, that you can use to automate the process of hardening an IIS 4.0 or IIS 5.0 Web server running on Windows NT Server 4.0 or Windows 2000 Server. The IIS Lockdown tool uses templates, much like Windows 2000 and Windows XP security templates, to apply a security configuration to your IIS server based on the role the server is going to play and the type of software that's installed. The wizard will apply a security configuration that matches the role you've selected and enables the software to function properly, but will disable services and lock down settings that aren't explicitly necessary for the role and software you've chosen.

For more information on hardening IIS, visit: www.microsoft.com/technet/security/tools/ChkList/wsrvSec.asp.

As you work through the wizard, you can use the pages shown in the following table to configure your IIS settings.

Page Description
Select Server Template You can select the role that the server will play in your network. These roles include Small Business Server, Proxy Server, BizTalk Server, Static Web Server, and Server That Does Not Require IIS. Which role you choose will determine which settings are configured and which services are enabled or disabled. You must check View Template Settings on this page to see the next three pages.

LESSON 3

Security+ A CompTIA Certification112

Page 152: Comp Ti a Security

Page: Internet Services
Description: You can enable or disable Web Service (HTTP), File Transfer Service (FTP), Email Service (SMTP), and News Service (NNTP). You can also choose to remove a specific service completely. The template you choose on the previous page determines which services are selected by default. You can customize the default depending on what services you need.

Page: Script Maps
Description: You can enable or disable support for specific script maps, including .asp, .shtml, and .htr.

Page: Additional Security
Description: You can remove selected virtual directories, set file permissions for anonymous users on specific utilities and directories, and disable Web-based Distributed Authoring and Versioning (WebDAV). Again, depending on which template you choose at the beginning of the wizard, some or all of these options might be selected. You can customize to fit your needs.

Page: URLScan
Description: You can choose to install URLScan, which is a utility that you can configure to filter out certain types of HTTP requests made to your IIS server. If requests meet certain predefined and customizable criteria, URLScan will deny the request, log the request and the reason it was denied, and present an error message to the user who made the request.

You can see more detailed information about URLScan in the IIS Lockdown tool Help files or www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp.

After you’ve completed the wizard, Microsoft recommends that you test your Web server to ensure that it provides the services that you need it to provide. If you find that the server is too secure, you can run the tool again to restore the server’s previous settings, or you can make minor adjustments in settings to meet your needs.
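What URLScan does with a request, as an added example written for this page rather than Microsoft’s own code: each request is checked against an allow-list of verbs, a deny-list of extensions and URL sequences, and a maximum URL length, and a denied request produces a log line carrying the reason. The rule names and values are constructed to resemble urlscan.ini settings, not copied from it, and the sample traffic is constructed as well.

```python
"""URLScan-style request filtering, modelled in Python (added example, not Microsoft's code)."""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class FilterRules:
    """Subset of what urlscan.ini lets you set; the values are constructed for this example."""
    allow_verbs: frozenset = frozenset({"GET", "HEAD", "POST"})
    deny_extensions: frozenset = frozenset({".htr", ".ida", ".idq", ".printer", ".exe", ".bat", ".cmd"})
    deny_url_sequences: tuple = ("..", "./", "\\", ":")
    max_url_length: int = 260


@dataclass
class Decision:
    allowed: bool
    reason: str = ""


def inspect_request(verb: str, url: str, rules: FilterRules) -> Decision:
    """Return whether the request passes the rules and, if not, why it was denied."""
    verb = verb.upper()
    if verb not in rules.allow_verbs:
        return Decision(False, f"verb {verb} not in AllowVerbs")
    if len(url) > rules.max_url_length:
        return Decision(False, f"URL longer than {rules.max_url_length} characters")
    path = urlsplit(url).path          # the query string is not subject to the path rules
    decoded = unquote(path)
    # Normalization check: a path that still changes when decoded a second time
    # was double-encoded, usually to slip a denied sequence past the checks below.
    if unquote(decoded) != decoded:
        return Decision(False, "URL is not normalized (double-encoded)")
    for seq in rules.deny_url_sequences:
        if seq in decoded:
            return Decision(False, f"URL contains denied sequence {seq!r}")
    ext = os.path.splitext(decoded)[1].lower()
    if ext in rules.deny_extensions:
        return Decision(False, f"extension {ext} is in DenyExtensions")
    return Decision(True)


def log_line(timestamp: str, client_ip: str, verb: str, url: str, decision: Decision) -> str:
    """One log record: what was requested and, for a denial, the reason."""
    status = "allowed" if decision.allowed else "denied"
    line = f"[{timestamp}] Client at {client_ip}: {verb} {url} {status}"
    return f"{line}: {decision.reason}" if decision.reason else line


def filter_requests(requests: List[Tuple[str, str, str, str]], rules: Optional[FilterRules] = None):
    """Apply the rules to (timestamp, client, verb, url) records.

    Returns the (verb, url) pairs that would be passed on to IIS and the log
    lines written for the requests that were denied.
    """
    rules = rules or FilterRules()
    allowed, log = [], []
    for timestamp, client, verb, url in requests:
        decision = inspect_request(verb, url, rules)
        if decision.allowed:
            allowed.append((verb, url))
        else:
            log.append(log_line(timestamp, client, verb, url, decision))
    return allowed, log


# Constructed sample traffic (not a real capture): two ordinary page requests
# followed by the kinds of requests the rules are there to stop.
SAMPLE_REQUESTS = [
    ("2002-10-01 09:00:01", "10.0.0.5", "GET", "/default.htm"),
    ("2002-10-01 09:00:02", "10.0.0.5", "GET", "/images/logo.gif?v=2"),
    ("2002-10-01 09:00:07", "192.0.2.17", "GET", "/docs/../private/config.txt"),
    ("2002-10-01 09:00:08", "192.0.2.17", "GET", "/default.ida"),
    ("2002-10-01 09:00:09", "192.0.2.17", "GET", "/%252e%252e/winnt.htm"),
    ("2002-10-01 09:00:10", "192.0.2.17", "TRACE", "/index.htm"),
    ("2002-10-01 09:00:11", "192.0.2.17", "GET", "/" + "a" * 300),
]

if __name__ == "__main__":
    passed, denied_log = filter_requests(SAMPLE_REQUESTS)
    print(f"{len(passed)} passed to IIS, {len(denied_log)} denied")
    for entry in denied_log:
        print(entry)
```

The double-encoded request is the case worth studying: decoded once it looks harmless, so the filter refuses anything that is still changing when decoded again instead of trusting a single pass.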

Lesson 3: Hardening Internetwork Devices and Services 113

ACTIVITY 3-3
Investigating the Microsoft IIS Lockdown Tool

Setup: The IIS Lockdown tool is on the network at \\Server100\SPlus\IIS\Lockdown.

Scenario: As you plan ways to secure your Web servers, you’ve suggested to those planning the security implementation that you use the IIS Lockdown tool to help automate the hardening process for your Web servers, which currently run Solaris 9, Windows NT 4.0 (with IIS 4.0), and Windows 2000 (with IIS 5.0). You’ve been asked to answer some questions and submit a report that outlines the benefits of the tool.

What You Do / How You Do It

1. Why use the IIS Lockdown tool?

2. Of the three Web servers you currently have, which can you use the IIS Lockdown tool to secure?

3. Why would you choose to enable URLScan?

4. True or False? You can use the IIS Lockdown tool to completely remove IIS from a server.

5. True or False? You may not make any manual changes after running the IIS Lockdown tool.

Harden Web Servers

Procedure Reference: Harden a Windows 2000 Web Server

To harden a Windows 2000 Web server:

1. Harden the operating system to prevent attackers from exploiting the operating system to attack the Web server service.

2. Enable IIS logging to track suspect activity on a Web server.

a. From the Administrative Tools menu, choose Internet Services Manager.


b. Expand the IIS server object.

c. Select and right-click the Default Web Site and choose Properties.

d. On the Web Site page, check Enable Logging.

3. Install the latest Web server patches and fixes, including the IIS Security Rollup, to protect against programming errors.

4. Run the IIS Lockdown Wizard to lock down the Web server by setting appropriate access controls, disabling unnecessary services, limiting script execution, and limiting virtual directories.

a. Run the IIS Lockdown executable.

b. In the Server Templates list, select Static Web Server.

c. Check View Template Settings and click Next.

d. Click Next three times.

e. Verify that Install URLScan Filter On The Server is checked. Click Next twice.

5. Implement strong authorization where appropriate to secure user logons to the Web server.

6. Encrypt communications with the Web server when appropriate to prevent sensitive data from being transmitted in clear text.

7. Remove confidential company information from the HTML source code on any publicly available Web pages.

ACTIVITY 3-4
Hardening a Web Server

Data Files:

• SecureSystems.doc

Setup: Data files and other resources are located on the network in \\Server100\SPlus in the following folders:

• IIS Security Rollup: \IIS\SecRollup

• IIS Lockdown Wizard: \IIS\Lockdown

• SecureSystems.doc: \Student

Scenario: You disabled the World Wide Web Publishing service until you were ready to harden IIS and deploy your Web server. Well, now you’re ready! As the bank’s security administrator you need to make sure your Web servers are secure. In the past, the bank has had problems with attackers running code on the Web servers and either bringing down the Web site or stealing information. Before connecting the new Windows 2000 IIS Servers to your network, you want to make sure that your Web server is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from compromising IIS, the bank’s IT department has decided to implement a secure static Web server. The IT department has designed a security deployment plan for the IIS servers and documented it in SecureSystems.doc. It’s your job, as the security administrator, to implement the plan.

What You Do / How You Do It

1. Uninstall Windows Service Pack 3 before beginning this activity to avoid conflicts with the IIS Security Rollup Package.

a. Open Control Panel and run Add/Remove Programs.

b. In the Currently Installed Programs list, click Windows 2000 Service Pack 3.

c. Click Change/Remove.

d. Click Yes to confirm that you want to remove the Service Pack.

e. When prompted, click OK to restart the computer. Log back on as Administrator.

2. Enable and start the World Wide Web Publishing service.

a. Open Computer Management.

b. Expand Services And Applications and select Services.

c. Double-click World Wide Web Publishing Service.

d. From the Startup Type drop-down list, select Automatic. Click Apply.

e. Click Start.

f. After the service has started, click OK.

g. Close Computer Management.


3. Enable IIS logging on the default Web site.

a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

b. Expand your IIS server object.

c. Under your server, select and right-click the Default Web Site, and choose Properties.

d. On the Web Site page, verify that Enable Logging is checked and click OK.

e. Close Internet Information Services.

4. Install the IIS Security Rollup Package.

a. Open the \\Server100\SPlus\IIS\SecRollup folder. (Now that the Server100 system has been hardened, you will need to connect to this share as the Domain100\Administrator user with a password of !Pass1234.)

b. Double-click the Security Rollup installation file.

c. In the Choose Directory For Extracted Files dialog box, type C:\secrollup and click OK.

d. In the Windows 2000 Hotfix Setup window, click Continue to stop the necessary services.

e. When prompted to reboot, click Continue and reboot the computer to Windows 2000 Server.

f. Log on as Administrator.


5. Run the IIS Lockdown Wizard with the appropriate choices to lock down the Web server.

Make sure to read the important note on the first screen regarding service packs and hotfixes.

a. Open the \\Server100\SPlus\IIS\Lockdown folder.

b. Run the IIS Lockdown file to launch the IIS Lockdown Wizard.

c. Click Next.

d. Select I Agree and click Next to accept the license agreement.

e. In the Server Templates list, select Static Web Server.

f. Check View Template Settings and click Next.

g. Click Next three times to accept the default template settings for Internet Services, Script Maps, and Additional Security.

h. Verify that Install URLScan Filter On The Server is checked and click Next twice to start the lockdown.

i. When the lockdown is complete, click View Report.

You will see errors in the report, but these relate to other services that are running on this server and do not relate to the Web server hardening.

j. After you review the report, close Notepad.

k. Click Next, and then click Finish to complete the wizard.


TOPIC D
Harden FTP Servers

In Topic 3C, you learned to harden the Web services that enable your company to share Internet information with the outside world. Another Internet service that many companies offer to facilitate two-way file sharing across the Internet is the File Transfer Protocol (FTP). In this topic, you’ll learn to secure the FTP servers running on your network.

FTP is a unique Internet protocol because you can use it not only to get file information from a server, but also to transfer files to the FTP server. For this reason, it’s a good target for an attacker who might want to introduce malicious code or other undesirable files into your network. Attackers also might want to grab user credentials from the FTP server; you’ll see how easy it is to do this in the following activity. Using the techniques in this topic can help you restrict access to your FTP server to authorized parties and limit the amount of damage attackers can do if they are able to connect.

ACTIVITY 3-5
Identifying FTP Password Vulnerabilities

Setup: You will work with a partner in this activity; both partners’ servers are running the FTP service. You can log on to the FTP servers using any user name or password. Each partner will connect to the other partner’s FTP server. Installation source files for Network Monitor Service Pack 1 are available at \\Server100\SPlus\SMS\NMext\I386.

Scenario: Part of the security deployment plan at your firm will involve hardening the FTP servers. Currently, the FTP servers are configured to accept any user name and password for authentication, and users generally log on with their Windows 2000 domain user accounts. The firm is particularly concerned with verifying that your FTP servers are not vulnerable to password eavesdropping attacks. You want to see if this is a valid concern by taking a look to see how vulnerable your FTP user names and passwords are.


What You Do / How You Do It

1. Enable the FTP service.

a. Open Computer Management, expand Services And Applications, and select Services.

b. Open the properties of the FTP Publishing Service.

c. Set the Startup Type to Automatic, click Apply, and then click Start.

d. When the service has started, close the property sheet and Computer Management.

2. Determine the MAC address of your network adapter.

a. Open a command prompt window.

b. Enter ipconfig /all. Make a note of the Physical Address value for the Local Area Connection adapter.

c. Close the command prompt window.

3. Install Network Monitor.

a. Run the \\Server100\SPlus\SMS\NMext\I386\Setup.exe file.

b. Click Next. The license agreement file automatically opens in WordPad.

c. Close WordPad.

d. Select I Accept The License Agreement and click Next.

e. Click Next to begin the installation.

f. Click Finish.


4. Begin capturing network data sent between your computer and other destinations on your local network.

a. From the Start menu, choose Programs→Administrative Tools→Network Analysis Tools→Network Monitor.

b. In the Select Default Network message box, click OK.

c. In the Select A Network dialog box, expand Local Computer and select the interface with the MAC address you identified in the previous step.

d. Click OK.

e. Maximize the Network Monitor window and the Capture window.

f. Choose Capture→Filter.

g. Double-click INCLUDE ANY <-> ANY.

h. In the Station 1 area, select the entry with a Name of LOCAL and an Address that matches your Local Area Connection’s MAC address.

i. Click OK twice.

j. Choose Capture→Start.

5. Use FTP to access the FTP server and log on as a domain user account.

a. Open a command prompt and enter ftp Server# where # is your partner’s computer number.

b. Enter Administrator as the user name and !Pass1234 as the password. You should then see a message that says, “User administrator logged in.”

c. Enter bye to disconnect your FTP session.

d. Close the command prompt.


6. Stop the capture and review the capture log.

a. Choose Capture→Stop and View. Your capture should look similar to the following screen shot.

b. After you have located a frame containing a clear-text password, close Network Monitor without saving the capture or any unsaved address database entries.

7. How did you identify the frame containing the clear-text password?

FTP Vulnerabilities

Besides the vulnerabilities covered already in this course, FTP servers have some specific vulnerabilities that are listed in the following table.

Vulnerability: Basic authentication
Description: Like Web servers, basic authentication on an FTP server passes user names and passwords in clear text.

Vulnerability: Anonymous access (blind FTP)
Description: There are no authentication or access control mechanisms that can prevent malicious activity. Additionally, a blind FTP server could be used for illegal activity; for example, it could become a warez server.

Vulnerability: Unnecessary services
Description: Extra unnecessary services running on the FTP server could provide an avenue of attack.

Vulnerability: Clear text transmissions
Description: By default, FTP data transfers are not encrypted, which leaves the data open to sniffers and eavesdroppers on the local network or across the Internet.


Vulnerability: Firewall configuration
Description: Because it’s sometimes difficult to configure communication through a firewall, such as FTP traffic, administrators may err on the side of permissiveness and open holes in their security perimeter.

Hardened FTP Server

Definition:

A hardened FTP server is an FTP server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened FTP server may include some or all of the following security configuration settings:

• A hardened operating system to prevent attackers from exploiting the operating system to attack the FTP server.

• Strong authentication to prevent user names and passwords from being transmitted in clear text and to prevent the FTP server from being used anonymously for illegal activity.

• Strict access controls to prevent anonymous access to the server.

• Unnecessary services disabled to prevent attackers from exploiting those services to attack the FTP service.

• Encrypted communications where appropriate to prevent data from being sent in clear text.

• Physical location behind a properly configured firewall.

Example: USA Travel’s FTP Server

USA Travel has one FTP server that employees and customers use to exchange data. USA Travel’s security policy requires strong authentication for the FTP server. Therefore, the network administrator for USA Travel configured digest authentication for FTP users. Because the FTP server has been configured according to USA Travel’s security policy, it is considered hardened.

Harden FTP Servers

Procedure Reference: Harden a Windows 2000 FTP Server

To harden a Windows 2000 FTP server:

1. Harden the operating system to prevent attackers from exploiting the OS to attack the FTP server.

2. Configure strong authentication to prevent clear text transmissions during user logon and to prevent anonymous access.

3. Run the IIS Lockdown Wizard to lock down the FTP server by setting strict access controls and disabling unnecessary services.

a. Run the IIS Lockdown executable.

b. In the Server Templates list, select Dynamic Web Server (ASP Enabled).

c. Check View Template Settings and click Next.


d. Check File Transfer Service (FTP) and click Next.

e. Click Next twice.

f. Verify that Install URLScan Filter On The Server is checked. Click Next twice.

4. Encrypt communications where appropriate to prevent data from being sent in clear text.

5. Put the server behind a properly configured firewall.

Secure Shell (SSH) and Secure FTP (SFTP)

Secure Shell (SSH) and Secure FTP (SFTP) are protocols for the secure remote login and transfer of data. SSH is essentially a secure replacement for the rsh application on Linux and UNIX systems. Most SSH clients also implement terminal software, similar to rlogin, allowing them to be used as a replacement for the telnet protocol for login and access of remote servers. SSH is a secure way to replace both rlogin and telnet because both rsh and telnet are non-encrypted protocols that transfer all of their information, including the login/password, over the network in plaintext. SSH uses a variety of encryption methods and the entire session, including authentication, is encrypted to ensure security.

The OpenSSH project (www.openssh.org) is currently the leading command-line open source implementation of SSH. There are two versions of SSH. The current version, Version 2, is considered to be significantly more secure than the original, SSH Version 1. SSH clients and servers are available for nearly all operating systems in a commercial or open source implementation.

SFTP is simply a secure, SSH-encrypted version of the FTP protocol. Users may also use the scp command, which is a secure, drop-in replacement for the rcp command on Linux and UNIX hosts. This command is used for transferring files over a secure SSH connection. Many SSH implementations have a corresponding SFTP implementation (and nearly all have an SCP implementation). While there are other protocols available for secure login and file transfer, including FTP over SSL and Telnet over SSL, these tools have mostly been replaced by SSH/SCP/SFTP at most installations.

The Microsoft IIS Lockdown Tool

You can use the Microsoft IIS Lockdown Tool to automate some of the FTP hardening steps. If you have previously run the Lockdown Tool to harden other services on your server, you will need to re-run the tool to undo those changes before hardening FTP.


ACTIVITY 3-6
Hardening an FTP Server

Setup: Resources are located on the network in \\Server100\SPlus in the following folder:

• IIS Lockdown Wizard: \IIS\Lockdown

Although the FTP service is running on a domain controller for classroom and testing purposes, this is a security risk.

Scenario: National Bank is preparing to deploy FTP servers on the network on top of dynamic Web servers. The IT department has enabled FTP on your Windows 2000 Server; now, as the bank’s security administrator, you need to make sure the FTP server is secure. In the past, the bank has had problems with users accessing files they should not have had access to. Before connecting the new Windows 2000 FTP Server to your network, you want to make sure that your FTP server is hardened to minimize the likelihood of attacks from both internal and external users. The IT department also wants to prevent anyone sending genuine user names and credentials when they log on to the FTP server.

What You Do / How You Do It

1. Run the IIS Lockdown Wizard to undo changes.

If the Lockdown Tool hangs and stops responding, or the undo procedure fails, try re-running the tool. If it fails again, reboot your computer. The undo procedure can take 20 minutes or more.

a. Run \\Server100\SPlus\IIS\Lockdown\IISLockd.exe.

b. Click Next, and then click Yes to restore the original server settings.

c. When the settings have been restored, click Next, and then click Finish.


2. Run the IIS Lockdown Wizard with the appropriate choices to lock down the FTP server.

a. Run the IISLockd.exe file to launch the IIS Lockdown Wizard.

b. Click Next.

c. Select I Agree and click Next to accept the license agreement.

d. In the Server Templates list, select Dynamic Web Server (ASP Enabled).

e. Check View Template Settings and click Next.

f. Check File Transfer Service (FTP) and click Next.

g. Click Next twice to accept the default choices for Script Maps and Additional Security.

h. Verify that Install URLScan Filter On The Server is checked and click Next twice to start the lockdown.

i. When the lockdown is complete, click View Report.

You will see errors in the report. These are for other services and are not related to FTP hardening.

j. After you review the report, close Notepad.

k. Click Next, and then click Finish to close the wizard.


3. Configure the Default FTP Site to accept only anonymous logons.

a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

b. In the tree pane, expand your server object.

c. Select and right-click the Default FTP Site, and choose Properties.

d. Select the Security Accounts tab.

e. Check Allow Only Anonymous Connections.

f. Click OK.

g. Close Internet Information Services.


ACTIVITY 3-7
Verifying FTP Password Security

Scenario: You have hardened your FTP server and restricted its logon configuration. You want to make sure that you have really solved the problem of domain users transmitting their user names and passwords to your FTP server in clear text.

What You Do / How You Do It

1. Start capturing all data sent between the local computer and all other destinations on the network.

a. From the Start menu, choose Programs→Administrative Tools→Network Analysis Tools→Network Monitor.

b. Choose Capture→Filter.

c. Double-click INCLUDE ANY <-> ANY.

d. In the Station 1 area, select the entry with a Name of LOCAL and an Address that matches your Local Area Connection’s MAC address.

e. Click OK twice.

f. Choose Capture→Start.

2. Use FTP to access the FTP server and attempt to log on as a domain user account.

a. Open a command prompt and enter ftp server# where # is your partner’s computer number.

b. Enter Administrator as the user name and !Pass1234 as the password. You receive a Login Failed error message. You are still connected to the FTP server, however.


3. Attempt to log on to the FTP server anonymously.

a. At the FTP prompt, enter user anonymous.

b. When prompted for the password, enter password. You should then see a message that says, “230 Anonymous user logged in.”

It is a convention on the Internet to supply your email address as the password when you log on to an FTP server as “anonymous.” However, you can enter any password you like.

c. Enter bye to disconnect your FTP session.

d. Close the command prompt.

4. Stop the capture and review the capture log.

a. Choose Capture→Stop and View.

b. After you have located the frames showing the successful and unsuccessful logons, close Network Monitor without saving the capture or unsaved database entries.

5. What security problems can remain with anonymous-only logons?

6. Other than restricting logons, how else could you protect against an eavesdropping attack against clear text FTP passwords?
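Activities 3-5 and 3-7 both come down to reading the FTP control-channel frames out of a capture. The following added example (not part of the manual, and not Microsoft’s code) audits two constructed transcripts, one from before the hardening and one from after it, pairing each USER/PASS exchange with the server’s final reply so you can confirm that only anonymous logons now succeed. The server reply strings are constructed to resemble the IIS 5.0 FTP service; the Administrator/!Pass1234 logon is the classroom credential the activity uses.

```python
"""Audit of FTP control-channel logons (added example; not the manual's or Microsoft's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed transcripts laid out the way Network Monitor shows the frames:
# ("C", line) went from client to server, ("S", line) from server to client.
# Administrator/!Pass1234 is the classroom credential used in the activity.
SESSION_BEFORE_HARDENING: List[Tuple[str, str]] = [
    ("S", "220 server1 Microsoft FTP Service (Version 5.0)."),
    ("C", "USER Administrator"),
    ("S", "331 Password required for Administrator."),
    ("C", "PASS !Pass1234"),
    ("S", "230 User Administrator logged in."),
    ("C", "QUIT"),
    ("S", "221"),
]

SESSION_AFTER_HARDENING: List[Tuple[str, str]] = [
    ("S", "220 server1 Microsoft FTP Service (Version 5.0)."),
    ("C", "USER Administrator"),
    ("S", "331 Password required for Administrator."),
    ("C", "PASS !Pass1234"),
    ("S", "530 User Administrator cannot log in."),
    ("C", "USER anonymous"),
    ("S", "331 Anonymous access allowed, send identity (e-mail name) as password."),
    ("C", "PASS password"),
    ("S", "230 Anonymous user logged in."),
    ("C", "QUIT"),
    ("S", "221"),
]


@dataclass
class LogonAttempt:
    user: str
    anonymous: bool
    password_on_wire: bool = False   # a PASS command crossed the network in clear text
    succeeded: bool = False          # the server answered 230


def parse_logons(session: List[Tuple[str, str]]) -> List[LogonAttempt]:
    """Pair each USER/PASS exchange with the server's final reply.

    The password argument is deliberately never stored: the audit only needs to
    know that one was sent, not what it was.
    """
    attempts: List[LogonAttempt] = []
    current: Optional[LogonAttempt] = None
    for direction, line in session:
        if direction == "C":
            m = re.match(r"^(USER|PASS)(?:\s+(.*))?$", line, re.IGNORECASE)
            if m is None:
                continue
            command, argument = m.group(1).upper(), (m.group(2) or "")
            if command == "USER":
                current = LogonAttempt(user=argument, anonymous=argument.lower() == "anonymous")
                attempts.append(current)
            elif current is not None:
                current.password_on_wire = True
        elif current is not None and line[:3].isdigit():
            code = line[:3]
            if code == "230":
                current.succeeded = True
                current = None
            elif code.startswith("5"):   # 530 and other permanent failures end the attempt
                current = None
    return attempts


def exposed_credentials(attempts: List[LogonAttempt]) -> List[LogonAttempt]:
    """Domain logons whose password was sent, whether or not the server accepted it."""
    return [a for a in attempts if a.password_on_wire and not a.anonymous]


def only_anonymous_succeeded(attempts: List[LogonAttempt]) -> bool:
    """The hardening goal of Activity 3-6: no non-anonymous account received a 230."""
    return all(a.anonymous for a in attempts if a.succeeded)


def audit_report(session: List[Tuple[str, str]]) -> List[str]:
    """Human-readable summary of a session, one line per logon plus the verdict."""
    attempts = parse_logons(session)
    lines = []
    for a in attempts:
        kind = "anonymous" if a.anonymous else "credentialed"
        outcome = "succeeded" if a.succeeded else "failed"
        note = ", password sent in clear text" if (a.password_on_wire and not a.anonymous) else ""
        lines.append(f"{kind} logon as {a.user!r} {outcome}{note}")
    lines.append("hardening goal met" if only_anonymous_succeeded(attempts)
                 else "hardening goal NOT met: a domain account logged in")
    return lines


if __name__ == "__main__":
    for name, session in (("before", SESSION_BEFORE_HARDENING), ("after", SESSION_AFTER_HARDENING)):
        print(name + ":")
        for line in audit_report(session):
            print("  " + line)
```

Note what the post-hardening report still flags: the rejected Administrator logon was a clear-text password on the wire all the same, which is the point behind question 5, and why the audit records that a password was sent without ever keeping it.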


TOPIC E
Harden Network News Transport Protocol (NNTP) Servers

In the last two topics, you learned to secure two very common Internet services that your company might offer: Web services and FTP services. Although perhaps less common, another standard Internet service your company might provide is hosting newsgroup communications through servers running the Network News Transfer Protocol (NNTP). If your company maintains NNTP servers, you can use the procedures in this topic to secure them.

Security on NNTP servers is important for some of the same reasons that security on Web and FTP servers is important. You don’t want attackers posting inappropriate content in your newsgroups, and you don’t want attackers grabbing user credentials from your news server and using them to poke around on other services in your network. Securing NNTP properly can help prevent these problems and security breaches.

Hardened NNTP Server

Definition:

A hardened NNTP server is an NNTP server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened NNTP server may include some or all of the following security configuration settings:

• A hardened operating system to prevent attackers from exploiting the operating system to attack the NNTP server.

• Strong authentication to prevent user names and passwords from being transmitted in clear text and to prevent the NNTP server from being used anonymously for illegal activity.

• Strict access controls to prevent anonymous access to the server.

• Unnecessary services disabled to prevent attackers from exploiting those services to attack the NNTP server.

Example: USA Travel’s NNTP Server

USA Travel hosts one NNTP server for its registered clients. According to USA Travel’s security policy, the NNTP server must have strong authentication enabled. The network administrator enabled digest authentication on the NNTP server, and because that setting complies with USA Travel’s security policy, the NNTP server can be considered hardened.

Harden NNTP Servers

Procedure Reference: Harden a Windows 2000 NNTP Server

To harden a Windows 2000 NNTP server:

1. Harden the operating system to prevent attackers from exploiting the operating system to attack the NNTP server.


2. Configure strong authentication to prevent usernames and passwords from being transmitted in clear text and to prevent the NNTP server from being used anonymously for illegal activity.

3. Run the IIS Lockdown Wizard to lock down the NNTP server by setting strict access controls and disabling unnecessary services.

a. Run the IIS Lockdown executable.

b. In the Server Templates list, select Dynamic Web Server.

c. Check View Template Settings and click Next.

d. Check News Service (NNTP), and click Next.

e. Click Next twice.

f. Verify that Install URLScan Filter On The Server is checked. Click Next twice.

The Microsoft IIS Lockdown Tool

You can use the Microsoft IIS Lockdown Tool to automate some of the NNTP hardening steps. If you have previously run the Lockdown Tool to harden other services on your server, you will need to re-run the tool to undo those changes before hardening NNTP.

ACTIVITY 3-8
Hardening an NNTP Server

Activity Time:

30 minutes

Setup: Your Windows 2000 server is running as a Web and FTP server, and it has been locked down by using the IIS Lockdown Wizard. The NNTP service was disabled when the base operating system was hardened. Resources are located on the network in \\Server100\SPlus in the following folder:

• IIS Lockdown Wizard: \IIS\Lockdown

Scenario: You disabled the NNTP service until you were ready to harden IIS and deploy your NNTP server. The bank has decided that they now want to use NNTP, FTP, and enable ASP on the IIS server. As the bank’s security administrator you need to make sure your NNTP servers are secure. In the past, the bank has had problems with users accessing newsgroups that they should not have had access to. Before connecting the new Windows 2000 NNTP Server to your network, you want to make sure that your NNTP server is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from attacking NNTP, the bank’s IT department has decided to implement a secure NNTP server.

The IT department has designed a security deployment plan for all new systems, including the Windows 2000 NNTP Servers, and you as the security administrator need to make sure the plan is implemented.


What You Do / How You Do It

1. As the domain administrator, enable and start the NNTP service.

a. Open Computer Management, expand Services And Applications, and click Services.

b. Double-click the Network News Transport Protocol service.

c. From the Startup Type drop-down list, select Automatic.

d. Click Apply.

e. Click Start.

f. When the service has started, click OK.

g. Close Computer Management.

2. Run the IIS Lockdown Wizard to undo changes.

If the Lockdown Tool hangs, or if the undo procedure fails, try re-running the tool. If it fails again, reboot your computer. The undo procedure can take 20 minutes or more.

a. Run \\Server100\SPlus\IIS\Lockdown\IISLockd.exe.

b. Click Next, and then click Yes to restore the original server settings.

c. When the settings have been restored, click Next, and then click Finish.


3. Run the IIS Lockdown Wizard with the appropriate choices to lock down the NNTP server.

a. Run the IIS Lockdown file to launch the IIS Lockdown Wizard.

b. Click Next.

c. Select I Agree and click Next to accept the license agreement.

d. In the Server Templates list, select Dynamic Web Server.

e. Check View Template Settings and click Next.

f. Check File Transfer Service (FTP) and News Service (NNTP), and click Next.

g. Click Next twice to accept the default choices for Script Maps and Additional Security.

h. Verify that Install URLScan Filter On The Server is checked and click Next twice to start the lockdown.

i. When the lockdown is complete, click View Report.

You will see errors in the report. These are from services unrelated to NNTP.

j. After you review the report, close Notepad.

k. Click Next, and then click Finish to close the wizard.


TOPIC F
Harden Email Servers

The Internet services we’ve discussed in the last three topics are important reasons why the Internet is useful for businesses today. But the “killer app” of the Internet has always been email. If your company maintains its own email servers, hardening them will be another important component in tightening up the perimeter of your network. So, in this topic, you’ll learn to increase security on your company’s email servers.

There are very few businesses today who don’t provide email for their employees, and the email stream is a major source of traffic flow between the corporate network and the Internet. Lots of bad things can come into your network through email, including all sorts of malicious code. Your users’ email credentials can be a gateway for attackers into other parts of your network. For these reasons, it’s important to make sure that your email servers are secure.

Email Vulnerabilities

There are numerous known email vulnerabilities, and there seem to be new ones discovered every week. The following table lists some examples of common email vulnerabilities.

Vulnerability: Email worms
Description: Users with an email client that uses a particular version of Microsoft Internet Explorer may be vulnerable to the automatic execution of arbitrary code in an email. This can result in the spread of the code to other clients using other email addresses found in a variety of places on the computer, including the user’s contact management application (for example, Microsoft Outlook), the Web browser’s local cache, and the contents of email messages received and stored on the system. Nimda is an example of an email worm.

Vulnerability: Malicious code
Description: A user who opens and executes malicious code disguised as an attachment may infect their machine and others on their network. The malicious code may reveal sensitive information on the system, fill the hard disk to maximum capacity, or recursively delete files. For example, in some versions of Outlook and some instant messaging applications, files that don’t meet the 8.3 file naming convention are truncated with an ellipsis. This could mean a user will execute a file because he or she can’t see the file extension or the complete file name, leading to a serious code attack.

Vulnerability: Data buffers
Description: There have been numerous buffer overflows found in Sendmail, Microsoft Exchange Server, and other email protocol servers (including SMTP, POP, and IMAP servers) throughout the years.

Vulnerability: Spam
Description: A malicious user can flood a network with emails and effectively cause a DoS by overloading an organization’s email servers. An attacker can also use target servers set up as SMTP relays to launch spam attacks against other networks.

LESSON 3

Security+ A CompTIA Certification134

Page 174: Comp Ti a Security

Vulnerability DescriptionHoaxes Email hoaxes are examples of social engineering attacks. Hoaxes

can cause users to delete “dangerous” files that are actuallycritical system files or otherwise misconfigure their systems toprevent against bogus threats.

Hardened Email Server

Definition:

A hardened email server is an email server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened email server may include some or all of the following security configuration settings:

• A hardened operating system to prevent attackers from exploiting the OS to attack the email server software.

• The latest security patches and fixes for the email server software to help protect against threats such as buffer overflows, worms, and other malicious code.

• Enterprise antivirus software to protect against worms and viruses.

• Message tracking to monitor communications and detect potentially malicious activity, such as email hoaxes and spam.

• An established logging and auditing strategy to track server performance and detect suspicious activity.

• Message size limitations to prevent attackers from sending oversized messages to overload email systems.

• Blocked SMTP traffic from specific domains or IP addresses to protect against spam or malicious activity.

• Disabled unnecessary services and applications to prevent an attacker from exploiting them to gain access to the OS or email server software using such methods as buffer overflows.

• Encrypted communication where appropriate to protect sensitive data.

Example: USA Travel’s Email Servers

USA Travel’s corporate security policy dictates that its email servers have all the latest operating system and server software patches, have enterprise antivirus software, have message size limitations, and are backed up regularly. Therefore, USA Travel’s Exchange administrator searches for and installs the latest Windows 2000 and Exchange 2000 security hotfixes every week, has installed an enterprise antivirus software package on all Exchange servers, has limited message sizes to 1 MB, and backs up the mail servers every night. Because all these steps comply with USA Travel’s security policy, the email servers are hardened.

Email Security Using S/MIME and PGP

To help protect email and ensure that what the sender sends is exactly what the recipient receives, two methods have been developed to secure email: Pretty Good Privacy (PGP) and Secure Multipurpose Internet Mail Extensions (S/MIME). Both methods are described in the following table.


Method and description:

• PGP: PGP uses a variation of public key cryptography to encrypt emails: the sender encrypts the contents of the email message and then encrypts the key that was used to encrypt the contents. The encrypted key is sent with the email, and the receiver decrypts the key and then uses the key to decrypt the contents. PGP also uses public key cryptography to digitally sign emails to authenticate the sender and the contents.

• S/MIME: S/MIME is an extension of MIME, which was originally created to allow users to share attachments to the original email, such as JPEG and MPEG files. S/MIME was created to prevent attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography. S/MIME ensures that the email that’s received is the same email that was sent, and that its contents are the original contents included by the sender.

Public key cryptography and certificates will be covered later in this course.

Harden Email Servers

Procedure Reference: Harden an Exchange Server

To harden an Exchange server:

1. Harden the operating system to prevent attackers from exploiting the OS to attack the email server software.

2. Install the latest security patches and fixes for the email server software to help protect against threats such as buffer overflows.

3. Install enterprise antivirus software to protect against worms and viruses.

4. Enable message tracking on the Exchange server object to monitor communications and detect potentially malicious activity, such as email hoaxes and spam.

a. On the Exchange server, open Exchange System Manager.

b. Expand Servers and select your server.

c. Right-click your server and choose Properties.

d. On the General page, check Enable Message Tracking.

5. Enable minimum diagnostic logging for MSExchangeIS/Mailbox/Logons for your Exchange server object to track server performance and detect suspicious activity.

a. On the Exchange server, open Exchange System Manager.

b. Expand Servers, and select your server.

c. Right-click your server and choose Properties.

d. Select the Diagnostics Logging tab.

e. In the Services list, expand MSExchangeIS and select Mailbox.

f. In the Categories list, select Logons.


g. Under Logging Level, select Minimum.

6. Enable message size limits to prevent attackers from sending oversized messages to overload email systems.

a. On the Exchange server, open Exchange System Manager.

b. Expand Servers and your Exchange server.

c. Select a storage group.

d. In the details pane, right-click the Mailbox Store and choose Properties.

e. Select the Limits tab.

f. Configure storage limit settings as appropriate for your system.

7. Enable SMTP logging for the SMTP protocol’s SMTP Virtual Server object.

a. In Exchange System Manager, under your server, expand Protocols.

b. Select SMTP.

c. In the details pane, right-click the Default SMTP Virtual Server and choose Properties.

d. On the General page, check Enable Logging.

8. If necessary, block inbound SMTP traffic to protect against spam or malicious activity.

a. In Exchange System Manager, under your server, expand Protocols.

b. Select SMTP.

c. In the details pane, right-click the Default SMTP Virtual Server and choose Properties.

d. Select the Access tab.

e. Click Connection.

f. In the Connection dialog box, verify that All Except The List Below is selected and click Add.

g. Block SMTP traffic based on IP addresses or domain names.

9. Run the IIS Lockdown Wizard to lock down the Exchange server to disable unnecessary services and applications.

a. Run the IIS Lockdown executable.

b. In the Server Templates list, select Exchange Server 2000.

c. Check View Template Settings and click Next.

d. Verify that E-mail Service (SMTP) is checked.

e. Click Next three times.

f. Verify that Install URLScan Filter On The Server is checked. Click Next twice.

10. Encrypt communication where appropriate to protect sensitive data.
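The vulnerabilities table and the procedure above describe several controls that an Exchange administrator sets through the GUI: a connection-control block list for SMTP, a message size limit, and awareness of attachments whose real extension is hidden from the user. As an added example that is not part of the course manual or of Exchange itself, the following Python models those three checks as a small mail-gateway policy so their logic can be seen in one place. The block-list domains come from Activity 3-9; the blocked network, the size limit, the "long name" threshold, and the sample message are all constructed for this example.

```python
"""Added example, not part of the course manual or of Exchange: a small
mail-gateway policy check modelling connection control, a message size
limit, and a check for attachment names that hide an executable extension.
Every value below is a constructed example, not a recommended setting."""
import ipaddress
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from typing import Dict, List, Optional

# Connection control modelled on "All Except The List Below": anything not
# listed is accepted. The domains come from the activity; the network is a
# constructed entry from the TEST-NET-3 documentation range.
BLOCKED_DOMAINS = {"hacker.com", "intruder.com"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Message size limit; the USA Travel example in the text uses 1 MB.
MAX_MESSAGE_BYTES = 1 * 1024 * 1024

# Constructed policy: names longer than this are assumed to be truncated by
# the client, so the user may never see the real extension.
MAX_VISIBLE_NAME = 40
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}


def connection_allowed(peer_ip: str, peer_domain: Optional[str]) -> bool:
    """Refuse listed networks and domains (including their subdomains);
    accept everything else, as the "All Except The List Below" setting does."""
    if any(ipaddress.ip_address(peer_ip) in net for net in BLOCKED_NETWORKS):
        return False
    if peer_domain:
        name = peer_domain.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS):
            return False
    return True


def suspicious_attachment_names(msg: EmailMessage) -> List[str]:
    """Flag attachments whose executable extension can be hidden from the
    user: a double extension such as report.pdf.exe, or a name long enough
    that a truncating client would not display its real ending."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) >= 2 and pieces[-1] in EXECUTABLE_EXTENSIONS:
            if len(pieces) > 2 or len(name) > MAX_VISIBLE_NAME:
                flagged.append(name)
    return flagged


def evaluate_message(raw: bytes, peer_ip: str,
                     peer_domain: Optional[str]) -> Dict[str, object]:
    """Apply connection control, then the size limit, then the attachment
    check, and return the decision with a tracking-style log line."""
    reasons: List[str] = []
    if not connection_allowed(peer_ip, peer_domain):
        reasons.append("connection refused by connection control list")
    elif len(raw) > MAX_MESSAGE_BYTES:
        reasons.append(f"message of {len(raw)} bytes exceeds limit of {MAX_MESSAGE_BYTES}")
    else:
        msg = message_from_bytes(raw, policy=default)
        for name in suspicious_attachment_names(msg):
            reasons.append(f"attachment hides executable extension: {name!r}")
    accepted = not reasons
    log = (f"peer={peer_ip} domain={peer_domain or '-'} size={len(raw)} "
           f"result={'accept' if accepted else 'reject'}")
    return {"accepted": accepted, "reasons": reasons, "log": log}


def build_sample_message() -> bytes:
    """Constructed test message: a short note carrying an attachment whose
    padded 'PDF' name actually ends in .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    padded_name = "Invoice_March_2004" + " " * 30 + ".pdf.exe"
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=padded_name)
    return msg.as_bytes()


if __name__ == "__main__":
    verdict = evaluate_message(build_sample_message(), "198.51.100.7", "mail.example.net")
    print(verdict["log"])
    for reason in verdict["reasons"]:
        print(" -", reason)
```

The order of the checks mirrors where each control sits on the server: connection control decides before any data is accepted, the size limit is enforced as the message arrives, and attachment inspection runs over the parsed message. The log line stands in for the message tracking and SMTP logging the procedure enables; in a real deployment those records are what lets you notice a burst of rejected connections or oversized messages.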

The Microsoft IIS Lockdown Tool

You can use the Microsoft IIS Lockdown Tool to automate some of the hardening steps for an Exchange server. If you have previously run the Lockdown Tool to harden other services on your server, you will need to re-run the tool to undo those changes before hardening Exchange.


ACTIVITY 3-9: Hardening an SMTP Server

Data Files:

• SecureSystems.doc

Setup:

The Exchange server is also an IIS server running the WWW and FTP services. These services were previously hardened by running the IIS Lockdown Wizard. The SMTP service is disabled. Data files and other resources are located on the network in \\Server100\SPlus in the following folders:

• IIS Lockdown Wizard: \IIS\Lockdown

• SecureSystems.doc: \Student

• Windows 2000 Server installation files: \Srv2000

Scenario:

National Bank supports SMTP email services by using Microsoft Exchange 2000 Server. One of your next tasks as the bank’s security administrator is to enable SMTP and to make sure these SMTP servers are secure. In the past, the bank has had problems with DoS attacks on the Exchange Servers. Before connecting the new Exchange 2000 Server to your network, you want to make sure that your Exchange 2000 server is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from attacking Exchange 2000 Server, the bank’s IT department has decided to implement a secure Exchange 2000 Server.

The IT department and the Exchange 2000 design team have designed a security deployment plan for all new systems, including the Windows 2000 Exchange 2000 Servers, and you as the security administrator need to make sure the plan is implemented. One part of the plan is to make sure that FTP is not running on any SMTP servers, in order to eliminate any possible attacks on the mail servers through FTP. The Exchange 2000 design team is planning to install virus protection software on the Exchange server when you are done hardening.


What You Do How You Do It

1. Enable message tracking on the Exchange server object.

a. Open the \\Server100\SPlus\Student\SecureSystems.doc file and locate the Exchange 2000 Hardening Recommendations.

b. From the Start menu, choose Programs→Microsoft Exchange→System Manager.

c. Expand Servers and select your server.

d. Right-click your server and choose Properties.

e. On the General page, check Enable Message Tracking and click Apply to keep the property sheet open.


2. Enable minimum diagnostic logging for MSExchangeIS/Mailbox/Logons on your Exchange server object.

a. On your server’s property sheet, select the Diagnostics Logging tab.

b. In the Services list, expand MSExchangeIS and select Mailbox.

c. In the Categories list, select Logons.

d. Under Logging Level, select Minimum.

e. Click OK.

3. In the First Storage Group, enable message size limits on the Mailbox Store and Public Store, according to the specifications in the SecureSystems.doc file.

a. In the Tree pane of Exchange System Manager, expand your server and select the First Storage Group.

b. Right-click Mailbox Store and choose Properties.

c. Select the Limits tab.


d. In the Storage Limits section, check all three check boxes.

e. In the Issue Warning At (KB) text box, enter 40000 to set a Warning limit of 40000 KB.

f. Set a Prohibit Send limit of 50000 KB.

g. Set a Prohibit Send And Receive limit of 60000 KB.

h. Click OK.

i. Open the properties of the Public Folder Store and select the Limits tab.

j. Set the same limit values and click OK.

4. Why would you enable message size limits?


5. Enable and start the SMTP service.

a. Open Computer Management.

b. Expand Services And Applications and select Services.

c. Double-click the Simple Mail Transport Protocol service.

d. From the Startup Type drop-down list, select Automatic. Click Apply.

e. Click Start.

f. When the service has started, click OK.

g. Close Computer Management.

6. Enable SMTP logging for the SMTP protocol’s SMTP Virtual Server object.

When hardening Exchange 2000 Server, you should also enable IIS logging. You did this in an earlier activity.

a. In the Exchange System Manager Tree pane, under your server, expand the Protocols folder and select SMTP.

b. Right-click the Default SMTP Virtual Server and choose Properties.

c. On the General page, check Enable Logging.

d. Click Apply to keep the property sheet open.

7. Block inbound SMTP traffic for the domains specified in the SecureSystems.doc file by adding them to the Access/Connection Control list for the SMTP Server object.

a. In the Default SMTP Virtual Server Properties sheet, select the Access tab.

b. Click Connection.

c. In the Connection dialog box, verify that All Except The List Below is selected, and click Add.

d. Select Domain.


e. In the SMTP Configuration message box, click OK.

f. In the Name text box, enter hacker.com and click OK.

g. Add the intruder.com domain to the list.

h. Click OK twice to close the Connection dialog box and the Default SMTP Virtual Server Properties sheet.

i. Close Exchange System Manager.

8. Run the IIS Lockdown Wizard to undo changes.

If the Lockdown Tool hangs and stops responding, or the undo procedure fails, try re-running the tool. If it fails again, reboot your computer. The undo procedure can take 20 minutes or more.

a. Run \\Server100\SPlus\IIS\Lockdown\IISLockd.exe.

b. Click Next, and then click Yes to restore the original server settings.

c. When the settings have been restored, click Next, and then click Finish.


9. Run the IIS Lockdown Wizard with the appropriate choices to lock down the Exchange server.

If you did not key the preceding optional activity, NNTP will not be installed, so that check box will be grayed out.

a. Run the IIS Lockdown file to launch the IIS Lockdown Wizard.

b. Click Next.

c. Select I Agree and click Next to accept the license agreement.

d. In the Server Templates list, select Exchange Server 2000.

e. Check View Template Settings and click Next.

f. Verify that Web Service (HTTP), E-mail Service (SMTP), and News Service (NNTP) are checked, and that File Transfer Service (FTP) is unchecked. Check Remove Unselected Services.

g. Click Yes to verify that you want to remove FTP.

h. Click Next three times to accept the default choices for Script Maps and Additional Security.

i. Verify that Install URLScan Filter On The Server is checked and click Next twice to start the lockdown. The Windows Components Wizard will run automatically to remove the FTP service.

j. If you are prompted for the location of the Windows 2000 Server installation files, enter the path \\Server100\SPlus\Srv2000\I386 and click OK.

k. When the lockdown is complete, click View Report.


You will see errors in the report. These are from other services unrelated to Exchange.

l. After you review the report, close Notepad.

m. Click Next, and then click Finish to close the wizard.

10. Verify that FTP is no longer installed.

a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

b. Expand your server object. The default FTP site is no longer installed.

c. Close Internet Services Manager.

TOPIC G: Harden Conferencing and Messaging Servers

Another way that your company might be communicating across the Internet with foreign networks is through the use of various types of collaboration services. Tools like instant messaging and video conferencing are no longer novelties but, instead, are commonplace and legitimate tools for business communications. In this topic, you’ll learn to secure communications that use these real-time interactive services.

With collaboration services, such as instant messaging, your employees are communicating with the outside world in real time. The communication is instantaneous and performance is of the essence. Before you know it, an attacker could insert something undesirable into the communication and you wouldn’t have time to stop it. It’s better to secure these systems so that an attacker can’t connect to them in the first place.

Instant Messaging Vulnerabilities

While both conferencing and instant messaging servers are vulnerable to the same exploits covered so far in this course, including sniffing or eavesdropping, it’s important to note that a popular social engineering attack has had success in the recent past against instant messaging users. The attack happens like this: The attacker contacts the target and masquerades as a staff member of the instant messaging network that the target is using. The attacker then elicits personal or financial information from the target by requesting it to verify the target’s identity or licensing information. While this attack isn’t the sort of high-tech attack you might expect against your network, it’s another example of how a clever attacker can use plain old deception to exploit your users and gain access to your network.

Hardened Conferencing and Messaging Server

Definition:

A hardened conferencing and messaging server is a conferencing and messaging server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened conferencing and messaging server may include some or all of the following security configuration settings:

• A hardened operating system to prevent attackers from exploiting the OS to attack the server software.

• Appropriate access controls to prevent unauthorized users from accessing the system.

• Encrypted communication where appropriate to protect sensitive data.

• Educated users to help prevent social engineering attacks.

Example: USA Travel’s Instant Messaging Server

USA Travel’s corporate security policy requires users to log on to the instant messaging server. Therefore, the network administrator has limited access to the server to only those users who have domain accounts. Because this configuration is protected according to the corporate security policy, this instant messaging server is considered hardened.

Harden Conferencing and Messaging Servers

Procedure Reference: Harden Exchange Messaging Servers

To harden an Exchange messaging server:

1. Harden the operating system to prevent attackers from exploiting the OS to attack the server software.

2. Set appropriate authentication properties on the IIS Instant Messaging virtual directory to prevent unauthorized users from accessing the system.

a. Open Internet Services Manager.

b. Expand your server and expand the Default Web Site.

c. Select and right-click the InstMsg virtual directory and choose Properties.

d. Select the Directory Security tab.

e. In the Anonymous Access And Authentication Control area, click Edit.

f. Configure anonymous authentication and authenticated access as appropriate for your system.

3. Encrypt communication where appropriate to protect sensitive data.

4. Educate users to help prevent social engineering attacks.


ACTIVITY 3-10: Hardening an Instant Messaging Server

Data Files:

• SecureSystems.doc

Setup:

You have a new installation of a Windows 2000 Server set up as an Exchange 2000 Server with Instant Messaging installed. The computer is named Server#, and it is in a domain named Domain#, where # is a unique integer assigned to you by the instructor. The default administrator account has been set up with a password of !Pass1234. The Exchange 2000 Server has been hardened along with running the IIS Lockdown Tool. Data files are located in \\Server100\SPlus\Student and the IM Client is at \\Server100\SPlus\E2KIM. Your email address is administrator@server#.

Although the Exchange Server with Instant Messaging is running on a domain controller for classroom and testing purposes, this is a security risk.

Scenario:

You have already hardened your Exchange 2000 Server and IIS with the IIS Lockdown Tool. Now, one of your next tasks as the bank’s security administrator is to make sure your Instant Messaging servers are secure. In the past, the bank has had problems with users using Instant Messaging with unauthorized users. Before connecting the new Instant Messaging server to your network, you want to make sure that your Instant Messaging server is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from attacking Instant Messaging, the bank’s IT department has decided to implement a secure Instant Messaging server.

The IT department and the Exchange 2000 Server design team have designed a security deployment plan for all new systems, including the Instant Messaging servers, and you as the security administrator need to make sure the plan is implemented. After you implement the changes on your Exchange 2000 server, you should be sure to verify that the IM clients can connect to the IM server with the new security configuration. The network administrators will then place the server behind the firewall.

Because the DNS hierarchy for each class domain is independent, this activity will not enable you to send Instant Messages between classroom computers.


What You Do How You Do It

1. Create a new Instant Messaging home server using the appropriate parameters as documented in SecureSystems.doc.

a. Open \\Server100\SPlus\Student\SecureSystems.doc.

b. From the Start menu, choose Programs→Microsoft Exchange→System Manager.

c. Expand the Servers object, expand your server, and expand the Protocols folder.

d. Select the Instant Messaging (RVP) object.

e. Right-click Instant Messaging (RVP) and choose New→Instant Messaging Virtual Server to launch the New Instant Messaging Virtual Server Wizard.

f. Click Next.

g. Complete the wizard using the following parameters (substitute your computer’s number for the # sign when appropriate):

• Display Name: IMServer#

• Enable the Default Web Site for Instant Messaging.

• DNS Domain Name: Server#

• Allow the server to host user accounts.

h. Close Exchange System Manager.


2. Set the appropriate authentication properties on the Internet Information Server (IIS) Instant Messaging virtual directory.

a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

b. Expand your server and expand the Default Web Site.

c. In the Default Web Site, select and right-click the InstMsg virtual directory, and choose Properties.

d. Select the Directory Security tab.

e. In the Anonymous Access And Authentication Control area, click Edit.

f. Uncheck Anonymous Access.

g. In the Authenticated Access area, uncheck Digest Authentication For Windows Domain Servers. Only Integrated Windows Authentication should be checked.

h. Click OK twice.

i. Close Internet Services Manager.


3. What authentication methods should be enabled on the Instant Messaging Virtual Directory if users log on through a proxy server?

a) Anonymous access

b) Basic authentication

c) Digest authentication

d) Integrated Windows authentication

4. True or False? If you use Digest Authentication, you must configure user passwords to be stored using reversible encryption.

5. Modify the Exchange Features properties of your Active Directory user account to enable Instant Messaging and use your Instant Messaging server as your home server.

a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users And Computers.

b. Expand your domain and select the Users folder.

c. Right-click the Administrator user and choose Exchange Tasks to launch the Exchange Task Wizard.

d. Click Next.

e. Complete the wizard using the following settings:

• Enable Instant Messaging.

• Browse to select IMServer# as the Instant Messaging Home Server.

• Instant Messaging Domain Name: Server#.

f. Close Active Directory Users And Computers.

6. Install the IM client.

a. Open \\Server100\SPlus\E2KIM and run the MMSSetup program.

b. Click Yes to accept the license agreement.

c. In the MSN Messenger window, click the Click Here To Sign In link.

d. In the E-mail text box, enter administrator@server# and click OK. MSN Messenger should sign you on automatically.


7. Verify that you can start the IM client and log on with the new authentication settings.

a. Close the MSN Messenger window.

b. In the message box, click OK.

c. In the System Tray, right-click the MSN Messenger icon and choose Exit.

d. From the Start menu, choose Programs→MSN Messenger. MSN Messenger should start and log you on automatically.

e. Close the MSN Messenger window and exit the program.

Lesson 3 Follow-up

In this lesson, you hardened the devices and computers that are exposed to the Internet and provide services to both local and remote users. By securing the systems that act as a border around your network, you provide a higher level of security to your internal network resources.

1. Which internetwork connection device do you think is most important to secure?

2. Which provides a greater security threat to your organization: your border router or your email infrastructure?


LESSON 4: Securing Network Communications

Lesson Objectives:

In this lesson, you will secure network communications.

You will:

• Secure network traffic using IPSec.

• Secure wireless traffic.

• Secure client Internet access.

• Secure the remote access channel.

Lesson Time: 2 hour(s), 45 minutes


Introduction

If an attacker taps into your network media and starts reading information directly off the wire, you might as well call it a day. The best passwords in the world won’t protect your systems if an attacker pulls them out of an authentication session. The most secure email server in the world won’t help keep your data safe if an attacker can read a sensitive email message in transit. So, you can’t just secure the systems on the ends of the communication; you need to make sure the information flowing between them on the network is secure as well.

TOPIC A: Secure Network Traffic Using IP Security (IPSec)

When you secure network traffic, it’s not a single operation. You need to consider various types of traffic, such as LAN, WAN, and wireless communications. We’ll start with a method that you can apply in many types of situations. In this topic, you’ll learn how to configure Internet Protocol Security (IPSec), a powerful, general-purpose technique for protecting data on IP networks.

IPSec is a flexible and powerful tool that can help you ensure not only that only authorized data is getting through your network systems, but also that the data can be read only by authorized parties. So, IPSec can prevent hackers both from hijacking a session and from scanning the network data for information. Unfortunately, used incorrectly, IPSec can also shut down legitimate communications on your network. So, learning to apply IPSec correctly is an indispensable skill for any network security professional.

Data Integrity

To protect against replay or man-in-the-middle attacks, you need to provide a method that two computers can use to verify that the data they’re exchanging is the original, unmodified data—that is, you need to provide a way for Computer A to verify that the data it receives from Computer B is the same data Computer B sent, and vice versa. One method is to use a message digest. A message digest, also called a digital signature, is created by using a one-way encryption algorithm, also called a hashing algorithm, such as MD5 and SHA-1, both of which are described in Table 4-1. The algorithm produces a numerical result, called a digest or hash value, of a fixed size, which is just a condensed form or representation of the original data. The data and the digest are sent to the recipient, who then decrypts the digest and recomputes the digest from the received file using the same algorithm. If the recomputed digest matches the digest that was sent with the data, the file is proved to be intact and tamper-free from the sender. Digital signatures promote data integrity and non-repudiation by ensuring that data is authentic from the source and that one party can’t deny involvement in an electronic transaction.

While message digests are a secure way to authenticate data, attackers can attempt to use the “birthday paradox” to generate a separate but identical version of a hash. For more information about birthday attacks, see www.rsasecurity.com/rsalabs/faq/2-4-6.html.


Table 4-1: Hashing Algorithms

Hashing algorithm and description:

• Secure Hash Algorithm (SHA-1, SHA-256, SHA-384, and SHA-512): Considered the stronger of the two hashing algorithms described here, SHA-1 produces a 160-bit hash value, while SHA-256, SHA-384, and SHA-512 produce 256-bit, 384-bit, and 512-bit digests, respectively.

• Message Digest 5 (MD5): This algorithm produces a 128-bit message digest.
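The Data Integrity section and Table 4-1 describe digests being computed by the sender, transmitted with the data, and recomputed by the receiver, and the note warns about the birthday paradox. As an added example that is not part of the course manual, the Python below shows that exchange with the hashing algorithms from Table 4-1, confirms their digest sizes, and works out the birthday bound the note refers to. It keys the digest with a shared secret (an HMAC), which is this example's choice for the "decrypts the digest" step rather than anything the text prescribes; the key and message are constructed.

```python
"""Added example, not part of the course manual: sender/receiver integrity
check with the Table 4-1 hashing algorithms, plus the birthday-bound
arithmetic behind the note on birthday attacks. Key and message are
constructed sample values."""
import hashlib
import hmac
import math
from typing import Dict

# Digest sizes in bits as stated in Table 4-1; digest_sizes_bits() reads the
# actual sizes back from hashlib so the two can be compared.
ALGORITHMS = {"md5": 128, "sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}


def digest_sizes_bits() -> Dict[str, int]:
    """Return the digest size each algorithm really produces, in bits."""
    return {name: hashlib.new(name).digest_size * 8 for name in ALGORITHMS}


def sign(data: bytes, key: bytes, algorithm: str = "sha256") -> bytes:
    """Sender side: a keyed digest (HMAC) over the data. Keying the digest is
    what stops a party who alters the data in transit from simply recomputing
    a matching digest, which a bare hash sent beside the data would allow."""
    return hmac.new(key, data, algorithm).digest()


def verify(data: bytes, tag: bytes, key: bytes, algorithm: str = "sha256") -> bool:
    """Receiver side: recompute the digest over the received data and compare
    it to the transmitted one in constant time."""
    return hmac.compare_digest(sign(data, key, algorithm), tag)


def birthday_attempts(bits: int, probability: float = 0.5) -> float:
    """Approximate number of random inputs needed before two of them share an
    n-bit digest with the given probability: sqrt(2 * 2^n * ln(1/(1-p))).
    For p = 0.5 this is about 1.18 * 2^(n/2): far fewer than the roughly 2^n
    tries needed to hit one specific digest value, which is why a 128-bit
    digest offers only about 64 bits of collision resistance."""
    return math.sqrt(2 * (2 ** bits) * math.log(1 / (1 - probability)))


def demo() -> bool:
    """Intact data verifies; a one-field change to the data does not."""
    key = b"constructed-shared-key"
    message = b"Transfer 100.00 to account 12345"
    tag = sign(message, key)
    intact = verify(message, tag, key)
    tampered = verify(b"Transfer 900.00 to account 12345", tag, key)
    return intact and not tampered


if __name__ == "__main__":
    for name, bits in digest_sizes_bits().items():
        work = math.log2(birthday_attempts(bits))
        print(f"{name}: {bits}-bit digest, ~2^{work:.1f} inputs for a 50% collision")
    print("integrity check:", "ok" if demo() else "failed")
```

The birthday figures are the reason the digest length in Table 4-1 matters: halving the exponent turns a 128-bit MD5 digest into a 2^64 collision problem, while SHA-256 leaves an attacker with about 2^128.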

Data Encryption

One way to protect data passing through unsecured data channels is to encrypt the data. Encryption is the process of converting the data into coded form in such a way that only authorized parties can access the information. Only those with the necessary password or decryption key can decode and read the data. Encryption promotes confidentiality of sensitive data.

Many encryption schemes and methods are available. Electronic mail packages often offer the ability to encrypt messages. Specialized encryption devices can be inserted into the data-transmission media to encrypt all the data that passes through. The level of encryption that you implement depends on the value of the data. When considering the value, consider what loss would be incurred if your competitors or the general public were to become aware of the contents of the data.

Data is encrypted and decrypted using algorithms, which in turn use a private key, a public key, or a combination of the two. Data encryption is either symmetric or asymmetric, as described in Table 4-2.

Table 4-2: Encryption Algorithms

Symmetric/Private key: Symmetric encryption, also known as private key encryption, works with one key. All of the objects on the network that have this key can encrypt and decrypt messages. Because this key is available only to the sender and receiver of the message, it is referred to as a private key. For security, the key must be kept safely guarded and should never travel over the communications media. The administrator can establish the private key or it can be embedded in hardware coding. If the key ever changes, all devices must be upgraded. Symmetric cryptography provides a lower level of security in exchange for a faster encryption rate. Stream ciphers are symmetric encryption algorithms.

Examples:

• Data Encryption Standard (DES)

• Triple DES (3DES)

• Advanced Encryption Standard (AES) algorithm (Rijndael)

• Rivest Cipher (RC) 4 and 5

• Skipjack

• Blowfish

• CAST-128

Asymmetric/Public key: Asymmetric, or public key encryption, is more secure than symmetric encryption because it uses two keys. The public key is available to everyone on the network, so messages are encrypted by using the recipient’s public key. Only the recipient’s private key can be used to decrypt the message. This dual-key system eliminates the need to share a private key. Asymmetric encryption was developed by Whitfield Diffie and Martin Hellman. While asymmetric cryptography is highly secure, it isn’t as fast as symmetric cryptography.

Examples:

• Rivest Shamir Adleman (RSA) cryptosystem

• Diffie-Hellman

• ElGamal

The encryption algorithms in Table 4-2 use different methods for encrypting data. Two commonly used methods are stream cipher and block cipher:

• Stream cipher, a type of symmetric encryption, encrypts data one bit at a time. Each plaintext bit is transformed into encrypted ciphertext. These algorithms are relatively fast to execute. The ciphertext is the same size as the original text. This method produces fewer errors than other methods, and when errors occur, they affect only one bit. RC4 is an example of a stream cipher.

• Block cipher encrypts data a block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream encryption. There are several modes of block cipher encryption. In ECB (Electronic Code Block) encryption, each block is encrypted by itself. Each occurrence of a particular word is encrypted exactly the same. In CBC (Cipher Block Chaining) encryption, before a block is encrypted, information from the preceding block is added to the block. In this way, you can be sure that repeated data is encrypted differently each time it is encountered. The CFB (Cipher FeedBack mode) encryption model allows encryption of partial blocks rather than requiring full blocks for encryption. DES is an example of a block cipher.

Internet Protocol Security (IPSec)

As you’ve seen so far in this course, there is a wide variety of ways attackers can gain access to your network, wreak havoc on your systems, and disrupt your communications. While the main focus so far has been hardening your systems, we haven’t secured the actual network traffic—that is, the packets of data as they travel along the network wire—until now.

Internet Protocol security (IPSec) is a set of open, non-proprietary standards that you can use to secure data as it travels across the network or the Internet. Many operating systems and devices support IPSec, such as Windows 2000, Windows XP, NetWare 6, Solaris 9, and routers. While IPSec is an industry standard, it is implemented differently in the various operating systems.

For the current state of IPSec and to view all the RFCs that describe IPSec technologies, see the Internet Engineering Task Force Web site at www.ietf.org/html.charters/ipsec-charter.html.

IPSec can protect your network communication in several ways:


• IPSec provides data authenticity and integrity by verifying the identities of the computers that are transmitting data to one another. In this way, IPSec can prevent IP spoofing and man-in-the-middle attacks.

• IPSec provides anti-replay protection by using sequence numbers to protect the integrity of the data being transmitted. Packets captured can’t be replayed later to be used to gain unauthorized access to your network.

• IPSec prevents repudiation by providing verification that a computer sending information is the computer it purports to be.

• IPSec protects against eavesdropping and sniffing by providing data encryption mechanisms to allow you to encrypt data as it travels across the network.

While IPSec can’t always protect against every attack, as you’ll see in the coming sections, IPSec is a highly effective way to secure your network traffic through the use of authentication and encryption. How does IPSec protect against such a variety of attacks? Through an array of protocols and services, which we’ll begin to examine next.

Data Integrity and Encryption in IPSec

Remember that IPSec is an important security tool because it provides data integrity and encryption. The first of these properties, data integrity, is provided by using message digests. IPSec uses hash method authentication codes (HMACs) to verify data integrity, which means that it guarantees that the data sent from one computer in a two-computer (end-to-end) session is the same data that arrives at the receiving computer on the other end. IPSec can use one of two hashing algorithms to provide data integrity: MD5 and SHA-1.

Because of the high level of encryption, Windows 2000 and Windows XP systems must have the high encryption pack installed to use 3DES. In addition, because of its strong level of encryption, 3DES is one of those technologies that may not be available for export to some countries outside North America. See www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp and www.bxa.doc.gov/Default.htm for more information.

The second of these properties, encryption, is provided by one of two encryption algorithms, DES or 3DES.

• DES is a symmetric encryption algorithm that encrypts data in 64-bit blocks using what appears to be a 64-bit key, while in fact it really has only the strength of a 56-bit key because 8 bits are used for parity. So only seven bits of each byte are used for DES, which results in a key length of only 56 bits.

• 3DES is a symmetric encryption algorithm that encrypts data by processing each block of data three times using a different key each time. It first encrypts plain text into ciphertext using one key, it then encrypts that ciphertext with another key, and it last encrypts the second ciphertext with yet another key.
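To make the block cipher modes described earlier and the DES key point just above concrete, here is an added Go example (not from the manual) using the standard library’s DES: it shows ECB encrypting a repeated 64-bit word to identical ciphertext blocks while CBC does not, and that flipping the 8 parity bits of a DES key leaves the ciphertext unchanged, so only 56 bits contribute. The key, IV and plaintext are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Constructed sample inputs (not from the manual): a DES key with correct odd
// parity in every byte, an 8-byte IV, and a plaintext made of one 64-bit word
// repeated four times so that ECB's block-for-block repetition is visible.
var (
	sampleKey = []byte{0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1}
	sampleIV  = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	samplePT  = bytes.Repeat([]byte("ATTACK!!"), 4) // four identical 64-bit blocks
)

// encryptECB encrypts every block independently. Go's standard library leaves
// ECB out on purpose, so the loop is written here to show what the mode does.
func encryptECB(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// encryptCBC XORs each plaintext block with the previous ciphertext block (the
// IV for the first block) before encrypting it, so repeated blocks diverge.
func encryptCBC(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// distinctBlocks counts how many different 64-bit blocks appear in data.
func distinctBlocks(data []byte) int {
	seen := make(map[string]bool)
	for i := 0; i+des.BlockSize <= len(data); i += des.BlockSize {
		seen[string(data[i:i+des.BlockSize])] = true
	}
	return len(seen)
}

// ecbDistinctBlocks returns 1: under ECB the four identical plaintext blocks
// become four identical ciphertext blocks, leaking the repetition.
func ecbDistinctBlocks() int {
	block, err := des.NewCipher(sampleKey)
	if err != nil {
		panic(err)
	}
	return distinctBlocks(encryptECB(block, samplePT))
}

// cbcDistinctBlocks returns more than 1: chaining hides the repetition.
func cbcDistinctBlocks() int {
	block, err := des.NewCipher(sampleKey)
	if err != nil {
		panic(err)
	}
	return distinctBlocks(encryptCBC(block, sampleIV, samplePT))
}

// parityBitsIgnored flips the least significant bit of every key byte, the bit
// DES reserves for parity, and checks that the ciphertext does not change:
// only 56 of the 64 key bits take part in encryption.
func parityBitsIgnored() bool {
	flipped := make([]byte, len(sampleKey))
	for i, b := range sampleKey {
		flipped[i] = b ^ 0x01
	}
	b1, err1 := des.NewCipher(sampleKey)
	b2, err2 := des.NewCipher(flipped) // accepted: Go checks length, not parity
	if err1 != nil || err2 != nil {
		panic("key rejected")
	}
	return bytes.Equal(encryptECB(b1, samplePT), encryptECB(b2, samplePT))
}

func main() {
	fmt.Println("ECB distinct ciphertext blocks:", ecbDistinctBlocks())
	fmt.Println("CBC distinct ciphertext blocks:", cbcDistinctBlocks())
	fmt.Println("parity bits ignored by DES:", parityBitsIgnored())
}
```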

Depending on how you configure IPSec, you can use message digests, data encryption, or both.

IPSec Transport Protocols

IPSec uses two transport protocols, Authentication Header protocol and Encapsulating Security Payload protocol. While they’re similar in function, they use different methods to protect data, and depending on how you implement IPSec policies in your enterprise, you can use one or both of these protocols at the same time.


Figure 4-1: AH packets.

• Authentication Header (AH) protocol provides data integrity through the use of MD5 and SHA. AH takes an IP packet and uses either MD5 or SHA to hash the IP header and the data payload, and then it adds its own header to the packet, as depicted in Figure 4-1. The AH header is inserted into the packet behind the original IP header but ahead of the TCP or UDP header and the header inserted by the Encapsulating Security Payload protocol (if you’re using AH and ESP together). Among other things, the AH header consists of the Security Parameters Index (SPI), the sequence number of the packet, and the hash data. (The SPI helps the computer keep track of the computers it’s communicating with.) The computer on the other end receives the IP packet, calculates the hash value, and compares it to the data in the AH header to verify the integrity of the payload. If the values don’t match, the packet is dropped.

• The other IPSec transport protocol is the Encapsulating Security Payload (ESP) protocol, which provides data integrity as well as data confidentiality (encryption) using one of the two encryption algorithms, DES or 3DES. Like AH, ESP uses MD5 or SHA to hash an IP packet’s header and payload, but it includes the hash in the ESP authentication data at the end of the packet instead of in the ESP header, which contains the packet’s sequence number and the SPI. The ESP header is inserted behind the IP header and the AH header (if there is one) but before the IP payload. You can see how ESP signs an IP packet in Figure 4-2. After the payload, you’ll find the ESP trailer, which contains mostly padding (required by the ESP packet format) and the ESP authentication data, where you’ll find the hash for verifying data integrity. ESP encrypts only the payload and not the headers in IPSec’s transport mode.

Figure 4-2: ESP packets.
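The AH receiver behaviour described above (hash the header and payload, compare, drop on mismatch) together with the anti-replay sequence numbers listed earlier in this topic, as an added Go example that is not from the manual. It models the AH fields as a struct rather than the real wire format, uses HMAC-SHA-1 as the hash, and feeds the receiver a constructed packet sequence; the shared key, IP header bytes and payloads are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// ahPacket models the fields the text describes (not the exact AH wire format):
// original IP header, AH header (SPI, sequence number, hash), then the payload.
type ahPacket struct {
	IPHeader []byte // original IP header, covered by the hash
	SPI      uint32 // Security Parameters Index: which SA the packet belongs to
	Seq      uint32 // per-packet sequence number, used for anti-replay
	ICV      []byte // the hash: HMAC-SHA-1 over the protected bytes
	Payload  []byte // TCP/UDP header plus data
}

// protectedBytes is everything the hash covers; the hash field itself is excluded.
func protectedBytes(p *ahPacket) []byte {
	var ah [8]byte
	binary.BigEndian.PutUint32(ah[0:4], p.SPI)
	binary.BigEndian.PutUint32(ah[4:8], p.Seq)
	buf := append([]byte{}, p.IPHeader...)
	buf = append(buf, ah[:]...)
	return append(buf, p.Payload...)
}

// sign is the sender's side: fill in the hash using the SA's shared key.
func sign(key []byte, p *ahPacket) {
	mac := hmac.New(sha1.New, key)
	mac.Write(protectedBytes(p))
	p.ICV = mac.Sum(nil)
}

// saInbound is the receiver's state for one inbound SA (a real implementation
// tracks accepted sequence numbers in a fixed-size bitmap; a map keeps this short).
type saInbound struct {
	key     []byte
	spi     uint32
	highest uint32          // highest sequence number accepted so far
	seen    map[uint32]bool // sequence numbers already accepted
}

var errUnknownSPI = errors.New("no SA for this SPI: dropped")
var errIntegrity = errors.New("hash mismatch, packet altered in transit: dropped")
var errReplay = errors.New("sequence number already accepted, replay: dropped")
var errTooOld = errors.New("sequence number below anti-replay window: dropped")

// accept recomputes the hash and applies a 64-entry anti-replay window. Replay
// state is updated only after the hash verifies, so a forged packet cannot advance it.
func (sa *saInbound) accept(p *ahPacket) error {
	if p.SPI != sa.spi {
		return errUnknownSPI
	}
	if p.Seq+64 <= sa.highest {
		return errTooOld
	}
	if sa.seen[p.Seq] {
		return errReplay
	}
	mac := hmac.New(sha1.New, sa.key)
	mac.Write(protectedBytes(p))
	if !hmac.Equal(mac.Sum(nil), p.ICV) {
		return errIntegrity
	}
	sa.seen[p.Seq] = true
	if p.Seq > sa.highest {
		sa.highest = p.Seq
	}
	return nil
}

// demo pushes a constructed packet sequence through one SA and returns the
// receiver's verdict on each packet (nil means accepted).
func demo() []error {
	key := []byte("constructed-sa-key-for-demo") // hypothetical shared key
	hdr := []byte{0x45, 0x00, 0x00, 0x3c, 0xc0, 0xa8, 0x01, 0x0a, 0xc0, 0xa8, 0x01, 0x14}
	sa := &saInbound{key: key, spi: 0x1000, seen: map[uint32]bool{}}
	mk := func(seq uint32, payload string) *ahPacket {
		p := &ahPacket{IPHeader: hdr, SPI: 0x1000, Seq: seq, Payload: []byte(payload)}
		sign(key, p)
		return p
	}
	first, altered := mk(1, "GET /report"), mk(2, "GET /report")
	altered.Payload = []byte("GET /secret") // modified after signing
	return []error{
		sa.accept(first),                // accepted
		sa.accept(altered),              // hash mismatch: dropped
		sa.accept(first),                // replay of packet 1: dropped
		sa.accept(mk(100, "GET /next")), // accepted; window now covers 37..100
		sa.accept(mk(2, "GET /late")),   // below the window: dropped
		sa.accept(mk(50, "GET /late")),  // late but inside the window: accepted
	}
}
```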


Internet Key Exchange

Along with the algorithms that are used to verify data integrity, IPSec uses the Internet Key Exchange (IKE) protocol to create a master key, which in turn is used to generate bulk encryption keys for encrypting data. (IKE is a newer term for the Internet Security Association and Key Management Protocol and Oakley key generating protocol, usually seen as ISAKMP/Oakley.) The computers involved in the secured communication never exchange the master key. Instead, the Diffie-Hellman (DH) algorithm is used separately by each computer to generate the master key. Using DH, the computers agree on a prime number and a public key, which are used along with each computer’s secret key to create another set of numbers that are shared between the computers. The computers then use the DH algorithm to each separately calculate matching master keys. Because no other computer can access the two computers’ secret keys, no other computer can use the DH algorithm to create the master key.

Different DH groups provide different levels of encryption through varying sizes of the prime number that the computers exchange to begin the key generation process. The higher a DH group, the larger the prime number and the higher the level of security the generated key provides. The DH group on both computers involved in the communication session must match in order for the keying to be successful.
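The agreement just described, as an added Go example that is not from the manual: the two computers share only the prime, the generator (the text’s “public key”) and their public values, each keeps its own secret, and both arrive at the same master key, while mismatched groups do not. The prime size, the hashing of the shared value with SHA-1 and all names are assumptions for the demo, not IKE’s actual groups or key derivation.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"math/big"
)

// dhGroup is the public agreement both computers start from: a prime modulus p
// and a generator g (the "public key" in the text). IKE's numbered DH groups use
// fixed, published primes; this demo generates a much smaller prime at run time.
type dhGroup struct {
	p, g *big.Int
}

func newGroup(bits int) (*dhGroup, error) {
	p, err := rand.Prime(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &dhGroup{p: p, g: big.NewInt(2)}, nil
}

// party is one computer. Its secret never leaves the machine; only the public
// value g^secret mod p is sent to the peer.
type party struct {
	group  *dhGroup
	secret *big.Int
	public *big.Int
}

func newParty(grp *dhGroup) (*party, error) {
	two := big.NewInt(2)
	r, err := rand.Int(rand.Reader, new(big.Int).Sub(grp.p, two))
	if err != nil {
		return nil, err
	}
	secret := r.Add(r, two) // uniform in [2, p-1]
	public := new(big.Int).Exp(grp.g, secret, grp.p)
	return &party{group: grp, secret: secret, public: public}, nil
}

// masterKey combines the peer's public value with the local secret. Both sides
// compute g^(a*b) mod p and hash it into a fixed-length key (SHA-1 here).
func (pt *party) masterKey(peerPublic *big.Int) []byte {
	shared := new(big.Int).Exp(peerPublic, pt.secret, pt.group.p)
	sum := sha1.Sum(shared.Bytes())
	return sum[:]
}

// exchange runs the agreement between two computers, each configured with its
// own group, and reports whether they derived the same master key.
func exchange(ga, gb *dhGroup) (bool, error) {
	a, err := newParty(ga)
	if err != nil {
		return false, err
	}
	b, err := newParty(gb)
	if err != nil {
		return false, err
	}
	// Only a.public and b.public cross the network; the secrets stay put.
	return bytes.Equal(a.masterKey(b.public), b.masterKey(a.public)), nil
}

// sameGroupAgrees: matching DH groups on both computers yield matching keys.
func sameGroupAgrees(bits int) (bool, error) {
	grp, err := newGroup(bits)
	if err != nil {
		return false, err
	}
	return exchange(grp, grp)
}

// mismatchedGroupsAgree: with a different prime on each side the computed
// values do not match, which is why the DH group must be the same on both.
func mismatchedGroupsAgree(bits int) (bool, error) {
	g1, err := newGroup(bits)
	if err != nil {
		return false, err
	}
	g2, err := newGroup(bits)
	if err != nil {
		return false, err
	}
	return exchange(g1, g2)
}

func main() {
	ok, _ := sameGroupAgrees(256)
	bad, _ := mismatchedGroupsAgree(256)
	fmt.Println("same group, master keys match:", ok)
	fmt.Println("mismatched groups, master keys match:", bad)
}
```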

IPSec Security Associations

A security association (SA) is the negotiated relationship between two computers using IPSec. SAs are the result of the two-stage negotiation process. These stages are known as Phase 1 and Phase 2. The Phase 1 SA is the agreement between the computers on how communication will take place (authentication, encryption, master key generation). The resulting Phase 1 SA is a bi-directional relationship. Think of this first SA as the agreement to communicate—the computers have established a secure channel over which to send data.

Figure 4-3: Security associations.

Phase 2 produces two one-way SAs on each computer: one inbound SA and one outbound SA. The Phase 2 SA is used for the actual transmission of data. Where the first SA was the agreement to communicate, this SA is the actual communication.

A computer may have several Phase 1 and Phase 2 SAs with a variety of computers: think about a popular file server in your network that can have any number of users connected to it at any given time. Phase 1 SAs last for one hour by default, which allows computers to exchange data using multiple Phase 2 SAs without having to start from scratch with a Phase 1 SA. You can configure SA lifetimes for a longer or shorter duration.


Windows 2000 and Windows XP IPSec Policy Agent

The IPSec Policy Agent is a service that runs on each Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional computer, where it’s displayed as the IPSEC Services service. The IPSec Policy Agent starts when the system starts and checks Active Directory for IPSec policy for computers that are members of a domain. If the computer isn’t a domain member, then the IPSec Policy Agent checks the Registry for local IPSec policy. When it finds IPSec policy information, it transfers that information to the IPSec driver. The IPSec Policy Agent checks for policy information at system startup and at regular, configurable intervals.

Windows 2000 and Windows XP IPSec Driver

After the IPSec Policy Agent gathers the IPSec policy to be applied to the computer, the IPSec driver has the responsibility for implementing that policy. Based on policy requirements, the IPSec driver watches packets being sent and received to determine if the packets need to be signed and encrypted. If the IPSec driver determines that packets need to be signed and encrypted (outbound) or verified and decrypted (inbound), it is responsible for managing those services using the various IPSec components described previously. You might see this driver called the IPSec security driver in Windows XP Professional.

Default IPSec Policies in Windows 2000 and Windows XP

Now that you have some of the basics of IPSec under your belt, it’s time to take a look at how all this is implemented in Windows 2000 and Windows XP. Like other security features, IPSec can be deployed through Group Policy. And like many other security settings in Group Policy, IPSec policies are applied to the computer, not the user, and all the normal Group Policy rules apply.

As you can imagine, because there are so many configurable settings in IPSec policies, they could be difficult to create from scratch for a beginner or even an experienced administrator who’s unfamiliar with IPSec. Luckily, there are three default IPSec policies that you can use as a starting point. And while these default policies do exist, they have not been assigned, which in IPSec terms means the settings have not been applied. You must explicitly assign IPSec policies if you want to apply their settings. The Windows 2000 and Windows XP default IPSec policies are:

• Client (Respond Only)—This policy allows the computer to communicate normally until another computer requests security. The computer will then use the default response rule to negotiate a secure session.

• Secure Server (Require Security)—This policy requires secure communications at all times. The computer will not communicate with another computer that can’t negotiate a secure session.

• Server (Request Security)—This policy requests negotiations for a secure session but will communicate with a computer that does not respond to the request.

It’s important to understand that IPSec policies are meant to work in pairs, meaning that IPSec policies must be assigned to each computer you want to use IPSec to secure communications. For example, simply assigning an IPSec policy to a file server or client separately will not work; you must assign an IPSec policy to the client and the file server if you want them to communicate using a secure session. If you don’t deploy policies in pairs, you’re not going to get the security you’re looking for, and you might even end up isolating some of your systems from the rest of the network. So with those caveats in mind, let’s take a look at the default settings and see how all the IPSec components you’ve learned about so far are implemented in Windows 2000.

IPSec policies are composed of rules. A rule has five components:

• IP filter, shown in Figure 4-4, which describes the specific protocol, port, and source computer or destination computer to which the rule should apply. An outgoing or incoming packet that matches an IP filter triggers a filter action. Remember, it’s the IPSec driver that matches IP filters to IP packets, and you can have only one IP filter selected in the list at one time.

• Filter action, which is the action the IPSec driver should take when it encounters a packet that matches an IP filter. The choices are Permit, Request Security (Optional), and Require Security, as shown in Figure 4-5.

• Authentication method, which is the method for establishing a trust relationship as part of the Phase 1 SA. The three choices are Kerberos, a certificate, or a pre-shared key that you create. All computers must enter an identical pre-shared key.

• Tunnel setting, which allows you to configure the computer to create a tunnel to another computer.

• Connection type, which lets you specify the network connection to which this rule applies. The three choices are all network connections, only the Local Area Network, or only remote access connections.

Figure 4-4: IP filter list.


Figure 4-5: Filter actions.

Figure 4-6: IPSec policy rules.


There are multiple rules in each default policy, as you can see in Figure 4-6, and it’s the default Dynamic rule that you can use to set the authentication and encryption methods we examined earlier and configure the manner in which a computer will negotiate secure communications. All rules that are checked in a default policy are applied.

ACTIVITY 4-1
Investigating the Default IPSec Policies

Scenario:

You are the security administrator for an organization called MilTrack that does consulting for military personnel. As the organization begins the process of adopting a security policy, you’ve been asked some questions about a report you submitted detailing the default IPSec policies in Windows 2000 and Windows XP.

What You Do How You Do It

1. Why use IPSec? Why isn’t it enough to harden the servers and the client computers?

2. In Windows 2000, display the default IPSec policies.

a. From the Administrative Tools menu, choose Domain Controller Security Policy.

b. If necessary, expand Security Settings and select IP Security Policies.

3. If you want a Windows 2000 server to request negotiations for a secure session but still communicate with a computer that does not respond to the request, you would use the __________ default IPSec policy.

4. If you want a Windows 2000 server to require secure communications at all times and not communicate with another computer that can’t negotiate a secure session, you would use the __________ default IPSec policy.

5. Display the Server default IPSec policy and open the All IP Traffic rule.

a. Double-click the Server (Request Security) policy.

b. In the list of security rules, double-click All IP Traffic.

6. How are the five components of the rule displayed?


7. Match the component with its description.

IP filter   a. Defines the action the IPSec driver should take when it encounters a packet that matches an IP filter.

Filter action   b. Describes the specific protocol, port, and source computer or destination computer to which the rule should apply.

Authentication method   c. Allows you to configure the computer to create a tunnel to another computer.

Tunnel setting   d. Lets you specify the network connection to which this rule applies.

Connection type   e. Establishes a trust relationship as part of the Phase 1 SA.

8. If you choose to use a pre-shared key as the authentication method, which characters must the key contain?

9. True or False? You must explicitly assign a policy to a computer to apply its settings to that computer.

10. What would happen if you had a Secure Server policy assigned to a Windows 2000 server but no Client policies assigned to the Windows XP computers in the network?

11. Close all windows.

a. Click Cancel in the Edit Rule Properties dialog box.

b. Click Cancel in the Server (Request And Security) Properties dialog box.

c. Close Domain Controller Security Policy.

Windows XP IPSec Tools

Windows XP Professional includes a new snap-in called IP Security Monitor that you can add to a custom MMC console. You can use the monitor to focus on a computer and monitor the IPSec implementation for that computer. You can use IP Security Monitor to view a wide variety of IPSec statistics, including data on SA negotiations, IPSec driver workload, key generation, and the amount of data transferred using IPSec.

Windows XP also includes a snap-in called IP Security Policy Management. This snap-in contains the default IPSec policies in their own snap-in so you can add them to a custom MMC instead of accessing the policies in Local Security Policy.


ACTIVITY 4-2
Installing IP Security Snap-ins

Scenario:

Before you can begin MilTrack’s IPSec implementation, you need to install the Windows XP IPSec tools on your Windows XP computer. After installation is complete, you’re looking to begin IPSec implementation on all your Windows XP computers and Windows 2000 servers.

What You Do How You Do It

1. Reboot the computer into Windows XP Professional.

a. Restart the computer and choose Windows XP Professional from the boot loader menu.

b. Log on as Administrator with a password of !Pass1234.


2. Create a custom MMC console containing IP Security Policy Management and IP Security Monitor.

a. From the Start menu, choose Run.

b. Enter mmc and click OK.

c. Maximize the Console1 and Console Root windows.

d. Choose File→Add/Remove Snap-in.

e. Click Add.

f. In the Available Standalone Snap-ins list, select IP Security Monitor and click Add.

g. Select IP Security Policy Management and click Add.

h. In the Select Computer Or Domain dialog box, verify that Local Computer is selected and click Finish.

i. Click Close to close the Add Standalone Snap-in dialog box.

j. Click OK to close the Add/Remove Snap-in dialog box.

k. Choose File→Save As.

l. Enter IPSec Management as the file name.

m. Click Save to save the console to the default location.

3. Why are there Server and Secure Server policies on a Windows XP computer?

Secure Network Traffic Using IPSec

Procedure Reference: Secure Network Traffic Using IPSec

To secure network traffic using IPSec:

1. Create an appropriate IPSec policy or identify an appropriate default policy. In Windows 2000 or Windows XP, for maximum security, choose Secure Server (Require Security). To modify an existing policy:


a. Open IP Security Policy Management or Local Security Policy and display the default IPSec policies.

b. Right-click the appropriate security policy and choose Properties.

c. In the Properties dialog box, modify the policy according to your security policy guidelines.

2. Deploy the IPSec policy by assigning it to the appropriate computers. In a Windows environment, you can automate this procedure by using Group Policy.

To deploy IPSec policies on the local computer, right-click the policy you want to assign and choose Assign.

To deploy IPSec policies using Group Policy, assign the appropriate IPSec policy at the site, domain, or OU level.

3. Test IPSec communications to verify that only secured hosts can communicate with each other.

4. Verify that communications are secure by examining network data with a packet analyzer such as Network Monitor or, in Windows environments, the Windows IP Security Monitor MMC snap-in. To verify communications using Windows IP Security Monitor:

a. In Windows IP Security Monitor, expand your computer object.

b. Expand the Main Mode folder and select the Security Associations folder.

c. Right-click the security association object and choose Properties to see the authentication mode as well as the encryption and data integrity algorithms negotiated for the security association.

ACTIVITY 4-3
Securing Network Traffic Using IPSec

Scenario:

Most of MilTrack’s consulting is done on site at military bases throughout the world, and it is your responsibility to set up Windows XP computers in each site, so that consultants can fill out background check applications and send them to a security officer for review. The consultants fill out applications while sitting at an available Windows XP system in an isolated workgroup. The data is then transferred to the security officer’s Windows XP computer so that she can review it before sending it to the government for final approval. The consultants will then be granted or denied the appropriate clearance to enter the military installations. In the past, MilTrack had consultants sit at the security officer’s computer and fill out the forms; however, this created a backlog of consultants waiting to use her computer. You now want to use additional isolated computers in your workgroup and transfer data securely between the computers using IPSec. The first workgroup you will secure by using IPSec contains two computers, your computer and the other Client# computer.


The IT department has designed a security deployment plan for all new systems, including the Windows XP Professional desktops, and you as the security administrator need to make sure the plan is implemented. Part of the plan requires that confidential data be encrypted across the network using IPSec. Because you do not have Kerberos-based authentication in your workgroup, or have a Certificate Authority available at the various military sites, IPSec security will be based on the use of pre-shared keys. For your implementation of IPSec, you will use a pre-shared key of bogus123.


What You Do How You Do It

1. Modify the appropriate IPSec policy for your computer to use a pre-shared key of bogus123.

Enter the key exactly as it appears here. IPSec is case-sensitive.

a. In the console tree pane, select IP Security Policies On Local Computer.

b. In the details pane, right-click the Secure Server (Require Security) policy and choose Properties.

c. In the IP Filter List, select the All IP Traffic filter but do not uncheck the check box.

d. Click Edit.

e. Select the Authentication Methods tab.

f. Click Add.

g. Select Use This String (Preshared key).

h. In the Use This String text box, type bogus123.

i. Click OK.


j. In the Authentication Method Preference Order list, select Preshared Key and click Move Up. Preshared Key should now be first in the list.

k. Click OK.

l. Click Close.

2. Assign the policy.

After you assign the policy, you need to wait for your partner before proceeding to the next step.

a. Right-click the Secure Server (Require Security) policy and choose Assign. The Policy Assigned value for the Secure Server policy should be Yes.

3. Verify that you can connect to your partner’s computer using IPSec security.

a. Open a command prompt window.

b. Enter ping client#, where # is your partner’s computer number.

c. After you receive four successful replies, close the command prompt window.


4. Verify that you have an IPSec Security Association with your partner.

You might have security associations with other computers as well, due to network browser broadcast traffic.

a. In the Tree pane of the IPSec Management console window, expand IP Security Monitor and expand your computer object. Your computer object should appear with a green upward-pointing arrow.

b. Expand the Main Mode folder and select the Security Associations folder. In the right pane, you should see a security association between your IP address and your partner’s IP address.

c. Right-click the security association object and choose Properties. You can see the authentication mode (preshared key) as well as the encryption and data integrity algorithms negotiated for this security association.

d. Click Cancel to close the property sheet.

e. Close IPSec Management. You do not need to save console settings.

TOPIC B
Secure Wireless Traffic

Another reason why you might need to implement specialized network security is because of a particular type of networking technology that you are incorporating in your LAN. Wireless networking is becoming more and more prevalent in all types of LAN environments, and wireless devices and protocols pose their own security challenges. In this topic, you’ll learn to secure traffic over wireless LAN connections.

Wireless networking has become more and more popular because of the mobility it gives to network users, and the simplicity of connecting components to a LAN. However, that very simplicity creates security problems, because any attacker with physical access and a laptop with a wireless network adapter can attach to your wireless LAN, and once an attacker’s on your network, you have trouble. If you know the right security procedures, you can provide the convenience of wireless connections to your users without compromising network security.

Wireless Protocols

Just as wired devices on a network use protocols to communicate, so do wireless devices. Listed in the following table are the most common wireless protocols today.


Figure 4-7: Wireless protocols.

Protocol: Wireless Application Protocol (WAP)

Description: A protocol that’s used to transmit data to and from wireless devices such as cell phones, PDAs, and handheld computers, sometimes over very long distances to be displayed on small screens. You can use WAP to transmit Web pages (using Wireless Markup Language—WML), email, and newsgroups. WAP is an industry standard developed by companies such as Ericsson, Motorola, and Nokia. WAP has five layers: Wireless Application Environment, Wireless Session Protocol, Wireless Transport Protocol, Wireless Transport Layer Security (WTLS), and the Wireless Datagram Protocol.

Protocol: 802.11b

Description: 802.11b (also called Wi-Fi, short for “wired fidelity”) is probably the most common and certainly the least expensive wireless network protocol used to transfer data among computers with wireless network cards or between a wireless computer or device and a wired LAN. 802.11b provides for an 11 Mbps transfer rate in the 2.4 GHz frequency. (Some vendors, such as D-Link, have increased the rate on their devices to 22 Mbps.) 802.11b has a range up to 1000 feet in an open area and a range of 200 to 400 feet in an enclosed space (where walls might hamper the signal).

Protocol: 802.11a

Description: 802.11a is a more expensive but faster protocol for wireless communication than 802.11b. 802.11a supports speeds up to 54 Mbps in the 5 GHz frequency. Unfortunately that blazing speed has a limited range of only 60 feet, which, depending on how you arrange your access points, could severely limit user mobility. Although more secure and faster, 802.11a isn’t as widely deployed as 802.11b.


Mobile Device Vulnerabilities

Although they are not stationary and not connected permanently to a network, mobile devices share some of the same vulnerabilities as the computers and devices that are permanently connected to a LAN. And, of course, they have some unique vulnerabilities. Some examples of both are included in the following table.

Vulnerability: Data stored in plaintext

Description: Often, users store personal and confidential information (for example, Social Security numbers, medical information, credit card numbers) on their handheld devices using a built-in text editing application or the device’s contact manager (Palm Databook or Microsoft Pocket Outlook). These contact managers do not store their information in an encrypted format. Palm OS permits the user to specify records as Private, but this is not an encrypted format and is easily accessible by an attacker familiar with the inner workings of the operating system, which means much of this data is accessible to crackers who have either stolen or temporarily borrowed a device.

Vulnerability: Viruses

Description: While there are currently few viruses and Trojans that affect handheld devices, they do exist. In fact, Symantec distributes a version of its antivirus software for Palm OS. Like other viruses, those that affect handheld devices cause trouble typically by deleting or corrupting data.

Vulnerability: Buffer overflows

Description: As with desktop and server applications, it’s also possible for applications on handheld devices to be vulnerable to buffer overflows, which may cause the device operating system to crash or reboot, and may also cause the loss of data or execution of rogue code on devices.

Vulnerability: SSL on WAP

Description: Many WAP gateways, through which WAP data travels between the Web server and the handheld device, have been found to have an SSL vulnerability. These gateways may not check the validity of the SSL certificate used for data encryption, which may allow rogue sites to capture personal and financial information without the user’s knowledge.

Vulnerability: Lack of authentication

Description: By default, many wireless access points (APs) will accept communications from just about any wireless device. While this might seem ideal because it means easy access to network resources without a lot of configuration, it also creates the perfect opportunity for the wrong people to get into your network, making wardriving a very real threat.

LESSON 4

Lesson 4: Securing Network Communications 173


Wired Equivalent Privacy (WEP): WEP provides 64-bit, 128-bit, and 256-bit encryption using the Rivest Cipher 4 (RC4) algorithm for wireless communication that uses the 802.11a and 802.11b protocols. While WEP might sound at first like a good solution, ironically WEP currently isn’t as secure as it should be. The problem stems from the way WEP produces the keys that are used to encrypt data. Because of a flaw in the method, attackers could easily generate their own keys after capturing (with a tool such as AirSnort) and analyzing as little as 10 MB of data transferred through the air. So while WEP is the only solution for now, until the release of newer versions of the 802.11 protocol, it isn’t the best one.

Wireless Transport Layer Security (WTLS): WTLS is the security layer of WAP and is the wireless equivalent of TLS in wired networks. WTLS is fast becoming the de facto security standard for WAP communications. While in most cases WTLS is meant to provide secure WAP communications, if it’s improperly configured or implemented, it can expose wireless devices to attacks that include email forgery and sniffing data that’s been sent in plain text.

Some experts believe that wireless communication is inherently insecure and that there isn’t currently any practical way of really securing it.
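The WEP weakness described in the table above comes from how the per-packet RC4 key is built: a 24-bit initialization vector (IV), sent in the clear, is prepended to the shared secret, so there are only 2^24 possible per-packet keys and the same RC4 keystream is reused whenever an IV repeats. The following Python script is an added example, not code from the course, that implements WEP-style framing (RC4 over the payload plus a CRC-32 integrity check value) and shows the consequence from a defender's point of view: two frames encrypted under a reused IV leak the XOR of their plaintexts, and the birthday bound puts a likely IV repeat at only a few thousand frames. The secret key, IVs and payloads are constructed sample values.

```python
import math
import struct
import zlib

IV_LEN = 3  # WEP prepends a 24-bit IV, sent in the clear, to the shared secret


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the output generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || RC4(iv || secret)(plaintext || ICV), a WEP-style frame body."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 3 bytes")
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Strip the IV, undo RC4 with the same per-packet key and verify the ICV."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plain = xor_bytes(body, rc4_keystream(iv + secret, len(body)))
    payload, tag = plain[:-4], plain[-4:]
    if tag != icv(payload):
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return payload


def ciphertext_xor_if_iv_reused(frame_a: bytes, frame_b: bytes):
    """If both frames carry the same IV they were encrypted with the same
    keystream, so XOR of the ciphertexts equals XOR of the plaintexts (plus
    ICVs). Returns None when the IVs differ and no such relation holds."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        return None
    n = min(len(frame_a), len(frame_b)) - IV_LEN
    return xor_bytes(frame_a[IV_LEN:IV_LEN + n], frame_b[IV_LEN:IV_LEN + n])


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: number of frames after which a repeated random IV has
    the given probability. For 24-bit IVs and p = 0.5 this is under 5,000."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    # Constructed sample values, not a real key or captured traffic.
    secret = bytes.fromhex("5555555555")  # 40-bit secret, i.e. "64-bit WEP"
    iv = bytes.fromhex("0a0b0c")
    frame_a = wep_encrypt(secret, iv, b"GET /index.html HTTP/1.0")
    frame_b = wep_encrypt(secret, iv, b"GET /secret.html HTTP/1.0")
    print("round trip:", wep_decrypt(secret, frame_a))
    print("IV reused, plaintext XOR exposed:",
          ciphertext_xor_if_iv_reused(frame_a, frame_b) is not None)
    print("frames for a 50% chance of an IV repeat:",
          round(frames_until_iv_collision()))
```

The point for a defender is that no choice of key length fixes this: the IV space is the same 24 bits whether the secret is 40, 104 or 232 bits, which is why the course treats WEP as a partial measure to be layered with 802.1x and MAC filtering rather than as a complete solution.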

Wireless Security Methods

And just as there are methods for securing wired communication on a LAN, there are methods and protocols to secure wireless communication. The following table describes some of the common methods for securing wireless communication.

Keep sensitive data private: Don’t include any data on a wireless device, such as a PDA, that you’re not willing to lose if the device is lost or stolen.

Antivirus software: If it’s available for your specific device and OS, antivirus software can be just as important on a wireless device as it is on a computer.

Software updates: Updated software not only provides additional functionality but can also close security holes in wireless devices.

WTLS: Again, like WEP, WTLS has its flaws, but properly configured it does provide a layer of security for WAP communications.

Authentication and access control: Because many wireless access points will accept connections from any devices using a compatible protocol, there must be a way to filter unwanted network traffic, from a scheming attacker or even the guy across the street in the coffee shop. There are several methods for authentication and access control, from MAC address filtering to authenticating users against a directory service such as Active Directory or NDS.


802.1x: Used to provide a port-based authentication mechanism for wireless communications using the 802.11a and 802.11b protocols. 802.1x uses EAP to provide user authentication against a directory service.

WEP: While WEP has its flaws, it does provide some measure of protection from all but the most determined attackers.

Secure Wireless Traffic

Procedure Reference: Secure a Wireless Router

To secure wireless traffic:

1. Keep the software on your wireless router up to date.

2. Enable 802.1x to authenticate wireless clients.

3. Enable WTLS to provide authentication and privacy for your wireless communications.

4. Enable MAC filtering on your wireless routers to prevent unauthorized clients from connecting to the network.

a. Open the properties of your router.

b. Configure your router to only accept connections from computers with specified MAC addresses.

c. Add the MAC addresses of the computers you want to connect to the wireless router to its properties.

5. Configure and enable data encryption with WEP to prevent data theft. To configure your wireless router and wireless network card to use WEP:

a. Open the properties of your router.

b. Enable WEP and select an encryption level. Configure an encryption key.

c. Enable WEP on your wireless network card and select an encryption level. Configure an encryption key.
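As an added example that is not part of the course, the Python script below checks a wireless router configuration against the steps of this procedure. It normalizes MAC addresses into one canonical form so that an allow list compares correctly whatever separator a utility displays (step 4), computes how many hex characters a WEP key at a given level needs (the advertised 64-, 128- and 256-bit sizes include the 24-bit IV, so the typed secret is 40, 104 or 232 bits, that is 10, 26 or 58 hex digits), and flags a key made of one repeated digit (step 5). The configuration dictionary and its field names are this example's own, and the MAC addresses and key are constructed sample values.

```python
import re

WEP_IV_BITS = 24
WEP_LEVELS = (64, 128, 256)


def wep_secret_hex_digits(level_bits: int) -> int:
    """Hex digits the administrator must type for a nominal WEP level.
    The advertised size counts the 24-bit IV, so 64 -> 10, 128 -> 26, 256 -> 58."""
    if level_bits not in WEP_LEVELS:
        raise ValueError(f"unsupported WEP level: {level_bits}")
    return (level_bits - WEP_IV_BITS) // 4


def normalize_mac(mac: str) -> str:
    """Canonical 'AA-BB-CC-DD-EE-FF' form; accepts colons, dashes or dots."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def client_allowed(client_mac: str, allow_list) -> bool:
    """MAC allow-list check as a router applies it. MAC addresses are not
    secret, so this limits stray connections but is not user authentication."""
    return normalize_mac(client_mac) in {normalize_mac(m) for m in allow_list}


def check_wep_key(level_bits: int, key_hex: str) -> list:
    """Problems with a WEP key for the chosen encryption level."""
    problems = []
    need = wep_secret_hex_digits(level_bits)
    if not re.fullmatch(r"[0-9A-Fa-f]+", key_hex):
        problems.append("key must be hexadecimal digits only")
    elif len(key_hex) != need:
        problems.append(f"{level_bits}-bit WEP needs {need} hex digits, got {len(key_hex)}")
    if len(set(key_hex.upper())) <= 1:
        problems.append("key is a single repeated digit; use random hex digits")
    return problems


def audit_router_config(cfg: dict) -> list:
    """Report every way the configuration falls short of the procedure.
    cfg keys are this example's own: firmware_current, dot1x, mac_filtering,
    allowed_macs, wep_enabled, wep_level, wep_key."""
    findings = []
    if not cfg.get("firmware_current"):
        findings.append("router software is not up to date (step 1)")
    if not cfg.get("dot1x"):
        findings.append("802.1x client authentication is disabled (step 2)")
    if not cfg.get("mac_filtering"):
        findings.append("MAC filtering is disabled (step 4)")
    elif not cfg.get("allowed_macs"):
        findings.append("MAC filtering is on but the allow list is empty (step 4c)")
    if not cfg.get("wep_enabled"):
        findings.append("WEP encryption is disabled (step 5)")
    else:
        findings += [f"WEP key: {p} (step 5b)"
                     for p in check_wep_key(cfg["wep_level"], cfg["wep_key"])]
    return findings


if __name__ == "__main__":
    # Constructed sample configuration mirroring the activity that follows.
    sample = {
        "firmware_current": True, "dot1x": False, "mac_filtering": True,
        "allowed_macs": ["00-40-05-B8-2D-7C"], "wep_enabled": True,
        "wep_level": 256, "wep_key": "5" * 58,
    }
    for finding in audit_router_config(sample):
        print("-", finding)
    print("client allowed:", client_allowed("00:40:05:b8:2d:7c", sample["allowed_macs"]))
```

Run against the sample, the audit reports two findings: 802.1x is off, and the all-5s key is a single repeated digit, which is the same point the activity makes when it recommends random characters in a high-security environment.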


ACTIVITY 4-4

Securing Wireless Traffic

Data Files:

• Wireless.exe

Setup:

This is a simulated activity. In this simulation, you have a Windows XP Professional computer named elementk-ngqv7t. The Windows XP Professional computer has a wireless network adapter with a MAC address of 00-40-05-B8-2D-7C. The adapter is configured to obtain addressing information automatically. There is an 802.11b-compliant wireless router providing network and Internet access. The router’s MAC address is 00-40-05-B7-FF-81. In the simulation, the router obtains IP addressing dynamically from a DHCP server and automatically issues IP addresses to wireless clients on the 192.168.0.x network. The IP address of the administrative interface on the router is 192.168.0.1. Wireless clients use this IP address as their default gateway. The default management account for the router is admin with no password.

This activity was written using a D-Link Enhanced 2.4 GHz Wireless Router, model 614+ and D-Link Enhanced 2.4 GHz Wireless PCI adapter, model DWL 520+. For more information, visit www.dlink.com.

Scenario:

You have been assigned the task of tightening security for a small insurance sales organization called Eckert Insurance, Inc. Many of the employees are mobile users, and it is your responsibility to set up Windows XP laptop and desktop computers with wireless cards so that users can communicate with each other without having to run any cables. The CEO, Jim McBee, is concerned that attackers may steal customer information. Jim says that employees run applications and transfer customer data and sales information on Windows XP Professional systems configured in a workgroup. Jim wants to make sure that only valid computers can communicate with each other and also wants to encrypt the data transferred between computers.

You have successfully tested Internet access through the router on the first desktop computer. Now, you need to configure the router’s security features. First, you must configure the router with MAC filtering enabled and verify that the Windows XP Professional computer can communicate with the wireless router. You will then need to configure WEP on the router to verify that the data will be encrypted. The IT consultants for Eckert Insurance have developed a plan for wireless usage that requires all wireless traffic to be encrypted using 256-bit encryption with a key of all 5s. The IT consultants will later work with Eckert Insurance’s ISP to secure the router’s firewall, DMZ, and port filtering options. Configure the wireless security on your wireless router.


What You Do / How You Do It

1. Run the Wireless.exe simulation file and open the Web management interface for the router.

As you work through the simulated activity, it might occasionally be necessary to click the Next button in the simulation’s navigation box in order to advance to the next screen.

a. From the student data files, run Wireless.exe. The simulated environment contains a simulated computer desktop. There is a navigation box in the lower-right corner of the simulation window.

b. Within the simulation window, click the Start button.

c. Click Internet to open Internet Explorer.

d. Click in the Address Bar to select the existing address information.

e. In the Address Bar, type http://192.168.0.1 and press Enter.

f. In the Connect To 192.168.0.1 dialog box, in the User Name text box, enter admin and click OK. (The default Admin password is blank.) The Web Management interface page for the router opens.


2. Configure and enable MAC filtering on the router.

a. Select the Advanced tab.

b. In the left pane, click the Filters button.

c. Select MAC Filters.

d. Verify that your MAC address is listed as a DHCP client and click Clone. If your client was not listed, you could manually enter the computer’s host name and MAC address in the respective fields.

e. Select Only Allow MAC Address Listed Below To Access Internet From LAN.

f. Click Apply to save the settings.

g. When the Settings Saved message appears, click Continue. The client entry appears in the MAC Filter List.

3. Configure and enable WEP on the router with the appropriate settings.

a. Select the Home tab.

b. In the left pane, click the Wireless button.

c. For WEP, select Enabled.

d. From the WEP Encryption drop-down list, select 256Bit.

e. Select the text in the Key 1 text box.


f. In the Key1 text box, enter all 5s. A 256-bit key will require 58 HEX characters, so you need to enter 58 5s. (In the simulation, press and hold the 5 key; the correct number of 5s will automatically fill in the text box.)

In a high security environment, you may want to use random characters instead of all 5s.

You will find that the simulation only allows you to enter 38 5s. This is fine for this activity, but if you were setting this key in the real world, you would need to enter 58.

g. Click Apply to save the settings.

h. When the Settings Saved message appears, click Continue.

In a live environment, you might get a Page Cannot Be Displayed message at this point, because you might temporarily lose your connection to the router until the router restarts and the wireless network card detects and applies the new WEP settings.

i. Within the simulation window, close Internet Explorer.

4. Verify that the wireless network card is now automatically using WEP.

For performance reasons, you should verify that the data transfer speeds of the wireless devices are at least 22 Mbps to compensate for the additional overhead of WEP. On the D-Link 614+ router, the default setting is Auto, but you can force the setting to 22 Mbps or reposition the router so it gets a better signal. With a better signal, the router should automatically set the data transfer rate to 22 Mbps.

a. In the simulation window, in the System Tray, double-click the icon for the D-Link AirPlus Utility.

b. In the left pane, click Encryption to verify that the Authentication mode is set to Auto.


c. Click Site Survey to verify that WEP is enabled.

d. Double-click the MAC address for the Default entry to view the additional settings.

e. For the first network key, select 256 Bits from the Key Length drop-down list.

f. In the Network Key text box for the first network key, enter all 5s.

g. Click OK. You should now be able to connect to the router.

h. Select Site Survey.

i. Double-click the MAC address for the Default entry to view the additional settings. You should see that the data encryption settings now match those that you configured on the router. However, you cannot see the 256-bit key, only asterisks.

Instead of manually entering the key information, you could wait for the wireless card to detect it automatically.

j. Click Cancel.

k. Close the D-Link AirPlus utility.


5. Verify you can still connect to the Internet with WEP enabled.

a. Open Internet Explorer.

b. Select the text in the Address Bar.

c. Type http://www.dlink.com and press Enter.

d. Close Internet Explorer.

e. In the navigation box in the simulation window, click Exit to close the simulation.

TOPIC C

Secure Client Internet Access

In addition to securing the various types of traffic on your internal network, as you did in the first three topics, you also have to be concerned about the security of network packets that pass from your network to the Internet. A common source of traffic from your network out to the Internet is ordinary client-level Web access from users’ Web browsers and other Web tools. In this topic, you’ll learn to secure the traffic that flows from your client systems onto the Internet.

You might wonder why you need to care about traffic going out of your network. It seems as if what you really need to worry about is attackers coming in. But, in fact, attackers can look at an outbound data stream and get lots of useful information that can help them attack the network. Attackers will be looking at client traffic to determine the network addresses and computer names of the source systems inside your network, and they will try to grab users’ passwords and personal information off the wire as well. To prevent attackers from getting hold of information that they can use against you, be sure that the data your users send out into the world is properly secured.

Browser Vulnerabilities

Browsers are applications and, as such, are vulnerable to the same types of attacks that threaten other applications. However, browsers do have some unique vulnerabilities, examples of which are described in the following table.

Java: Attackers can exploit flaws in Java code to run malicious code of their own or gain access to the target’s file system.


Spyware: Used to relay private information to advertisers, spyware can also be used to relay private information to attackers to be used for a later attack against a system or network.

ActiveX scripts: Attackers can create malicious ActiveX scripts that can be downloaded and executed on unsuspecting users’ systems. An attacker can embed an ActiveX script in a Web page and, if the user’s system is improperly secured, use the script to do just about anything. Signed scripts and applets are one way to help reduce this threat.

Cookies: Cookies can provide attackers with private user data or unauthorized access to a Web site if stolen during transmission and replayed at a later time (“cookie snarfing”).

Autocomplete feature: Data stored by a browser’s autocomplete feature could provide usernames, passwords, and other sensitive information.
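The cookie row above describes theft in transit. The browser-side control against that is a cookie's Secure attribute, which tells the browser never to attach the cookie to a plain http:// request, so a cookie that was issued over HTTPS is not exposed on the wire later. The following Python script is an added example, not code from the course, of that logic: it parses Set-Cookie headers, reports cookies a defender would flag, decides whether a stored cookie may accompany a given request, and applies a per-site allow list in the spirit of the "allow cookies from trusted sites" step in the procedure later in this topic. The headers and site names are constructed sample values, and the allow-list rule is a simplification, not Internet Explorer's actual privacy engine.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into a cookie record.
    Flag attributes such as Secure and HttpOnly are stored as True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Findings a defender would raise about a cookie as a site sets it."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: no Secure attribute, so it will "
                        "travel over plain HTTP and can be captured in transit")
    if "httponly" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: no HttpOnly attribute, so page "
                        "scripts can read it")
    return findings


def may_send_cookie(cookie: dict, request_url: str) -> bool:
    """Browser-side enforcement of Secure: never attach a Secure cookie to a
    non-HTTPS request. This is what defeats capture of the cookie in transit."""
    scheme = urlsplit(request_url).scheme.lower()
    if cookie["attrs"].get("secure") and scheme != "https":
        return False
    return True


def site_accepts_cookies(host: str, allowed_sites, default_allow: bool) -> bool:
    """Per-site allow list: a listed site (or any of its subdomains) may set
    cookies; everything else follows the default policy. Simplified model."""
    host = host.lower().rstrip(".")
    for site in allowed_sites:
        site = site.lower()
        if host == site or host.endswith("." + site):
            return True
    return default_allow


if __name__ == "__main__":
    # Constructed sample Set-Cookie headers, not captured from a real site.
    samples = [
        "session=3f9a; Path=/; Secure; HttpOnly",
        "prefs=lang%3Den; Path=/",
    ]
    for header in samples:
        cookie = parse_set_cookie(header)
        print(cookie["name"], audit_cookie(header))
        print("  sent on http:// ?", may_send_cookie(cookie, "http://www.example.test/"))
        print("  sent on https:// ?", may_send_cookie(cookie, "https://www.example.test/"))
    print(site_accepts_cookies("www.nrc.gov", ["nrc.gov", "anl.gov"], default_allow=False))
```

The allow list mirrors the sites the activity later adds (nrc.gov and anl.gov) with a default of blocking everything else; the parser treats attribute names case-insensitively, as browsers do.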

Internet Explorer Security Tools

Microsoft’s Internet Explorer has two tools that you can use to help secure the browser against threats from attackers. Both tools are described in the following table.

Zones: You can set one of four levels of security based on the four zones: Local Intranet (trusted intranet sites), Trusted Sites (trusted Internet sites), Restricted Sites (untrusted, potentially damaging sites), and Internet (unclassified sites). You can set these zones on a per-computer basis, or you can use Internet Explorer Administration Kit (IEAK) or Group Policy to set these zones across your organization. Each zone has default settings that dictate how Internet Explorer will display and access the sites within that zone. The settings for each zone are customizable. You can also configure how cookies are handled for sites in the Internet zone (sites you haven’t put in any of the other zones, most likely sites you haven’t visited yet) using the Privacy page of the Internet Options dialog box.

Content Advisor: You can use Content Advisor to restrict access to Web sites based on their content, as rated by the Recreational Software Advisory Council (RSAC), using the categories Language, Nudity, Sex, and Violence. Or you can use another ratings system, such as the Internet Content Rating Association (ICRA) or SafeSurf. In addition to or instead of a ratings system, you can restrict specific sites, regardless of their content. You can also require an administrative password to view restricted sites. In addition, you can choose to turn off the AutoComplete feature to keep user names and private information from being entered automatically in Web forms.


Hardened Web Browser

Definition:

A hardened Web browser is a Web browser that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened Web browser may include some or all of the following security configuration settings:

• The latest browser version and up-to-date security patches to prevent attackers from exploiting the browser software or related code, such as Java.

• Internet zone security in your browser to prevent users from visiting unsafe sites from which they could download malicious code (such as ActiveX) or applications (including spyware).

• Cookie settings to prevent the download of unsecure cookies.

• Disabled autocomplete and password-saving features.

• Optionally, content ratings to prevent users from visiting sites with inappropriate content.

Example: USA Travel’s Web Browsers

USA Travel’s security policy requires all Web browsers to be the latest version and have the latest security patches. The network administrator in the Miami office has upgraded all Web browsers to the latest version of Internet Explorer, and she monitors Microsoft’s security bulletins weekly to find the latest security updates. Because the Web browsers are configured according to security policy, they are considered hardened.

Secure Client Internet Access

Procedure Reference: Secure Internet Explorer

To secure Internet Explorer:

1. Install the latest browser version and up-to-date security patches.

2. Configure Internet zone security in your browser to prevent users from visiting unsafe sites.

a. Choose Tools→Internet Options.

b. Select the Security tab.

c. With the Internet zone selected, click Custom Level.

d. Configure the zone appropriate for your requirements.

3. Block unsecure cookies.

a. Choose Tools→Internet Options.

b. Select the Privacy tab.

c. Move the Settings slider to High. Click Apply.

4. Allow cookies from secure, trusted sites.

a. Choose Tools→Internet Options.

b. Select the Privacy tab.

c. In the Web Sites area, click Edit.


d. In the Address Of Web Site text box, enter the URLs of the Web sites from which you’ll accept cookies. Click Allow.

5. Configure content ratings to prevent users from visiting sites with inappropriate content.

a. Choose Tools→Internet Options.

b. Select the Content tab.

c. In the Content Advisor area, click Enable.

d. Select the category you want to configure, and adjust the slider bar to set the rating level for that particular category.

6. Prevent the browser from saving user passwords on Web site forms.

a. Choose Tools→Internet Options.

b. Select the Content tab.

c. Click AutoComplete.

d. Uncheck Prompt Me To Save Passwords.

e. Click Clear Passwords.

f. Click Clear Forms.

Automated Browser Security Configuration

You can automate this process by using an administrative tool that is specific to your browser. For example, for Microsoft Internet Explorer, Microsoft provides the Internet Explorer Administration Kit (IEAK), which you can use both to deploy customized installations of Internet Explorer, and to centralize the configuration of customized Internet Explorer settings for groups of computers. For Netscape Navigator, you can use the Netscape Client Customization Kit to perform similar tasks.

ACTIVITY 4-5

Securing Client Internet Access

Data Files:

• IESecurity.rtf

Setup:

Your Windows XP computer has an administrative account named Admin100 with a password of !Pass1234. This account has permission to access shares on the \\Client100 computer. There is an unrated Web site available on the network at http://Server100. Files for this activity are available at \\Client100\SPlus\Student\IESecurity.rtf.

Scenario:

You are the security administrator for a nuclear plant and need to make sure your new Windows XP Professional clients with Internet Explorer are secure. In the past, the plant’s IT department has had problems with users storing passwords in their Internet browsers. They have also had problems with users visiting sites that contain inappropriate content, and users have also downloaded unauthorized programs to their computers. Before connecting the new Windows XP Professional computers to your network, you need to make sure that the browser is configured properly to minimize the likelihood of attacks.


The IT department has designed a security deployment plan for all new systems, including the Windows XP Professional desktops and Internet Explorer, and documented it as IESecurity.rtf. Before the IT Department uses IEAK and SMS to deploy the browser automatically to all users, this security configuration needs to be set up manually on a test system to verify that clients will still have the appropriate level of Web access.

What You Do / How You Do It

1. Unassign the IPSec policies on your computer.

a. From the Start menu, choose All Programs→Administrative Tools→IPSec Management.

b. In the IPSec Management console, select IP Security Policies on Local Computer.

c. Right-click the Secure Server (Require Security) policy and choose Un-assign.

d. Close the MMC console. There is no need to save the console settings.


2. Configure Internet Explorer with the appropriate zone level for the Internet zone as specified in the IESecurity.rtf data file.

a. Open the \\Client100\SPlus\Student\IESecurity.rtf file.

b. From the Start menu, click Internet to launch Internet Explorer. Depending on whether you are connected to the Internet, you might see a Web page, or you might see a “page cannot be displayed” message.

c. Choose Tools→Internet Options.

d. Select the Security tab.

e. With the Internet zone selected, click Custom Level.

f. From the Reset To drop-down list, select High.

g. Click Reset, and then click Yes to confirm the change in security level.

h. Click OK.


3. Block unsecure cookies.

a. Select the Privacy tab.

b. Move the Settings slider to High to block unsecure cookies.

c. Click Apply.

4. Configure the appropriate Web sites to allow use of cookies.

a. In the Web Sites area, click Edit.

b. In the Address Of Web Site text box, type nrc.gov and click Allow.

c. In the Address Of Web Site text box, type anl.gov and click Allow.

d. Click OK.

5. Set the appropriate Content Advisor rating levels without blocking approved unrated sites.

a. Select the Content tab.

b. In the Content Advisor area, click Enable.


c. With Language selected in the Select A Category To View The Rating Levels list, adjust the rating slider to level 1.

d. Set the rating level for each of the remaining categories to 1.

e. Click Apply.

f. Select the Approved Sites tab.

g. In the Allow This Web Site text box, type http://Server100 and click Always.

h. Click OK.

i. Enter and confirm !Pass1234 as the Content Advisor password.

j. In the Hint area, type same as Admin100.

k. Click OK twice.


6. Configure the appropriate forms settings.

a. On the Content page, under Personal Information, click AutoComplete.

b. Uncheck Prompt Me To Save Passwords.

c. Click Clear Passwords.

d. Click OK in the message box to confirm that you want to clear passwords.

e. In the AutoComplete Settings dialog box, click OK.

f. Click OK to close the Internet Options dialog box.

Instructor Only:

7. Reboot your computer to Windows 2000 Server. This is to make the http://Server100 Web site available.

a. Restart your computer and boot to Windows 2000 Server.

b. Log on as Administrator.

Students:

8. Verify that you can connect to the http://Server100 Web site.

a. In the Internet Explorer Address bar, type http://Server100 and press Enter. You should see the default Web page on the Server100 Web site.

b. Close Internet Explorer.


TOPIC D

Secure the Remote Access Channel

In Topic 4C, you secured data that flowed from internal client systems out to the Internet. Many companies also support clients who connect from the other direction: from foreign networks into the internal network via a remote access connection. In this topic, you’ll learn to secure data that enters your network over this type of inbound network connection.

If you provide remote access services, whether through dial-up or VPN connections, you are providing an avenue into your network from outside your physical network boundaries. This is attractive to the many business users today who work at least part of the time from home, from a remote office, or while travelling. And you can bet it’s an attractive avenue for attackers, too. You can’t see the person who is connecting from a remote location, like you could if someone tried to plug into an Ethernet jack in your home office. So you had better take other precautions to make sure that only authorized folks are accessing your network over the remote access connection.

Remote Access Vulnerabilities

Remote access servers and connections are vulnerable to the same threats we’ve seen so far in this course for other types of communications, services, servers, and operating systems. However, there are a few special vulnerabilities you should keep in mind, including those against your telecommunications and PBX infrastructure. Some examples are shown in the following table.

PPTP: Microsoft’s implementation of PPTP is susceptible to a number of attacks, including a dictionary attack against its LAN Manager (LM) password authentication mechanism.

DHCP for remote access clients: If an attacker can connect to a remote access server that assigns clients’ IP addresses using DHCP, the attacker can get a valid IP address and have the run of the network.

Improperly configured remote access security: While most administrators might never think of allowing unlimited access attempts or being lax with user name and password requirements on the local network, sometimes the same care isn’t given to remote access. Such an improper configuration could lead to brute force attacks against a dial-in remote access server.

Wardialers: These tools are used to dial every available phone number in an organization to find which numbers can be used to access modems, fax machines, and voicemail systems. This information can then be used to launch another attack. Wardialers include ToneLoc and PhoneSweep.


PBX systems: Some PBX systems ship with default user names and passwords for administrative purposes. A wardialer can detect the type of PBX system, and then an attacker can use the manufacturer’s default to exploit the system. Once inside the PBX system, an attacker can access private information that can be used for further attacks, including social engineering attacks.

Hardened Remote Access Server

Definition:

A hardened remote access server is a remote access server that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened remote access server may include some or all of the following security configuration settings:

• A hardened operating system to prevent attackers from exploiting the OS to attack the remote access service.

• PPTP disabled on your remote access server to prevent a dictionary attack against LM password authentication.

• A static IP address pool for remote access clients with just enough network information to allow a remote connection and network connectivity.

• Properly configured security on your firewall to only allow valid traffic to your remote access server.

• Restricted remote access to the telephone system, fax machines, and any other device that can accept outside connections to prevent wardialing and other attacks against your PBX/phone system and other devices.

• An established audit or logging policy to detect and stop suspicious activity.

Example: USA Travel’s Remote Access Servers

All Windows 2000 RAS servers in USA Travel’s branch office are required to have a DHCP address pool for clients dialing in to the server and the latest operating system patches, according to USA Travel’s security policy. Therefore, the network administrator for the Los Angeles office has configured automatic OS update notification on the Windows 2000 RAS server, and has configured a static IP address pool to assign addresses for the five employees who normally dial in to the server. Because this configuration matches USA Travel’s security policy, the RAS server can be considered hardened.

Secure the Remote Access Channel

Procedure Reference: Secure the Remote Access Channel

To secure the remote access channel to a Windows 2000 RAS server:

1. Disable PPTP on your remote access server.

a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

b. Below your server object, select the Ports object.


c. Right-click the Ports object and choose Properties.

d. Select the WAN Miniport (PPTP) and click Configure.

e. Uncheck Remote Access Connections (Inbound Only).

f. Uncheck Demand-dial Routing Connections (Inbound And Outbound).

g. Click OK twice.

2. Configure input and output filters to allow only valid traffic to your server. For example, block traffic on ports for protocols you do not use on your remote access server. To filter out incoming PPTP traffic from external networks:

a. In Routing And Remote Access, under IP Routing, select the General object.

b. Right-click the appropriate interface object and choose Properties.

c. Click Input Filters. Select the filter for Protocol 47 and click Remove.

d. Remove the TCP filters with Source and Destination ports of 1723.

e. Click OK twice.

3. Set up a static pool of addresses to give out to remote access clients so that attackers can’t get addresses from a DHCP server.

a. In Routing And Remote Access, right-click your RRAS server object and choose Properties.

b. Select the IP tab.

c. Select Static Address Pool.

d. Click Add.

e. Create a static IP address pool using an appropriate addressing scheme.

4. Configure security on your firewall to only allow valid traffic to your remote access server.

5. Restrict remote access to the telephone system, fax machines, and any other device that can accept outside connections.

6. Enable auditing or logging to record any suspicious activity.

Common Remote Access Ports

A remote access server only needs to communicate with clients on a limited number of ports. The following table lists the ports for the common remote access protocols. You should only open other ports on your remote access server if there is a specific need to do so.

Table 4-3: Remote Access Protocol Port Numbers

Port Number   Service
500           ISAKMP
1701          L2TP
1723          PPTP


If you are running Windows 2000 on a RRAS server, you should be sure to apply Service Pack 1. The Windows 2000 Service Packs increase security on your RRAS server by implementing a default set of filters on your external router interface. The default filters permit inbound and outbound TCP and UDP traffic on ports 500, 1701, and 1723 only. They also permit traffic for Protocol 47, or Generic Routing Encapsulation (GRE), the data encapsulation protocol for PPTP. See Microsoft Knowledge Base article Q260926 for more information.
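The permit-only filter set this note describes, and the PPTP entries that step 2 of the procedure above removes, can be modelled in code to check what an external interface will and will not accept. The following Python script is an added example, not code from the course or from Microsoft: the default list allows TCP and UDP on ports 500, 1701 and 1723 (Table 4-3) in either direction plus protocol 47 (GRE), and the hardened list for an L2TP-only server drops the protocol 47 entry and the TCP 1723 entries, so PPTP control and data packets from outside are rejected while ISAKMP and L2TP still pass. The packets are constructed sample values, and the model covers only the filters the note lists, not every rule a complete IPsec deployment needs.

```python
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, GRE = 6, 17, 47              # IP protocol numbers
ISAKMP, L2TP, PPTP = 500, 1701, 1723   # ports from Table 4-3


@dataclass(frozen=True)
class Packet:
    protocol: int
    src_port: Optional[int] = None     # GRE carries no ports
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One RRAS-style input filter. A None port matches any value."""
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != pkt.protocol:
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def default_sp_filters() -> List[Filter]:
    """Permit-only list as the service pack note describes it: TCP and UDP on
    500, 1701 and 1723 as source or destination, plus GRE (protocol 47)."""
    filters = []
    for proto in (TCP, UDP):
        for port in (ISAKMP, L2TP, PPTP):
            filters.append(Filter(proto, dst_port=port))
            filters.append(Filter(proto, src_port=port))
    filters.append(Filter(GRE))
    return filters


def without_pptp(filters: List[Filter]) -> List[Filter]:
    """Step 2 of the procedure: remove the protocol 47 filter and the TCP
    filters whose source or destination port is 1723. The procedure names
    only the TCP entries, so any UDP 1723 entry is left as it is."""
    return [f for f in filters
            if not (f.protocol == GRE or
                    (f.protocol == TCP and PPTP in (f.src_port, f.dst_port)))]


def permitted(pkt: Packet, filters: List[Filter]) -> bool:
    """'Drop all packets except those that meet the criteria' semantics."""
    return any(f.matches(pkt) for f in filters)


if __name__ == "__main__":
    # Constructed sample packets arriving on the external interface.
    samples = [
        Packet(UDP, src_port=500, dst_port=ISAKMP),    # IKE negotiation
        Packet(UDP, src_port=1701, dst_port=L2TP),     # L2TP
        Packet(TCP, src_port=40123, dst_port=PPTP),    # PPTP control channel
        Packet(GRE),                                   # PPTP data (GRE)
        Packet(TCP, src_port=40124, dst_port=80),      # unrelated Web traffic
    ]
    defaults = default_sp_filters()
    hardened = without_pptp(defaults)
    for pkt in samples:
        print(pkt, "default:", permitted(pkt, defaults),
              "hardened:", permitted(pkt, hardened))
```

Running the sample shows the effect of the hardening step in one table: the Web packet is dropped by both lists, ISAKMP and L2TP pass both, and the PPTP control and GRE packets pass the default list but not the hardened one.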

ACTIVITY 4-6

Hardening a Remote Access Server

Setup:

The Windows 2000 Server computer has a physical LAN adapter and also a virtual Microsoft Loopback Adapter to simulate the presence of an external connection object. The Microsoft Loopback Adapter has been configured with default IP settings. The RRAS server is configured to use DHCP to distribute IP addresses to remote access clients.

Although the Routing and Remote Access Server (RRAS) is running on a domain controller for classroom and testing purposes, Routing and Remote Access Server (RRAS) should not be running on domain controllers as this is a security risk.

Scenario:

One of the next tasks as the bank's security administrator is to make sure your Remote Access servers are secure. In the past, the bank has had problems with attackers accessing services and data that they were not supposed to have access to through VPN connections. You will now provide VPN services through new Windows 2000 Routing and Remote Access Servers. To prevent users from accessing information that they are not supposed to and to prevent attackers from getting data, the bank's IT department has decided to place the new VPN Routing and Remote Access Server behind the existing hardware firewall to set up a demilitarized zone (DMZ). The hardware-based firewall has already been secured. Also, the Active Directory team has already created a remote access security policy to determine who will have VPN access to RRAS servers in your domain. Before connecting the new VPN server to your network, you want to make sure that the VPN servers are hardened to minimize the likelihood of attacks from external users. In particular, the bank does not want legacy PPTP Remote Access clients to connect, but only clients that support L2TP with IPSec encryption. Because you will not use PPTP on your server, you want to block PPTP packets that come from external networks. You also want to configure the incoming clients with a reserved pool of static addresses on your internal network. The network administration team has reserved the address range of 192.168.x.10-20 for this purpose. After you configure the VPN server, the bank's desktop team will test the connections from laptop VPN clients to make sure the security is not too restrictive.


Lesson 4: Securing Network Communications 193


What You Do How You Do It

1. If necessary, reboot to Windows 2000 Server.

a. Restart the computer and choose Windows 2000 Server from the boot menu.

b. Log on as Administrator with a password of !Pass1234.

2. Disable PPTP on the RRAS server.

a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

b. Below your server object, select the Ports object.

c. Right-click the Ports object and choose Properties.

d. Select the WAN Miniport (PPTP) and click Configure.

Do not select the WAN Miniport (L2TP).

e. Uncheck Remote Access Connections (Inbound Only).

f. Uncheck Demand-dial Routing Connections (Inbound And Outbound).

g. Click OK. The Used By status of the WAN Miniport (PPTP) object should appear as None.

h. Click OK. All the WAN Miniport (PPTP) objects disappear from the Ports list.


3. Filter out incoming PPTP traffic from external networks.

On a production system, if you decide to remove any default filters, you should keep a record of the original filter configuration (a screen shot or note will do) in case you need to re-enable them at a later time.

a. Under IP Routing, select the General object.

b. Right-click the Loopback Adapter interface object and choose Properties.

c. Click Input Filters.

d. Select the filter for Protocol 47 and click Remove.

e. Remove the TCP filters with Source and Destination ports of 1723.

f. Click OK twice.

4. Set up the static IP address pool.

a. Right-click your RRAS server object and choose Properties.

b. Select the IP tab. The server is configured to use DHCP to assign IP addresses.

c. Select Static Address Pool.

d. Click Add.

e. Enter 192.168.1.10 as the Start IP Address.

f. Enter 192.168.1.20 as the End IP Address.

g. Click OK twice.

h. Close Routing And Remote Access.


Lesson 4 Follow-up

In this lesson, you took the next step in securing your network by securing the actual network communication itself. This includes using IPSec to authenticate and encrypt communications between two computers, securing wireless communications, securing users' Internet access, and securing remote access to your network. This is an important step because network security doesn't mean just securing your systems; it means making sure attackers can't access the data transfer between your systems.

1. How do you secure the network traffic in your organization?

2. What do you think is the biggest challenge in securing remote access?


Managing Public Key Infrastructure (PKI)

Lesson Objectives:

In this lesson, you will manage a PKI.

You will:

• Install a Certificate Authority (CA) Hierarchy.

• Harden a Certificate Authority.

• Back up CAs.

• Restore the CA.

Lesson Time: 1 hour(s), 30 minutes

LESSON 5

Lesson 5: Managing Public Key Infrastructure (PKI) 197


Introduction

Certificate-based security is becoming more and more prevalent in today's computing environment, as even the most casual Internet user is now exposed to the familiar software publisher certificate window that pops up to verify the authenticity of a piece of software they are downloading. Many companies opt to implement certificate-based security in securing both public and private network communications, network servers, and user connections. If your company implements a PKI infrastructure to issue certificates, then, as a security professional, it certainly will be part of your job to create, manage, and support that infrastructure.

TOPIC A

Install a Certificate Authority (CA) Hierarchy

You can implement certificate-based security either by obtaining certificates from a public Certificate Authority (CA), or by establishing your own CA. If you plan to use your own CA servers to issue certificates on your network, then the first step in the process of setting up public key security is installing the CA servers. In this topic, you'll install CA servers into a CA hierarchy.

You can only trust a certificate if you can trust the CA that issued it, and you can only trust that CA if you can trust the CA above it in the chain. The entire certificate security system will fail if the basic CA hierarchy is not properly established and authorized. If your job as a security professional requires you to implement a CA design by installing CAs, you can use the skills in this topic to make sure it's done properly.

Public Key Infrastructure (PKI)

For more information on PKCS, visit www.rsasecurity.com/rsalabs/pkcs/index.html.

A public key infrastructure (PKI) is a system that is composed of a CA, certificates, software, services, and other cryptographic components for the purpose of enabling authenticity and validation of data and/or entities—for example, to secure transactions over the Internet. A PKI is composed of:

• Digital certificates—Electronic documents that bind the entity's public key to the information regarding that entity, to verify that an entity is who it claims to be.

• A Certificate Authority (CA)—The Certificate Authority is responsible for issuing digital certificates to computers, users, or applications.

• A registration authority (RA)—The registration authority is responsible for verifying users' identity and approving or denying requests for digital certificates.

• A certificate repository—The database that contains the digital certificates.

• A certificate management system—A system that provides the software tools to perform the day-to-day functions of the PKI.


Each of these components works together to provide digital certificate management services. The components may all be housed on one server or they may be spread out over multiple servers and even in different parts of the world.

CA Hierarchy

A PKI is implemented through a trust model or, as it is more commonly called, a CA hierarchy. A CA hierarchy is a single CA or group of CAs that work together to issue digital certificates. At any given time, there may be thousands of issued certificates circulating in a large corporation. A CA hierarchy provides a way for multiple CAs to distribute the workload and provide certificate services more efficiently.

Figure 5-1: Components of a CA hierarchy.

In addition, if a CA lower in the hierarchy is compromised, only those certificates issued by that particular CA, or under that CA, are invalid. The remaining CAs that have not been compromised can continue issuing certificates and provide certificate services until the compromised CA is restored or replaced. Figure 5-1 and the following paragraphs describe the components of a CA hierarchy.

In Windows 2000, do not install Certificate Services on a domain controller because it could pose a security risk.


Figure 5-2: The root CA.

The root CA is the top-most CA in the hierarchy and consequently, the most trusted authority in the hierarchy. The root CA issues the first certificate (a self-signed certificate) in the hierarchy. In a centralized system, root CAs then issue end-user certificates and perform the day-to-day management of certificates. In a decentralized system, the root CA issues certificates to subordinate CAs and the subordinate CAs handle the day-to-day functions of the certificates. In the Microsoft world, a CA is considered an enterprise CA if it's integrated with Active Directory, while it's considered a stand-alone CA if it's not. In the Novell world, a root is either organizational if it is created in-house by a particular organization or a global root if it is housed at Novell. Unix does not make any further distinctions for root CAs.

Root CAs can be designated either private or public:

— A private root CA is created by a company for use primarily within the company itself. The root will be set up using CA software and configured in-house.

— A public root CA is created by a third-party vendor (or commercial vendor such as Verisign) after they consult with a company and determine the company's particular CA needs and requirements. Commercial CA vendors offer a wide variety of services to make setting up a PKI easier, from creating the root CA to issuing the initial certificates to end users.

Subordinate CAs, whether there is one or there are a hundred, also issue certificates, but their main function is to provide day-to-day management of the certificates including renewal, suspension, and revocation. An organization may create as many subordinate CAs as resources will allow. Depending on your company's particular needs, you may opt for one of the implementations shown in Table 5-1. A subordinate CA has a parent-child relationship with its root CA.


Figure 5-3: The subordinate CA.

Table 5-1: CA Hierarchy Implementation Options

Business or Security Requirement: A company with thousands of employees worldwide.
CA Hierarchy Implementation: The subordinate CAs are designated by geographic location to balance the number of issued certificates among the individual CAs.

Business or Security Requirement: A company that wants individuals to access specific applications only.
CA Hierarchy Implementation: The subordinate CAs are designated by function or department so the individual CAs serve groups of people with specific resource needs.

Business or Security Requirement: A company that has tight security and allows individuals differing levels of access to the same resources.
CA Hierarchy Implementation: The subordinate CAs are designated by the security required to obtain a certificate. Some CAs may be set up to issue a certificate with a network ID and password; other CAs may require a person to present a valid driver's license.

Root CA Security

To provide the most secure environment possible for the root CA, companies will often set up the entire CA hierarchy and then take the root offline, allowing the subordinate CAs to issue all certificates. This strategy ensures that the root CA is not accessible by anyone on the network and thus, it is much less likely to be compromised.

Install a Certificate Authority (CA) Hierarchy

Procedure Reference: Install a Certificate Authority Hierarchy

Depending on your CA hierarchy design, you might need to install root CAs as well as subordinate CAs. The general steps you will use to install a CA hierarchy are:

1. Install the root CA if you are not using a third-party CA. To install a Windows 2000 CA:

a. Open Add/Remove Programs and click Add/Remove Windows Components.

b. Select the CA type.

c. Enter the CA identifying information.


d. Select the storage location for the CA database and log.

e. Stop Internet Information Services if prompted.

Refer to RFC 3280 for standards for identifying information for CAs. You can find this RFC at www.ietf.org/rfc/rfc3280.txt.

2. Verify the CA installation by checking the properties of the installed CA.

3. If you will maintain your own root CA, secure the root CA by removing it from your network. Once the root CA is offline, you will need to use file-based requests to obtain the certificates for your subordinate CAs, as you will not be able to transmit the requests across the network.

4. Install the subordinate CAs. To install a Windows 2000 subordinate CA:

a. If you are maintaining your own Windows 2000 root server, retrieve the root server certificate from http://root-server/certsrv (substitute your server name for "root-server"), and install the certification path into the Root Store on the server where you will install the subordinate CA.

b. Install the subordinate CA using the Add/Remove Windows Components wizard in the same manner that you installed the root server.

c. During the installation, request a server certificate from the root CA. (If the root CA is offline, you will have to save the request as a file, take the file to the root CA, and request the certificate.)

d. At the root CA, issue the certificate for the subordinate CA. If the root CA is offline, you will need to save the certificate as a file and take the file to the new subordinate CA.

e. Start the CA service at the subordinate CA and install the new CA server certificate.

5. If your design plan calls for additional levels of issuing CAs, install those CAs as well.
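Steps 1 through 4 carried out in miniature with Go's standard crypto/x509 package, as an added example that is not from the course and does not reflect how Windows 2000 Certificate Services is implemented: the root signs itself, the subordinate's request travels as a Base64 (PEM) PKCS #10 file, the root checks the request and issues a CA certificate from it, and a relying party trusts the subordinate only through the installed root certificate. The CA names, validity periods and ECDSA P-256 keys are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// caTemplate builds a CA certificate template. pathLenZero marks a CA that may
// issue end-entity certificates only (the subordinate in this hierarchy).
func caTemplate(serial int64, subject pkix.Name, validFor time.Duration, pathLenZero bool) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             now,
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        pathLenZero,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewRootCA is step 1 in miniature: the root issues the first certificate in the
// hierarchy to itself (self-signed). The key type (ECDSA P-256) is an assumption.
func NewRootCA(name string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := caTemplate(1, pkix.Name{CommonName: name, Organization: []string{"SecurityOrg"}}, validFor, false)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SubordinateRequest is step 4c: the subordinate generates its own key pair and a
// PEM-encoded PKCS #10 request, the file carried to the offline root. The key stays here.
func SubordinateRequest(name string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	subject := pkix.Name{CommonName: name, Organization: []string{"SecurityOrg"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// IssueSubordinate is step 4d at the root: parse the request file, check that it was
// signed by the key it carries, then sign a path-length-0 CA certificate for it.
func IssueSubordinate(root *x509.Certificate, rootKey *ecdsa.PrivateKey, reqPEM []byte, validFor time.Duration) (*x509.Certificate, error) {
	block, _ := pem.Decode(reqPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature invalid: %w", err)
	}
	tmpl := caTemplate(2, csr.Subject, validFor, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain is what installing the certification path buys a relying party: the
// subordinate is trusted only through a root in the root store, and only while both
// certificates are inside their validity periods at time `at`.
func VerifyChain(sub, root *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := sub.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}
```

Calling VerifyChain with a time past the root's one-year validity shows the expiration side of the certificate life cycle: once the root certificate lapses, the whole chain below it stops verifying.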


ACTIVITY 5-1

Installing a Certificate Authority Hierarchy

Data Files:

• UniversityCAspecs.rtf

Setup:

The data file for this activity is available at \\Server100\SPlus\Student\UniversityCAspecs.rtf. The installation source files for Windows 2000 Server are available at \\Server100\SPlus\Srv2000. You will need a floppy disk for this activity.

Scenario:

As the security administrator for a private university located in Rochester, NY, one of your job functions is to make sure the Certificate Authority hierarchy designed by the IT department is implemented correctly. In the past, the university has had problems with CAs being set up as stand-alone and having unauthorized users being granted certificates. To prevent users from receiving unapproved certificates and accessing information that they are not supposed to, and also to prevent attackers from getting data, the university has decided to implement a new secure CA hierarchy using Windows 2000 Servers. The IT design team has created and documented a CA implementation plan in UniversityCAspecs.rtf. The plan calls for installing a root CA for the entire university, taking the root CA offline, and then installing subordinate CAs for each college. The Windows 2000 Servers on which you will install Certificate Services have already been hardened to minimize the likelihood of attacks against the operating system itself from external users.

Although Certificate Services is running on a domain controller for classroom and testing purposes, this is a security risk.

You and your partner will need to decide on who will be the root CA (University CA) and who will be the subordinate CA (College CA).

What You Do How You Do It

On the Server Designated as the Root CA:

1. Install Certificate Services on the root CA.

a. Open Control Panel and run Add/Remove Programs.

b. Click Add/Remove Windows Components.

c. In the Windows Components list, check Certificate Services.


d. In the message box, click Yes.

e. Click Next.

f. Select Stand-alone Root CA and click Next.

g. As the CA Name, enter UniversityRootCA#.

h. As the Organization, enter SecurityOrg.

i. As the Organizational Unit, enter Education.

j. As the City, enter Rochester.

k. As the State Or Province, enter New York.

l. As the Country/Region, verify that US is selected.

m. As the E-mail, enter secadmin@domain#.internal.

n. As the CA Description, enter Stand-alone CA Root for Rochester.

o. Set the Valid For value to 1 Years. Click Next.


p. Click Next to accept the default database and log storage locations.

q. Click OK when prompted to stop IIS.

r. If prompted for the path to the Windows 2000 Server installation files, enter the path \\Server100\SPlus\Srv2000\I386. (If prompted for credentials, enter domain100\administrator with a password of !Pass1234.)

s. When the installation is complete, click Finish.

t. Close Add/Remove Programs and Control Panel.

2. Verify that Certificate Services was installed properly.

a. From the Start menu, choose Programs→Administrative Tools→Certification Authority. The UniversityRootCA# object should appear in the MMC console.

b. Open the properties of the UniversityRootCA# object. The Description should appear as you configured it during the installation.

c. Click View Certificate. The certificate should expire in one year.

d. Click OK to close the certificate.

e. Click OK to close the property sheet. You can leave Certification Authority open.

Wait until your lab partner has completed the previous steps before proceeding.


On the Server Designated as the Subordinate CA:

3. Retrieve the root CA certificate and install the CA certificate path from your lab partner's root CA.

a. Run Internet Explorer.

b. In the Address text box, enter http://server#/certsrv where # is your partner's computer number.

c. Select Retrieve The CA Certificate Or Certificate Revocation List. Click Next.

d. Click Install This CA Certification Path.

e. Click Yes when prompted to add the certificate to the Root Store.

f. Close Internet Explorer.

4. Why do you need to install the CA certification path?

5. What should you do to secure your root CA physically after it is installed?

On the Server Designated as the Subordinate CA:

6. Install Certificate Services on the subordinate CA.

You will save the certificate request as a file because, in a secure environment, the root CA is kept offline on an isolated subnet. Certificates and requests are moved to and from the root CA on removable storage media such as floppy disks. Although, in the classroom, your root CA is online, you will perform the procedures that are appropriate for a secure, offline CA.

a. Open Control Panel and run Add/Remove Programs.

b. Click Add/Remove Windows Components.

c. In the Windows Components list, check Certificate Services.


d. In the message box, click Yes.

e. Click Next.

f. Select Stand-alone Subordinate CA and click Next.

g. As the CA Name, enter CollegeSubordinateCA#.

h. As the Organization, enter SecurityOrg.

i. As the Organizational Unit, enter Education.

j. As the City, enter Rochester.

k. As the State Or Province, enter New York.

l. As the Country/Region, verify that US is selected.

m. As the E-mail, enter secadmin@domain#.internal.

n. As the CA Description, enter Stand-alone Subordinate CA for Rochester.

o. The certificate validity period will be determined by the parent CA. Click Next.

p. Click Next to accept the default database and log storage locations.

q. Select Save The Request To A File and click Next. By default, the request file will be saved to the root of the C drive.

r. Click OK when prompted to stop IIS.

s. If prompted for the path to the Windows 2000 Server installation files, browse to select \\Server100\SPlus\Srv2000\I386.


t. Click OK in the message about requesting a certificate from the parent CA.

u. When the installation is complete, click Finish.

v. Close Add/Remove Programs and Control Panel.

w. Copy the certificate request file from the C directory to a floppy disk. The request file will have a .req extension.

Wait until your lab partner has completed the previous step before proceeding.


On the Server Designated as the Root CA:

7. Use the certificate request file to request a certificate for your lab partner's subordinate CA.

a. Insert the floppy disk containing the certificate request file into your floppy disk drive.

b. Open the A drive.

c. Right-click the certificate request file and choose Open With.

d. Select Notepad and click OK.

e. Choose Edit→Select All, and then choose Edit→Copy.

f. Close Notepad.

g. Run Internet Explorer and connect to the URL http://server#/certsrv, where # is your own student number.

h. Verify that Request A Certificate is selected and click Next.

i. Select Advanced Request and click Next.

j. Select Submit A Certificate Request Using A Base64 Encoded PKCS #10 File Or A Renewal Request Using A Base64 Encoded PKCS #7 File and click Next.

k. Click in the Saved Request text box and choose Edit→Paste. Click Submit.

l. Click the Home link in the Certificate Pending Web page.

8. Issue the pending certificate request.

a. In Certification Authority, expand the UniversityRootCA# object and select the Pending Requests folder.

b. In the details pane, right-click the pending request and choose All Tasks→Issue.

c. Select the Issued Certificates folder. The newly-issued certificate for the subordinate CA should appear in the details pane.


9. Create a certificate file for your lab partner's subordinate CA.

a. Switch to Internet Explorer.

b. Select Check On A Pending Certificate and click Next twice.

c. On the Certificate Issued Web page, click Download CA Certificate.

d. In the File Download dialog box, click Save.

e. Save the file as A:\Certnew.cer.

f. In the Download Complete dialog box, click Close.

g. Close Internet Explorer.

Wait until your lab partner has completed the previous steps before proceeding.


On the Server Designated as the Subordinate CA:

10. Start the Certificate Server and install the CA certificate for the subordinate CA.

a. Insert the floppy disk containing the downloaded server certificate file into your floppy disk drive.

b. From the Start menu, choose Programs→Administrative Tools→Certification Authority. The CollegeSubordinateCA object should appear in the MMC console with a red square icon, indicating that it is not started.

c. Select and right-click the CollegeSubordinateCA object and choose All Tasks→Start Service.

d. Click Yes when prompted to install the certificate.

e. Browse to select and open the A:\Certnew.cer file. (You will need to select .cer from the Files Of Type drop-down list.)

f. Click OK to close the message that the revocation server is offline. The service will start and the CA object will appear with a green check mark.


TOPIC B

Harden a Certificate Authority

In Topic 5A, you installed a CA. Before you begin allowing the CA to issue certificates on your network, you should set up security on all the CA servers themselves. In this topic, you'll learn hardening techniques for your CA servers.

You put a certification hierarchy in place so that you can use trusted certificates to secure all types of devices, services, and users in your network. But how much can you trust that hierarchy? If one of your CA servers is hacked and compromised, the answer is, not at all. Certificate security is no good if the source of the certificates is insecure, so before you roll out your certificate program, make sure your CA servers are as secure as you need them to be.

Certificate Policies

Definition:

A certificate policy (CP) is a security policy that determines what information a digital certificate will contain, what the requirements are to obtain a certificate, and the specifications for the information in the certificate. The CP is developed by representatives from the entire company including management, security, and network architecture. The CP is formalized and an official certificate policy document is created. After the CP is finalized, the CA software is configured to implement the stated policy.

Some companies make the document available on the Internet. For an example of a certificate policy and certificate practice statement, go to www.entrust.com/resources/pdf/cps.pdf.

Once the certificate policy is finalized into a formal document and the CA software is configured to conform to that policy, a separate certificate practice statement (CPS) is developed. The CPS specifies how a particular CA will manage its certificates based on the certificate policy for that CA. For example, the CP may require a photo ID be presented to obtain a certificate. The CPS will state that users can go to a designated local registration authority and present their driver's license to meet this requirement.

Each certificate policy is specifically created for a particular set of business requirements and security needs. The certificate policy can vary widely depending on its purpose. A company may have several certificate policies at the same time and thus have several types of certificates available to entities both inside and outside the organization.

This variety of policies results in end users with several certificates. The end users then have multiple key pairs depending on the purpose each certificate is used for. End users may also have a single certificate that combines services such as encryption and digital signatures. This is known as a dual key pair because the keys perform more than one purpose.

Table 5-2 shows some of the ways certificate policies can vary.


Table 5-2: Certificate Policy Considerations

Consideration: How will users be authenticated to the CA?
Options: There is a variety of ways (or combination of ways) users can be authenticated, from filling out a form on the Internet to showing up in person and having a photo ID required.

Consideration: What are the legal implications if the CA is compromised?
Options: Who is responsible if the issued certificates are misused by some individuals? The individual that misused them or the company that issued them?

Consideration: What is the certificate going to be used for?
Options: The certificate may be used for access to specific applications.

Consideration: How will the user's private key be stored?
Options: Companies have several options to choose from that include storing the private key on the hard drive of the user's computer, a separate device such as a smart card, or on the user's PDA. Any of these can be further protected by requiring a password before the key can be accessed.

Consideration: What is the user responsible for?
Options: Do users need a specific security clearance? What does a user do if their private key is compromised or lost?

Consideration: Can the user's private key be exported?
Options: Exporting a private key can be useful if it is lost. It is also a greater security risk. The more places a private key is available in, the more exposed it is to attackers.

Consideration: What are the requirements to renew a certificate?
Options: Will the certificate be automatically renewed? Will the user be required to go through the enrollment process again? Will there be a separate authentication process for renewals?

Consideration: How long will the certificate lifetime be?
Options: What is the length of time a certificate is valid for? The longer it is valid, the more time an attacker has to find a way to access it. On the other hand, a certificate that needs to be renewed often can create a lot of administrative overhead.

Consideration: What type of cryptographic algorithm will the certificate use?
Options: More complex algorithms require numerous high-level mathematical calculations and are more difficult to break. Depending on your company's needs, you may not require extremely complex algorithms. The less complex ones are still very secure. Complex algorithms take more time to encrypt/decrypt data.

Consideration: What will be the length of the public and private key pair?
Options: Longer key pairs contain more data bits and thus are generally more secure. Again, this makes it more difficult for attackers to compromise the private key.

Example: University Project

A private university has several professors and graduate students working on a project that they hope results in a patent for the college. Some of the students working on the project are out-of-state. The university needs to be sure that only the individuals working directly on the project have access to it. The data integrity is critical to the project. Because the information is expected to be patented, confidentiality is absolutely necessary. All these elements can be built into the certificate policy.


Consideration: Highly sensitive data. Cannot be tampered with or stolen.
Requirement: Integrity, confidentiality.
Implementation: Strong cryptographic algorithm.

Consideration: Users located in different parts of the world.
Requirement: Identity verification.
Implementation: Users will go to local registration authority and present photo ID with notarized letter from university.

Consideration: Only specific individuals are allowed to access the project. Although the information resides on the university servers, not all the students can access the data.
Requirement: User's private key must be secure.
Implementation: Store private key on a smart card that requires a password.

Consideration: Project will take several years.
Requirement: Long certificate lifetime.
Implementation: Require a long key pair.

Example: Shopping On The Internet

An Internet company that sells clothing needs certificates as well, but they have totally different requirements. To obtain a certificate, a user applies online with a valid credit card. The certificate is configured to set spending limits on each user based on their credit history in an effort to limit the clothing company's liability. In addition, the certificate will also need to have a built-in parameter for non-repudiation so sales cannot be denied once they are processed.

Consideration: Easy access to make purchases. Users from all over the world.
Requirement: Simple enrollment form via Internet.
Implementation: Users fill out form on Internet to access site.

Consideration: Users must be who they say they are to purchase merchandise.
Requirement: Non-repudiation.
Implementation: Users supply valid credit card number to make purchases.

The Certificate Life Cycle

The parameters specified in your certificate policy will determine your certificate life cycle. The following diagram describes the certificate life cycle. The life cycle consists of: issuance, revocation, expiration, and renewal.


Figure 5-4: The Certificate Life Cycle.

1. Issuance—The life cycle begins when the root CA is issued its self-signed key pair. The root CA then begins issuing certificates to other CAs and end users.

2. Revocation—For a variety of reasons (misuse, lost keys, security compromise) certificates can be revoked.

3. Expiration—Certificates expire per the parameters set in the certificate policy.

4. Renewal—Some expired certificates will be renewed. Certificates can be renewed more than once, again, depending on the CP parameters. The entire cycle ends when the root CA’s self-signed certificate is revoked or expired.

As a general rule, the longer the life cycle is, the less administrative overhead is involved. This could pose a higher security risk, however, because a longer life cycle also gives attackers more time to break the cryptography of the key pair or otherwise compromise the system. Also, with a shortened lifetime, new developments in cryptography could allow you to have entities renew certificates that are more secure.
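The four stages above as an added Python model (illustrative code written for this edition, not part of the course and not Windows 2000 Certificate Services): the CA name, policy limits and dates are constructed, and the certificate policy is reduced to two parameters, a maximum lifetime and a renewal limit. Revoking or expiring the root CA's own certificate invalidates everything it issued, which is the end of the cycle described in step 4.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: date
    not_after: date
    renewals: int = 0          # how many renewals this subject's certificate has had


class CertificateAuthority:
    """Constructed model of a CA. The certificate policy (CP) parameters are
    the maximum lifetime of an issued certificate and the number of renewals
    a subject is allowed; all names and dates used here are made up."""

    def __init__(self, name, start, ca_lifetime_days, max_lifetime_days, max_renewals):
        self.name = name
        self.max_lifetime = timedelta(days=max_lifetime_days)
        self.max_renewals = max_renewals
        self.repository = {}   # serial -> Certificate (every certificate ever issued)
        self.crl = {}          # serial -> reason (the certificate revocation list)
        self._next_serial = 1
        # 1. Issuance: the cycle begins with the root CA's own self-signed certificate.
        self.own_cert = self._store(name, start, start + timedelta(days=ca_lifetime_days))

    def _store(self, subject, not_before, not_after, renewals=0):
        cert = Certificate(self._next_serial, subject, self.name,
                           not_before, not_after, renewals)
        self.repository[cert.serial] = cert
        self._next_serial += 1
        return cert

    def issue(self, subject, today, lifetime_days, renewals=0):
        """Issue a certificate to a subordinate CA or end entity. Refused once the
        CA's own certificate is no longer valid: that is the end of the cycle."""
        ca_status = self.status(self.own_cert, today)
        if ca_status != "valid":
            raise PermissionError(f"CA certificate is {ca_status}; cannot issue")
        lifetime = min(timedelta(days=lifetime_days), self.max_lifetime)  # CP caps the lifetime
        # A certificate must not outlive the CA certificate that vouches for it.
        not_after = min(today + lifetime, self.own_cert.not_after)
        return self._store(subject, today, not_after, renewals)

    def revoke(self, serial, reason):
        """2. Revocation: misuse, a lost key or a compromise puts the serial on the CRL."""
        self.crl[serial] = reason

    def renew(self, serial, today, lifetime_days):
        """4. Renewal: a fresh certificate (new serial, new dates) for the same subject.
        Revoked certificates cannot be renewed, and the CP limits how often."""
        old = self.repository[serial]
        if serial in self.crl:
            raise PermissionError("revoked certificates cannot be renewed; re-enroll")
        if old.renewals >= self.max_renewals:
            raise PermissionError("renewal limit reached; re-enroll instead")
        return self.issue(old.subject, today, lifetime_days, renewals=old.renewals + 1)

    def status(self, cert, today):
        """Evaluate a certificate at a point in time. A certificate is only as
        valid as the CA certificate that signed it, so revoking or expiring the
        root ends the whole hierarchy."""
        if cert.serial in self.crl:
            return "revoked"
        if today < cert.not_before:
            return "not yet valid"
        if today > cert.not_after:
            return "expired"           # 3. Expiration, per the CP parameters
        if cert.serial != self.own_cert.serial:
            issuer_status = self.status(self.own_cert, today)
            if issuer_status != "valid":
                return "issuer " + issuer_status
        return "valid"


if __name__ == "__main__":
    ca = CertificateAuthority("University Root CA", date(2002, 1, 1),
                              ca_lifetime_days=3650, max_lifetime_days=365, max_renewals=1)
    web = ca.issue("Server1 Web Server", date(2002, 1, 1), 365)
    print(ca.status(web, date(2003, 1, 2)))                     # expired
    renewed = ca.renew(web.serial, date(2003, 1, 2), 365)
    print(ca.status(renewed, date(2003, 6, 1)))                 # valid
    ca.revoke(ca.own_cert.serial, "key compromise")
    print(ca.status(renewed, date(2003, 6, 1)))                 # issuer revoked
```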

The actual life cycle of your certificates will be based on your business requirements and security needs. Table 5-3 shows the most common factors that affect a certificate life cycle, although this is not a comprehensive list.

Table 5-3: Certificate Life Cycle Factors

Factor | Variables | Implications
The length of the CA’s private key | What length key is appropriate? 56-bit, 128-bit, or more? | The longer the key, the more data bits to work with. Long keys require more resources (number of computers, time involved, etc.) to break. Attackers may not think it’s worth the effort.
Strength of the cryptography used | How complex will the algorithm be? Will it be created by a programmer or developed by algorithm software? | The more complex the mathematical functions are that are used in the algorithm, the harder it is for an attacker to decrypt.
Physical security of the CA and private key | Where is the CA kept? Is it in a locked area or just protected by a password? Who has access to it? | Higher physical security is essential for longer life cycles. All the policy in the world won’t protect a private key if it is not physically secure. Keep in mind that physical security may be expensive.
Security of issued certificates and their private keys | Where is the private key stored? On a smart card? On the desktop? Is a password required? | The more secure the user’s private keys are, the better it is for the security of the overall system. Conversely, users can forget passwords or lose smart cards, and that means more work for administrators.
Risk of attack | Is your CA offline or online? Is your root CA within your company or handled by a third-party company? What type of business are you in? Does your company have an intranet? | Your CA may be secure, but an attacker can use another access point that is not as secure on your network to gain access to the CA.
User trust | Who is using the issued certificates? External or internal users? | You can generally trust internal users (employees on the corporate network) more than external users (individuals accessing through the Internet).
Administrative involvement | Long life cycles require less administrative work. Short life cycles require more administrative work. | Although a long life cycle requires less administrative work (renewals, revocations, etc.), it also gives attackers more time to gain access.

CA Vulnerabilities

While CA servers are vulnerable to the same exploits covered so far in this course, including eavesdropping and malicious code, CAs also have unique vulnerabilities, all of which center around the security of certificates and keys. If there isn’t tight control placed on the issuance of certificates and keys, attackers could obtain certificates and exploit those trust relationships. The following table describes a few common vulnerabilities.

Vulnerability | Description
Unauthorized users | Your CA should issue certificates only to authorized users. If access control is too loose, attackers could obtain and exploit certificates from your CA.
Physical security | If an attacker can physically access your CA, there’s no limit to what he or she can accomplish.
Private keys | Weak private keys threaten the security of your entire CA hierarchy because they can more easily be broken and exploited by an attacker.


Hardened CA

Definition:

A hardened CA is a CA that has been configured to protect against software and hardware attacks according to a defined security policy. A hardened CA may include some or all of the following security configuration settings:

• A hardened operating system to prevent attackers from exploiting the OS to attack the CA server software.

• Strict access controls on certificate requests to prevent unauthorized users from obtaining certificates.

• Location behind a firewall to prevent unauthorized users from connecting to the server for any reason.

• Tight physical security to prevent attackers from accessing the server itself.

• Longer key lengths to make keys and your entire CA hierarchy more secure.

Example: USA Travel’s Windows 2000 CA

USA Travel’s security policy requires their root CA to be located in a locked room to which there is limited physical access. In addition, only authorized users must be allowed to obtain a certificate. The network administrator for the main corporate office has placed the server in a locked room to which only he and two other administrators have access. In addition, the administrator has configured security on the CA server so that only authenticated network users may request certificates. Because the CA is configured according to the established security policy, it can be considered hardened.

Harden a Certificate Authority

Procedure Reference: Harden a Windows 2000 Certificate Authority

To harden a Windows 2000 Certificate Authority:

1. Harden the operating system.

2. Use Active Directory Sites And Services to set permissions for individual certificate templates so that only authorized entities can obtain certificates. To set permissions for individual certificate templates:

a. Choose Programs→Administrative Tools→Active Directory Sites And Services.

b. If necessary, choose View→Show Services Node.

c. Expand Services, then Public Key Services, and select Certificate Templates.

d. Double-click the template you want to secure, and configure security as necessary.

3. Place all CA servers behind a firewall.

4. Physically secure the CAs.

5. For greater security and to make it more difficult for attackers to crack your keys, use longer key lengths.


Balance Security and Accessibility

Although it would seem that a long key pair combined with a very complex algorithm would provide the longest life cycle and less administrative overhead, this combination can reduce the speed of encrypting and decrypting data on the network. A long life cycle also allows attackers more time to break the code.

ACTIVITY 5-2

Hardening a Windows 2000 Certificate Authority

Data Files:

• UniversityCAspecs.rtf

Scenario:

One of the next tasks as the university’s security administrator is to make sure the certificate server is hardened based on the design documents of the IT department. In the past, the university has had problems with unauthorized users being granted certificates. You have installed new Windows 2000 CAs as Enterprise CAs in your domain so that you have the ability to configure the certificate server to restrict user access to certificate templates. The IT department has documented the required certificate template permission settings in the UniversityCAspecs.rtf security guidelines document.

In the classroom, your CA is actually installed as a stand-alone CA. You will still be able to perform the required permissions configurations in the Active Directory.

What You Do How You Do It

1. Use Active Directory Public Key Services to configure the appropriate permissions on the User template as specified in the UniversityCAspecs.rtf file.

a. From the Start menu, choose Programs→Administrative Tools→Active Directory Sites And Services.

b. Choose View→Show Services Node.

c. Expand Services, then Public Key Services, and select Certificate Templates.

d. In the Templates list, double-click User.

e. Select the Security tab.

f. With Authenticated Users selected, verify that Read and Enroll are checked and click OK.


2. Use Active Directory Public Key Services to configure the appropriate permissions on the WebServer template as specified in the UniversityCAspecs.rtf file.

a. In the Templates list, double-click WebServer.

b. Select the Security tab.

c. With Authenticated Users selected, verify that Read and Enroll are checked and click OK.

d. Close Active Directory Sites and Services.

3. Suppose the University wanted only faculty members to be able to enroll certificates from its Enterprise CAs. How would you configure security?

TOPIC C

Back Up Certificate Authorities

As a network administrator, you’re probably used to backing up data and services on a regular basis, so that you can restore the information in case of damage or loss. Your CA database is no different. You should always have a valid CA backup on hand as a safety net for your CA servers.

Back Up Certificate Authorities

Procedure Reference: Back Up a Certificate Authority

To prepare for the worst, back up your CA. The backup steps will vary depending upon the CA software you are using. To back up a Windows 2000 CA:

1. Open Certification Authority.

2. Right-click your CA object and choose All Tasks→Backup CA.

3. Use the Certification Authority Backup Wizard to back up the CA’s private key, CA certificate, log, and request queue.

4. Back up the CA configuration information by performing a System State backup. See the Windows 2000 Help system for more information on using Windows Backup to back up the System State.

You should also periodically back up your entire CA server, by using a third-party backup tool.


ACTIVITY 5-3

Backing up a Certificate Authority

Data Files:

• UniversityCAspecs.rtf

Scenario:

One of the next tasks as the university’s security administrator is to make sure the certificate server is backed up based on the design document of the IT department. The university is concerned about the possibility of the certificate server failing or being breached by an attacker and wants to implement a backup strategy.


What You Do How You Do It

1. Back up your certificate server.

a. In Certification Authority, right-click your CA object and choose All Tasks→Backup CA to launch the Certification Authority Backup Wizard.

b. Click Next.

c. Check Private Key And CA Certificate. Check Issued Certificate Log And Pending Certificate Request Queue. Configuration information can only be backed up as part of a Windows 2000 System State backup.

d. In the Back Up To This Location text box, enter C:\CABackup. Click Next.

e. Click OK to create the new C:\CABackup directory.

f. Enter and confirm !Pass1234 as the password for the private key and certificate file backup.

g. Click Next, and then click Finish to perform the backup.

2. If you did lose your root CA due to system failure and you did not have the password to restore, what would happen to the certificates that have already been issued?


3. Verify that the backup was successful.

a. Open the C:\CABackup folder. It should contain the backup copy of the server certificate and a DataBase folder containing the remaining backup items.

b. Close the C:\CABackup folder window.

TOPIC D

Restore a Certificate Authority

In Topic 5C, you learned to back up your CA to protect against disaster. With luck, you’ll never have to use that backup, but you should be ready to do so just in case the CA ever does go down. In this topic, you’ll learn to restore a CA server from a backup.

There are lots of things that can bring a CA server down. Ordinary problems such as a bad hard disk or a loss of power can affect the system just like any other system, or, despite your best efforts at hardening the server, an attacker might target and compromise the CA to obtain user IDs, issue false certificates, or simply deny CA services. In these cases, restoring your clean backup will be part of your plan for a speedy, safe, and effective CA restoration.

Restore a Certificate Authority

Procedure Reference: Restore a Certificate Authority

Thankfully, you backed up your CA. Now you can restore it. To restore a CA:

1. Open Certification Authority.

2. Right-click your CA object and choose All Tasks→Restore CA.

3. Use the Certification Authority Restore Wizard to restore the CA’s private key, CA certificate, log, and request queue from the backup location.

4. Restore the CA configuration information by performing a System State restoration. See the Windows 2000 Help system for more information on restoring the System State.


ACTIVITY 5-4

Restoring a Certificate Authority

Setup:

A certificate for Server authentication has been issued and the CA has been backed up. The CA log files are stored in C:\WINNT\System32\Certlog.

Scenario:

Some of the files for your CA server have become corrupted. Fortunately, you have a backup copy that you can use to restore your CA.

What You Do How You Do It

1. Delete your CA server’s edb00001.log file.

a. Open the C:\WINNT\System32\CertLog folder.

b. Delete the Edb00001.log file.

c. Minimize the C:\WINNT\System32\CertLog folder window.


2. Restore your certificate server.

a. In Certification Authority, right-click your server object and choose All Tasks→Restore CA.

b. Click OK when prompted to stop Certificate Services.

c. In the Certification Authority Restore Wizard, click Next.

d. Check the Private Key And CA Certificate check box, and check the Issued Certificate Log And Pending Certificate Request Queue check box.

e. In the Restore From This Location text box, enter C:\CABackup and click Next.

f. In the Password text box, enter !Pass1234 and click Next.

g. Click Finish.

h. Click Yes when prompted to start Certificate Services when the restore is complete.

3. Verify that the restore was successful.

a. Switch to the C:\WINNT\System32\CertLog folder window. The log file is present in the folder.

b. Close the C:\WINNT\System32\CertLog folder and Certification Authority.

Lesson 5 Follow-up

In this lesson, you learned to manage a certificate-based security system through a public key infrastructure (PKI). The tasks involved in managing a PKI range from implementing a CA hierarchy to understanding how to restore the CA and restore lost keys. As a security professional, these skills will be vitally important if your company implements a PKI. You will be the person they call on to get the services up and running.

1. What types of CAs are you familiar with?

2. Have you been involved in implementing a PKI? Explain.


Managing Certificates

Lesson Objectives:

In this lesson, you will manage certificates.

You will:

• Enroll certificates for entities.

• Secure network traffic using certificates.

• Renew certificates.

• Revoke certificates.

• Back up certificates and private keys.

• Restore certificates and private keys.

Lesson Time: 1 hour(s), 30 minutes

Introduction

Digital certificates are a versatile method for authenticating a variety of network transactions. Properly used, certificates enable servers, clients, and applications to prove their identities and validate their communications across almost any network connection. To get the full benefit of certificate security, you should be able to manage all the phases of the certificate process, from enrollment to revocation, and that’s what we’ll do in this lesson.

TOPIC A

Enroll Certificates for Entities

Using certificates is a process that has several stages. The first stage is enrolling and installing certificates for the entities (users, devices, and services) who need them. In this topic, you’ll learn to enroll certificates for various entities that require them.

A CA by itself doesn’t do you any good. You have to get the certificates enrolled properly for the appropriate entities in order to implement certificate-based security. If a user, server, or client machine doesn’t have the right certificate, there is nothing you can do to secure communications to or from that entity. The skills you’ll learn in this topic will help you request and install the proper certificates for each security situation.

Certificate Enrollment Process

Certificate enrollment depends on the level of security the CA requires from an entity to obtain the certificate. The exact process of certificate enrollment is determined by the certificate policy (CP) for that particular CA.

Table 6-1: Steps in the Certificate Enrollment Process

Enrollment Step | Explanation
Entity submits request for certificate. | An entity follows the procedure (for example, filling out an online form) to obtain a certificate.
User authenticated by the RA. | Authentication is determined by the certificate policy requirements (for example, network userid and password, driver’s license, or other unique identifier).
Policy applied to request. | The CP for the particular CA issuing the certificate applies the certificate policy to the request.
Request sent to CA. | If the identity of the entity is authenticated successfully and the policy requirements are met, the certificate request is sent on to the CA.
CA issues certificate. | The certificate is created and put in the repository.
User is notified certificate is complete. | The entity is notified that the certificate is available and the certificate is delivered.


Example: Thousands of Certificates to Enroll

Within corporations that have a large number of entities to issue certificates to, a variety of tools may be used to speed up the process. For instance, if a corporation of 10,000 employees scattered throughout the world decided to implement a PKI, there would be a tremendous amount of administrative overhead involved to enroll each employee for a certificate. In this case, the corporation could pull existing employee information from a human resource database to initially authenticate users. Then employees could be given a telephone number to call to complete the process. As an alternative, the employees could fill out automated forms on an intranet. Very often, however, large corporations will have the third-party vendor that is setting up the root CA handle the entire process of certificate enrollment for the employees. There are two drawbacks to this option: it can be very cost prohibitive, and you can’t verify each user’s identity individually, which can be a security risk.

Enroll Certificates for Entities

Procedure Reference: Enroll a Certificate for a Windows 2000 Web Server

Nothing happens in a CA hierarchy until certificates are enrolled for each entity. To enroll a certificate for a Windows 2000 Web server:

1. Request the certificate. The certificate request can be saved as a file or submitted across the network.

• You can request certificates for users by using the Web-based enrollment form on your certificate server’s home page at http://servername/certsrv.

• Or, you can request a Web server certificate by using the Web Server Certificate Wizard in Internet Services Manager.

a. In Internet Services Manager, right-click your server and choose Properties.

b. Select the Directory Security tab.

c. Click Server Certificate.

d. Complete the wizard with all the appropriate information.

2. If the certificate request is saved as a file, take the file to the issuing CA and submit it manually. If the CA is not configured to issue certificates automatically, the CA administrator will issue the certificate manually.

3. After the certificate has been issued, install it. To install a certificate on a Web server:

a. Download and save the certificate.

b. In Internet Services Manager, open the properties of the Default Web Site.

c. Select the Directory Security tab and click Server Certificate. Click Next.

d. Verify that Process The Pending Request And Install The Certificate is selected and click Next.

e. Verify that the correct certificate is selected.

f. Click Next, and then click Finish to install the certificate.


ACTIVITY 6-1

Enrolling Certificates

Data Files:

• UniversityCAspecs.rtf

Scenario:

Now that your certificate server is functional, one of the next tasks as the university’s security administrator is to enroll certificates for entities that require them. The university maintains a Web-based student registration system. Internet Information Services has already been hardened on your CAs and all University Web servers. One of the first implementations of using certificates will be to make sure the data being transferred is secure on the student registration Web servers. In order to do so, you will need to enroll a certificate for the Web server according to the specifications in the UniversityCAspecs.rtf file.

The focus of this activity is on enrolling the certificate, not setting up the secure Web communications.


What You Do How You Do It

1. Create a file-based request for a new Web server certificate from your CA.

a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

b. Expand your Web server object.

c. Select and right-click the Default Web Site object, and choose Properties.

d. Select the Directory Security tab.

e. Click Server Certificate to launch the Web Server Certificate Wizard.

f. Click Next.

g. Verify that Create A New Certificate is selected and click Next.

h. Verify that Prepare The Request Now But Send It Later is selected and click Next.

The other option is grayed out because your server does not permit immediate submission.

i. Click Next to accept the default Name and Bit Length settings.

j. Enter Security Org as the Organization and Education as the Organizational Unit. Click Next.

k. Enter Server# Web Server as the Common Name. Click Next.

l. Enter New York as the State/Province and enter Rochester as the City/Locality. Click Next.

m. Click Next to accept the default file name and location for the certificate request file. By default, it is saved as C:\Certreq.txt.

n. Click Next, and then click Finish to generate and save the request file.


o. Click Cancel to close the property sheet.

2. Submit the request to your certificate server.

a. Use Notepad to open the C:\Certreq.txt file.

b. Choose Edit→Select All, and then choose Edit→Copy.

c. Close Notepad.

d. Use Internet Explorer to connect to http://server#/certsrv.

e. Verify that Request A Certificate is selected and click Next.

f. Select Advanced Request and click Next.

g. Select Submit A Certificate Request Using A Base64 Encoded PKCS #10 File Or A Renewal Request Using A Base64 Encoded PKCS #7 File and click Next.

h. Click in the Saved Request text box and choose Edit→Paste. Click Submit.

i. Click the Home link in the Certificate Pending Web page.

3. Issue the requested server certificate.

a. In Certification Authority, select the Pending Requests folder.

b. Right-click the pending request with a Request Common Name of Server# Web Server and choose All Tasks→Issue. You may have to scroll to the right a bit in order to view the Request Common Name.

c. Select the Issued Certificates folder. The newly-issued certificate should appear in the details pane.


4. Download the newly-issued certificate as a file.

a. Switch to Internet Explorer.

b. Select Check On A Pending Certificate and click Next.

c. Select the Saved-Request Certificate and click Next.

d. On the Certificate Issued Web page, click Download CA Certificate.

e. In the File Download dialog box, click Save.

f. Save the file as C:\Certnew.cer.

g. In the Download Complete dialog box, click Close.

h. Close Internet Explorer.

5. Install and verify the certificate.

a. In Internet Services Manager, open the properties of the Default Web Site.

b. Select the Directory Security tab and click Server Certificate.

c. Click Next.

d. Verify that Process The Pending Request And Install The Certificate is selected and click Next.

e. Verify that the C:\Certnew.cer file is selected and click Next.

f. Click Next, and then click Finish to install the certificate.

g. Click View Certificate. The details of the certificate match your request, which verifies that this is the correct certificate.

h. Click OK to close the certificate.

i. Click Cancel to close the property sheet.


TOPIC B

Secure Network Traffic Using Certificates

Once an entity has a certificate enrolled, as you did in Topic 6A, you can use the certificate to secure network traffic flowing to and from that entity. Setting up the security is the next step in the process, so, in this topic, you’ll use certificates to secure network communications.

The end result of all your PKI planning, installation, and configuration is a mechanism for securing network communications. As you know by now, unsecure network communication is open to a variety of attacks, including eavesdropping. Attackers can use simple tools to steal data as it travels across the network and, most importantly, capture user names and passwords to get into your most sensitive systems. In this topic, you’ll learn how to secure data using certificates—another method for keeping attackers out of the critical components in your network.

Secure Socket Layer (SSL)

Secure Socket Layer (SSL) is a stateful security protocol that combines digital certificates for authentication with RSA public key and symmetric encryption. As illustrated in Figure 6-1, SSL communication starts with a client requesting a session with a server. The server responds by sending its digital certificate and public key to the client. The server and client then negotiate an encryption level. Once they agree on a level, the client generates a session key, encrypts it with the server’s public key, and sends it to the server. The session key then becomes the key used in the conversation.

Figure 6-1: SSL.
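The exchange in Figure 6-1 as an added Python model (written for this edition; it is not course code and not a real SSL implementation): the server presents its certificate and public key, the two sides settle on an encryption level, and the client sends back an RSA-encrypted session key that then protects the conversation. The client also checks that the certificate's issuer is trusted and that its name matches the site, which is the check behind the Security Alert seen in Activity 6-2. The tiny RSA primes, hostnames, trust store and bulk cipher are constructed for illustration; real SSL uses long keys, padded RSA and a standard symmetric cipher.

```python
import hashlib
import os

# Constructed trust store: the CAs whose certificates this client accepts.
TRUSTED_CAS = {"University Root CA"}


def rsa_keygen(p=61, q=53, e=17):
    """Textbook RSA from tiny constructed primes (illustration only; real SSL
    servers use long keys and a padding scheme such as PKCS#1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))       # (public key, private key)


def rsa_apply(key, value):
    """Encrypt with a public key or decrypt with the matching private key."""
    n, exponent = key
    return pow(value, exponent, n)


def negotiate_level(server_levels, client_levels):
    """Pick the strongest encryption level (in bits) that both sides support."""
    common = set(server_levels) & set(client_levels)
    if not common:
        raise ValueError("no common encryption level")
    return max(common)


def keystream_xor(session_key, data):
    """Stand-in for SSL's symmetric bulk cipher: XOR with a SHA-256 keystream
    derived from the session key. Applying it twice restores the data."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(session_key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


class Server:
    def __init__(self, hostname, levels, issuer="University Root CA"):
        self.levels = levels
        self.public_key, self._private_key = rsa_keygen()
        # The certificate binds the server's name to its public key and names
        # the CA that issued it (the CA's signature itself is not modelled).
        self.certificate = {"subject": hostname, "issuer": issuer,
                            "public_key": self.public_key}
        self.session_key = None

    def hello(self):
        """Reply to the client's session request: certificate, public key, levels."""
        return {"certificate": self.certificate, "levels": self.levels}

    def receive_session_key(self, encrypted_bytes):
        """Only the holder of the private key can recover the session key."""
        self.session_key = bytes(rsa_apply(self._private_key, c) for c in encrypted_bytes)


def client_handshake(server, hostname, client_levels, trusted_cas=TRUSTED_CAS):
    """Client side of the exchange. Returns (session_key, level, warnings)."""
    hello = server.hello()                       # 1. client requests a session
    cert = hello["certificate"]                  # 2. server sends certificate + public key
    if cert["issuer"] not in trusted_cas:
        raise ValueError(f"certificate issued by untrusted CA {cert['issuer']!r}")
    warnings = []
    if cert["subject"] != hostname:              # the browser's "name does not match" alert
        warnings.append(f"certificate name {cert['subject']!r} does not match site {hostname!r}")
    level = negotiate_level(hello["levels"], client_levels)  # 3. agree on a level
    session_key = os.urandom(level // 8)         # 4. client generates a session key,
    encrypted = [rsa_apply(cert["public_key"], b) for b in session_key]  # encrypts it with
    server.receive_session_key(encrypted)        #    the server's public key, and sends it
    return session_key, level, warnings          # 5. the session key protects the conversation


if __name__ == "__main__":
    server = Server("server1", levels=[40, 128])
    key, level, warnings = client_handshake(server, "server1", [128, 40])
    ciphertext = keystream_xor(key, b"student registration form")
    print(level, warnings, ciphertext.hex())
    print(keystream_xor(server.session_key, ciphertext))
```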


SSL is widely deployed on Web sites and the Internet because it’s a server-driven process. The client simply has to support SSL; it doesn’t need a registered certificate. This means that any of 60 million Internet users can connect to a Web site through a secure connection, as long as their browsers can support SSL. Web sites that begin with https:// are sites that require SSL.

Transport Layer Security (TLS)

Transport Layer Security (TLS), the next generation of SSL, uses certificates and public key cryptography for mutual authentication and data encryption over a TCP/IP connection. TLS provides a mechanism for two computers to verify each other’s identity (mutual authentication), to establish a secure, tamper-resistant channel for communication, and to encrypt data using negotiated secret keys. Like SSL, TLS is an important security mechanism because it protects sensitive communication from eavesdropping and tampering by using a secure, encrypted, and authenticated channel.

For more information on TLS, see RFC 2246. For more information on SSL, visit http://wp.netscape.com/eng/ssl3/.

Secure Network Traffic Using Certificates

Procedure Reference: Secure Network Traffic with Certificates

The purpose of using certificates is securing communication to and from your network. The Internet plays a large part in how much traffic your network has to handle. The method you will use to secure network traffic with certificates will vary depending on the types of network services you maintain. To secure a Windows 2000 Web site with certificates:

1. In Internet Information Services, open the properties of the Web site and select the Directory Security tab.

2. In the Secure Communications area, click Edit.

3. Check Require Secure Channel (SSL).

4. Configure the desired channel settings, such as 128-bit encryption.

5. Click OK.

6. If this Web site has subordinate virtual directories, select the directories you want to inherit the new security configuration and click OK.


ACTIVITY 6-2

Securing Network Traffic with Certificates

Data Files:

• UniversityCAspecs.rtf

Setup:

A certificate has been installed on the Web server. There is a home page for a student registration Web site on the server at the URL http://server#/register. The data file for this activity is available at \\Server100\SPlus\Student\UniversityCAspecs.rtf.

Scenario:

Now that you have obtained and installed the required certificate, your next task as the university’s security administrator is to enable secure communications on the student registration Web site, which the University’s Webmaster has created on the Web server at http://server#/register. You need to ensure that the enrollment data being transferred to and from the registration Web site is secured according to the specifications in the UniversityCAspecs.rtf file.

What You Do How You Do It

1. Verify that you can connect to the student registration Web site.

a. Open Internet Explorer.

b. In the Address box, enter http://server#/register where # is your student number. You should see the home page for the student registration Web site.

c. Close Internet Explorer.


2. Enable the appropriate secure communications method and encryption level for the student registration Web site.

a. In Internet Information Services, under the Default Web Site, open the properties of the Register virtual directory.

b. Select the Directory Security tab.

c. In the Secure Communications area, click Edit.

d. Check Require Secure Channel (SSL).

e. Check Require 128-bit Encryption.

f. Click OK twice.

3. Test unsecure communications with the student enrollment Web site.

a. Open Internet Explorer.

b. In the Address box, enter http://server#/register where # is your student number. You should receive a message that the page must be accessed over a secure channel.

4. Why did it fail?


5. Test secure communication withthe student enrollment Web site.

a. In the Address box, enter https://server#/register where # is your studentnumber.

b. Click OK to acknowledge that you aremaking a secure connection.

c. In the Security Alert dialog box, clickView Certificate. Even though the nameon the certificate does not match the sitename, you can see that it is the WebServer certificate you issued for thisserver.

d. Click OK to close the certificate.

e. In the Security Alert dialog box, click Yesto connect to the secure site.

f. Close Internet Explorer.

6. Were you successful? Why?

TOPIC C

Renew Certificates

After you initially configure certificate-based security, as you did in Topic 6B, the remainder of your certificate management tasks have to do with maintaining the certificates over the rest of their life cycle. Because certificates are temporary and can expire, your first concern will be with renewing existing certificates at the appropriate intervals. In this topic, you’ll learn to renew certificates.

Just like a driver’s license, certificates are designed to expire at regular intervals. If the driver’s license was good indefinitely, society would have no way to verify over time that the driver was still qualified to drive. And if certificates didn’t expire, an entity on the network could use one indefinitely even if its job role or function had changed. So that drivers can keep their license past the expiration period, most motor vehicle departments have a renewal process in place that doesn’t interrupt a driver’s right to be on the road. It’s the same way with certificates. You should renew certificates appropriately so that you don’t have any interruptions in your security services.


Renew Certificates

Procedure Reference: Renew Certificates

The procedures for renewing a certificate will vary depending upon the entity for whom you are renewing, and on your CA software. For example, Windows users can use the Certificates MMC console to renew certificates in their personal store, while CA administrators can use Certification Authority to renew their CA certificate.

To renew a CA certificate in Windows 2000:

1. Open Certification Authority.

2. Right-click your CA object and choose All Tasks→Renew CA Certificate.

3. Stop Certificate Services when prompted.

4. Choose whether or not to generate a new key pair when prompted. Reusing the existing key only extends the certificate’s validity period; if the key may have been compromised, you must generate a new key pair.

5. View the new certificate to verify that the expiration date has been extended.

ACTIVITY 6-3

Renewing a CA Certificate

Scenario: Your root CA key has been compromised! To avoid student records being accessed inappropriately, you need to correct the root CA key problem immediately. Renewing the CA certificate with a new key pair is only the first step: every certificate signed with the compromised key (including subordinate CA certificates) must be reissued under the new key, and the new root certificate must be distributed to all relying parties before the old one is removed from their trust stores.

You will perform this activity on the root CA server only.


What You Do How You Do It

On the Root CA server:

1. Renew the root CA certificate.

a. In Certification Authority, right-click your CA object and choose All Tasks→Renew CA Certificate.

b. When prompted to stop Certificate Services, click Yes.

c. Select Yes to generate a new key pair.

d. Click OK.

e. Open the properties of your CA object.

f. Click View Certificate. The renewed certificate should expire one year from the current date.

g. Click OK, and then click Cancel to close the certificate and the property sheet.

TOPIC D

Revoke Certificates

In Topic 6C, you learned to perform certificate renewal, which is necessary when you want a security entity to be able to continue using a certificate past its original expiration period. You might sometimes encounter the opposite case, when you want a security entity to stop using a certificate before it expires. To do that, you must revoke the certificate, which is what we’ll do in this topic.

Remember that certificates are sort of like driver’s licenses; although they are only good for a limited period, most people can simply renew theirs to keep it valid past the original expiration. But sometimes, a driver loses the right to drive. In the same way, sometimes a security principal no longer needs a certificate or should no longer be able to authenticate with a certificate. Just like the driver’s license, the certificate has to be revoked to prevent its further use.

Certificate Revocation List (CRL)

A Certificate Revocation List (CRL) is a list of certificates that were revoked before their expiration date. A certificate may be revoked for a number of reasons including:

• The certificate owner’s private key has been compromised or lost.


• The certificate was obtained by fraudulent means.

• The entity is no longer trustworthy (this can occur when an employee leaves a company under normal circumstances or when a subordinate CA is hacked).

Each CA has its own CRL, covering only the certificates that CA issued, which can be accessed through the directory services of the network operating system or a Web site. The CRL is signed by the CA and lists each revoked certificate’s serial number, its revocation date, and optionally a reason code; it also carries the date it was issued and the date by which the next update is due. Many software programs, including email applications, will check the status of a certificate before relying on it by obtaining an up-to-date CRL from the issuing CA.

Certificate Suspension

Certificate revocation permanently invalidates a given certificate. You can revoke certificates on any type of CA. Some Unix-based certificate server systems also support certificate suspension, which enables you to temporarily invalidate a certificate with the option of later reinstating it. Certificate suspension is not supported on Windows 2000 CAs. Applications that check certificate status by checking CRLs will also check for suspended certificates as part of the certificate status check, because a suspended certificate is listed in the CRL with the reason code Certificate Hold.

Revoke Certificates

Procedure Reference: Revoke a Certificate

You may need to revoke certificates when an entity is compromised. To revoke a certificate:

1. Revoke the certificate itself. For Windows 2000, in Certification Authority, select the Issued Certificates folder, right-click the certificate you want to revoke, and choose All Tasks→Revoke Certificate. You can specify a reason why the certificate was revoked.

2. Publish the CRL. The CRL is published automatically at an interval that you specify, and can also be published manually. Until a CRL containing the revocation is published, and fetched by the relying parties, the certificate still appears valid to them, which is why a key-compromise revocation should be followed by an immediate manual publication.

• To publish a Windows 2000 CRL manually, in Certification Authority, right-click the Revoked Certificates folder and choose All Tasks→Publish.

• To modify the CRL publication interval on a Windows 2000 server, in Certification Authority, open the properties of the Revoked Certificates folder and set the Publication Interval to the desired value.
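The following Python block is an added example, not code from the manual or from Windows 2000 Certificate Services. It models the revoke and publish steps above together with the relying party’s check described under Certificate Revocation List (CRL): a revocation is invisible to clients until a CRL containing it is published, a CRL past its Next Update is treated as stale, and one CA’s CRL says nothing about another CA’s certificates. The CA names, serial number, dates and publication interval are constructed for the illustration.

```python
"""Model of a CA's revoked-certificate database and a relying party's CRL check.

Added example; not code from the manual or from Windows Certificate Services.
CA names, serial numbers and dates below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class Reason(Enum):
    """CRLReason codes from RFC 5280 (the Windows revocation dialog uses the same names)."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6      # suspension: the certificate may be reinstated later


@dataclass
class CRL:
    issuer: str
    this_update: datetime     # "Effective Date" in the Windows CRL viewer
    next_update: datetime     # "Next Update"; clients may cache the list until then
    entries: Dict[int, Tuple[datetime, Reason]]   # serial -> (revocation date, reason)


@dataclass
class CertificationAuthority:
    name: str
    publication_interval: timedelta
    revoked: Dict[int, Tuple[datetime, Reason]] = field(default_factory=dict)
    current_crl: Optional[CRL] = None

    def revoke(self, serial: int, reason: Reason, now: datetime) -> None:
        """Step 1: record the revocation in the CA database (Revoked Certificates folder)."""
        self.revoked[serial] = (now, reason)

    def publish_crl(self, now: datetime) -> CRL:
        """Step 2: issue a CRL; relying parties only learn of revocations listed here."""
        self.current_crl = CRL(
            issuer=self.name,
            this_update=now,
            next_update=now + self.publication_interval,
            entries=dict(self.revoked),
        )
        return self.current_crl


def certificate_status(serial: int, issuer: str, crl: Optional[CRL], now: datetime) -> str:
    """Relying-party decision: 'good', 'revoked', 'suspended', 'stale' or 'unknown'."""
    if crl is None or crl.issuer != issuer:
        return "unknown"      # a CRL only covers certificates issued by its own CA
    if now > crl.next_update:
        return "stale"        # past Next Update: fail closed rather than trust an old list
    if serial in crl.entries:
        _, reason = crl.entries[serial]
        return "suspended" if reason is Reason.CERTIFICATE_HOLD else "revoked"
    return "good"


def revocation_timeline() -> list:
    """Walk a web-server certificate (serial 0x1234, constructed) through revoke and publish."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    sub_ca = CertificationAuthority("University Sub CA", publication_interval=timedelta(days=7))
    web_serial = 0x1234
    events = []

    sub_ca.publish_crl(t0)                       # weekly CRL published, nothing revoked yet
    events.append(certificate_status(web_serial, sub_ca.name, sub_ca.current_crl, t0))

    t1 = t0 + timedelta(days=1)                  # key compromise reported; CA revokes ...
    sub_ca.revoke(web_serial, Reason.KEY_COMPROMISE, t1)
    events.append(certificate_status(web_serial, sub_ca.name, sub_ca.current_crl, t1))
    # ... but clients still hold the t0 CRL, so the certificate still looks good.

    sub_ca.publish_crl(t1)                       # All Tasks -> Publish: now visible
    events.append(certificate_status(web_serial, sub_ca.name, sub_ca.current_crl, t1))

    root_ca = CertificationAuthority("University Root CA", publication_interval=timedelta(days=7))
    root_ca.publish_crl(t1)                      # the root CA's CRL does not list sub-CA issuances
    events.append(certificate_status(web_serial, sub_ca.name, root_ca.current_crl, t1))

    t2 = t1 + timedelta(days=8)                  # nobody republished: the cached CRL expired
    events.append(certificate_status(web_serial, sub_ca.name, sub_ca.current_crl, t2))
    return events


if __name__ == "__main__":
    print(revocation_timeline())
```

The second element of the timeline answers the activity question "When will users know that the certificate is revoked?": not at revocation time, but only after a CRL that contains it is published and fetched. The fail-closed handling of a stale CRL is a design choice; some client software instead ignores revocation when the CRL is unavailable, which is why the publication interval must be short enough that the list never lapses.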

Destroy Certificate Files

When you have revoked a certificate, you should also destroy the certificate if it has been stored as a file in any other location. For example, if the revoked certificate had been installed on a smart card, you should destroy or reprogram the card. The certificate itself is public information; what you are really protecting is the private key stored alongside it on the card or in an exported file, which could otherwise still be used to sign or decrypt by anyone who does not check the CRL.


ACTIVITY 6-4

Revoking Certificates

Setup: The certificate server has been backed up.

Scenario: One of your colleagues in IT thinks that a student has compromised the private key of the student registration Web server. IT wants to make sure the suspect key is no longer used. In cases like this, the University’s CA security guidelines call for revocation of the compromised certificate and immediate publication of the CRL.

What You Do How You Do It

1. Revoke the certificate for the Web server.

a. In Certification Authority, select the Issued Certificates folder.

b. Right-click the certificate that was issued to Server# Web Server and choose All Tasks→Revoke Certificate.

c. In the Certificate Revocation dialog box, from the Reason Code drop-down list, select Key Compromise.

d. Click Yes to revoke the certificate.

e. Select the Revoked Certificates folder. The certificate you revoked should appear in the folder.

2. When will users know that the certificate is revoked?

3. Suppose an attacker maliciously misuses administrative privileges to revokecertificates. What could you do to reinstate the certificates?

4. Publish the CRL manually.

a. In Certification Authority, right-click the Revoked Certificates folder and choose All Tasks→Publish.

b. Click Yes to verify that you want to publish a new CRL.


5. Verify that the CRL is current.

a. Open the properties for the Revoked Certificates folder.

b. Click View Current CRL. The Effective Date for the current CRL should be the current date and time. The next automatic update is scheduled on the default weekly update schedule.

c. Select the Revocation List tab. The certificate you revoked should be in the list.

The certificate appears only in the CRL of the subordinate CA. This is by design: each CA publishes a CRL covering only the certificates it issued, and the Web server certificate was issued by the subordinate CA. The root CA’s CRL would list the subordinate CA’s own certificate if that were revoked, but never the certificates the subordinate issued.

d. Click OK to close the Certificate Revocation List.

e. Click OK to close the Revoked Certificates property sheet.

ACTIVITY 6-5

Modifying the CRL Publication Interval

Setup: You have a new installation of a Windows 2000 Server configured as a certificate server. The computer name is Server# and it is installed in a domain named Domain#, where # is a unique integer assigned to you by the instructor. The default administrator account has been set up with a password of !Pass1234.

Scenario: Your CA is configured with the default publication interval for the CRL. The University’s CA security guidelines call for daily publication of the CRL. You’re responsible for configuring your CA in accordance with the guidelines.


What You Do How You Do It

1. Change the publication interval for the CRL.

a. In Certification Authority, open the properties of the Revoked Certificates folder.

b. In the Revoked Certificates Properties dialog box, set the Publication Interval to 1 Days.

c. Click Apply. The Next Update schedule will change the next time the list is published.

If you want to see the Next Update schedule value change, publish the CRL manually again.

d. Click OK to close the property sheet.

TOPIC E

Back Up Certificates and Private Keys

Without certificate keys, public-key security simply cannot function. Due to their necessity, keys should be safeguarded closely. However, despite the best precautions, keys are occasionally damaged or lost. You need to have backup procedures for certificates and keys so that you can restore them when needed.

Back Up Certificates and Private Keys

Procedure Reference: Back Up Certificates and Private Keys

The procedure for backing up a certificate will vary depending upon the type of certificate and the operating system you are using. To back up user certificates and private keys in Windows 2000:

1. As the user, create a custom MMC console containing the Certificates snap-in.

2. In the Certificates console, expand Certificates, Current User.

3. Expand the Personal store and select the Certificates folder.

4. Select the certificate with the appropriate intended purpose.

5. Right-click the certificate and choose All Tasks→Export.


6. Complete the appropriate steps in the Export wizard. For maximum security, use a strong password and export the certificate to a floppy disk. Store the disk in a secure location. The password you enter is the only protection for the private key once the exported .pfx file leaves the machine, so anyone who obtains the disk and guesses the password can impersonate the user.

ACTIVITY 6-6

Backing Up a Certificate and Private Key

Data Files:

• UniversityCASpecs.rtf

Setup: You will need a floppy disk for this activity.

Scenario: The University has decided to secure email communications through the use of individual email certificates for each student and staff member. The security design team has developed recommendations for the strength of the email certificates. They have also developed recommendations for maintaining backup copies of the email certificates and their associated private keys, to guard against loss or compromise of the certificates. As the security administrator, your job is to support enrollment for email certificates, and to maintain backups of each issued certificate according to the specifications in the UniversityCAspecs.rtf. You will need an email certificate enrolled and backed up for your own personal Administrator user account.


What You Do How You Do It

1. Request a certificate for email protection for the Administrator user.

If your system is unable to download the ActiveX control to create the enrollment form, you will need to install the Certificate Enrollment Control patch from Microsoft Security Bulletin MS02-048 (Knowledge Base article Q323172). You can download the patch from http://support.microsoft.com/default.aspx?scid=kb;en-us;323172.

a. Open Internet Explorer and connect to http://server#/certsrv, where # is your student number.

b. Verify that Request A Certificate is selected and click Next.

c. Select Advanced Request and click Next.

d. Verify that Submit A Certificate Request To This CA Using A Form is selected and click Next.

e. Enter administrator as the Name and administrator@domain#.internal as the E-Mail.

f. From the Intended Purpose drop-down list, select E-Mail Protection Certificate.

g. In the Key Size text box, enter 1024. (This follows the lab specification; 1024-bit RSA keys are no longer considered adequate for production use, so choose 2048 bits or longer in a real deployment.)

h. Check Mark Keys As Exportable.

i. Click Submit.

j. Click the Home link in the Certificate Pending Web page.

2. Issue the pending user certificate.

a. In Certification Authority, select the Pending Requests folder.

b. Right-click the pending request with a Request Common Name of Administrator and choose All Tasks→Issue.

3. Install the new email certificate for the Administrator user.

a. In Internet Explorer, select Check On A Pending Certificate and click Next.

b. With the E-Mail Protection Certificate selected, click Next.

c. Click Install This Certificate.

d. Close Internet Explorer.


4. Create a Certificates MMC console for the Administrator user.

a. Click Start and choose Run.

b. Enter mmc and click OK.

c. Choose Console→Add/Remove Snap-in.

d. Click Add.

e. Select Certificates and click Add.

f. Verify that My User Account is selected and click Finish.

g. Click Close, and then click OK.

h. Choose Console→Save As.

i. Save the console as Certificates.msc in the default storage location.


5. Export the certificate and its private key to a floppy disk.

You should store the backup media in a secure location.

a. Insert a floppy disk in the disk drive.

b. In the Certificates console, expand Certificates—Current User. Expand the Personal store and select the Certificates folder.

c. Select the certificate with an intended purpose of Secure Email. (Scroll to the right to see the Intended Purposes column.)

d. Right-click the certificate and choose All Tasks→Export.

e. In the Certificate Export Wizard, click Next.

f. Verify that Yes, Export The Private Key is selected and click Next.

g. Click Next to accept the default file format and strong protection.

h. Enter and confirm !Pass1234 as the password. Click Next.

i. Enter A:\mailcert as the file name. Click Next.

j. Click Finish.

k. Click OK to close the message box.

l. Remove the floppy disk from the drive.


TOPIC F

Restore Certificates and Private Keys

In Topic 6E, you learned to create backups of certificates and private keys. That way, if there is a problem with a certificate or private key, you can recover them from the backup. In this topic, you’ll learn how to restore certificates and private keys.

Certificates and private keys can get lost or destroyed, and when they do, you lose access to the data they protected. For example, if a user loses the smart card containing a certificate, the user won’t be able to log on to your network and do work. This might not happen very often, but when it does, restoring the certificate from the backup is the way to get your security structure back in place quickly and easily.

Private Key Replacement

When a private key is lost, most people think the most important thing to do is to recover the encrypted data. However, this is just the first step in a larger process that has serious consequences for security. Once the data is recovered, there is still the issue of what to do about the possible security risk caused by a lost private key. These steps allow you to recover the data and ensure the continued security of your CA:

1. Recover the private key.

2. Decrypt any encrypted data.

3. Destroy the original private key.

4. Obtain a new key pair.

5. Re-encrypt the data.

Private Key Restoration

You know the process to replace a lost private key, but it’s the lost data that is the highest priority. A private key can become unavailable for several reasons including: an individual forgets the password to access the key, they leave the company voluntarily or involuntarily, or they lose the key. To recover the data, you must first restore the private key. It is important to have a plan to recover this data and minimize the impact of the lost or compromised key before it happens.

There are two primary methods for restoring a lost private key:

• Key escrow—The decryption key is split into several parts and the parts are distributed to escrow agents or trustees. The trustees can then use the parts to reconstruct the lost key or decrypt the information directly.

• Restore from backup—A backup is made of the private key on a floppy disk or other type of removable media. The private key can then be restored from the backup location.

M of N Control

Regardless of which recovery method you use, only a certain number of agents or trustees have the authority to recover a key. To determine how many agents are required, the M of N scheme is commonly used. Of the N agents who each hold one part of the recovery key, any M of them (M less than or equal to N) must cooperate to perform a recovery, and fewer than M cannot reconstruct the key. This prevents a single trustee from recovering keys alone while still allowing recovery when some trustees are unavailable.


For more information about M of N, see the RSA Web site at www.rsasecurity.com/rsalabs/faq/2-1-9.html and related links.
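The M of N control is usually implemented with a threshold secret-sharing scheme. The following Python block is an added example and not code from the manual or from Windows 2000 Certificate Services: it splits a key into N shares with Shamir’s scheme so that any M of them rebuild it, while M - 1 shares give no information about it. The prime modulus, the share counts and the sample keys are assumptions chosen for the illustration.

```python
"""M of N control: split a key into N shares so that any M of them rebuild it.

Added example using Shamir's threshold scheme; not code from the manual or
from Windows 2000 Certificate Services. PRIME, the share counts and the
sample keys are assumptions chosen for the illustration.
"""
import secrets
from typing import List, Tuple

# All arithmetic is done modulo a prime larger than any key we will split.
# 2**521 - 1 is prime (a Mersenne prime) and comfortably exceeds a 256-bit key.
PRIME = 2**521 - 1

Share = Tuple[int, int]   # (x, f(x)); trustee number i receives the share with x = i


def split_key(secret: int, m: int, n: int) -> List[Share]:
    """Return n shares of `secret`; any m of them reconstruct it, m - 1 reveal nothing.

    The secret is the constant term of a random polynomial of degree m - 1 over
    the field GF(PRIME); each share is one point on that polynomial.
    """
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coefficients = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]

    def evaluate(x: int) -> int:
        acc = 0
        for c in reversed(coefficients):        # Horner's rule, highest degree first
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, evaluate(x)) for x in range(1, n + 1)]


def recover_key(shares: List[Share]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the supplied shares.

    With at least m distinct shares the result is the secret; with fewer it is
    an unrelated value, which is what makes the threshold enforceable.
    """
    total = 0
    for i, (x_i, y_i) in enumerate(shares):
        numerator = denominator = 1
        for j, (x_j, _) in enumerate(shares):
            if i != j:
                numerator = (numerator * -x_j) % PRIME
                denominator = (denominator * (x_i - x_j)) % PRIME
        total = (total + y_i * numerator * pow(denominator, -1, PRIME)) % PRIME
    return total


def demo(m: int = 3, n: int = 5) -> dict:
    """Escrow a fresh 256-bit key (constructed) with an m-of-n split and try three recoveries."""
    key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_key(key, m, n)
    return {
        "enough": recover_key(shares[:m]) == key,              # the first m trustees
        "different_subset": recover_key(shares[-m:]) == key,   # any other m trustees
        "too_few": recover_key(shares[:m - 1]) == key,         # m - 1 trustees: fails
    }


if __name__ == "__main__":
    print(demo())
```

In practice each trustee receives one (x, f(x)) pair on separate media, the shares are combined only on a trusted machine during a documented recovery, and the reconstructed key is handled according to the Private Key Replacement steps above: once the data is decrypted, the recovered key is destroyed and a new key pair is issued, because the recovery itself has put a copy of the key outside the user’s control.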

Restore Certificates and Private Keys

Procedure Reference: Restore a Certificate and Private Key

Certificate and key restoration procedures will vary depending upon the type of certificate you need to restore and the software you are using. To restore a user’s certificate and private key in Windows 2000:

1. Open a Certificates MMC console for the affected user account.

2. Open the Personal store, right-click the Certificates folder, and choose All Tasks→Import.

3. Specify the location of the backup certificate, and provide a password if prompted. If you want to be able to create a new backup of the private key, select Mark The Private Key As Exportable.

ACTIVITY 6-7

Restoring a Certificate and Private Key

Setup: There is a backup copy of the Administrator user’s email certificate and private key on a floppy disk. There is a Certificates MMC console for the Administrator user.

Scenario: A staff member’s email certificate and private key have become corrupted. Fortunately, you have followed the procedures in your security policy document and maintain backup copies of all user certificates and private keys. You can use these backups to correct the user’s problem.

What You Do How You Do It

1. Delete the Administrator user’s email certificate.

a. In the Certificates MMC console, right-click the Secure E-mail certificate and choose Delete.

b. Click Yes to confirm the deletion.


2. Restore the certificate and private key from the backup.

a. Insert the floppy disk containing the backup copy of the Administrator’s email certificate in the floppy disk drive.

b. In the Certificates console, in the Personal store, right-click the Certificates folder and choose All Tasks→Import.

c. Click Next.

d. Enter A:\Mailcert.pfx as the File Name. Click Next.

e. Enter !Pass1234 as the password.

f. Check Mark The Private Key As Exportable. Click Next.

g. Click Next to place the certificate in the Personal store.

h. Click Finish.

i. Click OK in the message box. The restored certificate should appear in the Certificates folder in the Personal store.

j. Close Certificates. There is no need to save console settings.

Lesson 6 Follow-up

In this lesson, you learned what is involved in the day-to-day management of certificates. Regardless of how simple or complex your certificate hierarchy is, you will still need to perform tasks such as issuing, revoking, renewing, and eventually expiring certificates. Each of these tasks plays an equally important role in managing certificates.

1. What types of certificate management functions have you performed?

2. Which function of digital certificate management do you find the most common? What function is the most complex?


Enforcing Organizational Security Policy

Lesson Objectives: In this lesson, you will enforce an organizational security policy.

You will:

• Enforce corporate security policy compliance.

• Enforce legal compliance.

• Enforce physical security compliance.

• Educate users.

Lesson Time: 2 hour(s), 30 minutes

LESSON 7

Lesson 7: Enforcing Organizational Security Policy 251

Page 291: Comp Ti a Security

Introduction

In the first six lessons of this course, you implemented your security infrastructure, completing the first phase in the network security process. In the next two lessons, you’ll embark on the second phase: maintaining and monitoring the security infrastructure. In this lesson, you’ll perform the tasks that are necessary to maintain compliance with your organization’s security requirements.

There were a lot of tasks related to setting up network security, from hardening an operating system to managing a PKI. It might seem as if setting up network security is the most important phase in the security process, but that’s not true. The most important phase, and the phase you should be spending the most time and energy on, is the “watchdog” phase, where you maintain your infrastructure and monitor the network for holes and attacks. Remember, once the walls to the fort are up, your job’s not done. On your network, you’re not just watching for attacks; you’re also watching to make sure ordinary wear and tear doesn’t weaken your security structure. This lesson will give you the skills you need to make sure your network security structure stays strong and intact.

TOPIC A

Enforce Corporate Security Policy Compliance

In the first several lessons of this course, you learned the skills you need to configure security according to the requirements of your organization. After the initial configuration, you will need to make sure that the configuration is maintained appropriately over time. In this topic, you’ll learn to enforce compliance with your own organization’s security policy.

It’s not enough to have a security policy documented or even to take the initial steps to configure your systems to match the policy. Unless you have a way to ensure that you conform to the policy on an ongoing basis, cracks are going to appear in your security infrastructure, and the attackers will be out there just waiting to pry open those cracks and jump through onto your network. To maintain a safe and secure environment, make sure you take the time to make sure you are always in compliance with the security needs of your own organization.

Enforce Corporate Security Policy Compliance

Enforcing corporate security policy compliance is not an easy task. It requires the cooperation and understanding of many individuals throughout the organization. However, if you follow some basic guidelines, you can help ensure that you are keeping your company’s sensitive data and resources safe.

Guidelines

To enforce corporate security policy compliance:

• Read all applicable policy documents thoroughly so that you understand the standards and guidelines that pertain to your organization.

• Monitor security-related activities in your organization.

• Take appropriate actions to correct the situation when a security policy is broken.


Example: You discover that some users in your organization are using four-character passwords. Short passwords like this are very vulnerable to a dictionary-based or brute-force password attack. Your corporate security policy states that all passwords should be at least eight characters. You decide to implement a policy setting on your Windows domain that requires a minimum password length of eight characters. Users will now be required to bring their passwords in line with the corporate standard.

ACTIVITY 7-1

Enforcing a Security Policy for an Organization

Data Files:

• NationalBankAcceptableUsePolicy.rtf

Scenario: You are the security administrator for National Bank. Randy Williams, a help desk employee, has given you a report of information gathered at the help desk. He thinks that there are some possible security issues. He asks you to determine whether or not they are within the guidelines of your Acceptable Use security policy. You will not be responsible for terminating users, but it is your responsibility to enforce the policy and make sure the appropriate changes are made based on possible breaches. You will then report back to Randy with your findings.

Using the \\Server100\SPlus\Student\NationalBankAcceptableUsePolicy.rtf policy document, determine which of the following scenarios are within the guidelines of the organization’s policy. If not, what steps would you take to enforce the security policy?

What You Do How You Do It

1. A user, Curt, decides to practice his skills with Network Monitor, a tool that he just learned to use in a Microsoft SMS class.

Is this permissible? Why or why not?

2. What action, if any, should you take?

3. A user, Nancy, has been changing her password quarterly.

Is this permissible? Why or why not?

4. What action, if any, should you take?


5. Tina gets an email from a relative stating that a malicious virus has been circulating on the Internet. The email asks the user to forward the information immediately so others are not infected. She sends it to the AllUsers distribution list.

Is this permissible? Why or why not?

6. What action, if any, should you take?

7. Cathy’s screensaver kicks in every 30 minutes. It requires a password to unlock.

Is this permissible? Why or why not?

8. What action, if any, should you take?

TOPIC B

Enforce Legal Compliance

In Topic 7A, you learned to enforce security policies that are designed to meet the internal needs of your organization. But, as a security professional, you might have responsibility for meeting the security needs of outside legal authorities as well. In this topic, you’ll enforce compliance with any security requirements that your company might legally be required to meet.

Legal security compliance requirements can affect your company in a variety of situations. You might work for a company in a publicly-regulated industry such as the nuclear power industry. Your company might have business partnerships with or provide services or products to any one of a number of government agencies. You also have responsibilities to your local municipality for safety and security. As a security professional, you’ll need to be able to demonstrate that your company is in compliance with any or all of these entities’ security requirements.


Legal Security Compliance Requirements

The legal security requirements of an organization may not necessarily be neatly defined in one individual security policy. Legal requirements affecting information security may be part of non-security related policies such as an organization’s code of ethics. Legal security is a gray area that is constantly changing. For these reasons, it is essential that security professionals work closely with the legal counsel of their organization to limit liability for the organization and protect the assets. Information security professionals, government agencies, and higher-learning educators are working together to find common ground to deal with the consequences of the laws in different countries and industries. However, at this time there are no set standards or guidelines to follow. Each incident is totally unique and is treated as such.

Legal issues involve three distinct areas of concern for the organization: the employees, thecustomers, and the business partners. Table 7-1 lists some of the considerations for each ofthese areas.

For more information on standards and regulations, including various international standards, visit http://securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.security.policy.html.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is important federal legislation that affects security professionals in the United States. This legislation sets standards for maintaining individuals’ health records and guidelines for enforcing those standards, and it requires covered organizations to protect the security and privacy of health information. Any security professional working in health care or a related industry in the United States must be aware of this law.

Table 7-1: Legal Issues That Affect Corporate Security

Legal Requirement: Employees
Considerations:
• Who is liable for misuse of email and Internet resources? The organization, the employee, or both?
• What is the extent of liability for an organization for criminal acts committed by its employees?
• What rights to privacy do employees have regarding electronic communications?

Legal Requirement: Customers
Considerations:
• What customer data is considered private and what is considered public?
• How will a company protect the privacy and confidentiality of customer information?

Legal Requirement: Business Partners
Considerations:
• Who is liable if the data resides in one location (country) and the processing takes place in another location?
• Who is responsible for the security and privacy of the information transmitted between an organization and a business partner? The sender or the receiver?

In the legal realm, the critical issues for security professionals are:

• Evidence collection—Following the correct procedure for collecting evidence from floppy disks, hard drives, smart cards, and other media. As in any other case, evidence that is improperly collected may not be admissible in court.

• Evidence preservation—Criminal cases can take years to resolve and the evidence needs to be properly preserved for a lengthy period of time.


• Chain of custody—A complete inventory of evidence that shows who has handled specific items and where they have been stored is essential. This document must be kept secure at all times to prevent tampering.

• Jurisdiction—Determining exactly who has the right to investigate and prosecute an information technology criminal case can be extremely difficult due to overlapping laws for copyright, computer fraud, and mail tampering. In addition, each country has its own laws and these laws may vary depending on what part of the country is involved.

It is imperative that security professionals work closely with law enforcement from the very beginning when a security incident occurs. It takes the coordinated effort of security professionals, local and international law enforcement, and the court systems to successfully prosecute technology crimes. The best place to start is to consult with your organization’s legal counsel before an incident occurs.

Requirements of Regulated Industries

In addition to the various local, state, federal, and international legal considerations, some organizations may have additional requirements posed by regulated industries such as utility companies, hazardous material manufacturers, and medical professions. The requirements can vary widely depending on the industry involved and are specific for each organization.

Enforce Legal Compliance

Enforcing compliance with legal security requirements that affect your organization can be a complex matter. However, if you enforce legal security compliance effectively, you will protect your company against potentially devastating legal and financial consequences and enhance your overall security.

Guidelines

To verify that your organization is in compliance with the legal requirements of government and regulated industries:

• Read all relevant policy documents that your organization maintains.

• Work with your organization’s legal counsel to stay current with all governmental actions that affect security requirements for your industry, and update your internal policies accordingly.

• Request periodic reviews of your internal policy documents from legal counsel.

• Monitor your organization for compliance with all relevant regulations.

• Take appropriate actions if you determine that your organization is not in compliance.

Example: You are a security administrator for a nuclear power plant, which is subject to regulation by the Nuclear Regulatory Commission (NRC). To keep yourself abreast of new NRC regulations, you visit the NRC’s RuleForum Web site (http://ruleforum.llnl.gov/) on a weekly basis. When new rules are proposed, you work with your legal team to determine if your existing policies and procedures would be in compliance with the new rules. If not, you draft an action plan for modifying your policies and procedures and implement the plan once the final rule is adopted.


ACTIVITY 7-2

Enforcing Legal Compliance for an Organization

Data Files:

• NationalBankAcceptableUsePolicy.rtf

Scenario: As the security administrator for National Bank, you have been assigned the task of determining when appropriate legal action should be taken based on the bank’s Acceptable Use policy. Use the Acceptable Use policy document to determine if your security policy calls for legal action in any of the following situations.

What You Do How You Do It

1. A user opens an attachment which causes a virus to spread within the organization.

2. A user emails a copy of a new type of encryption software program to a user in a foreign country for testing.

3. A user scans your network for open ports.

4. A user forwards an email which appears to be a “Ponzi” or “Pyramid” scheme.

5. Two employees have an argument at lunchtime. During the afternoon, one user sends a threatening email to the other. The second employee is afraid to leave the building unescorted that evening.


TOPIC C

Enforce Physical Security Compliance

You now have the skills to verify your company’s compliance with internal and external security policies on an ongoing basis. There’s one more piece to maintaining a complete security infrastructure, and that is to make sure that the physical components of your company’s security plan are in place. In this topic, you’ll learn to enforce compliance with policies for physically securing information assets.

Your Windows 2000 Server runs one of your company’s most sensitive databases. You’ve spent hours removing services, tightening ACLs, authenticating connections, and filtering traffic to and from the server. You are convinced that nobody can connect to this computer or its sensitive data unless they are supposed to get in. Wouldn’t it be too bad if the last employee in the building on Friday forgot to lock the server room door, and an attacker posing as a maintenance worker walked in, opened the computer case, and stole the hard disk? What will you do if a disaster strikes? If you don’t want this to really happen to you, don’t neglect the physical security enforcement procedures in this topic.

Physical Resource Vulnerabilities

A physical security policy may be a part of your corporate security policy, it may be a separate policy, or it may be a combination of both. Because of the surge in social engineering attacks, physical security has tremendous implications for information technology security. All the firewalls and anti-hacking software in the world won’t matter if physical security is breached. Therefore, it is critical that the IT security team works together with building security and local service providers to be sure there are no physical “holes” for an attacker to exploit. It is also imperative that you are able to recover in the case of a disaster. Your organization should create a Business Continuity Plan (BCP) so that the organization can continue to operate when a crisis has occurred. You should also create a Disaster Recovery Plan (DRP) so that the organization has procedures in place for protecting personnel, physical assets, and information resources during a natural or man-made disaster. The safety of your personnel should always be your first concern in any disaster situation, regardless of the implications for physical and information security.

There are numerous physical vulnerabilities in any organization, including the buildings, devices (such as computers), cell phones, PDAs, and the communication links that connect all of the components. Part of an effective physical security policy is a plan to ensure business continuity in the event of a major disaster. It does not matter if a disaster is the result of a man-made event (such as a phone cable being accidentally cut by construction equipment) or the result of a natural disaster (like an electrical storm). Best practices require that an organization have a BCP in place to prepare for a significant interruption in day-to-day activities without seriously affecting the business activities.


Table 7-2: Physical Resource Vulnerabilities

Physical Resource: Building(s)
Vulnerability Considerations:
• Location—Is the building located in a high-crime area, or in a relatively remote location that would be hard to access in the event of a natural disaster?
• Fire suppression—Is the building adequately covered by a fire-suppression system? Are critical systems and server rooms equipped with special fire protection methods that won’t compromise data?
• Shielding—Is the building protected from electrical surges and other interference from the outside?

Physical Resource: Devices
Vulnerability Considerations:
• Servers—Are all the servers in one location? If someone gains access to a server room, does she have access to every server in the company?
• Laptops/PDAs—These items are easily misplaced or stolen and often contain highly sensitive information.
• Cell phones—Confidential conversations about proprietary company information should be held on land lines and not over wireless channels that do not use encryption. You also may want to disallow the use of wireless devices altogether.

Physical Resource: Communications
Vulnerability Considerations:
• Phone company cables, transformers, and switches can be intentionally or unintentionally damaged or tapped.
• Third-party ISPs and other service providers may have security holes that your organization has no control over.
• Wireless technology is quickly becoming a popular means of communicating. Protecting your wireless cells from outside intruders is critical.

ACTIVITY 7-3

Investigating Business Continuity and Disaster Recovery Plans

Scenario: As security administrator for your company, Riordan Software Systems, you’ve been asked to join a committee of high-level managers to develop a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). Before the committee’s first meeting, you decide to do some research on the Internet.

What You Do How You Do It

1. Search the Internet for information on BCPs and DRPs.

a. Open Internet Explorer and go to your favorite search engine.

b. Search for information on Business Continuity Plans and Disaster Recovery Plans.

c. Examine the information you find.


2. A __________ is a policy that defines how normal day-to-day business will be maintained in the event of a major systems failure.

3. In your own words, how is a BCP different than a DRP?

4. Why is it important to create a BCP?

5. Why is it important to create a DRP?

6. What tools are available to help you create a BCP and DRP?

7. In your opinion, which of the tools you’ve found in your research would be most helpful to you in creating a BCP or DRP? Why?

8. You’ll probably see in your research that risk assessment is an important part of creating a BCP. Why is that?

9. In your opinion, of buildings, devices, and communications, which do you think is generally most vulnerable to attack? Which do you think would be most difficult to recover?

10. Close your browser window when you’re done.

a. Click the Close button to close your browser window.


Enforce Physical Security Compliance

Procedure Reference: Enforce Physical Security Compliance

Although it seems that enforcing physical security compliance would be a simple task compared to other areas of the security policy, it is actually a little more complicated than it first appears. Physical compliance is generally something you can see, but it requires the cooperation of both security professionals and end users to be effective. To enforce physical security:

1. Read the physical security policy document thoroughly so you can enforce its rules, which may include provisions for the following:

• Secured facilities, with adequate protection against fire and electrical interference.

• Secured devices, including servers, desktops, laptops, and PDAs.

• Secured land-line communications, including physical phone lines and communications through your telephone service provider and your ISP.

• Secured wireless communications, including restricted cell phone use.

2. Implement a backup policy that includes offsite backups of critical components, including servers and data on desktop or laptop computers, in case of a physical attack or natural disaster.

3. Implement a Business Continuity Plan (BCP). For example, implement redundant solutions, such as mirrored servers in remote locations or redundant links, in case of physical attacks or natural disasters. A BCP might also contain a plan to implement an alternate site, depending on the nature of your business.

4. Implement a Disaster Recovery Plan (DRP). For example, identify how you will protect your employees as well as your computing resources in the case of a dangerous event such as a fire. A DRP should also include a plan for securely recovering your systems.

5. Test your physical security by implementing planned physical breaches.

Usually security personnel are notified that you will be testing. This is critical in high security sites such as military installations, nuclear plants, and other environments where firearms are used. Consult the legal team within the organization before testing physical security breaches.

6. Take the appropriate actions when a physical security policy procedure is broken.

Alternate Sites

Depending on the nature of your business, you might need to implement alternate sites to ensure that an attack doesn’t cause any disruption in your operations. Alternate sites are in different geographic regions and are used to continue your business in the event of a failure at your primary physical location. Alternate sites are generally one of three types, as described in Table 7-3. Which site you implement depends on the needs of your organization.


Table 7-3: Types of Alternate Sites

Type of Alternate Site: Hot
Description: This type of alternate site is in constant contact with your primary site. It has the resources and infrastructure—including computers, software, network and Internet connections, electricity, and security—necessary to immediately continue operations after a failure at your primary site, almost eliminating any downtime.

Type of Alternate Site: Warm
Description: A warm site is in periodic contact with the primary site, and has most of the resources necessary to continue operations. However, it will take longer to switch operations to this site.

Type of Alternate Site: Cold
Description: This site will take longest to switch to in the event of a failure at the primary site. This type of site may be little more than a secure physical location without the computer, software, and networking resources necessary to avoid what could be days of downtime.

Secure Recovery

When creating a DRP, it’s important to include provisions for securely recovering data, systems, and other sensitive resources. The DRP should include the steps necessary to secure not only physical resources, such as computers, the network infrastructure, and any physical backup media, but also steps to secure the recovery process itself. This might mean designating a trusted administrator to administer the DRP and any steps taken to restore systems or processes necessary to recover from disaster and continue operations either at the primary site or an alternate site.

ACTIVITY 7-4

Implementing a Physical Security Policy for an Organization

Data Files:

• UKSecurityPolicy.rtf

Scenario: As the security administrator for your organization located in London, you have been assigned the task of implementing a security policy. You are basing your policy, UKSecurityPolicy.rtf, on the sample template available from www.ruskwig.com/security_policies.htm. Currently, the top priority at your organization is physical security, as someone recently broke into company headquarters and stole hardware and data. You need to protect over £100,000 worth of new equipment that is now centrally stored in your computing center. At the minimum, you will be implementing the following security measures in the computing center:

1. Locks will be placed on computer room doors.

2. Blinds will be installed on windows.

3. No computers will be placed by windows.


4. Locks will be placed on windows.

5. Motion-detection and perimeter intruder alarms will be installed.

6. All contractors will be escorted in and out of the facility.

Your task is to determine which other security recommendations in the UKSecurityPolicy.rtf document your organization should adopt, and to enforce the policy once it is finalized. Use the security policy to determine appropriate answers to the following questions:

What You Do How You Do It

1. Which security level does your organization fall under? Why?

2. Besides using blinds and locks on the windows, what else could you recommend using to secure the windows from unauthorized access?

3. Once the motion-detection alarms are installed, what procedure will you need to follow to verify they are working properly?

4. Given the security requirements of this company and the category of risk the computing center falls into, what other physical security recommendations could you make, based on this document?


TOPIC D

Educate Users

In the first three topics, you acquired the skills you need to keep your security infrastructure healthy. But security is the responsibility of all the individuals in the organization, not just the professional security team. In this topic, you’ll learn how to give users the information they need to follow appropriate security practices in their day-to-day work.

An attacker calls Mary, poses as a network administrator, and hangs up after a brief conversation, knowing Mary’s user ID and password. John leaves his laptop on his desk, unlocked, over the weekend, and it is stolen by a member of the cleaning crew. Tina always logs into her computer as Administrator with a blank password because it’s easier. It’s clear that none of these users are following good security practices, and, if nobody told them how to do things any better, it’s not necessarily their fault. How can you prevent this scenario? It is your responsibility to educate or coach your users about their individual security responsibilities. An educated user will make far fewer calls to support technicians for help with simple how-to questions and will prevent security breaches.

The Employee Education Process

Most employees know that the security policy is put in place for a reason, but they may not fully understand exactly why strict compliance is so important. It is up to security professionals to educate employees and encourage their compliance. When employees are partners with the security team, they are much more likely to respond positively to the security needs of an organization. A security professional can create this attitude of teamwork by performing the steps shown in Table 7-4.

Table 7-4: The Employee Security Education Process

Step: Awareness
Explanation: Education begins with awareness. An employee can’t be responsible for what they don’t know. The partnership between an employee and a security professional begins when the security professional creates an awareness of the potential threats to corporate security. Employees also need to be aware of the role they play to protect those assets and resources. A security professional can create awareness through seminars, email, or information on a company intranet.

Step: Communication
Explanation: Once employees are aware of security issues and the role they play in protecting the organization’s assets, the lines of communication are open. It is important that the lines of communication stay open. Security professionals can accomplish this by encouraging employees to ask questions and provide feedback on security issues.


Step: Education
Explanation: Finally, employees should be educated from the moment they walk through the door for the first time. Security starts the second they become an employee and have access to the physical building and resources, as well as the intellectual property inside. Newly hired employees should be trained as soon as possible in correct security procedures. Education should continue as the technology changes and new information becomes available. Education takes many forms, from training sessions to online courses employees can take at work. Educated users are one of your best defenses against social engineering attacks.

End User Responsibility for Security

Employee responsibility is one of the most easily overlooked aspects of an organization’s security policy. However, employees can be your biggest ally in protecting the organization’s assets. Unfortunately, many employees view their responsibilities for corporate security policy as unimportant compared to their day-to-day workload. The fact is, security is every employee’s responsibility, and it is more commonly breached at the employee level than anywhere else in an organization. As easy as it would be for security professionals to overlook this aspect of the security structure, it would be dangerous. Attackers need to gain access and rights to mount an attack. The easiest way for them to accomplish this is through employees. Examples of employees’ security responsibilities are shown in Table 7-5.

Table 7-5: Employee Security Responsibilities

Security Requirement: Access to resources
Examples of Employee Responsibilities:
• Physical—Employees should not allow anyone in the building without an ID badge. Employees should not allow other individuals to “piggyback” on a single ID badge.
• Systems—Proper use of user IDs and passwords. This information should never be shared or written down where it is accessible to others.
• Devices—Properly storing laptops, cell phones, and PDAs when not in use.

Security Requirement: Confidentiality of information
Examples of Employee Responsibilities:
• Physical—Access within the building should be restricted to only those areas an employee needs to access for job purposes. Hard copies of files should be locked away at all times.
• Systems—All confidential files should be saved to an appropriate location on the network and not on a hard drive or floppy disk.
• Devices—Employees must use correct procedures to log off all systems and shut down computers when not in use. Wireless communication devices must be approved by the IT department and installed properly. Laptops and PDAs must be kept in a locked cabinet or drawer when not in use.


Educate Users

When you educate your users, you give them the ability to participate in the process of ensuring the security of the organization. Because many attacks involve the unwitting participation of unsuspecting users, educating users to raise their level of awareness of proper security procedures can greatly increase the overall security of your organization.

Guidelines

To educate your users on security practices:

• Train new users on how to use their computers, applications, and organizational security policies. Focus on potential security problems throughout the training.

• Post all policies so that they are easily available to all users.

• Notify users when changes are made to policies. Educate them on the new changes.

• Periodically test user skills after training to verify they are implementing proper security. For example, you can use planned social engineering attacks.

• Post information such as a link to http://hoaxbusters.ciac.org/ on the company Web site to assist users in determining whether or not emails are hoaxes.

Example: In new-hire orientation, all new employees at your organization are briefed on the security standards of your company and connect to the company’s internal Web site, which contains links to all the company’s security policy documents. After training, you email the address of the Web site to all new employees. One new Accounting department employee has difficulty creating an acceptable password for the accounts payable database system; she visits the Web site, opens the password policy document stored there, and successfully creates a strong password in accordance with corporate guidelines.
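A password policy document only helps if the rules in it are the rules the system enforces. The following is an added example, not code from this manual or from the database product in the scenario: a checker that applies an assumed corporate password guideline (minimum length, three of four character classes, no user name inside the password, no common password or leetspeak variant of one, no character tripled) and reports every rule a candidate breaks, so the same feedback can be shown to the employee who is struggling to pick one. The deny-list and the test passwords are constructed.

```python
import re
from typing import List

# Constructed short deny-list; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "123456", "admin", "accounts"}

# Substitutions users make to sneak a dictionary word past a naive checker ("P@ssw0rd").
_LEET = str.maketrans("@$01345!|", "asoieasil")


def _normalize(password: str) -> str:
    """Lower-case, drop trailing digits, undo leetspeak: 'P@ssw0rd2003' compares as 'password'."""
    return password.lower().rstrip("0123456789").translate(_LEET)


def check_password(password: str, username: str = "", min_length: int = 8) -> List[str]:
    """Return every assumed-policy rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if _normalize(password) in COMMON_PASSWORDS:
        problems.append("is a common password or a trivial variant of one")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats the same character three or more times in a row")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "jsmith2003", "Tr4vel-Budget.2003"):
        print(candidate, "->", check_password(candidate, username="jsmith") or "OK")
```

Reporting every violation at once, rather than stopping at the first, is a deliberate choice: a user who is told only "too short" will add a digit and be rejected again for a different reason, which is exactly the frustration that drives people to write passwords on Post-It notes.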

ACTIVITY 7-5

Educating Users

Scenario: As the security administrator for a nuclear power plant, one of your responsibilities is coordinating the employee security education program. The plant has recently experienced several security incidents involving improper user behavior. IT staff and plant management have come to you for recommendations on how to implement proper employee training procedures to prevent similar problems in the future.


What You Do How You Do It

1. A virus has spread throughout your organization, causing expensive system downtime and corruption of data. Once you have dealt with the immediate crisis, you review network logs to try to determine the source of the virus. It soon becomes apparent that it was sent to many users as an email attachment. The original email presented itself as a marketing survey and stated that if the user double-clicked the attachment, a tracking message would be sent to Microsoft. The user would receive $10 from PayPal as a thank you. The email also suggested forwarding the attachment to friends and family. You quickly determine that this is a well-known email hoax that had already been posted on several hoax-related Web sites.

Most of the users in your organization received the email from the same individual inside the company. When questioned, this employee said that he thought it sounded as if it could be legitimate, and he couldn’t see any harm in “just trying it.”

How could better user education have helped this situation?

2. What education steps do you recommend taking in response to this incident?

3. You come in on a Monday morning to find that laptops had been stolen from several employees’ desks over the weekend. After reviewing videotapes from the security cameras, you find that as an employee exited the building through the secure rear door on Friday night, she held the door open to admit another individual. You suspect this individual was the thief. When you question the employee, she states that the individual told her that he was a new employee who had not yet received his employee badge, that he only needed to be in the building for a few minutes, and that it would save him some time if she could let him in the back door rather than having to walk around to the receptionist entrance. Your security policy states that no one without identification should be admitted through the security doors at any time, but the employee says she was unaware of this policy. You ask her to locate the security policy documents on the network, and she is unable to do so.

How could better user education have helped this situation?


4. What education steps do you recommend taking in response to this incident?

5. One of your competitors has somehow obtained confidential data about your organization. There have been no obvious security breaches or physical break-ins, and you are puzzled as to the source of the leak. You begin to ask questions about any suspicious or unusual employee activity, and you begin to hear stories about a sales representative from out of town who didn’t have a desk in the office and was sitting down in open cubes and plugging her laptop in to the corporate network. You suspect that the sales representative was really an industrial spy for your competitor. When you ask other employees why they didn’t ask the sales representative for identification or report the incident to security, the other employees said that, given their understanding of company policies, they didn’t see anything unusual or problematic in the situation. You review your security policy documents and, in fact, none of them refer to a situation like this one.

How could better user education have helped this situation?

6. What education steps do you recommend taking in response to this incident?

Lesson 7 Follow-up

In this lesson, you performed routine tasks that ensure your organization stays in compliance with the organization’s security policy. Although this is not nearly as exciting as chasing attackers or managing a PKI, it is even more essential to the health of your security structure. All the effort you put into identifying potential security threats and securing the individual systems will not protect your company’s sensitive data if the security policy is not adhered to. When there is a security breach, it is the administrators who ensure policy compliance who are held responsible. The policy is developed to protect company assets, and it is up to the security professionals to be sure the policy is followed.

1. What are some corporate policies that you are familiar with?

2. Have you ever witnessed a policy being broken? What was the result?


Monitoring the Security Infrastructure

Lesson Objectives:

In this lesson, you will monitor the security infrastructure.

You will:

• Run vulnerability scans.

• Monitor for intruders.

• Set up a honeypot.

• Respond to security incidents.

Lesson Time: 6 hour(s), 30 minutes

LESSON 8

Lesson 8: Monitoring the Security Infrastructure 269


Introduction

This lesson deals with the task that takes up the bulk of the security process: watching and waiting for something bad that you hope never happens. It’s not an exciting job; it’s not a job that’s ever finished; it’s not a job that people are going to pat you on the back for every day at work. However, it might be the most important job you can do as a security professional, because the sooner you can detect traces of unauthorized activity on your network, the sooner you can stamp them out, and the better the chance you have of preventing any network damage or data loss.

TOPIC A

Scan for Vulnerabilities

Monitoring your security infrastructure is an ongoing job responsibility for a security professional. You will need to perform a variety of tasks on a regular basis to ensure that your security is not breached. One of these regular tasks is to periodically review your system vulnerabilities, so that you can detect them before attackers do. In this topic, you will scan for vulnerabilities on your system.

Many times, one of the first steps an attacker takes to break into a system is to scan the system for vulnerabilities. It is critical to discover where the possible points of entry are on your network and systems. Even if you have taken every precaution to harden your network components and services, there will still be vulnerabilities that you may not be aware of, but that you can be sure attackers will find. The best way to find these vulnerabilities is to perform a scan yourself and patch the holes before the attackers find them.

The Hacking Process

The hacking process typically pertains to individuals trying to get in to your network from the outside. You should be aware that individuals with potentially harmful intentions can be inside the network as well.

While it’s probably true that no two network attacks are the same or are carried out in the same manner, generally speaking there is a process that most experienced attackers employ when they carry out an attack. The more you know about this process the better you’ll be able to recognize it in its early stages and put an end to it before it takes down your servers or compromises your data.

Figure 8-1: The hacking process.


Keep in mind that in some attacks the attacker doesn’t necessarily need to complete all four steps.

The process an attacker uses generally contains these four steps:

1. Footprinting. In this step, sometimes called profiling, the attacker chooses a target and begins to gather information. You might be surprised at the amount of information that’s readily, publicly available about most organizations. Just by using tools, such as a Web browser and an Internet connection, an attacker can determine the IP addresses of a company’s DNS server; the range of addresses assigned to the company; names, email addresses, and phone numbers of contacts within the company; and the company’s physical address. A visit to the company’s dumpster might reveal some other sensitive information that the attacker can use to figure out how to proceed with the attack. Also, with the names and titles of people within the organization, the attacker can begin the process of social engineering to gain even more private information. Hidden within the HTML code of a company’s Web page might be other useful information, such as IP addresses and names of Web servers, operating system versions, file paths, and names of developers or administrators. DNS servers are also a favorite target during this step because, if not properly secured, they can provide a detailed map of an organization’s entire network infrastructure.

2. Scanning. The second step is scanning an organization’s infrastructure to see where vulnerabilities might lie. In this step, the attacker will scan the target’s border routers, firewalls, Web servers, and other systems that are directly connected to the Internet to see which services are listening on which ports and to determine the operating systems and manufacturers of each system. Additionally, the attacker might begin a wardialing campaign to determine if there are any vulnerabilities in the organization’s PBX. The attacker might even drive up to the company with a laptop and a wireless card to see if there are any wireless access points to provide a way into the network (wardriving).

3. Enumerating. After determining network vulnerabilities and software exploits, the attacker will try to gain access to resources or other information. The attacker can obtain these through social engineering, network sniffing, dumpster diving, watching a user log in, hacking tools like Legion, or searching for Post-It notes stuck to monitors or keyboards as friendly reminders of which credentials to use on which system. If the attacker can obtain at least a valid user name, he can begin the process of cracking the user’s password through either a brute force attack or by cracking the hashed password that’s stored in a user accounts database file.

4. Attacking. Finally, once the attacker has a clear picture of an organization’s network infra-structure, a list of possible vulnerabilities and exploits, and valid user names andpasswords, all that’s left is the actual attack.

You might never even know an attacker has accessed your network, especially if it’s an experienced attacker. The longer an attacker has access to your network, the more damage he can do. So it’s important to understand the preliminary stages of an attack and stop the attacker before he reaches the final step.

Vulnerability Scanning Tools

Once an attacker has made a footprint of your organization, the next step in hacking a system is to scan your network for vulnerabilities. An attacker is looking for IP addresses that can be accessed via the Internet as well as the operating system, system architecture, and services running on the device associated with an IP address. The best way to prevent this is to run vulnerability scans on a regular basis. This can be done periodically by the security administrators, but the most effective way is to perform an ethical hack. An ethical hack occurs when someone hacks into a system (planned) and reports the results back to the organization. This method emulates what a real attacker might do and can be very effective at finding security holes.

LESSON 8

Lesson 8: Monitoring the Security Infrastructure 271

Page 311: Comp Ti a Security

Whether the scan is performed by security personnel or an attacker, the tools are the same. There are two basic types of vulnerability scanners—general vulnerability scanners and application-specific vulnerability scanners. General vulnerability scanners examine multiple platforms and network configurations for generic vulnerabilities. Application-specific scanners look for vulnerabilities specifically in Internet-exposed applications such as Web servers and mail servers.

Although you can use application-specific vulnerability scanners if you suspect a problem in a particular area, it is more common to start with a general vulnerability scanner. Some of the most commonly used tools for general vulnerability scanning are:

• Nessus at www.nessus.org/

• Nmap at www.insecure.org/nmap/

• ISS REALSecure at www.iss.net/

• SAINT at www.saintcorporation.com

• WebTrends Security Analyzer at www.netiq.com/webtrends/default.asp

• GFI LANGuard at www.gfi.com/lannetscan/index.htm

• CyberCop at www.mcafeeasap.com/content/cybercop_asap

Each of these tools works on multiple platforms.

Types of Security Scans

There are several types of scans that you can run on your systems to look for security vulnerabilities, and the type of scan you want to perform will dictate the tool you use to complete the scan. Table 8-1 lists types of security scans and the tools you would use to complete them.

Table 8-1: Types of Security Scans

Scan Type                          Tools Used
General vulnerabilities            MBSA, Nessus, Security Analyst, SAINT, ISS Internet Scanner, NMap, REALSecure, Security Analyzer, LANGuard, and Cybercop
Man-in-the-middle vulnerabilities  Smbrelay
Port vulnerabilities               Superscan, ShieldsUP!, NMap, and Netcat
Password vulnerabilities           @stake LC4, L0phtCrack, John the Ripper, Pandora
TCP/IP vulnerabilities             Security Administrator Tool for Analyzing Networks (Satan)
Web-based vulnerabilities          Whisker

Vulnerable TCP and UDP Ports

Attackers are very familiar with ports that are used by virtually every organization out of necessity. For instance, port 80 must be open to allow Internet connections. You can protect it, but you can’t close it completely. For that reason, it is important that port 80 is scanned regularly for abnormal activity. Table 8-2 shows some of the ports that are commonly open and in use by an organization and therefore vulnerable to attack.


For a complete list of TCP/UDP ports, see www.iana.org/assignments/port-numbers.

Table 8-2: Vulnerable TCP/UDP Ports

Port   Service          Description
7      echo             Echo service
19     chargen          Character generator service
20     ftp-data         FTP data
21     ftp              FTP control
23     telnet           Telnet service
25     SMTP             Simple Mail Transfer Protocol for email services
42     nameserver       Host name server used for WINS replication
53     DNS              DNS server
80     http             Hypertext Transfer Protocol (HTTP)
88     Kerberos         Kerberos protocol
110    POP3             Post Office Protocol 3 for email services
119    NNTP             Newsgroups
135    loc-srv/epmap    RPC port mapper for initiating communications
137    NETBIOS-NS       NetBIOS name service
138    NETBIOS-DGM      NetBIOS broadcasting
139    NETBIOS-SSN      NetBIOS Session service
143    IMAP             Internet Message Access Protocol for email services
389    ldap             Lightweight Directory Access Protocol for directory services
443    https            HTTP over SSL
445    MS-DS            Microsoft-DS port
464    kpassword        For Kerberos authentication
500    isakmp           ISAKMP/Oakley key exchange protocol
563    nntps            NNTP over SSL
636    ldaps            LDAP over SSL
995    POP3s            POP3 over SSL
1701   L2TP             Layer 2 Tunneling Protocol
1723   PPTP             Point-to-Point Tunneling Protocol

If you scan a Windows system for open ports, you may see a variety of port assignments over 1024. This does not mean the service associated with that port is running on the Windows system. Port numbers above 1024 are registered ports, not well-known ports, and they are not managed by the Internet Assigned Numbers Authority (IANA), although IANA maintains the registry list. Windows assigns these ports dynamically as session ports to create network connections.
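As an added example (not part of the course material), the following Python script reads a constructed, SuperScan-style saved port list and sorts each open port into expected, unexpected, or above-1024 (verify manually, since Windows may have assigned it as a dynamic session port) against a role-based allow-list. The saved-list format, the sample scan and the allow-list ROLE_ALLOWED are assumptions; the service names come from Table 8-2.

```python
"""Audit a saved port-scan list against the listeners a host is supposed to have."""

# Well-known ports from Table 8-2 (port -> service name).
WELL_KNOWN = {
    7: "echo", 19: "chargen", 20: "ftp-data", 21: "ftp", 23: "telnet",
    25: "SMTP", 42: "nameserver", 53: "DNS", 80: "http", 88: "Kerberos",
    110: "POP3", 119: "NNTP", 135: "loc-srv/epmap", 137: "NETBIOS-NS",
    138: "NETBIOS-DGM", 139: "NETBIOS-SSN", 143: "IMAP", 389: "ldap",
    443: "https", 445: "MS-DS", 464: "kpassword", 500: "isakmp",
    563: "nntps", 636: "ldaps", 995: "POP3s", 1701: "L2TP", 1723: "PPTP",
}

# Constructed sample of a saved scan list (assumed format, not real SuperScan
# output): a "*" line names the host, indented lines list the open ports found.
SAMPLE_SCAN = """\
* 127.0.0.1 localhost
  23 telnet
  25 SMTP
  53 DNS
  80 http
  88 Kerberos
  119 NNTP
  389 ldap
  443 https
  1025
  3389
"""

# Constructed allow-list for the server role in Activity 8-1 (directory, DNS,
# mail, secure Web site and news server). Adjust it per host role.
ROLE_ALLOWED = {25, 53, 80, 88, 119, 389, 443, 636}


def parse_scan(text):
    """Return {host: sorted open ports} from the assumed saved-list format."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("*"):
            current = line.split()[1]
            hosts[current] = set()
        elif current is not None:
            hosts[current].add(int(line.split()[0]))
    return {host: sorted(ports) for host, ports in hosts.items()}


def audit_ports(open_ports, allowed):
    """Classify each open port against the allow-list.

    expected        - on the allow-list for this host's role
    unexpected      - a well-known (<= 1024) listener the role does not need;
                      revisit the hardening procedures
    check_manually  - above 1024: may be a registered service or just a
                      session port that Windows assigned dynamically
    """
    result = {"expected": [], "unexpected": [], "check_manually": []}
    for port in sorted(open_ports):
        if port in allowed:
            result["expected"].append(port)
        elif port > 1024:
            result["check_manually"].append(port)
        else:
            result["unexpected"].append(port)
    return result


def audit_scan(text, allowed=ROLE_ALLOWED):
    """Audit every host in a saved scan list."""
    return {host: audit_ports(ports, allowed)
            for host, ports in parse_scan(text).items()}


def report(text, allowed=ROLE_ALLOWED):
    """Human-readable summary; service names come from Table 8-2."""
    lines = []
    for host, verdict in audit_scan(text, allowed).items():
        lines.append(f"Host {host}")
        for category, ports in verdict.items():
            for port in ports:
                name = WELL_KNOWN.get(port, "not in Table 8-2")
                lines.append(f"  {category:15} {port:5} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SCAN))
```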


Scan for Vulnerabilities
Procedure Reference: Scan for Vulnerabilities

Regardless of the type of vulnerability scan you are going to perform, the general procedure is the same:

1. Install scanning software that is appropriate for the type of scan you want to perform. For example, install SuperScan for a port scan, Security Analyst for a general vulnerability scan, or LC4 for a password scan.

2. Scan your system with the parameters that are appropriate for your environment.

3. If possible, scan your system from an external network as well. You can use a Web-based scanning tool such as ShieldsUP! at www.grc.com.

There are a variety of specialized Web-based scanning services, such as www.netscan.org, which scans for broadcast amplification vulnerabilities. Be sure to harden your network and check with your router administrators before using NetScan, however; if your network is not configured properly, NetScan might list you as a Broadcast Amplification Site that attackers might then attempt to exploit.

4. Manually review your system audit logs as well as any logs created by the scanning program.

5. If possible, install a tool to automate the process of reviewing and analyzing audit logs.

6. If vulnerabilities are found, revisit your hardening procedures to harden your operating systems and devices.

7. Consider registering with Security Event Aggregators such as www.dshield.org/ or www.mynetwatchman.com/. They will also analyze your firewall logs and act as a fully automated abuse escalation/management system.


ACTIVITY 8-1
Scanning for Port Vulnerabilities

Setup:
The services running on this Windows 2000 Server computer include Active Directory, DNS, DHCP, Certificate Services, Microsoft Exchange, a secure Web site, and a news server. SuperScan is available on the network at \\Server100\SPlus\Tools\Superscan\Superscan.exe.

Do not use this tool, or any other hacking tools in class, on a computer other than those specified in the activities unless the instructor grants permission. There may be serious ramifications if you use these tools outside of the classroom subnet. For example, they may violate certain ISP agreements.

Scenario:
You are the security administrator for a large brokerage firm and need to make sure your new Windows 2000 servers are secure by scanning your servers for open ports. The brokerage firm’s IT department has had problems in the past with attackers getting access to applications on servers by getting through the firewall and accessing open ports on the servers. You have already hardened your servers and now want to check your work. Before connecting the new Windows 2000 servers to your network, you need to make sure not only that the base operating system is hardened, but also that no unnecessary ports are open on the servers to minimize the likelihood of attacks. There are two Windows 2000 servers that you are responsible for scanning: your own computer, and another Windows 2000 server named Server100.

What You Do How You Do It

1. Install SuperScan. a. Run the \\Server100\SPlus\Tools\Superscan\Superscan.exe file. (If you are prompted for credentials, connect as the domain100\administrator user, with a password of !Pass1234.) The SuperScan files are automatically extracted and the Setup Wizard runs.

b. Click Next.

c. Click Finish to accept the default installation folder.

d. Click Yes to create the installation folder. SuperScan is installed and runs.


2. Scan all ports on your Windows 2000 Server computer.

a. In the Hostname Lookup area, click Lookup. The localhost IP address of 127.0.0.1 should resolve to your own host name.

b. In the Configuration area, click Port List Setup. The default port scanning list is loaded from a file called Scanner.lst.

c. Scroll the Select Ports list to determine the ports that are included in the default port scanning list.

d. Click OK.

e. In the Scan Type area, select Every Port In List.

f. Click Start to start the scan.

g. When the scan is complete, click Expand All to expand the tree list of the scan results. The list shows each open port on the server.

h. Click Save.

i. Save the scan results as Localhost.txt in the SuperScan folder.

j. Click OK to close the List Saved Successfully message box.

3. What ports were open on your Windows 2000 Server? Should these ports be open?


4. Scan all ports on the \\Server100 computer.

a. In the Hostname Lookup text box, enter Server100.

b. Click Lookup to resolve the name and IP address.

c. Click Start to perform the scan.

d. Expand and review the scan results.

e. Save the scan results as Server100.txt.

f. Click OK to close the List Saved Successfully message box.

g. Close SuperScan.

5. What ports were open on the Server100 computer? Should these ports be open?

6. If you have Internet access, connect to www.grc.com and run ShieldsUP!

Depending on the type of Internet access you have, the results for this step will vary. For example, if you are connecting from a classroom that is located behind a firewall, the scan will return results for the firewall itself. In this way, you can see if your firewall is properly hardened. If you are scanning the firewall, only one person should scan at any given time.

a. Open Internet Explorer.

b. In the Address text box, enter www.grc.com.

c. After the page loads, scroll down to the Hot Spots section and click the ShieldsUP! link.

d. Click OK to make the secure connection.

e. Scroll down and click the Test My Shields! button.

f. Click Yes to leave the secure site and perform the scan.

g. After you review the results of the scan, click the Probe My Ports! button.

h. After you review the results of the port probe, close Internet Explorer.


7. Did the scan or probe reveal any vulnerabilities?

ACTIVITY 8-2
Scanning for System Vulnerabilities

Setup:
The Intrusion SecurityAnalyst tool is available on the network at \\Server100\SPlus\SecurityAnalyst\Setup.exe.

Scenario:
You are the security administrator for a small government agency. You have already hardened all of your servers and other computer systems, but a new regulation requires that you also perform periodic vulnerability scans to audit system security against a high-security standard profile. Periodic scans will enable you to see what vulnerabilities lie in your network, and also keep track of any changes that have been made to your systems. This will allow you to monitor internal users as well as detect outside attackers. You have selected SecurityAnalyst as your vulnerability scanning tool.

What You Do How You Do It

1. Install Intrusion SecurityAnalyst. a. Run the \\Server100\SPlus\SecurityAnalyst\Setup.exe file.

b. Click Next.

c. Click Yes to accept the license agreement.

d. Click Next on all pages of the wizard to install the program with the default settings.

e. When the installation is complete, click Finish to restart the computer.

f. Reboot to Windows 2000 Server and log back on as Administrator.


2. Determine the configuration of the current Security Standard used by SecurityAnalyst.

a. Double-click the SecurityAnalyst desktop shortcut to open Intrusion SecurityAnalyst.

b. Click No to skip the network computer list refresh.

You have more options if you refresh the network from within SecurityAnalyst.

c. In the Analyst Bar on the left side of the screen, click Set Security Standard to open the Current Security Standard pane. The current security standard is Default Best Practices. You will be analyzing your system against this relatively high-security baseline.

d. In the central Current Security Standard pane, select the Windows 2000 tab. The first section of the standard involves account restriction baseline settings.

e. In the left-hand Set Security Standard pane, click the II. Password Strength section.

f. Select and review the remaining sections of the Security Standard.

g. In the Current Security Standard pane, click Close.

3. Audit your system against the default Security Standard.

a. In the Analyst Bar, click Run Security Audit to open the Run Security Audit-New SnapShot pane.

b. Click Refresh Network.

c. With the Domain radio button selected, enter your domain name and click Start.


d. When the network refresh is complete, in the Microsoft Network list, expand your domain and check your computer name.

e. Check all the available run options.

f. Check Save Results To Archive.

g. Click Start. When the audit is complete, you will see a report card with a score for six different security areas. With the current system configuration and the default Security Standard, you will receive a score of Fail in each area.

Remember that security is relative. While your system might fail against a very tight security standard, bringing it up to that standard might make it unusable for your purposes. Your task at all times is to balance security requirements against the functionality requirements for a given system.

4. View the risks on your system. a. On the Report Card screen, click List Risks.

b. After you have viewed the risks, click Close to return to the Report Card.

5. What is the source of most of the failure ratings on this system?


6. View the analysis information. a. From the menu bar (not the left-hand Analyst Bar), choose Analysis→System-wide Analysis.

The system-wide analysis reports results for Password Policy, Services, Disk Quotas, and assorted other settings.

b. Choose Analysis→Expert Mode Analysis. The expert mode analysis reports results for Account Restrictions, Password Strength, Access Control, System Monitoring, Data Integrity, and Data Confidentiality.

c. Choose Analysis→Risk Analysis. This gives you a graphical summary of the risk areas on this computer. You can click the button under each bar of the graph to view more details.

d. Close SecurityAnalyst.

7. Given this analysis information, what steps could you take to harden your system further?

8. Is it always desirable to harden a system as much as possible?

SMBRelay

SMBRelay is a command-line program that you can use to determine if Windows computers are vulnerable to a man-in-the-middle attack against the Server Message Block (SMB) protocol. If this protocol is compromised, an attacker can then read the data stream to gain access to Windows passwords and crack them with a password-cracking tool. If you can use the smbrelay /IL <adapter> /IR <adapter> command to bind smbrelay to your system’s network adapter, your system is vulnerable to this type of attack. Because SMBRelay is not graphical, you will need to use the smbrelay /? Help command to determine the functionality and command syntax for its remaining switches and parameters.

SMBRelay is a small but powerful tool. Like many administrative and scanning tools, SMBRelay can be used for both legitimate and improper purposes, so you should be sure to control its distribution on your network. See http://is-it-true.org/pt/ptips1.shtml and www.bugnet.com/alerts/ba0105011.html for more information on SMBRelay.

ACTIVITY 8-3
Scanning for Man-in-the-Middle Vulnerabilities

Setup:
SMB Signing has been implemented on your computers as part of the hardening process.

Scenario:
One of the next tasks as the security administrator for the brokerage firm is to make sure your new Windows 2000 systems are secure by scanning your systems for various vulnerabilities. The brokerage firm’s IT department wants to make sure they have done everything reasonable to prevent intrusions and that none of your security measures have been altered or compromised. The firm is particularly concerned with verifying that the servers are not susceptible to man-in-the-middle attacks.

What You Do How You Do It

1. Copy SMBRelay from the network to a new C:\SMBRelay folder on your local computer.

a. Create a folder named SMBRelay on your C drive.

b. Connect to \\Server100\SPlus\SMBRelay.

c. Copy the \SMBRelay.exe file into the local C:\SMBRelay folder.

d. Close all open windows.

2. Enumerate your network interfaces and their indexes.

a. Open a command prompt window.

b. Change to the smbrelay directory (use cd \smbrelay).

c. Enter smbrelay /? to view the Help information on the various SMBRelay switches.


d. Enter smbrelay /E. Your local Ethernet adapter will appear as Interface #, where # is a variable number.

3. Attempt to bind SMBRelay to the Ethernet card adapter for local and relay IP addresses.

a. Enter smbrelay /IL # /IR #. Substitute your adapter number for the # symbol.

b. Close the command prompt window.

4. Were you successful? Why or why not?

5. Why would an attacker attempt this operation?

ACTIVITY 8-4
Verifying Password Strength

Do not use this tool, or any other hacking tools, on computers other than specified in the activities unless the instructor grants permission. There may be serious ramifications if you use these tools outside of the classroom subnet.

Setup:
On your Windows XP Professional computer, there is a non-administrative user account named ChrisC with a password of Certification1. The Windows XP Professional system has been hardened. The @stake LC4 evaluation software is available on the network at \\Client100\SPlus\LC4\LC4Setup.exe.


Scenario:
As the security administrator for a nuclear plant you need to make sure your new Windows XP Professional systems are secure by scanning your system on a regular basis for vulnerabilities. You want to make sure that you have not left any security holes that attackers can exploit. You have already hardened your systems and now you want to check the strength of the passwords for the administrative and user-level accounts on your system. The Windows XP Professional systems have been set up in a workgroup on your network; you have chosen the LC4 software to audit the passwords to make sure that the passwords cannot be attacked. You will audit the passwords with LC4.

What You Do How You Do It

1. Reboot into Windows XP Professional and log on as Admin100.

a. Restart your computer and choose Windows XP Professional from the boot loader menu.

b. Log on as Admin100 with a password of !Pass1234.

2. Install LC4. a. Run the \\Client100\SPlus\LC4\LC4Setup.exe file.

b. Click Next twice.

c. Click Yes to accept the license agreement.

d. Click Next three times to accept all the default installation settings.

e. When the installation is complete, click Finish.


3. Attempt to retrieve passwords from your local computer using a quick password audit.

a. From the Start menu, choose All Programs→LC4→LC4.

b. Click Trial.

There is a significant fee for a registered version of LC4.

c. In the LC4 Wizard, click Next.

d. Verify that Retrieve From The Local Machine is selected and click Next.

e. Verify that Quick Password Audit is selected and click Next.

f. Click Next to accept the default reporting style options.

g. Click Finish.

h. Click OK in the Auditing Session Completed message box.

i. Maximize the LC4 window.

4. Were all the passwords received? Why or why not?


5. Attempt to retrieve passwords from your local computer using a strong password audit.

a. On the LC4 toolbar, click the New Session button.

b. Click No. You do not need to save the session.

c. Click the LC4 Wizard button.

d. Click Next.

e. Verify that Retrieve From The Local Machine is selected and click Next.

f. Select Strong Password Audit and click Next.

g. Click Next to accept the default reporting style options.

h. Click Finish. This audit session will take longer than the quick audit session. You can watch the progress in the Dictionary Status area.

i. In the Please Register message box, click Cancel. The trial version of LC4 does not include the brute force attack.

j. Click OK in the Auditing Session Completed message box.

6. Were all the passwords retrieved? Why or why not?

7. What should you do to prevent any of the passwords on this system from being stolen by an attacker?


8. Attempt to retrieve passwords from a remote computer using a strong password audit.

a. On the LC4 toolbar, click the New Session button.

b. Click No. You do not need to save the session.

c. Click the LC4 Wizard button.

d. Click Next.

e. Select Retrieve From A Remote Machine and click Next.

f. Verify that Strong Password Audit is selected and click Next.

g. Click Next to accept the default reporting style options.

h. Click Finish.

i. In the Machine text box, enter Client#, where # is the number of another computer on the network.

j. Click OK.

k. Click OK twice to close the LC4 error message boxes.

l. Close LC4.

9. Were all the passwords received? Why or why not?


TOPIC B
Monitor for Intruders

One of the components of monitoring your security infrastructure is performing periodic vulnerability scans, which you did in Topic 8A. Another regular task is to watch your systems for any signs of an attack by an intruder. In this topic, you’ll use various tools to monitor the activity within your network for signs of intrusions.

You’ve spent a lot of time securing individual network components and making sure the security policies are being followed. Everything seems to be in place. But, what if an attempt to break into your network is brewing on the horizon? Will you know how to recognize the signs and prevent disaster? If an attacker does manage to breach your security, how can you track the activity for law enforcement? If you use the appropriate security-monitoring tools and procedures, you will be prepared to do battle with anyone trying to use your network inappropriately.

Intrusion Detection Systems
Definition:

An Intrusion Detection System (IDS) is a software and/or hardware system that scans, audits, and monitors the security infrastructure. IDS software can also analyze data and alert security administrators to potential problems within the infrastructure. Each system is totally unique depending on the type of implementation and the components chosen to build the system. IDSs are categorized primarily by their monitoring method. The two most common implementations of an IDS are network-based IDS (NIDS) and host-based IDS (HIDS):

• A network-based IDS is an IDS system that uses primarily passive hardware sensors to monitor traffic on a specific segment of the network. The system can be implemented as software, but this is not very common. One of the main drawbacks of a network-based IDS is that it cannot analyze encrypted packets because it has no method for decrypting the data. An advantage of a network-based IDS is that it uses very little network resources.

• A host-based IDS is an IDS system that uses primarily software installed on a specific host such as a Web server. Host-based IDSs can analyze encrypted data if it is decrypted before reaching the target host. However, host-based IDSs use the resources of the host they are installed on and this can slow down processing time.


Figure 8-2: Three types of IDS.

There are also application-based IDSs, although they are not commonly used due to the expense of implementation. They may be used sporadically in conjunction with a network-based or host-based configuration to add another layer of protection to a critical application such as a customer database.

Many companies use a combination of network-based, host-based, and application-based monitoring IDSs.

See www.packetnexus.com/idsfaq/Section_3.html and www.dshield.org/ for more IDS information.

Table 8-3: IDS Comparison—Network-based vs. Host-based Monitoring

What is it?
  Network-based IDS: Primarily hardware sensors
  Host-based IDS: Primarily software applications

How it works
  Network-based IDS: Monitors traffic on a specific network segment
  Host-based IDS: Monitors traffic on the host it is installed on

Monitors
  Network-based IDS: Packets for protocol anomalies and known virus signatures
  Host-based IDS: Log files, inadvisable settings or passwords, and other policy violations

Encrypted data
  Network-based IDS: Can’t analyze encrypted data
  Host-based IDS: Can analyze encrypted data if it is decrypted before it reaches the target host

Passive vs. active
  Network-based IDS: Passive
  Host-based IDS: Passive or active

Resource utilization
  Network-based IDS: Uses resources on the network
  Host-based IDS: Uses computing resources on the host it is monitoring

Capabilities
  Network-based IDS: Broad scope but very general
  Host-based IDS: Narrow scope but very specific

Alerts
  Network-based IDS: Management console or email messages
  Host-based IDS: Management console or email messages

Best use
  Network-based IDS: To secure a large area with non-critical data. Provides broad-based overall security. Most cost effective
  Host-based IDS: To secure a specific resource, such as a Web server, that has critical data. Somewhat cost prohibitive

Management issues
  Network-based IDS: Generally not a problem installing on the network
  Host-based IDS: May be service agreements or other policy restrictions that prevent the installation on a host

Legal issues
  Network-based IDS: Hard to use as evidence in court
  Host-based IDS: May be admissible as evidence in court

Passive vs. Active IDS

A passive IDS detects potential security breaches, logs the activity, and alerts security personnel. An active IDS detects a security breach according to the parameters it has been configured with, logs the activity, then takes the appropriate action to block the user from the suspicious activity. This can be accomplished by logging the user off a system or possibly reconfiguring the firewall to block the source. IDS developers are working toward more and more active systems.

IDS Analysis Methods

IDSs also use different methods to analyze the data that is collected. There are two primary methods of analysis:

• Signature-based analysis looks for network, host, or application activity that compares signatures in the datastream with known attack signatures.

• Anomaly-based analysis looks for network, host, or application changes compared to preset parameters. This is also known as profile-based analysis.

Example: An IDS Implementation: State University

State University has approximately 4,000 students and a faculty and staff of 600 employees. Each year, the university expects 1,000 to 1,500 new incoming freshmen. Most of the information the new students will need for registering for classes and navigating the campus is on the university intranet. Although the Web site is not considered mission-critical, it would create tremendous problems to have it hit with a virus or hacked into and tampered with. The university gets much of its funding from the state and has limited personnel resources to implement an IDS.

After considering all the alternatives, State University implemented a network-based IDS. This will give them general intrusion detection capabilities over the entire network. They chose a popular IDS software package that integrates auditing, analyzing, and managing the system. The security administrator installed and configured the software to manage sensors placed on each segment of the network. The security administrator would like more intrusion-detection protection on the Web server but for now, it is too cost prohibitive to implement.


Example: An IDS Implementation: National Bank

National Bank is a banking institution with thousands of encrypted transactions occurring daily. They have offices all over the world and the transaction databases are in use 24 hours a day, seven days a week. National Bank has developed several Business-to-Business (B2B) Web partnerships with brokerage houses and insurance agencies. The highest priority for National Bank is confidentiality and data integrity. Management has granted the security administration permission to do whatever is necessary to get the system implemented as quickly as possible.

The security administrators decided to hire a consulting firm to do the initial assessment and installation. The consulting firm suggested a several-tiered approach to the intrusion detection system. In addition to the firewalls already in place, National Bank now has a network-based system of sensors on each segment of the network to monitor all traffic within the system. In addition, a host-based system is in place on each Web server and email server. To supplement the PKI infrastructure security required for all transactions, each transaction database has an application-based system to monitor its own activity for anomalies.

Non-Example: Patchwork Security: XYZ Internet Company

The XYZ Internet Company has been in business for approximately six months. Two months ago they were hit with a particularly nasty email virus and as a result, the network administrator would like to implement an IDS. The network administrator has a very limited staff and budget. In fact, he is not only the network administrator, he is also responsible for network security. He researched IDSs and requested the funds and time to implement a simple network-based IDS. Management, however, does not see the need to allocate funds to more hardware, software, and resources. They have asked the network administrator to do what he can with what is already in place for now.

The network administrator hardened operating systems and applications, configured alerts on the mail server to notify him when the hard disk space is low (to prevent a spammer from filling up the hard drive), and installed virus protection software. In addition, he set up an additional filter on the firewall to further restrict suspicious packets.

Intrusion Detection System Components

IDSs can be comprised of a variety of hardware sensors, intrusion detection software, and IDS management software. For suggestions for IDS software and comparison charts of several products, see www.networkintrusion.co.uk/ids.htm and www.nss.co.uk/ids/.

IDS Legal Issues

With the growing popularity of IDSs, new legal issues arise. From a legal point of view, the host is the asset that you want to protect. In the event of a security incident that requires outside investigation and potential prosecution, a host-based or application-based IDS is a valuable tool for gathering evidence because the audit logs from these IDSs may be admissible in court. Audit logs from network-based IDSs are harder to use as evidence than those from host-based IDSs because they do not show the result of the actions—only the actual series of actions themselves, which do not necessarily prove a result.

On the other hand, service level agreements (SLAs) or other management issues may prohibit the installation of host-based or application-based IDS software on production servers. Companies that provide software or hardware service and support may invalidate an SLA if a host-based or application-based IDS is installed on the host. If that is the case, the only feasible solution is a network-based IDS.

LESSON 8

Lesson 8: Monitoring the Security Infrastructure 291

Page 331: Comp Ti a Security

Monitor for Intruders

Procedure Reference: Monitor for Intruders

To monitor for intruders:

1. Install monitoring software such as an Intrusion Detection System (IDS).

2. Configure the monitoring software according to your specific needs—for example, you can set up email alerts and configure logging.

3. Periodically, use the monitoring software to actively monitor system activity in real time.

4. Set up a schedule to monitor and review logs on your IDS and computer systems.
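The rule a sensor applies when you review logs in steps 3 and 4 (one source touching many ports in a short time is a port scan) can be written out in a few lines. The following is an added example, not part of the course and not code from ISS RealSecure or any other product named in this lesson. It assumes a connection log whose format (timestamp, source IP, destination port, result) is constructed for the illustration, and the thresholds (five distinct ports within sixty seconds) are assumptions a real deployment would tune.

```python
"""Port-probe detection over a connection log (added example, not course code).

Assumed log format, constructed for this example, one event per line:
    <ISO-8601 timestamp> <source IP> <destination port> <result>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 192.168.1.37 walks six ports in a few seconds, while
# 192.168.1.50 makes ordinary web requests and 192.168.1.88 touches two
# ports several minutes apart (not a scan at the default window).
SAMPLE_LOG = """\
2003-05-12T09:14:01 192.168.1.50 80 SYN
2003-05-12T09:14:05 192.168.1.37 21 SYN
2003-05-12T09:14:06 192.168.1.37 22 SYN
2003-05-12T09:14:06 192.168.1.37 23 SYN
2003-05-12T09:14:07 192.168.1.37 25 SYN
2003-05-12T09:14:08 192.168.1.37 80 SYN
2003-05-12T09:14:09 192.168.1.37 110 SYN
2003-05-12T09:14:30 192.168.1.50 80 SYN
2003-05-12T09:20:00 192.168.1.88 80 SYN
2003-05-12T09:25:00 192.168.1.88 443 SYN
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, src, port, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, result = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port), result))
    return events


def detect_port_scans(events, window_seconds=60, min_ports=5):
    """Return {src: sorted ports} for every source that touched at least
    min_ports distinct destination ports inside some window_seconds interval.

    The window slides over each source's probes in time order, so a slow
    scan that never reaches min_ports inside one window is not flagged.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, port, _ in events:
        by_src[src].append((ts, port))
    alerts = {}
    for src, probes in by_src.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts


def format_alerts(alerts):
    """Render alerts as one human-readable line per offending source."""
    return [
        f"port scan from {src}: {len(ports)} ports ({', '.join(map(str, ports))})"
        for src, ports in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for line in format_alerts(detect_port_scans(parse_log(SAMPLE_LOG))):
        print(line)
```

Widening the window (for example to ten minutes) and lowering the port count catches the slow probe from 192.168.1.88 as well, at the cost of more false positives; that trade-off is exactly the tuning step 2 of the procedure refers to.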

ACTIVITY 8-5
Installing Intrusion Detection Software

Setup: The Windows XP Professional system has been hardened and scanned for vulnerabilities. The Internet Security Systems (ISS) RealSecure Desktop Protector evaluation software is available on the network at \\Client100\SPlus\RealSecureDP\RSDPEvalSetup.exe.

Scenario: You are the security administrator for a large brokerage firm and need to make sure your new Windows XP Professional systems are secure by actively monitoring your system for intruders. The brokerage firm’s IT department wants to take a proactive approach to security and catch the intruders before they do harm. You have already hardened your servers and scanned for vulnerabilities. Now, you want to be able to actively monitor for intrusions in real time, as well as to log suspicious activity for later analysis. Before connecting the new Windows XP Professional systems to your network, you need to make sure that the chosen intrusion detection software, Internet Security Systems’ RealSecure Desktop Protector, is installed and configured.

Security+ A CompTIA Certification292

What You Do How You Do It

1. Install RealSecure Desktop Protector.

a. As Admin100, run the \\Client100\SPlus\RealSecureDP\RSDPEvalSetup.exe file. The RealSecure Desktop Protector files are automatically extracted and the setup wizard runs.

b. Click Next.

c. Complete the setup wizard with the following parameters:

• Accept the license agreement.

• Accept the other installation defaults.

d. When the setup is complete, uncheck I Would Like To View The README File and click Finish.

2. Use the IDS software to determine if any intruders have attempted to access your system.

RealSecure Desktop Protector also has a Notifications feature that can alert you at the time an intrusion is detected. See RealSecure Desktop Protector Help for more information.

a. In the System Tray, click the RealSecure Desktop Protector icon. The entry on the Events tab shows you that RealSecure Desktop Protector began detecting intrusion events as soon as it was installed.

b. Select the Intruders tab. This tab would report the system name or IP address of any intruder systems.

c. Select the History tab. This page displays an ongoing history of critical and suspicious intrusion events.

3. Modify the BlackICE settings to enable packet and evidence logging on the IDS.

a. Choose Tools→Edit BlackICE Settings.

b. Select the Packet Log tab.

c. Check Logging Enabled.

d. Select the Evidence Log tab. Logging should be enabled by default.

e. Click OK.


ACTIVITY 8-6
Monitoring for Intruders

Setup: The Windows XP Professional system has been hardened and the evaluation version of the RealSecure Desktop Protector intrusion detection software has been installed. Foundstone’s SuperScan port scanner has also been installed to the C:\Program Files\Superscan folder. In Internet Explorer, Content Advisor is configured to block unrated Web sites. You will work with a partner in this activity; one partner will play the role of the intruder, and the other partner will play the role of the monitored system.

Scenario: One of the next tasks as the security administrator for the brokerage firm is to make sure your new Windows XP Professional systems are secure by actively monitoring your system for intruders. The brokerage firm’s IT department wants to make sure you catch intruders before they do harm. You have already hardened your servers, scanned for vulnerabilities, and installed intrusion detection software. You have a schedule for reviewing the IDS logs, but as part of the security plan, you also perform periodic real-time monitoring on the IDS. If the intrusion detection software is detecting intruders properly, you might be able to catch one in the act!

You and your lab partner will need to decide who will be the intruder and who will be monitoring their system. After completing the activity, you can reverse roles and go through the steps again.

What You Do How You Do It

On the Computer Designated as the Intruder:

1. Attempt to access the C$ administrative share on your lab partner’s computer.

a. While logged on as Admin100, from the Start menu, choose Run.

b. Enter \\client#\c$ and click OK. Use your partner’s computer number for #.

c. Close the C$ share window.

2. Were you successful? Why?


On the Computer Designated as the Monitored System:

3. Verify that the intrusion was detected.

a. In RealSecure Desktop Protector, on the History page, click the yellow line in the Events graph. (If you do not see a yellow line, select Min in the Interval area to show a more granular view.) This takes you to the suspicious event entry on the Events page. There should be suspicious port probes and failed SMB logon events from the intruder computer.

b. Double-click one of the suspicious event entries from your partner’s computer. This takes you to the entry for this intruder on the Intruders page. You can see the available detail information about the intruder computer.

On the Computer Designated as the Intruder:

4. Scan for open ports on all computers on your subnet.

a. Run C:\Program Files\SuperScan\Scanner.exe.

b. In the Hostname Lookup area, click Me.

c. In the Scan Type area, select All Selected Ports In List.


d. Under IP, click the 1..254 button.

e. Click Start.

On the Computer Designated as the Monitored System:

5. Verify that the intrusion was detected.

To see the attack in progress, select the Events tab before your partner starts the scan in the previous step.

a. Select the Events tab. You should see various port probes and scans from your partner’s computer.

b. Select the History tab. You should see a spike in suspicious activity in the Events graph. You may need to wait for the program view to refresh in order to see the new spike.

6. What intrusions were detected?


7. If you have Internet access, use the advICE feature of RealSecure Desktop Protector to research the intrusions.

If time permits, reverse roles and repeat the activity.

a. Select the Events tab.

b. Select the most recent event.

c. Click the advICE button in the lower-right corner of the screen.

d. In the Content Advisor dialog box, select Always Allow This Web Site To Be Viewed.

e. In the Password text box, enter !Pass1234. Click OK to permit access to the advICE Web site.

You might need to repeat these steps as you click other links on the advICE Web site. If you prefer, you can turn off Content Advisor in Internet Explorer instead.

f. In the advICE Web page, click the FAQ link. This page provides you with a searchable FAQ database with information about various security intrusions.

If time permits, click other informational links on the advICE site.

g. Close Internet Explorer.

h. Close RealSecure Desktop Protector and SuperScan.


TOPIC C
Set Up a Honeypot

In Topic 8B, you monitored your network to catch attackers red-handed. A honeypot system can be used in conjunction with other system monitoring methods as a way to detect and stop attackers before they can cause you damage. In this topic, you’ll learn to configure a honeypot system.

Just as with physical-world crime, there are occasions when you know that there is inappropriate activity going on, yet for one reason or another, you aren’t quite ready to act to apprehend the perpetrator. In a physical-world criminal case, this might entail prolonged surveillance of a known suspect to gather evidence. Or, there might even be a crime “sting,” which permits a suspect to do something illegal under controlled conditions to increase the chances of conviction. Honeypot systems provide similar functionality when fighting network intrusions in the digital world. A properly designed and implemented honeypot system entices attackers so that you can catch them in the act without any real damage to your systems.

Honeypots

Definition:

A honeypot is a security tool that lures attackers away from legitimate network resources while tracking their activities. Honeypots appear and act as a legitimate component of the network but are actually secure lockboxes where security professionals can block the intrusion and begin logging activity for use in court or even launch a counterattack. Honeypots can be software emulation programs, hardware decoys, or an entire dummy network.

• Software-based honeypots are elaborate emulations that mimic real network components. The attacker is not really in the network or accessing actual network components. Thus, security on the actual network is never compromised. However, the work involved in creating a software emulation that would fool a blackhat is quite complex. Software emulations are usually contracted out to companies that specialize in this type of project. If a company did build a software emulation honeypot poorly and an attacker discovered the facade, her only option would be to leave and, unfortunately, if she didn’t take the bait, it may be difficult to catch anyone.

• Hardware-based honeypots are systems comprised of hardware and software components that are partially disabled and improperly configured to entice attackers. They reside within the network but have special security controls in place to prevent attackers from taking the honeypot over or using it to access the rest of the network. A hardware-based honeypot is relatively easy to build, but there is always the threat of an experienced attacker having more access to the actual network than she should have.

• A composite or dummy network honeypot system uses software emulations and actual hardware and software components to create an entire honeypot network apart from the legitimate network. This type of deployment allows for an incredible amount of data to be gathered against an attacker. Although the honeypot network combines the best of each system, it is very expensive to build and maintain.


Regardless of what type of honeypot you deploy, the fact remains that honeypots have one purpose—to lure individuals in and track their activities. This is an incredibly valuable tool for security professionals because the activity logs may be used as evidence in court in the event of a criminal trial. However, the act of luring individuals in could potentially be perceived as entrapment or violate the code of ethics of your organization. These legal and ethical issues should be discussed with the legal counsel and human resources department of your organization.

An excellent real-world example of a dummy network type of honeypot is the HoneyNet Project, http://project.honeynet.org. The project is a joint effort by over 30 security professionals to study attacks and share this information on the Web.

Example: Honeypot—State University

State University has a network-based IDS. In the last six months, the security administrator has noticed an increase of suspicious activity centering on the Web servers. He is concerned that the servers are being scoped out for an attack. He would like to set up a honeypot to gather more information and protect the Web servers from attack. However, he is not certain that the servers are being targeted, and management is not convinced that spending money on another security system is necessary.

The security administrator decides to build a hardware-based honeypot with extra components he has and use a freeware program to set it up. He is hoping to gather enough information to warrant a more complex system in the future.

Example: Honeypot—National Bank

National Bank has a complex IDS system that is managed by a team of highly trained security administrators. The senior administrator has discussed the option of honeypots with management to further protect highly sensitive data.

After discussing the options, it is decided that the best approach is a small honeypot network. The senior security administrator works with an outside consulting firm to create simulations for their Web server, transaction database, and customer database. In the meantime, other members of the security team build hardware-based honeypots to support the software emulations on this “network.” To divert attention away from the legitimate network and create interest in the new honeynet, National Bank releases an inconspicuous press release about a new database installation that will make transaction information safer.

Set Up a Honeypot

Procedure Reference: Set Up a Honeypot

To set up a honeypot:

1. Determine what type of attack or attacks you are trying to detect.

2. Install and configure the honeypot system. This can either be a third-party software package that mimics a live server, or simply a system with weak security that you set up manually and expose on your network.

3. Test the honeypot to verify it is working properly. Act as an attacker to verify it looks real.

4. Monitor the honeypot, both in real time and by reviewing activity logs periodically.


5. Take the appropriate action when you catch the attacker; for example, turn them over to the appropriate legal authorities.
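Step 4 (reviewing the honeypot’s activity logs) is where the evidence for step 5 is assembled. The following is an added example, not part of the course and not a feature of Network Monitor, IIS or any product named in this lesson. It reconstructs an FTP honeypot session from a captured command and reply transcript and produces, per source address, every credential tried, whether it worked, and which files were taken. The transcript format and the sample session are constructed for the illustration, modelled on the credential-guessing exchange that the next activity walks through against a decoy faculty account.

```python
"""Rebuild an FTP honeypot session from a captured transcript (added example).

Assumed capture format, constructed for this example, one line per message:
    <time> <C|S> <peer IP> <FTP command or server reply>
C = line the peer sent to the honeypot, S = the honeypot's reply.
"""
from collections import defaultdict

# Constructed capture: two rejected guesses, a third that succeeds, then a
# file download.  The honeypot sees passwords in the clear because FTP
# sends them unencrypted; that is what makes them usable as evidence here.
SAMPLE_CAPTURE = """\
10:42:01 C 192.168.1.37 USER aager
10:42:01 S 192.168.1.37 331 Password required for aager.
10:42:04 C 192.168.1.37 PASS ager
10:42:04 S 192.168.1.37 530 User aager cannot log in.
10:42:09 C 192.168.1.37 USER aager
10:42:09 S 192.168.1.37 331 Password required for aager.
10:42:12 C 192.168.1.37 PASS allison
10:42:12 S 192.168.1.37 530 User aager cannot log in.
10:42:17 C 192.168.1.37 USER aager
10:42:17 S 192.168.1.37 331 Password required for aager.
10:42:20 C 192.168.1.37 PASS password
10:42:20 S 192.168.1.37 230 User aager logged in.
10:42:31 C 192.168.1.37 RETR securesystems.doc
10:42:31 S 192.168.1.37 150 Opening data connection.
10:42:32 S 192.168.1.37 226 Transfer complete.
10:42:40 C 192.168.1.37 QUIT
10:42:40 S 192.168.1.37 221 Goodbye.
"""


def parse_capture(text):
    """Split the constructed capture into (time, direction, peer, payload) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, direction, peer, payload = line.split(maxsplit=3)
        rows.append((time, direction, peer, payload))
    return rows


def build_evidence(rows):
    """Return {peer: record}; record holds 'attempts' as (time, user, password,
    success), 'retrieved' as (time, filename), and a 'compromised' flag.

    FTP is request/reply, so each PASS or RETR is held until the matching
    reply code (230/530 for logons, 226 for a completed transfer) arrives.
    """
    records = defaultdict(lambda: {"attempts": [], "retrieved": [], "compromised": False})
    pending_user = {}   # peer -> username from its latest USER command
    pending_pass = {}   # peer -> (time, user, password) awaiting 230/530
    pending_file = {}   # peer -> (time, filename) awaiting 226
    for time, direction, peer, payload in rows:
        rec = records[peer]
        if direction == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                pending_user[peer] = arg
            elif verb == "PASS":
                pending_pass[peer] = (time, pending_user.get(peer, "?"), arg)
            elif verb == "RETR":
                pending_file[peer] = (time, arg)
        else:
            code = payload.split(" ", 1)[0]
            if peer in pending_pass and code in ("230", "530"):
                t, user, password = pending_pass.pop(peer)
                ok = code == "230"
                rec["attempts"].append((t, user, password, ok))
                rec["compromised"] = rec["compromised"] or ok
            elif peer in pending_file and code == "226":
                rec["retrieved"].append(pending_file.pop(peer))
    return dict(records)


def password_guessers(evidence, min_failures=2):
    """Sources with at least min_failures rejected passwords: the signature
    of someone working through a short list of likely passwords."""
    return sorted(peer for peer, rec in evidence.items()
                  if sum(1 for a in rec["attempts"] if not a[3]) >= min_failures)


if __name__ == "__main__":
    evidence = build_evidence(parse_capture(SAMPLE_CAPTURE))
    for peer, rec in evidence.items():
        print(peer, "compromised" if rec["compromised"] else "not compromised")
        for t, user, password, ok in rec["attempts"]:
            print(f"  {t} {user}/{password} -> {'accepted' if ok else 'rejected'}")
        for t, name in rec["retrieved"]:
            print(f"  {t} downloaded {name}")
```

The per-source record is what you would hand to legal counsel in step 5: it ties the source address to the guessed passwords and to the file that left the honeypot, which is the same information the activity asks you to read off the Network Monitor capture by hand.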

ACTIVITY 8-7
Installing a Honeypot

Setup: Network Monitor has been installed. Microsoft Exchange is running. You will work with a partner in this activity; one partner will play the role of the monitored honeypot system, and the other partner will play the role of an attacker.

Scenario: State University has had a problem in the past with students uploading and downloading files from the university’s internal faculty FTP site and wants to catch the perpetrators. Instead of attempting to catch the students during the last breach, the FTP server was just hardened to immediately stop the attacks. No students have broken in since. However, now that the live FTP servers are secure, you would really like to catch the intruders. A faculty member, Dean Allison Ager, suspected it was her account that was compromised, as she frequently uploads to the FTP site. Her FTP account, like other faculty accounts at the University, is named with her first initial and last name. Dean Ager admitted that at times she wasn’t following the best practices section of the university security policy, using easy passwords such as her last name and first name, and writing them down on sticky notes attached to the computer monitor in her office. She also indicated that many students and teaching assistants have access to her office. You suspect that her account would quickly become a target again if you deployed an FTP server with no file-access controls and no anonymous user access. The IT department has checked with the legal department in the university and they have given the green light to deploy this FTP honeypot to try to detect the intruder.

You and your lab partner will need to decide who will act as the student attacker and who will be the security administrator. After completing the activity, if time permits, you can reverse roles and go through the steps again.

What You Do How You Do It

On Both Systems:

1. If necessary, reboot into Windows 2000.

a. Restart the computer and choose Windows 2000 Server from the boot loader menu.

b. Log on as Administrator with a password of !Pass1234.


On the Computer Designated as the Monitored Honeypot System:

2. Install FTP and provide one or more dummy FTP data files.

a. Open Control Panel and run Add/Remove Programs.

b. Click Add/Remove Windows Components.

c. Select Internet Information Services (IIS) but do not uncheck the check box. Click Details.

d. Check File Transfer Protocol (FTP) Server and click OK.

e. Click Next. If you are prompted for the location of the Windows 2000 Server installation files, enter \\Server100\SPlus\Srv2000\I386. If you are prompted for credentials, connect as the domain100\administrator user with a password of !Pass1234.

f. Click Finish.

g. Close Add/Remove Programs and Control Panel.

h. Copy the SecureSystems.doc file from \\Server100\SPlus\Student to C:\Inetpub\ftproot. Populating the FTP server with some data files will make the honeypot system appear as normal as possible to the potential intruder.


3. Configure FTP not to permit anonymous logons.

a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

b. Expand your server object and open the properties of the Default FTP Site.

c. Select the Security Accounts tab.

d. Uncheck Allow Anonymous Connections.

e. Click Yes to confirm that users will be sending passwords across the network unencrypted.

f. Click OK.

g. Close Internet Information Services.

4. Create a vulnerable user account on the FTP honeypot computer.

a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users and Computers.

b. Right-click the Users folder and choose New→User.

c. In the Full Name text box, enter AAger.

d. In the User Logon Name text box, enter AAger. Click Next.

e. Enter and confirm password as the password. Click Next.

f. Uncheck Create An Exchange Mailbox. Click Next.

g. Click Finish.

h. Close Active Directory Users And Computers.


5. Begin monitoring network traffic to and from the FTP honeypot computer.

a. From the Start menu, choose Programs→Administrative Tools→Network Analysis Tools→Network Monitor.

b. Choose Capture→Filter.

c. Double-click INCLUDE ANY <-> ANY.

d. In the Station 1 area, select the entry with a Name of LOCAL and an Address that matches your Local Area Connection’s MAC address.

e. Click OK twice.

f. Choose Capture→Start.


On the Computer Designated as the Student Attacker:

6. From the command line, attempt to ftp to the honeypot computer.

If anonymous access is not permitted on an FTP site, attackers must obtain a legitimate user account. Attackers know that users all too often employ easy-to-guess passwords such as their first name, their last name, or simply the word “password.”

a. Open a command prompt window.

b. Enter ftp server#, where # is your partner’s computer number.

c. When prompted for the user name, enter aager.

d. When prompted for the password, enter ager. You should receive a Login Failed message.

e. Enter user aager.

f. When prompted for the password, enter allison. You should receive a Login Failed message.

g. Enter user aager.

h. When prompted for the password, enter password. You should be able to log on.

i. Enter ls to list the files on the FTP site.

j. Enter get securesystems.doc to download the file.

k. Enter bye to disconnect.

l. Close the command prompt window.

7. Were you successful? Why?


On the Computer Designated as the Monitored Honeypot System:

8. Stop the capture and review the capture log.

a. In Network Monitor, choose Capture→Stop And View. You can see all the logon attempts, all the attempted password entries, and the data transfer that occurred during the attacker’s session.

b. After you have reviewed the capture log, close Network Monitor without saving the capture or any unsaved address database entries.

9. What was the source IP address of the attack? How can this assist you in finding the attacker?

10. Why would you suspect this student was the previous attacker to the FTP site?

If time permits, reverse roles and repeat the activity.

TOPIC D
Respond to Security Incidents

With this topic, we’ve arrived at the last phase of the network security cycle. This is the phase that you hope never arrives: your network is under attack, and you need to respond. In this topic, you’ll learn to respond to security breaches.

You might hope that if you implement security well and monitor vigilantly, you might never have to live through a network attack. But, simply put, attacks are inevitable. Attackers are out there every day, ceaselessly trolling the Internet with automated tools that can uncover and penetrate susceptible systems. No matter how secure your network, detecting an attack is a question of when, not if. The skills you’ll learn in this topic will help you to respond appropriately when this does occur.

Incident Response Policy

Of all the security policies within an organization, an incident response policy (IRP) is one of the most important to the continued safety of physical and intellectual assets. The incident response policy generally answers these questions:


• Who will determine an actual security incident has occurred?

• Who will be notified when an incident occurs?

• How are individuals/departments notified?

• Who is responsible for responding to the incident?

• What is the appropriate response?

An IRP usually involves several departments and, depending on the severity of the incident, may involve the media. The human resources and public relations departments of an organization generally work together in these situations to determine the extent of the information that will be made available to the public. Information is released to employees, stockholders, and the general public on a need-to-know basis.

ACTIVITY 8-8
Investigating Incident Response Policies

Scenario: As security administrator for your organization, Leland Hospital Systems, you’ve been asked to join a committee of high-level managers to develop an incident response policy (IRP). Before the committee’s first meeting, you decide to do some research on the Internet.

What You Do How You Do It

1. Search the Internet for information on IRPs.

a. Open Internet Explorer and go to your favorite search engine.

b. Search for information on incident response policies.

c. Examine the information you find.

d. Compare the information you find with the findings of other students in class.

2. In your own words, why is it important to have an incident response policy?

3. What do you think are the most important components in the policies you’ve found?

4. How do you think the policies you’ve found answer the questions in the concepts preceding this activity?


5. In general, do you think it’s important to notify employees of ordinary security incidents? Why or why not?

6. Why might you want to alert law enforcement officials of a security incident? Why might you want to notify the media?

Respond to Security Incidents

Procedure Reference: Respond to Security Incidents

To respond to security incidents:

1. Consider doing nothing. Some types of attacks, such as a ping sweep, do no damage in themselves. Stopping the attack might be a waste of your effort and a tip-off to the attacker.

2. For attacks from across the network, use network monitoring tools to identify the source.

You might need to work with your ISP or your internal network or router administrators to gather the necessary information and respond to the attack.

3. Gather evidence, in the form of network trace files, security logs, and so on, if the attack is not causing immediate damage.

4. Block the source of a network attack if it becomes necessary to stop the attack.

5. For DDoS attacks, scan for and remove any zombie agents on your local network, using a tool such as Zombie Zapper from http://razor.bindview.com.

6. Shut down the affected systems and move them to an isolated subnet, but only if necessary to stop the attack or prevent further system damage.

7. Reverse the damage to the affected systems:

• For malicious code attacks, run antivirus software to disinfect the systems.

• For other attacks, restore lost files, user accounts, and other objects from a backup.

• If a backup is not available, rebuild the lost objects manually.

• As a last resort, reinstall the systems.

8. Gather any additional evidence regarding the source of the attack.

9. Perform a quantitative and qualitative damage assessment to determine a dollar value of the cost of the attack.


10. You might need to turn evidence of the attack, including the identity of the perpetrator (if known), over to your computer forensic team or proper authorities in accordance with your organization’s security policies and local legal requirements.

11. Re-evaluate your system hardening and perform additional hardening steps, if appropriate.
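Which of steps 1 through 5 applies depends on what the network trace shows. The following is an added example, not part of the course and not code from Network Monitor, UDP Flooder, DDoSPing or any other product named in this lesson. It triages a packet summary the way the DoS activity that follows asks you to do by eye: it computes each source’s peak packets-per-second from one-second buckets, then returns a verdict together with the procedure steps that apply. The record layout, the 500 packets-per-second threshold and the sample traffic are constructed assumptions; a real threshold would be set from the baseline of the server being watched.

```python
"""Triage a suspected DoS from a packet summary (added example, not course code).

A packet record is assumed to be (seconds since capture start, source IP,
protocol, destination port); the layout is constructed for this example.
"""
from collections import defaultdict


def flood_packets(sources, pps, seconds, port=80, proto="UDP"):
    """Constructed traffic: every source sends pps packets per second to
    `port` for `seconds` seconds, spread evenly inside each second."""
    pkts = []
    for s in range(seconds):
        for src in sources:
            for i in range(pps):
                pkts.append((s + i / pps, src, proto, port))
    return pkts


def background_traffic():
    """Constructed ordinary web traffic: two clients, one packet every 2 s."""
    return [(t, src, "TCP", 80)
            for t in range(0, 40, 2)
            for src in ("192.168.1.50", "192.168.1.51")]


def peak_rates(packets):
    """Highest packets-per-second observed per source (one-second buckets)."""
    buckets = defaultdict(int)
    for t, src, _, _ in packets:
        buckets[(src, int(t))] += 1
    peak = defaultdict(int)
    for (src, _), n in buckets.items():
        peak[src] = max(peak[src], n)
    return dict(peak)


def triage(packets, pps_threshold=500):
    """Return (verdict, flooding_sources, recommended_steps).

    Verdicts: 'no_flood' (procedure step 1: consider doing nothing),
    'dos_single_source' (steps 2 to 4: trace, preserve evidence, block),
    'ddos_multiple_sources' (step 5: hunt for zombie agents, involve the ISP).
    """
    rates = peak_rates(packets)
    flooding = sorted(src for src, rate in rates.items() if rate >= pps_threshold)
    if not flooding:
        return ("no_flood", [],
                ["Monitor only; low-rate traffic does no damage by itself (step 1)."])
    if len(flooding) == 1:
        src = flooding[0]
        return ("dos_single_source", flooding,
                [f"Identify the source from the trace: {src} at {rates[src]} pps (step 2).",
                 "Save the capture as evidence before intervening (step 3).",
                 f"Block {src} at the router or firewall if the flood continues (step 4)."])
    return ("ddos_multiple_sources", flooding,
            [f"{len(flooding)} sources are flooding at once: treat as DDoS.",
             "Scan the local network for zombie agents and remove them (step 5).",
             "Work with the ISP to filter the flood upstream (step 2 note)."])


if __name__ == "__main__":
    # A 30-second UDP flood from one host against port 80, like the activity.
    capture = background_traffic() + flood_packets(["192.168.1.37"], pps=800, seconds=30)
    verdict, sources, steps = triage(capture)
    print(verdict, sources)
    for step in steps:
        print(" -", step)
```

The same function handles the three situations the procedure distinguishes: feed it a 20 pps probe and it recommends leaving it alone, a single 800 pps source and it recommends trace-evidence-block, and five sources at 600 pps each and it recommends the zombie-agent sweep of step 5.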

ACTIVITY 8-9
Responding to a DoS Attack

Setup: The Windows 2000 system has been hardened, and Network Monitor has been installed and has been used previously to capture data on your local network. Port 80 is open on the server. All computers on your network are on the 192.168.y.x subnet, where y is a number unique to your network. You will work with a partner in this activity; one partner will play the role of the intruder, and the other partner will play the role of the monitored system. The tools and data files you will need for this activity are available on the network in the \\Server100\SPlus\Tools share in the following folders: \UDPFlood\udpflood.exe and \DDosPing\ddosping.exe.

Scenario: As you are monitoring your network performance, you notice a performance degradation on one of your Web servers. The security policy for your organization states that any such performance degradation should be treated as a symptom of a possible DoS or DDoS attack until proved otherwise.

You and your lab partner will need to decide who will be the attacker and who will be acting as the monitoring system. After completing the activity, you can reverse roles and go through the steps again.

What You Do How You Do It

On the Computer Designated as the Monitoring System:

1. Begin monitoring system performance with Task Manager.

a. Right-click the Taskbar and choose Task Manager.

b. Select the Performance tab. This page gives you an ongoing snapshot of system resource usage, including a graphical representation of CPU and memory usage.

c. Minimize Task Manager.


2. Start capturing data between your computer and other destinations on the network.

a. From the Start menu, choose Programs→Administrative Tools→Network Analysis Tools→Network Monitor.

b. Click the filter icon on the toolbar.

c. Double-click INCLUDE *ANY <-> *ANY.

d. Select the Local entry in the Station 1 window that has the MAC address of your network adapter.

e. Click OK.

f. In the Capture Filter window, click OK.

g. Choose Capture→Start.

On the Computer Designated as the Attacker:

3. Use Udpflood.exe to start a 30-second DoS attack on your lab partner’s Windows 2000 Server.

a. Run \\Server100\SPlus\Tools\UDPFlood\udpflood.exe. If you are prompted for credentials, connect as the domain100\administrator user with a password of !Pass1234.

b. In the IP/Hostname text box, enter Server#, where # is your partner’s computer number.

c. In the Port text box, enter 80.

d. In the Max Duration (Secs) text box, enter 30.

e. Move the Speed slider to Max to generate the maximum number of packets during the attack.

f. Click Go.

g. When the attack is complete, close UDP Flooder.


On the Computer Designated as the Monitoring System:

4. During the attack, examine Task Manager for signs of a performance degradation.

a. Switch to Task Manager. The CPU Usage History shows signs of increased activity. However, depending on the hardware resources in your system, the actual impact on system performance will probably be minor.

b. When the activity subsides, close Task Manager.

5. Analyze the captured data for signs of an attack.

a. Switch to Network Monitor.

b. Choose Capture→Stop and View. Your capture should look similar to the following screen shot.

c. After you have examined the capture results, close Network Monitor without saving the capture.

6. Which packets in the capture created the DoS condition? (You might need to widen the Description column.)

7. Can you determine the source of the attack?

8. What is the first thing you should consider doing in response to this DoS attack?

9. How else could you respond to this DoS attack?


10. What steps should you take once the attack is resolved?

11. If the attacker wanted to automate the attacks instead of having to do so manually, what can the attacker do?

All Computers:

12. Use DDoSPing to check for any zombie agents on your network.

a. Run \\Server100\SPlus\Tools\DDoSPing\ddosping.exe.

b. Verify that 192.168.y.1 appears in the Start IP Address text box. Substitute your network number for y.

c. Verify that 192.168.y.1 appears in the End IP Address text box. Substitute your network number for y.

d. Click Start.

e. When the test is complete, close DDoSPing.

13. Were any zombie agents detected?

If time permits, reverse roles and repeat the activity.


ACTIVITY 8-10Blocking a Network Intruder

Setup:For this exercise, you will use the Windows XP Professional installation. The computer nameis Client#, where # is your unique integer assigned by the instructor. The default administratoraccount has been renamed with your first name and set up with a password of !Pass1234.There is also an administrative-level account on this computer named Admin100, with a pass-word of !Pass1234. The Windows XP Professional system has been hardened and theevaluation version of the RealSecure Desktop Protection intrusion detection software has beeninstalled. You will work with a partner in this activity; one partner will play the role of theintruder, and the other partner will play the role of the monitored system.

Scenario:

During regular monitoring of a system, you detect unauthorized attempts to access the root share of a Windows XP Professional computer. Your organization’s security policy states that all such access attempts should be blocked at the source.

You and your lab partner will need to decide who will be the intruder and who will be monitoring their system. After completing the activity, you can reverse roles and go through the steps again.

What You Do How You Do It

1. Reboot the computer into Windows XP Professional and log on as Admin100.

a. Reboot into Windows XP Professional.

b. Log on as Admin100.

On the Computer Designated as the Monitored System:

2. Begin monitoring for intruders with RealSecure Desktop Protector.

a. In the System Tray, click the RealSecure Desktop Protector icon.

b. Select the Events tab and choose Tools→Clear Event List.

c. Click OK.


On the Computer Designated as the Intruder:

3. Attempt to access the C$ administrative share on your lab partner’s computer.

If your attack isn’t detected after entering \\client#\c$, try using your partner’s IP address or connecting to the d$ share.

a. As the Admin100 user, from the Start menu, choose Run.

b. Enter \\client#\c$ and click OK. Use your partner’s computer number for #.

c. Close the C$ folder window.

On the Computer Designated as the Monitored System:

4. Block the intruder.

a. On the Events page of RealSecure Desktop Protector, in the Events list, right-click the intrusion event from your partner’s computer and choose Block Intruder→For An Hour.

b. Click Yes to confirm.

After about 45 minutes, you will get messages prompting you to extend the hour-long block, if desired. Click No to dismiss the messages and let the block expire.

c. Select the Intruders tab. Your partner’s computer appears with a symbol indicating it has been blocked.

On the Computer Designated as the Intruder:

5. Attempt to access the C$ share on your lab partner’s computer.

a. From the Start menu, choose Run.

b. Enter \\client#\c$ and click OK. Use your partner’s computer number for #.

c. Click OK in the error message that appears after a few moments.

6. Were you successful? Why?


On the Computer Designated as the Monitored System:

7. Verify that the attempted intrusion was detected and blocked.

If time permits, reverse roles and repeat the activity. Before repeating the activity, you will need to remove the block in RealSecure Desktop Protector. Open RealSecure Desktop Protector. On the Intruders page, right-click the blocked system and choose Trust Intruder→Trust And Accept. Confirm the trust and close RealSecure Desktop Protector.

a. In RealSecure Desktop Protector, select the Events tab. The attempted intrusion events appear with a symbol indicating that the intrusions were blocked.

b. Close RealSecure Desktop Protector.

Lesson 8 Follow-up

In this lesson, you learned to monitor the security infrastructure for any attempts to breach your organization’s security. An advance warning of an attack may give you just enough time to stop the attack before it really gets going. The only way to discover an intrusion early enough is to monitor your infrastructure on a daily basis.

1. What type of intrusion detection software are you familiar with and how have you used it to detect attacks?

2. What do you feel is the most important part of the infrastructure to monitor? Why?


Follow-up

In this course, you learned the skills and information you will need to implement and monitor security on networks and computer systems, and respond to security breaches. You also covered the majority of the learning objectives that you will need to prepare for the CompTIA Security+ Certification examination. If you combine this class experience with review, private study, and hands-on experience, you will be prepared to demonstrate your expertise both through certification testing and with solid technical competence on your job.

What’s Next?

For more information on additional security courses, see your Element K sales representative, or visit our Web site at www.elementkcourseware.com.


APPENDIX A: Authentication and Authorization

While at first they might seem to be the same, authentication and authorization are very different. Authentication is the process of requiring a user to prove his or her identity, while authorization is the process of taking that user’s identity after he or she has been authenticated and allowing or denying access to specific network resources. It’s this two-step process that is at the very heart of an organization’s security infrastructure.

There are a variety of authentication methods that you can employ in your network. The following table lists some common methods.

For more information on two-factor authentication and tokens, see RSA’s Web site at www.rsasecurity.com/products/securid/.

Authentication Method and Description

User name/password: In this type of authentication, a user’s user name and password are compared against a database. If the user name and password match, the user is authenticated. This method may not be very secure because the user’s credentials are often transferred in plain text.

Challenge Handshake Authentication Protocol (CHAP): In CHAP authentication, the authenticating server sends a challenge message back to the user’s computer when the user tries to log on to a network or a specific server. The user’s computer responds with a hash value of the user’s user name and password. The authenticating server compares the hash value against the result of its own hash function and if there’s a match, the user is authenticated. CHAP is used to log in to remote servers.

Certificates: When a user authenticates using a certificate, the user presents a digital certificate in place of a user name and password. A user is authenticated if his or her certificate is validated by a certificate authority.

Kerberos: Kerberos authentication uses a key distribution server to validate user credentials and distribute tickets to the user that allow them to access the local workstation. Kerberos is a very secure method of authentication because it uses a strong level of encryption. Kerberos relies heavily on an accurate time service, so you’ll need to make sure you have a time server or your authenticating servers are synchronized using an Internet time server.

Tokens: Tokens are text or numerical values in addition to user names and passwords that provide an added layer of authentication. Tokens are often personal identification numbers (PINs) or a second, additional password. Tokens can be generated by special devices in response to a challenge from an authenticating server or by devices that generate values using algorithms independent of a challenge by an authenticating server. Tokens provide multi-factor or two-factor authentication in that they provide for a required value in addition to the user’s user name and password.

Biometrics: Biometric authentication involves a user’s physical characteristics as part of the authentication process. This can involve a fingerprint scanner, a retinal scanner, or voice-recognition and face-recognition software. Because biometric authentication is currently very expensive to implement, it isn’t as widely adopted as other authentication methods.
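The CHAP exchange from the table, carried through with both sides' messages, as an added example that is not code from the student manual. It follows RFC 1994, where the response is MD5 over the message Identifier, the shared secret and the server's Challenge (the secret itself never crosses the link); the Authenticator and Peer classes, CREDENTIALS and the sample user are this example's own constructions.

```python
"""CHAP-style challenge-response exchange, with both sides' messages.

Added example, not code from the Security+ student manual. The manual's
table says the peer returns a hash of its credentials; RFC 1994 specifies
MD5 over the message Identifier, the shared secret and the Challenge, which
is what is implemented here. Authenticator, Peer, CREDENTIALS and the
sample user are constructed for this example.
"""
import hashlib
import hmac
import secrets

# Constructed credential store: user name -> shared secret. The secret is
# configured on both ends and never sent over the link.
CREDENTIALS = {"alice": b"correct horse battery staple"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues one-time challenges and checks responses."""
    def __init__(self, store):
        self._store = store
        self._pending = {}  # identifier -> challenge still awaiting a response
        self._next_id = 0
    def challenge(self):
        """Message 1 (server -> peer): Identifier plus a random Challenge."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256  # Identifier is one octet
        chal = secrets.token_bytes(16)
        self._pending[identifier] = chal
        return identifier, chal
    def verify(self, identifier, name, response):
        """Message 3 (server decision): recompute the hash and compare.
        The challenge is consumed on first use, so a response seen on the
        wire does not authenticate a second time."""
        chal = self._pending.pop(identifier, None)
        secret = self._store.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


class Peer:
    """Client side: knows its name and the shared secret."""
    def __init__(self, name, secret):
        self.name = name
        self.secret = secret
    def respond(self, identifier, challenge):
        """Message 2 (peer -> server): Name plus the hashed Response."""
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(name, secret, store=CREDENTIALS):
    """One complete three-message CHAP exchange; True if authenticated."""
    auth = Authenticator(store)
    peer = Peer(name, secret)
    identifier, chal = auth.challenge()               # 1. Challenge
    peer_name, resp = peer.respond(identifier, chal)  # 2. Response
    return auth.verify(identifier, peer_name, resp)   # 3. Success / Failure


def recorded_response_is_useless(store=CREDENTIALS):
    """Why the challenge matters: a Response recorded from one exchange
    authenticates neither against a fresh Challenge nor against the
    already-consumed one."""
    auth = Authenticator(store)
    peer = Peer("alice", store["alice"])
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    if not auth.verify(ident, name, resp):
        return False
    new_ident, _ = auth.challenge()
    return (not auth.verify(new_ident, name, resp)
            and not auth.verify(ident, name, resp))


if __name__ == "__main__":
    print("alice, correct secret:", run_exchange("alice", CREDENTIALS["alice"]))
    print("alice, wrong secret:  ", run_exchange("alice", b"guess"))
    print("recorded response useless:", recorded_response_is_useless())
```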

For a good introduction to the Kerberos protocol, visit: http://web.mit.edu/kerberos/www/dialogue.html

After the user is authenticated, there are several ways to control the user’s access to network resources. Some of the common methods are described in the following table.

Authorization Method and Description

Mandatory Access Control (MAC): In MAC, access is controlled based on an object’s security label and a user’s security clearance. Objects (files and other resources) are assigned security labels of varying levels depending on the object’s sensitivity. Users are assigned a security level or clearance, and when they try to access an object, their clearance is compared to the object’s security label. If there’s a match, the user can access the object; if there’s no match, the user is denied access. MAC security labels can generally be changed only by a system administrator and not the object’s owner. MAC is highly secure but isn’t widely implemented because it isn’t as easy to administer as other authorization methods.

Discretionary Access Control (DAC): In DAC, access is controlled based on a user’s identity. Objects are configured with a list of users who are allowed access to them. An administrator has the discretion to place the user on the list or not. If a user is on the list, the user is granted access; if the user isn’t on the list, access is denied. Unlike MAC, in a DAC authorization scheme, object owners can generally modify their objects’ access control lists.

Role-based Access Control (RBAC): In RBAC, access is controlled based on a user’s role. Users are assigned to roles, and network objects are configured to allow access only to specific roles. Roles are created independently of user accounts. To prevent misuse-of-privilege attacks, RBAC allows an administrator to implement separation of duties (or roles). A user might have more than one role assigned to him at one time or might switch from one role to another over the course of his employment. Using the principle of least privilege, an administrator can assign to a role only those privileges users in the role need to complete their work.

Privilege Management Infrastructure (PMI): A PMI is a collection of authentication and authorization mechanisms that allow an administrator centralized control of user and group role-based privilege management. PMI is often implemented to control user authentication and authorization for an organization’s Web resources. A PMI should include an auditing component to track privilege use. PMI can also offer single sign-on (SSO) capabilities by providing users one-time authentication for browsing multiple servers or sites.
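The three decision models from the table (MAC, DAC and RBAC) side by side, as an added example that is not code from the student manual. Users, objects and policies are constructed; MAC is implemented with the usual dominance rule (a clearance at or above the object's label grants read access), which is an assumption beyond the table's "match" wording, and RBAC enforces the separation of duties and least privilege the table mentions.

```python
"""MAC, DAC and RBAC access decisions side by side.

Added example, not code from the Security+ student manual; users, objects
and policies are constructed. MAC uses the usual dominance rule (clearance
at or above the label grants read), which goes beyond the table's "match"
wording; DAC keeps an owner-editable access list; RBAC enforces
separation of duties between conflicting roles.
"""

# Ordered sensitivity levels for MAC labels and clearances (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class MacPolicy:
    """Labels and clearances are set by the administrator, never by owners."""
    def __init__(self):
        self.labels = {}      # object -> security label
        self.clearances = {}  # user -> clearance
    def admin_label(self, obj, label):
        self.labels[obj] = label
    def admin_clear(self, user, level):
        self.clearances[user] = level
    def can_read(self, user, obj):
        if obj not in self.labels or user not in self.clearances:
            return False  # unlabeled object or uncleared user: deny
        return LEVELS[self.clearances[user]] >= LEVELS[self.labels[obj]]


class DacPolicy:
    """Each object carries a list of permitted users; only its owner edits it."""
    def __init__(self):
        self.owner = {}  # object -> owner
        self.acl = {}    # object -> set of permitted users
    def create(self, owner, obj):
        self.owner[obj] = owner
        self.acl[obj] = {owner}
    def grant(self, actor, obj, user):
        if self.owner.get(obj) != actor:
            raise PermissionError(f"{actor} does not own {obj}")
        self.acl[obj].add(user)
    def can_access(self, user, obj):
        return user in self.acl.get(obj, set())


class RbacPolicy:
    """Permissions attach to roles; conflicting roles are mutually exclusive."""
    def __init__(self):
        self.role_perms = {}    # role -> {(object, action)}
        self.user_roles = {}    # user -> {role}
        self.conflicts = set()  # frozenset({role_a, role_b}) pairs
    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)  # least privilege: only what the job needs
    def separate_duties(self, role_a, role_b):
        self.conflicts.add(frozenset((role_a, role_b)))
    def assign(self, user, role):
        held = self.user_roles.setdefault(user, set())
        for existing in held:
            if frozenset((existing, role)) in self.conflicts:
                raise ValueError(f"{role} conflicts with {existing} for {user}")
        held.add(role)
    def can(self, user, obj, action):
        return any((obj, action) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo():
    """Run the three models over a constructed scenario; return the decisions."""
    mac = MacPolicy()
    mac.admin_label("payroll.xls", "confidential")
    mac.admin_clear("alice", "secret")
    mac.admin_clear("bob", "internal")
    dac = DacPolicy()
    dac.create("alice", "notes.txt")
    dac.grant("alice", "notes.txt", "bob")  # the owner may extend the list
    try:
        dac.grant("bob", "notes.txt", "carol")  # a non-owner may not
        bob_could_grant = True
    except PermissionError:
        bob_could_grant = False
    rbac = RbacPolicy()
    rbac.define_role("ap_clerk", {("invoice", "create")})
    rbac.define_role("ap_approver", {("invoice", "approve")})
    rbac.separate_duties("ap_clerk", "ap_approver")
    rbac.assign("carol", "ap_clerk")
    try:
        rbac.assign("carol", "ap_approver")  # would let one person do both
        sod_enforced = False
    except ValueError:
        sod_enforced = True
    return {
        "mac_alice_payroll": mac.can_read("alice", "payroll.xls"),
        "mac_bob_payroll": mac.can_read("bob", "payroll.xls"),
        "dac_bob_notes": dac.can_access("bob", "notes.txt"),
        "dac_carol_notes": dac.can_access("carol", "notes.txt"),
        "dac_bob_could_grant": bob_could_grant,
        "rbac_carol_create": rbac.can("carol", "invoice", "create"),
        "rbac_carol_approve": rbac.can("carol", "invoice", "approve"),
        "rbac_sod_enforced": sod_enforced,
    }
```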


APPENDIX B: Understanding Media

Objectives:

In this lesson, you will identify the characteristics of various media.

You will:

• define tape media.

• define disk media.

• define CD-ROM.

• define floppy disks and their characteristics.

• describe the characteristics and use of hard drives.

• define bounded and unbounded media.

• identify coaxial cable.

• identify UTP and STP cable.

• identify the characteristics of fiber-optic cable.

Lesson Time: 4 hour(s)

Introduction

This appendix is a review and reference of media types.

You will examine the characteristics that define various kinds of media and determine what media is most appropriate in given situations.

TOPIC A: Removable Media

Data can be stored on many media, including magnetic tape, CD-ROMs, hard drives, and floppy disks.

Consider the value of the data stored on your PC. A week’s worth of changes and additions to files or to a database can have greater value than the entire system on which it is stored.

As companies use PCs for more and more of their business transactions, the value of the information kept on these systems increases dramatically. It is important to understand the media that stores this data.

Tape Media

Definition:

A tape is a magnetically coated strip of plastic on which data can be encoded. Tapes are accessed sequentially, which means specific data cannot be accessed on the tape without sequentially going through all of the preceding data. Tapes vary in storage capacities and formats. Tapes are considered a slower media and are generally used only for long-term storage and backup.

There are more and more choices every year when it comes to backup media. A few years ago, you only had a choice between reel-to-reel tapes, QIC cartridges, and very expensive DAT recorders. Today, the costs of the DAT recorders and media are within the range of most IT budgets. For workstation backups, QIC cartridges are a popular choice; you might consider using Iomega’s Jaz or Zip disks. Magnetic tape is still the most popular backup media.

The following table shows some of the most common backup media.

Media, Maximum Storage Sizes, and Description

Digital Audio Tape (DAT)
  Maximum storage sizes: at least 1 GB, up to 12 GB
  Description: used in many different size networks; 4 mm tape, about the size of an audio tape

Digital Linear Tape (DLT)
  Maximum storage sizes: at least 10 GB, up to 12 GB
  Description: used mainly in mid- to large-size networks; 0.5-inch cartridges

Quarter-Inch Cartridge (QIC)
  Maximum storage sizes: at least 40 MB, up to 25 GB
  Description: original width was 0.25 inches; available in 3.5-inch (Traven) or 5.25-inch cartridges; usually used in smaller networks and stand-alone PCs


Example: Quarter-Inch Cartridge (QIC)

Quarter-Inch Cartridge (QIC) technology is among the oldest, most standardized, and most reliable of the tape technologies. QIC drives are available for most computer platforms.

QIC cartridges are available in 60 MB, 150 MB, 250 MB, 525 MB, and larger sizes. Most of the drives designed to read the higher-capacity cartridges can also read the lower-capacity cartridges.

Two of the biggest detractions to QIC technology are cost and speed. QIC drives are inexpensive; however, the cartridges are expensive when dollars per megabyte is considered. Quarter-inch cartridge drives are slow, having about the slowest transfer rates of any of the tape technologies.

Example: DAT Cartridges

Digital Audio Tape (DAT) is a backup tape format that offers higher storage capacity at a lower cost than QIC technology. Capacity is from 1 GB to 4 GB and up. Originally adapted from the audio market, the 4 mm DAT tape format offers higher storage capacities at a lower cost than does QIC technology. The term “DAT,” or Digital Audio Tape, is often used to describe 4 mm tape technology.

DAT cartridges are quite small compared with QIC cartridges, and therefore, are much easier to store and use. Capacities for 4 mm tapes range from 1 GB to 4 GB and more.

DAT tapes are considered to be less reliable than QIC tapes. They are especially vulnerable to heat and moisture. Because the tape is pulled out of the cartridge during operation, to be wrapped around the spinning read/write head, the tapes wear more quickly than do QIC tapes.

Due to lack of strict standards, 4 mm tape drives are not always compatible: tapes from one drive might not be readable in another drive. This will probably only be a problem for larger installations with a large variety of computing equipment.

Example: 8 mm Tape

The 8 mm tape format was originally developed by Exabyte, which continues to be the only manufacturer of 8 mm drives. Many other manufacturers purchase raw drives from Exabyte and integrate them into internal or external 8 mm tape drives. This arrangement ensures compatibility between 8 mm drives.

These 8 mm tape drives offer storage capabilities between 2.2 GB and 10 GB per cartridge. The tape cartridges are only slightly larger than DAT tapes. They are often considered more reliable than 4 mm drives; however, the drives and tapes are more expensive than 4 mm units.

The 8 mm tape drives are popular in the UNIX and workstation industry. These drives have only recently become popular with network administrators as the amount of data on LANs has grown.

Example: Digital Linear Tape (DLT)

Digital Linear Tape (DLT) is a backup tape technology developed by DEC. Current storage capacity is up to 50 GB. Digital Linear Tape (DLT) was developed by DEC, who sold this technology to Quantum. The tape is a half-inch cartridge with a single hub. There are 128 or 208 linear tracks, holding 10 to 35 GB of data. Another DLT format, Super DLT, holds up to 50 GB. Currently, DLT transfer rates are in the 1.25 MB to 5 MB per second range. The forecast is for DLT to soon hold up to 500 GB with up to 40 MB per second transfer rates.


Disk Media

Definition:

Disks are the most commonly used type of storage. There is a wide variety of different disk types, including many sizes and formats of floppy disks, hard disks, optical disks, CD-ROMs (Compact Disc Read-Only Memory), and removable hard disks (such as Syquest).

In general, all sorts of disk storage share certain common elements. On all disks, physical differences in the surface of the disk are used to represent data. On floppy and hard disks, magnetism is used to encode data. On CD-ROM and optical disks, variations in how the disk surface reflects light are used to encode data.

On disks, tracks are concentric circles (hard and floppy disks) or spirals (CDs and video discs). On tapes, they are parallel lines. A sector is the smallest unit of storage read or written on a disk. Disks arrange information into concentric rings called tracks. Tracks are divided into pie-like slices called sectors. Some disks can be written to only on one side; others can be written to on both sides. A read/write head can be positioned over any track, and data is read (or written) as the sectors pass by.

Example:

A disk storage location can be specified by its side, track, and sector. An example is shown in Figure B-1.

Figure B-1: A disk storage location can be specified by its side, track, and sector.


CD-ROM

Definition:

A CD-ROM (which stands for Compact Disc Read-Only Memory) is an optical disc storage technology well suited for the distribution of large amounts of information. A compact disc stores vast amounts (about 682 MB) of information in a convenient, permanent medium. Most manufacturers use the ISO standard 9960 or the High Sierra subset of that standard and provide common file formats.

Data on a CD-ROM is stored as a series of microscopic depressions in a metal substrate, sandwiched in a glass or plastic disc. The data is read by a low-power laser beam. Binary 1s and 0s are differentiated by the degree of reflectivity of the surface. The depressions, or pits, reflect differently than the lands, or non-depression areas.

Example:

CDs have many uses: they are used to distribute software and information, such as collections of data, and to publish books, magazines, or collections of graphics. Most CDs are indexed, enabling them to be searched easily by using keywords. Although they are slower to use than hard disks, CDs have become popular as a way to provide access to large amounts of information.

The mass production of CDs, as when a software manufacturer distributes software on CDs, begins with a process called mastering, or burning. One master copy of the CD is created and tested; and then it’s used by a CD publisher to make many (often thousands) of copies, with the per-copy cost typically being less than $1. Figure B-2 shows the connectors for a typical CD-ROM drive.

Figure B-2: Connectors for a typical CD-ROM drive.


ATAPI

ATAPI (AT Attachment Packet Interface) is an extension to EIDE that enables support for CD-ROM and tape drives.

AT Attachment Packet Interface (ATAPI) is an extension to EIDE that enables support for CD-ROM drives (including CD-R and CD-RW drives), as well as tape drives on an IDE controller. You can install an ATAPI drive as if it were just another EIDE drive. With ATAPI drives, it’s not necessary to perform CMOS configuration. All configuration is handled automatically. ATAPI drives can be set up as master or slave drives (through jumpers) and can run off the primary or secondary controller.

MPEG stands for Movie Picture Experts Group. This group has developed MPEG digital video compression standards and file formats, including MPEG-1 and MPEG-2.

DVD drives also use ATAPI, but in addition require a Movie Picture Experts Group (MPEG) decoder to decode MPEG files used with DVDs. Two MPEG standards exist: MPEG-1 and MPEG-2. They are digital video compression standards and file formats that were developed by the Movie Picture Experts Group. MPEG-1 provides video resolution of 352 x 240 at 30 frames per second. MPEG-2 provides video resolution of 720 x 480 and 1,280 x 720 at 60 frames per second.

Using CD-ROMs

Some operating systems, such as UNIX, OS/2 2.x, Windows NT, and others, inherently support CD-ROM drives. Other operating systems, such as DOS, DOS/Windows, and some versions of NetWare, require additional software in order to use CD-ROM drives. CD-ROM drives often provide driver software for the operating systems that need them. Third-party driver software is also available.

Many CD-ROM drives use the SCSI interface to connect to the host system. A common interface for SCSI CD-ROM drives and other devices, called the Advanced SCSI Programming Interface, or ASPI, has been developed. This enables the use of a single ASPI device driver for multiple SCSI devices. An example of such a driver is Adaptec’s ASPIDSK.SYS.

Practical Issues

Keep the following in mind when you are using CD resources:

• Some older CD-ROM drives require that the disc be placed in a disc caddy, or protective plastic container, before they can be inserted into the drive. You may want to consider purchasing additional caddies for storage purposes.

• CD-ROM drives are connected to a host computer by using a SCSI bus or an IDE bus.

• If you put a SCSI CD-ROM on the same controller as a hard disk, you might see a performance loss. Check with the hardware vendors for known incompatibilities.

• When you connect the data cable and power to the drive, the configuration is similar to that of a hard drive: data cable to the left, power cable to the right, and a red stripe closest to the red power wire.

• Make sure that the jumpers are set properly and that the audio cable is attached. Audio cables carry only analog sound; digital sounds are carried on the data cable.


Floppy Disks

It is often necessary to share files with other people. One way to do this is to use removable disks. Another use for removable disks is to provide a second copy or backup of important files.

Definition:

Floppy disks are similar to hard disks, except that the material on which data is recorded is not hard; it is made of a floppy material, such as mylar. Read/write heads record data on floppy disks similar to the way they do on hard disks. Because floppy disks can be removed from the computer and easily carried, they are not as well protected as hard disks. To make floppy disks more tolerant (than hard disks) of dust and scratches, data is not packed as densely into a floppy disk as it is in a hard disk. What floppy disks lack in storage capacity, they make up in portability. To provide a reasonable degree of protection for floppy disks, they are contained inside a tight-fitting square sheath of vinyl or hard plastic.

Example:

There are three floppy-disk formats. These three floppy-disk formats are shown in Figure B-3.

Figure B-3: Three floppy-disk formats.

Storage Capacity

The amount of data that can be stored in a disk is determined by the number of sides, tracks per side, sectors per track, and bytes that can be stored in a sector. For example, a double-sided disk with 80 tracks, 36 sectors, and 512 bytes per sector has a total capacity of 2 x 80 x 36 x 512, or 2,949,120 bytes. Divide this by 1,024 to get the number of kilobytes, which is 2,880. The following table shows common floppy-disk sizes and formats, and their total capacity in kilobytes.


Disk Size (inches)  Sides  Tracks per Side  Sectors per Track  Bytes per Sector  Total Capacity in Kilobytes  Sectors per Cluster
3.5                 2      80               36                 512               2,880                        2
3.5                 2      80               18                 512               1,440                        1
3.5                 2      80               9                  512               720                          2
5.25                2      80               15                 512               1,200                        1
5.25                2      40               9                  512               360                          2
5.25                2      40               8                  512               320                          2
5.25                1      40               9                  512               180                          1
5.25                1      40               8                  512               160                          1

The Evolution of the Floppy Disk

Early floppy disks were large; they had an 8-inch diameter and a soft vinyl cover. The next type of disk to become widely used was the 5.25-inch format, which was essentially the same as the 8-inch format, only smaller. These two types of disks come with a special envelope, in which they are stored when not in use.

The most commonly used type of floppy disk today is the 3.5-inch disk, which has a hard plastic cover, and a metal shutter that closes to protect the inner disk from dust when the disk is not inside a drive mechanism. The 3.5-inch disks do not need to be stored in an envelope when they are not in use because the metal shutter adequately protects the disk from normal amounts of airborne particles. Despite the trend toward smaller disks, the storage capacity of floppy disks has increased dramatically over the years.

Floppy Disk Drives

Here are some things to keep in mind when you are installing or replacing a floppy disk drive:

• When you look at the back of the drive, the data connection is on the right and the power connection is on the left (or above the data connection). This configuration is the opposite of hard drives.

• For floppy disk drive data connectors, Pin 1 is on the left side. To connect the data cable, place the red strip on the cable nearest to the red wire on the power connection cable.

• Data cables for floppy disk drives have a twist in them, so that the computer can recognize and distinguish between multiple floppy disk drives (drives A and B, usually) in a system. When you are connecting only one drive, connect it after the cable twist. When you are connecting more than one drive, connect drive A after the twist and drive B before the twist.

Figure B-4 shows the connectors for a floppy disk drive.


Figure B-4: Connectors for a typical 3.5-inch floppy disk drive.

Hard Drives

Definition:

Hard drives, or fixed disks, are a type of storage device that provide fast access to large amounts of storage in a small, reasonably reliable physical package. Without them, most modern computing applications would be impossible.

A cylinder is the aggregate of all tracks that reside in the same location on every disk surface. On multiple-platter disks, the cylinder is the sum total of every track with the same track number on every surface. On a floppy disk, a cylinder comprises the top and corresponding bottom track. Hard disks are often composed of multiple disks. A cylinder consists of a track on the top side of the top-most disk, and all of the tracks beneath it. This is shown in Figure B-5. A cylinder represents all of the data that the read/write heads can access when they are in a certain position. (There is a separate read/write head for each side of each disk, but they all move together.)


Figure B-5: A cylinder.

Hard drives have been designed to meet users’ needs for speed and capacity. With the maturation of the technology, designers now add reliability to and reduce the cost of the design process. This constant redesign process has produced better drives, in many different types. However, even with differences, almost all hard drives operate the same way: data is stored as locations of magnetic flux, or change, on a disk of specially coated aluminum or glass. Hard disks can have one or more of these platters or disks. The information is read or written with a head, or small magnet, that floats on a cushion of air over the platter. The platter spins at a high rate, generally 5,400 or 7,200 revolutions per minute (rpm). The heads are moved across the platter by one of two technologies: older designs used a motor, called a stepper motor, that moved only in pre-defined increments, or steps. Newer designs use a voice coil, similar to an audio speaker, to move the heads more precisely over the platter.

Example:

Figure B-6 illustrates the components of a hard drive.


Figure B-6: The physical components of a hard drive.

Writing Data to the Hard Disk

Hard disks spin at very fast speeds, and the read/write heads hover over the platters, very close to the surface so that they can read or write data. The platters are made of a rigid material, such as aluminum, that is coated with a magnetic material. To write data, the computer positions the head in a particular track. When the appropriate sector passes by, pulses of electricity are sent through a coil of wire in the head. This creates an electromagnetic field, which aligns magnetic particles on the disk surface. By alternating the flow of the current to the head, 1s and 0s can be encoded magnetically.

Each platter has its own read/write head that encodes (writes) and decodes (reads) data for that platter. Data is read and written in circular tracks as the head floats on a thin layer of air over the rotating platter.

Reading Data from the Hard Disk

To read data, the computer positions the head over the appropriate track. When the sector passes by, the magnetic particles on the disk create an electrical current in the head through a phenomenon known as inductance. In the head, the alternating patterns of magnetism on the disk translate into alternating flows of electrical current, which can be translated into 1s and 0s.

Physical Characteristics

Physically, hard drives come in a number of designs. The terms form factor and height are used to describe the physical characteristics of hard drives that are mounted internally. External drives are most often simply internal drives mounted in a case that also has a power supply.

• With regard to a disk drive, the form factor is the overall diameter of the platters and case, such as 3.5 inches or 5.25 inches, not the size in terms of storage capacity. The form factor of a drive refers to its width. This measurement is derived from the original IBM PC/XT case that had drive openings of 5.25 inches. Most drives today are actually smaller than their rated form factor and use spacers, or mounting brackets, to fit within the case. The 5.25-inch and 3.5-inch form factors are the most popular for desktop and desk-side computer systems. Newer form factors, designed for use in laptops and notebooks, include 2.5-inch and even 1-inch designs.

• Again, the height of the drive is a measurement derived from the original IBM PC/XT case. A device that would fill the height of the drive bay of the XT is considered to be a full-height device. Other heights include half-height and the newer 1-inch high drives.

You must match the form factor and height of a drive you purchase with the available openings in your computer. Otherwise, you will have difficulty installing the new drive.

Installing a Hard Drive

The specific steps for setting up a hard disk in a system depend on the system and the type of hard disk you are installing; however, the main tasks are:

1. Physically install the hard disk into the computer.

2. Prepare the new hard disk for use in the system.

The Configuration of Hard Drives

You should configure the hard drive before you install it in the case. The drives are configured with jumpers. There is often a label on the drive with the jumper settings.

The master is the first IDE or EIDE device on a single IDE channel. If the device is the hard drive on the first IDE channel, the device can be formatted to be the boot disk. The slave is the second IDE or EIDE device on a single IDE channel. The first drive is referred to as the master drive. The second drive is referred to as the slave. If you have two IDE or EIDE devices on the same cable, one needs to be set to master and the other to slave. This allows both devices to properly communicate on a single channel. It also specifies the boot order of the drives. The master drive on the first IDE channel is the first IDE drive accessed when the system boots.

You will need to set the jumpers to reflect each drive's role (master or slave). Some drives also have a separate "single" setting for use when there is only one drive on the IDE channel. Many drives additionally support cable select (CS), in which the drive's position on the cable determines whether it acts as master or slave.

If possible, place hard drives on a different channel than CD drives. This requires two IDE channels, which most motherboards provide. One or two hard drives should go on IDE 1, as master and slave, or single. If you have an IDE CD-ROM and a second CD drive (such as a rewriter, DVD, or just another CD-ROM), they should go on IDE 2 as master and slave.

Hard Drives

Keep the following in mind when you are working with hard drives:

• Because of the delicate nature of hard disks, you need to be very careful when you are handling them. Do not bump or shake them unnecessarily, and do not transport them unless they are encased in protective packaging.

• When performance is a less-critical issue than cost, consider adding another hard disk to an existing controller board, rather than replacing the controller, disk, or computer.

APPENDIX B

Security+ A CompTIA Certification332


• If you are installing a hard drive, make sure that you're using the proper cable rating and type for the hard drive to be installed. Also, you need to be sure to follow the correct installation and configuration procedures, as described later in this topic.

Advances in Capacity

Today's hard drives hold far more information than the hard drives of just a few years ago. They're smaller, faster, and more reliable, due to technological advancements such as improved coatings for platters and smoother platter surfaces. Another improvement is the advent of the voice coil design, which positions the heads more precisely and so enables cylinders to be written closer together. This, in turn, enables more data to be saved to each platter than could be saved on older hard drives with the same platter size.

DISCOVERY ACTIVITY B-1

Storage Media

Scenario:

You are in the process of purchasing various storage media for your organization. You need to understand the specifications in order to make your decisions.

1. Form factor refers to a drive's ________.

2. How is the storage capacity of a floppy disk determined?

3. Tape drives are used primarily for ________.


TOPIC B

Cabling

A major category of media is network cabling. In this topic, you will become familiar with cable types and their characteristics.

Networks have gone through quite a lot of changes in the last 15 years, driven mostly by two factors: speed and reliability. In the early days of networking, conventional wisdom said that 75 percent of all network failures were related to the network media or cabling. Today, older, less-reliable media types have been phased out, and better assembly techniques have been developed to make networks far more reliable.

Bounded and Unbounded Media

Definition:

Bounded media is any network media that travels in a contained conductor. Unbounded media does not travel in a contained conductor (wireless transmission).

Example:

Wires, cables, and fiber optics are examples of bounded media. Radio, microwave, and infrared use unbounded media. Some examples of bounded and unbounded media are shown in Figure B-7.

Figure B-7: Bounded and unbounded media.


Coaxial Cable (Coax)

Definition:

Coaxial cable, known by its common name of just "coax," is so named because of the physical relationship between the center conductor and the shield, which share a COmmon AXis. Coaxial cable is used with a single-ended signal reference: the center conductor carries the data signal, and the braided outer shield provides a combination of the reference signal and a drain for noise control. The braided shield is separated from the center conductor by a dielectric insulator. All coax cables have to be terminated. It's complicated, but basically the dielectric insulator and the shield provide the cable's electrical characteristics and determine its termination resistance. While coaxial cable provides better noise rejection than other cable types, it requires a physical bus topology with a maximum transmission speed of 10 Mbps and tends to be less reliable, since a single break or missing terminator takes down the whole segment. Because of this, it's rarely used today.

Another type of connector is the Attachment Unit Interface (AUI), which is a 15-pin, D-shaped connector (a DB-15 connector) that resembles a PC game (joystick) port connector. Another commonly used name for an AUI connector is a DIX connector, named for the three companies that developed it: Digital, Intel, and Xerox.

Example: ThinNet

The most common type of coax used in networks is RG58A/U cable, or ThinNet, as it's affectionately known. ThinNet is small in diameter (about an eighth of an inch) and relatively easy to install. It uses BNC connectors and requires a 50 ohm terminator at each end of the bus. It has an end-to-end distance of 185 meters.

Example: ThickNet

The other type of coax used in networks is RG-8, or ThickNet. ThickNet is much harder to work with than ThinNet because it's about a half inch in diameter and very stiff. There are two types of connectors for use with ThickNet: the N-connector and the vampire tap. N-connectors are large, screw-type connectors that look like those used on two-way radios. Vampire taps are a two-part clamshell connector that clamps over the cable and pierces the outer jacket to make the connection. ThickNet has an end-to-end distance of 500 meters. Figure B-8 shows examples of coaxial cable.

Figure B-8: Coaxial cable.


Coax Cable Specifications

The following table displays each coaxial cable type with its respective specifications.

Cable      Name       Maximum segment length    Connector                      Termination
RG58A/U    ThinNet    185 meters (607 feet)     BNC connector                  50 ohm terminator
RG8        ThickNet   500 meters (1,640 feet)   N-connectors or vampire taps   50 ohm terminator

Twisted Pair (UTP/STP) Cable

Definition:

Unshielded Twisted Pair (UTP) cable is by far the most popular cable in use today. It's easy to install, supports the logical bus/physical star configuration, and is very reliable. UTP carries each signal as a differential signal over a pair of conductors twisted around each other within the cable. The combination of the differential signal and the twists (twists per foot) gives UTP good noise rejection and a maximum run of 100 meters. Newer cable, properly installed, can support data speeds up to 1 Gbps.

At the time this course was written, Category 6 and 7 were not yet ratified standards but were in the development stages and supported by many manufacturers because of the demand for high-speed connectivity. (Category 6 has since been published as TIA/EIA-568-B.2-1, and Category 7 is specified as Class F in ISO/IEC 11801.)

Example:

Analog and digital telephone cable are examples of UTP. UTP is also used for varying speeds of network cable. Figure B-9 displays UTP.

Figure B-9: Unshielded twisted pair.

UTP Categories

UTP comes in different grades, called categories (Category 1 to Category 7, or Cat 1 to Cat 7), where the cable's bandwidth capability increases with the category number. Cat 5 is the most popular category, along with the Cat 5+ and Cat 5e (enhanced) grades; Cat 5+ is a manufacturer's designation, while Cat 5e is a TIA/EIA-568 addendum. Cat 6 and Cat 7 were still being standardized when this course was written, and the figures below for them come from the cable manufacturers.


Category     System type
1            Telephone (analog)
2            Telephone (digital)
3            Network, 10 Mbps
4            Network, 16 Mbps
5            Network, 100 Mbps
5+           Network, 150 Mbps
5 Enhanced   Network, 350 Mbps
6            Network, 1000 Mbps
7            Network, 1000 Mbps

The 150 and 350 figures for Cat 5+ and Cat 5e are manufacturers' bandwidth ratings rather than standardized Ethernet data rates; Cat 5e is the minimum grade specified for 1000BASE-T (Gigabit Ethernet), which runs over all four pairs.

RJ-45 Connectors

Cat 5 cables use RJ-45 connectors that look like a common phone plug, only bigger and with eight conductors. Figure B-10 shows an RJ-45 connector. (The phone connectors are called RJ-11.) In 10BASE-T and 100BASE-TX, one pair of conductors is used for transmitting data and another for receiving data; the other two pairs are unused (1000BASE-T uses all four pairs). Each pair is color-coded with a solid color and a white wire with a colored band. For the pin-out of the connectors, there are two standard color schemes: EIA/TIA 568A and 568B. It's important that both ends of a cable be wired with the same color scheme. Both use the same pins for transmit (TX) and receive (RX), but different color pairs.

Figure B-10: RJ-45 connector.

Assemble Patch Cables

To assemble patch cables:

1. Strip the cable jacket back about three-quarters of an inch (don't cut or nick the inner pairs of wires).


2. Place the pairs in color order so they lie flat and slip into the connector.

3. Slip the wires into the connector and be sure they're properly seated and in the correct order (a 5x eye loupe will help with this). Make sure the outer jacket is far enough into the connector that it will be captured by the strain relief tab.

4. Insert the cable/connector assembly into a crimping tool and crimp.

The process of assembling patch cables is detailed in Figure B-11.

Figure B-11: Assembling patch cables.

To make a standard patch cable (TX goes to TX), use the same color scheme at each end. To make a crossover (TX goes to RX) cable, use 568A at one end and 568B at the other.
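As an added example (not code from the course manual), the following Python script models the 568A and 568B pin-outs and classifies a finished cable from the color order crimped at each end, which shows why the same scheme at both ends gives a straight-through cable and 568A at one end with 568B at the other gives a crossover. It also detects a split pair, the miswire that passes a continuity test yet loses the noise rejection the twists provide. The pin and color assignments are the EIA/TIA-568 ones; the function names and the sample miswire are constructed for illustration.

```python
"""Model EIA/TIA 568A/568B pin-outs and classify a crimped patch cable.

Added example, not code from the course manual.  Pin numbers and colors are
the standard 568A/568B assignments; TX/RX are the 10BASE-T / 100BASE-TX
pair assignments (1000BASE-T uses all four pairs).
"""

# Color at pins 1..8 (list index 0..7).  Pair positions are identical in
# both schemes; 568A and 568B only swap the green and orange pairs.
T568A = ["white/green", "green", "white/orange", "blue",
         "white/blue", "orange", "white/brown", "brown"]
T568B = ["white/orange", "orange", "white/green", "blue",
         "white/blue", "green", "white/brown", "brown"]

PAIR_PINS = [(1, 2), (3, 6), (4, 5), (7, 8)]   # where each twisted pair lands
TX_PINS, RX_PINS = (1, 2), (3, 6)


def mate(color):
    """The other wire of the same twisted pair (solid <-> white/striped)."""
    return color[len("white/"):] if color.startswith("white/") else "white/" + color


def split_pairs(end):
    """Pin positions whose two wires are not a twisted pair.

    A split pair still passes a continuity test but loses the noise
    rejection the twists provide; cable testers report it separately.
    """
    return [(p, q) for p, q in PAIR_PINS if end[q - 1] != mate(end[p - 1])]


def pin_map(end_a, end_b):
    """For each pin at end A, the pin at end B on the same physical wire."""
    return {pin: end_b.index(color) + 1 for pin, color in enumerate(end_a, start=1)}


def classify(end_a, end_b):
    """Return 'straight-through', 'crossover' or 'miswired'."""
    if split_pairs(end_a) or split_pairs(end_b):
        return "miswired"
    m = pin_map(end_a, end_b)
    if all(m[p] == p for p in m):
        return "straight-through"
    tx_goes_to = tuple(m[p] for p in TX_PINS)
    rx_goes_to = tuple(m[p] for p in RX_PINS)
    if tx_goes_to == RX_PINS and rx_goes_to == TX_PINS:
        return "crossover"
    return "miswired"   # e.g. blue and brown pairs swapped: fine at 10/100, dead at gigabit


if __name__ == "__main__":
    # A common crimping mistake (constructed): pins 2 and 3 swapped at one end.
    bad_end = T568A[:]
    bad_end[1], bad_end[2] = bad_end[2], bad_end[1]
    for label, a, b in [("568A to 568A", T568A, T568A),
                        ("568B to 568B", T568B, T568B),
                        ("568A to 568B", T568A, T568B),
                        ("568A to swapped 2/3", T568A, bad_end)]:
        print(f"{label}: {classify(a, b)}; split pairs at far end: {split_pairs(b)}")
```

The pin map for a 568A-to-568B cable sends pins 1 and 2 to 3 and 6 and vice versa while pins 4, 5, 7 and 8 map to themselves, which is exactly the TX/RX swap a 10/100 crossover needs; a gigabit crossover also has to swap the blue and brown pairs, and most current switch ports auto-sense (auto MDI-X) so that a crossover is rarely required.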

Shielded Twisted Pair (STP)

Shielded Twisted Pair (STP) has the same twisted-pair wire as UTP, but has a shield (usually a foil and a drain wire) added to drain away noise. STP has a shorter rated distance than UTP (only 90 meters) but has better noise rejection. STP cable grades are called types and range from type 1 to type 9, with types 1, 1A, 2A, and 6A used in networks. STP works well in environments where electrical noise is hard to control and its higher cost is acceptable.

Fiber-optic Cable

Definition:

Fiber-optic technology is a point-to-point technology that uses light to carry a data signal through cable. The light source is either a laser or a high-intensity LED, depending on transmission range (a laser is used for long-range transmission). Because of the speed of light and the fast reaction of the optic devices, fiber-optic signals have very high data rates: the digital data is flashed through the fiber-optic carrier.

Analogy:

Fiber-optic technology is very much like the signaling lamps used to send Morse code between ships at night. Figure B-12 gives an example of fiber-optic technology.


Figure B-12: Fiber optics.

Basic Fiber Construction

Fiber-optic cables use a thin thread of glass to conduct the light from one end of the cable to the other. This glass thread can break easily, so the rest of the fiber-optic cable is designed to protect it. The glass core is between about 8 and 62.5 microns in diameter (62.5 is most common for multi-mode fiber), and the glass cladding around it brings the outside diameter to 125 microns. To put it in perspective for you, a sheet of office paper is roughly 100 microns thick, so the core is thinner than paper. The cladding has a lower refractive index than the core, which keeps the light inside the core.

The fiber is loosely encased inside an inner jacket about an eighth of an inch in diameter, and filled with a lubricant. The fiber is longer than the jacket, and that's important because when the temperature changes, the extra length compensates for the jacket's expansion and contraction. The jacket is surrounded by an Aramid or Kevlar braid, making the cable more stable. Like the belts on a car tire, the braid prevents shocks to the outside of the cable from getting to the core. Finally, the cable has an exterior jacket or armor.

Example:Figure B-13 shows some examples of fiber-optic cable.

Figure B-13: Fiber-optic cable.


Single-mode fiber

Single-mode fiber carries a single data signal over long distances (a maximum of 30 miles). It has a small diameter core (10 microns) and uses a laser, usually in the invisible, infrared spectrum. Most single-mode fiber transmitters are always on and transmit data by modulating the amplitude (intensity) of the light.

Though it's bad practice to look into the end of any fiber connection that is turned on, it's extremely dangerous to look into a single-mode fiber connection because of the intensity of the transmitting laser, and because the light is infrared you will see nothing even when it is on.

Multi-mode fiber

Multi-mode fiber has a core wide enough that the light entering it travels along many different paths, or modes, at the same time. Multi-mode fiber uses a larger core than single-mode (50, 62.5, or 100 microns) and has a shorter transmission distance, because the modes arrive at slightly different times and smear the pulse (modal dispersion).

Step Index multi-mode fiber has a core with a uniform refractive index and an abrupt step to the cladding, so rays entering at different angles bounce down the core along paths of different lengths. Step index costs the least to implement, but is limited to shorter distances (a few hundred feet).

Graded Index fiber has a core whose refractive index decreases gradually from the center outward, so rays on the longer outer paths travel faster and arrive together with those near the center. Graded index is used to send higher quality data signals over distances up to 2,500 meters. Figure B-14 shows the difference between Step Index and Graded Index multi-mode fiber.

Figure B-14: Step Index versus Graded Index multi-mode fiber.

Fiber Connectors

There are multiple types of fiber connectors, shown in the following table. Figure B-15 illustrates these fiber connectors.


Connector   Description

ST          ST connectors are used to connect multi-mode fiber. They look like BNC connectors and have a straight, ceramic center pin and a bayonet lug lock-down. They're used a lot in network patch panels. Overall, ST connectors are the most popular type of fiber connector.

SC          SC connectors are box-shaped and snap into a receptacle. They're seen a lot in a duplex configuration where two fibers are terminated into two connectors molded together. SC connectors are easy to hook up.

SMA         SMA connectors are similar to ST connectors, but use a threaded ferrule on the outside to lock the connector together. SMA connectors are typically used where water and other environmental conditions necessitate a waterproof connection that can't be made with a bayonet lug type connector.

FC          FC connectors are similar to SMA connectors, but use a heavy ferrule in the center for more mechanical stability than SMA or ST connectors. FC connectors are not used much in business networking, but they might find their best use in industrial networking where the extra mechanical strength of the FC connector is desired.

Figure B-15: Fiber-optic connectors.


DISCOVERY ACTIVITY B-2

Becoming Familiar with Fiber-optic Cable

Scenario:

Your manager is unfamiliar with cable media. He asks you the following questions.

1. What type of media is copper cable?

a) Bounded

b) Unbounded

c) Radiated

d) Inferential

2. How many grades does UTP cable come in?

a) Four

b) Five

c) Six

d) Seven

3. On UTP cable, which designation describes telephone connectors?

a) Cat-5T

b) RJ-45

c) RJ-11

d) RJ-568A

4. Why shouldn't you look into the end of a fiber connector or socket, even if you don't see a light?

5. What advantages does fiber have over copper media?

6. How many fiber conductors are needed to implement a full duplex connection?


SecureSystems.doc

National Bank’s System Hardening Recommendations

Make sure to keep up to date with the latest security patches!

Windows XP Professional Security Recommendations

(workgroup environments)

Note: These steps should be used for all Windows XP Professional clients in a workgroup, and those that will remain on isolated subnets, such as the Bank's background investigation computers. For Windows XP Professional clients participating in a domain, these steps can be automated by following the steps on Group Policy.

General Settings:

1. Install the latest Windows XP patches and hot fixes on all desktop systems. All security patches should be installed immediately when available.

2. Do not use Internet Connection sharing.

3. Disable the Welcome Screen.

4. Disable Fast User Switching.

5. For laptops and home systems only: enable the built-in XP Internet Connection Firewall.

6. Apply the Windows Media Player Security Patch.

7. Convert all drives to NTFS.

8. Install anti-virus software; keep virus definition files up to date.

9. Use the MBSA tool quarterly to verify that the system is secure.

10. Check TechNet and the Center for Internet Security for the latest recommendations for securing the registry and the file system.

Password Policy Settings:

1. Enforce password history→24 passwords remembered

2. Maximum password age→30 days

3. Minimum password age→7 days

4. Minimum password length→8 characters

5. Password must meet complexity requirements→Enabled

APPENDIX C


Appendix C: SecureSystems.doc 343


6. Store password using reversible encryption for all users in the domain→Disabled

Account Lockout Policy Settings:

1. Account lockout duration→30 minutes

2. Account lockout threshold→3 invalid logon attempts

3. Reset account lockout counter after→30 minutes

Audit Policy Settings:

1. Audit account logon events→Success and Failure

2. Audit account management→Success and Failure

3. Audit directory service access→No auditing (Used for Domain Controllers only)

4. Audit logon events→Success and Failure

5. Audit object access→Failure

6. Audit policy change→Success and Failure

7. Audit privilege use→Failure

8. Audit process tracking→No auditing

9. Audit system events→Success and Failure

User Rights Assignment Policy Settings:

1. Access this computer from the network→Administrators, Users, Power Users, Backup Operators

2. Act as part of the operating system

3. Add workstations to domain

4. Adjust memory quotas for a process→LOCAL SERVICE, NETWORK SERVICE, Administrators

5. Allow logon through Terminal Services→Administrators,Remote Desktop Users

6. Back up files and directories→Administrators,Backup Operators

7. Bypass traverse checking→Administrators,Users,Power Users,Backup Operators

8. Change the system time→Administrators

9. Create a pagefile→Administrators

10. Create a token object

11. Create permanent shared objects

12. Debug programs→Administrators

13. Deny access to this computer from the network→SUPPORT_########

14. Deny logon as a batch job

15. Deny logon as a service

16. Deny logon locally→SUPPORT_########,Guest

17. Deny logon through Terminal Services

18. Enable computer and user accounts to be trusted for delegation

19. Force shutdown from a remote system→Administrators

20. Generate security audits→LOCAL SERVICE,NETWORK SERVICE

21. Increase scheduling priority→Administrators

22. Load and unload device drivers→Administrators


23. Lock pages in memory

24. Log on as a batch job→SUPPORT_########

25. Log on as a service→NETWORK SERVICE

26. Log on locally→Administrators,Users,Power Users,Backup Operators

27. Manage auditing and security log→Administrators

28. Modify firmware environment values→Administrators

29. Perform volume maintenance tasks→Administrators

30. Profile single process→Administrators,Power Users

31. Profile system performance→Administrators

32. Remove computer from docking station→Administrators,Users,Power Users

33. Replace a process level token→LOCAL SERVICE, NETWORK SERVICE

34. Restore files and directories→Administrators,Backup Operators

35. Shut down the system→Administrators,Users,Power Users,Backup Operators

36. Synchronize directory service data

37. Take ownership of files or other objects→Administrators

Security Options Policy Settings:

1. Accounts: Administrator account status→Enabled

2. Accounts: Guest account status→Disabled

3. Accounts: Limit local account use of blank passwords to console logon only→Disabled

4. Accounts: Rename administrator account→(Rename this account to your first name)

5. Accounts: Rename guest account→(Rename this account to guser#)

6. Audit: Audit the access of global system objects→Enabled

7. Audit: Audit the use of Backup and Restore privilege→Enabled

8. Audit: Shut down system immediately if unable to log security audits→Enabled

9. Devices: Allow undock without having to log on→Disabled

10. Devices: Allowed to format and eject removable media→Administrators

11. Devices: Prevent users from installing printer drivers→Enabled

12. Devices: Restrict CD-ROM access to locally logged-on user only→Enabled

13. Devices: Restrict floppy access to locally logged-on user only→Enabled

14. Devices: Unsigned driver installation behavior→Do not allow installation

15. Domain controller: Allow server operators to schedule tasks→Not defined

16. Domain controller: LDAP server signing requirements→Not defined

17. Domain controller: Refuse machine account password changes→Not defined

18. Domain member: Digitally encrypt or sign secure channel data (always)→Enabled

19. Domain member: Digitally encrypt secure channel data (when possible)→Enabled

20. Domain member: Digitally sign secure channel data (when possible)→Enabled

21. Domain member: Disable machine account password changes→Disabled

22. Domain member: Maximum machine account password age→30 days

23. Domain member: Require strong (Windows 2000 or later) session key→Disabled



25. Interactive logon: Do not display last user name→Enabled

26. Interactive logon: Do not require CTRL+ALT+DEL→Disabled

27. Interactive logon: Message text for users attempting to log on→Warning, This system is for authorized users only. Anyone using this system without authority is subject to prosecution. Additionally, the system may be monitored. By using this system, you consent to monitoring and any suspicious activity may be reported to the proper authorities.

28. Interactive logon: Message title for users attempting to log on→Warning! This system is for authorized users only!

29. Interactive logon: Number of previous logons to cache (in case domain controller is not available)→1 logon

30. Interactive logon: Prompt user to change password before expiration→14 days

31. Interactive logon: Require Domain Controller authentication to unlock workstation→Disabled

32. Interactive logon: Smart card removal behavior→Force Logoff

33. Microsoft network client: Digitally sign communications (always)→Disabled

34. Microsoft network client: Digitally sign communications (if server agrees)→Enabled

35. Microsoft network client: Send unencrypted password to third-party SMB servers→Disabled

36. Microsoft network server: Amount of idle time required before suspending session→15 minutes

37. Microsoft network server: Digitally sign communications (always)→Disabled

38. Microsoft network server: Digitally sign communications (if client agrees)→Disabled

39. Microsoft network server: Disconnect clients when logon hours expire→Enabled

40. Network access: Allow anonymous SID/Name translation→Disabled

41. Network access: Do not allow anonymous enumeration of SAM accounts→Enabled

42. Network access: Do not allow anonymous enumeration of SAM accounts and shares→Disabled

43. Network access: Do not allow storage of credentials or .NET Passports for network authentication→Disabled

44. Network access: Let Everyone permissions apply to anonymous users→Disabled

45. Network access: Named Pipes that can be accessed anonymously→COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,EPMAPPER,LOCATOR,TrkWks,TrkSvr

46. Network access: Remotely accessible registry paths→System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Server Applications,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\TerminalServer,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

47. Network access: Shares that can be accessed anonymously→COMCFG,DFS$

48. Network access: Sharing and security model for local accounts→Classic—local usersauthenticate as themselves

49. Network security: Do not store LAN Manager hash value on next password change→Disabled


50. Network security: Force logoff when logon hours expire→Enabled

51. Network security: LAN Manager authentication level→Send LM & NTLM responses

52. Network security: LDAP client signing requirements→Negotiate signing

53. Network security: Minimum session security for NTLM SSP based (including secureRPC) clients→No minimum

54. Network security: Minimum session security for NTLM SSP based (including secureRPC) servers→No minimum

55. Recovery console: Allow automatic administrative logon→Disabled

56. Recovery console: Allow floppy copy and access to all drives and all folders→Disabled

57. Shutdown: Allow system to be shut down without having to log on→Disabled

58. Shutdown: Clear virtual memory pagefile→Disabled

59. System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing→Disabled

60. System objects: Default owner for objects created by members of the Administrators group→Object creator

61. System objects: Require case insensitivity for non-Windows subsystems→Enabled

62. System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)→Enabled

Event Log Settings:

1. Event Log Maximum Size: 9984 KB

2. When Maximum Log Size Reached: Do not Overwrite Events
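The workstation settings above can be verified rather than eyeballed. The following Python script is an added example (not part of the course manual or of the bank's SecureSystems.doc): it parses the .inf written by the built-in Windows 2000/XP command secedit /export /cfg <file> and reports every Password Policy, Account Lockout Policy, Audit Policy and LAN Manager value that differs from this baseline. The secedit section and key names are the standard ones; SAMPLE_INF is a constructed export containing two deliberate deviations (a 42-day maximum password age and success-only account logon auditing), and the export path shown in the docstring is an assumption.

```python
r"""Audit a Windows XP local security policy export against the baseline above.

Added example, not code from the course manual or SecureSystems.doc.  Assumes
the policy was exported on the workstation with the built-in command
    secedit /export /cfg C:\baseline\local.inf     (path is an assumption)
which writes a UTF-16 .inf with [System Access], [Event Audit] and
[Registry Values] sections.  SAMPLE_INF below is a constructed export.
"""
import configparser

# [System Access]: ages in days, lockout times in minutes, 1/0 = enabled/disabled.
BASELINE_SYSTEM_ACCESS = {
    "PasswordHistorySize": 24,   # Enforce password history
    "MaximumPasswordAge": 30,
    "MinimumPasswordAge": 7,
    "MinimumPasswordLength": 8,
    "PasswordComplexity": 1,     # Password must meet complexity requirements
    "ClearTextPassword": 0,      # Store password using reversible encryption
    "LockoutDuration": 30,
    "LockoutBadCount": 3,        # Account lockout threshold
    "ResetLockoutCount": 30,
}
# [Event Audit] values are bit flags: 1 = Success, 2 = Failure, 3 = both.
SUCCESS, FAILURE = 1, 2
BASELINE_EVENT_AUDIT = {
    "AuditAccountLogon": SUCCESS | FAILURE, "AuditAccountManage": SUCCESS | FAILURE,
    "AuditDSAccess": 0,                     "AuditLogonEvents": SUCCESS | FAILURE,
    "AuditObjectAccess": FAILURE,           "AuditPolicyChange": SUCCESS | FAILURE,
    "AuditPrivilegeUse": FAILURE,           "AuditProcessTracking": 0,
    "AuditSystemEvents": SUCCESS | FAILURE,
}
# [Registry Values] entries are "type,data" (4 = REG_DWORD).  These two carry the
# document's LAN Manager settings: NoLMHash=0 keeps LM hashes on disk and
# LmCompatibilityLevel=0 is "Send LM & NTLM responses".
BASELINE_REGISTRY = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash": 0,
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": 0,
}
CHECKS = [  # (section, baseline, how to decode the exported string)
    ("System Access", BASELINE_SYSTEM_ACCESS, int),
    ("Event Audit", BASELINE_EVENT_AUDIT, int),
    ("Registry Values", BASELINE_REGISTRY, lambda v: int(v.split(",", 1)[1])),
]

SAMPLE_INF = r"""
[System Access]
MinimumPasswordAge = 7
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_secedit_inf(text):
    """Parse secedit .inf text into {section: {key: value}}, keeping key case.

    A real export must be read with encoding="utf-16" before being passed here.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def audit(policy):
    """Return (section, key, expected, actual) for each baseline value not met.

    actual is None when the export does not set the key at all, in which case
    the Windows default applies rather than the baseline.
    """
    findings = []
    for section, baseline, decode in CHECKS:
        exported = policy.get(section, {})
        for key, expected in baseline.items():
            raw = exported.get(key)
            actual = decode(raw) if raw is not None else None
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings


def describe_audit(flags):
    """Render an [Event Audit] value the way the Local Security Policy UI does."""
    names = [n for bit, n in ((SUCCESS, "Success"), (FAILURE, "Failure")) if flags & bit]
    return " and ".join(names) if names else "No auditing"


if __name__ == "__main__":
    for section, key, expected, actual in audit(parse_secedit_inf(SAMPLE_INF)):
        if section == "Event Audit":
            expected, actual = describe_audit(expected), describe_audit(actual or 0)
        print(f"[{section}] {key}: baseline {expected}, exported {actual}")
```

Run against SAMPLE_INF it reports only the 42-day maximum password age and the success-only account logon auditing. Two caveats a reviewer of this baseline should raise: NoLMHash=0 and LmCompatibilityLevel=0 mean the workstation keeps LM password hashes and answers with LM responses, both of which are trivially cracked, and combining "Shut down system immediately if unable to log security audits→Enabled" with a 9984 KB security log set to "Do not Overwrite Events" means a full log halts the workstation, so archiving the log must be scheduled before it fills.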

Windows 2000 Server Hardening Recommendations

1. Install the latest Windows 2000 patches and hot fixes on all server systems. All security patches should be installed immediately when available. Make sure to configure the system before connecting to the Internet, as during the installation, the system is vulnerable.

2. Install the Windows 2000 Security Rollup Package 1.

3. Turn off all unnecessary services (Web service, FTP, NNTP and Print Spooler).

4. Install Internet Explorer 6.0.

5. Convert all drives to NTFS. If the partition you installed Windows 2000 Server on was converted to NTFS after the installation, use fixacls.exe from the Windows NT Server Resource Kit to tighten security after converting.

6. Use the MBSA tool to verify the system is secure.

7. Apply the Windows Media Player Security Patch.

8. Protect the Registry from remote access by non-administrative users: On HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg, remove the Backup Operators group from the permissions list and grant the local Administrators group Full Control permission.

9. Restrict anonymous access to Local Security Authority (LSA) information: Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 1 (value type = REG_DWORD).

Windows 2000 Active Directory Hardening Recommendations

1. Check security on Active Directory objects.


2. Policy Security Settings: these settings should be automatically configured by using Group Policy. All domain controllers will use the Microsoft high-security template file included with Windows 2000, hisecdc.inf.

3. Check TechNet and the Center for Internet Security for the latest recommendations for securing the registry and the file system.

4. See the Active Directory administrator or Windows 2000 security administrator for additional security settings or use of any additional security templates.

Windows 2000 File and Print Server Hardening Recommendations

1. Oversee the Desktop team so that they only grant the minimal NTFS and share permissions necessary for users.

2. Enable the Print Spooler service.

3. Suppress default administrative shares: Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer = 0 (data type: REG_DWORD).

4. Microsoft network client: Digitally sign communications (always)→Enabled.

5. Do not set up a file and print server on a domain controller.

Windows 2000 RRAS Hardening Recommendations

1. Use static pools of addresses for VPN clients, not DHCP.

2. Only use L2TP/IPSec for VPN clients.

Windows 2000 DNS Hardening Recommendations

1. For internal DNS servers, install DNS on domain controllers, switch Active Directory toNative mode, and use AD-integrated DNS zones.

2. Use secure dynamic updates for DNS zones on domain controllers.

3. Install fault tolerant DNS servers on different subnets.

4. Use ISP BIND DNS servers in addition to internal DNS servers.

5. Secure the DNS cache against pollution.

6. For DNS servers in the DMZ, use stand-alone Windows 2000 Servers or BIND DNS. Do not install DNS on domain controllers when the DNS server will be exposed to the Internet.

Windows 2000 IIS Hardening Recommendations

1. Enable IIS logging.

2. Install the IIS Security Rollup Package.

3. Run the IIS Lockdown Wizard using the default settings in the Static Web Server template; be sure to install URLScan and review the scan results.

4. Do not install IIS on a domain controller.

Exchange 2000 Hardening Recommendations

1. Enable Exchange 2000 diagnostic logging on the MSExchangeIS/Mailbox/Logons at the minimum level.

2. Enable message size limits of 40,000, 50,000 and 60,000 KB respectively.

3. Enable SMTP logging for the SMTP virtual server.

4. Enable Exchange 2000 message tracking.

5. Block inbound SMTP traffic for the following domains:


• hacker.com

• intruder.com

6. Install Exchange compatible anti-virus software and enable attachment restrictions.

Instant Messaging Hardening Recommendations

1. Install Instant Messaging (IM) servers behind firewalls and do not connect them to the Internet (use Exchange IM only). IM will be used for internal communication only.

2. IM server will host user accounts.

3. Use Windows Authentication. Do not use Digest authentication, as this will require passwords be stored with reversible encryption.


Security+ Exam ObjectivesMapping

The following table lists the test domains and objectives for the Security+ examination, and where they are covered in this course. Some objectives were covered in the prerequisite courses and were not repeated in this course. Objectives covered in the prerequisite courses are mapped to the course part numbers, which are listed along with their corresponding titles in a table at the end of this appendix.

Security+ exam objectives are current as of 3/1/2003.

Security+ Test Domains and Objectives          Element K Course Lessons and Topics

Domain 1.0: General Security Concepts

1.1 Access Control Appendix A

1.2 Authentication Appendix A

1.3 Non-essential Services and Protocols Lesson 2, Topic A

1.4 Attacks Lesson 1

1.5 Malicious Code Lesson 1, Topic B

1.6 Social Engineering Lesson 1, Topic A

1.7 Auditing Lesson 8, Topic A; Lesson 2, Topic A

Domain 2.0: Communication Security

2.1 Remote Access Lesson 4, Topic D

2.2 E-mail Lesson 3, Topic F

2.3 Web Lesson 3, Topic C; Lesson 4, Topic C

2.4 Directory Lesson 2, Topic B

2.5 File Transfer Lesson 3, Topic D

2.6 Wireless Lesson 4, Topic B

Domain 3.0: Infrastructure Security

3.1 Devices Lesson 1, Topic C; Lesson 3, Topic A; Lesson 4, Topic B

APPENDIX D


Appendix D: Security+ Exam Objectives Mapping 351


3.2 Media Appendix B

3.3 Security Topologies Lesson 2, Lesson 3, Lesson 4, Lesson 5, and Lesson 8

3.4 Intrusion Detection Lesson 8

3.5 Security Baselines Lesson 2, Topic A

Domain 4.0: Basics of Cryptography

4.1 Algorithms Lesson 4, Topic A

4.2 PKI Lesson 5, Topic A

4.3 Standards and Protocols Lesson 4, Topic A

4.4 Key Management/Certificate Lifecycle Lesson 5, Topics A, B, and D; Lesson 6, Topics C,D, and G

Domain 5.0: Operational/Organizational Security

5.1 Physical Security Lesson 1, Topic C; Lesson 7, Topic C

5.2 Disaster Recovery Lesson 7, Topic C

5.3 Business Continuity Lesson 7, Topic C

5.4 Policies and Procedures Lesson 2, Topic A; Lesson 7; Lesson 8, Topic D

5.5 Privilege Management Appendix A

5.6 Forensics Lesson 7, Topic B

5.7 Risk Identification Lesson 8, Topic A

5.8 Education Lesson 7, Topic D

5.9 Documentation Lesson 7


Automated Setup Instructions

The classroom computers will be configured to dual-boot between Windows 2000 Server and Windows XP Professional. You will need one computer for the instructor and one computer for each student. In the following procedures you will set up the instructor computer first so that the Windows 2000 Server and Windows XP Professional source files will be shared from the instructor computer’s hard drive. Then the automated setup will install the student computers over the network.

See your manufacturer’s reference manual for hardware considerations that apply to your specific hardware setup.

Approximate setup time using these instructions is 3.5 hours for the instructor system and 3.5 hours for a student system. You must install the instructor computer before you can start the student computer installations. You may install multiple student computers at the same time.

Before You Get Started

Before you start the process, you’ll need to assemble the following:

• Two (2) blank CD-R discs

• Three (3) blank floppy disks

• Windows 2000 Server installation CD-ROM

• Exchange 2000 Server installation CD-ROM

• Windows XP Professional installation CD-ROM

• Windows 2000 Service Pack 2

• Exchange 2000 Server Service Pack 3

• All the software listed in the Instructor’s Edition setup instructions

Create the Windows 98 Boot Disk

Create the Windows 98 boot disk you’ll need for this setup by completing the following steps:

1. Download the Boot98.exe file from www.bootdisk.com/bootdisk.htm (download the Windows 98 OEM version).

2. Double-click Boot98.exe and insert a floppy disk when prompted.

3. When the process is complete, remove and label the floppy disk.

APPENDIX E


Appendix E: Automated Setup Instructions 353


Create the Instructor and Student Floppy Disks

Create the instructor and student floppy disks by completing the following steps:

1. From the course CD-ROM, in the DATA\Data\Automated Setup directory, double-click the INSTRUCTOR.exe file.

2. In the WinImage Self Extractor dialog box, click OK. Insert a floppy disk when prompted.

3. When the Instructor floppy disk is complete, remove and label it.

4. From the course CD-ROM, in the DATA\Data\Automated Setup directory, double-click the STUDENT.exe file. In the WinImage Self Extractor dialog box, click OK. Insert a floppy disk when prompted.

5. When the Student floppy disk is complete, remove and label it.

Create the CD-ROMs Containing Windows 2000 SP2 and Exchange 2000 Server SP3

Create the CD-ROMs containing Windows 2000 SP2 and Exchange 2000 Server SP3 by completing the following steps:

1. Extract the contents of the Windows 2000 Service Pack 2 file, W2KSP2.exe.

2. Create one CD that contains the following folder and software in the root of the CD:

• W2KSP2: Copy the contents of the I386 folder from the extracted W2KSP2.exe file.

3. Create one CD that contains the following folder and software in the root of the CD:

• E2KSP: Copy all the Microsoft Exchange 2000 Service Pack 3 files and folders.

4. When the process is complete, remove and label the CD-ROMs.

Install the Instructor’s Computer

Install the instructor’s computer by completing the following steps:

1. Use the Windows 98 boot disk to boot the computer.

2. Choose Start Computer With CD-ROM Support.

3. Start Fdisk. Enter Y to enable large disk support.

4. Use Fdisk to delete any existing partitions.

5. Use Fdisk to create a 6 GB primary DOS partition. (You may use a larger partition if you’d like, but it must be at least 6 GB.)

6. Set the new partition as the active partition.

7. Create a 4 GB extended DOS partition. Define a logical drive using the entire extended partition.

8. Press Esc until you return to a command prompt. Restart the computer.

9. Use the Windows 98 boot disk to reboot the computer. Start Computer With CD-ROM Support.

10. Use Format.exe to format the C and D drives. You do not need to copy the system files.

11. Boot the computer with the Instructor floppy disk.

12. When prompted, insert the Windows 2000 Server installation CD and press Spacebar.

13. When you see the CD Found message, press any key to continue.


14. Remove the Windows 2000 Server installation CD from the CD drive and eject the floppy disk when the initial file copy completes and the Windows 2000 Server installation starts (the Windows 2000 Server Setup blue screen).

15. Enter the following information for the Windows 2000 Server when you are prompted:

a. Enter an appropriate name and organization.

b. Enter the product key, if necessary.

c. Name the computer Server100. Do not change the password that’s been entered automatically.

d. Set the date and time appropriate for your location.

16. When installation is complete and the computer restarts, if necessary, when the DOS window appears, move it to the bottom of the screen so that the prompts to insert CDs are visible. (There might be a delay of several seconds up to a minute before the prompts begin to appear.)

17. Insert the Exchange 2000 CD-ROM when prompted. Click OK.

18. Insert the Windows XP Professional CD-ROM when prompted. Click OK.

19. Insert the Windows 2000 SP2 CD-ROM. Click OK.

20. Insert the Exchange 2000 Server SP3 CD-ROM. Click OK.

21. After the file copy is complete, the Active Directory Installation Wizard will run, the computer will restart and log on automatically as Administrator. Setup will then install Windows 2000 SP2 and restart. Setup will then install Exchange 2000 Server and Exchange 2000 Server SP3.

22. Setup will then begin the Windows XP Professional installation. When prompted:

a. Enter the product key, if necessary. The computer will continue with setup and then restart into a text-based setup, where it will continue to install the operating system on the D drive.

b. Enter an appropriate name and organization.

c. Name the instructor computer Client100. Do not change the password that’s been entered automatically.

d. Set the date and time settings appropriate for your location.

23. When Windows XP installation is complete, the system will reboot into Windows XP and log on automatically. Because of the default operating system settings, if you don’t immediately continue setup, you’ll be logged out of Windows XP. If that happens, log on as Administrator with a password of !Pass1234 to continue setup.

24. In Windows XP, configure the IP address by completing the following steps:

a. In Control Panel, open Network And Internet Connections.

b. Open Network Connections.

c. Right-click Local Area Connection and choose Properties.

The activities in this course require static IP addresses. If you are attached to a corporate network, consult with your TCP/IP or network administrator to verify that this IP configuration does not conflict with any other addresses in your location. Internet access is recommended in this class, so you should also consult with them on an appropriate method of providing access (for example, Network Address Translation (NAT)). Also, check with them on any additional parameters that may be needed for Internet access (for example, a default gateway and additional DNS servers). If you do add additional DNS servers for Internet access for each computer, make sure you always leave the classroom-configured DNS server IP address as first in the list.


d. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.200 where y is your unique number for the classroom. Enter a subnet mask of 255.255.255.0. Do not enter a classroom DNS server address.

25. Set up your Internet connection as appropriate for your classroom. If you’re not connected to the Internet, you can skip this step.

26. Open Windows Explorer and browse to the C:\SPlus folder. In the C:\SPlus folder, create the following subfolders and add the specified contents:

• W2KSP3: Copy the Microsoft Windows 2000 Service Pack 3 files.

• W2KSRP: Copy the Microsoft Windows 2000 Security Rollup Package 1.

• IIS: This folder will contain the following subfolders:

— SecRollup: Copy the Microsoft Internet Information Server (IIS) Security Rollup Package.

— Lockdown: Copy the Microsoft IIS Lockdown Tool.

• IE6: Copy Microsoft Internet Explorer 6 setup files from the IE6 installation CD-ROM so students can do a full installation without Internet access, or, if you will be setting up Internet access in the classroom, you can simply copy the small Ie6setup.exe file that you downloaded from Microsoft. There are steps for both types of installations in the activity.

• WMPPatch: Copy the Cumulative Patch for Windows Media Player.

• XPProSP1: Copy the Microsoft Windows XP Service Pack 1 files.

• MBSA: Copy the Microsoft Baseline Security Analyzer.

• E2KIM: Copy the Microsoft Exchange Instant Messaging Client.

• SMS: Copy the SMSSetup folder and the NMext folder from the Microsoft Systems Management Server 2.0 with Service Pack 2 installation CD.

• SecurityAnalyst: Extract the Intrusion SecurityAnalyst setup files from the zipped source file. Place the extracted files directly in the \SPlus\SecurityAnalyst folder, not a subfolder.

• SMBRelay: Copy smbrelay.exe.

• LC4: Copy L0phtCrack4.

• RealSecureDP: Copy RSDPEvalSetup.exe.

• Tools: Copy the Foundstone Tools. If you used the option to download all the tools, extract foundstone_tools.zip to \Tools. Otherwise, use the following subfolders in the Tools folder:

— SuperScan: Copy SuperScan v2.0.

— UDPFlood: Extract the UDPFlood v2.0 files from the zipped source file.

— DDosPing: Extract the DDosPing v2.0 files from the zipped source file.

• CourseCD: Copy the PowerPoint slides for the course and the PowerPoint viewer application from the course CD that shipped with this book. (If you prefer, you can run the slides directly from the CD’s Autorun interface.)

• Student: Extract the data files from the course CD that shipped with this book to the \Student directory. If necessary, remove the Read-only attribute from the data files after extracting them.


27. Install Microsoft Network Monitor 2.0 from the C:\SPlus\SMS\NMext\I386 directory by double-clicking the Setup.exe file. When prompted, accept the license agreement and select all default choices.

28. Configure sharing on the C:\SPlus folder by completing the following steps:

a. Use Windows Explorer or My Computer to open the C drive.

b. Right-click the SPlus folder and choose Sharing And Security.

c. Click the If You Understand The Security Risks But Want To Share Files Without Running The Wizard Click Here link.

d. Select Just Enable File Sharing and click OK.

e. In the SPlus Properties dialog box, under Network Sharing And Security, check Share This Folder On The Network. Uncheck Allow Network Users To Change My Files. Click OK. It will take a few minutes for the permissions to be set on all the subfolders.

f. Close My Computer or Windows Explorer.

29. Configure Windows 2000 Server to be the default choice in the boot loader menu by completing the following steps:

a. From the Start menu, right-click My Computer and choose Properties.

b. Select the Advanced tab.

c. Under Startup And Recovery, click Settings.

d. From the Default Operating System drop-down list, select Microsoft Windows 2000 Server /fastdetect.

e. Click OK twice.

30. Reboot the computer into Windows 2000 Server. Log on as Administrator with a password of !Pass1234.

31. Configure the IP address by completing the following steps:

a. In Control Panel, open Network And Dial-up Connections.

b. Right-click the Local Area Connection object and choose Properties.

c. Open the properties of the TCP/IP protocol and configure it with a static IP address of 192.168.y.100, where y is a unique number on your local subnet. Enter a subnet mask of 255.255.255.0. For example, if this is the only classroom in your location, then the instructor’s IP address would be 192.168.1.100. Enter this same IP address as the Preferred DNS Server address.

32. Name the Loopback adapter:

a. Right-click Local Area Connection 2 (the loopback adapter) and choose Rename.

b. Type Loopback Adapter and press Enter.

c. Close Network And Dial-up Connections.

33. Change your DNS zone type from Active Directory-integrated to Standard Primary by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→DNS.

b. Expand your DNS server and expand Forward Lookup Zones. Select and right-click the Domain100.internal zone object, and choose Properties.

c. Change the Type to Standard Primary. Click OK twice.

d. Change Allow Dynamic Updates to Yes. Click OK.

e. Close DNS.


34. Create a DHCP scope by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→DHCP.

b. Right-click the DHCP server object (Server100) and choose New Scope.

c. Use the New Scope Wizard to create a DHCP scope using the following parameters:

— Scope Name: Local100

— Address Range: 192.168.#.101-101/24, where # is your unique number for the classroom (a range of just one address).

— Do not add exclusions.

— Accept the default lease duration.

— Do not configure DHCP scope options.

— Close DHCP.

35. Configure and enable RRAS by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

b. Right-click the server object (Server100) and choose Configure And Enable Routing And Remote Access using the following settings:

— Select Virtual Private Network (VPN) Server.

— Accept the default protocols (TCP/IP).

— Select the Loopback Adapter as the Internet connection.

— Assign IP addresses automatically.

— Don’t use RADIUS.

— Click OK to close the DHCP Relay Agent message box.

c. Expand the RRAS server object, expand IP Routing, and open the properties of the DHCP Relay Agent. Configure the agent with the server’s IP address.

d. Right-click DHCP Relay Agent and choose New Interface. Select the Loopback Adapter. Accept the default relay agent properties.

e. Collapse all the expanded nodes of the tree and close Routing And Remote Access.

36. Allow authenticated users to log on to the domain controller by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→Domain Controller Security Policy.

b. Expand Security Settings, Local Policies.

c. Select User Rights Assignment.

d. In the details pane, double-click Log On Locally.

e. In the Security Policy Setting dialog box, click Add.

f. In the Add User Or Group dialog box, click Browse.

g. In the Select Users Or Groups dialog box, click Authenticated Users.

h. Click Add, and then OK.

i. Click OK twice more. Close Domain Controller Security Policy.

37. Create the Web sites you’ll use in class by completing the following steps:


a. Copy the Northeast, Boc2, and Swashtop files from the student data files to C:\Inetpub\wwwroot. Rename Northeast to Default. (This creates the Nuclear Plant Training Site home page.)

b. Copy the Register and Dac10001 files from the student data files to the C:\Register directory.

c. In the C:\Register directory, rename Register to Default. This creates the Student Registration Web page.

If you find you can’t connect to the Web pages, check to be sure the files aren’t named with double file extensions.

d. Open Internet Explorer and connect to http://Server100 to verify that you can see the default Web site (the Nuclear Plant Training Site).

e. Connect to http://Server100/Register to verify that you can see the Registration Web Page. Close Internet Explorer.

38. Open the course PowerPoint slides to verify that they display properly.

39. Reboot the computer into Windows XP Professional. You don’t have to log on; the student computer setups and the first activity in the course require the instructor computer to be booted to Windows XP Professional.

Install the Student Computers

IMPORTANT: The instructor computer (CLIENT100) must be booted to the Windows XP Professional operating system for the student computer unattended installations to work correctly.

Install the student computers by completing the following steps on each computer:

1. Use the Windows 98 boot disk to boot the computer.

2. Choose Start Computer With CD-ROM Support.

3. At the A:\ prompt, enter fdisk to start Fdisk.exe. Enter Y to enable large disk support.

4. Use Fdisk to delete any existing partitions.

5. Use Fdisk to create a 6 GB primary DOS partition. (You may use a larger partition if you’d like, but it must be at least 6 GB.)

6. Set the new partition as the active partition.

7. Create a 4 GB extended DOS partition. Define a logical drive using the entire extended partition.

8. Press Esc until you return to the command prompt. Restart the computer.

9. Use the Windows 98 boot disk to reboot the computer. Start Computer With CD-ROM Support.

10. Format the C and D drives. You do not need to copy the system files.

11. Boot the computer with the Student floppy disk.

12. When prompted, insert the Windows 2000 Server installation CD and press Spacebar.

13. When you see the CD Found message, press any key to continue.

14. Remove the Windows 2000 Server installation CD from the CD drive and eject the floppy disk when the initial file copy completes and the Windows 2000 Server installation starts (the Windows 2000 Server Setup blue screen).

15. Enter the following information for Windows 2000 Server when you are prompted:


a. Enter an appropriate name and organization.

b. Enter the product key, if necessary.

c. Name each student computer Server#, where # is a unique integer you assign to each student. Do not change the password that’s been entered automatically.

d. Set the date and time appropriate for your location.

16. Click OK to acknowledge that you must enter a domain name. Then, during the Active Directory Installation Wizard, enter the following information when prompted:

a. Full DNS Name: domain#.internal, where # is the unique number assigned to this student/computer.

b. Domain NetBIOS name: DOMAIN#.

c. Accept the default locations for the Active Directory database and log.

d. Accept the default location for the SYSVOL folder.

e. Click OK in the DNS message box.

f. Verify that Yes, Install And Configure DNS On This Computer is selected.

g. Select Permissions Compatible Only With Windows 2000 Servers.

h. Accept the password that’s automatically entered as the Directory Services Restore Mode Administrator password.

i. When prompted for the install files, change the Copy Files From location from E:\i386 to D:\i386 and click OK.

j. Click Finish to complete the wizard. Restart when prompted. You will be logged back on automatically. (If not, log on as Administrator with a password of !Pass1234.)

17. When prompted, configure the TCP/IP protocol settings with a static IP address of 192.168.y.#, where y is your unique number for the classroom and # is the unique integer you assigned to each student. For example, if this is the only classroom in your location, and this is the third student computer you are installing, then the student computer name would be Server3 and the IP address would be 192.168.1.3. Accept the subnet mask of 255.255.255.0.

18. When prompted, enter the IP address of the CLIENT100 computer (instructor’s computer with the SPlus share). Setup will install Windows 2000 SP2 and restart automatically.

19. After the computer reboots automatically, if necessary manually log on as Administrator with a password of !Pass1234.

20. Enter the following information for the Microsoft Exchange 2000 Server Setup when you are prompted:

a. Agree to the license agreement.

b. Enter the product key, if necessary.

c. For the Microsoft Exchange 2000 component, choose the Custom installation action.

d. Verify that Install is selected for Microsoft Exchange Messaging and Collaboration Services.

e. Verify that Install is selected for Microsoft Exchange System Management Tools.

f. Choose Install for Microsoft Exchange Instant Messaging Service.

g. Create a new Exchange Organization named Organization#.

h. Agree to the license agreement.


i. Click Finish to complete the wizard and start the Exchange 2000 Server SP3 installation.

21. After the Exchange 2000 Server SP3 installation is complete, enter the following information for the Windows XP Professional installation when you are prompted:

a. Enter the product key, if necessary.

b. Enter the appropriate name and organization for your environment.

c. For each student computer, name the computer Client#, where # is a unique integer you assigned to each student. Do not change the password that’s been entered automatically.

d. Set the date and time settings appropriate for your location.

22. When the automated setup is completed, the computer will restart automatically, boot into Windows XP Professional, and log you on as Administrator.

23. Configure the IP address by completing the following steps:

a. In Control Panel, open Network And Internet Connections.

b. Open Network Connections.

c. Right-click Local Area Connection and choose Properties.

d. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.200#, where y is your unique number for the classroom and # is a unique integer you assigned to each student. For example, in classroom 1, the address for Client6 would be 192.168.1.206. Enter a subnet mask of 255.255.255.0. Do not enter a classroom DNS server address.

24. Create and configure user accounts by completing the following steps:

a. From the Start menu, right-click My Computer and choose Manage.

b. Expand Local Users And Groups, and select the Users folder.

c. Right-click the Users folder and select New User.

d. Name the new user Admin# and give it a password of password. Uncheck the checkbox for the user to change their password at next logon. Click Create and then Close.

e. Right-click the Admin# user and select Properties.

f. Select the Member Of tab.

g. Click Add and, in the Enter The Object Names To Select text box, enter Administrators. Click OK.

h. Click OK and close Computer Management.

25. Install Microsoft Network Monitor 2.0 from the \\Client100\SPlus\SMS\NMext\I386 directory by double-clicking the Setup.exe file. When prompted, accept the license agreement and select all default choices.

26. Configure Windows 2000 Server to be the default choice in the boot loader menu by completing the following steps:

a. From the Start menu, right-click My Computer and choose Properties.

b. Select the Advanced tab.

c. Under Startup And Recovery, click Settings.

d. From the Default Operating System drop-down list, select Microsoft Windows 2000 Server /fastdetect.

e. Click OK twice.


27. Reboot the computer into Windows 2000 Server. Log on as Administrator with the password of !Pass1234.

28. Configure the preferred DNS server address by completing the following steps:

a. In Control Panel, open Network And Dial-up Connections.

b. Right-click Local Area Connection and choose Properties.

c. Open the properties of the TCP/IP protocol and configure the Preferred DNS Server with the same IP address you have assigned to this server.

29. Name the Loopback adapter:

a. In Network and Dial-up Connections, right-click Local Area Connection 2 (the loopback adapter) and choose Rename.

b. Type Loopback Adapter and press Enter.

c. Close Network and Dial-up Connections.

30. Change your DNS zone type from Active Directory-integrated to Standard Primary by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→DNS.

b. Expand your DNS server and expand Forward Lookup Zones. Select and right-click the Domain100.internal zone object, and choose Properties.

c. Change the Type to Standard Primary. Click OK twice.

d. Change Allow Dynamic Updates to Yes. Click OK.

e. Close DNS.

31. Create a DHCP scope by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→DHCP.

b. Right-click the DHCP server object (Server#) and choose New Scope.

c. Use the New Scope Wizard to create a DHCP scope using the following parameters:

— Scope Name: Local#, where # is the student/computer’s unique number.

— Address Range: 192.168.y.50+#/24, where y is your unique number for the classroom and # is a unique integer you assigned to each student. For example, for Server6 in classroom 1, create a range of 192.168.1.56 – 192.168.1.56 (a range of just one address).

— Do not add exclusions.

— Accept the default lease duration.

— Do not configure DHCP scope options.

— Close DHCP.

32. Configure and enable RRAS by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

b. Right-click the server object (Server#) and choose Configure And Enable Routing And Remote Access using the following settings:

— Select Virtual Private Network (VPN) Server.

— Accept the default protocols (TCP/IP).

— Select the Loopback Adapter as the Internet connection.

— Assign IP addresses automatically.

— Don’t use RADIUS.


— Click OK to close the DHCP Relay Agent message box.

c. Expand the RRAS server object, expand IP Routing, and open the properties of the DHCP Relay Agent. Configure the agent with the server’s IP address.

d. Right-click DHCP Relay Agent and choose New Interface. Select the Loopback Adapter. Accept the default relay agent properties.

e. Collapse all the expanded nodes of the tree and close Routing And Remote Access.

33. Allow authenticated users to log on to the domain controller by completing the following steps:

a. From the Start menu, choose Programs→Administrative Tools→Domain Controller Security Policy.

b. Expand Security Settings, Local Policies.

c. Select User Rights Assignment.

d. In the details pane, double-click Log On Locally.

e. In the Security Policy Setting dialog box, click Add.

f. In the Add User Or Group dialog box, click Browse.

g. In the Select Users Or Groups dialog box, click Authenticated Users.

h. Click Add, and then OK.

i. Click OK twice more. Close Domain Controller Security Policy.

34. Create the Web sites you’ll use in class by completing the following steps:

a. Copy the Northeast, Boc2, and Swashtop files from the student data files to C:\Inetpub\wwwroot. Rename Northeast.htm to Default.htm. (This creates the Nuclear Plant Training Site home page.)

b. Copy the Register.htm and Dac10001.gif files from the student data files to the C:\Register directory.

c. In the C:\Register directory, rename Register.htm to Default.htm. This creates the Student Registration Web page.

d. Open Internet Explorer and connect to http://Server# to verify that you can see the default Web site (the Nuclear Plant Training Site).

e. Connect to http://Server#/Register to verify that you can see the Registration Web Page. Close Internet Explorer.
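The instructor and student procedures above fix a naming and addressing scheme for the classroom: Server100/Client100 at .100/.200 for the instructor, Server#/Client# at .# and .200# for each student, a one-address DHCP scope on every server, and each server using its own address as its preferred DNS server. The script below is an added example, not part of the course manual, that derives the complete plan for a classroom and checks it for invalid or colliding addresses before anyone types values into dialog boxes; it also renders the netsh equivalents of the GUI TCP/IP and DHCP steps. It assumes that 192.168.y.200# means 200 + # (the manual's own example gives Client6 the address .206), that the adapter is named Local Area Connection as in the GUI steps, and that the netsh syntax is the Windows 2000/XP form; the generated commands should be checked against the classroom machines before use.

```python
"""Classroom addressing plan for the Appendix E setup.

Added example, not part of the course manual. It encodes the naming and
addressing conventions the instructor and student procedures spell out and
checks that a given classroom size yields a valid, collision-free plan.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

SUBNET_MASK = "255.255.255.0"
# Adapter name used in the manual's GUI steps (assumed unchanged).
NIC = "Local Area Connection"


@dataclass(frozen=True)
class Host:
    name: str                  # computer name, e.g. Server3 or Client100
    address: str               # static IPv4 address on the classroom /24
    dns: Optional[str]         # preferred DNS server; servers point at themselves
    dhcp_scope: Optional[str]  # one-address DHCP scope name (servers only)
    dhcp_range: Optional[str]  # the single address that scope hands out


def classroom_plan(y: int, student_count: int) -> List[Host]:
    """Return every host the setup steps assign to classroom y.

    Conventions taken from the procedures:
      instructor: Server100 -> 192.168.y.100, Client100 -> 192.168.y.200,
                  scope Local100 -> 192.168.y.101
      student #:  Server#   -> 192.168.y.#,   Client#   -> 192.168.y.(200+#),
                  scope Local#   -> 192.168.y.(50+#)
    "200#" is read as 200 + # because the manual's example maps Client6 to .206
    (an assumption of this example). Collisions are detected rather than assumed
    away: with 50 students, scope Local50 would hand out .100, Server100's own
    address, and the plan is rejected.
    """
    if not 1 <= y <= 254:
        raise ValueError("classroom number y must be 1..254")
    if student_count < 1:
        raise ValueError("a classroom needs at least one student")
    net = ipaddress.ip_network(f"192.168.{y}.0/24")

    def addr(last_octet: int) -> str:
        # Reject anything outside the /24 or on its network/broadcast address.
        ip = ipaddress.ip_address(f"192.168.{y}.{last_octet}")
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is not a usable host address in {net}")
        return str(ip)

    hosts = [
        Host("Server100", addr(100), addr(100), "Local100", addr(101)),
        Host("Client100", addr(200), None, None, None),
    ]
    for n in range(1, student_count + 1):
        server_ip = addr(n)
        hosts.append(Host(f"Server{n}", server_ip, server_ip, f"Local{n}", addr(50 + n)))
        hosts.append(Host(f"Client{n}", addr(200 + n), None, None, None))

    # Every static address and every DHCP-issued address must be unique.
    used = [h.address for h in hosts] + [h.dhcp_range for h in hosts if h.dhcp_range]
    dupes = sorted({a for a in used if used.count(a) > 1})
    if dupes:
        raise ValueError(f"address collision in plan: {dupes}")
    return hosts


def netsh_commands(host: Host) -> List[str]:
    """Command-line equivalent of the manual's GUI TCP/IP and DHCP steps.

    Windows 2000/XP netsh syntax (assumed); the DHCP commands assume the DHCP
    server is the machine they run on, as in the setup steps.
    """
    cmds = [
        f'netsh interface ip set address name="{NIC}" source=static '
        f'addr={host.address} mask={SUBNET_MASK} gateway=none'
    ]
    if host.dns:
        cmds.append(f'netsh interface ip set dns name="{NIC}" source=static addr={host.dns}')
    else:
        # Clients are told not to configure a classroom DNS server address.
        cmds.append(f'netsh interface ip set dns name="{NIC}" source=static addr=none')
    if host.dhcp_scope:
        subnet = str(ipaddress.ip_network(f"{host.address}/24", strict=False).network_address)
        cmds += [
            f"netsh dhcp server add scope {subnet} {SUBNET_MASK} {host.dhcp_scope}",
            f"netsh dhcp server scope {subnet} add iprange {host.dhcp_range} {host.dhcp_range}",
            f"netsh dhcp server scope {subnet} set state 1",
        ]
    return cmds


if __name__ == "__main__":
    for h in classroom_plan(1, 3):
        print(h.name, h.address, h.dhcp_range or "", *netsh_commands(h), sep="\n  ")
```

Running the plan for 50 students fails on purpose: scope Local50 would issue .100, the instructor server's own address, and a one-address DHCP scope hides that kind of overlap until two machines answer for it. Checking the whole plan before configuring the first machine is cheaper than chasing a duplicate address across a classroom later.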


Due to classroom setup constraints, some labs cannot be keyed in sequence immediately following their associated lesson. Your instructor will tell you whether your labs can be practiced immediately following the lesson or whether they require separate setup from the main lesson content.

LESSON 1 LAB 1
Classifying Attacks

Activity Time:

15 minutes

Scenario:

Your IT department wants to know when they are being attacked and what type of attacks are occurring. As the new security administrator for your organization, you have been asked to do a presentation on the different types of attacks that may occur on your network. Before you do, you’ll take a look at some sample attacks that have occurred in your organization and classify them into the appropriate categories.

LESSON LABS


Lesson Labs 365


1. In all cases of poor performance, your IT administrator Ronald has already ruled out the possibility of this occurring as either a temporary spike in traffic or not enough hardware in your servers by using existing baselines. Ronald knows it’s an attack, but he doesn’t know the type of attack. Fill in the blanks with the most likely types of attack(s).

A help desk person in your organization sniffs the network for telnet user accounts and passwords. She then uses this information to log on to the network to steal sensitive data. What type of attack(s) did the attacker use?

The help desk receives a call from someone claiming to be a support person asking for the FQDN and IP address of the Web server in your organization. A short while later, no one on the Internet can get to your Web server because the performance has suddenly dropped. What type of attack(s) did the attacker use?

An IT administrator looks at Human Resources records, then deletes the audit log file to erase any record of him accessing the files. Just to be sure he hides his steps, he also does a restore from tape. The next day, he tells the other IT folks that there was a problem with a server hard drive and he had to restore a tape backup. What type of attack(s) did the attacker use?

A user forwards an email with attachments to other users in the organization. The email stated that a person was in dire need of help and to please forward the email to others immediately. It causes a virus to spread within the organization. What type of attack(s) did the attacker use?

An attacker scans your network and finds Port 21 open. She then retrieves a user name and password for your server. After logging on, she creates an account with administrative privileges. Later, she logs on with this account and steals data. What type of attack(s) did the attacker use?


LESSON 2 LAB 1
Hardening an Operating System

Activity Time:

1 hour(s)

You can find a suggested solution for this activity in the Hardening an Operating System.txt file in the Solutions folder in the student data files.

Setup:

You have a new installation of a Windows 2000 Server on a computer named NUC01 in a domain named NUCLEAR. The default administrator account has been set up with a password of !Pass1234. Tools, Service Packs, and data files for this activity are available in the C:\SPlus folder:

• Windows 2000 Service Pack 2: \W2KSP2

• Windows 2000 Security Rollup Package 1: \W2KSRP

• Internet Explorer 6: \IE6

• Windows Media Player Security Patch: \WMPPatch

• Microsoft Baseline Security Analyzer: \MBSA

Scenario: You are the security administrator for a nuclear plant and you need to make sure your new servers are secure. The Windows 2000 servers are currently being installed with the default configuration and this is leaving the servers vulnerable to attacks. The nuclear plant wants to minimize the possibility of those attacks and does not want to use IIS. The server being installed is also a domain controller, and according to the Active Directory design team, you need to harden with the default high security template. Before connecting the new Windows 2000 Servers to your network and joining the computers to the domain, you want to make sure that the server operating system on the domain controller is hardened to minimize the likelihood of attacks from both internal and external users.

1. Install the Microsoft Baseline Security Analyzer.

If you are not connected to the Internet, MBSA will be unable to read the list of current security patches from Microsoft. If the system determines that there are current patches that have not been implemented, this could mean that Microsoft released additional patches since this course was written. Make sure to check www.microsoft.com/security and the Windows Update Web site (http://windowsupdate.microsoft.com) for the latest security patches.

2. Run the Microsoft Baseline Security Analyzer.

3. Correct the problems found by the Microsoft Baseline Security Analyzer.


4. Configure the domain controller with the default high security template.

LESSON 3 LAB 1

Hardening a Web Server

Activity Time:

1 hour(s)

You can find a suggested solution for this activity in the Hardening a Web Server.txt file in the Solutions folder in the student data files.

Setup: You have a new installation of a Windows 2000 stand-alone server on a computer named Server#, where # is a unique integer assigned to each student in your lab, in a workgroup named workgroup. The default administrator account has been set up with a password of !Pass1234. The base operating system has been hardened. Tools, Service Packs, and data files for this activity are available in the C:\SPlus directory in the following folders:

• IIS\SecRollup: Microsoft Internet Information Server (IIS) Security Rollup Package

• IIS\Lockdown: Microsoft IIS Lockdown Tool

Scenario: You are the security administrator for a college and you need to make sure your new Web servers are secure. The Windows 2000 servers are currently being installed with the default configuration and this is leaving the servers vulnerable to attacks. The college wants to minimize the possibility of those attacks. They also do not want FTP installed but would like to use NNTP and ASP. Before connecting the new Windows 2000 Servers to your network, you want to make sure that the Web server is hardened to minimize the likelihood of attacks from both internal and external users.

1. Install the Microsoft Internet Information Server (IIS) Security Rollup Package.

2. Verify that logging is enabled on the default Web site.

3. Install the Microsoft IIS Lockdown Tool.

4. Run the Microsoft IIS Lockdown Tool with the appropriate options.

5. What other steps would you take if you were going to further harden the Web server?


LESSON 4 LAB 1

Securing Network Traffic Using IPSec

Activity Time:

45 minutes

You can find a suggested solution for this activity in the IPSec.txt file in the Solutions folder in the student data files.

Setup: You have two Windows XP Professional computers named NUCXP1 and NUCXP2. There is an administrative-level account on the computer named Admin#. The password for this account is !Pass1234.

Scenario: You are the security officer at a nuclear plant and you need to make sure that highly sensitive data transferred between Windows XP computers is secure. In the past, the nuclear plant has had problems with employee personnel information being compromised as it traveled across the network. The plant has decided to not use certificates or deploy Active Directory for now but wants to require the use of IPSec to secure all IP traffic. The first Windows XP computers you need to secure are two systems that security officers use daily in a small workgroup.

1. On both Windows XP computers, create an MMC console with the IP Security Policy Management and IP Security Monitor snap-ins.

2. On both Windows XP computers, configure the appropriate IPSec policy with the same preshared key.

3. On both Windows XP computers, assign the policy.

4. On NUCXP1, open Network Monitor and start a capture between the two Windows XP computers.

5. On NUCXP1, try to connect to NUCXP2 to verify the Security Association.

6. On NUCXP1, stop the capture and verify IPSec is being used between the two computers.

7. Which frame showed the security association between the two computers?

8. How else could you verify the IPSec policy is working?


LESSON 5 LAB 1

Installing and Configuring a Certificate Authority

Activity Time:

45 minutes

You can find a suggested solution for this activity in the Certificate Authority.txt file in the Solutions folder in the student data files.

Setup: You have two new installations of a Windows 2000 Server configured as domain controllers. The computer names are BROKERSRV1 and BROKERSRV2, installed in a domain named BROKERS. The default administrator account has been set up with a password of !Pass1234.

Scenario: You are the security administrator for a brokerage firm and you need to make sure your email communication is secure. The brokerage is currently not encrypting email transmissions and wants to prevent any attacker from intercepting any emails that contain private client information. You want to make sure that email communications are secure by implementing the PKI plan from the brokerage firm’s IT department to minimize the likelihood of attacks from both internal and external users. The plan calls for an enterprise root CA and an enterprise subordinate CA and backing up the CA itself along with a separate backup of the domain controller. Authenticated users should be able to use certificate templates. You should verify the backups are successful by periodically doing a restore. The IT team will back up the domain controllers at night and later, the email administrators will start using certificates from the CA. The IT department wants these descriptions for the CAs:

1. Enter this CA information for the enterprise CA when prompted:

• Broker Root CA.

• Education as the Organizational Unit.

• Enter Syracuse as the City.

• Enter New York as the State Or Province.

• Verify that US is selected as the Country/Region.

• Enter [email protected] as the E-mail.

• Enter Enterprise CA Root for Syracuse as the CA Description.

• From the Valid For drop-down lists, select 2 Years.

2. Enter this CA information for the subordinate CA when prompted:

• Broker Subordinate CA.

• Education as the Organizational Unit.

• Enter Syracuse as the City.

• Enter New York as the State Or Province.

• Verify that US is selected as the Country/Region.

• Enter [email protected] as the E-mail.

• Enter Subordinate CA Root for Syracuse as the CA Description.

• From the Valid For drop-down lists, select 2 Years.

1. Install the enterprise root CA.

2. Install the enterprise subordinate CA.

3. Verify that Certificate Services was installed properly on each domain controller.

4. Configure Active Directory so that Authenticated Users have permissions to use certificate templates.

5. Back up the individual CAs.

6. Test a restore of the CAs.

LESSON 6 LAB 1

Managing and Using Certificates

Activity Time:

30 minutes

You can find a suggested solution for this activity in the Certificates.txt file in the Solutions folder in the student data files.

Setup: You have a new installation of a Windows 2000 Server configured as a standalone root CA. The computer name is BankSRV1. The default administrator account has been set up with a password of !Pass1234. You have an email address of [email protected].

Scenario: You are the security administrator for an international bank based in Chicago, Illinois, and you need to make sure your email communication is secure. The bank is currently not encrypting email transmissions and wants to prevent any attacker from intercepting any emails that contain confidential information. You want to make sure that email communications are secure by implementing the PKI plan from the brokerage firm’s IT department to minimize the likelihood of attacks from both internal and external users. The bank PKI plan requires a standalone root CA, which has already been installed. Many of the bank employees use laptops. You need to make sure enrollment of certificates is working properly before you let laptop users enroll. You also need to back up their individual private keys in case they leave the organization or lose their private key. You should verify the backups are successful by periodically doing a test restore. The IT team will back up the servers at night and later, the email administrators will start using certificates from the CA once you have verified the enrollment process is working properly. The desktop team will later configure users’ email to use the certificates. The IT department stated that once you are done testing with your account you should revoke your certificate and publish the CRL. The planning document calls for daily updates to the CRL.

1. Request an email certificate for your user account.

2. Issue the pending request.

3. Install the new certificate.

4. Back up the certificate and private key.

5. Delete your email certificate.

6. Restore the certificate and private key from the backup.

7. Revoke your certificate.

8. Change the CRL publishing interval.

9. Publish the CRL.

LESSON 7 LAB 1

Implementing and Enforcing a Security Policy for an Organization

Activity Time:

30 minutes

You can complete this activity immediately following the lesson or any other time.

You can find a suggested solution for this activity in the Policy.txt file in the Solutions folder in the student data files.

Data Files:

• UKSecurityPolicy.rtf


Scenario: As the security administrator for your organization located in London, you have been assigned the task of implementing a security policy. You have downloaded a sample policy from www.ruskwig.com/security_policies.htm and named it UKSecurityPolicy.rtf. You’ll need to customize it later for your environment. A help desk employee, Vladimir, has given you a report of information gathered at the help desk and he thinks that some of these are possible security issues. He asks you to determine whether or not they are within the guidelines of your new Security Policy. You will not be responsible for taking any action against the users, but it is your responsibility to enforce the policy and make sure the appropriate changes are made based on possible breaches. You will then report back to Vladimir with your findings.

Using the UKSecurityPolicy.rtf policy document, determine which of the following scenarios are within the guidelines of the organization’s new policy. If not, what steps would you take to enforce the security policy?

1. A user named Allison brings in some floppy disks from home which have some documents on them that she was editing at home. She scanned them at home with a virus scanner before bringing them into the office.

2. A user named Amjad downloads some shareware that will assist him in creating scripts. It was downloaded from a well-known Web site and Amjad started using it immediately after downloading.

3. A user named Laura accidentally gets a virus on her computer. Rather than reporting the virus, she immediately scans her system and is happy that it is now clean.

4. An IT administrator named Ulf logs on to a UNIX system as an administrator to install new IDS software.

5. An accountant named Rolly uses ftp to download some files from the corporate UNIX FTP server.

6. Angela, the NetWare administrator, configures the NetWare server for three grace logins.

7. Kelly set up the voicemail accounts with passwords of eight characters.

8. An IT administrator, Catherine, installs a licensed, authorized copy of Microsoft SMS to inventory computers.

9. The human resource department has been locking their workstations when they are not in use.

10. An IT administrator, Alex, installs a new Windows 2000 server, records the administrator password, and locks it in the IT room.


LESSON 8 LAB 1

Monitoring for Intruders

Activity Time:

45 minutes

You can find a suggested solution for this activity in the Monitoring.txt file in the Solutions folder in the student data files.

Data Files:

• Monitoring.txt

Setup: Tools are available on each computer in the C:\SPlus folder. Your computer is a Windows XP computer named ITStaff1. Your user name is Admin# with a password of !Pass1234.

Scenario: You’ve recently been hired to assist the security administrator at a large university. Your first task is to try to figure out who has been trying to break in to student and faculty computers across campus. The security administrator reports that his investigation so far has determined that an intruder, possibly from within the campus network, has been scanning ports and trying to access a number of computers using a variety of methods, including ftp, telnet, and HTTP. The intruder may be trying to access and compromise sensitive data, such as exams that teachers have stored on their hard drives and student grade reports.

The security administrator wants you to use Windows XP security audits, and the other tools at your disposal, on a standalone Windows XP computer to try to lure the intruder and discover who it is. You’ve been told to use the Windows XP computer SciFaculty1, which contains a folder named Physics Exams that’s meant to appeal to the intruder. There is an administrative-level account on the computer named Admin#. The Administrator has also copied the following software onto the SciFaculty1 computer:

• NFR BackOfficer Friendly

• ISS RealSecure Desktop Protector evaluation version

You have the following software available on the ITStaff1 computer:

• @stake L0phtCrack4

• Foundstone SuperScan v2.0

Before you go live on the network with the new honeypot, you’ve been instructed to install and test the intrusion detection software and the security audits.

1. Install RealSecure Desktop Protector on SciFaculty1.

2. Install and configure BackOfficer Friendly on SciFaculty1.


3. Configure auditing on SciFaculty1.

4. On ITStaff1, use SuperScan to scan SciFaculty1.

5. On ITStaff1, use L0phtCrack to attempt to scan for passwords on SciFaculty1.

6. Try to connect to SciFaculty1 from your computer using at least one user account. Try to access the Physics Exam folder using the C$ administrative share.

7. Try to ftp and telnet into SciFaculty1.

8. Try to connect to SciFaculty1 using HTTP.

9. What types of intrusion alerts do you see on SciFaculty1?

10. What types of events were written to the security log on SciFaculty1?


SOLUTIONS

Lesson 1

Activity 1-1

1. True. True or False? A supposed customer calls the help desk stating that she cannot connect to the e-commerce Web site to check order status. She would also like a user name and password. The user gives a valid customer company name, but is not listed as a contact in the customer database. The user doesn’t know the correct company code or customer ID.

2. False. True or False? The VP of Sales is in the middle of a presentation to a group of key customers and accidentally logged off. She urgently needs to continue with the presentation, but forgot her password. You recognize her voice on the line, but she is supposed to have her boss make the request according to the company password security policy.

3. False. True or False? A new accountant was hired and is requesting that a copy of the accounting software be installed on his computer so he can start working immediately. Last year, someone internal compromised company accounting records, so distribution of the accounting application is tightly controlled. You have received all the proper documentation for the request from his supervisor and there is an available license for the software.

4. True. True or False? Christine receives a message in her instant messaging software asking for her account and password. The person sending the message states that the request comes from the IT department, because they need to do a backup of Christine’s local hard drive.

5. True. True or False? Rachel gets an email with an attachment that is named NewVirusDefinitions.vbs.

6. True. True or False? A user calls the help desk stating that he is a phone technician needing the password to configure the PBX and voice mail system.

7. True. True or False? A security guard lets a vendor team through without a required escort as they have shirts on from the preferred vendor, and they stated they were called in to fix an urgent problem. The guard attempted to call the authorization contact in the organization, but the phone was busy for over 10 minutes.

8. False. True or False? The CEO of the organization needs to get access to data immediately. You definitely recognize her voice, but a proper request form hasn’t been filled out to modify the permissions. She states that normally she would fill out the form and should not be an exception, but she urgently needs the data.


Activity 1-2

1. Kim, a help-desk staffer, gets a phone call from Alex in human resources stating that he can’t log on. Kim looks up the account information for Alex and sees that the account is locked. This is the third time the account has locked this week. Alex insists that he was typing in his password correctly. Kim notices that the account was locked at 6 A.M.; Alex says he was at a meeting at a client’s site until 10 A.M. today. It seems like a case of a password attack.

2. Judi, who does backups, states that according to her log files, an IT administrator performed a restoration on the accounting server last night. You send out an email asking all the members of the IT department whether there were any problems with the servers last night as you see nothing entered on the IT problem log forms. All of IT responds stating no problems occurred last night. Something isn’t right, and it all adds up to a misuse of privilege attack.

3. You find out the security log was cleared on the file and print server. No one in IT claims responsibility. No matter who did this, you consider it an audit attack.

4. Your antivirus software has detected the ILOVEYOU virus. You’re under attack from a malicious code attack.

5. While administering user accounts you notice that a new account called LyleBullock has been created on your server. You know of no user in your organization with that name. The account also is part of the administrators group. It’s a classic backdoor attack.

6. While you are connected to another host on your network, the connection is suddenly dropped. When you review the logs at the other host, it appears as if the connection is still active. You suspect a hijacking attack.

7. Your e-commerce Web server is getting extremely slow. Customers are calling stating that it is taking a long time to place an order on your site. This could be a Denial of Service (DoS) attack.

8. Your intranet Webmaster, Tim, has noticed an entry in a log file from an IP address that is within the range of addresses used on your network. Tim does not recognize the computer name as valid. Your network administrator, Deb, checks the DHCP server and finds out the IP address is not in any of the scopes. This seems to be a case of an IP spoofing attack.

9. Tina, the network analysis guru in your organization, analyzes a network trace capture file and finds out that packets have been intercepted and retransmitted to both a sender and a receiver. You’ve experienced a man-in-the-middle attack.

10. You get an email from an outside user letting you know in a friendly way that she found it very easy to determine the correct password to access your FTP server. To prove it, she includes the FTP password in the email. All your files are still on the FTP server and have not been modified. Although this person had no malicious intent, you still consider it an eavesdropping attack.

Activity 1-3

1. An intruder enters a locked building at night and steals five laptops from various users in the software development department. What type of attack is this?

This is a hardware attack.


2. An intruder enters a locked building at night, sits at a user’s desk, and tries to enter a user name and password to log on to the computer based on notes he finds taped to the user’s monitor. What type of attack is this?

This is a software attack (password attack).

3. To obtain user names and passwords, an attacker installs a device on a keyboard that records the user’s keystrokes. What type of attack is this?

This is a hardware attack.

4. An attacker removes the battery backup on a critical server system and then cuts power to the system, causing irreparable data loss. What type of attack is this?

This is a hardware attack.

5. An attacker tricks a user into running an executable that modifies an application on the user’s mobile device so it consumes more power than normal and depletes the device’s battery, causing data loss. What type of attack is this?

This is a combination of social engineering and software attacks (DoS attack).

Lesson 1 Follow-up

Lesson 1 Lab 1

1. A help desk person in your organization sniffs the network for telnet user accounts and passwords. She then uses this information to log on to the network to steal sensitive data. What type of attack(s) did the attacker use? Eavesdropping and misuse of privilege attacks.


The help desk receives a call from someone claiming to be a support person asking the FQDN and IP address of the Web server in your organization. A short while later, no one on the Internet can get to your Web server because the performance has suddenly dropped. What type of attack(s) did the attacker use? Social engineering and DoS/DDoS attacks.

An IT administrator looks at human resource records, then deletes the audit log file to erase any records of him accessing the files. Just to be sure he hides his steps, he also does a restore from tape. The next day, he tells the other IT folks that there was a problem with a server hard drive and he had to restore a tape backup. What type of attack(s) did the attacker use? Misuse of privilege, audit, and social engineering attacks.

A user forwards an email with attachments to other users in the organization. The email stated that a person was in dire need of help and to please forward the email to others immediately. It causes a virus to spread within the organization. What type of attack(s) did the attacker use? Malicious code and social engineering attacks.

An attacker scans your network and finds Port 21 open. She then retrieves a user name and password for your server. After logging on, she creates an account with administrative privileges. Later, she logs on with this account and steals data. What type of attack(s) did the attacker use? Port scanning, eavesdropping, and backdoor attacks.

Lesson 2

Activity 2-1

2. What type of attack is this?

Password attack.

4. What type of attack is this?

Port scan attack.

Activity 2-2

3. What type of security policy document is this?

A password policy document.

4. What other types of policy documents might you need in order to create a complete security policy?

Acceptable Use Policy; Audit Policy; Extranet Policy; Wireless Standards Policy.

5. Which of the general components of a policy document are represented in this document?

The document includes a policy statement (sections 1.0, 2.0, and 3.0), policy standards (section 4.1 and section 5.0), and guidelines (the remaining sections). It does not provide procedure steps for creating or changing passwords to conform to the policy.


6. How often must users change their passwords in order to adhere to this policy?

At least once every six months.

7. What is the minimum length for a password according to this policy?

Eight characters.

8. Would “gandalf8” be an acceptable password according to this policy? Why or why not?

No. It is simply the name of a fantasy character, followed by a digit. This is prohibited in section 4.2 A.
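A conformance check for the password rules these answers draw out (an eight-character minimum, a change at least once every six months, and the section 4.2 A prohibition that rejects gandalf8), written as an added Python example that is not part of the course materials; the word list, the 182-day approximation of six months and the sample dates are assumptions.

```python
"""Check a password against the policy rules discussed in Activity 2-2.

Added example, not from the Element K course. The rules encoded are the ones the
activity answers state: minimum length of eight characters, a change at least
once every six months, and no dictionary or fantasy-character name followed by
a digit (the "gandalf8" case, section 4.2 A). The word list is a constructed
stand-in for a real dictionary; "six months" is approximated as 182 days.
"""
from datetime import date, timedelta
from typing import List

MIN_LENGTH = 8
MAX_AGE_DAYS = 182  # assumption: "at least once every six months" expressed in days

# Constructed, deliberately tiny; a real check would load a full dictionary
# and name list.
COMMON_WORDS = {"gandalf", "frodo", "password", "welcome", "summer", "dragon"}


def is_word_plus_digits(password: str) -> bool:
    """True when the password is a listed word followed only by digits, e.g. gandalf8."""
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789")
    # At least one trailing digit must have been removed; a bare word is a
    # separate violation handled by the caller.
    return stripped != lowered and stripped in COMMON_WORDS


def check_password(password: str, last_changed: date, today: date) -> List[str]:
    """Return the list of policy violations; an empty list means the password conforms."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_WORDS:
        problems.append("is a plain dictionary or character name")
    elif is_word_plus_digits(password):
        problems.append("dictionary or character name followed by digits (section 4.2 A)")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append("not changed within six months")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts: (account, password, date of last change)
    sample_today = date(2024, 6, 1)
    for account, pw, changed in [
        ("bilbo", "gandalf8", date(2024, 3, 1)),
        ("kim", "Tr0ub4dor&3x", date(2024, 3, 1)),
        ("alex", "Tr0ub4dor&3x", date(2023, 1, 1)),
    ]:
        verdict = check_password(pw, changed, sample_today) or ["conforms"]
        print(f"{account}: {'; '.join(verdict)}")
```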

Activity 2-3

2. Is there a password policy setting that lets you set a minimum password age?

Yes, under Account Policies, Password Policy, you can configure a minimum password age.

3. By default, how long are passwords valid on a Windows XP computer?

The maximum password age is 42 days.

4. Is there a way to lock out a user after he or she has entered the wrong username or password three times?

Yes, under Account Policies, Account Lockout Policy, you can configure an account lockout threshold to lock out users after three failed logon attempts.

5. By default, which users have been assigned the right to log on locally to a Windows XPcomputer?

Members of the Administrators, Backup Operators, Power Users, and Users groups. Also, you can use the Guest account to log on to the computer. You can view these settings in the Log On Locally Policy in Local Policies, User Rights Assignment.

6. Is there a security option that will allow you to create and display a warning banner when users log on?

Yes, under Local Policies, Security Options, there’s a setting named Interactive Logon: Message Text For Users Attempting To Log On. You can enter a message to users using this setting that warns them against improper use of the computer.

7. Under Public Key Policies, what setting can you configure?

You can add a data recovery agent.

8. What are the three default IP Security policies?

The three default IP Security policies are Client (Respond Only), Secure Server (Require Security), and Server (Request Security).

9. True. True or False? Security settings configured at the domain level will override local policy settings on Windows XP computers in that domain.


Activity 2-4

1. What are some of the benefits of setting up an audit policy?

Answers might include: Help determine which use of company resources is legitimate and which might be the result of an attack on the network; monitor administration of user and group accounts and privilege use to look for signs of abuse of privilege; and track logon attempts to look for possible attacks.

2. In addition to monitoring the overall security of a network and its resources, why else might events in the security log be important?

Answers might include: They could be used at a later date as evidence in the prosecution of an attacker; and evidence of attacks could be used to justify increased spending on resources and equipment to increase network security.

3. What might a series of unsuccessful logon events indicate?

A series of unsuccessful logon attempts could indicate an attacker trying random password attacks.

4. What type of threat or attack could you discover by monitoring successful user logons?

Successful logons, depending on time, day, or location of the logon, could indicate successful password attacks, stolen user credentials, or even misuse of privilege.

5. What type of attack could you discover by monitoring successful changes to user or group accounts?

Depending on the circumstance, you could uncover misuse of privilege attacks.

6. What type of attack might an empty security log indicate?

It might indicate a successful audit attack.
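The log interpretation these answers describe (failed-logon series, off-hours successful logons, account changes, an emptied or cleared log), and the auditing review at the end of Lesson 8 Lab 1, as detection logic over constructed security-log lines; this is an added Python example, not course material. The Windows 2000/XP event IDs, the pipe-separated export format, the business-hours range and the failure threshold are assumptions.

```python
"""Triage a Windows 2000/XP security-log export for the patterns Activity 2-4
and the Lesson 8 honeypot lab ask you to look for.

Added example, not from the Element K course. Event IDs are those of the
pre-Vista Windows security log (assumption; the page does not list them).
The export format and the log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

EVENT_LOGON_OK = 528         # Successful Logon
EVENT_LOGON_FAIL = 529       # Logon Failure: unknown user name or bad password
EVENT_LOG_CLEARED = 517      # The audit log was cleared
EVENT_LOCAL_GROUP_ADD = 636  # Security Enabled Local Group Member Added

FAILURE_THRESHOLD = 5                 # failures per account inside the window
FAILURE_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)         # 07:00 to 18:59 treated as normal (assumption)

# Constructed sample export, one event per line: "timestamp|event id|account|detail"
SAMPLE_LOG = """\
2003-04-15 05:58:03|529|alex|bad password from ITSTAFF9
2003-04-15 05:58:09|529|alex|bad password from ITSTAFF9
2003-04-15 05:58:15|529|alex|bad password from ITSTAFF9
2003-04-15 05:58:20|529|alex|bad password from ITSTAFF9
2003-04-15 05:58:26|529|alex|bad password from ITSTAFF9
2003-04-15 06:01:40|528|alex|interactive logon from ITSTAFF9
2003-04-15 09:15:00|528|kim|interactive logon from HELPDESK1
2003-04-15 22:41:12|636|lylebullock|added to Administrators by alex
2003-04-15 22:43:55|517|alex|audit log cleared
"""


def parse_log(text: str) -> List[dict]:
    """Parse the export into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            event_id = int(parts[1])
        except ValueError:
            continue
        events.append({"when": when, "id": event_id, "user": parts[2], "detail": parts[3]})
    return events


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Map each suspected attack type to the log findings that support it."""
    findings: Dict[str, List[str]] = defaultdict(list)
    if not events:
        # An empty security log on an audited host is itself a finding (answer 6).
        findings["audit attack"].append("security log is empty")
        return dict(findings)

    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev["id"] == EVENT_LOGON_FAIL:
            failures[ev["user"]].append(ev["when"])
        elif ev["id"] == EVENT_LOGON_OK and ev["when"].hour not in BUSINESS_HOURS:
            # Answer 4: a successful logon at an unusual time deserves a look.
            findings["stolen credentials or misuse of privilege"].append(
                f"{ev['user']} logged on at {ev['when']:%H:%M}")
        elif ev["id"] == EVENT_LOG_CLEARED:
            findings["audit attack"].append(
                f"audit log cleared by {ev['user']} at {ev['when']:%H:%M}")
        elif ev["id"] == EVENT_LOCAL_GROUP_ADD and "Administrators" in ev["detail"]:
            # Answer 5 and Activity 1-2 item 5: an unexpected new administrator.
            findings["backdoor account"].append(f"{ev['user']}: {ev['detail']}")

    # Answer 3: a burst of failed logons for one account within a short window.
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILURE_WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                findings["password attack"].append(
                    f"{FAILURE_THRESHOLD}+ failed logons for {user} within {FAILURE_WINDOW}")
                break
    return dict(findings)


if __name__ == "__main__":
    for attack, evidence in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{attack}:")
        for item in evidence:
            print(f"  - {item}")
```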

Activity 2-5

2. How do the password policy settings differ in the compatws and securews templates?

In the compatws template, none of the password policies are defined, whereas there are password policy settings defined in the securews template.

3. If you want to audit account logon events and account management, but not object access, which security template would you use?

You would use the securews security template.

4. Which workstation template uses restricted groups to protect the Administrators and Power Users groups?

The hisecws template.

5. If you want to reset the system-wide security policy settings to the default configuration, you would apply the setup security template.

If you want to reset the security settings on the system root, you would apply the rootsec template.

6. Why would you choose to use Group Policy to apply security templates instead of applying the templates locally to individual computers?

You might choose to use Group Policy if you want to deploy security templates to multiple computers throughout an organization. It would be easier to use Group Policy to assign the templates at the domain or OU level than it would be to apply templates individually to multiple computers.

Activity 2-6

16. Can you tell if all current security patches have been implemented on the Windows XP Professional system? If not, why?

If you are not connected to the Internet, MBSA will be unable to read the list of current security patches from Microsoft. If the system determines that there are current patches that have not been implemented, this could mean that Microsoft released additional patches since this course was written. Make sure to check www.microsoft.com/security and the Windows Update Web site (http://windowsupdate.microsoft.com) for the latest security patches.

17. How would you fix some of the problems the scan has detected?

Answers may vary, but one step would be to disable unneeded services. This is not called for in the bank’s security recommendations document, however.

Activity 2-7

10. Can you tell if all current security patches have been implemented on the Windows 2000 Server system? If not, why?

If you are not connected to the Internet, MBSA will be unable to read the list of current security patches from Microsoft. If the system determines that there are current patches that have not been implemented, this could mean that Microsoft released additional patches since this course was written. Make sure to check www.microsoft.com/security and the Windows Update Web site (windowsupdate.microsoft.com) for the latest security patches.

11. How would you fix some of the problems the scan has detected?

Answers may vary, but one would be to disable unneeded services. This is not called for in the bank’s security recommendations document, however.

Activity 2-9

3. What other security templates are available in a default installation of Windows 2000?

Some answers are: hisecws.inf and compatws.inf.


Activity 2-10

3. Why would you delete the DHCP relay agent?

Answers might include: You don’t want the DHCP broadcast packets to traverse the router. This would also prevent valid clients from getting addresses. Alternatively, you could configure your router with a helper address to hand out DHCP addresses to clients.

Activity 2-11

2. How can you prevent users from stealing print jobs from the printers?

Answers may vary, but you could lock the room the printer is in or get a tray that locks on the printer itself.

4. What shares are currently available on the Windows 2000 server?

There are folders that are shared for Microsoft Exchange Server and to support Active Directory. There are also default administrative shares for each disk drive, shared as [drive$], and for the C:\WINNT folder, shared as [ADMIN$]. The Inter Process Communication share (IPC$) is required so that the computer can create communications sessions with other nodes on the network.

5. What could you do with the default administrative shares to harden the Windows 2000 server?

Don’t share them on startup. However, this would eliminate some remote administrativecapabilities.

Lesson 3

Activity 3-1

2. Why would you not check Activate Authentication in the General properties for RIP on the Local Area Connection interface?

The password is sent unencrypted and is not meant to be used as a security option. If an attacker used a sniffer, then he or she would see the password.

3. What type of attacks do the default Advanced settings for RIP on the Local Area Connection interface protect against?

These settings will protect against attacks that would attempt to update the routers incorrectly to cause looping and convergence problems on the routers.

5. What is the security benefit of the peer security feature that you have just enabled?

The router will now only accept update announcements from the peer router. Any other announcements (for example, from an attacker’s router) will be discarded.

6. What basic operating-system hardening procedures will also protect a software-based router such as this?

Answers might include strong password requirements for system logon, auditing, and system logon banners.


7. This software-based router does not have a live connection to another subnet. If the computer was a true multi-homed router with multiple network cards, what additional hardening steps should you take on this router to accomplish the additional security goals in the scenario?

Implement a filter on the external router interface to block any packets that come from an external source, but which carry an internal IP address.
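As an added example (not part of the course materials), the filter described in the answer above written out in Python. The prefixes in INTERNAL_PREFIXES, the interface names "external" and "internal", and the sample packets are assumptions constructed for this example. It also shows the mirror-image egress check, which goes beyond the answer: traffic leaving the site should carry an internal source address.

```python
import ipaddress

# Constructed example: the address space on the inside of the router.
# These prefixes are assumptions for this example, not values from the course.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr):
    """Return True when addr lies inside one of the internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def ingress_filter(interface, src, dst):
    """Decide what the router does with a packet arriving on `interface`.

    The interface names "external" and "internal" are assumptions of this
    example. The first rule is the one the answer calls for: a packet that
    arrives from outside but claims an internal source address is spoofed
    and is dropped. The second rule is the mirror image (egress filtering):
    traffic leaving the site must carry an internal source address.
    """
    if interface == "external" and is_internal(src):
        return "drop"
    if interface == "internal" and not is_internal(src):
        return "drop"
    return "forward"


def apply_filter(packets):
    """Run the filter over (interface, src, dst) tuples and return the
    decision for each, so a whole sample capture can be reviewed at once."""
    return [(ingress_filter(iface, src, dst), iface, src, dst)
            for iface, src, dst in packets]


# Constructed sample traffic: two legitimate packets and two spoofed ones.
SAMPLE_PACKETS = [
    ("external", "203.0.113.7", "10.1.1.20"),     # legitimate inbound
    ("external", "10.1.1.5", "10.1.1.20"),        # inbound, claims an inside address: spoofed
    ("internal", "10.1.1.20", "203.0.113.7"),     # legitimate outbound
    ("internal", "198.51.100.9", "203.0.113.7"),  # outbound with a foreign source: spoofed
]

if __name__ == "__main__":
    for decision, iface, src, dst in apply_filter(SAMPLE_PACKETS):
        print(f"{decision:7} {iface:8} {src} -> {dst}")
```

On a real router the same two rules become access lists bound to each interface; the logic does not change, only the syntax.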

Activity 3-3

1. Why use the IIS Lockdown tool?

The IIS Lockdown tool can be used to automatically harden a Web server according to Microsoft’s recommendations instead of making the configuration changes manually.

2. Of the three Web servers you currently have, which can you use the IIS Lockdown tool to secure?

You can use it on both the Windows NT 4.0 and Windows 2000 Web servers.

3. Why would you choose to enable URLScan?

To more tightly control how your Web server responds to certain HTTP requests and to keep a log of the types of requests your Web server is denying.

4. True or False? You can use the IIS Lockdown tool to completely remove IIS from a server.

True.

5. True or False? You may not make any manual changes after running the IIS Lockdown tool.

False. You may make any manual configuration changes you need after you run the IIS Lockdown tool.

Activity 3-5

7. How did you identify the frame containing the clear-text password?

It is an FTP protocol request. The Description column entry reads “Req. from port [####], ‘PASS !Pass1234’.”

Activity 3-7

5. What security problems can remain with anonymous-only logons?

Until the users are retrained not to use their domain accounts, they might still attempt to log on with those accounts. The user names and passwords will still be sent in clear text.

6. Other than restricting logons, how else could you protect against an eavesdropping attack against clear text FTP passwords?

Answers may vary; for example, you could encrypt data that is being sent from the FTP client to the FTP server by using IPSec.
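Added example, not from the course: the clear-text FTP logon that Activity 3-5 found by reading the Description column can be picked out automatically across a whole capture summary, which is how you would confirm the residual risk described in question 5 above. The frame lines in SAMPLE_FRAMES are constructed in the same shape as that column; the function names find_cleartext_logons and named_account_logons are chosen for this example.

```python
import re

# Constructed capture descriptions in the shape of the Network Monitor
# Description column the activity refers to. Sample data, not the course's capture.
SAMPLE_FRAMES = [
    "Req. from port 1045, 'USER chrisc'",
    "Req. from port 1045, 'PASS !Pass1234'",
    "Resp. to port 1045, '230 User logged in.'",
    "Req. from port 1046, 'USER anonymous'",
    "Req. from port 1046, 'PASS guest@example.com'",
    "Resp. to port 1046, '230 Anonymous user logged in.'",
]

USER_RE = re.compile(r"Req\. from port (\d+), 'USER (.*)'")
PASS_RE = re.compile(r"Req\. from port (\d+), 'PASS (.*)'")


def find_cleartext_logons(frames):
    """Return one finding per FTP PASS command seen in the clear.

    The client's source port ties the USER and PASS commands of one session
    together. The password itself is not copied into the finding, only its
    length, so the report can be circulated without re-exposing the secret.
    """
    users = {}
    findings = []
    for frame in frames:
        m = USER_RE.match(frame)
        if m:
            users[m.group(1)] = m.group(2)
            continue
        m = PASS_RE.match(frame)
        if m:
            port, password = m.groups()
            user = users.get(port, "<unknown>")
            findings.append({
                "port": int(port),
                "user": user,
                "password_length": len(password),
                "anonymous": user.lower() == "anonymous",
            })
    return findings


def named_account_logons(findings):
    """Findings that expose a real account: the residual risk question 5
    describes. Anonymous 'passwords' are conventionally e-mail addresses."""
    return [f for f in findings if not f["anonymous"]]
```

Run over a capture taken after the change to anonymous-only logons, an empty result from named_account_logons is the evidence that retraining has taken hold.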


Activity 3-9

4. Why would you enable message size limits?

To prevent DoS attacks. An attacker could send lots of email to all the mailboxes and fill the hard drive or hit the maximum limit of 16 GB on standard edition.

Activity 3-10

3. What authentication methods should be enabled on the Instant Messaging Virtual Directory if users log on through a proxy server?

a) Anonymous access

b) Basic authentication

✓ c) Digest authentication

d) Integrated Windows authentication

4. True or False? If you use Digest Authentication, you must configure user passwords to be stored using reversible encryption.

True.

Lesson 4

Activity 4-1

1. Why use IPSec? Why isn’t it enough to harden the servers and the client computers?

While hardening servers and clients secures those computers, their communications—that is, the packets they exchange across a network—are still vulnerable to attack. IPSec secures the packets as they travel from one computer to another, securing that data against any known form of attack.

3. If you want a Windows 2000 server to request negotiations for a secure session but still communicate with a computer that does not respond to the request, you would use the Server default IPSec policy.

4. If you want a Windows 2000 server to require secure communications at all times and not communicate with another computer that can’t negotiate a secure session, you would use the Secure Server default IPSec policy.

6. How are the five components of the rule displayed?

The five components of the rule are displayed as tabs in the rule’s Properties dialog box.

7. Match the component with its description.


IP filter: (b) Describes the specific protocol, port, and source computer or destination computer to which the rule should apply.

Filter action: (a) Defines the action the IPSec driver should take when it encounters a packet that matches an IP filter.

Authentication method: (e) Establishes a trust relationship as part of the Phase 1 SA.

Tunnel setting: (c) Allows you to configure the computer to create a tunnel to another computer.

Connection type: (d) Lets you specify the network connection to which this rule applies.

8. If you choose to use a pre-shared key as the authentication method, which characters must the key contain?

The key may contain any combination of characters, but the key must be exactly the same on any computer you want to negotiate a secure connection using IPSec.

9. True or False? You must explicitly assign a policy to a computer to apply its settings to that computer.

True.

10. What would happen if you had a Secure Server policy assigned to a Windows 2000 server but no Client policies assigned to the Windows XP computers in the network?

The Windows XP computers would not be able to communicate with the Windows 2000 server.

Activity 4-2

3. Why are there Server and Secure Server policies on a Windows XP computer?

Because you can use them to request or require a secure connection to a Windows XP computer.
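Added example, not from the course: a small model of how the default policies named in Activity 4-1 (questions 3, 4 and 10) and in Activity 4-2 combine when two computers talk. The names REQUESTERS, RESPONDERS, negotiate and outcome_table are chosen for this example, and the semantics are a modelling assumption stated in the comment: Server requests security and falls back to clear traffic, Secure Server requires it, the Client (Respond Only) default policy answers a request but never initiates one, and a computer with no policy assigned cannot respond at all.

```python
# Modelling assumption, not Windows' exact state machine: "Server" requests
# security but falls back to clear traffic, "Secure Server" requires it,
# "Client" is the default "Client (Respond Only)" policy that never initiates
# but answers a peer's request, and None means no IPSec policy is assigned.
REQUESTERS = {"Server", "Secure Server"}
RESPONDERS = {"Client", "Server", "Secure Server"}


def negotiate(initiator, responder):
    """Outcome when `initiator` opens a connection to `responder`.

    Returns "secured" (an IPSec security association is set up), "clear"
    (traffic flows unprotected) or "blocked" (no communication at all).
    """
    if initiator in REQUESTERS or responder in REQUESTERS:
        # Whichever side carries a requesting policy asks the other to negotiate.
        requester, other = ((initiator, responder) if initiator in REQUESTERS
                            else (responder, initiator))
        if other in RESPONDERS:
            return "secured"
        # The peer has no IPSec policy: fall back or refuse, depending on the requester.
        return "blocked" if requester == "Secure Server" else "clear"
    return "clear"


def outcome_table():
    """All pairings, so the activity questions can be read off one table."""
    policies = [None, "Client", "Server", "Secure Server"]
    return {(i, r): negotiate(i, r) for i in policies for r in policies}


if __name__ == "__main__":
    for (i, r), result in outcome_table().items():
        print(f"{str(i):14} -> {str(r):14}: {result}")
```

The row for (None, "Secure Server") is question 10: Windows XP computers with no policy cannot talk to a server that requires security, while the same server paired with a Client policy ends up secured.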

Lesson 5

Activity 5-1

4. Why do you need to install the CA certification path?

This will add your lab partner’s root CA as a trusted root.

5. What should you do to secure your root CA physically after it is installed?

Take the root CA offline; that is, move it to an isolated subnet so that it is not connected to the network and so that only authorized persons have physical access to it.


Activity 5-2

3. Suppose the University wanted only faculty members to be able to enroll certificates from its Enterprise CAs. How would you configure security?

Create an Active Directory group containing all the faculty user accounts, grant that group Read and Enroll permissions to the templates, and remove the Enroll permission from the Authenticated Users group.

Activity 5-3

2. If you did lose your root CA due to system failure and you did not have the password to restore, what would happen to the certificates that have already been issued?

The certificates would be rejected as invalid.

Lesson 6Activity 6-2

4. Why did it fail?

Because the server now requires secure communications, you must use the HTTPS protocol.

6. Were you successful? Why?

Yes, after accepting all the dialog boxes, you can connect using the HTTPS protocol.

Activity 6-4

2. When will users know that the certificate is revoked?

When the CRL is published.

3. Suppose an attacker maliciously misuses administrative privileges to revoke certificates. What could you do to reinstate the certificates?

Restore the CA from a backup.
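Added example, not from the course: a toy relying-party check that ties together the answers in Activity 5-1 (question 4: installing the root), Activity 6-4 (question 2: users learn of a revocation only when the CRL is published) and the restore-from-backup answer above. The Certificate and CRL records, the CA name "Lab Root CA" and the timeline are constructed for the example; real clients parse X.509 and fetch CRLs from distribution points rather than holding in-memory records.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime          # when the CA published the list
    next_update: datetime          # when relying parties should fetch a new one
    revoked: set = field(default_factory=set)


def validate(cert, trusted_roots, crl, now):
    """Return (accepted, reason) for a relying party that trusts `trusted_roots`
    and holds `crl` as its most recently downloaded revocation list."""
    if cert.issuer not in trusted_roots:
        return False, "issuer not a trusted root"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if crl is not None and crl.issuer == cert.issuer and cert.serial in crl.revoked:
        return False, "revoked"
    if crl is not None and now > crl.next_update:
        return False, "CRL is stale; refresh it before trusting this certificate"
    return True, "valid"


def revocation_timeline():
    """Constructed scenario: the CA revokes serial 1001 on day 3, but the
    client only sees it once the next CRL is published on day 7."""
    t0 = datetime(2003, 1, 1, 9, 0)
    ca = "Lab Root CA"               # constructed name
    roots = {ca}
    cert = Certificate(1001, "web01", ca, t0, t0 + timedelta(days=365))
    crl_day0 = CRL(ca, t0, t0 + timedelta(days=7), set())
    crl_day7 = CRL(ca, t0 + timedelta(days=7), t0 + timedelta(days=14), {1001})
    return {
        "day1": validate(cert, roots, crl_day0, t0 + timedelta(days=1)),
        # Revoked at the CA on day 3, yet the client still holds the day-0 list.
        "day4_old_crl": validate(cert, roots, crl_day0, t0 + timedelta(days=4)),
        "day8_new_crl": validate(cert, roots, crl_day7, t0 + timedelta(days=8)),
        # A client that never installed the root (Activity 5-1, question 4).
        "no_root": validate(cert, set(), crl_day7, t0 + timedelta(days=8)),
    }
```

The gap between "day4_old_crl" and "day8_new_crl" is the publication delay the answer to question 2 refers to, and it is why a CA restored from backup after a malicious revocation should publish a fresh CRL immediately.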


Lesson 7

Activity 7-1

1. Is this permissible? Why or why not?

No, it is not permissible. According to the policy, network sniffing is prohibited.

2. What action, if any, should you take?

If Curt’s manager indicates that Curt should be able to use company resources to practice his network monitoring skills, have him do so on an isolated subnet.

3. Is this permissible? Why or why not?

Yes, this is permissible. The policy states that users only need to change their passwords every six months. Only system-level accounts need to be changed quarterly.

4. What action, if any, should you take?

No action is necessary as Nancy’s actions conform to the security policy.

5. Is this permissible? Why or why not?

Tina broke multiple policies. One of them is: Creating or forwarding “chain letters,” “Ponzi,” or other “Pyramid” schemes of any type.

6. What action, if any, should you take?

An IT representative, an HR representative, or Tina’s manager should discuss the relevant policy with Tina and verify that she understands it. For general staff information, you can post information such as a link to http://hoaxbusters.ciac.org/ on the company Web site to assist users in determining whether or not emails are hoaxes.

7. Is this permissible? Why or why not?

No, this is not permissible. Cathy is complying with the requirement that her screensaver be password-protected. However, the screensaver should activate every 10 minutes.

8. What action, if any, should you take?

Refer Cathy to the relevant section of the acceptable use policy, and assist her in changing the activation interval for her screensaver.

Activity 7-2

1. A user opens an attachment which causes a virus to spread within the organization.

The policy does not call for legal action in this situation. However, disciplinary action may be taken.

2. A user emails a copy of a new type of encryption software program to a user in a foreign country for testing.

Depending on your locality and the destination country, this may be a legal violation of export control laws and legal action might be taken.


3. A user scans your network for open ports.

The policy does not call for legal action in this situation. However, disciplinary action may be taken.

4. A user forwards an email which appears to be a “Ponzi” or “Pyramid” scheme.

The policy does not call for legal action in this situation. However, disciplinary action may be taken.

5. Two employees have an argument at lunchtime. During the afternoon, one user sends a threatening email to the other. The second employee is afraid to leave the building unescorted that evening.

Hostile or threatening messages could be considered a form of harassment, which could be subject to legal action according to the policy.

Activity 7-3

2. A Business Continuity Plan is a policy that defines how normal day-to-day business will be maintained in the event of a major systems failure.

3. In your own words, how is a BCP different than a DRP?

Answers will vary, but in general, a BCP should focus on what needs to be done to keep the most critical components of a business running in case of a disaster, while a DRP should focus on the specific steps needed to recover your systems from a disaster.

4. Why is it important to create a BCP?

It’s important to create a BCP because you want to have a plan in place to keep your business operating in the event of a large-scale security event or other disaster. BCPs can help reduce the financial loss associated with a security attack.

5. Why is it important to create a DRP?

A DRP is important because it will provide the steps necessary to recover critical systems in the event of a disaster and help reduce any financial loss associated with the disaster.

6. What tools are available to help you create a BCP and DRP?

There are seminars, software utilities, and consulting services available.

7. In your opinion, which of the tools you’ve found in your research would be most helpful to you in creating a BCP or DRP? Why?

Answers will vary. One possible answer is a consulting firm that can assess needs and create a customized plan. This could save the cost of creating a BCP or DRP in-house.

8. You’ll probably see in your research that risk assessment is an important part of creating a BCP. Why is that?

By completing a risk assessment, you can determine what parts of the business are most vulnerable and which are of greatest consequence. You can then formulate a plan to recover from attack and keep the most important parts of your business operating.

9. In your opinion, of buildings, devices, and communications, which do you think is generally most vulnerable to attack? Which do you think would be most difficult to recover?

Answers will vary.


Activity 7-4

1. Which security level does your organization fall under? Why?

Security level 4, due to the monetary value of the equipment you need to protect in a single location.

2. Besides using blinds and locks on the windows, what else could you recommend using to secure the windows from unauthorized access?

You could install obscurity filming or even metal bars.

3. Once the motion-detection alarms are installed, what procedure will you need to follow to verify they are working properly?

You will need to perform a walk test.

4. Given the security requirements of this company and the category of risk the computing center falls into, what other physical security recommendations could you make, based on this document?

Answers may vary; for example, the escorted contractors should give 48 hours notice on what they will be doing. Computers could be placed at least 1.5 meters from external windows.

Activity 7-5

1. How could better user education have helped this situation?

Answers might include: If the employees had been aware of the dangers of opening email attachments, and had been more knowledgeable about how to identify email hoaxes, it is unlikely that the virus would have spread as far. If the initial employee in particular had been better informed, you might have been able to keep the virus out of your organization altogether.

2. What education steps do you recommend taking in response to this incident?

Answers might include: Because this was a widespread incident, your response must include better security information for all users. You should distribute or prominently post a notice regarding the incident, reviewing proper guidelines for opening email attachments and for identifying email hoaxes. You should distribute links to common hoax-debunking Web sites to make it easy for employees to research possible hoaxes. You should also review your new-hire training procedures to be sure they include information on email security.

3. How could better user education have helped this situation?

Answers might include: Regardless of the specific policy, if the employee had been informed of some common-sense security guidelines, she might have not admitted the stranger without question.


4. What education steps do you recommend taking in response to this incident?

Answers might include: This seems to be an isolated incident, so you should be sure to address it with the employee in question by reviewing all security policies with her and emphasizing the possible consequences of her actions. You should probably also post all security policies in an easily-accessible location on the network and send out a company-wide reminder about them. However, because this employee never even attempted to refer to the policy, the inaccessibility of the policy documents was not a contributing factor in this incident. Finally, you should review your new-hire security training procedures to be sure they include common-sense tips on building security.

5. How could better user education have helped this situation?

Answers might include: In this case, it’s not apparent that there were any problems in the education process. Users were aware of the presence of policy documents, but the documents themselves were inadequate because they did not deal with the dangers of this type of situation.

6. What education steps do you recommend taking in response to this incident?

Answers might include: You need to update your acceptable network use policy to make it clear what kind of authorization an individual needs in order to access the corporate network from within the building. You also need to disseminate this new information to all employees. You might want to follow this up in a few weeks or months with a “staged” attack of a similar nature, to see how employees respond.

Lesson 8

Activity 8-1

3. What ports were open on your Windows 2000 Server? Should these ports be open?

Because this server is hosting so many different services, there will be many ports open. For example, the DNS service runs on port 53. Active Directory uses ports 88, 389, 445, 464, and 636. Ports 23, 25, 110, 143 and 995 support Microsoft Exchange. The Web server uses 80 and 443. Network connections are created on port 135. The network news service will use 119 and 563. Ports higher than 1024 are dynamically-assigned ports not associated with a particular service on this server.

5. What ports were open on the Server100 computer? Should these ports be open?

Results should be similar to the local computer scan.

7. Did the scan or probe reveal any vulnerabilities?

Answers will vary depending upon your Internet access configuration. If your system is directly exposed to the Internet, the scan will probably find multiple vulnerabilities due to the large number of ports open on the computer. However, if your computer is located behind a properly-hardened Internet firewall, the system should pass the scans and appear to the scanning tool as if it is in “Stealth” mode.
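Added example, not from the course: the port-to-service mapping from the answer to question 3 used as a baseline for reviewing a scan result, which is how you answer "should these ports be open?" for a server you did not build yourself. EXPECTED_PORTS is built only from the ports and services that answer lists; SAMPLE_SCAN and the function names review_scan and missing_expected are constructed for this example.

```python
# Listening ports the answer to question 3 attributes to the lab's
# Windows 2000 Server, keyed to the service it names for them.
EXPECTED_PORTS = {
    53: "DNS",
    88: "Active Directory", 389: "Active Directory", 445: "Active Directory",
    464: "Active Directory", 636: "Active Directory",
    23: "Microsoft Exchange", 25: "Microsoft Exchange", 110: "Microsoft Exchange",
    143: "Microsoft Exchange", 995: "Microsoft Exchange",
    80: "Web server", 443: "Web server",
    135: "network connections",
    119: "network news service", 563: "network news service",
}
DYNAMIC_FLOOR = 1024   # the answer treats ports above this as dynamically assigned


def review_scan(open_ports, expected=EXPECTED_PORTS, dynamic_floor=DYNAMIC_FLOOR):
    """Sort a scan result into ports the baseline explains, ports in the
    dynamic range, and ports nobody accounted for (the ones to investigate)."""
    report = {"expected": [], "dynamic": [], "unexpected": []}
    for port in sorted(set(open_ports)):
        if port in expected:
            report["expected"].append((port, expected[port]))
        elif port > dynamic_floor:
            report["dynamic"].append(port)
        else:
            report["unexpected"].append(port)
    return report


def missing_expected(open_ports, expected=EXPECTED_PORTS):
    """Baseline ports that did not show up: a service may be down, or the
    baseline is out of date. Either way it is worth a look."""
    seen = set(open_ports)
    return sorted(p for p in expected if p not in seen)


# Constructed scan result: the baseline minus port 23, plus FTP (21) and one
# ephemeral port, so every bucket of the report is populated.
SAMPLE_SCAN = [21, 25, 53, 80, 88, 110, 119, 135, 143, 389, 443, 445, 464,
               563, 636, 995, 1045]

if __name__ == "__main__":
    report = review_scan(SAMPLE_SCAN)
    print("unexpected:", report["unexpected"])
    print("dynamic:", report["dynamic"])
    print("missing from baseline:", missing_expected(SAMPLE_SCAN))
```

The answer's rule that anything above 1024 is dynamic is kept as stated, so the "dynamic" bucket still deserves a glance during review: well-known services listen above 1024 as well, and a baseline that grows with the server is what makes this check useful over time.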


Activity 8-2

5. What is the source of most of the failure ratings on this system?

This system has an abnormally small user accounts database, so an unusually high percentage of the user and group accounts on the system have Administrative privileges. A production system in a normal corporate domain would have many more user-level user and group accounts.

7. Given this analysis information, what steps could you take to harden your system further?

Answers will vary. For example, you could create stronger password policies.

8. Is it always desirable to harden a system as much as possible?

No. Security is a balancing act. Every step you take to harden a system can potentially restrict access to the system and system usability.

Activity 8-3

4. Were you successful? Why or why not?

No, because SMB Signing has been implemented on this system. This effectively protects against SMB man-in-the-middle attacks.

5. Why would an attacker attempt this operation?

The passwords retrieved when establishing the session could be used in a password cracking program.

Activity 8-4

4. Were all the passwords received? Why or why not?

No. All the users on the system (except the guest user account, which is disabled) have passwords strong enough to resist this attack.

6. Were all the passwords retrieved? Why or why not?

No. The Certification1 password for the ChrisC user-level account was cracked, but the tool only retrieved the last two digits of the more complex passwords on the administrative accounts.

7. What should you do to prevent any of the passwords on this system from being stolen by an attacker?

Implement strong passwords for all users. Restrict membership of the administrators group to prevent misuse of privilege attacks.

9. Were all the passwords received? Why or why not?

No. The computer was hardened to prevent remote access to the passwords.
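Added example, not from the course: a password-acceptance check of the kind the answer to question 7 calls for, applied to the Certification1 password that question 6 says was cracked. The wordlist DICTIONARY is a constructed stand-in for a real cracking dictionary and the function names are chosen for this example. The point it makes is that the usual complexity rule accepts Certification1 (it has upper case, lower case and a digit) while a dictionary-base check rejects it.

```python
import re

# Constructed mini dictionary standing in for a cracking wordlist; a real
# policy check loads a large list. It includes the bases of the two lab passwords.
DICTIONARY = {"password", "certification", "pass", "admin", "welcome",
              "letmein", "security", "summer"}


def meets_complexity(pw, min_len=8, min_classes=3):
    """The usual rule set: minimum length plus a mix of character classes."""
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= min_len and sum(1 for c in classes if c) >= min_classes


def dictionary_base(pw):
    """Strip leading and trailing digits and symbols and lowercase what is
    left, which is how 'Certification1' becomes the word 'certification'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def check_password(pw):
    """Return (accepted, reason). A password must pass the complexity rules
    and must not be a dictionary word with simple padding."""
    if not meets_complexity(pw):
        return False, "fails complexity rules"
    if dictionary_base(pw) in DICTIONARY:
        return False, "dictionary word with simple padding"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Certification1", "!Pass1234", "Short1", "gR8!wQz2-lmK"):
        print(candidate, check_password(candidate))
```

A check like this belongs at password-change time, where a rejection costs the user a few seconds; finding the same weakness in a cracking tool's output, as the activity does, means the password has already been exposed.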


Activity 8-6

2. Were you successful? Why?

Yes. The Admin100 account is common to both systems. Using this as a workgroup administrative account, you can access the other computer’s C$ share.

6. What intrusions were detected?

Many types of scans and probes against common ports.

Activity 8-7

7. Were you successful? Why?

Yes. This FTP server is deliberately configured with no logon or file-access security.

9. What was the source IP address of the attack? How can this assist you in finding the attacker?

The source IP was the attacker’s computer. Once you have the IP address, you can track the computer using that IP on campus. You can either physically go see who is using that computer, or view log files to see who logged on.

10. Why would you suspect this student was the previous attacker to the FTP site?

The attacker used Dean Allison Ager’s name when attempting to log on. The dean suspected she was the vulnerable account.

Activity 8-8

2. In your own words, why is it important to have an incident response policy?

Answers will vary, but generally, an incident response policy is important because it will help reduce confusion during a security incident by detailing who should respond to an incident and in what fashion, and it will minimize the impact such an incident will have on an organization.

3. What do you think are the most important components in the policies you’ve found?

Answers will vary.

4. How do you think the policies you’ve found answer the questions in the concepts preceding this activity?

Answers will vary.

5. In general, do you think it’s important to notify employees of ordinary security incidents? Why or why not?

Answers will vary.


6. Why might you want to alert law enforcement officials of a security incident? Why might you want to notify the media?

Answers will vary, but generally, you’d want to notify law enforcement if the incident was serious enough to have a financial impact or other consequence that might warrant a criminal investigation. You might notify the media to warn other companies to protect against a specific type of attack or if the incident had any effects on the organization that might be important to stockholders.

Activity 8-9

6. Which packets in the capture created the DoS condition? (You might need to widen the Description column.)

All the packets with a destination of Port 80.

7. Can you determine the source of the attack?

Yes. The packets show the source host’s IP address.

8. What is the first thing you should consider doing in response to this DoS attack?

You should consider doing nothing. If the attack is not degrading service, a response might only warn an attacker to be more careful next time. By watching and waiting, you might be able to accumulate evidence and take definitive action against the attacker.

9. How else could you respond to this DoS attack?

Answers may vary; for example, because you know the source host, you could block the source of the attack.

10. What steps should you take once the attack is resolved?

Following any attack, you should always re-evaluate your system hardening procedures; for example, you can scan your system for open ports and close any unneeded ports. Always keep in mind that you must not harden a system so much that it becomes inaccessible.

11. If the attacker wanted to automate the attacks instead of having to do so manually, what can the attacker do?

Install zombie agents (or drones) on each computer.

13. Were any zombie agents detected?

No.
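Added example, not from the course: the capture analysis in questions 6 through 9 of Activity 8-9 as detection code. make_sample_capture builds a constructed capture summary (150 frames from one host to port 80 inside a single second, plus three ordinary frames); find_flood_sources picks out the source the way question 7 does by hand, and evidence_summary records what you would keep if you chose to watch and wait, as the answer to question 8 suggests. The line format and all addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed line format: "<hh:mm:ss.mmm> <src> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ (\S+) -> (\S+):(\d+) (\S+)$")


def make_sample_capture():
    """Constructed capture summary: 150 frames from one host to port 80 in a
    single second, plus three ordinary frames from other hosts."""
    lines = [f"10:00:00.{i:03d} 192.168.1.50 -> 192.168.1.10:80 TCP"
             for i in range(150)]
    lines += [
        "10:00:00.500 192.168.1.77 -> 192.168.1.10:80 TCP",
        "10:00:00.600 192.168.1.78 -> 192.168.1.10:25 TCP",
        "10:00:01.100 192.168.1.77 -> 192.168.1.10:443 TCP",
    ]
    return lines


def parse(line):
    """Split one summary line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    second, src, dst, dport, proto = m.groups()
    return {"second": second, "src": src, "dst": dst,
            "dport": int(dport), "proto": proto}


def find_flood_sources(lines, dport=80, threshold=100):
    """Count frames per (source, one-second bucket) aimed at dport and return
    the sources that reach the threshold. The threshold is a tuning choice;
    start from what a busy legitimate client sends and go well above it."""
    counts = Counter()
    for p in map(parse, lines):
        if p and p["dport"] == dport:
            counts[(p["src"], p["second"])] += 1
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


def evidence_summary(lines, src, dport=80):
    """What to record if you decide to watch and wait (question 8): frame
    count and the first and last timestamp seen from the suspect host."""
    pkts = [p for p in map(parse, lines)
            if p and p["src"] == src and p["dport"] == dport]
    return {"src": src, "frames": len(pkts),
            "first": pkts[0]["second"] if pkts else None,
            "last": pkts[-1]["second"] if pkts else None}


if __name__ == "__main__":
    capture = make_sample_capture()
    for src in find_flood_sources(capture):
        print(evidence_summary(capture, src))
```

Blocking the source (question 9) is then a decision you take with the count and time span in hand, rather than from a single glance at a scrolling capture.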

Activity 8-10

6. Were you successful? Why?

No. Even though you are an administrator, you cannot access the other computer, as your lab partner blocked your computer as an intruder.


Appendix B

Activity B-1

1. Form factor refers to a drive’s width.

2. How is the storage capacity of a floppy disk determined?

The amount of data that can be stored in a disk is determined by the number of sides, tracks per side, sectors per track, and bytes that can be stored in a sector.

3. Tape drives are used primarily for backup.

Activity B-2

1. What type of media is copper cable?

✓ a) Bounded

b) Unbounded

c) Radiated

d) Inferential

2. How many grades does UTP cable come in?

a) Four

b) Five

c) Six

✓ d) Seven

3. On UTP cable, which designation describes telephone connectors?

a) Cat-5T

b) RJ-45

✓ c) RJ-11

d) RJ-568A

4. Why shouldn’t you look into the end of a fiber connector or socket, even if you don’t see a light?

The infrared light might not be visible to the human eye but will still cause eye damage.

5. What advantages does fiber have over copper media?

Distance and speed.

6. How many fiber conductors are needed to implement a full duplex connection?

Two: one for transmit (TX) and one for receive (RX).


GLOSSARY

802.11a
A more expensive but faster protocol for wireless communication than 802.11b. The 802.11a protocol supports speeds up to 54 Mbps in the 5 GHz frequency.

802.11b
Also called Wi-Fi, short for “wired fidelity,” 802.11b is probably the most common and certainly the least expensive wireless network protocol used to transfer data among computers with wireless network cards or between a wireless computer or device and a wired LAN. The 802.11b protocol provides for an 11 Mbps transfer rate in the 2.4 GHz frequency.

AH protocol
(Authentication Header protocol) A protocol that IPSec uses to provide data integrity through the use of MD5 and SHA. AH takes an IP packet and uses either MD5 or SHA to hash the IP header and the data payload, and then it adds its own header to the packet.

anomaly/profile-based analysis
Looks for network, host, or application changes compared to preset parameters. This is also known as profile-based analysis.

application-based IDS
An IDS software component that monitors a specific application on a host.

asymmetric encryption algorithm
A cryptographic algorithm that generally uses one key for encryption and another key for decryption.

attacker
Another term for a user who gains unauthorized access to computers and networks for malicious purposes.

audit attack
A type of software attack where an attacker covers his trail by deleting audit entries that might point to an intrusion.

AUP
(Acceptable Use Policy) A security policy that defines what constitutes the appropriate and inappropriate use of resources within the organization.

authentication
The process of proving a user’s or computer’s identity.

authorization
The process of taking a user’s identity after he or she has been authenticated and allowing or denying access to specific network resources.

backdoor
A mechanism for gaining access to a computer that bypasses or subverts the normal method of authentication. Back Orifice is an example of a backdoor.

backdoor attack
A type of attack where the attacker creates a mechanism to gain access to a system and its resources. This can involve software or a bogus user account.

BCP
(Business Continuity Plan) A policy that defines how normal day-to-day business will be maintained in the event of a major systems failure.

biometric authentication
Mechanism that uses a person’s physical characteristics as part of the authentication process.


black hat
A hacker who exposes vulnerabilities for financial gain or for some malicious purpose.

block cipher
A type of symmetric encryption that encrypts data a block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers.

brute force attack
A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to try to crack encrypted passwords.

buffer overflow attack
An attack that exploits fixed data buffer sizes in a target piece of software by sending data that is too large for the buffer.

bulk encryption key
Session key generated from a master key. Schannel and Internet Key Exchange (IKE) use bulk encryption keys.

CA
(Certificate Authority) An authority in a network that issues digital certificates. CAs can provide information to others regarding the authenticity of certificates. Most CAs follow the Public Key Cryptography Standards (PKCS).

CA hierarchy
A PKI model based on the parent/child relationship.

certificate enrollment
The process of an entity (such as a user, server or an application) applying for a digital certificate from a CA.

certificate life cycle
The lifetime of a certificate from initial issuance to expiration/revocation.

certificate lifetime
The length of time a certificate is valid.

certificate management system
A system that provides the software tools to perform the day-to-day functions of the PKI.

certificate policy
A security policy that determines what information a digital certificate will contain and the parameters for that information.

certificate practice statement
A document that states how the CA will implement the certificate policy.

certificate repository
A database containing digital certificates.

chain of custody
A complete inventory of evidence that shows who has handled specific items and where they have been stored.

ciphertext
Another name for encrypted data.

corporate security policy
A collection of individual security policies that defines how security will be implemented within a particular organization.

cracker
A user who gains unauthorized access to computers and networks for malicious purposes.

CRL
(Certificate Revocation List) A list of certificates that are no longer valid.

DAC
(Discretionary Access Control) In DAC, access is controlled based on a user’s identity. Objects are configured with a list of users who are allowed access to them. An administrator has the discretion to place the user on the list or not. If a user is on the list, the user is granted access; if the user isn’t on the list, access is denied.

DDoS attack
(Distributed Denial of Service attack) A software attack in which an attacker hijacks or manipulates multiple computers (through the use of zombies or drones) on disparate networks to carry out a DoS attack.


default security configuration attack
A type of software attack where an attacker attempts to gain access to a computer by exploiting the security flaws that exist in the computer’s operating system.

DH algorithm
(Diffie-Hellman algorithm) A public key algorithm that is used to securely exchange keys between entities without having any prior secrets. IPSec uses DH to generate master keys, which are then used to generate bulk keys for data encryption.

digest
A numerical result that’s generated from a mathematical function, usually a hashing algorithm. Also called a message digest.
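Added example, not from the glossary or the course: the AH protocol, bulk encryption key, DH algorithm and digest entries above in one runnable round trip. Two parties exchange public values, both derive the same master secret, each derives a bulk key from it, and the receiver checks a keyed digest over header and payload the way AH does. The group P, G is a toy (2**521 - 1 is a known prime, but this is not one of the MODP groups IKE negotiates), the key-derivation label scheme is constructed rather than IKE's actual PRF, and the packet bytes are made up.

```python
import hashlib
import hmac
import secrets

# Toy group: 2**521 - 1 is a known prime, but this is a demonstration group,
# not one of the MODP groups IKE actually negotiates.
P = 2**521 - 1
G = 3


def dh_keypair(p=P, g=G):
    """Generate a private exponent and the public value g^private mod p."""
    private = secrets.randbelow(p - 3) + 2          # in [2, p-2]
    return private, pow(g, private, p)


def dh_shared_secret(private, peer_public, p=P):
    """Both parties compute peer_public^private mod p and arrive at the same
    master secret without ever transmitting it. Degenerate public values
    (0, 1, p-1) are rejected because they would force a predictable result."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def derive_bulk_key(master_secret, context, length=16):
    """Derive a session (bulk) key from the master secret by hashing it with a
    context label: the master-to-bulk relationship the glossary describes.
    The label scheme here is constructed, not IKE's actual PRF."""
    data = master_secret.to_bytes((master_secret.bit_length() + 7) // 8, "big")
    return hashlib.sha256(data + context).digest()[:length]


def integrity_tag(key, header, payload):
    """AH-style integrity: a keyed digest over header and payload that the
    receiver recomputes; any change to either part changes the tag."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def verify_integrity(key, header, payload, tag):
    """Constant-time comparison of the received tag with a fresh computation."""
    return hmac.compare_digest(integrity_tag(key, header, payload), tag)


def exchange_and_protect(header=b"src=10.0.0.1;dst=10.0.0.2", payload=b"hello"):
    """Full round: both sides exchange public values, derive the same bulk key,
    and the receiver checks a protected packet before and after tampering."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = derive_bulk_key(dh_shared_secret(a_priv, b_pub), b"ah-key")
    key_b = derive_bulk_key(dh_shared_secret(b_priv, a_pub), b"ah-key")
    tag = integrity_tag(key_a, header, payload)
    return {
        "same_key": key_a == key_b,
        "intact_ok": verify_integrity(key_b, header, payload, tag),
        "tampered_ok": verify_integrity(key_b, header, payload + b"!", tag),
    }
```

Deriving separate bulk keys from one master secret (different context labels for each direction or purpose) is what lets a single exchange protect several streams without reusing a key across them.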

digital certificate
An electronic document that binds two pieces of information together, the entity’s public key and the information regarding that entity, to verify the entity is who it claims to be. Many certificates are based on the X.509 standard.

digital signature
Information appended to a message identifying the sender and the message.

directory service
A network service that stores information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

DoS attack
(Denial of Service attack) A software attack in which an attacker disables systems that provide network services by consuming a network link’s available bandwidth, consuming a single system’s available resources, or exploiting programming flaws in an application or operating system.

DRP
(Disaster Recovery Plan) A policy that defines how people and resources will be protected in the case of a natural or man-made disaster, and how the organization will recover from the disaster.

dual key pair
Keys that perform more than one purpose, such as keys that combine services such as encryption and digital signatures.

due care
The process of an individual or organization thoroughly investigating and researching all the issues and options relating to a particular subject.

dumpster diving
The attacker will try to gain valuable information from items that are improperly disposed of in the trash.

eavesdropping attack
A software attack where an attacker attempts to gain access to private communications on the network wire or across a wireless network. This type of attack is used either to steal the content of the communications itself or to gain information that will help the attacker later gain access to your network and resources.

encryption
The process of converting the data into coded form in such a way that only authorized parties can access the information. Only those with the necessary password or decryption key can decode and read the data.

encryption algorithm
A mathematical function that is used for encryption and decryption of data.

enumeration
The attacker will try to gain access to users and groups, network resources, shares, applications and banners, or valid user names and passwords. The attacker can obtain these through social engineering, network sniffing, dumpster diving, or watching a user log in.

ESP protocol
(Encapsulating Security Payload protocol) A protocol that IPSec uses to provide data integrity as well as data confidentiality (encryption) using one of the two encryption algorithms, DES or 3DES.


ethical hack
A hack performed, usually by a third party with the organization's permission, to test an organization's security infrastructure and find weaknesses.

expired certificate
A certificate that has reached the end of its lifetime (the end of its validity period).

footprinting
The phase in which the attacker chooses a target organization or network and begins to gather information about it that is publicly available. Also called profiling.

guideline
A suggestion or best practice for meeting a policy's standard. Unlike a standard, a guideline is not mandatory.

hacker
A user who excels at programming or at managing and configuring computer systems (or both). Often used, improperly, to refer to a cracker.

hardening
The process of securing a computer or other device according to a determined security policy, for example by removing unneeded services and applying a security baseline.

hardware attack
An attack that targets a computer's physical components and peripherals, including its hard disk, motherboard, keyboard, network cabling, or smart card reader.

hash value
A numerical result of a fixed size that is generated from data by a mathematical calculation called a hashing algorithm.

hashing algorithm
A one-way algorithm used to generate a fixed-size message digest for some piece of data; the data cannot be recovered from the digest.

HIDS (Host-based IDS)
An IDS that relies primarily on software installed on a specific host, such as a Web server, to monitor activity on that host.

hijacking attack
A software attack in which the attacker takes control of (hijacks) an established TCP session to gain access to data or network resources using the identity of a legitimate network user.

honeypot
A security tool used to lure attackers away from the actual network components and to observe their methods. Also called a decoy or sacrificial lamb.

HTTPS (Hypertext Transfer Protocol over SSL)
A Web protocol that uses SSL (or TLS) to secure HTTP connections. HTTPS uses TCP port 443 by default.

IDS (Intrusion Detection System)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attack.

IKE (Internet Key Exchange)
The protocol IPSec uses to authenticate the two peers, negotiate security associations, and create a master key, which in turn is used to generate bulk encryption keys for encrypting data. IKE combines the Internet Security Association and Key Management Protocol with the Oakley key-determination protocol and is often written as ISAKMP/Oakley.

IP spoofing attack
A type of software attack in which an attacker creates IP packets with a forged source IP address and uses those packets to gain access to a remote system that trusts that address.

IPSec (Internet Protocol security)
A set of open, non-proprietary standards that you can use to secure data as it travels across the network or the Internet through data authentication and encryption. Many operating systems and devices support IPSec, including Windows 2000, Windows XP, NetWare 6, Solaris 9, and routers.

IPSec driver
The component that watches packets being sent and received and determines, from the IPSec policy delivered through Group Policy or the local Registry, whether each packet needs to be signed or encrypted.

IPSec Policy Agent
A service that runs on each Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional computer and that retrieves the IPSec policy from Active Directory or the local Registry and passes it to the IPSec driver.


issued certificate
A certificate issued to an individual, computer, or other device by a CA.

issuing CA
A Certificate Authority that issues certificates to end entities, as opposed to a root or intermediate CA that only certifies other CAs.

key escrow
An arrangement in which a copy of a user's private key (normally the encryption key, never the signing key) is held by a trusted third party or by key recovery agents so that the key can be restored if it is lost. The escrowed key is commonly divided into several parts that are distributed to different individuals or trustees, so that no single person can recover it alone (see M of N scheme).

logic bomb
A piece of code that sits dormant on a user's computer until it is triggered by a specific event, such as a particular date. Once triggered, the logic bomb "detonates," erasing or corrupting data on the user's computer.

M of N scheme
A mathematical control for key recovery that takes into account the total number of key recovery agents (N) along with the number of those agents (M) required to cooperate to perform a key recovery. Any M of the N agents can recover the key, while fewer than M learn nothing about it.
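Key escrow and M of N recovery as an added example (not code from the course): the escrowed key, treated as an integer, is split with Shamir secret sharing so that any M of N trustees can reconstruct it and any fewer learn nothing. The prime field and the integer representation of the key are this example's choices; a longer key would be split in chunks that fit below the prime.

```python
"""M-of-N key recovery with Shamir secret sharing (added example)."""
import secrets

# A large prime field; the key, as an integer, must be smaller than this.
# 2**127 - 1 is prime, so key chunks of up to 120 bits fit comfortably.
PRIME = 2**127 - 1


def split_key(secret: int, m: int, n: int):
    """Split `secret` into n shares (x, y) such that any m of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer below PRIME")
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]

    def evaluate(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):          # Horner's rule, mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    # Trustee i receives the point (i, f(i)); x = 0 is never handed out.
    return [(x, evaluate(x)) for x in range(1, n + 1)]


def recover_key(shares) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (x_i, y_i) in enumerate(shares):
        num = den = 1
        for j, (x_j, _) in enumerate(shares):
            if i != j:
                num = (num * (-x_j)) % PRIME
                den = (den * (x_i - x_j)) % PRIME
        secret = (secret + y_i * num * pow(den, -1, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    # Constructed 15-byte "private key"; 3 of 5 trustees are needed to recover it.
    key = int.from_bytes(b"escrowed-key-15", "big")
    shares = split_key(key, 3, 5)
    print("3 shares recover key:", recover_key(shares[:3]) == key)
    print("2 shares recover key:", recover_key(shares[:2]) == key)
```

Recovery with fewer than M shares does not fail loudly; it simply returns a wrong value, which is why the interpolation is done by the recovery system and the result verified (for example by decrypting a known ciphertext) before the key is put back into use.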

MAC (Mandatory Access Control)
An access control model in which objects (files and other resources) are assigned security labels of varying levels depending on the object's sensitivity, and users are assigned a security level or clearance. When a user tries to access an object, the system compares the user's clearance to the object's security label: if the clearance is sufficient for the label (in the simplest case, the two match), the user can access the object; otherwise access is denied. Neither the object's owner nor the user can override the system's decision.

malicious code attack
A type of software attack in which an attacker inserts malicious code into a user's system to disrupt or disable the operating system or an application. A malicious code attack can also make an operating system or an application take actions that disrupt or disable other systems on the same network or on a remote network.

man-in-the-middle attack
A type of software attack in which an attacker interposes between two hosts, relaying (and possibly altering) their traffic, to gain access to their data transmissions while each host believes it is talking directly to the other.

master key
A key that is used by a client and a server to generate session keys.

MD5 (Message Digest 5)
A hash algorithm, specified in RFC 1321, that produces a 128-bit hash value. It is used in IPSec policies for data authentication (as HMAC-MD5). MD5 is no longer considered collision-resistant and should not be used where that property matters, such as digital signatures.

misuse of privilege attack
An attack in which a user uses legitimate administrative privileges to attack the system.

multi-factor authentication
Authentication that requires a second, different kind of factor in addition to a user name and password, for example something the user knows (the password) plus something the user has (a token).

NIDS (Network-based IDS)
An IDS that uses primarily passive hardware sensors to monitor traffic on a specific segment of the network.

non-repudiation
A feature of digitally signed communications that gives the recipient assurance about the data received: the sender or signer cannot later deny having performed a certain action on a block of data, because only the holder of the private key could have produced the signature.

offline CA
A CA that is isolated from your organization's network, typically the root CA, so that its private key is protected from network-based attack.

password attack
A type of software attack in which the attacker tries to guess passwords or crack encrypted (hashed) password files.

PBX (Private Branch Exchange)
A private telephone network managed by an organization for use by its employees.

PGP (Pretty Good Privacy)
A method of securing email, created to prevent attackers from intercepting and manipulating email and attachments, that encrypts and digitally signs the contents of the email using public key cryptography.


PKCS (Public Key Cryptography Standards)
A set of standards, published by RSA Laboratories in cooperation with other vendors, that define formats and protocols for exchanging information securely over the Internet using a public key infrastructure (PKI).

PKCS #10 - Certification Request Syntax Standard
A PKCS that describes the syntax used to request certification of a public key and other information.

PKCS #7 - Cryptographic Message Syntax Standard
A PKCS that describes the general syntax used for cryptographic data such as digital signatures and enveloped (encrypted) data.

PKI (Public Key Infrastructure)
A system composed of a Certificate Authority (CA), certificates, software, services, and other cryptographic components, for the purpose of enabling authenticity and validation of data and/or entities, for example to secure transactions over the Internet.

plaintext
Data that is not encrypted. Sometimes called cleartext.

PMI (Privilege Management Infrastructure)
A collection of authentication and authorization mechanisms that give an administrator centralized control of user and group role-based privilege management. PMI is often implemented to control user authentication and authorization for an organization's Web resources.

policy statement
An outline of the plan for an individual security component.

port scanning attack
A software attack in which an attacker probes your systems to see which ports are listening, and therefore which services are exposed, in order to find a way to gain unauthorized access.

private key
The half of a key pair that is kept secret and used by one individual or entity only. It decrypts data that was encrypted with the matching public key and is used to digitally sign a message.

private root
A root CA created within a company for internal use by the company itself.

procedure
Instructions that detail specifically how to implement the policy.

public key
The half of a key pair that can be freely distributed, for example in a certificate. A public key works in conjunction with its private key: data encrypted with the public key can be decrypted only with the private key, and signatures made with the private key are verified with the public key.

Public Key Cryptography
The process of encrypting and decrypting data using a public key/private key pair.

public root
A root CA operated by a third-party (or commercial) vendor, used by a company for purposes outside the company such as the Internet.

RA (Registration Authority)
An authority in a network that processes requests for digital certificates from users, verifying the requester's identity on behalf of the CA, which then issues the certificate.

RADIUS (Remote Authentication Dial-in User Service)
A standard protocol for providing centralized authentication and authorization services for remote users. For more information, see RFC 2138 (authentication) and RFC 2139 (accounting), since superseded by RFCs 2865 and 2866.

RBAC (Role-based Access Control)
An access control model in which access is controlled based on a user's role. Users are assigned to roles, and network objects are configured to allow access only to specific roles. Roles are created independently of user accounts, so a user's permissions change simply by changing the user's role assignments.
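The three access control models defined in this glossary (DAC, MAC, and RBAC) side by side, as an added example that is not part of the course: the same question, "may this user perform this operation on this object?", answered three different ways. The MAC check uses the usual rule that the clearance must dominate (be at least) the label, which includes the simple equality case the entry describes; the user, object, and role names are made up for the example.

```python
"""DAC, MAC and RBAC decision logic side by side (added example)."""


# ---------- DAC: the object's owner decides who is on its access list ----------
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {}                      # user -> set of permissions

    def grant(self, granted_by: str, user: str, perm: str) -> None:
        """Only the owner may change the list (an administrator could be added here)."""
        if granted_by != self.owner:
            raise PermissionError(f"{granted_by} may not grant on {self.owner}'s object")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# ---------- MAC: labels on objects, clearances on users, compared by the system ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows(clearance: str, label: str, perm: str) -> bool:
    """Bell-LaPadula style: no read up, no write down. Nobody can override this."""
    c, l = LEVELS[clearance], LEVELS[label]
    if perm == "read":
        return c >= l                      # clearance dominates the label
    if perm == "write":
        return c <= l                      # cannot leak data to a lower label
    raise ValueError(f"unknown permission {perm!r}")


# ---------- RBAC: permissions attach to roles; users are assigned roles ----------
class Rbac:
    def __init__(self):
        self.role_perms = {}               # role -> {(object, perm)}
        self.user_roles = {}               # user -> {role}

    def define_role(self, role: str, perms) -> None:
        """Roles exist independently of any user account."""
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"role {role!r} is not defined")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def allows(self, user: str, obj: str, perm: str) -> bool:
        return any((obj, perm) in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))


if __name__ == "__main__":
    doc = DacObject("alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob reads alice's doc:", doc.allows("bob", "read"))
    print("MAC  secret user reads confidential file:", mac_allows("secret", "confidential", "read"))
    rbac = Rbac()
    rbac.define_role("helpdesk", [("user_db", "read")])
    rbac.assign("carol", "helpdesk")
    print("RBAC carol reads user_db:", rbac.allows("carol", "user_db", "read"))
```

The practical difference shows up in revocation: in DAC every object's list must be edited, in RBAC one role assignment is removed, and in MAC nothing is edited at all because the decision follows from labels the administrator set system-wide.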

RC4 algorithm (Rivest Cipher 4 algorithm)
A symmetric stream cipher that uses variable-size keys (commonly 40 to 256 bits) to encrypt data. RC4 is much faster than DES but not as secure: its keystream has known statistical biases, and reusing a keystream (as WEP's short initialization vectors allow) exposes the XOR of the plaintexts.


renewed certificate
A certificate that has been reissued with a new validity period as it nears (or after it reaches) the end of its lifetime.

replay attack
A type of software attack in which an attacker captures (through eavesdropping or sniffing) network traffic, such as an authentication exchange, and stores it for retransmission at a later time to gain unauthorized access to a network.

revoked certificate
A certificate that has been designated as invalid before its expiration, for example because its private key was compromised. Revoked certificates are published on a Certificate Revocation List (CRL).

root CA
The most trusted CA in a CA hierarchy. The root CA is the top of the hierarchy and signs its own certificate. Root CAs issue certificates for subordinate CAs.

S/MIME (Secure Multipurpose Internet Mail Extensions)
A standard that prevents attackers from intercepting and manipulating email and attachments by encrypting and digitally signing the contents of the email using public key cryptography and X.509 certificates.

SA (Security Association)
The negotiated relationship between two computers using IPSec, including the algorithms and keys to be used. SAs are the result of a two-stage negotiation process: Phase 1 establishes the IKE SA that protects the negotiation itself, and Phase 2 establishes the IPSec SAs that protect the data.

scanning
The phase in which the attacker uses specific tools to map an organization's infrastructure and discover vulnerabilities. The attacker scans the target's border routers, firewalls, Web servers, and other systems that are directly connected to the Internet to see which services are listening on which ports and to determine the operating system and manufacturer of each system.

schema
The set of rules in a directory service that define how objects are created and what their characteristics (attributes) can be.

security baseline
A collection of security configuration settings that are to be applied to a particular type of system in the enterprise.

security templates
Text files that specify security settings in the areas of account policies, local policies, the event log, restricted groups, system services, and the Registry. They are used to apply a consistent set of security settings across multiple computers.

separation of duties
A policy under which no one individual or department owns all the responsibility for creating, managing, and enforcing security policy, so that no single person can subvert a control unnoticed.

session key
A symmetric key that is randomly generated, used for only one session, and then discarded.

SHA (Secure Hash Algorithm)
A hash algorithm modeled after MD5. The SHA-1 variant produces a 160-bit hash value and was long considered the stronger of the two; it too is now considered weak against collision attacks and has been succeeded by the SHA-2 family.

signature-based analysis
An IDS analysis method that compares network, host, or application activity in the data stream against a database of known attack signatures and raises an alert on a match.

smartcard
A device similar to a credit card that contains a user's private key (and usually the matching certificate). The user may or may not be required to enter a PIN or password to use the key on the smartcard.

SMB protocol (Server Message Block protocol)
A protocol that runs on top of transports such as TCP/IP, IPX/SPX, and NetBEUI, and is used to access shared network resources, such as files and printers.

Smurf attack
A type of DoS attack in which an ICMP echo request (ping) is sent to a network's broadcast address with the victim computer's address forged as the source, so that every host on that network answers the victim, flooding it with responses.

sniffing
See eavesdropping attack.


social engineering attack
A type of attack whose goal is to obtain sensitive data, including user names and passwords, from network users through deception and trickery rather than technical means.

software attack
A type of attack whose goal is to disrupt or disable the operating systems and applications running on the computers in your enterprise.

software exploitation attack
A type of software attack in which an attacker attempts to gain access to a system or to sensitive data by exploiting a flaw or feature in an application.

spyware
Code that is secretly installed on a user's computer to gather data about the user and relay it to a third party.

SSL (Secure Sockets Layer)
A security protocol that combines digital certificates for authentication with public key (typically RSA) encryption, which the two parties use to agree on a symmetric session key that then encrypts the traffic.

standard
A definition of how adherence to the policy will be measured.

stream cipher
A type of symmetric encryption that encrypts data one bit or byte at a time, combining each unit of plaintext with the next unit of a keystream derived from the key. These algorithms are relatively fast to execute, but the keystream must never be reused for two messages under the same key.
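RC4 is the stream cipher this glossary names; the following added example (not the course's code) implements it and shows the caveat in the stream cipher entry above: encrypting two messages with the same keystream lets anyone who knows one plaintext recover the other without the key. The 40-bit key and the two messages are constructed for the example; the self-test checks the implementation against the published vector for key "Key" and plaintext "Plaintext".

```python
"""RC4 as a stream cipher, and why a keystream must never be reused (added example)."""


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for `key` (1 to 256 bytes)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes (8..2048 bits)")
    # Key-scheduling algorithm (KSA): permute 0..255 under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR each data byte with the next keystream byte."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Keystream reuse: c1 XOR c2 == p1 XOR p2, so knowing p1 yields p2 with no key."""
    return xor_bytes(xor_bytes(c1, c2), p1)


def self_test() -> bool:
    """Published RC4 test vector: key "Key", plaintext "Plaintext"."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit key, as in "64-bit" WEP
    p1, p2 = b"GET /index.html", b"PUT /secret.txt"   # constructed messages
    c1, c2 = rc4(key, p1), rc4(key, p2)   # same key, same keystream: the mistake
    print("self test:", self_test())
    print("recovered p2:", recover_with_known_plaintext(c1, p1, c2))
```

A stream cipher is only as safe as its keystream management: WEP prepended a 24-bit per-packet IV to the shared key precisely to avoid this reuse, and the IV space was small enough that reuse happened anyway.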

subordinate CA
A CA below the root in the hierarchy. A subordinate CA can create another CA under it or can manage the day-to-day functions of certificate issuance, revocation, renewal, and expiration.

suspended certificate
A certificate that has temporarily been designated invalid for security purposes and can later be reinstated.

symmetric encryption algorithm
A cryptographic algorithm that uses a single key for both encryption and decryption. The key is sometimes referred to as a session key.

SYN flood
A type of DoS attack in which the attacker sends many SYN messages to begin TCP connections with a target host, often from forged source addresses, but never completes the handshakes, leaving half-open connections that exhaust the target's connection resources.
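Signature-based analysis applied to the two DoS patterns this glossary describes (SYN flood and Smurf), as an added example that is not from the course: a constructed packet log is parsed and two detection rules are run over it. The log format, the addresses, the thresholds, and the assumption that a destination ending in .255 is a directed broadcast (a /24 network) are all this example's choices.

```python
"""Signature-style detection of SYN floods and Smurf traffic over a packet log (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: one normal handshake, six half-open SYNs from forged
# sources, one directed-broadcast ping with the victim's address forged as
# the source, and the replies that then hit the victim.
SAMPLE_LOG = """\
# ts    proto src                   dst               info
0.010 tcp   203.0.113.5:51000     192.0.2.10:80     SYN
0.012 tcp   192.0.2.10:80         203.0.113.5:51000 SYN-ACK
0.014 tcp   203.0.113.5:51000     192.0.2.10:80     ACK
0.100 tcp   198.51.100.1:1025     192.0.2.10:80     SYN
0.101 tcp   198.51.100.2:1025     192.0.2.10:80     SYN
0.102 tcp   198.51.100.3:1025     192.0.2.10:80     SYN
0.103 tcp   198.51.100.4:1025     192.0.2.10:80     SYN
0.104 tcp   198.51.100.5:1025     192.0.2.10:80     SYN
0.105 tcp   198.51.100.6:1025     192.0.2.10:80     SYN
0.500 icmp  192.0.2.99            192.0.2.255       echo-request
0.501 icmp  192.0.2.11            192.0.2.99        echo-reply
0.501 icmp  192.0.2.12            192.0.2.99        echo-reply
0.502 icmp  192.0.2.13            192.0.2.99        echo-reply
0.502 icmp  192.0.2.14            192.0.2.99        echo-reply
"""


@dataclass
class Packet:
    ts: float
    proto: str
    src: str
    dst: str
    info: str


def parse_log(text: str):
    """Parse whitespace-separated records; skip blank lines and # comments."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, info = line.split(maxsplit=4)
        packets.append(Packet(float(ts), proto, src, dst, info))
    return packets


def half_open_connections(packets) -> Counter:
    """Count SYNs per destination that never got the client's final ACK."""
    pending = {}                                   # (src, dst) -> SYN timestamp
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.info == "SYN":
            pending[(p.src, p.dst)] = p.ts
        elif p.info == "ACK":
            pending.pop((p.src, p.dst), None)       # handshake completed
    return Counter(dst for (_, dst) in pending)


def detect_syn_flood(packets, threshold: int = 5) -> dict:
    """Destinations with at least `threshold` half-open connections."""
    return {dst: n for dst, n in half_open_connections(packets).items() if n >= threshold}


def detect_smurf(packets, min_reply_sources: int = 3) -> list:
    """Two signatures: an echo-request aimed at a directed broadcast address,
    and echo-replies converging on one host from many different sources."""
    alerts = []
    reply_sources = defaultdict(set)
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.info == "echo-request" and p.dst.endswith(".255"):   # /24 assumption
            alerts.append(("echo-request to broadcast", p.src, p.dst))
        elif p.info == "echo-reply":
            reply_sources[p.dst].add(p.src)
    for victim, sources in reply_sources.items():
        if len(sources) >= min_reply_sources:
            alerts.append(("echo-reply convergence", victim, len(sources)))
    return alerts


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("SYN flood:", detect_syn_flood(pkts))
    print("Smurf:", detect_smurf(pkts))
```

Both rules are signatures in the glossary's sense: they match a known pattern rather than a statistical deviation. The half-open count is what a SYN flood exhausts on the target, and the forged source address is why the broadcast echo-request appears to come from the victim itself.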

TACACS+ (Terminal Access Controller Access Control System Plus)
A protocol, developed by Cisco, for providing centralized authentication and authorization services for remote users. TACACS+ also supports multifactor authentication. (RFC 1492 describes the original TACACS; TACACS+ is a separate, incompatible protocol that was later documented in RFC 8907.)

takeover attack
A type of software attack in which an attacker gains access to a remote host and takes control of the system.

TLS (Transport Layer Security)
TLS version 1.0 provides a mechanism for two computers to verify each other's identity (authentication), to establish a secure, tamper-resistant channel for communication, and to encrypt data. It is derived from SSL 3.0 but differs enough that the two versions do not interoperate directly.

token
Text or numerical values presented in addition to user names and passwords to provide an added layer of authentication, typically a one-time code generated by a hardware or software token device the user possesses. In this course the term also covers a personal identification number (PIN) or a second, additional password.

Trojan horse
Malicious code that masquerades as a harmless file. When a user executes it, thinking it is a harmless application, it performs its hidden function, such as destroying and corrupting data on the user's hard drive.

trustee
An individual granted private key restoration rights and responsibilities.

virus
A sample of code that spreads from one computer to another by attaching itself to other files. The code in a virus corrupts and erases files on a user's computer, including executable files, when the file to which it was attached is opened or executed.


WAP (Wireless Application Protocol)
A protocol used to transmit data to and from wireless devices such as cell phones, PDAs, and handheld computers, sometimes over very long distances, for display on small screens.

wardriving
A popular way to find (and potentially gain unauthorized access to) wireless networks that involves simply driving in a car with a laptop and a wireless NIC until the NIC detects a wireless network, which according to some reports is very easy in large cities.

warez
(Pronounced "wares") Pirated software that is made available for download and general use. Servers that contain warez are called warez servers.

WEP (Wired Equivalent Privacy)
The original security mechanism for 802.11a and 802.11b wireless networks. It encrypts traffic with the Rivest Cipher 4 (RC4) algorithm using keys marketed as 64-bit, 128-bit, and (on some vendors' equipment) 256-bit, 24 bits of which are a per-packet initialization vector. WEP's short IVs and RC4 key-scheduling weaknesses make it breakable, and it has been replaced by WPA and WPA2.

white hat
A hacker who exposes security flaws in applications and operating systems so manufacturers can fix them before they become widespread problems.

worm
A piece of code that spreads from one computer to another on its own, not by attaching itself to another file. Like a virus, a worm can corrupt or erase files on your hard drive.

WTLS (Wireless Transport Layer Security)
The security layer of WAP and the wireless equivalent of TLS in wired networks.

X.509
An international standard defining the different components that make up a certificate.

zombies (or drones)
A program installed by an attacker on remote systems that is later triggered by a command from the attacker to launch a DoS attack. An attacker creates a DDoS attack by secretly installing zombie agents on multiple remote hosts and triggering them together.


INDEX

802.11a, 171

802.11b, 171

A

Acceptable Use Policy

See: AUP

AH protocol, 158

anomaly-based analysis, 290

ASET, 52

security levels, 53

asymmetric encryption, 156

attacker, 4

attacking, 271

audit attack, 21

AUP, 32

Authentication Header protocol

See: AH protocol

Automated Security Enhancement Tool

See: ASET

B

backdoor, 19

backdoor attack, 19

BCP, 258

black hat, 4

block cipher, 156

browser vulnerabilities, 181

brute force attack, 19

buffer overflow attack, 14

bulk encryption key, 159

Business Continuity Plan

See: BCP

C

CA, 198

backing up, 219

hardening, 212, 217

installing a hierarchy, 198

restoring, 222

CA hierarchy, 199

components, 199

implementation options, 201

installing, 201

certificate

destroying files, 239

enrollment process, 226

restoring, 248

suspending, 239

Certificate Authority

See: CA

certificate enrollment, 226

certificate life cycle, 214

expiration, 215

factors, 215

issuance, 215

renewal, 215

revocation, 215

certificate lifetime, 213

certificate management system, 198

certificate policy

See: CP

considerations, 212

certificate practice statement

See: CPS

certificate repository, 198

Certificate Revocation List

See: CRL

certificates

backing up, 242

enrolling for entities, 226, 227

renewing, 236, 237

restoring, 247

revoking, 238, 239

chain of custody, 255

ciphertext, 156

client internet access

securing, 181, 183

conferencing and messaging servers


hardening, 145, 146

corporate security policy, 31

corporate security policy compliance

enforcing, 252

CP, 212

CPS, 212

cracker, 4

CRL, 238

D

data encryption, 155

data integrity, 154

DDoS attack, 12

default security configuration attack, 16

DH algorithm, 159

DHCP servers

hardening, 87, 88

vulnerabilities, 87

digital certificates, 198

digital signature, 154

directory management tools, 81

directory services

example, 77

hardening, 77

hardening domain controllers, 80

vulnerabilities, 78

Disaster Recovery Plan

See: DRP

DNS and BIND

vulnerabilities, 105

DNS and BIND servers

hardening, 105, 106

documentation handling, 33

DoS attack, 12

drones, 13

DRP, 258

dual key pair, 212

due care, 31

E

eavesdropping attack, 6, 7

Also See: sniffing

email

vulnerabilities, 134

email security

PGP, 135

S/MIME, 135

email servers

hardening, 134, 136

employee security education process, 264

employee security responsibilities, 265

Encapsulating Security Payload protocol

See: ESP protocol

encryption, 155, 157

encryption algorithms, 155

enumerating, 271

ESP protocol, 158

ethical hack, 272

F

file and print servers

hardening, 90

file and printer server

hardening, 91

footprint, 271

footprinting, 271

FTP

vulnerabilities, 122

FTP server

hardening, 119, 123

G

guidelines, 31

H

hacker, 4

hacking process, 270

hardening, 37

application servers, 53

directory services, 76

hash value, 154

hashing algorithm, 154

hashing algorithms, 154

HIDS, 288

hijacking attack, 9

honeypot, 298

setting up, 298, 299

host-based IDS

See: HIDS

HTTPS, 233

Hypertext Transfer Protocol over SSL

See: HTTPS

I

IDS, 288

analysis methods, 290

components, 291

legal issues, 291

passive vs. active, 290


IKE, 159

incident response policy, 305

instant messaging

vulnerabilities, 145

Internet Explorer

security tools, 182

Internet Key Exchange

See: IKE

Internet Protocol Security

See: IPSec

Internet shopping, 214

internetwork connection devices

hardening, 98, 100

internetwork devices

vulnerabilities, 98

intruders

monitoring, 288, 292

intrusion detection system

See: IDS

IP spoofing, 8

IPSec, 154, 156

data integrity, 157

IPSec

security associations, 159

transport protocols, 157

IPSec default policies

Windows 2000, 160

Windows XP, 160

IPSec driver

Windows 2000, 160

Windows XP, 160

IPSec Policy Agent

Windows 2000, 160

issuing CA, 201

K

key escrow, 247

L

LDAP, 78, 81

legal compliance

enforcing, 254, 256

legal security compliance requirements, 255

Lightweight Directory Access Protocol

See: LDAP

logic bomb, 15

M

M of N scheme, 247

malicious code attack, 14

man-in-the-middle attack, 11

master key, 159

MD5, 154

message digest, 154

Message Digest 5

See: MD5

Microsoft Baseline Security Analyzer, 38

Microsoft IIS Lockdown tool, 112, 124, 131, 137

misuse of privilege attack, 18

mobile device vulnerabilities, 173

N

Network News Transport Protocol

See: NNTP

network traffic

securing using certificates, 232, 233

securing with IPSec, 154

network-based IDS

See: NIDS

NIDS, 288

NNTP

hardening, 130

O

offline CA, 201

operating system vulnerabilities, 35

NetWare 6, 36

Sun Solaris 9, 36

Windows 2000 Server, 35

Windows XP Professional, 35

organizational security policy

enforcing, 252

P

password attack, 18

PBX, 2

PGP, 135

physical resource

vulnerabilities, 258

physical resource vulnerabilities, 258

physical security compliance

enforcing, 258, 261

PKI, 198

implementation, 199

plaintext, 156

policy statement, 31

port scanning attack, 6


Pretty Good Privacy

See: PGP

private branch exchange

See: PBX

private key

replacing, 247

restoring, 247, 248

private key encryption, 155

private keys

backing up, 242

restoring, 247

private root CA, 200

procedures, 31

profiling, 271

public key encryption, 156

public root CA, 200

R

RA, 198

RADIUS, 100

RC4 algorithm, 173

registration authority

See: RA

regulated industries

requirements, 256

remote access

common ports, 192

remote access channel

securing, 190, 191

remote access vulnerabilities, 190

replay attack, 10

root CA, 200

security, 201

S

S/MIME, 135

SA, 159

scanning, 271

schema, 77

Secure FTP

See: SFTP

secure hash algorithm

See: SHA

Secure Multipurpose Internet Mail Extensions

See: S/MIME

Secure Shell

See: SSH

Secure Socket Layer

See: SSL

secure wireless traffic, 171

security and accessibility

balancing, 218

security association

See: SA

security baseline, 38

security incidents

responding, 305, 307

security infrastructure

scanning for vulnerabilities, 270

security policies

individual, 32

security policy

components, 31

security scans

types, 272

security templates

Windows 2000, 45, 46

Windows XP, 45, 47

security threats

identifying, 2

social engineering attack, 2

separation of duties, 32

Server Message Block protocol

See: SMB protocol

session key, 156

SFTP, 124

SHA, 154

signature-based analysis, 290

smart card, 213

SMB signing, 90

SMBRelay, 281

Smurf attack, 14

sniffing, 7

social engineering attack, 2

examples, 3

identifying, 2, 4

software attack

classifying, 22

software attacks

classifying, 6

software exploitation attack, 17

Solaris 9

ASET, 52

spyware, 181

SSH, 124

SSL, 232

standard, 31

stream cipher, 156


subordinate CA, 200

symmetric encryption, 155

SYN flood, 14

system hardening, 28, 37

base operating systems, 31

Windows 2000, 51

Windows XP, 49

T

TACACS+, 100

takeover attack, 20

TCP and UDP ports

vulnerabilities, 272

TLS, 233

Transport Layer Security

See: TLS

Trojan horse, 15

trustee, 247

U

unnecessary daemons, 44

unnecessary NLMs, 44

unnecessary services, 44

user

responsibility for security, 265

users

educating, 264

employee security education process, 264

V

virus, 15

vulnerabilities

scanning, 274

vulnerability scanning tools, 271

W

WAP, 171

wardriving, 173

warez, 122

Web server

security methods, 109

vulnerabilities, 110

Web servers

hardening, 109, 114

WEP, 173

white hat, 4

Windows XP, 160

Wired Equivalent Privacy

See: WEP

Wireless Application Protocol

See: WAP

wireless security

methods, 174

wireless traffic

securing, 175

Wireless Transport Layer Security

See: WTLS

worm, 15

WTLS, 173

Z

zombies, 13
