IT Security Countermeasures

Information Protection and Assurance (IPA)

The ten domains in the ISC2 CISSP Common Body of Knowledge (CBK):
  • 1. Access Control Systems & Methodology
  • 2. Applications & Systems Development
  • 3. Business Continuity & Disaster Recovery Planning
  • 4. Cryptography
  • 5. Law, Investigation & Ethics
  • 6. Operations Security (Computer)
  • 7. Physical Security
  • 8. Security Architecture & Models
  • 9. Security Management Practices
  • 10. Telecommunications & Network Security

The 7 domains in the SSCP Common Body of Knowledge (CBK):
  • 1. Access Controls (Authentication & Biometrics)
  • 2. Administration
  • 3. Auditing/Monitoring
  • 4. Risk, Response and Recovery
  • 5. Cryptography (and Encryption)
  • 6. Data Communications
  • 7. Malicious Code/Malware
  • “The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” —Sun Tzu, 6th Century BC General, in The Art of War

    Security and Encryption at Professor Michael Rappa's Digital Enterprise site (external link)

    About NT Security

    PKCS#'s

    Security Admin job description

    Open Source Security Test Manual from Idea Hamster.org

    National Strategy to Secure Cyberspace administered by the Department of Homeland Security

    SCADA (Secured distributed control systems)

    “Access denied.”

     

    Topics this page:

  • Defensive Strategies: Objectives, Goals, Approaches, Phases
  • Risk Analysis
  • Security Levels
  • Countermeasures
  • HTTPS/SSL/SGC
  • IIS Setup
  • Firewalls, Proxies
  • Authentication Methods & Protocols
  • Permissions
  • Trusts
  • Your comments???

    Symantec's Security Response Glossary

    Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin


    Related:

  • ITSec Pro Certs
  • Vulnerabilities
  • Cryptography & Encryption
  • Kerberos
  • IPSec
  • Why backup?
  • Windows 2000 Install, Configuration, Authentication & Policy Admin
  • Active Directory Trusts
  • Quality Management

    Defensive Strategies

      Objectives

    • Auditing and Monitoring -- Alarming and Reporting (of Availability)
    • Flexibility and scalability
    • Ease of use
    • Appropriate Total Cost of Ownership

      Goals of InfoSec (The CIA Triad)

    • Confidentiality (Sensitivity, Secrecy)
    • Integrity (Accuracy, Authenticity)
    • Availability (fault tolerance, Recovery)

      5 Security Services

      in the ISO 7498-2 Security Architecture:
      1. Authentication
      2. Authorization - Control Access to resources
      3. Data Confidentiality
      4. Data Integrity, including compliance
      5. Non-Repudiation (proof of origin and delivery)
      6. Physical vs. Electronic Controls

       

      Phases

      1. Planning
      2. Prevention
      3. Detection
      4. Response and Follow-up

    Risk Analysis

      Risk Expectation = Possible Extent of Loss   X   Probability of loss

      To reduce extent of loss:
    • Reduce the amount subject to loss (multiple independent locations, disconnect computers, etc.)
    • Minimize the impact of loss (transfer risk: buy insurance)
    • Or accept the consequences (self insure) where Attack Tree Analysis reveals low likelihood of attack or low payoff for attackers

      To reduce probability of loss:
    • Reduce the frequency with which errors can occur (single entry of data)
    • Control opportunities for errors to occur (add error-checking logic)
    • Eliminate threats (i.e. Adobe asking the FBI to arrest Dimitri, etc.)
    • Minimize vulnerabilities (“harden” exposed systems)

      Documentation

      A Policy is a high-level statement of beliefs, goals, and objectives, with a summary of the general means for attaining them.

      A Procedure defines the tasks and the sequence of steps of how policies are implemented.

      A Standard defines the basis for determining measurements of what is acceptable and what is excellence.

      A Guideline is a general statement of recommendations on how to achieve objectives. It provides a framework to implement procedures.

      Computer Security and Privacy Course by Dick Kemmerer of UCSB.

      Security and Privacy of Information Systems by Richard Baskerville of Georgia State.


    Security Levels

      The US “Orange Book” (part of the “Rainbow Series”), Trusted Computer Systems Evaluation Criteria (TCSEC), 1985 DoD Standard 5200.28, defines security levels.

      ITSEC/TCSEC classification, the security features required of the Target Of Evaluation (TOE), and actual ratings:

      D - Minimal Protection
        Features: none
        Rated: MS-DOS

      Discretionary Protection:
        F1/C1 - Minimal Protection
        F2/C2 - Controlled Access Protection
        Features:
        1. Identification and Authentication
        2. Discretionary Access Controls (DAC)
        3. Object Reuse
        4. Process isolation in System Architecture
        5. Audit
        6. Security Testing
        Rated: MS-Windows = C1, MS-Windows NT/2000 = C2

      Mandatory Protection:
        F3/B1 - Labeled Security
        F4/B2 - Structured Protection
        F5/B3 - Security Domains
        Features:
        1. Labels
        2. Mandatory Access Controls (MAC)
        3. Design Specification and Verification
        4. System Engineering in System Architecture
        5. Configuration Management
        6. Penetration Security Testing
        7. Trusted Facility Management
        8. Trusted Recovery
        Rated: B1 => IBM MVS/ESA/RACF, AT&T UNIX SysV/MLS, Secureware CMW+ v1

      Verified Protection:
        A1 - Verified Design
        Features:
        1. Formal Design Specification and Verification
        2. Formal Covert Channel Analysis Security Testing
        3. Trusted Distribution
        Rated: Honeywell SCOMP STOP Release 2.1

      Additional ITSEC functionality classes:
        F6 - high integrity systems (e.g. financial)
        F7 - high availability/mission critical systems
        F8 - high integrity data communications systems
        F9 - high confidentiality data communications systems
        F10 - high confidentiality and integrity networks

     

      Since 1996, the “International Common Criteria” standard for information security has been based upon the levels of security defined by the TCSEC (Trusted Computer System Evaluation Criteria) and upon ISO 15408, which is identical to International Common Criteria 2.1. It aims to unify the various regional security criteria, with SECMAN (security manuals) covering:

      1 - Security Policy
      2 - Industrial Security
      3 - Information System Security
      4 - Protective Security
      5 - Personnel Security
      6 - Project Security
      7 - Facility Security (Security Design and Construction Guidelines)

      European Information Technology Security Evaluation Criteria (ITSEC) document — developed by several European countries in 1991 and rewritten in 1999 as British Standard 7799 — defines specific controls such as the use of security policies and physical security measures to ensure confidentiality of data.

      The NSA and NIST joint Trust Technology Assessment Program (TTAP) defined Evaluation Assurance Levels (EAL) from 1 to 7 (the most secure).

      The Microsoft Windows NT 4.0 C2 Configuration Checklist lets you customize your own list by selecting items.

     
    Countermeasures to Minimize Vulnerabilities

      Security Mechanisms such as Encryption can be specific or pervasive.

      Reveal as little information about the system as possible.

      • Remove information about O/S, version, and available services provided by default (such as initial TCP window size -- the Stack Fingerprint).
      • Do not use implementation details in machine names (such as "exchange5server").
      • Disable DNS version queries. Some name server implementations respond to queries for the version of the name server software. This feature exists to support system administration and is not used in normal DNS transactions. Automated attack tools exist which exploit this feature to locate specific name server versions that are known to have exploitable vulnerabilities.
      • Lock up Emergency Repair Disks.
      • Lockout accounts after 4 attempts.
      • Program bogus IP addresses in outgoing email headers
      • Do not put personal information in ".plan" files on UNIX systems and .vcf address book entry files sent out with messages from Microsoft Outlook.
     

     

      Limit access

        On desktop machines:
        • Enable password-protected screen savers.
        • Use ACLs to block specific IP addresses.
        • Install a firewall (BlackICE).
        • Close ports opened by default during installation.
        • Filter out all but these ICMP messages:
          • ECHO type 0
          • ECHOREPLY type 8
          • TIME_EXCEEDED
      • Set hosts file properties to Read-Only. Here is an example of how the browser hijacker spotresults.com alters the hosts file so you end up at their site instead:

        207.36.196.189  auto.search.msn.com
        207.36.196.189  search.netscape.com
        207.36.196.189  ieautosearch
        
      • Use NAT (Network Address Translation) to hide one set of IP addresses used for internal traffic only while exposing a second set of addresses to external traffic.
      • Split DNS into internal DNS zone inaccessible to the public and an external zone containing data about hosts meant for public access.
      • Remove data about internal desktops, servers, or network hardware from external zone data.
      • To prevent scanners from "walking" the DNS maps by trying every IP address in succession (issuing a gethostbyaddr() call for each address and recording the responses), permit zone transfers only between the primary and designated secondary DNS servers: enable access control in the name server software and restrict inbound access to TCP port 53 at the egress router between a name server and the external network.
      • To defend against spoofed RIP packets, set routers to reject any packets containing the Loose Source Routing option flag. There is very little legitimate need for this option outside of network debugging.
      • Configure firewall routers to accept only routes legal on a given wire.
      • Use one-time passwords.
      • Invoke password complexity rules to ensure use of strong passwords. On Windows 2000, enable the setting through a Group Policy Object [Q225230]. This uses Microsoft's Passfilt.dll, also available on NT4 SP2; on NT4 a registry key must be set after installing it [Q161990].
      • Encrypt backups
      • Put certificates, such as syskey, on removeable media such as diskettes or SmartCards which require local physical access.
      • Set sensitive data, such as Tripwire configuration files, with read-only attributes and store them in read-only folders.
      • Lockout the Administrator account after 2 unsuccessful logon attempts.
      • Block outgoing ICMP echo-reply and destination-unreachable messages in routers. An ICMP Redirect tells the recipient system to over-ride something in its routing table. It is legitimately used by routers to inform hosts of non-optimal or defunct route (such as to the wrong router). The wrong router sends the host back an ICMP Redirect packet that tells the host what the correct route should be. By forging ICMP Redirect packets accepted by a target host, an attacker can alter the routing tables on the host, causing traffic to flow via a path the network manager didn't intend. This is how users of a bank site could end up at a rogue site which requests passwords and account numbers just like the real site.
      • On a Windows system, move executable tool files out of the system32 directory and place them in a directory with secure permissions:
        xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe, arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe, posix.exe, rsh.exe, atsvc.exe, qbasic.exe, syskey.exe, cacls.exe, ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe, rdisk.exe, debug.exe, regedt32.exe, regedit.exe, edit.com, netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe, tftp.exe

        This technique requires disabling Windows File Protection.
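      The hosts-file hijack shown above can be caught mechanically. The following is an added example (not code from the original page) that parses hosts-file text and flags two signatures: watch-list names that a desktop should resolve through DNS but that have been overridden locally, and several unrelated names all pinned to one routable address. The sample file and the watch list are constructed for the example.

```python
"""Detect hosts-file hijacks of the kind shown above (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample hosts file, modelled on the spotresults.com entries above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
207.36.196.189  auto.search.msn.com
207.36.196.189  search.netscape.com
207.36.196.189  ieautosearch
192.168.1.10    intranet.example.local   # legitimate internal alias
"""

# Assumed watch list: names a browser looks up on its own, which an
# attacker would want to redirect. Extend for your environment.
WATCHED_NAMES = {
    "auto.search.msn.com",
    "search.netscape.com",
    "ieautosearch",
}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a production checker would report it
        for name in fields[1:]:
            yield ip, name.lower()


def find_watched_overrides(text, watched=WATCHED_NAMES):
    """Return [(hostname, ip)] for watch-list names that are overridden locally."""
    return [(name, str(ip)) for ip, name in parse_hosts(text) if name in watched]


def find_shared_targets(text):
    """Return {ip: [names]} for routable addresses that two or more names share.
    Loopback and private addresses are ordinary local aliases and are ignored."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_private:
            continue
        by_ip[ip].add(name)
    return {str(ip): sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    for name, ip in find_watched_overrides(SAMPLE_HOSTS):
        print(f"override: {name} -> {ip}")
    for ip, names in find_shared_targets(SAMPLE_HOSTS).items():
        print(f"shared target {ip}: {', '.join(names)}")
```

      Run it against the contents of %SystemRoot%\system32\drivers\etc\hosts (or /etc/hosts); any routable address shared by unrelated names deserves a look even if none of them is on the watch list.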

     

     

      Disable unnecessary services on all computers

      Physical access:
      • Disable floppy drives and removeable media to unauthorized users
      • Disconnect or remove modems when not in use.
      Desktop apps:
      • Windows Media Player
      • Microsoft Outlook "Automatically add addressee to address book"
      • Microsoft Word/Excel macro execution.
      IIS web servers:
      • ISAPI mapping
      • Active server pages (.asp)
      • Index server web interface (.idq, .htw, .ida)
      • Server Side Includes (.shtml, .shtm, .stm)
      • Internet data connector (.idc)
      • Internet printing (.printer)
      • .htr scripting (.htr)
      • Sample web files
      • Scripts virtual directory
      • WebDAV
      • Disable parent paths using the IIS administration tool, so that requests such as http://www.exair.com/samples/showcode.asp?file=../../../boot.ini cannot climb out of the web root.
      • Set file permissions to prevent IIS anonymous user from executing system utilities or writing to content directories.

      • IIS5 Checklist from Microsoft, such as LDAP with HTTPS
      • Turn off “AutoShare” of hidden shares on D$, etc.
      Configure Exchange server to stop email relays:
      • Testing: http://www.mail-abuse.org

      Use strong authentication to access internal services

      Educate users and management

      • Define a Security Policy [RFC 2196, Site Security Handbook]. Categorize resources into levels of importance:
          I. Critical systems central to business operation, containing data needing high integrity, such as email, DNS, SQL servers.
          II. Significant systems needed but not critical.
          III. Routinely Essential systems which would not stop the organization.

        This determination is used to justify Service Levels (another page on this site).

      • Educate users about social engineering exploits (such as calling users and asking for their login and passwords under the guise of some official capacity).
      • Publish security policies
      • Separate applications from data using different folders and drives/partitions
     

      List all services on computer COMPx using the Resource Kit utility netsvc, which runs across the network to display both the driver name and the display name, as well as both services and devices:
        netsvc \\COMPx /list

      Use the Service Controller tool to list process types and status for each service:
        sc query type= service

      Unregister server service filespy:
        Delsrv filespy

      Two-factor authentication

      Fortezza (Italian for “fortress") PCMCIA Crypto cards developed by the NSA for two-factor authentication are supported by IIS5.

      Tools to check configuration settings:

    • Eeye's Retina Security Analyzer
    • Intrusion.COM's Kane Security Analyst
    • PGP Security CyberCop Scanner from NAI
    • ISS Internet Scanner, a higher-end tool than the free version on Microsoft's W2K Reskit \Apps\Systemsscanner.

      PC Magazine Nov 2000 article on security scanners

     
    Auditing and Monitoring

      Continually monitor and fine-tune the security infrastructure.

      • Use password cracking programs and alert users who craft poor passwords.
      • Use host policy scanners to confirm compliance (such as the latest patches being installed).
      • Detect remote registry browsing by turning on auditing in HKLM\Security.
      • Install agents to periodically request the website to verify availability.
      • Install a Network Intrusion Detection System (NIDS) such as NukeNabber to detect port scans and attempts from outside the firewall (more at an external site).
      • Install a host-based Intrusion Detection System to flag suspicious activities inside the firewall (such as the long string of x86 NOOPs Dragon leaves in the control connection).
      • Install signature verification software to detect changes to files.
      • Detect reverse-DNS lookups when logging traceroute requests.
      • Find patterns in logs using grep or a regular expression.
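      Finding patterns in logs with a regular expression, applied to the lockout thresholds given in the countermeasures above (2 bad attempts for Administrator, 4 for everyone else). This is an added example, not code from the original page: the one-line-per-event log layout is constructed (it is not the native Windows event-log format), and the 30-minute observation window is an assumption. A successful logon clears the running count, as a lockout counter normally does.

```python
"""Scan a logon log for accounts reaching their lockout threshold (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not a real Windows event format).
SAMPLE_LOG = """\
2001-03-14 09:12:01 FAILED_LOGON user=jsmith src=10.0.0.5
2001-03-14 09:12:04 FAILED_LOGON user=jsmith src=10.0.0.5
2001-03-14 09:12:09 LOGON user=jsmith src=10.0.0.5
2001-03-14 09:30:00 FAILED_LOGON user=Administrator src=10.0.0.99
2001-03-14 09:30:03 FAILED_LOGON user=Administrator src=10.0.0.99
2001-03-14 10:01:00 FAILED_LOGON user=bjones src=10.0.0.7
2001-03-14 10:01:02 FAILED_LOGON user=bjones src=10.0.0.7
2001-03-14 10:01:05 FAILED_LOGON user=bjones src=10.0.0.7
2001-03-14 10:01:08 FAILED_LOGON user=bjones src=10.0.0.7
2001-03-14 13:00:00 FAILED_LOGON user=kwu src=10.0.0.8
2001-03-14 14:00:00 FAILED_LOGON user=kwu src=10.0.0.8
2001-03-14 15:00:00 FAILED_LOGON user=kwu src=10.0.0.8
2001-03-14 16:00:00 FAILED_LOGON user=kwu src=10.0.0.8
"""

# Assumed line layout: timestamp, event, user=, src=.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>FAILED_LOGON|LOGON) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def lockout_threshold(user):
    """Bad-attempt count at which the account should lock (values from the page)."""
    return 2 if user.lower() == "administrator" else 4


def find_lockout_candidates(log_text, window_minutes=30):
    """Return [(user, time_reached, [sources])] for each account whose failed
    logons within the window reach its threshold. A successful logon resets
    the account's count; each account is reported once per streak."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> deque of (timestamp, source)
    flagged = set()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an event line we understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user, src = m["user"], m["src"]
        attempts = recent[user]
        if m["event"] == "LOGON":
            attempts.clear()
            flagged.discard(user)
            continue
        attempts.append((ts, src))
        while attempts and ts - attempts[0][0] > window:
            attempts.popleft()           # drop attempts older than the window
        if len(attempts) >= lockout_threshold(user) and user not in flagged:
            flagged.add(user)
            hits.append((user, m["ts"], sorted({s for _, s in attempts})))
    return hits


if __name__ == "__main__":
    for user, when, sources in find_lockout_candidates(SAMPLE_LOG):
        print(f"{when} {user} reached lockout threshold from {', '.join(sources)}")
```

      In the sample, jsmith fails twice and then succeeds, so nothing is reported; Administrator is reported at the second failure, bjones at the fourth. kwu fails once an hour, which a 30-minute window never catches; widening the window (the second parameter) to a few hours does, which is the trade-off between catching slow guessing and flagging ordinary typing mistakes.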

      Plan (and test) responses to attack

      • Logging, evidence gathering
      • Predetermine countermeasures. For example, use Checkpoint's “OPSEC" standard and their Suspicious Activity Monitoring Protocol (SAMP) to dynamically configure firewalls.
      • Counterstrike (disable attacking host)

      Honeypots

      (using NFR's Back Officer Friendly) to piss off hackers. (In my opinion, this is not a good idea.)

      Set alarms

      • Set flag CRYPT_USER_PROTECT to notify the key owner when an application attempts to use the owner's private key.
      • Carvdawg's Startup.pl Perl script checks for suspicious entries in the startup configuration of local and remote NT systems, in all locations (i.e. files, directories, and Registry keys). Executables linked to can be 'fingerprinted' using MD5 hashes as an extra step to ensure that the files haven't been overwritten by something very, very bad.

      Forensics

    • incident-response.org
    • Danny Mares Tools
    • AccessData's FTK
    • NTI tools
    • EnCase
    • Forensic Toolkit
     

     
    Action Analogies: Physical & Electronic Countermeasures

      Category            | Physical control                                                        | Electronic counterpart
      Advertisement       | Company name and phone number are listed in the public phone book       | DNS name and IP address populated in the Whois database of DNS entries
                          | Company lists a PO Box                                                  | Network Address Translation
                          | Company operator does not give out employee direct extensions           | Contact info hidden from public Whois queries
      Authentication      | Guard asks visitors to sign in at the front door                        | Visitors asked to register before viewing website
                          | Guest shows guard a printed invitation to the party                     | Presentation of credentials
                          | Guard checks IDs at doors                                               | Verification of credentials
                          | Guard verifies who's on the guest list                                  | Certificate Authority and credentials store
                          | Guard does not stop those he recognizes                                 | Single Sign On
                          | Guard rejects vagrants and ex-employees                                 | Inbound firewall
                          | Badges are dated                                                        | Time To Live
                          | Badges are color coded (group coding)                                   | Group and role based permissions
      Authorization       | Visitor badge issued by guard                                           | User ID with limited permissions
                          | Visitor gets bathroom key from guard                                    | Security tokens for Security Associations
                          | Executive gets keys to the Executive Bathroom                           | Elevated privilege granted
      Access              | Doors are locked                                                        | Passwords are applied
      Content             | Guard inspects packages coming in                                       | Inbound content monitoring/filtering
                          | Shipments are sealed                                                    | Encryption
                          | Guard collects an authorization form for packages leaving the building  | FTP log
      Intrusion Detection | Guard looks at monitors from cameras                                    | Logging
      Audit               | Scan video tapes                                                        | Log analysis
                          | Employee exit                                                           | Log closeout analysis

    Roles for Security Policy

     

     
    HTTPS on the Client

      When processing online purchasing (credit card numbers) or private information (social security numbers or birthdates, etc.), encrypt information between computers over the World Wide Web by using the Hypertext Transfer communications Protocol (HTTPS) instead of HTTP.

      Here's an example of the HTML coding presented to the client browser (Microsoft® Internet Explorer 3.0 or later):

        <A href="https://example.company.com"> HTTPS Example Link </A>

      When a browser sends a "https://" URL, it tells IIS to open an SSL-encrypted session.

      SSL creates an intermediate layer between the upper-level HTTP and the lower-level TCP/IP. Web browsers and Web servers make calls and requests directly to the SSL, which manages the task of setting up a secure communications channel and passing or receiving information from TCP/IP.

      SGC

      Server Gated Cryptography extends SSL to bring browsers operating at 40-bit encryption to 128 bit.

     



    WinInet API For Windows CE

      From Microsoft on How to Make SSL Requests Using WinInet (Article 168151)

    When using WinInet (Win32 Internet Functions) APIs:

    • HTTPS invokes the Private Communications Technology (PCT) / Secure Socket Layer (SSL) encryption protocol on a secure server, provided by Schannel.dll.

    • InternetConnect for HTTPS uses INTERNET_DEFAULT_HTTPS_PORT (TCP port 443) instead of INTERNET_INVALID_PORT_NUMBER or INTERNET_DEFAULT_HTTP_PORT

    • HttpOpenRequest uses the INTERNET_FLAG_SECURE option.

    Activewin's excellent Step-by-Step Guide to Setting up a Certificate Authority

    Excerpted from Internet Security with Windows NT by Mark J. Edwards

    Untangling Web Security: Getting the Most from IIS Security (TechNet on-line article)

    Microsoft's Security Site offers a Checklist for IIS 4.0 (download Checklist.exe, which self-extracts into two Checklist.htm files).

    The Windows NT Security Site

    The Microsoft Internet Information Server 3.0 (70-77) and 4.0 (70-87) Certification Exam Page

    Setting Up HTTPS SSL on IIS

      SSL uses public key cryptography to securely generate and exchange a commonly-held key (the session key) that is then used for symmetric encryption. Therefore, SSL features require a server certificate to be obtained from a Certificate Authority (such as VeriSign). The certificate is for a particular IP address : port number combination.
      Secure Sockets Layer (SSL) Options (Article Q172023)

      To enable SSL on IIS:

      1. Generate a request file with a security key pair file.
      2. Request a digital certificate from a Certification Authority.
      3. Install the certificate on your IIS server.
      4. Activate SSL security on your IIS server.

      From the Internet Services Manager (ISM), use the IIS Key Manager to build the key pair information files you use to apply for a digital certificate.
      How to Create and Install an SSL Certificate in IIS 4.0 (Article Q228991)

      Mark J. Edwards offers this list of fields in the dialog box:
      Key Name Name of the key pair you are creating.
      Password Password used to encrypt the private key (use long passwords).
      Bits Number of bits for the key pair. The default is 1,024 bits; I highly recommend using this setting.
      Organization Your company name or your own name.
      Organizational Unit Name of the division of your company.
      Common Name Internet domain name of your server.
      Country Two-letter abbreviation, such as US, UK, AU, or JP.
      State/Province Your state or province, such as Texas or Alberta.
      Locality Complete name of your city, such as Houston.
      Request File Name of the file you are creating.

      Use the IIS Key Manager to install the certificate to bind the certificate to the Web site.
      Installing a New Certificate for Use in SSL/TLS (Article Q228836) (for use with smart cards and calling routers)

      Activate SSL on IIS by configuring the Directories properties using the Internet Service Manager. Key-length (128 or 40) can be set in the Secure Communications dialog box. If you select the Require Secure Channel when accessing this resource option,




    Accessing Security Protocols

    RSA corporation (RSA is an acronym from the last names of its three founders: Ron Rivest, Adi Shamir, and Leonard Adleman).

    More about SSL

    "Insurgency on the Net" CNN's Report

    Alternatives to HTTPS

      Secure Sockets Layer (SSL) versions 2.0 and 3.0 are the most widely-used method of creating secure transactions on the Web today.

      Using SSL (Secure Socket Layer) with the https: protocol makes it more difficult to read private messages intercepted over the wire.

      It's appropriate to use whenever one or both parties do not want information shared with others. Examples include information possibly used to establish authentication, such as Social Security number, date of birth, mother's maiden name, credit card numbers, or even phone numbers and addresses.

      SSL protects messages by encrypting them for transmission.

      SSL is NOT appropriate where information is already offered freely, such as RFC documents intended for open dissemination or documents which the authors can't get to enough people. Why would someone go through the trouble of intercepting messages when it's easily available?

      SSL is often not appropriate because there is computing overhead with SSL connections. This means a more expensive system that's more difficult to maintain for the provider and a slower application for the user. One compromise some developers use (especially for Intranet applications) is to employ SSL connections for logon and password change functionality, then drop down to regular HTTP exchanges for all other transactions.

      Alternatives are:

      • Client certificates which map to Windows NT user accounts.
      • Server Gated Crypto (SGC) security protocols

      Non-Microsoft SSL implementations on Java


    Firewalls and Proxies

      Modern firewalls use a hybrid of 3 main firewall technologies working at the Network layer:

      • Proxy firewalls are also called application gateways.

        NAT [RFC 1631]

      • Stateful inspection firewalls are also called dynamic packet filtering. They are application.

      Configure Packet Filtering

      Packet Filter routers selectively deny or allow the routing of packets between trusted and untrusted networks based on a site's security policy stored in Access Control Lists (ACL). Screening is based on source and destination address and ports in IP (not UDP) Headers.

      To get Windows 2000 to filter incoming (not outgoing) TCP, IP, and UDP packets, use the “Advanced TCP/IP Settings” GUI “Options” tab.

      To get Windows 2000 to filter incoming ICMP packets, use the “Routing and Remote Access” MMC.
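      The packet-filter rules described in words above and in the "Limit access" list (permit only listed ICMP types, allow TCP port 53 to the name server only from the designated secondary, reject packets carrying the Loose Source Routing option, deny by default) as an executable ACL evaluator. This is an added example, not code from the original page or from any firewall product: the addresses, rule order and sample packets are constructed, and the ICMP type numbers are the IANA assignments (echo reply 0, echo request 8, time exceeded 11, redirect 5).

```python
"""Evaluate inbound packets against a small access-control list (added example)."""
import ipaddress

# Constructed topology using RFC 5737 documentation ranges.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
NAME_SERVER = ipaddress.ip_address("192.0.2.53")
SECONDARY_DNS = ipaddress.ip_address("198.51.100.53")   # designated off-site secondary

# IANA ICMP type numbers; the filter permits only these three.
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11
ALLOWED_ICMP_TYPES = {ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED}


def decide(pkt):
    """Return (verdict, rule) for a packet arriving on the external interface.

    pkt is a dict with src, dst, proto ('tcp' | 'udp' | 'icmp'), dport (tcp/udp)
    or icmp_type (icmp), and an optional loose_source_route flag. Rules are
    evaluated top to bottom; the first match wins; the last rule denies all.
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    proto = pkt["proto"]

    if pkt.get("loose_source_route"):
        return "deny", "loose source routing option set"
    if src in INTERNAL_NET:
        return "deny", "internal source address on external interface (spoof)"
    if proto == "icmp":
        if pkt["icmp_type"] in ALLOWED_ICMP_TYPES:
            return "allow", "permitted icmp type"
        return "deny", "icmp type not permitted (e.g. redirect)"
    if proto == "tcp" and dst == NAME_SERVER and pkt["dport"] == 53:
        if src == SECONDARY_DNS:
            return "allow", "zone transfer from designated secondary"
        return "deny", "tcp/53 only from designated secondary"
    if proto == "udp" and dst == NAME_SERVER and pkt["dport"] == 53:
        return "allow", "dns query"
    return "deny", "default deny"


# Constructed sample traffic, one packet per rule of interest.
SAMPLE_PACKETS = [
    {"src": "203.0.113.7", "dst": "192.0.2.53", "proto": "udp", "dport": 53},
    {"src": "203.0.113.7", "dst": "192.0.2.53", "proto": "tcp", "dport": 53},
    {"src": "198.51.100.53", "dst": "192.0.2.53", "proto": "tcp", "dport": 53},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": ICMP_ECHO_REQUEST},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 5},   # redirect
    {"src": "192.0.2.99", "dst": "192.0.2.10", "proto": "tcp", "dport": 25},         # spoofed source
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "loose_source_route": True},
]


def filter_packets(packets):
    """Return the list of verdicts, one per packet, in input order."""
    return [decide(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, rule = decide(p)
        print(f"{verdict:5} {p['proto']:4} {p['src']} -> {p['dst']}  ({rule})")
```

      The order matters: the source-routing and anti-spoofing checks come before any allow rule so that a permitted service cannot be reached by a packet that is already suspect.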

      Encapsulation

      The concept of encapsulation makes use of a fundamental principle of the TCP/IP protocol. On the sending end, each layer in the ISO model adds a header to the "payload" it receives. On the receiving end, headers at each level are stripped away to obtain content from the sending peer level.

      The processor at each layer does not examine the contents of packets it receives. This allows VPN packets to be *encapsulated* (or encased) within any other packets of data.

      This is why, when you install VPN as a Communications component on Windows 98 (from Add/Remove Programs), you select “Microsoft VPN Adapter" as the connection device. This device, in turn, accesses the modem. This is also why Windows 95 is upgraded for VPN with the “Dial-up Networking 1.3" upgrade downloadable from Microsoft.

      This technique is not new. NetBIOS and IPX packets are also encapsulated for transmission over IP networks. Only one IPX network ID is used by all VPN clients.

      Encapsulation makes use of a *tunneling* protocol. The first tunneling protocol was based on the most widely used protocol for remote access to the Internet: the Point-to-Point Protocol (PPP) [RFC 1547, 1661]. Windows NT 4 and Windows 98 use the Point to Point Tunneling Protocol (PPTP) (using 128 ports) to encapsulate PPP packets using a modified version of the GRE (Generic Routing Encapsulation) protocol 47 over port 1723. So one disadvantage of VPN is that the firewall needs to have this path open (providing another possible door of attack).

      Voluntary tunnels are configured and created through a conscious action by the user at the tunnel client computer. Compulsory tunnels are configured and created automatically for users without their knowledge or intervention.

      Do this! To configure PPTP for inbound VPN connections, use the Routing and Remote Access MMC wizard.
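      The encapsulation described above, built and unwrapped in code. This is an added example, not code from the original page or from Microsoft's PPTP implementation: a PPP frame (here an opaque byte string) is wrapped in a GRE header and then in an IPv4 header whose protocol field is 47. A stateless filter on the path sees only the outer header, which is the "door" the text refers to; only the tunnel endpoint strips the layers and recovers the frame. The GRE header is the basic RFC 1701 form (PPTP's enhanced GRE adds key and sequence fields, omitted here); addresses and payload are constructed.

```python
"""Build and unwrap a GRE-over-IPv4 tunnel packet to show encapsulation (added example)."""
import ipaddress
import struct

IP_PROTO_GRE = 47        # IANA protocol number for GRE
GRE_PROTO_PPP = 0x880B   # GRE protocol type used for PPP payloads


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words.
    Over a header that already carries a valid checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)   # fold carries back in
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=1):
    """20-byte IPv4 header, no options, checksum filled in."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,   # checksum placeholder 0
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def encapsulate(src, dst, ppp_frame):
    """Wrap a PPP frame as [IPv4 proto 47][GRE, type 0x880B][PPP frame]."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_PPP)   # no flags, version 0
    inner = gre + ppp_frame                            # GRE layer does not look inside PPP
    return ipv4_header(src, dst, IP_PROTO_GRE, len(inner)) + inner


def outer_view(packet):
    """All a stateless filter sees: (src, dst, protocol number)."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9]


def decapsulate(packet):
    """Strip the IPv4 and GRE headers, checking each layer, and return the PPP frame."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:
        raise ValueError("bad IPv4 header checksum")
    if header[9] != IP_PROTO_GRE:
        raise ValueError("not a GRE packet")
    total_len = struct.unpack("!H", header[2:4])[0]
    _flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto_type != GRE_PROTO_PPP:
        raise ValueError("GRE payload is not PPP")
    return packet[ihl + 4:total_len]


if __name__ == "__main__":
    frame = b"\xff\x03\x00\x21" + b"constructed PPP payload"   # PPP header + data
    pkt = encapsulate("203.0.113.5", "192.0.2.17", frame)
    print(outer_view(pkt))
    print(decapsulate(pkt) == frame)
```

      The point for the firewall administrator is visible in outer_view: every tunnelled packet, whatever it carries, presents the same source, destination and protocol 47, so a rule that opens that path opens it for any inner traffic.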

     

     
    Authentication

      Authentication is the process where a network user establishes a *right to an identity* -- the right to use a *name*. The goal is to verify that you are not dealing with an imposter. Authentication implements Access Control.

      Authentication Mechanisms

      1. Proving what you know -- password.
      2. Showing what you have -- smart cards
      3. Demonstrating who you are -- biometrics.
      4. Identifying where you are -- call back phone number or IP address.

      The program that presents the logon box is Winlogon (the Net Logon service) running in the Local Security Authority (LSA) process. The LSA authenticates accounts by examining credentials such as a password to a valid account. Security rules are enforced by the Security Reference Monitor running in kernel mode, where user intervention cannot occur.

      Single-sign-on is possible because in Windows 2000, any user or computer daemon that can initiate action is a security principal. Security principals establish a context for their actions by presenting credentials from a security authority that is trusted by the LSA on the computer where the principal intends to act.

      Interfaces

      Windows 2000 supports several interfaces to security providers.

      Security Support Provider Interface (SSPI) and its Security Support Providers (SSPs):
      • Kerberos v5 (another page on this site)
      • NTLM
      • Schannel
      • Other

      Applications that use them:
      • RPC for DCOM apps
      • HTTP for Web-based apps
      • Firewalls for Directory-Enabled apps
      • Smart Card Service Provider (SCSP)
      • Cryptographic Service Provider
      • Other apps

      NTLM

      NT4's NTLM v1 authenticates one-way: only the server authenticates clients.
      NT4 SP4's NTLMv2 and Windows 2000's Kerberos v5 are two-way: client and server mutually authenticate to prevent impersonation.

      Mechanisms Supported by IPSec

      • Kerberos v5 (another page on this site) establishes two-way transitive trusts (the default between two Windows 2000 domains in the same forest)
      • Trusted Public Key Certificate Authorities
      • Microsoft Certificate Server
      • Pre-shared Key

      The Windows Internet Authorization Service (IAS) is Microsoft's version of a RADIUS server, which can integrate with UNIX TACACS.

      The Order in which IIS5 attempts to Authenticate

      IIS tries anonymous access first; only if that is disabled or denied does it challenge the browser with the other enabled schemes.
      1. Anonymous Access by external users (those without a Windows account): IIS impersonates the IUSR_computername account, so that account's NTFS permissions bound what anonymous visitors can reach.
      2. Basic Authentication (HTTP 1.0) sends the username and password Base64-encoded. Base64 is an encoding, not encryption: anyone on the path can decode it, so use Basic only inside an SSL/TLS session.
      3. Digest Authentication, an HTTP 1.1 feature, is supported by Internet Explorer 5.0 or later. It sends an MD5 hash of the password combined with a server nonce rather than the password itself, and works only with Windows 2000 domain accounts because the server recomputes the hash from the password that Active Directory stores with reversible encryption.
      4. Integrated Windows Authentication (NTLM or Kerberos) never sends the password in recoverable form, but generally does not work across proxy servers.
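      As an added example, not from this page, the Python below shows both sides of the two HTTP schemes above: decoding a Basic header (which makes the "Base64 is not encryption" point concrete) and building and verifying an RFC 2617 Digest response with qop=auth. The realm, nonce, cnonce, user name and password are constructed for the demo; a real server must also check that the nonce is one it issued recently, which is left out here.

```python
import base64
import hashlib
import hmac
import re
from typing import Callable, Dict, Optional, Tuple


def encode_basic(user: str, password: str) -> str:
    """Client side of Basic: 'user:password', Base64-encoded. Encoding only; anyone can reverse it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str) -> Tuple[str, str]:
    """What a sniffer (or the server) does with an Authorization: Basic header."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 request-digest with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5hex(f"{user}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(user, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """Client side: answer the server's WWW-Authenticate challenge (realm, nonce, qop=auth)."""
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> Dict[str, str]:
    """Split the comma-separated, optionally quoted Digest parameters into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: quoted or bare for k, quoted, bare in _PARAM.findall(params)}


def verify_digest(header: str, method: str, lookup: Callable[[str, str], Optional[str]]) -> bool:
    """Server side. It needs the cleartext password (or a stored HA1) to recompute the digest,
    which is why IIS Digest works only with AD accounts whose passwords are reversibly encrypted.
    The method is taken from the actual request, not the header, so a digest made for GET cannot authorize a POST."""
    p = parse_digest(header)
    password = lookup(p["username"], p["realm"])
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password, method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])


# Constructed sample values (assumed, not from a real server).
USERS = {"alice": "s3cret"}
BASIC_SAMPLE = "Basic YWxpY2U6czNjcmV0"  # 'alice:s3cret', as a sniffer would see it
DIGEST_SAMPLE = build_digest_header("alice", "intranet", "s3cret", "GET", "/secure/",
                                    "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")


def demo() -> tuple:
    return decode_basic(BASIC_SAMPLE), verify_digest(DIGEST_SAMPLE, "GET", lambda u, r: USERS.get(u))


if __name__ == "__main__":
    print(demo())
```

      Digest keeps the password off the wire, but the sniffed header still gives an attacker everything needed to test password guesses offline against the response, so a strong password policy matters as much as the scheme.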

     

      Biometrics

      Failure to acquire happens when the biometric unit can't get enough information to decide.

      A website external to this site Panasonic/Iridian Technologies' $240 Authenticam analyzes the pattern in a user's iris from about a foot away. It has the best CER of the devices listed here, 0.5%, better than retina scanners.

      Reminder The Crossover Error Rate (CER) is the point when the FAR -- False Acceptance (of imposters) Rate crosses over the FRR -- False Reject (of good guys) Rate.
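      As an added example, not from this page, the Python below computes FAR, FRR and the crossover point from constructed matcher scores, treats samples the sensor could not capture as failures to acquire rather than rejections, and shows the trade-off a deployer makes by picking a threshold with a FAR ceiling instead of the CER. The scores are made up; a real evaluation uses thousands of attempts.

```python
from typing import List, Optional, Sequence, Tuple

# Constructed matcher scores (1.0 = perfect match). None means the sensor could not
# capture a usable sample: a failure to acquire, which is not a false rejection.
GENUINE: List[Optional[float]] = [0.95, 0.90, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.65, 0.60, None]
IMPOSTOR: List[Optional[float]] = [0.10, 0.20, 0.30, 0.35, 0.40, 0.50, 0.55, 0.62, 0.68, 0.72]


def failure_to_acquire_rate(samples: Sequence[Optional[float]]) -> float:
    """Fraction of attempts where no decision was possible."""
    return sum(s is None for s in samples) / len(samples)


def error_rates(genuine: Sequence[Optional[float]], impostor: Sequence[Optional[float]],
                threshold: float) -> Tuple[float, float]:
    """FAR: impostors scoring at or above the threshold are wrongly accepted.
    FRR: genuine users scoring below it are wrongly rejected. Unacquired samples are excluded."""
    g = [s for s in genuine if s is not None]
    i = [s for s in impostor if s is not None]
    far = sum(s >= threshold for s in i) / len(i)
    frr = sum(s < threshold for s in g) / len(g)
    return far, frr


def crossover_error_rate(genuine, impostor, steps: int = 100) -> Tuple[float, float, float]:
    """Sweep the acceptance threshold from 0 to 1 and return (threshold, FAR, FRR) at the point
    where FAR and FRR are closest; the first such threshold wins. FAR falls and FRR rises as the
    threshold increases, so there is exactly one crossover region."""
    best = None
    for k in range(steps + 1):
        t = k / steps
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(genuine, impostor, max_far: float, steps: int = 100) -> Tuple[float, float, float]:
    """A high-security deployment fixes a FAR ceiling and accepts whatever FRR results:
    the lowest threshold that meets the ceiling, returned as (threshold, FAR, FRR)."""
    for k in range(steps + 1):
        t = k / steps
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0


if __name__ == "__main__":
    print("failure to acquire:", failure_to_acquire_rate(GENUINE))
    print("CER (threshold, FAR, FRR):", crossover_error_rate(GENUINE, IMPOSTOR))
    print("zero-FAR operating point:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

      With these scores the curves cross at a threshold of 0.66 with FAR = FRR = 20%; forcing FAR to zero pushes the threshold to 0.73 and the FRR to 30%, which is the usability cost the vendor's CER figure does not show.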

      A website external to this site BioID identifies individuals based on facial image from a $50 Samsung Anycam and voice recognition.

      A website external to this site Identix, Visionics, Veridicom, and Compaq make fingerprint readers.

      Hand geometry

      webpage article Forbes articles on biometrics

     

      Authentication Protocols

      Windows 2000 negotiates these in this order, strongest first:
      1. MS-CHAP v2 derives its challenge responses and the MPPE session keys from the MD4-based NT password hash, uses separate keys for each direction, and authenticates mutually, so a rogue server cannot impersonate the real one.
      2. MS-CHAP v1 authenticates one-way and supplies 40-bit (or 128-bit) MPPE keys for password and session-data protection. Because it also sends the LAN Manager response, whose hash covers only the first 14 characters of the password, passwords are effectively limited to 14 characters.
      3. CHAP (Challenge Handshake Authentication Protocol) sends an MD5 hash of the password and a server challenge rather than the password itself, but it does not protect session data (MPPE needs MS-CHAP or EAP-TLS) and it requires the server to store the password reversibly. It is available on stand-alone servers, which EAP-TLS does not support.
      4. SPAP (Shiva PAP) reversibly encrypts the password but not session data.
      5. PAP is not secure: it sends the username and password in plain text. It is included with Windows 2000 only to support older clients.
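      As an added example, not from this page, the Python below models a CHAP exchange (RFC 1994) from both sides and then the attack that "CHAP encrypts the password" glosses over: the response is an unkeyed MD5 over identifier, secret and challenge, so anyone who sniffs one exchange can test password guesses offline. It also shows why the authenticator needs the cleartext secret. The identifier, challenge, secret and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple


def chap_challenge(identifier: int, length: int = 16) -> Tuple[int, bytes]:
    """Authenticator (server) side: a fresh random challenge tagged with an identifier."""
    return identifier, os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer (client) side, RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side. It must hold the cleartext secret to recompute the hash, which is why
    Windows needs 'store password using reversible encryption' for CHAP accounts."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                              wordlist: Iterable[str]) -> Optional[str]:
    """Eavesdropper: having sniffed (identifier, challenge, response), test guesses without
    ever touching the server, so lockout policies never fire."""
    for guess in wordlist:
        if chap_response(identifier, guess.encode(), challenge) == response:
            return guess
    return None


# Constructed demo values (assumed, not real traffic).
DEMO_ID = 7
DEMO_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_SECRET = b"winter2001"
DEMO_WORDLIST = ["password", "summer2001", "letmein", "winter2001", "Winter2001"]


def demo() -> Tuple[bool, bool, Optional[str]]:
    """Returns (genuine response accepted, tampered response accepted, password recovered offline)."""
    response = chap_response(DEMO_ID, DEMO_SECRET, DEMO_CHALLENGE)  # what crosses the link
    accepted = chap_verify(DEMO_ID, DEMO_SECRET, DEMO_CHALLENGE, response)
    tampered = chap_verify(DEMO_ID, DEMO_SECRET, DEMO_CHALLENGE,
                           response[:-1] + bytes([response[-1] ^ 1]))
    recovered = offline_dictionary_attack(DEMO_ID, DEMO_CHALLENGE, response, DEMO_WORDLIST)
    return accepted, tampered, recovered


if __name__ == "__main__":
    ident, challenge = chap_challenge(1)
    print(chap_verify(ident, DEMO_SECRET, challenge, chap_response(ident, DEMO_SECRET, challenge)))
    print(demo())
```

      The fresh challenge stops replay of an old response, but it does nothing against guessing; MS-CHAP v2 has the same weakness, which is why a VPN facing the Internet should prefer EAP-TLS certificates over any password-based PPP method.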

      Windows 2000 adds three certificate- or SSP-based methods for authenticating remote connections:

      • DPA (Distributed Password Authentication), using the SSP file Msapsspc.dll.
      • EAP-TLS (Extensible Authentication Protocol with Transport Layer Security) extends PPP with certificate-based mutual authentication and derives the keys MPPE uses to encrypt session data.
      • Schannel, the certificate-based SSP in Schannel.dll, which implements:
        1. SSL v2
        2. SSL v3
        3. PCT (Private Communication Technology) 1.0
        4. TLS 1.0, which with client certificates (as EAP-TLS uses it) provides user-level mutual authentication.

      EAP-RADIUS is the configuration in which the access server does not evaluate EAP itself but forwards the EAP messages, wrapped in RADIUS attributes, to a RADIUS server such as the Internet Authentication Service (IAS), which may in turn proxy them to another RADIUS server.

     

      Secure FTP

      tool Serv-U FTP server and Voyager FTP client from rhinosoft.com encrypts the authentication password that other FTP programs leave in the clear.

      tool WinSCP is a Windows version of Unix Secure Copy.

      tool SSH 2.0 has built-in file transfer (scp and sftp) in the same encrypted, authenticated channel as the shell. f-secure.com sells a commercial implementation; OpenSSH.com provides an open-source one.

      In Client for Microsoft Networks Properties, the RPC name service provider "Windows Locator" needs no network address, unlike the DCE Cell Directory Service.

     

    Authorization of Permissions

      Authorization is the process of determining whether an authenticated identity (plus a set of attributes associated with that identity) is permitted to *perform some action*, such as accessing a resource.

      NTFS Permissions

      When IIS is installed, two users are created:
      • IUSR_computername to handle built-in anonymous logons to the IIS system.
      • IWAM_computername to allow IIS to start out-of-process Web applications such as accounting, monitoring, and scripting.

      Limitations by Group

      A security descriptor on an AD object holds the object's owner, the DACL that lists which security principals may read or change each of its properties, and the SACL that says which accesses are audited. Windows 2000 also limits what the built-in groups may run:
    • "Users" can run only certified (Windows 2000 logo) applications.
    • "Power Users" can also run unsigned legacy applications.

      tool Command Line Interface Appsec.exe, installed from download Instappsec.exe in the Resource Kit, prevents users from running executable files (not DLLs) through the command line or from within another application. To prevent users from running other versions of the same executable file from alternate locations, Appsec permits applications based on full path names. Its Admin run mode provides tracking of what applications have been run.

      Like NTFS Permissions, Share Permissions are Additive

      Access permissions are cumulative when dealing with like permissions: a user's effective NTFS rights are the union of everything allowed to the user and to every group the user belongs to, minus anything explicitly denied. Share permissions accumulate the same way.

      Local Security Authority

      The LSA controls access to resources on a local Windows 2000 computer. It starts SSPs (Security Support Providers).

      Network Share Permissions

      Share permissions apply only to access over the network, not to local logons. Sharing a folder exposes everything beneath it. The administrative shares created by default (ADMIN$, C$ and so on) are accessible only to the Administrators group; the $ suffix hides them from browse lists.

      When a share sits on an NTFS volume, the share and NTFS permissions are combined in the most restrictive way: the effective network access is only what both allow.

      best practice On a FAT volume, shared-folder permissions are the only way to secure network resources. On Windows 2000 NTFS volumes, leave the share at its default of Full Control for Everyone and rely on NTFS permissions to "flow through" the protection. Managing a single set of permissions is easier and avoids contradictory settings; restricting the share as well adds a second layer at the cost of two places that must be kept in sync.

      Denying permissions takes precedence over the permissions that you allow.

      When a shared folder is moved, it loses its share status.
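      As an added example, not from this page, the Python below models the rules above (allows accumulate across the user's groups, a deny wins over any allow, share permissions apply only over the network, and share and NTFS combine by intersection) and runs them over a constructed scenario: a user in two groups, an NTFS ACL with one deny, and the default Everyone/Full Control share beside a read-only share. The rights vocabulary is simplified and inheritance and ownership are left out.

```python
from typing import FrozenSet, Iterable, Set, Tuple

Right = str
FULL_CONTROL: FrozenSet[Right] = frozenset({"read", "execute", "write", "delete"})
# An ACE is (trustee, "allow" | "deny", rights); the trustee is a user or group name.
Ace = Tuple[str, str, FrozenSet[Right]]


def effective_rights(principal: str, groups: Iterable[str], acl: Iterable[Ace]) -> Set[Right]:
    """Allows from every ACE that names the user, one of its groups, or Everyone accumulate;
    any matching deny removes the right regardless of how many allows granted it."""
    members = {principal, "Everyone", *groups}
    allowed: Set[Right] = set()
    denied: Set[Right] = set()
    for trustee, kind, rights in acl:
        if trustee not in members:
            continue
        (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def effective_over_network(principal: str, groups: Iterable[str],
                           share_acl: Iterable[Ace], ntfs_acl: Iterable[Ace]) -> Set[Right]:
    """Network access passes through the share first, then NTFS: the result is the intersection,
    i.e. the most restrictive of the two. Local access ignores share_acl entirely."""
    return effective_rights(principal, groups, share_acl) & effective_rights(principal, groups, ntfs_acl)


# Constructed scenario (assumed, not from any real server).
NTFS_ACL = [
    ("Users", "allow", frozenset({"read", "execute"})),
    ("Sales", "allow", frozenset({"write", "delete"})),
    ("Everyone", "deny", frozenset({"delete"})),        # deny beats the Sales allow
]
DEFAULT_SHARE_ACL = [("Everyone", "allow", FULL_CONTROL)]  # Windows 2000 default share permission
READ_ONLY_SHARE_ACL = [("Everyone", "allow", frozenset({"read"}))]
BOB = ("bob", {"Users", "Sales"})


def demo() -> Tuple[Set[Right], Set[Right], Set[Right]]:
    """(local NTFS rights, over default share, over read-only share)."""
    local = effective_rights(*BOB, NTFS_ACL)
    net_default = effective_over_network(*BOB, DEFAULT_SHARE_ACL, NTFS_ACL)
    net_read_only = effective_over_network(*BOB, READ_ONLY_SHARE_ACL, NTFS_ACL)
    return local, net_default, net_read_only


if __name__ == "__main__":
    for label, rights in zip(("local", "default share", "read-only share"), demo()):
        print(f"{label:16} {sorted(rights)}")
```

      With the default share the network result equals the NTFS result, which is the "flow through" the best practice relies on; with the read-only share bob keeps write access locally but loses it over the network. On a FAT volume the NTFS step does not exist and the share ACL alone decides.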

     

      For a 20% discount on SANS books published by New Riders, call 1-800-428-5331 and mention code "SANS"


      Network Intrusion Detection: An Analyst's Handbook, 2nd Edition


      Intrusion Signatures & Analysis, January 2001

      webpage article "Securing Database Servers" - 8 page whitepaper from Internet Security Systems

      tool Security Explorer ($379) integrates with the Windows NT 4.0 desktop (right-click almost anywhere) to search for permissions across subdirectories and to grant, revoke and clone permissions across subdirectories without affecting any other user's entries. It searches and modifies Windows NT security on NTFS drives, the Registry and shares; can select 50 shares on a server and grant permissions to multiple users and groups at once; exports permissions to a database for analysis and reporting; backs up file permissions and restores them if necessary; and sets ownership on files and directories.

     

    Trusts

      NTLM provides one-way, non-transitive trusts between Windows NT domains: each direction, and each pair of domains, has to be set up separately.

      A shortcut trust is created directly between two domains in the same forest, so that Kerberos referrals between them no longer have to walk the tree through the forest root.

     



    Resources on Info Security

      Security Consultants

      These are not the people who offer you their services after hacking into your system (or use some other “mafia” tactic).

    • Jon Miller and others at Covert Systems 310.566-7277 in Marina del Rey, California
    • TruSecure
    • Center for Secure Information Systems (CSIS) at George Mason University offers scholarships for BS and MS degrees specifically on Cryptography, Internet Security Protocols, Computer Network Security, Computer Intrusion Detection, Secure Electronic Commerce, etc.



    Portions ©Copyright 1996-2011 Wilson Mar. All rights reserved. | Privacy Policy |

