July 02, 2001 12:00 AM

Network Security Auditing

Windows IT Pro
InstantDoc ID #21294
Learn how to implement basic AD security features

People often ask me which OS is the most secure, and my answer is the OS with the best administrators. The most important factor in your overall network security is how well you manage the network. A large component of managing network security is knowing which systems are present on your network, finding security holes, and getting them fixed. Even well-built, well-managed systems are vulnerable to ever-new security risks, so running one or more network security auditing tools is essential.

You need to audit your entire network, not just the parts that you think are important. Although smaller networks can use the easy-to-manage security model of allowing only one way in or out through a firewall, a larger network must have many access points. Using a hardened perimeter to protect a large network is becoming as obsolete as using moats and drawbridges to protect a city. Internal security is important in the event of a virus-borne attack as well. If you properly protect your network shares, a virus can't corrupt as many files. Finally, attackers can use unprotected, seemingly unimportant systems to obtain access to crucial systems.

Choosing Your Software
Choosing a vulnerability scanner is difficult. Several scanners are on the market, and each one claims to be the best. The more comprehensive scanners check for hundreds of vulnerabilities, and they frequently have different names for the same check. Tools that follow the Common Vulnerabilities and Exposures (CVE) list are easier to compare. (For information about CVE, visit http://cve.mitre.org/about.) Making comparisons even more difficult is that under the covers, these tools work differently. Comparing the available scanners is beyond the scope of this article, so let me give you a few general guidelines so that you can do your own research and choose the package that best suits your needs. "Related Articles," page 2, contains references to many product reviews available on the Windows 2000 Magazine Network Web site and is a good place to start your search. Here are some tips to keep in mind when you select your scanner.

Your needs depend on your environment. Each scanner has strengths and weaknesses, so choose a scanner that's strong in the areas important to your environment. For example, a network with mostly one OS needs a scanner focused on that OS. You might also consider buying a specialized scanner for particular system types, such as Web servers or databases.

A "living" scanner is best. The best scanners are those under active development. Good vendors issue regular updates to enable the scanners to check for newly discovered vulnerabilities and exploits.

Completing the scan is only a small part of the job. After your scan is completed, you must fix all the holes. You need time to evaluate the quality of each vulnerability description and the fix information. On a large network, you can find thousands of vulnerabilities; therefore, managing the information about the problems you find becomes important.

You might also consider using more than one scanning product. Every scanner has some checks that don't work as well as others because of developer error or the difficulty of writing a particular check. For example, I wrote a check that has a 50 percent false-positive rate. However, I use it because it reduces 3000 candidate systems to only 20 or 30 that I have to manually check. Running more than one scanner is like getting a second opinion.
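As an added example (not from the article), here is the bookkeeping the preceding paragraphs argue for: findings from two scanners are keyed on the CVE IDs their reference text cites, so that differently named checks collapse into one entry, findings reported by both scanners can be fixed first, and single-source findings are queued for manual verification. The scanner names, hosts, check names and CVE IDs are all constructed placeholders.

```python
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample findings from two hypothetical scanners, "alpha" and "beta".
# Record: (host, scanner's own check name, reference text). CVE IDs are placeholders.
SCANS = {
    "alpha": [
        ("10.0.0.5", "Web dir traversal", "CVE-0000-0001"),
        ("10.0.0.5", "Weak SNMP community", "CVE-0000-0002"),
        ("10.0.0.7", "Weak SNMP community", "CVE-0000-0002"),
        ("10.0.0.9", "Anonymous FTP writable", ""),
    ],
    "beta": [
        ("10.0.0.5", "HTTP traversal (vendor bulletin)", "see CVE-0000-0001"),
        ("10.0.0.7", "SNMP default community string", "CVE-0000-0002"),
        ("10.0.0.7", "Telnet enabled", "no reference"),
    ],
}

def reconcile(scans):
    """Key findings by (host, CVE) so differently named checks collapse together.
    Returns (keyed, unkeyed): keyed maps (host, cve) -> set of scanner names;
    unkeyed lists (scanner, host, check) for findings with no CVE reference."""
    keyed = defaultdict(set)
    unkeyed = []
    for scanner, records in scans.items():
        for host, check, ref in records:
            match = CVE_RE.search(ref)
            if match:
                keyed[(host, match.group(0))].add(scanner)
            else:
                unkeyed.append((scanner, host, check))
    return dict(keyed), unkeyed

def triage(keyed):
    """Split keyed findings: corroborated by more than one scanner (fix first)
    versus seen by only one (verify by hand first, since a single check can be noisy)."""
    corroborated = sorted(k for k, v in keyed.items() if len(v) > 1)
    single = sorted(k for k, v in keyed.items() if len(v) == 1)
    return corroborated, single

def per_host(keyed):
    """Count distinct CVEs per host, so work can be handed to each host's administrator."""
    counts = defaultdict(int)
    for host, _cve in keyed:
        counts[host] += 1
    return dict(counts)

if __name__ == "__main__":
    keyed, unkeyed = reconcile(SCANS)
    print("corroborated:", triage(keyed)[0], "single-source:", triage(keyed)[1])
    print("no CVE, compare by hand:", unkeyed, "per host:", per_host(keyed))
```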

Preparing to Scan
Let's look at what you need to do before you use a scanner on your network. I've seen instances in which administrators simply installed the scanner, turned on all the possible checks, then proceeded to cause mayhem on their networks. If you'd like to keep your job, I wouldn't advise this method.

Before you run a security scanner on a network, you need to notify administrators (and possibly end users) that you're going to conduct an audit. The extent of the notification depends on the size of your network. In a small company, you might simply send a broadcast email message. If you're dealing with a larger network, you might need to follow more formal procedures, such as making an entry into change control to notify the Help desk and operations.

I ran a surprise scan of a fairly sensitive network, and the scan caused an email flood the next day when surprised administrators checked their logs, discovered an attack, then notified all their friends. As you increase the intensity of your scans, make sure you notify crucial support people. Although it's unusual, network infrastructure hosts can die unexpectedly. If the administrators don't know what you're doing, you might repeat the scans and continue to cause problems.

Network security auditing tools can have adverse effects on the network and on the hosts they scan. Some problems that scanners can cause are well documented. For example, nearly every scanner has a set of Denial of Service (DoS) attacks. If you run DoS attacks against unsuspecting systems, you'll cause a lot of damage and have only yourself to blame. If you need to run DoS attacks against your network, target them against a limited number of systems at a time, and be sure that the relevant administrators are standing by to quickly deal with any problems that might occur.

Other problems can crop up from seemingly benign activities. For example, some older versions of the Hewlett-Packard (HP) JetDirect network printer devices can fail because of a simple TCP port scan. (For more information about this vulnerability, see SecurityFocus.com at http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1124.) Although SecurityFocus.com cites Nmap as the tool that causes the problem, nearly any port scanner can cause problems with these devices. Your scanner is a powerful tool. If you're careful and use it correctly, your network will be much more secure.
