WHEN MY KIDS WERE YOUNGER, they slept with night lights on to
protect them from the nameless, unspecified evil that was lurking beyond their
vision. As they grew older, however, they learned that nothing was stalking them
from the dark corners of their room, and now they can sleep in the dark. In
contrast, as I grow older, I become increasingly aware of the nameless,
unspecified evil that is stalking me from the dark corners of my network. In
fact, if I could attach a night light to my network, it would glow brightly
around the clock.
My fears are proportional to the size of the network: The bigger the
network, the more dark corners I have to worry about. When I hook up a private
network to the Internet, for instance, I see an endless maze of dark corners and
shadowy alleys. Some people may say I'm just paranoid--that Windows NT has
industrial-strength security (for an overview of NT security issues, see Keith
Pleas, "Securing Windows NT," page 74) and that Microsoft would never
release a product like the Internet Information Server (IIS--for a review of
IIS, see Stephen Genusa, "Serving Up Internet Information," page 62,
and Carl Calvello and Thad Schwebke, "Troubleshooting Internet Information
Server 2.0," page 107) unless it was completely secure. My cynical view,
however, is that no product connected to a network is 100% secure--it's just a
matter of time before intruders find paths through the software or through your
security implementation.
Personal paranoia aside, most discussions about security usually degenerate
into a classic optimist/pessimist argument: The optimist sees the glass as half
full and the network as mostly secure; the pessimist sees the glass as half
empty and the network as partially insecure.
To shed some light on the issue of Internet security (and to justify my
paranoia), I connected a system running Windows NT Server 4.0 beta 2 and IIS 2.0
to the Internet and asked a professional security analyst from Midwestern
Commerce (MWC) to hack away at it. As you'll see, the results were both amazing
and horrifying.
My Little Shop of Horrors
I built the NT system for this test by
configuring NT and IIS the way most people configure them. I installed NT Server
on one NT File System (NTFS) drive partition (for information about NTFS and its
security issues, see Sean Daily, "NTFS vs. FAT," page 95) on an Intel
dual Pentium system from Advanced Logic Research (ALR). During the NT Server
installation, I accepted the default settings for security and protocol. I then
installed IIS--with Web, FTP, and Gopher support enabled on the same
partition--and configured IIS for Internet access (for example, I enabled
anonymous FTP and Web access).
Finally, I went through the entire directory structure on the disk and made
sure that only the Administrator had full read and write access to all files. I
restricted other users to read-only access in system directories and read and
write access in the designated Web, FTP, and Gopher directories.
I debated going back through the system configuration to plug some security
holes I happened to be aware of, but ultimately, I decided not to. I wanted to
see whether the security analyst would exploit the obvious holes and how
Microsoft's out-of-the-box configuration fared against a full frontal assault.
So I kept my paranoia under wraps and pushed my test server over the cliff and
into the valley of darkness--in other words, I plugged the server into the
Internet and told the security analyst where to find it.
I didn't need a medium to let me know when my system came under attack.
Strange things began happening to my server system almost immediately. I
experienced a series of mysterious system lock-ups. I also received ominous
warning messages on the console, such as the one in Screen 1.
However, I didn't realize just how exposed my server was until a fateful
conversation with the security analyst. He called to tell me he had accidentally
corrupted my swap file. He needed me to reboot from NT Server to NT Workstation
and then back to NT Server to correct the corrupt swap file so he could continue
testing.
I said I couldn't recall whether I had installed NT Workstation on that
system. He calmly told me that both NT Server and NT Workstation were, in fact,
installed. He then proceeded to list the entire contents of the server system's
hard disk. Obviously, he had penetrated far beyond the boundaries of ordinary
Web access.
The Test Results
After several days of testing, the security
analyst sent me his observations and recommendations. The observation section of
his report listed the computer name, all the users defined for the system, the
groups assigned to those users, all the directories on the hard disk, the
permission levels assigned to those directories, and other details about my
server.
The recommendations section included the following instructions:
- Disable NetBIOS over TCP/IP.
- Disable the Guest account.
- Disable the Everyone group (but be careful how you do this!).
- Disable mapping for .bat and .cmd files, and don't use them as Common
Gateway Interface (CGI) scripts.
- Avoid using the FTP server.
- Don't use the Web server as a file server.
- Remove unused (and dangerous) program files (that is, ftp.exe, rasdial.exe,
and telnet.exe).
- Create separate partitions for NT system files, Hypertext Transfer Protocol
(HTTP) documents, CGI scripts, template files, and FTP files.
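The analyst's checklist above can be turned into something you can run against a server to see which of the recommendations it still fails. The script below is an added example written for this page, not code from the article or from Microsoft; it only reports, it changes nothing. It assumes the content roots in the two parameters (made-up paths), that the IIS 2.0-era script map lives in the registry key shown (newer IIS versions use handler mappings, which it also checks when the WebAdministration module is installed), and that the FTP service is registered under one of the two service names listed. "Disable the Everyone group" is interpreted as "Everyone should hold no rights on the content roots", so the script lists any access entries granted to it, which also covers the read-only/read-write layout described earlier in the article.

```powershell
# Added audit example (not from the article). Run in an elevated PowerShell session.
# Reports which of the analyst's recommendations the host still fails; makes no changes.
param(
    [string]$WebRoot = 'D:\wwwroot',    # hypothetical content locations, not from the article
    [string]$FtpRoot = 'E:\ftproot'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. NetBIOS over TCP/IP: TcpipNetbiosOptions 2 means "disabled" on that adapter.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        if ($_.TcpipNetbiosOptions -ne 2) {
            $findings.Add("NetBIOS over TCP/IP still enabled on '$($_.Description)'")
        }
    }

# 2. Guest account (well-known RID 501) should be disabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { $findings.Add('Guest account is enabled') }

# 3. Everyone (SID S-1-1-0) should hold no rights on the published content roots.
foreach ($root in @($WebRoot, $FtpRoot)) {
    if (Test-Path $root) {
        $aces = (Get-Acl $root).Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        }
        foreach ($ace in $aces) {
            $findings.Add("'Everyone' has $($ace.FileSystemRights) ($($ace.AccessControlType)) on $root")
        }
    }
}

# 4. No .bat/.cmd script mapping. IIS 2.0 era: registry script map (assumed key path).
$scriptMap = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Script Map'
if (Test-Path $scriptMap) {
    $map = Get-ItemProperty $scriptMap
    foreach ($ext in '.bat', '.cmd') {
        if ($map.PSObject.Properties.Name -contains $ext) {
            $findings.Add("Script map still present for $ext -> $($map.$ext)")
        }
    }
}
# Newer IIS: handler mappings (only if the WebAdministration module is available).
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-WebHandler | Where-Object { $_.Path -match '\.(bat|cmd)$' } | ForEach-Object {
        $findings.Add("IIS handler '$($_.Name)' maps $($_.Path)")
    }
}

# 5. FTP server should not be running (service name differs between IIS generations).
foreach ($svcName in 'MSFTPSVC', 'ftpsvc') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $findings.Add("FTP service '$svcName' is running") }
}

# 6. Client programs the analyst flagged should not be left on the server.
foreach ($exe in 'ftp.exe', 'rasdial.exe', 'telnet.exe') {
    $path = Join-Path $env:SystemRoot "System32\$exe"
    if (Test-Path $path) { $findings.Add("Present: $path") }
}

# 7. Web and FTP content should live on a different volume from the NT system files.
$sysDrive = Split-Path -Qualifier $env:SystemRoot
foreach ($root in @($WebRoot, $FtpRoot)) {
    if ((Split-Path -Qualifier $root) -eq $sysDrive) {
        $findings.Add("$root shares the system volume $sysDrive")
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each numbered block maps to one line of the checklist, so a finding tells you exactly which recommendation is still open. The ACL check resolves the principal by SID rather than by the name "Everyone" so it also works on systems with localized account names.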
One recommendation I expected to see but didn't is to remove or rename the
Administrator account (for more information about this suggestion, see Mike
Reilly, "Find Holes in Your NT Security," page 87, and Bob
Chronister, "Tricks and Traps," page 138, September 1996).