Can you improve your network's security?
For many organizations, Microsoft Proxy Server acts as the network's front line for security. Proxy Server's ability to hide a company's internal IP address space combined with the ability to prevent IP routing between the internal network and the Internet gives companies a good security baseline. Proxy Server also attracts many customers by promising plug-and-play security and by leveraging a company's existing Windows NT and Microsoft BackOffice infrastructure and user account database.
Even with Proxy Server in place, however, clever intruders can find ways into your network. Unfortunately, many companies rely solely on Proxy Server's default configuration to provide all their security. This reliance often leaves them vulnerable to attack.
To maximize network security, you need to consider implementing some advanced security measures, including Proxy Server's advanced security features and special network configurations to enhance its security potential. In this article, I show you techniques to tighten your network's security beyond the basic default configuration.
Most of these techniques require only minor changes to existing networks and servers and are steps that you can take right now to protect your company against Internet-based attacks. In addition, these techniques can help you get the most from your Proxy Server investment.
Basic Security Steps
In many customer applications, Proxy Server sits at the Internet-exposed network's edge and provides secure Internet access via application- and circuit-level gateways. These gateways sit between internal computers and Internet servers. The application-level gateway includes three proxy services (i.e., Winsock, Web, and SOCKS) that accommodate different client-access methods and Internet services.
The three services use Network Address Translation (NAT) to translate private internal IP addresses to one routable IP address assigned to an Internet-connected network adapter. Because Proxy Server directly connects to the Internet, Internet-based intruders see an opportunity to probe, hack, and attack.
One NIC proxy server is hard to secure and prone to causing problems with certain applications and services, so I'll assume that you're running Proxy Server in the recommended configuration using at least two network cards: one connected to the internal (private) network, and another connected to an Internet-exposed network or router. Before I jump into an advanced discussion, consider some basics central to any Proxy Server implementation. Microsoft also covers many of these basic concepts in Proxy Server's installation documentation.
Consider This
The first security consideration relates to the NT Server service, which provides Server Message Block (SMB) access to file and print shares and the Registry on NT systems. You need to disable this service because exposing it directly to Internet-based computers presents a major security risk.
Luckily, you can easily disable this service on only the external NIC while leaving the service enabled on the internal NIC so that the server remains accessible to internal network clients. To disable the NT Server service on the TCP/IP binding to the Internet-exposed NIC, go to the Network applet in Control Panel and select the Bindings tab. Display all services in the Show Bindings for list box, and double-click Server, WINS Client(TCP/IP). Highlight your Internet-connected adapter, and click Disable. Screen 1 shows how the Internet-connected adapter looks after you click Disable. Click OK, and restart your system. After the system restarts, the NT Server service isn't available over TCP/IP with this network adapter.
If you think that this change will limit trusted Internet-based users' access to Proxy Server's Server service, you can investigate a VPN-based solution, such as PPTP-based RAS connections. You need to avoid directly exposing the Server service to the Internet. (See Eric Pearce, "Managing VPNs with PPTP," January 1999, and Douglas Toombs, "DNS and PPTP for Network Security," August 1997, for more information about VPNs and PPTP.)
In addition, an alternative method of securing access to the resources provided via the NT Server service (and other NT network services) is to disable or control access to the specific ports that clients use to connect to these services, specifically UDP ports 135, 137, and 138, and TCP port 139. In most cases, you implement this control at your Internet-connected router or firewall product. Limiting access to these ports can provide an equivalent degree of security, but I recommend disabling the Server service binding on all Internet-exposed NICs. Using both methods creates an even better solution and provides a fallback in the event that someone upgrades or replaces a router and forgets to include these filters, or someone accidentally reenables the Server service binding.
Disabled Default Configuration
You need to verify the default configuration for IP forwarding (routing). Disabled IP forwarding is the default Proxy Server configuration except with RAS, in which case the application leaves IP forwarding enabled. (Proxy Server disables IP forwarding during installation, but administrators can always enable the option after installation.) Disabling IP forwarding prevents NT from forwarding packets between any two interfaces on the system—an essential condition for a fully secure Proxy Server.
However, IP forwarding is necessary in at least one situation: When Proxy Server acts as a RAS server. IP forwarding is necessary in this case because it permits RAS clients to communicate with the internal network. For this reason, I recommend leaving RAS off a Proxy Server whenever possible. When the Proxy Server acts as a PPTP-based RAS server, you can use a special configuration to maintain security. This configuration involves the PPTP-filtering feature and a special PPTP-specific Registry modification. (See Watch Your RAS, "Securing a RAS Proxy Server," August 1999, for details.)
Unless absolutely necessary, don't install Proxy Server on a domain controller on your internal network. Domain controllers house NT's SAM database, so installing the application on your network can expose you to more risk. Intruders can run dictionary and brute-force attacks against the database to gain additional user and password information. When you must run a Proxy Server on a domain controller, use Service Pack 4 (SP4) or later, and consider using the Syskey (SAM encryption) utility included in SP3 and later. (See Mark Joseph Edwards, "Service Pack 3 Is Really Security Pack 3," August 1997, for details.)
Filtering Finesse
Last on the basic Proxy Server configuration checklist is one of Proxy Server's strongest and most overlooked security features—filtering. Filtering lets you specify, on a service-by-service basis, exactly what types of traffic you permit to access your network through Proxy Server's external NIC. Proxy Server's filtering feature uses a security policy that denies all traffic except that which is highly secure. In addition, you can easily add commonly required services (e.g., DNS, HTTP, FTP, PPTP) through predefined filters.
At this point, stop and ask yourself whether using Proxy Server with these features is sufficient security for your network. Your answer depends on your specific security needs. A network secured with Proxy Server in a standard configuration is far more secure than one without a firewall, but no security solution is perfect or impenetrable.
The goal in securing any network is to provide the maximum number of barriers to intruders while giving internal network users the minimum-required level of functionality. The special network configuration scenarios enhance Proxy Server's usefulness and remain fairly unobtrusive to legitimate network users.