July 08, 2002 12:00 AM

Boost Security: Limit Public Information

Windows IT Pro
InstantDoc ID #25579
Are you revealing too much about your network?

Companies spend thousands of dollars to protect the information on their networks, but most give little thought to the information they make publicly available through services running on their servers or through other outlets such as the company Web site or external listings. Obviously, you must share some information on the Internet. However, you might inadvertently be permitting unnecessary and excessive access to information about your network through null sessions, SNMP, WHOIS listings, company Web sites, device naming conventions, and DNS zone-file transfers. Intruders can piece together that data to build a map of your network that is as accurate as it would be if you had prepared a network diagram for them.

Null Sessions
Windows null sessions are some of the worst offenders at leaking information. Null sessions are established connections that use a blank (i.e., null) password and username. These connections automatically receive guest privileges on a system. Although intruders can't use a null session to access crucial data or services, they can use such sessions to get listings of all the users, shares, and services on the machine and to learn which users have administrator rights or haven't logged on in a while. This type of data is a wealth of information to someone trying to get into your network. Windows versions earlier than Windows XP permitted null sessions by default because applications used null sessions to get information from the system. Microsoft finally wised up, and XP limits null access by default. But unless you have an all-XP network, you might be running machines that permit these sessions.

To limit null sessions on XP or Windows 2000 systems, open the Control Panel Administrative Tools applet and select Local Security Policy. Open the Local Policies\Security Options object, then double-click "Additional restrictions for anonymous connections" in the right-hand pane. In the "Local policy setting" drop-down box, select "No access without explicit anonymous permissions" or, for a higher level of security, "Do not allow enumeration of SAM accounts and shares." (Be aware that the more restrictive setting might affect some file-sharing capabilities when your network contains pre-Win2K clients.) On Windows NT or Windows 98 Second Edition (Win98SE) systems, open a registry editor and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. Edit or add the RestrictAnonymous value (of type REG_DWORD), and set the value to 1.
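The registry change described above can be checked and applied from a script. The following is an added example, not part of the original article: it reads RestrictAnonymous on the local machine, reports whether anonymous access is restricted, and optionally writes the value 1. It assumes a host with Windows PowerShell available; the function name and output fields are illustrative, and a missing value is treated as unrestricted.

```powershell
# Added example, not from the article. Function name and output fields are illustrative.
function Test-RestrictAnonymous {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Remediate    # write the value 1, as the article instructs
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'RestrictAnonymous'

    # Assumption of this example: a missing value is treated like 0 (not restricted).
    $prop   = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $before = if ($null -ne $prop) { [int]($prop.$name) } else { $null }
    $after  = $before

    if ($Remediate -and ($null -eq $before -or $before -lt 1)) {
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD to 1')) {
            # -Force overwrites an existing value and creates a missing one.
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            $after = [int]((Get-ItemProperty -Path $key -Name $name).$name)
        }
    }

    # Any value of 1 or higher counts as restricted; this reports on this one value only.
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Before     = $before
        After      = $after
        Restricted = ($null -ne $after -and $after -ge 1)
    }
}

# Report only:
Test-RestrictAnonymous
# Preview the change without writing anything:
Test-RestrictAnonymous -Remediate -WhatIf
```

Dropping -WhatIf applies the change and requires an elevated session.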

SNMP
Services such as SNMP can also reveal information about your network. SNMP was originally developed to provide a standard for gathering data on network devices. Although many companies use the service to run network-management packages such as Hewlett-Packard's HP OpenView or Nortel Networks' Optivity Network Management System, many more organizations don't use SNMP and don't even realize that it's running on their servers and other network devices.

The problem with SNMP is that almost every device that runs SNMP contains built-in, default manufacturer community strings—passwords that let you query and in some cases reconfigure the device. Even folks who actively use SNMP often leave these default community strings unchanged. Intruders then can use freely available tools such as Snmpwalk or Snmpset to learn all about that device and even shut it down. And recently, several serious SNMP exploits have come to light. These exploits don't require the community strings in many cases and therefore can be used against even secure SNMP implementations.

If you use SNMP on a network device, be sure to change all the default community strings. Also, determine whether the device vendor has issued any patches that address SNMP vulnerabilities. If you don't use SNMP—and if you aren't sure whether you do, you probably don't—be sure to turn off SNMP on any machines that might be running it.
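To find out whether a Windows host is running SNMP and which community strings it accepts, you can audit the service locally. The following is an added example, not part of the original article: it checks the Windows SNMP service and the ValidCommunities registry key that service uses, and flags default or write-capable community strings. The function name and the default list ('public', 'private') are assumptions of this example; network devices need their vendor's own tooling.

```powershell
# Added example, not from the article: defender-side SNMP audit of the local host.
function Get-SnmpExposure {
    [CmdletBinding()]
    param(
        # Assumed list of common factory defaults; extend it with your vendors' defaults.
        [string[]]$DefaultCommunities = @('public', 'private')
    )

    $svc = Get-Service -Name 'SNMP' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Installed = $false; Running = $false; Communities = @(); Findings = @() }
    }

    # One registry value per community string; the DWORD data is its access right.
    $rights = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'

    $communities = @()
    $findings    = @()
    $regKey = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $regKey) {
        foreach ($name in $regKey.GetValueNames()) {
            $value = [int]$regKey.GetValue($name)
            $entry = [pscustomobject]@{
                Community = $name
                Rights    = $rights[$value]
                IsDefault = ($DefaultCommunities -contains $name)
                CanWrite  = ($value -ge 8)
            }
            $communities += $entry
            if ($entry.IsDefault) { $findings += "Default community string '$name' is still configured" }
            if ($entry.CanWrite)  { $findings += "Community '$name' can reconfigure the host ($($entry.Rights))" }
        }
    }
    $running = ($svc.Status -eq 'Running')
    if ($running) { $findings += 'SNMP service is running; turn it off if nothing manages this host over SNMP' }

    [pscustomobject]@{
        Installed = $true; Running = $running; Communities = $communities; Findings = $findings
    }
}

Get-SnmpExposure | Format-List
```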

WHOIS Listings
The first place to go when you want to know more about who runs a company's Web site is VeriSign's WHOIS search engine at http://www.netsol.com/cgi-bin/whois/whois (formerly maintained by Network Solutions). Something as simple as your WHOIS listing can give intruders valuable information about your network.

Web Figure 1 (http://www.windowswebsolutions.com, InstantDoc ID 25579) shows an example of a typical WHOIS record. One piece of information that this record reveals is a technical contact—someone who is usually fairly high up in the IT hierarchy. An intruder can use the technical contact's email address to launch social-engineering or email-spoofing attacks, in which the intruder tries to trick legitimate users out of sensitive information such as usernames and passwords. For example, few people would hesitate to download an attachment that came with an email message that appeared to be from the company's network manager, instructing the recipient to "Please load this software patch immediately." However, that message could be an email spoof from an intruder, tricking users into loading a Trojan horse that will let the intruder into the network or a keystroke logger that will capture and email user passwords back to the intruder.

Sometimes, the technical contact is an outside organization such as a consultant or ISP. Such cases usually are easy to identify because the domain for the contact's email address differs from the company's domain; a quick Web site visit to the domain name in the technical contact email usually can verify the contact's role. This situation makes social-engineering attacks even easier to pull off and opens up physical-access concerns. Imagine a technician showing up on site, claiming to be with your company's ISP and needing to look at your Internet connection. Is your receptionist likely to ask for identification before giving that person access to the wiring closet?

The WHOIS listing also can give intruders your company's email-address format. From the sample WHOIS record that Web Figure 1 shows, an intruder can determine that Example Systems uses the firstname.lastname@example.com format. If the intruder knows that the company president's name is John Smith, he or she has a good idea that john.smith@example.com might be a good email account to hit with a brute-force attack: The account is likely to contain sensitive information, and executives are often the worst about using easy-to-guess passwords and are sometimes exempted from the stricter password policies that other employees must observe.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.