December 01, 1996 12:00 AM

NT Security Tips

Windows IT Pro
InstantDoc ID #2874
Protecting your system from intrusion

Threats to your information systems are everywhere. If you don't know about the threats, just spend a few days at a security conference to learn about hacking, cracking, spoofing, and sniffing--the activities of underground pranksters, hardened criminals, industrial spies, and international terrorists who want to break into your systems for profit and pleasure.

At the recent NetSec '96 conference in San Francisco, Len D'Alotto of GTE Laboratories told a story that I'll paraphrase: Two friends are walking across the African plains. They see a lion heading their way. One friend stops to put on a pair of running shoes. The other says, "You can't outrun a lion!" The first says, "No, but all I need to do is outrun you." Similarly, the best way to discourage intruders is to tighten security at your site so they leave you alone and pursue easier prey. Then again, the challenge of breaking your security may be too much for a confident hacker to resist.

How do intruders break into your Windows NT system? The Administrator account is the first target, for two good reasons: It has unlimited privileges, and you need the passprop.exe utility that comes with the Windows NT 4.0 Resource Kit if you want to lock out network access to the Administrator account. If intruders can't break in through the Administrator account, they will enter through authorized means and then find holes in some service and get more privileges to your system. For example, attackers look for holes in a service that runs under the System account. Unfortunately, you never know what new holes hackers will find and exploit. But, you can prevent many attacks on your system by protecting your Administrator account, limiting services, and understanding weak spots in NT's file- and printer-sharing services.

Administrator Account Break-ins
A typical attack comes from someone who knows the Administrator account name and attempts to log on to that account. You did change the Administrator account name to something obscure, right? Your best protection is to change the name of the Administrator account to include a long string of alphanumeric characters and no discernible words.

As additional protection, through the Account Policy option in User Manager, set lockouts on all other accounts. Assume an inside user is attacking an NT server. To avoid lockout, internal attackers will collect user account names and occasionally attempt logons over extended periods.

Despite such measures, the Administrator account is a hacker's best target. How can hackers learn the Administrator's name if you rename it? A hacker can collect account names in the hopes of uncovering the Administrator. For example, one way to collect names is to run the nbtstat command to get statistics about NetBIOS over TCP/IP. Assume you are an internal hacker and type the nbtstat command as shown here, replacing <ipaddress> with the IP address of any computer that the Administrator is logged on to (an internal hacker can easily observe which computer the Administrator logs on to and figure out a few logical steps to discover its IP address).

NBTSTAT -A <ipaddress>

Screen 1 shows the result--a list of account names a hacker can use to guess the Administrator's account. On my internal network, I renamed the Administrator account to TOPGUN, and you can see this name in the list. The command will not show an Administrator logged on to the primary domain controller (PDC)--a good reason to have your Administrator log on only at the server console of such machines. However, if the Administrator is working at some workstation on the network and an internal hacker happens to notice, the hacker might just run the nbtstat command using the IP address or computer name of that workstation to view the Administrator's renamed account.

nbtstat also accepts NetBIOS names such as those you see in Network Neighborhood (type NBTSTAT -a <name>). Granted, this technique won't always work, but it shows that the Administrator name is generally available to someone who knows where to look. If intruders discover the account name, they can attempt to crack the account. If the account has weak passwords, intruders can break in eventually.

Try this. Go to a Windows workstation on your network and log on as Administrator, but assume you don't know the password. Type in the wrong one. When that fails, try another password. Keep trying as long as you like. Now consider how easy it is to write a program that repeats those keystrokes and tries passwords from one of the password dictionaries available on the Internet.

Meanwhile, the Event Log on your server is filling with failed logon attempt messages, if you took the security precaution of enabling Failure for the auditing feature Logon and Logoff. To set this option, open User Manager and choose Audit from the Policies menu. Now you just need to look in Event Viewer every so often to see whether someone is trying to break in. If you want the server to notify you of repeated attempts to break in, you can set alarms.
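The alarm the paragraph above describes can be built from nothing more than the failed-logon records in the Security log. The following Python script is an added example, not code from the article or from Microsoft; its log records are constructed to mimic the fields of a Logon and Logoff failure audit (date, time, event ID, account, workstation), and the thresholds and rule names are assumptions chosen for the illustration. It flags three patterns: rapid scripted guessing against one account, the low-and-slow guessing against a single account that stays under a lockout threshold, and one workstation walking through a list of collected account names.

```python
"""Detect repeated failed logons in NT-style Security log records.

Added example with constructed data. Event ID 529 is NT's "unknown user
name or bad password" logon failure and 528 a successful logon; the
thresholds below are assumptions, not values from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 529       # logon failure: bad user name or password
SUCCESSFUL_LOGON = 528   # successful logon (ignored by the rules)

# Constructed sample log (not real Event Viewer output):
# date time event_id account workstation
SAMPLE_LOG = """\
1996-11-30 07:55:00 528 TOPGUN PDC01
1996-11-30 08:00:00 529 JSMITH WS-LAB
1996-11-30 09:00:00 529 TOPGUN WS-ACCTS
1996-11-30 09:00:05 529 TOPGUN WS-ACCTS
1996-11-30 09:00:10 529 TOPGUN WS-ACCTS
1996-11-30 09:00:15 529 TOPGUN WS-ACCTS
1996-11-30 09:00:20 529 TOPGUN WS-ACCTS
1996-11-30 09:00:25 529 TOPGUN WS-ACCTS
1996-11-30 11:30:00 529 JSMITH WS-LAB
1996-11-30 13:00:00 529 ALICE WS-KIOSK
1996-11-30 13:10:00 529 BOB WS-KIOSK
1996-11-30 13:20:00 529 CAROL WS-KIOSK
1996-11-30 13:30:00 529 DAVE WS-KIOSK
1996-11-30 14:10:00 529 JSMITH WS-LAB
1996-11-30 17:45:00 529 JSMITH WS-LAB
1996-11-30 21:05:00 529 JSMITH WS-LAB
1996-11-30 21:06:00 528 JSMITH WS-LAB
"""


def parse_log(text):
    """Turn one record per line into dicts; 'seq' keeps every record distinct."""
    events = []
    for seq, line in enumerate(text.splitlines()):
        if not line.strip():
            continue
        date, clock, event_id, account, workstation = line.split()
        events.append({
            "seq": seq,
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "workstation": workstation,
        })
    return events


def sliding_window_alerts(events, key_fn, value_fn, window, threshold):
    """Group events by key_fn, slide a time window over each group, and raise
    one alert per key the first time the number of distinct value_fn() results
    inside the window reaches threshold."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        groups[key_fn(ev)].append(ev)
    alerts = []
    for key, group in groups.items():
        start = 0
        for end, ev in enumerate(group):
            while ev["time"] - group[start]["time"] > window:
                start += 1          # drop events that fell out of the window
            seen = {value_fn(e) for e in group[start:end + 1]}
            if len(seen) >= threshold:
                alerts.append({"key": key, "count": len(seen), "at": ev["time"]})
                break
    return alerts


def analyse(text):
    """Run the three rules over the failed-logon records only."""
    failures = [e for e in parse_log(text) if e["event_id"] == FAILED_LOGON]
    return {
        # scripted guessing: five failures against one account within two minutes
        "burst": sliding_window_alerts(
            failures, lambda e: e["account"], lambda e: e["seq"],
            timedelta(minutes=2), 5),
        # low-and-slow guessing: five failures from one workstation against one
        # account spread over a day, which a short lockout window never sees
        "slow": sliding_window_alerts(
            failures, lambda e: (e["account"], e["workstation"]),
            lambda e: e["seq"], timedelta(hours=24), 5),
        # one workstation trying four different account names within an hour
        "many_accounts": sliding_window_alerts(
            failures, lambda e: e["workstation"], lambda e: e["account"],
            timedelta(hours=1), 4),
    }


if __name__ == "__main__":
    for rule, alerts in analyse(SAMPLE_LOG).items():
        for a in alerts:
            print(f"{rule}: {a['key']} reached {a['count']} at {a['at']}")
```

Run against the sample, the script reports the burst against the renamed TOPGUN account, the slow guessing against JSMITH from WS-LAB, and the name-walking from WS-KIOSK; the successful logons never enter the rules. The 24-hour rule is the one that matters for the patient insider described earlier, because account lockout only counts failures within its own short reset window.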

If the inability to lock out the Administrator account worries you, you can just have the system shut down in the event of a continuous attack. If your system does shut down, perhaps your attackers have achieved their goal: a denial-of-service attack that prevents legitimate users from accessing your system. Nevertheless, you're better safe than sorry.

To set up shutdown instructions, open Event Viewer and choose Log Settings from the Log menu. Then reduce Maximum Log Size so the log fills quickly. You must set the option Do Not Overwrite Events, and you need to set an option in the Registry. You can find this procedure at Microsoft's Knowledge Base Web site (www.microsoft.com/kb) by searching for document number Q140058. When the log fills, you get a warning and the server shuts down.

Another intruder attack can come from an NT user who targets the administrative share accounts on your servers. Administrative shares are default accounts that you cannot permanently remove. The system creates these accounts for the NT root directory and for the root of each disk partition. The shares have a dollar-sign suffix (c$, d$, winnt$) and are usually not visible to users. However, a malicious user on your network can open the Run dialog and type something like \\<server name>\C$, which brings up the dialog in Screen 2. Now the user can type the Administrator's account name in the Connect As field and enter a guessed password in the Password field to keep guessing as long as necessary.

These examples give you an idea of what your system is up against. Fortunately, you can easily stop these attacks by preventing all Administrator logons from the network. But what about remote logon?
