July 08, 2002 12:00 AM

Boost Security: Limit Public Information

Windows IT Pro
InstantDoc ID #25579

To limit your WHOIS exposure, use only generic titles and email addresses in your WHOIS record. An address such as webmaster@example.com or dnsmaster@example.com provides enough information to legitimate users—and protects you when a primary technical contact leaves the company. WHOIS record changes can take several weeks, during which a terminated technical contact could have access to domain information. Also, domain providers typically email the primary contact to verify any requested changes. If your primary contact's email address is specific to one person and that person then leaves the company, the domain provider's email messages will bounce and you'll need to jump through additional hoops to make your changes. And be sure to keep your WHOIS listing current. If phone numbers or email addresses are outdated or incorrect, you might encounter hassles when you need to make a quick change.

Web Site Information
Periodically review the information on your Web site from a security standpoint. Having a voluminous listing of specific email addresses on your Web site is a bad idea, contrary to what the marketing department might say. In addition to the reasons I explained in relation to using specific addresses in your WHOIS listing, publishing such email addresses on your Web site provides fodder for recruiters and spam robots. Use generic email addresses (e.g., sales@, accounting@, info@) that forward email messages to the correct parties. Better yet, funnel all requests through a Web-based form, which will let you collect more information about a request and more easily categorize and route it.

You should also use a major search engine to search for your Web site and see what comes up. In addition to confirming that your primary listing is correct, go farther down the results page to look for listings that shouldn't be public. You might find old Web pages that are no longer connected to your Web site but that search-engine robots (and consequently, intruders) can still access. A person with a lot of patience can sometimes find old project data or even an internal site. To use the Google search engine to determine whether any sensitive files or data have made it onto the Web, use the search parameters filetype:ext and site:yoursite.com, where ext is the file extension you want to search for and yoursite.com is your Web site. These parameters will search for any public files with the specified extension, from your site only. Good extensions to check for are .mdb, .xls, or .dwg (for technical drawings). You can also use a Web-mirroring program, such as SoftByte Laboratories' BlackWidow, to scan your Web site, listing all the pages and whether they actively link to other pages.

Device Naming Conventions
As far as network tools go, nothing shows an intruder how your network is physically laid out like the Trace Route—aka Tracert (tracert.exe)—command-line utility. The command

tracert <IP address>

shows an intruder the names of all visible hosts between the intruder and the target IP and the relationships between those hosts. And if you've been nice enough to use descriptive names for your network devices, malicious users can label each point as a router, firewall, mail server, and so on. Sometimes the tool reveals the types and models of routers (e.g., cr for a Cisco Systems router) and the speed of the company's Internet link (e.g., ds1 for a T1 line, POS for a packet over a Synchronous Optical Network—SONET). In some cases, I've seen this tool traverse an internal network, revealing the company's private network schemes. (IP spoofing, anyone?) Servers with descriptive names also help intruders decide where to focus their efforts. Host names such as accounting1.example.com or oracleserver2.example.com look juicy to potential intruders—the latter name even tells them the application to work on.

Web Figure 2 shows the sample results of a typical Tracert run into a corporate network. (I've changed the IP addresses to nonpublic addresses.) An intruder can use the IP host names to start building a network map. The results show that the company uses a Cisco 7500 router, connects to the Internet through a T1 line, and employs Sprint as the ISP. The Tracert results even provide a customer reference number that might come in handy for social engineering. Intruders can determine which cities the network comes from and flows to, therefore finding central aggregation points. (Abbreviations such as DAL and HOU won't fool a savvy Tracert user.)

Instead of using descriptive names for your devices and servers, try using a genre naming convention. Pick a common group of things, such as Snow White's seven dwarves (assuming you have no more than seven servers), country names, or whatever strikes your fancy. (I once named a whole network after Irish beers.) Such names are still easy to remember for people in the know, but an intruder won't be able to determine that sneezy.example.com is your e-commerce server or that dopey.example.com is your email server—at least not without doing a lot more work.

For internal naming conventions, resist the temptation to use host names such as johnscomputer or frontdesk. Although such conventions make life easier in the short term, they can also raise the temptation for users to go snooping through Network Neighborhood for the boss's computer or the Human Resources (HR) system that holds salary lists. And such location-specific conventions can be a nightmare when you need to move machines around.
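The following PowerShell script is an added example, not part of the original article, that audits a tracert capture for the kinds of naming leaks this section describes (device role, vendor or model, link type, city abbreviation) so you can find which of your own host names need a non-descriptive scheme. The tracert output is constructed sample data using private and documentation addresses, and the token lists are illustrative, not exhaustive.

```powershell
# Added example (not from the article): flag tracert hop names that disclose
# device role, vendor/model, link type or location. Sample output is constructed.
$sampleTracert = @'
Tracing route to www.example.com [192.0.2.80]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  fw1.example.com [10.0.0.1]
  2     2 ms     2 ms     2 ms  cr7500-dal.isp-placeholder.net [10.1.1.1]
  3    12 ms    11 ms    12 ms  ds1-hou-cust4711.isp-placeholder.net [10.2.2.2]
  4     *        *        *     Request timed out.
  5    14 ms    13 ms    14 ms  oracleserver2.example.com [192.0.2.80]

Trace complete.
'@

# Each pattern is matched against one label at a time (labels split on '.' and '-').
# Illustrative token lists; extend them with the abbreviations your own ISP uses.
$leakPatterns = [ordered]@{
    'device role'  = 'fw\d*|firewall\d*|router\d*|mail\d*|smtp\d*|accounting\d*|oracle\w*|sql\w*'
    'vendor/model' = 'cr\d*|cisco\d*|c\d{4}'
    'link type'    = 'ds[13]|t[13]|pos|sonet|oc\d+'
    'location'     = 'dal|hou|nyc|chi|lax'
}

function Find-DescriptiveHostNames {
    param([string]$TracertOutput)
    foreach ($line in ($TracertOutput -split "`r?`n")) {
        # Hop lines look like "  2   2 ms   2 ms   2 ms  name [ip]"; skip anything else.
        if (-not ($line -match '^\s*(\d+)\s+.*?\s([A-Za-z0-9.-]+)\s+\[([\d.]+)\]\s*$')) { continue }
        $hop = [int]$Matches[1]
        $hostName = $Matches[2]
        $labels = $hostName -split '[.-]'
        $leaks = foreach ($category in $leakPatterns.Keys) {
            $pattern = '^(' + $leakPatterns[$category] + ')$'
            $hits = @($labels | Where-Object { $_ -imatch $pattern })
            if ($hits.Count -gt 0) { "$category ($($hits -join ','))" }
        }
        if ($leaks) {
            [PSCustomObject]@{ Hop = $hop; HostName = $hostName; Leaks = ($leaks -join '; ') }
        }
    }
}

# Hops whose names give away more than they should.
Find-DescriptiveHostNames -TracertOutput $sampleTracert | Format-Table -AutoSize
```

Run it against a saved `tracert` capture of your own network (`tracert www.yoursite.com > trace.txt`) and feed the file contents to `Find-DescriptiveHostNames`; every hop it lists is a candidate for renaming.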

DNS Information
If you run your own DNS, don't permit zone-file transfers between your DNS servers and other DNS servers unless those servers are secondary servers for your domains. To secure zone-file transfers, open the Microsoft Management Console (MMC) DNS snap-in. Open the zone's Properties dialog box and go to the Zone Transfers tab. If you don't run a secondary server, clear the Allow zone transfer check box; if you do run a secondary server, select the Only to the following servers option, then add your backup DNS servers to the IP address box. Also, make sure that the only hosts you let make queries against your DNS server are hosts on your internal LAN or WAN. You have no reason to offer use of your DNS server to the outside world.
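The following is an added example, not part of the original article, showing the same zone-transfer restriction the article sets on the Zone Transfers tab, expressed with the DnsServer PowerShell module cmdlets that ship with Windows Server 2012 and later (the 2002 article predates them). The zone name and secondary server address are placeholders for your own values; run it on the DNS server as an administrator.

```powershell
# Added example (not from the article): restrict zone transfers with the
# DnsServer module instead of the MMC snap-in. Placeholders: zone name and
# secondary address; substitute your own.
$zone        = 'example.com'
$secondaries = @('192.0.2.53')   # your own secondary DNS server(s); use @() if none

# Weak setting, shown for contrast only (do not apply): any host may pull the whole zone.
# Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferAnyServer

if ($secondaries.Count -eq 0) {
    # No secondary server: equivalent to clearing "Allow zone transfers".
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries NoTransfer
} else {
    # Secondary present: equivalent to "Only to the following servers".
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $secondaries
}

# Verify the zone you just changed.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, SecureSecondaries, SecondaryServers

# Then list every other primary zone on this server that is still open to any requester.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                   $_.SecureSecondaries -eq 'TransferAnyServer' } |
    Select-Object ZoneName
```

The final query is the check worth scheduling: a zone that later gets created or restored with the default "any server" setting shows up here before an outsider finds it.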

Time Well Spent
It doesn't matter how high your castle walls are if you hang the keys to the castle in the town square. Review your WHOIS listing, your naming conventions, and your server configurations to keep from giving the bad guys a blueprint to your network. The time you spend will be worth your while.
