IT Security Countermeasures

Information Protection and Assurance (IPA)

The ten domains in ISC2 CISSP Common Body of Knowledge [CBK]	The 7 domains in the SSCP Common Body of Knowledge (CBK):
1. Access Control Systems & Methodology	1. Access Controls: ( Authentication & Biometrics)
2. Applications & Systems Development 3. Business Continuity & Disaster Recovery Planning	7. Malicious Code/Malware 4. Risk, Response and Recovery
4. Cryptography	5. Cryptography (and Encryption)
5. Law, Investigation & Ethics 6. Operations Security (Computer) 7. Physical Security 8. Security Architecture & Models 9. Security Management Practices	2. Administration 3. Auditing/Monitoring
10. Telecommunications & Network Security	6. Data Communications

“The art of war teaches us to rely not on the likelihood of the ånemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” —Sun Tsu, 6th Century BC General, in The Art of War

Security and Encryption at professor Michael Rappa's Digital Enterprise site.

About NT Security

PKCS#'s

Security Admin job description

Open Source Security Test Manual from Idea Hamster.org

National Strategy to Secure Cyberspace administered by the Department of Homeland Security

SCADA (Secured distributed control systems)

“Access denied.”

Topics this page:

Site Map  
About this site  

Related:

Defensive Strategies

Objectives Auditing and Monitoring -- Alarming and Reporting (of Availability Flexibility and scalability East of use Appropriate Total Cost of Ownership Goals of InfoSec (The CIA Triad) Confidentiality (Sensitivity, Secrecy) Integrity (Accuracy, Authenticity) Availabilty (fault tolerance, Recovery)

5 Security Services in the ISO 7498-2 Security Architecture: Authentication Authorization - Control Access to resources Data Confidentiality Data Integrity, including compliance Non-Repudiation (proof of origin and delivery) Physical vs. Electronic Controls

Phases 1. Planning 2. Prevention 3. Detection 4. Response and Follow-up

Risk Analysis

Risk Expectation = Possible Extent of Loss   X   Probability of loss

To reduce extent of loss:	To reduce probability of loss:
Reduce amount subject to loss (multiple independent locations, disconnect computers, etc.)	Reduce frequency errors can occur (single entry of data)
Miminize impact of loss (Transfer risk - buy insurance)	Control opportunities for errors to occur (add error-checking logic)
	Eliminate threats -- (ie. Adobe asking FBI to arrest Dimitri, etc.) Minimize vulnerabilities (“harden” exposed systems)

Or Accept consequences (self insure) where Attack Tree Analysis reveals low likelihood of attack or low payoff for attackers

Documentation

A Policy is a high-level statement of beliefs, goals, and objectives, with a summary of the general means for attaining them.

A Procedure defines the tasks and the sequence of steps of how policies are implemented.

A Standard defines the basis for determining measurements of what is acceptable and what is excellence.

A Guideline is a general statement of recommendations on how to achieve objectives. It provides a framework to implement procedures.

Computer Security and Privacy Course by Dick Kemmerer of UCSB.

Security and Privacy of Information Systems by Richard Baskerville of Georgia State.

Security Levels

The US “Orange Book" (part of the “Rainbow Series") Trusted Computer Systems Evaluation Criteria (TCSEC) 1985 DoD Standard 5200.28 defines security levels.

ITSEC/TCSEC Classification	Security Features of the Target Of Evaluation (TOE)	Actual Ratings
D - Minimal Protection	None	MS-DOS
Discretionary Protection: F1/C1 - Minimal Protection F2/C2 - Controlled Access Protection	Identification and Authentication Discretionary Access Controls (DAC) Object Reuse Process isolation in System Architecture Audit Security Testing	MS-Windows = C1, MS-Windows NT/2000 = C2
Mandatory Protection: F3/B1 - Labeled Security F4/B2 - Structured Protection F5/B3 - Security Domains	Labels Mandatory Access Controls (MAC) Design Specification and Verification System Engineering in System Architecture Configuration Management Penetration Security Testing Trusted Facility Management Trusted Recovery	B1 => IBM MVS/ESA/RACF, AT&T UNIX SysV/MLS, Secureware CMW+ v1
Verified Protection: A1 - Verified Design	Formal Design Specification and Verification Formal Covert Channel Analysis Security Testing Trusted Distribution	Honeywell SCOMP STOP Release 2.1

F6 - high integrity systems (eg financial)
F7 - high availability/mission critical systems
F8 - high integrity data communications systems
F9 - high confidentiality data communications systems
F10 - high confidentiality and integrity networks

Since 1996, the “International Common Criteria” Standard for Information Security effort is based upon the levels of security defined by the TCSEC (Trusted Computers System Evaluation Criteria) and the ISO 15408, which is identical to the International Common Criteria 2.1 aiming to unify the various regional security criteria with SECMAN (security manuals):

1 - Security Policy
2 - Industrial Security
3 - Information System Security
4 - Protective Security
5 - Personnel Security
6 - Project Security
7 - Facility Security (Security Design and Contruction Guidelines)

European Information Technology Security Evaluation Criteria (ITSEC) document — developed by several European countries in 1991 and rewritten in 1999 as British Standard 7799 — defines specific controls such as the use of security policies and physical security measures to ensure confidentiality of data.

The NSA and NIST joint Trust Technology Assessment Program (TTAP) defined Evaluation Assurance Levels (EAL) from 1 to 7 (the most secure).

Microsoft Windows NT 4.0 C2 Configuration Checklist lets you customize your own list by selecting items.

Countermeasures to Minimize Vulnerabilities

• Reveal as little information about the system as possible.
• Limit access.
• Disable unnecessary services on all computers.
• Use strong authentication to access internal services.
• Educate users and management.
• Educate users and management.
• Continually monitor and fine-tune the security infrastructure.

Security Mechanisms such as Encryption can be specific or pervasive.

Reveal as little information about the system as possible.

• Remove information about O/S, version, and available services provided by default (such as initial TCP window size -- the Stack Fingerprint).
• Do not use implementation details in machine names (such as "exchange5server").
• Disable DNS version queries. Some name server implementations respond to queries for the version of the name server software. This feature exists to support system administration and is not used in normal DNS transactions. Automated attack tools exist which exploit this feature to locate specific name server versions that are known to have exploitable vulnerabilities.
• Lock up Emergency Repair Disks.
• Lockout accounts after 4 attempts.
• Program bogus IP addresses in outgoing email headers
• Do not put personal information in ".plan" files on UNIX systems and .vcf address book entry files sent out with messages from Microsoft Outlook.

RFC 2828, the Internet Security Glossary

The Jargon File

The Merged Security Glossary

Microsoft's Windows 2000 Technologies Home: Security Services

A Security Checklist for Internet Service Providers (ISPs)

Book: “Securing Windows NT/2000 Servers for the INternet" by Stefan Norberg

Bulgarian security consultant Georgi Guninski, author of Hack Proofing Your Network: Internet Tradecraft.

Limit access

On desktop machines:
• Enable password protect screen savers.
• Use ACL to block specific IP addresses.
Install a firewall (BlackICE)
• Close ports opened by default during installation.
• Filter out all but these ICMP messages:
  • ECHO type 0
  • ECHOREPLY type 8
  • TIME_EXCEEDED
• Set hosts file properties to Read-Only. Here is an example of how browser hijacker spotresults.com alter hosts file so you end up at their site instead:

  207.36.196.189  auto.search.msn.com
  207.36.196.189  search.netscape.com
  207.36.196.189  ieautosearch
  

• Use NAT (Network Address Translation) to hide one set of IP addresses used for internal traffic only while exposing a second set of addresses to external traffic.
• Split DNS into internal DNS zone inaccessible to the public and an external zone containing data about hosts meant for public access.
• Remove data about internal desktops, servers, or network hardware from external zone data.
• To prevent scanners from "walking" the DNS maps by trying every IP address in succession, using a gethostbyaddress() call for each address and recording responses, permit zone transfers only between primary and designated secondary DNS servers by enabling access control in the name server software and by restricting inbound access to TCP port 53 at the egress router between a name server and external network.
• To defend against spoofed RIP packets, set routers to reject any packets containing the Loose Source Routing option flag. There is very little legitimate need for this setting outside of network debugging.
• Configure firewall routers to accept only routes legal on a given wire.
• Use one-time passwords.
• Invoke password complexity rules to ensure use of strong Passwords. On Windows 2000, enable the GPO object Windows 2000 [Q225230]. This uses Microsoft's Passfilt.dll also on NT4 SP2. On NT4 a reg key must be set after installing it [Q161990]
• Encrypt backups
• Put certificates, such as syskey, on removeable media such as diskettes or SmartCards which require local physical access.
• Set sensitive data, such as Tripwire configuration files, with read-only attributes and store them in read-only folders.
• Lockout the Administrator account after 2 unsuccessful logon attempts.
• Block outgoing ICMP echo-reply and destination-unreachable messages in routers. An ICMP Redirect tells the recipient system to over-ride something in its routing table. It is legitimately used by routers to inform hosts of non-optimal or defunct route (such as to the wrong router). The wrong router sends the host back an ICMP Redirect packet that tells the host what the correct route should be. By forging ICMP Redirect packets accepted by a target host, an attacker can alter the routing tables on the host, causing traffic to flow via a path the network manager didn't intend. This is how users of a bank site could end up at a rogue site which requests passwords and account numbers just like the real site.
• On a Windows system, move executable tool files out of the /system32 dir and place them in a dir with secure permissions. xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe, arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe, posix.exe, rsh.exe atsvc.exe qbasic.exe syskey.exe cacls.exe ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe, rdisk.exe, debug.exe, regedt32.exe, regedit.exe, edit.com, netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe, nslookup.exe, tftp.exe

  This technique requires disabling Windows File Protection

The 3rd edition of the Handbook of Information Security Management by Micki Krause, Harold F. Tipton, editors appears at the ccsecure.org study site courtesy of Auerbach Publications. It's so good, people refer to it using its acronym: HISM.

4th edition of the 728 page Handbook of Information Security Management by Micki Krause, Harold F. Tipton, editors

The Computer Security Handbook: Third Edition by Arthur Hutt, Seymour Bosworth, Douglas Hoyt (John Wiley 1995)

CERT (Computer Emergency Response Team) Practice Guides

Robert Graham's FAQ on Network Intrusion Detection Systems

FBI's National Infrastructure Protection Center, setup mid 1998, published CyberNotes

Information Security Policies Made Easy (Version 7) by Charles Cressen Wood provides 900 pages of proven samples. How much time do you need to save before justifying the $795 price?


Book: Writing Information Security Policies by Scott Barman of Wash. DC govt sites

Book: Information Warfare: How to Survive Cyber Attacks


PCWorld.com's Security utilities

Cyberangels.org recruits computer hackers to work with software products and Internet services to prevent cybercrimes.

Disable unnecessary services on all computers

Physical access:
• Disable floppy drives and removeable media to unauthorized users
• Disconnect or remove modems when not in use.
Desktop apps:
• Windows Media Player
• Microsoft Outlook "Automatically add addressee to address book"
• Microsoft Word/Excel macro execution.
IIS web servers
• ISAPI mapping
• Active server pages (.asp)
• Index server web interface (.idq, .htw, .ida)
• Server Side Includes (.shtml, .shtm, .stm)
• Internet data connector (.idc)
• Internet printing (.printer)
• .htr scripting (.htr)
• Sample web files
• Scripts virtual directory
• WebDAV
• Disable parent paths using the IIS administration tool. http://www.exair.com/samples/showcode.asp?file=../../../boot.ini
• Set file permissions to prevent IIS anonymous user from executing system utilities or writing to content directories.

• IIS5 Checklist from Microsoft , such as LDAP with HTTPS

• Turn off “AutoShare" of hidden shares on D$, etc.

Configure Exchange server to stop email relays
• Testing: http://www.mail-abuse.org

Use strong authentication to access internal services

• Format drives using NTFS Encrypting File System
• Use digital certificates.
• Use syskey to maximize SAM security.
• Geneate a password and calculate how long it will take to brute crack it - Javascript tool by Scott Lee

Educate users and management

• Define a Security Policy [RFC 2196]: Categorize resources into Levels of importance:
  
  I. Critical systems central to business operation, containing data needing high integrity, such as email, DNS, SQL servers.
  II. Significant systems needed but not critical.
  III. Routinely Essential systems which would not stop the organization.

  This determination is used to justify Service Levels

• Educate users about social engineering exploits (such as calling users and asking for their login and passwords under the guise of some official capacity).
• Publish security policies
• Separate applications from data using different folders and drives/partitions

List all services on computer COMPx using Resource Kit utility that runs across the network to display both the driver name and the display name as well as both services and devices:
netsvc \\COMPx /list

Use the Service Controller tool to list process types and status for each service:
sc query type= service

Unregister server service filespy:
Delsrv filespy

Two-factor authentication

Fortezza (Italian for “fortress") PCMCIA Crypto cards developed by the NSA for two-factor authentication are supported by IIS5.

Tools to check configuration settings:

• Eeye's Retina Security Analyzer

• Intrusion.COM's Kane Security Analyst

• PGP Security CyberCop Scanner from NAI

• ISS - Internet Scanner has a higher-end tool than the free version on Microsoft's W2K Reskit \Apps \Systemsscanner.

  PC mag Nov 2000 article on security scanners

Auditing and Monitoring

Continually monitor and fine-tune the security infrastructure.

• Use password cracking programs and alert users who craft poor passwords.
• Use host policy scanners to confirm compliance (such as the latest patches being installed).
• Detect remote registry browsing by turning on auditing in HKLM\Security
• Install agents to periodically request website to verify availability.
• Install Network Intrusion Detection System (NIDS) such as NukeNabber to detect port scans and attempts from outside the firewall More
• Install host-based Intrusion Detection System to flag suspicious activities inside the firewall (such as a long string of x86 NOOPs Dragon leaves in the control connection).
• Install Signature Verification software to detect changes to files
Maresware calculates the CRC, MD5, SHA1, or SHA2 hash of a file
• Detect reverse-DNS lookups along when logging tracerout requests.
• Find patterns in logs using a grep or regular expression

Plan (and test) responses to attack

• Logging, evidence gathering
• Predetermine countermeasures. For example, use Checkpoint's “OPSEC" standard and their Suspicious Activity Monitoring Protocol (SAMP) to dynamically configure firewalls.
• Counterstrike (disable attacking host)

Honeypots

(using NFR's Back Officer Friendly) to piss off hackers. (In my opinion, this is not a good idea.)

Set alarms

• Set flag CRYPT_USER_PROTECT to notify the key owner when an application attempts to use the owner's private key.
• Carvdawg's Startup.pl Perl script checks for suspicious entries the startup configuration of local and remote NT systems, all locations (ie, files, directories, and Registry keys). Executables linked to can be 'fingerprinted' using MD5 hashes as an extra step to ensure that the files haven't been overwritten by something very, very bad.

Forensics

• incident-response.org
• Danny Mares Tools
• AccessData's FTK
• NTI tools
• EnCase
• Forensic Toolkit

Anti-Virus Products

Certified by ICSA Labs
• $39/yr NOD32 is the only product tested by Virus Bulletin to have never missed a single "In the Wild" virus.
• AVG from Grisoft
• Network Associates McAfee Virus Scan is the most well known.
  
• Symantec Norton
  
• Trend Micro House Call detects Trojans as well. Its PC-cillin blocks infections.
  
• F-PROT
  
• f-secure
• Panda
  
• Sophos
• Kaspersky

  The W32.Mydoom.F worm or one of its variants interfere with the ability to successfully install or run anti-virus software.

  Updates

  Download nshc32.exe version 3.2and run
  hfnetchk -v -z -x s:\security\hotfixfile.xml

  It can specify servers by IP address. UpdateExpert works on a single domain?

  Hotfix Reporter utility converts the raw, plaintext output from MS HfNetChk into an HTML page, complete with clickable links so you can easily get to the appropriate security bulletins and KB articles on the MS site.

  Patchlink performs version checking of apps as well as OS patches. It can run in silent distribution mode.

  Citadel's Hercules is the first automated vulnerability remediation product to fix up to 90% of vulnerabilities.

  Security Profiling

  Shavlik Enterprise Security Advisor is an ASP and XML based online tool used by Microsoft to scan for 100s of security loop holes in Windows NT, Windows 2000 and Windows XP, Office, Outlook, Office XP computers.

  UpdateEXPERT from StBernard software also installs the updates and ensure that they are correctly installed.

  Port Scanners

  To scan ports and get system info (such as NETBIOS name), use the freeware from gfisoftware

  CORE-SDI suite or products listed in http://www.securityfocus.com/

  Network Intrusion Detection

  Finjan
  eSafe SandboxII Network Computing November 15, 1999 article

• Internet Security Systems' RealSecure 3.2 ($8,995)
• Axent Technologies' Intruder Alert and NetProwler ($9,000)
• Cisco Systems' Secure Intrusion Detection System/NetRanger on Solaris x86 ($22,000)
• CyberSafe's Centrax 2.2 ($2,500)
• Network Flight Recorder's NFR Intrusion Detection Appliance 4.0 open source ($3,100)
• Network Ice's BlackIce Defender and Enterprise Icepac 1.0 ($40 per node)
• Network Security Wizards' Dragon IDS ($4,500)

  Nessus remote scanner

  Bindview's RAZOR

  System Integrity Verifiers

  Run Microsoft's sfs.exe

  Intact from Pedestal Software was designed for Windows NT and Windows 2000 to monitor files, Registry entries, ACLs, and monitors user and group account manipulation.

  Robert Graham on making a one-way cable for Snort IDC boxes.

Action Analogies: Physical & Electronic Countermeasures

Category	Physical controls	Electronic counterpart
Advertisement	Company name, phone number is listed in the public phone book	DNS name and IP address populated in Whois database of DNS entries
	Company lists POBox	Network Address Translation
	Company Operator does not give out employee direct extensions	Contact info hidden from public Whois queries
Authentication	Guard asks visitors to sign in at front door	Visitors asked to register before viewing website
	Guest shows guard a printed invitation to the party	Presentation of Credentials
	Guard checks ID's at doors	Verification of Credentials
	Guard verifies who's on the guest list	Certificate Authority and Credentials store
	Guard does not stop those he recognizes	Single Sign On
	Guard rejects vagrants and ex-employees	Inbound firewall
	Badges are dated	Time To Live
	Badges are color codes (Group Coding)	Group and role based permissions
Authorization	Visitor badge issued by Guard	User ID with limited permissions
	Visitor gets bathroom key from Guard	Security tokens for Security Associations
	Executive gets keys to the Executive Bathroom	Elevated Priviledge granted
Access	Doors are locked	Passwords are applied
Content	Guard inspects packages coming in	Inbound content monitoring/filtering
	Shipments are sealed	Encryption
	Guard collects an authorization form for packages leaving the building	FTP Log
Intrusion Detection	Guard looks at monitors from cameras	logging
Audit	Scan video tapes	log analysis
	Employee Exit	Log closeout analysis

Roles for Security Policy

CISO and BISO officers of an organization define and enforce that organization's Security Policy.

User management manages user access to the VPN. User Management tasks include authentication, authorization, and accounting.

Device management is the setup, configuration, and management of hardware and software devices.

Powerpoint presentations from the Spring 2000 VPNCon

“Secure Computing” by Rita C. Summers (McGraw Hill)

“Security in Computing” by Charles Pfleeger (Prentice-Hall, 1997)

“The CERT Guide to System and Network Security Practices” by Julia H. Allen (Addison-Wesley, 2001)

Book: Secrets & Lies by

BS7799 Auditor

Microsoft's Security home page

“A Security Blueprint for Enterprise Networks" 58 page white paper by Sean Convery and Bernie Trudel of Cisco

Articles on Security at IBM DeveloperWorks

Book: Designing Secure Web-Based Applications for Microsoft Windows 2000 by Michael Howard Microsoft Press © 2000 , 504 pages ISBN: 0735609950

HTTPS on the Client

When processing online purchasing (credit card numbers) or private information (social security numbers or birthdates, etc.), encrypt information between computers over the World Wide Web by using the Hypertext Transfer communications Protocol (HTTPS) instead of HTTP.

Here's an example of the HTML coding presented to the client browser (Microsoft® Internet Explorer 3.0 or later):

<A href="https://example.company.com"> HTTPS Example Link </A>

When a browser sends a "https://" URL, it tells IIS to open an SSL-encrypted session.

SSL creates an intermediate layer between the upper-level HTTP and the lower-level TCP/IP. Web browsers and Web servers make calls and requests directly to the SSL, which manages the task of setting up a secure communications channel and passing or receiving information from TCP/IP.

SGC

Server Gated Cryptography extends SSL to bring browsers operating at 40-bit encryption to 128 bit.

Here's a description of SSL by its inventor, Netscape.

E-Commerce Security: Weak Links, Best Defenses (New York: John Wiley & Sons, 1998) by Anup K. Ghosh, Director of Security Research at Cigital, formerly Reliable Software Technologies.

Web Security, A Step-by-Step Reference Guide (Addison Wesley, 1998) by Lincoln Stein, who maintains The World Wide Web Security FAQ at W3C while he makes the human genome both accessible from The Cold Spring Harbor Laboratory, NY.

Electronic Commerce: Security, Risk Management and Control (Boston: McGraw Hill, 2000) by M. Greenstein, T. Feinman

Web Security Sourcebook (John Wiley & Sons, 1997) by Aviel Rubin, Daniel Geer, and Marcus Ranum.

Web Security and Commerce (O'Reilly Publishing, 1997) by Simson Garfinkel and Gene Spafford.

Intrusion Techniques and Countermeasures [Online document] (Sedona, AZ, 1999) by R. Farrow.

Security Management for the World Wide Web [Online document] by L. L. McGhie, P. Q. Maier, Chapter 2-3-1, Section 2-3, Internet Security, Handbook of Information Security Management: Communications Security, 1996-1999 EarthWeb, Inc. [cited 1999 September 28],

Meinel, "Guide to (mostly) Harmless Hacking: Beginners' Series #1"> [Online document] 1997 [cited 1999 October 4], Available

Information Security: Protecting the Global Enterprise by D. L. Pipkin. (Hewlett-Packard Professional Books, New Jersey: Prentice Hall PTR, 2000)

"Understanding IP Addressing: Everything You Ever Wanted to Know" [Online document] by C. Semeria, [cited 10/10/00]

Tiwana, Web Security, Massachusetts: Digital Press (Butterworth-Heinemann), 1999.

Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network (Indianapolis: Sams Publishing, 1998)

Check Point Software Technologies, Ltd., “Top 10 Challenges to Securing Your Network," PN 39400000400, March 1999.

Innovative Security Products, “Security White Paper Series: Microcomputer Security," [Online document], 1998 [cited 1999 August 6], Available

International Data Corporation, "eSecurity : The Essential eBusiness Enabler". 1999.

“Techniques Adopted by 'System Crackers' When Attempting to Break Into Corporate or Sensitive Private Networks," [Online document] 1998 December, Network Security Solutions Ltd. Front-line Information Security Team [cited 1999 December 6].

“Understanding Concepts in Enterprise Network Security and Risk Management" [Online document], 1998 January, Network Security Solutions, Ltd., Front-line Information Security Team (FIST) [cited 1999 December 8].

WinInet API For Windows CE

When using WinInet (Win32 Internet Functions) APIs:

• The HTTPS invokes use of a Private Communications Technology (PCT) -- the Secure Socket Layer (SSL) encryption protocol on a secure server provided by Schannel.dll

• InternetConnect for HTTPS uses INTERNET_DEFAULT_HTTPS_PORT (TCP port 443) instead of INTERNET_INVALID_PORT_NUMBER or INTERNET_DEFAULT_HTTP_PORT

• HttpOpenRequest uses the INTERNET_FLAG_SECURE option.

Activewin's excellent Step-by-Step Guide to Setting up a Certificate Authority

Excerpted from Internet Security with Windows NT by Mark J. Edwards

Untangling Web Security: Getting the Most from IIS Security (Technet on-line article)

Microsoft's Security Site offers a Checklist for IIS4.0 (download Checklist.exe which self-extracts into two Checklist.htm file).

The Windows NT Security Site

The Microsoft Internet Information Server 3.0 (70-77) and 4.0 (70-87) Certification Exam Page

SSL uses public key cryptography to securely generate and exchange a commonly-held key, -- the session key -- used for symmetric encryption. Therefore, SSL features require a server certificate to be obtained from a Certificate Authority (such as VeriSign). The certificate is for a particular IP address : port number combination.
Secure Sockets Layer (SSL) Options (Article Q172023)

To enable SSL on IIS:

1. Generate a request file with a security key pair file.
2. Request a digital certificate from a Certification Authority.
3. Install the certificate on your IIS server.
4. Activate SSL security on your IIS server.

From the Internet Services Manager (ISM), use the IIS Key Manager to build the key pair information files you use to apply for a digital certificate.
How to Create and Install an SSL Certificate in IIS 4.0 (Article Q228991)

Mark J. Edwards offers this list of fields in the dialog box:

Key Name	Name of the key pair you are creating.
Password	Password used to encrypt the private key (use long passwords).
Bits	Number of bits for the key pair. The default is 1,024 bits; I highly recommend using this setting.
Organization	Your company name or your own name.
Organizational Unit	Name of the division of your company.
Common Name	Internet domain name of your server.
Country	Two-letter abbreviation, such as US, UK, AU, or JP.
State/Province	Your state or province, such as Texas or Alberta.
Locality	Complete name of your city, such as Houston.
Request File	Name of the file you are creating.

Use the IIS Key Manager to install the certificate to bind the certificate to the Web site.
Installing a New Certificate for Use in SSL/TLS (Article Q228836) (for use with smart cards and calling routers)

Activate SSL on IIS by configuring the Directories properties using the Internet Service Manager. Key-length (128 or 40) can be set in the Secure Communications dialog box. If you select the Require Secure Channel when accessing this resource option,

Accessing Security Protocols

RSA corporation (RSA is an acronym from the last name of its three founders: Ron Rivest, Adi Shamir, and Leonard Adelman).

More about SSL

"Insurgency on the Net" CNN's Report

Alternatives to HTTPS

Secure Sockets Layer (SSL) versions 2.0 and 3.0 is the most widely-used method of creating secure transactions on the Web today.

Using SSL (Secure Socket Layer) with the HTTPS: protocol makes it more difficult to read private messages intercepted over the wire.

It's appropriate to use whenever one or both parties do not want information shared with others. Examples include information possibly used to establish authentication, such as Social Security number, date of birth, mother's maiden name, credit card numbers, or even phone numbers and addresses.

SSL protects messages by encrypting it for transmission.

SSL is NOT appropriate where information is already offered freely, such as RFC documents intended for open dissemination or documents which the authors can't get to enough people. Why would someone go through the trouble of intercepting messages when it's easily available?

SSL is often not appropriate because there is computing overhead with SSL connections. This means a more expensive system that's more difficult to maintain for the provider and a slower application for the user. One compromise some developers use (especially for Intranet applications) is to employ SSL connections for logon and password change functionality, then drop down to regular HTTP exchanges for all other transactions.

Alternatives are:

• Client certificates which map to Windows NT user accounts.
• Server Gated Crypto (SGC) security protocols

Non-Microsoft SSL implementations on Java

Firewalls and Proxies

Modern firewalls use a hybrid of 3 main firewall technologies working at the Network layer:
• Proxy firewalls are also called application gateways.

  NAT [RFC 1631]

• Stateful inspection firewalls are also called dynamic packet filtering. They are application.

Configure Packet Filtering

Packet Filter routers selectively deny or allow the routing of packets between trusted and untrusted networks based on a site's security policy stored in Access Control Lists (ACL). Screening is based on source and destination address and ports in IP (not UDP) Headers.

To get Windows 2000 to filter incoming (not outgoing) TCP, IP, and UDP packets, use the “Advanced TCP/IP Settings” GUI “Options” tab.

To get Windows 2000 to filter incoming ICMP packets, use the “Routing and Remote Access” MMC.

Encapsulation

The concept of encapsulation makes use of a fundamental principle of the TCP/IP protocol. On the sending end, each layer in the ISO model adds a header to the "payload" it receives. On the receiving end, headers at each level are stripped away to obtain content from the sending peer level.

The processor at each layer does not examine the contents of packets it receives. This allows VPN packets to be *encapsulated* (or encased) within any other packets of data.

This is why, when you install VPN as a Communications component on Windows 98 (from Add/Remove Programs), you select “Microsoft VPN Adapter" as the connection device. This device, in turn, accesses the modem. This is also why Windows 95 is upgraded for VPN with the “Dial-up Networking 1.3" upgrade downloadable from Microsoft.

This technique is not new. NetBIOS and IPX packets are also encapsulated for transmission over IP networks. Only one IPX network ID is used by all VPN clients.

Encapsulation make use of a *tunneling* protocol. The first tunneling protocol was based on the most widely used protocol for remote access to the Internet: the Point-to-Point Protocol (PPP) [RFC 1547, 1661]. Windows NT 4 and Windows 98 use Point to Point Tunneling Protocol (PPTP) (using 128 ports) to encapsulate PPP packets using a modified version of the GRE (Generic Routing Encapsulation) protocol 47 over port 1723. So one disadvantage of VPN is that the firewall needs have this path open (providing another possible door of attack).

Voluntary tunnels are configured and created through a conscious action by the user at the tunnel client computer. Compulsory tunnels are configured and created automatically for users without their knowledge or intervention

To configure PPTP for inbound VPN connections, use the Routing and Remote Access MMC wizard.

Datacom Protocol Layers
Datacom devices
Routing

Microsoft's replaced its Proxy Server product with the Windows 2000 Internet Security and Acceleration Server (a.k.a. ISA server)

Microsoft' Routing and Remote Access Server (RRAS) can use several connections:

• Direct connection to a network hub
• Dial-up
• X.25
• Frame relay
• ISDN
• VPN

RRAS supports two routing control protocols:

• OSPF
• RIP
More on Datacom Layers and Protocols

Filtering Products

Cisco PIX
Check Point Firewall-1
Netscreen 10/100
Watchguard
Microsoft Internet Security and Acceleration (ISA) Server
Smoothwall
Tiny Personal Firewall is not supported and does not route.
Kerio Firewall

Firewall Mailing List

Content Filtering Software Products

Websense pass-through filtering and logging for porn, etc.

Authentication

Authentication is the process where a network user establishes a *right to an identity* -- the right to use a *name*. The goal is to verify that you are not dealing with an imposter. Authentication implements Access Control.

Authentication Mechanisms

1. Proving what you know -- password.
2. Showing what you have -- smart cards
3. Demonstrating who you are -- biometrics.
4. Identifying where you are -- call back phone number or IP address.

The program that presents the logon box is Winlogon (the Net Logon service) running in the Local Security Authority (LSA) process. The LSA authenticates accounts by examining credentials such as a password to a valid account. Security rules are enforced by the Security Reference Monitor running in kernel mode, where user intervention cannot occur.

Single-sign-on is possible because in Windows 2000, any user or computer daemon that can initiate action is a security principal. Security principals establish a context for their actions by presenting credentials from a security authority that is trusted by the LSA on the computer where the principal intends to act.

Interfaces

Windows 2000 supports several Interfaces to security providers:

SSPI	SSP
Kerberos v5 NTLM Schannel Other	RPC for DCOM apps HTTP for Web-based apps Firewalls for Directory-Enabled apps Smart Card Service Provider (SCSP) Cryptographic Service Provider Other apps

NTLM

NT4's NTLM v1 authenticates one-way: only the server authenticates clients.
NT4 SP4's NTLMv2 and Windows 2000's Kerberos v5 are two-way: a client and a server mutually authenticates to prevent impersonation.

Mechanisms Supported by IPSec

• Kerberos v5 establishes two-way transitive trusts (the default between two Windows 2000 domains in the same forest)
• Trusted Public Key Certificate Authorities
• Microsoft Certificate Server
• Pre-shared Key

The Windows Internet Authorization Service (IAS) is Microsoft's version of a RADIUS server, which can integrate with UNIX TACACS.

The Order IIS5 attempts to Authenticate

1. Anonymous Access by external users (those without a Windows account)
2. Basic Authentication (HTTP 1.0) sends passwords in unencrypted Base64-encoded format.
3. Digest Authentication, as a new HTTP 1.1 feature, is supported by clients using Internet Explorer 5.0 or later. It's only for Windows 2000 domain accounts because it accesses the Active Directory.
4. Integrated Windows Authentication

Biometrics

Failure to acquire happens when the biometric unit can't get enough information to decide.

Panasonic/Iridian Technologies' $240 Authenticam system analyzes the pattern in users' irises from a foot away. This has the best CER of 0.5%. Better than retina scanners.

The Crossover Error Rate (CER) is the point when the FAR -- False Acceptance (of imposters) Rate crosses over the FRR -- False Reject (of good guys) Rate.

BioID identifies individuals based on facial image from a $50 Samsung Anycam and voice recognition.

Identix, Visionics, Veridicom, and Compaq reads fingerprints.

Hand geometry

Forbes articles on biometrics

Authentication Protocols

Windows 2000 uses this order (top down):
1. MS-CHAP v2 passwords are encrypted using MD4 for MPPE. It also provides two-way mutual authentication to guard against server impersonation attacks.
2. MS-CHAP v1 provides 40-bit encryption for secure password & session data transmission. The user's account can only be a maximum of 14 characters
3. CHAP (challenge Handshake Authentication Protocol) encrypts usernames and passwords only, not session data. Used for MPPE by stand-alone servers (which are not supported by EAP-TLS)
4. SPAP (Shiva PAP) encrypts password but not session data.
5. PAP isn't secure - sends plain-text (unencrypted) username and passwords. It's included with Windows 2000 to support older clients.

Windows 2000 uses three protocols for authenticating remote connections:

• DPA - Distributed Password Authentication - uses SSP file Msapsspc.dll
• EAP-TLS (Extensible Authentication Protocol) extends PPP to encrypt session data.
• Schannel Protocols included in the Schannel authentication method using a certificate and SSP module Schannel.dll:
  1. SSL v2
  2. SSL v3
  3. PCT - Private Communication Technology 1.0
  4. EAP/ TLS 1.0 provides user-level mutual authentation.

EAP-RADIUS is when the Internet Authorization Service (IAS) forwards authentication to another RADIUS server as a RADIUS-formatted message.

Secure FTP

Serv-U FTP server and Voyager FTP client from rhinosoft.com encrypts the authentication password that other FTP programs leave in the clear.

WinSCP is a Windows version of Unix Secure Copy.

SSH 2.0 has built-in file transfer capabilities. f-secure.com and Open SSH.com list GNU licensed implementations.

In Client for Microsoft Network Properties, Service provide name: Windows Locator does not require a Network address as with DCE Cell Directory Service.

Authorization of Permissions

Authorization is the process of determining whether an authenticated identity (plus a set of attributes associated with that identity) is permitted to *perform some action*, such as accessing a resource.

NTFS Permissions

When IIS is installed, two users are created:
• IUSR_computername to handle built-in anonymous logons to the IIS system.
• IWAM_computername to allow IIS to start out-of-process Web applications such as accounting, monitoring, and scripting.

Limitations by Group

A security descriptor lists the permissions a user needs to read the properties of an AD object.
• "Users" can only run certified applications.
• "Power Users" can also run unsigned legacy applications.

  Appsec.exe, installed from Instappsec.exe in the Resource Kit, prevents users from running executable files (not DLLs) through the command line or from within another application. To prevent users from running other versions of the same executable file from alternate locations, Appsec permits applications based on full path names. Its Admin run mode provides tracking of what applications have been run.

  Like NTFS Permissions are Additive

  Access permissions are cumulative when dealing with like permissions. All NTFS permissions are added together to determine the effective rights. Share permissions are also culumative.

  Local Security Authority

  The LSA controls access to resources on a local Windows 2000 computer. It starts SSPs (Security Support Providers).

  Network Share Permissions

  Share permissions apply only to access over a network, not locally. Sharing a folder also shares all the lower level resources under that share. Only the Administrators group can access the Admin$ share created by default. The $ in the name makes it hidden.

  When a share is in an NTFS volume, their permissions are combined with NTFS Permissions in a Most Restrictive way.

  The only way to secure network resources on a FAT volume is with shared folder permissions. However, on Windows 2000 NFTS volumes, leave network shares the default assignment of "Full Access" for Everyone and depend upon NTFS permissions to "flow through" protection. Managing a single set of permissions makes for easier administration.

  Denying permissions takes precedence over the permissions that you allow.

  When a shared folder is moved, it loses its share status.

For a 20% discount on SANS books published by New Riders, call 1-800-428-5331 and mention code "SANS"


Network Intrusion Detection: An Analyst's Handbook, 2nd Edition


Intrusion Signatures & Analysis, January 2001

"Securing Database Servers" - 8 page whitepaper from Internet Security Systems

The $379 Security Explorer utility integrates with the Windows NT 4.0 Desktop search across subdirectories for permissions. Grant, revoke, and clone permissions across subdirectories without affecting any other user's permissions. can search and modify Windows NT security on NTFS drives, the Registry, and Shares. Select 50 shares on a server and grant permissions to multiple users and groups simultaneously. Export permissions to a database for further analysis and reporting. Back up file permissions and restore them if necessary. Set ownership on files and directories. Seamless integration with the Windows NT 4.0 Desktop (right-click just about anywhere). Security Explorer makes finding security holes and filling them a snap!

Trusts

NTLM provides one-way, non-transitive trusts between Windows NT domains.

A shortcut trust is established directly between two domains in the same forest.

Resources on Info Security

Security Consultants

These are not those who offer you their services after they hack into your system. (or other “mafia” tactic)

• Jon Miller and others at Covert Systems 310.566-7277 in Marina del Rey, California
• TruSecure
• Center for Secure Information Systems (CSIS) at George Mason University offers scholarships for BS and MS degrees specifically on Cryptography, Internet Security Protocols, Computer Network Security, Computer Intrusion Detection, Secure Electronic Commerce, etc.