Security+ A CompTIA Certification
Chuck Swanson
Andrew LaPage
Robyn Feiock
Nancy Curtis
Part Number: 085544
Course Edition: 2.0
ACKNOWLEDGMENTS
Project Team
Curriculum Developers/Technical Writers: Chuck Swanson (Security+, MCT, MCSE+I—Windows NT 4, MCSE—Windows
2000, MCNI, MCNE, CTT), Andrew LaPage (Security+, MCP), Robyn Feiock and Nancy Curtis (Security+, Network+, MCSE—
Windows NT 4/Windows 2000, MCT, CNA) • Development Assistance: Alan J. Meeks (MCSE—Windows NT 4/Windows 2000,
MCT, Network+, CIWA) • Development Assistance: Mike Casper • Content Manager: Clare Dygert • Copy Editors: Angie J.
French and Jay Smith • Reviewing Editors: Christy D. Johnson and Laura Thomas • Technical Editor: Cory Brown • Quality
Assurance Coordinator: Frank Wosnick • Graphic Designer: Isolina Salgado • Project Technical Specialist: Michael Toscano
NOTICES
DISCLAIMER: While Element K Courseware LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty
whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The name used in the data files for this course is that of a fictitious company. Any
resemblance to current or future companies is purely coincidental. We do not believe we have used anyone’s name in creating this course, but if we have, please notify us and we will change the name in
the next revision of the course. Element K is an independent provider of integrated training solutions for individuals, businesses, educational institutions, and government agencies. Use of screenshots or
another entity’s product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such
entity with Element K. Certain exercises in this course manual assume that the user has access to various software products. Element K is not responsible for providing the user of this course manual
with access to those software products. Each user of this course manual is responsible for complying with the terms of any and all software licensing agreements associated with such software products.
Some of the tools and procedures presented in this course could cause problems if used improperly or maliciously in a live network environment. These tools are not a threat in any simulated activities
presented here, nor are they a threat when presented as part of instructor-led training in a closed classroom environment. However, the installation and use of the programs or procedures presented
outside of a controlled environment is the sole responsibility of the end-user and may result in criminal prosecution. Element K does not endorse or recommend the illegal use of any of the scanning or
hacking tools described in this course. This courseware contains links to sites on the Internet that are owned and operated by third parties (the “External Sites”). Element K is not responsible for the
availability of, or the content located on or through, any External Site. Please contact Element K if you have any concerns regarding such links or External Sites.
TRADEMARK NOTICES Element K and the Element K logo are trademarks of Element K LLC.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the U.S. and other countries. Novell and NetWare are registered trademarks of Novell, Inc. in the U.S. and other countries.
Sun, Solaris, and Sun Microsystems are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All other product names and services used throughout this book
may be common law or registered trademarks of their respective proprietors.
Copyright © 2003 Element K Content LLC. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. This publication, or any part thereof, may not be
reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written
permission of Element K, 500 Canal View Boulevard, Rochester, NY 14623, (585) 240-7500, (800) 434-3466. Element K Courseware LLC’s World Wide Web site is located at
www.elementkcourseware.com.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and
conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Element K materials are being reproduced or transmitted without
permission, please call 1-800-478-7788.
The logo of the CompTIA Authorized Curriculum Program and the status of this or other training material as "Authorized" under the CompTIA Authorized Curriculum Program signifies that, in CompTIA’s
opinion, such training material covers the content of the CompTIA’s related certification exam. CompTIA has not reviewed or approved the accuracy of the contents of this training material and specifically
disclaims any warranties of merchantability or fitness for a particular purpose. CompTIA makes no guarantee concerning the success of persons using any such "Authorized" or other training material in
order to prepare for any CompTIA certification exam. The contents of this training material were created for the CompTIA IT Security+ exam covering CompTIA certification exam objectives that were
current as of December, 2002.
How to Become CompTIA Certified: This training material can help you prepare for and pass a related CompTIA certification exam or exams. In order to achieve CompTIA certification, you must register
for and pass a CompTIA certification exam or exams. In order to become CompTIA certified, you must:
1. Select a certification exam provider. For more information please visit http://www.comptia.org/certification/general_information/test_locations.asp.
2. Register for and schedule a time to take the CompTIA certification exam(s) at a convenient location.
3. Read and sign the Candidate Agreement, which will be presented at the time of the exam(s). The text of the Candidate Agreement can be found at http://www.comptia.org/certification/general_
information/candidate_agreement.asp.
For more information about CompTIA’s certifications, such as their industry acceptance, benefits, or program news, please visit http://www.comptia.org/certification/default.asp. CompTIA is a non-profit
information technology (IT) trade association. CompTIA’s certifications are designed by subject matter experts from across the IT industry. Each CompTIA certification is vendor-neutral, covers multiple
technologies, and requires demonstration of skills and knowledge widely sought after by the IT industry. To contact CompTIA with any questions or comments: Please call + 1 630 268 1818
questions@comptia.org
CONTENTS
C. Identify Hardware Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
B. Secure Wireless Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Wireless Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Mobile Device Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Wireless Security Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
C. Secure Client Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Browser Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Internet Explorer Security Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Hardened Web Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
D. Secure the Remote Access Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Remote Access Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Hardened Remote Access Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
APPENDIX A: AUTHENTICATION AND AUTHORIZATION
APPENDIX C: SECURESYSTEMS.DOC
SOLUTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Course Description
Target Student
This course is targeted toward an Information Technology (IT) professional who has
networking and administrative skills in Windows-based TCP/IP networks and familiarity with
other operating systems, such as NetWare, Macintosh, UNIX/Linux, and OS/2, who wants to:
further a career in IT by acquiring a foundational knowledge of security topics; prepare for
the CompTIA Security+ Certification examination; or use Security+ as the foundation for
advanced security certifications or career roles.
Course Prerequisites
CompTIA A+ and Network+ certifications, or equivalent knowledge, and six to nine months
experience in networking, including experience configuring and managing TCP/IP. Students
can obtain this level of skill and knowledge by taking the following Element K courses:
• A+ Certification: Core Hardware
• A+ Certification: Operating Systems
• Network+ Certification: 3rd Edition
Students can obtain additional TCP/IP knowledge from the Element K course Windows 2000:
Network and Operating System Basics.
Introduction xi
INTRODUCTION
Although not required, students might find it helpful to obtain foundational information from
introductory operating system administration courses.
As a Review Tool
Any method of instruction is only as effective as the time and effort you are willing to invest
in it. In addition, some of the information that you learn in class may not be important to you
immediately, but it may become important later on. For this reason, we encourage you to
spend some time reviewing the topics and activities after the course. For additional challenge
when reviewing activities, try the “What You Do” column before looking at the “How You Do
It” column.
As a Reference
The organization and layout of the book make it easy to use as a learning tool and as an
after-class reference. You can use this book as a first source for definitions of terms,
background information on given topics, and summaries of procedures.
Course Objectives
In this course, you will implement and monitor security on networks and computer systems,
and respond to security breaches.
You will:
• identify security threats.
• harden internal systems and services.
• harden internetwork devices and services.
• secure network communications.
• manage a PKI.
• manage certificates.
• enforce an organizational security policy.
Course Requirements
Hardware
To run this course make sure all equipment is on the Microsoft Hardware Compatibility List
(HCL) for Microsoft Windows 2000 Server and Microsoft Windows XP Professional. The
Microsoft Windows HCL can be found at: www.microsoft.com/hcl. You will need one
computer for each student and one for the instructor. Each computer will need:
• Pentium processor, 300 MHz or greater.
• 256 megabytes (MB) of Random Access Memory (RAM) or greater.
• 10 gigabyte (GB) hard disk or larger.
• Super VGA (SVGA) or higher resolution monitor capable of a screen resolution of at
least 800 x 600 pixels, at least 256-color display, and a video adapter with at least 4 MB
of memory.
• 3.5” 1.44 MB floppy disk drive.
• Bootable CD-ROM drive.
• Mouse or compatible tracking device.
• Network interface card and network cabling connecting each classroom computer.
• Internet access is recommended as some activities require Internet access. This will also
allow access to the numerous URLs that are referenced throughout the book. Students will
benefit from being able to access the latest information about security such as new types
of attacks and the latest security breaches to different products. Make sure to use IP
addresses that do not conflict with other portions of your network.
• The instructor computer will need a display system to project the instructor’s computer
screen.
Software
• Microsoft Windows 2000 Server or Windows 2000 Advanced Server with sufficient
licenses.
• Microsoft Windows 2000 Service Pack 2.
• Microsoft Windows 2000 Service Pack 3.
• Internet Explorer 6.0 with Service Pack 1. If you will have Internet access during class,
you can download the installation setup file from
www.microsoft.com/windows/ie/downloads/ie6sp1/download.asp. If you will not have
Internet access during class, you will need to order the Internet Explorer 6 CD from
www.microsoft.com/windows/ie/ordercd/ie6sp1.asp.
• Microsoft Windows 2000 Security Rollup Package 1 (January, 2002). (W2KSP2SRP1.exe)
Download the Network Installation package from
www.microsoft.com/windows2000/downloads/critical/q311401/default.asp.
• Microsoft Baseline Security Analyzer version 1.0 (MBSASetup.msi):
www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp.
• Microsoft Internet Information Server (IIS) Security Rollup Package (Q319733)
(Q319733_W2K_SP3_X86_EN.exe): www.microsoft.com/Windows2000/downloads/security/q319733.
• Microsoft IIS Lockdown Tool version 2.1 (IISLockd.exe). Go to www.microsoft.com/downloads
and search for Lockdown Tool.
• Microsoft Windows XP Professional with sufficient licenses. Be sure that you meet the
activation requirements for your classroom situation.
• Microsoft Windows XP Service Pack 1.
• The Cumulative Patch for Windows Media Player (Q320920). Go to
www.microsoft.com/technet/security/bulletin/ms02-032.asp. Download the executable for
Windows Media Player 6.4 (wm320920_64.exe).
• Microsoft Exchange Server 2000 Standard Edition or Enterprise Edition with sufficient
licenses.
• Microsoft Exchange 2000 Service Pack 3.
• Microsoft Exchange Instant Messaging client for Windows 2000 (mmssetup.exe):
www.microsoft.com/exchange/downloads/2000/IMclient.asp.
• Microsoft Network Monitor 2.0, Service Pack 1 (available with Systems Management
Server 2.0 with Service Pack 2), with sufficient licenses.
• Intrusion SecurityAnalyst. Go to www.intrusion.com/products. Click Other Products, and
then click the Downloads link for SecurityAnalyst. Download the evaluation version
(SA_SP2.exe). You will have to register.
• Smbrelay.exe: www.phreak.org/archives/exploits/microsoft.
• L0phtCrack 4 (LC4) (LC4Setup.exe): www.atstake.com/research/lc/download.html.
• Internet Security Systems (ISS) RealSecure Desktop Protector version 3.4 evaluation copy
(RSDPEvalSetup.exe):
www.iss.net/products_services/enterprise_protection/rsdesktop/protector_desktop.php.
Click Download Trial. You will have to register.
• Foundstone Tools. Go to www.foundstone.com/knowledge/free_tools.html and individually
download SuperScan v3.0 (superscan.exe), UDPFlood v2.0 (udpflood.zip) and DDosPing v2.0
(ddosping.zip). Or, if you would like to have all the tools available in class, you can
select Download All Tools (approximately 3.38MB).
Class Setup
The classroom computers will be configured to dual-boot between Windows 2000 Server and
Windows XP Professional. In the following procedures you will set up the instructor computer
first so that you can copy the Windows 2000 Server and Windows XP Professional source files
to the instructor computer's hard drive and share them. Then, you can install the student
computers over the network. On all computers, you will install and configure Windows 2000
Server first, then Windows XP Professional.
When installing over the network with MS-DOS boot disks, it is best to use SMARTDRV.EXE and HIMEM.SYS to
greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local CD-ROM drives.
Approximate setup time: 16 hours for a base system, plus time to image other computers. Imaging the systems
is highly recommended, as this will make it easier to set up class or lab activities repeatedly.
1. Start the Windows 2000 Server setup program. (You can either boot the computer with
the Windows 2000 Server installation compact disc inserted into the CD-ROM drive, or
share the installation source files on a network drive and create MS-DOS network boot
disks to install over the network from the shared drive.)
2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on the C drive. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all classroom computers to
connect to this server. For example, with 10 students, set the number to 10.
• Use a computer name of Server100.
• Set the Administrator password to !Pass1234.
• On the Windows 2000 Components page, select (do not check) Internet Information
Services (IIS) and click Details. Check both File Transfer Protocol (FTP) Server and
NNTP Service and click OK. Then select Networking Services and click Details.
Check Dynamic Host Configuration Protocol (DHCP) and click OK. Click Next.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure it with a static IP address of
192.168.y.100, where y is a unique number on your local subnet. For example, if this
is the only classroom in your location, then the instructor’s IP address would be
192.168.1.100. Enter this same IP address as the Preferred DNS Server address. (You
will install and configure DNS later.) Enter a subnet mask of 255.255.255.0.
• Accept the default workgroup name of Workgroup.
Note: The activities in this course require static IP addresses. If you are attached to a corporate
network, consult with your TCP/IP or network administrator to verify that this IP configuration does
not conflict with any other addresses in your location. Internet access is recommended in this class,
so you should also consult with them on an appropriate method of providing access (for example,
Network Address Translation (NAT)). Also, check with them on any additional parameters that may be
needed for Internet access; for example, a default gateway and additional DNS servers. If you do add
additional DNS servers for Internet access for each computer, make sure you always leave the
classroom configured DNS server IP address as first in the list.
c. Use the Active Directory Installation Wizard to promote the server to domain
controller using the following parameters:
• Domain Controller For A New Domain.
• Create A New Domain Tree.
• Create A New Forest Of Domain Trees.
• Full DNS Name: domain100.internal.
• Domain NetBIOS name: accept the default of DOMAIN100.
• Accept the default locations for the Active Directory database and log.
• Accept the default location for the SYSVOL folder.
• Click OK in the DNS message box.
• Verify that Yes, Install And Configure DNS On This Computer is selected.
• Select Permissions Compatible Only With Windows 2000 Servers.
• Directory Services Restore Mode Administrator Password: password.
d. On the Summary screen, click Next.
e. After the Active Directory Installation Wizard completes, click Finish.
f. Click Restart Now when prompted.
g. Log on as Administrator with a password of !Pass1234.
9. Change your DNS zone type from Active Directory-integrated to Standard Primary by
completing the following steps:
• From the Start menu, choose Programs→Administrative Tools→DNS.
• Expand your DNS server and expand Forward Lookup Zones. Select and right-click
the Domain100.internal zone object and choose Properties.
• Change the Type to Standard Primary. Click OK twice.
• Change Allow Dynamic Updates to Yes. Click OK.
• Close DNS.
10. Create a DHCP scope by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DHCP.
b. Right-click the DHCP server object (server100), and choose New Scope.
c. Use the New Scope Wizard to create a DHCP scope using the following parameters:
• Scope Name: Local100
• Address Range: 192.168.y.101 – 192.168.y.101/24, where y is your unique number for
the classroom. (A range of just one address.)
• Do not add exclusions.
• Accept the default lease duration.
• Do not configure DHCP scope options.
• Do not activate the scope.
• Close DHCP.
11. Install the Microsoft Loopback Adapter by completing the following steps:
a. In Control Panel, run Add/Remove Hardware. Click Next.
b. Verify that Add/Troubleshoot A Device is selected and click Next.
c. In the Devices list, select Add A New Device and click Next.
16. Install Microsoft Exchange 2000 Standard Edition (or optionally Enterprise Edition) by
running C:\SPlus\E2K\Launch.exe. Click Exchange Server Setup and install using the
following parameters:
• Agree to the license agreement.
• Enter the product key, if necessary.
• For the Microsoft Exchange 2000 component, choose the Custom installation action.
• Verify Install is selected for Microsoft Exchange Messaging and Collaboration
Services.
• Verify Install is selected for Microsoft Exchange System Management Tools.
• Choose Install for Microsoft Exchange Instant Messaging Service.
• Create a new Exchange Organization named Organization100.
• Agree to the license agreement.
17. Install Exchange 2000 Service Pack 3 from the C:\SPlus\E2KSP\ folder. (The exact path
to the installation file might vary depending on how you obtained the Service Pack.) Click
Install Service Pack 3. Accept all the update defaults.
When you rename the files, be careful not to create a double extension (Default.htm.htm), which can
happen with the file extensions view turned off.
18. Create the Web sites you’ll use in class by completing the following steps:
a. Copy the Northeast.htm, Boc2.gif, and Swashtop.gif files from the student data files
to C:\Inetpub\wwwroot. Rename Northeast.htm to Default.htm. (This creates the
Nuclear Plant Training Site home page.)
b. Create a C:\Register directory. Copy the Register.htm and Dac10001.gif files from
the student data files to this folder.
c. In the C:\Register directory, rename Register.htm to Default.htm. This creates the
Student Registration Web page.
d. From the Start menu, choose Programs→Administrative Tools→Internet Services
Manager.
e. Expand the Server100 object and select the Default Web Site.
f. Right-click the Default Web site and choose New→Virtual Directory.
g. Use the Virtual Directory Creation Wizard to create a new virtual directory with the
following parameters:
• Alias: Register
• Directory: C:\Register
• Access Permissions: Use the defaults.
h. Close Internet Services Manager.
i. Open Internet Explorer and connect to http://Server100 to verify that you can see the
default Web site (the Nuclear Plant Training Site).
j. Connect to http://Server100/Register to verify that you can see the Registration Web
Page. Close Internet Explorer.
19. Open the PowerPoint slides from C:\SPlus\CourseCD to verify that they display properly.
d. Select Just Enable File Sharing and click OK.
e. In the SPlus Properties dialog box, under Network Sharing And Security, check
Share This Folder On The Network.
f. Uncheck Allow Network Users To Change My Files. Click OK. It will take a few
minutes for the permissions to be set on all the subfolders.
g. Close My Computer or Windows Explorer.
6. Install Microsoft Network Monitor 2.0 from the C:\SPlus\SMS\NMext\I386 directory, by
double-clicking the Setup.exe file. When prompted, accept the license agreement and
select all default choices.
7. Configure Windows 2000 Server to be the default choice in the boot loader menu by
completing the following steps:
a. From the Start menu, right-click My Computer and choose Properties.
b. Select the Advanced tab.
c. Under Startup And Recovery, click Settings.
d. From the Default Operating System drop-down list, select Microsoft Windows 2000
Server /fastdetect.
e. Click OK twice. The first hands-on activity in the course uses the Windows XP
Professional installation.
If possible, set up a few additional computers as spares if you have the available resources.
1. Start the Windows 2000 Server setup program. (You can either boot the computer with
the Windows 2000 Server installation compact disc inserted into the CD-ROM drive, or
create MS-DOS network boot disks to install over the network. These bootable disks
should connect to the \\Client100\SPlus\Srv2000 share, which contains the Windows 2000
Server installation compact disc source files, and then run the command winnt.)
When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.
2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on the C drive. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all classroom computers to
connect to this server. For example, with 10 students, set the number to 10.
d. Close Computer Management.
7. Create a domain controller by completing the following steps:
a. Choose Start→Run.
b. In the Open text box, type dcpromo to start the Active Directory Installation Wizard,
and click Next.
c. Use the Active Directory Installation Wizard to promote the server to domain
controller using the following parameters:
• Domain Controller For A New Domain.
• Create A New Domain Tree.
• Create A New Forest Of Domain Trees.
• Full DNS Name: domain#.internal, where # is the unique number assigned to
this student/computer.
• Domain NetBIOS name: accept the default of DOMAIN#.
• Accept the default locations for the Active Directory database and log.
• Accept the default location for the SYSVOL folder.
• Click OK in the DNS message box.
• Verify that Yes, Install And Configure DNS On This Computer is selected.
• Select Permissions Compatible Only With Windows 2000 Servers.
• Directory Services Restore Mode Administrator Password: password.
d. On the Summary screen, click Next.
e. After the Active Directory Installation Wizard completes, click Finish.
f. Click Restart Now when prompted.
g. Log on as Administrator with a password of !Pass1234.
8. Change your DNS zone type from Active Directory-integrated to Standard Primary by
completing the following steps:
• From the Start menu, choose Programs→Administrative Tools→DNS.
• Expand your DNS server and expand Forward Lookup Zones. Select and right-click
the Domain#.internal zone object and choose Properties.
• Change the Type to Standard Primary. Click OK twice.
• Change Allow Dynamic Updates to Yes. Click OK.
• Close DNS.
9. Create a DHCP scope by completing the following steps:
a. From the Start menu, choose Programs→Administrative Tools→DHCP.
b. Right-click the DHCP server object (server#), and choose New Scope.
c. Use the New Scope Wizard to create a DHCP scope using the following parameters:
• Scope Name: Local#, where # is the student/computer’s unique number.
• Address Range: 192.168.y.50+#/24, where y is your unique number for the
classroom and # is a unique integer you assigned to each student. For example,
for Server6 in classroom 1, create a range of 192.168.1.56 – 192.168.1.56 (a
range of just one address).
• Do not add exclusions.
• Accept the default lease duration.
i. Click OK twice more. Close Domain Controller Security Policy.
13. Double-click the Connect To The Internet icon. Run the Internet Connection Wizard to
configure Internet Explorer as appropriate for your classroom. If you’re not connected to
the Internet, you can choose I Connect Thru A LAN.
14. Install the Microsoft Windows 2000 Service Pack 2 from the \\Client100\SPlus\W2KSP2
directory. Accept the license agreement, back up the installation files, and click Install.
Restart the computer when prompted and log back on as Administrator with a password
of !Pass1234.
15. Install Microsoft Exchange 2000 Standard Edition (or optionally Enterprise Edition) by
running \\Client100\SPlus\E2K\Launch.exe. Click Exchange Server Setup and install using
the following parameters:
• Agree to the license agreement.
• Enter the product key, if necessary.
• For the Microsoft Exchange 2000 component, choose the Custom installation action.
• Verify Install is selected for Microsoft Exchange Messaging and Collaboration
Services.
• Verify Install is selected for Microsoft Exchange System Management Tools.
• Choose Install for Microsoft Exchange Instant Messaging Service.
• Create a new Exchange Organization named Organization#.
• Agree to the license agreement.
16. Install Exchange 2000 Service Pack 3 from the \\Client100\SPlus\E2KSP\ folder. (The
exact path to the installation file might vary depending on how you obtained the Service
Pack.) Click Install Service Pack 3. Accept all the update defaults.
When you rename the files, be careful not to create a double extension (Default.htm.htm), which can
happen with the file extensions view turned off.
17. Create the Web sites you’ll be using in class by completing the following steps:
a. Copy the Northeast.htm, Boc2.gif, and Swashtop.gif files from the student data files
to C:\Inetpub\wwwroot. Rename Northeast.htm to Default.htm. (This creates the
Nuclear Plant Training Site home page.)
b. Create a C:\Register directory. Copy the Register.htm and Dac10001.gif files from
the student data files to this folder.
c. In the C:\Register directory, rename Register.htm to Default.htm. This creates the
Student Registration Web page.
d. From the Start menu, choose Programs→Administrative Tools→Internet Services
Manager.
e. Expand the Server# object and select the Default Web Site.
f. Right-click the Default Web Site and choose New→Virtual Directory.
g. Use the Virtual Directory Creation Wizard to create a new virtual directory with the
following parameters:
• Alias: Register
• Directory: C:\Register
• Access Permissions: Use the defaults.
h. Close Internet Services Manager.
When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.
2. Install a new copy of Microsoft Windows XP Professional (clean install) using the
following parameters:
• Accept the license agreement.
• Enter the product key, if necessary.
• Install on the 4 GB partition, drive E. Leave the file system (FAT32) intact.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• For each student computer: name the computer Client#, where # is a unique integer
you assigned to each student.
• Set the Administrator password to !Pass1234.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings. Click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.200+#, where y is your unique number for the classroom and where # is a unique integer you assigned to each student. For example, in classroom 1, the address for Client6 would be 192.168.1.206. Enter a subnet mask of 255.255.255.0. Do not enter a classroom DNS server address.
• Accept the default workgroup name of Workgroup.
3. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configure
the computer as follows:
• Set up your Internet connection as appropriate for your classroom. If you’re not connected to the Internet, you can skip the Internet connection.
• Do not activate Windows.
• Create a user account named Admin#. This user should become part of the Administrators group by default. When you finish the Wizard, the system should log you on automatically as this user.
4. Create and configure user accounts by completing the following steps:
a. Right-click My Computer and choose Manage.
b. Expand Local Users And Groups, and select the Users folder.
c. Right-click the Admin# account and choose Set Password. Click Proceed.
Introduction xxvii
INTRODUCTION
d. Enter and confirm a password of password and click OK twice. (This user’s password will change during the course of the class.)
e. Right-click the Users folder and choose New User.
f. Create a new user named ChrisC.
g. Enter and confirm a password of Certification1 (observe the capitalization). Uncheck
User Must Change Password At Next Logon and click Create.
h. Create another user with Admin100 as the user name. Enter and confirm a password
of !Pass1234. Uncheck User Must Change Password At Next Logon and click
Create. Click Close.
i. Right-click the Admin100 user and choose Properties. Select the Member Of tab.
Click Add. Enter Administrators and click OK twice.
j. Close Computer Management.
5. Install Microsoft Network Monitor 2.0 from the C:\SPlus\SMS\NMext\I386 directory, by
double-clicking the Setup.exe file. When prompted, accept the license agreement and
select all default choices.
6. Configure Windows 2000 Server to be the default choice in the boot loader menu by completing the following steps:
a. From the Start menu, right-click My Computer and choose Properties.
b. Select the Advanced tab.
c. Under Startup And Recovery, click Settings.
d. From the Default Operating System drop-down list, select Microsoft Windows 2000
Server /fastdetect.
e. Click OK twice. The first hands-on activity in the course uses the Windows XP Professional installation.
IMPORTANT: The following instructions are for the optional Lesson Labs at the end of this book. Lesson Labs are meant to be self-guided practice activities for students to reinforce what they learned in class and are completely separate from the activities you’ll present in the classroom. There are eight Lesson Labs in this course (one for each lesson). Only the labs for Lesson 1 and Lesson 7 can be completed in the classroom immediately following the lessons because they are question/answer labs and do not have any hands-on activities. The other six labs use different computer and network configurations and must be set up independently outside the classroom if you choose to have students complete them.
Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is designated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab room).
2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on drive C. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all lab computers to connect to this server. For example, with 10 students in the lab, set the number to 10.
• Name the computer NUC01.
• Set the Administrator password to !Pass1234.
• Accept all the default Windows components.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a
static IP address of 192.168.y.#, where y is your unique number for the lab and # is
the unique integer assigned to you. For example, if your lab number is 3, then the
student computer name would be Server3 and the IP address would be 192.168.1.3.
Enter a subnet mask of 255.255.255.0. Enter this same IP address as the Preferred
DNS Server address. (You will install and configure DNS in a later step.)
• Accept the default workgroup name of Workgroup.
• When installation is complete, log on as Administrator with a password of !Pass1234.
Note: The activities in this course require static IP addresses. Internet access is recommended in this class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP configuration does not conflict with any other addresses in your location. Also, check with them on any additional parameters that may be needed for Internet access; for example, a default gateway and DNS servers.
14. In the Open text box, type dcpromo to start the Active Directory Installation Wizard, and
click Next.
15. Use the Active Directory Installation Wizard to promote the server to domain controller
using the following parameters:
• Select Domain Controller For A New Domain.
• Select Create A New Domain Tree.
• Select Create A New Forest Of Domain Trees.
• Full DNS Name: nuclear.internal.
• Domain NetBIOS name: accept the default of NUCLEAR.
• Accept the default locations for the Active Directory database and log.
• Accept the default location for the SYSVOL folder.
• Click OK in the DNS message box.
• Select Yes, Install And Configure DNS On This Computer.
• Select Permissions Compatible Only With Windows 2000 Servers.
• Directory Services Restore Mode Password: password.
16. On the Summary screen, click Next.
17. After the Active Directory Installation Wizard completes, click Finish. Click Restart Now
when prompted.
18. Log on as Administrator with a password of password.
19. Choose Start→Programs→Administrative Tools→DNS.
20. Expand the DNS server object and Forward Lookup Zones. Right-click the new zone and
choose Properties.
21. Change the Type to Standard Primary. Click Yes to accept.
22. In the Allow Dynamic Update drop-down list, select Yes. Click OK.
23. Close DNS.
24. Open Windows Explorer and create a C:\SPlus folder.
25. In the C:\SPlus folder, create the following subfolders:
• W2KSP2: Copy the Microsoft Windows 2000 Service Pack 2 files.
• W2KSP3: Copy the Microsoft Windows 2000 Service Pack 3 files.
• W2KSRP: Copy the Microsoft Windows 2000 Security Rollup Package 1.
• IE6: Copy Microsoft Internet Explorer 6 setup files.
• WMPPatch: Copy the Cumulative Patches for Windows Media Player (wm320920_64.exe).
• MBSA: Copy the Microsoft Baseline Security Analyzer.
26. Double-click the Internet Explorer icon.
27. Use the Internet Connection Wizard to configure Internet Explorer as appropriate for your
network setup.
When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.
2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on drive C. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all lab computers to connect to this server. For example, with 10 students in the lab, set the number to 10.
• Name the computer Server#, where # is a unique integer assigned to each student in
your lab.
• Set the Administrator password to !Pass1234.
• Accept all the default Windows components.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a
static IP address of 192.168.y.#, where y is your unique number for the lab and # is
the unique integer assigned to you. For example, if your lab number is 3, then the
student computer name would be Server3 and the IP address would be 192.168.1.3.
Enter a subnet mask of 255.255.255.0.
• Accept the default workgroup name of Workgroup.
• When installation is complete, log on as Administrator with a password of !Pass1234.
Note: The activities in this course require static IP addresses. Internet access is recommended in this
class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP
configuration does not conflict with any other addresses in your location. Also, check with them on
any additional parameters that may be needed for Internet access; for example, a default gateway and
DNS servers.
9. Click Add/Remove Windows Components.
10. On the Windows 2000 Components page, select the words (don’t check the check box)
Internet Information Services and then click Details.
11. Check FTP Server and NNTP Service and then click OK. Click Next.
12. On the Completing The Windows Components wizard page, click Finish.
13. Close Add/Remove Programs and Control Panel.
14. Open Computer Management and expand Services And Applications. Select Services.
15. In the right pane, verify that the FTP Publishing Service is started and that its startup type
is Automatic.
16. Close Computer Management.
17. In the C:\SPlus folder, create the following subfolders:
• IIS\SecRollup: Copy the Microsoft Internet Information Server (IIS) Security Rollup
Package.
• IIS\Lockdown: Copy the Microsoft IIS Lockdown Tool.
18. Double-click the Internet Explorer icon.
19. Use the Internet Connection Wizard to configure Internet Explorer as appropriate for your
lab.
20. Install Microsoft Windows 2000 Service Pack 2. Accept the license agreement. Restart the
computer when prompted, and log back on as Administrator.
21. Install the Microsoft Windows 2000 Security Rollup Package.
22. Install Microsoft Internet Explorer 6.
Check with your lab supervisor to see if unique numbers are required in your lab. Your unique number is designated as #, and the unique lab room number is designated as y (y will generally be 1 if you only have one lab room).
1. You will need two Windows XP computers for this activity. Run Windows XP Professional setup: Install a new copy of Microsoft Windows XP Professional (clean install) using the following parameters:
• Accept the license agreement.
• Enter the product key, if necessary.
• Create a new 4 GB C drive and format it using NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• For the computers: name the first computer NUCXP1 and the second NUCXP2.
• Set the Administrator password to !Pass1234.
• Set the date and time settings appropriate for your location.
When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.
2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Install Windows 2000 Server on a new 6 GB C drive. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all lab computers to connect to this server. For example, with 10 students in the lab, set the number to 10.
• Name the computers BROKERSRV1 and BROKERSRV2.
• Set the Administrator password to !Pass1234.
• Accept all the default Windows components.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a
static IP address of 192.168.y.#, where y is your unique number for the lab and # is
the unique integer assigned to you. For example, if your lab number is 3, then the
student computer name would be Server3 and the IP address would be 192.168.1.3.
Enter a subnet mask of 255.255.255.0. Enter this same IP address as the Preferred
DNS Server address. (You will install and configure DNS in a later step.)
• Accept the default workgroup name of Workgroup.
• When installation is complete, log on as Administrator with a password of !Pass1234.
Note: The activities in this course require static IP addresses. Internet access is recommended in this
class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP
configuration does not conflict with any other addresses in your location. Also, check with them on
any additional parameters that may be needed for Internet access; for example, a default gateway and
DNS servers.
When installing over the network with MS-DOS boot disks, it is recommended to use SMARTDRV.EXE and
HIMEM.SYS to greatly reduce setup times. Also, Windows 98 Startup disks can be used to access local
CD-ROM drives.
2. Install a new copy of Windows 2000 Server (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 6 GB C drive.
• Install Windows 2000 Server on drive C. Format the drive to NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Specify the appropriate number of per-server licenses for all lab computers to connect to this server. For example, with 10 students in the lab, set the number to 10.
• Name the computer BankSRV1.
• Set the Administrator password to !Pass1234.
• Accept all the default Windows components.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings and click Next. Open the
properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a
static IP address of 192.168.y.#, where y is your unique number for the lab and # is
the unique integer assigned to you. For example, if your lab number is 3, then the
student computer name would be Server3 and the IP address would be 192.168.1.3.
Enter a subnet mask of 255.255.255.0.
• Accept the default workgroup name of Workgroup.
• When installation is complete, log on as Administrator with a password of password.
Note: The activities in this course require static IP addresses. Internet access is recommended in this
class, so consult with your TCP/IP or network administrator or lab supervisor to verify that this IP
configuration does not conflict with any other addresses in your location. Also, check with them on
any additional parameters that may be needed for Internet access; for example, a default gateway and
DNS servers.
2. Install a new copy of Microsoft Windows XP Professional (clean install) using the following parameters:
• Accept the license agreement.
• Create a new 4 GB C drive. Install on the C drive and format it using NTFS.
• Select the appropriate regional and language settings for your country.
• Enter the appropriate name and organization for your environment.
• Enter the product key, if necessary.
• Name the computers ITSTAFF1 and SCIFACULTY1.
• Set the Administrator password to !Pass1234.
• Set the date and time settings appropriate for your location.
• On the Network Settings page, select Custom Settings. Click Next. Open the properties of the TCP/IP protocol and configure the TCP/IP protocol settings with a static IP address of 192.168.y.200+#, where y is your unique number for the lab and where # is a unique integer assigned to you. For example, in lab 1, the address for Client6 would be 192.168.1.206. Enter a subnet mask of 255.255.255.0. Do not enter a lab DNS server address.
• Accept the default workgroup name of Workgroup.
3. After the computer restarts, use the Welcome To Microsoft Windows Wizard to configure
the computer as follows:
• Skip the Internet configuration (you won’t need an Internet connection for this lab).
• Do not activate Windows.
• Create a user account named Admin#. (Create the same Admin# on both computers.) This user should become part of the Administrators group by default. When you finish the wizard, the system should log you on automatically as this user.
4. Open Control Panel, User Accounts. Click the Admin# account and click Create A
Password. Enter and confirm a password of !Pass1234 and click Create Password, and
then click Yes, Make Private.
5. On ITStaff1, create a user account named ITTest and make it a limited account. Then give
it a password of password. Close User Accounts and Control Panel.
6. On the ITStaff1 and SciFaculty1 computers, open My Computer and create a C:\SPlus
folder.
7. On the ITStaff1 computer, create the following subfolders and add the associated tool:
• SuperScan: Copy the SuperScan v2.0 setup file.
• @stakeLC4: LC4setup.exe.
8. On the SciFaculty1 computer, create the following subfolders and add the associated tool:
• RealSecureDP: Internet Security Systems (ISS) RealSecure Desktop Protector evaluation (RSDPEvalSetup.exe).
• BackOfficer: NFR BackOfficer Friendly (both the nfrbofl executable file and the associated bof folder). You can download bof-1-01.zip from http://online.securityfocus.com/tools/2222.
9. On SciFaculty1, open My Computer. Choose Tools→Folder Options. On the View tab,
uncheck Use Simple File Sharing.
10. On SciFaculty1, create a folder on the C drive named Physics Exams.
Lesson Objectives:
In this lesson, you will identify security threats.
You will:
• Identify social engineering attacks.
• Describe audit attacks.
• Identify hardware attacks.
TOPIC A
Identify Social Engineering Attacks
When you think about attacks against information systems, you might think most about protecting the technological components of those systems. But people, the system users, are as much a part of an information system as the technological components; they have their own vulnerabilities, and they can be the first part of the system to succumb to certain types of attacks. In this first topic, you’ll learn to identify social engineering attacks—threats against the human factors in your technology environment.
For technical people, it can be easy to forget that one of the most important components of information systems is the people using those systems. Computers and technology don’t exist in a vacuum; their only benefit comes from the way people use them and interact with them. Attackers know this, and so they know that the people in the system are as good a target for attack as any other. If you want to protect your systems and data, you need to be able to recognize this kind of attack when it happens.
Example:
Some examples of a social engineering attack are listed below. In each example, an
attacker deceives a trusting user into giving up some sensitive information.
• An attacker calls an employee and pretends to be calling from the help desk. The
attacker tells the employee he’s reprogramming the order-entry database and he
needs the employee’s user name and password to make sure it gets entered into
the new system.
• An attacker creates an executable (for example, a file with a .vbs or .exe file extension) that prompts a network user for his user name and password. He then emails the executable to the user with the story that he needs the user to double-click the file and log on to the network again to clear up some logon problems the organization’s been experiencing that morning.
• An attacker contacts the help desk pretending to be a remote sales representative
who needs assistance setting up his dial-in access. Through a series of phone
calls, the attacker obtains the phone number for remote access and the phone
number for accessing the organization’s PBX and voicemail system.
ACTIVITY 1-1
Identifying Social Engineering Attacks
Scenario:
Your IT department wants to know when they are being attacked and what type of attacks are occurring. As the new security administrator for your organization, you will be responsible for determining which events are true social engineering attacks and which are false alarms. The organization is concerned about these false alarms and tightening security too much in response, and they want to make sure they know the difference between attacks and normal activity. They do not want customers or users to be halted in their tracks when they are performing normal tasks with no malicious intent. They have asked you to analyze a list of recent network interactions and classify them as true social engineering attacks or as false alarms.
1. True or False? A supposed customer calls the help desk stating that she cannot connect to the e-commerce Web site to check order status. She would also like a user name and password. The user gives a valid customer company name, but is not listed as a contact in the customer database. The user doesn’t know the correct company code or customer ID.
3. True or False? A new accountant was hired and is requesting that a copy of
the accounting software be installed on his computer so he can start working
immediately. Last year, someone internal compromised company accounting records,
so distribution of the accounting application is tightly controlled. You have received all
the proper documentation for the request from his supervisor and there is an available
license for the software.
6. True or False? A user calls the help desk stating that he is a phone technician
needing the password to configure the PBX and voice mail system.
7. True or False? A security guard lets a vendor team through without a required escort as they have shirts on from the preferred vendor, and they stated they were called in to fix an urgent problem. The guard attempted to call the authorization contact in the organization, but the phone was busy for over 10 minutes.
8. True or False? The CEO of the organization needs to get access to data
immediately. You definitely recognize her voice, but a proper request form hasn’t
been filled out to modify the permissions. She states that normally she would fill out
the form and should not be an exception, but she urgently needs the data.
Software Attacks
Definition:
A software attack is any attack that targets an application, an operating system, or a protocol. The goal of a software attack is to disrupt or disable the applications, operating systems, and protocols running on the computers in your enterprise, or to exploit them in some way to gain access to a single or multiple systems or a network. A software attack might be used by itself or in combination with another type of attack, such as a social engineering attack, and the different types of software attacks might be used alone or in combination with each other.
Example: Eavesdropping
Eavesdropping on network communications is an example of a software attack. In this
type of attack, an attacker captures unsecured packets as they travel across a network.
The attacker then examines the packets to retrieve usernames or passwords so he can
later gain access to secured resources. In this example of a software attack, the attacker
targets the protocols used to transport the packets across the network.
Example:
An example of a port scanning attack is when an attacker uses a utility to contact a computer on the Internet to see which ports are open and which services are using those open ports. For example, on a Web server, port 80 (and probably others) will be listening, and the HTTP service will be using that port. An attacker can use this information to exploit the Web server’s operating system to gain access to the computer and the network it’s connected to. There are many utilities available that potential attackers can use to scan ports on remote networks, including Nmap, SuperScan, and Strobe.
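From the defender’s side, a port scan like the one described above shows up in a firewall or connection log as one source touching many distinct ports on one host in a short time. The following is an added example, not code from the course: it parses a constructed log (the field layout, the 60-second window and the 8-port threshold are assumptions) and reports each scanning source together with the ports the firewall let through, which is exactly what the scanner would have learned.

```python
"""Spot port-scan behaviour in a firewall connection log.

Added example, not from the course text. The log format, the window and the
threshold below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed field order:
# ISO timestamp, source IP, destination IP, destination port, firewall action.
SAMPLE_LOG = """\
2003-04-01T10:00:01 10.10.100.252 192.168.1.10 21 DENY
2003-04-01T10:00:01 10.10.100.252 192.168.1.10 22 DENY
2003-04-01T10:00:02 10.10.100.252 192.168.1.10 23 DENY
2003-04-01T10:00:02 10.10.100.252 192.168.1.10 25 DENY
2003-04-01T10:00:03 10.10.100.252 192.168.1.10 80 ALLOW
2003-04-01T10:00:03 10.10.100.252 192.168.1.10 110 DENY
2003-04-01T10:00:04 10.10.100.252 192.168.1.10 139 DENY
2003-04-01T10:00:04 10.10.100.252 192.168.1.10 443 DENY
2003-04-01T10:00:05 10.10.100.252 192.168.1.10 445 DENY
2003-04-01T10:00:05 10.10.100.252 192.168.1.10 3389 DENY
2003-04-01T10:05:00 192.168.1.50 192.168.1.10 80 ALLOW
2003-04-01T10:05:30 192.168.1.50 192.168.1.10 80 ALLOW
2003-04-01T10:06:00 192.168.1.50 192.168.1.10 443 ALLOW
"""


def parse_log(text):
    """Turn log text into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=8):
    """Return {(src, dst): {"probed": [...], "answered": [...]}} for every
    source/destination pair that touched at least `min_ports` distinct
    destination ports inside some `window`-long stretch of time.

    "answered" lists the probed ports the firewall allowed through, i.e. the
    listening services the scanner would have learned about."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, action in events:
        by_pair[(src, dst)].append((ts, dport, action))

    scans = {}
    for pair, hits in by_pair.items():
        hits.sort()                      # oldest first
        left = 0
        for right in range(len(hits)):
            # Slide the left edge until hits[left:right+1] fits in the window.
            while hits[right][0] - hits[left][0] > window:
                left += 1
            burst = hits[left:right + 1]
            probed = sorted({p for _, p, _ in burst})
            if len(probed) >= min_ports:
                prev = scans.get(pair)
                # Keep the widest burst seen for this pair.
                if prev is None or len(probed) > len(prev["probed"]):
                    answered = sorted({p for _, p, a in burst if a == "ALLOW"})
                    scans[pair] = {"probed": probed, "answered": answered}
    return scans


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"{src} scanned {dst}: probed {info['probed']}, "
              f"listening {info['answered']}")
```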
Eavesdropping Attacks
Definition:
An eavesdropping attack, also sometimes called sniffing, is a type of software attack where an attacker tries to gain access to private network communications, using a utility such as Dsniff or Network Monitor, in order to steal the content of the communication itself or to obtain user names and passwords for future software attacks, such as a takeover attack. These attacks can be made against both traditional communications across the network wire and wireless communications. For an attacker to eavesdrop on a private network, the attacker must have physical access to the network or the ability to physically tap into the network wire somewhere within the organization. On the other hand, to eavesdrop on wireless communications, an attacker need only have the proper software, receiving device, and a location somewhere in close proximity to the wireless network. In most cases, you’ll never know somebody is eavesdropping on your network, unless perhaps you spot an unknown computer leasing an IP address from a DHCP server.
Example:
An example of an eavesdropping attack is a disgruntled employee who installs packet-sniffing software on a network host and then analyzes the packets to obtain user names and passwords he can use to access network resources with administrative privileges. Similarly, an attacker could sit with a laptop in the parking lot of an organization and use a wireless device and packet-sniffing software to access data as it passes through a wireless network.
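The one detection hint the definition gives is an unknown computer leasing an address from the DHCP server. The following is an added example, not code from the course: it compares constructed DHCP lease records against an assumed asset inventory (hardware address to host name) and flags leases for unknown hardware addresses as well as known addresses announcing an unexpected host name. The lease-record format, the inventory and the sample records are all assumptions.

```python
"""Check DHCP leases against the asset inventory.

Added example, not from the course text. The lease record format, the
inventory and the sample records are assumptions.
"""
from collections import namedtuple

Lease = namedtuple("Lease", "when mac ip hostname")

# Assumed asset inventory: hardware address -> expected host name.
INVENTORY = {
    "00-0c-29-11-22-33": "Client1",
    "00-0c-29-44-55-66": "Client2",
    "00-0c-29-77-88-99": "Server1",
}

# Constructed lease records (not a real log). Assumed CSV fields:
# timestamp, client MAC, assigned IP, client-supplied host name.
SAMPLE_LEASES = """\
2003-04-01 09:58:10,00-0c-29-11-22-33,192.168.1.201,Client1
2003-04-01 10:02:44,00:0C:29:44:55:66,192.168.1.202,Client2
2003-04-01 12:31:05,00-50-56-ab-cd-ef,192.168.1.219,laptop
2003-04-01 12:40:12,00-0c-29-77-88-99,192.168.1.3,nuc01
"""


def normalize_mac(mac):
    """Accept 00:0C:29:..., 00-0c-29-... or 000c29... and return aa-bb-cc-dd-ee-ff."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text):
    """Parse the assumed CSV layout into Lease tuples with normalised MACs."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, mac, ip, hostname = line.split(",")
        leases.append(Lease(when, normalize_mac(mac), ip, hostname))
    return leases


def audit_leases(leases, inventory):
    """Return (unknown, mismatched): leases whose MAC is not in the inventory,
    and inventoried MACs whose announced host name differs from the record.

    A host can change its own MAC address, so a clean result is one signal,
    not proof that nobody is listening on the segment."""
    unknown, mismatched = [], []
    for lease in leases:
        expected = inventory.get(lease.mac)
        if expected is None:
            unknown.append(lease)
        elif expected.lower() != lease.hostname.lower():
            mismatched.append(lease)
    return unknown, mismatched


if __name__ == "__main__":
    unknown, mismatched = audit_leases(parse_leases(SAMPLE_LEASES), INVENTORY)
    for lease in unknown:
        print(f"UNKNOWN  {lease.when} {lease.mac} -> {lease.ip} ({lease.hostname})")
    for lease in mismatched:
        print(f"MISMATCH {lease.when} {lease.mac} -> {lease.ip} ({lease.hostname})")
```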
IP Spoofing Attacks
Definition:
An IP spoofing attack is a type of software attack where an attacker creates IP packets with a forged source IP address and uses those packets to gain access to a remote system. IP spoofing attacks take advantage of:
• Applications and services that authenticate based on source IP address.
• Devices that run Sun RPC, X Windows.
• Services that have been secured using TCP wrappers.
• Network File System (NFS) and UNIX r commands (such as rlogin).
• Applications that use authentication based on IP addresses.
Generally, UNIX hosts and services that do not use Kerberos authentication are more prone to spoofing attacks than NetWare and Windows systems, because trust relationships on UNIX hosts are more easily exploited and can be configured to use address-based authentication. Spoofing attacks also take advantage of routers that have not been configured to drop incoming external packets with internal IP addresses as the source addresses. One signal of a potential IP spoofing attack is to find incoming packets at your border routers with internal IP addresses as the source IP address.
Example:
For example, imagine a scenario where an attacker wants to gain access to a UNIX host with an IP address of 192.168.100.101 and an application that authenticates only hosts with 192.168.100.x addresses. With an IP address of 10.10.125.252, the application isn’t going to authenticate the attacker, whose IP address is 10.10.100.252. So the attacker creates IP packets with the forged source IP address of 192.168.100.186 and sends those packets to the UNIX host. Because the network’s border router hasn’t been configured to reject packets from outside the network with internal IP addresses, the router forwards the packets to the UNIX host, where the attacker is authenticated and given access to the system.
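The border-router check the definition calls for is easy to state precisely: a packet arriving on the external interface must not carry an internal source address. The following is an added example, not code from the course: it classifies constructed sample packets with that rule, then models the scenario above to show that the forged 192.168.100.186 packet reaches the address-authenticating application only when the border filter is off. Going slightly beyond the text, it also flags the mirror case of an internal interface receiving a packet with an external source. The interface names, prefixes and sample packets are assumptions.

```python
"""Classify border-router packets by whether their source address is plausible.

Added example, not from the course text. Interface names, prefixes and the
sample packets are assumptions.
"""
import ipaddress

# Assumed: address blocks in use behind the border router.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.100.0/24"),
    ipaddress.ip_network("192.168.101.0/24"),
]
EXTERNAL_IF, INTERNAL_IF = "ext0", "int0"   # assumed interface names

# Assumed: the UNIX host's application trusts any 192.168.100.x source.
TRUSTED_BY_APP = ipaddress.ip_network("192.168.100.0/24")

# Constructed sample packets: (ingress interface, source IP, destination IP).
SAMPLE_PACKETS = [
    (EXTERNAL_IF, "10.10.100.252", "192.168.100.101"),    # attacker's real address
    (EXTERNAL_IF, "192.168.100.186", "192.168.100.101"),  # forged internal source
    (INTERNAL_IF, "192.168.100.186", "192.168.100.101"),  # genuine inside host
    (EXTERNAL_IF, "203.0.113.7", "192.168.100.101"),      # ordinary outside host
    (INTERNAL_IF, "203.0.113.7", "192.168.100.101"),      # inside host claiming an outside source
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(iface, src):
    """'spoofed-ingress' for an outside packet claiming an inside source,
    'spoofed-egress' for an inside packet claiming an outside source,
    otherwise 'ok'."""
    if iface == EXTERNAL_IF and is_internal(src):
        return "spoofed-ingress"
    if iface == INTERNAL_IF and not is_internal(src):
        return "spoofed-egress"
    return "ok"


def app_authenticates(src):
    """The course's address-based application: trusts 192.168.100.x only."""
    return ipaddress.ip_address(src) in TRUSTED_BY_APP


def reaches_app_and_authenticates(iface, src, border_filter):
    """Model the scenario end to end: is the packet forwarded by the border
    router and then accepted by the address-authenticating application?"""
    if border_filter and classify(iface, src) != "ok":
        return False           # dropped at the border
    return app_authenticates(src)


if __name__ == "__main__":
    for iface, src, dst in SAMPLE_PACKETS:
        print(f"{iface} {src:>16} -> {dst}: {classify(iface, src)}")
```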
Hijacking Attacks
Definition:
A hijacking attack is a software attack where the attacker takes control of (hijacks) a TCP session (after authentication at the beginning of the session) to gain access to data or network resources using the identity of a legitimate network user. During a hijacking attack, the attacker can either participate in the TCP session and access the packets as they pass from one host to another, or take control of a TCP session between two hosts, disconnect one of the hosts, and continue communication with the other host as if it were one of the original parties to the session. A hijacking attack might manifest itself in a sudden dropped connection, but most likely you’ll never know a session has been hijacked.
Example:
For example, suppose an attacker is monitoring communications between client and
server using a tool such as Hunt or Juggernaut. After the client has authenticated to the
server, the attacker can use the tool to insert himself into the communication stream,
disconnect the user at the client, and take control of the user’s session with the server,
while the server is never aware that it’s now communicating with a different host. The
attacker has then taken control of, or hijacked, the session, and can manage the session
in any way he wants, sending commands to the server to do just about anything the
original user could do.
Replay Attacks
Definition:
A replay attack is a software attack where an attacker captures (through eavesdropping or sniffing) network traffic in the form of packets and stores it for retransmittal at a later time to gain unauthorized access to a specific host or a network. This attack is particularly successful when an attacker captures packets that contain user names, passwords, or other authentication data. Replay attacks differ from eavesdropping attacks because, in eavesdropping attacks, the attacker just listens to network communication, while in a replay attack, the attacker saves the packets for reuse at a later time. In most cases, replay attacks are never discovered.
Example:
For example, an attacker uses sniffer software to intercept and store a user’s logon traffic as that user is signing on to a network connected to the Internet. To later gain access to that network, the attacker can replay those stored packets to masquerade as that user and have all that user’s privileges in that network.
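A replayed logon succeeds because nothing in the captured packets distinguishes a stored copy from the original. The following is an added example, not code from the course: a verifier that binds each authentication message to a timestamp and a one-time nonce under an HMAC, so a replayed copy is refused as either stale or already seen, shown beside a MAC-only verifier that accepts the replay. The message layout, the shared key and the clock values are assumptions.

```python
"""Reject replayed authentication messages with a nonce and a timestamp.

Added example, not from the course text. The message layout, key and time
values are assumptions.
"""
import hashlib
import hmac

SHARED_KEY = b"demo-key-not-a-real-secret"   # placeholder shared secret


def make_message(key, user, ts, nonce):
    """Client side: 'user|ts|nonce|hexmac', MAC computed over the first three fields."""
    body = f"{user}|{ts}|{nonce}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}|{tag}"


def _split(message):
    """Return (user, ts, nonce, tag, body_bytes) or None if malformed."""
    parts = message.split("|")
    if len(parts) != 4:
        return None
    user, ts, nonce, tag = parts
    if not ts.isdigit():
        return None
    return user, int(ts), nonce, tag, f"{user}|{ts}|{nonce}".encode()


def mac_only_check(key, message):
    """The weak verifier: a valid MAC is all it asks for, so a captured
    message passes again no matter how late it is replayed."""
    fields = _split(message)
    if fields is None:
        return "malformed"
    *_, tag, body = fields
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return "accepted" if hmac.compare_digest(expected, tag) else "bad-mac"


class ReplayGuard:
    """Verifier that also enforces freshness: the timestamp must lie within
    max_skew seconds of the server clock, and a (user, nonce) pair is
    accepted only once."""

    def __init__(self, key, max_skew=30):
        self.key = key
        self.max_skew = max_skew
        # (user, nonce) pairs already accepted. In a real service, entries
        # older than max_skew can be pruned, since the timestamp check
        # rejects anything that old anyway.
        self.seen = set()

    def check(self, message, now):
        fields = _split(message)
        if fields is None:
            return "malformed"
        user, ts, nonce, tag, body = fields
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"          # checked first so forgeries never touch state
        if abs(now - ts) > self.max_skew:
            return "stale"
        if (user, nonce) in self.seen:
            return "replayed"
        self.seen.add((user, nonce))
        return "accepted"


if __name__ == "__main__":
    captured = make_message(SHARED_KEY, "chrisc", 1000, "n-0001")
    guard = ReplayGuard(SHARED_KEY)
    print("original :", guard.check(captured, 1005))
    print("replayed :", guard.check(captured, 1010))
    print("much later:", guard.check(captured, 5000))
    print("mac-only :", mac_only_check(SHARED_KEY, captured))
```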
Man-in-the-Middle Attacks
Definition:
A man-in-the-middle attack is a type of software attack where an attacker inserts himself between two hosts to gain access to their data transmissions. Typically in a man-in-the-middle attack, an attacker intercepts data transmitted from a source computer and responds to the data as if it (the attacker) were the intended destination. The attacker then forwards the data to the intended destination and then intercepts and responds to the reply as if it (the attacker) were the original source computer. Man-in-the-middle attacks are used to gain access to user names, passwords, and network infrastructure information for future attacks or to gain access to the content of the packets being transmitted. Man-in-the-middle attacks are similar to eavesdropping attacks in that both types of attacks monitor network traffic and capture IP packets as they make their way through the network. Man-in-the-middle attacks differ from eavesdropping attacks because instead of just listening to and capturing network traffic, in a man-in-the-middle attack, the attacker is actually making the sender and receiver
Example:
A typical man-in-the-middle attack might happen like this: An attacker sets up a host
on a network with IP forwarding enabled and a utility like Dsniff installed to capture
and analyze packets. After analyzing network traffic to determine which server would
make an attractive target, the attack might proceed in the following way:
1. The attacker intercepts packets from a client that are destined for the server.
2. The attacker’s computer sends a fake reply to the client.
3. The attacker’s computer forwards a fake packet to the server, modified to look
like the attacker’s computer is the original sender.
4. The server replies to the attacker’s computer.
5. The attacker’s computer replies to the server as if it were the original client.
In this way, the attacker has access to both sides of a session between a client and
server and in the process can access valuable information, including sensitive data and
user credentials.
Example: Viruses
A virus is an example of a malicious code attack. A virus is a sample of code that
spreads from one computer to another by attaching itself to other files. The code in a
virus corrupts and erases files on a user’s computer, including executable files, when
the file to which it was attached is opened or executed. A recent example of a
destructive virus is the Melissa virus, which spread throughout the world attached to
Microsoft Word documents that were sent as email attachments.
Example: Worms
Another example of malicious code is a worm. A worm is a piece of code that spreads
from one computer to another on its own, not by attaching itself to another file. Like a
virus, a worm can corrupt or erase files on your hard drive. An example of a worm is
the Code Red worm, which propagated itself through email attachments, Web files, and
shared files on local networks.
Example: Trojans
A third example of malicious code is a Trojan horse. A Trojan horse is malicious code
that masquerades as a harmless file. When a user executes it, thinking it’s a harmless
application, it destroys and corrupts data on the user’s hard drive.
Example:
For example, a default installation of Windows 2000 Server brings with it IIS 5.0 with
Web services enabled. As just about any network administrator can tell you, IIS is a
frequent target for hackers, and for unsuspecting administrators or users, it’s a
wide-open door into the operating system and the computer it’s running on.
Example:
An example of a misuse of privilege attack is an employee who has found a market
for his company’s sensitive data. Imagine a scenario where a network administrator is
able to give himself access to private personnel files stored in a database in the human
resources department. From private employee files, he’s able to obtain full names,
addresses, Social Security Numbers, and other data, which he can then sell to others
who can use it for crimes involving identity fraud.
Password Attacks
Definition:
A password attack is a type of software attack in which the attacker tries to guess
passwords or crack encrypted password files. In a password guessing attack, an
attacker attempts to guess user passwords, either manually or through the use of
scripts, in order to gain access to a single system, an application, or a network.
Because users tend to use simple passwords that are easy to remember, such as
birthdays and anniversaries, rather than more complex alphanumeric passwords, an attacker
can script an almost unending series of password guesses using the most popular and
common “simple” passwords. In a password cracking attack, an attacker tries to crack
Example:
The simplest example of a password attack is somebody who doesn’t have access to
your network sitting down at a workstation and typing in guess after guess at a user
name and password. On the other extreme is a brute force attack, where an attacker
employs an application, such as L0phtCrack, to exhaustively try every possible
alphanumeric combination to try to crack encrypted passwords, such as those in a Windows
NT or Windows 2000 computer’s local SAM database. In both examples, given
enough time and lax security policies, an attacker will eventually find the necessary
password to gain access to the system. This is especially true of brute force attacks.
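The "given enough time" in the guessing case is exactly what an Account Lockout Policy takes away. This added example, not from the course, models the three lockout settings (threshold, the window after which the bad-attempt counter resets, and the lockout duration) and runs a scripted guess list against a constructed account, with and without lockout.

```python
"""Account lockout policy versus a scripted password-guessing attack (added example).

The account store, the password and the guess list are constructed sample data;
the clock is injectable so the timeline is deterministic. Passwords are kept in
plaintext only to keep the illustration short.
"""
from collections import deque


class LockoutPolicy:
    """The three Account Lockout Policy settings, in seconds. threshold=0 means never lock."""

    def __init__(self, threshold=3, window=30 * 60, duration=30 * 60):
        self.threshold = threshold    # 'Account lockout threshold'
        self.window = window          # 'Reset account lockout counter after'
        self.duration = duration      # 'Account lockout duration'


class AccountStore:
    def __init__(self, passwords, policy, clock):
        self._pw = passwords                          # user -> password (constructed)
        self._policy = policy
        self._clock = clock
        self._failures = {u: deque() for u in passwords}   # times of recent bad attempts
        self._locked_until = {u: None for u in passwords}
        self.events = []                              # (time, user, outcome) audit trail

    def is_locked(self, user):
        until = self._locked_until.get(user)
        return until is not None and self._clock() < until

    def authenticate(self, user, password):
        now = self._clock()
        if user not in self._pw:
            self.events.append((now, user, "unknown-user"))
            return "denied"
        if self.is_locked(user):
            self.events.append((now, user, "locked"))  # password is not even compared
            return "locked"
        if password == self._pw[user]:
            self._failures[user].clear()
            self.events.append((now, user, "success"))
            return "ok"
        fails = self._failures[user]
        fails.append(now)
        while fails and now - fails[0] > self._policy.window:
            fails.popleft()                           # old failures no longer count
        self.events.append((now, user, "bad-password"))
        if self._policy.threshold and len(fails) >= self._policy.threshold:
            self._locked_until[user] = now + self._policy.duration
            fails.clear()
            self.events.append((now, user, "lockout"))
            return "locked"
        return "denied"


# A constructed "most popular simple passwords" list; the real one is in position 8.
COMMON_GUESSES = ["password", "123456", "alex", "birthday", "letmein", "qwerty",
                  "welcome", "correct horse battery", "admin", "summer2003"]


def run_guessing_attack(policy, guesses=COMMON_GUESSES, pace=1.0):
    """Script the guess list against 'alex', one guess every `pace` seconds.

    Returns how many guesses the system actually compared, whether the account
    ended up locked, and the store so the legitimate user's logon can be tried.
    """
    now = [0.0]
    store = AccountStore({"alex": "correct horse battery"}, policy, lambda: now[0])
    for guess in guesses:
        result = store.authenticate("alex", guess)
        now[0] += pace
        if result == "ok":
            break
    compared = sum(1 for _, _, kind in store.events if kind in ("bad-password", "success"))
    return {"compared": compared, "locked": store.is_locked("alex"), "store": store}
```

Note the side effect the policy has on the real user: while the attacker's guesses have the account locked, Alex's own correct password is refused too, which is the pattern the help-desk scenario in Activity 1-2 describes.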
Backdoor Attacks
Definition:
A backdoor attack is a type of software attack where an attacker creates a mechanism
for gaining access to a computer using a piece of software or by creating a bogus user
account. The mechanism itself is called the backdoor, and if it isn’t found and
removed, it can survive forever, listening on one of the ports and giving an attacker an
easy way to get into the system and execute just about any command. This mechanism
often survives even after the initial intrusion has been discovered and resolved.
Typically, a backdoor is delivered through use of a Trojan horse or some other malicious
code, and backdoor attacks are often impossible to spot because they generally leave
no trace, other than a few innocent looking files.
Example:
Back Orifice (BO) is an example of a backdoor that an attacker can insert into a
Windows system using a Trojan horse or any executable file. By default, in Windows
2000, Back Orifice installs itself into a system file and hides there listening on TCP
port 54320 or UDP port 54321 for commands from the attacker.
Takeover Attacks
Definition:
A takeover attack is a type of software attack where an attacker gains access to a
remote host and takes control of the system. An attacker can use any of the attacks
we’ve identified so far to gain access to the system, including IP spoofing and
backdoors. A takeover attack will manifest itself in loss of control over the particular
system that’s under attack.
NetBus and SubSeven are other backdoors that attackers can use to take control of a system.
Example:
An example of a takeover attack is using BO to take complete control over a target
machine. BO is started every time the computer is started and is hidden from view in
Task Manager. Once installed, an attacker can use BO to basically take control of a
remote system, including shutting down the system, copying and deleting files,
modifying the Registry, and starting and stopping services. An attacker can also use BO to log
keystrokes and obtain system information, including the name of the logged-on user,
cached passwords, and memory, CPU, and processor data.
Audit Attacks
Definition:
An audit attack is a type of software attack where an attacker covers his trail by
deleting audit entries that might point to an intrusion. Operating systems such as NetWare
6.0 and Windows 2000 Server have native auditing capabilities, and when used
properly, auditing can give valuable clues to system administrators of attacks that are in
progress or that have happened some time in the past. By clearing audit logs, an
attacker can cover up an intrusion and leave a system or network without any trace,
allowing him later access. The most common signals that an audit attack has taken
place are:
• Empty audit logs when they should contain audit entries.
• Gaps in the audit logs where it appears entries that cover a specific time have
been deleted.
• Audit entries that show the audit logs have been erased.
Example:
Suppose an attacker has found a way into a Windows 2000 Server and has spent some
time trying to browse files and crack the local SAM database to obtain some
passwords. If auditing had been properly configured on his system, an administrator
who understands how to read the audit logs could probably trace many of the
attacker’s activities as he worked his way through the system. However, if the attacker knew
enough to clear the audit logs after he was done, most of the evidence of his intrusion
would be gone, although an experienced and alert administrator might see the audit log
had been cleared and be alerted to a possible intrusion.
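The three signals listed above (an empty log, a gap, and an entry recording that the log was cleared) can be checked mechanically. This is an added example, not from the course; the log lines are constructed sample data, and the event IDs are the ones Windows NT/2000 write to the Security log.

```python
"""Spotting the signals of an audit attack in a Windows 2000-style security log.

Added example. SAMPLE_LOG is constructed data in the form
"YYYY-MM-DD HH:MM:SS <event id> <user> <message>". Event 517 is the Windows
NT/2000 Security log entry "The audit log was cleared", which the system itself
records when someone clears the log, so the clearing leaves at least that trace.
"""
from datetime import datetime, timedelta

CLEARED_EVENT_ID = 517

SAMPLE_LOG = """
2003-04-12 08:01:05 528 alex Successful Logon
2003-04-12 08:03:40 560 alex Object Open
2003-04-12 09:15:12 528 kim Successful Logon
2003-04-12 18:30:00 538 kim User Logoff
2003-04-13 02:10:33 517 Administrator The audit log was cleared
2003-04-13 02:11:02 528 Administrator Successful Logon
"""


def parse_log(text):
    """Turn the text lines into dicts with a real datetime for the timestamp."""
    entries = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        date, time, event_id, user, message = line.split(maxsplit=4)
        entries.append({
            "time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "user": user,
            "message": message,
        })
    return entries


def audit_findings(entries, max_gap_hours=8):
    """Return the lesson's three signals as tuples:

    ("empty",)                    auditing is on but the log holds no entries
    ("cleared", time, user)       an entry shows the log was erased
    ("gap", start, end, length)   a silent stretch longer than max_gap_hours
    """
    if not entries:
        return [("empty",)]
    max_gap = timedelta(hours=max_gap_hours)
    findings = []
    for e in entries:
        if e["id"] == CLEARED_EVENT_ID or "audit log was cleared" in e["message"].lower():
            findings.append(("cleared", e["time"], e["user"]))
    for prev, cur in zip(entries, entries[1:]):
        gap = cur["time"] - prev["time"]
        if gap > max_gap:
            findings.append(("gap", prev["time"], cur["time"], gap))
    return findings
```

The gap threshold is site-specific: a server that normally logs every few minutes during business hours can use a much smaller value than the 8 hours assumed here.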
ACTIVITY 1-2
Classifying Software Attacks
Scenario:
Your IT department wants to know why the performance of some of your computer systems is
degrading. In all the cases of poor performance, your IT administrator, Ronald, has already
used existing network baseline data to rule out the possibility of this performance degradation
occurring as either a temporary spike in traffic or insufficient hardware resources. You and
Ronald believe your systems are under attack, but now you need to know the type of attack
that is occurring in each instance so that you can devise an appropriate response.
1. Kim, a help-desk staffer, gets a phone call from Alex in human resources stating that
he can’t log on. Kim looks up the account information for Alex and sees that the
account is locked. This is the third time the account has locked this week. Alex insists
that he was typing in his password correctly. Kim notices that the account was locked
at 6 A.M.; Alex says he was at a meeting at a client’s site until 10 A.M. today. It seems
like a case of .
3. You find out the security log was cleared on the file and print server. No one in IT
claims responsibility. No matter who did this, you consider it .
4. Your antivirus software has detected the ILOVEYOU virus. You’re under attack from
.
5. While administering user accounts you notice that a new account called LyleBullock
has been created on your server. You know of no user in your organization with that
name. The account also is part of the administrators group. It’s a classic
.
6. While you are connected to another host on your network, the connection is suddenly
dropped. When you review the logs at the other host, it appears as if the connection is
still active. You suspect .
7. Your e-commerce Web server is getting extremely slow. Customers are calling stating
that it is taking a long time to place an order on your site. This could be
.
8. Your intranet Webmaster, Tim, has noticed an entry in a log file from an IP address
that is within the range of addresses used on your network. Tim does not recognize
the computer name as valid. Your network administrator, Deb, checks the DHCP server
and finds out the IP address is not in any of the scopes. This seems to be a case of
.
9. Tina, the network analysis guru in your organization, analyzes a network trace capture
file and finds out that packets have been intercepted and retransmitted to both a
sender and a receiver. You’ve experienced .
10. You get an email from an outside user letting you know in a friendly way that she
found it very easy to determine the correct password to access your FTP server. To
prove it, she includes the FTP password in the email. All your files are still on the FTP
server and have not been modified. Although this person had no malicious intent, you
still consider it .
Example:
If an intruder breaks into a locked server room and steals the hard disks out of a
server, this is an example of a hardware attack because the attack is targeting the
physical hardware of the computer and not the computer’s applications or operating
systems.
1. An intruder enters a locked building at night and steals five laptops from various users
in the software development department. What type of attack is this?
2. An intruder enters a locked building at night, sits at a user’s desk, and tries to enter a
user name and password to log on to the computer based on notes he finds taped to
the user’s monitor. What type of attack is this?
3. To obtain user names and passwords, an attacker installs a device on a keyboard that
records the user’s keystrokes. What type of attack is this?
4. An attacker removes the battery backup on a critical server system and then cuts
power to the system, causing irreparable data loss. What type of attack is this?
2. Which type of attack do you think it might be most difficult to guard against?
Lesson Objectives:
In this lesson, you will harden internal systems and services.
You will:
• Harden a computer’s operating system.
• Harden directory services.
• Harden a DHCP server.
• Harden file and print servers.
Scenario:
You’re a network security expert who’s been asked to evaluate the vulnerabilities in a client’s
network. The client currently has a network of Windows 2000 Server and Windows XP
Professional computers. You’ve decided to use L0phtcrack to check for password strength and
Superscan to scan for listening ports.
d. Click OK.
h. Close Superscan.
5. Reboot into Windows 2000 Server.
a. Restart the computer and choose Windows 2000 Server from the boot loader menu.
Analogy:
A good security policy provides functions similar to a government’s foreign policy.
The policy is determined by the needs of the organization. Just as the United States
needs a foreign policy because of real and perceived threats from other countries,
organizations also need a policy to protect their data and resources. The United States’
foreign policy defines what the threats are and how the government will handle those
To view the complete list of policies from the SANS Institute, see
www.sans.org/newlook/resources/policies/policies.htm#template.
ISO 17799 is a standard for information security that is currently under development by the
International Standards Organization (ISO). To view information on ISO 17799, see
http://enterprisesecurity.symantec.com/article.cfm?articleid=356&PID=470086,
www.securityauditor.net/iso17799/index.htm, and https://www.bspsl.com/secure/iso17799software/cvm.cfm.
Separation of Duties
In addition to the policies developed within the information security department, other
departments will have policies that overlap with information security such as human
resources, building security, and finance. These policies may not be owned or
managed by the information security department; in fact, it is good business practice to
have the responsibility for individual policies distributed throughout the organization in
different departments. This is often referred to as a separation of duties. No one person
or department should be exclusively responsible for all security issues. This concept
applies to policies, procedures, and ownership of an organization’s assets, whether
physical or virtual. Regardless of who owns a policy and the procedures and the
responsibility for enforcing it, security professionals must work with each department
as a main point of contact to ensure continuity in the overall corporate policy.
ACTIVITY 2-2
Examining a Security Policy
Data Files:
• NuclearPlantPasswordPolicy.rtf
Setup:
You’re using a Windows XP Professional computer named Client#, where # is a unique
number. There’s an administrative account named Admin#, where # is also a unique number,
which has a password of password.
Scenario:
As the new security administrator for a nuclear plant, you will be responsible for maintaining
and updating the documentation related to security policies, as well as for understanding and
enforcing the policies. Before you can be effective in these new duties, you’ve decided that
you need to familiarize yourself with the existing policy documents in the organization. Use
the \\Client100\SPlus\Student\NuclearPlantPasswordPolicy.rtf file to answer the following
questions.
1. If necessary, log on to Windows XP.
a. Reboot the computer and choose Windows XP Professional from the boot loader menu.
4. What other types of policy documents might you need in order to create a complete
security policy?
5. Which of the general components of a policy document are represented in this document?
6. How often must users change their passwords in order to adhere to this policy?
8. Would “gandalf8” be an acceptable password according to this policy? Why or why not?
Vulnerability: Description
• DNS zone transfers: DNS zone transfers can provide a wealth of information about the internal structure of a network because they include DNS records for every host in an organization. By default, zone transfers are allowed to any DNS server.
• Telnet service: To gain unauthorized access, an attacker could exploit the predictability of the name of the pipe created during the establishment of a Telnet session. Code could be placed on the server and executed when the pipe is opened.
• Internet Information Services: Because IIS is installed and enabled by default, it can provide easy access to a Windows 2000 server.
• Directory Services Restore Mode Administrator password: Allows an attacker to boot into Directory Services Restore mode and access Active Directory data.
• Local SAM attack: Member servers’ Security Accounts Manager (SAM) databases are vulnerable to password-cracking utilities because of how the passwords are stored. Also, in some circumstances, deleting the SAM on a member server will reset the Administrator account’s password to blank.
• Remote Datagram Protocol (RDP): When multiple malformed packets are sent to the RDP port on a Windows 2000 server, it could cause the system to suddenly crash, resulting in a DoS.
Vulnerability: Description
• Universal Plug and Play (UPnP) buffer overflow: This vulnerability involves sending a fake notification message to the UPnP service on a Windows XP machine. The resulting buffer overflow could lead to a takeover attack.
• RAS phonebook: The Remote Access Service (RAS) phonebook module in Windows XP does not properly check a specific attribute value, which can cause malformed data requests to lead to an attacker receiving LocalSystem privileges and the ability to execute malicious code on the target system.
• SNMP buffer overrun: When malformed data is sent to the Simple Network Management Protocol (SNMP) service running on Windows XP, a specially designed malicious management request could lead to a DoS, a takeover attack, or a malicious code attack.
Vulnerability: Description
• NetWare Loadable Modules (NLMs): Because NetWare systems rely on NLMs, they are vulnerable to fake NLMs that grant an attacker access to the system in some way. A popular malicious NLM allows the attacker to change the supervisor’s password on the server. There are also Trojan NLMs that mimic real NLMs, and attackers can use flaws in real NLMs to compromise the system.
• NetWare Core Protocol (NCP) requests: Attackers can flood the NetWare server with malicious and fake NCP requests, which results in a DoS attack when the server crashes and stops responding.
• Server console: Anyone with physical access to the server console can run NLMs to gain administrative access to the server.
• RCONSOLE: The RCONSOLE password is not encrypted by default.
The following table lists some of the vulnerabilities of the UNIX operating system and some
known vulnerabilities of Sun Solaris 9 specifically.
Vulnerability: Description
• Trusts and address-based authentication: By masquerading as another host, an attacker can bypass the .rhosts security implementation to gain access to a remote Solaris system.
• Daemons: Improperly configured daemons, or daemons with security flaws, could lead to system compromise.
• setuid programs: A security flaw in a setuid program, especially a setuid root program, could give an attacker elevated privileges or access to the root (or both).
• r services: Weak authentication mechanisms for these services provide opportunities for spoofing attacks.
• Berkeley Internet Name Domain (BIND) DNS: Because BIND runs with root privileges, BIND vulnerabilities can lead to unauthorized root access.
• Samba 2.0.8 and 2.0.9: If Solaris is running either of these versions of Samba, an attacker can exploit a symbolic link condition to gain elevated access and overwrite and destroy system files.
Security Baselines
A security baseline is a collection of security configuration settings that are to be applied to a
particular system in the enterprise. Generally speaking, a specific security baseline will outline
a minimum security configuration that you can use as criteria against which you can compare
other systems in your network. When creating a baseline for a particular computer, the settings
you decide to include will depend on its operating system and its function in your organization
and should include manufacturer recommendations. So you will have separate baselines for
desktop clients, file and print servers, DNS/BIND servers, application servers, directory
services servers, and for all those same types of systems depending on whether they’re running
Windows, NetWare, or a version of UNIX or Linux.
Baselines should be documented so they can be applied consistently throughout your
organization, and they will include all the hardening methods that you’re employing for each operating
system and type of computer. Once you’ve decided on a baseline, you can implement it with
each new deployment or upgrade.
On a Windows 2000 server computer, you’ll be able to configure only Account Policies, Local Policies, Public Key
Policies, and IP Security Policies using the Local Security Policy utility.
Table 2-2 lists the security policy settings you can configure on a Windows XP Professional
computer using Local Security Policy. You can use these settings to configure Windows XP
computers that are part of a domain or workgroup, although they would most likely be used to
configure security on Windows XP computers in a workgroup setting.
Like all Group Policy settings, you can configure security policy at the local, site, domain, or
organizational unit (OU) level. And like other Group Policy settings, security settings are
inheritable, but OU settings override domain settings, which override site settings, which
override local settings, unless of course you force Group Policy inheritance.
2. Is there a password policy setting that lets you set a minimum password age?
4. Is there a way to lock out a user after he or she has entered the wrong username or
password three times?
5. By default, which users have been assigned the right to log on locally to a Windows XP
computer?
6. Is there a security option that will allow you to create and display a warning banner
when users log on?
9. True or False? Security settings configured at the domain level will override
local policy settings on Windows XP computers in that domain.
Because auditing is configured as a policy, you can apply an audit policy at the local computer
using local policy or across the organization using Group Policy. To apply an audit policy, you
must first enable the policy and then decide whether to log successes or failures, or both,
depending on your audit strategy and security policy. For example, your security policy might
require the auditing of only account logon failures and not successes, or it might not require
the audit of policy changes at all. Once you’ve enabled and configured auditing, all events will
be written to the security log in Event Viewer, which will require careful monitoring to detect
possible attackers or intruders. Monitoring Event Viewer should be part of your overall
network monitoring strategy.
2. In addition to monitoring the overall security of a network and its resources, why else
might events in the security log be important?
4. What type of threat or attack could you discover by monitoring successful user logons?
5. What type of attack could you discover by monitoring successful changes to user or
group accounts?
Because servers are likely to have more services running than a workstation, we’re not focusing on Windows XP
in this section. However, you can usually disable many of the same core operating system services on Windows
XP that you can on Windows 2000 Server.
Table 2-4: Services, NLMs, and Daemons You Can Safely Disable or Not Enable
Operating System / Service, NLM, or Daemon: Comment
Windows 2000
• Alerter service: Used to forward alerts generated on the local computer to users or remote computers. Disable to prevent a social engineering attack.
• Clipbook service: Used only to transfer clipboard data between computers.
• Fax service: Used only if users will be sending and receiving faxes from the system.
• Messenger service: Used for sending pop-up messages between users. Disable to prevent a social engineering attack.
• Print Spooler service: Can be safely disabled on computers not accessing printers.
• World Wide Web Publishing service: Unnecessary if the server isn’t a Web server.
NetWare 6
• Portal.nlm and nsweb.nlm: Not necessary if the server isn’t a Web server.
• Nwftpd.nlm: Used only for FTP access.
• Named.nlm: Used only on DNS servers.
• Dhcpsrvr.nlm: Used only on DHCP servers.
• Java.nlm: Unnecessary unless you support Java applications on the server.
Security Templates
Definition:
Security templates are text files that specify security settings in the areas of account
policies, local policies, the event log, restricted groups, system services, and the
Registry. Security templates give you a way to standardize security settings based on
computer role and the level of security you require and to apply those settings
consistently to multiple computers. They also help automate the task of applying separate
security settings when you harden your systems—a task which can involve configuring
settings in several different utilities. Windows 2000 and Windows XP security
templates are stored in %systemroot%\Security\Templates.
You can use Windows 2000 security templates on Windows 2000 Server and Windows 2000
Professional computers.
You can also use security templates to analyze your current system settings by comparing your current settings
to those that Microsoft recommends and includes as part of the template.
You can use the Security Configuration And Analysis tool, a Microsoft Management
Console (MMC) snap-in, to apply a security template. If you want to examine or
modify template settings, you can use the Security Templates snap-in. You can apply
one of the default templates without modifying it, or you can choose one that is
similar to your needs and then modify it accordingly. Before you apply any of the
templates, be sure to examine them closely to see which settings they contain. You can
also automate the deployment of security templates by using Group Policy.
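The analysis step described for security templates, and the baseline comparison described under Security Baselines, come down to the same check: read the settings a template specifies and report where a computer's current values differ. This added example (not from the course or from Microsoft's tools) does that check; the template fragment and the "current settings" are constructed sample data in the key = value layout of Windows .inf security templates.

```python
"""Checking a computer against a security template (added example, not from the course).

Every setting in the template is compared with the live value and each
deviation is reported, which is what the Security Configuration And Analysis
snap-in does when it analyzes a system. SAMPLE_TEMPLATE is a constructed
fragment in the layout of Windows .inf security templates (a real template has
more sections), and CURRENT_WORKSTATION is a constructed stand-in for the
values read from a Windows XP workgroup computer.
"""
import configparser

METADATA_SECTIONS = {"Unicode", "Version"}   # describe the file, not the computer

SAMPLE_TEMPLATE = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 3
AuditPolicyChange = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed live values: the minimum password length and the lockout
# threshold were left at 0, and logon auditing was never turned on at all.
CURRENT_WORKSTATION = {
    "System Access": {
        "MinimumPasswordAge": "1", "MaximumPasswordAge": "42",
        "MinimumPasswordLength": "0", "PasswordComplexity": "1",
        "PasswordHistorySize": "24", "LockoutBadCount": "0",
        "ResetLockoutCount": "30", "LockoutDuration": "30",
    },
    "Event Audit": {"AuditAccountManage": "3", "AuditPolicyChange": "3"},
}


def parse_template(text):
    """Return {section: {setting: value}} for the security-relevant sections."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # keep the setting names' case as Windows writes them
    cp.read_string(text)
    return {
        section: {key: value.strip() for key, value in cp[section].items()}
        for section in cp.sections()
        if section not in METADATA_SECTIONS
    }


def analyze(template_text, current):
    """List (section, setting, template_value, current_value) for every deviation.

    current_value is None when the computer has no value for a setting the
    template requires, which for an audit setting means that auditing is off.
    """
    deviations = []
    for section, settings in parse_template(template_text).items():
        live = current.get(section, {})
        for key, wanted in settings.items():
            actual = live.get(key)
            if actual is None or actual.strip() != wanted:
                deviations.append((section, key, wanted, actual))
    return deviations
```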
For more information on how to deploy security templates, see Windows 2000 Help or
www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp.
1. Open a blank MMC and snap in the Security Templates tool.
a. Choose Start→Run, and enter MMC.
b. Choose File→Add/Remove Snap-in.
2. How do the password policy settings differ in the compatws and securews templates?
3. If you want to audit account logon events and account management, but not object
access, which security template would you use?
5. If you want to reset the system-wide security policy settings to the default
configuration, you would apply the template.
If you want to reset the security settings on the system root, you would apply the
template.
6. Why would you choose to use Group Policy to apply security templates instead of
applying the templates locally to individual computers?
If you are deploying multiple hotfixes at once in your own environment, you can chain them together
by using the Qchain tool. This will make it easier to deploy hotfixes so you don’t have to reboot
between each one. For more information, visit:
www.microsoft.com/downloads/release.asp?ReleaseID=29821.
1. Apply the latest service packs or hotfixes to close any security holes in the
operating system.
a. Connect to the Windows Update Web site at http://windowsupdate.microsoft.com
or run the executable for the service pack or hotfix, which you can obtain from
Microsoft’s Web site.
b. Use the wizards to complete the installations and restart when prompted.
2. Disable unnecessary services to prevent hackers from exploiting the services to
gain access or control of the system.
a. Right-click My Computer and choose Manage.
b. Expand Services And Applications and select Services.
c. In the details pane, disable any unnecessary services by double-clicking the
service and choosing Disabled from the Startup Type drop-down list.
3. Install Internet Explorer 6 to update the server’s browser and remove the
vulnerabilities found in Internet Explorer 5.x. (Install Internet Explorer from the
Windows Update Web site.)
4. Configure strict access control on the HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Control\SecurePipeServers\Winreg Registry key.
a. Choose Start→Run and enter regedt32.
b. In the Registry Editor window, in HKEY_LOCAL_MACHINE, expand
\SYSTEM\CurrentControlSet\Control\SecurePipeServers.
c. Select the Winreg subkey.
d. Choose Security→Permissions.
e. In the Name list, configure access only for the most trusted group of
administrators.
You can disable the firewall check if the server isn’t a firewall by editing the ASET environment
file (asetenv).
ACTIVITY 2-6
Hardening a Stand-alone Windows XP Operating
System
Data Files:
• SecureSystems.doc
Setup:
Tools, Service Packs, and data files you will need for this activity are available on the network
in the \\Client100\SPlus share in the following folders:
• Windows XP Service Pack: \XPProSP1
• Microsoft Baseline Security Analyzer: \MBSA
• SecureSystems.doc: \Student
Scenario:
As the security administrator for a large national bank, you need to make sure your new
Windows XP Professional client computers are secure. For now, these computers will be deployed
in a workgroup. With the current Windows 98 systems, the bank’s IT department has had
problems in the past with viruses; with short or non-existent passwords; with users bypassing
g. Log on as Admin#.
g. Click OK.
l. Select Enabled.
m. Click OK.
5. Set the appropriate Account Lockout Policy as specified in the SecureSystems.doc file.
a. In Local Security Settings, under Account Policies, select Account Lockout Policy.
b. Double-click Account Lockout Threshold.
d. Click OK.
6. Set the appropriate Audit Policy as specified in the SecureSystems.doc file.
a. In Local Security Settings, under Local Policies, select Audit Policy.
b. Double-click Audit Account Logon Events.
d. Click OK.
7. Set the appropriate User Rights Assignment as specified in the SecureSystems.doc file. You will only need to change policies if the default setting for a given policy does not match the recommended setting in the SecureSystems.doc file.
a. In Local Security Settings, under Local Policies, select User Rights Assignment.
b. Double-click Access This Computer From The Network.
d. Click OK.
e. Click OK.
p. Click OK.
u. Click OK.
Code Sample 1
Warning! This system is for authorized users only. Anyone using this
system without authorization is subject to prosecution. In addition,
the system may be monitored. By using this system, you consent to
monitoring. Any suspicious activity may be reported to the proper
authorities.
d. Open My Computer.
10. Test the Account Lockout policy settings.
a. In the Log On To Windows dialog box, enter Admin# as the user name.
12. Configure the appropriate Event Log settings as specified in the SecureSystems.doc file.
a. In Control Panel, click Performance And Maintenance.
b. Click Administrative Tools.
g. Click OK.
e. Close MBSA.
16. Can you tell if all current security patches have been implemented on the Windows XP
Professional system? If not, why?
17. How would you fix some of the problems the scan has detected?
Setup:
Tools, Service Packs, and data files for this activity are available on the network at
\\Server100\SPlus in the following folders:
• Windows 2000 Security Rollup Package 1: \W2KSRP
• Internet Explorer 6: \IE6
• Windows Media Player Security Patch: \WMPPatch
• Microsoft Baseline Security Analyzer: \MBSA
• SecureSystems.doc: \Student
Scenario:
Your next task as the bank’s security administrator is to make sure your new servers are
secure. With the current Windows NT server systems, the bank’s IT department has had
additional problems in the past with users, both internal and external, accessing services they were
not supposed to, as well as some problems with attacks on the default Internet Information
Server (IIS) configuration from Internet users. The bank wants to minimize the possibility of
those attacks without removing IIS altogether, as many of the systems will be deployed later as
Web servers, or will host applications that require IIS. For now, you as the security
administrator will disable these services until you harden them later on as you need them. Also, the
security plan calls for disabling the Print Spooler service on servers that are not being used as
print servers. Before connecting the new Windows 2000 Servers to your network and joining
the computers to the domain, you want to make sure that the server operating system is
hardened to minimize the likelihood of attacks from both internal and external users. Because these
will be domain member computers, all security-related policies will be set at the domain level,
so there is no need for you to configure them individually, but you will need to perform other
hardening steps individually on each system.
The IT department has designed a security deployment plan for all new systems, including the
Windows 2000 Server systems, and you as the security administrator need to make sure the
plan is implemented. Using the deployment design document SecureSystems.doc, implement
the changes on your Windows 2000 Server system, named Server#, in domain Domain#. The
default administrator account has been set up with a password of !Pass1234.
The installation steps might vary depending on the current version of the patch.
b. Run the Windows Media Player 6.4 Update installation file (wm320920_64.exe).
10. Can you tell if all current security patches have been implemented on the Windows
2000 Server system? If not, why?
11. How would you fix some of the problems the scan has detected?
Setup:
Service Pack 3 is available on the network at \\Server100\SPlus\W2KSP3.
Scenario:
You have completed a basic hardening procedure on all Windows 2000 domain member
computers. However, Microsoft has just released a new Service Pack that postdates the last
security patches that you applied when you hardened your servers. The bank’s security policy
recommends applying the newest service packs as soon as possible.
The location of the installation file might vary depending upon the source of the Service Pack. For example,
it might be in the Update folder.
TOPIC B
Harden Directory Services
In Topic 2A, you learned to increase security on base operating systems to make any kind of computer service more secure. But system security doesn’t stop there, because, for each specialized service you run in your environment, there are also specialized security problems and holes that attackers are just longing to find and exploit. In the remainder of this lesson, you’ll learn how to increase security on a variety of internal network services, starting with one of the most fundamental and wide-ranging: the directory service that your organization depends on for day-to-day user operations.
Have you ever lost your personal organizer? You know, the book, device, or calendar that has
your whole life in it—your appointments, key phone numbers, addresses? Remember how lost
and desperate you felt? Well, the directory service for your network is like the organizer for
your whole business. Your business really doesn’t want to lose that service to an attacker who
might get inside your network to attack it. By increasing directory security, you can make the
service a much tougher nut to crack.
Example:
Novell Directory Services (NDS) is an example of a directory service. NDS holds information about all the users, groups, servers, printers, and other objects in a Novell NetWare network. Users can use NDS to find network resources, such as printers, and administrators can control access to such resources through access control lists. NDS also has a schema that controls how objects are created and what attributes an administrator may assign to them. NDS is illustrated in Figure 2-3 as an example of a directory service.
Figure 2-4: Using Ldp to access the Active Directory directory service.
While the plain text editor might be useful in troubleshooting situations, the GUI utilities are easier to work with, as you can see when you compare Figure 2-5 with Figure 2-4. In addition, you can create scripts that use LDAP to automate routine directory maintenance tasks, such as adding large numbers of users or groups and checking for blank passwords or disabled or obsolete user accounts.
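A script of the kind this paragraph describes, as an added Python example (not course material, and not run against any real directory): it shows the LDAP filters that select disabled accounts and accounts permitted a blank password, and audits a constructed set of user entries for disabled, never-used, stale and blank-password-capable accounts. The account names and dates are constructed; the userAccountControl bits and the bitwise-AND matching rule OID are Active Directory's own.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# userAccountControl flag bits as defined by Active Directory.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020      # the account is allowed to have a blank password
UF_DONT_EXPIRE_PASSWD = 0x10000

# LDAP search filters a script would send to the domain controller. The
# 1.2.840.113556.1.4.803 matching rule is AD's bitwise-AND test, so each
# filter matches accounts that have the given bit set.
FILTER_DISABLED = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
FILTER_BLANK_PASSWORD_ALLOWED = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))"

# AD stores lastLogon and pwdLastSet as 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """0 means 'never' (no logon yet, or password must change at next logon)."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def audit_accounts(entries: List[Dict], now: datetime, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (sAMAccountName, finding) pairs for accounts that need attention.

    `entries` are the attribute dictionaries an LDAP search would return.
    On Windows 2000, lastLogon is not replicated, so a real script must
    collect it from every domain controller and keep the newest value.
    """
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        name = entry["sAMAccountName"]
        uac = entry["userAccountControl"]
        if uac & UF_ACCOUNTDISABLE:
            findings.append((name, "account disabled"))
        if uac & UF_PASSWD_NOTREQD:
            findings.append((name, "blank password permitted"))
        if uac & UF_DONT_EXPIRE_PASSWD:
            findings.append((name, "password never expires"))
        if entry.get("pwdLastSet", 0) == 0:
            findings.append((name, "password must be changed at next logon"))
        last = filetime_to_datetime(entry.get("lastLogon", 0))
        if last is None:
            findings.append((name, "never logged on"))
        elif now - last > timedelta(days=stale_days):
            findings.append((name, f"no logon for more than {stale_days} days"))
    return findings


# Constructed sample directory entries (names and dates are made up).
NOW = datetime(2003, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES: List[Dict] = [
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200,
     "lastLogon": datetime_to_filetime(NOW - timedelta(days=3)),
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=20))},
    {"sAMAccountName": "olduser", "userAccountControl": 0x200,
     "lastLogon": datetime_to_filetime(NOW - timedelta(days=200)),
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=230))},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": 0x200 | UF_PASSWD_NOTREQD | UF_DONT_EXPIRE_PASSWD,
     "lastLogon": datetime_to_filetime(NOW - timedelta(days=1)),
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "tjones", "userAccountControl": 0x200 | UF_ACCOUNTDISABLE,
     "lastLogon": 0, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ENTRIES, NOW):
        print(f"{name:12} {finding}")
```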
Figure 2-5: Using Active Directory Users And Computers to access the Active
Directory directory service.
ACTIVITY 2-9
Hardening Directory Services
Data Files:
• SecureSystems.doc
Scenario:
Your next task as the bank’s security administrator is to make sure Active Directory is secure. With the current Windows NT domain environment, the bank’s IT department has had problems in the past with users, both internal and external, logging on with user accounts that were not their own. They also had problems with users not changing their passwords in the domain and using easy-to-guess passwords. There were also some problems with attacks on servers from Internet users. The bank wants to minimize the possibility of the attacks to the Active Directory domain. Before connecting the new Active Directory domain controllers to your network and joining the new Windows XP professional computers to the domain, you want to make sure that Active Directory is hardened to minimize the likelihood of attacks from both internal and external users.
The IT Department and Active Directory design team has created a deployment plan for the
Windows 2000 Active Directory servers and you as the security administrator need to make
sure the plan is implemented. Using the deployment design document SecureSystems.doc,
implement the changes on your Windows 2000 server systems.
3. What other security templates are available in a default installation of Windows 2000?
5. Reanalyze the system to verify that the policy changes from the template are in effect.
a. Switch to the MMC console window.
b. Right-click Security Configuration And Analysis and choose Analyze Computer Now.
ACTIVITY 2-10
Hardening DHCP
Scenario:
One of the next tasks as the bank’s security administrator is to make sure DHCP is secure.
With the current Windows NT Server systems, the bank’s IT department has had problems in
the past with rogue DHCP servers being set up on the network and giving out unauthorized IP
addresses. The bank also had problems with some Windows NT DHCP servers giving out
addresses on subnets they were not supposed to. Before connecting the new Windows 2000
DHCP Servers to your network, you want to make sure that DHCP is hardened to minimize
the likelihood of attacks from both internal and external users.
Although DHCP is running on a domain controller for classroom and testing purposes, DHCP servers should not
be running on domain controllers, as this is a security risk. This will allow the possibility of client spoofs of
domain controllers. Also, if you have Active-Directory-integrated DNS zones and you have more than one DHCP
server covering the same subnet (for redundancy), you may need to add them to the DNSUpdate Proxy group.
To prevent rogue Windows 2000 DHCP servers from being installed on the network, the Active Directory design team has decided to have all the Windows 2000 DHCP servers authorized in Active Directory. To prevent DHCP addresses from passing to inappropriate subnets, they have decided to eliminate the DHCP Relay Agent from all Windows 2000 routers. As the security administrator, you need to make sure these changes are implemented.
1. Authorize the DHCP server.
a. From the Start menu, choose Programs→Administrative Tools→DHCP.
Do not activate the DHCP scope.
b. Select and right-click the DHCP server object, and choose Authorize.
d. Close DHCP.
TOPIC D
Harden Network File and Print Servers
Once clients connect to your network with their DHCP address and get authenticated by the
directory service, they are going to want to access basic network resources, like shared files
and network printers, in order to get their day-to-day work accomplished. The servers that host
your shared files and printers might not be as specialized as the other network services we’ve
discussed, but they do have their own security needs. In this topic, you’ll learn to increase the
security of the basic file and print sharing services on your network.
File and print servers might not seem like the most interesting or exciting network services,
but they are in need of your protection. For one thing, if these servers are compromised, so is
the ability of network users to do their day-to-day jobs. For another thing, you don’t want
attackers getting access to sensitive company information that might be stored in files on those
servers. So, these basic services are as worthy of your security attention as anything else that’s
running on your network.
SMB Signing
The Server Message Block (SMB) protocol runs on top of protocols such as TCP/IP, IPX/SPX,
and NetBEUI, and is used to access shared network resources, such as files and printers. SMB
typically works in this way:
1. A client computer sends SMB packets to a server to establish a connection.
2. After a client computer makes the initial connection to the server, it uses SMB packets to
send requests for shared data or commands to a shared printer.
Scenario:
One of the next tasks as the bank’s security administrator is to make sure your file and print
servers are secure. With the current Windows NT Server systems, the bank’s IT department has
had problems in the past with users accessing resources that they were not supposed to have
access to. There were also SMB man-in-the-middle attacks. The bank also had problems with
some confidential print jobs being taken from printers. Before connecting the new Windows
2000 file and print servers to your network, you want to make sure that your file and print
servers are hardened to minimize the likelihood of attacks from both internal and external
users.
Although the file and print server is running on a domain controller for classroom and testing purposes, you
should not use a domain controller as a file and print server because it poses a security risk.
To prevent users from accessing information that they are not supposed to and to prevent attackers from getting data, the bank’s IT department has decided to tighten permissions and implement appropriate countermeasures to prevent these attacks. As shares are created on the systems by the desktop support group, the IT department will verify that only the minimal permissions necessary are assigned. As the security administrator, your job is to implement any required system-wide security changes on all servers that will function as file and print servers. The underlying operating systems for these servers were hardened at installation time according to the general OS hardening guidelines of the organization. In some cases, you need to alter that configuration to permit the systems to function in their new roles. The IT department has provided you with a security recommendations document, SecureSystems.doc, that contains the desired security configuration information for file and print servers.
5. What could you do with the default administrative shares to harden the Windows 2000
server?
With this setting enabled, users can print, but will not be able to see the print queue.
Don’t choose Domain Security Policy.
b. Expand Windows Settings, Security Settings, and Local Policies, and select Security Options.
Lesson 2 Follow-up
In this lesson, you hardened your internal servers and the services they provide. Because your
internal systems hold much of your organization’s sensitive data, it’s important to make sure
they’re as secure as possible.
1. Does your organization stay current with all the latest operating system patches? Why
or why not?
2. Which operating system do you think is most secure: Windows 2000, NetWare 6, or
Solaris 9? Why?
Hardening Internetwork Devices and Services
Lesson Objectives:
In this lesson, you will harden internetwork devices and services.
You will:
• Harden internetwork connection devices.
• Harden DNS and BIND servers.
• Harden Web servers.
• Harden FTP servers.
• Harden NNTP servers.
• Harden email servers.
• Harden conferencing and messaging servers.
TOPIC A
Harden Internetwork Connection Devices
Tightening the perimeter of your network means increasing security anywhere that traffic can
flow between your internal systems and external systems, whether the external systems are on
the Internet or on other private networks. At the most basic level, this means making sure that
only desired network packets can make it past the connection devices, such as routers,
firewalls, and gateways, that create the physical connection between your private networks and
the outside world. In this topic, you’ll learn how to secure the internetwork connection devices
that sit between your valuable private systems and the attackers that want to get at them.
Attackers that attack from outside your private network have a fundamental challenge: they have to get their packets onto your private network before they can start doing anything bad to your systems. That means that they have to get their traffic past your border guards—your routers and other internet connection devices. If you secure these devices properly, your legitimate business communications can go through, but attackers’ communications will be stopped at the border.
Vulnerability Description
SNMP SNMPv1 uses clear text to send SNMP community names,
which can be used to gain administrative access and take over
network connection devices. If you’re using SNMP, try to use
SNMPv2 or higher. If you have no need for SNMP, disable it.
Telnet Because Telnet communications are unencrypted by default,
attackers can more easily hijack the session.
Router configuration files If you improperly store copies of router configuration files on
unsecured servers, attackers could gain administrative access to
the devices.
ACTIVITY 3-1
Hardening a Windows 2000 Router
Scenario:
One of the next tasks as the bank’s security administrator is to make sure your routers are secure. In the past, the bank has had problems with attackers accessing services and data that they were not supposed to have access to through the routers. Before connecting the new Windows 2000 routers behind a firewall on your network, you want to make sure that your routers are hardened to minimize the likelihood of attacks, especially DDoS and spoofing attacks, from external users. After you configure the routers, the bank’s desktop team will test the connections from laptops to make sure the security is not too restrictive.
To prevent users from accessing information that they are not supposed to and to prevent
attackers from getting data, the bank’s IT department has decided to create a demilitarized
zone (DMZ) by implementing two software-based routers using Windows 2000 Routing and
Remote Access Server. These routers will be installed behind the existing hardware-based
firewall, which has already been hardened. To help ensure security on these software-based
routers, they will run RIPv2 and will communicate with each other securely by RIP peer
security. The bank also wants to implement packet filters to drop incoming external packets
with internal private IP addresses as the source addresses to prevent attackers from spoofing
internal IP addresses on the private subnet.
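The anti-spoofing packet filter the scenario calls for, as an added Python model (not course material, and not the Windows 2000 RRAS filter itself): packets arriving on the external interface are dropped when their source address is in the bank's internal subnet or in any RFC 1918 private block, and, going beyond the scenario, the matching outbound filter stops inside hosts from sending packets with foreign source addresses. Interface names, the subnet and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Address blocks that are never legitimate *source* addresses on a packet
# arriving from the Internet: the RFC 1918 private ranges and loopback.
BOGON_SOURCE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    interface: str  # interface the packet arrived on (assumed names below)
    src: str
    dst: str
    proto: str


@dataclass(frozen=True)
class Decision:
    action: str  # "drop" or "permit"
    reason: str


class AntiSpoofFilter:
    """Input filters for a two-interface router sitting behind the firewall.

    `external` faces the firewall/Internet; `internal` faces the private
    subnet the router serves. Both names and the subnet are assumptions.
    """

    def __init__(self, external: str, internal: str, internal_subnet: str):
        self.external = external
        self.internal = internal
        self.internal_subnet = ipaddress.ip_network(internal_subnet)

    def ingress(self, pkt: Packet) -> Decision:
        """Inbound check: the filter the scenario asks for."""
        src = ipaddress.ip_address(pkt.src)
        if src in self.internal_subnet:
            return Decision("drop", f"external packet claims internal source {src}")
        for block in BOGON_SOURCE_BLOCKS:
            if src in block:
                return Decision("drop", f"external packet with unroutable source in {block}")
        return Decision("permit", "source address is plausible for the Internet")

    def egress(self, pkt: Packet) -> Decision:
        """Outbound check (beyond the scenario): only our own subnet may be a
        source, so the bank's hosts cannot be used to spoof someone else."""
        src = ipaddress.ip_address(pkt.src)
        if src not in self.internal_subnet:
            return Decision("drop", f"internal packet with foreign source {src}")
        return Decision("permit", "source belongs to the internal subnet")

    def evaluate(self, pkt: Packet) -> Decision:
        if pkt.interface == self.external:
            return self.ingress(pkt)
        if pkt.interface == self.internal:
            return self.egress(pkt)
        return Decision("drop", f"unknown interface {pkt.interface}")

    def run(self, packets: Iterable[Packet]) -> List[Tuple[Packet, Decision]]:
        return [(p, self.evaluate(p)) for p in packets]


def count_actions(results: List[Tuple[Packet, Decision]]) -> Dict[str, int]:
    counts = {"drop": 0, "permit": 0}
    for _pkt, decision in results:
        counts[decision.action] += 1
    return counts


# Constructed sample traffic; 198.51.100.0/24 and 203.0.113.0/24 stand in for
# Internet addresses, 192.168.100.0/24 for the bank's private subnet.
SAMPLE_PACKETS = [
    Packet("External", "198.51.100.23", "192.168.100.10", "TCP"),  # genuine Internet client
    Packet("External", "192.168.100.7", "192.168.100.10", "TCP"),  # spoofs an internal host
    Packet("External", "10.20.30.40", "192.168.100.10", "UDP"),    # private source from outside
    Packet("External", "127.0.0.1", "192.168.100.10", "ICMP"),     # loopback from outside
    Packet("Internal", "192.168.100.7", "203.0.113.9", "TCP"),     # legitimate outbound
    Packet("Internal", "198.51.100.23", "203.0.113.9", "TCP"),     # inside host spoofing an outsider
]

FILTER = AntiSpoofFilter(external="External", internal="Internal",
                         internal_subnet="192.168.100.0/24")

if __name__ == "__main__":
    for pkt, decision in FILTER.run(SAMPLE_PACKETS):
        print(f"{pkt.interface:8} {pkt.src:>15} -> {pkt.dst:<15} {decision.action:6} {decision.reason}")
```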
1. Install RIP version 2 for IP as a new routing protocol on the Routing and Remote Access Server, using the Local Area Connection as the RIP protocol interface.
a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.
b. Expand your server object and expand IP Routing.
h. Click OK.
2. Why would you not check Activate Authentication in the General properties for RIP on
the Local Area Connection interface?
3. What type of attacks do the default Advanced settings for RIP on the Local Area Connection interface protect against?
5. What is the security benefit of the peer security feature that you have just enabled?
7. This software-based router does not have a live connection to another subnet. If the
computer was a true multi-homed router with multiple network cards, what additional
hardening steps should you take on this router to accomplish the additional security
goals in the scenario?
Vulnerability Description
DNS spoofing An attacker manipulates DNS records to send DNS clients to
fraudulent Web sites where the attacker can record data
transmissions.
DNS hijacking An attacker gains administrative access to a DNS server and
modifies or deletes records, which can eliminate a company’s
Internet presence until the problem is found and resolved.
Cache corruptions (aka cache poisoning or cache pollution) Some Microsoft DNS servers are vulnerable to malformed queries, or accepting malicious data from a remote name server, which may result in corruption of the DNS cache and can result in a DoS attack. It can also allow an attacker to redirect the Web sites that use the vulnerable DNS.
Input validation On a BIND server, specially formatted user input, when improperly validated, may be used to execute code with the permissions of the BIND user.
Environment variables A specially executed query may expose environment variables
via the program stack on a BIND server. This can provide
potentially sensitive information that may result in further
attacks.
ACTIVITY 3-2
Hardening DNS
Data Files:
• SecureSystems.doc
Scenario:
One of the next tasks as the bank’s security administrator is to make sure your DNS servers
are secure. In the past, when the bank managed its own DNS, without assistance from the ISP,
it has had problems with DNS hijack attempts, where attackers redirected users to a fake bank
Web page. All Windows NT domain controllers and DNS servers at the bank have now been
upgraded to Windows 2000. Before connecting the new Windows 2000 DNS Server to your
network, you want to make sure that your DNS server is hardened to minimize the likelihood
of attacks from both internal and external users. To prevent attackers from hijacking DNS
records, the bank’s IT department has decided to implement a secure DNS server.
The IT department has designed a security deployment plan for all new systems, including the
Windows 2000 DNS Servers, and you as the security administrator need to make sure the plan
is implemented. The IT department has already established a DNS solution with the ISP for
other DNS servers running BIND, so you do not have to configure those servers. Using the
deployment design document SecureSystems.doc, implement the changes on your Windows
2000 DNS server.
1. As the domain administrator, switch Active Directory to Native mode.
a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users And Computers.
e. Click OK twice.
2. Change DNS zones to Active Directory-integrated.
a. From the Start menu, choose Programs→Administrative Tools→DNS.
b. Click OK.
d. Close DNS.
TOPIC C
Harden Web Servers
In Topic 3B, you hardened the DNS servers that provide name resolution between your internal systems and the Internet. One of the most common reasons to provide DNS services is so that outside users can access your company’s own Web sites. Because nearly every company in today’s business environment has a Web presence, many security specialists will have the responsibility of securing Web services. In this topic, you’ll perform the steps you need to secure your Web servers.
A functioning Web site is a major part of your company’s public persona. Most companies
today wouldn’t be without a Web site any more than they would be without a phone number.
Hacking or defacing an informational Web site can be a terrible embarrassment for your
company. But even beyond that, for many companies, a Web presence is essential to how they
do business; in e-commerce, the Web site is the business. If the Web site goes down, so does
your ability to take orders, respond to customer service requests, and ship products. Therefore,
your Web site is one of your company’s most important assets. It’s your responsibility to do
everything you can to protect it from attack.
Don’t forget that you must still configure access control lists to provide user access to files; this step is separate
from configuring these Web security features.
Because attackers are finding new ways to exploit Web servers every day, you must constantly check with your
vendor for new threats and available patches.
As you work through the wizard, you can use the pages shown in the following table to configure your IIS settings.
Page Description
Select Server Template You can select the role that the server will play in your network.
These roles include Small Business Server, Proxy Server, BizTalk
Server, Static Web Server, and Server That Does Not Require
IIS. Which role you choose will determine which settings are
configured and which services are enabled or disabled. You must
check View Template Settings on this page to see the next three
pages.
You can see more detailed information about URLScan in the IIS Lockdown tool Help files or
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp.
After you’ve completed the wizard, Microsoft recommends that you test your Web server to
ensure that it provides the services that you need it to provide. If you find that the server is too
secure, you can run the tool again to restore the server’s previous settings, or you can make
minor adjustments in settings to meet your needs.
Scenario:
As you plan ways to secure your Web servers, you’ve suggested to those planning the security implementation that you use the IIS Lockdown tool to help automate the hardening process for your Web servers, which currently run Solaris 9, Windows NT 4.0 (with IIS 4.0), and Windows 2000 (with IIS 5.0). You’ve been asked to answer some questions and submit a report that outlines the benefits of the tool.
2. Of the three Web servers you currently have, which can you use the IIS Lockdown tool
to secure?
4. True or False? You can use the IIS Lockdown tool to completely remove IIS
from a server.
5. True or False? You may not make any manual changes after running the IIS
Lockdown tool.
ACTIVITY 3-4
Hardening a Web Server
Data Files:
• SecureSystems.doc
Setup:
Data files and other resources are located on the network in \\Server100\SPlus in the following
folders:
• IIS Security Rollup: \IIS\SecRollup
• IIS Lockdown Wizard: \IIS\Lockdown
• SecureSystems.doc: \Student
Scenario:
You disabled the World Wide Web Publishing service until you were ready to harden IIS and
deploy your Web server. Well, now you’re ready! As the bank’s security administrator you
need to make sure your Web servers are secure. In the past, the bank has had problems with
attackers running code on the Web servers and either bringing down the Web site or stealing
information. Before connecting the new Windows 2000 IIS Servers to your network, you want
to make sure that your Web server is hardened to minimize the likelihood of attacks from both
1. Uninstall Windows Service Pack 3 before beginning this activity to avoid conflicts with the IIS Security Rollup Package.
a. Open Control Panel and run Add/Remove Programs.
b. In the Currently Installed Programs list, click Windows 2000 Service Pack 3.
c. Click Change/Remove.
e. Click Start.
f. Log on as Administrator.
ACTIVITY 3-5
Identifying FTP Password Vulnerabilities
Setup:
You will work with a partner in this activity; both partners’ servers are running the FTP
service. You can log on to the FTP servers using any user name or password. Each partner will
connect to the other partner’s FTP server. Installation source files for Network Monitor Service
Pack 1 are available at \\Server100\SPlus\SMS\NMext\I386.
Scenario:
Part of the security deployment plan at your firm will involve hardening the FTP servers. Currently, the FTP servers are configured to accept any user name and password for authentication, and users generally log on with their Windows 2000 domain user accounts. The firm is particularly concerned with verifying that your FTP servers are not vulnerable to password eavesdropping attacks. You want to see if this is a valid concern by taking a look to see how vulnerable your FTP user names and passwords are.
5. Use FTP to access the FTP server and log on as a domain user account.
a. Open a command prompt and enter ftp Server# where # is your partner’s computer number.
7. How did you identify the frame containing the clear-text password?
FTP Vulnerabilities
Besides the vulnerabilities covered already in this course, FTP servers have some specific vulnerabilities that are listed in the following table.
Vulnerability Description
Basic authentication Like Web servers, basic authentication on an FTP server passes
user names and passwords in clear text.
Anonymous access (blind FTP) There are no authentication or access control mechanisms that
can prevent malicious activity. Additionally, a blind FTP server
could be used for illegal activity; for example, it could become
a warez server.
Unnecessary services Extra unnecessary services running on the FTP server could provide an avenue of attack.
Clear text transmissions By default, FTP data transfers are not encrypted, which leaves
the data open to sniffers and eavesdroppers on the local network
or across the Internet.
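The clear-text credential exposure described in the Basic authentication row, and the frame hunt in Activity 3-5, as an added Python example (not course material): it walks a constructed, Network Monitor-style capture of an FTP control channel, flags the frames carrying USER and PASS, and pairs each PASS with the server's reply so a rejected (530) and an accepted (230) logon can be told apart, which is what an auditor reviewing such a capture needs to show. Hosts, frame contents and credentials are all constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One captured frame, the way Network Monitor summarises it:
# (frame number, source ip:port, destination ip:port, TCP payload as ASCII).
Frame = Tuple[int, str, str, str]

FTP_CONTROL_PORT = 21
REPLY_CODE = re.compile(r"^(\d{3})[ -]")                       # "230 ...", "530 ...", "331 ..."
CREDENTIAL_CMD = re.compile(r"^(USER|PASS) (.*?)\r\n$", re.IGNORECASE)

# Constructed sample capture: one failed and one successful logon from a
# client at 10.0.0.5 to the FTP service on 10.0.0.21. All values are made up.
SAMPLE_FRAMES: List[Frame] = [
    (1, "10.0.0.21:21", "10.0.0.5:1042", "220 server21 Microsoft FTP Service (Version 5.0).\r\n"),
    (2, "10.0.0.5:1042", "10.0.0.21:21", "USER DOMAIN21\\student\r\n"),
    (3, "10.0.0.21:21", "10.0.0.5:1042", "331 Password required for DOMAIN21\\student.\r\n"),
    (4, "10.0.0.5:1042", "10.0.0.21:21", "PASS WrongGuess1\r\n"),
    (5, "10.0.0.21:21", "10.0.0.5:1042", "530 User DOMAIN21\\student cannot log in.\r\n"),
    (6, "10.0.0.5:1042", "10.0.0.21:21", "USER DOMAIN21\\student\r\n"),
    (7, "10.0.0.21:21", "10.0.0.5:1042", "331 Password required for DOMAIN21\\student.\r\n"),
    (8, "10.0.0.5:1042", "10.0.0.21:21", "PASS Sample-Pa55\r\n"),
    (9, "10.0.0.21:21", "10.0.0.5:1042", "230 User DOMAIN21\\student logged in.\r\n"),
    (10, "10.0.0.5:1042", "10.0.0.21:21", "SYST\r\n"),
    (11, "10.0.0.21:21", "10.0.0.5:1042", "215 Windows_NT version 5.0\r\n"),
]


@dataclass
class LogonAttempt:
    user_frame: int
    pass_frame: int
    username: str
    password: str               # exactly as it crossed the wire, unencrypted
    reply_frame: Optional[int]
    reply_code: Optional[int]

    @property
    def outcome(self) -> str:
        # RFC 959: 230 means logged in; a 4xx/5xx reply to PASS means rejected.
        if self.reply_code is None:
            return "unknown"
        return "success" if self.reply_code == 230 else "failure"

    def masked_password(self) -> str:
        return self.password[:1] + "*" * (len(self.password) - 1)


def to_server(frame: Frame) -> bool:
    """Client -> server traffic on the control channel."""
    return frame[2].endswith(f":{FTP_CONTROL_PORT}")


def from_server(frame: Frame) -> bool:
    return frame[1].endswith(f":{FTP_CONTROL_PORT}")


def extract_logons(frames: List[Frame]) -> List[LogonAttempt]:
    """Pair every clear-text USER/PASS with the first server reply after PASS."""
    attempts: List[LogonAttempt] = []
    pending_user: Optional[Tuple[int, str]] = None
    for idx, frame in enumerate(frames):
        number, _src, _dst, payload = frame
        if not to_server(frame):
            continue
        match = CREDENTIAL_CMD.match(payload)
        if not match:
            continue
        command, argument = match.group(1).upper(), match.group(2)
        if command == "USER":
            pending_user = (number, argument)
        elif command == "PASS" and pending_user is not None:
            reply_frame, reply_code = None, None
            for later in frames[idx + 1:]:
                reply = REPLY_CODE.match(later[3]) if from_server(later) else None
                if reply:
                    reply_frame, reply_code = later[0], int(reply.group(1))
                    break
            attempts.append(LogonAttempt(pending_user[0], number, pending_user[1],
                                         argument, reply_frame, reply_code))
            pending_user = None
    return attempts


if __name__ == "__main__":
    for attempt in extract_logons(SAMPLE_FRAMES):
        print(f"frame {attempt.pass_frame}: PASS for {attempt.username} "
              f"({attempt.masked_password()}) -> {attempt.reply_code} {attempt.outcome}")
```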
The OpenSSH project (www.openssh.org) is currently the leading command-line open source implementation of SSH. There are two versions of SSH. The current version, Version 2, is considered to be significantly more secure than the original, SSH Version 1. SSH Clients and Servers are available for nearly all operating systems in a commercial or open source implementation.
SFTP is simply a secure, SSH-encrypted, version of the FTP protocol. Users may also
use the scp command, which is a secure, drop-in replacement for the rcp command on
Linux and UNIX hosts. This command is used for transferring files over a secure, SSH
connection. Many SSH implementations have a corresponding SFTP implementation
(and nearly all have an SCP implementation). While there are other protocols available
for secure login and file transfer, including FTP over SSL and Telnet over SSL, these
tools have mostly been replaced by SSH/SCP/SFTP at most installations.
Although the FTP service is running on a domain controller for classroom and testing purposes, this is
a security risk.
Scenario:
National Bank is preparing to deploy FTP servers on the network on top of dynamic Web servers. The IT department has enabled FTP on your Windows 2000 Server; now, as the bank’s security administrator, you need to make sure the FTP server is secure. In the past, the bank has had problems with users accessing files they should not have had access to. Before connecting the new Windows 2000 FTP Server to your network, you want to make sure that your FTP server is hardened to minimize the likelihood of attacks from both internal and external users. The IT department also wants to prevent anyone sending genuine user names and credentials when they log on to the FTP server.
If the Lockdown Tool hangs and stops responding, or the undo procedure fails, try re-running the tool. If it fails again, reboot your computer. The undo procedure can take 20 minutes or more.
b. Click Next, and then click Yes to restore the original server settings.
c. When the settings have been restored, click Next, and then click Finish.
f. Click OK.
1. Start capturing all data sent between the local computer and all other destinations on the network.
a. From the Start menu, choose Programs→Administrative Tools→Network Analysis Tools→Network Monitor.
b. Choose Capture→Filter.
e. Click OK twice.
f. Choose Capture→Start.
2. Use FTP to access the FTP server and attempt to log on as a domain user account.
a. Open a command prompt and enter ftp server# where # is your partner’s computer number.
4. Stop the capture and review the capture log.
a. Choose Capture→Stop and View.
b. After you have located the frames showing the successful and unsuccessful logons, close Network Monitor without saving the capture or unsaved database entries.
6. Other than restricting logons, how else could you protect against an eavesdropping
attack against clear text FTP passwords?
ACTIVITY 3-8
Hardening an NNTP Server
Activity Time:
30 minutes
Setup:
Your Windows 2000 server is running as a Web and FTP server, and it has been locked down
by using the IIS Lockdown Wizard. The NNTP service was disabled when the base operating
system was hardened. Resources are located on the network in \\Server100\SPlus in the following folder:
• IIS Lockdown Wizard: \IIS\Lockdown
Scenario:
You disabled the NNTP service until you were ready to harden IIS and deploy your NNTP server. The bank has decided that they now want to use NNTP, FTP, and enable ASP on the IIS server. As the bank’s security administrator you need to make sure your NNTP servers are secure. In the past, the bank has had problems with users accessing newsgroups that they should not have had access to. Before connecting the new Windows 2000 NNTP Server to your network, you want to make sure that your NNTP server is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from attacking NNTP the bank’s IT department has decided to implement a secure NNTP server.
The IT department has designed a security deployment plan for all new systems, including the
Windows 2000 NNTP Servers, and you as the security administrator need to make sure the
plan is implemented.
If the Lockdown Tool hangs, or if the undo procedure fails, try re-running the tool. If it fails again, reboot your computer. The undo procedure can take 20 minutes or more.
b. Click Next, and then click Yes to restore the original server settings.
c. When the settings have been restored, click Next, and then click Finish.
Email Vulnerabilities
There are numerous known email vulnerabilities, and there seem to be new ones discovered
every week. The following table lists some examples of common email vulnerabilities.
Vulnerability Description
Email worms Users with an email client that uses a particular version of
Microsoft Internet Explorer may be vulnerable to the automatic
execution of arbitrary code in an email. This can result in the
spread of the code to other clients using other email addresses
found in a variety of places on the computer, including the
user’s contact management application (for example, Microsoft
Outlook), the Web browser’s local cache, and the contents of
email messages received and stored on the system. Nimda is an
example of an email worm.
Malicious code A user who opens and executes malicious code disguised as an attachment may infect their machine and others on their network. The malicious code may reveal sensitive information on the system, fill the hard disk to maximum capacity, or recursively delete files. For example, in some versions of Outlook and some instant messaging applications, files that don’t meet the 8.3 filenaming convention are truncated with an ellipsis. This could mean a user will execute a file because he or she can’t see the file extension or the complete file name, leading to a serious code attack.
Data buffers There have been numerous buffer overflows found in Sendmail,
Microsoft Exchange Server, and other email protocols (including
SMTP, POP, and IMAP) servers throughout the years.
Spam A malicious user can flood a network with emails and effectively
cause a DoS by overloading an organization’s email servers. An
attacker can also use target servers set up as SMTP relays to
launch spam attacks against other networks.
Public key cryptography and certificates will be covered later in this course.
Setup:
The Exchange server is also an IIS server running the WWW and FTP services. These services
were previously hardened by running the IIS Lockdown Wizard. The SMTP service is
disabled. Data files and other resources are located on the network in \\Server100\SPlus in the
following folders:
• IIS Lockdown Wizard: \IIS\Lockdown
• SecureSystems.doc: \Student
• Windows 2000 Server installation files: \Srv2000
Scenario:
National Bank supports SMTP email services by using Microsoft Exchange 2000 Server. One
of the next tasks as the bank’s security administrator is to enable SMTP and to make sure
these SMTP servers are secure. In the past, the bank has had problems with DoS attacks on
the Exchange Servers. Before connecting the new Exchange 2000 Server to your network, you
want to make sure that your Exchange 2000 server is hardened to minimize the likelihood of
attacks from both internal and external users. To prevent attackers from attacking Exchange
2000 Server, the bank’s IT department has decided to implement a secure Exchange 2000
Server.
The IT department and the Exchange 2000 design team have designed a security deployment
plan for all new systems, including the Windows 2000 Exchange 2000 Servers, and you as the
security administrator need to make sure the plan is implemented. One part of the plan is to
make sure that FTP is not running on any SMTP servers, in order to eliminate any possible
attacks on the mail servers through FTP. The Exchange 2000 design team is planning to install
virus protection software on the Exchange server when you are done hardening.
e. Click OK.
3. In the First Storage group, enable Message size limits on the Mailbox Store and Public Store, according to the specifications in the SecureSystems.doc file.
a. In the Tree pane of Exchange System Manager, expand your server and select the First Storage Group.
b. Right-click Mailbox Store and choose Properties.
h. Click OK.
e. Click Start.
6. Enable SMTP logging for the SMTP protocol’s SMTP Virtual Server object.
a. In the Exchange System Manager Tree pane, under your server, expand the Protocols folder and select SMTP.
b. Right-click the Default SMTP Virtual Server and choose Properties.
When hardening Exchange 2000 Server, you should also enable IIS logging. You did this in an earlier activity.
7. Block inbound SMTP traffic for the domains specified in the SecureSystems.doc file by adding them to the Access/Connection Control list for the SMTP Server object.
a. In the Default SMTP Virtual Server Properties sheet, select the Access tab.
b. Click Connection.
c. In the Connection dialog box, verify that All Except The List Below is selected, and click Add.
d. Select Domain.
b. Click Next, and then click Yes to restore the original server settings.
c. When the settings have been restored, click Next, and then click Finish.
If the Lockdown Tool hangs and stops responding, or the undo procedure fails, try re-running the tool. If it fails again, reboot your computer. The undo procedure can take 20 minutes or more.
10. Verify that FTP is no longer installed.
a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.
TOPIC G
Harden Conferencing and Messaging Servers
Another way that your company might be communicating across the Internet with foreign networks is through the use of various types of collaboration services. Tools like instant messaging and video conferencing are no longer novelties but, instead, are commonplace and legitimate tools for business communications. In this topic, you’ll learn to secure communications that use these real-time interactive services.
With collaboration services, such as instant messaging, your employees are communicating with the outside world in real time. The communication is instantaneous and performance is of the essence. Before you know it, an attacker could insert something undesirable into the communication and you wouldn’t have time to stop it. It’s better to secure these systems so that an attacker can’t connect to them in the first place.
Setup:
You have a new installation of a Windows 2000 Server set up as an Exchange 2000 Server with Instant Messaging installed. The computer is named Server#, and it is in a domain named Domain#, where # is a unique integer assigned to you by the instructor. The default administrator account has been set up with a password of !Pass1234. The Exchange 2000 Server has been hardened along with running the IIS Lockdown Tool. Data files are located in \\Server100\SPlus\Student and the IM Client is at \\Server100\SPlus\E2KIM. Your email address is administrator@server#.
Although the Exchange Server with Instant Messaging is running on a domain controller for classroom and testing purposes, this is a security risk.
Scenario:
You have already hardened your Exchange 2000 Server and IIS with the IIS Lockdown Tool. Now, one of the next tasks as the bank’s security administrator is to make sure your Instant Messaging servers are secure. In the past, the bank has had problems with users exchanging Instant Messages with unauthorized users. Before connecting the new Instant Messaging server to your network, you want to make sure that your Instant Messaging server is hardened to minimize the likelihood of attacks from both internal and external users. To prevent attackers from attacking Instant Messaging, the bank’s IT department has decided to implement a secure Instant Messaging server.
The IT department and the Exchange 2000 Server design team have designed a security deployment plan for all new systems, including the Instant Messaging servers, and you as the security administrator need to make sure the plan is implemented. After you implement the changes on your Exchange 2000 server, you should be sure to verify that the IM clients can connect to the IM server with the new security configuration. The network administrators will then place the server behind the firewall.
Because the DNS hierarchy for each class domain is independent, this activity will not enable you to send Instant Messages between classroom computers.
f. Click Next.
h. Click OK twice.
4. True or False? If you use Digest Authentication, you must configure user passwords to be stored using reversible encryption.
5. Modify the Exchange Features properties of your Active Directory user account to enable Instant Messaging and use your Instant Messaging server as your home server.
a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users And Computers.
b. Expand your domain and select the Users folder.
d. Click Next.
Lesson 3 Follow-up
In this lesson, you hardened the devices and computers that are exposed to the Internet and
provide services to both local and remote users. By securing the systems that act as a border
around your network, you provide a higher level of security to your internal network resources.
1. Which internetwork connection device do you think is most important to secure?
2. Which provides a greater security threat to your organization: your border router or
your email infrastructure?
Securing Network Communications
Lesson Objectives:
In this lesson, you will secure network communications.
You will:
• Secure network traffic using IPSec.
• Secure wireless traffic.
• Secure client Internet access.
• Secure the remote access channel.
TOPIC A
Secure Network Traffic Using IP Security (IPSec)
When you secure network traffic, it’s not a single operation. You need to consider various
types of traffic, such as LAN, WAN, and wireless communications. We’ll start with a method
that you can apply in many types of situations. In this topic, you’ll learn how to configure
Internet Protocol Security (IPSec), a powerful, general-purpose technique for protecting data on
IP networks.
IPSec is a flexible and powerful tool that can help you ensure not only that only authorized data is getting through your network systems, but also that the data can be read only by authorized parties. So, IPSec can prevent hackers both from hijacking a session and from scanning the network data for information. Unfortunately, used incorrectly, IPSec can also shut down legitimate communications on your network. So, learning to apply IPSec correctly is an indispensable skill for any network security professional.
Data Integrity
To protect against replay or man-in-the-middle attacks, you need to provide a method that two computers can use to verify that the data they’re exchanging is the original, unmodified data; that is, you need to provide a way for Computer A to verify that the data it receives from Computer B is the same data Computer B sent, and vice versa. One method is to use a message digest. A message digest, also called a digital signature, is created by using a one-way encryption algorithm, also called a hashing algorithm, such as MD5 or SHA-1, both of which are described in Table 4-1. The algorithm produces a numerical result of a fixed size, called a digest or hash value, which is a condensed representation of the original data. The data and the digest are sent to the recipient, who then decrypts the digest and recomputes the digest from the received file using the same algorithm. If the recomputed digest matches the digest that was sent with the data, the file is proved to be intact and tamper-free from the sender. Digital signatures promote data integrity and non-repudiation by ensuring that data is authentic from the source and that one party can’t deny involvement in an electronic transaction.
While message digests are a secure way to authenticate data, attackers can attempt to use the “birthday paradox” to find a different message that produces an identical hash. For more information about birthday attacks, see www.rsasecurity.com/rsalabs/faq/2-4-6.html.
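Added example, not from the course: the sender/receiver digest check described above, using the keyed HMAC construction that IPSec’s AH and ESP actually use (HMAC-SHA-1 truncated to 96 bits, as in RFC 2404); the receiver recomputes the digest over the received data and compares. The shared key, the payload and the bit flip that stands in for a man-in-the-middle modification are constructed sample values.

```python
"""Message-digest integrity check in the style of IPSec's HMAC-SHA-1-96."""
import hashlib
import hmac
import os

ICV_LEN = 12  # IPSec truncates the 20-byte HMAC-SHA-1 output to 96 bits (RFC 2404)


def compute_icv(key: bytes, data: bytes, algorithm: str = "sha1") -> bytes:
    """Keyed digest (integrity check value) the sender attaches to the data.

    "md5" works here too, giving the HMAC-MD5-96 variant IPSec also offers.
    """
    return hmac.new(key, data, algorithm).digest()[:ICV_LEN]


def build_message(key: bytes, payload: bytes) -> bytes:
    """Sender side: the payload followed by its 12-byte ICV."""
    return payload + compute_icv(key, payload)


def verify_message(key: bytes, message: bytes):
    """Receiver side: split off the ICV, recompute it over the payload, compare.

    Returns (ok, payload); payload is None when the check fails so a caller
    cannot accidentally act on tampered data.
    """
    if len(message) < ICV_LEN:
        return False, None
    payload, received_icv = message[:-ICV_LEN], message[-ICV_LEN:]
    expected_icv = compute_icv(key, payload)
    # compare_digest runs in constant time, so an attacker cannot learn how many
    # leading bytes of a forged ICV were right by timing the receiver
    if not hmac.compare_digest(expected_icv, received_icv):
        return False, None
    return True, payload


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Flip one bit: models an in-transit modification by a man in the middle."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def demo() -> bool:
    key = os.urandom(20)  # shared secret agreed out of band (IKE does this for IPSec)
    payload = b"TRANSFER 1000 TO ACCOUNT 42"  # constructed sample payload
    msg = build_message(key, payload)
    ok, data = verify_message(key, msg)
    assert ok and data == payload
    # changing a single bit of the payload invalidates the digest
    assert verify_message(key, flip_bit(msg, 3)) == (False, None)
    # a receiver holding a different key rejects even an untouched message
    assert verify_message(os.urandom(20), msg) == (False, None)
    return ok


if __name__ == "__main__":
    print("integrity check passed:", demo())
```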
Data Encryption
One way to protect data passing through unsecured data channels is to encrypt the data.
Encryption is the process of converting the data into coded form in such a way that only
authorized parties can access the information. Only those with the necessary password or
decryption key can decode and read the data. Encryption promotes confidentiality of sensitive
data.
Many encryption schemes and methods are available. Electronic mail packages often offer the ability to encrypt messages. Specialized encryption devices can be inserted into the data-transmission media to encrypt all the data that passes through. The level of encryption that you implement depends on the value of the data. When considering the value, consider what loss would be incurred if your competitors or the general public were to become aware of the contents of the data.
Data is encrypted and decrypted using algorithms, which in turn use a private key, a public
key, or a combination of the two. Data encryption is either symmetric or asymmetric, as
described in Table 4-2.
The encryption algorithms in Table 4-2 use different methods for encrypting data. Two commonly used methods are stream cipher and block cipher:
• Stream cipher, a type of symmetric encryption, encrypts data one bit at a time. Each plaintext bit is transformed into encrypted ciphertext. These algorithms are relatively fast to execute. The ciphertext is the same size as the original text. This method produces fewer errors than other methods, and when errors occur, they affect only one bit. RC4 is an example of a stream cipher.
• Block cipher encrypts data a block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream encryption. There are several modes of block cipher encryption. In ECB (Electronic Codebook) mode, each block is encrypted by itself, so every occurrence of a particular plaintext block is encrypted to exactly the same ciphertext block. In CBC (Cipher Block Chaining) mode, before a block is encrypted, information from the preceding block is added to the block. In this way, you can be sure that repeated data is encrypted differently each time it is encountered. The CFB (Cipher Feedback) mode allows encryption of partial blocks rather than requiring full blocks for encryption. DES is an example of a block cipher.
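Added example, not course code, of the two modes just described and of the stream-cipher error property from the first bullet. The standard library ships no DES, so the 64-bit block cipher here is a toy Feistel network with SHA-256 as its round function standing in for DES; the ECB and CBC mode logic, the PKCS#7 padding and the keystream XOR are the real constructions. Key, IV, nonce and plaintext are constructed sample values.

```python
"""ECB vs CBC block-cipher modes, plus the one-bit error property of a stream cipher."""
import hashlib

BLOCK = 8    # 64-bit blocks, the DES block size
ROUNDS = 8   # rounds of the toy Feistel cipher (DES uses 16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, r: int) -> bytes:
    # keyed pseudo-random function of one 32-bit half block (stand-in for DES's f)
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    left, right = block[:4], block[4:]
    for r in rounds:
        left, right = right, _xor(left, _round_fn(key, right, r))
    return right + left  # undo the final swap so decryption is the same routine


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))   # rounds in reverse order


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK   # PKCS#7: always add 1..BLOCK bytes
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # each block encrypted on its own: equal plaintext blocks give equal ciphertext blocks
    return b"".join(encrypt_block(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # each block is XORed with the previous ciphertext block (the IV for the first one)
    out, prev = [], iv
    for b in _blocks(pad(plaintext)):
        prev = encrypt_block(key, _xor(prev, b))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(prev, decrypt_block(key, c)))
        prev = c
    return unpad(b"".join(out))


def distinct_blocks(ciphertext: bytes) -> int:
    """Number of different 8-byte blocks in a ciphertext: the ECB leak in one number."""
    return len(set(_blocks(ciphertext)))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR with a keystream (here SHA-256 of key, nonce and a counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += _xor(data[i:i + 32], keystream)
    return bytes(out)   # decryption is the same XOR


def demo() -> dict:
    key, iv = b"constructed-key!", b"\x00" * BLOCK   # constructed sample values
    plaintext = b"SAMEDATA" * 4                      # four identical 64-bit blocks
    ecb, cbc = ecb_encrypt(key, plaintext), cbc_encrypt(key, iv, plaintext)
    assert ecb_decrypt(key, ecb) == plaintext and cbc_decrypt(key, iv, cbc) == plaintext
    # both ciphertexts hold 5 blocks (4 data + 1 padding): ECB shows the repetition, CBC hides it
    results = {"ecb_distinct": distinct_blocks(ecb), "cbc_distinct": distinct_blocks(cbc)}
    # stream cipher: a one-bit transmission error damages exactly one plaintext bit
    damaged_ct = bytearray(stream_encrypt(key, iv, plaintext))
    damaged_ct[5] ^= 0x01
    recovered = stream_encrypt(key, iv, bytes(damaged_ct))
    results["stream_bits_changed"] = sum(bin(a ^ b).count("1") for a, b in zip(recovered, plaintext))
    return results


if __name__ == "__main__":
    print(demo())
```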
For the current state of IPSec and to view all the RFCs that describe IPSec technologies, see the Internet Engineering Task Force Web site at www.ietf.org/html.charters/ipsec-charter.html.
Because of the high level of encryption, Windows 2000 and Windows XP systems must have the high encryption pack installed to use 3DES. In addition, because of its strong level of encryption, 3DES is one of those technologies that may not be available for export to some countries outside North America. See www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp and www.bxa.doc.gov/Default.htm for more information.
The second of these properties, encryption, is provided by one of two encryption algorithms, DES or 3DES.
• DES is a symmetric encryption algorithm that encrypts data in 64-bit blocks using what appears to be a 64-bit key. In fact it has only the strength of a 56-bit key, because one bit of each key byte is a parity bit: only seven bits of each of the eight bytes are used, which results in a key length of only 56 bits.
• 3DES is a symmetric encryption algorithm that encrypts data by processing each block of data three times using a different key each time. It first encrypts plaintext into ciphertext using one key, then encrypts that ciphertext with a second key, and finally encrypts the second ciphertext with a third key.
Depending on how you configure IPSec, you can use message digests, data encryption, or
both.
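Added example, not from the course, of the DES key-length point in the bullet above: DES reads the top seven bits of each key byte and treats the remaining bit as an odd-parity check, so two 64-bit keys that differ only in parity bits are the same DES key. It also shows how 24 bytes of 3DES key material are split into three such keys. The key bytes are constructed sample values.

```python
"""DES key parity: why a 64-bit DES key carries only 56 bits of strength."""
import os

KEY_BYTES = 8       # a DES key is 8 bytes (64 bits) as handed to the algorithm
KEY_BITS_USED = 56  # DES uses only 7 bits of each byte


def has_odd_parity(key: bytes) -> bool:
    """True when the key is 8 bytes and every byte has an odd number of 1 bits."""
    return len(key) == KEY_BYTES and all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key_material: bytes) -> bytes:
    """Keep the top 7 bits of each byte and set the low bit so the byte has odd parity."""
    out = bytearray()
    for b in key_material:
        top7 = b & 0xFE
        parity_bit = 0 if bin(top7).count("1") % 2 == 1 else 1
        out.append(top7 | parity_bit)
    return bytes(out)


def effective_key(key: bytes) -> int:
    """The 56 bits DES actually uses (7 per byte), packed into one integer."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def same_des_key(key_a: bytes, key_b: bytes) -> bool:
    """Two 64-bit keys that differ only in their parity bits drive DES identically."""
    return effective_key(key_a) == effective_key(key_b)


def random_des_key() -> bytes:
    """Generate a fresh key: 64 random bits, then fix up the 8 parity bits."""
    return set_odd_parity(os.urandom(KEY_BYTES))


def split_3des_keys(key_material: bytes) -> tuple:
    """3DES uses three independent DES keys: 24 bytes of material, 3 x 56 effective bits."""
    if len(key_material) != 3 * KEY_BYTES:
        raise ValueError("3DES needs 24 bytes of key material")
    return tuple(set_odd_parity(key_material[i:i + KEY_BYTES])
                 for i in range(0, 3 * KEY_BYTES, KEY_BYTES))


def demo() -> dict:
    raw = bytes.fromhex("0123456789abcdef")   # constructed sample key material
    key = set_odd_parity(raw)
    flipped = bytes(b ^ 0x01 for b in key)    # toggle every parity bit
    return {
        "parity_ok": has_odd_parity(key),
        "flipped_parity_ok": has_odd_parity(flipped),   # parity check now fails...
        "same_des_key": same_des_key(key, flipped),     # ...but DES would use the same key
        "fits_in_56_bits": effective_key(key).bit_length() <= KEY_BITS_USED,
        "keys_in_3des": len(split_3des_keys(raw * 3)),
    }


if __name__ == "__main__":
    print(demo())
```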
ACTIVITY 4-1
Investigating the Default IPSec Policies
Scenario:
You are the security administrator for an organization called MilTrack that does consulting for
military personnel. As the organization begins the process of adopting a security policy, you’ve
been asked some questions about a report you submitted detailing the default IPSec policies in
Windows 2000 and Windows XP.
1. Why use IPSec? Why isn’t it enough to harden the servers and the client computers?
2. In Windows 2000, display the default IPSec policies.
a. From the Administrative Tools menu, choose Domain Controller Security Policy.
3. If you want a Windows 2000 server to request negotiations for a secure session but still
communicate with a computer that does not respond to the request, you would use
the default IPSec policy.
4. If you want a Windows 2000 server to require secure communications at all times and
not communicate with another computer that can’t negotiate a secure session, you
would use the default IPSec policy.
5. Display the Server default IPSec policy and open the All IP Traffic rule.
a. Double-click the Server (Request Security) policy.
b. In the list of security rules, double-click All IP Traffic.
8. If you choose to use a pre-shared key as the authentication method, which characters
must the key contain?
9. True or False? You must explicitly assign a policy to a computer to apply its
settings to that computer.
10. What would happen if you had a Secure Server policy assigned to a Windows 2000
server but no Client policies assigned to the Windows XP computers in the network?
11. Close all windows.
a. Click Cancel in the Edit Rule Properties dialog box.
1. Reboot the computer into Windows XP Professional.
a. Restart the computer and choose Windows XP Professional from the boot loader menu.
e. Click Add.
3. Why are there Server and Secure Server policies on a Windows XP computer?
To deploy IPSec policies on the local computer, right-click the policy you want to
assign and choose Assign.
To deploy IPSec policies using Group Policy, assign the appropriate IPSec policy
at the site, domain, or OU level.
3. Test IPSec communications to verify that only secured hosts can communicate
with each other.
4. Verify that communications are secure by examining network data with a packet
analyzer such as Network Monitor or, in Windows environments, the Windows IP
Security Monitor MMC snap-in. To verify communications using Windows IP
Security Monitor:
a. In Windows IP Security Monitor, expand your computer object.
b. Expand the Main Mode folder and select the Security Associations folder.
c. Right-click the security association object and choose Properties to see the
authentication mode as well as the encryption and data integrity algorithms
negotiated for the security association.
ACTIVITY 4-3
Securing Network Traffic Using IPSec
Scenario:
Most of MilTrack’s consulting is done on site at military bases throughout the world, and it is your responsibility to set up Windows XP computers in each site, so that consultants can fill out background check applications and send them to a security officer for review. The consultants fill out applications while sitting at an available Windows XP system in an isolated workgroup. The data is then transferred to the security officer’s Windows XP computer so that she can review it before sending it to the government for final approval. The consultants will then be granted or denied the appropriate clearance to enter the military installations. In the past, MilTrack had consultants sit at the security officer’s computer and fill out the forms; however, this created a backlog of consultants waiting to use her computer. You now want to use additional isolated computers in your workgroup and transfer data securely between the computers using IPSec. The first workgroup you will secure by using IPSec contains two computers, your computer and the other Client# computer.
1. Modify the appropriate IPSec policy for your computer to use a pre-shared key of bogus123.
a. In the console tree pane, select IP Security Policies On Local Computer.
b. In the details pane, right-click the Secure Server (Require Security) policy and choose Properties.
Enter the key exactly as it appears here. IPSec is case-sensitive.
d. Click Edit.
f. Click Add.
i. Click OK.
k. Click OK.
l. Click Close.
3. Verify that you can connect to your partner’s computer using IPSec security.
a. Open a command prompt window.
b. Enter ping client#, where # is your partner’s computer number.
TOPIC B
Secure Wireless Traffic
Another reason why you might need to implement specialized network security is because of a particular type of networking technology that you are incorporating in your LAN. Wireless networking is becoming more and more prevalent in all types of LAN environments, and wireless devices and protocols pose their own security challenges. In this topic, you’ll learn to secure traffic over wireless LAN connections.
Wireless networking has become more and more popular because of the mobility it gives to network users, and the simplicity of connecting components to a LAN. However, that very simplicity creates security problems, because any attacker with physical access and a laptop with a wireless network adapter can attach to your wireless LAN, and once an attacker’s on your network, you have trouble. If you know the right security procedures, you can provide the convenience of wireless connections to your users without compromising network security.
Wireless Protocols
Just as wired devices on a network use protocols to communicate, so do wireless devices.
Listed in the following table are the most common wireless protocols today.
Protocol: Description
Wireless Application Protocol (WAP): A protocol that’s used to transmit data to and from wireless devices such as cell phones, PDAs, and handheld computers, sometimes over very long distances, to be displayed on small screens. You can use WAP to transmit Web pages (using Wireless Markup Language, WML), email, and newsgroups. WAP is an industry standard developed by companies such as Ericsson, Motorola, and Nokia. WAP has five layers: Wireless Application Environment, Wireless Session Protocol, Wireless Transport Protocol, Wireless Transport Layer Security (WTLS), and the Wireless Datagram Protocol.
802.11b: 802.11b (also called Wi-Fi, short for “wireless fidelity”) is probably the most common and certainly the least expensive wireless network protocol used to transfer data among computers with wireless network cards or between a wireless computer or device and a wired LAN. 802.11b provides for an 11 Mbps transfer rate in the 2.4 GHz frequency. (Some vendors, such as D-Link, have increased the rate on their devices to 22 Mbps.) 802.11b has a range up to 1000 feet in an open area and a range of 200 to 400 feet in an enclosed space (where walls might hamper the signal).
802.11a: 802.11a is a more expensive but faster protocol for wireless communication than 802.11b. 802.11a supports speeds up to 54 Mbps in the 5 GHz frequency. Unfortunately, that blazing speed has a limited range of only 60 feet, which, depending on how you arrange your access points, could severely limit user mobility. Although more secure and faster, 802.11a isn’t as widely deployed as 802.11b.
Vulnerability: Description
Data stored in plaintext: Often, users store personal and confidential information (for example, Social Security numbers, medical information, credit card numbers) on their handheld devices using a built-in text editing application or the device’s contact manager (Palm Databook or Microsoft Pocket Outlook). These contact managers do not store their information in an encrypted format. Palm OS permits the user to specify records as Private, but this is not an encrypted format and is easily accessible by an attacker familiar with the inner workings of the operating system, which means much of this data is accessible to crackers who have either stolen or temporarily borrowed a device.
Viruses: While there are currently few viruses and Trojans that affect handheld devices, they do exist. In fact, Symantec distributes a version of its antivirus software for Palm OS. Like other viruses, those that affect handheld devices cause trouble typically by deleting or corrupting data.
Buffer overflows: As with desktop and server applications, it’s also possible for applications on handheld devices to be vulnerable to buffer overflows, which may cause the device operating system to crash or reboot, and may also cause the loss of data or execution of rogue code on devices.
SSL on WAP: Many WAP gateways, through which WAP data travels between the Web server and the handheld device, have been found to have an SSL vulnerability. These gateways may not check the validity of the SSL certificate used for data encryption, which may allow rogue sites to capture personal and financial information without the user’s knowledge.
Lack of authentication: By default, many wireless access points (APs) will accept communications from just about any wireless device. While this might seem ideal because it means easy access to network resources without a lot of configuration, it also creates the perfect opportunity for the wrong people to get into your network, making wardriving a very real threat.
Some experts believe that wireless communication is inherently insecure and that there isn’t currently any practical way of really securing it.
Setup:
This is a simulated activity. In this simulation, you have a Windows XP Professional computer named elementk-ngqv7t. The Windows XP Professional computer has a wireless network adapter with a MAC address of 00-40-05-B8-2D-7C. The adapter is configured to obtain addressing information automatically. There is an 802.11b-compliant wireless router providing network and Internet access. The router’s MAC address is 00-40-05-B7-FF-81. In the simulation, the router obtains IP addressing dynamically from a DHCP server and automatically issues IP addresses to wireless clients on the 192.168.0.x network. The IP address of the administrative interface on the router is 192.168.0.1. Wireless clients use this IP address as their default gateway. The default management account for the router is admin with no password.
This activity was written using a D-Link Enhanced 2.4 GHz Wireless Router, model 614+ and D-Link Enhanced 2.4 GHz Wireless PCI adapter, model DWL 520+. For more information, visit www.dlink.com.
Scenario:
You have been assigned the task of tightening security for a small insurance sales organization called Eckert Insurance, Inc. Many of the employees are mobile users, and it is your responsibility to set up Windows XP laptop and desktop computers with wireless cards so that users can communicate with each other without having to run any cables. The CEO, Jim McBee, is concerned that attackers may steal customer information. Jim says that employees run applications and transfer customer data and sales information on Windows XP Professional systems configured in a workgroup. Jim wants to make sure that only valid computers can communicate with each other and also wants to encrypt the data transferred between computers.
You have successfully tested Internet access through the router on the first desktop computer. Now, you need to configure the router’s security features. First, you must configure the router with MAC filtering enabled and verify that the Windows XP Professional computer can communicate with the wireless router. You will then need to configure WEP on the router to verify that the data will be encrypted. The IT consultants for Eckert Insurance have developed a plan for wireless usage that requires all wireless traffic to be encrypted using 256-bit encryption with a key of all 5s. The IT consultants will later work with Eckert Insurance’s ISP to secure the router’s firewall, DMZ, and port filtering options. Configure the wireless security on your wireless router.
1. Run the Wireless.exe simulation file and open the Web management interface for the router.
a. From the student data files, run Wireless.exe. The simulated environment contains a simulated computer desktop. There is a navigation box in the lower-right corner of the simulation window.
b. Within the simulation window, click the Start button.
As you work through the simulated activity, it might occasionally be necessary to click the Next button in the simulation’s navigation box in order to advance to the next screen.
4. Verify that the wireless network card is now automatically using WEP.
a. In the simulation window, in the System Tray, double-click the icon for the D-Link AirPlus Utility.
b. In the left pane, click Encryption to verify that the Authentication mode is set to Auto.
For performance reasons, you should verify that the data transfer speeds of the wireless devices are at least 22 Mbps to compensate for the additional overhead of WEP. On the D-Link 614+ router, the default setting is Auto, but you can force the setting to 22 Mbps or reposition the router so it gets a better signal. With a better signal, the router should automatically set the data transfer rate to 22 Mbps.
j. Click Cancel.
TOPIC C
Secure Client Internet Access
In addition to securing the various types of traffic on your internal network, as you did in the first three topics, you also have to be concerned about the security of network packets that pass from your network to the Internet. A common source of traffic from your network out to the Internet is ordinary client-level Web access from users’ Web browsers and other Web tools. In this topic, you’ll learn to secure the traffic that flows from your client systems onto the Internet.
You might wonder why you need to care about traffic going out of your network. It seems as if what you really need to worry about is attackers coming in. But, in fact, attackers can look at an outbound data stream and get lots of useful information that can help them attack the network. Attackers will be looking at client traffic to determine the network addresses and computer names of the source systems inside your network, and they will try to grab users’ passwords and personal information off the wire as well. To prevent attackers from getting hold of information that they can use against you, be sure that the data your users send out into the world is properly secured.
Browser Vulnerabilities
Browsers are applications and, as such, are vulnerable to the same types of attacks that
threaten other applications. However, browsers do have some unique vulnerabilities, examples
of which are described in the following table.
Vulnerability: Description
Java: Attackers can exploit flaws in Java code to run malicious code of their own or gain access to the target’s file system.
Tool: Description
Zones: You can set one of four levels of security based on the four zones: Local Intranet (trusted intranet sites), Trusted Sites (trusted Internet sites), Restricted Sites (untrusted, potentially damaging sites), and Internet (unclassified sites). You can set these zones on a per-computer basis, or you can use the Internet Explorer Administration Kit (IEAK) or Group Policy to set these zones across your organization. Each zone has default settings that dictate how Internet Explorer will display and access the sites within that zone. The settings for each zone are customizable. You can also configure how cookies are handled for sites in the Internet zone (sites you haven’t put in any of the other zones, most likely sites you haven’t visited yet) using the Privacy page of the Internet Options dialog box.
Content Advisor: You can use Content Advisor to restrict access to Web sites based on their content, as rated by the Recreational Software Advisory Council (RSAC), using the categories Language, Nudity, Sex, and Violence. Or you can use another ratings system, such as the Internet Content Rating Association (ICRA) or SafeSurf. In addition to or instead of a ratings system, you can restrict specific sites, regardless of their content. You can also require an administrative password to view restricted sites. In addition, you can choose to turn off the AutoComplete feature to keep user names and private information from being entered automatically in Web forms.
ACTIVITY 4-5
Securing Client Internet Access
Data Files:
• IESecurity.rtf
Setup:
Your Windows XP computer has an administrative account named Admin100 with a password
of !Pass1234. This account has permission to access shares on the \\Client100 computer. There
is an unrated Web site available on the network at http://Server100. Files for this activity are
available at \\Client100\SPlus\Student\IESecurity.rtf.
Scenario:
You are the security administrator for a nuclear plant and need to make sure your new Windows XP Professional clients with Internet Explorer are secure. In the past, the plant’s IT department has had problems with users storing passwords in their Internet browsers. They have also had problems with users visiting sites that contain inappropriate content, and users have also downloaded unauthorized programs to their computers. Before connecting the new Windows XP Professional computers to your network, you need to make sure that the browser is configured properly to minimize the likelihood of attacks.
1. Unassign the IPSec policies on your computer.
a. From the Start menu, choose All Programs→Administrative Tools→IPSec Management.
h. Click OK.
c. Click Apply.
4. Configure the appropriate Web sites to allow use of cookies.
a. In the Web Sites area, click Edit.
b. In the Address Of Web Site text box, type nrc.gov and click Allow.
d. Click OK.
e. Click Apply.
h. Click OK.
k. Click OK twice.
Instructor Only:
7. Reboot your computer to Windows 2000 Server. This is to make the http://Server100 Web site available.
a. Restart your computer and boot to Windows 2000 Server.
b. Log on as Administrator.
Students:
8. Verify that you can connect to the http://Server100 Web site.
a. In the Internet Explorer Address bar, type http://Server100 and press Enter. You should see the default Web page on the Server100 Web site.
Vulnerability / Description
• PPTP: Microsoft's implementation of PPTP is susceptible to a number of attacks, including a dictionary attack against its LAN Manager (LM) password authentication mechanism. The MS-CHAP challenge response is derived from the LM hash of the user's password, which is weak enough that the password can be recovered offline from a single captured exchange. The weakness is in the authentication and key derivation, not in the tunnel itself, which is why the remedy is to stop accepting PPTP rather than to tune it.
• DHCP for remote access clients: If an attacker can connect to a remote access server that assigns clients' IP addresses using DHCP, the attacker gets a valid, routable address on the internal network and has the run of it. DHCP does not authenticate the client that asks for an address; the only control is whether the attacker could connect at all.
• Improperly configured remote access security: While most administrators would never think of allowing unlimited logon attempts or being lax with user name and password requirements on the local network, the same care is sometimes not given to remote access. Such a configuration invites brute force attacks against a dial-in or VPN remote access server, which is reachable by anyone with a phone line or an Internet connection.
• Wardialers: These tools dial every available phone number in an organization to find which numbers answer with modems, fax machines, and voicemail systems. This information can then be used to launch another attack. Wardialers include ToneLoc and PhoneSweep.
ACTIVITY 4-6
Hardening a Remote Access Server
Setup:
The Windows 2000 Server computer has a physical LAN adapter and also a virtual Microsoft
Loopback Adapter to simulate the presence of an external connection object. The Microsoft
Loopback Adapter has been configured with default IP settings. The RRAS server is configured
to use DHCP to distribute IP addresses to remote access clients.
Although the Routing and Remote Access Service (RRAS) is running on a domain controller for classroom and
testing purposes, RRAS should not run on a domain controller in production: a compromise of the remote access
server would then be a compromise of the directory itself.
Scenario:
One of the next tasks as the bank’s security administrator is to make sure your Remote Access
servers are secure. In the past, the bank has had problems with attackers accessing services and
data that they were not supposed to have access to through VPN connections. You will now
provide VPN services through new Windows 2000 Routing and Remote Access Servers. To
prevent users from accessing information that they are not supposed to and to prevent attackers
from getting data, the bank’s IT department has decided to place the new VPN Routing and
Remote Access Server behind the existing hardware firewall to set up a demilitarized zone
(DMZ). The hardware-based firewall has already been secured. Also, the Active Directory team
has already created a remote access security policy to determine who will have VPN access to
RRAS servers in your domain. Before connecting the new VPN server to your network, you
want to make sure that the VPN servers are hardened to minimize the likelihood of attacks
from external users. In particular, the bank does not want legacy PPTP Remote Access clients
to connect, but only clients that support L2TP with IPSec encryption. Because you will not use
PPTP on your server, you want to block PPTP packets that come from external networks. You
also want to configure the incoming clients with a reserved pool of static addresses on your
internal network. The network administration team has reserved the address range of
192.168.x.10-20 for this purpose. After you configure the VPN server, the bank’s desktop team
will test the connections from laptop VPN clients to make sure the security is not too
restrictive.
2. Disable PPTP on the RRAS server.
   a. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.
   f. Click OK twice.
4. Set up the static IP address pool.
   a. Right-click your RRAS server object and choose Properties.
   d. Click Add.
   g. Click OK twice.
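The scenario above requires blocking legacy PPTP from external networks while still admitting L2TP/IPSec clients. In packet-filter terms, PPTP is a TCP control channel on port 1723 plus GRE (IP protocol 47) for the tunnel; L2TP/IPSec is IKE on UDP 500 (UDP 4500 when NAT traversal is in use) plus ESP (IP protocol 50), with L2TP itself (UDP 1701) carried only inside ESP and never accepted in the clear. The following script is an added illustration, not part of the course or of RRAS: it audits a firewall ruleset written in iptables-save syntax for PPTP exposure on the external interface, comparing a weak ruleset with a hardened one. Both rulesets are constructed samples, and the interface name eth0 and the Linux iptables syntax are assumptions, since the course's Windows 2000 RRAS input filters are configured through the GUI.

```shell
#!/bin/sh
# Added example: audit a packet filter for PPTP exposure on the external
# interface of a VPN server that should accept only L2TP/IPSec.
# The rulesets below are constructed samples in iptables-save syntax;
# "eth0" is assumed to be the external (Internet-facing) interface.

EXT_IF=eth0

# Weak ruleset: the administrator left the legacy PPTP ports open.
WEAK_RULES='
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i eth0 -j DROP
'

# Hardened ruleset: only IKE, NAT-T and ESP are accepted from outside.
# L2TP (UDP 1701) is never accepted in the clear; it rides inside ESP.
HARD_RULES='
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 1723 -j DROP
-A INPUT -i eth0 -p gre -j DROP
-A INPUT -i eth0 -p udp --dport 1701 -j DROP
-A INPUT -i eth0 -j DROP
'

# pptp_exposed RULES: prints each rule that ACCEPTs PPTP (TCP 1723 or
# GRE) on the external interface; returns 0 if any was found, 1 if the
# ruleset is clean.
pptp_exposed() {
    found=$(printf '%s\n' "$1" | grep -- "-i $EXT_IF" | grep -- "-j ACCEPT" |
            grep -E -- '(-p tcp .*--dport 1723|-p gre)')
    if [ -n "$found" ]; then
        printf 'PPTP reachable from %s:\n%s\n' "$EXT_IF" "$found"
        return 0
    fi
    return 1
}

# cleartext_l2tp_exposed RULES: L2TP accepted outside of IPSec is a
# second misconfiguration worth flagging.
cleartext_l2tp_exposed() {
    printf '%s\n' "$1" | grep -- "-i $EXT_IF" | grep -- "-j ACCEPT" |
        grep -q -E -- '-p udp .*--dport 1701'
}

# hardened_ok RULES: a ruleset passes only if neither check fires.
hardened_ok() {
    ! pptp_exposed "$1" >/dev/null && ! cleartext_l2tp_exposed "$1"
}

if hardened_ok "$WEAK_RULES"; then echo "weak ruleset: PASS"; else echo "weak ruleset: FAIL"; fi
if hardened_ok "$HARD_RULES"; then echo "hardened ruleset: PASS"; else echo "hardened ruleset: FAIL"; fi
```

The same two checks apply to whatever filter sits in front of the VPN server: if any rule on the external side accepts TCP 1723 or GRE, PPTP is still reachable no matter what the RRAS port configuration says, and if UDP 1701 is accepted outside ESP, L2TP is running without the IPSec protection the scenario requires.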
Lesson Objectives:
In this lesson, you will manage a PKI.
You will:
• Install a Certificate Authority (CA) Hierarchy.
• Harden a Certificate Authority.
• Back up CAs.
• Restore the CA.
TOPIC A
Install a Certificate Authority (CA)
Hierarchy
You can implement certificate-based security either by obtaining certificates from a public Cer-
tificate Authority (CA), or by establishing your own CA. If you plan to use your own CA
servers to issue certificates on your network, then the first step in the process of setting up
public key security is installing the CA servers. In this topic, you’ll install CA servers into a
CA hierarchy.
You can only trust a certificate if you can trust the CA that issued it, and you can only trust
that CA if you can trust the CA above it in the chain. The entire certificate security system will
fail if the basic CA hierarchy is not properly established and authorized. If your job as a secu-
rity professional requires you to implement a CA design by installing CAs, you can use the
skills in this topic to make sure it’s done properly.
A public key infrastructure (PKI) is a system that is composed of a CA, certificates, software,
services, and other cryptographic components for the purpose of enabling authenticity and vali-
dation of data and/or entities—for example, to secure transactions over the Internet. A PKI is
composed of:
• Digital certificates—Electronic documents that bind the entity’s public key to the informa-
tion regarding that entity, to verify that an entity is who it claims to be.
• A Certificate Authority (CA)—The Certificate Authority is responsible for issuing digital
certificates to computers, users, or applications.
• A registration authority (RA)—The registration authority is responsible for verifying users
identity and approving or denying requests for digital certificates.
• A certificate repository—The database that contains the digital certificates.
• A certificate management system—A system that provides the software tools to perform
the day-to-day functions of the PKI.
CA Hierarchy
A PKI is implemented through a trust model or as it is more commonly called, a CA
hierarchy. A CA hierarchy is a single CA or group of CAs that work together to issue digital
certificates. At any given time, there may be thousands of issued certificates circulating in a
large corporation. A CA Hierarchy provides a way for multiple CAs to distribute the workload
and provide certificate services more efficiently.
In Windows 2000, do not install Certificate Services on a domain controller because it could pose a security risk.
Root CA Security
To provide the most secure environment possible for the root CA, companies will often
set up the entire CA hierarchy and then take the root offline, allowing the subordinate
CAs to issue all certificates. This strategy ensures that the root CA is not accessible by
anyone on the network and thus, it is much less likely to be compromised. The root is
brought up only when it has to sign a new subordinate CA certificate or publish its CRL,
and even then it stays disconnected from the network; requests and certificates travel to
and from it on removable media, which is exactly what the floppy disk in the activity
below represents.
Refer to RFC 3280 for standards for identifying information for CAs. You can find this RFC at
www.ietf.org/rfc/rfc3280.txt. (RFC 3280 has since been obsoleted by RFC 5280, which keeps the same certificate
and CRL profile.)
Setup:
The data file for this activity is available at \\Server100\SPlus\Student\UniversityCAspecs.rtf.
The installation source files for Windows 2000 server are available at \\Server100\SPlus\
Srv2000. You will need a floppy disk for this activity.
Scenario:
As the security administrator for a private university located in Rochester, NY, one of your job
functions is to make sure the Certificate Authority hierarchy designed by the IT department is
implemented correctly. In the past, the university has had problems with CAs being set up as
stand-alone and having unauthorized users being granted certificates. To prevent users from
receiving unapproved certificates and accessing information that they are not supposed to, and
also to prevent attackers from getting data, the university has decided to implement a new
secure CA hierarchy using Windows 2000 Servers. The IT design team has created and documented
a CA implementation plan in UniversityCAspecs.rtf. The plan calls for installing a
root CA for the entire university, taking the root CA offline, and then installing subordinate
CAs for each college. The Windows 2000 Servers on which you will install Certificate Ser-
vices have already been hardened to minimize the likelihood of attacks against the operating
system itself from external users.
Although Certificate Services is running on a domain controller for classroom and testing purposes, this is a
security risk.
You and your partner will need to decide on who will be the root CA (University CA) and who will be the subordi-
nate CA (College CA).
1. Install Certificate Services on the root CA.
   a. Open Control Panel and run Add/Remove Programs.
   e. Click Next.
2. Verify that Certificate Services was installed properly.
   a. From the Start menu, choose Programs→Administrative Tools→Certification Authority. The UniversityRootCA# object should appear in the MMC console.
Wait until your lab partner has completed the previous steps before proceeding.
6. Install Certificate Services on the subordinate CA.
   a. Open Control Panel and run Add/Remove Programs.
   e. Click Next.
Wait until your lab partner has completed the previous step before proceeding.
7. Use the certificate request file to request a certificate for your lab partner's subordinate CA.
   a. Insert the floppy disk containing the certificate request file into your floppy disk drive.
   f. Close Notepad.
Wait until your lab partner has completed the previous steps before proceeding.
10. Start the Certificate Server and install the CA certificate for the subordinate CA.
   a. Insert the floppy disk containing the downloaded server certificate file into your floppy disk drive.
Certificate Policies
Definition:
A certificate policy (CP) is a security policy that determines what information a digital
certificate will contain, what the requirements are to obtain a certificate, and the speci-
fications for the information in the certificate. The CP is developed by representatives
from the entire company including management, security, and network architecture.
The CP is formalized and an official certificate policy document is created. After the
CP is finalized, the CA software is configured to implement the stated policy.
Some companies make the document available on the Internet. For an example of a certificate policy
and certificate practice statement, go to www.entrust.com/resources/pdf/cps.pdf.
Once the certificate policy is finalized into a formal document and the CA software is
configured to conform to that policy, a separate certificate practice statement (CPS) is
developed. The CPS specifies how a particular CA will manage its certificates based on
the certificate policy for that CA. For example, the CP may require a photo ID be pre-
sented to obtain a certificate. The CPS will state that users can go to a designated local
registration authority and present their driver’s license to meet this requirement.
Each certificate policy is specifically created for a particular set of business require-
ments and security needs. The certificate policy can vary widely depending on its
purpose. A company may have several certificate policies at the same time and thus
have several types of certificates available to entities both inside and outside the
organization.
This variety of policies results in end users holding several certificates, and therefore
several key pairs, one for each purpose a certificate is used for. A common arrangement is
the dual key pair: a user has one key pair for digital signatures and a separate key pair
for encryption, each with its own certificate. Keeping them separate matters because the
two keys have opposite recovery requirements. The encryption private key should be archived
so that encrypted data can be recovered if the key is lost, whereas the signing private key
must never be archived or duplicated, or the signatures it produces lose their value as
proof of origin.
Table 5-2 shows some of the ways certificate policies can vary.
CA Vulnerabilities
While CA servers are vulnerable to the same exploits covered so far in this course, including
eavesdropping and malicious code, CAs also have unique vulnerabilities, all of which center
around the security of certificates and keys. If there isn’t tight control placed on the issuance
of certificates and keys, attackers could obtain certificates and exploit those trust relationships.
The following table describes a few common vulnerabilities.
Vulnerability / Description
• Unauthorized users: Your CA should issue certificates only to authorized users. If access control on enrollment is too loose, an attacker can obtain a certificate from your CA and use it to authenticate as, or sign on behalf of, an entity your systems trust.
• Physical security: If an attacker can physically access your CA, there is no limit to what he or she can accomplish, including copying the CA's private key, which is equivalent to owning the CA.
• Private keys: Weak private keys threaten the security of your entire CA hierarchy because they can more easily be broken and exploited by an attacker. A key that is strong but poorly protected (exported to a file, or backed up without a password) is just as dangerous.
ACTIVITY 5-2
Hardening a Windows 2000 Certificate Authority
Data Files:
• UniversityCAspecs.rtf
Scenario:
One of the next tasks as the university’s security administrator is to make sure the certificate
server is hardened based on the design documents of the IT department. In the past, the uni-
versity has had problems with unauthorized users being granted certificates. You have installed
new Windows 2000 CAs as Enterprise CAs in your domain so that you have the ability to
configure the certificate server to restrict user access to certificate templates. The IT department
has documented the required certificate template permission settings in the UniversityCAspecs.
rtf security guidelines document.
In the classroom, your CA is actually installed as a stand-alone CA. You will still be able to perform the required
permissions configurations in the Active Directory.
1. Use Active Directory Public Key Services to configure the appropriate permissions on the User template as specified in the UniversityCAspecs.rtf file.
   a. From the Start menu, choose Programs→Administrative Tools→Active Directory Sites And Services.
   b. Choose View→Show Services Node.
3. Suppose the University wanted only faculty members to be able to enroll certificates
from its Enterprise CAs. How would you configure security?
TOPIC C
Back Up Certificate Authorities
As a network administrator, you're probably used to backing up data and services on a regular
basis, so that you can restore the information in case of damage or loss. Your CA database is
no different. You should always have a valid CA backup on hand as a safety net for your CA
servers. Keep in mind that a CA backup contains the CA's private key as well as its database,
so the backup media and the password that protects it need the same physical and access
controls as the CA itself; a stolen backup is a stolen CA.
Scenario:
One of the next tasks as the university’s security administrator is to make sure the certificate
server is backed up based on the design document of the IT department. The university is con-
cerned about the possibility of the certificate server failing or being breached by an attacker
and wants to implement a backup strategy.
b. Click Next.
2. If you did lose your root CA due to system failure and you did not have the password to
restore, what would happen to the certificates that have already been issued?
TOPIC D
Restore a Certificate Authority
In Topic 5C, you learned to back up your CA to protect against disaster. With luck, you'll
never have to use that backup, but you should be ready to do so just in case the CA ever does
go down. In this topic, you'll learn to restore a CA server from a backup.
There are lots of things that can bring a CA server down. Ordinary problems such as a bad
hard disk or a loss of power can affect the system just like any other system, or, despite your
best efforts at hardening the server, an attacker might target and compromise the CA to obtain
user IDs, issue false certificates, or simply deny CA services. In these cases, restoring your
clean backup will be part of your plan for a speedy, safe, and effective CA restoration.
Scenario:
Some of the files for your CA server have become corrupted. Fortunately, you have a backup
copy that you can use to restore your CA.
g. Click Finish.
Lesson 5 Follow-up
In this lesson, you learned to manage a certificate-based security system through a public key
infrastructure (PKI). The tasks involved in managing a PKI range from implementing a CA
hierarchy to understanding how to restore the CA and restore lost keys. As a security profes-
sional, these skills will be vitally important if your company implements a PKI. You will be
the person they call on to get the services up and running.
1. What types of CAs are you familiar with?
Managing Certificates
Lesson Objectives:
In this lesson, you will manage certificates.
You will:
• Enroll certificates for entities.
• Secure network traffic using certificates.
• Renew certificates.
• Revoke certificates.
• Back up certificates and private keys.
• Restore certificates and private keys.
TOPIC A
Enroll Certificates for Entities
Using certificates is a process that has several stages. The first stage is enrolling and installing
certificates for the entities (users, devices, and services) who need them. In this topic, you’ll
learn to enroll certificates for various entities that require them.
A CA by itself doesn’t do you any good. You have to get the certificates enrolled properly for
the appropriate entities in order to implement certificate-based security. If a user, server, or
client machine doesn’t have the right certificate, there is nothing you can do to secure commu-
nications to or from that entity. The skills you’ll learn in this topic will help you request and
install the proper certificates for each security situation.
Scenario:
Now that your certificate server is functional, one of the next tasks as the university’s security
administrator is to enroll certificates for entities that require them. The university maintains a
Web-based student registration system. Internet Information Services has already been hard-
ened on your CAs and all University Web servers. One of the first implementations of using
certificates will be to make sure the data being transferred is secure on the student registration
Web servers. In order to do so, you will need to enroll a certificate for the Web server accord-
ing to the specifications in the UniversityCAspecs.rtf file.
The focus of this activity is on enrolling the certificate, not setting up the secure Web communications.
1. Create a file-based request for a new Web server certificate from your CA.
   a. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.
   f. Click Next.
2. Submit the request to your certificate server.
   a. Use Notepad to open the C:\Certreq.txt file.
   c. Close Notepad.
5. Install and verify the certificate.
   a. In Internet Services Manager, open the properties of the Default Web Site.
   c. Click Next.
For more information on TLS, see RFC 2246. For more information on SSL, visit http://wp.netscape.com/eng/
ssl3/.
Setup:
A certificate has been installed on the Web server. There is a home page for a student registra-
tion Web site on the server at the URL http://server#/register. The data file for this activity is
available at \\Server100\SPlus\Student\UniversityCAspecs.rtf.
Scenario:
Now that you have obtained and installed the required certificate, your next task as the univer-
sity’s security administrator is to enable secure communications on the student registration
Web site, which the University’s Webmaster has created on the Web server at http://server#/
register. You need to ensure that the enrollment data being transferred to and from the
registration Web site is secured according to the specifications in the UniversityCAspecs.rtf
file.
f. Click OK twice.
TOPIC C
Renew Certificates
After you initially configure certificate-based security, as you did in Topic 6B, the remainder of
your certificate management tasks have to do with maintaining the certificates over the rest of
their life cycle. Because certificates are temporary and can expire, your first concern will be
with renewing existing certificates at the appropriate intervals. In this topic, you’ll learn to
renew certificates.
Just like a driver’s license, certificates are designed to expire at regular intervals. If the driver’s
license was good indefinitely, society would have no way to verify over time that the driver
was still qualified to drive. And if certificates didn’t expire, an entity on the network could use
one indefinitely even if its job role or function had changed. So that drivers can keep their
license past the expiration period, most motor vehicle departments have a renewal process in
place that doesn’t interrupt a driver’s right to be on the road. It’s the same way with
certificates. You should renew certificates appropriately so that you don’t have any interrup-
tions in your security services.
ACTIVITY 6-3
Renewing a CA Certificate
Scenario:
Your root CA key has been compromised! To avoid student records being accessed inappropri-
ately, you need to correct the root CA key problem immediately. Because the existing key can
no longer be trusted, the CA certificate must be renewed with a new key pair, not merely
given a new validity period; every certificate issued under the old key, including the
subordinate CAs' certificates, then has to be reissued, and the old root certificate has to
be removed from the trust stores that relied on it.
d. Click OK.
TOPIC D
Revoke Certificates
In Topic 6C, you learned to perform certificate renewal, which is necessary when you want a
security entity to be able to continue using a certificate past its original expiration period. You
might sometimes encounter the opposite case, when you want a security entity to permanently
stop using a certificate for a period of time. To do that, you must revoke the certificate, which
is what we’ll do in this topic.
Remember that certificates are sort of like driver’s licenses; although they are only good for a
limited period, most people can simply renew theirs to keep it valid past the original
expiration. But sometimes, a driver loses the right to drive. In the same way, sometimes a
security principal no longer needs a certificate or should no longer be able to authenticate with
a certificate. Just like the driver’s license, the certificate has to be revoked to prevent its further
use.
Certificate Suspension
Certificate revocation permanently invalidates a given certificate. You can revoke cer-
tificates on any type of CA. Some Unix-based certificate server systems also support
certificate suspension, which enables you to temporarily invalidate a certificate with the
option of later reinstating it. Certificate suspension is not supported on Windows 2000
CAs. A suspended certificate is listed in the CRL with the reason code certificateHold, so
applications that check certificate status against the CRL treat it as revoked for as long
as it stays on hold, and accept it again once it is removed from the CRL.
Revoke Certificates
Procedure Reference: Revoke a Certificate
You may need to revoke certificates when an entity is compromised. To revoke a cer-
tificate:
1. Revoke the certificate itself. For Windows 2000, in Certification Authority, select
the Issued Certificates folder, right-click the certificate you want to revoke, and
choose All Tasks→Revoke Certificate. You can specify a reason why the certifi-
cate was revoked.
2. Publish the CRL. The CRL is published automatically at an interval that you
specify, and can also be published manually. A CRL only protects relying parties
that can fetch it, so the publication location must match the CRL distribution
point (CDP) URLs in your certificates and be reachable by every client that
validates them. A revoked certificate remains usable by an attacker until the next
CRL reaches those clients, which is why the publication interval has to be shorter
than the exposure you are willing to accept.
• To publish a Windows 2000 CRL manually, in Certification Authority, right-
click the Revoked Certificates folder and choose All Tasks→Publish.
• To modify the CRL publication interval on a Windows 2000 server, in Certi-
fication Authority, open the properties of the Revoked Certificates folder and
set the Publication Interval to the desired value.
Scenario:
One of your colleagues in IT thinks that a student has compromised the private key of the
student registration Web server. IT wants to make sure the suspect key is no longer trusted.
In cases like this, the University's CA security guidelines call for revocation of the
compromised certificate and immediate publication of the CRL.
1. Revoke the certificate for the Web server.
   a. In Certification Authority, select the Issued Certificates folder.
ACTIVITY 6-5
Modifying the CRL Publication Interval
Setup:
You have a new installation of a Windows 2000 Server configured as a certificate server. The
computer name is Server# and it is installed in a domain named Domain#, where # is a unique
integer assigned to you by the instructor. The default administrator account has been set up
with a password of !Pass1234.
Scenario:
Your CA is configured with the default publication interval for the CRL. The University’s CA
security guidelines call for daily publication of the CRL. You’re responsible for configuring
your CA in accordance with the guidelines.
1. Change the publication interval for the CRL.
   a. In Certification Authority, open the properties of the Revoked Certificates folder.
TOPIC E
Back Up Certificates and Private
Keys
Without certificate keys, public-key security simply cannot function. Due to their necessity,
keys should be safeguarded closely. However, despite the best precautions, keys are occasion-
ally damaged or lost. You need to have backup procedures for certificates and keys so that you
can restore them when needed.
ACTIVITY 6-6
Backing Up a Certificate and Private Key
Data Files:
• UniversityCASpecs.rtf
Setup:
You will need a floppy disk for this activity.
Scenario:
The University has decided to secure email communications through the use of individual
email certificates for each student and staff member. The security design team has developed
recommendations for the strength of the email certificates. They have also developed recom-
mendations for maintaining backup copies of the email certificates and their associated private
keys, to guard against loss or compromise of the certificates. As the security administrator,
your job is to support enrollment for email certificates, and to maintain backups of each issued
certificate according to the specifications in the UniversityCAspecs.rtf. You will need an email
certificate enrolled and backed up for your own personal Administrator user account.
1. Request a certificate for email protection for the Administrator user.
   a. Open Internet Explorer and connect to http://server#/certsrv, where # is your student number.
   b. Verify that Request A Certificate is selected and click Next.
   c. Select Advanced Request and click Next.
   d. Verify that Submit A Certificate Request To This CA Using A Form is selected and click Next.
   i. Click Submit.
If your system is unable to download the ActiveX control to create the enrollment form, you will need to install the Certificate Enrollment Control patch from Microsoft Security Bulletin MS02-048 (Knowledge Base article Q323172). You can download the patch from http://support.microsoft.com/default.aspx?scid=kb;en-us;323172.
3. Install the new email certificate for the Administrator user.
   a. In Internet Explorer, select Check On A Pending Certificate and click Next.
   d. Click Add.
   j. Click Finish.
M of N Control
Regardless of which recovery method you use, only a limited number of agents or
trustees have the authority to recover a key, and no single one of them should be
able to do it alone. The M of N control expresses this as a quorum: the recovery
secret is divided among N trustees, and any M of them (M no larger than N, and
normally greater than 1) must cooperate to perform a recovery. A 3-of-5 control, for
example, still works if two trustees are unavailable, yet requires three people to
collude before the key can be misused.
ACTIVITY 6-7
Restoring a Certificate and Private Key
Setup:
There is a backup copy of the Administrator user’s email certificate and private key on a
floppy disk. There is a Certificates MMC console for the Administrator user.
Scenario:
A staff member’s email certificate and private keys have become corrupted. Fortunately, you
have followed the procedures in your security policy document and maintain backup copies of
all user certificates and private keys. You can use these backups to correct the user’s problem.
c. Click Next.
h. Click Finish.
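Windows exports a certificate and its private key together in PKCS #12 (.pfx) form, which is what the Certificate Export Wizard in Activity 6-6 writes to the floppy disk. The following OpenSSL script, an added example rather than course material, performs the same backup and the restore of Activity 6-7 from the command line: it exports the pair under a password, confirms the file cannot be opened without it, restores key and certificate, and checks that the restored private key really belongs to the certificate. The user name, e-mail address, key pair and password are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the course): back up a certificate and its
# private key to a password-protected PKCS #12 file, restore them, and
# prove the restored key matches the certificate. The self-signed test
# certificate and the password are constructed for the illustration.
set -e

# backup_key DIR PASSWORD: create a test certificate and key, then export
# both into DIR/backup.p12 protected by PASSWORD (the same format the
# Windows export wizard produces as a .pfx file).
backup_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Administrator/emailAddress=admin@example.edu" \
        -keyout "$1/user.key" -out "$1/user.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1/user.crt" -inkey "$1/user.key" \
        -name "Administrator email" -passout "pass:$2" -out "$1/backup.p12"
}

# backup_is_encrypted DIR: the backup must be unreadable without the
# password; a wrong password fails the integrity (MAC) check.
backup_is_encrypted() {
    ! openssl pkcs12 -in "$1/backup.p12" -passin pass:wrong -nodes \
        -out /dev/null >/dev/null 2>&1
}

# restore_key DIR PASSWORD: recover the private key and the certificate
# from the backup into DIR/restored.key and DIR/restored.crt.
restore_key() {
    openssl pkcs12 -in "$1/backup.p12" -passin "pass:$2" -nocerts -nodes \
        -out "$1/restored.key" 2>/dev/null
    openssl pkcs12 -in "$1/backup.p12" -passin "pass:$2" -nokeys \
        -out "$1/restored.crt" 2>/dev/null
}

# key_matches_cert KEY CERT: 0 if the public key inside CERT is the one
# derived from KEY, i.e. the restore gave back the right private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

work=$(mktemp -d)
backup_key "$work" 'correct horse battery staple'
backup_is_encrypted "$work" && echo "backup unreadable without the password"
restore_key "$work" 'correct horse battery staple'
key_matches_cert "$work/restored.key" "$work/restored.crt" && echo "restored key matches the certificate"
```

The password is the only thing standing between whoever finds the floppy and the user's private key, so it belongs under the same controls as the key itself, and it must be recorded somewhere the recovery agents can reach it; a backup whose password nobody remembers is as good as no backup.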
Lesson 6 Follow-up
In this lesson, you learned what is involved in the day-to-day management of certificates.
Regardless of how simple or complex your certificate hierarchy is, you will still need to do
different tasks such as issue, revoke, renew, and eventually expire certificates. Each of these
tasks plays an equally important role in managing certificates.
1. What types of certificate management functions have you performed?
2. Which function of digital certificate management do you find the most common? What
function is the most complex?
Enforcing Organizational
Security Policy
Lesson Objectives:
In this lesson, you will enforce an organizational security policy.
You will:
• Enforce corporate security policy compliance.
• Enforce legal compliance.
• Enforce physical security compliance.
• Educate users.
TOPIC A
Enforce Corporate Security Policy
Compliance
In the first several lessons of this course, you learned the skills you need to configure security
according to the requirements of your organization. After the initial configuration, you will
need to make sure that the configuration is maintained appropriately over time. In this topic,
you’ll learn to enforce compliance with your own organization’s security policy.
It’s not enough to have a security policy documented or even to take the initial steps to config-
ure your systems to match the policy. Unless you have a way to ensure that you conform to
the policy on an ongoing basis, cracks are going to appear in your security infrastructure, and
the attackers will be out there just waiting to pry open those cracks and jump through onto
your network. To maintain a safe and secure environment, make sure you take the time to
make sure you are always in compliance with the security needs of your own organization.
Guidelines
To enforce corporate security policy compliance:
• Read all applicable policy documents thoroughly so that you understand the stan-
dards and guidelines that pertain to your organization.
• Monitor security-related activities in your organization.
• Take appropriate actions to correct the situation when a security policy is broken.
ACTIVITY 7-1
Enforcing a Security Policy for an Organization
Data Files:
• NationalBankAcceptableUsePolicy.rtf
Scenario:
As the security administrator for National Bank, a help desk employee, Randy Williams, has
given you a report of information gathered at the help desk. He thinks that there are some pos-
sible security issues. He asks you to determine whether or not they are within the guidelines of
your Acceptable Use security policy. You will not be responsible for terminating users, but it is
your responsibility to enforce the policy and make sure the appropriate changes are made
based on possible breaches. You will then report back to Randy with your findings.
Using the \\Server100\SPlus\Student\NationalBankAcceptableUsePolicy.rtf policy document,
determine which of the following scenarios are within the guidelines of the organization’s
policy. If not, what steps would you take to enforce the security policy?
1. A user, Curt, decides to practice his skills with Network Monitor, a tool that he just
learned to use in a Microsoft SMS class.
TOPIC B
Enforce Legal Compliance
In Topic 7A, you learned to enforce security policies that are designed to meet the internal
needs of your organization. But, as a security professional, you might have responsibility for
meeting the security needs of outside legal authorities as well. In this topic, you'll enforce
compliance with any security requirements that your company might legally be required to
meet.
Legal security compliance requirements can affect your company in a variety of situations. You
might work for a company in a publicly-regulated industry such as the nuclear power industry.
Your company might have business partnerships with or provide services or products to any
one of a number of government agencies. You also have responsibilities to your local munici-
pality for safety and security. As a security professional, you’ll need to be able to demonstrate
that your company is in compliance with any or all of these entities’ security requirements.
For more information on standards and regulations, including various international standards, visit http://
securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.security.policy.html.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is important federal legislation that
impacts security professionals in the United States. This legislation provides standards for maintaining individu-
al’s health records and guidelines for enforcing those standards. It also guarantees the security and privacy of
health information. Any security professional working with health care or a related industry in the United States
must be aware of this law.
In the legal realm, the critical issues for security professionals are:
• Evidence collection—Following the correct procedure for collecting evidence from floppy
disks, hard drives, smart cards, and other media. As in any other case, evidence that is
improperly collected may not be admissible in court.
• Evidence preservation—Criminal cases can take years to resolve and the evidence needs
to be properly preserved for a lengthy period of time.
Guidelines
To verify that your organization is in compliance with the legal requirements of government
and regulated industries:
• Read all relevant policy documents that your organization maintains.
• Work with your organization’s legal counsel to stay current with all governmental
actions that affect security requirements for your industry, and update your internal
policies accordingly.
• Request periodic reviews of your internal policy documents from legal counsel.
• Monitor your organization for compliance with all relevant regulations.
• Take appropriate actions if you determine that your organization is not in
compliance.
Example:
You are a security administrator for a nuclear power plant, which is subject to regulation
by the Nuclear Regulatory Commission (NRC). To keep yourself abreast of new
NRC regulations, you visit the NRC’s RuleForum Web site (http://ruleforum.llnl.gov/)
on a weekly basis. When new rules are proposed, you work with your legal team to
determine if your existing policies and procedures would be in compliance with the new
rules. If not, you draft an action plan for modifying your policies and procedures and
implement the plan once the final rule is adopted.
Scenario:
As the security administrator for National Bank, you have been assigned the task of determining
when appropriate legal action should be taken based on the bank’s Acceptable Use policy.
Use the Acceptable Use policy document to determine if your security policy calls for legal
action in any of the following situations.
1. A user opens an attachment which causes a virus to spread within the organization.
2. A user emails a copy of a new type of encryption software program to a user in a foreign
country for testing.
5. Two employees have an argument at lunchtime. During the afternoon, one user sends
a threatening email to the other. The second employee is afraid to leave the building
unescorted that evening.
ACTIVITY 7-3
Investigating Business Continuity and Disaster Recovery Plans
Scenario:
As security administrator for your company, Riordan Software Systems, you’ve been asked to
join a committee of high-level managers to develop a Business Continuity Plan (BCP) and
Disaster Recovery Plan (DRP). Before the committee’s first meeting, you decide to do some
research on the Internet.
1. Search the Internet for information on BCPs and DRPs.
   a. Open Internet Explorer and go to your favorite search engine.
6. What tools are available to help you create a BCP and DRP?
7. In your opinion, which of the tools you’ve found in your research would be most helpful
to you in creating a BCP or DRP? Why?
8. You’ll probably see in your research that risk assessment is an important part of creating
a BCP. Why is that?
9. In your opinion, of buildings, devices, and communications, which do you think is generally
most vulnerable to attack? Which do you think would be most difficult to recover?
10. Close your browser window when you’re done.
   a. Click the Close button to close your browser window.
Usually security personnel are notified that you will be testing. This is critical in high security
sites such as military installations, nuclear plants, and other environments where firearms are
used. Consult the legal team within the organization before testing physical security breaches.
6. Take the appropriate actions when a physical security policy procedure is broken.
Alternate Sites
Depending on the nature of your business, you might need to implement alternate sites
to ensure that an attack doesn’t cause any disruption in your operations. Alternate sites
are in different geographic regions and are used to continue your business in the event
of a failure at your primary physical location. Alternate sites are generally one of three
types, as described in Table 7-3. Which site you implement depends on the needs of
your organization.
Secure Recovery
When creating a DRP, it’s important to include provisions for securely recovering data,
systems, and other sensitive resources. The DRP should include steps necessary to
secure not only physical resources, such as computers, the network infrastructure, and
any physical backup media, but steps to secure the recovery process itself. This might
mean designating a trusted administrator to administer the DRP and any steps taken to
restore systems or processes necessary to recover from disaster and continue operations
either at the primary site or an alternate site.
ACTIVITY 7-4
Implementing a Physical Security Policy for an Organization
Data Files:
• UKSecurityPolicy.rtf
Scenario:
As the security administrator for your organization located in London, you have been assigned
the task of implementing a security policy. You are basing your policy, UKSecurityPolicy.rtf,
on the sample template available from www.ruskwig.com/security_policies.htm. Currently,
the top priority at your organization is physical security, as someone recently broke into company
headquarters and stole hardware and data. You need to protect over £100,000 worth of
new equipment that is now centrally stored in your computing center. At the minimum, you
will be implementing the following security measures in the computing center:
1. Locks will be placed on computer room doors.
2. Blinds will be installed on windows.
3. No computers will be placed by windows.
2. Besides using blinds and locks on the windows, what else could you recommend using
to secure the windows from unauthorized access?
3. Once the motion-detection alarms are installed, what procedure will you need to follow
to verify they are working properly?
4. Given the security requirements of this company and the category of risk the computing
center falls into, what other physical security recommendations could you make,
based on this document?
Guidelines
To educate your users on security practices:
• Train new users on how to use their computers, applications, and organizational
security policies. Focus on potential security problems throughout the training.
• Post all policies so that they are easily available to all users.
• Notify users when changes are made to policies. Educate them on the new
changes.
• Periodically test user skills after training to verify they are implementing proper
security. For example, you can use planned social engineering attacks.
• Post information such as a link to http://hoaxbusters.ciac.org/ on the company
Web site to assist users in determining whether or not emails are hoaxes.
Example:
In new-hire orientation, all new employees at your organization are briefed on the
security standards of your company and connect to the company’s internal Web site,
which contains links to all the company’s security policy documents. After training,
you email the address of the Web site to all new employees. One new Accounting
department employee has difficulty creating an acceptable password for the accounts
payable database system; she visits the Web site, opens the password policy document
stored there, and successfully creates a strong password in accordance with corporate
guidelines.
ACTIVITY 7-5
Educating Users
Scenario:
As the security administrator for a nuclear power plant, one of your responsibilities is coordinating
the employee security education program. The plant has recently experienced several
security incidents involving improper user behavior. IT staff and plant management have come
to you for recommendations on how to implement proper employee training procedures to prevent
similar problems in the future.
1. A virus has spread throughout your organization, causing expensive system downtime and
corruption of data. Once you have dealt with the immediate crisis, you review network
logs to try to determine the source of the virus. It soon becomes apparent that it was sent
to many users as an email attachment. The original email presented itself as a marketing
survey and stated that if the user double-clicked the attachment, a tracking message
would be sent to Microsoft. The user would receive $10 from PayPal as a thank you. The
email also suggested forwarding the attachment to friends and family. You quickly determine
that this is a well-known email hoax that had already been posted on several hoax-related
Web sites.
Most of the users in your organization received the email from the same individual inside
the company. When questioned, this employee said that he thought it sounded as if it
could be legitimate, and he couldn’t see any harm in “just trying it.”
3. You come in on a Monday morning to find laptops had been stolen from several employees’
desks over the weekend. After reviewing videotapes from the security cameras, you find
that as an employee exited the building through the secure rear door on Friday night, she
held the door open to admit another individual. You suspect this individual was the thief.
When you question the employee, she states that the individual told her that he was a
new employee who had not yet received his employee badge, that he only needed to be in
the building for a few minutes, and that it would save him some time if she could let him
in the back door rather than having to walk around to the receptionist entrance. Your
security policy states that no one without identification should be admitted through the
security doors at any time, but the employee says she was unaware of this policy. You ask
her to locate the security policy documents on the network, and she is unable to do so.
5. One of your competitors has somehow obtained confidential data about your organization.
There have been no obvious security breaches or physical break-ins, and you are puzzled
as to the source of the leak. You begin to ask questions about any suspicious or unusual
employee activity, and you begin to hear stories about a sales representative from out of
town who didn’t have a desk in the office and was sitting down in open cubes and plugging
her laptop in to the corporate network. You suspect that the sales representative was
really an industrial spy for your competitor. When you ask other employees why they
didn’t ask the sales representative for identification or report the incident to security, the
other employees said that, given their understanding of company policies, they didn’t see
anything unusual or problematic in the situation. You review your security policy documents
and, in fact, none of them refer to a situation like this one.
Lesson 7 Follow-up
In this lesson, you performed routine tasks that ensure your organization stays in compliance
with the organization security policy. Although this is not nearly as exciting as chasing attackers
or managing a PKI, it is even more essential to the health of your security structure. All
the effort you put into identifying potential security threats and securing the individual systems
will not protect your company’s sensitive data if the security policy is not adhered to. When
there is a security breach, it is the administrators that ensure policy compliance that are held
responsible. The policy is developed to protect company assets, and it is up to the security professionals
to be sure the policy is followed.
1. What are some corporate policies that you are familiar with?
2. Have you ever witnessed a policy being broken? What was the result?
Lesson Objectives:
In this lesson, you will monitor the security infrastructure.
You will:
• Run vulnerability scans.
• Monitor for intruders.
• Set up a honeypot.
• Respond to security incidents.
TOPIC A
Scan for Vulnerabilities
Monitoring your security infrastructure is an ongoing job responsibility for a security
professional. You will need to perform a variety of tasks on a regular basis to ensure that your
security is not breached. One of these regular tasks is to periodically review your system vulnerabilities,
so that you can detect them before attackers do. In this topic, you will scan for
vulnerabilities on your system.
Many times, one of the first steps an attacker takes to break into a system is to scan the system
for vulnerabilities. It is critical to discover where the possible points of entry are on your
network and systems. Even if you have taken every precaution to harden your network components
and services, there will still be vulnerabilities that you may not be aware of, but that you
can be sure attackers will find. The best way to find these vulnerabilities is to perform a scan
yourself and patch the holes before the attackers find them.
While it’s probably true that no two network attacks are the same or are carried out in the
same manner, generally speaking there is a process that most experienced attackers employ
when they carry out an attack. The more you know about this process the better you’ll be able
to recognize it in its early stages and put an end to it before it takes down your servers or
compromises your data.
If you scan a Windows system for open ports, you may see a variety of port assignments over
1024. This does not mean the service associated with that port is running on the Windows
system. Port numbers above 1024 are registered ports, not well-known ports, and they are not
managed by the Internet Assigned Numbers Authority (IANA), although IANA maintains the
registry list. Windows assigns these ports dynamically as session ports to create network
connections.
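The following is an added example and not part of the course materials: it performs the kind of self-scan the text recommends (a full TCP connect to each port, so a port is reported open only if something really accepts the connection) and then labels each open port with its IANA range, which is what you need when deciding whether a high-numbered port is a service or merely one of the session ports Windows hands out. IANA currently divides the space into well-known (0-1023), registered (1024-49151) and dynamic/private (49152-65535) ports. The loopback listener in start_listener() is a constructed stand-in for a real service so the script runs offline.

```python
"""Added example (not part of the course): a TCP connect scan of a host, plus
classification of each open port by its IANA range, to help interpret the
high-numbered ports mentioned above. The loopback listener stands in for a
real service so the script runs offline."""
import socket

# IANA port ranges: 0-1023 well-known, 1024-49151 registered, 49152-65535 dynamic.
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151


def classify_port(port):
    """Return the IANA range name for a TCP/UDP port number."""
    if not 0 <= port <= 65535:
        raise ValueError("port must be 0..65535")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


def scan_ports(host, ports, timeout=0.5):
    """Try a full TCP connect to each port; return the open ones, sorted.

    connect_ex() returns 0 only when the three-way handshake completes,
    so a port is reported open only if something is actually listening."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def describe(open_ports):
    """Map each open port to its IANA range so a reviewer can separate
    well-known service ports from registered/dynamic ones that, on Windows,
    are often just session ports as the text above explains."""
    return {port: classify_port(port) for port in open_ports}


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for a listening service: bind an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    listener = start_listener()
    port = listener.getsockname()[1]
    found = scan_ports("127.0.0.1", [21, 22, 80, 443, port])
    for p, kind in describe(found).items():
        print(f"port {p}/tcp open ({kind})")
    listener.close()
```

Run against a server you administer, the output lists what is actually listening; anything in the well-known range that you did not intend to expose is the first thing to revisit in your hardening checklist, while a single high port that disappears on the next scan is most likely a session port.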
4. Manually review your system audit logs as well as any logs created by the scanning
program.
5. If possible, install a tool to automate the process of reviewing and analyzing audit
logs.
6. If vulnerabilities are found, revisit your hardening procedures to harden your operating
systems and devices.
7. Consider registering with Security Event Aggregators such as www.dshield.org/
or www.mynetwatchman.com/. They will also analyze your firewall logs and act
as a fully automated abuse escalation/management system.
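As an added illustration of step 5 (automating audit log review), and not code from the course, the script below reads logon audit records and raises the two alerts a manual review would look for: a burst of failed logons from one source, and a successful logon from a source that had just produced such a burst, which is the signature of a guessed password. The log line format and every record in SAMPLE_LOG are constructed for this example; a real deployment would substitute the parser for its own event-log export format.

```python
"""Added example (not from the course): automated review of logon audit
records to surface what a manual log review looks for. The log format and
every line in SAMPLE_LOG are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (one event per line, not from any real system).
SAMPLE_LOG = """\
2003-04-07 08:01:12 LOGON_FAILURE user=jdoe src=192.168.5.20 reason=bad_password
2003-04-07 08:01:15 LOGON_FAILURE user=jdoe src=192.168.5.20 reason=bad_password
2003-04-07 08:01:17 LOGON_FAILURE user=admin src=192.168.5.20 reason=bad_password
2003-04-07 08:01:20 LOGON_FAILURE user=admin src=192.168.5.20 reason=bad_password
2003-04-07 08:01:22 LOGON_FAILURE user=admin src=192.168.5.20 reason=bad_password
2003-04-07 08:01:25 LOGON_SUCCESS user=admin src=192.168.5.20
2003-04-07 09:15:02 LOGON_FAILURE user=mlee src=192.168.5.31 reason=bad_password
2003-04-07 09:15:40 LOGON_SUCCESS user=mlee src=192.168.5.31
"""


def parse_line(line):
    """Turn 'YYYY-MM-DD HH:MM:SS EVENT key=value ...' into a dict."""
    date, time, event, *pairs = line.split()
    record = {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
              "event": event}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for (a) `threshold` or more failed logons from one source
    inside `window` and (b) a successful logon from a source that had just
    reached that failure count, which is the pattern of a guessed password."""
    failures = defaultdict(deque)   # source address -> recent failure times
    already_flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        recent = failures[rec["src"]]
        if rec["event"] == "LOGON_FAILURE":
            recent.append(rec["ts"])
            # Drop failures older than the sliding window before counting.
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and rec["src"] not in already_flagged:
                already_flagged.add(rec["src"])
                alerts.append({"type": "BRUTE_FORCE", "src": rec["src"],
                               "ts": rec["ts"], "failures": len(recent)})
        elif rec["event"] == "LOGON_SUCCESS":
            if len(recent) >= threshold:
                alerts.append({"type": "SUCCESS_AFTER_FAILURES", "src": rec["src"],
                               "ts": rec["ts"], "user": rec["user"]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)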
Do not use this tool, or any other hacking tools in class, on a computer other than those specified in the activities
unless the instructor grants permission. There may be serious ramifications if you use these tools outside of
the classroom subnet. For example, they may violate certain ISP agreements.
Scenario:
You are the security administrator for a large brokerage firm and need to make sure your new
Windows 2000 servers are secure by scanning your servers for open ports. The brokerage
firm’s IT department has had problems in the past with attackers getting access to applications
on servers by getting through the firewall and accessing open ports on the servers. You have
already hardened your servers and now want to check your work. Before connecting the new
Windows 2000 servers to your network, you need to make sure not only that the base operating
system is hardened, but also that no unnecessary ports are open on the servers to minimize
the likelihood of attacks. There are two Windows 2000 servers that you are responsible for
scanning; your own computer, and another Windows 2000 server named Server100.
b. Click Next.
d. Click OK.
h. Click Save.
3. What ports were open on your Windows 2000 Server? Should these ports be open?
g. Close SuperScan.
5. What ports were open on the Server100 computer? Should these ports be open?
ACTIVITY 8-2
Scanning for System Vulnerabilities
Setup:
The Intrusion SecurityAnalyst tool is available on the network at
\\Server100\SPlus\SecurityAnalyst\Setup.exe.
Scenario:
You are the security administrator for a small government agency. You have already hardened
all of your servers and other computer systems, but a new regulation requires that you also
perform periodic vulnerability scans to audit system security against a high-security standard
profile. Periodic scans will enable you to see what vulnerabilities lie in your network, and also
keep track of any changes that have been made to your systems. This will allow you to monitor
internal users as well as detect outside attackers. You have selected SecurityAnalyst as your
vulnerability scanning tool.
b. Click Next.
3. Audit your system against the default Security Standard.
   a. In the Analyst Bar, click Run Security Audit to open the Run Security Audit-New SnapShot pane.
4. View the risks on your system.
   a. On the Report Card screen, click List Risks.
d. Close SecurityAnalyst.
7. Given this analysis information, what steps could you take to harden your system further?
SMBRelay
SMBRelay is a command-line program that you can use to determine if Windows computers
are vulnerable to a man-in-the-middle attack against the Server Message Block
(SMB) protocol. If this protocol is compromised, an attacker can then read the data
stream to gain access to Windows passwords and crack them with a password-cracking
ACTIVITY 8-3
Scanning for Man-in-the-Middle Vulnerabilities
Setup:
SMB Signing has been implemented on your computers as part of the hardening process.
Scenario:
One of the next tasks as the security administrator for the brokerage firm is to make sure your
new Windows 2000 systems are secure by scanning your systems for various vulnerabilities.
The brokerage firm’s IT department wants to make sure they have done everything reasonable
to prevent intrusions and that none of your security measures have been altered or
compromised. The firm is particularly concerned with verifying that the servers are not susceptible
to man-in-the-middle attacks.
1. Copy SMBRelay from the network to a new C:\SMBRelay folder on your local computer.
   a. Create a folder named SMBRelay on your C drive.
   b. Connect to \\Server100\SPlus\SMBRelay.
ACTIVITY 8-4
Verifying Password Strength
Do not use this tool, or any other hacking tools, on computers other than specified in the activities unless the
instructor grants permission. There may be serious ramifications if you use these tools outside of the classroom
subnet.
Setup:
On your Windows XP Professional computer, there is a non-administrative user account named
ChrisC with a password of Certification1. The Windows XP Professional system has been
hardened. The @stakeLC4 evaluation software is available on the network at
\\Client100\SPlus\LC4\LC4Setup.exe.
1. Reboot into Windows XP Professional and log on as Admin100.
   a. Restart your computer and choose Windows XP Professional from the boot loader menu.
g. Click Finish.
d. Click Next.
7. What should you do to prevent any of the passwords on this system from being stolen
by an attacker?
d. Click Next.
h. Click Finish.
j. Click OK.
l. Close LC4.
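One preventive control that answers the question in step 7 is to reject weak passwords before they are ever set, since a cracking tool's first pass is a word list with digits or symbols appended. The checker below is an added example, not part of the course or of LC4; it evaluates a candidate password against a constructed policy (minimum length, three of four character classes, not containing the user name, not a dictionary word with trailing digits or symbols). The tiny COMMON_WORDS list is a constructed stand-in for the word list a cracker would try first; the sample password Certification1 is the one from this activity's setup.

```python
"""Added example (not part of the course): checks a candidate password
against a written password policy before it is set, the kind of control that
makes dictionary-style cracking of captured hashes unproductive. The policy
values and the tiny word list are constructed for this example."""
import re
import string

# Constructed policy: minimum length, character classes required, and a small
# word list standing in for the dictionary a cracking tool would try first.
MIN_LENGTH = 8
MIN_CLASSES = 3
COMMON_WORDS = {"password", "certification", "chris", "admin", "welcome", "letmein"}


def char_classes(password):
    """Count how many of the four character classes the password uses."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes)


def base_word(password):
    """Strip leading/trailing digits and symbols, e.g. 'Certification1' -> 'certification'.
    Cracking tools apply exactly these append/prepend rules to dictionary words."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def check_password(password, username):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    uname = username.lower()
    if uname and (uname in lowered or uname[::-1] in lowered):
        problems.append("contains the user name")
    if base_word(password) in COMMON_WORDS:
        problems.append("is a dictionary word with digits or symbols added")
    return problems


if __name__ == "__main__":
    for candidate in ("Certification1", "chrisc99!", "xK7#mv2pQ!r"):
        result = check_password(candidate, "ChrisC")
        print(candidate, "->", result or "OK")
```

Note that Certification1 satisfies the length and character-class rules yet still fails, which is the point: a complexity rule alone does not stop a dictionary attack, so the check against a word list is the part of the policy that actually defeats the tool used in this activity.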
There are also application-based IDSs, although they are not commonly used due to the expense of
implementation. They may be used sporadically in conjunction with a network-based or host-based
configuration to add another layer of protection to a critical application such as a customer database.
ACTIVITY 8-5
Installing Intrusion Detection Software
Setup:
The Windows XP Professional system has been hardened and scanned for vulnerabilities. The
Internet Security Systems (ISS) RealSecure Desktop Protector evaluation software is available
on the network at \\Client100\SPlus\RealSecureDP\RSDPEvalSetup.exe.
Scenario:
You are the security administrator for a large brokerage firm and need to make sure your new
Windows XP Professional systems are secure by actively monitoring your system for intruders.
The brokerage firm’s IT department wants to take a proactive approach to security and catch
the intruders before they do harm. You have already hardened your servers and scanned for
vulnerabilities. Now, you want to be able to actively monitor for intrusions in real time, as
well as to log suspicious activity for later analysis. Before connecting the new Windows XP
Professional systems to your network, you need to make sure that the chosen intrusion detection
software, Internet Security Systems’ RealSecure Desktop Protector, is installed and
configured.
b. Click Next.
2. Use the IDS software to determine if any intruders have attempted to access your system.
   a. In the System Tray, click the RealSecure Desktop Protector icon. The entry on the Events tab shows you that RealSecure Desktop Protector began detecting intrusion events as soon as it was installed.
   b. Select the Intruders tab. This tab would report the system name or IP address of any intruder systems.
RealSecure Desktop Protector also has a Notifications feature that can alert you at the time an intrusion is detected. See RealSecure Desktop Protector Help for more information.
e. Click OK.
Scenario:
One of the next tasks as the security administrator for the brokerage firm is to make sure your
new Windows XP Professional systems are secure by actively monitoring your systems for
intruders. The brokerage firm’s IT department wants to make sure you catch intruders before
they do harm. You have already hardened your servers, scanned for vulnerabilities, and
installed intrusion detection software. You have a schedule for reviewing the IDS logs, but as
part of the security plan, you also perform periodic real-time monitoring on the IDS. If the
intrusion detection software is detecting intruders properly, you might be able to catch one in
the act!
You and your lab partner will need to decide who will be the intruder and who will be monitoring their system.
After completing the activity, you can reverse roles and go through the steps again.
e. Click Start.
5. Verify that the intrusion was detected.
   a. Select the Events tab. You should see various port probes and scans from your partner’s computer.
   b. Select the History tab. You should see a spike in suspicious activity in the Events graph. You may need to wait for the program view to refresh in order to see the new spike.
To see the attack in progress, select the Events tab before your partner starts the scan in the previous step.
Honeypots
Definition:
A honeypot is a security tool that lures attackers away from legitimate network
resources while tracking their activities. Honeypots appear and act as a legitimate component
of the network but are actually secure lockboxes where security professionals
can block the intrusion and begin logging activity for use in court or even launch a
counterattack. Honeypots can be software emulation programs, hardware decoys, or an
entire dummy network.
• Software-based honeypots are elaborate emulations that mimic real network
components. The attacker is not really in the network or accessing actual network
components. Thus, security on the actual network is never compromised. However,
the work involved in creating a software emulation that would fool a
blackhat is quite complex. Software emulations are usually contracted out to companies
that specialize in this type of project. If a company did build a software
emulation honeypot poorly and an attacker discovered the facade, her only option
would be to leave, and unfortunately, if she didn’t take the bait, it may be difficult
to catch anyone.
• Hardware-based honeypots are systems comprised of hardware and software components
that are partially disabled and improperly configured to entice attackers.
They reside within the network but have special security controls in place to prevent
attackers from taking the honeypot over or using it to access the rest of the
network. A hardware-based honeypot is relatively easy to build, but there is
always the threat of an experienced attacker having more access to the actual network
than she should have.
• A composite or dummy network honeypot system uses software emulations and
actual hardware and software components to create an entire honeypot network
apart from the legitimate network. This type of deployment allows for an incredible
amount of data to be gathered against an attacker. Although the honeypot
network combines the best of each system, it is very expensive to build and
maintain.
An excellent real-world example of a dummy network type of honeypot is the HoneyNet Project
(http://project.honeynet.org). The project is a joint effort by over 30 security professionals to study attacks
and share this information on the Web.
Set Up a Honeypot
Procedure Reference: Set Up a Honeypot
To set up a honeypot:
1. Determine what type of attack or attacks you are trying to detect.
2. Install and configure the honeypot system. This can either be a third-party software
package that mimics a live server, or simply a system with weak security
that you set up manually and expose on your network.
3. Test the honeypot to verify it is working properly. Act as an attacker to verify it
looks real.
4. Monitor the honeypot, both in real time and by reviewing activity logs
periodically.
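The script below is an added example and not code from the course or from any product it names: a minimal software-emulation honeypot of the kind step 2 describes, built for the FTP scenario in Activity 8-7. It answers like an FTP server, rejects every logon (the decoy holds nothing, so the attempt itself is the evidence) and records the source address and each USER/PASS pair, which is the same information the activity later reads out of a Network Monitor capture. The banner host name and the client in simulate_attacker_session() are constructed so the whole exchange can be exercised on the loopback interface.

```python
"""Added example (not the course's own code): a minimal FTP decoy that
accepts connections, answers like an FTP server, rejects every logon and
records the source address and each USER/PASS attempt. The host name in the
banner and the client in simulate_attacker_session() are constructed."""
import socket
import socketserver
import threading
from datetime import datetime


class FtpDecoyHandler(socketserver.StreamRequestHandler):
    """One decoy session: speaks just enough FTP to capture logon attempts."""

    def record(self, event, **fields):
        entry = {"ts": datetime.now(), "src": self.client_address[0],
                 "event": event, **fields}
        with self.server.lock:
            self.server.log.append(entry)

    def handle(self):
        self.record("CONNECT")
        self.wfile.write(b"220 ftp.example.edu FTP server ready\r\n")  # constructed banner
        user = None
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
                self.wfile.write(b"331 Password required\r\n")
            elif verb == "PASS":
                # The decoy holds nothing, so every logon fails; the attempt is the evidence.
                self.record("LOGON_ATTEMPT", user=user, password=arg)
                self.wfile.write(b"530 Login incorrect\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                break
            else:
                self.wfile.write(b"530 Please login with USER and PASS\r\n")
        self.record("DISCONNECT")


class FtpDecoy(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address=("127.0.0.1", 0)):
        super().__init__(address, FtpDecoyHandler)
        self.log = []
        self.lock = threading.Lock()


def start_decoy(address=("127.0.0.1", 0)):
    """Start the decoy in a background thread; the chosen port is in server_address."""
    server = FtpDecoy(address)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def simulate_attacker_session(port, attempts):
    """Constructed client used only to exercise the decoy offline; returns the
    server replies so the exchange can be checked."""
    replies = []
    with socket.create_connection(("127.0.0.1", port)) as sock:
        reader = sock.makefile("rb")
        replies.append(reader.readline().decode().strip())          # banner
        for user, password in attempts:
            sock.sendall(f"USER {user}\r\n".encode())
            replies.append(reader.readline().decode().strip())
            sock.sendall(f"PASS {password}\r\n".encode())
            replies.append(reader.readline().decode().strip())
        sock.sendall(b"QUIT\r\n")
        replies.append(reader.readline().decode().strip())
    return replies


def logon_attempts(server):
    """Return (src, user, password) tuples captured so far."""
    with server.lock:
        return [(e["src"], e["user"], e["password"])
                for e in server.log if e["event"] == "LOGON_ATTEMPT"]


if __name__ == "__main__":
    decoy = start_decoy()
    port = decoy.server_address[1]
    print(simulate_attacker_session(port, [("aager", "ager"), ("aager", "allison")]))
    for attempt in logon_attempts(decoy):
        print("captured:", attempt)
    decoy.shutdown()
    decoy.server_close()
```

Because the decoy never grants a logon and serves no files, it satisfies step 2's "weak-looking but contained" requirement without the exposure of a real FTP server with a weak account; the captured source address and the guessed credentials are what let you answer questions 9 and 10 of the activity.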
ACTIVITY 8-7
Installing a Honeypot
Setup:
Network Monitor has been installed. Microsoft Exchange is running. You will work with a
partner in this activity; one partner will play the role of the monitored honeypot system, and
the other partner will play the role of an attacker.
Scenario:
State University has had a problem in the past with students uploading and downloading files
from the university’s internal faculty FTP site and wants to catch the perpetrators. Instead of
attempting to catch the students during the last breach, the FTP server was just hardened to
immediately stop the attacks. No students have broken in since. However, now that the live
FTP servers are secure, you would really like to catch the intruders. A faculty member, Dean
Allison Ager, suspected it was her account that was compromised, as she frequently uploads to
the FTP site. Her FTP account, like other faculty accounts at the University, is named with her
first initial and last name. Dean Ager admitted that at times she wasn’t following the best practices
section of the university security policy, using easy passwords such as her last name and
first name, and writing them down on sticky notes attached to the computer monitor in her
office. She also indicated that many students and teaching assistants have access to her office.
You suspect that her account would quickly become a target again if you deployed an FTP
server with no file-access controls and no anonymous user access. The IT department has
checked with the legal department in the university and they have given the green light to
deploy this FTP honeypot to try to detect the intruder.
You and your lab partner will need to decide who will act as the student attacker and who will be the security
administrator. After completing the activity, if time permits, you can reverse roles and go through the steps again.
On Both Systems:
1. If necessary, reboot into Windows 2000.
   a. Restart the computer and choose Windows 2000 Server from the boot loader menu.
2. Install FTP and provide one or more dummy FTP data files.
   a. Open Control Panel and run Add/Remove Programs.
f. Click Finish.
f. Click OK.
4. Create a vulnerable user account on the FTP honeypot computer.
   a. From the Start menu, choose Programs→Administrative Tools→Active Directory Users and Computers.
g. Click Finish.
b. Choose Capture→Filter.
e. Click OK twice.
f. Choose Capture→Start.
8. Stop the capture and review the capture log.
   a. In Network Monitor, choose Capture→Stop And View. You can see all the logon attempts, all the attempted password entries, and the data transfer that occurred during the attacker’s session.
9. What was the source IP address of the attack? How can this assist you in finding the
attacker?
10. Why would you suspect this student was the previous attacker to the FTP site?
TOPIC D
Respond to Security Incidents
With this topic, we’ve arrived at the last phase of the network security cycle. This is the phase
that you hope never arrives: your network is under attack, and you need to respond. In this
topic, you’ll learn to respond to the security breaches.
You might hope that if you implement security well and monitor vigilantly, you might never
have to live through a network attack. But, simply put, attacks are inevitable. Attackers are out
there every day, ceaselessly trolling the Internet with automated tools that can uncover and
penetrate susceptible systems. No matter how secure your network, detecting an attack is a
question of when, not if. The skills you’ll learn in this topic will help you to respond appropriately
when this does occur.
ACTIVITY 8-8
Investigating Incident Response Policies
Scenario:
As security administrator for your organization, Leland Hospital Systems, you’ve been asked
to join a committee of high-level managers to develop an incident response policy (IRP).
Before the committee’s first meeting, you decide to do some research on the Internet.
1. Search the Internet for information on IRPs.
   a. Open Internet Explorer and go to your favorite search engine.
3. What do you think are the most important components in the policies you’ve found?
4. How do you think the policies you’ve found answer the questions in the concepts preceding
this activity?
6. Why might you want to alert law enforcement officials of a security incident? Why
might you want to notify the media?
You might need to work with your ISP or your internal network or router administrators to gather
the necessary information and respond to the attack.
3. Gather evidence, in the form of network trace files, security logs, and so on, if the
attack is not causing immediate damage.
4. Block the source of a network attack if it becomes necessary to stop the attack.
5. For DDoS attacks, scan for and remove any zombie agents on your local network,
using a tool such as Zombie Zapper from http://razor.bindview.com.
6. Shut down the affected systems and move them to an isolated subnet, but only if
necessary to stop the attack or prevent further system damage.
7. Reverse the damage to the affected systems:
• For malicious code attacks, run antivirus software to disinfect the systems.
• For other attacks, restore lost files, user accounts, and other objects from a
backup.
• If a backup is not available, rebuild the lost objects manually.
• As a last resort, reinstall the systems.
8. Gather any additional evidence regarding the source of the attack.
9. Perform a quantitative and qualitative damage assessment to determine a dollar
value of the cost of the attack.
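As an added example (not the course's own code), the script below works through steps 3, 4 and 9 of the procedure on a packet-capture summary: it identifies the source whose packet rate stands out, reports the protocol and byte volume that the damage assessment needs, and produces the description of the block rule you would apply to stop it. The capture format ("frame time src dst proto dport bytes") and every frame returned by build_sample_capture() are constructed; a real capture exported from Network Monitor or another analyzer would need its own parser, but the per-source rate analysis is the same.

```python
"""Added example (not the course's own code): identifies a flooding source in
a packet-capture summary and computes the figures an incident responder
needs before blocking the source and assessing damage. The capture format
and all frames are constructed."""
from collections import Counter, defaultdict


def build_sample_capture():
    """Constructed capture summary: 'frame time src dst proto dport bytes'.
    Two hosts talk to the Web server normally; one host sends 300 UDP
    packets in half a second, the pattern of a UDP flood."""
    lines = []
    frame = 1
    for second in range(10):                     # normal browsing traffic
        for src in ("192.168.1.10", "192.168.1.22"):
            lines.append(f"{frame} {second + 0.25:.3f} {src} 192.168.1.5 TCP 80 512")
            frame += 1
    for i in range(300):                         # the flood, all inside second 1
        lines.append(f"{frame} {1.0 + i / 600:.3f} 192.168.1.77 192.168.1.5 UDP 80 1024")
        frame += 1
    return lines


def parse_frame(line):
    """Split one summary line into typed fields."""
    frame, t, src, dst, proto, dport, size = line.split()
    return {"frame": int(frame), "t": float(t), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "bytes": int(size)}


def analyze_capture(lines, pps_threshold=100):
    """Per source: peak packets per one-second bucket, total bytes and
    dominant protocol. Sources whose peak rate reaches pps_threshold are
    returned under 'flagged' with a plain-language block rule."""
    per_bucket = defaultdict(Counter)     # src -> {second: packet count}
    total_bytes = Counter()
    protocols = defaultdict(Counter)
    for line in lines:
        f = parse_frame(line)
        per_bucket[f["src"]][int(f["t"])] += 1
        total_bytes[f["src"]] += f["bytes"]
        protocols[f["src"]][f["proto"]] += 1
    report = {"sources": {}, "flagged": []}
    for src, buckets in per_bucket.items():
        peak_pps = max(buckets.values())
        proto = protocols[src].most_common(1)[0][0]
        report["sources"][src] = {"peak_pps": peak_pps,
                                  "bytes": total_bytes[src],
                                  "protocol": proto}
        if peak_pps >= pps_threshold:
            report["flagged"].append({"src": src, "peak_pps": peak_pps,
                                      "block": f"drop {proto} from {src}"})
    return report


if __name__ == "__main__":
    result = analyze_capture(build_sample_capture())
    for src, stats in result["sources"].items():
        print(src, stats)
    for entry in result["flagged"]:
        print("flagged:", entry)
```

The threshold is deliberately a parameter: what counts as a flood depends on the server's normal load, so calibrate it from a capture taken during ordinary operation before relying on it during an incident. The per-source byte totals feed the quantitative part of the damage assessment in step 9.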
ACTIVITY 8-9
Responding to a DoS Attack
Setup:
The Windows 2000 system has been hardened, and Network Monitor has been installed and
has been used previously to capture data on your local network. Port 80 is open on the server.
All computers on your network are on the 192.168.y.x subnet, where y is a number unique to
your network. You will work with a partner in this activity; one partner will play the role of
the intruder, and the other partner will play the role of the monitored system. The tools and
data files you will need for this activity are available on the network in the
\\Server100\SPlus\Tools share in the following folders: \UDPFlood\udpflood.exe and \DDosPing\ddosping.exe.
Scenario:
As you are monitoring your network performance, you notice a performance degradation on
one of your Web servers. The security policy for your organization states that any such performance
degradation should be treated as a symptom of a possible DoS or DDoS attack until
proved otherwise.
You and your lab partner will need to decide who will be the attacker and who will be acting as the monitoring
system. After completing the activity, you can reverse roles and go through the steps again.
1. Begin monitoring system performance with Task Manager.
   a. Right-click the Taskbar and choose Task Manager.
e. Click OK.
g. Choose Capture→Start.
f. Click Go.
4. During the attack, examine Task Manager for signs of a performance degradation.
   a. Switch to Task Manager. The CPU Usage History shows signs of increased activity. However, depending on the hardware resources in your system, the actual impact on system performance will probably be minor.
6. Which packets in the capture created the DoS condition? (You might need to widen the
Description column.)
8. What is the first thing you should consider doing in response to this DoS attack?
11. If the attacker wanted to automate the attacks instead of having to do so manually,
what can the attacker do?
All Computers:
d. Click Start.
Scenario:
During regular monitoring of a system, you detect unauthorized attempts to access the root
share of a Windows XP Professional computer. Your organization’s security policy states that
all such access attempts should be blocked at the source.
You and your lab partner will need to decide who will be the intruder and who will be monitoring their system.
After completing the activity, you can reverse roles and go through the steps again.
2. Begin monitoring for intruders with RealSecure Desktop Protector.
a. In the System Tray, click the RealSecure Desktop Protector icon.
c. Click OK.
3. Attempt to access the C$ administrative share on your lab partner’s computer.
a. As the Admin100 user, from the Start menu, choose Run.
b. Enter \\client#\c$ and click OK. Use your partner’s computer number for #.
If your attack isn’t detected after entering \\client#\c$, try using your partner’s IP address or connecting to the d$ share.
c. Close the C$ folder window.
5. Attempt to access the C$ share on your lab partner’s computer.
a. From the Start menu, choose Run.
b. Enter \\client#\c$ and click OK. Use your partner’s computer number for #.
Lesson 8 Follow-up
In this lesson, you learned to monitor the security infrastructure for any attempts to breach
your organization’s security. An advanced warning of an attack may give you just enough time
to stop the attack before it really gets going. The only way you discover this intrusion early
enough is when you are monitoring your infrastructure on a daily basis.
1. What type of intrusion detection software are you familiar with and how have you used
it to detect attacks?
2. What do you feel is the most important part of the infrastructure to monitor? Why?
What’s Next?
For more information on additional security courses, see your Element K sales representative,
or visit our Web site at www.elementkcourseware.com.
APPENDIX A
Authentication and
Authorization
While at first they might seem to be the same, authentication and authorization are very
different. Authentication is the process of requiring a user to prove his or her identity, while
authorization is the process of taking that user’s identity after he or she has been authenticated
and allowing or denying access to specific network resources. It’s this two-step process that is
at the very heart of an organization’s security infrastructure.
There are a variety of authentication methods that you can employ in your network. The fol-
lowing table lists some common methods.
For more information on two-factor authentication and tokens, see RSA’s Web site at www.rsasecurity.com/
products/securid/.
After the user is authenticated, there are several ways to control the user’s access to network
resources. Some of the common methods are described in the following table.
APPENDIX B
Understanding Media
Objectives:
In this lesson, you will identify the characteristics of various media.
You will:
• define tape media.
• define disk media.
• define CD-ROM.
• define floppy disks and their characteristics.
• describe the characteristics and use of hard drives.
• define bounded and unbounded media.
• identify coaxial cable.
• identify UTP and STP cable.
• identify the characteristics of fiber-optic cable.
TOPIC A
Removable Media
Data can be stored on many media, including magnetic tape, CD-ROMs, hard drives, and
floppy disks.
Consider the value of the data stored on your PC. A week’s worth of changes and additions to
files or to a database can have greater value than the entire system on which it is stored.
As companies use PCs for more and more of their business transactions, the value of the infor-
mation kept on these systems increases dramatically. It is important to understand the media
that stores this data.
Tape Media
Definition:
A tape is a magnetically coated strip of plastic on which data can be encoded. Tapes
are accessed sequentially, which means specific data cannot be accessed on the tape
without sequentially going through all of the preceding data. Tapes vary in storage
capacities and formats. Tapes are considered a slower media and are generally used
only for long-term storage and backup.
There are more and more choices every year when it comes to backup media. A few
years ago, you only had a choice between reel-to-reel tapes, QIC cartridges, and very
expensive DAT recorders. Today, the costs of the DAT recorders and media are within
the range of most IT budgets. For workstation backups, QIC cartridges are a popular
choice; you might consider using Iomega’s Jaz or Zip disks. Magnetic tape is still the
most popular backup media.
The following table shows some of the most common backup media.
Media                          Maximum Storage Sizes         Description
Digital Audio Tape (DAT)       At least 1 GB, up to 12 GB    Used in many different size networks; 4 mm tape, about the size of an audio tape
Digital Linear Tape (DLT)      At least 10 GB, up to 12 GB   Used mainly in mid- to large-size networks; 0.5-inch cartridges
Quarter-Inch Cartridge (QIC)   At least 40 MB, up to 25 GB   Original width was 0.25 inches; available in 3.5-inch (Travan) or 5.25-inch cartridges; usually used in smaller networks and stand-alone PCs
Example: 8 mm Tape
The 8 mm tape format was originally developed by Exabyte, which continues to be the
only manufacturer of 8 mm drives. Many other manufacturers purchase raw drives
from Exabyte and integrate them into internal or external 8 mm tape drives. This
arrangement ensures compatibility between 8 mm drives.
These 8 mm tape drives offer storage capabilities between 2.2 GB and 10 GB per
cartridge. The tape cartridges are only slightly larger than DAT tapes. They are often
considered more reliable than 4 mm drives; however, the drives and tapes are more
expensive than 4 mm units.
The 8 mm tape drives are popular in the UNIX and workstation industry. These drives
have only recently become popular with network administrators as the amount of data
on LANs has grown.
Example:
A disk storage location can be specified by its side, track, and sector. An example is
shown in Figure B-1.
Figure B-1: A disk storage location can be specified by its side, track, and
sector.
Example:
CDs have many uses: they are used to distribute software and information, such as
collections of data, and to publish books, magazines, or collections of graphics. Most
CDs are indexed, enabling them to be searched easily by using keywords. Although
they are slower to use than hard disks, CDs have become popular as a way to provide
access to large amounts of information.
The mass production of CDs, as when a software manufacturer distributes software on
CDs, begins with a process called mastering, or burning. One master copy of the CD
is created and tested; and then it’s used by a CD publisher to make many (often thou-
sands) of copies, with the per-copy cost typically being less than $1. Figure B-2 shows
the connectors for a typical CD-ROM drive.
Using CD-ROMs
Some operating systems—such as UNIX, OS/2 2.x, Windows NT, and others—
inherently support CD-ROM drives. Other operating systems, such as DOS, DOS/
Windows, and some versions of NetWare, require additional software in order to use
CD-ROM drives. CD-ROM drives often provide driver software for the operating sys-
tems that need them. Third-party driver software is also available.
Many CD-ROM drives use the SCSI interface to connect to the host system. A com-
mon interface for SCSI CD-ROM drives and other devices, called the Advanced SCSI
Programming Interface, or ASPI, has been developed. This enables the use of a single
ASPI device driver for multiple SCSI devices. An example of such a driver is
Adaptec’s ASPIDSK.SYS.
Practical Issues
Keep the following in mind when you are using CD resources:
• Some older CD-ROM drives require that the disc be placed in a disc caddy, or
protective plastic container, before they can be inserted into the drive. You may
want to consider purchasing additional caddies for storage purposes.
• CD-ROM drives are connected to a host computer by using a SCSI bus or an IDE
bus.
• If you put a SCSI CD-ROM on the same controller as a hard disk, you might see
a performance loss. Check with the hardware vendors for known incompatibilities.
• When you connect the data cable and power to the drive, the configuration is
similar to that of a hard drive—data cable to the left, power cable to the right,
and a red stripe closest to the red power wire.
• Make sure that the jumpers are set properly and that the audio cable is attached.
Audio cables carry only analog sound; digital sounds are carried on the data
cable.
Definition:
Floppy disks are similar to hard disks, except that the material on which data is
recorded is not hard; it is made of a floppy material, such as mylar. Read/write heads
record data on floppy disks similar to the way they do on hard disks. Because floppy
disks can be removed from the computer and easily carried, they are not as well pro-
tected as hard disks. To make floppy disks more tolerant (than hard disks) of dust and
scratches, data is not packed as densely into a floppy disk as it is in a hard disk. What
floppy disks lack in storage capacity, they make up in portability. To provide a reason-
able degree of protection for floppy disks, they are contained inside a tight-fitting
square sheath of vinyl or hard plastic.
Example:
There are three floppy-disk formats. These three floppy-disk formats are shown in Fig-
ure B-3.
Storage Capacity
The amount of data that can be stored in a disk is determined by the number of sides,
tracks per side, sectors per track, and bytes that can be stored in a sector. For example,
a double-sided disk with 80 tracks, 36 sectors, and 512 bytes per sector has a total
capacity of 2 x 80 x 36 x 512, or 2,949,120 bytes. Divide this by 1,024 to get the
number of kilobytes, which is 2,880. The following table shows common floppy-disk
sizes and formats, and their total capacity in kilobytes.
Hard Drives
Definition:
Hard drives, or fixed disks, are a type of storage device that provide fast access to
large amounts of storage in a small, reasonably reliable physical package. Without
them, most modern computing applications would be impossible.
The aggregate of all tracks that reside in the same location on every disk surface. On
multiple-platter disks, the cylinder is the sum total of every track with the same track
number on every surface. On a floppy disk, a cylinder comprises the top and corre-
sponding bottom track. Hard disks are often composed of multiple disks. A cylinder
consists of a track on the top side of the top-most disk, and all of the tracks beneath it.
This is shown in Figure B-5. A cylinder represents all of the data that the read/write
heads can access when they are in a certain position. (There is a separate read/write
head for each side of each disk, but they all move together.)
Example:
Figure B-6 illustrates the components of a hard drive.
Physical Characteristics
Physically, hard drives come in a number of designs. The terms form factor and height
are used to describe the physical characteristics of hard drives that are mounted
internally. External drives are most often simply internal drives mounted in a case that
also has a power supply.
• With regard to a disk drive, the form factor is the overall diameter of the platters
and case, such as 3.5 inches or 5.25 inches, not the size in terms of storage
capacity. The form factor of a drive refers to its width. This measurement is
derived from the original IBM PC/XT case that had drive openings of 5.25
Hard Drives
Keep the following in mind when you are working with hard drives:
• Because of the delicate nature of hard disks, you need to be very careful when
you are handling them. Do not bump or shake them unnecessarily, and do not
transport them unless they are encased in protective packaging.
• When performance is a less-critical issue than cost, consider adding another hard
disk to an existing controller board, rather than replacing the controller, disk, or
computer.
Advances in Capacity
Today’s hard drives hold far more information than the hard drives of just a few years
ago. They’re smaller, faster, and more reliable, due to technological advancements such
as improved coatings for platters and smoother platter surfaces. Another improvement
is the advent of the voice coil design, which enables cylinders to be written closer
together. This, in turn, enables more data to be saved to each platter than could be
saved on older hard drives with the same platter size.
Example:
Wires, cables, and fiber optics are examples of bounded media. Radio, microwave, and
infrared use unbounded media. Some examples of bounded and unbounded media are
shown in Figure B-7.
Another type of connector is the Attachment Unit Interface (AUI), which is a 15-pin, D-shaped connec-
tor (a DB-15 connector) that looks like a parallel port connector. Another commonly used name for an
AUI connector is a DIX connector, named for the three companies that developed it—Digital, Intel, and
Xerox.
Example: ThinNet
The most common type of coax used in networks is RG58A/U cable, or ThinNet, as
it’s affectionately known. ThinNet is small in diameter (about an eighth of an inch)
and relatively easy to install. It uses BNC connectors and requires a 50 ohm
terminator. It has an end-to-end distance of 185 meters.
Example: ThickNet
The other type of coax used in networks is RG-8, or ThickNet. ThickNet is much
harder to work with than ThinNet because it’s about a half inch in diameter and very
stiff. There are two types of connectors for use with ThickNet—the N-connector and a
vampire tap. N-connectors are large, screw-type connectors that look like those used
on two-way radios. Vampire taps are a two-part clamshell connector that clamps over
the cable and pierces the outer jacket to make the connection. ThickNet has an end-to-
end distance of 500 meters. Figure B-8 shows examples of coaxial cable.
Category 6 and 7 aren’t official standards but are in the development stages and supported by many
manufacturers because of the demand for high speed connectivity.
Example:
Analog and digital telephone cable are examples of UTP. UTP is also used for varying
speeds of network cable. Figure B-9 displays UTP.
UTP Categories
UTP comes in different grades, called categories (Category 1 to Category 7 or Cat 1 to
Cat 7), where the cable’s bandwidth capability increases with the category number. Cat
5 is the most popular category, along with its subcategories Cat5+ and Cat5 E
(enhanced). Cat 6 and 7 aren’t official standards but are defined by the cable
manufacturers.
RJ-45 Connectors
Cat 5 cables use RJ-45 connectors that look like a common phone plug, only bigger
and with eight conductors. Figure B-10 shows an RJ-45 connector. (The phone connec-
tors are called RJ-11.) One pair of conductors is used for transmitting data and another
for receiving data; the other two pairs are unused. Each pair is color-coded with a solid
color and a white wire with a colored band. For the pin-out of the connectors, there
are two standard color schemes: EIA/TIA 568A and 568B. It’s important that both
ends of a cable be wired with the same color scheme. Both use the same pins for
transmit (TX) and receive (RX), but different color pairs.
To make a standard patch cable (TX goes to TX), use the same color scheme at each end. To make a
crossover (TX goes to RX) cable, use 568A at one end and 568B at the other.
Fiber-optic Cable
Definition:
Fiber-optic technology is a point-to-point technology that uses a light to carry a data
signal through cable. The light source is either a laser or high-intensity LED, depend-
ing on transmission range (laser is used for long-range transmission). Because of the
speed of light and fast reaction of the optic devices, fiber-optic signals have very high
data rates—the digital data is flashed through the fiber-optic carrier.
Analogy:
Fiber-optic technology is very much like the signaling devices used to send Morse
code between ships at night. Figure B-12 gives an example of fiber-optic technology.
Example:
Figure B-13 shows some examples of fiber-optic cable.
Though it’s bad practice to look into the end of any fiber connection that is turned on, it’s extremely
dangerous to look into a single-mode fiber connection because of the intensity of the transmitting laser.
Multi-mode fiber
Multi-mode fiber can carry more than one signal at the same time. Using two different
techniques, multi-mode devices can place different light signals onto the cable and
remove each at the other end. Multi-mode fiber uses a larger core than single mode
(50, 62.5, or 100 microns) and has a shorter transmission distance.
Step Index multi-mode fiber uses a transmission diode that angles a signal into the
cable. By adjusting the angle, a transmitter can create multiple transmission paths. Step
mode costs the least to implement, but is limited to shorter distances (a few hundred
feet).
Graded Index fiber uses layers inside the glass core to send multiple signals down the
cable. The core contains glass layers, each of which carries a signal. Graded Index is
used to send higher quality data signals over distances up to 2,500 meters. Figure B-14
shows the difference between Step Index and Graded Index multi-mode fiber.
Fiber Connectors
There are multiple types of fiber connectors shown in the following table. Figure B-15
illustrates these fiber connectors.
4. Why shouldn’t you look into the end of a fiber connector or socket, even if you don’t
see a light?
6. How many fiber conductors are needed to implement a full duplex connection?
APPENDIX C
SecureSystems.doc
National Bank’s System Hardening Recommendations
Make sure to keep up to date with the latest security patches!
Windows XP Professional Security Recommendations
(workgroup environments)
Note: These steps should be used for all Windows XP Professional clients in a workgroup, and
those that will remain on isolated subnets, such as the Bank’s background investigation
computers. For Windows XP Professional clients participating in a domain, these steps can be
automated by following the steps on Group Policy.
General Settings:
1. Install the latest Windows XP patches and hot fixes on all desktop systems. All security
patches should be installed immediately when available.
2. Do not use Internet Connection sharing.
3. Disable the Welcome Screen.
4. Disable Fast User Switching.
5. For Laptops and Home systems only—Enable the built-in XP Internet Connection
Firewall.
6. Apply the Windows Media Player Security Patch.
7. Convert all drives to NTFS.
8. Install anti-virus software; keep virus definition files up to date.
9. Use the MBSA tool quarterly to verify that the system is secure.
10. Check TechNet and the Center for Internet Security for the latest recommendations for
securing the registry and the file system.
Password Policy Settings:
1. Enforce password history→24 passwords remembered
2. Maximum password age→30 days
3. Minimum password age→7 days
4. Minimum password length→8 characters
5. Password must meet complexity requirements→Enabled
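As an added example (not part of the course text), the following Python script checks an exported local security policy against the five password settings listed above. The input is a constructed sample written in the [System Access] section format of a security template, the format that secedit /export /cfg <file> produces; the sample values, and the idea of treating a shorter maximum age as acceptable, are assumptions made for this example.

```python
"""Compare an exported local security policy against the Appendix C
password-policy recommendations (added example, not course material).

SAMPLE_EXPORT below is constructed to mimic the [System Access] section
of a security template (.inf) as written by ``secedit /export /cfg <file>``.
"""
import re

# Recommended values from the Appendix C "Password Policy Settings" list,
# keyed by the setting names used in security template (.inf) files.
RECOMMENDED = {
    "PasswordHistorySize": 24,   # Enforce password history: 24 remembered
    "MaximumPasswordAge": 30,    # Maximum password age: 30 days
    "MinimumPasswordAge": 7,     # Minimum password age: 7 days
    "MinimumPasswordLength": 8,  # Minimum password length: 8 characters
    "PasswordComplexity": 1,     # Complexity requirements: Enabled
}

# Constructed sample export: a workstation still on mostly default settings.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(text):
    """Return the integer settings found in the [System Access] section."""
    settings = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[system access]"
            continue
        if not in_section or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if re.fullmatch(r"-?\d+", value):
            settings[name] = int(value)
    return settings


def evaluate_policy(settings, recommended=RECOMMENDED):
    """Return {setting: (actual, recommended, ok)} for each recommended setting.

    "ok" means the setting is at least as strict as the recommendation.
    MaximumPasswordAge is the one setting where a smaller value is stricter;
    -1 (password never expires) or 0 is treated as failing. A setting that
    is missing from the export also fails, since its value is unknown.
    """
    report = {}
    for name, want in recommended.items():
        have = settings.get(name)
        if have is None:
            ok = False
        elif name == "MaximumPasswordAge":
            ok = 0 < have <= want
        else:
            ok = have >= want
        report[name] = (have, want, ok)
    return report


def failing_settings(text, recommended=RECOMMENDED):
    """Names of recommended settings the export does not satisfy, in order."""
    report = evaluate_policy(parse_system_access(text), recommended)
    return [name for name, (_, _, ok) in report.items() if not ok]


if __name__ == "__main__":
    results = evaluate_policy(parse_system_access(SAMPLE_EXPORT))
    for name, (have, want, ok) in results.items():
        status = "OK  " if ok else "FAIL"
        print(f"{status} {name}: found {have}, recommended {want}")
```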
APPENDIX D
Security+ Exam Objectives
Mapping
The following table lists the test domains and objectives for the Security+ examination, and
where they are covered in this course. Some objectives were covered in the prerequisite
courses and were not repeated in this course. Objectives covered in the prerequisite courses are
mapped to the course part numbers, which are listed along with their corresponding titles in a
table at the end of this appendix.
Security+ Test Domains and Objectives         Element K Course Lessons and Topics
Domain 1.0: General Security Concepts
1.1 Access Control                            Appendix A
1.2 Authentication                            Appendix A
1.3 Non-essential Services and Protocols      Lesson 2, Topic A
1.4 Attacks                                   Lesson 1
1.5 Malicious Code                            Lesson 1, Topic B
1.6 Social Engineering                        Lesson 1, Topic A
1.7 Auditing                                  Lesson 8, Topic A; Lesson 2, Topic A
Domain 2.0: Communication Security
2.1 Remote Access                             Lesson 4, Topic D
2.2 E-mail                                    Lesson 3, Topic F
2.3 Web                                       Lesson 3, Topic C; Lesson 4, Topic C
2.4 Directory                                 Lesson 2, Topic B
2.5 File Transfer                             Lesson 3, Topic D
2.6 Wireless                                  Lesson 4, Topic B
Domain 3.0: Infrastructure Security
3.1 Devices                                   Lesson 1, Topic C; Lesson 3, Topic A; Lesson 4, Topic B
APPENDIX E
Automated Setup Instructions
The classroom computers will be configured to dual-boot between Windows 2000 Server and
Windows XP Professional. You will need one computer for the instructor and one computer for
each student. In the following procedures you will set up the instructor computer first so that
the Windows 2000 Server and Windows XP Professional source files will be shared from the
instructor computer’s hard drive. Then the automated setup will install the student computers
over the network.
See your manufacturer’s reference manual for hardware considerations that apply to your spe-
cific hardware setup.
Approximate setup time using these instructions is 3.5 hours for the instructor system and 3.5
hours for a student system. You must install the instructor computer before you can start the
student computer installations. You may install multiple student computers at the same time.
The activities in this course require static IP addresses. If you are attached to a corporate network,
consult with your TCP/IP or network administrator to verify that this IP configuration does not con-
flict with any other addresses in your location. Internet access is recommended in this class, so you
should also consult with them on an appropriate method of providing access (for example, Network
Address Translation (NAT)). Also, check with them on any additional parameters that may be needed
for Internet access (for example, a default gateway and additional DNS servers). If you do add addi-
tional DNS servers for Internet access for each computer, make sure you always leave the
classroom-configured DNS server IP address as first in the list.
If you find you can’t connect to the Web pages, check to be sure the files aren’t named with double
file extensions.
d. Open Internet Explorer and connect to http://Server100 to verify that you can see the
default Web site (the Nuclear Plant Training Site).
e. Connect to http://Server100/Register to verify that you can see the Registration Web
Page. Close Internet Explorer.
38. Open the course PowerPoint slides to verify that they display properly.
39. Reboot the computer into Windows XP Professional. You don’t have to log on; the stu-
dent computer setups and the first activity in the course require the instructor computer to
be booted to Windows XP Professional.
LESSON LABS
Due to classroom setup constraints, some labs cannot be keyed in sequence immediately fol-
lowing their associated lesson. Your instructor will tell you whether your labs can be practiced
immediately following the lesson or whether they require separate setup from the main lesson
content.
LESSON 1 LAB 1
Classifying Attacks
Activity Time:
15 minutes
Scenario:
Your IT department wants to know, when they are being attacked, what type of attacks are
occurring. As the new security administrator for your organization, you have been asked to do
a presentation on the different types of attacks that may occur on your network. Before you do,
you’ll take a look at some sample attacks that have occurred in your organization and classify
them into the appropriate categories.
The help desk receives a call from someone claiming to be a support person asking the
FQDN and IP address of the Web server in your organization. A short while later, no
one on the Internet can get to your Web server because the performance has suddenly
dropped. What type of attack(s) did the attacker use?
An IT administrator looks at Human Resources records, then deletes the audit log file
to erase any records of him accessing the files. Just to be sure he hides his steps, he
also does a restore from tape. The next day, he tells the other IT folks that there was a
problem with a server hard drive and he had to restore a tape backup. What type
of attack(s) did the attacker use?
A user forwards an email with attachments to other users in the organization. The
email stated that a person was in dire need of help and to please forward the email to
others immediately. It causes a virus to spread within the organization. What type of
attack(s) did the attacker use?
An attacker scans your network and finds Port 21 open. She then retrieves a user name
and password for your server. After logging on, she creates an account with administrative
privileges. Later, she logs on with this account and steals data. What type of
attack(s) did the attacker use?
You can find a suggested solution for this activity in the Hardening an Operating System.txt file in the Solutions
folder in the student data files.
Setup:
You have a new installation of a Windows 2000 Server on a computer named NUC01 in a
domain named NUCLEAR. The default administrator account has been set up with a password
of !Pass1234. Tools, Service Packs, and data files for this activity are available in the C:\SPlus
folder:
• Windows 2000 Service Pack 2: \W2KSP2
• Windows 2000 Security Rollup Package 1: \W2KSRP
• Internet Explorer 6: \IE6
• Windows Media Player Security Patch: \WMPPatch
• Microsoft Baseline Security Analyzer: \MBSA
Scenario:
You are the security administrator for a nuclear plant and you need to make sure your new
servers are secure. The Windows 2000 servers are currently being installed with the default
configuration and this is leaving the servers vulnerable to attacks. The nuclear plant wants to
minimize the possibility of those attacks and does not want to use IIS. The server being
installed is also a domain controller, and according to the Active Directory design team, you
need to harden with the default high security template. Before connecting the new Windows
2000 Servers to your network and joining the computers to the domain, you want to make sure
that the server operating system on the domain controller is hardened to minimize the likeli-
hood of attacks from both internal and external users.
If you are not connected to the Internet, MBSA will be unable to read the list of current security patches from
Microsoft. If the system determines that there are current patches that have not been implemented, this could
mean that Microsoft released additional patches since this course was written. Make sure to check
www.microsoft.com/security and the Windows Update Web site (http://windowsupdate.microsoft.com) for the
latest security patches.
2. Run the Microsoft Baseline Security Analyzer.
LESSON 3 LAB 1
Hardening a Web Server
Activity Time:
1 hour(s)
You can find a suggested solution for this activity in the Hardening a Web Server.txt file in the Solutions folder in
the student data files.
Setup:
You have a new installation of a Windows 2000 stand-alone server on a computer named
Server#, where # is a unique integer assigned to each student in your lab, in a workgroup
named workgroup. The default administrator account has been set up with a password of
!Pass1234. The base operating system has been hardened. Tools, Service Packs, and data files
for this activity are available in the C:\SPlus directory in the following folders:
• IIS\SecRollup: Microsoft Internet Information Server (IIS) Security Rollup Pack-
age
• IIS\Lockdown: Microsoft IIS Lockdown Tool
Scenario:
You are the security administrator for a college and you need to make sure your new Web
servers are secure. The Windows 2000 servers are currently being installed with the default
configuration and this is leaving the servers vulnerable to attacks. The college wants to mini-
mize the possibility of those attacks. They also do not want FTP installed but would like to
use NNTP and ASP. Before connecting the new Windows 2000 Servers to your network, you
want to make sure that the Web server is hardened to minimize the likelihood of attacks from
both internal and external users.
1. Install the Microsoft Internet Information Server (IIS) Security Rollup Package.
4. Run the Microsoft IIS Lockdown Tool with the appropriate options.
5. What other steps would you take if you were going to further harden the Web
server?
You can find a suggested solution for this activity in the IPSec.txt file in the Solutions folder in the student data
files.
Setup:
You have two Windows XP Professional computers named NUCXP1 and NUCXP2. There is
an administrative-level account on the computer named Admin#. The password for this account
is !Pass1234.
Scenario:
You are the security officer at a nuclear plant and you need to make sure that highly sensitive
data transferred between Windows XP computers is secure. In the past, the nuclear plant has
had problems with employee personnel information being compromised as it traveled across
the network. The plant has decided to not use certificates or deploy Active Directory for now
but wants to require the use of IPSec to secure all IP traffic. The first Windows XP computers
you need to secure are two systems that security officers use daily in a small workgroup.
1. On both Windows XP computers, create an MMC console with the IP Security Policy
Management and IP Security Monitor snap-ins.
2. On both Windows XP computers, configure the appropriate IPSec policy with the
same preshared key.
4. On NUCXP1, open Network Monitor and start a capture between the two Windows
XP computers.
6. On NUCXP1, stop the capture and verify IPSec is being used between the two
computers.
7. Which frame showed the security association between the two computers?
You can find a suggested solution for this activity in the Certificate Authority.txt file in the Solutions folder in the
student data files.
Setup:
You have two new installations of a Windows 2000 Server configured as domain controllers.
The computer names are BROKERSRV1 and BROKERSRV2, and both are installed in a domain named BROKERS.
The default administrator account has been set up with a password of !Pass1234.
Scenario:
You are the security administrator for a brokerage firm and you need to make sure your email
communication is secure. The brokerage is currently not encrypting email transmissions and
wants to prevent any attacker from intercepting any emails that contain private client
information. You want to make sure that email communications are secure by implementing
the PKI plan from the brokerage firm’s IT department to minimize the likelihood of attacks
from both internal and external users. The plan calls for an enterprise root CA and an enterprise
subordinate CA and backing up the CA itself along with a separate backup of the domain
controller. Authenticated users should be able to use certificate templates. You should verify
the backups are successful by periodically doing a restore. The IT team will back up the
domain controllers at night and later, the email administrators will start using certificates from
the CA. The IT department wants these descriptions for the CAs:
1. Enter this CA information for the enterprise CA when prompted:
• Broker Root CA.
• Education as the Organizational Unit.
• Enter Syracuse as the City.
• Enter New York as the State Or Province.
• Verify that US is selected as the Country/Region.
• Enter secadmin@broker.internal as the E-mail.
• Enter Enterprise CA Root for Syracuse as the CA Description.
• From the Valid For drop-down lists, select 2 Years.
2. Enter this CA information for the enterprise subordinate CA when prompted:
• Enter Broker Subordinate CA as the CA name.
• Enter Education as the Organizational Unit.
• Enter Syracuse as the City.
• Enter New York as the State Or Province.
• Verify that US is selected as the Country/Region.
• Enter secadmin@broker.internal as the E-mail.
• Enter Subordinate CA Root for Syracuse as the CA Description.
3. Verify that Certificate Services was installed properly on each domain controller.
LESSON 6 LAB 1
Managing and Using Certificates
Activity Time:
30 minutes
You can find a suggested solution for this activity in the Certificates.txt file in the Solutions folder in the student
data files.
Setup:
You have a new installation of a Windows 2000 Server configured as a standalone root CA.
The computer name is BankSRV1. The default administrator account has been set up with a
password of !Pass1234. You have an email address of secadmin@bankers.internal.
Scenario:
You are the security administrator for an international bank based in Chicago, Illinois, and you
need to make sure your email communication is secure. The bank is currently not encrypting
email transmissions and wants to prevent any attacker from intercepting any emails that contain
confidential information. You want to make sure that email communications are secure by
implementing the PKI plan from the brokerage firm’s IT department to minimize the likelihood
of attacks from both internal and external users. The bank PKI plan requires a standalone root
CA, which has already been installed. Many of the bank employees use laptops. You need to
make sure enrollment of certificates is working properly before you let laptop users enroll. You
also need to back up their individual private keys in case they leave the organization or lose
their private key. You should verify the backups are successful by periodically doing a test
restore. The IT team will back up the servers at night and later, the email administrators will
LESSON 7 LAB 1
Implementing and Enforcing a Security Policy for an Organization
Activity Time:
30 minutes
You can complete this activity immediately following the lesson or any other time.
You can find a suggested solution for this activity in the Policy.txt file in the Solutions folder in the student data
files.
Data Files:
• UKSecurityPolicy.rtf
1. A user named Allison brings in some floppy disks from home which have some
documents on them that she was editing at home. She scanned them at home with
a virus scanner before bringing them into the office.
2. A user named Amjad downloads some shareware that will assist him in creating
scripts. It was downloaded from a well-known Web site and Amjad started using it
immediately after downloading.
3. A user named Laura accidentally gets a virus on her computer. Rather than reporting
the virus, she immediately scans her system and is happy that it is now clean.
5. An accountant named Rolly uses ftp to download some files from the corporate
UNIX FTP server.
6. Angela, the NetWare administrator, configures the NetWare server for three grace
logins.
9. The human resource department has been locking their workstations when they
are not in use.
10. An IT administrator, Alex, installs a new Windows 2000 server, records the administrator
password, and locks it in the IT room.
You can find a suggested solution for this activity in the Monitoring.txt file in the Solutions folder in the student
data files.
Data Files:
• Monitoring.txt
Setup:
Tools are available on each computer in the C:\SPlus folder. Your computer is a Windows XP
computer named ITStaff1. Your user name is Admin# with a password of !Pass1234.
Scenario:
You’ve recently been hired to assist the security administrator at a large university. Your first
task is to try to figure out who has been trying to break in to student and faculty computers
across campus. The security administrator reports that his investigation so far has determined
that an intruder, possibly from within the campus network, has been scanning ports and trying
to access a number of computers using a variety of methods, including ftp, telnet, and HTTP.
The intruder may be trying to access and compromise sensitive data, such as exams that teachers
have stored on their hard drives and student grade reports.
The security administrator wants you to use Windows XP security audits, and the other tools at
your disposal, on a standalone Windows XP computer to try to lure the intruder and discover
who it is. You’ve been told to use the Windows XP computer SciFaculty1, which contains a
folder named Physics Exams that’s meant to appeal to the intruder. There is an administrative-
level account on the computer named Admin#. The Administrator has also copied the
following software onto the SciFaculty1 computer:
• NFR BackOfficer Friendly
• ISS RealSecure Desktop Protector evaluation version
You have the following software available on the ITStaff1 computer:
• @stake L0phtCrack4
• Foundstone SuperScan v2.0
Before you go live on the network with the new honeypot, you’ve been instructed to install
and test the intrusion detection software and the security audits.
6. Try to connect to SciFaculty1 from your computer using at least one user account.
Try to access the Physics Exams folder using the C$ administrative share.
10. What types of events were written to the security log on SciFaculty1?
1. True True or False? A supposed customer calls the help desk stating that she cannot
connect to the e-commerce Web site to check order status. She would also like a
user name and password. The user gives a valid customer company name, but is not
listed as a contact in the customer database. The user doesn’t know the correct company
code or customer ID.
3. False True or False? A new accountant was hired and is requesting that a copy of
the accounting software be installed on his computer so he can start working
immediately. Last year, someone internal compromised company accounting records,
so distribution of the accounting application is tightly controlled. You have received all
the proper documentation for the request from his supervisor and there is an available
license for the software.
4. True True or False? Christine receives a message in her instant messaging software
asking for her account and password. The person sending the message states that the
request comes from the IT department, because they need to do a backup of Christine’s
local hard drive.
5. True True or False? Rachel gets an email with an attachment that is named
NewVirusDefinitions.vbs.
6. True True or False? A user calls the help desk stating that he is a phone technician
needing the password to configure the PBX and voice mail system.
7. True True or False? A security guard lets a vendor team through without a required
escort as they have shirts on from the preferred vendor, and they stated they were
called in to fix an urgent problem. The guard attempted to call the authorization contact
in the organization, but the phone was busy for over 10 minutes.
8. False True or False? The CEO of the organization needs to get access to data
immediately. You definitely recognize her voice, but a proper request form hasn’t
been filled out to modify the permissions. She states that normally she would fill out
the form and should not be an exception, but she urgently needs the data.
Solutions 377
SOLUTIONS
Activity 1-2
1. Kim, a help-desk staffer, gets a phone call from Alex in human resources stating that
he can’t log on. Kim looks up the account information for Alex and sees that the
account is locked. This is the third time the account has locked this week. Alex insists
that he was typing in his password correctly. Kim notices that the account was locked
at 6 A.M.; Alex says he was at a meeting at a client’s site until 10 A.M. today. It seems
like a case of a password attack.
2. Judi, who does backups, states that according to her log files, an IT administrator performed
a restoration on the accounting server last night. You send out an email asking
all the members of the IT department whether there were any problems with the servers
last night as you see nothing entered on the IT problem log forms. All of IT
responds stating no problems occurred last night. Something isn’t right, and it all adds
up to a misuse of privilege attack.
3. You find out the security log was cleared on the file and print server. No one in IT
claims responsibility. No matter who did this, you consider it an audit attack.
4. Your antivirus software has detected the ILOVEYOU virus. You’re under attack from a
malicious code attack.
5. While administering user accounts you notice that a new account called LyleBullock
has been created on your server. You know of no user in your organization with that
name. The account also is part of the administrators group. It’s a classic backdoor
attack.
6. While you are connected to another host on your network, the connection is suddenly
dropped. When you review the logs at the other host, it appears as if the connection is
still active. You suspect a hijacking attack.
7. Your e-commerce Web server is getting extremely slow. Customers are calling stating
that it is taking a long time to place an order on your site. This could be a Denial of
Service (DoS) attack.
8. Your intranet Webmaster, Tim, has noticed an entry in a log file from an IP address
that is within the range of addresses used on your network. Tim does not recognize
the computer name as valid. Your network administrator, Deb, checks the DHCP server
and finds out the IP address is not in any of the scopes. This seems to be a case of an
IP spoofing attack.
9. Tina, the network analysis guru in your organization, analyzes a network trace capture
file and finds out that packets have been intercepted and retransmitted to both a
sender and a receiver. You’ve experienced a man-in-the-middle attack.
10. You get an email from an outside user letting you know in a friendly way that she
found it very easy to determine the correct password to access your FTP server. To
prove it, she includes the FTP password in the email. All your files are still on the FTP
server and have not been modified. Although this person had no malicious intent, you
still consider it an eavesdropping attack.
Activity 1-3
1. An intruder enters a locked building at night and steals five laptops from various users
in the software development department. What type of attack is this?
This is a hardware attack.
3. To obtain user names and passwords, an attacker installs a device on a keyboard that
records the user’s keystrokes. What type of attack is this?
This is a hardware attack.
4. An attacker removes the battery backup on a critical server system and then cuts
power to the system, causing irreparable data loss. What type of attack is this?
This is a hardware attack.
Lesson 1 Follow-up
Lesson 1 Lab 1
1. A help desk person in your organization sniffs the network for telnet user accounts and
passwords. She then uses this information to log on to the network to steal sensitive
data. What type of attack(s) did the attacker use? Eavesdropping and misuse of privilege
attacks.
2. The help desk receives a call from someone claiming to be a support person asking the
FQDN and IP address of the Web server in your organization. A short while later, no
one on the Internet can get to your Web server because the performance has suddenly
dropped. What type of attack(s) did the attacker use? Social engineering and DoS/DDoS
attacks.
3. An IT administrator looks at human resource records, then deletes the audit log file
to erase any records of him accessing the files. Just to be sure he hides his steps, he
also does a restore from tape. The next day, he tells the other IT folks that there was a
problem with the server hard drive and he had to restore a tape backup. What type
of attack(s) did the attacker use? Misuse of privilege, audit, and social engineering
attacks.
4. A user forwards an email with attachments to other users in the organization. The
email stated that a person was in dire need of help and to please forward the email to
others immediately. It causes a virus to spread within the organization. What type of
attack(s) did the attacker use? Malicious code and social engineering attacks.
5. An attacker scans your network and finds Port 21 open. She then retrieves a user name
and password for your server. After logging on, she creates an account with administrative
privileges. Later, she logs on with that account and steals data. What type of
attack(s) did the attacker use? Port scanning, eavesdropping, and backdoor attacks.
Lesson 2
Activity 2-1
Activity 2-2
4. What other types of policy documents might you need in order to create a complete
security policy?
Acceptable Use Policy; Audit Policy; Extranet Policy; Wireless Standards Policy.
5. Which of the general components of a policy document are represented in this document?
The document includes a policy statement (sections 1.0, 2.0, and 3.0), policy standards
(section 4.1 and section 5.0), and guidelines (the remaining sections). It does not provide
procedure steps for creating or changing passwords to conform to the policy.
8. Would “gandalf8” be an acceptable password according to this policy? Why or why not?
No. It is simply the name of a fantasy character, followed by a digit. This is prohibited in
section 4.2 A.
Activity 2-3
2. Is there a password policy setting that lets you set a minimum password age?
Yes, under Account Policies, Password Policy, you can configure a minimum password age.
4. Is there a way to lock out a user after he or she has entered the wrong username or
password three times?
Yes, under Account Policies, Account Lockout Policy, you can configure an account lockout
threshold to lock out users after three failed logon attempts.
5. By default, which users have been assigned the right to log on locally to a Windows XP
computer?
Members of the Administrators, Backup Operators, Power Users, and Users groups. Also,
you can use the Guest account to log on to the computer. You can view these settings in
the Log On Locally Policy in Local Policies, User Rights Assignment.
6. Is there a security option that will allow you to create and display a warning banner
when users log on?
Yes, under Local Policies, Security Options, there’s a setting named Interactive Logon:
Message Text For Users Attempting To Log On. You can enter a message to users using this
setting that warns them against improper use of the computer.
9. True True or False? Security settings configured at the domain level will override
local policy settings on Windows XP computers in that domain.
Activity 2-4
2. In addition to monitoring the overall security of a network and its resources, why else
might events in the security log be important?
Answers might include: They could be used at a later date as evidence in the prosecution
of an attacker; and evidence of attacks could be used to justify increased spending on
resources and equipment to increase network security.
4. What type of threat or attack could you discover by monitoring successful user logons?
Successful logons, depending on time, day, or location of the logon, could indicate successful
password attacks, stolen user credentials, or even misuse of privilege.
5. What type of attack could you discover by monitoring successful changes to user or
group accounts?
Depending on the circumstance, you could uncover misuse of privilege attacks.
Activity 2-5
2. How do the password policy settings differ in the compatws and securews templates?
In the compatws templates, none of the password policies are defined, whereas there are
password policy settings defined in the securews template.
3. If you want to audit account logon events and account management, but not object
access, which security template would you use?
You would use the securews security template.
4. Which workstation template uses restricted groups to protect the Administrators and
Power Users groups?
The hisecws template.
5. If you want to reset the system-wide security policy settings to the default configuration,
you would apply the setup security template.
6. Why would you choose to use Group Policy to apply security templates instead of
applying the templates locally to individual computers?
You might choose to use Group Policy if you want to deploy security templates to multiple
computers throughout an organization. It would be easier to use Group Policy to
assign the templates at the domain or OU level than it would be to apply templates individually
to multiple computers.
Activity 2-6
16. Can you tell if all current security patches have been implemented on the Windows XP
Professional system? If not, why?
If you are not connected to the Internet, MBSA will be unable to read the list of current
security patches from Microsoft. If the system determines that there are current patches
that have not been implemented, this could mean that Microsoft released additional
patches since this course was written. Make sure to check www.microsoft.com/security
and the Windows Update Web site (http://windowsupdate.microsoft.com) for the latest
security patches.
17. How would you fix some of the problems the scan has detected?
Answers may vary, but one step would be to disable unneeded services. This is not called
for in the bank’s security recommendations document, however.
Activity 2-7
10. Can you tell if all current security patches have been implemented on the Windows
2000 Server system? If not, why?
If you are not connected to the Internet, MBSA will be unable to read the list of current
security patches from Microsoft. If the system determines that there are current patches
that have not been implemented, this could mean that Microsoft released additional
patches since this course was written. Make sure to check www.microsoft.com/security
and the Windows Update Web site (windowsupdate.microsoft.com) for the latest security
patches.
11. How would you fix some of the problems the scan has detected?
Answers may vary, but one would be to disable unneeded services. This is not called for in
the bank’s security recommendations document, however.
Activity 2-9
3. What other security templates are available in a default installation of Windows 2000?
Some answers are: hisecws.inf and compatws.inf.
Activity 2-10
Activity 2-11
2. How can you prevent users from stealing print jobs from the printers?
Answers may vary, but you could lock the room the printer is in or get a tray that locks on
the printer itself.
5. What could you do with the default administrative shares to harden the Windows 2000
server?
Don’t share them on startup. However, this would eliminate some remote administrative
capabilities.
Lesson 3
Activity 3-1
2. Why would you not check Activate Authentication in the General properties for RIP on
the Local Area Connection interface?
The password is sent unencrypted and is not meant to be used as a security option. If an
attacker used a sniffer, then he or she would see the password.
3. What type of attacks do the default Advanced settings for RIP on the Local Area Connection
interface protect against?
These settings will protect against attacks that would attempt to update the routers
incorrectly to cause looping and convergence problems on the routers.
5. What is the security benefit of the peer security feature that you have just enabled?
The router will now only accept update announcements from the peer router. Any other
announcements (for example, from an attacker’s router) will be discarded.
Activity 3-3
2. Of the three Web servers you currently have, which can you use the IIS Lockdown tool
to secure?
You can use it on both the Windows NT 4.0 and Windows 2000 Web servers.
4. True True or False? You can use the IIS Lockdown tool to completely remove IIS
from a server.
5. False True or False? You may not make any manual changes after running the IIS
Lockdown tool.
You may make any manual configuration changes you need after you run the IIS Lockdown
tool.
Activity 3-5
7. How did you identify the frame containing the clear-text password?
It is an FTP protocol request. The Description column entry reads “Req. from port [####],
‘PASS !Pass1234’.”
Activity 3-7
6. Other than restricting logons, how else could you protect against an eavesdropping
attack against clear text FTP passwords?
Answers may vary; for example, you could encrypt data that is being sent from the FTP
client to the FTP server by using IPSec.
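The frame Activity 3-5 has you locate (an FTP PASS request carrying the password in clear text) is exactly the kind of exposure Activity 3-7 asks you to mitigate. As an added example that is not part of the course files, the Python below scans constructed control-channel records (client address, destination port, payload) for USER/PASS commands and reports each clear-text login with the password masked, so the finding can go into a report without copying the credential.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of FTP control-channel frames (client -> server, TCP port 21).
# The second payload mirrors the "PASS !Pass1234" request the activity has you find.
SAMPLE_FRAMES = [
    ("10.0.0.15", 21, "USER ftpadmin\r\n"),
    ("10.0.0.15", 21, "PASS !Pass1234\r\n"),
    ("10.0.0.22", 21, "user anonymous\r\n"),            # FTP commands are case-insensitive
    ("10.0.0.22", 21, "PASS guest@example.internal\r\n"),
    ("10.0.0.31", 21, "PASS orphan-secret\r\n"),         # PASS with no preceding USER
    ("10.0.0.40", 80, "GET /index.html HTTP/1.0\r\n"),   # not FTP control traffic; ignored
]

@dataclass
class ClearTextLogin:
    client: str
    user: Optional[str]        # None when the capture shows PASS without a USER
    masked_password: str

FTP_CMD = re.compile(r"^(USER|PASS)\s+(.*?)\s*$", re.IGNORECASE)

def mask(secret: str) -> str:
    """Keep only the length visible so the report never carries the credential itself."""
    return "*" * len(secret)

def find_cleartext_ftp_logins(frames, ftp_port: int = 21) -> List[ClearTextLogin]:
    """Walk control-channel frames in capture order and pair each PASS with the last USER
    seen from the same client. Every PASS is a credential that crossed the wire unencrypted."""
    pending_user = {}          # client address -> last USER value seen
    findings: List[ClearTextLogin] = []
    for client, dport, payload in frames:
        if dport != ftp_port:
            continue
        # One TCP segment may carry several commands; look at each line.
        for line in payload.splitlines():
            m = FTP_CMD.match(line)
            if not m:
                continue
            cmd, arg = m.group(1).upper(), m.group(2)
            if cmd == "USER":
                pending_user[client] = arg
            else:
                findings.append(ClearTextLogin(client, pending_user.pop(client, None), mask(arg)))
    return findings

if __name__ == "__main__":
    for f in find_cleartext_ftp_logins(SAMPLE_FRAMES):
        print(f"{f.client}: user={f.user!r} password={f.masked_password}")
```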
Activity 3-9
Activity 3-10
3. What authentication methods should be enabled on the Instant Messaging Virtual Directory
if users log on through a proxy server?
a) Anonymous access
b) Basic authentication
✓ c) Digest authentication
d) Integrated Windows authentication
4. True True or False? If you use Digest Authentication, you must configure user passwords
to be stored using reversible encryption.
Lesson 4
Activity 4-1
1. Why use IPSec? Why isn’t it enough to harden the servers and the client computers?
While hardening servers and clients secures those computers, their communications—that
is, the packets they exchange across a network—are still vulnerable to attack. IPSec
secures the packets as they travel from one computer to another, securing that data
against any known form of attack.
3. If you want a Windows 2000 server to request negotiations for a secure session but still
communicate with a computer that does not respond to the request, you would use
the Server default IPSec policy.
4. If you want a Windows 2000 server to require secure communications at all times and
not communicate with another computer that can’t negotiate a secure session, you
would use the Secure Server default IPSec policy.
9. True True or False? You must explicitly assign a policy to a computer to apply its
settings to that computer.
10. What would happen if you had a Secure Server policy assigned to a Windows 2000
server but no Client policies assigned to the Windows XP computers in the network?
The Windows XP computers would not be able to communicate with the Windows 2000
server.
Activity 4-2
3. Why are there Server and Secure Server policies on a Windows XP computer?
Because you can use them to request or require a secure connection to a Windows XP
computer.
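The default policies in Activity 4-1 (questions 3, 4 and 10) and Activity 4-2 behave like a small decision table, and pairings are easy to get wrong when planning a rollout. As an added example, not from the course, the Python below models the outcome for each pair of computers under a simplified reading of those policies (Client only responds, Server requests and falls back to clear text, Secure Server requires security); it ignores per-rule exceptions the real default policies contain, such as permitted ICMP.

```python
from enum import Enum

class Policy(Enum):
    """Default IPSec policies from the activity, plus the 'nothing assigned' case."""
    NONE = "no policy assigned"
    CLIENT = "Client (Respond Only)"
    SERVER = "Server (Request Security)"
    SECURE_SERVER = "Secure Server (Require Security)"

INITIATES = {Policy.SERVER, Policy.SECURE_SERVER}                 # asks the peer to negotiate
RESPONDS = {Policy.CLIENT, Policy.SERVER, Policy.SECURE_SERVER}   # can answer such a request

def negotiate(a: Policy, b: Policy) -> str:
    """Outcome of traffic between two computers: 'secured', 'cleartext' or 'blocked'.

    Simplified model: negotiation succeeds when at least one side requests security and
    both sides can respond. If it does not happen, Secure Server refuses to fall back to
    clear text; everything else talks unprotected."""
    someone_asks = a in INITIATES or b in INITIATES
    both_can_negotiate = a in RESPONDS and b in RESPONDS
    if someone_asks and both_can_negotiate:
        return "secured"
    if Policy.SECURE_SERVER in (a, b):
        return "blocked"       # Require Security never sends or accepts unprotected packets
    return "cleartext"

def matrix():
    """Every pairing, for checking a planned deployment before assigning policies."""
    return {(a.name, b.name): negotiate(a, b) for a in Policy for b in Policy}

if __name__ == "__main__":
    for (a, b), outcome in sorted(matrix().items()):
        print(f"{a:14} <-> {b:14}: {outcome}")
```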
Lesson 5
Activity 5-1
Activity 5-2
3. Suppose the University wanted only faculty members to be able to enroll certificates
from its Enterprise CAs. How would you configure security?
Create an Active Directory group containing all the faculty user accounts, grant that
group Read and Enroll permissions to the templates, and remove the Enroll permission
from the Authenticated Users group.
Activity 5-3
2. If you did lose your root CA due to system failure and you did not have the password to
restore, what would happen to the certificates that have already been issued?
The certificates would be rejected as invalid.
Lesson 6
Activity 6-2
Activity 6-4
Activity 7-2
1. A user opens an attachment which causes a virus to spread within the organization.
The policy does not call for legal action in this situation. However, disciplinary action
may be taken.
2. A user emails a copy of a new type of encryption software program to a user in a foreign
country for testing.
Depending on your locality and the destination country, this may be a legal violation of
export control laws and legal action might be taken.
3. A user scans your network for open ports.
The policy does not call for legal action in this situation. However, disciplinary action
may be taken.
5. Two employees have an argument at lunchtime. During the afternoon, one user sends
a threatening email to the other. The second employee is afraid to leave the building
unescorted that evening.
Hostile or threatening messages could be considered a form of harassment, which could
be subject to legal action according to the policy.
Activity 7-3
2. A Business Continuity Plan is a policy that defines how normal day-to-day business will
be maintained in the event of a major systems failure.
6. What tools are available to help you create a BCP and DRP?
There are seminars, software utilities, and consulting services available.
7. In your opinion, which of the tools you’ve found in your research would be most helpful
to you in creating a BCP or DRP? Why?
Answers will vary. One possible answer is a consulting firm that can assess needs and create
a customized plan. This could save the cost of creating a BCP or DRP in-house.
8. You’ll probably see in your research that risk assessment is an important part of creating
a BCP. Why is that?
By completing a risk assessment, you can determine what parts of the business are most
vulnerable and which are of greatest consequence. You can then formulate a plan to
recover from attack and keep the most important parts of your business operating.
9. In your opinion, of buildings, devices, and communications, which do you think is generally
most vulnerable to attack? Which do you think would be most difficult to
recover?
Answers will vary.
2. Besides using blinds and locks on the windows, what else could you recommend using
to secure the windows from unauthorized access?
You could install obscurity filming or even metal bars.
3. Once the motion-detection alarms are installed, what procedure will you need to follow
to verify they are working properly?
You will need to perform a walktest.
4. Given the security requirements of this company and the category of risk the computing
center falls into, what other physical security recommendations could you make,
based on this document?
Answers may vary; for example, the escorted contractors should give 48 hours notice on
what they will be doing. Computers could be placed at least 1.5 meters from external
windows.
Activity 7-5
4. What education steps do you recommend taking in response to this incident?
Answers might include: This seems to be an isolated incident, so you should be sure to
address it with the employee in question by reviewing all security policies with her and
emphasizing the possible consequences of her actions. You should probably also post all
security policies in an easily-accessible location on the network and send out a company-wide
reminder about them. However, because this employee never even attempted to
refer to the policy, the inaccessibility of the policy documents was not a contributing factor
in this incident. Finally, you should review your new-hire security training procedures
to be sure they include common-sense tips on building security.
Lesson 8
Activity 8-1
3. What ports were open on your Windows 2000 Server? Should these ports be open?
Because this server is hosting so many different services, there will be many ports open.
For example, the DNS service runs on port 53. Active Directory uses ports 88, 389, 445,
464, and 636. Ports 23, 25, 110, 143 and 995 support Microsoft Exchange. The Web server
uses 80 and 443. Network connections are created on port 135. The network news service
will use 119 and 563. Ports higher than 1024 are dynamically-assigned ports not associated
with a particular service on this server.
5. What ports were open on the Server100 computer? Should these ports be open?
Results should be similar to the local computer scan.
7. Given this analysis information, what steps could you take to harden your system further?
Answers will vary. For example, you could create stronger password policies.
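A practical follow-up to questions 3, 5 and 7 is to compare a scan result against the list of expected listeners the answer gives, so that anything else stands out as a hardening candidate. The Python below is an added example, not from the course or its tools: the scan lines are constructed in a simple "host port/proto open" format (not SuperScan output), the service labels are mine, and it goes one step beyond the answer's "above 1024 is dynamic" rule by keeping a short list of well-known high ports (SQL Server 1433, Remote Desktop 3389) so they are not mistaken for ephemeral ports.

```python
import re
from collections import defaultdict

# Expected TCP listeners, taken from the answer above (service labels are mine).
EXPECTED_SERVICES = {
    "DNS": {53},
    "Active Directory": {88, 389, 445, 464, 636},
    "Exchange": {23, 25, 110, 143, 995},
    "Web server": {80, 443},
    "RPC endpoint mapper": {135},
    "NNTP": {119, 563},
}
# Well-known services above 1024 that the "dynamic port" rule of thumb would hide (added here).
KNOWN_HIGH_PORTS = {1433: "SQL Server", 3389: "Remote Desktop"}
EPHEMERAL_START = 1025

# Constructed scan result (not real tool output), one "host port/proto open" line per finding.
SAMPLE_SCAN = """\
Server100 53/tcp open
Server100 135/tcp open
Server100 389/tcp open
Server100 443/tcp open
Server100 1433/tcp open
Server100 3389/tcp open
Server100 1030/tcp open
Server100 25/tcp open
Server100 53/udp open
"""

LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+open$")

def parse_scan(text):
    """Return {host: sorted list of open TCP ports} from the constructed scan format."""
    hosts = defaultdict(set)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(3) == "tcp":      # UDP findings would need their own baseline
            hosts[m.group(1)].add(int(m.group(2)))
    return {host: sorted(ports) for host, ports in hosts.items()}

def classify_ports(open_ports, expected=EXPECTED_SERVICES):
    """Bucket each open port: expected service, unexpected listener, or likely ephemeral."""
    port_to_service = {p: svc for svc, ports in expected.items() for p in ports}
    result = {"expected": {}, "unexpected": {}, "ephemeral": []}
    for port in sorted(set(open_ports)):
        if port in port_to_service:
            result["expected"][port] = port_to_service[port]
        elif port in KNOWN_HIGH_PORTS:      # numerically "dynamic", but a real service
            result["unexpected"][port] = KNOWN_HIGH_PORTS[port]
        elif port >= EPHEMERAL_START:
            result["ephemeral"].append(port)
        else:
            result["unexpected"][port] = "unknown service"
    return result

def report(text):
    """Per-host classification; anything under 'unexpected' is a hardening candidate."""
    return {host: classify_ports(ports) for host, ports in parse_scan(text).items()}

if __name__ == "__main__":
    for host, buckets in report(SAMPLE_SCAN).items():
        print(host, buckets)
```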
Activity 8-3
Activity 8-4
7. What should you do to prevent any of the passwords on this system from being stolen
by an attacker?
Implement strong passwords for all users. Restrict membership of the administrators
group to prevent misuse of privilege attacks.
Activity 8-6
Activity 8-7
9. What was the source IP address of the attack? How can this assist you in finding the
attacker?
The source IP was the attacker’s computer. Once you have the IP address, you can track
the computer using that IP on campus. You can either physically go see who is using that
computer, or view log files to see who logged on.
10. Why would you suspect this student was the previous attacker to the FTP site?
The attacker used Dean Allison Ager’s name when attempting to log on. The dean suspected
she was the vulnerable account.
Activity 8-8
3. What do you think are the most important components in the policies you’ve found?
Answers will vary.
4. How do you think the policies you’ve found answer the questions in the concepts preceding
this activity?
Answers will vary.
5. In general, do you think it’s important to notify employees of ordinary security incidents?
Why or why not?
Answers will vary.
Activity 8-9
6. Which packets in the capture created the DoS condition? (You might need to widen the
Description column.)
All the packets with a destination of Port 80.
8. What is the first thing you should consider doing in response to this DoS attack?
You should consider doing nothing. If the attack is not degrading service, a response
might only warn an attacker to be more careful next time. By watching and waiting, you
might be able to accumulate evidence and take definitive action against the attacker.
10. What steps should you take once the attack is resolved?
Following any attack, you should always re-evaluate your system hardening procedures;
for example, you can scan your system for open ports and close any unneeded ports.
Always keep in mind that you must not harden a system so much that it becomes
inaccessible.
11. If the attacker wanted to automate the attacks instead of having to do so manually,
what can the attacker do?
Install zombie agents (or drones) on each computer.
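Finding the packets behind question 6, and then watching and accumulating evidence as question 8 recommends, is something a defender can script. The Python below is an added example, not from the course: it runs over constructed traffic (not the lab capture) and flags any source whose packet rate toward port 80 exceeds a threshold inside a sliding one-second window, keeping per-source totals and first/last timestamps for the incident record.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed traffic as (time_s, src, dst, dst_port): one host hammers port 80,
    a normal client browses once a second, and a third host sends mail traffic."""
    pkts = []
    for i in range(200):                                   # 200 packets in half a second
        pkts.append((i * 0.0025, "192.168.5.77", "10.1.1.10", 80))
    for i in range(10):                                    # ordinary Web client
        pkts.append((i * 1.0, "192.168.5.12", "10.1.1.10", 80))
    for i in range(5):                                     # port 25: not the targeted service
        pkts.append((i * 0.5, "192.168.5.99", "10.1.1.10", 25))
    return sorted(pkts)

def flood_sources(packets, target_port=80, window=1.0, threshold=100):
    """Return {src: evidence} for sources that sent more than `threshold` packets to
    `target_port` within any `window`-second span. Evidence carries the totals a
    watch-and-wait response needs before taking definitive action."""
    recent = defaultdict(deque)    # src -> timestamps still inside the sliding window
    stats = defaultdict(lambda: {"packets": 0, "first_seen": None,
                                 "last_seen": None, "peak_rate": 0})
    for ts, src, _dst, dport in sorted(packets):
        if dport != target_port:
            continue
        s = stats[src]
        s["packets"] += 1
        if s["first_seen"] is None:
            s["first_seen"] = ts
        s["last_seen"] = ts
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        s["peak_rate"] = max(s["peak_rate"], len(q))
    return {src: s for src, s in stats.items() if s["peak_rate"] > threshold}

if __name__ == "__main__":
    for src, evidence in flood_sources(build_sample()).items():
        print(src, evidence)
```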
Activity 8-10
Appendix B
Activity B-1
Activity B-2
4. Why shouldn’t you look into the end of a fiber connector or socket, even if you don’t
see a light?
The infrared light might not be visible to the human eye but will still cause eye damage.
6. How many fiber conductors are needed to implement a full duplex connection?
Two: one for transmit (TX) and one for receive (RX).
GLOSSARY
802.11a
A more expensive but faster wireless protocol than 802.11b. 802.11a supports speeds up to 54 Mbps in the 5 GHz band.

802.11b
Also marketed as Wi-Fi (a Wi-Fi Alliance trademark, not an abbreviation). 802.11b is probably the most common and certainly the least expensive wireless network protocol used to transfer data among computers with wireless network cards, or between a wireless computer or device and a wired LAN. 802.11b provides an 11 Mbps transfer rate in the 2.4 GHz band.

AH protocol
(Authentication Header protocol) The IPSec protocol that provides data integrity and origin authentication using a keyed hash (HMAC) built on MD5 or SHA-1. AH computes the hash over the immutable fields of the IP header and the data payload, then inserts its own header into the packet. AH does not encrypt the payload.

anomaly/profile-based analysis
An IDS analysis method that looks for network, host, or application behavior that deviates from preset parameters or a learned baseline of normal activity. Also known as profile-based analysis.

application-based IDS
An IDS software component that monitors a specific application on a host.

asymmetric encryption algorithm
A cryptographic algorithm that uses a key pair: one key (the public key) for encryption and a different, mathematically related key (the private key) for decryption.

audit attack
A type of software attack in which an attacker covers his trail by deleting or altering audit log entries that might point to an intrusion.

AUP
(Acceptable Use Policy) A security policy that defines what constitutes appropriate and inappropriate use of resources within the organization.

authentication
The process of proving a user's or computer's identity.

authorization
The process of taking an authenticated user's identity and allowing or denying access to specific network resources.

backdoor
A mechanism for gaining access to a computer that bypasses or subverts the normal method of authentication. Back Orifice is an example of a backdoor.

backdoor attack
A type of attack in which the attacker creates a mechanism to gain access to a system and its resources. This can involve software or a bogus user account.

BCP
(Business Continuity Plan) A policy that defines how normal day-to-day business will be maintained in the event of a major systems failure.
Glossary 397
black hat
A hacker who exploits or exposes vulnerabilities for financial gain or for some malicious purpose.

block cipher
A type of symmetric encryption that encrypts data a fixed-size block at a time, commonly 64-bit blocks (DES, 3DES) or 128-bit blocks (AES). Block ciphers are generally slower than stream ciphers; their security depends on the cipher and its mode of operation, not on the block structure itself.

brute force attack
A type of password attack in which an attacker uses an application to exhaustively try every possible character combination in order to recover passwords from their stored hashed or encrypted form.

buffer overflow attack
An attack that exploits fixed-size data buffers in a target piece of software by sending more data than the buffer can hold, overwriting adjacent memory.

bulk encryption key
A session key generated from a master key and used to encrypt the actual data traffic. Schannel and Internet Key Exchange (IKE) use bulk encryption keys.

CA
(Certificate Authority) An authority in a network that issues digital certificates. CAs can provide information to others regarding the authenticity of certificates. Most CAs follow the Public Key Cryptography Standards (PKCS).

CA hierarchy
A PKI model based on the parent/child relationship between a root CA and the subordinate CAs beneath it.

certificate enrollment
The process of an entity (such as a user, server, or application) applying for a digital certificate from a CA.

certificate life cycle
The lifetime of a certificate from initial issuance to expiration or revocation.

certificate lifetime
The length of time a certificate is valid.

certificate management system
A system that provides the software tools to perform the day-to-day functions of the PKI.

certificate policy
A security policy that determines what information a digital certificate will contain and the parameters for that information.

certificate practice statement
A document that states how the CA will implement the certificate policy.

certificate repository
A database containing digital certificates.

chain of custody
A complete inventory of evidence that shows who has handled specific items and where they have been stored.

ciphertext
Another name for encrypted data.

corporate security policy
A collection of individual security policies that defines how security will be implemented within a particular organization.

cracker
A user who gains unauthorized access to computers and networks for malicious purposes.

CRL
(Certificate Revocation List) A CA-signed list of certificates that have been revoked before their expiration date and are no longer valid.

DAC
(Discretionary Access Control) In DAC, access is controlled based on a user's identity. Objects are configured with a list of users who are allowed access to them, and the object's owner (or an administrator) has the discretion to place a user on the list or not. If a user is on the list, access is granted; if not, access is denied.

DDoS attack
(Distributed Denial of Service attack) A software attack in which an attacker hijacks or manipulates multiple computers (zombies or drones) on disparate networks to carry out a DoS attack against a target.
ethical hack
A hack performed, usually by an authorized third party, to test an organization's security infrastructure and find weaknesses.

guideline
A suggestion for meeting the policy standard or best practices.

hacker
A user who excels at programming or at managing and configuring computer systems (or both). Often used improperly to refer to a cracker.

hardening
The process of securing a computer or other device according to a determined security policy.

hardware attack
An attack that targets a computer's physical components and peripherals, including its hard disk, motherboard, keyboard, network cabling, or smart card reader.

hash value
A fixed-size numerical result generated from a piece of data by a mathematical calculation called a hashing algorithm. Also called a message digest.

hashing algorithm
A one-way algorithm used to generate a message digest for some piece of data; any change to the data produces a different digest.

HIDS
(Host-based IDS) An IDS that uses primarily software installed on a specific host, such as a Web server.

hijacking attack
A software attack in which the attacker takes control of (hijacks) an established TCP session to gain access to data or network resources using the identity of a legitimate network user.

honeypot
A security tool used to lure attackers away from the actual network components and to observe their activity. Also called a decoy or sacrificial lamb.

IKE
(Internet Key Exchange) Used by IPSec to negotiate security associations and create a master key, which in turn is used to generate bulk encryption keys for encrypting data. (IKE is a newer term for the combination of the Internet Security Association and Key Management Protocol and the Oakley key generation protocol, usually seen as ISAKMP/Oakley.)

IP spoofing attack
A type of software attack in which an attacker creates IP packets with a forged source IP address and uses those packets to gain access to a remote system or to evade address-based filtering.

IPSec
(Internet Protocol security) A set of open, non-proprietary standards that you can use to secure data as it travels across the network or the Internet through data authentication and encryption. Many operating systems and devices support IPSec, including Windows 2000, Windows XP, NetWare 6, Solaris 9, and routers.

IPSec driver
The driver that watches packets being sent and received to determine whether they need to be signed and encrypted, based on Group Policy or local Registry settings.

IPSec Policy Agent
A service that runs on each Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional computer and that transfers IPSec policy from Active Directory or the local Registry to the IPSec driver.

master key
A key that is used by a client and a server to generate session keys.
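The hash value, hashing algorithm and brute force attack entries describe the pieces separately. The following Python program is an added example, not code from the courseware, that puts them together: it shows that a digest is fixed-size and changes completely on a one-character change, stores a password both as an unsalted MD5 digest and as a salted, iterated PBKDF2 digest, and runs the same exhaustive brute-force search against each. The alphabet, the sample password, the salt and the iteration counts are illustrative choices.

```python
# Added example for the hash value, hashing algorithm and brute force attack
# entries; not part of the Security+ courseware. Passwords, alphabet, salt and
# iteration counts below are illustrative choices.
import hashlib
import hmac
import itertools
import string
import time


def hash_value(data: bytes, algorithm: str = "sha256") -> str:
    """Message digest (hex) of arbitrary-length data via a hashing algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Digest size is a property of the algorithm, not of the input length."""
    return hashlib.new(algorithm).digest_size * 8


def differing_bits(a_hex: str, b_hex: str) -> int:
    """Bit positions that differ between two digests (avalanche effect)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


# --- weak storage: unsalted, fast hash (what the brute force entry targets) ---
def weak_store(password: str) -> str:
    return hash_value(password.encode(), "md5")


def weak_check(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


# --- stronger storage: per-user salt plus an iterated, deliberately slow KDF ---
def strong_store(password: str, salt: bytes, iterations: int = 50_000) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_check(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def brute_force(check, stored: str, alphabet: str, max_len: int):
    """Exhaustively try every combination of up to max_len characters.
    Returns (recovered password or None, attempts made, seconds taken)."""
    attempts = 0
    start = time.perf_counter()
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(combo)
            if check(guess, stored):
                return guess, attempts, time.perf_counter() - start
    return None, attempts, time.perf_counter() - start


def demo():
    """Crack the same weak 3-character password under both storage schemes.
    The iteration count is kept small so the demo finishes quickly; real
    deployments use far more, which multiplies the attacker's cost."""
    alphabet = string.ascii_lowercase + string.digits  # 36 symbols
    password = "ab1"                                   # constructed, deliberately weak
    salt = b"\x01" * 16                                # constructed; use os.urandom in practice
    weak = brute_force(weak_check, weak_store(password), alphabet, 3)
    strong = brute_force(strong_check, strong_store(password, salt, 2_000), alphabet, 3)
    return {"weak": weak, "strong": strong}


if __name__ == "__main__":
    print(hash_value(b"abc"), digest_bits("sha256"))
    print(differing_bits(hash_value(b"abc"), hash_value(b"abd")), "of 256 bits differ")
    print(demo())
```

Both searches need the same number of guesses, because salting and iteration do not shrink the search space; what they change is the cost per guess, and that cost is paid by the attacker for every candidate. The unsalted fast hash also lets an attacker precompute digests once and reuse them against every account.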
PKCS
(Public Key Cryptography Standards) A set of standards, published by RSA Laboratories with input from other vendors, for exchanging information securely over the Internet using a public key infrastructure (PKI).

PKCS #10 - Certification Request Syntax Standard
A PKCS that describes the syntax used to request certification of a public key and other information.

PKCS #7 - Cryptographic Message Syntax Standard
A PKCS that describes the general syntax used for cryptographic data such as digital signatures and enveloped (encrypted) messages.

private key
An encryption/decryption key that is kept secret and used by one individual or entity only. It is also used to digitally sign a message.

private root
A root CA created within a company for internal use by the company itself.

procedure
Instructions that detail specifically how to implement the policy.

public key
An encryption/decryption key that is distributed openly, including on public networks. A public key works in conjunction with its matching private key.

SA
(Security Association) The negotiated relationship between two computers using IPSec: the agreed algorithms, keys, and parameters for protecting their traffic. SAs are the result of the two-stage IKE negotiation process. Phase 1 establishes a protected channel between the peers; Phase 2 negotiates the SAs used to protect the data, one for each direction.

scanning
The phase in which the attacker uses specific tools to map an organization's infrastructure and discover vulnerabilities. The attacker scans the target's border routers, firewalls, Web servers, and other systems directly connected to the Internet to see which services are listening on which ports and to determine the operating system and manufacturer of each system.

signature-based analysis
An IDS analysis method that compares network, host, or application activity in the data stream with a database of known attack signatures.

smartcard
A device similar to a credit card that contains a user's private key. The user may or may not be required to use a PIN or password to access the information on the smartcard.

SMB protocol
(Server Message Block protocol) A protocol that runs on top of protocols such as TCP/IP, IPX/SPX, and NetBEUI, and is used to access shared network resources, such as files and printers.

sniffing
See eavesdropping attack.
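The IKE, master key, bulk encryption key and SA entries describe a chain: a key exchange yields a master key, and bulk keys for each SA are derived from it. The following Python program is an added example, not courseware code, that walks both peers through that chain with a Diffie-Hellman exchange over the 1024-bit MODP group from RFC 2409 (Oakley group 2). The nonce mixing and the per-SA derivation are a simplified stand-in for IKE's actual prf schedule, and the SPI labels are illustrative; the group itself is shown for realism, although 1024-bit groups are considered too small for new deployments.

```python
# Added example for the IKE, SA, master key and bulk encryption key entries;
# not part of the Security+ courseware. It models the key-agreement pattern IKE
# uses (Diffie-Hellman secret -> master key -> per-SA bulk keys) with a
# simplified key-derivation schedule, not IKE's exact prf chain or packet format.
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared_secret(private: int, peer_public: int) -> int:
    """g^xy mod p. Degenerate peer values (0, 1, p-1, >= p) are rejected because
    they would force the shared secret into a tiny, attacker-predictable set."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def master_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Phase 1 result: a SKEYID-like master key bound to both peers' nonces
    (simplified stand-in for IKE's prf(Ni | Nr, g^xy))."""
    return hmac.new(nonce_i + nonce_r, shared.to_bytes(P_BYTES, "big"),
                    hashlib.sha256).digest()


def bulk_keys(master: bytes, spi_in: bytes, spi_out: bytes) -> dict:
    """Phase 2 result: a distinct bulk encryption key per SA. Each direction is
    its own SA, identified by the SPI chosen by the receiving side."""
    def prf(label: bytes) -> bytes:
        return hmac.new(master, label, hashlib.sha256).digest()
    return {"in": prf(b"enc" + spi_in), "out": prf(b"enc" + spi_out)}


def ike_exchange() -> dict:
    """Run both sides of the exchange and return what each side ends up with."""
    # Each peer generates a DH pair and a nonce; public values and nonces cross the wire.
    x_i, pub_i = dh_keypair()
    x_r, pub_r = dh_keypair()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    # Each peer picks the SPI for the SA on which it will receive traffic.
    spi_i, spi_r = secrets.token_bytes(4), secrets.token_bytes(4)
    # Each side combines its own private exponent with the peer's public value.
    mk_i = master_key(dh_shared_secret(x_i, pub_r), nonce_i, nonce_r)
    mk_r = master_key(dh_shared_secret(x_r, pub_i), nonce_i, nonce_r)
    # The initiator's outbound SA is the responder's inbound SA, and vice versa.
    return {
        "master_i": mk_i,
        "master_r": mk_r,
        "initiator": bulk_keys(mk_i, spi_in=spi_i, spi_out=spi_r),
        "responder": bulk_keys(mk_r, spi_in=spi_r, spi_out=spi_i),
    }


if __name__ == "__main__":
    r = ike_exchange()
    print("master keys agree:", r["master_i"] == r["master_r"])
    print("initiator out == responder in:", r["initiator"]["out"] == r["responder"]["in"])
```

Neither side ever sends its private exponent or the master key; only public values, nonces and SPIs cross the wire, yet both arrive at identical bulk keys. The check in dh_shared_secret is the kind of caveat a real implementation must keep: accepting a peer public value of 1 or p-1 lets an active attacker fix the shared secret.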
social engineering attack
A type of attack in which the goal is to obtain sensitive data, including user names and passwords, from network users through deception and trickery.

software attack
A type of attack in which the goal is to disrupt or disable the operating systems and applications running on the computers in your enterprise.

software exploitation attack
A type of software attack in which an attacker attempts to gain access to a system or to sensitive data by exploiting a flaw or feature in an application.

spyware
Code that is secretly installed on a user's computer to gather data about the user and relay it to a third party.

SSL
(Secure Sockets Layer) A security protocol that combines digital certificates for authentication with RSA public key encryption to establish an encrypted session.

standard
A definition of how adherence to the policy will be measured.

stream cipher
A type of symmetric encryption that combines the plaintext with a keystream one bit or byte at a time, typically by XOR. These algorithms are relatively fast to execute, but reusing a keystream for two messages exposes the relationship between their plaintexts.

subordinate CA
A CA below the root in the hierarchy. It can create another CA under it or manage the day-to-day functions of issuing, revoking, renewing, and expiring certificates.

suspended certificate
A certificate that has temporarily been designated invalid for security purposes. Unlike a revoked certificate, it can later be reinstated.

symmetric encryption algorithm
A cryptographic algorithm that uses a single shared key for both encryption and decryption. The key is sometimes referred to as a session key.

SYN flood
A type of DoS attack in which the attacker sends many TCP SYN segments to a target host, often from spoofed source addresses, and never completes the three-way handshake, exhausting the target's table of half-open connections.

TACACS+
(Terminal Access Controller Access Control System Plus) A Cisco-designed protocol for providing centralized authentication, authorization, and accounting services for remote users and network device administrators. TACACS+ also supports multifactor authentication. RFC 1492 documents the original TACACS protocol; TACACS+ is a separate protocol that is not compatible with it.

takeover attack
A type of software attack in which an attacker gains access to a remote host and takes control of the system.

TLS
(Transport Layer Security) TLS version 1.0 provides a mechanism for two computers to verify each other's identity (authentication), to establish a secure, tamper-resistant channel for communication, and to encrypt data. TLS 1.0 is the IETF successor to SSL 3.0; the two are distinct protocol versions that do not interoperate directly, although an implementation may negotiate either one.

token
A value presented in addition to a username and password that provides an added layer of authentication, such as a one-time code generated by a hardware or software token device, a personal identification number (PIN), or a second, additional password.

Trojan horse
Malicious code that masquerades as a harmless file. When a user executes it, thinking it is a harmless application, it performs its hidden function, such as destroying or corrupting data on the user's hard drive or installing a backdoor.

trustee
An individual granted private key restoration rights and responsibilities.

virus
A piece of code that spreads from one computer to another by attaching itself to other files. The code in a virus runs when the file to which it is attached is opened or executed, and may corrupt or erase files on the user's computer, including executable files.
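The signature-based analysis and anomaly/profile-based analysis entries describe two IDS methods, and the SYN flood entry describes an attack that only the second method catches, since a single SYN looks normal. The following Python program is an added example, not courseware code, that runs both methods over a constructed connection log: two signature rules (Back Orifice's default port, mentioned under backdoor, and a directory-traversal string) and one profile rule that counts half-open TCP connections per source against a preset limit. The log format, the addresses (RFC 5737 documentation ranges), the traffic and the threshold are all constructed for this example.

```python
# Added example for the signature-based analysis, anomaly/profile-based analysis
# and SYN flood entries; not part of the Security+ courseware. The log format,
# the addresses and the traffic below are constructed for this example.
import re
from collections import Counter

# Constructed connection log, one line per client-side packet event.
# A legitimate client completes its handshake; 203.0.113.9 sends 50 SYNs and
# never answers; one host probes UDP/31337; one request carries "../".
NORMAL = [
    "ts=1 proto=tcp src=198.51.100.7:51001 dst=192.0.2.10:80 flags=S",
    "ts=1 proto=tcp src=198.51.100.7:51001 dst=192.0.2.10:80 flags=A",
    "ts=1 proto=tcp src=198.51.100.7:51001 dst=192.0.2.10:80 flags=PA uri=/index.html",
    "ts=3 proto=udp src=203.0.113.22:1234 dst=192.0.2.10:31337",
    "ts=3 proto=tcp src=198.51.100.8:51002 dst=192.0.2.10:80 flags=PA uri=/cgi-bin/../../etc/passwd",
]
FLOOD = [f"ts=2 proto=tcp src=203.0.113.9:{40000 + n} dst=192.0.2.10:80 flags=S"
         for n in range(50)]
SAMPLE_LOG = NORMAL[:3] + FLOOD + NORMAL[3:]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'key=value' pairs into a record with split ip/port fields."""
    rec = dict(FIELD.findall(line))
    for side in ("src", "dst"):
        ip, port = rec[side].rsplit(":", 1)
        rec[side + "_ip"], rec[side + "_port"] = ip, int(port)
    rec["ts"] = int(rec["ts"])
    return rec


# Signature-based analysis: each rule encodes one known attack pattern and is
# evaluated against every event on its own.
SIGNATURES = [
    ("Back Orifice default port",
     lambda r: r["proto"] == "udp" and r["dst_port"] == 31337),
    ("directory traversal in URI",
     lambda r: "../" in r.get("uri", "")),
]


def signature_scan(records):
    return [(name, r["src_ip"])
            for r in records for name, match in SIGNATURES if match(r)]


# Anomaly/profile-based analysis: compare behaviour against a preset parameter.
# The parameter here is how many half-open connections one source may leave.
def half_open_by_source(records) -> Counter:
    """SYNs per source ip never followed by an ACK on the same 4-tuple."""
    pending = {}
    for r in records:
        if r["proto"] != "tcp":
            continue
        key = (r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"])
        flags = r.get("flags", "")
        if flags == "S":
            pending[key] = True          # handshake started
        elif "A" in flags:
            pending.pop(key, None)       # client acknowledged: handshake completed
    return Counter(src_ip for (src_ip, _, _, _) in pending)


def anomaly_scan(records, max_half_open: int = 20):
    counts = half_open_by_source(records)
    return [(f"possible SYN flood: {n} half-open connections", src)
            for src, n in counts.items() if n > max_half_open]


def run_ids(lines=SAMPLE_LOG):
    """Parse the log once and return alerts from both analysis methods."""
    records = [parse_line(line) for line in lines]
    return signature_scan(records) + anomaly_scan(records)


if __name__ == "__main__":
    for name, src in run_ids():
        print(f"ALERT {src}: {name}")
```

The signature rules fire on the probe and the traversal request but see nothing wrong with any single SYN; the profile rule never inspects payloads and has no idea what Back Orifice is, but the 50 half-open connections from one source stand out against the preset limit. A production IDS pairs the two for exactly that reason, and tunes the threshold against the site's own baseline rather than a fixed number.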
wardriving
Locating wireless networks by driving around with a laptop and a wireless NIC until the NIC detects a network, which according to some reports is very easy in large cities. Networks found this way that use no encryption, or weak encryption, then become candidates for unauthorized access.

warez
(Pronounced "wares") Pirated software that is made available for download and general use. Servers that contain warez are called warez servers.

WEP
(Wired Equivalent Privacy) The original encryption scheme for 802.11a and 802.11b wireless communication, based on the Rivest Cipher 4 (RC4) stream cipher. Its "64-bit" and "128-bit" modes use 40-bit and 104-bit shared keys combined with a 24-bit initialization vector (IV) that is sent in the clear; some vendors also offered a non-standard 256-bit mode. WEP's short IV and RC4 key-scheduling weaknesses make it breakable with freely available tools, so it should not be relied on for confidentiality.
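The WEP, stream cipher and wardriving entries say that WEP is RC4 keyed with a 24-bit IV plus the shared key, and that it is breakable. The following Python program is an added example, not courseware code, that implements RC4, applies it the way WEP does (IV prepended to the root key, IV transmitted in the clear; WEP's CRC-32 integrity value is omitted for brevity) and shows the simplest consequence of the small IV space: once two frames share an IV, XORing the ciphertexts cancels the keystream, and one known plaintext decrypts the other frame outright. Keys, IVs and messages are constructed for the example.

```python
# Added example for the WEP, RC4 and stream cipher entries; not part of the
# Security+ courseware. Implements RC4, applies it as WEP does (24-bit IV ||
# root key, IV sent in clear, CRC-32 ICV omitted) and shows what IV reuse leaks.
# Keys, IVs and messages are constructed.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm (KSA) followed by the generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Stream cipher: ciphertext = plaintext XOR keystream; the same call decrypts."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || root key: 24 + 40 bits ('64-bit WEP') or
    24 + 104 bits ('128-bit WEP'). The IV travels in the clear ahead of the body."""
    if len(iv) != 3 or len(root_key) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV and a 5- or 13-byte root key")
    return iv + rc4(iv + root_key, plaintext)


def wep_decrypt(root_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return rc4(iv + root_key, body)


def plaintext_xor_from_iv_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same IV => same per-frame key => same keystream, so
    C_a XOR C_b == P_a XOR P_b without knowing the key at all."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor_bytes(frame_a[3:], frame_b[3:])


def recover_via_known_plaintext(known_frame: bytes, known_plaintext: bytes,
                                target_frame: bytes) -> bytes:
    """One known plaintext yields the keystream, which decrypts the other frame."""
    keystream = xor_bytes(known_frame[3:], known_plaintext)
    return xor_bytes(target_frame[3:], keystream)


def iv_reuse_demo():
    root_key = b"\x01\x02\x03\x04\x05"       # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                     # only 2**24 IVs exist; busy APs reuse them in hours
    frame_a = wep_encrypt(root_key, iv, b"GET /index.html ")
    frame_b = wep_encrypt(root_key, iv, b"password=hunter2")
    leaked = plaintext_xor_from_iv_reuse(frame_a, frame_b)
    recovered = recover_via_known_plaintext(frame_a, b"GET /index.html ", frame_b)
    return leaked, recovered


if __name__ == "__main__":
    leaked, recovered = iv_reuse_demo()
    print("P_a xor P_b:", leaked.hex())
    print("recovered:", recovered)
```

The attacker in the demo never learns or needs the root key; with a predictable first line such as an HTTP request or an ARP frame, any frame sharing that IV falls immediately. The practical WEP attacks go further and recover the root key itself from the RC4 key-scheduling weakness, which is why WPA2 or later is the only acceptable replacement.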
white hat
A hacker who exposes security flaws in appli-
cations and operating systems so
manufacturers can fix them before they
become widespread problems.
worm
A piece of code that spreads from one com-
puter to another on its own, not by attaching
itself to another file. Like a virus, a worm can
corrupt or erase files on your hard drive.
WTLS
(Wireless Transport Layer Security) The secu-
rity layer of WAP and the wireless equivalent
of TLS in wired networks.
X.509
An international standard defining the differ-
ent components that make up a certificate.
INDEX
802.11a, 171
802.11b, 171

A
Acceptable Use Policy
  See: AUP
AH protocol, 158
anomaly-based analysis, 290
ASET, 52
  security levels, 53
asymmetric encryption, 156
attacker, 4
attacking, 271
audit attack, 21
AUP, 32
Authentication Header protocol
  See: AH protocol
Automated Security Enhancement Tool
  See: ASET

B
backdoor, 19
backdoor attack, 19
BCP, 258
black hat, 4
block cipher, 156
browser vulnerabilities, 181
brute force attack, 19
buffer overflow attack, 14
bulk encryption key, 159
Business Continuity Plan
  See: BCP

C
CA, 198
  backing up, 219
  hardening, 212, 217
  installing a hierarchy, 198
  restoring, 222
CA hierarchy, 199
  components, 199
  implementation options, 201
  installing, 201
certificate
  destroying files, 239
  enrollment process, 226
  restoring, 248
  suspending, 239
Certificate Authority
  See: CA
certificate enrollment, 226
certificate life cycle, 214
  expiration, 215
  factors, 215
  issuance, 215
  renewal, 215
  revocation, 215
certificate lifetime, 213
certificate management system, 198
certificate policy
  See: CP
  considerations, 212
certificate practice statement
  See: CPS
certificate repository, 198
Certificate Revocation List
  See: CRL
certificates
  backing up, 242
  enrolling for entities, 226, 227
  renewing, 236, 237
  restoring, 247
  revoking, 238, 239
chain of custody, 255
ciphertext, 156
client internet access
  securing, 181, 183
conferencing and messaging servers
Index 407
  hardening, 145, 146
corporate security policy, 31
corporate security policy compliance
  enforcing, 252
CP, 212
CPS, 212
cracker, 4
CRL, 238

D
data encryption, 155
data integrity, 154
DDoS attack, 12
default security configuration attack, 16
DH algorithm, 159
DHCP servers
  hardening, 87, 88
  vulnerabilities, 87
digital certificates, 198
digital signature, 154
directory management tools, 81
directory services
  example, 77
  hardening, 77
  hardening domain controllers, 80
  vulnerabilities, 78
Disaster Recovery Plan
  See: DRP
DNS and BIND
  vulnerabilities, 105
DNS and BIND servers
  hardening, 105, 106
documentation handling, 33
DoS attack, 12
drones, 13
DRP, 258
dual key pair, 212
due care, 31

E
eavesdropping attack, 6, 7
  Also See: sniffing
email
  vulnerabilities, 134
email security
  PGP, 135
  S/MIME, 135
email servers
  hardening, 134, 136
employee security education process, 264
employee security responsibilities, 265
Encapsulating Security Payload protocol
  See: ESP protocol
encryption, 155, 157
encryption algorithms, 155
enumerating, 271
ESP protocol, 158
ethical hack, 272

F
file and print servers
  hardening, 90
file and printer server
  hardening, 91
footprint, 271
footprinting, 271
FTP
  vulnerabilities, 122
FTP server
  hardening, 119, 123

G
guidelines, 31

H
hacker, 4
hacking process, 270
hardening, 37
  application servers, 53
  directory services, 76
hash value, 154
hashing algorithm, 154
hashing algorithms, 154
HIDS, 288
hijacking attack, 9
honeypot, 298
  setting up, 298, 299
host-based IDS
  See: HIDS
HTTPS, 233
Hypertext Transfer Protocol over SSL
  See: HTTPS

I
IDS, 288
  analysis methods, 290
  components, 291
  legal issues, 291
  passive vs. active, 290
Pretty Good Privacy
  See: PGP
private branch exchange
  See: PBX
private key
  replacing, 247
  restoring, 247, 248
private key encryption, 155
private keys
  backing up, 242
  restoring, 247
private root CA, 200
procedures, 31
profiling, 271
public key encryption, 156
public root CA, 200

R
RA, 198
RADIUS, 100
RC4 algorithm, 173
registration authority
  See: RA
regulated industries
  requirements, 256
remote access
  common ports, 192
remote access channel
  securing, 190, 191
remote access vulnerabilities, 190
replay attack, 10
root CA, 200
  security, 201

S
S/MIME, 135
SA, 159
scanning, 271
schema, 77
Secure FTP
  See: SFTP
secure hash algorithm
  See: SHA
Secure Multipurpose Internet Mail Extensions
  See: S/MIME
Secure Shell
  See: SSH
Secure Socket Layer
  See: SSL
secure wireless traffic, 171
security and accessibility
  balancing, 218
security association
  See: SA
security baseline, 38
security incidents
  responding, 305, 307
security infrastructure
  scanning for vulnerabilities, 270
security policies
  individual, 32
security policy
  components, 31
security scans
  types, 272
security templates
  Windows 2000, 45, 46
  Windows XP, 45, 47
security threats
  identifying, 2
  social engineering attack, 2
separation of duties, 32
Server Message Block protocol
  See: SMB protocol
session key, 156
SFTP, 124
SHA, 154
signature-based analysis, 290
smart card, 213
SMB signing, 90
SMBRelay, 281
Smurf attack, 14
sniffing, 7
social engineering attack, 2
  examples, 3
  identifying, 2, 4
software attack
  classifying, 22
software attacks
  classifying, 6
software exploitation attack, 17
Solaris 9
  ASET, 52
spyware, 181
SSH, 124
SSL, 232
standard, 31
stream cipher, 156
U
unnecessary daemons, 44
unnecessary NLMs, 44
unnecessary services, 44
user
  responsibility for security, 265
users
  educating, 264
  employee security education process, 264

V
virus, 15
vulnerabilities
  scanning, 274
vulnerability scanning tools, 271

W
WAP, 171
wardriving, 173
warez, 122
Web server
  security methods, 109
  vulnerabilities, 110
Web servers
  hardening, 109, 114
WEP, 173
white hat, 4
Windows XP, 160
Wired Equivalent Privacy
  See: WEP