Sidebar: TCP vs. UDP Ports

Understand and eliminate Win2K vulnerabilities

To make remote work tolerable, most telecommuters have a permanent cable modem or Digital Subscriber Line (DSL) connection to the Internet. Although a permanent connection is a great convenience, it also makes your small office/home office (SOHO) more vulnerable to Internet-based probing and potential attacks. When you have a permanent connection, your Internet system is always listening for and responding to incoming connections—legitimate and otherwise. If your permanent connection has a static TCP/IP address, your Internet system is a known and registered entity on the Internet. A static TCP/IP address is similar to having a listed phone number. As a known entity, your system becomes a target for intrusion in the same way your listed number is fair game for telemarketers. If you routinely work at home, your home system is an extension of your employer's network. Your system probably contains sensitive information that you need to safeguard—for your sake and for your employer's sake.

Securing a SOHO involves a combination of two approaches: preventing unwanted access and detecting and preventing attempts at unwanted access. You can use several techniques to reduce Windows 2000's inherent vulnerabilities. You can set stringent controls for account lockout, disable services that announce your system's presence on the Internet, and disable services that have a track record of successful exploitation. You can enable security auditing to monitor logon and logoff, account management, policy management, privilege use, and system events. (For more information about hardening Win2K, see "Related Articles.")

These native Win2K techniques reduce the vulnerability of your Internet-connected machine, but they deter and monitor intrusion attempts only at the Win2K service level. Below each native service is a second layer of vulnerability in the form of TCP and UDP ports—the primary target of innumerable Internet-based Trojan horses and of attackers' attempts to probe for security holes. Although you can implement port and address filtering in Win2K as part of an IP Security (IPSec) implementation, not many SOHO systems are sophisticated enough to support IPSec connections. A personal firewall is the only software you can install to tightly monitor and control activity to and from your Internet system. When you implement a firewall, you can control incoming and outgoing traffic by port number, permit or deny connections based on source and destination address, and deter unwanted access in real time.

I suggest two simple exposure tests to identify your SOHO's current vulnerabilities. After you run the tests, read on to learn how and where Win2K is vulnerable to accidental or purposeful intrusion—through NetBIOS, native services, and ports—and how to eliminate these open doors. Although what follows doesn't guarantee that your Internet-connected system won't experience problems, these Win2K techniques will significantly reduce your exposure and minimize the risk of attack. In Part 2 of this series, I'll cover how to select and install a personal firewall to address the remaining vulnerabilities.

Evaluating Your SOHO Exposure
Let's start by evaluating your SOHO's security vulnerabilities. If you're not convinced you have a problem, this test might be a sobering experience. Find a Web site that probes a system for common vulnerabilities. One such site is the Gibson Research Corporation Web site (http://grc.com), at which you can evaluate Windows-specific NetBIOS (i.e., NetBIOS over TCP/IP—NetBT) exposure and port-level exposure.

Test your NetBIOS exposure. At Gibson Research's site, click the Shields UP! link and scroll down the Shields UP! page until you see the Test My Shields! and Probe My Ports! buttons. Click Test My Shields!, and wait until the test finishes. If your system is like most systems, you'll see a display similar to Figure 1, which shows that NetBIOS port 139 is open and accessible and that the test can retrieve your username, your computer name, and your local share name information from this port. Because of its insecure nature, NetBIOS is the most common target for intruders. Save the results of this test so that you can compare them with the report you get when you run the test again after you implement the Win2K settings I recommend in the section "Eliminating NetBIOS Exposure."

Test your port exposure. Next, run the Probe My Ports! test. This tool is a port scanner that asks each Win2K service whether it's listening for and responding to incoming connections. The Gibson Research site explains that a port can be open, closed, or stealth, depending on how you configure and protect your system. An open port means that the associated service accepts incoming connections, which presents an opportunity for access. A closed port means that the service is available but doesn't accept incoming connections. A stealth port is an invisible port that gives no indication that the service is loaded and running. Figure 2 shows the results of the port test on an unprotected system that's wide open to NetBIOS and Telnet access. If you follow the instructions I provide in the section "Reducing Win2K Service Exposure" and then run this test again, you'll see how easy it is to remove these ports as targets.
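The open/closed/stealth distinction above is easy to reproduce on your own machine, which is useful for re-checking after you change a setting without having to wait on an outside Web site. The following Python script is an added example written for this page; it is not code from the article or from Gibson Research, and the function names (`classify`, `probe`, `report`, `start_listener`, `free_port`) are my own. It classifies a TCP port the same way the article describes: a completed connection is open, a host reply that refuses the connection is closed, and no reply within the timeout is stealth. It probes only 127.0.0.1, so it is a self-assessment of the local system.

```python
import socket

# The three port states the article describes:
#   open    - a service accepted the TCP connection
#   closed  - the host answered but refused the connection (TCP RST)
#   stealth - no answer at all before the timeout expired
OPEN, CLOSED, STEALTH = "open", "closed", "stealth"


def classify(err):
    """Map the outcome of one connect attempt (None or the OSError raised)
    to one of the three states."""
    if err is None:
        return OPEN
    if isinstance(err, TimeoutError):          # socket.timeout is a TimeoutError
        return STEALTH
    if isinstance(err, ConnectionRefusedError):
        return CLOSED
    # Any other failure (e.g. network unreachable) gives the prober no
    # evidence that a service exists, so it is reported as stealth.
    return STEALTH


def probe(host, port, timeout=2.0):
    """Attempt a single TCP connection and return its classified state."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as err:
        return classify(err)


def report(host, ports, timeout=2.0):
    """Probe each port and return {port: state}. Ports that come back 'open'
    on an Internet-facing interface are the targets the article says to remove."""
    return {p: probe(host, p, timeout) for p in ports}


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for a listening service (such as NetBIOS on TCP 139).
    Returns (server_socket, port); the caller closes the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Constructed stand-in for a closed port: reserve an unused port number
    and release it again so nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Self-check for the two services the article's Figure 2 shows exposed:
    # NetBIOS session service (TCP 139) and Telnet (TCP 23).
    for port, state in report("127.0.0.1", [139, 23]).items():
        print(f"TCP {port}: {state}")
```

Run it before and after you apply the NetBIOS and service changes described later in the article: TCP 139 should move from open to closed once File and Printer Sharing is unbound from the Internet adapter, and only a firewall that silently drops packets will make a port show as stealth.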

Eliminating NetBIOS Exposure
Each time you install a network adapter, Win2K automatically installs and binds two NetBIOS components to each network card: Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. These components provide backward compatibility for Windows NT 4.0 and Windows 9x systems that use Microsoft's proprietary and nonsecure NetBIOS (i.e., WINS) name registration and name resolution. Under the hood, Win2K and NT implement NetBIOS by using TCP/IP as a transport, an implementation the documentation refers to as NetBT. However, you don't need these functions on your Internet connection, and here's why.
