Add torque to your network with a few new tools
Securing your network requires more than installing a firewall and setting some access controls. Security is an ongoing process of checks and balances that requires you to be diligent and persistent, and you need a good toolkit at your disposal to perform checks and balances.
When I wrote "The Handy Security Toolkit," May 1997, you didn't have as many nifty tools to choose from as you do today. As new products surfaced, I added them to my security toolkit. In this article, I review some mainstay tools and introduce you to some new tools that I've come to rely on in various situations.
My security toolkit includes mailing lists, port scanners, dial-up scanners (aka war dialers), event log analyzers, Registry analyzers, access control analyzers, packet sniffers, password crackers, and general security scanners. Table 1, page 70, lists various types of tools that you can use to secure your network. Let's take a closer look at all these tools.
Mailing Lists
Good security practice involves constant monitoring of your systems, networks, and product information updates. You need to pay close attention to vendor updates, especially Microsoft updates, because vendors invariably release patches that correct serious security problems. To obtain new security information as fast as intruders do, you need to monitor the vendors. Therefore, mailing lists remain a staple in my security toolkit.
Microsoft has an electronic Security Bulletin in which the company announces new security risks and publishes information regarding fixes for the risks. Other vendors have similar mailing lists, so search for those resources that apply to your needs.
In addition to vendor-based mailing lists, several other mailing lists will keep you up-to-date regarding new security risks. If you work in a mixed OS environment, BUGTRAQ from NetSpace is a great list to join. Although most of the information pertains to UNIX-based OSs and applications, a fair amount of the information relates to Microsoft security.
NTBugtraq's mailing list is another good resource that discusses security bugs in the Windows NT platform. And although you won't find much information on the list that relates to other aspects of Microsoft's products, the list is a good place to quickly learn about new NT-related security problems.
By searching the Internet, I found at least a half-dozen mailing lists that pertain to NT security in some form. The amount of mail you receive by joining all these lists can become a significant burden. For example, on any given day you can expect to receive about eight messages from Internet Security Systems' (ISS's) NT Security mailing list and about a dozen or more messages from Global Networking and Computing's Firewalls mailing list. These two mailing lists alone can amount to 20 messages per day. When you toss in four or five more list memberships, you get an overflowing inbox and not enough time in the day to read all the messages and be productive. If you don't want to join several mailing lists, I offer a mailing list called NT Security Digest (NTSD). The list is a catchall of security problems that surface in the other security-related mailing lists.
If you don't receive Windows NT Magazine's Security UPDATE, you need to subscribe to this free electronic newsletter. This weekly newsletter summarizes industry news about network security in a timely manner.
Port Scanners
Each TCP/IP-related service listens on a particular port or set of ports. A port scanner lets you scan ranges of IP addresses to find TCP/IP ports that are listening. These active ports have some type of service running on them. A port scanner immediately reveals systems that are running services that you might not want to make available on your network, such as a private Web site or FTP server running on an employee workstation. For port scanning, I still use Point One Publishers' UltraScan 1.5, which is fast and now free. One limitation of UltraScan is that it can scan only one Class C network at a time. So, to scan a larger range of addresses, you must break the addresses into Class C networks.
When I need to scan larger networks or when I want some detail beyond which ports are listening, I use Nmap from Insecure.Org. Nmap is a fantastic scanning tool that not only iterates listening ports but also determines which OS is running on the scanned system. Although Nmap is UNIX-based and doesn't run on NT, the utility is well worth the effort to use. I highly recommend that serious security buffs load a copy of Linux and learn to use this OS. Administrators have exposed numerous NT security exploits by running example exploit code on UNIX. If you have a Linux box handy, you can test this code against your networks and also run valuable software, such as Nmap.
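The two points above, breaking a large address range into Class C blocks and finding which ports accept a connection, are simple enough to show in a short script. The following Python is an added example written for this article, not code from UltraScan, Nmap, or their authors; it does a plain TCP connect scan (a port that accepts the connection has a service listening on it) and verifies itself against a listener it opens on the loopback address, so it runs offline and touches nothing but your own machine.

```python
"""Added example (not from the article): split a large address block into
Class C (/24) networks and run a simple TCP connect scan against a host.
A connect scan does what the article describes: any port that accepts the
connection has a service listening on it."""
import ipaddress
import socket
from typing import Iterable, List


def split_into_class_c(cidr: str) -> List[str]:
    """Break a block larger than a /24 into /24 ("Class C") networks, which is
    what you must do by hand when a scanner handles only one Class C at a time."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 24:
        return [str(net)]
    return [str(sub) for sub in net.subnets(new_prefix=24)]


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Return the ports on `host` that accept a TCP connection (i.e. are listening)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising; a refused or
            # timed-out connection means nothing is listening on that port.
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def demo_local_scan():
    """Self-contained check: start a listener on an ephemeral loopback port,
    then scan a small window around it. Returns (listening_port, found_ports)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0 = let the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        found = scan_ports("127.0.0.1", range(port - 2, port + 3))
    finally:
        listener.close()
    return port, found


def local_scan_finds_listener() -> bool:
    """True if the scan reported the port our own listener was bound to."""
    port, found = demo_local_scan()
    return port in found


if __name__ == "__main__":
    for block in split_into_class_c("10.1.0.0/22"):   # constructed sample range
        print("would scan", block)
    port, found = demo_local_scan()
    print(f"listener on {port}, scan found {found}")
```

A scanner like this tells you only that something answered; it does not say what, so an unexpected open port is a reason to look at the machine, not a verdict. Running it against your own address space on a schedule and comparing the result with the previous run is the cheapest way to notice a new Web or FTP server appearing on a workstation.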
Dial-up Scanners
A dial-up scanner (aka war dialer) detects listening modems. With this tool, you'll find unwanted and unauthorized modems that are listening for calls on your phone lines. Many employees leave their systems up and their modems online so they can access the corporate LAN and the Internet on the company's dime after hours. This practice is bad news because intruders love to find such back doors into your network. Your firewall is useless when back doors are open. Free dial-up scanners, which many intruders wrote and used, are available for you to use to test your network security. I use ToneLoc because it displays details in a graphical map that represents information in colored patterns. With ToneLoc, I can see immediately the phone numbers that have modems that are listening. To obtain a copy of ToneLoc, you can locate it through a search engine or download it from http://www.ntsecurity.net. ToneLoc might be overkill for your needs because it's designed to scan large blocks of phone numbers.
SecureLogix has a dial-up scanner called TeleSweep Secure, which was in beta at press time. I added TeleSweep Secure to my security toolkit because it goes beyond the average dial-up scanner by performing security checks of the systems answering the modem lines. For example, this scanner can determine whether the phone lines are voice, data, or fax. When TeleSweep detects a modem answering (in the case of data and fax lines), the product checks commonly known username and password combinations to assess the security configuration of the applications running on identified modems.
Event Log Analyzers
Monitoring your system logs is one of the most important tasks you need to perform regularly. Unfortunately, this task is grueling because NT's event log doesn't adequately filter log entries.
Log analyzers provide an alternative method to rifle through all the logged information. You can export the data to a database manager, where you can sift out the items you're looking for and produce reports to your liking. When I want to move event log information into a database, I prefer to use Somarsoft's free DumpEvt tool by Frank Ramos. Somarsoft also has DumpEvt in a .dll form that you can incorporate into custom applications. In addition to DumpEvt, the Microsoft Windows NT Server 4.0 Resource Kit contains a utility called Dumpel, which also dumps events out of the log. But DumpEvt does a much nicer job.
When I want to research logon information, such as failed logons and remote logons, I use NT OBJECTive's NTLast. The product is a fabulous command-line tool that makes searching for logon information a very simple task. J.D. Glaser developed this product, which costs $29.95. For the work NTLast performs, it's worth every penny. (For a review of NTLast's functionality, see "NTLast v2.6," September 1999.)
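Once the event log has been dumped to text, the kind of question NTLast answers (who failed to log on, who logged on from another machine) is a few lines of filtering. The script below is an added example written for this article, not NTLast's, DumpEvt's, or Dumpel's code, and its input is a constructed tab-separated layout (date, time, event ID, user, workstation, logon type), not the real output format of any of those tools. The event IDs 528 (successful logon) and 529 (logon failure) and logon type 3 (network logon) are the NT 4.0 Security-log values.

```python
"""Added example (not from the article): a small analyzer for event-log records
that have been dumped to text, in the spirit of moving the NT event log out of
Event Viewer into something you can filter. The input format is a constructed
tab-separated layout (date, time, event ID, user, workstation, logon type); it
is NOT DumpEvt's or Dumpel's real output format."""
from collections import Counter
from typing import Dict, List

# Constructed sample dump: three failed logons for 'bob' from one workstation,
# one network logon for 'alice' to FILESRV, one interactive logon for 'alice'.
SAMPLE_DUMP = """\
1999-10-04\t08:01:12\t529\tbob\tWKS17\t2
1999-10-04\t08:01:20\t529\tbob\tWKS17\t2
1999-10-04\t08:01:33\t529\tbob\tWKS17\t2
1999-10-04\t08:05:02\t528\talice\tFILESRV\t3
1999-10-04\t09:15:44\t528\talice\tWKS02\t2
"""

LOGON_SUCCESS = 528   # NT 4.0 Security log: successful logon
LOGON_FAILURE = 529   # NT 4.0 Security log: logon failure (bad user name or password)
NETWORK_LOGON = 3     # NT logon type 3: connection from another system


def parse_dump(text: str) -> List[Dict]:
    """Turn the tab-separated dump into one dict per event; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, user, workstation, logon_type = line.split("\t")
        events.append({
            "date": date, "time": time, "event_id": int(event_id),
            "user": user, "workstation": workstation, "logon_type": int(logon_type),
        })
    return events


def failed_logons_by_user(events: List[Dict]) -> Counter:
    """Count failed logons per user; a high count is the first thing to look at."""
    return Counter(e["user"] for e in events if e["event_id"] == LOGON_FAILURE)


def remote_logons(events: List[Dict]) -> List[Dict]:
    """Successful logons that came over the network rather than at the console."""
    return [e for e in events
            if e["event_id"] == LOGON_SUCCESS and e["logon_type"] == NETWORK_LOGON]


def users_over_threshold(events: List[Dict], threshold: int = 3) -> List[str]:
    """Users whose failed-logon count reaches the threshold (possible password guessing)."""
    return sorted(u for u, n in failed_logons_by_user(events).items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_dump(SAMPLE_DUMP)
    print("failed logons:", dict(failed_logons_by_user(evts)))
    print("remote logons:", [(e["user"], e["workstation"]) for e in remote_logons(evts)])
    print("over threshold:", users_over_threshold(evts))
```

The threshold report is the piece worth keeping: repeated failures for one account from one workstation in a short span are exactly what the raw Event Viewer buries among routine entries, and a daily run of this filter over the dumped log surfaces them without a database.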