Protect Your System from Intruders
Mr. Kruchkov presents a common, real-world scenario that many of you might
face. Protecting yourself from this type of access is simple. Let's look at each
aspect of protection that you need if you want to avoid this type of intrusion.
Internet Information Server (IIS)—Load the service packs and
hotfixes. If you can't load the fixes, always put your Web scripts in a
separate directory from your HTML and other files and allow only Execute access
to that directory. If you take these precautions, no one can browse those
documents or their hidden field contents.
SQL Server—Never leave an account with a blank
password; always change the password to something complex that contains
a mix of numeric, alpha, and special characters. Consider not using TCP/IP on
your SQL servers, and instead run NetBEUI between your SQL server and other
systems (e.g., a Web server) that access that system. This way, intruders
originating from TCP/IP-based systems will have a much harder time getting into
your SQL servers. Because those systems speak only NetBEUI, an intruder has to
commandeer a system on your network loaded with NetBEUI, to attack your SQL
Server system. In addition, disable the SQL Server xp_cmdshell stored procedure,
unless you absolutely must use it. And if possible, don't let stored procedures
access the Windows NT Registry.
Domain Name System (DNS)—Never put a hostname in DNS unless
it's absolutely necessary, such as when you need the system—such as a Web
server or mail server—to be visible to the Internet via DNS queries.
Consider using an LMHOSTS file or a WINS server for private internal machines
that never require inbound Internet access. If you use LMHOSTS or WINS,
discovering other machines on your network is more difficult. Always disallow
Domain Listing on your DNS server; this action prevents someone from dumping
your domain record database.
Protocols—Always block ports 137, 138, and 139 for
inbound and outbound access unless you know these need to be open. In the cases
where you must let people use these ports (e.g., a remote user accessing the
network via the Internet), define filtering rulesets (in your firewall, router,
or NT TCP/IP stack) that let only specific systems use these ports to connect.
Also, consider unbinding NetBIOS from your network cards connected to an
Internet route. This action makes an intruder's discovery process much tougher
and stops many types of potential attacks.
User Accounts—Disable the Guest account. If you must let
guests access your system, consider establishing an ID name other than Guest,
and set the lowest possible level of rights and permissions for that account.
Dump Logs—Configuring NT to write a memory dump file when it
crashes can help you find out why NT crashed. But leaving those system dump logs
and drwtsn32.log debug files unprotected on your system can lead to disaster.
Often, dump/debug files contain information (e.g., domain name, ID, passwords)
an intruder needs to break in to your network. Any time NT or an application
crashes, make sure you either delete the dump/debug file or move it to a secured
directory (one that has administrator access only).
General Protection—If your network has a firewall, consider
not allowing inbound ping traffic; this action prevents several types of
mischief. Also, consider disabling inbound and outbound access to User Datagram
Protocol (UDP) ports 137 and 138 and TCP port 139 to stop many common attacks on
NT networks. A general rule for firewall implementation is to use your
firewall's rules to block everything, and then open access as needed.
For example, if you don't run an FTP server, block inbound FTP until you
need to make it available. Block inbound access to all your systems, especially
systems running SQL Server, until you have a definite need to allow direct
inbound access. Following this practice can be tedious, but it could save your
business from complete disaster.