CRS Technology Serving Southwest Florida's Business Technology Needs
Home Page Our Company Contact Us Site Index
Services
Network Services
System Integration
Consultation
Service Contracts
Education
Business Technology Articles
Seminars and Training
Virus Alerts
Lee County
239.542.8450
Collier County
239.643.1888

Network Security Terms Defined
Network Security Procedures

Definitions - Procedures

Back-door device - A device installed and maintained for the specific purpose of bypassing normal access controls. Back-doors are usually installed under the premise of providing "emergency" access for a system administrator. Unfortunately, back-doors are unsecured entry points that allow hackers that same access.

BIS - As used in this document, BIS refers to either the Bureau of Information Services, or a responsible party within BIS. BIS approval refers to authorization by the CIO or a direct designee of the CIO.

End-user access device - A personal computer, terminal, or other I/O device used by an end-user for information processing such as data entry, spreadsheet analysis, and word processing. An end-user device is generally not used for purposes of WAN maintenance or configuration. Such devices are considered system-control devices.

LAN - A Local Area Network generally servicing a limited geographic area such as an office, a floor in a building, or a building. LANs generally do not cover an area larger than a building due to physical restrictions of the network wiring. For purposes of this document, LANs generally serve a single agency or office.

WAN - A Wide Area Network covers a large geographic area and is characterized by the use of repeaters and bridges to boost signals between network devices. A WAN also provides the mechanism for users on one agency's LAN to communicate with users on a different agency's LAN. For purposes of this document, the state of Maine WAN is that wide area network that acts as the backbone for inter-agency electronic communication, and is installed and maintained by the Bureau of Information Services.

System-control access device - A personal computer, terminal, or other I/O device used by a system administrator, software engineer, or other person for the purpose of system configuration or maintenance. The system involved may be the WAN, a LAN, or a sub-net of either.

Local Area Network (LAN) and Domain Server Security

There are well-documented steps that network systems engineers should follow to adequately secure local area networks and the assets of their employers or clients. This section details such steps, and is based on the use of Windows NT/2000 as the library’s server operating system.

Obviously, in larger environments the automation system may require the use of another operating system. Some of the items below will not apply at all in those cases, and some may need to be "translated" into terminology used in the alternative system.

This information is not intended as an instruction or guide, but as a general list of some of the steps required to secure local area networks. CRS Technology provides this information solely as a convenience to web site visitors, and is not responsible for any use or misuse of this information. Always consult your office networking specialist before making any changes to a networked computer.

In most small library local area networks, there will be one or two servers: a main server, usually a domain controller under Windows NT/2000, which verifies the logins of all users, and a file server used with the library automation system. In some libraries, these two services are combined on one server. It is possible to operate in a very small environment with just Windows NT Workstation/2000 Professional-based computers and no server at all, but it is more difficult to maintain security in this environment. So this base level of security assumes the presence of at least one server. The following items are needed to secure the local area network servers in the library, and do not apply to web servers..

  • Configure all NT Server partitions with NTFS file systems
  • Configure separate operating system and data partitions (both NTFS)
  • Mirror server drives (or implement RAID), if funding allows, for redundancy

These two items are similar to the settings for workstations. Best practice now dictates that all partitions (that show up as distinct drives in the Explorer window) be formatted with the NTFS file system. On a server, that idea is expanded to include a separation of the operating system files and all other programs and user data installed on the server. Separating these so they are located on different "drives" (drives C and D, for example) makes it a bit faster to perform backups, easier to secure sensitive operating system files, and less likely that applying patches and Service Packs (updates to the operating system) will affect other files on the system.

Mirroring hard drives provides an exact duplicate of everything on a server’s hard drive. This can be an important feature if the server hard drive fails. Mirrored systems automatically switch to use of the secondary drive while the first is being replaced. This redundancy provides a way to keep a service operational even when there is a hard drive failure. One might call this service security. While they are advantageous, mirrored systems do add significant cost to a server. (RAID is a more sophisticated approach that offers similar functionality.)

  • Configure servers with private IP addresses (LAN-wide recommendation)

This item is repeated from workstation configuration. If private IP addresses are used on the workstations, they need to be used on local servers as well to keep the network configuration simple. Again, this does not apply to web servers.

  • Remove unnecessary services
  • Remove unnecessary files/programs

Many security holes in server operating systems are discovered as users attempt to do things they "shouldn’t do." Current security wisdom indicates services not used on a server should be removed from the server. This limits a user’s opportunity to do what he shouldn’t do. For example, on a typical library file server, if no web documents are available on the server to share across the local network, then the Internet Information Server (IIS) service should be removed (turned off). Leaving it running presents an unnecessary opportunity for someone to break through the server’s normal security and have complete access to the server.

By the same logic, system files that allow reformatting the hard drive (and other such utilities) should be removed from the server hard drive. They can be copied onto a floppy drive for use by administrators when needed. In the event that an attacker does break through your security, there will be no utility available to help him reformat your drive! Also, if a program is no longer being used on the server, go ahead and uninstall it so that it presents no unintended threats later on.

  • Configure file system with proper file/folder access permissions

As mentioned under workstation security, all the files and folders on the server hard drive can be assigned permissions so that only specified users can read or write to files, or open folders or execute programs. On the server it is especially important to limit what users can access.

  • Restrict access to the Network Monitor Agent

This agent is a packet analysis tool, which potentially allows a user to view the contents of all the data flowing across the network. It can be a valuable tool for a network administrator. However, extra care should be taken to secure the file so unauthorized users do not gain access to it.

  • Disable anonymous user logons
  • Disable caching of user logons
  • Configure account policy to restrict unauthorized logon attempts
  • Create logon warning message (a warning against unauthorized logon or access and use of restricted resources)

As mentioned earlier, the primary means of restricting access to sensitive files on a network is through user logons (requiring a user to supply a user name and password). The password becomes the key to securing the entire system. In addition to using strong passwords, and requiring users on each workstation to log on, the items above add more security on the server side of the connection. First, disable the "anonymous" user, where someone leaves the username and password fields blank and clicks "Logon". Logon information, like most other network data, can be stored temporarily in a place called a cache. In most library environments, workstations and the server should be configured to disable this process.

Also, make sure there is a limit placed on the number of logon attempts made before the account is locked out for some specified time. Three is a good limit. This keeps attackers from using unrestricted blocks of time trying to guess passwords.

Last, due to court cases involving unauthorized access to networks, many security consultants now advise the use of a posted warning against unauthorized use of the network. Windows NT/2000 provides a generic logon warning that can be edited for use in your library. One example of such a banner is the warning notice defined by the Department of Energy’s classified order 5639.6A-1:

WARNING: To protect the system from unauthorized use and to ensure that the system is functioning properly, activities on this system are monitored and recorded and subject to audit. Use of this system is expressed consent to such monitoring and recording. Any unauthorized access or use of this Automated Information System is prohibited and could be subject to criminal and civil penalties.

  • Create alternative Administrators group and restrict membership
  • Restrict privileges of default Administrators group
  • Create alternative Administrator account (with new name) with full privileges
  • Disable default Administrator account
  • Configure auditing of Administrator account logon attempts (to track hacking attempts)
  • Set a strong password for current administrator account
  • Use different passwords for domain/server accounts than for local workstation accounts, or use different account names
  • Restrict access permissions for the Everyone group
  • Disable Guest account if enabled
  • Create appropriate user and group accounts (minimum of three groups: Patrons, Staff, and Administrators)
  • Set appropriate group access permissions
  • Set appropriate user account passwords (password for PatronX account(s) may be simple or empty)
  • Encrypt the SAM password database

This lengthy list applies to the main concepts of user control in any operating system: user accounts, group accounts, and the password file. Your library may assign a user account to each staff member, temporary accounts to contracted technical workers, and individual accounts to patrons. (Most libraries have chosen to allow patron access only through a generic patron account, one account used by all patrons.) These form natural groups of users. So the operating system allows the formation of group accounts as well. Individual users can then be assigned to one or more group accounts. Then it’s easy to manage access to all files and folders by controlling just the access that each group has. It keeps the administrator from having to assign permissions to the file system for each individual account. It also ensures a uniform application of permissions.

One note here is that creating a new administrator account and keeping the default "Administrator" account allows easy monitoring of logon attempts to the default account. Since many people know this account exists, it is often the target of attacks. If an attacker can successfully logon as the Administrator, he will have complete control of the server. By keeping the account, but disabling it, it’s possible to monitor all logon attempts and deal with potential attacks in their early stages.

  • Configure Remote Access Service security, if applicable

Most libraries won’t provide any type of dial-in access to the network through the server, so we don’t cover security of the Remote Access Service in this document. Libraries that do allow dial-in access, to staff or patrons, need to review other security documents to be sure their network is as secure as possible. This, too, is a popular point of attack if it’s available.

  • Set/Create registry entries/values for proper security
  • Document software and security settings for future use in reconfiguring servers

As mentioned in the workstation security section, the registry holds many different configuration settings for programs installed on the computer. There are many settings which should be set: disabling the Netware DLL Trojan horse capability (assuming Novell Netware is not used on your network), restricting remote access to the registry, restricting access to "named pipes" and to the Scheduler, blocking the 8.3 DOS naming convention attack. There are others. It is imperative that you document for future reference any decisions your library makes regarding specific registry settings.

  • Configure audit logs to track unauthorized access to files/folders/accounts; restrict access to log files
  • Develop and implement procedure for monitoring audit logs

With Windows NT/2000 it’s possible to track, or audit, all types of access to system resources, even to track all access attempts on a certain file, folder, or account. Server usage that you’ve chosen to audit is recorded in an audit log. Auditing needs to be configured (especially for sensitive areas like accessing the Administrator account or attempts to run restricted programs) for many areas, but creating the logs is useless unless staff reviews them. Develop the discipline of regularly reviewing server logs. This responsibility should be assigned to a specific person to be conducted at specific intervals (e.g., daily or weekly).

  • Install software for the server’s UPS that automatically shuts down the server

Be sure to install software that allows the UPS (to which the server is connected) to communicate with the server when a power problem occurs. The communication may include a command to shut the server down if battery power is low. This protects the integrity of data being written to the server’s hard drive.

  • Implement procedures for file backups according to backup plan
  • Restrict access to backup program
  • Maintain backup log and auditing
  • Rotate one backup set offsite regularly

Backing up, while not a normal network security issue, does goes to the heart of network security: protecting data from loss or corruption. Only a specified individual or two should have access to the backup software, so unauthorized persons cannot restore sensitive data from a previous backup. Good discipline requires backups to be performed regularly and that one person be responsible for the backup procedures and maintenance of backup logs. To protect data stored on a server against theft, rotate one set of backup media offsite (out of the library) regularly. (What could be worse than going through the rigors of backing up regularly only to have both server and backup media stolen?) Be sure all backup media, the offsite set as well, is secured properly. This may include putting the media in a lockable container and securing the key in a controlled location.

  • Schedule periodic download and installation of operating system patches
  • Create and maintain current Emergency Repair Disks, and store in a controlled location
  • Implement paper log to record maintenance problems, attempts at unauthorized access, and other server problems
  • File all server component documentation (papers/ manuals/disks) for use by service technicians

Even more than with workstations, it is vitally important to update the server operating system on a regular basis by installing patches and Service Packs as Microsoft makes them available. Doing so will greatly reduce your risk of attack. Use the same paper log for servers as for workstations to document problems and repairs, attacks, and other anomalies related to servers. And finally, keep the server’s documentation available for any service technician that may need it.

 

[ Home : Company : Contact : Site Index ] [ Network Services : System Integration : Consultation : Service Contracts ]
[ Business Technology Articles : Seminars/Training : Virus Alerts ]
Copyright © 2000-2007 CRS Technology   All Rights Reserved.
| www.crsonline.net | Legal Notice / Terms of Use | webmaster@crsonline.net |