Overview: Identify the Internet protocols and standards Identify common vulnerabilities and countermeasures Identify specific IIS/WWW/FTP concerns Identify specific Exchange/SMTP/POP service concerns Identify specific RAS/dial-in/dial-out Module 9 Module 9


Module 9

Overview:

• Identify the Internet protocols and standards
• Identify common vulnerabilities and countermeasures
• Identify specific IIS/WWW/FTP concerns
• Identify specific Exchange/SMTP/POP service concerns
• Identify specific RAS/dial-in/dial-out concerns


TCP/IP Architecture

[Figure: TCP/IP Protocols by TCP/IP architectural layer. Application: FTP, TFTP, DNS, NFS, HTTP, SMTP, NTP, X Windows, TELNET, PING. Transport: TCP, UDP. Internet: IP, ICMP, ARP, RARP. Hardware: Network Interface Card (NIC).]


TCP/IP Services

• FTP
• Telnet (Add-on)
• NFS (Add-on)
• SMTP (Exchange, Lotus MTA, NTMail…)
• SNMP
• Increasingly more TCP/IP services are becoming available in the NT environment
• Result: substantial increase in the threat of unauthorized remote access


RFCs & Open Standards

RFC         SUBJECT
768         User Datagram Protocol (UDP)
783         Trivial File Transfer Protocol (TFTP)
791         Internet Protocol (IP)
792         Internet Control Message Protocol (ICMP)
793         Transmission Control Protocol (TCP)
826         Address Resolution Protocol (ARP)
854         Telnet Protocol (TELNET)
894         IP over Ethernet
919, 922    IP Broadcast Datagrams
950         Internet Standard Subnetting Procedure
959         File Transfer Protocol
1009        Requirements for Internet Gateways
1034, 1035  Domain Name Service (DNS)


TCP/IP Services Deserving Special Focus

Service       Port
Echo          7
Chargen       19
FTP           20, 21
Telnet        23
SMTP          25
HTTP          80
nbname        137
nbdatagram    138
nbsession     139


Common Application Vulnerabilities

• Built on TCP/IPv4 suite (Basic Clear Text)
• Data storage locations are left on vulnerable drives
• Data files that grow are left on system drive
• Services that use weak authentication
• Services are run on PDC
  – Reward from compromise is infinitely great
  – SAM database is used for authentication
• Source IP filtering is not used when appropriate


Common Application Countermeasures

• Use TCP/IPv6 when available (full encryption)
• Move data and logs to non-system disk and delete default share
• Choose the strongest authentication possible
• Run Internet Services on servers with no trust, not DCs
• Disable inappropriate services on servers providing Internet Services
• Use source IP filtering for all local-only services
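
An added example (not from the original slides) that ties the special-focus port list to the source IP filtering countermeasure: it reads `netstat -an` style output and flags focus-port listeners bound to all interfaces, plus established sessions from sources outside an allowed network. The sample output, the addresses and `ALLOWED_SOURCES` are constructed assumptions.

```python
import ipaddress

# Ports from the "TCP/IP Services Deserving Special Focus" slide
# (the slide lists port numbers only, so TCP and UDP are both checked).
FOCUS_PORTS = {7: "Echo", 19: "Chargen", 20: "FTP", 21: "FTP", 23: "Telnet",
               25: "SMTP", 80: "HTTP", 137: "nbname", 138: "nbdatagram",
               139: "nbsession"}

# Assumption: the only network allowed to reach local-only services.
ALLOWED_SOURCES = [ipaddress.ip_network("10.1.0.0/16")]

# Constructed sample in the column layout of Windows `netstat -an`.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.1.2.3:139           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    10.1.2.3:139           10.1.7.9:1045          ESTABLISHED
  TCP    10.1.2.3:23            192.0.2.50:3321        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:19             *:*
"""

def split_endpoint(endpoint):
    # 'host:port' or '[v6]:port' -> (host, port) as strings
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def audit(netstat_text, allowed=ALLOWED_SOURCES):
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        proto, local, foreign = fields[:3]
        state = fields[3] if len(fields) > 3 else ""
        lhost, lport = split_endpoint(local)
        if not lport.isdigit() or int(lport) not in FOCUS_PORTS:
            continue
        port, service = int(lport), FOCUS_PORTS[int(lport)]
        if state == "LISTENING" or proto == "UDP":
            # Bound to every interface: reachable from any source address.
            if lhost in ("0.0.0.0", "::"):
                findings.append(("exposed-listener", proto, port, service))
        elif state == "ESTABLISHED":
            src = ipaddress.ip_address(split_endpoint(foreign)[0])
            if not any(src in net for net in allowed):
                findings.append(("unfiltered-source", proto, port,
                                 f"{service} from {src}"))
    return findings
```

Calling `audit(SAMPLE_NETSTAT)` returns one tuple per finding; the NetBIOS session listener bound to a single internal address and the session from inside the allowed network produce none.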


Applications for Internet Services

• Internet Information Server (IIS) WWW Server
• IIS FTP Server
• IIS Gopher Server
• Exchange SMTP, POP, LDAP
• Remote Access Server (RAS) PPP & PPTP
• Certificate Server


Internet Information Server (IIS)

• IIS V2, V3, V4
• Provides Internet Service Daemons: www, ftp, gopher
  – V4 does not provide gopher
• Can be managed from a central location
  – V2 & V3 use Internet Service Manager
  – V4 uses Microsoft Management Console (MMC) as snap-in
• Uses NT Security Model
• WWW Security features include:
  – NT Challenge Authentication
  – SSL (https://)


IIS

• Provides for Strong Authentication
• Provides for HTTPS (Secure) Pages
• Allows IP source filtering


IIS

With Property Sheets You Can
• Establish Logon Requirements
• Configure Access Permissions
• Specify Home Directories
• Create Multiple Virtual Servers On One Computer
• Set Encryption Options
• Configure Event Logging Options
• View Current Sessions
• Enable or Disable Server Access By IP Address


A Special Concern: FTP

• FTP makes all objects in the file structure accessible!

• Access permission = permissions assigned to account used to gain FTP access and file/directory permission (conjunctive rule)


A Special Concern: FTP

• Account to be used for FTP access can be misused similarly to the Guest account

• FTP users are members of Everyone group

• Inbound FTP authentication can be performed by the source host if not configured otherwise

• Passwords for outbound FTP are transmitted in clear text


Problems with NT-Based Web Servers

• HTTP input overflow can allow unauthorized users to execute commands

• CGI scripts can allow commands to be written to .BAT files, resulting in execution of commands not intended for execution on web servers

• Some types of HTTP access are to a user ID (as in FTP)


TCP/IP Services and NT Domains

• Serious concern: NT web servers or firewalls running within an NT domain (and, thus, effectively within NT’s security perimeter)

• Recommendations:
  - Run each firewall as a standalone NT platform
  - Run Web servers as standalone NT platforms or as part of a Web server domain
  - Do not mix internal and external Web servers in the same domain


Recommendations for Controlling TCP/IP Services

IIS


IIS

Security Approach


IIS


NT Security for System Administrators