GBN's Notes for
CTC Retreat Security Panel
November 13, 1998
Pop Quiz
- How do you find out about new security problems and fixes?
- A. Subscribing to mailing lists
- B. Reading journals and trade magazines
- C. Checking vendor Web sites and patch updates
- D. I just hear about them, usually from people I know or work with
- E. I wait until I experience a problem to investigate patches
- NT: Have you installed Service Pack 4?
- A. Yes
- B. No
- C. What's a Service Pack?
- Solaris: What's your current kernel revision?
- A. SunOS 5.6 105181-09
- B. A previous version, because Sun's recommended security
patches are only recommendations
- C. They've revised the kernel?
- NT: What have you done to improve on security "out of the box" with your
NT Server or Workstation OS?
- A. Read through hacker sites, FAQs and other online materials to
insure no known exploits will work against me
- B. Installed Microsoft's
Security Configuration Manager to update security
- C. Purchased and run 3rd party security software, such
as ISS's System Scanner
- D. Why? Isn't NT completely secure out of the box?
- All: When was the last time you used a port scanner to
test systems you manage for vulnerabilities?
- A. I use port scanners regularly, especially after
software updates
- B. When I hear about a new exploit, I use a port
scanner to test my systems for vulnerabilities
- C. Port scanners are hackers tools, and therefore
should only be used by hackers
- All: How would you know if someone broke into a system
you manage?
- A. Daily output of integrity checkers (like tripwire) and log summaries
are automatically emailed to me, and I read them
- B. Someone from another system complains that my system is
misbehaving or hackers are using it as a staging site
- C. Something breaks
Don't forget physical security
Physical access to a computer practically guarantees it can be
accessed illicitely. (Exception: encrypted file systems, but this
probably only protects data, not illicit access to the system)
Unix v. NT Security
- General: Both require a reasonable level of proficiency to operate
a secure server. Both require constant diligence to ensure continued
security.
- ACLs: NT has more control over file manipulation (with NTFS)
- Password encryption: Unix uses stronger (but still weak) encryption
(out of the box)
- Password hiding: On both NT and Unix, Administrator/root access is
enough to get encrypted passwords from a local (or trusting) machine
- Internet communication: Unix servers have more external IP-based
communication than NT out of the box. Both enable the removal
of non-required Internet services.
- Multi-users: NT systems tend to have fewer users who can
access administrative functions. Correlary: NT systems
administrators can make tragic mistakes easily (since they're
always "administrator"). "Regular" NT users often require
undesirable access to system directories so that software
can save configuration files, DLLs, etc., much more so than with
Unix systems.
- Cost: The NT OS and software is expensive, but runs on
commodity PCs. Unix software is often free, but the OS and
hardware can be more expensive. The exception is the Linux
variant of Unix: free OS running on commodity PCs. Much more
free security software is available for Unix.
- Web servers: Bottom line: security is comparable, in that
both let you have complete control, and both let you make
mistakes. NT and Unix both have very fast Web servers. Both
have added features (like ODBC capability), but NT is usually easier
to configure. NT's BackOffice suite (really, lots of separate
software) offers a substantial integrated approach to extending Web
functionality - some of which is available free for Unix, but not
nearly as integrated or easy to install & use.
- Anonymous FTP: Both are fine, although we see Unix more frequently.
3rd party FTP for NT is desirable.
- Email: Comparable security issues. NT's Exchange Server has many
extended features & capabilities. Unix's sendmail is more
frequently used. POP and IMAP clients are available for each.
Key security mailing lists
Bugtraq and NTbugtraq are full-disclosure lists where announcements
about new security expolits and workarounds are posted. Get advance
notice (measured in weeks or months) before vendors post patches,
updates or advice.
NT Security
Some of the resources on this list of NT security resources was taken
from "Maximizing NT Security" by Stephen Cobb & David Brussin in July
1998 BYTE, pp. 88c-88f. Beware! Many
resources are out of date, and none are authoritative.
- Fundamentals: NT
Security FAQ (upated October 97)
- Company: Microsoft's
security pages, includes link to NT pages.
- Company: Aelita Software
Group includes Security Checkbox, a tool for automatically
checking your NT security.
- Company: Internet Security Systems
includes archives of mailing lists &
pointers to tools.
- Company: Kane Security Analysis,
includes a tool for monitoring multiple servers.
- Various info:
various security information at securityserver.com
- Various info: known NT
vulnerabilities at infilsec.com
- Various info:
tec-ref.com includes an NT security checklist and other links
- Reference: De-mystify how different prototols work together with
(SMB, NetBEUI, NetBIOS, IPX and TCP/IP) What is SMB,
NetBIOS, etc.?
- Reference: You can also look up protocols, acronymns and other terms
at whatis.com
- Links: NT security related
links from Somarsoft.com; also other resources
- Resources:
NTBugTraq includes exploits, mailing lists and other information
- Resources:
NT vulnerabilities checked by ISS' product
Standards and Details
- PGP FAQs, including
information about cryptography in general
-
The Orange Book, known formally as: Department of Defense (DoD)
Trusted Computer System Evaluation Criteria (TCSEC) (DoD 5200.28-STD
1985). Fort Meade, MD: Department of Defense, 1985. The Orange Book
specifies levels of security and their criteria.
- NIST's Computer
Security Resource Clearinghouse, includes "Common Criteria"
for IT security evaluation (note version 1 is HTML, version 2 is
PDF). Also mentions the newly declassified (May 1998) Skipjack
algorithm.
Get help
Laws
Incident reporting
Free resources to protect & educate yourself
Hacker Hangouts
Lots of resources
Some of useful hacking resources, codes, cracks, etc.
Publications
Additional hacking resources, not as centralized or organized
Get hacked by pros
Prepared by
Gregory B. Newby
Most recent update: November 13, 1998
URL for this page: http://ruby/gbnewby/presentations/security.html