Chapter 21. Network Security

It's a Cold, Cruel World

You might be considering connecting your LAN to the Internet, or you might have done so already. Connecting will probably be more work than you expect (even with, or due to, my advice), but the achievement will be gratifying. After you make just a few keystrokes, a friend in Italy will be able to log on to your network. Millions of potential customers can reach you. You'll be one with the world.

I don't want to spoil your day, but the cruel fact is that, besides your customers, friends, mother, and curious, benign strangers, your computer and your LAN will also be exposed to pranksters, hackers, spammers, information bandits, thieves, and a variety of other bottom feeders and bad guys who, like anyone else, can probe, prod, and test your system. Will your network be up to the task? Even if you have a single computer only occasionally connected to the Internet by modem, you're still at risk.

By this point in the book, you are aware that network design is foremost a task of planning. It's especially true in this case: Before you connect to the Internet, you must plan for security, whether you have a single computer or a large local area network (LAN).

Explaining everything that you can and should do would be impossible. What I want to do in this chapter is give you an idea of what network security entails. I'll talk about the types of risks you'll be exposed to and the means people use to minimize this exposure; then I'll end with some tips and to-do lists. If you want to have a network or security consultant take care of implementation for you, that's great. This chapter will give you the background to understand what the consultant is doing. If you want to go it on your own, then consider this chapter to be a survey course, and your assignment is to continue to research, write, and implement a security plan.

Who Would Be Interested in My Computer?

Most of us don't give security risks a second thought. After all, who is a data thief going to target: me or the Pentagon? Who'd be interested in my computer? Well, the sad truth is that there are thousands of people out there who'd be delighted to find that they could connect to your computer. They might be looking for your credit card information, passwords for computers and Web sites, or a way to get to other computers on your LAN. Even more, they would love to find that they could install software on your computer, which they could then use to send spam and probe other people's computers. They might even use your computer to launch attacks against corporate or governmental networks. Don't doubt that this could happen to you. Much of the spam you receive is sent from home computers that have been taken over by criminals through the conduit of an unsecured Internet connection. The problem has gotten so bad in the past few years that starting with Windows XP Service Pack 2, when you install Windows software, Microsoft is now enabling the strictest network security settings by default, rather than requiring you to take explicit steps to enable them. There were just too many Windows computers—perhaps millions—with no protection whatsoever. And with the advent of high-speed, always-on Internet connections, the risks are increasing, because computers stay connected and exposed for longer periods of time.

In this chapter, I'll explain a bit about how network attacks and defenses work. I'll tell you ways to prevent and prepare for recovery from a hacker attack. And most importantly, I'll show you what to do to make your Windows XP system secure.

NOTE

If your computer is connected to a Windows Domain-type network, your network administrators probably have taken care of all this for you. In fact, you might not even be able to make any changes in your computer's network or security settings. If this is the case, you might find it frustrating, but it's in the best interest of your organization.

Even if you're not too interested in this, and you don't read any other part of this chapter, you should read and carry out the steps in the section titled “Specific Configuration Steps for Windows XP.”

To make matters worse, in a business environment, security risks can come from inside a network environment as well as from outside. Inside, you might be subject to highly sophisticated eavesdropping techniques or even simple theft. I know of a company whose entire customer list and confidential pricing database walked out the door one night with the receptionist, whose significant other worked for the competition. The theft was easy; any employee could read and print any file on the company's network. Computer security is a real and serious issue. And it only helps to think about it before things go wrong.

Types of Attack

Before I talk about how to defend your computer against attack, let's briefly go through the types of attacks you're facing. Hackers can work their way into your computer and network using several methods. Here are some of them:

  • Password Cracking—Given a user account name, so-called “cracking” software can tirelessly try dictionary words, proper names, and random combinations in the hope of guessing a correct password. This doesn't take a modern fast processor very long to accomplish.

  • Address Spoofing—If you've seen the Caller ID service used on telephones, you know that it can be used to screen calls: You only answer the phone if you recognize the caller. But what if telemarketers could make the device say “Mom's calling”? There's an analogy to this in networking. Hackers can send “spoofed” network commands into a network with a trusted IP address.

  • Impersonation—By tricking Internet routers and the domain name registry system, hackers can have Internet or network data traffic routed to their own computers rather than the legitimate Web site server. With a fake Web site in operation, they can collect credit card numbers and other valuable data.

  • Eavesdropping—Wiretaps on your telephone or network cable, or monitoring of the radio emissions from your computer and monitor can let the more sophisticated hackers and spies see what you're seeing and record what you're typing.

  • Exploits—It's a given that complex software has bugs. Some bugs make programs fail in such a way that part of the program itself gets replaced by data from the user. Exploiting this sort of bug, hackers can run their own programs on your computer. It sounds farfetched and unlikely, but exploits in Microsoft's products alone are reported about once a week. The hacker community usually hears about them a few weeks before anyone else does, so even on the most up-to-date copy of Windows, there are a few available for use.

  • Back Doors—Some software developers put special features into programs intended for their use only, usually to help in debugging. These back doors sometimes circumvent security features. Hackers discover and trade information on these, and are only too happy to use the Internet to see if they work on your computer.

  • Open Doors—All of the attack methods I described up to here involve direct and malicious actions to try to break into your system. But this isn't always necessary: Sometimes a computer can be left open in such a way that it just offers itself to the public. Like leaving your front door wide open might invite burglary, leaving a computer unsecured by passwords and without proper controls on network access allows hackers to read and write your files by the simplest means. Simple File Sharing, which I'll discuss later in the chapter, mitigates this risk somewhat.

  • Viruses and Trojan Horses—The ancient Greeks came up with it 3200 years ago, and the Trojan Horse trick is still alive and well today. Shareware programs used to be the favored way to distribute disguised attack software, but today email attachments are the favored method. Most email providers automatically strip out obviously executable email attachments, so the current trend is for viruses to send their payloads in .ZIP file attachments.

  • Social Engineering—A more subtle approach than brute force hacking is to simply call or email someone who has useful information and ask for it. One variation on this approach is the email that purports to come from a service provider like AOL, saying there was some sort of account glitch and could the user please reply with their password and social security number so the glitch can be fixed. P.T. Barnum said there's a sucker born every minute. Sadly, this works out to 1,440 suckers per day, or over half a million per year, and it's not too hard to reach a lot of them with one bulk email.

    Recently there has been an upsurge in a new form of social engineering called phishing, where spammers send an email that purports to be from your bank or eBay or other such vendor, with a link to a Web site that looks official, and a request that you sign on with your username, password, and other personal information.

  • Denial of Service—Finally, not every hacker is interested in your credit cards or business secrets. Some are just plain vandals, and it's enough for them to know that you can't get your work done. They may erase your hard drive, or more subtly, crash your server or tie up your Internet connection with a torrent of meaningless data. In any case, you're inconvenienced. For an interesting write-up on one such attack, see www.grc.com/dos.

If all this makes you nervous about hooking your LAN up to the Internet, I've done my job well. Before you pull the plug, though, read on.

Your Lines of Defense

Making your computer and network completely impervious to all these forms of attack is quite impossible, if for no other reason than there is always a human element that you cannot control, and there are always bugs and exploits not yet anticipated.

You can do a great deal, however, if you plan ahead. Furthermore, as new software introduces new features and risks, and as existing flaws are identified and repaired, you'll have to keep on top of things to maintain your defenses. The most important part of the process is that you spend some time thinking about security.

The following sections delve into the four main lines of computer defense. They are

  • Preparation

  • Active defense

  • Testing, logging, and monitoring

  • Disaster planning

You can omit any of these measures, of course, if you weigh what you have at risk against what these efforts will cost you, and decide that the benefit isn't worth the effort.

What I'm describing sounds like a lot of work, and it can be if you take full-fledged measures in a business environment. Nevertheless, even if you're a home user, I encourage you to consider each of the following steps and to put them into effect with as much diligence as you can muster. Just think of that poor sleeping soul whose hard disk I could have erased that morning at 1 a.m. (If you missed this poignant example, see the sidebar titled “Think You're Safe? Think Again.” earlier in the chapter.)

Preparation

Preparation involves eliminating unnecessary sources of risk before they can be attacked. You should take the following steps:

  1. Invest time in planning and policies. If you want to be really diligent about security, for each of the strategies I describe in this chapter, outline how you plan to implement each one.

  2. Structure your network to restrict unauthorized access. Do you really need to allow users to use their own modems to connect to the Internet? Do you want to permit access from the Internet directly in to your network, indirectly via a Virtual Private Network (VPN), or not at all? Eliminating points of access reduces risk, but also convenience. You'll have to decide where to strike the balance.

    If you're concerned about unauthorized in-house access to your computers, be sure that every user account is set up with a good password—one with letters and numbers or punctuation. Unauthorized network access is less of a problem with Simple File Sharing, as all network users are treated the same, but you must ensure that an effective firewall is in place between your LAN and the Internet. I'll show you how to use the Windows firewall later in this chapter.

    Note

    → To learn more about simple file sharing, see “Simple File Sharing,” p. 1088.

  3. Install only needed services. The less network software you have installed, the less you'll have to maintain through updates, and the fewer potential openings you'll offer to attackers.

    For example, don't install SMTP or Internet Information Services unless you really need them.

    The optional “Simple TCP Services” network service provides no useful function, only archaic services that make great denial of service attack targets. Don't install it.

  4. Use software known to be secure and (relatively) bug free. Use Windows's Automatic Updates feature. Update your software promptly when fixes become available. Be very wary of shareware and free software, unless you can be sure of its pedigree and safety.

  5. Properly configure your computers, file systems, software, and user accounts to maintain appropriate access control. We'll discuss this in detail later in the chapter.

  6. Hide from the outside world as much information about your systems as possible. Don't give hackers any assistance by revealing user account or computer names, if you can help it. For example, if you set up your own Internet domain, put as little information into DNS as you can get away with. Don't install SNMP unless you need it, and be sure to block it at your Internet firewall.

TIP

The most important program to keep up-to-date is Windows XP itself. I suggest that you keep up-to-date on Windows XP bugs and fixes through the Automatic Updates feature and through independent watchdogs. Configure Windows to notify you of critical updates. Subscribe to the security bulletin mailing lists at www.microsoft.com/security, www.ntbugtraq.com, and www.sans.org.

If you use Internet Information Services to host a Web site, pay particular attention to announcements regarding Internet Explorer and IIS. Internet Explorer and IIS together account for the lion's share of Windows security problems.

Security is partly a technical issue and partly a matter of organizational policy. No matter how you've configured your computers and network, one user with a modem and a lack of responsibility can open a door into the best-protected network.

You should decide which security-related issues you want to leave to your users' discretion, and which you want to mandate as a matter of policy. On a Windows 200x domain network, the operating system enforces some of these points, but if you don't have a domain server, you might need to rely on communication and trust alone. The following are some issues to ponder:

  • Do you trust users to create and protect their own shared folders, or should this be done by management only?

  • Do you want to let users run a Web server, FTP server, or other network services, each of which provides benefits but also increases risk?

  • Are your users allowed to create simple alphabetic passwords without numbers or punctuation?

  • Are users allowed to send and receive personal email from the network?

  • Are users allowed to install software they obtain themselves?

  • Are users allowed to share access to their desktops with Remote Desktop, Remote Assistance, NetMeeting, Carbon Copy, PCAnywhere, or other remote-control software?

Make public your management and personnel policies regarding network security and appropriate use of computer resources.

If your own users don't respect the integrity of your network, you don't stand a chance against the outside world. A crucial part of any effective security strategy is making up the rules in advance and ensuring that everyone knows.

Active Defenses: Blocking Known Methods of Attack

Active defense means actively resisting known methods of attack. Active defenses include

  • Firewalls and gateways to block dangerous or inappropriate Internet traffic as it passes between your network and the Internet at large

  • Encryption and authentication to limit access based on some sort of credentials (such as a password)

  • Keeping up-to-date on security and risks, especially with respect to Windows XP

When your network is in place, your next job is to configure it to restrict access as much as possible. This task involves blocking network traffic known to be dangerous and configuring network protocols to use the most secure communications protocols possible.

Set Up Firewalls and NAT (Connection Sharing) Devices

Using a firewall is an effective way to secure your network. From the viewpoint of design and maintenance, it is also the most efficient tool because you can focus your efforts on one critical place, the interface between your internal network and the Internet.

A firewall is a program or piece of hardware that intercepts all data passing between two networks, for example between your computer or LAN and the Internet. The firewall inspects each incoming and outgoing data packet and only permits certain packets to pass through. Generally, a firewall is set up to permit traffic for safe protocols like those used for email and Web browsing. It blocks packets that carry file sharing or computer administration commands.

NAT (Network Address Translation), the technology behind Internet Connection Sharing and connection sharing routers, insulates your network from the Internet by funneling all of your LAN's network traffic through one IP address—the Internet analogue of a telephone number. Like an office's switchboard operator, NAT lets all of your computers place outgoing connections at will, but intercepts all incoming connection attempts. If an incoming data request was anticipated, it's forwarded to one of your computers, but all other incoming network requests are rejected or ignored. Microsoft's Internet Connection Sharing and hardware Internet connection sharing routers all use a NAT scheme.

Note

→ To learn more about this topic, see “NAT and Internet Connection Sharing,” p. 742.

The use of either NAT or a firewall, or both, can protect your network by letting you specify exactly how much of your network's resources you'll expose to the Internet.

Windows Firewall

One of Windows XP's new features is the built-in Windows Firewall software. Windows Firewall was introduced in Windows XP Service Pack 2 to replace the more primitive “Internet Connection Firewall” that originally shipped with XP. (Among other things, Internet Connection Firewall left computers unprotected for 5 to 20 seconds during bootup, and untold thousands of computers were infected by viruses as a result.)

Windows Firewall is enabled, or attached, on any network adapter or dial-up connection that directly connects to the Internet. Its purpose is to block any traffic that carries networking-related data, so it prevents computers on the Internet from accessing shared files, Remote Desktop, Remote Administration, and other “sensitive” functions.

In fact, Windows Firewall is designed so that on all but large corporate LANs it can be used on all network interfaces without interfering with day-to-day networking use. This can help prevent the spread of viruses from one computer to another across your LAN, should one become infected.

Windows Firewall is enabled by default when you install XP Service Pack 2, or install a copy of Windows XP that has Service Pack 2 built in. You can also enable or disable it manually by selecting the Change Windows Firewall Settings task on the Network Connections window (I'll tell you how to do this later in the chapter under “Specific Configuration Steps for Windows XP.”) You also can tell the firewall whether you want it to permit incoming requests for specific services. If you have a Web server, for example, you'd need to tell Windows Firewall to permit incoming HTTP data.

NOTE

Windows Firewall has the advantage that it automatically opens up to permit incoming connections for programs like Remote Assistance and Windows Messenger. On the other hand, it's part of the very operating system it's trying to protect, and if either Windows XP or the firewall gets compromised, your computer's a goner.

If I had the choice between using Windows Firewall and an external firewall device such as a commercial firewall server, or a connection sharing router with filter rules, I'd use the external firewall. But Windows Firewall is definitely better than no firewall at all.

Simple File Sharing

Windows XP introduced a new network security model called Simple File Sharing. Before I explain this, I'll give you some background. In the original Windows NT/2000 workgroup network security model, when you attempted to use a shared network resource, Windows would see if your username and password matched an account on the remote computer. One of four things would happen:

  • If the username and password exactly matched an account defined on the remote computer, you'd get that user's privileges on the remote machine for reading and writing files.

  • If the username matched but the password didn't, you'd be prompted to enter the correct password.

  • If the username didn't match any predefined account, or if you failed to supply the correct password, then you'd get the privileges accorded to the Guest account, if the Guest account was enabled.

  • If the Guest account was disabled, and it usually was, you would be denied access.

The problem with this system is that it required you to create user accounts on each computer you wanted to reach over the network. Multiply say 5 users times 5 computers, and you had 25 user accounts to configure. What a pain! (People pay big bucks for a Windows Server-based domain network to eliminate this very hassle.) Because it was so much trouble, people usually would enable the Guest account.

The problem is that Guest is a member of the group Everyone, and usually Everyone has read/write or at least read privileges on the entire hard drive and full privileges on FAT-formatted disks which have no user-level security at all. This means the user account headache invited people to make their entire computers vulnerable to abuse over their LAN and the Internet. (And, as I mentioned earlier, this is where most of your spam comes from.)

Enter Simple File Sharing. On all Windows XP Home Edition computers, and as the default option on XP Professional on a Workgroup network, Simple File Sharing does four things:

  • It treats anyone who attempts to use shared resources over the network as Guest.

  • The Guest account is enabled by default for network use only. (You can separately choose whether Guest can log on at your keyboard. This is disabled by default on both XP Home and Pro.)

  • Windows removes Everyone from the permission lists for access to the hard drive's root folder and Windows directory. This means that only authorized locally logged-on users can access most of the disk, and the Windows directory in particular.

  • When you share folders, Windows in most cases automatically applies the correct permissions to the shared folder so that Everyone (that is, Guest) can read and optionally write to the folder. For folders it knows aren't safe to share, it doesn't do this.

Only a few folders get shared, and while anybody with access to the network can access them, the damage an intruder can do is limited to stealing or modifying just the files in a few folders that are known to be public.

It's also much easier to use shared files and folders on your LAN. You won't be called upon or able to select which individual users get access and which don't. If you share a folder, you share it with read-only or read/write access. It's very simple indeed, and it's perfectly appropriate for home and small office LANs. Microsoft's reasoning here is that it's better to configure a somewhat looser LAN correctly than a stricter LAN poorly. For tight user control, corporations use Server-based networks.

There are two down sides to Simple File Sharing: First, and most important, it's crucial that you have a firewall in place. Otherwise, everyone on the Internet will have the same rights in your shared folders as you. (That's one of the reasons for Windows Firewall, and why the Network Setup Wizard is so adamant about either installing the Firewall or disabling file sharing.)

The second down side is less troublesome and probably less noticeable to most people: If you attempt to use a shared folder from another computer on which you have the same username and password, you won't get the full rights that you'd have locally. You'll be a guest like anyone else. In particular, the very handy whole-drive administrative shares like “C$” do not work when Simple File Sharing is in use.

On Windows XP Professional, if you want to use the old per-user permission scheme, you can disable Simple File Sharing. You'll have more control over permissions at the cost of lots more work in configuration.

Packet Filtering

If you use a hardware Internet connection sharing router (also called a residential gateway) or a full-fledged network router for your Internet service, you can instruct it to block data that carries services you don't want exposed to the Internet. This is called packet filtering. You can set this up in addition to NAT to provide extra protection.

Filtering works like this: Each Internet data packet contains identifying numbers that indicate the protocol type (such as TCP or UDP) and the IP address for the source and destination computers. Some protocols also have an additional number called a port, which identifies the program that is to receive the packet. The WWW service, for example, expects TCP protocol packets addressed to port 80. A domain name server listens for UDP packets on port 53.

A packet arriving at the firewall from either side is examined; then it is either passed on or discarded, according to a set of rules that list the protocols and ports permitted or prohibited for each direction. A prohibited packet can be dropped silently, or the router can reject the packet with an error message indicating the requested network service is unavailable. (If possible, I prefer to specify the silent treatment. Why tell hackers that a desired service is present even if it's unavailable to them?) Some routers can also make a log entry or send an alert indicating that an unwanted connection was attempted.

NOTE

For a good introduction to firewalls and Internet security in general, I recommend Practical Firewalls, published by Que; Maximum Windows 2000 Security, published by Sams; and Firewalls and Internet Security: Repelling the Wily Hacker published by Addison & Wesley.

Configuring routers for filtering is beyond the scope of this book, but I'll list some relevant protocols and ports in Table 21.1. If your router lets you block incoming requests separately from outgoing requests, you should block incoming requests for all of the services listed below, unless you are sure you want to enable access to them. If you have a basic gateway router that doesn't provide separate incoming and outgoing filters, you probably only want to filter those services that I've marked with an asterisk (*).

Table 21.1. Services That You Might Want to Block

Protocol    Port     Associated Service
TCP         20–21    FTP—File Transfer Protocol.
TCP *       23       TELNET—Clear-text passwords are sent by this remote terminal service, which also is used to configure routers.
TCP         53       DNS—Domain Name Service. Block TCP mode “zone” transfers, which reveal machine names.
TCP+UDP     67       BOOTP—Bootstrap Protocol (similar to DHCP). Unnecessary.
TCP+UDP     69       TFTP—Trivial File Transfer Protocol. No security.
TCP         110      POP3—Post Office Protocol.
UDP *       137–8    NetBIOS—Three ports are used by Microsoft File Sharing.
TCP *       139      NetBIOS (see UDP 137–8 above).
UDP *       161–2    SNMP—Simple Network Monitoring Protocol. Reveals too much information and can be used to reconfigure the router.
TCP *       445      SMB—Windows XP and 2000 File Sharing can use Port 445 as well as 137–139.
TCP         515      LPD—UNIX printer sharing protocol supported by Windows XP.
UDP         1900     Universal Plug and Play—can be used to reconfigure routers.
TCP         5000     Universal Plug and Play (see UDP 1900 above).

As I said, if you use a hardware router to connect to the Internet, I can't show you the specifics for your device. I can give you a couple of examples, though. My Linksys Cable/DSL Sharing Router uses a Web browser for configuration, and there's a page for setting up filters, as shown in Figure 21.1. In this figure, I've blocked the ports for Microsoft file sharing services.

Figure 21.1. Configuring packet filters in a typical Internet connection sharing router.

If you use routed DSL Internet service, your ISP might have provided a router manufactured by Flowpoint, Netopia, or another manufacturer. As an example, filtering is set up in a Flowpoint router through a command line interface, as shown below:

remote ipfilter append input drop -p udp -dp 137:138 internet
remote ipfilter append input drop -p tcp -dp 139 internet
remote ipfilter append input drop -p tcp -dp 445 internet

These are complex devices and your ISP will help you set yours up. Insist that they install filters for ports 137, 138, 139, and 445 at the very least.
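The filtering logic described in this section, as an added example (it is not from the book and is not any router's firmware): a first-match filter whose rules are generated from Table 21.1, comparing a router with separate incoming filters against a basic gateway that filters only the asterisked services. The field names, the default-pass policy, and the sample packets are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Table 21.1 as data: (protocols, first port, last port, asterisked?, service)
TABLE_21_1 = [
    (("tcp",), 20, 21, False, "FTP"),
    (("tcp",), 23, 23, True, "TELNET"),
    (("tcp",), 53, 53, False, "DNS zone transfer"),
    (("tcp", "udp"), 67, 67, False, "BOOTP"),
    (("tcp", "udp"), 69, 69, False, "TFTP"),
    (("tcp",), 110, 110, False, "POP3"),
    (("udp",), 137, 138, True, "NetBIOS"),
    (("tcp",), 139, 139, True, "NetBIOS"),
    (("udp",), 161, 162, True, "SNMP"),
    (("tcp",), 445, 445, True, "SMB"),
    (("tcp",), 515, 515, False, "LPD"),
    (("udp",), 1900, 1900, False, "UPnP"),
    (("tcp",), 5000, 5000, False, "UPnP"),
]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> LAN, "out" = LAN -> Internet
    proto: str       # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    first_port: int
    last_port: int
    action: str      # "pass", "drop" (silent) or "reject" (error returned)
    service: str

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.first_port <= pkt.dst_port <= self.last_port)


def inbound_rules(action: str = "drop") -> List[Rule]:
    """Router with separate in/out filters: block every listed service inbound."""
    return [Rule("in", proto, lo, hi, action, svc)
            for protos, lo, hi, _star, svc in TABLE_21_1 for proto in protos]


def basic_gateway_rules(action: str = "drop") -> List[Rule]:
    """Single filter list: block only the asterisked services, in both directions."""
    return [Rule(direction, proto, lo, hi, action, svc)
            for protos, lo, hi, star, svc in TABLE_21_1 if star
            for proto in protos for direction in ("in", "out")]


def filter_packet(rules: List[Rule], pkt: Packet,
                  log: Optional[List[str]] = None, default: str = "pass") -> str:
    """Return the action of the first matching rule; log anything not passed."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action != "pass" and log is not None:
                log.append(f"{rule.action} {pkt.direction} {pkt.proto} "
                           f"{pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port} [{rule.service}]")
            return rule.action
    return default   # assumption: anything not listed is allowed


def sender_sees(action: str) -> str:
    """What the remote side learns: a silent drop reveals nothing about the service."""
    return {"pass": "service answers",
            "reject": "error: service unavailable",
            "drop": "nothing (timeout)"}[action]


# Constructed sample traffic; all addresses are documentation ranges.
SAMPLE = [
    Packet("in", "tcp", "203.0.113.9", "192.0.2.10", 445),    # file sharing probe
    Packet("in", "udp", "203.0.113.9", "192.0.2.10", 137),    # NetBIOS name query
    Packet("in", "tcp", "203.0.113.9", "192.0.2.10", 21),     # FTP
    Packet("in", "udp", "203.0.113.9", "192.0.2.10", 53),     # DNS lookup, not a zone transfer
    Packet("out", "tcp", "192.0.2.10", "198.51.100.7", 80),   # Web browsing
    Packet("out", "tcp", "192.0.2.10", "198.51.100.7", 445),  # file sharing leaving the LAN
]


def run(rules: List[Rule]):
    """Filter the sample traffic and return (verdicts, log entries)."""
    log: List[str] = []
    return [filter_packet(rules, pkt, log) for pkt in SAMPLE], log


if __name__ == "__main__":
    for name, rules in (("separate inbound filter", inbound_rules()),
                        ("basic gateway", basic_gateway_rules())):
        verdicts, log = run(rules)
        print(name, verdicts)
        for entry in log:
            print("  log:", entry)
```

The two rule sets differ on the FTP packet and on the outbound port 445 packet, which is the trade-off the asterisks in Table 21.1 encode.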

Using NAT or Internet Connection Sharing

By either name, Network Address Translation (NAT) has two big security benefits. First, it can be used to hide an entire network behind one IP address. Then, while it transparently passes connections from you out to the Internet, it rejects all incoming connection attempts except those that you explicitly direct to waiting servers inside your LAN. Packet filtering isn't absolutely necessary with NAT, although it can't hurt to add it.
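The NAT behavior described here and in the earlier switchboard analogy, as an added example (not from the book and not how any particular router is implemented): a translation table that rewrites outgoing connections to one public address, forwards only anticipated replies or explicitly configured servers, and ignores everything else. The class and method names, the port numbering, the per-peer reply check, and the addresses are assumptions; real devices vary in how strictly they match replies.

```python
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class NatGateway:
    """Toy model of a connection-sharing router's translation table."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._by_lan: Dict[Tuple[str, str, int], int] = {}      # LAN endpoint -> public port
        self._by_public: Dict[Tuple[str, int], Endpoint] = {}   # public port -> LAN endpoint
        self._peers: Dict[Tuple[str, int], Set[Endpoint]] = {}  # remotes a LAN host contacted
        self._forwards: Dict[Tuple[str, int], Endpoint] = {}    # servers you chose to expose

    def add_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: int) -> None:
        """Explicitly direct one public port to a waiting server inside the LAN."""
        self._forwards[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, proto: str, lan: Endpoint, remote: Endpoint) -> Endpoint:
        """A LAN host opens a connection; return the source the Internet sees."""
        key = (proto, lan[0], lan[1])
        if key not in self._by_lan:
            port = self._next_port
            self._next_port += 1
            self._by_lan[key] = port
            self._by_public[(proto, port)] = lan
            self._peers[(proto, port)] = set()
        port = self._by_lan[key]
        self._peers[(proto, port)].add(remote)   # remember whom we expect to hear from
        return (self.public_ip, port)

    def inbound(self, proto: str, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Return the LAN endpoint that receives the packet, or None if it is ignored."""
        key = (proto, public_port)
        if key in self._forwards:                 # explicitly exposed server
            return self._forwards[key]
        if remote in self._peers.get(key, ()):    # anticipated reply
            return self._by_public[key]
        return None                               # unsolicited: rejected or ignored


def walkthrough() -> dict:
    """Run a constructed scenario and return each decision by name."""
    gw = NatGateway("203.0.113.5")
    pc1, pc2 = ("192.168.0.10", 1025), ("192.168.0.11", 1025)
    web = ("198.51.100.7", 80)        # a site both PCs browse
    stranger = ("203.0.113.9", 50000) # an unrelated Internet host
    result = {
        "pc1_seen_as": gw.outbound("tcp", pc1, web),
        "pc2_seen_as": gw.outbound("tcp", pc2, web),
    }
    result["reply_to_pc1"] = gw.inbound("tcp", web, 40000)
    result["stranger_on_mapped_port"] = gw.inbound("tcp", stranger, 40000)
    result["stranger_on_445"] = gw.inbound("tcp", stranger, 445)
    result["port_80_before_forward"] = gw.inbound("tcp", stranger, 80)
    gw.add_forward("tcp", 80, "192.168.0.20", 80)
    result["port_80_after_forward"] = gw.inbound("tcp", stranger, 80)
    return result


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name:26} {value}")
```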

Note

→ To learn more about NAT, see “NAT and Internet Connection Sharing,” p. 742.

You learned how to configure Windows Internet Connection Sharing in Chapter 19, so I won't repeat that information here.

CAUTION

Microsoft's Internet Connection Sharing (ICS) blocks incoming access to other computers on the LAN but unless Windows Firewall is also enabled, it does not protect the computer that is sharing the Internet connection. If you use ICS you must enable Windows Firewall on the same connection. Together, they provide adequate protection for all of your computers.

If you have built a network with another type of router or connection sharing device, you must follow the manufacturer's instructions or get help from your ISP to set it up.

TIP

Not all ISPs will help you set up a connection-sharing router. These devices just cut into their revenues. Your ISP may even forbid their use. Better check first, before asking for help in installing one. Personally, I think that the additional security that they provide justifies their use even if the ISP doesn't like them.

Add-On Products for Windows

There are many commercial products called Personal Firewalls, designed for use on PCs. Products such as Zone Alarm and Zone Alarm Pro (www.zonelabs.com), McAfee Personal Firewall (www.mcafee.com), Sygate Personal Firewall (www.sygate.com), Norton Personal Firewall (www.symantec.com), and Black Ice Defender (www.networkice.com) range in price from free to about $50. Now that Windows includes an integral firewall, these add-on products may no longer be necessary, but you may still want to investigate them for the additional reporting and outbound-traffic-monitoring they provide.

Secure Your Router

If you use a router for your Internet connection and rely on it to provide network protection, you must make it require a secure password. If your router doesn't require a password, anyone could connect to it across the Internet and delete the filters you've set up. Most routers as configured by the manufacturers and ISPs do not require a password.

To lock down your router, you'll have to follow procedures for your specific router. You want to do the following:

  • Change the router's administrative password to a combination of letters, numbers, and punctuation. Be sure to write it down somewhere!

  • Change the SNMP read-only and read-write community names (which are in effect passwords) to a secret word.

  • Prohibit Write access via SNMP or disable SNMP entirely.

  • Change all Telnet login passwords, whether administrative or informational.

If you don't want to attempt to lock down your router, your ISP should do it for you. If your ISP supplied your router and you change the password yourself, be sure to give the new password to your ISP.

Set Up Restrictive Access Controls

Possibly the most important and difficult step you can take is to limit access to shared files, folders, and printers. You can use the guidelines shown in Table 21.2 to help organize a security review of every machine on your network. I've put some crucial items in boldface.

Table 21.2. Restricting Access Controls

| Access Point | Controls |
| --- | --- |
| File Sharing | Don't share your computers' entire hard drives. Share only folders that need to be shared, and if possible choose only folders in your My Documents folder (for simplicity). |
| Passwords | Set up all accounts to require passwords. You can configure your computers to require long passwords if you want to enforce good internal security. I'll show you how to do this later in the chapter. |
| Partitions | If you install IIS and want to make a Web site or FTP site available to the Internet, set up a separate NTFS partition on your hard drive just for Web site files. I discussed this in Chapter 13, “Hosting Web Pages with Internet Information Server.” |
| Access Control | Don't use Administrator or any other Computer Administrator account for your day-to-day work. If you accidentally run a Trojan horse or virus program using an Administrator account, the nasty program has full access to your computer. Instead, create and use Power User and Limited User accounts to the greatest extent possible. |
| FTP | If you install a public FTP server, do not let FTP share a FAT-formatted drive or partition. In addition, you must prevent anonymous FTP users from writing to your hard drive. I discussed this in Chapter 13. |
| SMTP | Configuring an email system is beyond the scope of this book. But if you operate an email server, consider storing incoming mail in a separate partition to avoid getting overrun with too much mail. Also, you must prohibit “relaying” from outside SMTP servers to outside domains, lest your server be used as a spam relay site. |
| HTTP (Web) | Don't enable both Script/Execute permission and Write permission on the same folder. Enabling both permissions would permit outside users to install and run arbitrary programs on your computer. You should manually install any needed scripts or CGI programs. (The FrontPage extensions can publish scripts to protected directories, but they perform strong user authentication before doing so.) |
| SNMP | This network monitoring option is a useful tool for large networks but it also poses a security risk. If installed, it could be used to modify your computer's network settings and, at the very least, will happily reveal the names of all the user accounts on your computer. Don't install SNMP unless you need it, and if you do, change the “community name” from public to something confidential and difficult to guess. Block SNMP traffic through your Internet connection with filtering. |

Keep Up-to-Date

New bugs in major operating systems and applications software are found every week, and patches and updates are issued almost as frequently. Even Microsoft's own public servers have been taken out by virus software!

Software manufacturers including Microsoft have recently become quite forthcoming with information about security risks, bugs, and the like. It wasn't always the case, as they mostly figured if they kept the problems a secret, fewer bad guys would find out about them, and so their customers would be better off. (That, and it saved them the embarrassment of admitting the seriousness of their bugs.) Information is shared so quickly among the bad guys now that it has become essential for companies to inform users of security problems as soon as a defensive strategy can be devised.

You can subscribe to the Microsoft email Updates security bulletin service at www.microsoft.com/security. The following are some other places to check out:

www.ntbugtraq.com

www.sans.org

www.cert.org

www.first.org

www.cs.purdue.edu/coast/

www.greatcircle.com

Usenet newsgroups: comp.security.*, comp.risks

Some of these sites point you toward security-related mailing lists. You should subscribe to Microsoft Security Advisor Bulletins at least. Forewarned is forearmed!

Testing, Logging, and Monitoring

Testing, logging, and monitoring involve testing your defense strategies and detecting breaches. It's tedious, but who would you rather have be first to find out that your system is hackable: you or “them”? Your testing steps should include

  • Testing your defenses before you connect to the Internet

  • Monitoring Internet traffic on your network and on the connection to your Internet service provider or other networks

  • Detecting and recording suspicious activity on the network and in application software

You can't second-guess what 100 million potential “visitors” might do to your computer or network, but you should at least be sure that all your roadblocks stop the traffic you were expecting them to stop.

Test Your Defenses

Some companies hire expert hackers to attempt to break into their networks. You can do this too, or you can try to be your own hacker. Before you connect to the Internet, and periodically thereafter, try to break into your own system. Find its weaknesses.

Go through each of your defenses and each of the security policy changes you made, and try each of the things you thought they should prevent.

First, connect to the Internet, visit www.grc.com, and view the Shields Up page. This Web site attempts to connect to Microsoft Networking and TCP/IP services on your computer to see whether any are accessible from the outside world. Click the Test My Shields! and Probe My Ports! buttons to see whether this testing system exposes any vulnerabilities. This is a great tool. (Its author, Steve Gibson, is a very bright guy and has lots of interesting things to say, but be forewarned, some of it is a bit hyperbolic.)

NOTE

If you're on a corporate network, contact your network manager before trying this. If your company uses intrusion monitoring, this probe might set off alarms and get you in hot water.

As a second test, find out what your public IP address is. If you use a dial-up connection or Internet Connection Sharing, go to the computer that actually connects to the Internet, open a Command Prompt window, and type ipconfig. Write down the IP address of your actual Internet connection (this number will change every time you dial in, by the way). If you use a sharing router, you'll need to get the actual IP address from your router's Status page.

Then, enlist the help of a friend, or go to a computer not on your site but out on the Internet. Open Windows Explorer (not Internet Explorer) and in the Address box, type \\1.2.3.4, except in place of 1.2.3.4 type the IP address that you recorded earlier. This will attempt to connect to your computer for file sharing. You should not be able to see any shared folders, and you shouldn't even be prompted for a username and/or password. If you have more than one public IP address, test all of them.

NOTE

If you have installed a Web or FTP server, attempt to view any protected pages without using the correct username or password. With FTP, try using the login name anonymous and the password guest. Try to copy files to the FTP site while connected as “anonymous”—you shouldn't be able to.

NOTE

If you are not able to view protected Web pages or folders even after providing the correct password, see “Can't View Protected Web Pages” in the “Troubleshooting” section at the end of this chapter.

Use network testing utilities to attempt to connect to any of the network services you think you have blocked—for example, SNMP.

NOTE

Attempt to use Telnet to connect to your router, if you have one. If you are prompted for a login, try the factory default login name and password listed in the router's manual. If you've blocked Telnet with a packet filter setting, you should not be prompted for a password. If you are prompted, be sure the factory default password does not work, because you should have changed it.

NOTE

Port scanning tools are available to perform many of these tests automatically. For an example, see the Shields Up Web page at www.grc.com. I caution you to use this sort of tool in addition to, not instead of, the other tests I listed here.

Monitor Suspicious Activity

If you use Windows Firewall, you can configure it to keep a record of rejected connection attempts. Open the properties page of the firewalled connection, select the Advanced tab, click Settings, select the Advanced tab, and under Security Logging, click Settings (phew!) to get to the Log Settings dialog shown in Figure 21.2.

Figure 21.2. Enable logging to see what Windows Firewall is turning away.

Inspect the log file periodically by viewing it with Notepad.

NOTE

If you use a dial-up connection, the firewall log is less useful. It will accrue lots of entries caused by packets left over from connections made by the dial-up customer who had your temporary IP address before you got it. They'll continue to arrive for a while, just as junk mail does after a tenant moves out.
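
As an added example (not from the book), the following Python script shows one way to summarize the firewall log instead of reading it line by line in Notepad. The sample log is constructed, the column names are taken from the log's own #Fields header, and the watched-port table and the three-port threshold are choices made for this illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in the log's W3C-style layout. Addresses come from the
# documentation ranges (RFC 5737); the last line is deliberately truncated.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-04-11 08:05:57 DROP TCP 203.0.113.7 198.51.100.20 4123 445 48 S 2791152100 0 16384 - - -
2005-04-11 08:05:58 DROP TCP 203.0.113.7 198.51.100.20 4124 139 48 S 2791152201 0 16384 - - -
2005-04-11 08:05:59 DROP TCP 203.0.113.7 198.51.100.20 4125 3389 48 S 2791152302 0 16384 - - -
2005-04-11 08:06:00 DROP TCP 203.0.113.7 198.51.100.20 4126 23 48 S 2791152403 0 16384 - - -
2005-04-11 08:07:10 DROP UDP 192.0.2.55 198.51.100.255 137 137 78 - - - - - - -
2005-04-11 08:07:12 DROP UDP 192.0.2.55 198.51.100.255 137 137 78 - - - - - - -
2005-04-11 08:08:02 OPEN TCP 198.51.100.20 192.0.2.80 1061 80 - - - - - - - -
2005-04-11 08:09:41 DROP ICMP 192.0.2.99 198.51.100.20 - - 60 - - - - 8 0 -
2005-04-11 08:10:00 DROP TCP 203.0.113.7
"""

# Services this chapter tells you to keep away from the Internet.
WATCHED = {
    ("TCP", 139): "file sharing", ("TCP", 445): "file sharing",
    ("UDP", 137): "file sharing", ("UDP", 138): "file sharing",
    ("TCP", 3389): "Remote Desktop", ("TCP", 23): "Telnet",
    ("UDP", 161): "SNMP",
}


def parse_log(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # truncated or foreign line: skip it rather than guess
        records.append(dict(zip(fields, values)))
    return records


def summarize(records, scan_threshold=3):
    """Count rejected packets per source and flag multi-port probing."""
    drops_by_source = Counter()
    targets = defaultdict(set)      # source -> {(protocol, port), ...}
    watched_hits = Counter()        # service name -> rejected attempts
    for rec in records:
        if rec.get("action") != "DROP":
            continue
        src = rec["src-ip"]
        drops_by_source[src] += 1
        if rec["dst-port"].isdigit():   # ICMP records carry "-" here
            key = (rec["protocol"], int(rec["dst-port"]))
            targets[src].add(key)
            if key in WATCHED:
                watched_hits[WATCHED[key]] += 1
    multi_port = sorted(s for s, t in targets.items() if len(t) >= scan_threshold)
    return {
        "drops_by_source": drops_by_source,
        "watched_hits": watched_hits,
        "multi_port_sources": multi_port,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for src, count in report["drops_by_source"].most_common():
        print("%-15s %d rejected" % (src, count))
    print("Watched services:", dict(report["watched_hits"]))
    print("Tried several ports:", report["multi_port_sources"])
```

To run it against your own log, read the file you named in the Log Settings dialog and pass its text to parse_log in place of SAMPLE_LOG.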

Disaster Planning: Preparation for Recovery After an Attack

Disaster planning should be a key part of your security strategy. The old saying “Hope for the best, and prepare for the worst” certainly applies to network security. Murphy's law predicts that if you don't have a way to recover from a network or security disaster, you'll soon need one. If you're prepared, you can recover quickly and may even be able to learn something useful from the experience. Here are some suggestions to help you prepare for the worst:

  • Make permanent, archived “baseline” backups of exposed computers before they're connected to the Internet and anytime system software is changed

  • Make frequent backups once online

  • Prepare written, thorough, and tested computer restore procedures

  • Write and maintain documentation of your software and network configuration

  • Prepare an incident plan

A little planning now will go a long way toward helping you through this situation. The key is having a good backup of all critical software. Each of the points discussed in the preceding list is covered in more detail in the following sections.

Make a Baseline Backup Before You Go Online

You should make a permanent “baseline” backup of your computer before you connect with the Internet for the first time, so you know it doesn't have any virus infections. This backup should be kept permanently. You can use it as a starting point for recovery if your system is compromised.

→ To learn more about making backups, see “Backup Tools and Strategies,” p. 1142.

Make Frequent Backups When You're Online

I hate to sound like a broken record on this point, but you should have a backup plan and stick to it. Make backups at some sensible interval and always after a session of extensive or significant changes (for example, after installing new software or adding users). In a business setting, you might want to have your backup program schedule a backup every day automatically. (You do have to remember to change the backup media, even if the backups are automatic, however!) In a business setting, backup media should be rotated off-site to protect against loss due to theft or fire.

Write and Test Server Restore Procedures

I can tell you from personal experience that the only feeling more sickening than losing your system is finding out that the backups you've been diligently making are unreadable. Whatever your backup scheme is, be sure it works!

This step is really difficult to take, but I really urge you to try to completely rebuild a system after an imaginary break-in or disk failure. Use a sacrificial computer, of course, not your main computer, and allow yourself a whole day for this exercise. Go through all the steps: Reformat hard disks, reinstall Windows or use the Automated System Recovery feature, reinstall tape software (if necessary), and restore the most recent backups. You will find this a very enlightening experience, well worth the cost in time and effort. Finding the problem with your system before you need the backups is much better than finding it afterward!

Also, be sure to document the whole restoration process so that you can repeat it later. After a disaster, you'll be under considerable stress, so you might forget a step or make a mistake.

Having a clear, written, tested procedure goes a long way toward making the recovery process easier and more likely to succeed.

Write and Maintain Documentation

It's in your own best interest to maintain a log of all software installed on your computers, along with software settings, hardware types and settings, configuration choices, network number information, and so on. (Do you vaguely remember some sort of ordeal with a DMA conflict when you installed the tape software last year? How did you resolve that problem, anyway?)

In businesses, this information is often part of the “oral tradition,” but a written record is an important insurance policy against loss due to memory lapses or personnel changes. Record all installation and configuration details.

TIP

Windows has no utilities to print out the configuration settings for software and network systems. I use Alt+PrntScrn to record the configurations for each program and network component and then paste the images into WordPad or Microsoft Word.

Then, print out a copy of this documentation, so you'll be able to refer to it if your computer crashes.

Make a library of CD-ROMs, repair disks, startup disks, utility disks, backup CDs, ZIP disks, tapes, manuals, and notebooks that record your configurations and observations. Keep them together in one place and locked up if possible.

Prepare an Incident Plan

A system crash or intrusion is a highly stressful event. A written plan of action made now will help you keep a clear head when things go wrong. The actual event probably won't go as you imagined, but at least you'll have some good first steps to follow while you get your wits about you.

If you know a break-in has been successful, you must take immediate action. First, disconnect your network from the Internet. Then find out what happened.

Unless you have an exact understanding of what happened and can fix the problem, you should clean out your system entirely. This means that you should reformat your hard drive, install Windows and all applications from CDs or pristine disks, and make a clean start. Then you can look at recent backups to see whether you have any you know aren't compromised, restore them, and then go on.

But most of all, have a plan. The following are some steps to include in your incident plan:

  1. Write down exactly how to properly shut down computers and servers.

  2. Make a list of people to notify, including company officials, your computer support staff, your ISP, an incident response team, your therapist, and anyone else who will be involved in dealing with the aftermath.

  3. Check www.first.org to see whether you are eligible for assistance from one of the many FIRST response teams around the world. FIRST (the Forum of Incident Response and Security Teams) can tell you which agencies might best be able to help you in the event of a security incident; call 1-301-975-3359.

  4. The CERT-CC (the Computer Emergency Response Team Coordination Center) may also be able to help you, or at least get information from your break-in to help protect others. Check www.cert.org. In an emergency, call 1-412-268-7090.

    You can find a great deal of general information on effective incident response planning at www.cert.org. CERT offers training seminars, libraries, security (bug) advisories, and technical tips as well.

Specific Configuration Steps for Windows XP

Many of the points I've mentioned so far in this chapter are general, conceptual ideas that should be helpful in planning a security strategy, but perhaps not specific enough to directly implement. The following sections provide some specific instructions to tighten security on your Windows XP computer or LAN. These instructions are for a single Windows XP computer or a workgroup without a Windows 200x Server. Server offers more powerful and integrated security tools than are available with Windows XP Professional alone (and happily, it's the domain administrator's job to set it all up).

If You Have a Standalone Windows XP Professional Computer

If you have a standalone system without a LAN, you need to take only a few steps to be sure you're safe when browsing the Internet:

  1. Enable Macro Virus Protection in your Microsoft Office applications.

  2. Be very wary of viruses and Trojan horses in email attachments and downloaded software. Install a virus scan program, and discard unsolicited email with attachments without opening it. If you use Outlook or Outlook Express, you can disable the “preview” pane that automatically displays email. Several viruses have exploited this open-without-asking feature. (The version of Outlook provided with XP Service Pack 2 is better in this regard.)

  3. Keep your system up-to-date with Automatic Updates (see the Automatic Updates tab on the System control panel applet), Windows Update, service packs, application software updates, and virus scanner updates. Check for updates every couple of weeks at the very least.

    NOTE

    Unfortunately, the Automatic Updates pop-up only appears when you are logged in using a Computer Administrator account. Unless you've configured Automatic Updates to automatically install the updates, you need to log on as an administrator at least once every week or two to see if anything new has been downloaded.

  4. Make the Security Policy changes I suggest later in this chapter under “Tightening Local Security Policy.”

  5. Use strong passwords on each of your accounts including the Administrator account. (Sign on as Administrator by typing Ctrl+Alt+Del twice at the Welcome screen. Then change the password and make a password reset diskette.) For all passwords use letters and numbers or punctuation; don't use your name or other simple words.

  6. Be absolutely certain that Windows Firewall is enabled on any icon in your Network Connections folder that connects directly to the Internet. To enable Windows Firewall, use the steps shown later in this chapter under “Enabling Windows Firewall.”

If You Have a LAN

If your computer is connected to others through a LAN, follow the first five suggestions from the list in the preceding section. Make the Security Policy changes on each computer.

If you are using the Simple File Sharing system option, which I discussed earlier in this chapter, the security situation is quite different than it was in any previous version of Windows. Since all access to shared files over any network or Internet connection is granted or denied without a password, your one and only line of defense is having a firewall in place between the Internet and your computer. It's absolutely essential that you have a firewall in place, either Windows Firewall or a third-party product.

CAUTION

If you use cable Internet service with multiple IP addresses provided by your ISP, but have no hardware firewall device in place, you cannot share files on your LAN. For this reason, I urge you NOT to use this type of arrangement. See Chapter 19, “Connecting Your LAN to the Internet,” for details.

Finally, if you use a wireless network, you must use WEP or WPA encryption to protect your network. Otherwise, thanks to Simple File Sharing, random people passing by could have the same access to your shared files as you do.

Enabling Windows Firewall

If you use the Internet, whether directly from your computer or through a network connection, you must be sure that some sort of firewall is in place to prevent Internet denizens from reaching into your computer. If you use a hardware Internet connection sharing device, that will protect you to some extent, and I gave specific tips for adding additional protection in the previous section. But unless you're on a professionally secured corporate network, or you use a third-party firewall product, you should also use Microsoft's Windows Firewall. Starting with Windows XP Service Pack 2, Windows Firewall is turned on by default, and you may already be using it. You can use the following procedure to verify or manually enable the firewall:

  1. Click Start, My Network Places, and then View Network Connections.

  2. Find the icon that represents your actual connection to the Internet. This could be a dial-up connection or a local area connection that is used to connect to a LAN, router, or a DSL, cable, or satellite modem.

  3. The icon for this connection should have the word Firewalled next to it. If it does, you're all set.

  4. If it doesn't say Firewalled, click Change Windows Firewall Settings. Check On (Recommended) as shown in Figure 21.3.

    Figure 21.3. Click On to enable Windows Firewall.

  5. Click OK. The icon should now say Firewalled next to it.

If you want to run a Web server, email system, or other network services that you want to be made available to the outside world, you'll have to “open” the firewall for these services. See “Configuring Windows Firewall” later in this chapter for details.

Tightening Local Security Policy

You should set your machine's own (local) security policy whether you have a standalone computer or are on a LAN. Local Security Policy lets Windows enforce some common-sense security rules, like requiring a password of a certain minimum length.

If your computer is part of a Windows domain-type network, your local security policy settings will likely be superseded by policies set by your domain administrator, but you should set them anyway so that you're protected if your domain administrator doesn't specify a so-called global policy.

To configure local security policy, log in as a Computer Administrator, and choose Start, All Programs, Administrative Tools, Local Security Policy. (If the Administrative Tools icon doesn't appear on the menu, the Administrative Tools Control Panel applet can get you there.)

A familiar Explorer view then appears with several main security policy categories in the left pane, as shown in Figure 21.4. I'll list several policy items you may want to change.

Figure 21.4. The Local Policy Editor lets you tighten security by restricting unsafe configuration options.

To change the settings, select the policy categories from the left pane, and double-click the policy names in the right pane. Appropriate Properties dialogs appear for each; an example is shown in Figure 21.5.

Figure 21.5. Each security policy item has a Properties dialog. You can enter the settings shown in the tables in the following sections.

You don't need to change all the policies. I'll list the important ones in the following sections.

Account Policies

Account policies can be used to require long, difficult, frequently changed passwords, and make it hard for users to recycle the same passwords over and over when forced to change. You should lock out accounts that fail several login attempts, locally or over the LAN. Table 21.3 shows the password policies and recommended altered settings, and Table 21.4 shows the options at your disposal for locking out an account.

Table 21.3. Password Policy Settings

| Password Policy | Local Setting |
| --- | --- |
| Enforce password history | 10 passwords remembered |
| Minimum password length | 8 characters |
| Passwords must meet complexity requirements | Enabled |
| Store password using reversible encryption | Disabled |

Table 21.4. Account Lockout Policy Settings

| Account Lockout Policy | Local Setting |
| --- | --- |
| Account lockout duration | 30 minutes |
| Account lockout threshold | 5 invalid logon attempts |
| Reset account lockout counter after | 30 minutes |

Local Policies

You should have Windows make an entry in the Event Log whenever someone oversteps his or her bounds. Table 21.5 shows the audit policies and recommended settings.

Table 21.5. Audit Policy Settings

| Audit Policy | Local Setting |
| --- | --- |
| Audit account logon events | Failure |
| Audit account management | Failure |
| Audit directory service access | Failure |
| Audit logon events | Failure |
| Audit object access | Failure |
| Audit policy change | Success, Failure |
| Audit privilege use | No auditing [*] |
| Audit system events | Failure |

[*] You should not audit Privilege Use because hundreds of spurious entries appear for no apparent reason.
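
The settings in Tables 21.3 through 21.5 can also be checked from a file rather than by clicking through each Properties dialog. The following Python script is an added example, not from the book: it assumes the local policy has been exported to a security template with secedit /export /cfg, and it compares the [System Access] and [Event Audit] values with the tables' recommendations. The sample template is constructed, and accepting values stricter than the tables list is this example's choice.

```python
import configparser

# Constructed sample of an exported template (not taken from a real machine).
# Lockout duration and reset keys are absent because the threshold is 0.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 10
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 1
AuditPolicyChange = 1
AuditAccountManage = 2
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 2
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Audit values in a template: 1 = success bit, 2 = failure bit.
AUDIT_TEXT = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# (section, key, policy name, rule, number, wording used in the tables)
# Rules: "min" = at least; "eq" = exactly; "range" = from 1 up to the number;
# "bits" = all of these audit bits are set.
RULES = [
    ("System Access", "PasswordHistorySize", "Enforce password history", "min", 10, "10 passwords remembered"),
    ("System Access", "MinimumPasswordLength", "Minimum password length", "min", 8, "8 characters"),
    ("System Access", "PasswordComplexity", "Passwords must meet complexity requirements", "eq", 1, "Enabled"),
    ("System Access", "ClearTextPassword", "Store password using reversible encryption", "eq", 0, "Disabled"),
    ("System Access", "LockoutDuration", "Account lockout duration", "min", 30, "30 minutes"),
    ("System Access", "LockoutBadCount", "Account lockout threshold", "range", 5, "5 invalid logon attempts"),
    ("System Access", "ResetLockoutCount", "Reset account lockout counter after", "min", 30, "30 minutes"),
    ("Event Audit", "AuditAccountLogon", "Audit account logon events", "bits", 2, "Failure"),
    ("Event Audit", "AuditAccountManage", "Audit account management", "bits", 2, "Failure"),
    ("Event Audit", "AuditDSAccess", "Audit directory service access", "bits", 2, "Failure"),
    ("Event Audit", "AuditLogonEvents", "Audit logon events", "bits", 2, "Failure"),
    ("Event Audit", "AuditObjectAccess", "Audit object access", "bits", 2, "Failure"),
    ("Event Audit", "AuditPolicyChange", "Audit policy change", "bits", 3, "Success, Failure"),
    ("Event Audit", "AuditPrivilegeUse", "Audit privilege use", "eq", 0, "No auditing"),
    ("Event Audit", "AuditSystemEvents", "Audit system events", "bits", 2, "Failure"),
]


def check_template(text):
    """Return (policy, current setting, recommended setting) per deviation."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                       strict=False, allow_no_value=True)
    parser.read_string(text)
    findings = []
    for section, key, policy, rule, wanted, wording in RULES:
        raw = parser.get(section, key, fallback=None)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            # Missing key or non-numeric value: report it, do not assume.
            findings.append((policy, "not set", wording))
            continue
        ok = {
            "min": value >= wanted,
            "eq": value == wanted,
            "range": 1 <= value <= wanted,      # 0 means "never lock out"
            "bits": (value & wanted) == wanted,
        }[rule]
        if not ok:
            if section == "Event Audit":
                shown = AUDIT_TEXT.get(value, str(value))
            else:
                shown = str(value)
            findings.append((policy, shown, wording))
    return findings


if __name__ == "__main__":
    for policy, current, recommended in check_template(SAMPLE_INF):
        print("%-45s is: %-12s recommended: %s" % (policy, current, recommended))
```

An exported template is normally saved as Unicode text, so open a real one with encoding="utf-16" before passing its contents to check_template.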

No changes are necessary in the User Rights assignments section, but you might want to view these entries to see what sorts of permission restrictions Windows uses.

Finally, go through the security options, as listed in Table 21.6. Security options are used to restrict what users can do with system options.

Table 21.6. Security Options Settings

| Security Option | Local Setting |
| --- | --- |
| Interactive logon: Do not require Ctrl+Alt+Del | Enabled * |
| Interactive logon: Log-in Message text | You can display a sort of “Posted: No Trespassing” warning with this entry. |
| Devices: Prevent users from installing printer drivers | Disabled. If you want to prevent users from installing potentially untested printer and hardware drivers, check out the options for these settings. |
| Shut down system immediately if unable to log security audits | A common hacker trick is to fill up audit logs with junk messages and then break in. If you want to, you can have Windows shut down when the Security Event Log fills. The downside is that it makes your security system a denial of service risk! (Microsoft's public “hack me if you can” Windows 2000 Server was shut down just this way.) |
| Devices: Unsigned driver installation behavior | Warn but allow. If you want to prevent users from installing potentially untested printer and hardware drivers, check out the options for these settings. |

NOTE

If you're interested in how Windows regulates the operation of your computer, take a look at the settings under User Rights Assignment and Security Options. You'll probably never need to change any of these settings, but these two sections are the heart of Windows's security controls.

When you log out and back in, the new restrictive security policies will take effect.

Configuring Windows Firewall

The purpose of Windows Firewall is to examine all incoming network data looking for attempts to connect to your computer. The firewall maintains a list of networking services for which incoming connections should be permitted, within a given range of network addresses. For example, by default, Windows Firewall permits file sharing connections only from computers on the same “subnet” or local area network as your computer. Attempts by users outside your immediate network to contact your computer are rebuffed. This prevents Internet users from examining your shared files. (Outgoing requests, that is, attempts by your computer to connect to others, are not restricted.)

The Firewall also monitors application programs and system services that announce their willingness to receive connections through the network. These are compared against a list of authorized programs. If an unexpected program sets itself up to receive incoming network connections, Windows displays a pop-up message like the one shown in Figure 21.6, giving you the opportunity to either prevent the program from receiving any network traffic (“Keep Blocking”), or to add the program to the authorized list (“Unblock”). This gives you a chance to prevent “spyware” and Trojan Horses from doing their dirty work. Firewall-aware programs like Windows Messenger automatically instruct the Firewall to unblock their data connections.

Figure 21.6. Windows Firewall displays a pop-up message if an unauthorized program asks to receive network connections.

To view Windows Firewall's setup dialogs, open the Network Connections window and select Change Windows Firewall Settings, or open the Windows Security Center and select Manage Security Settings for Windows Firewall.

NOTE

On a corporate network, your network manager may enforce or prevent its use and may restrict your ability to change Firewall settings while your computer is connected to the network.

The remainder of this section discusses the various setup options for Windows Firewall.

Enabling and Disabling the Firewall

The Firewall's General tab (refer to Figure 21.3) lets you enable or disable the firewall function. When the firewall is on, you can additionally check Don't Allow Exceptions to prevent all incoming connections from other computers. This can provide an extra level of safety when you are using an unsecured public network such as a wireless hotspot in a hotel, airport, or café.

Enabling Exceptions

In most cases you do want other computers to be able to make connections to yours; for instance, this is how other people get to folders and printers you are sharing. Windows Firewall lets you determine what network services it will let in, and for each, which other users (as specified by their computers' network address) will be allowed to make contact. These are called exceptions.

Exceptions can be defined in terms of network protocols and port numbers, which correspond to particular network services, or in terms of specific application program filenames. When a protocol and port is listed, any program that wants to receive connections for that network service is permitted to. When a program filename is listed, that program is permitted to receive connections for any protocol or port it wishes to.

The range of network addresses that are allowed to contact your computer is called a scope, and can be specified as any of the following:

  • Any computer (including those on the Internet)

  • My Network (subnet only)

  • Custom list (a list of network addresses or subnet specifications separated by commas).

CAUTION

The “My Network” selection permits access by any computer in the same subnet (local network group) of any of your computer's network connections, which may include more than just your own LAN. When your computer has a direct broadband or dialup Internet connection, in most cases there can be up to 252 other random computers assigned to the same subnet as your computer, and they'll have access to your computer.

The workaround is to not run sensitive services on a computer that is sharing its own Internet connection. This is not a problem when you are using a shared connection or a sharing router.
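
The effect of the three scope choices, and of the caution above, is easier to see when the address test is written out. The following Python sketch is an added example, not from the book and not Windows Firewall's own code: it models only the scope comparison, using constructed addresses and the default scopes listed in Table 21.7 (an exception applies only while it is checked on the Exceptions tab).

```python
import ipaddress

# Default scopes of the predefined exceptions, copied from Table 21.7.
PREDEFINED_SCOPES = {
    "File and Printer Sharing": "subnet",
    "Remote Assistance": "any",
    "Remote Desktop": "any",
    "UPnP Framework": "any",
}

# Constructed addressing plans (private and documentation ranges).
BEHIND_ROUTER = ["192.168.0.10/24"]                          # LAN adapter only
DIRECT_AND_SHARING = ["192.168.0.1/24", "198.51.100.20/24"]  # LAN + ISP adapter


def parse_custom_list(text):
    """Parse a comma-separated list of addresses and subnet specifications."""
    networks = []
    for item in text.split(","):
        item = item.strip()
        if item:
            # Accepts 192.168.1.7, 192.168.0.0/24 and 192.168.0.0/255.255.255.0
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def scope_allows(scope, source, interfaces, custom_list=""):
    """Would an exception with this scope accept a connection from source?"""
    src = ipaddress.ip_address(source)
    if scope == "any":
        return True
    if scope == "subnet":
        # "My Network": the subnet of ANY of the computer's connections.
        return any(src in ipaddress.ip_interface(i).network for i in interfaces)
    if scope == "custom":
        return any(src in net for net in parse_custom_list(custom_list))
    raise ValueError("unknown scope: %r" % (scope,))


def reachable_exceptions(source, interfaces, enabled=PREDEFINED_SCOPES):
    """Names of enabled exceptions whose scope admits this source address.

    This models the firewall's scope test only; it does not model what a
    NAT router in front of the computer would already have blocked.
    """
    return [name for name, scope in enabled.items()
            if scope_allows(scope, source, interfaces)]


if __name__ == "__main__":
    sources = {
        "LAN peer": "192.168.0.15",
        "ISP neighbour": "198.51.100.77",   # same ISP subnet, not your LAN
        "distant host": "203.0.113.9",
    }
    for label, plan in (("behind a sharing router", BEHIND_ROUTER),
                        ("sharing its own connection", DIRECT_AND_SHARING)):
        print("Computer " + label)
        for who, addr in sources.items():
            print("  %-14s %s" % (who, reachable_exceptions(addr, plan)))
    # A custom list naming only the LAN keeps the ISP neighbour out.
    print(scope_allows("custom", "198.51.100.77", DIRECT_AND_SHARING,
                       "192.168.0.0/255.255.255.0"))
```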

On the Firewall's Exceptions tab, shown in Figure 21.7, there is a predefined list of programs and network services for which the firewall will allow incoming connections. These are listed in Table 21.7.

Figure 21.7. Exceptions permit incoming connections to particular network services or specified application programs.

Table 21.7. Predefined Windows Firewall Exceptions

| Entry | Selected by Program or Port? | Scope | Protocols/Ports |
|---|---|---|---|
| File and Printer Sharing | Port | Subnet | TCP 139 |
| | | Subnet | TCP 445 |
| | | Subnet | UDP 137 |
| | | Subnet | UDP 138 |
| Remote Assistance | Program | Any | |
| Remote Desktop | Port | Any | TCP 3389 |
| UPnP Framework | Port | Any | TCP 2689 |
| | | Any | UDP 1900 |
| Windows Messenger [*] | Program | Any | |

[*] Windows Messenger appears automatically the first time Windows Messenger is used.

If you run a service such as a Web server, or an application program that will need to receive network connections, you can get an exception placed into this list by letting Windows display a pop-up warning of the type shown in Figure 21.6, or you can manually add an exception for this program.

To manually add an application exception, which lets the program receive any network connections it wishes, view the Exceptions tab and click Add Program. Click Browse to locate the program's executable (.EXE) file, and click Change Scope to set the range of network addresses that should be able to access the program's services.

To manually add a port (service) exception, which lets any program receive network connections on the specified network ports, view the Exceptions tab and click Add Port. Enter a name to describe the network service, enter the port number, and select TCP or UDP. Click Change Scope to set the range of network addresses that should be able to access this service.

For example, to permit access to a Web server running on your computer, you add the information shown in Figure 21.8. The Scope could be set to Any to permit access by the entire Internet, or Subnet to restrict access to your LAN only.

Figure 21.8. Adding an exception for a Web server.

You can later highlight any entry and select Delete or Edit to remove or modify these settings. You can also uncheck an entry to temporarily block the program or service.

TIP

Curious to know what programs and services on your computer are listening for incoming network connections? Log on as a Computer Administrator, open a Command Prompt window, and type the command netstat -ab | more. (This may take quite a long time.) If you don't recognize a program's name, use Google to see if it's discussed on any Web pages; this may help you determine whether it's a legitimate Windows program or some sort of malware.

Advanced Firewall Settings

The Firewall's Advanced tab lets you remove the firewall from particular network connections, enable logging of rejected data, control how Internet control packets are treated, and restore the Firewall to the default, factory-fresh settings.

Network Connection Settings

You can remove some network connections from the firewall's scrutiny by unchecking these connections in the Network Connection Settings list. This leaves the other connections still protected by the firewall. You may wish to do this when, for instance, your LAN is professionally protected by a hardware firewall, and you use network services on your LAN that the firewall has trouble with.

In general, though, it's best to leave all of your network connections protected by the firewall, to help prevent the spread of viruses and Trojans around your network should one computer be compromised.

The Settings button lets you change forwarding and ICMP packet filtering for the highlighted connection. This is not useful unless you are using Internet Connection Sharing, and the selected connection is the one being shared. (To be honest, it's hard to understand what Microsoft was thinking here. It would have been very useful if this button let you configure exceptions on an interface-by-interface basis, but that's not what it does.)

Security Logging

You can have Windows Firewall keep a record of connection requests it receives and rejects, or even of connections accepted and rejected. This may be useful in determining why network connections to your computer are failing, and also to identify when your computer is under attack. This feature was discussed earlier in the chapter under “Monitor Suspicious Activity.”
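As an added illustration (not part of the book), this Python script reads a firewall security log and lists the sources whose rejected connection attempts touched several different ports, one sign that the computer is being probed. The log lines are constructed samples in the log's W3C-style layout, and the three-port threshold and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample log. Column names are taken from the "#Fields:" header,
# so the parser does not depend on a fixed column order.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-03-01 10:15:01 DROP TCP 198.51.100.7 192.168.0.10 4312 135 48 S 1 0 16384 - - -
2005-03-01 10:15:02 DROP TCP 198.51.100.7 192.168.0.10 4313 139 48 S 1 0 16384 - - -
2005-03-01 10:15:02 DROP TCP 198.51.100.7 192.168.0.10 4314 445 48 S 1 0 16384 - - -
2005-03-01 10:15:03 DROP TCP 198.51.100.7 192.168.0.10 4315 3389 48 S 1 0 16384 - - -
2005-03-01 10:16:40 OPEN TCP 192.168.0.10 192.0.2.80 1055 80 - - - - - - - -
2005-03-01 10:17:12 DROP UDP 192.168.0.23 192.168.0.255 138 138 229 - - - - - - -
2005-03-01 10:18:05 DROP ICMP 203.0.113.9 192.168.0.10 - - 60 - - - - 8 0 -
"""


def parse_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or damaged lines
                yield dict(zip(fields, values))


def probing_sources(entries, min_ports=3):
    """Map each source address to the sorted ports it was refused on, keeping
    only sources refused on at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for entry in entries:
        # ICMP entries carry "-" in the port columns and are ignored here.
        if entry["action"] == "DROP" and entry["dst-port"].isdigit():
            ports[entry["src-ip"]].add(int(entry["dst-port"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, refused in probing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src} was refused on ports {refused}")
```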

ICMP

In addition to TCP, UDP, and other data transmission protocols, the Internet makes extensive use of the Internet Control Message Protocol (ICMP), which takes care of housekeeping details such as informing computers of routing problems and data transmission errors. It's also used by the ping program, a very important networking diagnostic tool.

By default, Windows Firewall does not permit any ICMP data to pass through the firewall. This prevents outside computers from sending you bogus ICMP data that could disrupt your use of the network. You can click ICMP Settings to instruct the firewall to pass any particular ICMP messages that your computer definitely needs to process.

In most cases, ICMP Echo Request (ping) is the only ICMP message that you definitely want to process. And, happily, you don't have to manually check this, as Windows Firewall automatically passes these packets if the exception for File and Printer Sharing is enabled.

Default Settings

You can restore the firewall to the default settings provided by Microsoft by clicking Default Settings.

However, you should be aware that this will remove entries for programs that may have added their own firewall settings. Furthermore, it will uncheck most of the default entries listed in Table 21.7 including File and Printer Sharing. You will need to recheck the entries for any services you want to make available.

More About Security

This chapter just barely scratched the surface of what there is to know and do about network security. There are lots of great books on the topic, and I've mentioned several of them in this chapter.

You also can get lots of information on the Web. First, www.sans.org and www.cert.org are great places to start looking into the security community. Steve Gibson has plenty to say about security at www.grc.com—it's educational and entertaining.

Finally, you might look into additional measures you can take to protect your computer and your network. There are many ways to configure networks. It's common, for example, to keep any public Web or email servers you have separate from the rest of your LAN. For additional security, you even can buy or build special-purpose firewall routers to place between your LAN and the Internet. One nifty way to do this is shown at www.linux-firewall-tools.com/linux/.

In any case, I'm glad you're interested enough in security to have read this far down in the chapter!

Troubleshooting

Shared Folders Are Visible to the Internet

When I use Explorer to view my computer across the Internet, I am prompted for a username and password, and/or shared folders are visible.

If you have this problem, Microsoft file sharing services are being exposed to the Internet. If you have a shared connection to the Internet, you need to enable Windows Firewall, or enable filtering on your Internet connection. At the very least you must block TCP/UDP ports 137 through 139 and 445. Don't leave this unfixed!

If you have several computers connected to a cable modem with just a hub, and no connection sharing router, you should read Chapter 19 for alternate ways to share your cable Internet connection.

Sensitive Web Pages or FTP Folders Are Visible to the Internet

When I access my Web site from the Internet using a Web browser or anonymous FTP, I can view folders that I thought were private and protected.

First, you must be sure that the shared folders are not on a FAT-formatted disk partition. FAT disks don't support user-level file protection. Share only folders from NTFS-formatted disks.

You must restrict access on the shared folders using NTFS permissions. View the folders in Windows Explorer on the computer running IIS. View the folders' Security Properties tab. Be sure neither Everyone nor IUSR_XXXX (where XXXX is your computer name) is granted access. On these protected folders, grant Read and Write privileges only to authorized users. In the Internet Information Services management console, you can also disable Anonymous access on the Web site's security page.

Can't View Protected Web Pages

When I try to view protected Web pages or change to a protected directory in FTP, I can't view the pages or folders.

View the virtual folder's Properties page in the Internet Information Services management applet. On the Directory Security tab, click Edit under Anonymous Access and Authentication Control. Be sure that Digest Authentication and Integrated Windows Authentication are checked. If they were checked already, view the folder's Security settings in Windows Explorer as described in the previous troubleshooting tip. Make sure that the desired users or groups are granted appropriate NTFS access permissions on the folder and its files and subfolders.

Network Services Are Not Being Blocked

I can connect to my computer across the Internet with remote administration tools such as the Registry Editor, with SNMP viewers, or with other tools that use network services. How do I prevent this access?

Look up the protocol type (for example, UDP or TCP) and port numbers of the unblocked services, and configure filters in your router to block these services. Your ISP might be able to help you with this problem. You might have disabled Windows Firewall by mistake.

Windows Messenger Can't Send Files

When you attempt to send someone a file using Windows Messenger, they can't receive the file.

When you send someone a file, what actually happens is that the other person's copy of Windows Messenger contacts your computer to pick up the file. If Windows Firewall is blocking Windows Messenger data, the other person's copy of Messenger will not be able to retrieve the file. Check the Windows Firewall configuration dialog to ensure that Don't Allow Exceptions is not checked (at least temporarily), and that Windows Messenger appears in the Exceptions list and is checked.

Router Is Accessible via Telnet

I can connect to my Internet service router through Telnet across the Internet without providing a secret administrative password. How do I prevent this access?

Configure your router to require a sensible password for access. Choose a password with letters and numbers. Be sure you write it down, and also give it to the technical support department of your ISP. The ISP might even be able to help you change the password.
