Training
Find Training
Manage My Learning
Training Options
Browse by Subject
Guide My Training
Certifications
Certification Overview
Browse by Subject
Browse by Name
Find an Exam
Prepare for an Exam
Register for an Exam
Books
Books Overview
New and Upcoming
Find Books
Where to Buy
Special Offers
What's New
Community
Learning Community
Member Sites
Worldwide Sites
Help and Support




 
Microsoft® Windows® XP Networking Inside Out
Author Curt Simmons with James Causey
Pages 704
Disk N/A
Level Int/Adv
Published 10/16/2002
ISBN 9780735616523
ISBN-10 0-7356-1652-3
Price(USD) $44.99
To see this book's discounted price, select a reseller below.
 

More Information

About the Book
Table of Contents
Sample Chapter
Index
Related Series
Related Books
About the Author

Support: Book & CD

Rate this book
Barnes Noble Amazon Quantum Books

 

Chapter 20: Maintaining Network Security

Chapter 20 Maintaining Network Security

Understanding potential security issues has always been an advanced topic, particularly in the Windows world. For many years, Windows clients were used in isolated LANs or as limited Internet clients. In either case, Windows systems were expected to have little or no interaction with the outside world, and serious security concerns were left to be dealt with by system administrators of other operating systems.

However, two major changes in the Windows networking arena have shattered this utopia forever. Ever since the introduction of Microsoft Windows NT, the Windows family of operating systems has gradually grown more powerful and functional in WAN environments and has become more and more Internet-aware. In addition, the continued popularity of Windows on the desktop, as well as the expanding popularity of Windows in Internet server environments, has created a massive number of potential security targets for hackers to exploit.

Out of the box, Microsoft Windows XP is the most secure operating system ever produced by Microsoft, and most remaining potential security liabilities can be addressed using the tools included with Windows XP along with the right know-how. In this chapter, you'll learn about the most common threats to running a secure Windows XP installation and the countermeasures you can take to make your computing safe and secure.

Examining Windows Security History

Microsoft Windows was originally developed as a stand-alone desktop computing environment based on MS-DOS. As such, Windows was not originally intended to function in a modern network environment; in fact, when Windows first began to gain market share, the Internet itself was barely known outside academic circles.

As Windows evolved, it eventually became able to participate in LANs, via third-party components as well as later Microsoft enhancements. Later, the Internet became more and more commonplace in both home and corporate networks, and Windows' ability to connect to the Internet improved with every release of both the consumer and business-oriented versions of Windows.

Because the inclusion of, and later focus on, network and Internet functionality was a gradual process, Windows' security features grew gradually as well.

In addition, Microsoft's focus has always been on developing products that provide the maximum number of features for users. Part of this focus has traditionally resulted in Windows (and other notable Microsoft products, including Office) being installed with nearly every enhancement and feature enabled and disabling options that would increase security but decrease ease of use or limit functionality.

As Windows clients have become more and more prevalent across the Internet, this policy has become more controversial. The existence of these features, along with Windows' traditional focus as a stand-alone operating system, has led to numerous security vulnerabilities, many of which have been exploited on large numbers of computers.

Originally, Microsoft's policy was to continue to provide as much easy-to-use functionality as possible and to suggest that individuals running in networked environments simply disable what they didn't need. Unfortunately, many Windows users either didn't understand that everything was enabled in a default product installation or didn't pay enough attention to the security vulnerabilities of some of those features; thus, they continued to be left vulnerable to many types of security exploits. To compound this problem, as security holes were discovered in Microsoft's products, its recommendations for configuring or patching the computer to block the threats were commonly unnoticed or ignored by many users and system administrators.

With Microsoft Windows 98, Microsoft introduced Windows Update, a Web-based tool that makes it even easier for Windows users to update their operating system. At first, remembering to regularly visit this site required vigilance on the part of the user, but Microsoft eventually released components that allowed users to automatically receive notifications when critical patches became available and even to have these patches downloaded and installed automatically.

For more information about using Windows Update to patch Windows XP installations, see "Keeping Software Up to Date," page 573.

Unfortunately, the fact remained that many installations of Windows operating systems connected to the Internet remained highly insecure. In addition, the fundamental design of many Microsoft products, as well as that of many features included with Windows, led to a large number of security flaws.

In 2002, Microsoft attempted to address these issues at every level of the company with their Trustworthy Computing Initiative. Triggered by a memo sent to all company employees by Microsoft Chairman and Chief Security Architect Bill Gates, Microsoft's Trustworthy Computing Initiative is an attempt to improve both the security and reliability of the company's products as well as Microsoft's public image. The Trustworthy Computing Initiative includes a number of extremely important steps:

  • Sending all Microsoft programmers to security training classes to help eliminate the introduction of low-level security vulnerabilities during the development process.

  • Freezing all new product feature development until top-down security reviews, designed to discover and document security vulnerabilities, are completed and software patches for those vulnerabilities released.

  • A focus on security as a critical feature of all new product development.

  • An end to the practice of automatically enabling features that could potentially expose users to security risks. Those features would have to be explicitly enabled by the end user.

The first major product release to benefit from Microsoft's Trustworthy Computing Initiative was Windows XP. Windows XP was in the latter stages of testing when the Trustworthy Computing Initiative began; however, Microsoft had already committed to making Windows XP the most secure operating system the company has ever released.

This determination shows in a number of areas. For example, Windows XP Professional includes Internet Information Services (IIS), but for the first time, IIS is not enabled by default during installation of the operating system. Additionally, Windows XP includes built-in support for automating Windows Update as well as the ability to automatically report application and system errors to Microsoft for analysis. Windows XP also includes Internet Connection Firewall (ICF), and security has been improved in both Microsoft Outlook Express and Microsoft Internet Explorer.

No operating system, however, can remain completely secure without vigilant attention from users and system administrators, and adherence to secure practices. You'll learn all about these practices in this chapter. The next section analyzes the types of security threats that Windows XP users face.

Understanding Security Threats

There are two major categories of security threats that Windows XP users need to protect themselves from:

  • Network-initiated threats in which remote hackers attempt to take advantage of security flaws in software installed on network systems across WANs such as the Internet

  • Local threats initiated by software running on local client computers

The line between these types of threats is often blurred; for instance, some Internet worms are triggered by being executed on a local e-mail application such as Microsoft Outlook Express, but can also attempt to exploit remote computers over a computer's network connection. Another example is remote Web content that takes advantage of flaws in Microsoft Internet Explorer to attack a user's computer. However, these two categories are still useful when trying to understand the types of threats Windows XP users need to address.

Understanding Network-initiated Threats

The public image of security attacks centers on those initiated across remote networks, such as dial-up connections or the Internet. Although these attacks are far less melodramatic than those depicted in movies such as War Games (MGM, 1983), they remain a significant risk to any computer connected to a large network.

Individual hackers can launch attacks across a network with a number of different goals in mind. They might want to gain control of a remote system to access sensitive information, to deface or damage data located on the system, or simply to use the system as a staging ground for other attacks. They might also want to disable the computer or the network to which it's connected.

Denial of Service Attacks

Attacks that disable a computer or the network to which it's connected are referred to as denial-of-service (DoS) attacks. DoS attacks are designed to prevent normal network functionality on a computer or a group of computers. Individuals can launch DoS attacks in several ways, for example:

  • Attackers can transmit specially crafted network packets to a target system. These packets, which do not meet the required standards of the network or application protocol running on the destination system, cause applications or services (or even the entire operating system) on the target machine to close or crash. Perhaps the most famous example of this type of attack is the Ping of Death, where an Internet Control Message Protocol (ICMP) ping packet is sent with a gigantic packet size. Many IP stacks on several operating systems share a bug that causes the computer to crash when this packet is received.

  • Attackers can flood a computer with so much traffic that it has no CPU time left for normal tasks, effectively making it unable to perform any other tasks. Some systems or services can even crash due to this overload. If properly executed, a traffic overload can flood the target computer's entire network.

  • Attackers can transmit the packets required to initiate a connection to a protocol or application without completing the connection. This consumes a limited resource on the target system, and if repeated enough times, can slow the computer to a halt.

DoS attacks launched against individual computers were once a popular form of network attack. However, many of the flaws in the IP protocol (as well as in other application protocols) that left computers vulnerable to simple DoS attacks (such as those launched by one originator against one target) have been fixed. Additionally, network administrators are familiar with normal DoS attack signatures and can easily block traffic from individual computers or networks launching an attack.

Today, DoS attacks are more commonly launched by multiple computers located across the Internet in what is called a distributed denial-of-service (DDoS) attack. To maximize the effect of such an attack, hackers take over computers across the Internet (using techniques that will be discussed later in this chapter), and then use all of these hacked computers to launch DoS attacks on a target computer or network. Because the traffic comes from multiple sources, it can quickly overload a network's routers and computers; for the same reason, blocking the attack can be extremely difficult.

Exploiting Insecure Resources

Disrupting target computers and networks is not the only potential goal of a hacker, however. A hacker might want to gain control of a target computer for other purposes. This section discusses how a hacker can gain control of a computer by exploiting vulnerabilities in services on target systems.

These exploits typically begin with a hacker probing a system to determine its vulnerabilities. This probing usually takes the form of a port scan in which the hacker's computer attempts to connect to ports on the target computer to build a list of IP ports that are listening for connections. This can either be done by sweeping all numerical IP ports or through a more targeted scan of certain well-known IP ports used by applications known to be vulnerable to attack.

Once the port scan is complete, the hacker can use the list of available ports on the target computer to determine which attacks to launch. Often, simply knowing which ports are listening (such as port 80, the common HTTP port used by Web servers) tells the hacker something about what programs are running on the target computer. These ports can also be probed in more detail by connecting to them manually to see what responses are returned from the target computer. These responses can be used to identify the services and the operating system more specifically. For instance, in the case of a Web server, a manual connection to the HTTP port normally returns the name and version number of the Web server as well as the underlying operating system. With this information, the hacker can then refine his or her attack on the system and perhaps attempt to take advantage of known vulnerabilities in the specific Web server or search for other commonly used services on the target operating system.

What, then, are the vulnerabilities that can be exploited? There are many different kinds in many different types of software; however, most fall into one of the following categories.

  • Buffer overruns. Most operating systems (as well as network services that run on them) are written in some derivative of the C or C++ programming language, or even assembly language. These languages are used because of their high levels of performance, which is critical for both operating systems and network services that are intended to handle heavy loads. However, these languages can require programmers to manually manage buffers of memory for many tasks including the input and output of data. Many (if not most) programmers using these languages simply place input data directly into these buffers without performing more than perfunctory checks for the validity of the data including its length and contents. This practice leaves these applications extremely vulnerable to being hijacked by a malicious user. For instance, if input gathered by an IP application is not checked for length, a hacker can perform a buffer overrun attack, in which a large amount of data is transmitted to a vulnerable IP application, thus overrunning (exceeding the size of) its input buffer. If the buffer is sufficiently overrun with machine instructions of the hacker's choosing, the target computer can be induced to run those instructions, thereby hijacking the system's normal processing. These machine instructions can perform any task on the target system that the target application has rights to perform. For applications such as IIS, which runs by default with System-level permissions, such an attack can be truly disastrous. The hacker can gain complete control over the target computer.

  • Unsecured network services. Many network services were developed with little or no concern for security. A number of these services predate the modern Internet environment with its constant security threats, whereas others were intended to rely on other security features (such as firewalls) provided by the network administrator. When installed and configured by default, these protocols provide no security whatsoever or have security settings turned down or disabled completely. One example of such a protocol is Simple Network Management Protocol (SNMP). SNMP provides the capability to both query and manage a vast array of configuration settings on network devices such as computers and routers, and it does not provide a facility for logon authorization. It simply specifies community names, so any computer in a specified community can perform SNMP tasks on other systems in that community. SNMP traffic can be blocked by host name or IP, but this feature is also disabled by default. Also, many devices and applications, such as residential gateways, network-enabled printers, and even Microsoft SQL Server 2000, provide default administrator accounts with standard or blank passwords that provide full control over those devices or programs.

  • Insecure network protocols. Many common Internet applications in their default configurations transmit all data across the network as clear text, meaning that no encryption is used to protect the data from being intercepted and read by an unauthorized third party. One example of such a protocol is Telnet. When making a Telnet connection, all data, including your user name and password, is transmitted in the clear. HTTP, the communications protocol used by Web browsers and Web servers, also transmits all information in the clear by default, although an encrypted version of the protocol, Secure Hypertext Transfer Protocol (HTTPS) is available. Clear-text information can be intercepted in a number of ways. Because most modern networks use a shared broadcast medium for communication, a hacker normally only needs to take over some kind of device on that network, install an application known as a packet sniffer to listen to all traffic on the network, and then scavenge for user name and password pairs. In fact, in a worst-case scenario, that same hacker might be able to scavenge even more critical information, such as credit card numbers, personal identification data, or proprietary company data.

  • Brute-force attacks. Brute-force attacks use the automation power of computers to attack secure systems, either by trying all possible combinations of a logon password or by attempting to perform cryptographic analysis on protected network traffic. These techniques require extreme computational power and are unlikely to work on properly encrypted data and secure systems. For example, decrypting a data packet that has been protected with 128-bit encryption could take a standard desktop PC literally millions of years of constant computation. However, flaws in encryption mechanisms or system logon routines can be relatively easily exposed using these brute-force techniques.

CAUTION

Even well-crafted encryption mechanisms are not sufficient to protect network traffic from interception and eavesdropping. If the communication channel between two systems is not properly authenticated, an attacker could perform a man-in-the-middle attack, in which the attacker poses as the remote communication partner for an encrypted data exchange to both the client and server. This enables the attacker to negotiate encryption channels with both partners and watch all the traffic being exchanged between them. For this reason, secure protocols such as HTTPS rely on signed certificates that are verified by a trusted third party (such as Thawte or VeriSign) to represent the identity of the remote communication partner.

These are only samples of the types of network attacks that can be initiated by a remote attacker. It should be clear that protecting a computer against these attacks is critical. However, only protecting against network-initiated attacks is not enough to truly ensure the security of your Windows XP computer.

Understanding Local Security Threats

Using the term local to refer to the threats categorized in this section can be misleading. For the most part, these threats do not have their true origin on the local computer. Computer viruses normally arrive on the local computer via an infected disk or file, and most often, the file is downloaded over the Internet. However, because these threats primarily do their damage by running software on the end user's computer, the designation of local remains apt.

Local security threats also tend to rely on design flaws and vulnerabilities in operating system software and applications, but they equally tend to rely on how people use their computers. This section examines the different types of local threats that Windows XP users face.

Viruses

Perhaps the most commonly known form of malicious software is the computer virus. Computer viruses are named after their biological equivalent because, like the viruses that make humans and animals sick, they take advantage of their hosts to propagate from target to target and cause damage.

Computer viruses are transmitted from system to system via mechanisms built into the operating systems or applications that they infect. Although many viruses are harmless, developed as exercises in software development by their authors, many others carry destructive payloads designed to alter or destroy user data or operating system installations (or in some rare cases, computer hardware).

There are several types of viruses, for example:

  • Executable viruses. Executable viruses alter an application's executable files with their own machine instructions, causing their payload to be loaded into memory the next time the user launches the program.

  • Boot sector viruses. Boot sector viruses install instructions onto the boot sector of a floppy disk or hard disk. These instructions can then load the virus's payload into memory when the system next starts up.

  • Macro viruses. Macro viruses take advantage of the macro scripting facilities built into popular productivity applications such as Microsoft Office. In earlier versions of these applications, macros were automatically triggered when the files were loaded into the applications, causing the payload contained within the macro scripts to be executed. More recent versions, such as Microsoft Office XP, require explicit user permission to enable macros, but if the user chooses to enable the macros and the macros contain viruses, the viruses will still be executed and do their damage.

In each case, once the payload is executed, it can have its desired effect. Some viruses simply patch copies of themselves onto other applications or files (or disks, in the case of boot sector viruses). Others alter or delete files, damage the target operating system, or alter a hardware device's firmware to render it unusable.

Because of the expansion of scripting facilities into e-mail applications such as Microsoft Outlook and Outlook Express, macro viruses have expanded beyond the initial annoyance of a periodic infected Microsoft Word document. Infected e-mail messages can automatically send copies of themselves from the infected user's computer to the user's address book contacts, thus propagating across the Internet like wildfire. Viruses that propagate from computer to computer without any form of user intervention are more properly referred to as worms because of their ability to crawl across the network from computer to computer.

Trojan Horses

Unlike a virus, which patches itself onto an innocent program to spread its payload, a Trojan horse is an application that claims to provide a set of features, but instead contains a payload that performs more insidious tasks behind the user's back, much like the mythical gift to the defenders of Troy that contained warriors who took over the city from within its walls. Trojan horse applications can perform a number of different tasks, from using the target computer to illicitly store files to acting as spyware, software that quietly gathers data about how the target computer is configured, what software is installed, and even what Web sites the target user visits on the Internet. Even worse, many Trojan horse applications install back doors that allow hackers to easily take control of the target computer to use it for such purposes as DDoS attacks (see "Denial of Service Attacks," page 560).

Active Web Content

Web browsers, like Internet Explorer, include a number of features, such as JavaScript, Java run-time environments, and ActiveX, that allow Web sites to include executable scripts and code to enhance Web-based applications. Unfortunately, many of these features have security vulnerabilities that allow hackers to develop Web sites that can take control of, damage, or install spyware on computers that visit them.

Web sites can also use cookies as spyware. Cookies can be installed by remote Web sites, and then later detected by other Web sites, allowing any Web site to track which sites a user has visited.

Of course, applications downloaded from a Web site can also be a threat because they can be Trojan horse programs or be infected with viruses.

Next


Last Updated: October 1, 2002
Top of Page