The tools in this month’s toolbox help you protect your public-facing Web site, decipher error codes, and organize and remember your username/password combinations.
A public-facing Web site can be your most serious security risk, especially as more services are interconnected and require greater interactivity. Having multiple lines of defense is critical to recognizing and mitigating potential threats. One tool you might want to add to your defenses is ThreatSentry from PrivacyWare, the IT security arm of PWI Inc.
ThreatSentry is a Web application firewall that aims to quickly classify incoming requests as either trusted or untrusted—based on a number of policies, signatures and heuristics—and blocks untrusted events before IIS responds. It runs as an IIS ISAPI extension and is available in both 32- and 64-bit versions for IIS versions 5, 6, 7 and 7.5.
To classify a request as either trusted or untrusted, ThreatSentry uses a conventional rules-based engine along with a behavioral engine. The rules-based engine contains a preconfigured set of rules for identifying known exploit techniques and attack characteristics. There’s also a user-customizable rule set for domain- and application-specific threat identification. The customizable rules include request rules like allowed operations (get, post, head, search, propfind and so on), target URLs (blocking requests for .php), request parameters and request header information.
You can also set rules based on request frequency and parameter length. There are IP address rules with which you can filter based on single addresses or ranges of IP addresses. For each rule, you can also specify whether the default action is to block, notify or allow.
Besides maintaining an action log in Microsoft SQL Server, ThreatSentry has a number of different notification options. You can have a visual or audio alert, an e-mail or SMS alert, write the event to the event log or send a visual alert via Microsoft Messenger Service. You can have it block untrusted requests by default, respond with a 404 for blocked IP addresses, automatically add untrusted IPs to the blocked list, close all ports on the machine to blocked IP addresses or even stop IIS.
One risk to automatically blocking incoming traffic is blocking legitimate traffic based on a false positive or an incorrect configuration. ThreatSentry minimizes this risk by giving you a training mode that helps you learn about your environment and request patterns. You can also directly import your IIS logs into the pattern database to help ThreatSentry learn about your Web site.
You manage ThreatSentry through a standard Microsoft Management Console (MMC) snap-in. You can add this to any customized MMC view you might already have for server administration. You can also have multiple servers write to the same SQL Server instance to help with aggregation and consolidation. Within the MMC you can see the current service state, modify the current filtering policies, configure the user-based rule sets, import training data and view the Security Alert log. The application also gives you HTML reports on the activity and, because the event data is written to a SQL database, you can also query that directly for any custom data views you may want.
ThreatSentry starts at $649 per server, which includes one year of support. There’s a 30-day trial and a free evaluation session at the Web site. If you’re looking for another layer of protection against SQL injection, cross-site scripting or Denial of Service attacks, check out ThreatSentry.
You’ve undoubtedly received error codes in event logs or other warning messages. Those error codes never contain any truly useful information to help you understand what went wrong. Having a tool at your fingertips that can quickly help you translate those codes would be a great timesaver.
One such simple tool is the free Windows Error Lookup Tool from Gunner Inc. This lightweight (24KB), transportable tool requires no installer. You can easily run it from a USB key. The Windows Error Lookup Tool can translate decimal or hex HRESULT, NTSTATUS and STOP error codes into the English error description. Simply enter the error number in the text box, choose the type of error and hit enter.
Besides the English description, you can see the error status, facility and resultant error code (useful for hex translation). There’s also a basic Notes section so you can save information about how the error was caused or any other details you think are pertinent for the next time you look up that error code.
Any application or Web site that requires a username and password will invariably have its own policy requirements. These often clash with others, so you end up having to keep track of dozens of combinations. You can alleviate this issue with one of many password-storage applications, such as the free, open source Password Safe project.
Password Safe has two installation modes: Regular and Green. The first stores settings in the registry, which is useful for use on your own machine. The second doesn’t use the registry, which is useful for “thumb-drive” installation. If you choose a regular installation, you can also have the start minimized to your notification area when Windows starts. This is a great tactic on your primary machine for quick access to your passwords.
Once installed, you start by creating a password database and settings. This is the “combination” you’ll use to encrypt the database file. This should be a very strong password, as it will protect the rest of your passwords. If your password is too weak, Password Safe will warn you. Then you can start adding entries for all those username/password combinations you have to remember on a daily basis. A basic entry has a title, username, password (and confirmation), URL, e-mail and a notes field.
You can tag the entry with a group to keep yourself organized. Groups are hierarchical, so if you have a ton of entries, you can keep them in a multilevel tree. You can also specify additional details like a password history of 1 to N passwords, a password expiration policy by date or days, and rules for random password generation. For password generation, specify a desired length, how many lowercase, uppercase, digits or symbol characters your passwords require. You can also have the product generate passwords using only “easy-to-read” characters (for example, avoiding “l” and “1”) and/or have it generate “pronounceable” passwords.
You can use Password Safe to copy your entries to your clipboard. You can also specify an autotype formula, browse to a URL, copy the notes to the clipboard, minimize the application on copy, run a command, send an e-mail or view/edit the entry.
There are a number of useful context menu actions. You can have Password Safe display a subset of the password as a hint, perform an autotype action or export the entry to text or XML, as well as the standard edit, rename, delete, duplicate and shortcut options. You can also “protect” the entry, which locks it from editing or deleting for those quick-fingered actions, helping you avoid mistakes.
Password Safe will auto-minimize after a period of inactivity to protect against prying eyes if you forget to close the window or lock your desktop before you leave your desk. It also has a configurable backup scheme to help protect against database corruption and mistakes. You can have the application save immediately after each update. You can also have it save intermediary backups before saving, just in case. For backups, you can specify a distinct file name, a suffix so you can have multiple backups and the directory in which the backups are saved.
If you’re getting tired of remembering all those different accounts, or just are looking for an alternative to your current password-management tool, check out the free and open source Password Safe.
Greg Steen is a technology professional, entrepreneur and enthusiast. He’s always on the hunt for new tools to help make operations, QA and development easier for the IT professional.