Chapter 12 - Security: For Administrators and Developers

This chapter examines security from a broad perspective and highlights the key elements that you should consider when securing a Microsoft Application Center 2000 (Application Center) cluster and its applications. The chapter is organized so that you can skip the sections that you're already familiar with and go directly to the sections that you're interested in, such as "Platform Security" or "Application Center Security."

You can view Application Center security as a pyramid. You have to secure the base—all the low-level services, such as the network and operating system—and then work up and secure the higher levels. For this reason, a significant portion of this chapter deals with the foundation of the pyramid.

Before getting into the specifics of security practices and technologies, let's look at some security trends and perspectives and see what the experts have to say about computer crime and security.

On This Page

Security: Trends and Perspectives
The Nature of Security Breaches
The Security Design Process
The Three-Tier Security Model
Platform Security
Application Center Security
Secure Remote Administration
Monitoring and Auditing
Think Like a Hacker
Resources


We'll start this section with a summary of computer industry trends in the context of computer crime.

What's Been Happening in the Computer Industry

Like the Internet, computer crime continues to be a growth industry. Hackers and vandals discover and create innovative—and often all too simple—techniques for disrupting computer systems around the world. It seems like the computer security industry is always one step behind the criminals, playing catch up in response to new intrusions and virus infections.

The following sidebar summarizes the results of the "1999 CSI/FBI Computer Crime and Security Survey" undertaken by the Computer Security Institute (CSI) and the FBI. These results underscore the magnitude of the computer security problem in the United States.

"1999 CSI/FBI Computer Crime and Security Survey" 

From the "1999 CSI/FBI Computer Crime and Security Survey":

For the third year in a row 

  • System penetration by outsiders increased, with 30 percent of survey respondents reporting intrusions. 

  • The number of respondents who identified their Internet connection as a frequent point of attack increased from 37 percent in 1996 to 57 percent in 1999. 

  • Unauthorized use by insiders increased, with 55 percent of respondents reporting incidents. 

  • Financial losses due to security breaches exceeded $100 million. Note: Of the 51 percent who reported losses, only 31 percent could quantify these losses. 

Types of crimes reported by survey participants 

  • Denial-of-service (DoS) attacks reported by 32 percent of participants. 

  • Sabotage of data or networks reported by 19 percent. 

  • Financial fraud reported by 14 percent. 

  • Abuse of Internet access (for example, downloading pirated software or pornography, and inappropriate use of e-mail systems) reported by 97 percent. 

  • Virus contamination reported by 90 percent. 

  • Laptop computer theft reported by 69 percent. 

The Nature of the Beast

It's obvious from the statistics presented in the "1999 CSI/FBI Computer Crime and Security Survey" that many businesses aren't coping well with computer security or still aren't "getting it." Why not?

There are many reasons for the alarming trends identified in the survey, including:

  • The complexity of the problem 

  • The scope and volume of the problem 

  • Misunderstanding the nature of the solution 

  • Ownership of the problem 

The Complexity of the Problem

There has been exponential growth in the complexity—and inherent vulnerabilities—of computer systems over the past several years. Computer system complexity has been exacerbated by the broad acceptance of the Internet as a networking platform for business computing. The growing complexity of this computing environment means that products are becoming less secure rather than more secure.

The Scope and Volume of the Problem

At the same time that the Internet gave businesses global access to customers and other businesses, it also gave users around the world access to these same businesses and their computer systems. The increase in the number of attackers worked in combination with the rapid growth of Internet-based computing to put IT staff in an untenable situation, one in which support demands, particularly in the area of security, far outstripped available resources and capabilities. Hackers and vandals, on the other hand, were unhindered by bureaucracy and budgets and had an unlimited number of targets from which to choose. From the outset, security professionals and system administrators were forced into a catch-up role, a role that still persists today.

Jim Magadych, security research manager with Network Associates, observed: "There are a lot of system administrators out there that are aware that security holes exist in their systems, but they see the alerts coming out daily and are overwhelmed by sheer numbers." As a result, security fixes often don't get applied. According to a CMPnet ( https://www.cmpnet.com/ ) security task force, at least three-quarters of the businesses connected to the Internet have at least one of 20 known security holes.

Misunderstanding the Nature of the Solution

Even today, years after the Internet was adopted by mainstream businesses, many of the business managers and system administrators for these companies still believe that their systems are safe simply because they have a firewall. Nothing could be farther from the truth. Reliance on a purely technical solution, particularly if it's flawed or poorly configured and implemented, is no solution. Numerous security professionals have noted that an effective security system is not simply a product but an appropriate combination of products and processes that are designed to meet the needs of an individual organization.

Ownership of the Problem

An organization's staff members, from the CEO to junior office worker, have to share the burden of the security problem. The responsibility for computer security is everyone's problem, not just the individual or individuals that have formal responsibility for corporate computer security.

One writer equates user responsibility for computer security to employee responsibility for making sure the door is locked when they leave the building at the end of the work day—regardless of whether or not it's part of their job description.

Insights From the Experts

The SANS (System Administration, Networking, and Security) Institute, working with experts from more than 40 private and public sector security research and practitioner groups, compiled several lists of security-related items for managers and IT professionals to consider when dealing with security in their organizations.

But before examining "The Ten Worst Security Mistakes Information Technology People Make" and "The Ten Most Critical Internet Security Threats" that the SANS Institute published, let's see what attendees at a large security conference identified as the top seven mistakes that managers make in the area of security.

The Seven Top Management Errors that Lead to Computer Security Vulnerabilities

The 1,850 computer security experts and managers attending the SANS99 and Federal Computer Security Conferences compiled this list of management errors:

  1. Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job. 

  2. Fail to understand the relationship of information security to the business problem—they understand physical security but do not see the consequences of poor information security. 

  3. Fail to deal with the operational aspects of security—make a few fixes and then not allow the follow-through that is necessary to ensure the problems stay fixed. 

  4. Rely primarily on a firewall. 

  5. Fail to realize how much money their information and organizational reputations are worth. 

  6. Authorize reactive, short-term fixes so problems re-emerge rapidly. 

  7. Pretend the problem will go away if they ignore it. 

Management security mistakes are frequently compounded by mistakes made by the IT professionals in their organization, as the next section illustrates.

The Ten Worst Security Mistakes Information Technology People Make

The 10 worst mistakes identified by the experts are:

  1. Connecting systems to the Internet before hardening them (removing unnecessary services and patching necessary ones). 

  2. Connecting test systems to the Internet with default accounts/passwords. 

  3. Failing to update systems when security vulnerabilities are found and patches or upgrades are available. 

    Tip Install and use the Microsoft Windows 2000 Internet Information Services 5.0 (IIS) hotfix checking tool, HFCheck. This tool allows administrators to ensure that their servers are up to date on all IIS security patches. The tool can be run continuously or periodically against the local computer or a remote one, using either the patch database on the Microsoft Web site or a locally hosted copy of that database. When the tool finds a patch that hasn't been installed, it can display a dialog box or write a warning to the Event Log. 

    To obtain more information about this tool and download it, go to https://www.microsoft.com/technet/security/tools/default.mspx

    Warning Test your system(s) thoroughly after installing a software patch. Don't assume that simply applying the fix solves the problem. There may be other issues related to system configuration that need to be dealt with as well. 

  4. Using Telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI (public key infrastructures). 

    Note This issue of unencrypted Telnet traffic is important if you are using one of the load balancing devices described in Chapter 13, "Third-Party Load Balancer Support." 

  5. Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requestor is not authenticated. 

  6. Failing to maintain and test backups. 

  7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, and rservices. 

  8. Implementing firewalls with rules that allow malicious or dangerous traffic—incoming or outgoing. 

  9. Failing to implement or update virus detection software. 

  10. Failing to educate users on what to look for and what to do when they see a potential security problem. 

    And a bonus... 

  11. Allowing untrained, uncertified people to take responsibility for securing important systems. (Author's note: This item is a recurring theme in most security surveys and articles.) 

The Ten Most Critical Internet Security Threats

In the wake of the distributed denial-of-service (DDoS) attacks that brought down eight major Web sites in a week, the SANS Institute started soliciting input from security experts in February 2000. The entries in "The Ten Most Critical Internet Security Threats" list are the results of a consensus between almost 50 experts from companies, universities, and such government agencies as the National Security Agency and the Department of Defense. It is intended to give system administrators who are looking to secure their systems a place to start.

The top 10 threats identified by the experts are:

  1. BIND weaknesses: nxt, qinv, and in.named allow immediate root compromise. 

  2. Vulnerable Common Gateway Interface (CGI) programs and application extensions (for example, Cold Fusion) installed on Web servers. 

  3. RPC weaknesses in rpc.ttdbserverd (Tooltalk), rpc.cmsd (Calendar Manager), and rpc.statd that allow immediate root compromise. 

  4. Remote Data Services (RDS) security hole in IIS. 

  5. Sendmail buffer overflow weaknesses, pipe attacks, and MIMEbo that allow immediate root compromise. 

  6. Sadmind and Mountd. 

  7. Global file sharing and inappropriate information sharing via NetBIOS and Microsoft Windows NT ports 135-139 (445 in Windows 2000), or UNIX network file system (NFS) exports on port 2049, or Macintosh Web sharing or Appleshare/IP on ports 80, 427, and 548. 

  8. User identifiers, especially root/administrator with no passwords or weak passwords. 

  9. Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) buffer overflows or incorrect configuration. 

  10. Default Simple Network Management Protocol (SNMP) community strings set to 'public' and 'private'. 

Alan Paller, director of research for the SANS Institute, says that this list gives administrators a set of priorities for dealing with security holes. With regard to the items in this list, he says, "This is probably 70 percent of the attacks occurring on the Internet. Even though (the list represents) 10 out of a large number of exploits, it's the majority of attacks."

Jim Magadych (Network Associates), a contributor to the report, says that by closing the holes identified in the top 10 list, companies "are protecting themselves against the largest number of intruders on the Internet, but also the least sophisticated—what we call ankle-biters."

Note The SANS Institute also published "How to Eliminate the 10 Most Critical Security Threats," which can be downloaded from its Web site at https://www.sans.org/.

The Nature of Security Breaches


When you're dealing with security, it's very easy to focus on the obvious sources and types of attacks—that is to say, external attacks with malicious intent. Don't assume, as others have, that this is the most common or most dangerous source of attack. The diagram in Figure 12.1 illustrates the three primary sources of security breaches, as well as some of the types of damage that an attacker can inflict on your organization.

As you can see in Figure 12.1, the three primary sources of attacks are:

  • External attacks over a network, such as the Internet 

  • External attacks made by compromising dial-up access 

  • Internal attacks by using authenticated logons inside the organization 

A survey conducted by Michael G. Kessler and Associates, a New York-based security firm, examined attacks from the perspective of the parties responsible for attacks—for example, hackers, business competitors, and so on. Table 12.1 summarizes the results of this survey.

Note These survey results show how important it is to ensure that the back-end network for your cluster is secure. Remember, the back-end network adapter on every cluster member carries all the administrative traffic for an Application Center cluster.


Figure 12.1 Sources of security attacks and types of damage 

Table 12.1 Summary of Michael G. Kessler and Associates Security Survey 

Party responsible for attack    Percent
Employees                            35
Outside hackers                      28
Other U.S. companies                 18
Foreign corporations                 11
Foreign governments                   8

External Attacks—Network Access

The Internet provides an environment where a few individuals can create major security concerns for administrators whose systems are exposed to the public. External attacks from the Internet take many forms, such as disseminating viruses, defacing sites, and denial of service (DoS). The latter has become the attack of choice for hackers because this type of attack requires the least skill, is the hardest to defend against, and is very difficult to trace back to its source. The hacker doesn't have to penetrate deeply into a security perimeter; he simply has to overload a server to the point that it becomes unavailable to legitimate users. (See the sidebar below.)

Denial of Service (DoS) 

Distributed Denial-of-Service (DDoS) attacks 

In response to the growth in DDoS attacks in 2000, the SANS Institute published the following two documents, which can be obtained from its Web site:

  • "Consensus Roadmap for Defeating Distributed Denial of Service Attacks" 

  • "Help Defeat Denial of Service Attacks: Step-by-Step" 

Denial-of-service threat gets IETF's attention—July 24, 2000 

In response to the seriousness of DoS attacks, the Internet Engineering Task Force (IETF) launched a working group to develop Internet Control Message Protocol (ICMP) trace-back messages, which would let network managers discover the path that packets take through the Internet. Nicknamed "itrace," this new tool will be based on a forthcoming IETF standard for trace-back messages.

Although itrace can't prevent DoS attacks, it will be an important tool for network managers who are trying to isolate and stop these attacks.

"Itrace is a pretty important initiative," says John Pescatore, research director for network security at Gartner Group. "What we need are standard mechanisms that can be built into the Internet switching infrastructure. That's the only place it will work to stop distributed denial-of-service attacks."

Deconstructing DoS attacks 

Related to DoS, Bradley F. Shimmin of Bug Net ( https://www.bugnet.com/ ) published an article called "Deconstructing Denial of Service Attacks". This article, published on ZDNet ( https://www.zdnet.com/ ) in February 2000, uses the attack on Yahoo! to illustrate how you can analyze a DoS attack and implement preventive measures.

External Attacks—Remote Access

Remote access over a dial-up or DSL/cable connection provides the second avenue for an external attack on corporate systems.

The general principle for remote access by employees is to ensure that everyone accessing your network has a connection that is properly authenticated and secured.

Note Staff members who are engaged in remote system administration require stronger levels of authentication and encryption than the default levels for typical users.

Internal Attacks

When assessing the security of your computing environment, it's important to remember that not all attacks come from the outside, as clearly indicated by the Kessler and Associates survey (Table 12.1). In fact, security consultants from Network Associates Inc. (NAI) state that recent statistics indicate that internal attacks are on a dramatic upswing.

It's also important to note that not all internal attacks are intentional or necessarily malicious. The most valued and trusted employee can cause tremendous damage or significant downtime on a vulnerable system. You need to ensure that files, services, and applications are only accessible by users that should have access and that can provide the appropriate authentication information.

The Security Design Process


There are several valid methodologies for conducting a security analysis and designing a solution that implements the appropriate security policies and technologies for your organization.

Note The information in this section is extracted from Chapter 2, "A Process for Building Secure Web Applications" of Michael Howard's book, Designing Secure Web-Based Applications for Microsoft Windows 2000 (Microsoft Press, 2000).

As Michael notes in his book, the security design process is iterative—as well as cyclical—because threats change rapidly and continuously. Figure 12.2 illustrates his security design process.

The purpose of the security design process is to develop the appropriate security solution for meeting your company's overall business and information requirements. As noted, different types of businesses will have different security goals and objectives, and their implementation of security services reflects those goals. (See the sidebar "General security objectives and controls" below.)

Another significant step in the security design process is conducting a risk assessment (see Figure 12.2). This assessment provides the basis for developing a security policy and selecting security technologies to support your organization's security services.


Figure 12.2 The process for determining security requirements and technologies 

General security objectives and controls 

Security objectives are the information requirements that a company implements in order to meet its business objectives. Here are the goals that most IT groups strive toward when dealing with business objectives and computer security:

  • Integrity—Any data or information created and stored is complete and accurate. Integrity is required to support proper processing as well as to meet financial and reporting requirements. 

  • Availability—The system(s) must provide information on demand to the business process. 

  • Confidentiality—Sensitive information must be protected to prevent unauthorized access to the system and its data. 

  • Efficiency—Resources must be used in the most effective and efficient manner when providing information. 

  • Compliance—Information, and the processes used to create it, must comply with contracts and laws imposed by external business requirements. 

Security controls provide the means by which you can meet your security objectives. There are three primary types of controls: preventing, detecting, and correcting.

  • Preventing—The purpose of this control is to ensure that security vulnerabilities are not exposed. 

  • Detecting—This involves discovering when a security breach takes place. 

  • Correcting—These are measures that you take when a security hole or issue is detected. 

Risk Assessment

In a nutshell, risk assessment is the process of analyzing your system(s) to determine:

  • Whether or not your site is an attractive target—what is the likelihood that your site will be penetrated? 

  • The cost and consequences of a successful attack—what damages (tangible and intangible) are you likely to incur? 

  • The cost of security against probable attacks—what will it cost in terms of effort and dollars? 

  • Which threats should you defend against—since you likely can't address all of them, what are your priorities? 

In order to conduct a sound risk assessment that reflects your company's business requirements and enables you to deploy secure applications, you need to understand the threats. You can use a basic taxonomy of attacks—threats that have been carried out—to provide the foundation for understanding and prioritizing threats. We recommend STRIDE, which is a more granular taxonomy that Microsoft uses. The STRIDE model includes:

  • Spoofing user identity. The hacker impersonates a valid system user or resource to gain access to the system. 

    Note Chapter 5, "Load Balancing," provides detailed information about custom header vulnerability to spoofing attacks when request forwarding is enabled. 

  • Tampering with data (integrity). The attacker modifies system or user data with/without detection. 

  • Repudiability. A user can deny performing an action without administrators having a way to prove otherwise. 

  • Information disclosure (disclosure). A user has the ability to read a file that he was not granted access to, or an intruder can read data in transit between two computers. 

  • Denial of service. The attacker uses techniques that deny service to valid users by making a system temporarily unavailable or unusable. 

  • Elevation of privilege. A user with low access privileges is able to gain undetected, privileged access to a system. 

The following tables, taken from Chapter 2, "A Process for Building Secure Web Applications," of Michael Howard's book, Designing Secure Web-Based Applications for Microsoft Windows 2000, summarize the countermeasures that can be applied to each threat in the STRIDE model (Table 12.2) and the Windows 2000 technologies that can be used to implement those countermeasures (Table 12.3).

Table 12.2 Countermeasures Mapped to Each Threat in the STRIDE Model 

Spoofing user identity
  • Strong authentication.
  • Don't store secrets (such as passwords) in configuration files. If you must store secrets, use secure mechanisms.

Tampering with data
  • Strong access control mechanisms.
  • Hashes/digital signatures on resources.
  • End-to-end tamper-resistant data transfer protocols.

Repudiability
  • Secure logging.
  • Digital signatures and time stamping.

Information disclosure
  • Strong access control mechanisms.
  • Perform correct file canonical resolution.
  • Limit specific file operations.
  • End-to-end encrypted data transfer protocols.
  • Don't store secrets (such as passwords) in configuration files. If you must store secrets, use secure mechanisms.

Denial of service
  • Bandwidth throttling.
  • Resource throttling.
  • Quality of service.
  • Packet filtering.

Elevation of privilege
  • Run process in low privileged account.
  • Safe buffer management.

Table 12.3 Windows 2000 Technologies Mapped to the Countermeasures in Table 12.2 

Strong authentication
  • Don't design your own authentication scheme; most of the time such schemes are very weak and flawed.
  • Use Digest, certificate, or Kerberos authentication, if possible.

Storing secrets
  • Use the data protection APIs: CryptProtectData and CryptUnprotectData.

Access control
  • Use access control lists (ACLs) on resources, such as files and registry settings.

Hashes and digital signatures
  • CryptoAPI 2.0 provides functions such as CryptHashData and CryptSignHash for creating hashes and digital signatures from data.

Secure end-to-end protocols
  • Secure Sockets Layer/Transport Layer Security (SSL/TLS), which is built into most Web servers and browsers, such as IIS and Microsoft Internet Explorer.
  • Internet Protocol Security (IPSec), the industry-standard IP security protocol built into Windows 2000.

File access
  • Use the Windows 2000 functions to open files rather than writing your own. If you do the work yourself, you may make incorrect assumptions about file names.

Limiting specific file operations
  • Consider whether '..' (the parent directory) is allowed in a file name. Allowing it might enable an attacker to access files that are otherwise not accessible.

Bandwidth throttling
  • Windows 2000 thread pools.
  • IIS bandwidth throttling.
  • HTTP compression, built into IIS, conserves bandwidth and provides faster data transmission between the Web server and compression-enabled clients.(1)

Resource throttling
  • IIS CPU throttling. IIS uses Windows 2000 job objects to perform this task. The Microsoft Developer Network (MSDN) describes a job object like so: "A job object allows groups of processes to be managed as a unit. Job objects are namable, securable, sharable objects that control attributes of the processes associated with them. Operations performed on the job object affect all processes associated with the job object." You can set CPU, time, user interface restrictions, and memory limits on a job object.

Quality of service (QoS)
  • Windows QoS controls how network bandwidth is allotted to applications; time-critical applications can be given more bandwidth, and less important applications can be given less bandwidth.

Packet filtering
  • Packet filtering is used to specify what type of traffic is allowed into and out of the computer. For example, you can limit a computer to accept only Web traffic (which uses TCP port 80) and ping traffic (which uses ICMP).

Buffer management
  • Windows 2000 structured exception handling and good programming practices, such as making sure buffers are large enough to copy data into, and analyzing the safe usage of C/C++ functions that copy data, such as strcpy, strcat, memcpy, and sprintf.

Low privilege context
  • Run the application under a non-administrator and non-LocalSystem account.
  • Use restricted tokens (created with CreateRestrictedToken) to remove privileges and security identifiers (SIDs) from the user's token.
  • Use Windows 2000 secondary logon.

1 On Web sites that use a lot of dynamic content, the overhead for compressing/decompressing files may drastically affect your server's performance. Before you implement HTTP compression, you should read "Using HTTP Compression on Your IIS 5.0 Web Site" (Microsoft TechNet).
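Two of the code-level rows in Table 12.3, "Limiting specific file operations" (the '..' problem) and "Buffer management" (strcpy, strcat, sprintf), tend to surface in the same place: the routine that maps a requested URL path onto a file under the Web root. The following is an added example written for this chapter; it is not code from Application Center, IIS, or Michael Howard's book. The web root, the request paths, the MAX_PATH_LEN limit, and the function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 256   /* hypothetical request-path limit chosen for this example */

/* Lexically canonicalize a URL path: collapse repeated '/', drop ".", resolve
 * "..", and refuse any ".." that would climb above the root. Never truncates:
 * anything that does not fit is rejected, so a long request cannot overrun out[]. */
static bool canonicalize_path(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (n == 0 || in[0] != '/' || n >= MAX_PATH_LEN)
        return false;
    if (strchr(in, '\\') != NULL)           /* Win32 also treats '\' as a separator */
        return false;

    const char *seg_start[MAX_PATH_LEN / 2];
    size_t seg_len[MAX_PATH_LEN / 2];
    size_t nsegs = 0;

    const char *p = in;
    while (*p != '\0') {
        while (*p == '/')                   /* skip one or more separators */
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                       /* "." adds nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (nsegs == 0)
                return false;               /* ".." above the root: traversal attempt */
            nsegs--;
            continue;
        }
        seg_start[nsegs] = start;
        seg_len[nsegs] = len;
        nsegs++;
    }

    if (nsegs == 0) {
        if (outsz < 2)
            return false;
        out[0] = '/';
        out[1] = '\0';
        return true;
    }
    size_t used = 0;
    for (size_t i = 0; i < nsegs; i++) {
        if (used + 1 + seg_len[i] + 1 > outsz)   /* '/' + segment + NUL must fit */
            return false;
        out[used++] = '/';
        memcpy(out + used, seg_start[i], seg_len[i]);
        used += seg_len[i];
    }
    out[used] = '\0';
    return true;
}

/* The pattern Table 12.3 warns against: unbounded copies and no ".." check.
 * "/images/../../boot.ini" walks out of the root, and a long path overruns file[]. */
void map_unsafe(const char *webroot, const char *url_path, char *file)
{
    strcpy(file, webroot);
    strcat(file, url_path);
}

/* Hardened mapping: canonicalize first, then join with snprintf and treat
 * truncation as an error instead of silently serving a different file. */
bool map_to_filesystem(const char *webroot, const char *url_path,
                       char *file, size_t filesz)
{
    char canon[MAX_PATH_LEN];   /* canonical form is never longer than the input */
    if (!canonicalize_path(url_path, canon, sizeof canon))
        return false;
    int w = snprintf(file, filesz, "%s%s", webroot, canon);
    return w >= 0 && (size_t)w < filesz;
}

int main(void)
{
    /* Constructed request paths for illustration, not captured traffic. */
    const char *requests[] = {
        "/index.html", "/images/../../boot.ini", "/a/./b//c/", "/../x", "/dir\\file.txt"
    };
    const char *root = "C:/Inetpub/wwwroot";   /* hypothetical web root */
    char file[512];

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        map_unsafe(root, requests[i], file);
        printf("unsafe:   %-24s -> %s\n", requests[i], file);
        bool ok = map_to_filesystem(root, requests[i], file, sizeof file);
        printf("hardened: %-24s -> %s\n", requests[i], ok ? file : "REJECTED");
    }
    return 0;
}
```

Two caveats follow from the "File access" row of the same table. First, the check above must run on the decoded path, and the decoding must happen exactly once: an encoded "%2e%2e" that is decoded after canonicalization is still a '..'. Second, a lexical check does not replace the operating system's own name resolution; Win32 quirks such as 8.3 short names and the stripping of trailing dots mean that restrictive ACLs on the Web root, not string matching alone, are what ultimately keep a request inside it.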

Threat Trees

One of the foremost techniques for risk assessment is the construction of a Threat Tree, which is a formal methodology for analyzing systems and subsystems. The tree construct is used to represent the object that you're trying to protect and the potential threats to that object. This technique, presented by Ed Amoroso in his book, Fundamentals of Computer Security Technology (Prentice-Hall, 1994), steps you through the process of modeling security threats so you can develop a realistic view of your system's risk level. You can then use the tree to play "what if" games with potential countermeasures and select the appropriate countermeasure for a specific threat.

The Three-Tier Security Model


When it comes to applications and their various elements, the best starting point for considering application security is Microsoft TechNet. There's an article there called "Three-Tier Security in an E-commerce Environment" ( https://www.microsoft.com/technet/archive/itsolutions/ecommerce/default.mspx ) that provides an excellent overview of the key aspects of securing distributed applications.

The three-tier security model described in this article consists of three layers:

  • Presentation services 

  • Business services 

  • Data services 

Presentation Services

The presentation services layer provides the user interface that presents information to, and collects information from, the user. For Web-based applications, this interface typically consists of HTML/DHTML and Active Server Pages (ASP).

This interface should be the only point of contact with the user. In addition to providing the user interface, the presentation services layer can convert data for use by the business logic or data services layers or perform the reverse by converting internal data for display to the user.

Tip For Web applications with database back-ends, consider having the client's HTTP requests handled by server-side code that calls a COM+ component, which in turn connects to the database. This design is inherently more secure than one in which client-side code connects directly to the database via ADO, because the database is never exposed to the client at all.

In general, the presentation layer:

  • Provides the external capture and presentation of data 

  • Performs syntactical validation of input 

  • Detects presentation and formatting errors 

  • Does not support object action security decisions 

  • Provides the first level of authentication 

Business Services

The business services layer implements component-based business logic by using integrated application services. These services can include IIS, ASP, COM+, and Message Queuing. Access to the data services layer is accomplished by wrapping OLE DB/ODBC technologies in components, such as ADO.

Data Services

Although the data services layer typically consists of a database management system (DBMS), it can also include other data store mechanisms, such as directory services, e-mail stores, and spreadsheets. For our purposes, the data services layer consists of Microsoft SQL Server.

Tip Isolate your database from the Web or component servers by running it on its own server. Attackers have exploited extended stored procedures such as xp_cmdshell, which execute in the security context of the SQL Server service account (frequently LocalSystem), to gain access to the operating system.

As Michael Howard indicates in his book, a common security weakness in this tier is implementing weak security on the database and putting too much faith in mechanisms that are implemented in the presentation and business services layers. This flawed scenario is based on the assumption that since the only direct communication with the database is from the business services tier, strong security is not required on the database.

Topologies for the Three-Tier Model

Although it's not the goal of this chapter to delve into the labyrinth of designing secure network topologies, it is worthwhile to mention firewalls and the use of a Demilitarized Zone (DMZ), also called a perimeter network. The firewall industry provides a very large number of options for monitoring, filtering, and blocking inbound and outbound network traffic.

Note It's important to note that even though packet-filtering routers and proxy servers do provide a measure of filtering, they are not firewalls and should not be regarded as the most optimal security solution for traffic monitoring and control.

If firewall vendors provide a staggering number of options for securing your network, the myriad of possibilities for architecting secure network topologies is even more overwhelming. The next illustration, Figure 12.3, shows a fairly simple and fairly common topology that employs a single firewall. (For the sake of simplicity, the topology shown does not include routers, DNS servers, or remote access servers.)

Bb734905.f12uj03(en-us,TechNet.10).gif 

Figure 12.3 Network topology that uses a single firewall and three network adapters 

The advantages of the popular configuration shown in Figure 12.3 are (relative to other configurations) that it's the least expensive, the easiest to configure, and the easiest to maintain. The greatest disadvantage of this configuration is that it provides a single point of compromise. A hacker who compromises the single firewall has access to all your corporate assets. This leads us to the next topology (Figure 12.4), which implements a DMZ by using two firewalls to provide a buffer zone between the publicly accessible servers and the corporate network.

Bb734905.f12uj04(en-us,TechNet.10).gif 

Figure 12.4 A topology that uses two firewalls to create a DMZ 

Consider this: if you make the expenditure in effort, time, and money to build a highly available Web server cluster with Application Center—which eliminates the single point of failure for application access—does it make sense to rely on a security perimeter that has a single point of failure? Probably not.

The example we've provided is not the definitive topology, but it gives you a good basis for considering the type of design you may require to secure your Application Center cluster(s) and back-end servers. Regardless of the topology that you implement, the objective of creating a secure perimeter remains the same—to segregate internal and external traffic as much as possible by using electronic and physical techniques, without downgrading performance. One of the major challenges in architecting a secure site is maintaining a reasonable level of performance without compromising security.

Warning If users inside a secure network have a modem at their desk that gives them external access, your firewall system is compromised by default.

Some security strategies to consider are:

  • If different organizational units maintain their own cluster, consider setting up each unit's cluster on a separate domain with separate DNS servers. 

  • Extend the physical isolation concept (front-end and back-end adapters on separate sub-nets) by installing each Application Center cluster on a different network segment. 

Note These clusters must host different applications.

Tip If you have invested in a firewall, or are going to invest in one, ensure that it's properly configured. Get the firewall vendor or a security professional that's familiar with the firewall technology in question to install the firewall.

Platform Security

Bb734905.spacer(en-us,TechNet.10).gif Bb734905.spacer(en-us,TechNet.10).gif

In dealing with Application Center clusters, you have to take a holistic approach to security by reviewing the security configurations of the individual software elements that make up the cluster environment. These include:

  • The network 

  • The operating system and Web server 

  • The applications and components 

  • The back-end databases 

Note Your cluster topology and application architecture will play an important role in determining how some of these elements are configured, particularly when firewalls are implemented as part of the environment.

Before beginning any security assessment and configuration for your environment, you should read the "Site Security Planning" documentation in Appendix B of the Microsoft Internet Information Services 5.0 Resource Guide (Microsoft Press, 1999).

Network Security

Although they're not exhaustive, the following steps, which are extracted from an article called "Security Considerations for Network Attacks" (Microsoft TechNet), provide a good starting point for general network security. These steps can lower the vulnerability of your Web site to DoS and other network attacks:

  • Monitor networks boundaries for attacks. Use an intrusion detection tool to detect attacks. 

  • Ensure that routers are not converting layer 3 broadcasts into layer 2 broadcasts, which is what lets an attacker use your network as an amplifier for smurf-style attacks. The default setting for routers that use Cisco Internetwork Operating System (IOS) version 12.0 or greater is no ip directed-broadcast. 

  • Restrict routers to allow only the use of ports that are necessary for the site to function. (See the sidebar "Port probes and attacks" later in this section.) 

  • Disable unnecessary or optional services (for example, the Client for Microsoft Networks on a computer running Internet Information Server 4.0). 

  • Enable TCP/IP filtering, and restrict access to only the ports that are necessary for the server to function. 

  • Unbind NetBIOS over TCP/IP where it is not needed. 

  • Configure static IP addresses and parameters for public network adapters. 

  • Configure the TCP/IP registry settings that harden the Windows 2000 network stack (for example, SynAttackProtect against SYN floods); the article cited above lists the specific values. 

  • Consult the Microsoft security Web site regularly for security bulletins ( https://www.microsoft.com/technet/security/default.mspx ). 

The "Security Considerations for Network Attacks" article also provides detailed information about the registry settings that will increase the resistance of the Windows 2000 network stack to DoS attacks.

General Security Guidelines for Windows 2000 Server and Web Servers

Because the Web server (IIS) runs as a Windows 2000 Server service and you can regard the two programs as a single entity, we'll start by looking at general security measures that can be applied to both, specifically the use of security templates and site hardening techniques. Following this, we've provided specific checklists for configuring Windows 2000 Server and IIS.

Note As you may recall from earlier chapters, the Windows 2000 server and IIS settings that you configure on the cluster controller provide the master configuration settings for every cluster member. Therefore, overall cluster security is only as good as the lockdown you implement on the cluster controller. 

Security Templates

Windows 2000 provides standard and incremental security templates that you can use in conjunction with the Windows 2000 Security Configuration and Analysis tool. This tool provides a single point of administration for Windows system security. It allows you to:

  • Define one or more security policies based on the role of the computer. 

  • Configure a server to match a security policy. 

  • Audit against an existing policy and report differences. 

Port probes and attacks 

Gaining entry to computer systems via unsecured ports is probably one of the easiest avenues of attack, even for the least sophisticated hacker. The Internet has dozens of popular sites where anyone can download a port scanner for virtually any operating system. Software for detecting port probes is as essential to your operation as virus detection software.

Tip Have a look at the Intrusion Detection FAQ published by the SANS Institute. The FAQ can be obtained at https://www.sans.org/resources/idfaq/.

There are several excellent tools available for detecting the port probe intrusion as well as checking for security weaknesses. You should regularly run a security scanner on your Web server by using software from one of the companies listed at the Microsoft Security Advisor site ( https://backoffice.microsoft.com/securitypartners/ ).

Tip If you want to find out what ports are active on your server, as well as their state, run netstat -a | more from the Windows 2000 command prompt (add -n to show numeric addresses and port numbers instead of resolved names). You'll get output similar to the following:

TCP    ACDW01:2756    sam-xyz-99.samples.microsoft.com:3670    ESTABLISHED 
TCP    ACDW01:2789    ACDW01.samples.microsoft.com:0           LISTENING 
UDP    ACDW01:epmap   *:* 
UDP    ACDW01:1029    *:* 

Netstat does not tell you which running application is actually holding open each listening port; for that you need a separate tool. One tool that does this on Windows 2000 is Inzider. Developed by Arne Vidstrom, it's available from his Web site at https://ntsecurity.nu/.

The following sample output illustrates the type of information that Inzider provides:

Checked E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE (PID=1504) 
Found UDP port 4079 bound at 0.0.0.0 by E:\Program Files\ 
Microsoft Office\Office\OUTLOOK.EXE (PID=1504) [UDP client] 
Found UDP port 4080 bound at 0.0.0.0 by E:\Program Files\ 
Microsoft Office\Office\OUTLOOK.EXE (PID=1504) [UDP client] 
Checked E:\WINNT\Explorer.exe (PID=1320) 
Checked C:\Inoculan\realmon.exe (PID=1572) 
Checked E:\Program Files\Common Files\Microsoft Shared\Service Manager\ 
sqlmangr.exe (PID=1076) 
Checked E:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452) 
Found UDP port 4087 bound at 0.0.0.0 by E:\Program Files\ 
Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452) [UDP client] 
Found UDP port 4088 bound at 0.0.0.0 by E:\Program Files\ 
Common Files\System\MAPI\1033\nt\MAPISP32.EXE (PID=1452) [UDP client] 

After you've installed Inzider, you can use it to track down the executable that is using each port to see what it is. Keep a close eye out for odd programs, such as "Explorer," opening ports because this is usually an indication that you've been infected by a Trojan—Explorer does not open ports.
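The following is an added example, not code from the chapter and not part of Inzider, that automates the check the tip describes. It parses Inzider-style "Found ... port" records, re-joins records that a printout wrapped mid-path (as in the listing above), and flags two things: a binary that should never own a socket (Explorer.exe) holding a port, and a non-loopback listener on a port outside the Web server's allowlist. The sample output it reads is constructed to match the format shown above; the inetinfo.exe and sqlservr.exe lines, their PIDs, the bracketed "TCP listener" label, and port 31337 are assumptions made for the example.

```python
"""Triage Inzider-style port-to-process output on a Windows 2000 Web server.

Added example, not part of the chapter and not part of Inzider. It parses
the 'Found ... port ...' records Inzider prints, re-joins records that a
printout wrapped mid-path, and applies two checks from the chapter:
  1. a binary that never opens sockets (Explorer.exe) is holding a port,
     the Trojan indicator the tip describes; and
  2. a non-loopback listener is on a port outside the Web server's
     allowlist of expected services (for a Web tier, 80 and 443).
"""
import re
from typing import Dict, List, Set, Tuple

# One Inzider record. The '(PID=n)' and '[kind]' fields follow the format in
# the chapter's listing; the text inside the brackets is treated as an opaque
# label and is only checked for the word 'client'.
_FOUND_RE = re.compile(
    r"Found (?P<proto>TCP|UDP) port (?P<port>\d+) bound at (?P<addr>\S+) "
    r"by (?P<image>.+?) \(PID=(?P<pid>\d+)\) \[(?P<kind>[^\]]+)\]$"
)

# Constructed sample. The OUTLOOK.EXE and Explorer.exe lines mirror the
# chapter's listing; inetinfo.exe (IIS), sqlservr.exe, their PIDs, the
# 'TCP listener' label and port 31337 are assumptions made for the example.
SAMPLE_INZIDER = r"""
Checked E:\WINNT\system32\inetsrv\inetinfo.exe (PID=1108)
Found TCP port 80 bound at 0.0.0.0 by E:\WINNT\system32\inetsrv\inetinfo.exe (PID=1108) [TCP listener]
Found TCP port 443 bound at 0.0.0.0 by E:\WINNT\system32\inetsrv\inetinfo.exe (PID=1108) [TCP listener]
Checked E:\Program Files\Microsoft Office\Office\OUTLOOK.EXE (PID=1504)
Found UDP port 4079 bound at 0.0.0.0 by E:\Program Files\
Microsoft Office\Office\OUTLOOK.EXE (PID=1504) [UDP client]
Checked E:\WINNT\Explorer.exe (PID=1320)
Found TCP port 31337 bound at 0.0.0.0 by E:\WINNT\Explorer.exe (PID=1320) [TCP listener]
Checked E:\MSSQL7\Binn\sqlservr.exe (PID=900)
Found TCP port 1433 bound at 0.0.0.0 by E:\MSSQL7\Binn\sqlservr.exe (PID=900) [TCP listener]
"""

Binding = Dict[str, object]
Finding = Tuple[str, str, int, str, str]  # severity, proto, port, basename, reason


def join_wrapped_records(text: str) -> List[str]:
    """Re-join records that a printout broke across lines.

    Inzider writes one record per line. A line that does not begin a new
    'Checked' or 'Found' record is appended to the previous one; the chapter's
    listing breaks paths right after a backslash, so no separator is added.
    """
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Checked ", "Found ")) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def parse_inzider(text: str) -> List[Binding]:
    """Return one dict per 'Found ... port' record ('Checked' lines carry no binding)."""
    bindings: List[Binding] = []
    for record in join_wrapped_records(text):
        m = _FOUND_RE.match(record)
        if m is None:
            continue
        image = m.group("image")
        bindings.append({
            "proto": m.group("proto"),
            "port": int(m.group("port")),
            "addr": m.group("addr"),
            "image": image,
            "basename": image.rsplit("\\", 1)[-1].lower(),
            "pid": int(m.group("pid")),
            "kind": m.group("kind"),
        })
    return bindings


def triage(bindings: List[Binding], allowed_listeners: Set[int],
           never_bind: Set[str]) -> List[Finding]:
    """Apply the two checks and return findings in the order encountered."""
    findings: List[Finding] = []
    for b in bindings:
        basename = str(b["basename"])
        proto, port = str(b["proto"]), int(b["port"])
        if basename in never_bind:
            findings.append((
                "HIGH", proto, port, basename,
                "binary that does not open ports is bound to a port; probable Trojan"))
            continue
        is_client = "client" in str(b["kind"]).lower()   # outbound socket, not a service
        is_loopback = str(b["addr"]).startswith("127.")  # not reachable from the network
        if not is_client and not is_loopback and port not in allowed_listeners:
            findings.append((
                "MEDIUM", proto, port, basename,
                "listener on a port outside the allowlist; verify the service or disable it"))
    return findings


if __name__ == "__main__":
    # A Web-tier member should expose only HTTP and HTTPS to the network.
    for sev, proto, port, image, reason in triage(
            parse_inzider(SAMPLE_INZIDER), {80, 443}, {"explorer.exe"}):
        print(f"{sev:6} {proto} {port:5} {image:14} {reason}")
```

Run against the constructed sample, the script reports Explorer.exe on TCP 31337 as a probable Trojan and sqlservr.exe on TCP 1433 as an unexpected listener; the latter is exactly the condition the "Data Services" tip warns about, a database instance sharing a host with the Web server. Keep the allowlist per server role, and treat every finding as something to explain, not something to suppress.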

Table 12.4 summarizes the areas where you can use the Security Configuration and Analysis tool to apply and verify security settings on a system.

Table 12.4 Configurable Security Areas 

Area | Configurable items
Account policies | Password, lockout, and Kerberos authentication settings
Local policies | Audit, user rights, and security options
Event Log | Settings for the system, application, security, and directory service logs
Restricted groups | Policy regarding group membership
System services | Start-up modes and access control for system services
Registry | Access control for registry keys
File system | Access control for folders and files

You can use the following components of the Security Configuration and Analysis tool set to configure some or all of the security areas described in Table 12.4.

  • Security Templates snap-in—allows you to create a text-based template file that contains security settings for all security areas. 

  • Security Configuration and Analysis snap-in—use this snap-in to configure or analyze Windows 2000 operating system security. This snap-in uses the contents of an existing security template to support its operations. 

  • Secedit.exe—a command-line version of the Security Configuration and Analysis snap-in. 

  • Security Settings extension to Group Policy—use this extension snap-in to the Group Policy editor to configure local security policies, as well as security policies for domains or organizational units (OUs). Local security policies only include the account policy and local policy security areas described in Table 12.4. However, security policies defined for domains or OUs can include all security areas. 

Tip Take advantage of the incremental security template, Hisecweb.inf, which you can download from the Secure Internet Information Services 5 Checklist page. You can use this template as a baseline that is applicable to most secure Web sites (see the following section).

Pre-Defined Security Templates

Windows 2000 provides a collection of pre-defined security templates that you can apply against your cluster members. This collection consists of default security templates and incremental templates that you can use to extend the security defaults that you've already applied.

Windows 2000 Default Security Templates

The Windows 2000 default security settings are applied only to Windows 2000–based systems that have been clean-installed on an NTFS partition. In an upgrade scenario, where computers are upgraded from Windows NT 4.0 or earlier, the existing security settings are not modified. The following default security templates are provided so you can secure upgraded NTFS computers in the same manner as clean-installed NTFS computers:

  • Basic Workstation (Basicwk.inf)—is for computers running Windows 2000 Professional. 

  • Basic Server (Basicsv.inf)—is for computers running Windows 2000 Server. 

  • Basic Domain Controller (Basicdc.inf)—is for domain controllers running Windows 2000 Server. 

You can use the preceding templates to specify default Windows 2000 security settings for all security areas with the exception of user rights and groups.

Note You cannot apply the default settings in these templates if Windows 2000 is installed on a FAT file system.

Incremental Security Templates

Windows 2000 also ships with incremental security templates. The settings specified in the incremental security templates were created on the assumption that the templates would be applied to computers that had the default Windows 2000 security settings applied. As the name implies, the incremental templates simply extend the default security settings—they do not include the default settings plus modifications.

You should apply incremental templates on computers where Windows 2000 has been clean-installed onto an NTFS partition. If you want to apply any of the incremental security templates to an NTFS computer that was upgraded from Windows NT 4.0 or earlier, apply the corresponding basic template (as described in the preceding section) first. Table 12.5 describes the incremental templates.

Table 12.5 Incremental Security Templates 

Security level | File name | System | Comments
Compatible | Compatws.inf | Workstation or server | If you do not want your users to run as Power Users, the Compatible configuration opens the default permissions for the Users group so that legacy applications are more likely to run correctly. Microsoft Office 97 should run successfully when you are logged on as a user to a computer running Windows 2000 that has had the Compatible security template applied over the default settings. Note that this is not considered a secure environment.
Secure | Securews.inf, Securedc.inf | Workstation or server; domain controller | These secure configurations provide increased security for areas of the operating system not covered by permissions. This includes increased security settings for Account Policy, Auditing, and some well-known security-relevant registry keys. Access control lists are not modified by the Secure configurations because they assume that default Windows 2000 security settings are in effect.
Highly secure | Hisecws.inf, Hisecdc.inf | Workstation or server; domain controller | The Highly Secure configuration is provided for computers running Windows 2000 that operate in native Windows 2000 environments only. In this configuration, all network communications must be digitally signed and encrypted at a level that can only be provided by Windows 2000. Therefore, communications between a highly secure computer running Windows 2000 and a client running a down-level version of Windows cannot be performed.

Site Hardening

Site hardening involves removing programs and services that are not required, leaving only those that are necessary to support the role of the server. Several of these programs, such as the OS/2 subsystem, have already been identified in the preceding sections.

Tip Don't install unneeded application software or development tools on your cluster member. Remove applications that aren't required, such as Microsoft Outlook Express, and others contained in the Accessibility, Games, Entertainment, and Communications folders.

You should determine if the services identified in Tables 12.6 and 12.7 are required by any of the programs or applications on your cluster members. If these services aren't needed, remove them from the members.

Table 12.6 Services That May Be Required By Your Installation 

Service | Comment | Required by Application Center
Certificate Authority | Required to issue certificates. | No
Content Index | Required if using Index Server. | No
FTP Publishing | Required if using the FTP service. It's highly recommended that FTP and Web services run on separate servers. | No
NNTP | Required if using Network News Transfer Protocol (NNTP). | No
Plug and Play | | Yes
Remote Access Services | Required if you use dial-up access. It's recommended that this run on a server outside of the cluster. | No
RPC Locator | | Yes
Server | Can be disabled, but required to run User Manager. | No
SMTP | Required if using SMTP. | Optional
Telephony | Required if access is by dial-up connection. This is not needed for the cluster. | No
Terminal Services | Required if using Terminal Services for remote administration. | Optional
Uninterruptible Power Supply (UPS) | Optional, but recommended that you use a UPS. | No
Workstation | Optional, but important if you have UNC virtual roots. | 

Table 12.7 Services That Are Not Required By Most Installations 

Service | Required by Application Center
Alerter | 
ClipBook Server | No
Computer Browser | No
DHCP Client | Optional (1)
Messenger | No
NetBIOS Interface | Yes
Net Logon | Yes
Network DDE and Network DDE DSDM | No
Network Monitor Agent | Optional
NWLink NetBIOS | No
NWLink IPX/SPX Compatible Transport | No
Simple TCP/IP | No
Spooler | No
TCP/IP NetBIOS Helper | Yes
WINS Client (TCP/IP) | Yes

1 The DHCP client is only required if you are using DHCP on the network adapter.

Warning Sometimes a Setup program will reset operating system or IIS configuration settings back to their original defaults. After you install a security patch, service pack, hotfix, or software program, check all your lockdown settings to make sure that they haven't been reset.
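One way to make that check repeatable, and to perform the "audit against an existing policy and report differences" step described under "Security Templates," is to export the member's current settings with secedit /export /cfg current.inf and compare that file against your baseline template (for example Hisecweb.inf). The following is an added example, not part of the chapter and not Microsoft's secedit or Security Configuration and Analysis snap-in, that does the comparison in Python. Security templates are INI-style text files; the two fragments embedded below are constructed for the example, using the section and setting names Windows 2000 templates use, but their values are illustrative and are not copied from any shipped template.

```python
"""Report drift between a member's exported security template and a baseline.

Added example, not part of the chapter or of the Security Configuration and
Analysis tool set. Reads two template files in the .inf format secedit
produces and consumes, and lists every baseline setting that the current
export either lacks or sets to a different value.
"""
import configparser
from typing import Dict, List, Tuple

Template = Dict[str, Dict[str, str]]
Drift = Tuple[str, str, str, str]  # section, setting, expected, actual

# Constructed baseline fragment. Section and setting names are those used by
# Windows 2000 templates; the values are illustrative only.
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 9
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export of a member after a Setup program ran: the password
# length has been relaxed, logon auditing is off, RestrictAnonymous is gone.
CURRENT_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_template(text: str) -> Template:
    """Parse template text into {section: {setting: value}}.

    Registry value names contain backslashes and mixed case, so the parser is
    told to keep option names exactly as written, to split only on '=', and
    not to interpret '$' or '%' in values.
    """
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # type: ignore[assignment]
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def find_drift(baseline: Template, current: Template) -> List[Drift]:
    """Return (section, setting, expected, actual) for every baseline setting
    that is missing from, or different in, the current export. 'actual' is
    the string '<missing>' when the current export does not have the setting.
    Settings present only in the current export are not reported; a baseline
    defines what must hold, not everything the member may have."""
    drift: List[Drift] = []
    for section, settings in baseline.items():
        present = current.get(section, {})
        for key, expected in settings.items():
            actual = present.get(key, "<missing>")
            if actual.strip() != expected.strip():
                drift.append((section, key, expected.strip(), actual.strip()))
    return drift


if __name__ == "__main__":
    baseline = load_template(BASELINE_INF)
    current = load_template(CURRENT_INF)
    for section, key, expected, actual in find_drift(baseline, current):
        print(f"[{section}] {key}: expected {expected}, found {actual}")
```

In practice you would read the two files from disk instead of the embedded strings, run the script after every patch, service pack, or application install, and re-apply the template with secedit /configure when it reports drift. Note that it compares only the settings a template expresses as name=value pairs; file system and registry ACL entries in the template are also parsed as pairs, but a reviewer should still confirm them with the snap-in.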

Windows 2000 Server Settings

The following guidelines, taken from the Windows 2000 Server documentation, identify settings and actions that you should consider when setting up your server running Windows 2000 Server:

  • Review and apply the appropriate secure configuration template settings (see "Security Templates" earlier in this chapter). 

  • Turn off NTFS 8.3 name generation. 

  • Set the startup (boot menu) time-out to zero seconds. 

  • Remove the OS/2 subsystem. 

  • Remove the Portable Operating System Interface for UNIX (POSIX) subsystem. 

  • Format the hard disk(s) to NTFS. 

  • Set appropriate NTFS discretionary access control lists (DACLs) on files and folders. 

  • Remove all network shares. 

  • Unbind NetBIOS from TCP/IP unless it is absolutely required. 

  • Disable IP routing. 

  • Disable the Guest account. 

  • Check user accounts, group membership, and privileges. Only give users the privileges they need to do their work. 

  • Set a very strong password for the Administrator account (at least nine characters, mixing letters, digits, and symbols). 

You should read the article "Default Access Control Settings in Windows 2000," which is available at the Microsoft TechNet Web site ( https://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/secdefs.mspx ). Compare and contrast these settings with those that are required and implemented by Application Center Setup. This article provides detailed information about the permissions given to the three main user categories: administrator, power user, and user. In addition, this article includes information about the default file system and registry ACLs for the three user types.

Tip Secure your servers from physical access by hackers. If an unauthorized user has physical access to the server, they can find a way around the standard password protection. You can:

  • Configure the BIOS so the server won't start from a floppy disk drive. 

  • Password protect the BIOS so it can't be reconfigured. 

  • Lock the server case to prevent access to the BIOS jumpers on the motherboard. 

  • Put the server in a locked room with limited access. 

IIS Settings

The next step in securing your Windows 2000 and Web server environment is to read the "Secure Internet Information Services 5 Checklist" ( https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/iis5chk.mspx ) written by Michael Howard, a member of the Windows 2000 security team. His article highlights issues that are specific to securing IIS 5.0 and includes the "why" and "how" for the following items:

  • Setting appropriate ACLs on virtual directories 

  • Recommended default ACLs by file type 

  • How to set appropriate log file ACLs 

  • How to enable and configure logging 

  • Setting IP address/DNS address restrictions 

  • Validating executable content for trustworthiness 

  • Updating root CA certificates at the server running IIS 

  • Disabling or removing all sample applications 

  • Disabling or removing unneeded COM components 

  • Removing the IISADMPWD virtual directory 

  • Removing unused script mappings 

  • Removing extensions from IIS 5.0 

  • Checking <FORM> and Querystring input in ASP code 

  • Disabling parent paths 

  • Disabling the IP address in Content-Location 

In addition to the preceding information, this article shows you how to get automatic notification of security issues via e-mail by subscribing to the Microsoft Security Notification service.

The Applications and Components

Your applications and components span both the presentation and business services tiers, and these elements should be secured in accordance with the tier that they support.

Before deploying an application, you should:

  • Make sure that the application validates all user input on the server (in the presentation or business services layer) before passing data on to the other layers. Validation performed in the browser is a convenience for the user only; an attacker can bypass it by submitting requests directly, so it must never be the only check. 

  • Remove all hard-coded values, such as user names and passwords that were used for testing the applications. 

  • Configure IIS so that directories containing ASP pages have execute (Scripts only) permission and not Read permission; clients can then run the pages but cannot retrieve their source. 

  • Verify that components are not vulnerable to buffer overflow attacks by using a code analysis tool such as PREfix. 

Tip Read Marco Gregorini's articles, "The Subtleties of Client Impersonation with IIS, ASP and MTS/COM(+)." You can find Parts 1 and 2 on the ASP Today Web site ( https://www.asptoday.com/Content.aspx?id=296).

COM+ is a key technology in the business services layer because it provides a programming model for integrated security checking, automatic enlistment in resource pooling and transactions, threading synchronization, and lifetime management of component instances.

Note Components can be organized into business and data components. An ASP page or DCOM call instantiates the business component, not the data component; the business component then creates and enlists data components during a method call, in a transaction of which the business component may be the root. Typically COM+ role-based security is checked when the business component is called, and not again when the business component invokes the data component's methods. This keeps the security check at the external boundary, where the caller's identity matters, and avoids repeating it for internal calls.

Use Dcomcnfg.exe (DCOM Configuration) to secure DCOM interfaces by granting launch and access permissions only to the specific users or groups that need to instantiate them.

Data objects manage the data on the back-end and massage it into a form that the business object can handle. This encapsulation hides the underlying data structure so the client isn't aware of data structures such as tables, relationships, or even column names.

The following articles relate to component security and are available from MSDN:

Tip Check the permissions on application executables and components to ensure that they can't be overwritten with malicious code.

The Back-End Databases

The final element to secure in the three-tier security model is your database server. As we noted in "Data Services" earlier in this chapter, we recommend that you implement strong security on your back-end database—do not rely solely on the business services layer to secure your data.

SQL Server Settings

The following check list provides some guidelines to follow for securing a Microsoft SQL Server database:

  • Harden the database server by stopping all unnecessary services and removing programs that aren't required. Look for samples (that is to say, database applications, stored procedures, databases), and test material such as stored procedures and data that can be removed. 

  • Whenever possible, use Windows 2000 authentication, rather than SQL Server authentication. Known as integrated security, Windows 2000 authentication lets you take advantage of the Windows 2000 password management features (for example, aging and strength). 

  • Use SQL Server's object permissions (SELECT, INSERT, DELETE, and UPDATE) and roles on objects such as tables and views, granting each application account only what it needs. 

  • Prevent direct access to tables by granting EXECUTE permission on specific stored procedures instead of permissions on the underlying tables. 

  • Enable the SQL Server audit feature to monitor logon successes and failures. 

Application Center Security

Bb734905.spacer(en-us,TechNet.10).gif Bb734905.spacer(en-us,TechNet.10).gif

Although the Application Center features implement a variety of security mechanisms, such as privileged inter-process communications and encryption, Application Center itself does not implement security mechanisms via its user interface. However, the product design is such that security is implemented at all levels, from the individual driver level up to the level of the Application Center snap-in. This section summarizes how the Application Center design minimizes potential security weaknesses. Feature-specific security is covered in detail in the chapter that documents each particular feature.

User Accounts

As documented in Chapter 4, "Cluster Services," Application Center uses its own group and user accounts for cluster activities. The Windows 2000 local account IUSR_machinename, which IIS uses for anonymous access, is not used by Application Center.

Caution We recommend that you do not change the setting for the anonymous access account for IIS on a cluster after adding members. Changing this setting can cause authentication failures. If you do want to implement this change, refer to "Managing User Accounts" in the Application Center online Help to see how to do this correctly.

User Credentials

Specific credentials are required to use Application Center. These credentials are as follows:

  • An account that is a member of the Administrators group (local or domain) is required to open the Application Center user interface. 

  • To manage a cluster, you require an Administrators account (local or domain) that exists on the cluster members that you want to manage (usually a cluster controller and cluster member pair). If the account is local, the same password is required for both members. 

  • When deploying applications, you require one set of credentials (with administrative privileges) for the source server, a second set of credentials for the targets, and if you're using a stager, a third set of credentials for the controller that can be used with the deployment wizard to deploy from cluster to cluster. 

  • In order to remove a cluster member or disband a cluster, you have to provide credentials with administrative privileges on the target. 

Tip For simplicity, use one domain account with administrative privileges across a cluster. Use a separate, local Administrators account for remote administration to implement tighter security.

File Systems

Although Application Center supports all three file system formats (FAT, FAT32, and NTFS), we recommend that you use NTFS to implement the highest possible level of file system security; only NTFS supports access control lists. For more information about NTFS file system security, refer to the following topics in the Application Center online Help:

  • "Security During Synchronization" 

  • "Set ACLs on Virtual Directories" 

Network Adapters

The two-card configuration that Application Center uses effectively segregates inbound client traffic—carried on the front-end adapter—from internal cluster administrative communications, which is handled by the back-end adapter. It is very important to secure the back-end because of the possibility of attacks against the internal administrative protocols and interfaces that Application Center uses.

Note In a cluster that does not use Network Load Balancing (NLB), only one network adapter is required. A single-adapter configuration, however, carries the cluster's administrative traffic (synchronization, monitoring, and so on) over the same interface that serves client requests, so that traffic is exposed to anyone who can reach the public interface. This is a security risk if your cluster is serving content to Internet clients. Because Application Center will use a second network adapter if one is present, you should consider adding one.

Health Monitor and WMI

Any authenticated user can read the Application Center and Microsoft Health Monitor 2.1 namespaces, but only an administrator and the cluster user group account, ACA_servername, can write to these namespaces, that is, create an instance of existing classes or create new classes.

On the Windows 2000 operating system, Windows Management Instrumentation (WMI) does not distinguish between local and remote access. Remote connection to a given WMI namespace is a separate user right that might or might not be granted by the system administrator.

Warning A user who is gaining access to a cluster over a remote connection can specify a user name and password as a substitute for their current user name and password. If the name that they provide is authenticated, they can gain access to the target namespace. In order to control access to a namespace, you have to implement user rights.

Monitoring

Whenever you use Health Monitor to create an HTTP monitor that uses authentication, all of the authentication information is stored in the WMI repository. Because this information is readable by all users, you should only use low-privileged test accounts for cluster monitoring.

Logging

Application Center logging uses integrated security, with Read/Write access granted to the Application Center administrative group, ACA_servername, and the server's Administrators group.

The Application Center Events and Performance Logging database runs as a named instance which allows multiple copies of SQL Server 2000 to run on the same server. This architecture, coupled with the fact that Application Center uses a different port number, isolates the monitoring database from conventional installations of SQL Server.

Remote Control

Application Center disables remote control of NLB clusters by default. If you enable remote control, you should use a firewall for the NLB User Datagram Protocol (UDP) ports that receive remote control commands. These ports are 1717 and 2504 at the cluster IP address.

Note Application Center does not support synchronization of the NLB remote-control password. You have to configure the NLB remote-control password on each cluster member.

Secure Remote Administration

Bb734905.spacer(en-us,TechNet.10).gif Bb734905.spacer(en-us,TechNet.10).gif

You can use the following three technologies to administer an Application Center cluster remotely:

  • Use the Microsoft Management Console (MMC)–based Application Center Administrative client 

  • Use the Microsoft Internet Explorer 5 Web browser to access the Web-based user interface 

  • Use Windows 2000 Terminal Services 

Note Any form of remote administration assumes that a secure connection from the remote user to the corporate network is in place. In most cases, this connection will either employ direct dial-up access to a modem pool or will use Network and Dial-Up Connections to connect to a remote access server via the Internet. In the case of WANs, some form of Virtual Private Networking (VPN) should be in place. (See the sidebar below.)

VPNs 

VPN technologies are being widely deployed to implement wide area networking over the Internet backbone.

To get a good foundation of Microsoft's implementation of VPN, you should read the "Windows 2000 Virtual Private Networking Scenario," which is available from TechNet ( https://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/vpnscen.mspx).

Another good source of information about VPN technology, from a broader, industry-wide perspective, are Rick Allen's two articles, "The Reality of Building Secure Private Networks, Parts One and Two," which are available at the SecurityPortal Web site. These articles provide some very good information about the issues related to building secure networks by using VPN technology.

Securing Off-Site Computers

It's important to ensure that remote users adequately secure their computers, in particular portable computers, because they are more vulnerable to theft. (As you may recall, 69 percent of the respondents in the computer crime survey reported portable thefts.)

Use the following checklist as a guideline for implementing security on off-site computers:

  • Install a virus detection program, and test for up-to-date virus signatures during logon. 

  • If the user is gaining access to the corporate network over a DSL/cable connection, require the use of a personal firewall system. Test the remote system when it's connected to the corporate network for possible security weaknesses, such as unnecessary open ports and exposed file shares. 

  • Install Windows 2000 Professional, with NTFS formatted drives, on off-site computers. This will let the user encrypt sensitive files and directories. 

  • Disable the Network and Dial-Up Connections Save password option. Passwords stored as plain text in local files are an invitation to disaster, especially if the system is exposed over a DSL/cable connection or Network and Dial-Up Connections is configured on a laptop. To disable this option:

    • Open the Registry editor, and add the REG_DWORD value DisableSavePassword to the HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/RasMan/Parameters key. Set the value of DisableSavePassword to 1. 

  • Don't make it easy for hackers by providing information about a user or the company. The Windows default setting that remembers the user name of the last person who was on the computer, and displays it the next time CTRL-ALT-DEL is pressed, should be disabled. To disable this feature:

    • Open the Registry editor, and navigate to HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon. 

    • Choose Edit, Add Value, and then create a new value named DontDisplayLastUserName, of type REG_SZ. 

    • Enter 1 as the value for DontDisplayLastUserName. 

    • Because Windows also retains and displays the name of the default user on a computer, you may want to disable this as well. Locate the DefaultUserName value in Winlogon, and then delete any user name that Windows assigned during Setup. 

  • Audit your security policies and configurations for remote users on a regular basis to ensure compliance, and revise these policies and configurations as needed. 

The Application Center Administrative Client

The Application Center Administrative client, which you can install on a computer running Windows 2000 Professional, is the preferred method for administering a cluster. The minimum requirements for installing the Administrative client are a computer running:

  • Windows 2000 Professional 

  • Windows 2000 Service Pack 1 (SP1) 

Note You can also install the Administrative client on any computer running Windows NT 4.0 that has Service Pack 6 installed.

Provided that you have the authority and can supply the authentication that Application Center requests for certain activities, such as adding/removing members and deploying applications, you have full access to the product feature set via the graphical user interface.

Note The Administrative client installation does not include the AC.EXE command-line tool, Health Monitor, or Application Center Events and Performance Logging on the local computer.

The Application Center Web-Based Administrative Client

The Application Center Web-based Administrative client is limited to cluster monitoring features. The default page for the Web-based Administrative client view of the cluster is linked to port 4242 and can be accessed by entering https://servername:4242 in the address area of the browser.

Warning You should block all incoming Internet traffic to port 4242 so that the Web-based Administrative client is reachable only from the internal network.

The best way to restrict access to the cluster user interface is to set ACLs at the site directory level (Application Center 2000 Administrative Site). This will have some impact on performance because the user interface uses images that are located in the Images directory, which is included in the lockdown. You can also control access to the site by setting IP address and domain name restrictions on the Application Center 2000 Administrative Site directory.

Windows 2000 Terminal Services

You can use the Terminal Services thin client to provide remote access to a server desktop, where the client acts as a terminal emulator. Terminal Services can be installed in either application server or remote administration mode. When this service is installed as an application server, you can configure the service to provide remote access to a specific application, such as Application Center.

Terminal Services running in application mode doesn't provide any functional gains over using the Application Center Administrative client on a remote connection, but it does provide an alternative for users who don't have access to a computer running Windows 2000 Professional. The Terminal client can run on a number of hardware devices, including Windows-based terminals. Terminal Services also supports access to a Terminal server by other devices, such as Macintosh computers or UNIX-based workstations, through the use of third-party software.

In remote administration mode, Terminal Services gives a remote user complete control over the server to which he connects. As a matter of security policy, you have to determine whether or not this level of access is really needed to support a cluster.

Note Terminal Services provides robust security settings that you can implement for logon and authentication, permissions settings, and encryption.

Monitoring and Auditing


Security monitoring and auditing should be implemented on your cluster members in such a fashion that intrusion attempts are detected and notifications are sent out in a timely manner, thus enabling you to respond quickly to threats. Windows 2000 provides several tools that you can use for security monitoring and auditing.

Performance Monitor

You can use selected Performance Monitor counters as a means to flag possible hacking attempts on a server and implement real-time monitoring and detection. By using counters and a threshold that you establish, you can trigger an alert when the threshold is exceeded. You can also specify the following actions to take when an alert is triggered:

  • Log an entry in the application Event Log 

  • Send a network message 

  • Start a performance data log 

  • Run a specified program 

A good example of using performance counters and alerts is the counter for logon failures. Figure 12.5 shows the custom alert we created for monitoring failed system logons. In this example, we use the Errors Logon counter for the Server performance object. When the number of failed logons passes the threshold (25), an alert will be triggered.


Figure 12.5 Using Performance Monitor to set up security alerts 

Obviously, it's not feasible to monitor all the objects in the operating system. Table 12.8 lists the counters that we think you should monitor and generate alerts for.

Table 12.8 Alert Recommendations 

Counter                     Description
-------------------------   -----------------------------------------------------------------------------------------------------
Errors Access Permissions   Indicates whether somebody is randomly attempting to gain access to files in the hopes of finding an improperly protected file.
Errors Granted Access       Logs attempts to gain access to files without proper access authorization.
Errors Logon                Displays failed logon attempts, which could mean that password-guessing programs are being used to crack security on the server.

Auditing and the Event Viewer

The Windows 2000 Event Viewer, which consists of the System, Application, and Security logs, records information for all the events that are audited on the computer. You can use the Security Log, which records errors, warnings, or information generated by the operating system, in the Event Viewer to review audited events. This log contains default events, such as logons and logoffs, as well as any others that you want to audit.

System auditing is established at the domain level and can be extended by applying policies on the local computer by using the Local Security Settings option (in Windows 2000, click the Start button, point to Programs, and then click Administrative Tools). Remember, domain security policies always take precedence over local policies when the local policy is weaker than the domain policy.

The audit policies that you can apply at either the domain or local level include:

  • Account logon events 

  • Account management 

  • Directory service access 

  • Logon events 

  • Object access 

  • Policy change 

  • Privilege use 

  • Process tracking 

  • System events 

You should monitor the Windows 2000 Event Log on a regular basis to see if any of the Security Log entries listed in Table 12.9 appear because they could indicate an intrusion or attempted intrusion.

Table 12.9 Security Log Entries That You Should Monitor 

Event identifier   Comments
----------------   --------------------------------------------------------------------------------------------------------------
612                The audit policy has changed. Verify who changed it and why.
640                A change was made to the SAM database. Was it you?
531                An attempt was made to log on by using a disabled account. Who would attempt this and why?
539                A logon attempt was made and rejected because the account was locked out. Who would attempt this and why?
529                An attempt was made to log on by using an unknown user account or by using a valid account with a password that is not valid. An unexpected increase in the frequency of this event could indicate an attempt to guess passwords.
517                The Audit Log was cleared. Did you do this, or is it an attempt by an intruder to cover his tracks?
624                A user account was created. Did you or a trusted person create it?
628                A user account's password was set. Did you or a trusted person do this?
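As an added example (not code from the Application Center documentation), the following Python script reviews a Security Log that was saved from Event Viewer as tab-delimited text: it counts the Table 12.9 event IDs, reports each one, and also applies the password-guessing heuristic from Table 12.8 by raising an alert when one account accumulates 25 failed logons (event 529) within five minutes. The column layout, the threshold and window, and the sample log lines are assumptions constructed for the example.

```python
"""Scan an exported Windows 2000 Security Log for the Table 12.9 event IDs.
Added example, not Application Center code. Assumes the log was saved from
Event Viewer as tab-delimited text with columns Date, Time, Type, Category,
Event, Source, Computer, User in chronological order; sample data is constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
# Event IDs from Table 12.9 and the question each one should prompt.
WATCHED_EVENTS = {
    612: "audit policy changed: who changed it and why?",
    640: "SAM database changed: was it you?",
    531: "logon attempt with a disabled account",
    539: "logon rejected because the account is locked out",
    529: "unknown account or bad password",
    517: "audit log cleared: you, or an intruder covering tracks?",
    624: "user account created: by you or a trusted person?",
    628: "user account password set: by you or a trusted person?",
}

# Assumed tuning: this many 529 events for one account inside the window is flagged.
GUESS_THRESHOLD = 25
GUESS_WINDOW = timedelta(minutes=5)

def parse_export(text):
    """Yield (timestamp, event_id, user) for each data line of the export."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 8 or not fields[4].isdigit():
            continue  # header, blank, or malformed line
        stamp = datetime.strptime(f"{fields[0]} {fields[1]}", "%m/%d/%Y %H:%M:%S")
        yield stamp, int(fields[4]), fields[7]

def review_log(text, threshold=GUESS_THRESHOLD, window=GUESS_WINDOW):
    """Return (hits, alerts): hits counts every watched event ID seen; alerts lists
    each non-529 watched event plus one alert per account whose 529s reach threshold."""
    hits = Counter()
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent 529 events
    for stamp, event_id, user in parse_export(text):
        if event_id not in WATCHED_EVENTS:
            continue
        hits[event_id] += 1
        when = f"{stamp:%Y-%m-%d %H:%M:%S}"
        if event_id != 529:
            alerts.append(f"{when} event {event_id} ({user}): {WATCHED_EVENTS[event_id]}")
            continue
        recent = failures[user]
        recent.append(stamp)
        while recent and stamp - recent[0] > window:  # slide the window forward
            recent.popleft()
        if len(recent) == threshold:  # fires once per burst, not on every later failure
            alerts.append(f"{when} {threshold} failed logons for {user} "
                          f"within {window}: possible password guessing")
    return hits, alerts

def sample_export():
    """Constructed export: account creation, 30 bad passwords in 2 minutes, then log cleared."""
    base = datetime(2001, 3, 14, 2, 0, 0)
    def row(t, kind, event_id, user):
        return f"{t:%m/%d/%Y}\t{t:%H:%M:%S}\t{kind}\tSecurity\t{event_id}\tSecurity\tWEB01\t{user}"
    rows = ["Date\tTime\tType\tCategory\tEvent\tSource\tComputer\tUser",
            row(base, "Success Audit", 624, "Administrator")]
    rows += [row(base + timedelta(seconds=4 * i), "Failure Audit", 529, "Administrator")
             for i in range(30)]
    rows.append(row(base + timedelta(minutes=10), "Success Audit", 517, "Administrator"))
    return "\n".join(rows)
```

Running review_log(sample_export()) returns three alerts: the account creation, a single password-guessing alert for Administrator, and the cleared audit log.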

Remember, the logs that record the events you're auditing are an important part of this process. Make sure that these logs cannot be deleted or corrupted by setting the appropriate level of security access on them. The files that you need to protect are:

  • AppEvent.evt 

  • SecEvent.evt 

  • SysEvent.evt 

Using crash logging and notification as a security tool 

Because hackers will attempt to crash a server in order to gain access, it's useful to receive and retain crash information. In addition to the crash log file, you can also enable two other methods of crash notification and logging.

First, you can enable an administrative alert by setting HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/CrashControl/SendAlert to 1. The next time the server crashes, an administrative alert will be sent.

Second, you can make the operating system log the crash in the Event Log by changing HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/CrashControl/LogEvent to 1. Now the exact time of the crash will be permanently recorded.

You can use this information during a security audit to determine whether or not the server was deliberately crashed.

Think Like a Hacker


The "think like a hacker" philosophy was first espoused many years ago, and although it's still a valid approach to security, it's easier said than done.

In reality, most legitimate computer professionals don't possess the mores, mindset, or motivation of a serious hacker. It seems that no matter how many security courses we take, most of us simply don't think the same way that a hacker does. That's not to say that you should give up trying to understand the hacker culture.

The best way to get a feel for the world of hacking is to visit hacker sites. Fortunately, most hackers require peer recognition so they love to publicize the security holes they've found and the hacks they've made. You may not fully understand them, but at least by reading about the "attack du jour," you'll find out what hackers are doing to the systems you're trying to protect. The best starting point is the site hosted by "2600 The Hacker Quarterly," ( https://www.2600.com/magazine/) which is also available in most bookstores.

Resources


The following books and Web sites provide additional information about a wide range of computer security topics.

Books and Articles

Microsoft Windows 2000 Resource Kit (Microsoft Press, 2000)

The Windows 2000 Resource Kit provides information not found in the core documentation as well as software tools on a CD.

Howard, M., Designing Secure Web-Based Applications for Microsoft Windows 2000 (Microsoft Press, 2000)

This book provides an authoritative and pragmatic end-to-end view of Windows 2000 security topics. It provides a complete picture of Windows 2000 Web server, including component-level and database security features and considerations.

Amoroso, E., Fundamentals of Computer Security Technology, (Prentice-Hall, 1994)

A must-have for anyone involved in security, this book starts by covering the threats to computer systems (which motivate the field of computer security); then it discusses all the models, techniques, and mechanisms designed to thwart those threats, as well as known methods for exploiting vulnerabilities. It closes with the security evaluation of computer systems in order to grade a particular implementation of computer security. Keep your eyes open for the next edition of this one.

Scambray, McClure, and Kurtz, Hacking Exposed, Second Edition (Osborne/McGraw-Hill, 2000)

This book covers all aspects of network security, including informational scans and probes, password vulnerabilities, dial-up networking insecurities, buffer overflows, Web and e-mail insecurities, Trojans, and back doors. The authors use high-profile attacks and case studies to illustrate network vulnerabilities and show you how to implement security on your own system.

Cheswick and Bellovin, Firewalls and Internet Security: Repelling the Wily Hacker (Addison Wesley Longman, Inc., 1994)

The authors describe how to plan and execute a security strategy that will deter most determined and sophisticated hackers without downgrading your access to Internet services. They provide a step-by-step plan for setting up a firewall, as well as information on cryptography and the tools used by hackers. Keep your eyes open for the second edition of this book, which is due out in February 2001.

Web Sites

https://www.w3.org/Security/Faq/ 

The WWW Security FAQ, maintained by the World Wide Web Consortium (W3C), provides a good starting point for anyone interested in learning about Internet and WWW security issues and technologies.

https://www.microsoft.com/technet/security/default.mspx 

Microsoft TechNet main security topics page. From this link, you have access to the latest security bulletins, software patches, and other resources, such as security articles, case studies, security tools, and training information.

https://www.cert.org/ 

The home page for the Computer Emergency Response Team (CERT) of the Internet. From here you can access all the CERT security advisory bulletins, report an incident, and gain information about security-related topics, such as viruses and firewalls. CERT also hosts discussion forums, provides mailing lists, and maintains an extensive bibliographical section for books and articles related to security.

https://www.cerias.purdue.org/ 

The Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University is the foremost university center for multidisciplinary research and education in areas of information security. CERIAS supports various security projects, and its Hotlist page ( https://www.cerias.purdue.edu/infosec/hotlist/) is one of the most extensive collections of security links on the Internet. The Hotlist is divided into the following subject areas: System Security, Network Security, Organizations and Agencies, Intrusion Detection, Cryptography, Education, Publications, Events & Call for Papers, Commercial Sites, Virus Detection, and Electronic Law.

https://www.sans.org/ 

The SANS (System Administration, Networking, and Security) Institute is one of the foremost cooperative research and education organizations for system, security, and network professionals. SANS publishes security bulletins, digests, and books, and hosts security conferences and workshops throughout North America. SANS also provides several security certifications that are recognized throughout the computer industry.

https://www.gocsi.com/ 

The Computer Security Institute (CSI) co-sponsored the "1999 CSI/FBI Computer Crime and Security Survey" and, in addition to offering conferences and seminars on security topics, they provide summary information about security vendors' products, such as firewalls.

https://csrc.nist.gov/ 

The CSRC (Computer Security Resource Center) is operated by the Computer Security Division ( https://www.itl.nist.gov/div893/) of the National Institute of Standards and Technology. The site contains information about a variety of computer security issues, products, and research of concern to federal agencies, industry, and users. The CSRC is a clearinghouse "to make publicly and easily available a wide collection of valuable computer security resources, including: computer security related topics, publications, testing materials, training materials, standards, policies, organizations, and event information."

https://www.insecure.org/ 

This site, offered by a self-proclaimed hacker (Fyodor), contains general security information as well as specifics about hacking tools.

https://www.securityfocus.com/microsoft 

The Bugtraq site is a moderated discussion area for posting and reading information about security bugs for the various operating systems. This is a good resource for finding out about bugs as soon as the hackers do. Intrusion Detection, Penetration Testing, VPN, and Firewall mailing lists are also available at this site.

https://www.2600.com/ 

"2600 The Hacker Quarterly" is one of the first hacker publications to appear on bookstore shelves. It's the premier site for serious hackers and, in a way, the first "legitimate" hacker site.
