Chapter 1. Windows NT/2000 Security

The use of Windows systems as Internet servers presents security challenges. In contrast to most internal systems, systems connected to the Internet are directly exposed to security attacks from both unsophisticated and highly skilled attackers. The typical Windows NT 4.0 (and, more recently, Windows 2000) installation makes a Windows server an easy target for such attacks. Securing the Windows NT or the Windows 2000 operating system for Internet use is a complex task. The purpose of this book is to offer a strategy for making your Windows-based server configuration as secure as possible. This strategy has two basic parts:

  1. Secure or "harden" any Windows server that will be exposed to potential attacks from the Internet so it is as secure as it possibly can be. An exposed system of this kind is typically known as a bastion host.

  2. Provide extra security protection for such exposed systems by installing an additional network — typically known as a perimeter network — that separates the outside network (usually the Internet) from your organization’s internal networks.

Later chapters of this book describe specifically how to harden your Windows NT or Windows 2000 system so it can function on your perimeter network as a secure bastion host. Before I present the step-by-step security details, this chapter sets the scene by describing briefly the security threats your system will face, the architecture of the Windows NT and Windows 2000 operating systems, and the recommended placement of Windows servers on your perimeter network.

Internet Threats

An Internet server faces many different kinds of threats. The most common include:

Intrusion

An intrusion occurs when an unauthorized person gains access to your system. These days, intrusions most often result in web page defacement: an attacker alters the contents of your web site. Such attacks are growing in popularity. Attrition (http://www.attrition.org/mirror/attrition/) maintains a daily updated list of defaced web sites. The current record is 56 reported defacements in one day (November 21, 1999). About 60% of the defacements recorded at Attrition between October 1999 and April 2000 have occurred on Windows NT systems.

Denial of service

The goal of a denial of service (DOS) attack is to sabotage operation by consuming all of your computing resources (CPU time, network bandwidth, etc.). This effectively stops authorized users from using the system.

Information theft

This type of attack occurs when an unauthorized person obtains private information. The most popular targets are login/password information, credit card information, and software source code.

Many intrusions are made possible by improperly configured software. Looking at a concrete example may help underscore this point. Recently, the Apache web server site (http://www.apache.org/) was hacked.[4] In this particular case, the attackers uploaded a PHP[5] script to a world-writeable FTP directory. The web server root directory was the same as the FTP server root directory. This allowed the attackers to launch Unix commands using the uploaded script. They uploaded and executed a shell binary that bound to a high port and enabled them to initiate a connection to that port. The attackers now had interactive shell access on the system. The next step was to gain root access. This was accomplished by using a database process that was running as root to indirectly create a setuid root shell.

Fortunately, these attackers (so-called "gray-hats"[6]) were not out to thrash the site; they only replaced the "powered by Apache" logo with a Microsoft Back Office logo and alerted the site administrators.

The following configuration errors made the Apache break-in possible:

  1. The web server and the FTP server had the same root directory. This allowed the attackers to upload the software that was used to launch the attack. The uploaded software could be executed because the web server software used the same filesystem hierarchy.

  2. There was no (or an improperly configured) firewall system protecting the web server. It was possible for the attackers to connect to any port on the system. This made the attack much easier.

  3. The database software was running as root. This is the reason why the attackers were eventually able to gain root access.
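The three configuration errors above, turned into a small audit script for a Unix host like the apache.org one (an added example, not from the book; the directories are constructed under mktemp and the process list is fed in as sample lines). It covers errors 1 and 3; the firewall check in error 2 needs a network view that a host-local script does not have.

```shell
#!/bin/sh
# Added example (not from the book): audit a Unix host for the
# configuration errors that made the apache.org break-in possible.
# Paths are whatever your site uses; the demo builds constructed
# directories under mktemp so it runs offline.

# Error 1: web root and FTP root are the same directory (or one contains
# the other), so anything uploaded by FTP is served, and possibly
# executed, by the web server. Returns 0 (true) when they overlap.
roots_overlap() {
    web=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    ftp=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$ftp/" in "$web/"*) return 0 ;; esac
    case "$web/" in "$ftp/"*) return 0 ;; esac
    return 1
}

# Error 1, second half: world-writable directories under a root let any
# user (including anonymous FTP) drop a script there. Prints each one.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Error 3: long-running services such as the database should not run as
# root. Reads "user command" lines on stdin (ps -eo user,comm in practice)
# and prints the commands that are root-owned and match the pattern.
root_owned_services() {
    awk -v pat="$1" '$1 == "root" && $2 ~ pat { print $2 }'
}

# Demo on constructed directories and a constructed process list.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/site/incoming"
    chmod 0755 "$base/site"
    chmod 0777 "$base/site/incoming"   # world-writable upload directory
    if roots_overlap "$base/site" "$base/site"; then
        echo "WARN: web root and FTP root overlap"
    fi
    echo "World-writable directories:"
    world_writable_dirs "$base/site"
    echo "Root-owned services:"
    printf 'root mysqld\nwww-data httpd\nroot sshd\n' \
        | root_owned_services 'mysqld|postgres|httpd'
    rm -rf "$base"
}
```

Run `demo` to see all three checks fire on the constructed layout; on a real host, point the functions at your document root and FTP root and pipe `ps -eo user,comm` into root_owned_services.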

Windows NT systems present many vulnerabilities, which attackers are only too happy to take advantage of. For example, there are cases where an attacker has been able to connect directly to a system using Windows file sharing. Those systems are an even easier target than the Apache site was. Just start guessing passwords and try to connect as Administrator!

The number of security incidents reported to the Computer Emergency Response Team Coordination Center (CERT-CC)[7] has grown at an alarming rate in recent years. Figure 1-1 illustrates this development; note how steeply incidents have increased since 1997. (Incidents include, but are not limited to, attempts to gain unauthorized access to a system or its data, and disruption or denial of service.) The real security picture is far worse than these statistics show; it’s safe to assume that only a small number of all incidents are reported to CERT-CC.

Figure 1-1. Number of incidents reported to CERT-CC

If you already have a presence on the Internet, you probably know that attempts are made to compromise your site’s security mechanisms every day. And the stakes are high. Imagine how you’d feel if an online store that you use was hacked and the attacker managed to steal your credit card information. Would you feel comfortable shopping there again? Would you use an Internet bank that was successfully attacked last year? I wouldn’t.

As a result, it’s of great importance to have and maintain a high level of security for your site. This is a complex task, but after reading this book I hope you will find it somewhat less troublesome.

Keep in mind that even if you’re not running a large online bank or shopping site, you still need to take steps to protect your servers. The attackers are out there; they may be after your intellectual property; they may want to use your computing resources; or they may just want to have some fun defacing your web site.



[4] This attack was described in detail on the BugTraq mailing list on May 4, 2000, in a message entitled “How we defaced www.apache.org.”

[5] PHP is a free server-side scripting language (http://www.php.net/) similar to Microsoft’s Active Server Pages (ASP).

[6] Tom O’Donnell of the IEEE Ethics Committee describes gray-hats as “self-styled Robin Hoods who make it their business to expose security flaws in software in a very public way” (http://www.spectrum.ieee.org/INST/dec99/ethics.html).

[7] CERT-CC originally was established in response to the first major Internet security incident: the release of the Internet worm back in 1988.