This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Web Security Field Guide provides you with hands-on, proven solutions to help patch the most common vulnerabilities of Windows(r) web servers and browsers within the context of an end-toend network security architecture. Avoiding conceptual discussions of underlying technologies, the book spends little time discussing how each application works. Using plain language and lots of step-by-step examples, the book instead focuses on helping you secure your web servers and prevent the majority of network attacks. Divided into five parts, the book opens with an overview of essential background information and helps you establish working network security • Table of Contents rules and policies. Parts II through IV teach you the techniques for hardening the operating • Index system, the web server, and the browser. Part V of the book addresses overall network security, Web Security Field Guide focusing on preventing and controlling access. Topics such as becoming a Certification Authority, By StevePIX(r) KalmanFirewall, Cisco IOS(r) Firewall, access lists, ongoing security maintenance, and Cisco testing are all examined in-depth, providing an overall network security plan that can drastically reduce the risk your business systems and data. Publisher: Cisco to Press Pub Date: November 08, 2002
Full of diagrams, screen captures, and step-by-step instructions for performing simple tasks that ISBN: 1-58705-092-7 can radically improve the security of your Internet business solutions, Web Security Field Guide Pages: 608 is a practical tool that can help ensure the integrity and security of your business-critical applications.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on for securing Windows(r) servers, browsers, and network communications. About techniques the Author About the Technical Reviewers Acknowledgments Create effective security policies and establish rules for operating in and maintaining a Introductionconscious environment securityFocus of the Book
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Audience Command Syntax Conventions
Understand secure installation options for Windows web servers and how to enhance Icons Used in This Book security on existing web and FTP server installations Part I: The Fundamentals of Web Security Chapter security 1. Essential for Web Security Administrators Improve atInformation the end user's workstation, including web browsers, desktops, and laptops Two Internetworking Models Headers
Evaluate the pros and cons of installing a certificate server and becoming your own Shims Certification Authority Above the Transport Layer
Summary Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Chapter 2. Security Policiesaccess lists standard and extended Justifying Security
Discover ways to test the current state of security and keep it up to date Security Policies Summary
Learn to engage end users as part of the overall network security solution Part II: Hardening the Server Chapter 3. Windows System Securityand improved the way we do business, this vast network and While the Internet has transformed its associated technologies have opened the door to an increasing number of security threats. NT 4 Security The challenge for2000/XP successful, Windows Securitypublic web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining One Final Task performance or scalability. The more reliant organizations become on the Internet to perform Summary daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Part III: Installing and Protecting IIS as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Chapter in 4. the IIS Installation market leader development and sale of products and technologies that protect data Installingthe IIS4Internet. Yet a network security solution is only as strong as its weakest traveling across Installing IIS5 can occur at any point, including the network connection, the firewall, the link. Network attacks web server, or the client. Hardening the defenses at all these points is key to creating an Summary effective, all-encompassing network security solution.
Chapter 5. Enhancing Web Server Security Web Servers Versus Development Servers Locating Document Root Logging Limiting Access to Your Web Server Miscellaneous Security Enhancements Hosting Multiple Web Servers
• •
Table of Contents
Summary
Index
Chapter 6. Enhancing the FTP Server Web Security Field Guide Inner Workings of FTP BySteve Kalman Secure FTP Example of Secure FTP Product Publisher: Cisco Press Summary Pub Date: November 08, 2002 Part IV: Protecting the User ISBN: 1-58705-092-7 Chapter 7. Browser Security Pages: 608 Dangerous Content Four Zones Cookies Summary Chapter 8. Desktop/Laptop Security
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Acquiring IEAK6 Configuring the IEAK
Create effective security policies and establish rules for operating in and maintaining a Building a Desktop securityconscious IEAK Profile Managerenvironment Managing Multiple INS Files
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Summary Part V: Protecting the Network Understand secure installation options for Windows web servers and how to enhance security on existing and FTP server installations Chapter 9. Becoming aweb Certification Authority (CA) Encryption Schemes
Improve security at the end user's workstation, including web browsers, desktops, and CA Responsibilities laptops Establishing Your Own CA
Requesting a Server Certificate Evaluate the pros and cons of installing a certificate server and becoming your own Installing aAuthority Certificate on Your Web Server Certification Browser Certificates
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Summary standard and extended access lists Chapter 10. Firewalls
Firewall-Protected Network Discover ways to test theComponents current state of security and keep it up to date Firewall Design
Learn to engage end users as part of the overall network security solution Access Lists Using Access Lists
While the Internet has transformed and improved the way we do business, this vast network and Firewall Feature Set its associated technologies have opened the door to an increasing number of security threats. Cisco PIX Firewall The challenge for successful, public web sites is to encourage access to the site while eliminating Summary undesirable or malicious traffic and to provide sufficient levels of security without constraining Chapter Maintaining The Ongoing Security performance or11. scalability. more reliant organizations become on the Internet to perform and Fixes daily jobsPatches or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems hasRisks been an innovator in using the Internet to conduct business, so too is it a Miscellaneous market leader in the development and sale of products and technologies that protect data Antivirus traveling across the Internet. Yet a network security solution is only as strong as its weakest Personal Firewalls link. Network attacks can occur at any point, including the network connection, the firewall, the Summary web server, or the client. Hardening the defenses at all these points is key to creating an Chapter 12. The Weakest Link effective, all-encompassing network security solution.
Why Worry? What You Can Do Summary Closing Remarks Part VI: Appendixes Appendix A. Customizing Internet Explorer Error Messages Customizing Messages
• •
Table of Contents
Appendix B. Decoding Base64
Index
Capturing the Data Web Security Field Guide Translating from Base64 BySteve Kalman Appendix C. Contents of the WSFG Web Site Home Page Publisher: Cisco Press Referenced Pages Pub Date: November 08, 2002 Index ISBN: 1-58705-092-7 Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information Publisher: Cisco Press storage and retrieval without written permission from the publisher, except for the Pub Date: November 08,system, 2002 inclusion of brief quotations in a review. ISBN: 1-58705-092-7 Pages: 608 Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing November 2002 Library of Congress Cataloging-in-Publication Number: 2002101291 Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Warning and Disclaimer Create effective security policies and establish rules for operating in and maintaining a securityconscious environment This book is designed to provide information about web security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Understand secureliability installation options for Windows web servers and how to enhance Inc. shall have neither nor responsibility to any person or entity with respect to any loss security on existing web and FTP server installations or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. Improve security at the end user's workstation, including web browsers, desktops, and laptops expressed in this book belong to the author and are not necessarily those of Cisco The opinions Systems, Inc. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Trademark Acknowledgments Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists All terms mentioned in this book that are known to be trademarks or service marks have been appropriately Discover capitalized. ways to testCisco the current Press or state Cisco of Systems, security and Inc.keep cannot it up attest to date to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any Learn or to service engagemark. end users as part of the overall network security solution trademark While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. performance or scalability. The more reliant organizations become on the Internet to perform Each book is crafted with care and precision, undergoing rigorous development that involves the daily jobs or conduct transactions, the greater the impact a breach of network security has. Just unique expertise of members from the professional technical community. as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market in the and sale of and If technologies that protect data Readers'leader feedback is development a natural continuation of products this process. you have any comments regarding traveling across the Internet. Yet a network security solution is only as strong as its weakest how we could improve the quality of this book, or otherwise alter it to better suit your needs, link. Network attacks can occur at any point, includingPlease the network connection, thethe firewall, the you can contact us through e-mail at ciscopress.com. make sure to include book title web server, or the client. Hardening the defenses at all these points is key to creating an and ISBN in your message. effective, all-encompassing network security solution.
Feedback Information
We greatly appreciate your assistance.
Publisher
John Wait
Editor-In-Chief
John Kane
Cisco Representative
Anthony Wolfenden
•
Table of Contents
Manager •Cisco Press Program Index Web Security Field Guide Cisco Marketing Communications BySteve Kalman
Sonia Torres Chavez Manager
Tom Geitner
Cisco Marketing Program Manager
Edie Quiroz
Executive Publisher: Editor Cisco Press
Brett Bartow
Pub Date: November 08, 2002
Production Manager
Patrick Kanouse
Development Pages: 608 Editor
Christopher Cleveland
Project Editor
San Dee Phillips
Copy Editor
Marcia Ellett
ISBN: 1-58705-092-7
Technical Editors Hank Mauldin Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Carl Smigielski Create effective security policies and establish rules for operating in and maintaining a Boleslav Sykora security- conscious environment Team Coordinator Tammi Ross Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Book Designer Gina Rexrode Understand secure installation options for Windows web servers and how to enhance Cover Designer Louisa Adair security on existing web and FTP server installations Compositor Mark Shirar Improve security at the end user's workstation, including web browsers, desktops, and Indexer Tim Wright laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Corporate Discover Headquarters ways to test the current state of security and keep it up to date Cisco Systems, Inc. LearnTasman to engage end users as part of the overall network security solution 170 West Drive San Jose, CA 95134-1706 While USA the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. http://www.cisco.com The for successful, public web sites is to encourage access to the site while eliminating Tel: challenge 408 526-4000 undesirable or malicious 800 553-NETS (6387)traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform Fax: 408 526-4100 daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data European Headquarters traveling across the Internet. Yet a network security solution is only as strong as its weakest Cisco Systems Europe link. Network attacks can occur at any point, including the network connection, the firewall, the 11 Rue Camille Desmoulins web server, or the client. Hardening the defenses at all these points is key to creating an 92782 Issy-les-Moulineaux effective, all-encompassing network security solution.
Americas Headquarters • Table of Contents Cisco Systems, Inc. • Index 170 West Tasman Drive Web Security Field Guide San Jose, CA 95134-1706 BySteve Kalman USA http://www.cisco.com Tel:Publisher: 408 526-7660 Cisco Press Fax:Pub 408 527-0883 Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608 Asia Pacific Headquarters Cisco Systems Australia, Pty., Ltd Level 17, 99 Walker Street North Sydney NSW 2059 Australia Hands-on techniques for securing Windows(r) servers, browsers, and network communications. http://www.cisco.com Tel: +61 2 8448 7100 Fax: +61 2 9957 4350 Create effective security policies and establish rules for operating in and maintaining a conscious environment CiscosecuritySystems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at Learn how to harden Windows multi-user platforms, including NT, 2000, and XP www.cisco.com/go/offices
of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0010R)
Dedications This book is dedicated to two people who have spent their working lives in public service. • Table of Contents •
Index
The first is my wife, Gail. She is a special education teacher with responsibilities for physically Web Security Field Guide and emotionally handicapped children. She has, over more than 35 years, brightened the lives of By Steve Kalman hundreds of students and their parents. ThePublisher: other isCisco former PressNew York City Mayor, Rudolph Guiliani. During the worst crisis in our time, he emerged as a national Pub Date: November 08, 2002leader of the caliber of Kennedy, Roosevelt, and Churchill. He taught us all lessons in faith, trust, love, and support. After being at risk himself, he led the nation out ISBN: 1-58705-092-7 of the darkness. He became America's Mayor. Pages: 608
Steve Kalman Lords Valley, Pennsylvania June 2002 Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
About the Author Steve Kalman is the principal officer at Esquire Micro Consultants, which offers lecturing, writing, and consulting services. He has more than 30 years of experience in data processing, with strengths in network design and implementation. Steve is an instructor and author for • Table of Contents Learning Tree International and has written and reviewed many networking-related titles. He • Index holds CISSP, CCNA, and CCDA certifications. Web Security Field Guide BySteve Kalman
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
About the Technical Reviewers Hank Mauldin is a consulting engineer for Cisco Systems, Inc., working for the Office of the CTO. He has worked with Cisco for several years, evaluating and designing data networks. His areas of expertise IP routing protocols, quality of service, and network security. Hank is • Table ofinclude Contents currently the program manager for Cisco Network Designer, which is a network design tool. Prior • Index to joining Cisco, he worked for several different system integrators. He has more than 15 years Web Security Field Guide of data networking experience. Hank resides in San Diego, California. He holds a master's BySteve Kalman degree in information system technology from George Washington University. Carl Publisher: Smigielski Cisco Press is a senior network engineer at Aquidneck Management Associates in Newport, Rhode Island. Carl develops Pub Date: November 08, 2002 IT security solutions for military clients, including the Naval Undersea Warfare Center. He has written award-winning security analysis tools used daily by the ISBN: 1-58705-092-7 Naval Pages: Criminal Investigative Service and other investigative organizations. Carl teaches courses 608 on network security technologies, including Intrusion Detection, Cryptography, PKI, Web Security, Virtual Private Networks, and Firewalls. Boleslav Sykora is a recognized security expert. He consults on network and system security issues, dealing with intrusion detection, vulnerability assessment, penetration testing, firewalls, Hands-on forPKI. securing Windows(r) servers, network communications. VPNs, webtechniques servers, and He also instructs on these browsers, subjects atand Learning Tree International, for whom he wrote courses on intrusion detection and Cisco OSPF/BGP routing. Boles is an electrical engineer and holds the CISSP certification. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Acknowledgments When I decided that I wanted to write this book, I sent a short e-mail to Cisco Press Executive Editor, Brett Bartow. We've worked together for years; I've had the privilege of being a technical editor for several Cisco Press books. In that note, I asked him if he could recommend a • Table of Contents publishing house for a book on web security, never thinking that Cisco Press would be • Index interested. Brett immediately came back and said that we could do it together; so we began Web Security Field Guide working on the outline. I am delighted to have had the opportunity to write for Cisco Press. It is BySteve Kalman always a pleasant experience when you get to work with the best. Thanks, Brett. OnePublisher: of the first Cisco things Press I asked Brett to do was to assign Chris Cleveland as development editor. I knew from the08, TE2002 work I've done, and I had the highest respect for his skills and PubChris Date: November dedication. Now, as an author, I've seen how much work he did to the raw material I sent him. ISBN: 1-58705-092-7 Consistency is essential in technical writing, and Chris did (and does) a tremendous amount of Pages: 608 work behind the scenes to make it happen. No author stands alone. Several people and companies played key roles in making this project happen. Among them are Adrian Bryan. Hands-on techniques He is the forauthor securing of aWindows(r) course on web servers, security browsers, given by andLearning networkTree. communications. That course, which I teach from time to time, was the source of the idea for this book. Adrian also graciously provided the material for Appendix B, "Decoding Base64." Create effective security policies and establish rules for operating in and maintaining a conscious AddiesecuritySheridan. She wasenvironment a student in a class I taught as I was still thinking about whether to take on this project. When I mentioned it to her, she said, "Finally, a book that we can actually howthe to harden Windows including NT, 2000, and XPthat use." Learn That was proverbial straw.multi-user Hopefully, platforms, I've produced something that meets definition. Understand secure installation options for Windows web servers and how to enhance onauthor existing and FTP server installations Peter security Vogel. As of web the Learning Tree course on technical writing, Peter put together four intensive days of training on the skills needed to produce everything from a white paper to a end user's workstation, and book Improve like this. security Many of at thethe lessons he taught me haveincluding improvedweb thebrowsers, readabilitydesktops, of this book. laptops Grant Moyle and Mike Covington, who helped with the original outline. Evaluate the pros and cons of installing a certificate server and becoming your own Certification I teach courses onAuthority routing, telecommunications, and security for Learning Tree. This has given me the opportunity to learn from the students which areas are more or less difficult for them to Learn the PIX Firewall and Cisco IOS Firewall architecture and how apply Cisco understand, andCisco which skills are more important than others. Many thanks go to to the founders, standard and extended access lists Eric Garen and David Collins, who created a company that has given me the opportunity to meet and work with scores of the industry's best and brightest professionals. Discover ways to test the current state of security and keep it up to date Internet Security Systems for permission to use its product as an example of a security scanner. Learn to engage end users as part of the overall network security solution Sanctum, Inc. for permission to use its AppShield product to demonstrate web content While the Internet has transformed and improved the way we do business, this vast network and insecurity. its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites to encourage access to the site while eliminating Rhinosoft for permission to use its secure FTP is server and client. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations on theweb Internet to perform The U.S. National Security Agency (NSA) who have createdbecome an excellent site chock-full of daily jobs or conduct transactions, the greater the impact a breach of network security best practices statements. I've shamelessly adapted, edited, and repurposed several of has. themJust for as Systems has been an innovator in using the Internet to conduct business, so too is it a thisCisco book's audience. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet aand network solution ismade only as as its weakest The technical editors, Carl, Hank, Boles,security whose comments allstrong the difference. They link. Network attacks can occur at any point, including the network connection, the firewall, theall dedicated computers for several months to the sole task of editing this book—running through web server, or the client. Hardening the defenses at all these points is key to creating an the steps, making suggestions, and correcting errors. The remaining errors are mine, but the effective, all-encompassing network security solution.
credit for all the corrections goes to them with my gratitude for a job well done. Last, but undoubtedly most important, is my wonderful wife of 25 years, Gail. As I get close to deadlines, I get focused on the task at hand to the exclusion of nearly everything else. When, during a conversation, my mind drifted off to something I should have written or could have written better, she was understanding and supportive. (She calls it "Programmer Mode" — just slide the pizzas under the door and wait for him to come out.) Without her unwavering support, my achievements would not only have been impossible, but also pointless. Thanks. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Introduction It seems that every day or two brings a report on some new vulnerability or security hole. Administrators are advised on what patch to apply or what workaround to employ. With so many security alerts, we've become complacent in the same way that the daily litany of felonies • Table of Contents reported in the newspapers and on TV has immunized us against the reported news. The KLEZ • Index virus, which made the top-ten lists for three months running in the spring of 2002 could have Web Security Field Guide been prevented with a patch issued fourteen months earlier. BySteve Kalman
Most network administrators are doing the equivalent of driving without insurance. It isn't that they're Publisher: incompetent Cisco Press or that they don't care, but that the demand on them is to show positive results today—to put the fires that are burning now. They don't have the luxury of time to Pub Date: November 08,out 2002 create ISBN: fire prevention plans. 1-58705-092-7 Pages: 608
This book is written for them. In plain language, with lots of examples, it shows how to secure a web server and protect a network from most attacks.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Focus of the Book The focus is on what to do and how to do it, rather than on how it works. Readers of this book will be administrators who have security responsibility without enough dedicated time and training to do the job properly. These readers need solutions rather than theory. This book • Table of Contents supplies them. •
Index
Web Security Field Guide that readers will look only at parts that are pertinent to them, some Under the assumption material is necessarily duplicated. Occasionally, that duplication is in the same chapter. (The BySteve Kalman IIS4/IIS5 installation chapter is a good example.) Other times, the material is spread across several chapters. (Certificates are described and defined in three places, albeit in different Publisher: Cisco Press contexts.) Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Audience The main audience for this book is the network administrator who has responsibility for many separate aspects of a company's network—the kind of job that might be held by several people at a larger company. It was written assuming that the audience members would rather learn • Table of Contents how than why. Many of the technical topics are treated with just enough information to make the • Index tutorial parts make sense. Web Security Field Guide BySteve Kalman
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Command Syntax Conventions The conventions used to present command syntax in this book are the same conventions used in theIOS Command Reference. The IOS Command Reference describes these conventions as follows: • Table of Contents •
Index
Web Security Field Guide
Vertical bars (|) separate alternative, mutually exclusive elements.
ISBN: 1-58705-092-7 Braces within brackets [{ }] indicate a required choice within an optional element. Pages: 608
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command). Italics indicate arguments for which you supply actual values. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Icons Used in This Book Throughout this book, you will see a number of icons used to designate Cisco and general networking devices, peripherals, and other items. The icon legend that follows explains what these icons represent. • Table of Contents •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Part I: The Fundamentals of Web Security • •
The most secure computer in the world would be one that is fully configured, then unplugged, encased in plastic, and placed in a bank vault. It would also be the most useless Table computer in the world. As someone responsible for keeping that computer secure, of Contents you need to keep two things in mind: Index
Web Security Field Guide
First—Everything you do to increase the usability of that computer lowers its security .
BySteve Kalman
Second—That trade off is not one-for-one. Some actions lower security a little but usability a lot. Others lower security a lot but raise usability only a little. Your Publisher:raise Cisco Press job is to willingly Pub Date: November 08, 2002 do the former and adamantly resist the latter. In this part, you fill in some blanks that you might have with regard to data communication functions, and ISBN: 1-58705-092-7 you learn about security policies. Pages: 608
Chapter 1 Essential Information for Web Security Administrators Chapter 2 Security Policies Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Chapter 1. Essential Information for Web Security Administrators • of Contents This chapter Table covers the following topics: •
Index
Web Security Field Guide
Two Internetworking Models
BySteve Kalman
Headers Publisher: Cisco Press
Shims Pub Date: November 08, 2002 ISBN: 1-58705-092-7
Above the Transport Layer Pages: 608
Two things are almost certainly true about the vast majority of readers of this book: You know most of the information in this chapter. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. You need to brush up on a few things or, possibly, learn about them for the first time. You will mosteffective likely either skippolicies or skimand most of the material Create security establish rules forhere. operating in and maintaining a security- conscious environment Other chapters, however, assume that you know these fundamentals. If you find that a section assumes knowledge that you don't have, such as how Secure Sockets Layer (SSL) Learn how to harden Windows multi-user platforms, including NT, 2000, and works XP (Chapter 9, "Becoming a Certification Authority [CA]") or what a SYN-Flood is (Chapter 10, "Firewalls"), this is the place to get the details. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Two Internetworking Models Someone once said, "The only thing worse than no standards is two standards." As you've undoubtedly observed, the world of data communications has an overabundance of cases where two (or three, or more) standards apply to the same process. Sometimes, it makes sense: • of Contents Ethernet andTable Token Ring are two standards for passing data on a medium, and each has • Index advantages and disadvantages when compared to the other. Sometimes, multiple standards Web Guide don'tSecurity make Field sense: Frame Relay has three slightly different Link Management Interface (LMI) types—the correct one to use depends on which company made the switch (and wrote its By Steve Kalman software). Publisher: Cisco Press
Even the terminology used to describe data communication processes and functions is made Pub Date: November 08, 2002 more difficult by the presence of two different models. For example, the OSI reference model has 1-58705-092-7 seven ISBN: layers, and the TCP/IP model has four levels. Because their terminology is used so Pages: 608 pervasively, both are described here.
NOTE Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Almost all technical books and courses discuss (or at least refer to) the OSI reference model its layers. In the industry, even though the model is predominant, Createand effective security policies and establish rules forTCP/IP operating in and maintaining it a has become acceptable to refer to the TCP/IP model as having layers, rather than using security- conscious environment the more correct term, levels. This book follows the industry practice. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
OSI Reference Model
Improve security at the end user's workstation, including web browsers, desktops, and The International Organization for Standardization (ISO) developed and promulgated the Open laptops Standards for Interconnection (OSI) reference model. The OSI reference model has seven layers, Evaluate the pros and cons1-1. of installing a certificate server and becoming your own as listed and described in Table Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Table 1-1. OSI Reference Model Layers
Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Number Name
Description
7
Application
Communications programs operate here. Some, such as FTP and DHCP, are part of the TCP/IP protocol suite.
6
Presentation Controls the format of the message. For example, conversions from ASCII to EBCDIC would occur here. So, too, would encryption and decryption and compression and expansion.
•
Table of Contents Session Manages the overall communications process and logging in. An Index example is a TCP session, including everything from the first SYN, to Web Security Field Guide the data in between, to the final FIN. Early days of remote terminal BySteve Kalman access also included checkpoint and restart.
5
•
4
Transport
End-to-end integrity is this layer's responsibility. The idea here was to provide host-to-host integrity checking at this layer. (Lower layers Pub Date: November 08, 2002 check hop-to-hop integrity.)
Publisher: Cisco Press
3 2
ISBN: 1-58705-092-7
Network
Addressing and routing operate at this layer.
Data link
The bits are organized into frames and error mechanisms (such as CRC) occur here. Communication protocols, such as Ethernet, Token Ring, HDLC, PPP, and DSL, operate at this layer.
Pages: 608
1 Physical This layer allows the bits to get to the other end by defining the Hands-on techniques for signaling securing speed, Windows(r) voltage servers, levels,browsers, modem frequency, and network andcommunications. connector pins. Create effective security policies and establish rules for operating in and maintaining a A powerful advantage that comes from the layered OSI reference model is the intersecurity- conscious environment changeability of parts. A computer that uses TCP/IP for its transport and network layers can be changed from Token Ring to Ethernet by merelyplatforms, removing including one network and another Learn how to harden Windows multi-user NT, card 2000, andadding XP (plus its drivers). The IP address need not change. Similarly, the same Layer 2 Ethernet network can deliver IP, IPX, and AppleTalk Layer 3. Understand secure installationpackets optionsatfor Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and TCP/IP Model laptops
The TCP/IP model is quite bit simpler. Because it is composed only four layers, Evaluate the pros andacons of installing a certificate server of and becoming your some own of the OSI layer functions have to be combined. Table 1-2 lists the layers and their responsibilities, Certification Authority along with a comparison to the OSI model. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
Table 1-2. TCP/IP Model Layers and Functions
Learn to engage end users as part of the overall network security solution Layer Name Function While the Internet has transformed and improved the way we do business, this vast network and its associated technologies opened thebut door to an increasing number and of security Application Same as inhave the OSI model, includes OSI presentation sessionthreats. layer The challenge forresponsibilities successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining Transport End-to-end communications, like OSI's transport layer; adds the capability to performance or scalability. The more reliant organizations become on the Internet to perform address different applications and processes with port numbers daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco SystemsCorresponds has been antoinnovator in using layer; the Internet conduct business, sonodes too is it a Internet the OSI network uses IPtoaddresses to identify market leader in the development and sale of products and technologies that protect data Network Same as OSI's data link layer traveling across the Internet. Yet a network security solution is only as strong as its weakest Interface link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. the defenses all these is key to creating an Unlike the OSI model, theHardening Internet model has no at definition ofpoints the physical layer. effective, all-encompassing network security solution.
This model also defines the objects passed between the layers. Figure 1-1 presents the definitions in context.
• •
Figure Definition of Data Content During Layer-to-Layer Table1-1. of Contents Transitions Index
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Although thesesecurity terms are not end officially by the including OSI, theyweb are browsers, commonly desktops, used along with Improve at the user'sdefined workstation, and both the OSI reference model and the TCP/IP model layer names. To use OSI terminology, the laptops data link layer receives frames from the physical layer and passes datagrams to the network layer.Evaluate The network the pros layer, and in cons turn,of gives installing packets a certificate to the transport server layer, and becoming and the term your message own is used Certification at Layers 5, 6, Authority and 7. In keeping Learn with the Cisco industry PIX conventions, Firewall and Cisco all reference IOS Firewall to layers architecture in the book andare how based to apply on the Cisco OSI reference standard model. and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Headers As data passes down the stack from one layer to the next, a header with a format specific to that layer is added until the frame with all its headers and the data is transmitted. Each layer examines and removes its header as the packet works its way up the stack. Eventually, the data • Table of Contents reaches its application. The next several sections look at headers in detail. •
Index
Web Security Field Guide
Data Link Headers BySteve Kalman
Publisher: by Cisco Press As defined the OSI reference model, the data link layer is responsible for receiving the frame Pub Date: November 08, 2002 from the physical layer and handing it off, as a datagram, to the correct network layer protocol. ISBN: 1-58705-092-7
The IEEE made Pages: 608 a modification to this layer, splitting it into two halves. The lower half, known as the Media Access Control (MAC) sublayer, looks at every frame captured by the physical layer and discards most of them. It retains only those frames addressed to the specific machine on which it is running, to multicasts for which it is a group member, or broadcasts. The MAC layer then hands it off to the Logical Link Control (LLC) layer for further processing, including eventually handing off the datagram to the appropriate network layer protocol. Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Ethernet II and the Type Field Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Three companies defined Ethernet: Digital, Intel, and Xerox. (The original name for the cable Learnwas howthe to DIX harden Windows multi-user including NT, 2000, andItXP connector connector, the acronym platforms, coming from companies' names.) was later revised to become Ethernet II, but the header was not changed during the revision. Table 1-3 Understand secure installation options for Windows web servers and how to enhance shows the three fields in the header. security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
1-3. in the Ethernet Data Header EvaluateTable the pros and Fields cons of installing a certificate II server andLink becoming your own Certification Authority DestinationMAC SourceMAC Type Code Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco 6 bytes 6 bytes 2 bytes standard and extended access lists Discover ways to test the current state of security and keep it up to date For many years, the type codes, protocol codes, port numbers, and many other codes and Learn to engagewere end users as in part of assigned the overall networkRFC," security solution number assignments defined "the numbers' which was periodically updated and renumbered. The last of them was RFC 1700. When that process became While the Internet has transferred transformedtoand improvedthat theyou waycan wereach do business, this vast network and unmanageable, it was a database online at its associated technologies have opened the door to an increasing number of security threats. www.iana.org/assignments. The Ethernet type codes are listed there. Three that are used in the The challenge for successful, public web sites is to encourage access to the site while eliminating examples that follow are hexadecimal values 0x0800, 0x0806, and 0x8136, which mean IP, ARP, undesirable or malicious traffic and to provide sufficient levels of security without constraining and IPX, respectively. performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest NOTE link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or prefix the client. the defenses all these hexadecimal points is key numbers to creating Using the 0x isHardening common practice when at presenting in an print. effective, all-encompassing network security solution.
When a frame arrives, the data link header is examined and removed, and the resulting datagram is handed off to the proper network layer process. If, for example, the type code were 0x0800, IP would get it. Similarly, type 0x0806 frames would go to ARP, and type 0x8136 frames would go to IPX. Scores of defined numbers exist, but most of them are assigned to companies that no longer exist and are unused. •
Table of Contents
•
Index
Web Security Field Guide
NOTE
BySteve Kalman
Other protocols, Publisher: Cisco Press
such as IBM Token Ring and Datapoint Arcnet, had their own ways of passing data higher up the stack. Neither protocol had numbers listed in the assigned Pub Date: November 08, 2002 numbers' RFCs. ISBN: 1-58705-092-7
Pages: 608
IEEE 802 Working Group The IEEE 802 workingfor group (formed in February 1980)browsers, took on the of standardizing Hands-on techniques securing Windows(r) servers, andtask network communications. network communications. To that end, they subdivided into several subgroups, each with a specific responsibility. Table 1-4 lists the original subgroups. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Table 1-4. Initial 802 Working Groups Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations IEEE Number Responsibility Improve security at the end Administration user's workstation, including web browsers, desktops, and 802.1 laptops 802.2[1] Logical Link Control Evaluate [2] the pros and cons of installingaccess a certificate server and becoming your own 802.3 CSMA/CD (Ethernet) Certification Authority 802.4 Token Passing Bus Learn the Cisco PIX Firewall and Cisco IOS Ring Firewall architecture and how to apply Cisco 802.5 Token Passing standard and extended access lists Discover ways to test the current state of security and keep it up to date [1]
ANSI developed the standard for FDDI. It is also a MAC sublayer definition, expecting an 802.2 LLC to support it.
Learn to engage end users as part of the overall network security solution [2]
Modern Ethernet cards are capable of handling Ethernet II and 802.3 Ethernet concurrently. Windows
Whilesystems the Internet transformed and the waybut wecan dobebusiness, vast and default has to sending Ethernet II andimproved listening for either, configuredthis to use onenetwork or the other its associated exclusively.technologies The only trick have is that opened both sender theand door receiver to anmust increasing agree. number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating IEEE 802.3, or .4,malicious and .5 alltraffic defineand theto MAC portion of the data link header. Both theconstraining format and undesirable provide sufficient levels of security without size vary based on the particular access method. However,become all versions feed into a standard performance or scalability. The more reliant organizations on the Internet to perform 802.2 LLC or header. daily jobs conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the NOTE or the client. Hardening the defenses at all these points is key to creating an web server, effective, all-encompassing network security solution.
Both DIX and IBM released some of their patents to the public domain and, as a result, the IEEE standards are quite close to the proprietary versions; in many cases, they can coexist on the same physical network. Datapoint (who had a 70 percent market share at that time) refused to do the same. There was only one 802.4 large-scale experiment (at General Motors) before it faded away. Today, the vast majority of installations are Ethernet-based. •
Table of Contents
•
Index
Web Security Field Guide Table 1-5 shows the fields
in the 802.3 header. If you compare it to Table 1-3, you see that they have By Steve the Kalman same number of bytes. The difference is that the last two bytes in the 802.3 header are the length of the entire frame rather than a type code. Because the lowest type code is hexadecimal 0800, Publisher: Cisco Presswhich is equal to decimal 2048 and is far larger than the maximum Ethernet frame, there is no potential for confusion. Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Table 1-5. Fields in the 802.3 MAC Sublayer Header DestinationMAC SourceMAC Length Code Hands-on techniques for securing Windows(r) servers, browsers, and network communications. 6 bytes 6 bytes 2 bytes Create effective security policies and establish rules for operating in and maintaining a securityThe 802.2 LLC conscious sublayer isenvironment made up of three fields: Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Source Service Access Point (SSAP) Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP (DSAP) server installations Destination Service Access Point Improve Control security at the end user's workstation, including web browsers, desktops, and laptops The SSAP serves the same purpose for LLC as the Type field does for Ethernet. However, Evaluate the one prosbyte andlong, cons the of installing a different. certificateIn server and own because it is only codes are almost allbecoming cases, theyour DSAP is the sameCertification value as theAuthority SSAP. Table 1-6 lists the most common values. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
Table 1-6. Most Common SAP Values
Learn to engage end users as part of the overall network security solution Code Meaning While the Internet has transformed and improved the way we do business, this vast network and 04associated technologies have opened the door IBM its to SNA an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating 06 IP undesirable or malicious traffic and to provide sufficient levels of security without constraining 80 3Com performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just AA SNAP as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a BC Banyan and technologies that protect data market leader in the development and sale of products traveling across the Internet. Yet a network security E0 Novellsolution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Figure 1-2 shows the relationship between 802.2 and the separate MAC sublayers and compares it to Ethernet II. Both the 802.2 and Ethernet II layers deliver datagrams to the network layer.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
NOTE Create effective security policies and establish rules for operating in and maintaining a The LLC Control field can be used to establish either of two classes of service. The first, security- conscious environment called Type I, is connectionless service. It works on a best efforts basis. The other, called Type II, is connection-oriented. It is based on SDLC (as developed by IBM in the Learn how to harden Windows multi-user platforms, including NT, 2000, and XP 1960s) and requires acknowledgment of frames sent and received. Because TCP also provides connection-oriented service, IP implementations Type Understand secure installation optionsmost for Windows web serversrely andon how to I. enhance However, some of the non-TCP/IP suites installations do not have a TCP equivalent and need Type security on existing web and FTP server II services. Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Network Layer Headers Certification Authority It might come a surprise, but nearly everyone runs multiple network layer The Learn theas Cisco PIX Firewall and Cisco IOS Firewall architecture and howprotocols. to apply Cisco obvious one is and IP. Less obvious, but lists still part of the TCP/IP suite, is ARP. In addition, it is standard extended access certainly possible and very common to run other networking protocols, such as Novell's IPX or IBM'sDiscover SNA. Because ways to the test Internet the current runs on state IP, of those security otherand networking keep it up protocols to date aren't discussed any further here. Learn to engage end users as part of the overall network security solution The data link layer uses the Ethertype or DSAP fields to determine which of the network layer While the should Internet has transformed and improved the way do business, this DSAP vast network and protocols get the datagram. Note that for TCP/IP onwe non-DIX networks, would have its associated technologies have opened the door to an increasing number of security threats. 0xAA and the Sub Network Access Protocol (SNAP) header would have the SAP value. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform IP daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a IP provides connectionless, best efforts service, routing and and technologies fragmentation, and reassembly. market leader in the development and sale of products that protect data Table 1-7 shows the fields in the IP header. traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Table 1-7. Fields in the IP Header Field Name
Purpose
Version
Always four.
IP Header Len
Length of this header in 4-byte words.
•Type of Service Tableor of Contents Originally intended to prioritize traffic based on delay, throughput, •Differentiated Index Services reliability, and cost. Widely ignored for years, it has been repurposed Web Security Field Guide
to indicate network congestion.
By SteveLength Kalman Total
Length of the entire datagram; maximum value is 65,535 bytes.
Identification
Publisher: Cisco Press
A unique number assigned to each datagram. (All fragments of a single datagram have the same ID.)
Pub Date: November 08, 2002
Flags
ISBN: 1-58705-092-7 Pages: 608
Fragment Offset
The flag can be marked as either: DF=Don't Fragment or MF=More Fragments. Gives this fragment's starting point in the reassembly buffer.
Time to Live (TTL)
Originally intended as a timer, now the TTL is decremented at each router. When zero, the packet is discarded. The TTL prevents endless circulation in the event of routing loops. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Protocol Says which transport layer service to deliver the packet to. Header Checksum For error recognition. Create effective security policies and establish rules for operating in and maintaining a Source Address IP address of the interface on the sending machine used to transmit securityconscious environment the datagram. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Destination Address IP address of the interface on the receiving machine to which the datagram was sentfor Windows web servers and how to enhance Understand secure installation options security on existing web and FTP server installations Options Optional, maximum size is 40 bytes. This field is used to implement IP source routing. Improve security at the end user's workstation, including web browsers, desktops, and laptops IP packets do, the of course, traverse Internet. As a result, thereand are becoming a few security Evaluate pros and cons ofthe installing a certificate server your own considerations: Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Oversized packets— The maximum packet size is 65535 (216 )-1. A packet that exceeds standard and extended access lists that size can crash a computer. The Ping-of-Death was a famous hack that caused many computers running IP the (notcurrent just Windows to hang, or produce unexpected Discover ways to test state ofmachines) security and keep itreboot, up to date results. Most modern operating systems are now immune to this problem, but old (unpatched) Windows 95 and systems couldnetwork still be vulnerable. Learn to engage end users as NT part4 of the overall security solution routing— Before routers invented, datagrams were sentthis across Internet WhileSource the Internet has transformed andwere improved the way we do business, vastthe network and with the addresses of have the gateways (traversal listed innumber the IP header Options field. its associated technologies opened the door topoints) an increasing of security threats. Although for it hasn't been used forencourage many years, the to feature is still available. On The challenge successful, public(legitimately) web sites is to access the site while eliminating Cisco routers, you should this option by using the of nosecurity ip source-route command. undesirable or malicious traffic disable and to provide sufficient levels without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Ping of Death RFC 791 says that IP packets can be no longer than 65,535 bytes including the IP header length (20 octets if no options are present). All the data link protocols have sizes (1500 octets is common), so larger packets must be • maximum frame Table of Contents fragmented. That's the network layer's job, and IP will do this. Packets have to be • Index reassembled at the destination and, again, IP can handle it. Fragmentation is Web Security Field Guide normally done by routers along the path but can also be handled by the sending BySteve Kalman host. IP Publisher: uses theCisco Identification, Press Fragment Offset, Flags, and Length fields to do the reassembly. Pub Date: November 08, 2002 ISBN: 1-58705-092-7
The ping program uses ICMP messages. The ICMP header is 8 octets. A quick Pages: 608 calculation (65,535 less 20 less 8 = 65,507) gives the maximum number of octets that can be sent via the ping program for the destination to return. Attempting to send more might overflow the destination's buffers. This works because the last fragment might have a valid offset and a size such that (offset + size) > 65,535. A simple command that generates this invalid packet by sending more than 65,507 Hands-on for securing Windows(r) servers, browsers, and network communications. octets of techniques data follows: Create effective security policies and establish rules for operating in and maintaining a conscious environment pingsecurity–l 65510 your.test.IP.Address Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations You can try this on your test machine if you want. Just be prepared for a crash. You needImprove a Windows 95 oratNT 4 PC no workstation, service packsincluding applied to getbrowsers, an unpatched security the endwith user's web desktops, and Ping.exe. The ping program that comes with Windows 2000, for example, issues an laptops error message if the data size is more than 65,500. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
ARP Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists To communicate from one host to another across a network, the sending station needs to know Discover ways to address. test the current state security and keep up of to the date the destination's MAC Although the of Data Link headers forit all Broadcast Multiple Access (BMA) LANs (Ethernet, Token Ring, and FDDI) differ, they all have at least one thing in Learn to engage end station's users as MAC part of the overall network security solution common—the destination address is at or near the start of the frame and precedes the source address. While the Internet has transformed and improved the way we do business, this vast network and its technologies have the door anknow increasing number of security threats. is Theassociated protocol used to resolve MACopened addresses whento you only the destination's IP address The challenge for successful, public web sites is to encourage access to the site while eliminating called the Address Resolution Protocol (ARP). Table 1-8 lists the fields in the ARP request. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and Fields sale of products technologies Table 1-8. in theand ARP Header that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Field Name
Purpose
Hardware Address Type
1 = Ethernet II, 6 = 802.2
Protocol Address Type
Always = 0x0806
Hardware Length
Length of the MAC address = 6
Protocol Length
Length of the IP address = 4
•
Table of Contents
•
Index
Operation
1 = Request, 2 = Reply
Source MACField Guide Web Security
MAC address of sending station
By Source Steve Kalman IP Address
Sending station's IP address
Destination MAC Publisher: Cisco Press
Destination IP Address Pub Date: November 08, 2002
Unknown address, typically all 1s, occasionally all 0s Destination station's IP address
ISBN: 1-58705-092-7 Pages: 608
ARP has its own Ethernet type code (0x0806), so when the data link layer is ready to hand off the datagram to the network layer, it goes to ARP rather than to IP. When a station needs to determine the MAC address of another station (assuming it already knows the IP address), it constructs an ARP Request using the destination MAC broadcast Hands-onWhen techniques for securing Windows(r) servers, browsers, network address. it transmits that frame, every station receives andand processes it,communications. but only the station whose IP address matches the destination IP address in the ARP header constructs an ARP reply. It places the MAC address it found in the request's Source MAC address field into the Create MAC effective establish for operating in field. and maintaining a Destination field security and putspolicies its ownand MAC addressrules into the source MAC security- conscious environment Both stations cache the IP address/MAC address pair to facilitate continued communications. to harden multi-usersystems), platforms,the including and XP After Learn a timehow (it varies with Windows different operating addressNT, will2000, be flushed. Understand installation options for networks Windows (ARPs web servers and how to enhance Because the MAC secure address is used only on local don't cross routers), there is little security on existing web and FTP server installations security risk. The small risk that does exist comes from the capability to enter a static (permanent) MAC address into a Windows Registry. Should a bogus address get entered Improve security at the end user's workstation, including web browsers, desktops, and (perhaps the MAC address for the default gateway's IP address), data would be misdirected. This laptops is unlikely and requires access to the user's PC with administrative privileges. Programs such as ISS Internet Security") canyour alertown you to this EvaluateScanner the pros(described and cons in of Chapter installing3,a "Windows certificate System server and becoming risk. Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standardLayer and extended access lists Transport Headers Discover ways to test the current state of security and keep it up to date When IP is finished with a datagram, it strips off its header and delivers the packet to the transport headerend indicated by part its Protocol field. The most security commonsolution protocols are TCP and Learnlayer to engage users as of the overall network UDP, but other protocols also run just above IP. The IGRP, EIGRP, IS-IS, and OSPF routing protocols not use TCP or the standard transportthe layer header. does on whichand While the do Internet has transformed and improved way we do Neither business, thisICMP, vast network ping is based. technologies have opened the door to an increasing number of security threats. its associated The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just NOTE as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data The other two main routing protocols are RIP and BGP. RIP runs over UDP on port 520. traveling across the Internet. Yet a network security solution is only as strong as its weakest BGP runs over TCP on port 179. link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
TCP Transmission Control Protocol (TCP) is a robust, feature-laden transport protocol. Through it, hosts can provide error-checked, guaranteed delivery of messages to application layer protocols. Table 1-9 lists and describes the fields in the TCP header. Two of those fields are Source Port and Destination Port number, and some of the most common ones are described in Table 1-10. •
Table of Contents
•
Index
Web Security Field Guide BySteve Kalman
Publisher: Cisco Press
Field Name
Table 1-9. Fields in the TCP Header Purpose
Pub Date: November 08, 2002
Source Port1-58705-092-7 The port number used by the application layer protocol that generated the ISBN: packet. Pages: 608 Destination Port
The port number used by the application layer protocol that is intended to receive the message. Some common TCP port numbers are listed in Table 1-11.
Sequence Number A 32-bit field that is incremented for each byte that is successfully Hands-on techniques for securing Windows(r) browsers, and recognize network communications. transmitted. Through it, servers, the receiving host can the occurrence of a missing packet. Acknowledgment Create effective security A 32-bitpolicies field that and is establish incremented rules forfor each operating byte that in and is successfully maintaining a Number security- conscious received. environment Through it, the sending host can recognize that transmitted data was not received. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Offset Number of 4-byte words in the TCP Header (minimum = 5). Understand secure installation for Windows web Notification servers andishow to enhance Reserved Four bits set tooptions zero unless Congestion enabled, in which security on existing web and FTP server installations case the bits indicate that the receiver has cut the window size in half. FlagsImprove securitySix bitsend whose settings control the flow ofweb data. They aredesktops, describedand in at the user's workstation, including browsers, more detail in Table 1-12. laptops Window A number representing the number of bytes that the receiver is willing to Evaluate the pros and cons of installing a certificate server and becoming your own accept at the current time. TCP lowers this size when data is threatening Certification Authority to overwhelm the input buffers. Learn the Cisco PIX Firewall and Cisco IOS Firewall Checksum Used to validate the entire packet. architecture and how to apply Cisco standard and extended access lists Urgent Pointer Offset into the data pointing to the byte following the urgent data. Only when the Urgent flag is set to 1. keep it up to date Discover ways tovalid test the current state of security and Options Generally used in the beginning of conversations to negotiate maximum Learn to engage message end usersand as part of the overall network security solution window sizes (optional). While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining Table 1-10. Common TCP Port Numbers performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
TCPPort Number
Corresponding Application Protocol
7
Echo
13
Date and Time
17
QOTD (Quote of the day)
19
Chargen (Character generator)
•
Table of Contents
•
Index
20
ftp-data
21 Security Field Guide Web
ftp
By 23 Steve Kalman
Telnet
25
Smtp Publisher: Cisco Press
37 Pub Date: November 08, 2002
Time
53
Domain (updates)
80
ISBN: 1-58705-092-7 Pages: 608
http
139
netbios-ssn
179
BGP
443 HTTPS (SSL) Hands-on techniques for securing Windows(r) servers, browsers, and network communications. The first Create foureffective items in security Table 1-10 policies are known and establish as the TCP rulesSmall for operating Services.in They andcan maintaining typically be a foundsecurityin both hosts conscious and routers. environment Although useful at one time (mostly for testing), they are no longer appropriate in a modern environment. Even worse, they are well-known homes of severe Learn how to harden Windows multi-user platforms, 2000,not andused. XP Uninstall security holes that have not been patched, mostly becauseincluding they are NT, typically them at your first opportunity. Chapter 3 tells you how. Understand secure installation options for Windows web servers and how to enhance security on server installations Port numbers areexisting divided web into and two FTP groups. Those under 1024 are reserved and are assigned only by the Internet Assigned Numbers Authority (IANA, cited in the Ethernet Header subsection). security at the end user's workstation, browsers, desktops, and They Improve are known as well-known ports. Numbers aboveincluding 1024 areweb known as ephemeral. When laptops connecting to a server, the client uses the server's well-known port as the destination port and picks an ephemeral port for the server to use for return traffic. It places that ephemeral port Evaluate prosPort andfield. cons One of installing a certificate server and your own number in the the Source of the jobs of both firewalls andbecoming access lists is to permit or Certification Authority deny traffic based on examination of the port numbers. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date NOTE Learn to engage end users as part of the overall network security solution Because of the time delay between applying for a reserved number and actually getting from IANA, many vendors simply use an arbitrary number from the ephemeral Whileitthe Internet has transformed and improved the way we do business, this vast network and range. This can work when the vendor is the exclusive supplier of bothofthe serverthreats. and its associated technologies have opened the door to an increasing number security client application software. RealAudio is an example. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Another essential-to-understand field in the TCP header contains the six flag bits. Table 1-11 as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a lists and describes them. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Table 1-11. Flags and Meanings Flag Name
Interpretation (when = 1)
Urgent (URG)
Urgent Pointer is Valid (rarely used)
Acknowledgment (ACK)
Acknowledgment Number is Valid
•
Table of Contents
Push (PSH) Index Web Security Reset (RST)Field Guide
Flush send queue on network or flush receive queue to the process
BySteve Kalman
Request to establish a connection or part of a positive response to that request
•
Synchronize (SYN) Publisher: Cisco Press
Finish (FIN)
Tear down the connection
Done with transmission
Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
TCP uses the flags to set up, confirm, use, complete, and tear down a connection. Table 1-12 shows some of the key fields and flags used during the life of a connection. A simple Telnet session is used as an example. (The presence of the first letter of a flag's name means it is set to one. If absent, the flag is set to 0.) Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish for operating in and maintaining a Table 1-12. Using Flags to rules Manage a Connection security- conscious environment Source Destination Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Frame Port Port Flags Comment Understand secure installation options for Windows web servers and how to enhance 1 2000on existing 23 to start a connection. Client arbitrarily security web and SFTP server Request installations picks an ephemeral port. First leg of three-way handshake. Improve security at the end user's workstation, including web browsers, desktops, and laptops 2 23 2000 S A Server acknowledges client's packet and requests to open a connection to client: second leg of a Evaluate the pros and cons of installing a certificate server and becoming your own three-way handshake. Server places the sequence Certification Authority number from client (adds 1 in some cases) in the acknowledgment number field and its own Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how toselects apply Cisco arbitrary sequence. standard and extended access lists 3
2000 23 A Client acknowledges server's packet: third and Discover ways to test the current state of security and keep it up to date final leg of a three-way handshake. Client places the sequence number from the server (adds 1 in Learn to engage end users as part of the overall network security solution some cases) in the acknowledgment number field. The TCP now open for data flow. and While the Internet has transformed and improved the connection way we do is business, this vast network its have opened to an increasing number of security threats. 4 associated 23 technologies 2000 A the door Servers often send the application's banner. The challenge for successful, public web sites Because is to encourage access to the site while eliminating of the security vulnerability, this packet undesirable or malicious traffic and to providemay sufficient not belevels sent. of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform 5 23transactions, the A greaterClient sends data or data request.security has. Just daily jobs2000 or conduct the impact a breach of network as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a 6 23 in the 2000 A sale ofServer responds. Steps 5 and 6 repeat often as market leader development and products and technologies that protectas data necessary. traveling across the Internet. Yet a network security solution is only as strong as its weakest link. can occur at any including network connection, the firewall, the 7 Network 23 attacks 2000 A point, F P Either sidethe can terminate the connection. web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
8
2000
23
A
Acknowledgment of connection termination. The other end may still have data to send, so it may not send FIN. This is called graceful close in TCP.
9
2000
23
A F
Connection termination from this (can be either, but usually client's) end.
10
23
2000
•
Table of Contents
•
Index
R This is for recovering from errors and is not used in normal operation. Connection is forcibly reset.
Web Security Field Guide By Steve Kalman Although using
a flag to manage a connection works flawlessly in normal situations, would-be intruders have figured out how to subvert it for their own use. They construct a frame like the firstPublisher: one shown in Table 1-13, send another frame just like it but with a different source port, Cisco Press thenPub another, and so To hide their tracks, they forge someone else's IP address in the Date: November 08,on. 2002 Network Layer header, making it nearly impossible to trace the intruder's actual source address. ISBN: 1-58705-092-7 Pages: 608
Every time one of those frames arrives, the server sets aside memory and other resources to prepare to satisfy the expected upcoming request. If enough of these half-connections arrive in too short a time, the server runs out of space in the listening queue, preventing legitimate connections to that port on the server. This is known generically as a Denial of Service (DoS) attack. Its formal name is a SYN flood attack. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Web servers are often far more powerful and have much faster Internet connectivity than a single hacker's resources. This makes the large-scale server more impervious to attack. As a Create effective securityHackers policiesfirst anddistribute establish rules for operating in and result, the stakes escalated. a Trojan (see Chapter 11, maintaining "Maintaininga securityconscious environment Security," for definition, details, prevention, and detection discussions) to hundreds or thousands of machines. The Trojan does nothing but monitors the connection, waiting for a command to tell Learn howAttothat harden Windows multi-user NT, attack. 2000, and XP it to go active. moment, all the infected platforms, computersincluding begin a DoS Collectively, this is known as a Distributed Denial of Service (DDoS) attack, and it can be very effective. One of Understand secure installation options for Windows web servers and how to enhance the best-known DDoS events was the simultaneous crippling of eBay, Amazon, and Yahoo in security on existing web and FTP server installations February 2001. Chapter 10 shows how to protect your systems against this misuse of TCP.
UDP
Improve security at the end user's workstation, including web browsers, desktops, and laptops
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority User Datagram Protocol (UDP) is far, far simpler than TCP. It does its work with a mere four fields.Table 1-13 lists them. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
Table 1-13. Fields in the UDP Header
Learn to engage end users as part of the overall network security solution While Internet has transformed and improved the way we do business, this vast network and Field the Name Purpose its associated technologies have opened the door to an increasing number of security threats. Source Port The port number used by the application layer protocol that generated the The challenge for successful, public web sites is to encourage access to the site while eliminating packet. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance scalability. The more become on the Internet to perform Destination or The port number usedreliant by theorganizations application layer protocol that is intended to daily transactions, the greater the impact a breach of network security has. Just Port jobs or conduct receive the message. Some common UDP port numbers are listed in Table 1-14. as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Length Length of the packet, including the transport header. market leader in the development and sale of products and technologies that protect data traveling acrossFor thevalidation. Internet. Yet a network security solution is only as strong as its weakest Checksum link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Table 1-14. Common UDP Port Numbers UDP Port Number
Corresponding Application Protocol
53
DNS (Inquiry)
67
•
Table of Contents
•69
Index
Web Security Field Guide
123
BySteve Kalman
161, 162
BOOTP (Used by DHCP) Trivial File Transport Protocol (TFTP) Network Time Protocol (NTP) Simple Network Management Protocol (SNMP)
Publisher: Cisco Press Pub Date: November 08, 2002
Application designers, when deciding to use TCP or UDP, check whether or not TCP and its ISBN: 1-58705-092-7 attendant overhead are required. The three general circumstances where that will be the case follow:Pages: 608 When packet loss is acceptable— For example, a DNS inquiry needs no acknowledgment. Should a reply not be forthcoming, the requesting station merely asks again. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. When the data recovery would be useless— For example, a network time request handled by TCP would recover a lost and have retransmitted. result would Create effective security policies and packet establish rules forit operating in andThe maintaining a be the time server's reply to the original request, but received after the delays imposed by the security- conscious environment error recovery functions. Issuing a new request is far more accurate. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP When the application has its own data recovery and acknowledgment process— For example,secure TFTP has both acknowledgment and request for retransmission built in. Understand installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
TIP
Evaluate the pros and cons of installing a certificate server and becoming your own It is often said that the voice over IP (VoIP) protocol has built-in error transmission Certification Authority above the application layer. If either caller doesn't understand the other, error recovery Learn theisCisco initiated PIX by Firewall sending anda Cisco "What?" IOSmessage. Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
ICMPLearn to engage end users as part of the overall network security solution As its name While the Internet implies, has thetransformed Internet Control and improved Message the Protocol way we (ICMP), do business, is used to this manage vast network the IP and its associated technologies have opened the door to an increasing number of security threats. network. The challenge for successful, public web sites is to encourage access to the site while eliminating The most common use oftraffic ICMP and is viatothe ping (Packet Internet Groper) program, uses two undesirable or malicious provide sufficient levels of security without which constraining of the ICMP control messages, echo reply. The former is Internet used to ask another IP performance or scalability. Theecho morerequest reliant and organizations become on the to perform machine latter. In more detail, the a host thatawants toof test IP connectivity sends an daily jobstoorgenerate conduct the transactions, the greater impact breach network security has. Just ICMP echo requesthas to another The receiving host constructs an ICMPbusiness, echo reply sends as Cisco Systems been an host. innovator in using the Internet to conduct so and too is it a it to theleader host that started the process. market in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest Because ICMPattacks uses IPcan as its network protocol, it is a routable protocol. link. Network occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an Table 1-15all-encompassing lists the fields in network the ICMPsecurity header solution. and Table 1-16 expands on two of them, the Type effective,
and Code fields.
Table 1-15. Components of the ICMP Header •Field NameTable Purpose of Contents •
Index
Type
Defines the meaning of the message or the category of the message type
Web Security Field Guide
Code
For some types, further defines the message
Checksum
Validates the whole ICMP packet
BySteve Kalman
Publisher: Cisco Press Message Data that assists in dealing with the type and code Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Table 1-16. ICMP Header Type and Code Fields Type Code Meaning Hands-on techniques for securing Windows(r) servers, browsers, and network communications. 0 0 Echo Reply 3 3
0 Networksecurity Unreachable Create effective policies and establish rules for operating in and maintaining a securityconscious environment 1 Host Unreachable
3
2 Protocol Unreachable Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
3
3 Port Unreachable Understand secure installation options for Windows web servers and how to enhance security 4 on Fragmentation existing webNeeded and FTPand server DF Bit installations Set
3 3 3 3 3 3
5 Source Improve securityRoute at theFailed end user's workstation, including web browsers, desktops, and laptops 6 Destination Network Unknown 7 Destination Host Unknown Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority 8 Source Host Isolated
3
9 Administratively Prohibited Learn theNetwork Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists 10 Host Administratively Prohibited
3
Discover 11 Network ways to test Unreachable the current for state TOS of security and keep it up to date
3
12 to Host Unreachable TOS of the overall network security solution Learn engage end users for as part 3 13 Communication Administratively Prohibited While the Internet has transformed and improved the way we do business, this vast network and 4 associated 0 Source Quench its technologies have opened the door to an increasing number of security threats. The challenge for successful, public sites is to encourage access to the site while eliminating 5 0 Redirect Datagram forweb Network undesirable or malicious traffic and to provide sufficient levels of security without constraining 5 1 Redirect Datagram for Host performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just 5 2 Redirect Datagram for TOS and Network as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a 5 3leaderRedirect Datagram for TOS and market in the development and sale of Host products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest 8 0 Echo Request link. Network attacks can occur at any point, including the network connection, the firewall, the 9 server, 0 Advertisement web orRouter the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
10
0
Router Selection
11
0
Time to Live Exceeded in Transit
11
1
Fragment Reassembly Time Exceeded
12
0
Parameter Problem
12
0
Missing a Required Option
•
12
•
2
Table of Contents
Bad Length
Index
13 Security 0 Timestamp Web Field Guide By 14 Steve Kalman 0
15
0
Request
Timestamp Reply Information Request
Publisher: Cisco Press
16 Pub Date: 0 Information Reply November 08, 2002 17 18 30
ISBN: 0 1-58705-092-7 Address Mask
Request
Pages: 608
0
Address Mask Reply
0
Traceroute
Most sites techniques prohibit ICMP to and fromservers, the Internet as a security precaution. ICMP Echo Hands-on for messages securing Windows(r) browsers, and network communications. Requests can use and even overwhelm border router resources, causing a Denial of Service. ICMP Redirects can corrupt host routing tables; Traceroutes can divulge internal network configuration, Create effective which can security be used policies to plan andother establish attacks. rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Shims Carpenters use shims. They're small pieces of wood that are shoved between doorjambs or windows and the wall or floor into which the doors are being installed to ensure a perfectly square and level installation. •
Table of Contents
• Index In the area of computer technology, shims are pieces of code inserted between two other Web Security Guide programs toField make sure that the output of one matches the expected inputs to the other. BySteve Kalman
IP Security (IPSec) is a shim. It fits between the network and transport layers and provides confidentiality, integrity, and authenticity by defining a Security Association (SA). The SA defines Cisco Press the Publisher: encryption algorithm and the keys to be used by running the Internet Key Exchange (IKE) Pub Date: 08, 2002 protocol, orNovember by referring to a shared key (that is, one already known by both sender and ISBN: 1-58705-092-7 receiver).Figure 1-3 shows the modification to the headers and is called the IPSec transport mode.Pages: The original 608 header structure for a TCP transport is shown in line 1. In line 2, the TCP header and data can be encrypted based on information held in the Encapsulating Security Payload (ESP) header. The entire packet can additionally be integrity-checked and authenticated based on information held in the Authentication Header (AH) or in the ESPv2 authentication field. Encryption and authentication can be used together or separately. AH and ESP headers provide sequence numbering that Windows(r) protects against replay attacks.and Thenetwork details of how they work Hands-on techniques for securing servers, browsers, communications. are beyond the scope of this book, but if you are interested, start with RFCs 2401, 2402, and 2406. Together, they define IP security. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and IPSec XP Figure 1-3. Providing Integrity and Confidentiality with Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and Because of thetechnologies addition of several bytes of and many data frames might need to its associated have opened theheader door to antrailer, increasing number of security threats. be This adds to the already additional overhead involved encrypting Thefragmented. challenge for successful, public web sites is to encourage access tointhe site whileand eliminating decrypting undesirablepayloads. or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data TIPacross the Internet. Yet a network security solution is only as strong as its weakest traveling link. Network attacks can occur at any point, including the network connection, the firewall, the IPSec isor used way, known IPSec Tunnel mode.points It adds a new IP headeranto web server, the another client. Hardening theas defenses at all these is key to creating the original datagram. ESP then encrypts the entire original frame, including the effective, all-encompassing network security solution.
original IP header. This is useful in two cases: A device, such as a router or firewall, is providing the IPSec functionality. This is most often used for network-to-network virtual private networks (VPNs). It is impossible to add software to a device that would cause the IPSec header to be inserted. This is common when dealing with older, legacy devices. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Above the Transport Layer Many of the protocols that run above the transport layer have built-in security weaknesses. This section examines enhancements or alternatives to those protocols that shore up the problems. •
Table of Contents
•
Index
Web Security Field Guide
NOTE
BySteve Kalman
Some protocols that might have been discussed in this section, such as FTP and TFTP, are covered in detail in later chapters. To avoid excessive overlap, they have been Pub Date: November omitted here. 08, 2002
Publisher: Cisco Press
ISBN: 1-58705-092-7 Pages: 608
Telnet Telnet is a simple remote terminal protocol that is included with the TCP/IP suite. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. In the early days of mainframe and minicomputer technology, it was common to use dumb terminals (essentially, a keyboard and screen connected by dedicated cable) as user Create effective security policies and establish rules for operating in and maintaining a workstations. With the advent of the ARPANET (the Internet's predecessor) and the proliferation security- conscious environment of microcomputers, it became necessary to provide software that mimicked a dumb terminal. That software is to Telnet. Learn how harden Windows multi-user platforms, including NT, 2000, and XP TelnetUnderstand survives today in many forms.options Every operating system vendor supplies client, secure installation for Windows web servers and how atoTelnet enhance and most supply Telnet servers. Remote connections to Cisco routers and switches, for example, security on existing web and FTP server installations can be made using Telnet. Improve security at the end user's workstation, including web browsers, desktops, and Telnetlaptops has no built-in security. Everything (including authentication) is transmitted in the clear. This was appropriate when the connections were made with special-purpose cables and wiring systems that did allow the media. In today's networked environment, this is a Evaluate thenot pros andsharing cons of of installing a certificate server and becoming your own significant risk. Certification Authority Figure 1-4 shows an Ethereal capture a Telnet session architecture between a host router. Learn the Cisco PIX Firewall and of Cisco IOS Firewall andand howato apply The Cisco screen also shows Ethereal optionlists that causes the data to be reconstructed and presented in a standard and an extended access separate window. Figure 1-5 depicts that reconstruction. The important thing to notice is that both the user access and privileged passwords are sent and and keep displayed Discover ways to test the current state of security it up in to the dateclear. Learn to engage end users as part of the overall network security solution While Figure the Internet hasEthereal transformed and improved the way we TCP do business, thisRecovery vast network and 1-4. Program Requesting Stream its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn1-5. how to harden Windows multi-user platforms, including NT, 2000, andPasswords XP Figure Reconstruction of the Telnet Session, Including Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
TIP Boxes at the end of user input in Figure 1-5 represent carriage returns and line feeds. Remote echo causes double characters. •
Table of Contents
• Index of Telnet exists. When security is required, you can run the session over a No secure version Web Field Guide VPN,Security use IPSec, or use
SSH if the client and server support it. (Some, but not all, Cisco IOS versions By Steve Kalman have SSH support.) In addition, NICs made by Intel (and others) facilitate establishing an IPSec session between any two hosts. Although this would not help when accessing a router, it could be used to secure PC-to-PC communications. Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7
HTTPPages: 608
HTTP is based on TCP running over IP and simulates a dumb terminal connection. Data returned by the HTTP server is formatted in a language called Hypertext M arkup Language (HTML). This is a byte stream of ASCII characters with embedded formatting control commands. Over time, HTML was techniques extended tofor provide additional, compute-intensive resources. Hands-on securing Windows(r) servers, browsers, and network communications. The HTTP process starts with a client making a TCP/IP connection to the host's IP address and port number. If the port number is notand specified, therules default is 80. In most cases, the server Create effective security policies establish for operating in and maintaining a accepts the connection. security is in place (described in Chapter 5, "Enhancing Web Server securityconsciousIfenvironment Security"), the web server checks to see if the client is authorized before allowing access. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP After the TCP/IP connection is established, the client sends a document request consisting of several lines (the secure last of installation which must options be blank) ASCII characters, each by a CR LF Understand forof Windows web servers andterminated how to enhance (carriage return, line feed) pair. Typically, thisinstallations request consists of the word GET, a space, the security on existing web and FTP server document address, and the version of HTTP. The response to a simple GET request is an HTML Improve security at the end user's workstation, including web browsers, desktops, and web page. laptops The server terminates the TCP/IP connection when the entire document has been transferred. Evaluate the prosthe andtransfer cons of by installing a certificate server and becoming your The client might abort breaking the connection before completion by own sending a Certification TCP RST; in whichAuthority case, the server shall not record any error condition. Requests are idempotent. The server need not store any information about the request after disconnection, Learn the Cisco PIX Firewall IOS and Firewall architecture and If how applywants Ciscoto although logging is often done forand bothCisco security marketing purposes. thetoclient standard and extended access lists view a different page from the same web server, the entire process is repeated. From the web server's point of view, no request has any relationship to any other current or previous request. Discover ways to test thesupports current state of security and it to up simulate to date a connectionThe system is stateless. HTTP the use of cookies askeep a way oriented system. (Chapter 7, "Browser Security," discusses cookies in detail.) Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated SSL, TLS, and technologies HTTPS have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious and provide that sufficient levels of security without constraining As the Internet began to traffic be used in to situations required confidentiality, authenticity, and performance or scalability. The more reliant organizations become on the Internet to perform positive identification, a new protocol needed to be created. Netscape (the then leading web daily conduct transactions, thecompany) greater the impactaaprotocol breach of network security has. Just serverjobs andor web browser development created called Secure Sockets Layer as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a (SSL). Over time, Netscape released control of SSL, and the next version, SSLv2 (SSLv3 is now market leader in the development and sale of products and technologies that protect data current), was a joint effort by several major web server vendors. It acts like a shim, operating traveling across Internet. Yet TCP a network is only strongto asSSL, its weakest between TCP andthe HTTP. Because has to security know to solution deliver the dataas directly it has its link. Network attacks can occur at any point, including the network connection, the firewall, own port (443). Figure 1-6 shows how TCP, SSL, and HTTP interact. The combination of SSLthe and web server, or the client. Hardening the defenses at all these points is key to creating an HTTP is known as HTTPS. effective, all-encompassing network security solution.
Figure 1-6. SSL and HTTP Both Rely on TCP
•
Table of Contents
•
Index
Web Security Field Guide BySteve Kalman
Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7
NOTE Pages: 608 Figure 1-1 described several common terms, such as frame and packet. One more term in common use is Protocol Data Unit (PDU). It describes data that is being moved from one protocol to another at the same layer. Figure 1-6 also provides an example of this. The transport layer gave a packet to SSL at the application layer. After SSL decrypted Hands-on for securing servers, browsers,layer. and network communications. it, thetechniques PDU was handed off to Windows(r) HTTP, also at the application It is common practice to draw this handoff as if one protocol was superior or subordinate to the other (based on sequence of events) when, in fact, they're peers. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP SSL's job is to establish secure communications, deliver the server certificate, deliver (if present) the client certificate, verify integrity,options and encrypt or decrypt data stream. Understand secure installation for Windows webthe servers and how to enhance security on existing web and FTP server installations Suppose Melody wants to send a secure message to her brother, Quincy, and wants to be sure that Quincy knows it is at from notworkstation, an impostor.including She would take the following steps: Improve security theher endand user's web browsers, desktops, and laptops 1. Create the message. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority 2. Calculate and append a message digest. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists 3. Encrypt the message digest with her private key. (These first three steps make up what asand a signed Discover ways to test the current stateis ofknown security keep message.) it up to date 4. Append certificate to the (Certificates, along solution with public and private Learn toher engage end users assigned part ofmessage. the overall network security keys are discussed in Chapter 9. They verify the identity of the certificate holder and supply public key.) Whiletheir the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. 5. challenge Contact Quincy to open a session get his and send to her certificate toeliminating him. The for successful, public webtosites is tocertificate encourage access the site while undesirable or malicious traffic and to provide sufficient levels of security without constraining 6. Create aor random key (called a session used onlybecome for this on session. performance scalability. The more reliant key) organizations the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Encrypt the signed message using the session and encrypt the business, session key as7.Cisco Systems has been an innovator in using thekey, Internet to conduct sowith too is it a Quincy's market leader public in the key. development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest 8. Network Transmitattacks the result Quincy. link. canto occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an 9. Quincy can now use Melody's key,solution. obtained from her certificate, to verify the digital effective, all-encompassing networkpublic security
8. 9. signature. Additionally, he will use his private key to decrypt the session key and use the session key to decrypt the message.
To make everyone's lives easier, SSL automates the process. Melody could certainly encrypt the entire message with her private key and then expect Quincy to use her public key to decrypt it. The session key is used to protect her private key. • Table of Contents Cryptographers have long known that the more encrypted text they have on hand, especially if • Index they have matching plaintext, the easier it is to crack the key. Using the method described, the Web Field Guide with the public key is the session key, which is periodically renegotiated. only Security thing encrypted Additionally, By Steve Kalmanyou do not encrypt messages with asymmetric public key cryptography, because it would take about 1000 times longer than using the symmetric session key. In other words, the asymmetric keysPress are used to transmit a session's symmetric key, which is used to quickly Publisher: Cisco encrypt and decrypt the data. Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
NOTE An excellent, very readable book on codes and secret writings is The Code Book by Simontechniques Singh. In for it, he describes how cracking the browsers, German Enigma machine's daily Hands-on securing Windows(r) servers, and network communications. settings was made easier because nearly every message began with the plaintext phrase, "Heil Hitler." Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance NOTE
security on existing web and FTP server installations TLS stands for Transport Layer Security. The following is a quote from its charter. Improve security at the end user's workstation, including web browsers, desktops, and laptops The TLS Working Group was established in 1996 to standardize a 'transport layer' security protocol. The working group began with SSL version 3.0, and in 1999, Evaluate pros and cons ofVersion installing certificate server becoming your own RFC the 2246, TLS Protocol 1.0awas published as aand Proposed Standard. The Certification workingAuthority group has also published RFC 2712, Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) as a Proposed Standard, and two RFCs on the use Learnofthe Firewall and Cisco IOS Firewall architecture and how to apply Cisco TLSCisco withPIX HTTP. standard and extended access lists Notwithstanding the committee members' hard work, the industry has not made the Discover test the currentsupported state of security andservers keep it and up to date shift. SSL ways 3.0 isto still the method by all web web browsers. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. DNS The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining Most of us remember names far better than numbers. We organize our phone and address books performance or scalability. The more reliant organizations become on the Internet to perform by name. TCP/IP does its addressing based on 32-bit binary numbers. For human convenience, daily jobs or conduct transactions, the greater the impact a breach of network security has. Just they're expressed as a series of four decimal numbers, each less than 256. This is called the as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a dotted decimal, or sometimes, dotted quad representation. Although the decimal is easier, market leader in the development and sale of products and technologies that protect data remembering the IP address for each of the sites you'd like to visit is still too hard. traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks the can Domain occur atName any point, including the network connection, thedescribes firewall, the To ease that burden, System (DNS) was invented. The protocol the web server, or the client. Hardening the defenses at all these points is key to creating an syntax and rules that resolve names into IP addresses. Although it originally just encompassed effective, all-encompassing network security solution.
sites in the U.S., it has long since grown into an international system. DNS was developed when security was not a big issue. All of the network users were members of the military-industrial complex or were research professionals. Those days are gone. Unfortunately, the lack of built-in security has made DNS one of the most-often and easily corrupted protocols. The risk posed by insecure DNS is that messages and mail can be diverted. Suppose that the • Table of Contents network administrator at Example Manufacturing Corporation (example.com) wants to talk to its • Index Internet service provider (ISP), Example Internet Co. (example.net). He composes an e-mail Web and Security sends itField off. Guide His mail server sends a DNS query message to its DNS server looking for Example.net's By Steve Kalman mail server IP address. Unknown to sender and intended receiver, an intruder has corrupted that DNS server, replacing the real IP address with one belonging to him. The DNS response toCisco the Press sender's mail server is the bogus address but, because it looks okay, the mail Publisher: getsPub sent to the intruder, who reads it and forwards it to the ISP. Neither of the authorized Date: November 08, 2002 parties is aware that someone is listening in. ISBN: 1-58705-092-7
Pages: called 608 A solution, DNSSEC, is a secure form of DNS that digitally signs its entries and secures the DNS server update process with cryptography. Unfortunately, only two-thirds of the DNS servers on the Internet are using it.
You can find more information on DNSSEC in RFC 3130, a state-of-the-technology informational RFC. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a DHCP security- conscious environment TheDynamic Host provides a way including for PCs and IP-based Learn how toControl hardenProtocol Windows(DHCP) multi-user platforms, NT,other 2000, and XP devices to get a dynamic or static IP address, mask, default gateway, DNS server address, and scores of settings and othersecure information. Understand installation options for Windows web servers and how to enhance security on existing web and FTP server installations Microsoft has a robust, GUI-based DHCP server that is in common use. Other vendors, including Cisco,Improve provide security DHCP services in their routers and firewalls. at the end user's workstation, including web browsers, desktops, and laptops A station configured to use DHCP sends a UDP broadcast to the DHCP port (67) hoping that a DHCPEvaluate server will If cons thereof isinstalling one on the same subnet, it will supplying theanswer. pros and a certificate server andreply, becoming your the own necessary configuration information. Otherwise, a router can be configured to act as a DHCP Certification Authority proxy and forward requests to the actual DHCP server. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco A DHCP server and typically handles onelists or more subnets. Because a DHCP server or a network standard extended access device between the host making a DHCP request and the server might be down, it is common to ways to testThe thetwo current state of security andallocate keep it up to date addresses from have Discover an alternate server. DHCP servers can never overlapping the same subnet. For a given subnet, the primary server allocates at least half (often more) of Learn to engage users asallocates part of the network security solution the addresses, and theend secondary theoverall remainder, if necessary. While transformed way we do business, vastby network Figurethe 1-7Internet shows ahas sample network and withimproved two DHCPthe servers. OSPF Area 1 is this served its ownand its associated technologies have opened the door to an increasing number of security threats. DHCP server. A backup DHCP server is located in Area 0. Router 1A will be configured so that it The challenge successful, public web sites is toon encourage while eliminating forwards DHCPfor requests to both servers for hosts Net1 andaccess Net2. to In the the site normal case, both undesirable or malicious traffic and to provide sufficient levels of security without constraining respond. The client acknowledges the first response but not the second. Because the in-area performance or scalability. The more organizations become on the Internet to perform server is closer, it will be the one thatreliant answers first and whose address is used. However, if it daily jobs or conduct transactions, the greater the impact a breach of network security has. Just becomes unavailable, the Area 0 server allocates an address. as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point,Primary including the network connection, the firewall, the Figure 1-7. Configuration with and Secondary DHCP Servers web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
The risk that comes from DHCP is Windows(r) that open Ethernet such as those oftencommunications. found in Hands-on techniques for securing servers,ports, browsers, and network conference rooms, can be used by visitors to gain access to the internal network. These ports should always be switched so that an unauthorized monitor cannot see any other traffic on the Create effective policies establishfrom rules for operating in andtomaintaining a network. Rather than security forwarding DHCPand addresses those exposed ports the main DHCP securityconscious environment server, the nearest router should supply the DHCP address from a range of addresses that aren't used for trusted locations. That way, you can write filters that give access to the Internet, to Learn how toservers, hardenor Windows platforms, printer, including NT, and XP services. selected intranet perhapsmulti-user a network-attached but not2000, to any other Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
NAT
Improve security at the end user's workstation, including web browsers, desktops, and Whenlaptops the designers of ARPANET (Bolt, Baranek, and Newman, later to become BBN Planet) first worked on the defense department contract, they elected to use a 32-bit field for addressing. the pros and cons of installing a certificate server and becoming your own They Evaluate chose that size because it was easy to manipulate 32-bit words in the computer they were Certification Authority using for development. The original contract specifications called for "a few dozen" locations. Learn the Cisco PIX Firewall Cisco and IOS HTTP Firewall architecture and howand to apply Ciscoto Until the Internet grew out of the and ARPANET became such a popular easy way standard and extended access lists communicate, this addressing plan was sufficient. As late as mid-1992, only two percent (approximately 40,000) of all Class C addresses and approximately half of all the Class Bs Discover ways to test the current state of security and keep it up to date (approximately 15,000) had been allocated. That all changed within a few short years. The explosive of the Internet threatened to overall use up network all of thesecurity addressable space. Learngrowth to engage end users as part of the solution The publication of RFC offered and a solution wherein an entire A address (10.0.0.0), While the Internet has 1918 transformed improved the way we do Class business, this vast network 16 and Class B addresses (172.16.0.0 to 172.31.0.0), and 256 Class C addresses (192.168.0.0 to its associated technologies have opened the door to an increasing number of security threats. 192.168.255.0) set aside for internal network use. Anyone was to free tosite usewhile thoseeliminating addresses The challenge forwere successful, public web sites is to encourage access the on his internal networks without fear of conflict with another site. There was just one catch. undesirable or malicious traffic and to provide sufficient levels of security without constraining Those addresses could not appear in any Internet routing tables. A on company using to those performance or scalability. The more reliant organizations become the Internet perform addresses could not communicate with any other company. Clearly, that needed to be fixed daily jobs or conduct transactions, the greater the impact a breach of network security has. Just before the schemehas would bean adopted. as Cisco Systems been innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data That's where Network Address Translation (NAT) comes in. A company can go to its ISP and get traveling across the Internet. Yet a network security solution is only as strong as its weakest a small pool of addresses that can appear on the Internet (known as registered or public link. Network attacks can occur at any point, including the network connection, the firewall, the addresses). After that, every host using an RFC 1918 address (they're called private addresses) web server, or the client. Hardening the defenses at all these points is key to creating an must have their private network address translated into a public address before sending it on the effective, all-encompassing network security solution.
Internet. Replies and acknowledgments come back using the public address, and they must be translated back into private addresses. Many devices are capable of handling NAT. However, it is typically done at either a router or a firewall. If a company required as many public addresses as private ones, this work would be pointless. However, a small ratio of public to private is typically all that is needed. Just as a company • Table of Contents might have only a few T1 (North America, 24 trunks each) or E1 (Europe, 30 trunks each) lines • Index of phones, it will find that a few Internet addresses can handle many to serve hundreds Web Security network Field Guide concurrent users. That's because addresses are usually needed only for the few seconds necessary By Steve Kalman to retrieve a web page or send an e-mail. Time can be spent reading a page and deciding where to click next without having a public address allocated. Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608 NOTE
Cisco and other vendors also support an enhancement called Port Address Translation (PAT). It acts as a multiplier on the size of the private address pool by sharing the same private address with several concurrent public address conversations. The private address clients sharing a single public address choose different ports, Hands-on techniques for securing Windows(r) servers, browsers, andsource network communications. guaranteeing that a packet coming back to the public address can be mapped to the proper internal private address. With over 60,000 to choose from, this isn't a problem. When Createthe effective inevitable security collisions policies occur, andaestablish differentrules public foraddress operating is chosen in and from maintaining the pool. a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP A few stations (such as e-mail servers) need permanent addresses. They can either be assigned Understand installation options fortranslations Windows web and how enhance a public address, secure or the station doing the NAT canservers be configured totoreserve a public security on existing web and FTP server installations address for use by a particular private address. This is known as static NAT. Improve security at endsecurity, user's workstation, including browsers, desktops, NAT is not a substitute forthe good although it does help.web Would-be intruders who and scan all publiclaptops addresses can use the responses they get to draw a map of your network. With NAT in place, the machine associated with a particular address one moment won't be associated with it pros and cons installing a certificate server and becoming your own with a fewEvaluate seconds the later. This can onlyofserve to confuse would-be intruders. Some companies Authority their Certification own registered public addresses use NAT anyway. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Summary This chapter covered the how-it-works basics that are needed to get the most from this book. With these fundamentals in mind, you're ready to move on to the other chapter in Part I, Chapter 2, "Security Policies." •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Chapter 2. Security Policies This chapter covers the following topics: • •
Table of Contents
Justifying Security Index
Web Security Field Guide Security Policies BySteve Kalman
If you don't know where you're going, there is no way to calculate the best route to follow. Publisher: Cisco Press
This chapter presents a way for you to decide what your security goals are and establish, Pub Date: November 08, 2002 implement, and enforce the security rules that will help you achieve them. ISBN: 1-58705-092-7 Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Justifying Security Security is expensive. Before allocating funds, senior management will want to know what they are buying, what it will protect, and what alternatives they have. This section presents the tools you need to answer those questions. •
Table of Contents
•
Index
Web Security Field Guide
Security Defined BySteve Kalman
The following is a good definition of security: Publisher: Cisco Press Pub Date: November 08, 2002 "Tools and techniques
that prevent unauthorized people or processes from doing anything with to your data, computers, or peripherals." ISBN:or 1-58705-092-7 Pages: 608
Security is not a firewall or cryptography or a virus scanner; although, they are all components of a security solution. It is a process that examines and then mitigates the risks that arise from your company's day-to-day activities. Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Kinds of Security Risks
effective securityof policies rules for operating in and maintaining a RisksCreate come in a wide variety forms.and Hereestablish are some examples: security- conscious environment Learnofhow to harden Loss assets (theft) Windows multi-user platforms, including NT, 2000, and XP Understand secure(business installation options for Windows web servers and how to enhance Service disruption interruption) security on existing web and FTP server installations Loss of reputation (disparagement) Improve security at the end user's workstation, including web browsers, desktops, and laptops of recovery (profitability impact) Expenses Shareholders Evaluateexpect the pros managers and constoofprotect installing or enhance a certificate the server value of and thebecoming company.your Security own breaches Certification that affect Authority any of these items violate shareholders' expectations. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date NOTE Learn tokind engage endisusers as part of the overall network security Another of risk just now emerging: the risk of running afoulsolution of the law. WhileMany the Internet has transformed improved the way we do business, this from vast network and new laws include punitiveand measures (usually fines). Three examples the its associated technologies have opened the door to an increasing number of security threats. United States are Graham-Leach-Billey, which affects U.S. financial institutions and The challenge for successful, publicpolicies web sites is to encourage access Insurance to the sitePrivacy while eliminating requires disclosure of privacy to customers; the Health and undesirable or malicious traffic and to provide sufficient levels of security without Portability Act (HIPPA), which restricts disclosure of health-related data alongconstraining with performance or identifying scalability. information; The more reliant organizations become on the Internet perform personally and the Electronic Communications Privacyto Act daily(ECPA), jobs or conduct transactions, the greater the impact a breach of network security has. Just which specifies who can read whose e-mails under what conditions. as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the Knowing the web server, or theEnemy client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
A common security mistake is to assume that attacks always come from outside your organization. Many companies do the technological equivalent of digging a deep moat around the organization and filling it with hungry alligators, then leaving the interior doors unlocked. You might like to assume that hackers are nearly all pimply-faced, teenagers. This just isn't so. A few artists can find security flaws in systems and exploit them. Some of those talented-butmisguided individuals codify their exploits into scripts and release them on the Internet where a subclass of hackers, known as Script Kiddiez, try to use those scripted exploits. The bad news is • Table of Contents that there are a lot of those "Kiddiez." However, the very fact that they are scripted attacks • Index makes them easy to detect and often fairly simple to defend against. (See Chapter 11, Web Security Field Guide "Maintaining Ongoing Security," for details.) BySteve Kalman
Your ID Badge gets you in through the front door and into your work area. It also prevents you from going Cisco where you are not allowed. As a society, we've had hundreds of years of experience Publisher: Press designing physical security systems (which still get breached, by the way). Computers have been Pub Date: November 08, 2002 with us for only a few decades; computer networks even less time. ISBN: 1-58705-092-7
Pages:study 608 A CSI/FBI (conducted annually, available at www.gocsi.com) states that more than half of all intrusions are by insiders. Security professionals have to work a lot harder to protect their organizations against this class of intruders. By and large, they are more sophisticated computer users. Even worse, they already have valid credentials that allow them access to the network. You have to apply the restricted-area-badge concept to your internal networks, as well. Many of the chapters in this book are specifically aimedservers, at protecting against internal user threat. Hands-on techniques for securing Windows(r) browsers, andthis network communications. Chapter 6, "Enhancing the FTP Server," is a prime example. In it, you learn (among other things) how to encrypt FTP logins so that insiders cannot listen in and steal other users' Create effective security policies and establish rules for operating in and maintaining a credentials. security- conscious environment
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
The C-I-A Triad
Understand secure installation options for Windows web servers and how to enhance securitysecurity on existing web and FTP A computer professional's job server can be installations described as protecting CIA or maintaining CIA. The letters and their definitions are as follows: Improve security at the end user's workstation, including web browsers, desktops, and laptops Confidentiality— Making sure that data is not disclosed in an unauthorized manner, either Evaluate the or pros and cons of installing a certificate server and becoming your own intentionally unintentionally. Certification Authority Integrity— Giving the following assurances: Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists - Modifications are not made by unauthorized people. Discover ways to test the current state of security and keep it up to date - Unauthorized modifications are not made by authorized people. Learn to engage end users as part of the overall network security solution - The data is internally and externally consistent. (That is, the data matches up with other data with real-world experience.) While the Internet hasand transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. Availability— Providingpublic the reliable andistimely access toaccess data or resources by The challenge for successful, web sites to encourage to computing the site while eliminating appropriate authorized personnel. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data NOTE traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the The opposite of CIA is D-A-D, which stands for Disclosure, Alteration, and Denial. web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Approaches to Risk Analysis You (or your management) can take five approaches with regard to any risk: • •
Contents AcceptTable the of risk— You must accept the risks in the following two cases: Index
Web Security Field Guide
- You BySteve Kalman
cannot do anything about the risk (for example, a vendor goes out of business or a product is dropped).
Publisher: -Cisco ThePress cost
of mitigation is not economical.
Pub Date: November 08, 2002
Defend against the risk— You can deploy firewalls, antivirus products, encryption ISBN: 1-58705-092-7 technologies, and so on. You can also establish procedures and policies, as discussed later Pages: 608 in this chapter. Mitigate the risk— Even if you assume that there is no such thing as a web server that cannot be broken into, you still don't have to just accept the risk. Some of the things you can do include the following: Hands-on techniques for securing Windows(r) servers, browsers, and network communications. - You can reduce the harsh effects of a successful break-in by being ready to reinstall Createthe effective security andnotice. establish rules for operating in and maintaining a web server at apolicies moment's security- conscious environment - You can take steps to maintain the web server's security. (This is the subject of Learn Chapter how to harden 11.) Windows multi-user platforms, including NT, 2000, and XP Understand secure installation for Windows web servers and how to enhance - You can regularly audit options its contents. security on existing web and FTP server installations - You can examine its logs. Improve security at the end user's workstation, including web browsers, desktops, and laptops Pass on the risk— You can ensure against the risk (sometimes). Evaluatethe therisk— pros and of only installing a certificate server the andrisk becoming your ownas Ignore Thiscons is the foolish choice. Ignoring is not the same Certification accepting it. Authority Ignoring it is merely hoping that someone else will be attacked. the (accepting, Cisco PIX Firewall and Cisco IOS Firewall and how of to threat apply reduction Cisco ThreeLearn of these mitigating, and passing on thearchitecture risks) are examples standard and extended access lists techniques. Reducing the threat is made easier if the proper security stance is selected. With every defense, you will use one of the following approaches: Discover ways to test the current state of security and keep it up to date Learn to engage(the endparanoid users as approach). part of the overall network security solution Permit nothing WhileProhibit the Internet has transformed and improved we doapproach). business, this vast network and everything not specifically permitted the (theway prudent its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public webprohibited sites is to(the encourage access to the site while eliminating Permit everything not specifically permissive approach). undesirable or malicious traffic and to provide sufficient levels of security without constraining Permit everything (theThe promiscuous approach). performance or scalability. more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Of the prudent choiceanmakes the most practical sense and is the assumed approach as these, Cisco Systems has been innovator in using the Internet to conduct business, so too isofit this a book. is the one that most vendors For example, Cisco access lists marketItleader in the development andchoose. sale of products and technologies that automatically protect data deny everything not specifically permitted. traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
NOTE The following story is well known among security practitioners. Student–to–instructor: How do you configure a firewall? Instructor–to–Student: Deny everything and wait for the phone to ring. •
Table of Contents
•
Index
Web Security Field Guide BySteve Kalman Solving Security with Technology Publisher: Cisco Press Bruce Schneier, in Secrets and Lies, Digital Security in a Networked W orld , states, Pub Date: November 08, 2002
"If you1-58705-092-7 think that technology will solve your security problems, then you don't understand ISBN: security and you don't understand your problems." Pages: 608
Security includes a necessary mindset for every employee and specified procedures to follow, in addition to technology, to minimize the risk.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Security Policies Security policies help you define the level of security that is acceptable in your organization; they set a standard of care for every employee (and contractor). • Tablehelp of Contents Security policies you plan. Without them, there would be no way to tell which security • Index decisions help increase your security and which are wastes of time and money. Even worse, Web Security Guide there wouldField be no way to identify areas that were overlooked. BySteve Kalman
In this section, you learn what goes into a security policy, how to create one, and how to make sure that it is kept up to date and used effectively. Publisher: Cisco Press
Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Contents of a Security Policy Pages: 608
A security policy is a document. Although typically approved at the highest levels, it is not a high-level document (like a Mission Statement). Your security policy defines the resources that your organization needs to protect and the measures that you can take to protect them. In other words, it is, collectively, the codification of the decisions that went into your security stance. Hands-on techniques for securing Windows(r) browsers, network communications. Policies should be published and distributed toservers, all employees and and other users of your system. Management should ensure that everyone reads, understands, and acknowledges their role in following the policies and in the penalties that violations will bring. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
NOTE Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations When separate policies deal with secure networks, publication of those policies should be restricted to individuals have authorized including access to web those networks. Improve security at the endwho user's workstation, browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Security policies should emphasize what is allowed, not what is prohibited. Where appropriate, Certification Authority examples of permitted and prohibited behavior should be supplied. That way, there is no doubt; if not Learn specifically permitted by theand security it is prohibited. Theand policy should alsoCisco describe the Cisco PIX Firewall Ciscopolicy, IOS Firewall architecture how to apply ways standard to achieve its extended goals. and access lists Example 2-1 isways an example of acurrent security policy for passwords. This is divided into Discover to test the state of security and keep it example up to date several sections, for which Table 2-1 lists the sections and describes their content. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge Tablefor 2-1. successful, Generic public Description web sites is to ofencourage a Security access Policy's to the siteContents while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Section Name
Content Guide
1.0 Overview
Justifies the reason for the policy and identifies the risks the policy addresses.
2.0 Purpose
Explains why the policy exists and the goal that it is written to accomplish.
3.0 Scope
Defines the personnel covered by the policy. This might range from a single group in a department to the entire company.
•
Table of Contents
•4.0 Policy
This is the policy itself. It is often divided into several subsections. Examples are Index
Web Security Field commonly Guide
used to illustrate points.
By 5.0 Steve Kalman
Defines the penalty for failure to follow the policy. It is usually written as "everything up to and including…" so that a series of sanctions can be applied. Dismissal is typically the most severe penalty but, in a few cases, criminal Publisher: Cisco Press prosecution should be listed as an option. Pub Date: November 08, 2002
Enforcement
6.0 Definitions ISBN: 1-58705-092-7 Any terms that might be unclear or ambiguous should be listed and defined Pages: 608 here. 7.0 Revision History
Dates, changes, and reasons go here. This ties into enforcement in that the infraction should be measured against the rules in place at the time it occurred, not necessarily when it was discovered.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security-2-1 conscious environment Example A Sample Security Policy (Covering Passwords) Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Password Policy Understand secure installation options for Windows web servers and how to enhance 1.0 Overview security on existing web and FTP server installations Passwords are an important aspect of computer security. Theyweb are browsers, the front line of Improve security at the end user's workstation, including desktops, and protection for user accounts. A poorly chosen password may result in the laptops compromise of Example Corporation's entire corporate network. As such, all Example Corporation (including and vendors withand access to Example Evaluateemployees the pros and cons of contractors installing a certificate server becoming your own Corporation systems) are responsible for taking the appropriate steps, as outlined Certification Authority below, to select and secure their passwords. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco 2.0 Purpose standard and extended access lists The Discover purpose of thisto policy establish a standard forand creation strong passwords, ways test is thetocurrent state of security keep of it up to date the protection of those passwords, and the frequency of change. Learn to engage end users as part of the overall network security solution 3.0 Scope While the Internet has transformed and improved the way we do business, this vast network and The scope of technologies this policy includes all personnel who or are responsible an its associated have opened the door to have an increasing number offor security threats. account (or any of access thatweb supports ortorequires a password) The challenge for form successful, public sites is encourage access toon theany sitesystem while eliminating that residesoratmalicious any Example Corporation facility, has access Example undesirable traffic and to provide sufficient levelstoofthe security without constraining Corporation or network, or stores any non-public Example Corporation performance scalability. The more reliant organizations become on information. the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just 4.0 Policy as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data 4.1 General traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the root, defenses at all points is key to creating an All system-level passwords (e.g., enable, NTthese admin, application effective, all-encompassing network security solution.
administration accounts, etc.) must be changed on at least a quarterly basis. All production system-level passwords must be part of the Information Security Department administered global password management database.
•
All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months. Table of Contents
•
Index User accounts that have system-level privileges granted through group programs such as "sudo" must have a unique password from other accounts held by that user. BySteveall Kalman Web Security Field Guide memberships or
Passwords must not be inserted into email messages or other forms of electronic communication.
Publisher: Cisco Press
Pub Date: November 08, 2002
ISBN: 1-58705-092-7 Where SNMP is used, the community strings must be defined as something Pages: other608 than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv3).
All user-level and system-level passwords must conform to the guidelines described below. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. 4.2 Guidelines Create effective security policies and establish rules for operating in and maintaining a A. General Password Construction Guidelines Passwords are used for various security- conscious environment purposes at Example Corporation. Some of the more common uses include: user levelLearn accounts, web accounts, emailmulti-user accounts, platforms, screen saver protection, voicemail how to harden Windows including NT, 2000, and XP password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are for onlyWindows used once), should Understand secure installation options web everyone servers and how be to enhance aware of howon toexisting select strong passwords. security web and FTP server installations Poor, weak passwords characteristics: Improve security athave the the end following user's workstation, including web browsers, desktops, and laptops The password contains lessofthan eight characters Evaluate the pros and cons installing a certificate server and becoming your own Certification Authority The password is a word found in a dictionary (English or foreign) Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco The password is a common usage word such as: standard and extended access lists Discover ways tooftest the current state of security and keep it up to datesports - Names family, pets, friends, co-workers, fantasy characters, teams, etc. Learn to engage end users as part of the overall network security solution - Computer terms and names, commands, sites, companies, hardware, While the Internet has transformed and improved the way we do business, this vast network and software. its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, publicCorporation", web sites is to"EXMC", encourage access to - The words "Example "BigApple" or the anysite while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining derivation. performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or -conduct transactions, the greater the impact a breach of network Birthdays and other personal information such as addresses and security phone has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a numbers. market leader in the development and sale of products and technologies that protect data traveling across the or Internet. a network security solution is only as strong as etc. its weakest - Word numberYet patterns like aaabbb, qwerty, zyxwvuts, 123321, link. Network attacks can occur at any point, including the network connection, the firewall, the web server, -orAny theof client. the above Hardening spelled thebackwards. defenses at all these points is key to creating an effective, all-encompassing network security solution.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret) Strong passwords have the following characteristics: Contain both upper and lower case characters (e.g., a-z, A-Z)
• •
Have digits and punctuation characters as well as letters e.g., 0-9, Table of Contents !@#$%^&*()_+|~-=\`{}[]:";'<>?,./) Index
Are atField least eight Web Security Guide
alphanumeric characters long.
BySteve Kalman
Are not a word in any language, slang, dialect, jargon, etc.
Publisher: Cisco Press Are not based
on personal information, names of family, etc.
Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
NOTE Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a Hands-on techniques Windows(r) servers, browsers, and communications. password basedfor onsecuring a song title, affirmation, or other phrase. Fornetwork example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn howuse to harden Windows multi-user NOTE: Do not either of these examples as platforms, passwords!including NT, 2000, and XP Understand secure Standards installationDo options forthe Windows web servers how to enhance B. Password Protection not use same password for and Example security on existing web and FTP server installations Corporation accounts as for other non-Example Corporation access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same Improve security at the end user's workstation, including web browsers, desktops, and password for various Example Corporation access needs. For example, select one laptops password for the Engineering systems and a separate password for IT systems. Also, select a separate password to beofused for anaNT account server and a UNIX account. your own Evaluate the pros and cons installing certificate and becoming Certification Authority Do not share Example Corporation passwords with anyone, including administrative assistants All passwords areIOS to be treatedarchitecture as sensitive, Confidential Learn or thesecretaries. Cisco PIX Firewall and Cisco Firewall and how to apply Cisco Example Corporation information. standard and extended access lists HereDiscover is a list of don'ts: ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution Don't reveal a password over the phone to ANYONE While the Internet has transformed and improved the way we do business, this vast network and Don't reveal a password in an email message its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating Don't reveal a password to the boss undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more become on the Internet to perform Don't talk about a password in reliant front oforganizations others daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has an innovator in using the Internet conduct business, so too is it a Don't hint at thebeen format of a password (e.g., "my familyto name") market leader in the development and sale of products and technologies that protect data traveling Don't across reveal theaInternet. passwordYet on aquestionnaires network security or security solution forms is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the Don't share password with family members web server, or the aclient. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Don't reveal a password to co-workers while on vacation If someone demands a password, refer them to this document or have them call someone in the Information Security Department. Do not use the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger). • Again, do not Table of Contents write passwords down and store them anywhere in your office. Do not • store passwords Index in a file on ANY computer system (including Palm Pilots or similar Web Security Field Guide devices) without encryption. BySteve Kalman
Change passwords at least once every six months (except system-level passwords which must be changed quarterly). The recommended change interval is every four Publisher: Cisco Press months. Pub Date: November 08, 2002
1-58705-092-7 If an ISBN: account or password is suspected to have been compromised, report the incident Pages: to608 the Information Security Department and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by the Information Security Department or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it. Hands-on techniques for securing Windows(r) servers, browsers, andensure network communications. C. Application Development Standards Application developers must their programs contain the following security precautions. Applications: Create effective security policies and establish rules for operating in and maintaining a securityconscious environmentof individual users, not groups. Should support authentication Learn how harden Windowsinmulti-user including NT, 2000, Should nottostore passwords clear text platforms, or in any easily reversible form.and XP Understand secure options for Windows web and how totake enhance Should provide forinstallation some sort of role management, suchservers that one user can security on existing web and FTP server installations over the functions of another without having to know the other's password. Improve securityTACACS+, at the end RADIUS user's workstation, including websecurity browsers, desktops, and Should support and/or X.509 with LDAP retrieval, laptops wherever possible. Evaluate the prosand andPassphrases cons of installing a certificate and becoming your own D. Use of Passwords for Remote Accessserver Users Access to the Example Certification Authority Corporation Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists E. Passphrases Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public Discover ways to test the current state of security and keep it up to date key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private the user cannot gain access. Learn to engage end users as part key, of the overall network security solution Passphrases are not same as passwords. A passphrase is do a longer version a network and While the Internet hasthe transformed and improved the way we business, this of vast password and is, therefore, more secure. A passphrase is typically composed of its associated technologies have opened the door to an increasing number of security threats. multiple words. of this, a passphrase secureaccess against The challenge for Because successful, public web sites isistomore encourage to"dictionary the site while eliminating attacks." undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform A good passphrase is relatively long and contains a combination of upper and daily jobs or conduct transactions, the greater the impact a breach of network security has. Just lowercase letters and numeric and punctuation characters. An example of a good as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a passphrase: market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest "The*?#>*@TrafficOnTheBridgeWas*!#ThisMorning" link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all points is key to creating an All of the rules above that apply to passwords apply tothese passphrases. effective, all-encompassing network security solution.
5.0 Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 6.0 Definitions • •
Terms
Table of Contents Index
Web Security Field Guide Application
Administration BySteve Kalman Account
Definitions Any account that is for the administration of an application (e.g., Oracle database administrator, Notes administrator).
Publisher: Cisco Press Pub Date: November 08, 2002
7.0 Revision History ISBN: 1-58705-092-7 Pages: 608
NOTE Hands-on techniques for securing Windows(r) servers, browsers, and network communications. In part 4.2-A in Example 2-1, there is a line suggesting that the name of the company, the nickname of a nearby town, or a stock symbol (which was unassigned at the time of this writing) poor passwords, they are. Other poor password will a Create effectiveare security policies andand establish rules for operating in andexamples maintaining come fromconscious your ownenvironment environment. For example, the word bulldog is far less secure at securityMack Truck (where it is the company's mascot) than at any other company. You should expand Learn how thattosection hardenwith Windows locallymulti-user bad choices. platforms, If your company includingisNT, national 2000, or and XP international, you need to make it clear that there are classes of bad choices. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's are workstation, web browsers, desktops, and In large organizations, security policies multipart including documents, each referring to one or more of thelaptops others. For example, in a policy on router security, the section on choosing router access passwords will refer to the password policy. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Policies commonlyAuthority apply to less than all sections of the organization. Policies on acquiring commercial software or running a test lab or training department apply only to segments of the Learnwhereas the Cisco PIX Firewall and IOS Firewall architecture and how apply Cisco company, policies such as an Cisco Information Sensitivity Policy (deals withtokeeping standard and extended access lists confidential company information private) or Password Policies apply across the enterprise. Discover ways to test the current state of security and keep it up to date
Example Security Policies Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the wayA we do starting business, this is vast Several model security policies are available on the web. good place RFCnetwork 2196, and its associated technologies have opened the door to an increasing number of security threats. "Site Security Handbook," which discusses all aspects of security policies, from content The challengeto forimplementation. successful, public web sites is to accesscomes to thefrom site while development Another source ofencourage sample policies SANS.eliminating The direct undesirable or malicious traffic and to provide sufficient levels of security without constraining link is www.sans.org/newlook/resources/policies/policies.htm. If the link breaks, key the title of performance scalability. The Policy more reliant organizations become on thebox Internet perform the page, TheorSANS Security Project, into the search-this-site on theto SANS home daily jobs or conduct transactions, the greater the impact a breach of network security has. Just page.Table 2-2 lists many of the policies you'll find there, along with a description of what as Ciscofor. Systems has been an innovator in using the Internet to conduct business, so too is it a they're market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Table 2-2. Common Security Policies Policy Name Acceptable Encryption •
Description
Provides guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, provides direction to ensure that applicable laws and regulations are followed. Table of Contents
•Acceptable Use Index
Outlines who can use company-owned computer equipment and networks. covers company computers located on company premises as well as computers located in employee's homes.
Web Security Field GuideIt BySteve Kalman
Analog Line
Explains the analog and ISDN line acceptable use and approval policies and procedures. Separate rules apply to lines that are connected for the sole purpose of sending and receiving faxes and lines that are connected to Pub Date: November 08, 2002 computers. ISBN: 1-58705-092-7
Publisher: Cisco Press
Pages: 608 Application Service Providers
Describes the company's Application Service Providers (ASPs) requirements. (ASPs combine hosted software, hardware, and networking technologies to offer a service-based application.) It refers to and incorporates the separate ASP Standards Policy.
ASP standards Defines the minimum-security criteria that an ASP must meet to be Hands-on techniquesconsidered for securing servers, browsers, and network communications. forWindows(r) use. Audit Provides the authority for members of the Information Security Department Create effectiveteam security policiesaand establish for operating in and a or to conduct security auditrules on any system owned bymaintaining the company security- conscious environment installed on the company's premises. Automatically Prevents the unauthorized or inadvertent disclosure of sensitive Learn how to harden Windows multi-user platforms, including NT, 2000, and XPcompany Forwarded Email information. Understand secure installation options for servers and how to enhance DB Credentials States the requirements forWindows securely web storing and retrieving database security on existing web and FTP server installations usernames and passwords (that is, database credentials) for use by a program that will access a database running on one of the company's Improve security at the end user's workstation, including web browsers, desktops, and networks. laptops Dial-in Access Establishes rules that protect electronic information from being Evaluate the pros and cons ofcompromised installing a certificate server and becoming your own inadvertently by authorized personnel using a dial-in Certification Authority connection. Extranet describes theFirewall policy under which third-party Learn the CiscoThis PIX document Firewall and Cisco IOS architecture and how toorganizations apply Cisco connect to the company's networks for the purpose of transacting business. standard and extended access lists Information Helps employees determine what information can be disclosed to Discover ways to test the current of the security andsensitivity keep it upoftoinformation date Sensitivity nonemployees, as state well as relative that should not be disclosed without proper authorization. Learn to engage end users as part of the overall network security solution Internal Lab Establishes information security requirements for labs to ensure that While the Internet has transformed and improved the way we are do business, this vast network Security confidential information and technologies not compromised, and thatand its associated technologies haveservices opened and the door an increasing number from of security threats. production othertointerests are protected lab activities. The challenge for successful, public web sites is to encourage access to the site while eliminating Anti-Virus Establishes requirements that must be met by all computers connected to undesirable or malicious traffic and to provide sufficient levels of security without constraining the company's networks to ensure effective virus detection and prevention. performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conductEstablishes transactions, the greater impact a breach of network security has. Password a standard for the creating strong passwords, the protection of Just as Cisco Systems hasthose beenpasswords, an innovator in the using the Internet to conduct business, so too is it a Protection and frequency of change. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Remote Access
Defines standards for connecting to the company's network from any host. These standards are designed to minimize the potential exposure to damages (such as the loss of sensitive or confidential company data, intellectual property, damage to public image, damage to critical internal systems, and so on).
Risk Assessment
Empowers the Information Security Department to perform periodic information security risk assessments to determine areas of vulnerability Table of Contents and to initiate appropriate remediation.
• •
Index
Router and Field Switch Web Security GuideDescribes Security
BySteve Kalman
a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity.
Server Security Publisher: Cisco Press Establishes standards for the base configuration of internal server equipment that is owned and operated on company premises or at webPub Date: November 08, 2002 hosting locations. ISBN: 1-58705-092-7
Virtual Private Pages: 608 Network
Provides guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the company's corporate network.
Wireless Communication
Establishes standards for access of the company's network via secured wireless communication mechanisms.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Creating Your Own Security Policy
Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Creating security policies is a four-step process: Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Step 1. Decide on your level of trust. Understand secure installation options for Windows web servers and how to enhance Step 2. Define appropriate behavior. security on existing web and FTP server installations Step 3. security Create aat policy review team. Improve the end user's workstation, including web browsers, desktops, and laptops Step 4. Use the work of others. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority The sections that follow examine each of these steps in greater detail. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Step 1: Decide on Your Level of Trust
Discover ways to test the current state of security and keep it up to date
Assuming that people will do the right thing is easy and tempting. Don't let yourself take this Learn to engage end users as part of the overall network security solution shortcut. Spell out what is expected and what is prohibited. Decide on the controls you will use to measure adherence the good practices that you tobusiness, define. (This to While the Internet has to transformed and improved theare wayabout we do this applies vast network and programs as well as people.) Specify repercussions that will follow if employees do not adhere to its associated technologies have opened the door to an increasing number of security threats. practices. Trustfor different employees in different Those with unprivileged are in a The challenge successful, public web sites is ways. to encourage access to the siteaccess while eliminating different category than those with high levels of access privilege. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Step 2: Systems Define Appropriate Behaviorin using the Internet to conduct business, so too is it a as Cisco has been an innovator market leader in the development and sale of products and technologies that protect data traveling across the Yet apassword network policies, security solution is only as strong as its weakest Whether the topic is Internet. email usage, or keeping company secrets, your system's link. Network attacks can occur at any point, including the network connection, the firewall, the users and the people who evaluate them must know what is expected. Your policies are web server, or the client. Hardening the defenses at all these points is key to creating an necessary to support an HR action in the face of inappropriate behavior, or even to prosecute a effective, all-encompassing network security solution.
criminal case in extreme examples.
Step 3: Create a Policy Review Team The members of this team are responsible for drafting new policies and revising existing ones. Table 2-3 describes the representatives and their roles. •
Table of Contents
•
Index
Web Security Field Guide BySteve Kalman
Table 2-3. Members of the Policy Review Team
Publisher: Cisco Press
Representative Duties Pub Date: November 08, 2002 From ISBN: 1-58705-092-7 Management Pages: 608
Someone who can enforce the policy. This is often a senior member of the HR staff.
Information Security Department
Someone who can provide technical insight and research.
User Areas who can view the policies the way user might view them. Hands-on techniques for Someone securing Windows(r) servers, browsers, and anetwork communications. Legal Department Possibly part time, but someone who can review policies with respect to applicable laws. For multinational firms, this review is exponentially Create effective security and establish rules for operating in and maintaining a morepolicies complicated. security- conscious environment Publications Someone who can make suggestions on communicating the policies to Learn how to harden the Windows organization's multi-user members platforms, and getting including their NT,buy 2000, in. and Also,XP a good writer is always helpful. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
StepImprove 4: Use the security Work atof theOthers end user's workstation, including web browsers, desktops, and laptops The previous section gave a pointer to a set of policies suitable for a large company. A Evaluate the pros and of installing a sample certificate server and becoming Google.com search turns upcons literally dozens of policies for sale. Amazonyour has own several Certification Authority books. You should investigate these resources and find one that matches your organization's profile. This will save you significant amounts of work. Even more important, it will keep you Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco from accidentally omitting vital areas from consideration. standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution
TIP
While the Internet has transformed and improved the way we do business, this vast network and Information Security Policies Made Easy (Version an excellent book on security its associated technologies have opened the door to an#8), increasing number of security threats. policies by Charles C. Wood, comes with a CD containing policies you can and use. The challenge for successful, public web sites is to encourage access to the siteedit while eliminating The only drawback is its relatively high cost (currently $595 U.S.). undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader infor the Security development and sale of products and technologies that protect data Key Topics Policies traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the Many of the security policies listed in Table 2-2 have key clauses that should be included, as web server, or the client. Hardening the defenses at all these points is key to creating an further described in Table 2-4. effective, all-encompassing network security solution.
Table 2-4. Key Policy Provisions Policy Name
Key Provisions
Tells employees how to use encryption to protect information in transit •Acceptable Table of Contents •Encryption Index
(both over the network and via laptop). Names encryption products, Web Security Field Guide algorithms, and strengths. By Acceptable Steve Kalman Use
Lists appropriate use of computing resources. Users should be made to read and sign. Contains rules for e-mail, newsgroups, web surfing, and Publisher: Cisco Press nonbusiness use. Also states users' responsibilities regarding data in their private spaces. Pub Date: November 08, 2002
AnalogISBN: Line1-58705-092-7 Discusses who can have analog lines installed, for what purpose, and the things that they must do to protect the network while the line is in use. Pages: 608 Application Service Defines minimum-security standards to which ASPs must adhere to be Providers eligible to contract with the company. Automatically Discusses whether accessing, maintaining, and forwarding company e-mail Forwarded Email to private accounts is allowed. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Information Tells users how to treat company confidential, company officer eyes-only, Sensitivity company trade secret, third-party private and other classifications of Create effective private securityinformation. policies and establish rules for operating in and maintaining a security- conscious environment Internal Lab Sets rules that protect the main network from work done in the lab. Security Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Anti-Virus Lists baseline rules for using antivirus products (AVPs) and frequency of Understand secure installation options for Windows web servers and how to enhance updates. Explains procedure to follow after becoming infected. Includes security on existing web and FTP server installations rules for downloading software and for allowing attachments. Improve security at theminimum end user'slength, workstation, browsers, desktops, and Password Covers changeincluding periods, web techniques for creating good laptops passwords, and mistakes to avoid. Remote Access Acceptable might differ for usersserver working home. your Usingown company Evaluate the pros and cons use of installing a certificate andfrom becoming facilities to reach out to the Internet might or might not be okay. Allowing Certification Authority family members to use the computer and access lines is another decision need to and makeCisco and IOS convey. Learn the Cisco you PIX Firewall Firewall architecture and how to apply Cisco standard and extended access lists Router Security Deals with storage of router passwords and with minimum access control list requirements. Discover ways to test the current state of security and keep it up to date Wireless Deals with maintaining security when sending data across wireless LANs Learn to engageand endthe users as for part of the overall security Communication rules when this mightnetwork or might not be solution done (and, if done, how to implement it). While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or Implementing malicious traffic and to provide sufficient levels of security without constraining Effectively Your Security Policy performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just When you develop policies, you need to balance productivity and security. The goal of all good as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a employees is to get their work done. If you create a rule that the employee thinks is just in the market leader in the development and sale of products and technologies that protect data way, that employee will either ignore it or bypass it. Sometimes, you can implement technical traveling across the Internet. Yet a network security solution is only as strong as its weakest controls to make sure that policies are followed (password change periods, for example), but link. Network attacks can occur at any point, including the network connection, the firewall, the other times you cannot. (A rule about never giving your password to someone else cannot be web server, or the client. Hardening the defenses at all these points is key to creating an enforced by software.) You must make security a part of the corporate culture. effective, all-encompassing network security solution.
This does not have to be done in a punitive way. Here are two examples. A company whose policy called for password-protected screen savers or locked workstations whenever an employee was not using the PC was enforced by having security staff (uniformed guards on patrol) write "tickets"—they looked like parking tickets—and taping them to the monitor. The tickets reminded the users of the rules. The guards were taught how to Ctl-Alt-Del and pick Lock Workstation, and were instructed to do so whenever issuing a ticket. •
Table of Contents
Another company had guards walk around after the close of business looking for laptops left • Index unattended. They took laptops they found and left a "luggage receipt" on the desk saying that Web Security Field Guide the lost luggage could be claimed at the security station. BySteve Kalman
Publisher: Cisco Press Avoiding Failure
Pub Date: November 08, 2002 ISBN: 1-58705-092-7
One sure way to make a policy fail is to apply it unevenly. If certain people, because of their Pages: 608 position or influence, can bypass policies with impunity, the policies will all become unenforceable. You must get management buy-in, even if doing so is painful.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Practice What You Preach Create effective security policies and establish rules for operating in and maintaining a conscious environment As asecurityconsultant, the worst project I took on was a virus extermination task. This was in the early days of networking, small hard drives, and extensive use of floppies. I how to harden Windows platforms, NT, in 2000, XP wentLearn in and disinfected the server, multi-user the workstations, and including every floppy plainand sight. I was not allowed to open desk drawers. I also installed an antivirus product (AVP) Understand installation options forfile.) Windows web servers and how to enhance on every PC. (It secure installed in the autoexec.bat security on existing web and FTP server installations A week later, I was called back because the virus had resurfaced. I found two Improve security at the end user's workstation, including web browsers, and problems. One was that a floppy in a desk drawer was infected, and the otherdesktops, was laptops that the user disabled the AVP because it made the PC take too long to boot up. I redisinfected, this time with permission to open desk drawers and was accompanied Evaluate the pros and cons of installing a certificate server and becoming your own by a security guard. I also recommended that management implement a policy Certification Authority stating that disabling the AVP would result in termination. They agreed. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Two weeks after that, I was called back. This time, I traced the problem to the office standard and extended access lists of a vice president of the company who brought an infected floppy from home and disabled the AVP. I asked the CIO if the VP was going to be dismissed. He laughed Discover ways to test the current state of security and keep it up to date and said that the VP was too valuable to let go and that I should just clean it up and forget about Learn to it. engage end users as part of the overall network security solution By the way, there has wastransformed another solution that they the could have During World While the Internet and improved way we employed. do business, this vast network and War II, General George S. Patton was made to apologize publicly to his troops—the its associated technologies have opened the door to an increasing number of security threats. alternative being court martial andweb disgrace. Hetoapologized. been eliminating The challenge for successful, public sites is encourage (That accessmight to thehave site while harder on him than the court martial.) By doing that, General Eisenhower kept undesirable or malicious traffic and to provide sufficient levels of security withouta constraining commander or who really was toomore valuable to organizations lose, but he also madeon it clear that no to perform performance scalability. The reliant become the Internet one was above the rules. I suggested that the company follow this model by daily jobs or conduct transactions, the greater the impact a breach of networkmaking security has. Just the VP send a mea culpa to everyone as an the alternative They as Cisco Systems has beennote an innovator in using Internetto todismissal. conduct business, so too is it a declined. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest I told them not to call me again. link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Summary This first part of the book set the stage with a chapter on essential information and a chapter on security policies. Part II deals with things you should do to harden the server software before installing a web server. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Part II: Hardening the Server A newly installed server is the easiest platform in the world to break into. That applies whether the server is a file server (NT 4, Windows 2000, or Windows XP), a web server (IIS4 orTable IIS5), or any other kind of server (FTP, SNMP, database, and so on). In this part, • of Contents you see several techniques for hardening the three file server platforms. Part III then deals • Index with two web server versions. Web Security Field Guide BySteve Kalmanno There's
such thing as done, but you can be sure that following the suggestions outlined here will yield a result that's much more secure than what you started with.
Publisher: Cisco Press Pub Date: November 08, 2002
Chapter Windows System Security ISBN:31-58705-092-7 ThisPages: is the608 only chapter in this part. This chapter assumes that you know how to install the operating system. In many cases, you'll buy the web server platform with the operating system preinstalled anyway. This chapter focuses on making it secure. Be aware of an underlying assumption—the web server is a standalone machine, not part of a domain. No users are stationed there; only the administrator needs to log in at the console. All other access is through the network. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Chapter 3. Windows System Security This chapter covers the following topics: • •
Table of Contents
NT 4 Security Index
Web Security Field Guide Windows 2000/XP
Security
BySteve Kalman
All versions of Windows have one thing in common: as installed, they have very weak security. ThePublisher: most egregious example of this is that after logging in, all users have full control (all Cisco Press permissions) at the root of every drive, and nearly all its subdirectories and files. Beyond that, Pub Date: November 08, 2002 some services are extremely open (such as the Messenger Service) and allow the devious to 1-58705-092-7 bypassISBN: logging in. This chapter teaches you about two things: Pages: 608
Which rights and permissions to apply, how to apply them, and how to make sure that newly installed applications don't undo your work How to harden the operating system Hands-on techniques for securing Windows(r) servers, browsers, and network communications. NT 4 was the first Windows operating system to introduce a distinction between rights and permissions. A right applies topolicies accessing resources of for theoperating operatingin system itself, such aas the Create effective security andthe establish rules and maintaining right securityto shut down the system or the right to log on locally. A permission applies to accessing the conscious environment file system's resources, such as reading, modifying, or erasing a file. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP NT 4 was also the first Windows product with Discretionary Access Control (DAC). This enables permissions to besecure set on installation files and folders forfor individual users groups. might have Understand options Windows web and servers and One how user to enhance full control, another mightweb be able to read only the file, and a third might have no access at all. security on existing and FTP server installations To support all the additional file and folder attributes, a new file system called New Technology File System (NTFS) wasatdeveloped. It is workstation, required for DAC. Improve security the end user's including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
TIP
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Microsoft by lists assigning an Access Control List (ACL) to every file and standard implemented and extendedDAC access folder. Each ACL has two subparts. One, the Discretionary Access Control List (DACL) , determines Discover ways which to test persons the current or processes state of have security full, partial, and keep or no it up access to date to the object. The other, called the System Access Control List (SACL), is used to manage logging Learn to engage end users as part of the overall network security solution and auditing. WhileThis thechapter Internetfocuses has transformed on DACLs.and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance In NT 4, eachor workstation scalability.and Theserver more reliant had itsorganizations own databasebecome of userson and thegroups Internet with to which perform DAC dailymanaged. was jobs or conduct As thetransactions, number of stations the greater grew,the centralized impact auser breach accounts of network management security has. became Justa as Cisco Systems requirement. Thishas wasbeen accomplished an innovator by creating in using domains, the Internet which to conduct are made business, up of member so too is it a market leaderand workstations in the servers. development The database and sale of users of products and groups and technologies was centralized thatat protect the domain data traveling across controller. A userthe with Internet. an account Yet ainnetwork the domain security could solution log on is atonly any as member strong(workstation as its weakest or link. Network server) in the attacks domain.can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an In many cases, this was sufficient. larger solution. companies, it was not. They would often have effective, all-encompassing networkFor security
multiple domains based on their size or security needs. These domains could, optionally, be told to trust another domain's users. However, these trusts were one way. For two domains to trust each other, two different trusts had to be established, A to B and B to A. As the number of domains grew, this too became unmanageable. (Mathematically, if every domain trusts every other domain, the number of trusts is N x N–1 where N is the number of domains.) The solution to that problem came with Windows 2000 Server. It is called Active Directory (AD). AD is a Lightweight Directory Access Protocol (LDAP) database loosely based on the X.500 • Table of Contents standard. •
Index
Web Security Field Guide BySteve Kalman
TIP
Publisher: Cisco Press Pub Date: November 08, 2002
X.500 is an international standard created by the ISO for directory databases. ISBN: 1-58705-092-7
Pages: 608
Active Directory simplifies and centralizes the multiple domain, multiple trust overhead that developed with the wide expansion of NT 4-based networks. There's more on this later in the chapter in the section, "Windows 2000/XP Security." Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
NT 4 Security This section examines Windows NT 4's built-in security features and is divided into four parts: Explanation Table of of Contents the NT 4 File System Security Model
• •
Index
Demonstration Web Security Field Guideof
weaknesses and ways to protect against them
BySteve Kalman
Explanation of operating system weaknesses
Publisher: Demonstration Cisco Press
of hardening the operating system
Pub Date: November 08, 2002 ISBN: 1-58705-092-7
NT 4Pages: File608 System Security NT 4 introduced five component parts to its security structure, as defined in Table 3-1.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Table 3-1. NT 4 Security Components Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Acronym Definition how to hardenAccess Windows multi-user platforms, including NT, a 2000, and XP contains DACLLearn Discretionary Control List— Every file and folder has DACL, which ACEs. Understand secure installation options for Windows web servers and how to enhance ACE security Access Controlweb Entry— Eachserver ACE has two parts: the SID to which it applies and the on existing and FTP installations permissions assigned to that SID. Improve security at the end user's workstation, including web browsers, desktops, and SID Security Identifier— The SID is a record locator into the SAM database. SIDs point to laptops the records allocated to users or groups the pros and cons of installing certificate server and becoming yourfor own SAM Evaluate Security Accounts Manager— The aSAM is a database containing records all users Certification Authority and groups. These records refer to each other in the sense that group records list the SIDs of its members while user records list the SIDs of the groups the user Learn belongs the Ciscoto. PIX Firewall and also Ciscomaintain IOS Firewall to apply Cisco to These records otherarchitecture details, suchand as how the rights assigned standard and extended access lists a group or a user's password. SAT Discover Security Access Token— When a user logs in, thekeep system ways to test the current state of security and it upcreates to datea temporary SAT. The SAT contains the user's SID, plus the SID of every group that the user belongs Learn to. to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies thethe door to an increasing of security threats. When a user tries to accesshave a fileopened or folder, SIDs in the SAT arenumber compared to the ACEs in the The challenge for successful, public web sites is to encourage access to the site while eliminating ACL. If the permissions requested are granted by any ACE or by a combination of ACEs, access is undesirable or malicious and to provide sufficient levels security without constraining granted. If not, access is traffic denied. Table 3-2 shows the ACL for aoffolder called New-Web-Pages. performance or scalability. The more reliant organizations become on the Internet to perform Table 3-3 shows the SAT for Wendy Dean, a web developer. If Wendy tries to edit one of the files daily jobs or conduct transactions, the greater the impact a breach of network security has. Just in that folder, the SIDs in her SAT will be compared to the SIDs in her DACL in the following as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a manner: market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. attacks occur anyACE. point, including the network connection, the firewall, the 1. Network Test to see if SIDcan 4086 is inatthe web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing 2. Not there, try SID 101.network security solution. 3.
1. 2. 3. Not there, try SID 305. 4. Match. Grant permissions requested.
•
Table of Contents
•
TIP
Index
Web Security Field Guide BySteve There Kalman is one
special-case ACE called No Access. If this is assigned to a user or group, it overrides any permissions that would have otherwise been granted.
NOTE SATs contain only SIDs, not the names of the objects the SIDs refer to. They are included in these tables for clarity. Also, for the sake of clarity, the SIDs and SATs are overlytechniques simplified.for They are much more complicated than these tables imply. Hands-on securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user including NT, 2000, and XP Table 3-2. DACL for theplatforms, New-Web-Pages Folder Understand secure installation options for Windows web servers and how to enhance SID security on existing web and FTP server Permission installations 305
Full Control Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Table 3-3. SAT for a Web Developer
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists SID Name security and keep it up to date 4086Discover ways to test the current state ofWendy Dean 101 Learn to engage end users as part of the Everyone Group security solution overall network 305 Web Developers Group While the Internet has transformed and improved the way we do business, this vast network and its 938 associated technologies have opened the door WebtoUsers an increasing Group number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. moreBoles, relianta organizations the Internet to perform Table 3-4 shows the SAT forThe Quincy web user whobecome is not a on developer. Should Quincy try daily jobs or conduct transactions, the greater the impact a breach of network security has. Just to access files in the New-Web-Pages folder, the same steps will be repeated, but with no match as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a against his SIDs, access will be denied. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Table 3-4. SAT for a Web User SID
Name
5377
Quincy Boles
101
Everyone Group
•938
Table of Contents
•
Index
Web Users Group
Web Security Field Guide
Securing the NT 4 File System BySteve Kalman
Cisco Press NT Publisher: 4's default for permissions is that the Everyone group gets full control from the root of each Pubdown. Date: November 08, 2002 drive For a single user workstation, such as a laptop, that might be okay, but this is clearlyISBN: not acceptable 1-58705-092-7for a file server or a web server. If left in place, any user who logged in, no matter Pages:how 608 (even via the anonymous guest-like account created during web server installation) would have full control.
Hands-on TIP techniques for securing Windows(r) servers, browsers, and network communications. In all of the Windows operating systems, a difference exists between All Permissions Create effective security policies and establish rules for operating in and maintaining a and Full Control. The former means Read, Write, Change, and Delete, whereas the security- conscious environment latter means All Permissions plus the ability to change those permissions and to take ownership file or folder. multi-user platforms, including NT, 2000, and XP Learn howof tothe harden Windows Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations You can adjust permissions using Windows Explorer. Right-click the folder where you want your changes to begin and choose Properties. Figure 3-1 shows thisweb action at the web server's Improve security at the end user's workstation, including browsers, desktops, and document root, and Figure 3-2 displays the result. From the tabbed dialog, choose Security to laptops get the screen shown in Figure 3-3. Click the Permissions box to see the current permissions for this folder. the pros and cons of installing a certificate server and becoming your own Evaluate Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard3-1. and extended access lists Explorer to Access the Properties Page Figure Using Windows Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to Figure harden Windows multi-user platforms, including NT, Page 2000, and XP 3-2. WSFGhome\Docs Property Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 3-3. Security Tab on the Properties Page
Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance The result shown in Figure 3-4and is the NT 4 security—every user logged in on the security on existing web FTPdefault server for installations system (the Everyone group) has Full Control. This leaves the system wide open to any kind of unauthorized Improve access. security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Figure Authority 3-4. NT 4 Default with Everyone Getting Full Control Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. To correct that, you should first create two groups. One will serve authorized web users and the other will be for developers. To create groups in NT 4, start User Manager for Domains, as Create effective security policies andmenu establish for maintaining a shown in Figure 3-5. Then click the User itemrules to get tooperating the place in toand create a new local securityconscious environment group. This is shown in Figure 3-6. Clicking Create New Local Group gives the dialog shown in Figure 3-7. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 3-5. Starting User Manager for Domains
Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
Figure 3-7. Creating a Group
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web or the client. Hardening thea defenses at all these points key you to creating Fill inserver, the group name and, optionally, description; click Add. This is gives a dialoganbox effective, all-encompassing network security solution.
(shown in Figure 3-8) that offers the option of which users to add to the newly created group. If you are a member of a domain, you can choose domain users and groups (by clicking the dropdown box and selecting the appropriate domain) as well as local users. Click the user's name that you want to add (which causes the Add button to go from gray to black), and click Add. The result of all this is shown in Figure 3-9, where Joseph has been made a member of the WebDev (Web Developers) group. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure 3-9. One User Added Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
NOTE Hands-on techniques for securing Windows(r) servers, browsers, and network communications. As stated in the introduction to this part, the assumption is that you are building a stand-alone server. An intranet server does not have to be in the domain. Users who Create effective security policies and establish rules for operating and maintaining a browse to intranet servers will automatically and transparently useinthe anonymous securityconscious environment account. For more internal security, you can change the IIS configuration to have each user's access depend on his user rights and file system permissions. If you do that, Learn how to harden Windows multi-user including NT, 2000, and XP joining the domain is appropriate. It allowsplatforms, administration of all user accounts in one place.Chapter 5, "Enhancing Web Server Security," provides details on how to make Understand that change. secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations If you intend to join the domain and use the access controls covered in Chapter 5, you Improve security atfor theboth end users user'sand workstation, including web browsers, desktops, and must create groups developers using the methods described here. laptops However, if you are creating a standalone server, you need to create only the developers' group and accounts; user access will be handled via the automatically Evaluate the pros and cons of installing a certificate server and becoming your own created Anonymous account. Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Figure 3-10 shows the process repeated to create the WebUsers group. This group should have both users andways developers developers still needand read access Discover to test because the current state of security keep it uptotoverify date that users can access the appropriate sections of the site. You might want to remove developers after the web site isLearn in production. them nowofmakes your job easier later. solution to engageAdding end users asinpart the overall network security While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. Figure 3-10. Group Created The challenge for successful, public web WebUsers sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
After you have the necessary groups created, you can apply group permissions to the web root folder. Repeat the steps shown in Figures 3-1 to 3-3 to get back to the dialog shown in Figure 34 (the starting Directory Permissions dialog, repeated here in Figure 3-11). Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security3-11. policiesStarting and establish rules for operating in and maintaining a Figure Directory Permissions security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform dailyAdd jobsto or bring conduct the greater the impact a breach of network securitygroup has. Just Click up transactions, the list of groups known to your server. Then click the WebDev as Cisco Systems innovator in using the Internet conduct business, so too is it a (scrolling down tohas get been to it),an and click Add. That gives you thetodialog shown in Figure 3-12. marketa leader the development sale of products technologies that protect data When group in is added, the defaultand permission is Read.and Click the down arrow labeled Type of travelingand across the Full Internet. Yet aas network Access choose Control, shown security in Figuresolution 3-13. is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and Figure 3-13. Granting Proper Permissions laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP ClickOK Understand to add this secure group, installation and repeat options this process for Windows to addweb the servers Web Users andgroup how to with enhance Read permissions. securityFigure on existing 3-14 shows web and theFTP result. server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
Figure 3-14. Interim Permissions for the Docs Folder
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
After you add the new groups, click Everyone and then Remove to limit access to users in the specified groups. Figure 3-15 shows the result.
•
Table of Contents
•
Index
Figure 3-15. Updated Permissions on the Doc Folder
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and Theselaptops permissions need to be propagated throughout the web site, so click the checkbox next to Replace Permissions on Subdirectories and OK. The result is the warning shown in Figure 316. Click Evaluate Yes to the proceed. pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard andAcknowledging extended access liststhe Warning and Propagating the Changes Figure 3-16. Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a You won't be able to test this until you install the web server. However, if you did try to access market leader in the development and sale of products and technologies that protect data the web server now you wouldn't get in. IIS defaults to access via an anonymous account named traveling across the Internet. Yet a network security solution is only as strong as its weakest IUSR_machine-name (for example, IUSR_pc3). If you're going to rely on anonymous access, you link. Network attacks can occur at any point, including the network connection, the firewall, the have to put that account into the WebUsers group, too. web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
To give a user directory permissions, repeat the steps shown in Figures 3-1 to 3-3, but this time click the Show Users button. That adds individual users to the list for you to select. Choose the Internet Guest account and click Add; then click OK.
•
NOTE Table of Contents
•
Index between access via Internet Explorer (or any other browser) and access Distinguishing (or any other file manager) is essential. In the former case, the BySteve anonymous Kalman account is used and the result is a combination of file system ACL permissions granted to that account plus web server permissions granted to that directory. Publisher: Cisco Press Web Security Field Guide via Windows Explorer
Pub Date: November 08, 2002
In the latter case, access is controlled exclusively by ACL. A user in the domain could ISBN: 1-58705-092-7 map a drive to the web server and read or update web pages when the Everyone group Pages: 608 has Full Control. After making the changes shown here, only web developers can update the site, and only web users can read the contents. Chapter 5 explains how to remove anonymous access for intranet servers.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
NT 4 Operating System Security Create effective security policies and establish rules for operating in and maintaining a Theresecurityis a lot more to securing a web server than hardening the file system. Here's a list of other conscious environment things that you need to do: Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Set account secure policies. Understand installation options for Windows web servers and how to enhance security on existing web and FTP server installations Edit group rights. Improve security at the end user's workstation, including web browsers, desktops, and Rename laptops critical accounts. Turn on auditing. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Remove or disable unnecessary or dangerous services. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco The sections that examine these standard andfollow extended access liststasks in greater detail. Fortunately, except for the last item, most of the work is done in one program—User Manager for Domains. Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution Setting Account Policies While the Internet has transformed and improved the way we do business, this vast network and Account policies take effect when a new account is created. Settings here revolve around its associated technologies have opened the door to an increasing number of security threats. password and login issues. As shown in Figure 3-17, clicking Policies and then Account in User The challenge for successful, public web sites is to encourage access to the site while eliminating Manager for Domains launches the Account Policies page. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a 3-17. Policies Menu market leader in the Figure development andUser sale ofManager products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Figure 3-18 shows the result. Several items on that page have already been changed to their recommended Table 3-5 shows the default value and gives an of the Learn howvalues. to harden Windows multi-user platforms, including NT,explanation 2000, and XP suggested change. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the3-18. end user's workstation, including web browsers, Figure Modified Account Policies Pagedesktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
Table Account Recommendations Evaluate the pros and3-5. cons of installing Policy a certificate server and becoming your own Certification Authority Account Recommended Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Policy Default Value Explanation standard and extended access lists Maximum Never 28 days Users should change passwords at least Discover to test the current state of security and keepon it up to date accessed Password Ageways expires every month infrequently machines. Learn to engage end users as part of the overall network security solution Minimum Blank 9 characters Servers should be well protected. Accounts While the Internet has transformed and improved the wayhave we do business, greater this vastthan network Password allowed should passwords eight and its associated technologies have opened the door tocharacters an increasing number ofinsecurity threats. Length to skirt a flaw the password The challenge for successful, public web sites is to encourage to the while eliminating encryption access program thatsite makes shorter undesirable or malicious traffic and to provide sufficient levels far of security passwords easier towithout guess. constraining performance or scalability. The more reliant organizations become on the Internet to perform Minimum Immediate One day Withouta the restriction, users can cycle daily jobs or conduct transactions, the greater the impact breach of network security has. Just Password Age change through a series of passwords as Cisco Systems has been an innovator in using the Internet to conduct business,tosoget tooback is it to a allowed their favorite. This makes that technique market leader in the development and sale of products and technologies that protect data impractical. traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the Password No history 24 passwords Prohibits alternating among a few favorites. web server, or the client. Hardening the defenses at all these points is key to creating an Uniqueness effective, all-encompassing network security solution.
Account Lockout
None
Enabled
Enables the configuration choices in the next three rows of this table.
Lockout After N Bad Attempts
5
3
Users are expected to know their passwords.
Reset Count
15
15
Fifteen minutes is enough time to start the counter over.
30 mins
The Administrator account cannot be locked out forever. Increasing this value also increases help desk calls for password resets from those who cannot or will not wait.
•After
Table of Contents
•
Index
Lockout 15 mins Web Security Field Guide Duration
BySteve Kalman
Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7
Editing Group Rights Pages: 608 NT 4 also assigns rights to groups. Using the same program, click Policies and then User Rights to bring up the User Rights Policy dialog box. Click the down arrow and select Shut down the system, as seen in Figure 3-19, to bring you to the dialog shown in Figure 3-20. Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
to Modify Create effectiveFigure security 3-19. policies Selecting and establishthe rulesRight for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies opened the door to an increasing number of security threats. Figurehave 3-20. Default Groups with the Right The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Delete the Users group. Every account, by default, is made a member of this group. (The difference between Users and the Everyone group is that you can remove members from Users.) Until you remove Users from the rights list, any user can shut down the system. That's a right that should be restricted. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment TIP Learn howAdvanced to hardenUser Windows including NT, 3-20, 2000,when and XP The Show Rightsmulti-user checkbox platforms, at the bottom of Figure selected, more than doubles the number of rights that can be managed. One of those extra Understand secure installation options for Windows web servers and how to enhance rights is called Debug Programs. By default, only Administrators can use that right. security on existing web and FTP server installations Your web developers might ask you to grant them the right by adding in their group. If possible, resist their efforts. Development should not be done on the production server. Improve security at the end user's workstation, including web browsers, desktops, and Debugging belongs on test machines. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Renaming Critical Accounts
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists An intruder trying to gain access to a server will often try to break into the Administrator account. This is for two reasons: Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution The account is created by default and, so, is usually there. While the Internet has transformed and improved the way we do business, this vast network and If successful, the intruder will have full control of the system. its associated technologies have opened the door to an increasing number of security threats. The successful, public web sites is to encourage access to the site while eliminating You challenge can thwartfor intruders in two ways: undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily Change jobs or conduct transactions, the greater the impact a breach of network security has. Just the name of the Administrator account. as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Create a new account and make a member of the Administrators Then data remove the market leader in the development anditsale of products and technologies group. that protect Administrator from groups. security solution is only as strong as its weakest traveling across theaccount Internet. Yet all a network link. Network attacks can occur at any point, including the network connection, the firewall, the Figure 3-21 demonstrates changing the of the Administrator User Manager, web server, or the client. Hardening the name defenses at all these pointsaccount. is key toIncreating an simply click User, click Rename, and changesolution. the name of the Administrator account. Pick a effective, all-encompassing network security
name that matches your naming convention so that if a user does manage to learn the names of the accounts on the computer, the account name itself does not indicate its special nature.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops As previously stated, another popular way to thwart would-be intruders is to create a new account, make it a member of the Administrators group, and remove the Administrator account Evaluate the pros and cons of installing a certificate server and becoming your own from all groups. You can even assign the Administrator account the special No Access file Certification Authority system permission to all files and folders. This way, even if the intruder is successful, nothing is lost. This is the the Cisco recommended technique. The now powerless Administrator account will Cisco still Learn PIX Firewall and Cisco IOS Firewall architecture and how to apply attract would-be hackers. If you log attempted logins to that account, you'll know right away if standard and extended access lists you're under attack. Discover ways to test the current state of security and keep it up to date Learn to Auditing engage end users as part of the overall network security solution Turning On While the Internet has transformed and improved the way we do business, this vast network and NT 4 uses the term auditing in much the same way as other operating systems use the term its associated technologies have opened the door to an increasing number of security threats. logging. Whichever word you use, it is a means to record certain, selected events. Those events The challenge for successful, public web sites is to encourage access to the site while eliminating come in two categories. The easy way to divide them is by things that concern the operating undesirable or malicious traffic and to provide sufficient levels of security without constraining system, such as failed logins or rebooting, and by things that concern files and folders, such as performance or scalability. The more reliant organizations become on the Internet to perform deleting them or taking ownership. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a To enable either operating system event logging, or file system event logging, start in User market leader in the development and sale of products and technologies that protect data Manager for Domains and click Policies and then Audit. traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks occur at any network connection, firewall, Figure 3-22 shows thecan place to click to point, launchincluding the auditthe dialog. When the dialogthe pops up, thethe Do web server, or the client. Hardening the defenses at all these points is key to creating Not Audit button is checked and the rest of the items are grayed out. Click the Audit an These effective, all-encompassing network security solution.
Events button to get the screen shown in Figure 3-23. From that screen, click both the Success and Failure checkboxes on the File and Object Access line to enable file system auditing.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
Figure 3-23. Default Auditing Dialog Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Table 3-6 defines the possible auditing choices. Figure 3-24 shows the suggested entries for a web server. All failures are audited, as well as successful changes to File, Security, and Restart. You can audit more, but choosing some of these items (such as successful logins) adds significantly to the web server's log without adding very much to its security. Doing so also risks a denial-of-service attack. When log files fill, servers shut down unless configured otherwise. You must make sure that there is always plenty of room in your log file. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and Table 3-6. Auditing Choices in NT-4 laptops Evaluate the pros and cons of installing a certificate server and becoming your own Audit Event Recommended? Success Failure Certification Authority Logon and Not for web servers Records every successful Records failed logon Learn the Cisco PIX Firewall and Cisco IOS including Firewall architecture how to apply Cisco Logoff logon, anonymous and attempts. standard and extended access lists web users. File and Discover ways Yes, tocoupled test thewith current state Coupled of security with file andand keep folder it up to Records date requests to Object Access careful selection of logging, will show when files change files or folders Learn to engage end folders users as thecreated, overall deleted, network or security solution files and topart ofare that failed due to lack of monitor changed; also shows permissions. While the Internet has transformed and improved the way we do business, this vast network and ownership transfer. its associated technologies have opened the door to an increasing number of security threats. Usechallenge of User for Not for web public serversweb sites Records user rights, attempts to do The successful, is towhen encourage access to Records the site while eliminating Rights granted via User Manager, something for which the undesirable or malicious traffic and to provide sufficient levels of security without constraining are organizations employed. right was not performance or scalability. The more reliant become on the Internet to granted. perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just User and No Records successful changes Records unsuccessful as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Group to groups, including attempts to change market leader in the development and sale of products and technologies that protect data Management creating, deleting, and groups or memberships. traveling across the Internet. Yet a network security solution is only as strong as its weakest editing membership. link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Security Policy Yes Changes
•
Table of Contents
Restart, Yes Index Shutdown and Web Security Field Guide System •
BySteve Kalman
Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Process Never for web servers Pages: 608 Tracking
Intruders usually try to make changes to security policies. Recording successful attempts helps reconstruct an intrusion or alert you that one is ongoing.
Having a history of unsuccessful attempts to change security policy helps track down intruders before they succeed.
Normal restarts mark the log with known events. Unexpected restarts show potential misbehaving programs or successful intruders who try to cover their tracks.
Failed restart attempts show intruders who try to cover their tracks and help identify badly misbehaving programs.
Creates an entry every time Creates entries when a program or process starts, processes fail to start. filling logs very quickly.
Changes to the auditing profile are recorded in the security log. You can see the changes using Hands-on techniques for securing Windows(r) servers, browsers, and network the Event Viewer program on the Administrative Tools (Common) menu. Selectcommunications. the Security Log and open the log file entry to see the policy change shown in Figure 3-25. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Figure 3-25. Logmulti-user Entry Because a Policy Change Learn how to harden Windows platforms, of including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, After you have all-encompassing turned on auditing network in security User Manager solution. for Domains, you can begin auditing in the
file system. To get to the Properties dialog shown in Figure 3-26, launch Windows Explorer, navigate to and select the directory you want to audit, right-click and choose Properties, and select the Security tab.
Figure 3-26. Auditing on the Security Tab in the Folder's Properties •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops ClickAuditing to bring up the Directory Auditing box shown in Figure 3-27. You have the ability Evaluate the pros and cons of installing a certificate server and becoming your own to audit the actions of both individual users and group objects. In addition, the choices you make Certification Authority for one object audit don't have to be the same as the choices you make for another. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure Default Dialog Discover ways to test 3-27. the current state ofDirectory security andAuditing keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations ClickAdd to bring up the list of users and groups for your server (shown in Figure 3-28), select theEveryone and clickend Add and OK. Because including this is theweb most general group, you'll use it Improve group, security at the user's workstation, browsers, desktops, and whenlaptops you want to audit everyone's actions. The recommended items to audit are shown in the checkboxes in Figure 3-29. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
3-28. Users andIOS Groups Audit Candidates Learn theFigure Cisco PIX Firewall and Cisco Firewallas architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Figure 3-29. Recommended Auditing Selections
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and
TIP laptops
You can audit the Everyone even if have removed that group's file system Evaluate the pros and cons Group of installing a you certificate server and becoming your own permissions. Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
NOTE Learn to engage end users as part of the overall network security solution Some folders should always be audited. In particular, three folders under While%systemroot% the Internet has transformed and improved the way webe domonitored business, this vast network and (System, System32, and Repair) should for changes. its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform Removing or Disabling Unnecessary or Dangerous Services daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a The onlyleader foolproof way to guarantee that anofintruder won't a particular piece of software is market in the development and sale products and use technologies that protect data to remove it from your system. When possible, do exactly that. A second-best alternative, traveling across the Internet. Yet a network security solution is only as strong as its weakest especially useful with can a special of programs servicesconnection, is to disablethe them. Examine link. Network attacks occurcategory at any point, includingcalled the network firewall, the the list of services running on your computer and disable the ones that you don't need. Use web server, or the client. Hardening the defenses at all these points is key to creating an Control Panel and then launch the Services to see your computer's list of services. effective, all-encompassing network securityapplet solution.
One service that has a high-risk factor is the Messenger service. It can be used in a social engineering type of attack, fooling cooperative users into doing things that the attacker wants. To disable the Messenger service, launch Control Panel, then the Services applet, and select Messenger. That gives you the dialog box shown in Figure 3-30. Double-click Startup to get to the Service box shown in Figure 3-31 and set the Startup Type to Disabled. Click OK to get back to the main services screen and then click Stop. You get the warning shown in Figure 3-32. Click Yes to complete the task. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure 3-31. Disabling the Messenger Discover ways to test the current state of security and keep it upService to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a Figure 3-32. Stopping the Messenger Service Immediately security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Securing the NTPIX 4 Web Server Learn the Cisco Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists In January 2002, Microsoft issued an internal memo saying that security is the top priority, and Discover wanted ways to to test current state of security and This keepmemo it up to date that Microsoft bethe known for its trusted software. was made available to and widely reported in the trade press. Learn to engage end users as part of the overall network security solution Even assuming that this new initiative is wildly successful, it will do nothing for the operating While theand Internet transformed and improved the way weFinding do business, this vast network and systems other has Microsoft software already in distribution. and fixing or removing its associated technologies have opened the door to an increasing number of security threats. vulnerable software is a mandatory step in securing a web server or network. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or the malicious and to provide of security without constraining Accomplishing job bytraffic manual inspection is sufficient simply notlevels possible. New vulnerabilities in old performance or scalability. The more reliant organizations become on the to that perform software and unknown vulnerabilities in both new and old software are so Internet numerous they daily or conduct transactions, the greater theyou impact a one. breach networkseveral security has. Just need jobs a computer to search for them. Fortunately, have In of addition, well-known as Cisco Systems has been innovator in using the aInternet to conduct business, too is it a scanners are available. The an next few pages give you brief overview of the InternetsoScanner market leader in the development and sale of products and technologies that protect data from Internet Security Systems (ISS) operating in the NT 4 environment. traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
NOTE The ISS Internet Scanner is one of several in the field. It is included because it is a leading example in its category. It is a complex program with many more features than are described here.
•
Table of Contents
ISS Internet Scanner comes with about 20 built-in policies. In this context, a policy is a set of • Index potential security holes to check for. Different policies exist because different computers are used Web Security Field Guide in different manners; actions that are everyday, normal occurrences on one might be a security By Steve hole onKalman another. An example of this is something covered earlier in this chapter. NT 4 gives the Everyone group the Full Control permission at the root of each drive. For NT 4 Workstations, this is usually appropriate. For NT 4 Servers, it almost never is. Another reason is that the items Publisher: Cisco Press scanned for on Windows-based computers differ from scans on those running UNIX, and both Pub Date: November 08, 2002 have wildly different scanning needs than routers. Finally, some tests take quite a bit of time ISBN: 1-58705-092-7 (both elapsed time and CPU resources). To accommodate the need to scan everything on some Pages: 608 machines while having the ability to perform less intrusive scans on others, several levels of scans are available. Higher-level numbers are more detailed. With that in mind, the first job is to pick a policy. If the predefined policies don't match your needs, you could decide to build your own, modeling it on one of the existing policies. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Start Internet Scanner and click OK to create a new session. Figure 3-33 shows the beginning of a session with ISS waiting for policy selection. Clicking Add Policy begins a simple three-step Create effective security policies and establish rules for operating in and maintaining a process: security- conscious environment Step 1. Select a policy to clone. (There is a predefined blank policy for the truly Learn how to harden Windows multi-user platforms, including NT, 2000, and XP adventurous.) Understand installation options for Windows web servers and how to enhance Step 2. Editsecure the policy. security on existing web and FTP server installations Step 3. Name and save it. Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Figure 3-33. ISS Policy Selection Page Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Figure 3-34 illustrates step 1. The built-in L5 NT Web Server policy is a good place to start. SelectLearn L5 NThow Web click Next. Giveplatforms, the sessionincluding a descriptive nameand andXP click Finish. to Server harden and Windows multi-user NT, 2000, From the Policy menu, select Edit Current. Expand Vulnerabilities and then Denial of Understand secure installation options for Windows servers howan to expansion enhance of Service branches. That brings you to the screen in Figureweb 3-35, whichand shows security on existing web and FTP server installations the FTP Vulnerabilities branch. Six commercial FTP servers are listed. One of them is Serv-U, a product discussed in Chapter 6, "Enhancing the FTP Server." ISS users with systems that have Improve therelevant end user's workstation, including webothers browsers, desktops, and Serv-U should security select allatthe tests and make sure that the are deselected. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification AuthorityFigure 3-34. ISS Sample Policies Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Figure 3-35. ISS Policy Editing
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
After making all desired changes and saving the policy, ISS asks for the IP addresses to scan using that policy. This inquiry screen is shown in Figure 3-36. The bulleted entry, Ping valid hosts in your key, needs some special explanation.
Figure 3-36. ISS, Specifying the Destination Addresses to Scan •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own In one important way, a commercial scanner is like a loaded gun; it can be used for defense or Certification Authority for offense. In the hands of authorized security staff, it can find holes that need to be patched. However, theCisco hands of Firewall an intruder, can IOS just Firewall as easilyarchitecture find holes toand exploit. When you Learninthe PIX and it Cisco how to apply Cisco purchase ISS or any reputable scanner, the vendor needs to know the IP address range that you standard and extended access lists want to scan. If you choose an IANA-registered IP address, you need to prove that you are authorized to scan addresses. When the Discover waysthose to test the current state of registration security andprocess keep it is upcomplete, to date ISS issues you a key that is limited to your range of addresses. (This is sometimes called an IP Lock.) Learn to engage end users as part of the overall network security solution Still, you probably do not want to scan all your machines at the same time. Doing so takes too long network traffic dramatically. Also, is much manageable have one Whileand theincreases Internet has transformed and improved the itway we domore business, this vasttonetwork and report for one technologies machine. That way, you can it over, needed, number to determine if a particular its associated have opened therun door to an as increasing of security threats. security hole isfor patched. Figure 3-37web demonstrates selecting the address or site range of addresses The challenge successful, public sites is to encourage access to the while eliminating to scan. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development Figure 3-37. and sale ISS, of products Entering andthe technologies Address that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, network communications. After you launch the scan, you might have to handle one or more and warnings, such as the Denial of Service (DoS) warning shown in Figure 3-38. Scanning often causes DoS problems and should be scheduled when least intrusive. (This is establish another reason to operating scan only in one machine at a time.) Create effective security policies and rules for and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Figure 3-38. ISS, Denial of Service Warning
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Reputable scanners alert stations that they are being scanned, as shown in Figure 3-39. If you ever see a message like this pop up while you are working (and you're not absolutely sure that the scan is authorized), disconnect from the network immediately and notify your administrator.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops WhenEvaluate the scanthe finishes, ISScons shows security weaknesses by category. Figureyour 3-40own displays pros and of the installing a certificate server and becoming the Vulnerabilities section. Items listed there are categorized as High, Medium, or Low risk and Certification Authority should be attended to in that order. You can also generate a report in a variety of formats, as shown in Figure 3-41.PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Learn the Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
Figure 3-40. SS, Displaying the Scan Results Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn howFigure to harden Windows multi-user platforms, including NT, 2000, and XP 3-41. ISS, Generating a Permanent Report Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
NOTE Although you cannot see it in Figure 3-40, the levels of risks are color-coded. The Low risks use a blue circle with an "i" in it, Medium risks have yellow triangles with an "!," and High risks are red with a "-." •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Windows 2000/XP Security Windows 2000 introduced the Active Directory (AD). An AD holds information about all resources on the network, including the information about users, groups, and rights that NT 4 held in its SAM database. Because of its enterprisewide, global scope, the security surrounding it is more • Table of Contents sophisticated. •
Index
Web Guide EachSecurity recordField (called an object) in the AD can be protected with its own ACL. Like ACLs for files and folders, these ACLs list users and groups and the kind of access they have to particular BySteve Kalman objects. To make the system more secure and less overhead-intensive, a query mechanism called a Global Catalog (GC) is supported. Publisher: Cisco Press
Novemberchanges 08, 2002 brought about by the AD is the new dependence on DNS. In NT 4, OnePub of Date: the biggest ISBN: 1-58705-092-7 DNS was common but not required. NT 4 defaulted to and assumed that it could rely on NetBios names, Pages: although 608 it does support DNS. The AD is a hierarchical organization of domains, organized into forests made up of trees.
The AD tree has the top-level DNS name, and the domains have subordinate names. For example, the General Motors tree (GM.COM) might have domains named Buick.GM.COM, Chevrolet.GM.COM, Pontiac.GM.COM, and so forth. Furthermore, the Chevrolet.GM.COM domain Hands-on techniques for securing Windows(r) servers, browsers, and network communications. might itself be subdivided into domains Trucks.Chevrolet.GM.COM, Cars.Chevrolet.GM.COM, and so on. On the other hand, Isuzu might have its own Isuzu.com tree. Because GM owns Isuzu, thereCreate is a close relationship between and the two trees form a forest. Queries againstathe effective security policiesthem and establish rules for operating in and maintaining GC could look at the entire forest or at a specific tree or domain. Similarly, AD management can security- conscious environment be delegated at those levels, too. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
NOTE
Improve security at the end user's workstation, including web browsers, desktops, and Just because AD is available starting with Windows 2000 does not mean that it has to laptops be used. Standalone machines can still exist. Evaluate the pros and cons of installing a certificate server and becoming your own Windows 2000 web servers in the DMZ should be configured as if they were NT 4 Certification Authority servers. Create local users and groups and manage accordingly. Web servers in the trusted Learn the intranet Cisco can PIX belong Firewalltoand theCisco AD, or IOS they Firewall can bearchitecture created as standalones. and how to apply The Cisco decision standardisand based extended on whether access you lists want internal users to access them with their usernames and passwords or by the Anonymous account. Chapter 5 provides Discover ways test the current of security and keep it up to date instructions for to implementing this state decision. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and 2K/XP File technologies System Security Templates its associated have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security Security Templates are another addition that shipped with Windows 2000.without (To be constraining fair, they were performance or scalability. The more reliant organizations become on the Internet to perform also included in an NT 4 service pack, but not with all of the Windows 2000 functionality.) These daily jobs or conduct transactions, the greater the impact a breach of network security are model security formats that can control rights, permissions, registry entries, group has. Just as Cisco Systems been an innovator in usingofthe Internetare to conduct so too2000 is it a memberships, andhas much more. A large number templates suppliedbusiness, with Windows market leader in the development and sale of products and technologies that protect data (and with Windows XP, which continues to use them). You can find even more templates at traveling across the and Internet. Yet Windows a networksecurity-oriented security solutionsites is only Microsoft's web site at other on as thestrong web. as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
CAUTION
• •
Sophisticated intruders have introduced security templates that intentionally install security holes. They track the IP address of those that visit their web site to download the template and use the holes they planted to launch an attack. If you do download templates, be sure that they come from a reputable source. (One such reputable source, by the way, is www.nsa.gov, where you'll find some truly excellent security Table of Contents resources, including one that is used later in this chapter.) Index
Web Security Field Guide BySteve Kalman
This first subsection on Windows 2000/XP Security introduces you to the default server template. If you wereCisco to apply Publisher: Press it unchanged, your Windows 2000 Server's security would be the same as after a fresh operating system installation. Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
TIP Running the default script weakens security for already running web servers. Take your servertechniques off the network before Windows(r) running it. servers, browsers, and network communications. Hands-on for securing Create effective security policies and establish rules for operating in and maintaining a Running the default scriptenvironment is especially important if you upgraded from NT 4 workstation or securityconscious server rather than performed a fresh install. Upgrades inherit their predecessors' security settings. Learn The how Microsoft to harden templates Windows generally multi-user assume platforms, that the including defaultsNT, are2000, in place, andso XPthey don't change things that are already assumed to be okay. Understand secure installation options for Windows web servers and how to enhance Also, security be aware onthat existing you don't web and haveFTP to run server the installations templates. You could, for example, follow the instructions in the NT 4 sections with the minor modifications needed to adjust to the new Improve security the end User user's workstation, including web browsers, desktops, andand operating system. (For at example, Manager for Domains is gone, but you can add users laptops groups from Computer Management in Control Panel's Administrative Tools.) Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Installing Templates
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Windows 2000 and significantly the Management Console that came with Service Pack 4 standard extendedenhanced access lists for NT 4. Windows XP added a little more. The easiest way to launch the Management Console with either Discover operating ways tosystem test the is current to use the state Start/Run… of securitydialog and keep box and it upenter to date the program name, mmc, which takes you to the screen shown in Figure 3-42. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. Figure 3-42. Management Console The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment As installed, the Management Console doesn't do much. You have to add function-specific modules called start adding the security configuration click and Learn howsnap-ins. to hardenTo Windows multi-user platforms, including snap-in, NT, 2000, andConsole XP Add/Remove Snap-in, as shown in Figure 3-43. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers,Function desktops, and Figure 3-43. Launching the Add/Remove Snap-In laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment From the screen shown in Figure 3-44, click the Add button to get the list of standalone snapins. Scroll to harden the bottom and select Security Configuration Learndown how to Windows multi-user platforms, includingand NT, Analysis; 2000, and then XP click Add, as shown in Figure 3-45. Repeat the process to add the Security Templates; then click installation for Windows servers andtohow enhance CloseUnderstand to give yousecure the screen shown options in Figure 3-46. Click web OK to get back the to main Console security on existing web and FTP server installations screen shown in Figure 3-47. Notice the two snap-ins are loaded. Improve security at the end user's workstation, including web browsers, desktops, and laptops
Figure 3-44. Adding a Snap-in to the Management Console
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Figure 3-45. The Snap-In List Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
Figure 3-46. Two Snap-Ins Ready to Add to the Management Console Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Figure 3-47. MMC with Snap-Ins Added Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Security templates can be in any of several locations. Another source of Microsoft supplied templates in C:\WINNT\INF. To add a security template,including right-click Security Templates and Learnishow to harden Windows multi-user platforms, NT, 2000, and XP chooseNew Template Search Path.Figure 3-48 demonstrates this. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and Figure 3-48. Adding Another Template Location laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
TIP
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP in server installations folder come with Windows 2000 The Microsoft supplied templates the C:\WINNT\INF Server, but not Windows 2000 Professional. If you're installing on the latter platform, Improve security at the end user's workstation, you can download the templates from Microsoft'sincluding web site.web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Browse to the folder holding the supplemental templates, shown in Figure 3-49, and click OK to bring you to the revised Console shown in Figure 3-50. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
Figure 3-49. Browsing for Supplemental Templates
Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation for Windows web servers and how to enhance Figure 3-50.options Revised Management Console security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Expand the new \inf branch, scroll down to the default templates, and select defltsv, which stands for default server and is shown in Figure 3-51. Expand that branch, click the item labeled File System, and scroll down to the item called %SystemRoot% to provide you with the screen shown in Figure 3-52. Double-click that line to bring up a dialog box shown in Figure 353. •
Table of Contents
•
Index
Web Security Field Guide BySteve Kalman
Figure 3-51. Selecting the Default Server Template
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure 3-52. Displaying the Default Server Items Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Figure 3-53. Template Security Policy Setting Dialog Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
TIP
• •
%SystemRoot% is an environment variable. Environment variables are set on boot up and can be viewed by opening a command prompt and typing the command set. Figure 3-54 shows the environment variables on the Windows 2000 test machine, W2K-Srvr. Table of Contents Index
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists ways to test the current state Edit of security and you keepsee it up date shown in Figure From Discover the dialog shown in Figure 3-53, click Security; thetoscreen 3-55. Although this figure describes the settings if this template is applied, it does not Learn to engage end users as part of the overall network security solution necessarily reflect the current settings. After examining the figure, click Cancel twice to return to the Console. Click Security Configuration and Analysis in the left column; you might have to While the Internet has transformed and improved the way we do business, this vast network and scroll up to see it. You should now see the screen shown in Figure 3-56. its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform Figure 3-55. Proposed File Settings daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority LearnFigure the Cisco3-56. PIX Firewall and Cisco IOS Firewall architecture and howScreen to apply Cisco Security Configuration and Analysis standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Analyzing the Server
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
The Console screen givesinstallation the instructions to for create a newweb database orand open an to existing one. Understand secure options Windows servers how enhance Assuming thaton this is yourweb firstand time through program, you should create a new database. security existing FTP server the installations Right-click the Security and Configuration Analysis scope (resulting in the screen shown in Figure 3-57) and click Open the screen shown Figure 3-58). Typeand in the Improve security at the Database end user's (yielding workstation, including web in browsers, desktops, filename or use the one indicated in the figure as a model, and then click Open. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Figure 3-57. Creating a New Database
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to hardenFigure Windows3-58. multi-user platforms, NT, 2000, and XP Naming theincluding Database Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Systems has been an template innovatorfile, in using the to conduct business, sopreviously too is it a TheCisco result is a request for the shown in Internet Figure 3-59. Because you have market leader in the development and sale of products and technologies that protect data identified more than one location for the template file, be aware that the open Import traveling Internet. Yet network is only as its Templateacross dialogthe might default toathe wrongsecurity location.solution If so, you needastostrong navigate to weakest the correct link. Network attacks can occur at any point, including the network connection, the the location (C:\Winnt\inf, in this case). Click once on the template called defltsv, clickfirewall, the web server, or the client. Hardening the defenses at all these points is key to creating an checkbox at the lower left to clear the database, and click Open. That brings you back to the effective, all-encompassing network security solution.
Console (see Figure 3-60), ready to analyze or configure your server.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 3-60. MMC, Ready to Analyze or Configure the Server
Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Right-clickSecurity and Configuration Analysis scope again (see Figure 3-61), but this time chooseAnalyze Computer Now. You'll be asked for a path for the error log (see Figure 3-62), and you can take the default. Click OK to begin the analysis process. This takes a while. To bide your time, compare your image to the one shown in Figure 3-63. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure 3-62. Naming the Error Log Location
Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. When the analysis process finishes, right-click the Security and Configuration Analysis scope effective security policies and establish for operating andamaintaining againCreate and choose View Log File. Figure 3-64 showsrules the log's first pagein with mismatch a securityconscious environment between the current value of a user right and the template value. Figure 3-65 shows the same log, this time looking at several mismatches in Registry keys. (The particular keys listed for your Learn how to won't harden Windows multi-user platforms, including NT, 2000, and XP such as machine probably match the figure because of the small differences in machines, video and other peripherals, drivers, updates and patches applied, and software installed.) If Understand installation fortake Windows servers how the to enhance you are following secure along on your ownoptions machine, a fewweb moments toand explore log. security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
Figure 3-64. User Rights Portion of the Analyze Log
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how Figure to harden3-65. Windows multi-userPortion platforms, NT, 2000, and XP Registry ofincluding the Analyze Log Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Configuring the Server Perform the next step only when you want to set a server's security settings to the installed default. If that is the case, right-click the Security and Configuration Analysis scope (also shown in Figure 3-65) and choose Configure Computer Now. After the configuration is complete, you need to viewTable the log file. (You might need to refresh the log.) • of Contents •
Index
This time, the images Web Security Field Guide from the log file (refer to Figure 3-66 and Figure 3-67) show that the mismatches were corrected. Compare Figures 3-64 and 3-66 for the rights changes and Figures BySteve Kalman 3-65 and 3-67 for the Registry changes. Publisher: Cisco Press Pub Date: November 08, 2002
Figure 3-66. User Rights Portion of the Configure Log
ISBN: 1-58705-092-7 Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and Figure 3-67. Registry Portion of the Configure Log its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
2K/XP Operating System Security Learn how to harden Windows multi-user platforms, including NT, 2000, and XP ThereUnderstand is a lot more secure to security installation than the options file system. for Windows Although web itservers is easyand to point how to outenhance the obvious pitfalls, security far more on existing traps are web well and hidden. FTP server For this installations reason, running a security scanner is a must. The "Securing the NT 4 Web Server" section earlier in the chapter described running the ISS Improve security the end user's including webWindows browsers, desktops, and Internet Scanner on anat NT 4 server. ISSworkstation, and its competitors have 2000 and Windows laptops as well. Rather than repeat an essentially identical process, you are encouraged to XP products, refer to the NT 4 section. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Modifying Templates forIOS Web Servers Learn theSecurity Cisco PIX Firewall and Cisco Firewall architecture and how to apply Cisco standard and extended access lists The Windows 2000 Server default rights and permissions are far too lenient to be used in a Discover waysIfto test theinstalled current your state server, of security andran keep up to date production server. you just or you theitdefault template described in the previous sections, you will have just such a configuration. You need to make changes to Learn engage end users as part of thesystem. overall network security solution secure bothto the file system and the operating While the Internet transformed and improved way we do business, this vast network and Normally, tracking has down all the changes would be the a never-ending task. As previously mentioned, its associated technologies have opened the door to an increasing number of security threats. the National Security Agency (NSA), a U.S. government agency, has done a lot of the work for The successful, public webtemplate sites is tofile encourage access to the site eliminating you.challenge It createdfor a Windows 2000 Server called W2K_Server.inf, andwhile you can undesirable or malicious traffic and to provide sufficient levels of security without constraining download it without charge from http://nsa1.www.conxion.com/win2k/download.htm. performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling TIPacross the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or change. the client. Hardening the defenses at all these points is on keythe to creating an Web sites You can get to that download page from a link NSA home effective, network security solution. page,all-encompassing www.nsa.gov.
The W2K_Server.inf template will secure a default server. However, the NSA authors have no way of knowing anything about your local security policy or locally installed folders. The good news is that you can edit their template to include that information. Figure 3-68 illustrates the NSA template fully expanded to show all the policies it supports. This • Table of Contents provides a convenient way to examine the configuration settings that you should employ. The • Index policies are as follows: Web Security Field Guide BySteve Kalman
Account Policies
Publisher: Cisco Press
Local Policies
Pub Date: November 08, 2002
Event ISBN: 1-58705-092-7 Log Pages: 608
Restricted Groups System Services Registry Hands-on techniques for securing Windows(r) servers, browsers, and network communications. File System Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Figure 3-68. NSA Security Template
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
TIP If you download the NSA template, a good destination is the INF folder. It already has templates in it and you've already added the folder to your Management Console.
•
Table of Contents
Account Policies • Index
Web Security Field Guide
The Account Policies portion of the template is comprised of two parts, Password Policy and BySteve Kalman Account Lockout. Figure 3-69 shows the default Password Policy. The Password age is set at its maximum, 90 days, but a 28-day period makes more sense. Double-click Password Policy to Publisher: Cisco Press bring up the Template Security Policy Setting dialog box, shown in Figure 3-70, where you can November 08, 2002 typePub inDate: the preferred number of days. Click OK to accept your change to the template. ISBN: 1-58705-092-7 Pages: 608
Figure 3-69. Password Policy Page Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining Figure 3-70. Editing a Password performance or scalability. The more reliant organizations become Policy on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
TIP techniques for securing Windows(r) servers, browsers, and network communications. Hands-on The Kerberos policy settings are valid only on a Domain Controller (DC), and the assumption here security is that the web server is not a rules DC. for operating in and maintaining a Create effective policies and establish security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance
TIP security on existing web and FTP server installations Another Improveitem security in Figure at the3-70 end is user's worthworkstation, noting. A checkbox includinglabeled, web browsers, "Define this desktops, Policy and in the laptops Template," is selected by default for nearly every policy in the template. That means that when the template is applied, every security policy included in it will be Evaluateon theyour prosmachine, and consnot of installing a certificate server becoming your installed just the ones you change. If and you would rather setown some Certification item to "leaveAuthority it alone," remember to clear this checkbox. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists The other part of the Account Policies controls Account Lockout. The NSA default is shown in Discover to test theofcurrent state is of more security and keep it up is torecommended. date Figure 3-71. A ways lockout period 30 minutes conservative and Change this setting using the previous procedure. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. Figure 3-71. Account Lockout Policy The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
TIP
Understand secure installation options for Windows web servers and how to enhance security on existing webtend and to FTP server their installations If your legitimate users mistype passwords frequently, they will overwhelm the help desk with requests to reset the lockout time. Have the help desk Improve at the end user's workstation, including browsers, and log those security calls. Before agreeing to shorten the time period,web check to see ifdesktops, there isn't laptops some group of users, a department, or a location that is having difficulty. If so, try additional training or supplementary documentation instead. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco
Localstandard Policies and extended access lists
Discover ways to testhas thethree current state of security and keep it up to date The Local Policies section parts: Learn to engage end users as part of the overall network security solution Audit Policy While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. User Rights Assignments The challenge for successful, public web sites is to encourage access to the site while eliminating Security undesirable orOptions malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform Figure 3-72 thetransactions, Audit Policy.the Auditing successful account logon events can enter has. quiteJust a daily jobs orshows conduct greater the impact a breach of network security bit of redundant log; it, as shownto in conduct Figure 3-73 (failure as Cisco Systemsdata has into beenthe an system innovator inediting using the Internet business, so only), too is is it a recommended. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an Figure Audit Policy Defaults effective, all-encompassing network3-72. security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Figure 3-73. Editing Account Logon Events
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. NOTE Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an Two similar items are often confusing. logon events logs interactive logons, while effective, all-encompassing network securityAudit solution.
Audit account logon events logs network logons. A failed interactive login is far more important to log (and investigate) than a failed network logon.
• •
TIP
Table of Contents Index
Figure 3-24, in the section discussing turning on NT 4 Auditing, shows the recommended audit settings. You are encouraged to use that figure and the BySteve Kalman surrounding discussion to guide your Windows 2000 and XP configurations. Web Security Field Guide
Publisher: Cisco Press Pub Date: November 08, 2002
Figure 3-74 shows the NSA choices for User Rights security. Many of the rights have ISBN: 1-58705-092-7 appropriately been allocated exclusively to administrators. However, the right to access this Pages: 608 computer from the network should be changed to prevent a wide variety of NetBIOS hacks. Double-clickDeny access to this computer from the network to bring up the screen shown inFigure 3-75. Click Add to launch the pop-up window shown in Figure 3-76. Click the Browse button, and select the group WebUsers. Click OK to deny this group that right. Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Figure 3-74. User Rights Template
Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network occur atthe any Right point, including the network connection, the firewall, Figureattacks 3-75.can Editing to Access This Computer from the the web server, or the client. Hardening the defenses at all these points is key to creating an Network effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Figure 3-76. Selecting the Group to Deny Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily orshows conduct greater the impact a template—Security breach of network security Figurejobs 3-77 thetransactions, final section the within the Local Policies Options.has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Accepting it as they wrote it is recommended. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or Figure the client.3-77. Hardening the Policy defensesSecurity at all these Options points is key to creating an Local Default effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
TIP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations The item that controls renaming the Administrator account is highlighted. In the NT-4 section of this chapter, there is a discussion on the merits of doing just that. (Refer to Improve security at the end user's workstation, including web browsers, desktops, and "Renaming Critical Accounts" subsection.)You are encouraged to read those pages, laptops even if you have no NT-4 servers. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn Event Logthe Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure 3-78 shows the Event Log section of the NSA template. The default action to take if log Discover ways to test the current state of security and keep it up to date files fill up is to halt the system. In most cases that's fine, but if you have a server that must always be up, considerend letting it as runpart even theoverall logs fillnetwork up. Thesecurity way to change Learn to engage users ofifthe solutionthe setting is to double-click the bottom item, Shut down the computer when the security audit log is full. That up the has setting box shown in improved Figure 3-79, you select the Disabled Whilebrings the Internet transformed and thewhere way we doshould business, this vast network and button and click OK. its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform Figure 3-78. Default Event Log Page daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows platforms, including Figuremulti-user 3-79. Modifying a RuleNT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining Restricted performanceGroups or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been innovator usingUsers the Internet to conduct so tooremoves is it a The Restricted Groups pagean contains the in Power group element. Thebusiness, NSA template market leader in the development and sale of products and is technologies data all rights and privileges from that group because the group not neededthat on aprotect standalone traveling across theshows Internet. a network server. Figure 3-80 this Yet trivial page. security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
System Services Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations One of the primary jobs to perform when hardening a server is to remove or disable any service Improve security at the end user's including desktops, that isn't needed. The NSA template listsworkstation, all of the services thatweb youbrowsers, should consider but and makes laptops no decisions for you. Figure 3-81 shows one service that you'll never need on a web server (DHCP Client) being removed. Table 3-7 provides a list of services that you can disable on your Evaluate the pros and cons of installing a certificate server and becoming your own web servers. Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure 3-81. Disabling a Service via the Template
Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Table 3-7. Services That Can Be Disabled Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance Service Name Description security on existing web and FTP server installations Clipbook Viewer Enables the Clipbook Viewer to create and share "pages" of data to be Improve securityviewed at the by endremote user's computers. workstation, including web browsers, desktops, and laptops Computer Browser Maintains an up-to-date list of computers on your network and supplies the listcons to programs thata request it. The Computer Browser service Evaluate the pros and of installing certificate server and becoming your own is used by Windows-based computers that need to view network domains and Certification Authority resources. the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco DHCPLearn Client Dynamic Host Configuration Protocol Client manages network standard and extended access lists configuration by registering and updating IP addresses and Domain Name Server (DNS) names for this computer. Discover ways to test the current state of security and keep it up to date DHCP Server Allocates IP addresses and allows the advanced configuration of network Learn to engagesettings. end users as part of the overall network security solution DNS Server DNS name resolutionthe byway answering queries and update requestsand While the Internet hasEnables transformed and improved we do business, this vast network for DNS names. its associated technologies have opened the door to an increasing number of security threats. The to encourage Faxchallenge Service for successful, Enablespublic you toweb sendsites andisreceive faxes. access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining File Server for Enables Macintosh users to store andbecome access files on Internet this Windows server performance or scalability. The more reliant organizations on the to perform Macintosh machine. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems been an access innovator in using the Internet to on conduct business, so too is it a Gateway Service has Provides to file and print resources Netware networks. market leader in the development and sale of products and technologies that protect data for NetWare traveling across the Internet. Yet a network security solution is only as strong as its weakest Internet address translation (NAT), addressing, link. Network attacks Provides can occurnetwork at any point, including the network connection,and the name firewall, the Connection Sharing resolution services for all computers on your home or small-office web server, or the client. Hardening the defenses at all these points is key to creating annetwork through a dial-up or broadband effective, all-encompassing network security solution. connection.
NetMeeting Remote Allows authorized users to remotely access your Windows desktop from Desktop Sharing another PC over a corporate intranet using Microsoft NetMeeting. Print Server for Macintosh
Enables Macintosh clients to route printing to a print spooler located on a computer running Windows 2000 Server.
Print Spooler
Queues and manages print jobs.
Remote Access Brings up a dialog that offers to make a dialup connection to a remote Table of Contents Auto Connection computer when there is no network access. •Manager Index •
Web Security Field Guide
Remote Procedure Call (RPC) Locator
BySteve Kalman
Provides the name services for RPC clients.
Remote Registry Publisher: Cisco Press Allows remote Registry manipulation. Service Pub Date: November 08, 2002 Routing ISBN: and 1-58705-092-7 Offers routing services in local area and WAN environments. Remote Access Pages: 608 RunAs Service
Allows you to run specific tools and programs with different permissions than your current logon provides.
SAP Agent
Advertises network services on an IPX network.
Hands-on SMTP techniques Simple for securing Mail Transport Windows(r) Protocol servers, transports browsers, e-mail and network across the communications. network. Simple TCP/IP Implements support for Echo, Discard, Character Generator (CharGen), Services and Quote the Dayrules (QOTD). Create effective Daytime, security policies and of establish for operating in and maintaining a securityconscious environment Smart Card Manages and controls access to a smart card inserted into a smart card reader attached to the computer. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP TCP/IP Print Server Enables TCP/IP-based printing using the Line Printer Daemon protocol. Understand secure installation options for Windows web servers and how to enhance Telephony Provides Telephony API (TAPI) support for programs that control security on existing web and FTP server installations telephony devices. Improve securityAllows at theaend user's workstation, including weband browsers, desktops, and Telnet remote user to log on to the system run console programs laptops using the command line. Windows Timethe pros Sets computer clock. Evaluate andthe cons of installing a certificate server and becoming your own Service Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date TIP Learn to security engage end users is asset part theno overall security page. solution The NSA template to of take actionnetwork on the services If you use it to disable any or all the services listed in Table 3-7, you need to remember to activate While the Internet has transformed and improved the way we do business, this vast network and that selection. Figure 3-81 shows you the checkbox (called Define this policy setting in its associated technologies have opened the door to an increasing number of security threats. the template) that you must select. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Registry as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across Internet. YetAnyone a network solution is only as strong as its weakest The Registry is athe high-risk area. whosecurity can make a change there can wreak havoc. The link. Network attacks can occur at any point, including the network connection, the firewall, the NSA template selects a number of Registry keys with strong security implications and changes web server, or the client. Hardening the defenses at all these points is key to creating an their permissions so that only members of the Administrators group can change them. Figure 3effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and
File System laptops Evaluate thesystem pros and cons of installing certificate server and becoming your own Changing the file permissions is easy.aThe hard part is deciding which files and folders Certification Authority need changing. Although there is no litmus test, a good rule of thumb is that if the folder contains executable files or scripts (such as the Program Files folder or web root), or the file is a Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco system file or utility (such as boot.ini or regedt32.exe), it should be protected with an ACL that standard and extended access lists limits access to authorized users or changes the permissions to the minimum needed. The files mentioned in the previous sentence, for example, need only Read and Execute permissions, not Discover ways to test the current state of security and keep it up to date the Full Control that the Everyone group automatically receives. The example that follows adds the locally webend root to the Learndefined to engage users as NSA part template. of the overall network security solution Figure 3-83 shows has the File System page from the template. Todo add another this file vast or folder to the While the Internet transformed and improved the way we business, network and list, right-click in any empty space to bring up the popup (it is already visible on the page), and its associated technologies have opened the door to an increasing number of security threats. click Add File. for That gives youpublic the window shown Figure 3-84, where navigate the The challenge successful, web sites is toinencourage access to you the site while to eliminating folder that you want to protect. Select it and click OK. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Figure 3-83. System market leader in the development and saleFile of products andTemplates technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to hardenFigure Windows3-84. multi-user platforms, including NT, 2000, and XP Adding a New Folder Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
You see a page like the one shown in Figure 3-85. You can see that the default is to give Everyone the Full Control permission. (By the way, this is the permission that will be assigned, not necessarily the one that is currently in place—the Management Console does not check the current ACL.) •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to the provide sufficient levels ofwant, security withoutthe constraining Edit the list by clicking Add, selecting groups and users you assigning permissions, performance or scalability. The more reliant organizations become on the Internet to that perform and, finally, removing the Everyone group. When you finish, you should have a page looks daily jobs or conduct transactions, the greater the impact a breach of network security has. Just like that shown in Figure 3-86. as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the Figure 3-86. Model Modified Permissions for a New Folder web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco
TIP standard and extended access lists IIS creates two to accounts it isstate installed. One isand thekeep anonymous named Discover ways test thewhen current of security it up to account, date IUSR_machine name. You should add it to the document root directory separately and Learn to engagedown. end users as partin ofhandy the overall security solution of an IIS let it propagate This comes if younetwork choose to take advantage feature that allows individual user authentication. While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levelsthe of second securitybullet without Click OK to get to the setting box shown in Figure 3-87. Click (it constraining begins, performance or scalability. The moreand reliant become on the Internet perform Replace existing permissions…) thenorganizations OK. When you finish making changes,tosave your daily jobs or conduct transactions, theSave. impact breach of network security Just work by right-clicking the templatethe andgreater choosing If ayou prefer, you can keep thehas. original as Cisco an innovator in usingname the Internet conduct business, so too is it a by using Systems Save Ashas andbeen choosing an appropriate for your to altered template. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server,Figure or the client. Hardening the defenses all these pointsYour is key Changes to creating an 3-87. Confirming and at Propagating effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
One Final Task One more task remains, no matter which operating system you are using. Most of the extensions that you see attached to files are associated with an executable file on your system. Some are harmless, such as .txt, which is associated with Notepad. Others are rather dangerous. For • Table of Contents example, when a file with a .reg extension is launched (double-clicking, typing its name at a • Index command prompt, including it in a batch file, and so on), it starts Regedt32 and causes it to Web Security Field Guide with settings contained in the .reg file. This is too great a risk to leave configure the Registry unpatched. By Steve Kalman To correct it, open Windows Explorer, click Tools, and then click Folder Options, as shown in Publisher: Cisco Press Figure 3-88. This brings up the Folder Options page (Figure 3-89). Click the File Types tab, Pub Date: November 08, 2002 scroll down to the REG extension, and click Change to bring up the box shown in Figure 3-90. 1-58705-092-7 ChooseISBN: Notepad and click OK several times to exit. From that point on, launching a file with the Pages: 608 causes it to open in Notepad. As an administrator, if you want to run a .reg file .reg extension using the Registry Editor, type Regedt32 filename.reg at the command prompt or from the Run dialog box.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Figure 3-88. Opening Folder Options in Windows Explorer
Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data Figure Viewing Associations traveling across the Internet. Yet3-89. a network securityFile solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Figure 3-90. Changing a Dangerous Association Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Table 3-8 shows the other extensions that should be re-associated to run with Notepad. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Table 3-8. Dangerous Extensions
Improve security at the end user's workstation, including web browsers, desktops, and laptops Extension File Type Evaluate the pros and cons of installing a certificate server and becoming your own .inf Setup File Certification Authority .msi Windows Installation File Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco .vbestandard and extended access lists Visual Basic Encoded Script .vbs Discover ways to test the current state of security Visual and Basic Script keep it up to date .wsf
Windows Scripting File Learn to engage end users as part of the overall network security solution .wsh Windows Scripting Host While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Summary This chapter closely examined the issues involved with securing a Windows Server. The first part concentrated on NT 4, whereas the remainder focused on Windows 2000. The same techniques used in Windows 2000 can also be used in Windows XP. •
Table of Contents
• The next partIndex of the book, devoted to web services, contains three chapters, one each on Web Security Field Guide installing the web server, enhancing its security, and securing FTP. BySteve Kalman
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Part III: Installing and Protecting IIS • •
The web server with the largest installed base is Microsoft's Internet Information Server (IIS). The vast majority of those installations are IIS4, but newer sites are beginning to use IIS5. Table of Contents Index
Web Security Field Guide
Chapter 4 IIS Installation This chapter provides instructions for installing IIS4 on NT –4 and IIS5 on both Windows 2000 Server and Windows XP.
BySteve Kalman
Publisher: Cisco Press
Chapter 5 Enhancing Web Server Security Pub Date: November 08, 2002 This chapter covers what happens after the web server software has been installed on the ISBN: 1-58705-092-7 various platforms. The next logical steps are to protect the server as a whole and limit access Pages: 608 to some of its pages. Chapter 6 Enhancing the FTP Server This chapter looks at ways to add SSL to FTP so that well-known FTP security flaws can be avoided. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Chapter 4. IIS Installation This chapter covers the following topics: • •
Table of Contents
Installing IIS4 Index
Web Security FieldIIS5 Guide Installing BySteve Kalman
This chapter is divided into three parts, each dealing with Microsoft Internet Information Server (IIS) installation. The first part explains IIS4 installation on an NT 4 server, the second shows Publisher: Cisco Press IIS5 installation on Windows 2000 Server, and the third covers installing IIS5 on Windows XP. Pub Date: November 08, 2002 Each portion covers the topic independently without reference to the other. ISBN: 1-58705-092-7
Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Installing IIS4 The prerequisite to installing IIS4 is acquiring the free-for-the-download NT 4 Option Pack. It is a multimegabyte file in self-extracting zip form. After it is installed and unpacked, you are ready to begin. Be sure that you are logged in on an NT 4 server as a member of the local • Table of Contents administrators group. •
Index
Web Security Field Guide
Installing the NT-4 Option Pack BySteve Kalman
Publisher: Cisco Press Pubthe Date: November 08, 2002 Start install by launching the Option Pack's Setup.exe. That generates the warning shown n Figure ISBN: 4-1. 1-58705-092-7 Click Yes. Sufficient field experience has shown that IIS4 runs well on SP6a, the version on the Pages: 608 development machine, so this warning can be safely ignored.
Figure 4-1. Service Pack Warning Message Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations atloads the end user's workstation, including web browsers, desktops, and After Improve the setupsecurity program some files, you are presented with the Option Pack welcome laptops screen (Figure 4-2) and then, as shown in Figure 4-3, the End User License Agreement (EULA). Accept the license agreement before continuing. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Figure 4-2. Option Pack Welcome Screen standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Figure 4-3. IIS4 on NT-4 License Agreement
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Installing IIS4 on NT-4 ClickingAccept at the EULA screen brings you to the Option Pack installation screen, as shown inFigure 4-4. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
TIP Learn to engage end users as part of the overall network security solution the Option Pack also creates a program group "Windows 4.0network Option and WhileInstalling the Internet has transformed and improved the way wecalled do business, thisNT vast Pack" under the Programs in the Users profile. This group contains several its associated technologies havemenu opened the All door to an increasing number of security threats. subgroupsfor and a program called "Windows NTencourage 4.0 Optionaccess Pack Setup." Clicking The challenge successful, public web sites is to to the site whilethis eliminating program another way to and bring the screen shown in Figure 4-4. without constraining undesirable orismalicious traffic to up provide sufficient levels of security performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Choosing the Minimum installation, assale shown in Figureand 4-4,technologies is safe and practical. That installs market leader in the development and of products that protect data the web server alone. More importantly, it does not install the dangerous web development traveling across the Internet. Yet a network security solution is only as strong as its weakest tools, such as attacks FrontPage Objects Fusion. should never bethe on firewall, the web the link. Network canExplorer occur at and any Net point, including the They network connection, server. You can install these tools on a development platform in the unlikely event that your web web server, or the client. Hardening the defenses at all these points is key to creating an developers aren't using more sophisticated tools already. effective, all-encompassing network security solution.
The first page from the Minimum installation, shown here as Figure 4-5, asks you to choose a folder for the web server's pages and another folder for the web server's program files. Choose the defaults by clicking Next, but be aware that the home directory location needs to be modified later. The beginning of Chapter 5, "Enhancing Web Server Security," includes a discussion of how to modify the home directory location and why this modification is necessary.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
TIP Discover ways to test the current state of security and keep it up to date For security purposes, install the web server pages and programs in separate branches Learn to engage end users as part of the overall network security solution of the directory tree or, even better, on different drives. While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating Spend a few minutes looking at the progress bar shown in Figure 4-6 and then proceed to the undesirable or malicious traffic and to provide sufficient levels of security without constraining thank-you screen shown in Figure 4-7. After you click Finish, you'll suffer the inevitable reboot. performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data Figure Completing IIS4security on NT-4 Installation Progress Bar traveling across4-6. the Internet. Yet a network solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
After rebooting, you'll find a new subgroup added to the Windows NT 4.0 Option Pack group on the Start menu. Figure 4-8 shows that subgroup and its two tools, the FrontPage Server Administrator and the Internet Service Manager. This latter tool manages and reconfigures the IIS4 web server. It will soon become one of your most frequently used programs on the web server. You'll probably want to drag its shortcut to the taskbar or the desktop. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Regardless if you the shortcut or not, the next step is to launch the program. Don't be standard andcreate extended access lists surprised that it is called the Microsoft Management Console (MMC). Microsoft uses the MMC as a uniform way toways manage many its Windows systems' including IIS4. Figure Discover to test the of current state ofoperating security and keep features, it up to date 4-9 shows the MMC just after launch. Expand both the top item (called Internet Information Server) andto the next item underneath Information Server (which contains the PC's Learn engage end users as partInternet of the overall network security solution name). While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious and to provide sufficient levels of security withoutPage constraining Figure 4-9. traffic Microsoft Management Console Opening performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment To manage the server, right-click Default Web Site and choose Properties, as shown in Figure 4-10.Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 4-10. Managing the IIS4 Web Server
Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment The properties dialog is a page with multiple tabs. Select the Directory Security tab and from that choose Editto under Anonymous Access and Authentication. dialog similar to that Learn how harden Windows multi-user platforms, including A NT, 2000, and XP shown in Figure 4-11 results. Clear the checkbox next to Windows NT Challenge/Response. You Understand secureAnonymous installationAccess optionscheckbox for Windows web servers and how to should leave the Allow selected. (All three options onenhance this popup security on existing web and FTP server installations are discussed in detail in Chapter 5.) Click OK to return to the Properties page. Improve security at the end user's workstation, including web browsers, desktops, and laptops
Figure 4-11. IIS4 Authentication Methods Popup
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Choose the Home Directory tab. Change the local path to wherever you decide to put the content of your web site. When possible, choose a dedicated, separate physical drive on the web server. In the example shown in Figure 4-12, the D: drive holds the web content. A more complete discussion of this item and its implications is found at the beginning of Chapter 5. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date to engage endpage userslocation, as part click of theOK overall network security solution After Learn changing the home to bring up the Inheritance Overrides screen shown in Figure 4-13. With Inheritance Overrides you can force the same authentication type on While Internet has transformed and improved we do business, this vast network and all webthe pages. Individual pages at lower levels canthe be way configured differently, if needed. Click the its associated technologies have opened the door to an increasing number of security threats. Select All button and then OK. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Figure 4-13. IIS4 Inheritance Override Window as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations When the Management Console page refreshes (see Figure 4-14), you see the folders that Improve at the end user's workstation, web browsers, desktops, and already exist insecurity the home directory. For our purposes,including four directories have been created. They laptops are used in the next two chapters to test the security enhancements that you make. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Figure 4-14. IIS4 Management Console Showing Home Page Folders Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
NOTE
Understand secure installation options for Windows web servers and how to enhance security on existing FTPfour server installations Before installing the web and server, directories and a default home page were created. The home page has links to a single file in each of those directories. They're Improve security at the end including desktops, and mnemonically named and areuser's used workstation, in later chapters to testweb andbrowsers, demonstrate various laptops access options. (If the page defined by the file is displayed, access was successful.) The IPADDRESS page, for example, says, "IPADDRESS is working." When configured, it Evaluate the pros and consreached of installing and becoming your own won't be accessible unless from aa certificate client at anserver authorized IP Address. This Certification Authority subdirectory structure and the home page that accesses it are detailed in Appendix C, "Contents of the WSFG Web Site." Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Installation isn't complete without a test. Start Internet Explorer and put in the PC's name as the URL.Figure 4-15 shows the results. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. Figure 4-15. Figure 4-15 Security Field Guide in IIS4 The challenge for successful, public Web web sites is to encourage access toHome the sitePage while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Because the home page displays, it is evident that the installation was successful. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP If you're interested in IIS5, read on. If not, you're finished with this chapter. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Installing IIS5 Unlike its predecessor, you don't need to acquire IIS5 separately. It comes with both Windows 2000 Server and Windows XP Professional. Before beginning the install on either platform, be sure that you are logged in as a member of the local administrators group. •
Table of Contents
• Index on Windows 2000 and Windows XP are nearly the same. However, enough Installation steps Web Security Field Guide subtle differences exist to warrant separate discussions. BySteve Kalman
Windows 2000 Publisher: Cisco Press Installation Pub Date: November 08, 2002 ISBN: 1-58705-092-7
Windows 2000 Pages: 608 Server has a built-in tool called Configure Your Server. Its shortcut is in the Administrative Tools program group, as shown in Figure 4-16.
Figure 4-16. Windows 2000 Configure Your Server Tool
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data NOTE traveling across the Internet. Yet a network security solution is only as strong as its weakest link. These Network attacks can occur that at any including the(or network connection, the firewall, instructions assume IISpoint, was not installed even partially installed) during the web server, or the client. Hardening the defenses at all these points is key to creating an the Windows 2000 Server Installation. If it were, there will be some differences, but effective, all-encompassing network security solution.
you should still be able to follow along.
A wizard launches after you click the shortcut. Click the Web/Media Server item in the left column to expand it (the results are shown in Figure 4-17), and click Web Server to continue. The screen shown in Figure 4-18 tells you to click the underlined Start keyword to launch the Components wizard. That brings you to the screen shown in Figure 4-19. •
Table of Contents
•
Index
Web Security Field Guide
Figure 4-17. Expanding the Web/Media Servers Branch
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure 4-18. Launch Point for the Windows Components Wizard
Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Figure 4-19. IIS5 on W2K Windows Components Selection Tool
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an TIP effective, all-encompassing network security solution.
As is often the case in Windows, you can get to this point in other ways. Control Panel's Add/Remove Programs followed by Windows Components does the trick, too. You can choose whichever path you prefer.
Click the checkbox next to Internet Information Services (IIS) and click the Details button. •
Table of Contents
Some of the defaults need to be changed to increase security on the publicly accessible server. • Index Clear the checkbox next to FrontPage 2000 Server Extensions. That brings up the warning Web Security Field Guide shown in Figure 4-20. Click Yes and let the dependents go, too. BySteve Kalman
Publisher: Cisco Press
Figure 4-20. IIS Components After Clearing the FrontPage Checkbox Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution NOTE WhileFrontPage the Internet has transformed and improved the way but we do thisFor vast network and extensions make web development easier, far business, less secure. example, its associated technologies have opened the door to an increasing number of security threats. they allow users to upload new or modified web pages using the web server itself. This The challenge for successful, public web sites is to encourage access to the site while eliminating is convenient in a development environment but invites trouble when left on a web undesirable or malicious traffic and to provide levels of security constraining server that anyone can access. That's whysufficient they're specifically omittedwithout from the performance or scalability. The more reliant organizations become on the Internet to perform installation here. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling Make sureacross that neither the Internet. News (NNTP) Yet a network nor FTPsecurity are selected solution (as is shown only as in strong Figure as 4-21) its weakest and click link. Click OK. Network Next attacks in thecan Windows occur Components at any point, screen. including You the receive network a warning connection, message the firewall, asking you the web to beserver, sure that or the the client. Windows Hardening 2000 distribution the defenses diskatisall handy. theseAfter points you've is keyloaded to creating it, click an OK effective, there, too.all-encompassing network security solution.
Figure 4-21. IIS Component Page, Ready for Secure Install
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
NOTE Improve security at the end user's workstation, including web browsers, desktops, and laptops If you already applied Windows 2000 Service Pack 2, you'll be asked for it rather than the distribution CD. Applying Service Packs, patches, and upgrades are all covered in Evaluate the pros and cons of installing a certificate server and becoming your own detail in Chapter 11, "Maintaining Ongoing Security." Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Spend a few minutes looking at the progress bar shown in Figure 4-22 and then proceed to the completion screen Figure 4-23. Click Finish button the Configure Your Discover waysshown to testinthe current state of the security and keep and it upclose to date Server tool. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated Figure technologies 4-22. Completing have opened the IIS5 door ontoWindows an increasing2000 number Progress of security Bar threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- 4-23. conscious environment Figure IIS5 on Windows 2000 Successful Completion Page Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data The installation added ana item to the Administrative Tools group called traveling across program the Internet. Yet network security solution is only asprogram strong as its weakest Internet Services Manager. (See Figure 4-24.) This tool manages and reconfigures the IIS5 link. Network attacks can occur at any point, including the network connection, the firewall, the web server. It will soon become one of your most frequently used programs on the web web server, or the client. Hardening the defenses at all these points is key to creating anserver. You'll probably want to dragnetwork its shortcut to the taskbar or desktop. effective, all-encompassing security solution.
Figure 4-24. New Internet Services Manager Menu Item
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Regardless if you create the shortcut or not, the next step is to launch the program. Click the Improveto security at the end user's including web browsers, desktops, and new shortcut get to the screen shown workstation, in Figure 4-25. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Figure Authority 4-25. IIS5 Internet Services Manager Opening Page Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment To manage the server, right-click the Default Web Site item and choose Properties, as shown inFigure 4-26. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 4-26. Managing the IIS5 Web Server in Windows 2000
Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment The properties dialog is a page with multiple tabs. Select the Directory Security tab and choose Edit how under Access and Authentication. You see dialogand similar Learn toAnonymous harden Windows multi-user platforms, including NT,a2000, XP to Figure 4-27. Clear the checkbox next to Integrated Windows authentication. Make sure that the Understand secure installation options for (All Windows web servers and how are to enhance Anonymous access checkbox is still selected. four options on this popup discussed in security on existing web and FTP server installations detail in the next chapter.) Click OK to return to the Properties page. Improve security at the end user's workstation, including web browsers, desktops, and laptops
Figure 4-27. IIS5 Authentication Methods Popup in Windows 2000 Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Choose the Home Directory tab. Change the local path to wherever you decide to put the Understand secure options for Windows web separate servers and how to enhance content of your web site.installation When possible, choose a dedicated, physical drive on the web security on existing web and FTP server installations server. In the example shown in Figure 4-28, the D: drive holds the web content. A more complete discussion of this item and its implications is found at the beginning of Chapter 5. Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Figure 4-28. Changing the IIS5 Home Directory in Windows 2000 Certification Authority
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations After changing the home page, click OK to bring up the Inheritance Overrides screen (shown Improve the end authentication user's workstation, including browsers, and inFigure 4-29)security to force at the same type on all webweb pages. You candesktops, always change laptops individual pages at lower levels later if the situation warrants. Click the Select All button and thenOK. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture andWindows how to apply2000 Cisco Figure 4-29. IIS5 Inheritance Override Window in standard and extended access lists
Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations When the Internet Service Manager page refreshes (see Figure 4-30) you see the folders that already Improve exist insecurity the home at the directory. end user's For example workstation, purposes, including fourweb directories browsers, have desktops, been created. and They laptops are used in the next two chapters to test the security enhancements that you make. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Figure 4-30. Internet Service Manager with Home Page Folders for Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Windows 2000 standard and extended access lists
Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
NOTE
Understand secure installation options for Windows web servers and how to enhance security on existing FTPfour server installations Before installing the web and server, directories and a default home page were created. The home page has links to a single file in each of those directories. They're Improve security at the end including desktops, and mnemonically named and areuser's used workstation, in later chapters to testweb andbrowsers, demonstrate various laptops access options. (If the page defined by the file displays, access was successful.) The IPADDRESS page, for example, says, "IPADDRESS is working." When configured, it Evaluate the pros and consreached of installing and becoming your own won't be accessible unless from aa certificate client at anserver authorized IP Address. This Certification Authority subdirectory structure and the home page that accesses it are detailed in Appendix C. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Installation isn't complete without a test. Start Internet Explorer and enter the PC's name as the Discover ways to test the current state of security and keep it up to date URL.Figure 4-31 shows the results. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and Figure 4-31. Web have Security Guide Home Page onofthe Windows its associated technologies openedField the door to an increasing number security threats. Server The challenge for successful, public web 2000 sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Because the home page displays, it is evident that the installation was successful. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure Administration Serverinstallation options for Windows web servers and how to enhance security on existing web and FTP server installations
IIS5 installs onsecurity Windows Server with the Defaultincluding Web Siteweb andbrowsers, the Administration Improve at 2000 the end user's workstation, desktops, Web and Site active. Figure 4-32 shows the Internet Service Manager displaying the two sites. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Figure 4-32. Internet Service Manager Showing Both Installed Web Learn the Cisco PIX Firewall and CiscoServers IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment You can use the Administration Web Site to manage the Default Web Site just as you can use the Properties two Windows key differences follow: Learndialog. how toThe harden multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance The Administration HTML-based, so you use a browser instead of MMC for security on existing Web web Site and is FTP server installations management. Improve security at the end user's workstation, including web browsers, desktops, and By default, the Administration Web Site can be accessed only from the web server itself. laptops To getEvaluate ready tothe access code, you must first takeserver note of thebecoming random port pros the andHTML cons of installing a certificate and yournumber own assigned to the Administration site. In this case, Figure 4-32 shows that the site is running on Certification Authority port 9974. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Launch the Administration Web Site lists by starting Internet Explorer and keying in the following standard and extended access URL:http://localhost:9974. That gives you the screen shown in Figure 4-33. Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution
Figure 4-33. Administration Web Site Home Page
While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Click the plus sign next to the Default Web Site link to expand the branch. This is the same list that the Internet produces (see Figure 4-34). Learn how toService hardenManager Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 4-34. Administration Web Site Showing Default Site Details Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment To see how the Administration Web Site can be used to manage itself or any other web site on your PC, double-click the underlined link to the platforms, Administration Web Figure Learn how to harden Windows multi-user including NT,Site. 2000, and 4-35 XP shows the result. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security the endAdministration user's workstation, including webHome browsers, desktops, and Figureat4-35. Web Site Page laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Click the Security link to see the screen shown in Figure 4-36, and click the middle Edit button (IP Address and to Domain Restrictions) to platforms, bring up the dialog box Figure Learn how hardenName Windows multi-user including NT,shown 2000, in and XP 4-37. That page denies access to all requests except those that originate on the local host, 127.0.0.1. securethe installation options Windows webneed servers andits how to enhance If youUnderstand want to manage web server from for another PC, you to add address using this security on existing web and FTP server installations page. Improve security at the end user's workstation, including web browsers, desktops, and laptops
Figure 4-36. Administration Site Security Page
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to hardenFigure Windows4-37. multi-user platforms, including NT, 2000, and XP Restricting IP Traffic Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
A complete discussion of the IP address-based security feature is found in Chapter 5 in the "IP Address-Based Restrictions" section. If you're interested in IIS5 on Windows XP, read on. If not, you're finished with this chapter.
Windows XP Installation •
Table of Contents
•
Index
The easy Web Security way Field to Guide install IIS5 on Windows XP is to insert the Windows XP distribution CD and let the autorun program give you the screen shown in Figure 4-38. You'll need the CD's contents BySteve Kalman later when the installation copies files from it anyway. If you copied the CD to a disk somewhere, the best alternative is to run the setup.exe file from that location. Publisher: Cisco Press
Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Figure 4-38. Windows XP's Setup Program
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating NOTEor malicious traffic and to provide sufficient levels of security without constraining undesirable performance or scalability. The more reliant organizations become on the Internet to perform Windows XP Professional, like Windows 2000 Professional, has a limit of one web daily jobs or conduct transactions, the greater the impact a breach of network security has. Just server per PC. Neither NT-4 nor Windows 2000 Server has such a limitation, nor do the as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a new .NET servers. Although the .NET install will reportedly be the same as XP, at the market leader in the development and sale of products and technologies that protect data time of this writing, .NET is still in early beta, and testing that theory isn't possible. The traveling across the Internet. Yet a network security solution is only as strong as its weakest XP installation instructions are included here to assist readers who wind up using this link. Network attacks can occur at any point, including the network connection, the firewall, the book in a new .NET environment. There are likely be more similarities than differences. web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
ClickInstall optional Windows components to bring you to the screen shown in Figure 4-39.
Figure 4-39. IIS5 on XP Windows Components Selection Tool •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Click the checkbox next to Internet Information Services (IIS) and click the Details button. Certification Authority Some of the defaults need to be changed. Clear the checkbox next to FrontPage 2000 Server Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Extensions to get to the screen shown in Figure 4-40. standard and extended access lists Discover ways to test the current state of security and keep it up to date
Figure 4-40. IIS Components Clearing FrontPage Checkbox Learn to engage end users as part of After the overall networkthe security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
NOTE
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
FrontPage extensions make web development easier, but far less secure. For example, Understand secure installation options for Windows web servers and how to enhance they allow users to upload new or modified web pages using the web server itself. This security on existing web and FTP server installations is convenient in a development environment but invites trouble when left on a web server that anyone can access. That's why they're specifically omitted from the Improve security at the end user's workstation, including web browsers, desktops, and installation here. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Make sure that neither News (NNTP) nor FTP is selected and click OK. In the Windows Components screen, Next. This where you need the Windows and XP distribution disk. If it is Learn the Cisco click PIX Firewall andisCisco IOS Firewall architecture how to apply Cisco not already in the CD drive, make sure you have access to its contents. standard and extended access lists SpendDiscover a few minutes the progress bar in Figure then proceed to the ways tolooking test theatcurrent state of security and4-41 keepand it up to date completion screen shown in Figure 4-42. Click the Finish button and Exit from the Welcome to Microsoft Windows XP end screen. Learn to engage users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge Figure for successful, 4-41. Completing public web sites IIS5 is toon encourage Windows access XP to Progress the site whileBar eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Figure 4-42. IIS5 on Windows XP Successful Completion Page
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
TheInternet Information Services program manages IIS5 on Windows XP. The shortcut to launch it is fairly well buried. (XP's philosophy seems to be to make things users need easy to find while placing administrator tools in obscure locations.) To get to the shortcut, launch Control Panel, place it in Classic View, and select Administrative Tools. This is shown in Figure 4-43. •
Table of Contents
•
Index
Web Security Field Guide
Figure 4-43. Administrative Tools in Windows XP's Control Panel
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Figure 4-44 shows various administrative tools, including the IIS shortcut. Right-click it and standard and the extended access lists choosePin to Start Menu, as shown in Figure 4-45, unless you want to go through Control PanelDiscover each time you to want launch thestate program. ways testto the current of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed improved the wayAdministrative we do business, thisTools vast network and Figure 4-44. IIS5 and Shortcut Under its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to4-45. hardenMaking Windows the multi-user includingTool NT, 2000, Figure IIS5platforms, Management Easyand toXP Find Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
ClickInternet Information Services to get to the screen shown in Figure 4-46.
Figure 4-46. IIS5 Internet Services Manager Opening Page
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and To manage the server, expand the tree, right-click the Default Web Sites item, and choose laptops Properties. That gives you the screen shown in Figure 4-47. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Figure 4-47. Managing theIOS IIS5 Webarchitecture Server in Windows XPCisco Learn the Cisco PIX Firewall and Cisco Firewall and how to apply standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations The Properties dialog isata the page with multiple tabs. Even thoughweb IIS5browsers, is supposed to be the same Improve security end user's workstation, including desktops, and for both Windows 2000 and Windows XP, this dialog is slightly different. If you compare Figure laptops 4-47 with the background dialog shown in Figure 4-28 from the section on installing IIS5 on Windows 2000the Server, see of that there are fewer dialog tabs. This is because management Evaluate pros you'll and cons installing a certificate server and becoming your own for some tasks has been moved. For example, the Windows 2000 version has a Performance tab. Certification Authority In Windows XP, those controls are located in the Performance application that is also shown in Figure 4-44the (Administrative Tools and shortcuts). Learn Cisco PIX Firewall Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists The first step in managing the web server is to select the Directory Security tab and choose Edit under Anonymous Access and Authentication. You keep see aitscreen to Figure 4-48. Discover ways to test the current state of security and up to similar date Clear the checkbox next to Anonymous Access and Authentication Control, but make sure that the Learn Anonymous to engageAccess end users checkbox as part is of still the selected. overall (All network four options security on solution this popup are discussed in detail in the next chapter.) Click OK to return to the Properties page. While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious to provide sufficient levels of security constraining Figure 4-48. The traffic IIS5 and Authentication Methods Popupwithout in Windows XP performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Choose the Home Directory tab. Change the local path to wherever you decide to put the Improve security at the end user's workstation, including web browsers, desktops, and content of your web site. When possible, choose a dedicated, separate physical drive on the web laptops server. In the example shown in Figure 4-49, the D: drive holds the web content. A more complete discussion of this item and its implications is found at the beginning of Chapter 5. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Figure and 4-49. Changing the IIS5 Home Directory in Windows XP standard extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations After Improve changingsecurity the home click OK workstation, to bring up the Inheritance Overrides screen shown in at page, the end user's including web browsers, desktops, and Figure 4-50 to force the same authentication type on all web pages. You can change lower-level laptops pages independently if your needs warrant it. Click the Select All button and then click OK. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Figure IIS5 Inheritance Override Windowand in how Windows XP Learn the 4-50. Cisco PIX Firewall and Cisco IOS Firewall architecture to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations WhenImprove the Internet Service Manager pageworkstation, refreshes (see Figure web 4-51), you see desktops, the folders that security at the end user's including browsers, and already exist in the home directory. For this book's purposes, four directories have been created. laptops They'll be used in the next two chapters to test the security enhancements that you make. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco Internet PIX FirewallService and Cisco Manager IOS Firewallwith architecture and how to apply Cisco Figure 4-51. Home Page Folders for standard and extended access listsWindows XP Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
NOTE
Understand secure installation options for Windows web servers and how to enhance security on existing FTPfour server installations Before installing the web and server, directories and a default home page were created. The home page has links to a single file in each of those directories. They're Improve security at the end workstation, including browsers, desktops, and mnemonically named and areuser's be used in later chapters to web test and demonstrate laptops various access options. (If the page defined by the file displays, access was successful.) The IPADDRESS page, for example, says, "IPADDRESS is working." When configured, pros andunless cons of installing a certificate and becoming your own itEvaluate won't bethe accessible reached from a client at server an authorized IP Address. This Certification Authority subdirectory structure and the home page that accesses it are detailed in Appendix C. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Installation isn't complete without a test. Start Internet Explorer and enter the PC's name as the Discover ways to test the current state of security and keep it up to date URL.Figure 4-52 shows the results. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and Figure 4-52. Web Security Field Guide Home Page on the Windows XP its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sitesServer is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Because the home page displays, it is evident that the installation was successful. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Summary This chapter took a careful look at installing IIS4 on NT4 and IIS5 on both Windows 2000 Server and Windows XP Professional. • Table you of Contents Chapter 5 guides through the process of reconfiguring IIS to make it more secure and • Index explains many of the choices that you need to make. Web Security Field Guide BySteve Kalman
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Chapter 5. Enhancing Web Server Security • of Contents This chapter Table covers the following topics: •
Index
Web Security Field Guide
Securing the Web Server
BySteve Kalman
Web Servers Versus Development Servers Publisher: Cisco Press
Locating Document Root Pub Date: November 08, 2002 ISBN: 1-58705-092-7
Logging
Pages: 608
Limiting Access to Your Web Server Miscellaneous Security Enhancements Hosting Multiple for Web ServersWindows(r) servers, browsers, and network communications. Hands-on techniques securing A freshly installed web server is a completely defenseless platform. Before making it available for access, your effective job is to security secure it.policies Here's and how.establish rules for operating in and maintaining a Create security- conscious environment After the web server is installed, you can take several steps to secure it. You can prevent anonymous access by limiting accessmulti-user to those with pre-established and XP passwords, Learn how to harden Windows platforms, including usernames NT, 2000, and those with accounts in the Domain Controller or Active Directory, or those coming from certain IP addresses Understand or networks. secure installation This chapter options covers forthese Windows items. web Forservers the most andpart, how the to enhance steps are the samesecurity whetheron you existing use Internet web and Information FTP serverServer installations Version 4.0 (IIS4) or IIS5. Where slight differences exist, they'll be shown. Improve security at the end user's workstation, including web browsers, desktops, and You can laptops take another step beyond those user-based limitations. You can add Secure Sockets Layer (SSL or, more commonly, HTTPS) to force data encryption, and you can require the Evaluate the prosto and cons of server installing a certificate server and becoming your own browsers that connect your web to present a certificate before being allowed in. Those topicsCertification are coveredAuthority in Chapter 9, "Becoming a Certification Authority (CA)." Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Web Servers Versus Development Servers Web servers, as the term is used in this book, refer to dedicated servers with content that will be accessed over an Internet or intranet using the HTTP protocol. This is in contrast to development • Table Contents servers, which areofworkstations that have IIS loaded onto them so that web developers can test • their work. Index Web Security Field Guide
You might be tempted to do the development work on the public web server, but this is a BySteve Kalman mistake for several reasons: Publisher: Cisco Press Pub Security— Date: November Many 08, 2002 of the
development tools were written assuming that they would never be deployed on the dedicated server. To use them, the developer needs a much higher level of ISBN: 1-58705-092-7 security Pages: 608access than the anonymous, guest-like user account that is used to access pages on the dedicated server. The tools themselves are often installed as services with privileges of their own. Leaving these tools on the web server is like leaving the keys to the store on the sidewalk by the front door.
Integrity— Ad-hoc changes should never be made to live environments. Web site users Hands-on techniques for broken securing Windows(r) servers, browsers, communications. will not appreciate links or page-not-found messagesand thatnetwork inevitably occur when pages are edited in real time. Create effective security policies and establish for operating maintaining Usability— If the web pages, web server, and rules browser are all on in theand same computer,apage securityconscious environment access times cannot possibly represent the typical user's experience. The LAN will slow those on the intranet down a little. Those on the Internet will be even more constrained by Learn how to harden Windows multi-user platforms, including NT, 2000, and XP network congestion and their own access data rates. In addition, support files, such as dynamic linksecure libraries (DLLs), anywhere in Windows the search path will be delivered the local Understand installation options for web servers and how to to enhance user but might not be available to the remote user. Developers need to measure security on existing web and FTP server installations accessibility and usability in a way that mimics their users' real-world environments. Improve security at the end user's workstation, including web browsers, desktops, and After laptops separating the development machines from those where the web sites are deployed, you need a secure way to transfer pages to the web server. The tool of choice here is secure FTP, a topic Evaluate discussedthe in detail in Chapter "Enhancing the FTPserver Server." pros and cons of 6, installing a certificate and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Locating Document Root When a web page is accessed via its domain name with no other qualifiers (for example, http://pc3.example.com), the web server looks for a page with one of several possible names • of Contentsand so forth) in the document root directory identified during (index.html, Table default.html, • installation. Index Web Security Field Guide
Document root can be located in any of several possible places (in increasing order of security): BySteve Kalman Publisher: Cisco Press As a subdirectory
of the IIS software
Pub Date: November 08, 2002
On the1-58705-092-7 same drive as the IIS software, but in a different directory tree ISBN: Pages: 608
On the same server as the IIS software, but on a different physical drive or partition On a different server A corresponding descriptive list would be Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Subdirectory -> Promiscuous Create effective security policies and establish rules for operating in and maintaining a Same drive -> Permissive securityconscious environment Same server, differentWindows drive ->multi-user Prudent platforms, including NT, 2000, and XP Learn how to harden Different server -> installation Paranoid options for Windows web servers and how to enhance Understand secure security on existing web and FTP server installations The first two options are too insecure. The last is not so much a security choice as it is a loadbalancing option. The third choice is the workstation, one implemented here.web Seebrowsers, the discussions in Chapter Improve security at the end user's including desktops, and 4, "IIS Installation," of Figures 4-12, 4-29, and 4-50 for examples of changing document root in laptops IIS4, IIS5 on Windows 2000 Server, and IIS5 on Windows XP, respectively. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Logging Maintaining secure logs is essential to a secure web environment. Chapter 11, "Maintaining Ongoing Security," deals with logs in considerable detail, but this is the more appropriate place to learn how to manage web server logging. •
Table of Contents
• Open the IISIndex management program, expand the tree, right-click Default Web Site, and choose Web Security Field Guide Properties. From there, pick the Web Site tab to see the result shown in Figure 5-1. BySteve Kalman
Publisher: Cisco Press
Figure 5-1. Managing Logging Options for IIS Servers
Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The forof successful, public web sites is controls to encourage access to thealready site while Nearchallenge the bottom the page is a checkbox that logging. It should be eliminating checked undesirable or malicious traffic and to provide sufficient levels of security without constraining (enabled). IIS supports four log file formats, each with varying types and quantities of data performance scalability. more reliant organizations become on detailed the Internet perform collected. Theordefault, W3CThe Extended Log File Format, is the most and to option-laden. daily jobs or conduct transactions, the greater the impact a breach of network security has.inJust Make sure that it is selected and click the Properties button to bring up the screen shown as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Figure 5-2. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an Figure 5-2. Extended Logging Properties Page effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations By default, a new log file will be created every day, starting with the first entry that occurs after midnight. The location is a subdirectory of your %SystemRoot% directory (possibly your WINNT Improve security at the end user's workstation, including web browsers, desktops, and directory). However, you can and should change this to point to another server. One of the main laptops objectives of intruders is to hide their tracks by altering or deleting the log file. If they managed to take control the of your log in location is vulnerable. Byand shunting it off your to another Evaluate pros PC, andacons of this installing a certificate server becoming own location (preferably on the other side of a firewall), you'll have increased security. You can use a Certification Authority share or a Windows-based syslogd for this purpose. Either way, be careful to restrict access to it. The web server should beFirewall able to and writeCisco only IOS to the log file. Most otherand applications should be Learn the Cisco PIX Firewall architecture how to apply Cisco able to read only standard andit.extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Limiting Access to Your Web Server The installation instructions in Chapter 4 set anonymous login as the only way to access web server content. Upon installation, IIS created two user accounts: • •
Table of Contents
IUSR_machine-name Index
Web Security Field Guide
IWAM_machine-name
BySteve Kalman
The former is mostly used for anonymous access and is much like a guest account. The latter is Publisher: Press used by theCisco operating system to start the IIS server and for certain out-of-process tasks, such as executing Pub Date:active November content. 08, 2002 For access over the Internet, this is the easiest option. It allows anyone, anywhere to access your content. ISBN: 1-58705-092-7 Pages: 608
If, however, you want to restrict access to users who have some pre-existing relationship with you, you have some additional choices. You can add user accounts and have the web server validate against those accounts. When you apply these additional restrictions, you can choose to limit them to a part of your documents directory tree rather than the entire web site. Table 5-1 lists the four authentication methods and their limitations and requirements. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Table 5-1. Comparison of Authentication Methods
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Limitation or Restriction Authentication Methods Understand secure installation options for Windows web servers and how to enhance CanFTP Be server Used by Any Browser, security on existing web and installations Any Computer Requires Windows Improve security at the end user's workstation, including web browsers, desktops, and Basic Challengelaptops Anonymous Authentication Digested Response Evaluate thewithout pros and cons of installing a certificate server and becoming your own Anyone can use Certification Authority prior relationship Learn Cisco Anyone canthe use but PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists requires prior relationship Many users share single Discover waysato test the current state of Optional security and keep it up to date account Learn to engage end users as part of the overall network security solution Internet Standard While the Internet has transformed and improved the way we do business, this vast network and Requires Active Directory its associated technologies have opened the door to an increasing number of security threats. The challenge Requires IIS5for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance MD5 hashed or password scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Password must be stored as Cisco Systems has beenin an innovator in using the Internet to conduct business, so too is it a clear text in Active market leader in the development and sale of products and technologies that protect data Directoryacross the Internet. Yet a network security solution is only as strong as its weakest traveling link. Network for attacks can occur at any point, including the network connection, the firewall, the Transparent logged-in web server, or the client. Hardening the defenses at all these points is key to creating an users effective, all-encompassing network security solution.
Support for Windows 2000/XP only Passwords hashed and secured
Digested Access available with IIS5. RFC 2617 compares Basic Authentication with • Tableisofnewly Contents Digested Authentication and contains a list of six major weaknesses of this scheme, along with • Index explanations andGuide recommendations for improvement. Digested Authentication is not yet Web Security Field recommended for deployment and is not further discussed in this book. BySteve Kalman
Publisher: Cisco Press
Enabling Basic Authentication Pub Date: November 08, 2002 ISBN: 1-58705-092-7
The following example uses IIS4 on NT 4 for the parts that are common to all three platforms, Pages: 608 with a few examples from IIS5 where needed. Open the Management Console or Internet Services Manager, as appropriate for your platform. For the test case, right-click the folder that you want to use for Basic Authentication. (The example here uses a folder named BASIC that was created just for this purpose.) That brings up Hands-on techniques forshown securing Windows(r) servers, browsers, and communications. a screen similar to that in Figure 5-3. Choose Properties, thennetwork Directory Security, and clickEdit. If you're using IIS4, you see the screen shown in Figure 5-4, but if you used IIS5, you see the screen shown in Figure 5-5. Uncheck Allow Anonymous Access (it was inherited Create effective security andBasic establish rules for operating maintaining during the installation phase) policies and check Authentication. All thisinisand shown in Figurea5-4. security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Figure 5-3.installation Accessing thefor Properties for how thetoBasic Understand secure options Windows webDialog servers and enhance Authentication Test Page security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Figure 5-5. IIS5 Modified Authentication Methods Page Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance Whensecurity you select Basic Authentication, you see the warning shown in Figure 5-6. The text says on existing web and FTP server installations that the data is not encrypted, but that isn't the same as plain text. It is an intermediate stage known as Base64 encoded. Click to workstation, enable Basic including Authentication. Improve security at the end Yes user's web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Figure 5-6. Password Vulnerability Warning Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web data server, or the client. defenses atwhich all these pointsaisscheme key to that creating an three The is encoded usingHardening a method the called Base64, employs converts effective, all-encompassing network security solution. of ASCII (by taking 6 bits at a time and characters of binary data (24 bits) into four characters
adding two high order 0s). It was originally created to facilitate sending binary files via systems that carried only 7 data bits per byte. A slew of encoders and decoders are available on the Internet, but the handiest decoder is built into WinZip. Appendix B, "Decoding Base64," describes a technique for capturing a user authentication using a popular network monitor and decoding the Base64 encoded data to discover the username and password. After login has been required, build user accounts using the normal account management program for your operating system. They are normal accounts in every way. One of your • Table of Contents essential jobs is to see to it that those accounts cannot be used for any other purpose. An easy • Index way to do this is to grant them the No Access permission for every file and folder except those Web Security Field Guide under document root. Chapter 3, "Windows System Security," covers this process. BySteve Kalman
Figures 5-7 and 5-8 show the process of adding a user in the NT 4 environment and in the Windows 2000 respectively. To create a user in NT 4, start User Manager for Publisher: Ciscoenvironment, Press Domains, click User, and then click New User. In Windows 2000 (and in Windows XP), start Pub Date: November 08, 2002 theComputer Management application, expand the Local Users and Groups branch, and ISBN: 1-58705-092-7 clickUsers, Actions, and then New User. In either case, type in the username and password, Pages: 608 clear the User Must Change Password checkbox, and select the User Cannot Change Password and Password Never Expires checkboxes. Finally, click Add (in NT) or Create (in 2K or XP).
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Figure 5-7. Adding a User in NT-4 Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across theFigure Internet.5-8. Yet aAdding network security is only as 2000 strong as its weakest a Usersolution in Windows link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
TIP
Evaluate the pros and cons of installing a certificate server and becoming your own Be careful about the Password Never Expires setting. Chapter 3 showed how to set a Certification Authority policy that included the maximum duration of passwords on user accounts. These special purpose will and haveCisco different needs. You should have manual reminder Learn the Cisco accounts PIX Firewall IOS Firewall architecture andahow to apply Cisco to yourself to change those passwords periodically (and send the appropriate notices to standard and extended access lists the users of those accounts), but do not force them to expire after some fixed number of days. ways to test the current state of security and keep it up to date Discover Learn to engage end users as part of the overall network security solution To testthe your work, has starttransformed Internet Explorer and access shown Figure 5-9. and While Internet and improved theyour way home we dopage, business, thisinvast network Then access the page you set up opened for Basic Authentication by clicking the second item on your its associated technologies have the door to an increasing number of security threats. home page. This up the loginweb dialog, in Figure 5-10.to Enter the user-name and The challenge for brings successful, public sitesasisshown to encourage access the site while eliminating password you in traffic the previous and sufficient click OK. levels of security without constraining undesirable or created malicious and to step provide performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Figure Home Basic that Authentication market leader5-9. in theWSFG development andPage, sale of Ready products to andTest technologies protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Figure 5-10. Basic Authentication Password Prompt Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance The result, shown or scalability. in FigureThe 5-11, more demonstrates reliant organizations that the process become worked on thewhen Internet the correct to perform daily jobs or username and conduct password transactions, were entered. the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. NetworkFigure attacks can occurBasic at any Authentication point, including the network connection, the firewall, the 5-11. Successful Access web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment To complete the test, close the browser to clear the cached credentials. Open it again and bring up your home page. Click the Basic Authentication test page link again, but this time Learn how to harden Windows multi-user platforms, including NT, 2000, and XP enter an incorrect username or password. You get three chances before seeing the message shown in Understand secure installation options Figure 5-12. When you finish, you can close for theWindows browser. web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptopsFigure 5-12. Standard Authentication Failed Message Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Setting Authentication LearnSecure how to harden Windows multi-user platforms, including NT, 2000, and XP IIS4 calls Understand its secure secure authentication installationoption options NTfor Challenge/Response. Windows web servers IIS5 and calls how it to Integrated enhance Windows security Authentication. on existing In web either and FTP case,server a domain installations controller or Active Directory is required to implement it. Improve security at the end user's workstation, including web browsers, desktops, and In thelaptops IIS4 example shown in Figure 5-13, the entire site is set up for both Anonymous Access and Challenge/Response. This is a way to integrate per-user or per-group NTFS access control Evaluate thesecurity pros andenvironment. cons of installing certificate server and becoming your own lists into the web To doathis, right-click Default Web Site, choose Certification Properties, selectAuthority the Directory Security tab, and click the Edit button in the Anonymous Access section. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment When accessing the web server with anonymous access, the user account IUSR_machine-name is used. That account should be granted file system read permission wherever you XP want anyone Learn how to harden Windows multi-user platforms, including NT, 2000, and to be able to access web content. (Some web content requires more rights. A detailed discussion Understand options for Windows webtoservers how to enhance is presented later secure in this installation chapter.) However, when you want restrictand content certain users security on existing web and FTP server installations or groups, remove permission from the anonymous account and grant it to specific users. IIS will try the anonymous user first and if it fails it will try the user's account. If you are on an Improve security the endlogged user'sin, workstation, web browsers, desktops, intranet and the user isatalready the processincluding is transparent. If not, the user willand be laptops prompted for a username, password, and domain name to use. Figure 5-14 shows such a prompt. These credentials should not, of course, be shared. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Figure 5-14. Prompt for Challenge Response Authentication standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Restricting Access Based on IP Address Access can also be controlled based on the PC's IP address. You can set specific addresses, address ranges, or DNS names from which access will be either allowed or denied. •
Table of Contents
• Index the WSFG home page, as accessed from a Windows XP-based PC. The third Figure 5-15 shows Web itemSecurity on the Field pageGuide links to the page to be used to test IP access controls, so click that link. BySteve Kalman
Publisher: Cisco Press
Figure 5-15. WSFG Home Page, Ready to Begin Address Test
Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Figure 5-16 shows that access is permitted by default. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. Figure Successful the IP access Address Page The challenge for5-16. successful, public web Access sites is toof encourage to theCheck site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment To prohibit access from the PC whose IP address is 192.168.1.20, launch the IIS management application foldermulti-user where youplatforms, want to setincluding IP address Figure 5-17 Learn and how right-click to harden the Windows NT,restrictions. 2000, and XP shows an example using the folder IPADDRESS. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, includingApplication web browsers, desktops, and Figure 5-17. IIS Management laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment That brings up the properties dialog. Click the Directory Security tab to get the NT 4 image shown in Figure 5-18. (Windows XP and Windows 2000 have a slightly version.) Learn how to harden Windows multi-user platforms, including NT,different 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 5-18. IPADDR Folder at the Directory Security Tab
Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance ClickEdit in the Address Name Restrictions section. That brings you the security onIP existing weband andDomain FTP server installations dialog box shown in Figure 5-19. Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Figure 5-19. Empty Address Restrictions Dialog Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, network security solution. This dialogall-encompassing box needs careful reading. It either grants (the default) or denies access to all
addresses except the ones you add manually. Go ahead and click Add to bring up the screen shown in Figure 5-20.
Figure 5-20. Deny Access on Page for a Single Address •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a If you just want to deny access to one particular address, you can key it in here. Before doing security- conscious environment that, it is worth the time to explore the other options. You can prohibit access to all stations in a particular clicking the button next toplatforms, Domain Name. That brings theXP performance Learndomain how to by harden Windows multi-user including NT, 2000,up and warning message shown in Figure 5-21. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 5-21. Warning Before Denying including Access web Based on Domain Improve security at the end user's workstation, browsers, desktops, Name and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and After you view the dialog box, click OK to close it, but don't key in a domain name. Instead, click its associated technologies have opened the door to an increasing number of security threats. the button next to Group of Computers. That changes the input fields and gives you the image The challenge for successful, public web sites is to encourage access to the site while eliminating shown in Figure 5-22. Here, you can exclude a range of IP addresses by using an appropriate undesirable or malicious traffic and to provide sufficient levels of security without constraining network number and mask. You can also repeat these steps to exclude more than one range. performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data Figure 5-22. Deny Access Page for a Group of Addresses traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Click the Single Computer button and enter the IP address to restrict, 192.168.1.20. Click OK to get to the completed restrictions list shown here in Figure 5-23. With this restriction in place, all computers will be allowed access except the one at the specified IP address. You can exclude additional single addresses by repeating these steps. You can also combine single addresses and Hands-on securing Windows(r) servers, browsers, and network communications. IP addresstechniques ranges andfor domain names, as needed. Create effective security policies and establish rules for operating in and maintaining a security- conscious Figure environment 5-23. Completed Access Restrictions Page Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. Starting at thefor machine with the prohibited address, bring up access the WSFG home as The challenge successful, public web sites is to encourage to the sitepage whileagain, eliminating shown in Figure 5-24, ready to and test to theprovide new address restriction. the third linkconstraining to initiate the undesirable or malicious traffic sufficient levels ofClick security without test. Figure 5-25 shows the The resulting errorbecome message. performance or scalability. moreaccess reliantforbidden organizations on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling Figure across the 5-24. Internet. WSFG Yet a Home network Page, security Ready solutionto is Finish only as strong Address as its Test weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how toFigure harden Windows multi-user platforms, including NT, 2000, and XP 5-25. Access Forbidden Error Message Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Miscellaneous Security Enhancements IIS has quite a few nooks and crannies where you can find security enhancement options. The next several subsections point them out. • of Contents Whether youTable implement the settings that follow is a matter of experience, judgment, and your • Index Security Policy. The best course of action often depends on the needs and size of your web site, Web Security coupled withField theGuide kind of use (intranet or Internet) you expect. BySteve Kalman
Moving Publisher:the Cisco Metabase Press Pub Date: November 08, 2002
IIS5 (for both Windows 2000 and XP) maintains a database containing all the configuration ISBN: 1-58705-092-7 values, including read and write permissions called the Metabase. (The actual filename is Pages: 608 metaBase.bin.) Its default location is %systemroot%\system32\inetsrv. An intruder who can corrupt or replace the Metabase completely compromises the server. The safest course of action is to move it. Doing so means making a Registry change. Before starting, make sure you have a complete backup copy of the Registry. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Begin by creating a new location for the Metabase. A likely location is as a new folder under an already existing, well-known, and generally uninteresting folder. A good candidate is the Create effective security policies and establish rules for operating in and maintaining a Windows NT folder under the Program Files folder. Figure 5-26 shows Windows Explorer with the security- conscious environment Program Files folder selected. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance
Figure 5-26. Windows Explorer Showing the Program Files Folder security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Open the Windows NT folder and add a new folder under it called IIS-Control. The result matches the screen shown in Figure 5-27.
• •
Figure 5-27. Windows Explorer Showing the New IIS-Control Folder Table of Contents Index
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own The next step is to stop the IIS services. In some versions, when IIS is running, the Metabase is Certification Authority open and locked, which would prevent its move. In any case, be conservative. Begin by launching control programand appropriate your platform and expanding the server tree. Learnthe theIIS Cisco PIX Firewall Cisco IOStoFirewall architecture and how to apply Cisco Selectstandard the Default Web Server to begin. Stop the server by using one of two methods: and extended access lists Discover ways to test the current state of security and keep it up to date Click the square box icon highlighted in Figure 5-28. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and Figure 5-28.the Stopping Server number via Icon its associated technologies have opened door to ana increasing of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a Right-click the server name and choose Stop. security- conscious environment If youLearn have how moretothan oneWindows web server on your platforms, PC, you should repeat this step and for each harden multi-user including NT, 2000, XP of them to stop them all. Understand secure installation options for Windows web servers and how to enhance After security the servers are stopped, launch (Start/Run is probably the easiest way) to get on existing web and FTPRegedit server installations the screen shown in Figure 5-29. Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server Screen and becoming your own Figure 5-29. Regedit Opening Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Expand the HKEY_LOCAL_MACHINE branch and drill down until you get to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetMgr\Parameters. Learn how to harden Windows multi-user platforms, including NT, 2000,This and is XPshown in Figure 5-30. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, includingto web browsers, Figure 5-30. Regedit Positioned Add a Keydesktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Add a new key by clicking on Edit, then New, and Key.Figure 5-31 shows this in action and Figure 5-32how shows the result. Learn to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 5-31. Adding a New Key in Regedit
Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, 2000, and XP Figure 5-32. Regedit with a Newincluding Empty NT, Key Added Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Change the name of the key to Metadata File. It is case-sensitive and the single space is required. Double-click the word (Default) in the right-hand column. That brings you to the screen shown in Figure 5-33.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Type the new path name, C:\Program Files\Windows NT\IIS-Control into the Value Data field and click OK. Exit out of Regedit to Windows Explorer. in From move the Create effective security policies and and return establish rules for operating andthere, maintaining a file MetaBase.bin to the new folder. Figure 5-34 shows the result. security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand Figure secure installation options for Windows web New serversLocation and how to enhance 5-34. MetaBase.bin in Its security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
To further enhance the security, hide the new folder by right-clicking on IIS-Control, selecting Properties, and clicking the checkbox to make it Hidden, as shown in Figure 5-35.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing of security threats. Restart the servers. This time, click the triangle icon instead of thenumber box. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and Start to provide sufficient levels security constraining Nothing is complete without a test. Internet Explorer andof launch thewithout WSFG home page. performance or scalability. The more reliant organizations become on the Internet to perform Figure 5-36 shows the result. Assuming you get your home web page, IIS is working and is daily or conduct the greater the impact a breach of network security has. Just using jobs the new locationtransactions, for its Metabase. as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point,Page including the network connection, the firewall, the Figure 5-36. WSFG Home After Moving the Metabase web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Managing Web Server Access Permissions Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Each Understand page can have secure any installation of four access options permissions. for Windows Directories web servers at lower andlevels how to willenhance inherit permissions securityset onfor existing a parent webdirectory. and FTP server Table 5-2 installations lists the four options and their implications. Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons installing a certificate server and becoming your own Table 5-2.ofWeb Server Access Permissions Certification Authority Permission Security Implication (When Checked) Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Script Source Users can access script source files. This control works in conjunction with Access (not and Write the Permissions. Discover ways toboth test the the Read current state of permissions security and and keepwith it up toExecute date available in IIS4) Readasispart also of selected, users can seesecurity script source (which might Learn to engage When end users the overall network solution contain passwords or other nonpublic material). While the Internet has transformed and improved the way we do business, this vast network and If Write is also selected, users submit new or altered scripts.threats. This its associated technologies have opened the door to can an increasing number of security should be selected only if Remote Authoring is necessary. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic levels security This without constraining Read Users can and see to theprovide source sufficient of pages in this of directory. is necessary for performance or scalability. The more reliant organizations become on the Internet perform most pages. The exception would be for pages where the usertogets to daily jobs or conduct transactions, the that greater the not impact a breach online. of network write something should be retrieved (Likesecurity a postalhas. Just as Cisco Systems has mailbox—you been an innovator in using the Internet to conduct business, too is it a can drop a letter in, but you cannot read it oncesodeposited.) market leader in the development and sale of products and technologies that protect data Write Users can create new files or overwrite files in this traveling across the Internet. Yet a network security solution existing is only as strong as directory. its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the Directory Browsing Allows users to see a hypertext listing of subdirectories (including the web server, or the client. Hardening the defenses at all these points is key to creating an DOS-style ".." link to the parent). This option should NOT be selected. effective, all-encompassing network security solution.
Right-click any folder in your default web site and select Properties or, as done in Figure 5-37, right-clickDefault Web Site, select Properties, and click the Home Directory tab to configure permissions for the entire web site. All pages in or under the home directory will inherit changes you make here. Lower-level pages can be altered individually later, as needed. •
Table of Contents
•
Index
Figure 5-37. Home Directory with Access Set to Read
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution Managing IIS5 Execute Permissions While the Internet has transformed and improved the way we do business, this vast network and Figure 5-38 shows the dropdown box for the thedoor Execute Permissions. Table 5-3 the three its associated technologies have opened to an increasing number of lists security threats. choices and their The challenge for implications. successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Figure 5-38. IIS5 Execute Permissions as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Table 5-3. Execute Permission Choices Evaluate the pros and cons of installing a certificate server and becoming your own Setting Certification Effect Authority None Neither scripts nor applications can be launched. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard extended Scripts Only andOnly scriptsaccess whoselists file extensions have previously been mapped to scripting applications can run. Discover ways to test the current state of security and keep it up to date This is the default permission. Learn to engage end users as part of the overall network security solution Use NTFS permissions to prohibit read access to anonymous users to keep the While the Internetscript has transformed improved the way we do business, this vast network and source code and secure. its associated technologies have opened the door to an increasing number of security threats. Scripts and for Allows any application, including both scriptsaccess and compiled files sucheliminating as .dll The challenge successful, public web sites is to encourage to the site while Executablesor malicious and .exe executables to run. sufficient levels of security without constraining undesirable traffic and to provide performance or scalability. The more reliant organizations become on the Internet to perform Thistransactions, should NOT be the homeadirectory If needed forhas. a lower daily jobs or conduct theselected greater at the impact breach oflevel. network security Just directory, be sure in that NTFS access prohibited for anonymous as Cisco Systems level has been an innovator using thewrite Internet to is conduct business, so too is it a users. Failure to do would permit users to submit and runprotect their own market leader in the development andsosale of products and technologies that data executables on your server.security solution is only as strong as its weakest traveling across the Internet. Yet a network link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Managing Application Isolation You can tell IIS how and where (in memory) to run applications launched by various web pages. Table 5-4 lists the three choices and their implications.
•
Table of Contents
•
Index
Table 5-4. Application Protection Choices
Web Security Field Guide BySteve Kalman
Setting
Memory Usage Implication
Low (IIS Cisco Applications run in the same memory space as the IIS process. If the application Publisher: Press Process) crashes, it will take IIS down with it. This is NOT recommended. Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Medium Applications run in a separate memory space than the IIS process, but in the (Pooled) Pages: 608same space as each other. An application crash here will take down all running applications but might not take down the server. When multiple users run the same application, the code space will be shared. This is the default and is recommended.
High Applications run in separate memory spaces, not only from the IIS process but Hands-on foreach securing Windows(r) servers, browsers, and likely network communications. (Isolated)techniques also from other. An application crash here is least to have any affect on any other user or on the web server itself. This choice can use massive amounts of memory and CPU resources, which can put you at risk for denial-ofCreate effective security policies and establish rules for operating in and maintaining a service attacks. security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Figure 5-39 shows the three application protection choices on the dropdown menu in the Home Understand secure installation options for Windows how to enhance Directory tab of the Default Web Site Properties, withweb the servers default and choice highlighted. security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Figure 5-39. Application Protection Choices Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Setting Advanced Configuration Options Improve security atSecurity the end user's workstation, including web browsers, desktops, and laptops Also contained in the Home Directory tab is a Configuration button. That leads to a dialog box Evaluate theor pros cons ofextra installing a certificate server and becoming yourprotection own with either three fourand tabs. The tab (Process Options) appears only if High is Certification Authority selected. the Cisco PIXtab, Firewall Cisco IOS Firewall and Protection, how to apply select Cisco In theLearn Home Directory click and the dropdown box nextarchitecture to Application standard and extended access lists High, and click the Configuration button. Two of the Execute Permissions (described in Table 5-3) allow scripts to run if they have been previously mapped. Figure 5-40 shows those Discover ways in to the testfirst the tab current state of security and keep it up to date mappings indicated visible in the resulting dialog. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and Figure 5-40. Application Configuration Dialog, APP Mappings its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Deleting Unnecessary Application Mappings Certification Authority
Application mappings areFirewall one of the revision between IIS4 and IIS5. In Learn the Cisco PIX andareas Ciscothat IOSunderwent Firewall architecture and how to apply Cisco the older version, mappings listed prohibited HTML commands (known there as Verbs) under standard and extended access lists the heading Exclusions, as shown in Figure 5-41. Verbs on the exclude list prevented .dll programs that ways corresponded tocurrent particular mappings from executing. with this Discover to test the state of security and keep it upThe to problem date scheme is that new verbs could be introduced and would be allowed by default. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened door to an increasing number of security threats. Figure 5-41. IIS4the Application Verb Exclusions The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations IIS5 takes a more conservative approach. Application mappings are listed along with the verbs that are specifically allowed. theuser's mapping isn't on the list, it is notbrowsers, allowed todesktops, run at all. If it is Improve security at the If end workstation, including web and there,laptops only the verbs listed with it are permitted. Nevertheless, the most often repeated tenet of security is if you don't need it, get rid of it. Application mappings are one of the primary places to implement rule. and If your web site is already running, scan and the folders under your Evaluatethat the pros cons of installing a certificate server becoming your ownweb homeCertification page and list the extensions in use. If it is under construction, ask the developers what Authority their plans are. Be aware that you can also modify the allowed verbs for a specific mapping by clicking the the EditCisco button. mappings that aren't in use by selecting the linetocorresponding Learn PIXDelete Firewall and Cisco IOS Firewall architecture and how apply Cisco to the mapping Remove. standardand andclicking extended accessTable lists 5-5 is a list of extensions and the category of applications that they control. Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and Table 5-5. Application Mappings and Their Functions its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Extension
Application Type
.cdx
Active Channel Definition File
.asa
Active Server Application
.asp
Active Server Page
.cer
•
Table of Contents
•.htw, .ida, .idg Index Web Security Field Guide
Certificates Index Server
.idc
Internet Database Connector
.printer
Internet Printing
Publisher: Cisco Press .htr
Password Changes
BySteve Kalman
Pub Date: November 08, 2002
.stm, ISBN: .shtm, .shtml 1-58705-092-7
Server Side Includes
Pages: 608
Disabling the Sample Applications The IIS default install creates several directories containing sample applications, which could Hands-on techniques for securing Windows(r) servers, browsers, and directories, network communications. provide a severe security hazard. Figure 5-42 shows the IIS4 default and Figure 543 shows the IIS5 equivalent. These directories can be included or omitted during the installation but, if included, they can be removed For all but servers, Createphase, effective security policies and establish rules now. for operating in development and maintaining a they should be removed. Directories can be removed in the right pane of your Default Web Site security- conscious environment by right-clicking the directory and selecting Delete. Be careful, though, because some directories remain (for example, Scripts and _vti _bin if you are using Web Learn must how to harden Windows multi-user platforms, including NT, 2000, andServer XP Extensions). Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end5-42. user's workstation, including web browsers, desktops, and Figure IIS4 Default Directories laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user NT, 2000, and XP Figure 5-43. IIS5 platforms, Default including Directories Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Table 5-6 lists the directory name, its contents, and its default installation location for Windows 2000. The location paths include terms surrounded by percent signs. These are Set Variables and come from the system configuration. They will vary by machine. The easiest way to resolve the particular values assigned is to open a command prompt and type SET.Figure 5-44 shows an example from IIS5 on Windows 2000.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Table 5-6. Sample Applications standard and extended access lists Discover ways to test the current state of security and keep it up to date IISDirectory Name Contents Location Learn to engage end users as part of the overall network security solution \IISSamples Sample Files %systemdrive%\inetpub\iissamples While the Internet has transformed and improved the way we do business, this vast network and \IISHelp Documentation %windir%\help\iishelp its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage accessfiles\common to the site while eliminating \MSADC Data Access %systemdrive%\program undesirable or malicious traffic and to provide sufficient levels of security without constraining files\system\msadc performance or scalability. The more reliant organizations become on the Internet to perform daily \printers jobs or conduct transactions, Web Based the greater %windir%\web\printers the impact a breach of network security has. Just as Cisco Systems has Printing been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data \IISAdmin Developer %windir%\system32\inetsrv\IISadmin traveling across the Internet. YetTools a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, You mightall-encompassing be surprised to find network that after security rebooting, solution. the deleted printers folder returns
automatically. To really get rid of it, you must do the following: Step 1. Delete the folder in the control program (Internet Services Manager). Step 2. Using Windows Explorer, go to the parent directory, %windir%\web, right-click, and choose Properties. • •
Step 3. In the Security tab, remove all entries in the ACL except Administrator and Table of Contents SYSTEM. Index
Web Security Field Guide
Step 4. Add the WebUsers group (or whatever you named the group that has access to pages) and select the box marked Deny across from the Full Control permission. This automatically marks all the individual permissions as Deny.
BySteveyour Kalman web
Publisher: Cisco Press Pub Date: November 08, 2002
Figure 5-45 shows the App Options page. (It's the App Options tab on the Application Configurations page, if you're not already there.) Make sure that the first checkbox, Enable session state, is checked. This causes Active Server Pages (ASPs) to create a new session for each user. Along with the next option, Session timeout, this limits the time that a script waits for user input. It also for causes a record of terminated sessions to beand written to the Server Event Hands-on techniques securing Windows(r) servers, browsers, network communications. Log. The default is 20 minutes, which is a long time to leave the system open for hacking. Work with your developers to determine the type and duration of the functions that the scripts provide and the Create expected effective usersecurity delay times. policies This and number establish should rulesbefor set operating low enough in and to avoid maintaining denial-ofa service securityproblems, conscious but high environment enough so that users don't need to restart their sessions. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secureSession installation options for Windows servers andOptions how to enhance Figure 5-45. Timeouts on the web Application Page security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops On that same page is an option Enablea parent paths. Beand surebecoming that this your is NOT checked. Evaluate the pros and conscalled of installing certificate server own It would allow scripts to use the ".." syntax to traverse the directory tree. Certification Authority Figure 5-46the shows a similar optionand on Cisco a tab IOS called Process Options. This is to available only Learn Cisco PIX Firewall Firewall architecture andtab how apply Cisco whenstandard High Application Protection is used and extended access lists (discussed in the section called Managing Application Isolation earlier in this chapter). This page has an option that sets the timeout for CGI scripts. TheseDiscover are generally of test muchthe shorter duration ASP sessions, a shorter ways to current state ofthan security and keep so it up to date timeout is reasonable. The default is 5 minutes (300 seconds). Again, your developers should be able to offer Learn guidance. to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, web sites is toCGI encourage to the site while eliminating Figurepublic 5-46. Setting Scriptaccess Timeouts undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Assigning Web Server Operators Certification Authority During installation, adds the Administrators to architecture the list of Web You Learn the CiscoIIS PIX Firewall and Cisco IOS group Firewall andServer how toOperators. apply Cisco can see this byand selecting the Operators standard extended access lists tab on Default Web Site Properties. This is an appropriate start because it takes Administrator privileges to install the web server; however, for ongoing maintenance, it is inappropriate. Unless changed, Discover ways to test the current state of security andthose keep responsible it up to datefor managing the web server would need to be made members of the Administrators group. This would almost Learn to them engage endrights users and as part of the overall network security certainly give more privileges than they need or shouldsolution have. While the Internet hasthose transformed and administrators improved the way welist do of business, this vast network and The solution is to add web server to the operators for your web site. its associated technologies have opened door to privileges an increasing number of security They would then need appropriate NTFS the file system in the directory named threats. as The challenge successful, public web Chapter sites is to encouragethis access to the site while eliminating document rootfor (and its subdirectories). 3 describes process in detail. undesirable or malicious traffic and to provide sufficient levels of security without constraining Users added to Operators list get reliant the following rights on the web performance or the scalability. The more organizations become onserver: the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Administer content (add,and delete, market leader in web the development sale change) of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest Control logging link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an Manage default web documents effective, all-encompassing network security solution.
Set web server access permissions Manage expiration dates and times for content Additional rights still held only by Administrators are as follows:
• •
Create or alter virtual directories Table of Contents
ChangeIndex the Anonymous username or password
Web Security Field Guide
Alter the BySteve Kalman
configuration of a web site
Change Application Isolation
Publisher: Cisco Press
Pub Date: November 08, 2002 To accomplish this goal, start the Management program for your platform, choose your web site, and open ISBN: the 1-58705-092-7 Properties dialog. Click the Operators tab. The example here is from IIS5 on Windows 2000 Pages: 608 and is shown in Figure 5-47. Click Add to get to the screen shown in Figure 5-48, and double-click the name of the user or group that is to be given most web server administration privileges. Click OK to save your work. Figure 5-49 shows the result.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Figure 5-47. Default Web Site Operators Page
Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
5-49. Modified Site Operators UnderstandFigure secure installation options forWeb Windows web servers and Page how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops TIP Evaluate cons of installing certificate server If you arethe partpros of aand domain, you can addaDomain Groups to and the becoming Operators your list. Ifown not, Certification Authority you can add only local users. In neither case can new local groups be added. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hosting Multiple Web Servers So far, this chapter has assumed that there will be only one web site on your server. In most cases, that's true, but there are exceptions. These are sites with multiple logical servers on one physical computer. Windows 2000 Server supports Web hosting, but neither Windows 2000 • TableWindows of Contents Professional nor XP Professional do. On intranets, this is an important benefit for sites • Index that expect to grow dramatically—it is much easier to move a logically separate server than to Web Security Guidenecessary to move a part of a series of integrated web pages. perform theField surgery BySteve Kalman
To create a new web server in IIS5 installed on a Windows 2000 Server, launch Internet Services Manager, right-click the server name, and then choose New and Web Site (see Figure Publisher: Cisco Press 5-50). The Web Site Creation Wizard guides you in creating a new web site. Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Figure 5-50. Adding a New Logical Web Server
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. All the tasks identified in this chapter work just the same for single server sites as for multiple The challenge for successful, public web sites is to encourage access to the site while eliminating web server sites. However, keep one consideration in mind: undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform Any changes you make at the top level of the Internet Services Manager tree apply to all daily jobs or conduct transactions, the greater the impact a breach of network security has. Just servers defined under it. as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market the development and sale of products technologies that level. protect data No task leader can bein identified as one that you should alwaysand define at the highest However, traveling across the Internet. Yet a network security solution is only as strong as its weakest there are some candidates: link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution. Logging
Session timeouts Authentication Also, keep in mind that there is only one Metabase on a single physical server. Moving it for one moves it for all. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Summary This chapter presented ways to harden IIS. Next up is a similar chapter on FTP, including some more secure alternatives to the built-in Microsoft product. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Chapter 6. Enhancing the FTP Server This chapter covers the following topics: • •
Table of Contents
Inner Workings of FTP Index
Web Security SecureField FTPGuide BySteve Kalman
Example of Secure FTP Product Publisher: Cisco Press
IIS comes with a free File Transfer Protocol (FTP) Server, yet you were advised in Chapter 4, Date: November 08, 2002 "IISPub Installation," not to install it. Clearly, a better solution exists. ISBN: 1-58705-092-7
FTP isPages: notoriously 608 insecure. Unless you ask carefully, it will try to open a new connection through your firewall or filtering router from the outside. Even if you do manage to avoid that problem, it will still send everything in the clear—and that includes the password you use to log in to the FTP server itself! This chapter shows you how FTP works, the effort to create a new standard defining secure FTP Hands-on techniques for securing Windows(r) servers, browsers, and network communications. servers, and how to acquire and install an FTP server that uses SSL (the same technique that turns HTTP into HTTPS). Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Inner Workings of FTP Unlike most TCP-based protocols, FTP uses two different well-known ports. To make and control the connection, port 21 is used. However, FTP uses port 20 to transfer the data. • Table ofwas Contents When the Internet new and the need for security was low, FTP's structure was an advantage. • Index Commands to read or write a file or group of files used the control channel (port 21), while the Web Field Guide files Security themselves used the data channel (port 20). This plan brought several advantages: BySteve Kalman
Multiple, concurrent data transfers could proceed simultaneously. Publisher: Cisco Press Pub Out-of-band Date: November control 08, 2002information
did not slow the data channel transfer.
ISBN: 1-58705-092-7
The control information could not interrupt (or worse, corrupt) the data. Pages: 608 As time went by, security changed from none-needed to optional to must-have. The design of separate control and data channels remained. As a result, FTP was modified to allow a more secure means of establishing the connection between client and server. New nomenclature was added to distinguish the new FTP from the old. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. The original FTP became known as PORT mode FTP, and the new version was named PASV FTP. The next two sections describe them and their differences in detail. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
TIP
Understand secure installation options for Windows web servers and how to enhance security onPASV existing and FTP server installations The letters areweb commonly pronounced as if they spelled out the word passive. You will occasionally see a reference to PORT mode FTP as active FTP or as ACTV FTP, but Improve security the end user's workstation, web browsers, desktops, and these terms do notatexist in any of the standards including documents. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Network Diagram for FTP Examples
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Figure 6-1 shows the sample network used in this discussion of how FTP works. There is a client at 192.168.1.100 and an FTP server at 172.16.1.101. There is, of course, a router between them. Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution
Figure Network While the Internet has transformed and6-1. improved the wayDiagram we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
•
Table of Contents
•
Index
Web Security Field Guide BySteve Kalman
Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7 PORT Mode FTP Pages: 608
Figure 6-2 shows an FTP session between the client called dell-80 and the FTP server, called ftp.example.com.Figure 6-3 shows Ethereal capturing that same session.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
Figure 6-2. FTP Session Using PORT Mode Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining Figure 6-3. Ethereal Capture of a PORT Mode Transfer performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
NOTE
Understand secure installation options for Windows web servers and how to enhance security on existingFTP web and that FTP server installations The command-line client ships with all versions of Windows uses PORT mode. Improve security at the end user's workstation, including web browsers, desktops, and laptops To manage the discussion of the session's steps, the data that made up Figure 6-2 is broken into Evaluate prosEach and of cons installingthat a certificate server becominglines your or own several smallerthe parts. theofexamples follow match upand to individual small Certification Authority groups of lines shown in Figure 6-3. The source and destination names were edited to Client and Server to increase clarity and reduce the line width. By the way, line 12 in the figure came from Learn the Cisco PIX and was Cisco IOS Firewallduring architecture and howItto Cisco NetBIOS (trying to talk toFirewall a host that disconnected this capture). is apply ignored in the standard and extended access lists following discussion. Discover ways to the current state of security keep it up an to ephemeral date Example 6-1 shows thetest connection being initialized. Theand client picked port, in this case port 2631, and connected to the server using the normal FTP port, 21. The capture software Learn to engage end users as part of the overall network security solution automatically translates well-known port numbers to their names, which is why the protocol column uses the name ftp. While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. As discussed in detail in Chapter 1, "Essential Information for Web Security Administrators," TCP The challenge for successful, public web sites is to encourage access to the site while eliminating sessions begin with a three-way handshake. The server played its part by responding from the FTP undesirable or malicious traffic and to provide sufficient levels of security without constraining port to the client on port 2631 (the port that the client set up for the control connection). The performance or scalability. The more reliant organizations become on the Internet to perform client completed the three-way handshake, resulting in an open TCP session. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data Example 6-1. Opening the Connection traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
No.
Source
Destination
Protocol
Info
1
Client
Server
TCP
2631 > ftp [SYN]
2
Server
Client
TCP
ftp > 2631 [SYN, ACK]
3
Client
Server
TCP
2631 > ftp [ACK]
•
Table of Contents
•
Index
Web Security Field Guide By Steve Kalman Example 6-2 shows
that after the handshake completed, the server responded with its identification. The FTP client acknowledged it (in line 5) and generated a username prompt. After the Publisher: user keyed Ciscoit Press in (anonymous), the client sent line 6 to the server. Pub Date: November 08, 2002 ISBN: 1-58705-092-7
Example 6-2. Requesting and Getting the Username Pages: 608
No.
Source
Destination
Protocol
Info
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. 4 Server Client FTP Response: 220 Serv-U FTP Server v4.0
5 6
for WinSock Create effective security policies and establish rules forready... operating in and maintaining a security- conscious environment Client Server TCP 2631 > ftp [ACK] Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Client Server FTP Request: USER anonymous Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Improve security at the end user's workstation, including web browsers, desktops, and Line 7laptops (the first line in Example 6-3) shows the server responding that the User name is okay. Later in this chapter, you will see how to configure a server and add usernames that it will Evaluate the pros and cons of installing a certificate server and becoming your own recognize. Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
CAUTION Discover ways to test the current state of security and keep it up to date If you are using the FTP server that comes with IIS, you can log in with your domain Learn to engage end users as part of the overall network security solution credentials. As an administrator, you will not have to add a list of authorized users and passwords. this and is a improved major security breach because (as this you vast can see in lineand Whiletheir the Internet hasHowever, transformed the way we do business, network 9) those credentials are passed in the clear. A solution to this problem is offered later in its associated technologies have opened the door to an increasing number of security threats. this chapter. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just The password convention for anonymous FTP login is the e-mail name of the user. Servers can be as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a configured to check the format of the password, but they don't actually verify the address. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet lines a network security is only as strong asyour its weakest If you're following along with the in Figure 6-2, solution the content of line 10 is on screen, just link. Network attacks can occur at any point, including the network connection, the firewall, the before the ftp> prompt (which is generated by the client). web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
The first command entered by the Windows(r) user is pwd.servers, That command is and common to all versions of UNIX Hands-on techniques for securing browsers, network communications. and is an acronym for PrintWorking Directory. It is the equivalent of the DOS command, cd (with no arguments). In fact, many FTP clients will accept simple DOS commands, such as rename and Create effective security policies establish rules for operating and in maintaining a show dir and translate them into proper FTPand control commands. The first twoinlines Example 6-4 securityconscious environment thepwd command being transmitted to the server and the server's response saying that the client is at the root. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
TIP
Improve security at the end user's workstation, including web browsers, desktops, and laptops FTP got its start in the UNIX environment and as a result, it always understands the UNIX file system commands. This is true even if the FTP server is running on a Windows Evaluate the pros and cons of installing a certificate server and becoming your own platform. (This one is running on a Windows 2000 Server.) Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Example 6-4. Requesting Data from the Server
Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution No. Source Destination Protocol Info While the Internet has transformed and improved the way we do business, this vast network and its the door to an increasing number of security threats. 12 associated Client technologies Server have opened FTP Request: XPWD The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious to provide sufficient levels of security without constraining 13 Server Clienttraffic and FTP "Response: 257 ""/"" is current directory." performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions,TCP the greater2631 the impact breach of network security has. Just 14 Client Server > ftp a[ACK] as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the developmentFTP and sale of"Request: products and technologies that protect data 15 Client Server PORT 192,168,1,100,10,74" traveling across the Internet. Yet a network security solution is only as strong as its weakest link. can occur atFTP any point, including the200 network the firewall, the 16 Network Server attacks Client Response: PORT connection, Command successful. web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
17
Client
Server
FTP
Request: NLST
This is not the real root of the drive. It is merely the top of the user's directory structure. If there were subdirectories, the user would be free to traverse down to them. However, the server will not allow the user to navigate higher into the real structure. • Table of Contents •
Index
The next command issued by the user is ls, which is the equivalent of DOS's dir. That command Web Security Field Guide generated lines 15 through 17. Line 15 is a PORT command. It asks the server to set up a new By Steve Kalmanusing port 2634 as the destination port on the client. TCP session Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7 NOTE Pages: 608
You should pay special attention to two things in line 15. The first is that the client's IP address is in the PORT command. This creates a problem for those using Network Address Translation (NAT) because the IP address configured into the client is different than the one the server sees across the Internet. Most, but not all, routers and firewalls that do the NAT conversions replace the address in the PORT command with a valid Hands-on techniques for securing will Windows(r) servers, browsers, and network communications. outside address and will forward the data to the client. The Create other effective item ofsecurity interestpolicies is the way andthat establish the client rulesport for operating number isin represented. and maintaining Because a port securitynumbers conscious are 16-bit environment numbers, they have to be represented in two 8-bit bytes. The numbers you see are the decimal equivalents of the contents of each of those bytes. To Learn to harden Windows platforms, including NT, 2000, XP do the how conversion, multiply the multi-user first byte by 256 and add the second byte.and In this example, that would yield 256 x 10 (2560) plus 74, giving 2634. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security the 20 endare user's workstation, browsers, and 17 in InExample 6-5, lines 19atand simply a responseincluding from theweb server to the lsdesktops, request (line laptops Example 6-4) and the client's acknowledgment. The important lines for this discussion are 18, 21, and 22. They represent a new three-way handshake originating from the server on ftp-data port, Evaluate 20 (line 18). the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco
Example 6-5. the Data Channel standard and Opening extended access lists
Discover ways to test the current state of security and keep it up to date to engage end usersProtocol as part of the overall network security solution No. Learn Source Destination Info While the Internet has transformed the > way we do business, this vast network and 18 Server Client TCP and improved ftp-data 2634 [SYN] its associated technologies have opened the door to an increasing number of security threats. The successful, public is to encourage access toASCII the site while eliminating 19 challenge Server for Client FTP web sites Response: 150 Opening mode data undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliantconnection organizations become on the Internet to perform for /bin/ls. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Systems has been an innovator in using Internet 20 Cisco Client Server TCP 2631 the > ftp [ACK]to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling acrossServer the Internet. Yet a network security solution is[SYN, only asACK] strong as its weakest 21 Client TCP "2634 > ftp-data link. Network attacks can occur at any point, including the network connection, the firewall, the web client. Hardening at all> these 22 server, Serveror the Client TCP the defenses ftp-data 2634 points [ACK]is key to creating an effective, all-encompassing network security solution.
This connection on port 20 originating outside your network is the security problem. When one of your users initiates a connection, responses are okay. However, outsiders normally have no business starting a transaction. As a result, one of the first steps in configuring a firewall is to block new TCP connections originating outside your network. •
Table of Contents
As with manyIndex solutions, banning outside users from making connections to inside hosts solved a • big problem—but introduced a small one. It broke FTP. The FTP server's response to the ls request Web Security Field Guide tries to open a new connection, and the firewall that was set up to protect the network blocks this BySteve Kalman otherwise legitimate request as a potential threat coming from outside. PASV mode FTP was invented to solve that problem. Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
NOTE
The message PORT Command successful in Example 6-4 originated on the server and was sent via the control channel. If the data channel connection initiation had been blocked by the screening router firewall, the session would hang just after that message Hands-on techniques for securing Windows(r) servers, browsers, and network communications. arrived and the user would have had to intervene. Create effective security policies and establish rules for operating in and maintaining a securityconscious The lines in Example 6-6 environment show the data transfer and the normal closing of the data channel session. Some control channel messages are mixed in on lines 26 and 29. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance
Example Closing Channel security6-6. on existing webthe and Data FTP server installations
Improve security at the end user's workstation, including web browsers, desktops, and laptops No. Source Destination Protocol Info Evaluate the pros and cons of installing a certificate server and becoming your own 23 Certification Server Client Authority FTP-DATA FTP Data: 19 bytes 24 25 26
Learn the Cisco PIX Firewall and Cisco IOS Server Client FTP-DATA FTPFirewall Data: architecture 116 bytes and how to apply Cisco standard and extended access lists Client Server TCP 2634 > ftp-data [ACK Discover ways to test the current state of security and keep it up to date Server Client FTP Response: 226 Transfer complete. Learn to engage end users as part of the overall network security solution
27 Client Server TCP "2634 > ftp-data [FIN, ACK] While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. 28 Server Client TCP ftp-data > 2634 [ACK] The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining 29 Client Server TCP 2631 > ftp [ACK] performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest Finally,Example 6-7 shows the FTP session ending normally as a result of the user sending the link. Network attacks can occur at any point, including the network connection, the firewall, the quit command. web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Example 6-7. Ending the FTP Session
No.
Source
Destination
Protocol
Info
30
Client
Server
FTP
Request: QUIT
•
ServerIndex Client
FTP
Response: 221 Goodbye!
Server
TCP
"2631 > ftp [FIN, ACK]
Server Publisher: Cisco Client Press
TCP
ftp > 2631 [ACK]
Client
TCP
"ftp > 2631 [FIN, ACK]
Server
TCP
2631 > ftp [ACK]
•
31
Table of Contents
Web Security Field Guide BySteveClient Kalman 32
33
Pub Date: November 08, 2002
34 35
Server
ISBN: 1-58705-092-7
Pages: 608
Client
Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
PASV Mode FTP
Create effective policies and establish for operating in and maintaining FTP sessions start outsecurity the same way, whether PASV rules or PORT mode is being used. Example a6-8 securityconscious environment shows the handshake for this PASV session. The client is using port 2645. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Example 6-8.secure Establishing Newfor FTP Session Understand installation a options Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and No. laptops Source Destination Protocol Info 1 2 3
Evaluate pros and consTCP of installing a certificate server and becoming your own Client the Server 2645 > ftp [SYN] Certification Authority Server Client TCP "ftp > 2645 [SYN, ACK] Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard extended access Client andServer TCP lists 2645 > ftp [ACK] Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution
The initial login andhas password (in the clear) lines were omitted. are duplicates the lines While the Internet transformed and improved the way we doThey business, this vast of network and shown in Examples 6-2 and 6-3. Due to the pwd command, the first three lines (12 to 14) in its associated technologies have opened the door to an increasing number of security threats. Example 6-4 are duplicates andweb were alsoisomitted. Lines access were renumbered for clarity in these The challenge for also successful, public sites to encourage to the site while eliminating examples. If the client is configured for PASV, it will not send the PORT command, so lines 15 and undesirable or malicious traffic and to provide sufficient levels of security without constraining above in preceding examples are different. performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Example 6-9 begins on line 4 with the request from the client to the server for a PASV connection. as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Line 5 shows the server's response, telling the client that it is expecting the client to open a data market leader in the development and sale of products and technologies that protect data channel using port 1043 (4 x 256 plus 19). Lines 6, 7, and 8 show the three-way handshake that traveling across the Internet. Yet a network security solution is only as strong as its weakest the client initiated. link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Example 6-9. Initiating a PASV Mode Transfer
No.
Source
Destination
Protocol
Info
4
Client
Server
FTP
Request: PASV
FTP
"Response: 227 Entering Passive Mode
•
5 •
Table of Contents
ServerIndex Client
Web Security Field Guide
(172,16,1,101,4,19)"
BySteve Kalman
6
Client
Server
TCP
2646 > 1043 [SYN]
TCP
"1043 > 2646 [SYN, ACK]
Publisher: Cisco Press
7
PubServer Date: November 08, 2002 Client ISBN: 1-58705-092-7
8
Client Pages: 608
Server
TCP
2646 > 1043 [ACK]
9
Client
Server
FTP
Request: NLST
10
Server
Client
FTP
Response: 150 Opening ASCII mode data
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. connection for /bin/ls. 11 12
Servereffective Client FTP-DATA FTP Data: 19for bytes Create security policies and establish rules operating in and maintaining a security- conscious environment Server Client FTP-DATA FTP Data: 116 bytes Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations The remainder of the capture was omitted. It simply reported on the success of the transfer and security at the end user's workstation, including web browsers, desktops, and closedImprove the session. laptops That's the big difference between PORT and PASV. In the former, the server initiated the data Evaluate the pros andlatter, cons of installing a certificate own channel, channel connection. In the the server told the clientserver whichand portbecoming to use foryour the data Certification Authority and the client initiated the connection using that port. In PASV mode, the client initiates both the control session and the data session, so the FTP server is always responding, never initiating. This the Cisco router PIX Firewall and Ciscofor IOS Firewall architecture and how to apply Cisco meetsLearn the screening firewall criteria safe computing. standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution NOTE While the Internet has transformed and improved the way we do business, this vast network and Although this plan is a big step toward safe transfers, it isn't enough. Firewalls have its associated technologies have opened the door to an increasing number of security threats. grown far stronger and have more sophisticated security tools to use. A more detailed The challenge for successful, public web sites is to encourage access to the site while eliminating discussion of firewalls and how they work is in Chapter 10, "Firewalls." undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest TIP link. Network attacks can occur at any point, including the network connection, the firewall, the web server, the client. Hardeningwith the defenses atdefaults all thesetopoints key toFigure creating InternetorExplorer (IE—starting version 5) PORT is mode. 6-4an shows effective, all-encompassing network security solution.
the Internet Options Advanced tab (get to it from the Tools menu) focused on the checkbox that forces IE to use PASV mode.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Secure FTP PASV mode FTP went a long way toward solving the security problem—most FTP servers are no more sophisticated than that. However, two big holes remain: •
Table of Contents
The username and password are sent in the clear. Users who access FTP servers with their Index domainField username and password are broadcasting those credentials for all to see. Web Security Guide •
BySteve Kalman
The contents of the files being transferred are also unprotected.
Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7
NOTE Pages: 608
Ethereal is a free, robust, and well-known network analysis tool that can even reconstruct a TCP session. With a single click, the contents of the data transferred to or from the FTP server display on a screen where it can be viewed, printed, or saved. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. There is, however, a solution for protecting the username, password, and file contents being Create You effective security policies rules for in and a transferred. can add the power of and SSL establish and certificates tooperating FTP, making the maintaining entire transaction securityconscious environment secure. Both SSL and certificates are discussed in detail in Chapter 9, "Becoming a Certification Authority (CA)." Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
NOTE Improve security at the end user's workstation, including web browsers, desktops, and laptops Just as SSL is important to establishing secure and private FTP, it has the same role in SMTP (Mail). send mail way of your LAN to your mail From there, Evaluate the Users pros and cons ofby installing a certificate server andserver. becoming your ownit leaves your company en route to the destination mail server. While still on your LAN, Certification Authority any curious users with a network analysis tool, such as Ethereal, could capture and read of Cisco the e-mail passingand by their SSL-enabled mail servers that. Learnallthe PIX Firewall Ciscostation. IOS Firewall architecture and howprevent to apply Cisco standard and extended access lists Although those same tools could read e-mail while it is traversing the Internet, the quantity traffic of finding a place tokeep plug it inup thetolistening station Discoverof ways to and test the the difficulty current state of security and date lower this risk to nearly nonexistent status. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. RFC Status The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform Request (RFCs) are the vehicle for a establishing Internetsecurity standards. daily jobsfor orComments conduct transactions, the primary greater the impact breach of network has.New Just standards and modifications to existing ones are created by RFCs being offered for comment as Cisco Systems has been an innovator in using the Internet to conduct business, so too is itand a eventually becoming accepted by the Engineering Force (IETF). market leader in the development andInternet sale of products andTask technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest PASV mode FTP is an example of this process. RFC 959 was the original RFC that defined FTP. link. Network attacks can occur at any point, including the network connection, the firewall, the That RFC also defined the PASV command but left details for future development, which came in web server, or the client. Hardening the defenses at all these points is key to creating an February 1994 with the release of RFC 1579. effective, all-encompassing network security solution.
NOTE
• •
The RFC process has long been formalized. New proposals start out as Internet Drafts and move through several stages of review before getting an RFC number. RFC 2026 describes theofsteps a proposal goes through on the way to becoming an RFC. Table Contents Index
One detail from RFC 2026 might forestall some confusion. RFCs are numbered sequentially as they rise from Internet Drafts to RFC status. However, the date BySteve Kalman assigned to the RFC is based on the date that it was submitted as an Internet Draft. A higher-numbered RFC can have an earlier date than many of those whose numbers Publisher: Cisco precede it. Press Web Security Field Guide
Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Table 6-1 lists several of the key RFCs dealing with securing FTP.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. NOTE Any RFC can be located at the official repository at www.ietf.org/rfc/rfcxxxx.txt, where Create effective security establish rules for operating in and maintaining a xxxx is the number of thepolicies RFC. A and more convenient location is www.rfcsecurityconscious environment editor.org/rfcsearch.html, where you can search for RFCs by name, number, keyword, or, if you don't mind the delay, even content. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and Table 6-1. RFCs that Enable Secure FTP laptops pros and cons of installing a certificate server andDate becoming your own RFC Evaluate the Title Certification Authority Number RFC 2228 Security Extensions 1997 Learn the FTP Cisco PIX Firewall and Cisco IOS Firewall architectureOctober and how to apply Cisco standard and extended access lists RFC 2246 The TLS Protocol January 1999 RFC 2389 Discover ways Feature to test negotiation the current mechanism state of for security the File andTransfer keep it up August to date 1998 Protocol Learn to engage end users as part of the overall network security solution Internet Securing FTP with TLS January 2000, revised April Draft 2002 this vast network and While the Internet has transformed and improved the way we do business, its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform dailyNOTE jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market Transport leader in Layer the development Security (TLS) and is an sale IETF of products standardand based technologies on Securethat Sockets protect Layer data traveling (SSL)across version the3.Internet. The biggest Yet adifference network security is that TLS solution uses stronger is only ascryptographic strong as its weakest link. algorithms. Network attacks Support can for occur both at SSL any and point, TLS including is built into the network most modern connection, browsers theand firewall, the web server, servers.or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Example of Secure FTP Product Several secure FTP servers and clients are available for Windows-based computers. This section uses an FTP server called Serv-U and an FTP client called FTP Voyager, both from RhinoSoft.com. You'll learn how to install the server and the client, and how to enable and • Table of Contents control secure FTP. •
Index
Web Security Field Guide BySteve Kalman
NOTE
Publisher: Cisco Press Pub November 08, 2002 AsDate: used here, the term
secure FTP has two meanings. One is that the password is ISBN: 1-58705-092-7 hashed (transformed into a usually shorter fixed-length value or key that represents the Pages: original 608 string). The other is that the contents of the files being transferred can be encrypted using SSL or TLS.
Many clients and servers allow hashed passwords but don't support SSL. This is a good step forward but does not completely fix the problem. As an aside, many FTP clients that do support SSL also hash the password. That's redundant, though not particularly Hands-on techniques for securing Windows(r) servers, browsers, and network communications. harmful. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
No Understand Standardsecure Leads to No Interoperability installation options for Windows web servers and how to enhance security on existing web and FTP server installations It was my intent to use the secure server from RhinoSoft and the client from Insight. security at the endtrying user'sto workstation, web browsers, AfterImprove many hours of frustration get them toincluding work with each other, I desktops, gave up and and laptops switched to RhinoSoft's client, which I've used for years. I also tried Insight's server against both clients. Each server connected flawlessly with its client but Evaluate the pros and conscompany of installing a certificate server and becoming your own refused to talk securely across lines. Both would talk to any nonsecure Certification Authority client, including the DOS-style FTP client. This is a common problem when dealing with technology that isn't yet standardized. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
Secure Server Installation
Learn to engage end users as part of the overall network security solution To install Serv-U, the RhinoSoft secure FTP server, the first step is to download the fully While the Internet has version. transformed and improved the way click we dothe business, this vast network functional 30-day trial Go to www.Rhinosoft.com, Serv-U link, and then clickand its associated technologies have opened the door to an increasing number of security threats. the download link and save the program in an appropriate directory. While you're there, get the The challenge for successful, public web sites is to encourage access to the site while eliminating client, FTP Voyager, too. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance FTP servers are or scalability. most often The installed moreinreliant one oforganizations two locations. become The first onisthe as Internet a generaltorepository perform of dailyavailable files jobs or conduct to sometransactions, group of users the(possibly greater the including impactthe a breach general ofpublic). networkThe security other has. common Just as Cisco is location Systems the webhas server. been In anthat innovator case, the in using FTP server the Internet receives to the conduct files that business, make so up too theisweb it a market leader server's content. in the Bothdevelopment cases need additional and sale ofsecurity. products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest Make sure thatattacks you'recan logged in at with administrator rights launch the install the program by the link. Network occur any point, including theand network connection, firewall, clicking it. You'll see an important warning screen,atreproduced here in 6-5. As you'll web server, or the client. Hardening the defenses all these points is Figure key to creating an discover Chapter 9, SSL requires use ofsolution. a certificate. Dozens of firms are willing to sell you effective,inall-encompassing network the security
one, or you can generate your own. Serv-U takes the latter approach and generates its own certificate. It does that after you fill in appropriate fields on one of its pages.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Because there is already information in those pages that is the same for every install, the server generates the default certificate for every installation. This is clearly not secure because all Evaluate the pros and cons of installing a certificate server and becoming your own public and private keys would be the same (and known to every hacker). To make your server Certification Authority certificate unique, you must change the contents of those fields. This message warns you about that risk and tells youPIX how to avoid it. Cisco For now, Next to proceed and withhow the to install. will Learn the Cisco Firewall and IOS click Firewall architecture applyYou Cisco createstandard your own certificate manually after the wizard ends. and extended access lists Figure 6-6 shows a screen you've seen times.and Here, you getto todate choose the installation Discover ways to test that the current state many of security keep it up directory. The default is nearly always correct, so change it if you must but be sure to press Next Learn when to you are ready proceed. engage end to users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, Figurepublic 6-6. web Program sites is to Installation encourage access Location to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. You see the screen shown in Figure 6-7 next. Make sure all the boxes are maintaining checked andaclick Create effective security policies and establish rulesthat for operating in and Next.security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP UnderstandFigure secure installation options for Windows web serversto and how to enhance 6-7. Selecting the Components Install security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
TIP If you want to be able to administer the server from another location, you can repeat the installation and choose the second box, Administrator program files.
• •
Similarly, if you have several FTP servers to install, you can skip the second box on any server where are sure that you don't want to do local administration. Table ofyou Contents Index
Web Security Field Guide By Steve Kalman The files will copy
over quickly, and an installation wizard whose first screen is shown in Figure 6-8 will start automatically. Click Next to begin the wizard. Publisher: Cisco Press Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Figure 6-8. Beginning the Setup Wizard
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Figure 6-9 is courtesy to users FTP server administrators use screen readers or prefer small Learn toaengage end as part of the overallwho network security solution images with menu items. Enable or disable them as you prefer and click Next to bring you to While the Internet has transformed andNext improved the wayto westart do business, this vast network and the screen shown in Figure 6-10. Click on that page the FTP server already its associated technologies have the (It door tostart an increasing number security threats. installed on your machine for theopened first time. will automatically fromofnow on whenever The reboot challenge successful, you thefor server itself.) public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems hasFigure been an innovator in usingIcon the Internet to conduct business, so too is it a 6-9. Setting Size Preference market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Figure 6-10. for Starting FTP Server Additional Configuration Hands-on techniques securing the Windows(r) servers, for browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated NOTE technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious and tocan provide sufficient levels items. of security without constraining Everything you do intraffic the wizard be done using menu However, using the performance or scalability. The more reliant organizations become on the Internet to perform wizard prevents you from skipping necessary steps. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling Figure 6-11 across asksthe youInternet. for the IP Yet address a network of the security computer solution on which is only you asare strong installing as its the weakest FTP link. Network server. You can attacks have a can machine occur at where any point, the IP including address varies. the network (This is connection, common on themachines firewall, that the webdialup use server,ororDSL thelines, client.but Hardening not very the common defenses on LANs at all or these publicly points available is key toFTP creating servers.) an The effective,here example all-encompassing uses a fixed address. networkKey security in your solution. server's address and click Next.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP NOTE Understand installation options for Windows and how to enhance If your serversecure has an address but you don't know it, web openservers a command prompt and type security on existing web and FTP server installations ipconfig. For security, don't leave this blank unless you are using a dynamic address. If this field is blank, the FTP server responds to its current IP address, which might Improve at by theaend user's workstation, including web browsers, desktops, and have beensecurity modified hacker. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Your server needsAuthority a descriptive name. You can use the DNS name or choose another. (The name is used only internally to generate the certificate and does not have to be resolvable externally Learn As theshown Cisco PIX Firewall andkey Cisco IOS Firewall and how toclick apply Cisco with DNS.) in Figure 6-12, in whatever youarchitecture think appropriate and Next. standard and extended access lists Discover ways to test the current state of security and keep it up to date
Figure 6-12. Setting the Descriptive Name Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
The next question, presented in Figure 6-13, takes careful thought. If your FTP server is going to be available to people you don't know (typically over the Internet), you need to allow Hands-on techniques for securing Windows(r) browsers, and accounts network communications. Anonymous access. However, if you know yourservers, users, you can create for them individually (or by group) or let them use Anonymous access. The main difference is in the starting directory. In a later step, you and define the directory that the userinhas access to aftera Create effective security policies establish rules for operating and maintaining connecting. If you define separate user accounts, you can give them access to different security- conscious environment directories. However, if they share an account, they have to share the directory, too. For this example, allow access and click Next. Learn howAnonymous to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 6-13. Creating the Anonymous User Account Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
TIP If you change your mind later, remember that from the FTP server's point of view, the anonymous user is just another named account. You can add or remove it as needed.
You are asked (on the screen shown in Figure 6-14) if you want to create a named account. You • Table of Contents want at least one account for updating the FTP server content. The default is to create one, so • Index just click Next. That leads you to the screen shown in Figure 6-15, where you'll be asked for the Web Security Field Guide account name. Key in something appropriate and click Next. ("Developers" is used here.) The By Steve Kalman next page (Figure 6-16) asks for the password. It is case-sensitive. This example uses WSFG, but a more complex password scheme is recommended and examples are in Chapter 12, "The Weakest Link." Publisher: Cisco Key Pressin something you'll remember and click Next. Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608
Figure 6-14. Requesting a Named Account
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure 6-15. Entering the Discover ways to test the current state of security andUser keep itName up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
6-16. Entering thebrowsers, User Password Hands-on techniquesFigure for securing Windows(r) servers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution Then, you are asked for the account's home directory. This is the directory that the user will be While has transformed andin improved the way we the do business, this and vast navigate network to and startedthe in Internet after logging in. You can key the location or click Browse icon it its associated technologies have opened the door to an increasing number of security threats. (shown in Figure 6-17). Click OK after you pick the right location, and click Next to proceed to The challenge for successful, public web sites is to encourage access to the site while eliminating the screen shown in Figure 6-18. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an6-17. innovator in using the Internet to conduct business, so too is it a Figure Selecting the Home Directory market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation Windows servers Figure options 6-18. for Locking inweb the Userand how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leaderthere in the of products technologies thatjust protect data The question is development whether you and wantsale to lock the userand to the directory you chose. You traveling across the Internet. Yet a network security solution is only as strong as its weakest should select Yes so that the user can access files in the named directory and in any link. Network attacks occur at any point, the network connection, firewall, the subdirectories, but notcan other directories at or including above that level. The default, No, the is only web server, or the client. Hardening the defenses at all these points is key to creating an appropriate for superusers. Click Next to proceed. effective, all-encompassing network security solution.
Most users are not able to manage the FTP server, but the screen shown in Figure 6-19 asks if the user you are defining now is an exception. There are five choices, as listed and defined in Table 6-2. Select the default, No Privilege, and click Next (it is hiding under the drop-down menu in the figure) to get to the screen shown in Figure 6-20, where you end the wizard by clickingFinish.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 6-20. Finishing the Wizard Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Table 6-2. FTP Server User Types Privilege Name Use No Privilege
Typical users.
Group Administrator •
In charge of a section of the directory structure, can make new users and give access within that structure but cannot otherwise modify the FTP server Table ofconfiguration. Contents
•
Index
Domain Administrator
A single instance of the Administration program can manage multiple FTP servers, called a Domain. A Domain Administrator can manage one domain but cannot change other, global settings.
Web Security Field Guide BySteve Kalman
System Can manage any aspect of the FTP server. Publisher: Cisco Press Administrator Pub Date: November 08, 2002
Read-only Can see anything that the System Administrator can see but can make no ISBN: 1-58705-092-7 Administrator changes. Pages: 608
When the wizard completes, you have a working FTP server, but you must still do several things to bolster security. You were alerted to the first of them in the wizard's initial screen; you must make the certificate your own. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. When the wizard finishes, you will be viewing the screen shown in Figure 6-21. To edit the certificate and automatically a new one, click Settings (the one just maintaining under Local a Create effective securitygenerate policies and establish rules for operating in and Server, not the one for this particular instance). That presents a series of four tabs in the large security- conscious environment right-hand pane. Click the SSLCertificate tab to get to the screen shown in Figure 6-22. Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security Figure on 6-21. existing Serv-U web and FTP Administrator server installations After Finishing the Wizard Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations The fields you security see in Figure theworkstation, minimum fields needed forbrowsers, a certificate. Make the Improve at the6-22 end are user's including web desktops, and changes appropriate to your site (Figure 6-23 shows a sample) and exit the program with File > laptops Exit. This generates a public and private key pair based on the data you entered and places the publicEvaluate key in athe self-signed pros andX.509 cons of formatted installingcertificate. a certificate It also server generates and becoming a certificate your own request file calledCertification certreq.txt and Authority place it in %systemroot% (typically your C:\WINNT or C:\Windows drive). Theoretically, that file can be sent to a certification authority if you want; however, no function is Learn PIX to Firewall IOS Firewall back architecture and how to apply Cisco currently in the theCisco program importand theCisco signed certificate in. standard and extended access lists Discover ways to test the current state of security and keep it up to date
Figure 6-23. Customizing Your Certificate
Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
NOTE
Understand secure installation options for Windows web servers and how to enhance security 9onexplains existinghow webSSL anduses FTP certificates, server installations Chapter the process of signing certificates, requesting new ones, public and private keys, and much more. Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros cons of settings installingand a certificate server changes. and becoming your own Restart the program to and review key make additional The easiest way to do Certification Authority that is to right-click the new taskbar icon (thick green letter U, near the clock) and click Start Administrator. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
NOTE
Learn to engage end users as part of the overall network security solution
As you read through the descriptions of these settings, you see that more is skipped While the Internet has transformed and improved the way we do business, this vast network and than is discussed. That's because these next few paragraphs are designed to alert you its associated technologies have opened the door to an increasing number of security threats. to the kind of features that secure FTP servers offer, not to examine the details of ServThe challenge for successful, public web sites is to encourage access to the site while eliminating U. If you are using a different server, you will have to rely on that server's help and undesirable or malicious traffic and to provide sufficient levels of security without constraining documentation. performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader (the in the development and sale of products and technologies protect data ClickSettings same one as before, under Local Server) and then on that the General tab, if not traveling across the Internet. Yet a network security solution is only as strong as its weakest selected by default. You'll get the screen shown in Figure 6-24. The fields for security and link. Networkare attacks can occur at any point, including the network connection, the firewall, the performance especially important. web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance The security-involved field is labeled Block "FTP_bounce" attacks and FXP. An FXP transfer is security on existing web and FTP server installations from FTP server to FTP server, and it has been abused. Malicious users will copy everything they can from your security server back to end youruser's serverworkstation, (bouncing off of another As you'd imagine, Improve at the including webserver). browsers, desktops, and that quickly uses up all your bandwidth, and shortly after that, all your disk space. Checking this laptops box prevents FTP transfers from happening. Evaluate the pros and cons of installing a certificate server and becoming your own The performance is called Block anti time-out schemes. It keeps FTP clients from sending Certification tab Authority keepalive No Operation (NOOP) commands just to keep the connection alive. Check this one, too, and then the Advanced tab Cisco on theIOS same Settings page. You'll thetoscreen Learn theclick Cisco PIX Firewall and Firewall architecture andget how apply shown Cisco in Figure 6-25. and extended access lists standard Discover ways to test the current state of security and keep it up to date Learn to engageFigure end users as partDomain of the overall network security solution 6-25. Settings: Advanced While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Make sure that the Encrypt Passwords and Enable security boxes are checked. (They should be checked by how default.) TheseWindows store passwords as platforms, MD5 hashes and require Administrator Learn to harden multi-user including NT, 2000, and XP login to the server before allowing modifications, respectively. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops TIP Evaluate pros on and cons of installing a certificate your When youthe clicked the taskbar icon, you were able server to startand thebecoming FTP server andown make Certification Authority changes without logging into it because the Enable security box wasn't checked on this server. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists ways to itself test the ofas security keep it up totodate Click Discover the server name (in current the left state pane), shown and in Figure 6-26, continue. On that page, you should make a proactive security setting. The three choices in the Security drop-down Learn to engage end users as part of the overall network security solution box are as follows: While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. Regular FTP only, no SSL/TLS The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining Allow SSL/TLS and regular sessions performance or scalability. The more reliant organizations become on the Internet to perform only SSL/TLS sessions the greater the impact a breach of network security has. Just daily Allow jobs or conduct transactions, as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks Figure can 6-26. occur atConfiguring any point, including SSLthe Use network Requirements connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Pick either of the last two. If you know that all the authorized users of your FTP server have an SSL enabled client, chooseWindows the bottom option. However, some users have Learn how to harden multi-user platforms,if including NT,might 2000,not and XP the ability to use SSL, the middle option will serve you best. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops NOTE Evaluate the uses pros and a certificate server becoming your own on FTP with TLS port cons 990. of If installing you choose the SSL/TLS onlyand option, the port number Certification Authority that page changes. When using the Allow SSL/TLS and regular sessions option, the port starts out as 21 but changes during the session initiation. Be sure that your Learn theand Cisco PIX access Firewall andallow Ciscoboth IOSports Firewall architecture and how Cisco firewalls router lists through, as covered laterto in apply Chapter standard and extended access lists 10. Discover ways to test the current state of security and keep it up to date to engage end usersthe as FTP partserver of thename overall network security solutiontab to get to the Click Learn the Settings label under and then on the Logging screen shown in Figure 6-27. Logging FTP server activity is essential for the same reasons that While the Internet has transformed and improved the way we do business, this vast network and were discussed in Chapter 5, "Enhancing Web Server Security." However, you should make one its associated technologies have opened the door to an increasing number of security threats. exception. If you have a program that checks the availability of your servers every few minutes The challenge for successful, public web sites is to encourage access to the site while eliminating (by connecting and then closing the connection), you should key the IP address of its host into undesirable or malicious traffic and to provide sufficient levels of security without constraining the Do not log clients from these IPs box. Doing so prevents these maintenance connections performance or scalability. The more reliant organizations become on the Internet to perform from filling up the log. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest Figure 6-27. Domain Settings: Logging link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Further to the right on the same page is the Advanced tab. If your FTP server is behind a NAT service, youhow need change an entrymulti-user on it. Learn toto harden Windows platforms, including NT, 2000, and XP Unless you tell it otherwise, the FTP options server places its actual IPservers Addressand in its response message Understand secure installation for Windows web how to enhance to client's PASV in Example 6-9). If your internal devices are hidden behind a security onrequest existing(see webline and5FTP server installations router or firewall that translates Internet-accessible registered addresses to internal addresses, Improve security at the including web browsers, and you need to use this field. On end the user's deviceworkstation, doing the NAT translations, you need desktops, to permanently laptops assign a registered address to the FTP server's internal network IP address. (That's called Static NAT and is described in Chapter 1.) Then, as shown in Figure 6-28, put that address in the data pros and cons of installing a certificate server entryEvaluate box nextthe to the Allow passive mode data transfers, useand IP becoming field. That your way,own the client Certification Authority will know what address to use when making the data connection. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
Figure 6-28. Adjusting for NAT
Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
NOTE
Understand secure installation options for Windows web servers and how to enhance security on use existing web and FTP server installations You cannot SSL across a NAT-enabled router or firewall. The PORT command or PASV response would be encrypted, so the NAT device would not be able to do the Improve security the of end user's workstation, web browsers, desktops, translations in theat body the FTP message (theincluding headers would be handled okay). and laptops There are firewall proxy services that handle HTTPS (HTTP plus SSL, described in Evaluate9). theThey prosdo and of installingthe a certificate serveratand your own to Chapter socons by terminating SSL connection thebecoming firewall, translating Certification Authority cleartext, scanning the contents as required, and switching back to SSL. No equivalent products are currently available for FTP. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state security andfor keep it upconnections. to date That completes the work required to get yourofserver ready secure The next thing to do is to install and configure an SSL-enabled client. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated Secure Client technologies Installation have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic provideclient sufficient levels security without constraining As with the server, installing theand FTPtoVoyager begins withofits download. After acquired, performance or scalability. The more reliant organizations become on the Internet to perform double-click it to begin the installation. You'll see several screens that you've seen many times daily or conduct transactions, greater the impact a breach has. Just beforejobs suggesting that you close allthe other programs, that you agreeof tonetwork the End security User License as Cisco Systems has been innovator using installation the Internetdirectory. to conduct business, soYes too until is it a Agreement (EULA), and thatanyou like the in default Click Next or market leader in the development and sale of products and technologies that protect data you get to the screen shown in Figure 6-29. traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP If you use a proxy server or dialup connection, you should indicate that here. The unusual Understand secure installation web you servers and how to reason enhance decision is whether you want to use options PASV forfor allWindows sites. Unless have a specific to use security on existing web and FTP server installations PORT mode in some places (for example, an exceptionally old FTP server that doesn't do PASV), you should check this box. You can override it later, if needed. Click OK when you are ready to Improve security at the end user's workstation, including web browsers, desktops, and proceed. laptops That brings you to the screen shown in Figure 6-30, where you are asked about your Evaluate the pros and cons of installing a certificate server and becoming your own connection's data rate. This lets the client set aside a properly sized transfer buffer. Click the Certification Authority correct radio button and click Next. You get a question about using FTP Voyager as the default browser, even Internet Explorer. Answer you prefer. No is recommended. Learn thewithin Cisco PIX Firewall and Cisco IOS as Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
Figure 6-30. Sizing the Transfer Buffer
Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
NOTE
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP One of the technical editors tested this chapter's steps in a lab that has T1 access. His Understand secure installation options for Windows web servers and how to enhance report follows: security on existing web and FTP server installations When I did the install I never got this screen shot (Fig. 6-30) about transfer Improve security thebecause end user's workstation, including web browsers, and buffer size. Itatwas I chose the T1,…ADSL selection. As a sidedesktops, effect, I did laptops not get the question about the default browser until after it had me select the Finish button. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Your mileageAuthority may vary. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
TIP Learn to engage end users as part of the overall network security solution IE works fine for the occasional FTP transfer, whether or not you make FTP Voyager the While the Internet has transformed and improved the way we do business, this vast network and default. However, your users might find it awkward to have a program with a different its associated technologies have opened the door to an increasing number of security threats. look and feel pop up inside IE. Until they get used to the interface, staying with IE's The challenge for successful, public web sites is to encourage access to the site while eliminating built-in FTP facility is probably best. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a You are left in the Site Profile Manager, as shown in Figure 6-31. FTP Voyager comes with market leader in the development and sale of products and technologies that protect data several FTP sites preconfigured. Click the minus sign next to Sites to close them. Then, click traveling across the Internet. Yet a network security solution is only as strong as its weakest Personal Sites to get to the screen shown in Figure 6-32. From there, click New Site and fill in link. Network attacks can occur at any point, including the network connection, the firewall, the the fields in the right half of the screen. As soon as you name the site, it updates the left side. web server, or the client. Hardening the defenses at all these points is key to creating an Figure 6-33 shows the fields filled in, almost ready to connect to the secure server. effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at 6-32. the endSite user'sProfile workstation, includingPersonal web browsers, desktops, and Figure Manager: Sites laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP If you were creating a profile that did not use SSL, you could connect now. However, to tell the Understand secure installation options for Windows web servers and how to enhance client that you want to use SSL, click Advanced and then Security to bring up the screen security on existing web and FTP server installations shown in Figure 6-34. As you can see, the default is Standard (No Security). The Connect Using box has the following Improve securitythree at thechoices: end user's workstation, including web browsers, desktops, and laptops No Security Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Explicit SSL Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Implicit SSL standard and extended access lists Discover ways to test the current state of security and keep it up to date
Figure None Learn to engage end users as6-34. part of Default the overallSecurity, network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment These three choices correspond to the choices available on the server configuration page (shown Learn how to harden Windows multi-user platforms, including NT, 2000, and XP inFigure 6-26). The bottom choice, Implicit SSL, means that the client should connect on port 990 using SSL from the start. Explicit SSL (which you should select and shown in Figure 6Understand secure installation options for Windows web servers andishow to enhance 35) means that initialweb connection on theinstallations standard port, 21, but an explicit command to security onthe existing and FTPisserver change to SSL will be issued. Click OK to finish the configuration. Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and Figure cons of 6-35. installing Setting a certificate Explicit server Security and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment LearnFTP how in to harden Windows multi-user platforms, including NT, 2000, and XP Secure Action Understand secure installation options for Windows web servers and how to enhance All that's left is test. If the shown in Figure 6-33 is still on your monitor, click Connect. security ona existing webscreen and FTP server installations If not, use the Connect button at the top of the page. Your result should look like the screen shown in Figure 6-36. The box in the lower left showsincluding the commands and status responses Improve security at the end user's workstation, web browsers, desktops, andas the connection is made, and the FTP server's directory listing is displayed. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Figure 6-36. Successfully Making a Secure Connection Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
NOTE
Understand secure installation options for Windows web servers and how to enhance security web and FTP server installations You needon to existing accept the certificate because it isn't signed by a recognized root certification authority. (Chapter 9 provides further details on this.) Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate and cons of installing a certificate server Connect. and becoming yourthree own Example 6-10 the is anpros Ethereal capture started just before clicking The last Certification Authority commands that can be interpreted are the request to switch to SSL (AUTHSSL), the OK response from the server, and the TCP acknowledgment of the response. None of the rest of the Learn Cisco PIXbecause Firewallitand Cisco IOS including Firewall architecture andand howpassword. to apply Cisco data can bethe interpreted is encrypted, the user name standard and extended access lists Although not shown, the connection is eventually closed, and those commands are returned in the clear. Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and TIP its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating An option on the Tools menu is called Export Site Profiles. After you create and test a undesirable or malicious traffic and to provide sufficient levels of security without constraining secure access profile, you can export it and copy it to the FTP Voyager installation performance or scalability. The more reliant organizations become on the Internet to perform directory or to wherever else you install the client. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest Example Session in Action link. Network6-10. attacksSecure can occurFTP at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
No.
Source
Destination
Protocol
Info
1
Client
Server
TCP
2326 > ftp [SYN]
2
Server
Client
TCP
"ftp > 2326 [SYN, ACK]
3
Client
Server
TCP
2326 > ftp [ACK]
•
ServerIndex Client
FTP
Response: 220 Serv-U FTP Server v4.0
•
4
Table of Contents
Web Security Field Guide BySteve Kalman
5
for WinSock ready...
Client Server Publisher: Cisco Press
TCP
2326 > ftp [ACK]
Server
FTP
Request: AUTH SSL
Client
FTP
Response: 234 AUTH command OK.
Pub Date: November 08, 2002
6 7
Client
ISBN: 1-58705-092-7
Pages: 608
Server
Initializing SSL connection. 8 Client Server TCP 2326 > ftp [ACK] Hands-on techniques for securing Windows(r) servers, browsers, and network communications. 9 Client Server FTP 10
Create effective security policies and establish rules for operating in and maintaining a Server Client FTP security- conscious environment
11
Client Server FTP Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
12 13
Server Client FTP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Client Server FTP
14
Improve security at the end user's workstation, including web browsers, desktops, and Server Client FTP laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution
While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Summary This chapter showed you how to improve the security of your FTP transactions. You learned how to give developers secure access to their web server and how to prevent others from eavesdropping. •
Table of Contents
• Index Part IV shows you how to secure the user's workstations. Web Security Field Guide BySteve Kalman
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Part IV: Protecting the User • •
The user is the weakest link in any security scheme. Intruders who are masters in social engineering find ways to trick users into running dangerous code despite all the training and cajoling you do. Script kiddies test all your users' PCs by looking for weak spots. Users Table of Contents bypass Index or disable security to "enhance" their systems.
Web Security Field Guide BySteve Kalman
Chapter 7 Browser Security This chapter focuses on things to do to the browser to enhance security. Topics include Publisher: Cisco Press cookies, and managing the four security zones. dangerous content, Pub Date: November 08, 2002
Chapter 8 Desktop/Laptop Security ISBN: 1-58705-092-7 This chapter focuses on protecting the PC. Topics covered include personal firewalls, virus Pages: 608 scanners, digital signatures, and enforcing security policies.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Chapter 7. Browser Security This chapter covers the following topics: • •
Table of Contents
Dangerous Content Index
Web Security Field Guide The Four Zones BySteve Kalman
Cookies Publisher: Cisco Press
The term dangerous content describes code that is written by an often unknown third party, Pub Date: November 08, 2002 delivered via the Internet to your PC (sometimes without your knowledge or consent), and run ISBN: with the full1-58705-092-7 privileges of your security level. This chapter explains the risks of this dangerous Pages: content and608 shows how to protect against it. A brief discussion of cookies shows how they are used and, unfortunately, abused and provides you with some alternatives to consider.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Dangerous Content Scripting programs have been around a long time. For example, IBM had a program called Script that ran on its mainframes before the IBM PC was even invented. The Script program worked by beginning each line with commands, such as .p to create a new paragraph, or .nl to • Table of Contents indicate a new line. •
Index
Web Security Field Guide In its earliest days, HTTP and HTML were used as a way to replace FTP. The idea was to have a way to read plain text files page by page without having to copy them first. When Tim BernersBySteve Kalman Lee developed the HTTP protocol, he used typical scripting program commands to build the foundation of HTML. Publisher: Cisco Press
Pubnew Date:protocol November followed 08, 2002 the constructs of the scripting languages of the day. Back then, a Tim's ISBN: 1-58705-092-7 browser could be accurately described as a program running the HTTP protocol on your machine that accessed Pages: 608text on a server, formatted it, and used HTML constructs to display it on your monitor.
Over time, Tim and others added to the HTML protocol, driven by the need and desire to include graphics and animation, up-to-the-minute news and stock quotes, music and video, and all the other things that are now a normal part of the online experience. In order to make this possible, Hands-on techniques for securing Windows(r) servers, browsers, and network communications. a fundamental change had to occur. Executable programs had to be written, stored on the server, and delivered to and executed on your machine to enhance your browser's operation. TheseCreate programs weresecurity often written notand by establish the serverrules operator, but by an thirda effective policies for operating in independent and maintaining party.security- conscious environment The first iteration these third-party written applications are helperNT, applications Learn how toofharden Windows multi-user platforms, including 2000, andand XP plug-ins. They're nearly the same thing; a plug-in depends on the browser and uses the browser's memory space to secure function. It cannotoptions stand alone. Shockwave a good example a plug-in. Understand installation for Windows web is servers and how toofenhance security on existing web and FTP server installations A helper application runs in its own space, although it might appear to be running in the browser. Acrobat is a good example. Although a stand-alone exists, when you see it Improve security at the end user's workstation, includingversion web browsers, desktops, and running inside the browser window, you're looking at the helper app. Another example is Excel. laptops You can view an Excel spreadsheet inside your browser even if you don't have the Office product installed Evaluate on your themachine. pros andThat's cons of because installing Microsoft a certificate provides server a helper and becoming app for that your purpose. own Certification Authority The second iteration of these applications is small code segments written in various programming Learn languages the Cisco PIX by web Firewall programmers and Cisco who IOS Firewall have varying architecture degreesand of competence how to applyand Cisco moral character. standard and extended access lists That'sDiscover the risk ways you'retoprotecting test the current againststate hereofinsecurity this section. and keep You don't it up to know datewho wrote the code that you're executing. To complicate matters further, that code can be delivered to you by Learn to engage end users part of overall network security solution visiting a web page, opening an as e-mail, or the by installing software on your PC. While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable NOTEor malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform dailyTry jobsanorexperiment. conduct transactions, Search your the computer's greater the hard impact drives a breach for filesofwith network an .ocx security extension. has. Just as Cisco (That's Systems ActiveX.) has been On my anmachine, innovatorI found in using some the in Internet the Program to conduct Files business, structure so from too is it a market Adobe leader Acrobat, in the DeLorme, development Canon andCamera, sale of products Corel, and andMicrosoft technologies Officethat XP.protect Severaldata were traveling also across in the WINNT\system32 the Internet. Yet afolder. network Yousecurity should see solution similar is only entries. as strong You can as trust its weakest these link. because Network it attacks is fair can to have occur a high at any degree point,ofincluding confidence thein network the companies connection, thatthe produced firewall, the web server, the software. or the However, client. Hardening if you also thesee defenses .ocx files at all anyplace these points else, pay is key careful to creating attention an to effective, the section, all-encompassing "ActiveX," later network in this security chapter. solution.
Over time, the four different kinds of dangerous content that have gained market acceptance are (in increasing order of risk) as follows: Java • •
Table of Contents
JavaScript Index
Web Security Field Guide
VBScript
BySteve Kalman
ActiveX Publisher: Cisco Press Pub Date: November 08, 2002
Java ISBN: 1-58705-092-7 Pages: 608
Java began life in 1991 in the labs at Sun Microsystems as a programming language called OAK. Sun had in mind a language that would control the microcontrollers in toasters, VCRs, microwaves, coffeepots, and other similar devices. The OAK compiler would create bytecode that could run on any of these tiny CPUs. Because it was bytecode, the appliance manufacturers could Hands-on techniques Windows(r) servers, browsers, and network communications. change these chipsetsfor at securing will; the only requirement would be a revised bytecode interpreter. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
NOTE
Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Bytecode is an intermediate step between the source code that a programmer Understand secure installation for web Bytecode's servers andadvantages how to enhance generates and object code that options executes onWindows a computer. to the security on existing web and FTP server installations developer are that it can run on any computer that has an interpreter and that it keeps the source code hidden. (The interpreter processes the bytecode and executes it on the Improve security at the end user's workstation, including web browsers, desktops, and computer.) The disadvantage is that it takes time to interpret the code, so the dancing laptops bears dance a little bit slower. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Because of market forces beyond and the scope this book, architecture the intended and audience Learn the Cisco PIX Firewall Cisco of IOS Firewall how tonever applyadopted Cisco the OAK programming language. The developers, in a stroke of brilliance, repositioned it to work standard and extended access lists in the world of multimedia publishing. It was renamed Java. This repurposing created a problem. Java was now intended to meet two audiences dia-metrically security Discover ways to test the current state of with security and keep itopposed up to date requirements. Learn to engage end users as part of the overall network security solution In one case, Java is designed to be a multipurpose language for creating any application from mail to wordhas processors. These loaded on the client's hard drive and by Whileclients the Internet transformed andprograms improvedare theusually way we do business, this vast network its associated user. technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating In the other or case, Java applications (known as sufficient applets) are designed to bewithout downloaded across undesirable malicious traffic and to provide levels of security constraining the network, perform animations, or do any kind of complex calculations. performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Because the interpreter wasan originally designed control things like coffee pots and as Cisco Systems has been innovator in usingtothe Internet to conduct business, so too is it a microwaves, security was not a part of the design. Once it was repositioned work indata the world market leader in the development and sale of products and technologies thattoprotect of PCs and the Internet, security had to be grafted on. The developers created a model that traveling across the Internet. Yet a network security solution is only as strong as its weakest included a class loader, a bytecode verifier, and a sandbox that had exclusive access to the the link. Network attacks can occur at any point, including the network connection, the firewall, disks, memory, and peripherals of the client computer. web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
NOTE
• •
Java'sSandbox is a virtual computer inside the browser's executable space where Java bytecode executes. Programs in the sandbox cannot interact with the computer's hardware directly. It was so named because it resembles a child's sandbox where things can beofbuilt and destroyed safely, without affecting the space outside the Table Contents sandbox's borders. Index
Web Security Field Guide BySteve Kalman
Unfortunately, the developers confused security with safety. Java has several safety constructs Publisher: Cisco Press built into the programming language, such as those that keep it from exhausting all of the Pub Date: Novemberor 08, 2002 reading memory segments assigned to other applications. In fact, available memory from these safety measures are just as likely to protect legitimate code from causing a buffer overflow ISBN: 1-58705-092-7 as they are to Pages: 608 keep malware from going into an infinite loop. Not only isn't this security, but it isn't even a totally safe model. Even if it was safe, the model is flawed. Hands-on techniques for securing Windows(r) servers, browsers, and network communications.
JavaScript
Create effective securityfor policies and establish rules for operating in to and maintaining a Netscape created JavaScript a number of reasons, including the need provide an appealing securityconscious environment programming environment that required the use of the Netscape server and browser. (Keep in mind that this was at the height of the browser wars when Microsoft and Netscape were each Learn to harden Windows platforms, and XP ran only adding new how product-specific featuresmulti-user to their browsers andincluding servers.)NT, At 2000, first, JavaScript on Netscape browsers, but that is no longer true. JavaScript was a renaming of Netscape's Understand secure installation options for Windows web servers and how to enhance LiveScript, riding on the coattails of Java's popularity. Sun allowed Netscape to use the security on existing web and FTP server installations terminology because Netscape was the first to license Java from Sun. If you view the source on a very old web page, youatmight stilluser's see references to LiveScript. Improve security the end workstation, including web browsers, desktops, and laptops Microsoft wasn't to be outdone. It created its own version, called Jscript. The bad news for programmers that and Jscript was enough to JavaScript to and minimize the learning curve, Evaluate was the pros cons of close installing a certificate server becoming your own but not close enough to be understood by the opposite company's browsers. Certification Authority JavaScript had majorand improvements over Java: Learn security the Cisco PIXtwo Firewall Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists No method existed to open a connection to a computer other than to the one that served Discover ways to test the current state of security and keep it up to date the JavaScript code. Learn to engage end users as part of the overall network security solution JavaScript provided no way to directly access the client computer's system. While the Internet has transformed and improved the way we do business, this vast network and These limitations were great for security but hindered usability. To meet the demands of its associated technologies have opened the door to an increasing number of security threats. complaining users, Netscape introduced the concept of signed JavaScript applications. Once code The challenge for successful, public web sites is to encourage access to the site while eliminating was signed, access to the host machine's resources was allowed. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The evident. more reliant organizations become the Internet to perform Over time, other flaws became The general problem is thaton there is no resource daily jobs or conduct transactions, the greater the impact a breach of network security has. Just management in JavaScript. A program can go into an infinite loop. Here's a sample of the logic as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a that can tie up a machine forever: market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, While (1) {or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Display "click OK to continue" Wait for response } •
Table of Contents
•
Index
Web Security Field Guide BySteve Kalman
With luck, you would be able to close the browser. Alternately, you could reboot the machine (and lose all unsaved work in other windows). Whether a browser can be closed depends on Publisher: Cisco Pressmechanisms in the OS. Windows NT/2000/XP allow application of 100 resource allocation Pub Date: November 2002 percent of the CPU. 08, This is in contrast to the various varieties of UNIX, all of which reserve some resources OS processes. ISBN:for 1-58705-092-7 Pages: 608
Another kind of attack comes from memory and swap space overflow. Here's the logic:
Text(0) = "start" Hands-on techniques for securing Windows(r) servers, browsers, and network communications. For I=1 to 1000000 { Create effective security policies and establish rules for operating in and maintaining a Text(I) = text (I-1) + text (I-1) security- conscious environment I = I + 1 Learn how to harden Windows multi-user platforms, including NT, 2000, and XP }
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Improve security at the end user's workstation, including web browsers, desktops, and laptops The result here is the concatenation of the word "start" to itself, the concatenation of the words "startstart" to itself, andand so cons on. This loop quickly uses up all available memory on theown computer, Evaluate the pros of installing a certificate server and becoming your then all of the swap space, and finally crashes the PC. Certification Authority JavaScript suffers from the limitation that cannot break into a running If you Learn also the Cisco PIX Firewall and Cisco IOSyou Firewall architecture and how toprogram. apply Cisco get lucky, you and might close the browser standard extended access listsbefore the system crashes, but you'll find that the stop button doesn't do anything because it won't be checked until after the loop ends. The luck in Discover ways depends to test the of security and keep up to date closing the browser oncurrent the OSstate reading your keystroke oritmouse click during the time slice while it goes to the beginning of the loop in the preceding code. Learn to engage end users as part of the overall network security solution Attacks like these fall into a category called Denial of Service (DoS). JavaScript is particularly While the Internet has of transformed and improved the way we do business, this vast network and vulnerable to this kind attack. its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining VBScript performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just VBScript was Microsoft's answer to JavaScript. It the is a Internet powerfultosubset of Visual Basic. as Cisco Systems has been an innovator in using conduct business, so too is it a market leader in the development and sale of products and technologies that protect data The threatacross that VBScript embedded in HTML security pages offers is that it can usedas to its access any web traveling the Internet. Yet a network solution is only asbe strong weakest page on the network. Attackers have used this feature in HTML-formatted e-mails to open link. Network attacks can occur at any point, including the network connection, the firewall, the connections pagesHardening with malicious content (including ActiveX) and have that web server, to or web the client. the defenses at all these points is keythen to creating an dangerous content download and execute on client PCs. effective, all-encompassing network security solution.
Well known examples of VBScript attacks include Melissa, I-Love-You, and Anna Kournikova.
ActiveX Like the other three dangerous content engines, ActiveX can do animations, popup windows, and execute scripts. thing that sets ActiveX apart from the other engines is that it can also be • TableThe of Contents used to do anything that can be accomplished with a plug-in or helper application. • Index Web Security Field Guide
ActiveX controls fall into two categories. One is relatively benign in that it contains Java bytecode BySteve Kalman that runs under the restrictions of the Java Virtual Machine (This was Microsoft's answer to Sun's proprietary Java.) Publisher: Cisco Press
ThePub other dangerous one. ActiveX controls can contain native machine code. This Date:category November is 08,the 2002 can beISBN: anything written in C, C++, Visual Basic, or Assembler. Those programs could use the 1-58705-092-7 relatively safe ActiveX application programming interfaces (APIs are a library of functions made Pages: 608 available to programmers) or the APIs from any other source, including the Windows Developer's Toolkit. Even more dangerously, malicious programmers can avoid using the APIs altogether and write code that accesses the computer's memory, disk, and peripherals directly. In other words, ActiveX can do anything that the user can do on the machine, with any program on the market. This includes, but is not limited to, the following actions: Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Erasing arbitrary files Create effective security policies and establish rules for operating in and maintaining a securityenvironment Changingconscious file permissions Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Creating shares Understand secure installation options for Windows web servers and how to enhance Sending e-mails security on existing web and FTP server installations Formatting hard drives Improve security at the end user's workstation, including web browsers, desktops, and In anlaptops attempt to mitigate the risk of letting ActiveX loose on the web community, Microsoft created the concept of signed applications. Authors of ActiveX programs obtain a code-signing Evaluate pros and cons of installing a (CA), certificate and becoming your certificate fromthe a public Certification Authority take server the Authenticode Pledge ("Iown promise to Certification Authority be good"), and use that certificate to sign the code. (CAs are discussed in detail in Chapter 9, "Becoming a CA.") Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard andexist extended At least two flaws in thisaccess plan: lists Discover ways to test the current state of security and keep it up to date The pledge is almost completely unenforceable. Learn to engage end users as part of the overall network security solution Unlike other kinds of certificates, code-signing certificates don't expire. While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance TIP or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Create two accounts for One have administrative privileges; as Cisco Systems has been anyourself. innovator in should using the Internet to conduct business,the so other too is it a should be in a mere user. Keep the icon on the desktop that and remove it from market leader the development andbrowser sale of products andlatter technologies protect data the administrator desktop. keeps you from solution inadvertently a mistake. You traveling across the Internet. YetThat a network security is onlymaking as strong as its weakest never browse as a privileged user. If you do, malicious ActiveX control might the link. should Network attacks can occur at any point, including thea network connection, the firewall, do far more damage. As a regular the only things riskisare the and web server, or the client. Hardening theuser, defenses at all theseyou points key to programs creating an files you own. As an administrator, you risk the entire machine (and possibly the entire effective, all-encompassing network security solution.
network).
NOTE •
Table of Contents
For an interesting story of a programmer, Fred McLain, who wrote an ActiveX control Index called "Internet Exploder" (it does a system shutdown after a 10-second timer elapses) Web Security Field Guide and the trouble he got into because of it, visit his site at BySteve Kalman www.halcyon.com/mclain/ActiveX. Because web pages come and go, you might just want to search for him or his program by name using your favorite search engine. •
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Four Zones In the Microsoft world, security is defined with four different categories called zones. When you access a resource on another machine, the other machine's zone relative to yours is determined, and the restrictions placed on that zone control the interaction with that resource. As a user, you • Table of Contents can set the security policy on your own machine. As an administrator, you can set it on all the • Index machines you control. Web Security Field Guide
The four zones are as follows: BySteve Kalman Publisher: Cisco Press Internet— This
zone contains all the web sites that are not placed in other zones. The occur in this zone, so it should be the one most secured.
Pub Date:dangerous November 08,attacks 2002 most ISBN: 1-58705-092-7
Local Intranet— This zone contains all the web sites that are on your organization's Pages: 608 intranet. In other words, it includes all sites that have the same domain name that your PC is using. Trusted Sites— This zone contains web sites that you trust not to damage your data. Sites must be added to this list manually. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Restricted— This zone contains web sites that you do not trust because they could potentially damage your computer or its data. Sites must be added to this list manually. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Setting for Windows Zone Detection LearnYour how toPC harden multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web have servers to con-figured. enhance For automatic zone detection to work properly, your PC must its and DNShow name security on existing web and FTP server installations That's because there are two ways that Internet Explorer detects if it should use the intranet or the Internet zone. The first way is to look to see if the name you typed has no dots in it. If that's Improve security at the end user's workstation, including web browsers, desktops, and the case, Internet Explorer assumes that it is on your intranet as there would be no way to reach laptops the Internet with an unqualified name. The second way is by comparing the domain name of the site you are visiting with your domain name. If they're equal, the Local Intranet zone settings Evaluate the pros and cons of installing a certificate server and becoming your own apply. If not, control is based on the Internet zone settings. Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists
NOTE Discover ways to test the current state of security and keep it up to date If you access a web its IPofaddress in the URL, the Internet zone settings Learn to engage endserver users via as part the overall network security solution apply, even if the web server is on your own machine. While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating To see if your name traffic is configured, open a sufficient commandlevels prompt and typewithout IPCONFIG /ALL. undesirable orDNS malicious and to provide of security constraining (For Windows 95 workstations, the program is called winipcfg.) If the DNS name is absent, you performance or scalability. The more reliant organizations become on the Internet to perform can enter it via the control panel's network applet. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Navigating to the correct place to update the DNS name in NT 4 is simpler than in Windows 2000 market leader in the development and sale of products and technologies that protect data or Windows XP. Figure 7-1 shows what you need to do in Windows NT. traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Figure 7-1. Output of IPCONFIG Command Showing DNS Name
First, start the Network Applet in Control Panel. Then choose the Protocols tab and double-click Hands-on techniques for securing Windows(r) servers, browsers, and network communications. TCP/IP Protocol. A screen with several tabs pops up. Choose the DNS tab. Enter your domain name in the box Create effective security policies and labeled Domain, as illustrated in Figure 7-2establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Figure 7-2.secure Entering the options DNS Name via the Network Applet in NT-4 Understand installation for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn thethe Cisco PIXtask Firewall and Cisco IOSorFirewall architecture and to how to apply Cisco To accomplish same in Windows 2000 Windows XP, you need start with the standard and extended access lists Control Panel applet called Network and Dial-up Connections. Choose Local Area Connection, right-click, and choose Properties. Discover ways to test the current state of security and keep it up to date From there, double-click Internet Protocol (TCP/IP) and, in the resulting popup, choose Learn to engage end users as part of the overall network security solution Advanced. While the Internet has transformed and improved the way we do business, this vast network and A third popup appears (see Figure 7-3) where you can enter the domain name near the bottom its associated technologies have opened the door to an increasing number of security threats. of the page in the box labeled DNSsuffix for this connection. Again, the sample uses The challenge for successful, public web sites is to encourage access to the site while eliminating example.com. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Figure 7-3. Entering the DNS Name via the Network Applet in Windows market leader in the development and sale of products and technologies that protect data 2000 solution is only as strong as its weakest traveling across the Internet. Yet a network security link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution TIP WhileThe theeasy Internet transformed and improved the or way we do business, this vast network and way has to get to either the network applet the network and dial-up settings its associated technologies have opened the door to an increasing number of security threats. applet is to right-click Network Neighborhood or My Network Places (same thing, The challenge for successful, public web sites is to encourage access to the site while eliminating different versions) and choose Properties. undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a Setting Security for the Internet market leader in the development and sale Zone of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest To set securityattacks in Internet Explorer, choose Tools and then Internet Options. the Thenfirewall, select the link. Network can occur at any point, including the network connection, the Security tab. result Hardening looks like that in at Figure 7-4. points There are four web server, orYour the client. the shown defenses all these is key topredefined creating ansecurity settings. addition, you have the ability to customize effective, In all-encompassing network security solution. the settings for any or all of the zones.
Figure 7-4. Security Settings Page in Internet Explorer
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification The Internet zone Authority is where you need to take the most care. The default setting here is Medium, which really isn't secure enough for surfing the "Wild, Wild Web." Your first step is to click the Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco Custom Level button. standard and extended access lists The window that appears has nearly two dozen items that you can secure. Figure 7-5 shows the Discover ways to test current of security and keep it up to date Medium security default forthe three of thestate Scripting options. Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and Figure 7-5. Medium Security Default for the number Scripting Options its associated technologies have opened the door to an increasing of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Your first step is to change to High security. Do this by changing the drop down box from Medium to High secure and clicking Reset. You'll get a warning, as servers shown in Figure Click Yes. Understand installation options for Windows web and how 7-6. to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Figure 7-6. Changing the Security Setting for a Zone Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened theas door to an of security Take another look at the Scripting options, shown in increasing Figure 7-7,number which comes fromthreats. IE5. You The challenge for successful, public web sites is to encourage access to the site while eliminating can see the changes. Active scripting (that's ActiveX running Java bytecode) is still enabled, undesirable malicious traffic to disabled. provide sufficient levelsthat of security without constraining although theor other options haveand been Keep in mind Microsoft has routinely performance or scalability. The more reliant organizations become on the Internet to perform changed its browser's security defaults with every new version. Check your browser's settings daily jobs or conduct transactions, the greater the impact a breach of network security Just against the recommended setting in Table 7-1. If you're running a browser newer than has. IE5.0, as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a don't worry if your current default is already changed to match the recommendation. market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the 7-7. client.High Hardening the defenses at allfor these points is key to creating an Figure Security Default the Scripting Options effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Table 7-1 shows the setting, its meaning, the High security default, and the recommended Understand secure installation options for Windows servers to enhance setting. Only items that need changing are shown. While web it may seem and thathow the recommended security on existing web and FTP server installations changes lower security by enabling items that were disabled by default, that isn't so. All those items are too severe for normal operation (for example, disabling cookies); the users will figure Improve security at the end while user'sthey workstation, browsers,section, desktops, andbe out how to make changes. Then, are in theincluding security web configuration they'll laptops tempted to enable other things that are and should remain disabled. By making the changes ahead of time on their behalf, you've taken a big step toward maintaining overall security. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority The last item on the list is there because it is a convenient place to explain its purpose. The default is fine, but changing it is an easy way to get your name on every spammer's mailing list. Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date
Table Customizing Zonenetwork Security Settings Learn 7-1. to engage end users as Internet part of the overall security solution in Internet Explorer While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Title
Purpose
Default Recommended
Script ActiveX controls marked safe for Scripting
Allows certain signed ActiveX controls to run.
Enable
Disable
Allow Cookies that are stored on your computer
Enables web sites to write cookies to your profile.
Disable
Enable
Enables web sites to send you temporary cookies.
Disable
Enable
Allows HTTP-based downloads; no effect on FTP.
Disable
Enable
Font Download
Allows truetype fonts.
Prompt
Enable
Active Pub Date: Scripting November 08, 2002
ActiveX running Java bytecode.
Enabled Disable
Also used by FTP. The anonymous option sends your e-mail address to the FTP server.
Prompt
•Allow per-session Table ofcookies Contents •(not stored)Index Web Security Field Guide
Downloads
BySteve Kalman
Publisher: Cisco Press
ISBN: 1-58705-092-7
User Logon Authentication Pages: 608
Prompt
Disabling ActiveX occasionally causes a web page to generate an error. Most of the time, this is Hands-on for securing servers, browsers, network communications. better thantechniques letting it run, but thereWindows(r) are places where you know theand ActiveX controls can be trusted and you need to let them work. A classic example is Microsoft's Windows Update site at windowsupdate.microsoft.com. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Figures 7-8 shows an error message that appears when a blocked ActiveX control fails to run. If you click OKhow to continue, next page likely results in anincluding error. Learn to hardenthe Windows multi-user platforms, NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations
Figure 7-8. Blocked ActiveX Error Message
Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution Figure 7-9 shows the result of a search for an update to Internet Explorer 5.0. The bottom of the While the Internet has transformed and improved the way we do business, this vast network and page has headings for a table, but the contents of the table were not filled in because ActiveX its associated technologies have opened the door to an increasing number of security threats. was blocked. The message, "Error on page" appears in the lower-left corner. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just Figurehas 7-9. Error Generated Because ActiveX Was Blocked as Cisco Systems been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment The solution to this problem is to make www.microsoft.com a trusted site and to set trusted site security so that canWindows run. Go multi-user back into the security including page of the Options Learn how ActiveX to harden platforms, NT,Internet 2000, and XP tool and clickTrusted Sites.Figure 7-10 shows an example. Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at theDefault end user'sSecurity workstation, including web browsers, Figure 7-10. for the Trusted Sitesdesktops, Zone and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations The default security for trusted sites is Low and should be changed to Medium. To do that, drag the scrollbar two notches Apply. Figure 7-11 showsweb thebrowsers, result. Improveup security at the and end click user's workstation, including desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Figure 7-11. Trusted Sites Zone Set to Medium Security Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Finally, click Sites. Clear the checkbox requiring HTTPS, type in the domain name you'll trust, and click Add.security All this has been in Figure 7-12. All that's left to click OK several times Improve at the enddone user's workstation, including webisbrowsers, desktops, and to exit. laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Figure 7-12. Adding a Site to the Trusted Sites Zone
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance When you revisit the download page and re-execute the search, there are neither warnings nor security on existing web and FTP server installations errors.Figure 7-13 shows the result. Note the lower-right corner, where it indicates that this page Improve is in the Trusted securitySites at thezone. end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Figure 7-13. ActiveX in Action on a Microsoft Page Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment
Setting Intranet Learnthe howLocal to harden WindowsZone multi-user platforms, including NT, 2000, and XP The process Understand for setting securesecurity installation in the options Local Intranet for Windows zoneweb is the servers same;and thehow onlytodifference enhance is in the settings. securityTable on existing 7-2 discusses web andthe FTPsettings server installations you should consider changing (starting at the default level, Medium-Low Security). Chapter 5, "Enhancing Web Server Security" covers how to Improve security at the end user's workstation, including weblogon browsers, desktops, andthat set IIS to require NT Challenge/Response authentication. The user setting completes laptops process. Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn CiscoCustomizing PIX Firewall andLocal Cisco IOS Firewall architecture and howSettings to apply Cisco Tablethe7-2. Intranet Zone Security in standard and extended access lists
Internet Explorer
Discover ways to test the current state of security and keep it up to date Title Purpose Default Recommended Learn to engage end users as part of the overall network security solution Download Signed Allows certain signed Prompt Disable unless you sign your While ActiveX theControls Internet hasActiveX transformed controls and to improved run. the way we do business, own. this vast network and its associated technologies have opened the door to an increasing number of security threats. User Logon for successful, Also used by FTP. Intranet The challenge public webThe sites is toAnonymous encourage accessAutomatic to the siteLogon while in eliminating Authentication anonymous option sends Logon (IE5.0 zone (already default in IE undesirable or malicious traffic and to provide sufficient levels of security without constraining your e-mail address to the default) 5.5 and above). performance or scalability. The more reliant organizations become on the Internet to perform server. daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, TIP or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
If several domain names are in use on your intranet (for example, ford.com and lincoln.com or federalexpress.com and fedex.com), you can decide to put those alternate names in the Trusted Sites zone and configure that the same way as you would configure the Intranet zone.
The Restricted Sites zone wasn't mentioned. That's because it is much safer to exclude those • Table of Contents sites from your intranet with settings at your firewall. This is covered in more detail in Chapter • Index 10, "Firewalls." Web Security Field Guide BySteve Kalman
Keeping Your Settings Intact Publisher: Cisco Press
Pub Date: November 08, 2002
As hard as you work to get the settings the way you want, users will work even harder to make ISBN: 1-58705-092-7 improvements. One of the primary tools they have to undo your work is the Automatic Update Pages: 608 feature. Installing an updated version of Internet Explorer puts all the zone settings back to the default. You can, however, disable this feature. Figure 7-14 shows the Internet Options page with the Advanced tab selected. Clear the checkbox next to Automatically check for Internet Explorer updates and you're set. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create Figure effective 7-14. security Preventing policies and Automatic establish rules Internet for operating Explorer in and maintaining Updates a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Cookies A lot of hype exists about cookies and how they're harmful or create security holes. This short section discusses the truth of the matter and shows how to manage them. •
Table of Contents
•
Index
How Cookies Are Used Web Security Field Guide BySteve Kalman
HTTP is a stateless protocol. Every time you visit a web site it is as if you were never there before. Your PC sets up a new TCP connection and requests a page via the URL. Publisher: Cisco Press Pub Date: November 08,usable, 2002 To make the network the HTTP protocol includes some features that allow it to simulate a statefulISBN: environment. If the page you visit requires you to log in, for example, the username and 1-58705-092-7 password are Pages: 608resubmitted for you every time you return to any page in that domain. The only way to temporarily stop it is to close your browser.
Cookies are used for a similar purpose but come in two categories: session cookies and persistent cookies. Two main rules exist for cookie use. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Cookies can only be sent back to the domain or site that created them. Create securityby policies and establish rulesa for andpart maintaining Cookieseffective can be created any site that sends you weboperating page (orin even of a web apage, securityconscious environment such as an image or advertising banner). how to harden Windows platforms, 2000, and XP If youLearn visit an e-commerce web site multi-user and add items to yourincluding shoppingNT, cart, a session cookie is created for each item. As you continue shopping, the cookies that you accumulate are returned secure for Windows web site. servers and howyou'll to enhance to theUnderstand web site each timeinstallation you click aoptions link to any page on that Eventually, decide to go security on existing web and FTP server installations to the checkout page. That page gets built by processing the cookies sent to it (they generally contain stock numbers, codes for colors and sizes, or whatever else is pertinent to that sale). Improve security at the end user's workstation, including web browsers, desktops, and After the checkout completes, the session cookie is deleted from your browser memory. laptops Whenever you go to a web site and see a personalized welcome back message, you know that a Evaluate the pros and cons of installing a certificate server and becoming your own persistent cookie was used. Those cookies contain information about you and your account. It Certification Authority might be just your name, or it might be a record locator (key) to a database stored at the web site. In some cases, it might even be a username and password. When these cookies are Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco created, they include an expiration date. That date is set at the web page pro-grammer's standard and extended access lists discretion. Most last decades. Discover ways to test the current state of security and keep it up to date Because cookies can be returned only to the domain or site that created them, there isn't much risk that a cookie will be anyone entitled to seesecurity it. (Some old browsers had bugs Learn to engage enddelivered users as to part of thenot overall network solution that allowed a site to view all of your cookies. It is unlikely that you'll find those browsers still in use today.) While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining How Cookies Are Abused performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just That doesn't mean that cookies are completely safe. The biggest risk comes from the banner ad as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a companies. When you visit a web page that has a banner ad, that ad comes directly from the market leader in the development and sale of products and technologies that protect data advertising company. Here's an edited line from the body of a popular web page: traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Click here Improve security at the end user's workstation, including web browsers, desktops, and Normal page navigation test laptops Click here Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Basic Authentication test Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Click here Discover ways to test state of security and keep it up to date Private access via IPthe orcurrent NT Challenge-Response Learn to engage end users as part of the overall network security solution Click here While the Internet has transformed and improved the way we do business, this vast network and Test SSL here
its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating
undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
NOTE This example is for the XP Pro web server. For NT and W2000 platforms, you need to change the server name xp-pro.example.com in the preceding four lines to the appropriate value. •
Table of Contents
•
Index
The in the Docs directory refers to four subdirectories: Webdefault.htm Security Fieldfile Guide BySteve Kalman
Normal Publisher: Cisco Press
Basic Pub Date: November 08, 2002 ISBN: 1-58705-092-7
SSL
Pages: 608
IPADDR The sections that follow show the subdirectory contents in full detail. Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a market leader in the development and sale of products and technologies that protect data traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
Referenced Pages Each of the four links in the home page refers to a single page in a subdirectory. That page is the same in all four subdirectories except for the font color and the text that appears when the page is accessed. •
Table of Contents
•
Index
Web Security Field Guide
Normal Page Contents BySteve Kalman
Example C-2 lists the contents of the Normal page. This page can be accessed at any time Publisher: Cisco Press without restriction. Pub Date: November 08, 2002 ISBN: 1-58705-092-7 Pages: 608 Example C-2. Contents of Normal Page, Normal.htm
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. Create effective policies and establish rules for operating in and maintaining a <TITLE>WSFG Normalsecurity Navigation Page security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP Understand secure installation options for Windows web servers and how to enhance
security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and laptops
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco
standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn security solution While the Internet has transformed improved the way we do business, this vast network and
Normal navigationand works
its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a
market leader in the development and sale of products and technologies that protect data traveling
across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
•
Table of Contents
•
Index
Web Security Field Guide
Basic
BySteve Kalman
The Basic page is used for testing Basic Authentication. Example C-3 lists its contents. Publisher: Cisco Press Pub Date: November 08, 2002
Example ISBN: 1-58705-092-7 C-3. Contents of the Basic Authentication Page, Basic.htm Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. <TITLE>WSFG username and password test Page Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and
laptops Evaluate the pros and cons of installing a certificate server and becoming your own
Certification Authority
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover ways to test the current state of security and keep it up to date Learn to engage end users as part of the overall network security solution
Username and Password OK
While the Internet has transformed and improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats. The challenge for successful, public web sites is to encourage access to the site while eliminating undesirable or malicious traffic and to provide sufficient levels of security without constraining performance or scalability. The more reliant organizations become on the Internet to perform daily
jobs or conduct transactions, the greater the impact a breach of network security has. Just as Cisco Systems has been an innovator in using the Internet to conduct business, so too is it a
leader in the development and sale of products and technologies that protect data market traveling across the Internet. Yet a network security solution is only as strong as its weakest link. Network attacks can occur at any point, including the network connection, the firewall, the web server, or the client. Hardening the defenses at all these points is key to creating an effective, all-encompassing network security solution.
•
Table of Contents
• IPADDR
Index
Web Security Field Guide By Steve can Kalman Pages be restricted based on IP Address or the Windows login name and password. The code inExample C-4 shows the IP address displayed when configured successfully. Publisher: Cisco Press Pub Date: November 08, 2002
Example C-4. The Restricted Access Page, IP-Name.htm ISBN: 1-58705-092-7 Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. <TITLE>WSFG restricted Page Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and
laptops Evaluate the pros and cons of installing a certificate server and becoming your own
Certification Authority
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover to test the current state of securityGeneva"> and keep it up to date
Example C-5. Page for Testing SSL, SSL-Test.htm ISBN: 1-58705-092-7 Pages: 608
Hands-on techniques for securing Windows(r) servers, browsers, and network communications. <TITLE>WSFG Secure Page Create effective security policies and establish rules for operating in and maintaining a security- conscious environment Learn how to harden Windows multi-user platforms, including NT, 2000, and XP
Understand secure installation options for Windows web servers and how to enhance security on existing web and FTP server installations Improve security at the end user's workstation, including web browsers, desktops, and
laptops
Evaluate the pros and cons of installing a certificate server and becoming your own Certification Authority
Learn the Cisco PIX Firewall and Cisco IOS Firewall architecture and how to apply Cisco standard and extended access lists Discover to test the current state of securityGeneva"> and keep it up to date