Active defense means actively resisting known methods of attack. Active defenses include these:
Firewalls and gateways to block dangerous or inappropriate Internet traffic as it passes between your network and the Internet at large
Encryption and authentication to limit access based on some sort of credentials (such as a password)
Efforts to keep up-to-date on security and risks, especially with respect to Windows 7
When your network is in place, your next job is to configure it to restrict access as much as possible. This task involves blocking network traffic that is known to be dangerous and configuring your network services to use the most secure communications protocols available to them.
Firewalls and NAT (Connection-Sharing) Devices
Using a firewall is an
effective way to secure your network. From the viewpoint of design and
maintenance, it is also the most efficient tool because you can focus
your efforts on one critical place, the interface between your internal
network and the Internet.
A firewall is a program or piece of hardware that intercepts all data that passes between two networks, for example between your computer or LAN and the Internet. The firewall inspects each incoming and outgoing data packet and permits only certain packets to pass. Generally, a firewall is set up to permit traffic for the protocols you actually use, such as those for email and web browsing, and to block packets that carry file-sharing or remote-administration commands. No protocol is "safe" in itself; what matters is what is listening behind it, so the rule of thumb is to permit only what you need.
Network Address
Translation (NAT), the technology behind Internet Connection Sharing and
connection-sharing routers, insulates your network from the Internet by
funneling all of your LAN’s network traffic through one IP address—the
Internet analog of a telephone number. Like an office’s switchboard
operator, NAT lets all your computers place outgoing connections at
will, but it intercepts all incoming connection attempts. If an incoming
data request was anticipated, it’s forwarded to one of your computers,
but all other incoming network requests are rejected or ignored.
Microsoft’s Internet Connection Sharing and hardware Internet Connection
Sharing routers all use a NAT scheme.
The use of either NAT or a
firewall, or both, can protect your network by letting you specify
exactly how much of your network’s resources you expose to the Internet.
Windows Firewall
One of Windows 7’s features is the built-in Windows Firewall software.
Windows Firewall is enabled on every network adapter and dial-up connection, whether it connects directly to the Internet or to a LAN behind a router. Its purpose is to block unsolicited incoming traffic aimed at network services, so it prevents computers on the Internet from accessing your shared files, Remote Desktop, Remote Administration, and other "sensitive" functions.
Windows Firewall by
default blocks all attempts by other computers to reach your computer,
except in response to communications that you initiate yourself. For
example, if you try to view a web page, your computer starts the process
by connecting to a web server out on the Internet. Windows Firewall
knows that the returning data is in response to your request, so it
allows the reply to return to your computer. However, someone “out
there” who tries to view your shared files will be rebuffed. Any
unsolicited, incoming connection will simply be ignored.
This type of network haughtiness is generally a good thing, except that it would also prevent you from sharing your computer with people that you do want to share with. For example, it would block file and printer sharing, Remote Assistance, and other desirable services. So, Windows Firewall can make exceptions that permit incoming connections from other computers on a case-by-case basis. By that, I mean that it can differentiate connections based on the software involved (discerned by the connection's port number, or by the program that owns the listening socket), and by the remote computer's network address, which lets Windows know whether the request comes from a computer on your own network or from a computer "out there" on the Internet. Windows Vista added a third criterion for judging incoming requests: the "public" or "private" label attached to the network through which the request comes. Windows 7 refines this by applying the label per adapter, so a laptop that is on a trusted wired LAN and an untrusted wireless hotspot at the same time gets the right rules on each connection. This is a huge improvement over Windows XP.
Here’s why: When
you’re at home, the other computers on your network share a common
network address scheme (just as most telephone numbers in a neighborhood
start with the same area code and prefix digits). Those computers can
be trusted to share your files and printers. However, if you take your
computer to a hotel or coffee shop, the computers on your local network
should not be
trusted, even though they will share the same network addressing scheme.
With Windows XP, you had to reconfigure Windows Firewall every time you moved your computer from one network to another, so that you didn't inadvertently expose your shared files to unknown people.
Note
Windows
Firewall has the advantage that it can permit incoming connections for
programs such as Remote Assistance. On the other hand, it’s part of the
very operating system it’s trying to protect, and if either Windows 7 or Windows Firewall gets compromised, your computer’s a goner. If
I had the choice between using Windows Firewall, or an external
firewall device—such as a commercial firewall server or a
connection-sharing router with filter rules—I’d use the external
firewall. But Windows Firewall is definitely better than no firewall at all.
As you may know, when you
connect your computer to a network for the first time, Windows 7 asks
you whether the network is private or public. As you might guess, a
public network is one where you don’t trust the other connected
computers. This would be an appropriate choice in a coffee shop or
hotel, or for a connection from your computer directly to a DSL or cable
modem. A private network is one where you trust the other computers
that are directly attached. This network might connect to the Internet
through a router, but you can still consider it private, because your local trusted computers can be distinguished by sharing a common network address.
Windows Firewall is
enabled by default when you install Windows 7. You can also enable or
disable it manually by selecting the Change Settings task on the Windows
Firewall window. You also can tell Windows Firewall whether you want it to permit
incoming requests for specific services. If you have a web server installed on your computer, for example, you need to tell Windows Firewall to permit incoming HTTP data (TCP port 80). Scope each exception as narrowly as you can: if the server is meant only for your own LAN, limit the exception to the private profile and to your local subnet rather than opening it to the whole Internet.
Packet Filtering
If you use a hardware
Internet Connection Sharing router (also called a residential gateway)
or a full-fledged network router for your Internet service, you can
instruct it to block data that carries services you don’t want exposed
to the Internet. This is called packet filtering. You can set this up in addition to NAT, to provide extra protection.
Filtering works like
this: Each Internet data packet contains identifying numbers that
indicate the protocol type (such as TCP or UDP) and the IP address for
the source and destination computers. Some protocols also have an
additional number called a port, which identifies the program that is to
receive the packet. The WWW service, for example, expects TCP protocol
packets addressed to port 80. A domain name server listens for UDP
packets on port 53.
A packet that arrives at
the firewall from either side is examined; then it is either passed on
or discarded, according to a set of rules that lists the protocols and
ports permitted or prohibited for each direction. A prohibited packet
can be dropped silently, or the router can reject the packet with an
error message returned to the sender indicating that the requested
network service is unavailable. If possible, specify the silent
treatment. (Why tell hackers that a desired service is present, even if
it’s unavailable to them?) Some routers can also make a log entry or
send an alert indicating that an unwanted connection was attempted.
Table 1
lists some relevant protocols and ports. If your router lets you block
incoming requests separately from outgoing requests, you should block
incoming requests for all the services listed, unless you are sure
you want to enable access to them. If you have a basic gateway router
that doesn’t provide separate incoming and outgoing filters, you
probably want to filter only those services that I’ve marked with an
asterisk (*).
Table 1. Services That You Might Want to Block

| Protocol | Port | Associated Service |
|---|---|---|
| TCP | 20–21 | FTP—File Transfer Protocol. |
| TCP | 22 | SSH—Secure Shell protocol, an encrypted replacement for Telnet. |
| TCP * | 23 | Telnet—This remote terminal service, which is also used to configure routers, sends passwords in clear text. |
| TCP | 53 | DNS—Domain Name Service. Block TCP-mode “zone” transfers, which reveal machine names. |
| TCP+UDP | 67 | BOOTP—Bootstrap Protocol (a predecessor of DHCP). Unnecessary from the Internet. |
| TCP+UDP | 69 | TFTP—Trivial File Transfer Protocol. No authentication at all. |
| TCP | 110 | POP3—Post Office Protocol. |
| TCP+UDP * | 137–139 | NetBIOS—These ports are used by Microsoft File Sharing. |
| UDP * | 161–162 | SNMP—Simple Network Management Protocol. Reveals too much information and can be used to reconfigure the router. |
| TCP * | 445 | SMB—Windows File Sharing can use port 445 as well as ports 137–139. |
| TCP | 515 | LPD—UNIX printer-sharing protocol supported by Windows. |
| UDP, TCP | 1900, 5000 | Universal Plug and Play—Can be used to reconfigure routers. |
As I said, if you use a
hardware router to connect to the Internet, I can’t show you the
specifics for your device. I can give you a couple of examples, though.
My Linksys cable/DSL–sharing router uses a web browser for
configuration, and there’s a page for setting up filters, as shown in Figure 1. In this figure, I’ve blocked the ports for Microsoft file-sharing services.
If
you use routed DSL Internet service, your ISP might have provided a
router manufactured by Flowpoint, Netopia, or another manufacturer.
These are complex
devices, and your ISP will help you set up yours. Insist that your ISP
install filters for ports 137, 138, 139, and 445, at the very least.
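To make the rules in the Windows Firewall section and in this packet-filtering section concrete, here is a small stateful filter model in Python. It is an added example written for this chapter, not code from Windows Firewall or from any router; the LAN address range, the exception rules, the packets and the outcome names ("allow", "drop", "reject") are all constructed for the illustration. It shows the three decisions the text describes: replies to connections you started are let back in, unsolicited inbound packets are dropped (or rejected with an error, if you insist) unless an exception matches, and an exception can be limited by port, by the remote address being on your own subnet, and by the public/private label of the network.

```python
"""Stateful packet-filter model: an added example, not Windows Firewall or
router code. Outbound traffic passes and its replies are let back in;
unsolicited inbound traffic is dropped (or rejected) unless an exception
matches on protocol, port, remote-address scope and network profile.
The LAN range, rules and packets below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_SUBNET = ip_network("192.168.1.0/24")   # assumed home LAN


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" (arriving from outside) or "out"


@dataclass(frozen=True)
class Rule:
    """An exception that lets unsolicited inbound traffic through."""
    proto: str
    port: int
    scope: str = "any"                       # "local": only from LOCAL_SUBNET
    profiles: tuple = ("private", "public")  # network labels it applies to


class Filter:
    def __init__(self, exceptions, reject=False):
        self.exceptions = list(exceptions)
        self.reject = reject     # True: answer with an error; False: drop silently
        self.flows = set()       # connections we initiated, keyed from our side
        self.log = []

    def handle(self, pkt, profile):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # A reply is allowed only if it matches a connection we initiated.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        from_lan = ip_address(pkt.src) in LOCAL_SUBNET
        for rule in self.exceptions:
            if (rule.proto, rule.port) != (pkt.proto, pkt.dport):
                continue
            if profile not in rule.profiles:
                continue
            if rule.scope == "local" and not from_lan:
                continue
            return "allow"
        self.log.append(f"blocked {pkt.proto}/{pkt.dport} from {pkt.src} on {profile} network")
        return "reject" if self.reject else "drop"


def demo():
    """Run constructed packets through the filter and return the verdicts."""
    fw = Filter(exceptions=[
        Rule("tcp", 445, scope="local", profiles=("private",)),  # file sharing: home LAN only
        Rule("tcp", 80),                                         # my web server: anyone
    ])
    me = "192.168.1.10"
    v = {}
    # I fetch a web page; the server's reply must be let back in.
    v["out_http"] = fw.handle(Packet("tcp", me, 50000, "203.0.113.5", 80, "out"), "private")
    v["reply_http"] = fw.handle(Packet("tcp", "203.0.113.5", 80, me, 50000, "in"), "private")
    # An Internet host probes file sharing: the rule is local-scope only.
    v["smb_internet"] = fw.handle(Packet("tcp", "198.51.100.7", 40000, me, 445, "in"), "private")
    # A neighbour on my home LAN: allowed by the local-scope rule.
    v["smb_home"] = fw.handle(Packet("tcp", "192.168.1.20", 40001, me, 445, "in"), "private")
    # Same address range in a coffee shop, but the network is labelled public.
    v["smb_cafe"] = fw.handle(Packet("tcp", "192.168.1.20", 40002, me, 445, "in"), "public")
    # The web-server exception applies on any profile, from any address.
    v["http_internet"] = fw.handle(Packet("tcp", "198.51.100.7", 40003, me, 80, "in"), "public")
    # A forged "reply" to a port we never used is still unsolicited.
    v["fake_reply"] = fw.handle(Packet("udp", "198.51.100.7", 53, me, 50000, "in"), "private")
    return v, fw.log
```

Note the coffee-shop case: the probing machine has the same 192.168.1.x address as a neighbour at home would, and only the public label keeps the file-sharing exception from matching. That is exactly the gap the profile criterion closes. The `reject` flag exists only so you can see the alternative; as the text says, prefer the silent drop.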
Using NAT or Internet Connection Sharing
By either
name, Network Address Translation (NAT) has two big security benefits.
First, it can be used to hide an entire network behind one IP address.
Then, while it transparently passes connections from you out to the
Internet, it rejects all incoming connection attempts except those that
you explicitly direct to waiting servers inside your LAN. Packet
filtering isn’t absolutely necessary with NAT, although it can’t hurt to
add it.
Caution
Microsoft’s
Internet Connection Sharing (ICS) blocks incoming access to other
computers on the LAN, but unless Windows Firewall is also enabled, it
does not protect the computer that is sharing the Internet connection. If you use ICS, you must enable Windows Firewall on the same connection, or you must use a third-party software firewall application.
If you have built a
network with another type of router or connection-sharing device, you
must follow the manufacturer’s instructions or get help from your ISP to
set it up.
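The switchboard-operator behaviour of NAT, as an added Python model (not Internet Connection Sharing code or any router's firmware): one public address fronts the LAN, each outbound connection gets an entry in a translation table and leaves with the public address, and an inbound packet is delivered only if it matches an entry or an explicit port-forward you configured. All addresses are constructed. One assumption is labelled in the code: the table is keyed on the remote endpoint as well as the public port, so a third party cannot reuse a mapped port; some real devices key on the public port alone and are looser.

```python
"""NAT / connection-sharing model: an added example, not Internet Connection
Sharing or router firmware. Addresses are constructed. Assumption: the
translation table is keyed on the remote endpoint too, so only the host we
talked to can send packets back through a mapping."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip, forwards=None, first_port=40000):
        self.public_ip = public_ip
        # (proto, public port) -> (LAN ip, LAN port): servers I chose to expose
        self.forwards = dict(forwards or {})
        # (proto, public port, remote ip, remote port) -> (LAN ip, LAN port)
        self.table = {}
        self._next_port = count(first_port)
        self.dropped = []

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public address."""
        for key, lan in self.table.items():
            if lan == (pkt.src, pkt.sport) and key[0] == pkt.proto \
                    and key[2:] == (pkt.dst, pkt.dport):
                pub_port = key[1]            # same connection: reuse mapping
                break
        else:
            pub_port = next(self._next_port)
            self.table[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt):
        """Internet -> LAN: deliver only expected traffic; None means dropped."""
        if pkt.dst != self.public_ip:
            self.dropped.append(pkt)
            return None
        lan = self.table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if lan is None:
            lan = self.forwards.get((pkt.proto, pkt.dport))
        if lan is None:
            self.dropped.append(pkt)
            return None
        return replace(pkt, dst=lan[0], dport=lan[1])


def demo():
    """Exercise the model with constructed traffic; returns results and drop count."""
    nat = Nat("203.0.113.10", forwards={("tcp", 80): ("192.168.1.5", 80)})
    out = {}
    # A LAN PC opens a web connection; the Internet sees only the public address.
    out["translated"] = nat.outbound(Packet("tcp", "192.168.1.10", 50000, "198.51.100.20", 80))
    # The server's reply arrives at the public port and is routed to the PC.
    out["reply"] = nat.inbound(Packet("tcp", "198.51.100.20", 80, "203.0.113.10", out["translated"].sport))
    # A later packet of the same connection reuses the mapping.
    out["again"] = nat.outbound(Packet("tcp", "192.168.1.10", 50000, "198.51.100.20", 80))
    # Unsolicited SMB probe: no mapping, no forward, so it is dropped.
    out["probe"] = nat.inbound(Packet("tcp", "198.51.100.99", 4444, "203.0.113.10", 445))
    # Another host trying the mapped public port is also dropped.
    out["hijack"] = nat.inbound(Packet("tcp", "198.51.100.99", 80, "203.0.113.10", out["translated"].sport))
    # The explicitly forwarded web server is reachable by anyone.
    out["forwarded"] = nat.inbound(Packet("tcp", "198.51.100.99", 5555, "203.0.113.10", 80))
    return out, len(nat.dropped)
```

The port-forward entry is the one place where you deliberately expose something; everything that is not in `forwards` and not a reply to your own traffic is dropped, which is why the text says packet filtering is optional on top of NAT.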
Add-On Firewall Products for Windows
Commercial products called personal firewalls are designed for use on PCs. These types of products, Norton Internet Security 2009 (www.symantec.com)
for instance, range in price from free to about $60. Now that Windows
includes an integral firewall, add-on products might no longer be
necessary, and I don’t think that it’s worth paying for a software
firewall program for Windows. Windows Firewall is good enough, it’s
free, and it’s built in. It’s far
more important that you keep Windows and all of your add-on
applications up-to-date, and use Windows Defender or a third-party
antivirus/antispyware program.
Secure Your Router
If you use a router for your Internet connection and rely on it to provide network protection, you must make it require a secure password. If your router doesn’t require a password, anyone
can connect to it across the Internet and delete the filters you’ve set
up. (As shipped by manufacturers and ISPs, many connection-sharing routers come with no password at all or with a well-known default password such as "admin", although they typically won't accept configuration commands from the Internet, but only from your own network.)
To lock down your router, you have to follow procedures for your specific router. You’ll want to do the following:
Change the router’s
administrative password to a combination of letters, numbers, and
punctuation. Be sure to write it down somewhere, and keep it in a secure
place. (I usually write the password on a sticky label and attach it to
the bottom of the router.)
Change
the SNMP read-only and read-write community names (which are, in
effect, passwords) to a secret word or a very long random string of
random characters; or better yet, follow the next recommendation.
Prohibit write access via SNMP or disable SNMP entirely.
Change all Telnet login passwords, whether administrative or informational.
If you don’t want to
attempt to lock down your router, your ISP should do it for you. If your
ISP supplied your router and you change the password yourself, be sure
to give the new password to your ISP.
Configure Passwords and File Sharing
Windows 7 supports
password-protected and passwordless file sharing. Before I explain this,
I need to give you some background. In the original Windows NT
workgroup network security model, when you attempted to use a network
resource shared by another computer, Windows would see if your username
and password matched an account on that remote computer. One of four
things would happen:
If the
username and password exactly matched an account defined on the remote
computer, you got that user’s privileges on the remote machine for
reading and writing files.
If the username matched but the password didn’t, you were prompted to enter the correct password.
If
the username didn’t match any predefined account, or if you failed to
supply the correct password, you got the privileges accorded to the
Guest account, if the Guest account was enabled.
If the Guest account was disabled—and it usually was—you were denied access.
The problem with this
system is that it required you to create user accounts on each computer
you wanted to reach over the network. Multiply, say, 5 users times 5
computers, and you had 25 user accounts to configure. What a pain!
(People pay big bucks for a Windows Server–based domain network to
eliminate this very hassle.) Because it was so much trouble, people
usually enabled the Guest account.
Windows 7 has a new
feature called the HomeGroup that provides a way around the headaches
of managing lots of user accounts and passwords. When you make a Windows
7 computer a member of a homegroup, it uses a built-in user account
named HomeGroupUser$ when it accesses shared resources on other
computers in the group. The member computers all have this same account
name set up, with the same password (which is derived from the
homegroup’s password in some way), so that all member computers can use
any shared resource. When you share a library, folder, or printer with
the homegroup, Windows gives the user account HomeGroupUser$ permission
to read, or to read and write the files in that folder. It’s a simple,
convenient scheme, but only Windows 7 computers can take advantage of
it.
Note
When you disable Password Protected Sharing, you get what was called Simple File Sharing on Windows XP, but with a twist: On XP, when Simple File Sharing was in effect, every network user accessed shared resources using the Guest account, no matter what username and password they supplied. On Windows 7, if the remote user's username matches an account on the Windows 7 computer and the account has a password set, they'll be able to access the shared resources using that account's privileges. The Guest account is used only when the remote user's account doesn't match one on the Windows 7 computer, or if the matching account has no password. If your computer is a member of a Windows domain network, you cannot disable Password Protected Sharing.
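The two sets of rules above, the original NT workgroup model and the Windows 7 behaviour with Password Protected Sharing on or off, are easy to get wrong when reviewing what a share exposes, so here they are as a small Python model. This is an added illustration of the decision logic as the text describes it, not Windows code; the account table and the probe identities are constructed, and treating a wrong password for a known account as a "prompt" outcome in the Windows 7 case is an assumption carried over from the NT rules.

```python
"""Model of workgroup share authentication as described in the text: the NT
workgroup rules and the Windows 7 rules with Password Protected Sharing on or
off. Added example, not Windows code. ACCOUNTS is constructed; the "prompt"
outcome for a wrong password under Windows 7 is an assumption."""

# Account name -> password on the computer that holds the share ("" = none).
ACCOUNTS = {"alice": "s3cret!", "bob": "", "Guest": ""}


def nt_workgroup(user, password, accounts, guest_enabled):
    """Original NT workgroup rules: one of four outcomes."""
    if user in accounts and user != "Guest":
        if accounts[user] == password:
            return ("user", user)      # that account's read/write rights
        return ("prompt", user)        # name matched, password did not
    if guest_enabled:
        return ("guest", "Guest")
    return ("deny", None)


def windows7(user, password, accounts, password_protected_sharing):
    """Windows 7: a matching account that has a password is always used;
    Guest is reached only when Password Protected Sharing is off."""
    has_pw = user in accounts and user != "Guest" and accounts[user] != ""
    if has_pw:
        return ("user", user) if accounts[user] == password else ("prompt", user)
    if password_protected_sharing:
        return ("deny", None)          # no usable account, no Guest fallback
    return ("guest", "Guest")          # unknown name or blank-password account


def exposure(accounts, password_protected_sharing):
    """Outcome for a few probe identities: a quick review of what turning
    Password Protected Sharing off exposes. Returns [(user, outcome), ...]."""
    probes = [("alice", "s3cret!"), ("alice", "wrong"), ("bob", ""), ("mallory", "x")]
    return [(u, windows7(u, p, accounts, password_protected_sharing)[0]) for u, p in probes]
```

Running `exposure(ACCOUNTS, False)` shows the point of the Note: with Password Protected Sharing off, both the stranger "mallory" and the local account "bob", whose password is blank, land on the Guest account, so whatever Guest can read is readable by anyone who can reach the share.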
On Windows 7,
another way to avoid password headaches is to entirely disable the use
of passwords for network resources. If you disable Password Protected
Sharing, the contents of the Public folder and all other shared folders
are accessible to everyone on the network, even if they don’t have a
user account and password on your computer, and regardless of the
operating system they’re using. This is ideal if you want to share
everything in your Public folder and do not need to set sharing
permissions for individuals.
From a security
perspective, only a few folders are accessible when Password Protected
Sharing is disabled, and although anybody with access to the network can
access them, the damage an intruder can do is limited to stealing or
modifying just the files in a few folders that are known to be public.
If you do disable Password Protected Sharing, it’s crucial
that you have a firewall in place. Otherwise, everyone on the Internet
will have the same rights in your shared folders as you. (That’s one of
the reasons for Windows Firewall, and why Windows is so adamant about
either installing Windows Firewall or disabling file sharing.)
By default, Windows 7
has Password Protected Sharing enabled, which limits access to the
Public folder and all other shared folders to users with a user account
and password on your computer.
If you want to make the
Public folder accessible to everyone on your network without having to
create for each person an account on every computer, you have four
choices:
If you are on a home
or small office network and you have only (or mostly) Windows 7
computers, you can enable the HomeGroup networking feature.
You
can set up accounts for every user on your computer, so that everyone
will access the shared folder using their own account. You’ll need to be
sure that everyone uses the same password on every computer.
You
can create a special user account, for example, named “share,” and give
people you trust the password to this account. Everyone can use this
same username and password to access the shared folder on your computer.
You
can disable Password Protected Sharing. To do this, click Start,
Control Panel, Network and Internet, Network and Sharing Center,
Homegroup and Sharing Options, Advanced Sharing Options. Under Password
Protected Sharing, click Turn Off Password Protected Sharing, and click
Apply.
Set Up Restrictive Access Controls
Possibly
the most important and difficult step you can take is to limit access
to shared files, folders, and printers. You can use the guidelines shown
in Table 2 to help organize a security review of every machine on your network.
Table 2. Restricting Access Controls
| Access Point | Controls |
|---|---|
| File Sharing | Don’t share your computers’ entire hard drives. Share only folders that need to be shared, and, if possible, choose only folders within your Documents folder (for simplicity). Use Password Protected Sharing. |
| Passwords | Set up all accounts to require passwords. You can configure your computers to require long passwords if you want to enforce good internal security. |
| Partitions | If you install IIS and want to make a website or FTP site available to the Internet, set up a separate NTFS partition on your hard drive just for website files. |
| Access Control | Don’t disable User Account Control. In fact, even with UAC in place, it’s best not to use Administrator or any other Computer Administrator account for your day-to-day work. Instead, create a Standard user account for yourself, and type in an Administrator password when you’re prompted to. |
| FTP | If you install a public FTP server, do not let FTP share a FAT-formatted drive or partition, because FAT has no file permissions with which to limit what FTP users can reach. In addition, you must prevent anonymous FTP users from writing to your hard drive. |
| SMTP | If you operate an email server, consider storing incoming mail in a separate partition, so that a flood of mail cannot fill the system drive. Also, you must prohibit “relaying” from outside SMTP servers to outside domains, lest your server be used as a spam relay site. |
| HTTP (Web) | Don’t enable both Script/Execute permission and Write permission on the same folder. Enabling both permissions would permit outside users to upload and then run arbitrary programs on your computer. Manually install any needed scripts or CGI programs. (The FrontPage extensions can publish scripts to protected directories, but they perform strong user authentication before doing so.) |
| SNMP | This network-monitoring option is a useful tool for large networks, but it also poses a security risk. If installed, it could be used to modify your computer’s network settings and, at the very least, will happily reveal the names of all the user accounts on your computer. Don’t install SNMP unless you need it, and if you do, change the “community name” from public to something confidential and difficult to guess. Block SNMP traffic through your Internet connection with filtering. |