Testing, logging, and monitoring involve testing your defense strategies and detecting breaches. It's tedious, but who would you rather have be the first to find out that your system is hackable: you or "them"?
Test Your Defenses
You can't second-guess what 100 million potential "visitors" might do to your computer or network, but you should at least be sure that all your roadblocks stop the traffic you were expecting them to stop.
Some companies hire expert hackers to attempt to break into their networks. You can do this, too, or you can try to be your own hacker. Before you connect to the Internet, and periodically thereafter, try to break into your own system. Find its weaknesses. Your testing steps should include these:
Go through each of your defenses and each of the security policy changes you made, and try each of the things you thought they should prevent.
First, connect to the Internet, visit www.grc.com, and view the ShieldsUP page. (Its author, Steve Gibson, is a very bright guy and has lots of interesting things to say, but be forewarned that some of it is a bit hyperbolic.) This website attempts to connect to Microsoft Networking and TCP/IP services on your computer to see whether any are accessible from the outside world. Click the File Sharing and Common Ports buttons to see whether this testing system exposes any vulnerabilities. Don't worry if the only test your computer fails is the ping test; that just means your computer answers ICMP echo requests, which tells a scanner that a computer is there but gives it nothing to connect to. This is a great tool!
Note
If you're on a corporate network, contact your network manager before trying this. If your company uses intrusion monitoring, this probe might set off alarms and get you in hot water.
As a second test, find
out what your public IP address is. If you use a dial-up connection or
Internet Connection Sharing, go to the computer that actually connects
to the Internet, open a Command Prompt window, and type ipconfig.
Write down the IP address of your actual Internet connection (this
number will change every time you dial in, by the way). If you use a
sharing router, you need to get the actual IP address from your router’s
Status page—your computer won’t know. Or, try whatismyipaddress.com (no joke!).
Then enlist the help of a friend or go to a computer that is not on your site but out on the Internet. Open Windows Explorer (not Internet Explorer) and, in the Address box, type \\1.2.3.4, but in place of 1.2.3.4,
type the IP address that you recorded earlier. This attempts to connect
to your computer for file sharing. You should not be able to see any
shared folders, and you shouldn’t even be prompted for a username and/or
password. If you have more than one public IP address, test all of them.
When you use Windows Explorer to try to view your computer from outside on the Internet and you are prompted for a username and password, or shared folders are visible, Microsoft file sharing services are being exposed to the Internet. If you have a shared connection to the Internet, you need to enable Windows Firewall or enable filtering on your Internet connection. At the very least, you must block TCP and UDP ports 137–139 and 445. Don't leave this unfixed. If you have several computers connected to a cable modem with just a hub and no connection-sharing router.
If you have installed a web or FTP server, attempt to view any protected pages without using the correct username or password. With FTP, try using the login name anonymous and the password guest. Try to copy files to the FTP site while connected as anonymous—you shouldn’t be able to.
When you access your self-hosted website from the Internet using a web browser or anonymous FTP and can view folders that you thought were private and protected, first be sure that the shared folders are not on a FAT-formatted disk partition. FAT disks don't support user-level file protection; share only folders from NTFS-formatted disks. Then check the folder's NTFS permissions to be sure that anonymous access is not permitted. Locate the folders in Windows Explorer on the computer running IIS, open the folder's Properties dialog, and view the Security tab. Be sure that none of the following users or groups is granted access to the folder: Everyone, IUSR_XXXX (where XXXX is your computer name; this is the anonymous account used by IIS 6 and earlier), IUSR, or IIS_IUSRS (the anonymous account and worker-process group used by IIS 7 and later). On the folders you wish to protect, grant read and write privileges only to authorized users. In the IIS management console, you can also explicitly disable anonymous access to the website or to a specific folder.
Use network-testing utilities to attempt to connect to any of the network services you think you have blocked, such as SNMP.
If you can connect to your computer across the Internet with remote administration tools such as the Registry editor, with SNMP viewers, or with other tools that use network services, those network services are not being blocked. Look up the protocol type (for example, UDP or TCP) and port numbers of the unblocked services, and configure filters in your router to block them. Your ISP might be able to help you with this problem. You also might have disabled Windows Firewall by mistake.
Attempt to use Telnet to connect to your router, if you have one. Run this test from a computer outside your network; from the LAN side, most routers are expected to answer on their administration interface, so an answer there proves nothing. If you are prompted for a login, try the factory default login name and password listed in the router's manual. If you've blocked Telnet with a packet filter setting, you should not be prompted for a password. If you are prompted, be sure the factory default password does not work, because you should have changed it.
Port-scanning tools are available to perform many of these tests automatically. For an example, see the ShieldsUP web page at www.grc.com. I caution you to use this sort of tool in addition to, not instead of, the other tests I listed here.
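The file sharing, FTP, SNMP and Telnet checks above all come down to one question: from a computer outside your network, does a connection to a port you believe is blocked complete or not? The following script, added here as an example and not part of the original chapter, answers that for a list of TCP ports from an outside host. The port list, service labels and the script name are my assumptions; UDP services such as SNMP (161) and the NetBIOS name and datagram services (137, 138) cannot be checked with a TCP connect and need a UDP scanner (for example, nmap -sU). The local_demo() function is an offline demonstration against the loopback address, so the logic can be exercised without touching the Internet.

```python
"""Probe, from a machine outside your network, whether the services you
believe you have blocked really are unreachable. Added example, not part
of the original chapter; the port list and labels are assumptions."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP services the chapter tells you to test. SNMP (UDP 161) and the
# NetBIOS name/datagram services (UDP 137/138) cannot be checked with a
# TCP connect; use a UDP scanner (for example, nmap -sU) for those.
DEFAULT_PORTS = {
    21: "FTP",
    23: "Telnet (router administration)",
    80: "HTTP",
    135: "RPC endpoint mapper",
    139: "NetBIOS session (file sharing)",
    445: "SMB (file sharing)",
    3389: "Remote Desktop",
}


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes.

    A refused connection means the host answered but nothing is listening;
    a timeout usually means a packet filter silently dropped the SYN.
    Both count as 'not exposed' for the purposes of the tests above."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError and socket.timeout are OSError subclasses
        return False


def scan_host(host, ports=None, timeout=2.0, workers=16):
    """Check every port concurrently and return {port: reachable?}."""
    ports = list(DEFAULT_PORTS if ports is None else ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        reachable = list(pool.map(lambda p: tcp_port_open(host, p, timeout), ports))
    return dict(zip(ports, reachable))


def exposed_services(host, ports=None, timeout=2.0):
    """Return [(port, label)] for ports that answered; an empty list is the goal."""
    results = scan_host(host, ports, timeout)
    return [(p, DEFAULT_PORTS.get(p, "unknown"))
            for p, up in sorted(results.items()) if up]


def local_demo():
    """Offline demonstration: open one listener on the loopback address and
    scan it plus a port known to be closed. Returns (open_seen, closed_seen),
    which should be (True, False)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens on closed_port now
    try:
        results = scan_host("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    # Usage from an outside host (hypothetical address): python probe.py 203.0.113.5
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("local demo (open, closed):", local_demo())
    else:
        found = exposed_services(target)
        for port, label in found:
            print(f"EXPOSED: tcp/{port} {label}")
        if not found:
            print(f"{target}: none of the tested TCP ports are reachable")
```

Run it with your public IP address as the argument from a friend's computer or another site, never from inside your own LAN, because a connection-sharing router answers its own LAN clients differently from the Internet. A result of "none of the tested TCP ports are reachable" is what you want; any EXPOSED line is a port you must filter before leaving the computer connected.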
Monitor Suspicious Activity
If you use Windows
Firewall, you can configure it to keep a record of rejected connection
attempts. Log on using a Computer Administrator–type account. Choose
Start, All Programs, Administrative Tools, Windows Firewall with
Advanced Security. In the left pane, right-click Windows Firewall with
Advanced Security and select Properties. Select one of the available
profile tabs (Private Profile, in most cases) and click the Customize
button within the Logging area to get to the window shown in Figure 1. Enable logging of dropped packets. You can enable this setting for all profiles if you wish.
Inspect the log file periodically by viewing it with Notepad. By default it is written to %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log; the path and the size limit are set in the same Customize dialog.
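Reading a firewall log in Notepad stops being practical once it holds a few thousand lines, and what you actually want to know is which outside addresses keep knocking and which ports they try. The script below is an added example, not part of the original chapter: it parses the W3C extended format that Windows Firewall writes (field order taken from the #Fields: header line), counts dropped inbound packets by source address and destination port, and flags sources that probed several different ports, which is what a scan looks like in this log. The sample log text is constructed for the example, not a real capture.

```python
"""Summarize dropped inbound connections from a Windows Firewall log
(pfirewall.log). Added example; the sample log below is constructed."""
from collections import Counter, defaultdict
import sys

# Constructed sample in the W3C extended format Windows Firewall writes.
# "-" marks a field that does not apply to that packet (no ports for ICMP,
# no TCP flags for UDP). Field order comes from the #Fields: header.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-06-12 10:22:01 DROP TCP 203.0.113.45 192.168.1.10 52314 445 48 S 1234567 0 8192 - - - RECEIVE
2009-06-12 10:22:01 DROP TCP 203.0.113.45 192.168.1.10 52315 139 48 S 1234568 0 8192 - - - RECEIVE
2009-06-12 10:22:02 DROP TCP 203.0.113.45 192.168.1.10 52316 135 48 S 1234569 0 8192 - - - RECEIVE
2009-06-12 10:22:02 DROP TCP 203.0.113.45 192.168.1.10 52317 3389 48 S 1234570 0 8192 - - - RECEIVE
2009-06-12 10:23:10 DROP UDP 198.51.100.7 192.168.1.10 1029 137 78 - - - - - - - RECEIVE
2009-06-12 10:24:55 DROP TCP 198.51.100.7 192.168.1.10 40111 445 48 S 22334455 0 65535 - - - RECEIVE
2009-06-12 10:25:00 ALLOW TCP 192.168.1.10 93.184.216.34 49233 80 0 - 0 0 0 - - - SEND
2009-06-12 10:26:31 DROP ICMP 203.0.113.99 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other header lines (version, software, time format)
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or partially written line; skip it
        yield dict(zip(fields, parts))


def dropped_inbound(entries):
    """Only packets the firewall rejected on the way in; ALLOW and SEND are noise here."""
    return [e for e in entries if e["action"] == "DROP" and e["path"] == "RECEIVE"]


def summarize(entries):
    """Return (drops per source address, drops per (protocol, destination port))."""
    drops = dropped_inbound(entries)
    by_source = Counter(e["src-ip"] for e in drops)
    by_port = Counter((e["protocol"], e["dst-port"]) for e in drops if e["dst-port"] != "-")
    return by_source, by_port


def probable_scans(entries, min_ports=3):
    """Sources whose drops touched at least min_ports distinct destination ports."""
    ports_by_source = defaultdict(set)
    for e in dropped_inbound(entries):
        if e["dst-port"] != "-":
            ports_by_source[e["src-ip"]].add((e["protocol"], int(e["dst-port"])))
    return {src: sorted(p for _, p in ports)
            for src, ports in ports_by_source.items() if len(ports) >= min_ports}


def report(text):
    entries = list(parse_firewall_log(text))
    by_source, by_port = summarize(entries)
    print("Top sources of dropped inbound packets:")
    for src, n in by_source.most_common(10):
        print(f"  {src:16} {n}")
    print("Top targeted ports:")
    for (proto, port), n in by_port.most_common(10):
        print(f"  {proto}/{port:6} {n}")
    for src, ports in probable_scans(entries).items():
        print(f"Probable scan from {src}: ports {ports}")


if __name__ == "__main__":
    # Usage: python fwlog.py C:\Windows\System32\LogFiles\Firewall\pfirewall.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report(fh.read())
    else:
        report(SAMPLE_LOG)
```

Run without arguments to see the constructed sample analyzed; with the path to pfirewall.log it reports on the real file. The parser reads the field names from the header rather than hard-coding column positions, so it survives the minor field differences between Windows versions, and it skips lines with the wrong field count, which happens when you read a log the firewall is still writing.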
Note
If you use a dial-up connection, the firewall log is less useful. It will accrue lots of entries caused by packets left over from connections made by the dial-up customer who had your temporary IP address before you got it. They'll continue to arrive for a while, just as junk mail does after a tenant moves out.