Runsafe:Nullify Unneeded Risks
Whether by operator mistakes, attempts at making computers easy to use, or encouraging open access, our computer's software sometimes grants more access to our computers than is needed. We can decrease risk by eliminating unneeded access to our computers.
- Microsoft file sharing is often misconfigured. If you don't need Microsoft file sharing, disable it. If you only mean to share files in your MP3 or PICS directories, don't share your entire C: drive. Otherwise, your entire computer can be completely controlled (or erased) by someone else, or a virus, in short order. Click here for details.
- The same applies for Appleshare and NFS services. Limit shares to folders you create. Don't share your entire hard drive.
- It is very important that strong passwords be assigned to Windows NT, 2000, and XP Professional Administrator privileged accounts. These systems automatically create several shared resources when they are started. These shares are hidden (because they end with the dollar sign character:$) and computer operators may not be aware of them or their associated risks. Using these resources, a privileged account can remotely access the entire hard drive of a computer. If the privileged account's password is weak or nonexistent, this could lead to a total compromise of the computer. Accounts with access
to these shares include:
- Administrator account on NT, 2000, and XP Professional.
- Any member of the Administrator and Backup Operator groups on 2000 professional
- Any member of the Server operator group on 2000 server
- When creating users in Windows XP setup, all users are created with administrative privileges and no password by default. All such accounts will have remote access to the hidden shares on Windows XP Professional machines (Windows XP Home machines don't enable the hidden shares by default). On either system, you must set a password for each user and, in most cases, should remove them from the administrators group. See password setting instructions and Microsoft KnowledgeBase article Q293834.
- Operators can prevent Administrator accounts from accessing the machine from the network by removing the "Access this machine from the network" right from these accounts using the User Manager (NT) or Local Security Policies (2000) configuration tools.
- Advanced operators can partially remove the capability for anonymous network operators to gain a list of the accounts and resources existing on NT and 2000 machines by editing the registry following the procedures described in Microsoft Knowledgebase article Q143474.
- Providing shared space on your computer that others are allowed to write to exposes you to the risk of having illegal or inappropriate material stored on your computer. See below.
Nullify Risks From Unneeded Account Privileges
Use the NT/2000/XP Administrator/PowerUser and unix root accounts only when needed for system maintenance. Use a normal user account for all other activities particularly browsing the web and reading email.
Nullify Risks From Unneeded Code Entry Points
- Do not exchange executable email attachments as it promotes unsafe practices. If you need to distribute executables, do so on a web or read-only file server. If you need to collect executables, do so from a web server submission or write-only file server... preferably one where the user is authenticated. Be aware of the risks associated with anonymous, public storage.
Nullify Risks From Unneeded Network Access
- If you don't need all the services installed and started by the default Linux installation, disable them in the inetd.conf and rc startup configuration files.
- Limit unwanted network communications with a firewall. If your computer is only used to communicate in certain ways, the consequences of mistakes or defects can be decreased by disabling other, unnecessary communication channels. One way this can be done is through desktop firewalls. Windows 2000, XP, and 2003 come with firewall functionality built-in. In the form of Internet Connection Firewall for Windows XP and 2003 and IPSEC filtering in 2000. Other Windows operators have many commercial and no-cost choices. ZoneAlarm, by ZoneLabs, is free for personal or non-profit use but they specifically exclude educational institutions from this offer. You can, however, use it on a personal computer at home. Keep in mind that all desktop firewalls are vulnerable to locally run code. Some viruses disable them. Linux operators can take advantage of the built in ipchains or iptables facilities. More information on personal firewalls.
- It is very useful to know what programs on our computers listen on the network for other computers to connect to them. In effect, it tells us what doors are open. Two tools useful for checking what programs are listening on what network ports are FPort (Windows) and lsof (unix). The linux command "netstat -anp" will also provide this information. On Windows XP systems, the netstat -o command will show the process ID of listening processes which can then be cross-referenced with the Task Manager to find the program.
Nullify Risks From Unneeded Access to Data in Transit
While we may have control over our own computer's security, we have very little or no control over the security of the path our data may take. As traffic traverses the network, it may pass over and through communications lines and systems which are compromised or poorly maintained. That network traffic may contain passwords and other critical data. To protect the data while it is in transit it should be encrypted.
- At a minimum encourage the encryption of authentication conversations using such technology as SSL, SSH, IMAP, SMTP, POP, and appropriate settings on clients like PC-Anywhere.
- Encourage the encryption of entire sessions when critical data is involved again using technology such as SSL and SSH.
- IPSEC based Virtual Private Networks (VPN) can provide another layer of access control and encryption.
- Do not type sensitive information into untrusted or public computers.
- <a href="http://www.jmu.edu/computing/security/info/wireless.shtml">Follow wireless usage and setup best practices</a>.
Nullify Risks of Anonymous, Public Storage.
Avoid using or providing shares and servers that allow public storage by anonymous users. Anonymous FTP servers and Microsoft shares that can be written to and shared by anonymous users are easily found and often abused. They can be, and often are, used by others to store illegal materials such as child pornography and pirated software. If the materials are found on your computer....
Another risk associated with these depots is that someone may modify material placed there by others. The original poster of the file may be blamed for something that was later modified and/or the recipients may suffer loss through incorrect information or malicious software.
Finally, in today's environment there are many viruses that look for and spread to open shares. On any large network, there are likely to be a few computers infected with one of these viruses. It is highly likely that any open share on the NCSU network will have virus files placed in it by these infected computers. Some of these viruses are tricky. They place themselves in existing files or name themselves in such a way that it is not obvious they are malicious. If you absolutely must offer anonymous storage, take the following steps:
- Post warnings that the service is completely unsecured and that all materials may be tampered with, lost, or may consist of inappropriate or illegal materials.
- Limit the amount of space that can be used through disk quotas or by putting the shared space on a separate partition.
- Restrict access to the service by IP address when possible.
- Monitor the use of the service to assure yourself that your computer is not being used to store illegal materials and that other users of your service are not being exposed to these materials or malicious software.
- Do not allow others to download material from the upload area. Have a responsible party examine the material and move it to a separate, read-only, download area once the material is deemed appropriate. Note that this imposes a certain amount of responsibility, and probably liability, on this person.
- Search for better ways to provide the service
If you absolutely must use anonymous storage, take the following steps:
- Make sure your anti-virus software is up to date.
- Do not place materials in anonymously accessible shared space that you don't want made public or modified.
- Be aware that anything you download from such space could have been modified by anyone and treat the material accordingly.
- Never, ever double-click a file stored in such space to open it. Instead, open the application associated with the file (Word, Excel, Netscape, Winamp, etc.) and then use the application's File->Open menu to open the file.
- Search for better service providers that don't expose you to these risks
Additional information for anonymous FTP servers from Carnegie Mellon's CERT:
Disable Music and Peer File Sharing Services
Running most music sharing programs opens doors on your computer that can be accessed by anyone via the network. There are both security and appropriate use issues related to this.
- A defect may be discovered and exploited in a sharing server just as they are regularly discovered and exploited in web and other servers to take over the machine.
- Distributing copyright protected materials and illegal materials such as child pornography.
- Viruses and other malicious software are increasingly using peer to peer networks to spread and show up in share lists using innocuous names.
- Having your server become so popular that incoming requests result in overuse of outgoing bandwidth. These types of servers make up a large percentage of outgoing traffic on the NCSU Internet connections and impact academic traffic performance and budget.
The University of Chicago has published instructions for disabling common music and peer sharing services. You will still be able to download music and other files but others will not be able to connect to your computer...thus nullifying unneeded risk.
Follow Best Practices Guidelines
Systems providing services over the network (web servers, ftp servers, etc.) should have their configurations tightened to decrease unnecessary access. For example, the services should run under restricted user IDs, be restricted to specific directories, and be very limited in the external programs and system services they are able to access. This type of work is generally best performed by a technician experienced with the particular services and platform being used.
- Center for Internet Security Benchmarks (covers windows, linux, max osx, solaris, hpux, aix, oracle, apache)
- NSA Security Configuration Guides
- Guidelines on Securing Public Web Servers (PDF-National Institute of Standards and Technology)
- Apache Configuration Guidelines (Apache)
- Consider installing and configuring modsecurity on computers running the apache web server.
- Unix Security Checklist from Carnegie Mellon CERT (also includes web, ftp, and other services)
- Anonymous FTP on Unix Configuration Guidelines (CERT)
General web development:
- Open Web Applications Security Project (OWASP)
- SQL Injection White Paper
- CERT's "Understanding Malicious Content Mitigation for Web Developers"
- Microsoft's "HOWTO: Prevent Cross-Site Scripting Security Issues"
- Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
- PHP Security Consortium
- Secure Programming in PHP
- Use Microsoft's Baseline Security Analyzer tool to check Windows NT, 2000, XP, and 2003 systems for updates and best practices configuration recommendations when the computer:
- Is used to access accounts with elevated privileges.
- Runs remotely accessible services such as web, database, or file shares.
- Microsoft NT, 2000, and IIS Baseline Security Recommendations (Microsoft)
- Microsoft Peer File Sharing Issues
- Microsoft Access Database Security FAQ (Microsoft)
- Microsoft SQL Server
- Use the IIS Lockdown Tool on NT, 2000, and XP computers to disable unneeded access and oft-exploited functionality on IIS Web servers that may be running.
- Microsoft Shared Computer Toolkit for Windows XP