Difference between revisions of "Runsafe:Nullify Unneeded Risks"

From WolfTech
Jump to navigation Jump to search
m
 
(15 intermediate revisions by one other user not shown)
Line 6: Line 6:
 
==Nullify Risks From Unneeded Access to Shared Data and Folders==
 
==Nullify Risks From Unneeded Access to Shared Data and Folders==
 
<ul>
 
<ul>
  <li>Microsoft file sharing is often misconfigured. If you don't need Microsoft file sharing, disable it. If you only mean to share files
+
<li>Microsoft file sharing is often misconfigured. If you don't need Microsoft file sharing, disable it. If you only mean to share files in your MP3 or PICS directories, don't share your entire C: drive. Otherwise, your entire computer can be completely controlled (or erased) by someone else, or a virus, in short order. [[Runsafe:Microsoft_Windows_File_Sharing_Risks| Click here for details]].</li>
in your MP3 or PICS directories, don't share your entire C:
+
<li>The same applies for Appleshare and NFS services. Limit shares to folders you create. Don't share your entire hard drive.</li>
drive. Otherwise, your entire computer can be completely controlled (or erased) by
+
<li>It is very important that strong passwords be assigned to Windows NT, 2000, and XP Professional Administrator privileged    accounts. These systems automatically create several shared resources when they are started. These shares are hidden (because they end with the dollar sign character:$) and computer operators may not be aware of them or their associated risks. Using these resources, a privileged account can <b> remotely</b> access the entire hard drive of a computer. If the privileged account's password is weak or nonexistent, this could lead to a total compromise of the computer. Accounts with access
someone else, or a virus, in short order.
 
[http://www.jmu.edu/computing/security/info/msfileshar.shtml Click here for details].</li>
 
  <li>The
 
same applies for Appleshare and NFS services. Limit shares to folders you create. Don't
 
share your entire hard drive.</li>
 
  <li>It is very important that <a href="safeguard.shtml#choose">strong
 
    passwords</a> be assigned to Windows NT, 2000, and XP Professional Administrator privileged
 
     accounts. These systems automatically create several shared resources
 
when they are started. These shares are hidden (because they end with the
 
dollar sign character:$) and computer operators may not be aware of them or
 
their associated risks. Using these resources, a privileged account can <b> remotely</b>
 
 
 
access the entire hard drive of a computer. If the privileged account's password
 
is weak or nonexistent, this could lead to a total compromise of the computer. Accounts with access
 
 
to these shares include:
 
to these shares include:
 
 
<ul>
 
<ul>
  <li>Administrator account on NT, 2000, and XP Professional.</li>
+
<li>Administrator account on NT, 2000, and XP Professional.</li>
  <li>Any member of the Administrator and Backup Operator groups on 2000
+
<li>Any member of the Administrator and Backup Operator groups on 2000 professional</li>
    professional</li>
+
<li>Any member of the Server operator group on 2000 server</li>
  <li>Any member of the Server operator group on 2000 server</li>
 
 
</ul>
 
</ul>
 
</li>
 
</li>
  <li>When creating users in Windows XP setup, all users are created with administrative privileges and no password by                            default. All such accounts will have
+
<li>When creating users in Windows XP setup, all users are created with administrative privileges and no password by                            default. All such accounts will have <b>remote</b> access to the hidden shares on Windows XP Professional                            machines (Windows XP Home machines don't enable the hidden shares by default). On either system, you must set a                            password for each user and, in most cases, should remove them from the administrators group. See [[Runsafe:Microsoft_Windows_File_Sharing_Risks| password setting instructions]] and [http://support.microsoft.com/default.aspx?scid=kb;EN-US;q293834 Microsoft KnowledgeBase article Q293834].</li>
    <b>remote</b> access to the hidden shares on Windows XP Professional                            machines (Windows XP Home machines don't enable the hidden shares by default).
+
<li>Operators can prevent Administrator accounts from accessing the machine from the network by removing the &quot;Access this machine from the network&quot; right from these accounts using the User Manager (NT) or Local Security Policies (2000) configuration tools.</li>
    On either system, you must set a                            password for each user and, in most cases, should remove them from the administrators group. See
+
<li>Advanced operators can partially remove the capability for anonymous network operators to gain a list of the accounts and resources existing on NT and 2000 machines by editing the registry following the procedures described in [http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP Microsoft Knowledgebase article Q143474].</li>
  <a href="http://www.jmu.edu/computing/security/info/msfileshar.shtml">password  
+
<li>Providing shared space on your computer that others are allowed to write to exposes you to the risk of having illegal or inappropriate material stored on your computer. See below.</li>
  setting instructions</a> and
 
    <a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;q293834">                            Microsoft KnowledgeBase article
 
    Q293834</a>.&nbsp;</li>
 
 
 
  <li>Operators can prevent Administrator accounts from accessing the machine
 
    from the network by removing the &quot;Access this machine from the
 
    network&quot; right from these accounts using the User Manager (NT) or Local
 
    Security Policies (2000) configuration tools.</li>
 
  <li>Advanced operators can partially remove the capability for anonymous network
 
    operators to gain a list of the accounts and resources existing on NT and 2000 machines by
 
    editing the registry following the procedures described in <a href="http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP"> Microsoft
 
    Knowledgebase article Q143474.</a></li>
 
  <li>Providing shared space on your computer that others are allowed to write
 
    to exposes you to the risk of having illegal or inappropriate material
 
    stored on your computer. See <a href="#write">below</a>.</li>
 
 
</ul>
 
</ul>
 
==Nullify Risks From Unneeded Account Privileges==
 
==Nullify Risks From Unneeded Account Privileges==
<p>Use the NT/2000/XP Administrator/PowerUser and unix root accounts only when needed for
+
Use the NT/2000/XP Administrator/PowerUser and unix root accounts only when needed for system maintenance. Use a normal user account for all other activities particularly browsing the web and reading email.
system maintenance. Use a normal user account for all other activities
 
particularly browsing the web and reading email.</p>
 
 
==Nullify Risks From Unneeded Code Entry Points==
 
==Nullify Risks From Unneeded Code Entry Points==
<ul>
+
*If you don't need the functionality provided by ActiveX, JavaScript, and Java in your browser and email reader, disable or restrict it.
  <li>If you don't need the functionality provided by ActiveX, JavaScript, and Java
+
*Do not exchange executable email attachments as it promotes unsafe practices. If you need to distribute executables, do so on a web or read-only file server. If you need to collect executables, do so from a web server submission or write-only file server... preferably one where the user is authenticated. Be aware of the risks associated with anonymous, public storage.
in your browser and email reader, <a href="http://www.jmu.edu/computing/info-security/engineering/issues/apps/appsec.shtml">disable or
 
restrict it</a>.</li>
 
  <li>Do not exchange executable email attachments as it promotes unsafe
 
    practices. If you need to distribute executables, do so on a web or
 
    read-only file server. If you need to collect executables, do so from a web
 
    server submission or write-only file server...preferably one where the user
 
    is authenticated. <a href="#write">Be aware of the risks associated with
 
    anonymous, public storage.</a></li>
 
</ul>
 
  
 
==Nullify Risks From Unneeded Network Access==
 
==Nullify Risks From Unneeded Network Access==
 
<ul>
 
<ul>
 
   <li>If you don't need all the services installed and started by the default Linux
 
   <li>If you don't need all the services installed and started by the default Linux
installation,
+
installation, [http://www.tldp.org/HOWTO/Security-HOWTO/network-security.html#AEN828 disable them in the inetd.conf and rc startup configuration files].</li>
  <a href="http://www.tldp.org/HOWTO/Security-HOWTO/network-security.html#AEN828">disable them in the inetd.conf and rc startup configuration
+
   <li>Limit unwanted network communications with a firewall. If your computer is only used to communicate in certain ways,
    files</a>.</li>
+
the consequences of mistakes or defects can be decreased by disabling other, unnecessary communication channels. One way this can be done is through desktop firewalls. Windows 2000, XP, and 2003 come with firewall functionality built-in. In the form of Internet Connection Firewall for Windows XP and 2003 and IPSEC filtering in 2000. Other Windows operators have many commercial and no-cost choices. ZoneAlarm, by [http://www.zonelabs.com ZoneLabs], is free for personal or non-profit use but they specifically exclude educational institutions from this offer. You can, however, use it on a personal computer at home. Keep in mind that <b>all desktop firewalls are vulnerable to locally run code</b>. Some viruses disable them. Linux operators can take advantage of the built in [http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html ipchains] or [http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html iptables] facilities. [[Personal_Firewalls| More information on personal firewalls]].</li>
   <li> Limit unwanted network communications with a firewall. If your computer is only used to communicate in certain ways,
 
the consequences of mistakes or defects can be decreased by disabling other, unnecessary
 
    communication channels. One
 
way this can be done is through desktop firewalls. Windows 2000, XP, and 2003 come with
 
    firewall functionality built-in. In the form of Internet Connection
 
    Firewall for Windows XP and 2003 and IPSEC filtering in 2000.
 
  <a href="http://www.jmu.edu/computing/security/startsafe.shtml">See the
 
  StartSafe for Windows page for enabling instructions</a>. Other Windows operators have many commercial and no-cost choices. ZoneAlarm, by  
 
<a href="http://www.zonelabs.com">ZoneLabs</a>, is free for personal or non-profit use but they specifically exclude educational institutions from this offer.
 
    You can, however, use it on a personal computer at home.
 
    Keep in mind that <b>all desktop firewalls are vulnerable to locally run
 
    code</b>. Some
 
    viruses disable them. Linux operators can take advantage of the built in
 
    <a href="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html"> ipchains</a> or
 
    <a href="http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html"> iptables</a>
 
 
 
    facilities. <a href="http://www.jmu.edu/computing/security/info/pfw.shtml">
 
  More information on personal firewalls</a>.</li>
 
 
   <li> It is very useful to know what programs on our computers listen on the
 
   <li> It is very useful to know what programs on our computers listen on the
 
     network for other computers to connect to them. In effect, it tells us what
 
     network for other computers to connect to them. In effect, it tells us what
 
     doors are open. Two tools useful for checking what programs are listening on what
 
     doors are open. Two tools useful for checking what programs are listening on what
     network ports are
+
     network ports are [http://www.foundstone.com/resources/proddesc/fport.htm FPort] (Windows) and lsof (unix). The linux command &quot;netstat -anp&quot; will also provide this information. On Windows XP systems, the netstat -o command will show the process ID of listening processes which can then be cross-referenced with the Task Manager to find the program.</li>
  <a href="http://www.foundstone.com/resources/proddesc/fport.htm">FPort</a>
+
</ul>
    (Windows) and lsof (unix). The linux command &quot;netstat -anp&quot; will
 
    also provide this information. On Windows XP systems, the netstat -o command
 
    will show the process ID of listening processes which can then be
 
    cross-referenced with the Task Manager to find the program.</li>
 
  
</ul>
 
 
==Nullify Risks From Unneeded Access to Data in Transit==
 
==Nullify Risks From Unneeded Access to Data in Transit==
<p>While we may have control over our own computer's security, we have very
+
While we may have control over our own computer's security, we have very little or no control over the security of the path our data may take. As traffic traverses the network, it may pass over and through communications lines and systems which are compromised or poorly maintained. That network traffic may contain passwords and other critical data. To protect the data while it is in transit it should be encrypted.
little or no control over the security of the path our data may take. As traffic
 
traverses the network, it may pass over and through communications lines and systems
 
which are compromised or poorly maintained. That network traffic may
 
contain passwords and other critical data. To protect the data while it is in
 
transit it should be encrypted.
 
<ul>
 
  <li>At a minimum encourage the encryption of authentication conversations
 
    using such technology as SSL, SSH, IMAP, SMTP, POP, and appropriate settings on clients like
 
    PC-Anywhere.</li>
 
  <li>Encourage the encryption of entire sessions when critical data is involved
 
    again using technology such as SSL and SSH.</li>
 
  <li> IPSEC based Virtual Private
 
    Networks (VPN) can provide another layer of access control and encryption.</li>
 
  <li>Do not type sensitive information into untrusted or public computers.</li>
 
  
  <li><a href="http://www.jmu.edu/computing/security/info/wireless.shtml">Follow  
+
*At a minimum encourage the encryption of authentication conversations using such technology as SSL, SSH, IMAP, SMTP, POP, and appropriate settings on clients like PC-Anywhere.
  wireless usage and setup best practices</a>.</li>
+
*Encourage the encryption of entire sessions when critical data is involved again using technology such as SSL and SSH.
</ul>
+
*IPSEC based Virtual Private Networks (VPN) can provide another layer of access control and encryption.
 +
*Do not type sensitive information into untrusted or public computers.
 +
*<a href="http://www.jmu.edu/computing/security/info/wireless.shtml">Follow wireless usage and setup best practices</a>.
  
 
==Nullify Risks of Anonymous, Public Storage.==
 
==Nullify Risks of Anonymous, Public Storage.==
<p>Avoid using or providing shares and servers that allow
+
Avoid using or providing shares and servers that allow public storage by anonymous users. Anonymous FTP servers and Microsoft shares that can be written to and shared by anonymous users are easily found and often abused. They can be, and often are, used by others to store illegal materials such as child pornography and pirated software. If the materials are found on your computer....
public storage by anonymous users.<p>Anonymous FTP servers and Microsoft shares  
+
 
that can be written to and shared by anonymous users are easily found and often  
+
Another risk associated with these depots is that someone may modify material placed there by others. The original poster of the file may be blamed for something that was later modified and/or the recipients may suffer loss through incorrect information or malicious software.<p>Finally, in today's environment there are many viruses that look for and spread to open shares. On any large network, there are likely to be a few computers infected with one of these viruses. It is highly likely that any open share on the NCSU network will have virus files placed in it by these infected computers. Some of these viruses are tricky. They place themselves in existing files or name themselves in such a way that it is not obvious they are malicious.
abused. They can be, and often are, used by others to store illegal materials  
+
 
such as child pornography and pirated software. If the materials are found on  
+
If you absolutely must offer anonymous storage, take the following steps:
your computer....<p>Another risk associated with these depots is that someone may
 
modify material placed there by others. The original poster of the file may be
 
blamed for something that was later modified and/or the recipients may suffer
 
loss through incorrect information or malicious software.<p>Finally, in today's
 
environment there are many viruses that look for and spread to open shares. On
 
any large network, there are likely to be a few computers infected with one of
 
these viruses. It is highly likely that any open share on the JMU network will
 
have virus files placed in it by these infected computers. Some of these viruses
 
are tricky. They place themselves in existing files or name themselves in such a
 
way that it is not obvious they are malicious.<p>If you absolutely must
 
offer anonymous storage, take the following steps:
 
 
<ul>
 
<ul>
 
   <li>Post warnings that the service is completely unsecured and that all
 
   <li>Post warnings that the service is completely unsecured and that all
Line 159: Line 71:
 
   <li>Search for better ways to provide the service</li>
 
   <li>Search for better ways to provide the service</li>
 
</ul>
 
</ul>
<p>If you absolutely must use anonymous storage, take the following steps:</p>
+
 
 +
If you absolutely must use anonymous storage, take the following steps:
 
<ul>
 
<ul>
 
   <li>Make sure your anti-virus software is up to date.</li>
 
   <li>Make sure your anti-virus software is up to date.</li>
Line 172: Line 85:
 
   <li>Search for better service providers that don't expose you to these risks</li>
 
   <li>Search for better service providers that don't expose you to these risks</li>
 
</ul>
 
</ul>
<p>Additional information for anonymous FTP servers from Carnegie Mellon's CERT:</p>
 
<ul>
 
  
  <li><a href="http://www.cert.org/tech_tips/anonymous_ftp_abuses.html">http://www.cert.org/tech_tips/anonymous_ftp_abuses.html</a></li>
+
Additional information for anonymous FTP servers from Carnegie Mellon's CERT:
  <li><a href="http://www.cert.org/tech_tips/anonymous_ftp_config.html">http://www.cert.org/tech_tips/anonymous_ftp_config.html</a></li>
+
*http://www.cert.org/tech_tips/anonymous_ftp_abuses.html
  <li><a href="http://www.cert.org/tech_tips/usc20_full.html#10.0">http://www.cert.org/tech_tips/usc20_full.html#10.0</a></li>
+
*http://www.cert.org/tech_tips/anonymous_ftp_config.html
</ul>
+
*http://www.cert.org/tech_tips/usc20_full.html#10.0
 +
 
 
==Disable Music and Peer File Sharing Services==
 
==Disable Music and Peer File Sharing Services==
<p>Running most music sharing programs  
+
Running most music sharing programs [[Personal Firewalls| opens doors on your computer]] that can be accessed by anyone via the network. There are both security and appropriate use issues related to this.
<a href="http://www.jmu.edu/computing/security/info/pfw.shtml#comms">opens doors  
+
 
on your computer</a> that can be accessed by anyone via the network.
+
*A defect may be discovered and exploited in a sharing server just as they are regularly discovered and exploited in web and other servers to take over the machine.
There are both security and appropriate use issues related to this.</p>
+
*Distributing copyright protected materials and illegal materials such as child pornography.
 +
*Viruses and other malicious software are increasingly using peer to peer networks to spread and show up in share lists using innocuous names.
 +
*Having your server become so popular that incoming requests result in overuse of outgoing bandwidth. These types of servers make up a large percentage of outgoing traffic on the NCSU Internet connections and impact academic traffic performance and budget.
  
<ul>
+
The University of Chicago has published [http://security.uchicago.edu/peer-to-peer/no_fileshare.shtml instructions for disabling common music and peer sharing services]. You will still be able to download music and other files but others will not be able to connect to your computer...thus nullifying unneeded risk.
  <li>A defect may be discovered and exploited in a sharing server just as they
 
    are regularly discovered and exploited in web and other servers to take over the machine.</li>
 
  <li>Distributing copyright protected materials and illegal materials such as
 
    child pornography.</li>
 
  <li>Viruses and other malicious software are increasingly using peer
 
  to peer networks to spread and show up in share lists using innocuous names.</li>
 
  <li>Having your server become so popular that incoming requests result in
 
    overuse of outgoing bandwidth. These types of servers make up a large
 
    percentage of outgoing traffic on the JMU Internet connections and impact
 
  academic traffic performance and budget.</li>
 
</ul>
 
<p>The University of Chicago has published <a href="http://security.uchicago.edu/peer-to-peer/no_fileshare.shtml">instructions
 
for disabling common music and peer sharing services</a>. You will still be able
 
to download music and other files but others will not be able to connect to your
 
computer...thus nullifying unneeded risk.</p>
 
  
 
==Follow Best Practices Guidelines==
 
==Follow Best Practices Guidelines==
<p>Systems providing services over the network (web servers, ftp servers,
+
Systems providing services over the network (web servers, ftp servers, etc.) should have their configurations tightened to decrease unnecessary access. For example, the services should run under restricted user IDs, be restricted to specific directories, and be very limited in the external programs and system services they are able to access. This type of work is generally best performed
etc.) should have their configurations tightened to decrease unnecessary access.
+
by a technician experienced with the particular services and platform being used.
For example, the services should run under restricted user IDs, be restricted to
 
specific directories, and be very limited in the external programs and system
 
services they are able to access. This type of work is generally best performed
 
by a technician experienced with the particular services and platform being
 
used.
 
<ul>
 
  <li><a href="http://www.cisecurity.org">Center for Internet Security
 
  Benchmarks (covers windows, linux, max osx, solaris, hpux, aix, oracle,
 
  apache)</a></li>
 
  <li><a href="http://www.nsa.gov/snac/">NSA Security Configuration Guides</a></li>
 
  <li><a href="http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf">
 
  Guidelines on Securing Public Web Servers</a> (PDF-National Institute of
 
  Standards and Technology)</li>
 
 
 
  <li><a href="http://httpd.apache.org/docs/misc/security_tips.html">Apache
 
Configuration Guidelines (Apache)</a></li>
 
  <li>Consider installing and configuring <a href="http://www.modsecurity.org/">modsecurity</a> on computers running the
 
  apache web server.</li>
 
  <li><a href="http://www.cert.org/tech_tips/usc20_full.html">Unix Security
 
    Checklist from Carnegie Mellon CERT</a> (also includes web, ftp, and other services)</li>
 
  <li><a href="http://www.cert.org/tech_tips/anonymous_ftp_config.html">Anonymous
 
FTP on Unix Configuration Guidelines (CERT)</a></li>
 
 
 
  <li><a href="rc.shtml">Remote Control Software</a></li>
 
  <li>W<a href="http://www.jmu.edu/computing/security/info/wireless.shtml">ireless
 
  usage and setup tips</a>.</li>
 
  <li>
 
  <a href="http://e-docs.bea.com/wls/docs70/lockdown/practices.html#1128006">BEA
 
 
 
  Systems WebLogic Server (BEA)</a></li>
 
  <li>
 
  Oracle<ul>
 
 
 
  <li>
 
  <a href="http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf">
 
  Oracle Database Security Checklist ( Oracle - November 2005 )</a></li>
 
  <li><a href="http://otn.oracle.com/deploy/security/pdf/oow00/orahack.pdf">Ten
 
  Tips for Oracle Security ( Oracle )</a></li>
 
  <li>
 
  <a href="http://www.oracle.com/technology/deploy/security/oracle9i/pdf/9ir2_checklist.pdf">
 
  Secure Configuration Guide for Oracle 9i ( Oracle )</a></li>
 
 
 
  <li>
 
  <a href="http://www.oracle.com/technology/deploy/security/db_security/index.html">
 
  Oracle Database Security Resources ( Oracle )</a></li>
 
  <li><a href="http://www.petefinnigan.com/orasec.htm">Oracle Security Papers (
 
  PeteFinigan.com )</a></li>
 
  <li><a href="http://www.nextgenss.com/papers/hpoas.pdf">Hackproofing Oracle
 
  Application Server ( NGSSoftware )</a></li>
 
  <li>
 
  <a href="http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf">
 
 
 
  Oracle Database Listener Security Guide ( Integrigy )</a></li>
 
</ul>
 
 
 
  </li>
 
  <li>General web development:<ul>
 
  <li><a href="http://www.owasp.org/">Open Web Applications Security Project (OWASP)</a></li>
 
  <li><a href="http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf">SQL
 
  Injection White Paper</a></li>
 
  <li><a href="http://www.cert.org/tech_tips/malicious_code_mitigation.html">
 
 
 
  CERT's &quot;Understanding Malicious Content Mitigation for Web Developers&quot;</a></li>
 
  <li>
 
  <a href="http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q252985&">
 
  Microsoft's &quot;HOWTO: Prevent Cross-Site Scripting Security Issues&quot;</a></li>
 
  <li>
 
  <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true">
 
  Building Secure ASP.NET Applications: Authentication, Authorization, and
 
  Secure Communication</a></li>
 
  
  <li>
+
*[http://www.cisecurity.org Center for Internet Security Benchmarks] (covers windows, linux, max osx, solaris, hpux, aix, oracle, apache)
  <a href="http://phpsec.org/projects/guide/">PHP Security Consortium</a></li>
+
*[http://www.nsa.gov/snac/ NSA Security Configuration Guides]
  <li>
+
*[http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf Guidelines on Securing Public Web Servers] (PDF-National Institute of Standards and Technology)
  <a href="http://www.zend.com/zend/art/art-oertli.php">Secure Programming in
+
*[http://httpd.apache.org/docs/misc/security_tips.html Apache Configuration Guidelines (Apache)]
  PHP</a></li>
+
*Consider installing and configuring [http://www.modsecurity.org/ modsecurity] on computers running the apache web server.
</ul>
+
*[http://www.cert.org/tech_tips/usc20_full.html Unix Security Checklist from Carnegie Mellon CERT] (also includes web, ftp, and other services)
 +
*[http://www.cert.org/tech_tips/anonymous_ftp_config.html Anonymous FTP on Unix Configuration Guidelines (CERT)]
  
  </li>
+
'''General web development:'''
  <li><a href="http://www.vmware.com/pdf/vmworld04_security.pdf">VMWare</a></li>
+
*[http://www.owasp.org/ Open Web Applications Security Project (OWASP)]
 +
*[http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf SQL Injection White Paper]
 +
*[http://www.cert.org/tech_tips/malicious_code_mitigation.html CERT's &quot;Understanding Malicious Content Mitigation for Web Developers&quot;]
 +
*[http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q252985& Microsoft's &quot;HOWTO: Prevent Cross-Site Scripting Security Issues&quot;]
 +
*[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication]
 +
*[http://phpsec.org/projects/guide/ PHP Security Consortium]
 +
*[http://www.zend.com/zend/art/art-oertli.php Secure Programming in PHP]
  
  <li><b>Microsoft Specific</b></li>
+
'''Microsoft Specific'''
  <li>Use
+
*Use [http://www.microsoft.com/technet/security/tools/mbsahome.mspx Microsoft's Baseline Security Analyzer tool] to check Windows NT, 2000, XP, and 2003 systems for updates and best practices configuration recommendations when the computer:
  <a href="http://www.microsoft.com/technet/security/tools/mbsahome.mspx">Microsoft's Baseline Security Analyzer tool</a> to check Windows NT, 2000, XP,  
+
**Is used to access accounts with elevated privileges.
  and 2003 systems for updates and best practices configuration recommendations  
+
**Runs remotely accessible services such as web, database, or file shares.
  when the computer:<ul>
+
*[http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp Microsoft NT, 2000, and IIS Baseline Security Recommendations (Microsoft)]
  <li>Is used to access accounts with elevated privileges.</li>
+
*[http://www.jmu.edu/computing/security/info/msfileshar.shtml Microsoft Peer File Sharing Issues]
  <li>Runs remotely accessible services such as web, database, or file shares.</li>
+
*[http://support.microsoft.com/support/Access/Content/SECFAQ.asp Microsoft Access Database Security FAQ (Microsoft)]
</ul>
+
*Microsoft SQL Server
  </li>
+
**[http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp Securing SQL Server 2000 (Microsoft)]]
 
+
**[http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=24 SQL Server Security Checklilst]
  <li><a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp">Microsoft
+
**[http://www.sqlsecurity.com SQLSecurity.com]
    NT, 2000, and IIS Baseline Security Recommendations (Microsoft)</a></li>
+
*Use the [http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp IIS    Lockdown Tool] on NT, 2000, and XP computers to disable unneeded access and oft-exploited functionality on IIS Web servers that may be running.
  <li><a href="http://www.jmu.edu/computing/security/info/msfileshar.shtml">Microsoft
+
*[http://www.microsoft.com/windowsxp/sharedaccess/default.mspx Microsoft Shared Computer Toolkit for Windows XP]
    Peer File Sharing Issues</a></li>
 
  <li>
 
  <a href="http://support.microsoft.com/support/Access/Content/SECFAQ.asp">Microsoft
 
    Access Database Security FAQ (Microsoft)</a></li>
 
  <li>Microsoft SQL Server<ul>
 
  <li>
 
  <a href="http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp">
 
 
 
  Securing SQL Server 2000 (Microsoft)</a></li>
 
  <li><a href="http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=24">SQL  
 
  Server Security Checklilst</a> ( <a href="http://www.sqlsecurity.com">SQLSecurity.com</a>
 
  )</li>
 
</ul>
 
 
 
  </li>
 
  <li>Use the <a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp">IIS
 
     Lockdown Tool</a>  on NT, 2000, and XP computers to disable unneeded access and oft-exploited functionality
 
    on IIS Web servers that may be running.</li>
 
 
 
  <li><a href="http://www.microsoft.com/windowsxp/sharedaccess/default.mspx">
 
  Microsoft Shared Computer Toolkit for Windows XP</a></li>
 
</ul>
 

Latest revision as of 10:53, 17 March 2006

Whether by operator mistakes, attempts at making computers easy to use, or encouraging open access, our computer's software sometimes grants more access to our computers than is needed. We can decrease risk by eliminating unneeded access to our computers.

Nullify Risks From Unneeded Access to Shared Data and Folders

  • Microsoft file sharing is often misconfigured. If you don't need Microsoft file sharing, disable it. If you only mean to share files in your MP3 or PICS directories, don't share your entire C: drive. Otherwise, your entire computer can be completely controlled (or erased) by someone else, or a virus, in short order. Click here for details.
  • The same applies for Appleshare and NFS services. Limit shares to folders you create. Don't share your entire hard drive.
  • It is very important that strong passwords be assigned to Windows NT, 2000, and XP Professional Administrator privileged accounts. These systems automatically create several shared resources when they are started. These shares are hidden (because they end with the dollar sign character:$) and computer operators may not be aware of them or their associated risks. Using these resources, a privileged account can remotely access the entire hard drive of a computer. If the privileged account's password is weak or nonexistent, this could lead to a total compromise of the computer. Accounts with access to these shares include:
    • Administrator account on NT, 2000, and XP Professional.
    • Any member of the Administrator and Backup Operator groups on 2000 professional
    • Any member of the Server operator group on 2000 server
  • When creating users in Windows XP setup, all users are created with administrative privileges and no password by default. All such accounts will have remote access to the hidden shares on Windows XP Professional machines (Windows XP Home machines don't enable the hidden shares by default). On either system, you must set a password for each user and, in most cases, should remove them from the administrators group. See password setting instructions and Microsoft KnowledgeBase article Q293834.
  • Operators can prevent Administrator accounts from accessing the machine from the network by removing the "Access this machine from the network" right from these accounts using the User Manager (NT) or Local Security Policies (2000) configuration tools.
  • Advanced operators can partially remove the capability for anonymous network operators to gain a list of the accounts and resources existing on NT and 2000 machines by editing the registry following the procedures described in Microsoft Knowledgebase article Q143474.
  • Providing shared space on your computer that others are allowed to write to exposes you to the risk of having illegal or inappropriate material stored on your computer. See below.

Nullify Risks From Unneeded Account Privileges

Use the NT/2000/XP Administrator/PowerUser and unix root accounts only when needed for system maintenance. Use a normal user account for all other activities particularly browsing the web and reading email.

Nullify Risks From Unneeded Code Entry Points

  • If you don't need the functionality provided by ActiveX, JavaScript, and Java in your browser and email reader, disable or restrict it.
  • Do not exchange executable email attachments as it promotes unsafe practices. If you need to distribute executables, do so on a web or read-only file server. If you need to collect executables, do so from a web server submission or write-only file server... preferably one where the user is authenticated. Be aware of the risks associated with anonymous, public storage.

Nullify Risks From Unneeded Network Access

  • If you don't need all the services installed and started by the default Linux installation, disable them in the inetd.conf and rc startup configuration files.
  • Limit unwanted network communications with a firewall. If your computer is only used to communicate in certain ways, the consequences of mistakes or defects can be decreased by disabling other, unnecessary communication channels. One way this can be done is through desktop firewalls. Windows 2000, XP, and 2003 come with firewall functionality built-in. In the form of Internet Connection Firewall for Windows XP and 2003 and IPSEC filtering in 2000. Other Windows operators have many commercial and no-cost choices. ZoneAlarm, by ZoneLabs, is free for personal or non-profit use but they specifically exclude educational institutions from this offer. You can, however, use it on a personal computer at home. Keep in mind that all desktop firewalls are vulnerable to locally run code. Some viruses disable them. Linux operators can take advantage of the built in ipchains or iptables facilities. More information on personal firewalls.
  • It is very useful to know what programs on our computers listen on the network for other computers to connect to them. In effect, it tells us what doors are open. Two tools useful for checking what programs are listening on what network ports are FPort (Windows) and lsof (unix). The linux command "netstat -anp" will also provide this information. On Windows XP systems, the netstat -o command will show the process ID of listening processes which can then be cross-referenced with the Task Manager to find the program.

Nullify Risks From Unneeded Access to Data in Transit

While we may have control over our own computer's security, we have very little or no control over the security of the path our data may take. As traffic traverses the network, it may pass over and through communications lines and systems which are compromised or poorly maintained. That network traffic may contain passwords and other critical data. To protect the data while it is in transit it should be encrypted.

  • At a minimum encourage the encryption of authentication conversations using such technology as SSL, SSH, IMAP, SMTP, POP, and appropriate settings on clients like PC-Anywhere.
  • Encourage the encryption of entire sessions when critical data is involved again using technology such as SSL and SSH.
  • IPSEC based Virtual Private Networks (VPN) can provide another layer of access control and encryption.
  • Do not type sensitive information into untrusted or public computers.
  • <a href="http://www.jmu.edu/computing/security/info/wireless.shtml">Follow wireless usage and setup best practices</a>.

Nullify Risks of Anonymous, Public Storage.

Avoid using or providing shares and servers that allow public storage by anonymous users. Anonymous FTP servers and Microsoft shares that can be written to and shared by anonymous users are easily found and often abused. They can be, and often are, used by others to store illegal materials such as child pornography and pirated software. If the materials are found on your computer....

Another risk associated with these depots is that someone may modify material placed there by others. The original poster of the file may be blamed for something that was later modified and/or the recipients may suffer loss through incorrect information or malicious software.

Finally, in today's environment there are many viruses that look for and spread to open shares. On any large network, there are likely to be a few computers infected with one of these viruses. It is highly likely that any open share on the NCSU network will have virus files placed in it by these infected computers. Some of these viruses are tricky. They place themselves in existing files or name themselves in such a way that it is not obvious they are malicious. If you absolutely must offer anonymous storage, take the following steps:

  • Post warnings that the service is completely unsecured and that all materials may be tampered with, lost, or may consist of inappropriate or illegal materials. 
  • Limit the amount of space that can be used through disk quotas or by putting the shared space on a separate partition.
  • Restrict access to the service by IP address when possible.
  • Monitor the use of the service to assure yourself that your computer is not being used to store illegal materials and that other users of your service are not being exposed to these materials or malicious software.
  • Do not allow others to download material from the upload area. Have a responsible party examine the material and move it to a separate, read-only, download area once the material is deemed appropriate. Note that this imposes a certain amount of responsibility, and probably liability, on this person.
  • Search for better ways to provide the service

If you absolutely must use anonymous storage, take the following steps:

  • Make sure your anti-virus software is up to date.
  • Do not place materials in anonymously accessible shared space that you don't want made public or modified.
  • Be aware that anything you download from such space could have been modified by anyone and treat the material accordingly. 
  • Never, ever double-click a file stored in such space to open it. Instead, open the application associated with the file (Word, Excel, Netscape, Winamp, etc.) and then use the application's File->Open menu to open the file.
  • Search for better service providers that don't expose you to these risks

Additional information for anonymous FTP servers from Carnegie Mellon's CERT:

Disable Music and Peer File Sharing Services

Running most music sharing programs opens doors on your computer that can be accessed by anyone via the network. There are both security and appropriate use issues related to this.

  • A defect may be discovered and exploited in a sharing server just as they are regularly discovered and exploited in web and other servers to take over the machine.
  • Distributing copyright protected materials and illegal materials such as child pornography.
  • Viruses and other malicious software are increasingly using peer to peer networks to spread and show up in share lists using innocuous names.
  • Having your server become so popular that incoming requests result in overuse of outgoing bandwidth. These types of servers make up a large percentage of outgoing traffic on the NCSU Internet connections and impact academic traffic performance and budget.

The University of Chicago has published instructions for disabling common music and peer sharing services. You will still be able to download music and other files but others will not be able to connect to your computer...thus nullifying unneeded risk.

Follow Best Practices Guidelines

Systems providing services over the network (web servers, ftp servers, etc.) should have their configurations tightened to decrease unnecessary access. For example, the services should run under restricted user IDs, be restricted to specific directories, and be very limited in the external programs and system services they are able to access. This type of work is generally best performed by a technician experienced with the particular services and platform being used.

General web development:

Microsoft Specific