Although Windows NT and UNIX have many of the same security strengths and weaknesses, a new layer of complexity emerges when you use these two operating systems (OSs) on the same network. This complexity becomes even more prevalent when you connect your mixed network to the Internet. Thus, administrators of mixed NT and UNIX networks need to develop and implement a comprehensive security plan.
Many organizations' NT and UNIX security plans are ineffective. A common mistake is to assume that after you install a firewall and proxy server, your network is secure. This measure is important, but it is only one component in an effective plan. A comprehensive NT and UNIX security plan requires that you not only install firewalls and proxy servers, but also choose your applications carefully, secure your Web server, effectively manage passwords and logons, effectively manage user and group accounts, physically secure your network, ensure data integrity via backups, and monitor applications.
Install Firewalls and Proxy Servers
Firewalls and proxy servers are important tools for securing mixed networks that connect to the Internet. Firewalls use packet filtering to restrict external connections to a limited set of services. Proxy servers let internal users access the Internet but prevent external Internet users from connecting to the network. You can even get a proxy firewall, a hybrid of these two tools.
Although we recommend that you take advantage of firewall technology, you need to know that firewalls and proxy firewalls aren't hackerproof. Firewall packet filtering is susceptible to router attacks: anytime someone can apply sophisticated sniffer technology to a router environment, there can be no guarantee that the filters will be foolproof. To prevent these attacks, you can reconfigure your router. Although Telnet is a convenient way to reconfigure a router, a more secure method is to reconfigure the router manually rather than over the network. (The next section contains more information about why you should not use Telnet.)
SNMP on the firewall and router is also susceptible to attack. An easy-to-guess SNMP community string (the password that grants read/write access) can leave a router and other network gear vulnerable to reconfiguration, packet-filter removal, and other abuse by hackers.
Using proxy services has a downside, but it isn't related to security. Proxy servers and proxy firewalls might degrade access speed to the Internet. You can avoid this performance decrease by using a proxy server or proxy firewall with a cache.
Choose Applications Carefully
Typically, NT and UNIX OSs rely on TCP/IP as the baseline network protocol. As a result, connecting NT and UNIX computers to each other and to the Internet is relatively easy. However, both OSs are prone to the same weaknesses inherent in TCP/IP. Potential security breaches can result when you use TCP/IP-based tools and utilities, such as FTP, Trivial File Transfer Protocol (TFTP), the finger utility, Domain Name System (DNS), the remote (r)-command utilities, Telnet, and NFS.
FTP. Systems administrators often use this protocol for the anonymous user accounts that don't require password protection. FTP lets most users, including hackers, access a system. Once inside, hackers can easily work their way throughout your network. To guard against FTP attacks, you need to set permissions to read only in the appropriate files in both NT and UNIX.
TFTP. This protocol is a relaxed version of FTP. Typically, users can transfer any file (even system files, such as NT's Registry and UNIX's /etc/passwd) without a password. Unless you need TFTP, we strongly recommend that you remove or disable the tftpd daemon. In UNIX, you need to comment out the tftp entry in the /etc/inetd.conf file. In NT, you need to check whether anyone has installed third-party software that includes a TFTP service. (NT ships with an FTP service, but not a TFTP service.) If your network has a TFTP service, disable it.
Finger. This utility, which is available for both UNIX and NT, outputs information about a system's users. If hackers provide a first or last name, the utility returns the logon names of users with matching first or last names. If hackers provide an email address, the utility returns user profile information (e.g., the user's full name) and specifies whether the user is currently logged on. After hackers have a list of usernames, the task of systematically discovering passwords becomes the game. Because of these security problems, avoid using this utility.
DNS. A typical DNS server has the primary function of translating computer names into IP addresses. This information can provide just enough data to a hacker to spoof a target system. The dilemma in dealing with the Internet is that IP address information, coupled with domain name resolution, is fundamental for communication. The only viable solution is to maintain discrete DNS servers for external and internal name and IP address resolution. The external DNS server needs to be accessible only to queries about public network data. The internal system needs to be firewall protected and retain all IP address information of the secured environment.
R-command utilities. Several r-command utilities (such as rcp, rlogin, and rsh) for the Berkeley variant of UNIX are useful but replete with security problems. A sniffer can easily capture r-command information because the utilities transmit all information, including usernames and passwords, in plaintext. (For more information about sniffers, see the sidebar "Sniffers: A Common Enemy.") Although many vendors offer r-command utilities as freeware, we recommend that you avoid using them in your mixed network.
If you need to use r-command utilities, you must encrypt your sensitive data. You can use Secure Hypertext Transfer Protocol (S-HTTP) or Secure Sockets Layer (SSL) to encrypt passwords and data on both UNIX and NT. Don't use HTTP because it is an unencrypted protocol that doesn't prevent sniffing or spoofing.
Telnet. In an internal environment, Telnet is a valuable tool, especially if you need to view data on a mixed NT-UNIX system. However, if you use Telnet outside a secured environment, security breaches can occur because the application transmits passwords, usernames, and other data in plaintext. If you need to use Telnet in an external environment, you must encrypt your sensitive data.
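The checks above (disable tftpd, avoid finger, the r-commands and Telnet on an Internet-facing host) all come down to what inetd is still willing to start. The script below is an added example, not code from the article: it audits a classic inetd.conf (service name in the first field, a leading "#" disables the line) for the services the article singles out and comments one of them out the way the TFTP paragraph recommends. The sample inetd.conf is constructed for the example; the function names are our own.

```shell
#!/bin/sh
# Added example (not from the article): audit an inetd.conf for the
# password-less and plaintext services the article warns about, and
# comment out one entry. Assumes the classic inetd.conf layout: service
# name in the first field, lines starting with '#' are disabled.

# Services the article singles out as risky on an Internet-connected host
# (rsh, rlogin and rexec appear in inetd.conf as shell, login and exec).
RISKY_SERVICES="tftp finger shell login exec telnet"

# Print the names of risky services that are still enabled in FILE.
list_enabled_risky() {
    file=$1
    for svc in $RISKY_SERVICES; do
        # An active (uncommented) line whose first field is the service name.
        if grep -Eq "^[[:space:]]*$svc[[:space:]]" "$file"; then
            echo "$svc"
        fi
    done
}

# Comment out every active line for service SVC in FILE. A temp file is
# used instead of "sed -i" so the function also works with non-GNU sed.
disable_service() {
    file=$1; svc=$2
    tmp=$(mktemp)
    sed -E "s/^([[:space:]]*$svc[[:space:]])/#\1/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample inetd.conf (not taken from any real system). rsh is
# already disabled; tftp, finger, rlogin and telnet are still active.
make_sample_inetd() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# service  type   proto wait/nowait user   program          args
ftp      stream tcp   nowait      root   /usr/sbin/tcpd   in.ftpd -l -a
telnet   stream tcp   nowait      root   /usr/sbin/tcpd   in.telnetd
#shell   stream tcp   nowait      root   /usr/sbin/tcpd   in.rshd
login    stream tcp   nowait      root   /usr/sbin/tcpd   in.rlogind
tftp     dgram  udp   wait        root   /usr/sbin/tcpd   in.tftpd /tftpboot
finger   stream tcp   nowait      nobody /usr/sbin/tcpd   in.fingerd
EOF
    echo "$tmp"
}

# Usage: f=$(make_sample_inetd); list_enabled_risky "$f"; disable_service "$f" tftp
```

After editing the real /etc/inetd.conf you still have to signal inetd to reread it (a HUP to the inetd process); the script only changes the file.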
NFS. NFS is available on all variants of UNIX, and many third-party solutions for NT also offer NFS. This widely used tool lets users locally share file systems on foreign hosts. NFS accomplishes file sharing by exporting a file system from one host; the NFS client then mounts it so that it looks as if it were local to users.
Using NFS can create security problems because after NFS mounts a network file system, that system is open to any user with the proper permissions. Therefore, abuse is possible. If you use NFS, we recommend that you enable all its security features (e.g., restricted read and write permissions). In addition, you need to properly manage user and group permissions. Further, we recommend that you export only those file systems that users require.
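One way to act on the advice to restrict permissions and export only what users require is to audit the exports file for entries that give away too much. The script below is an added example, not the article's code; it assumes the Linux /etc/exports syntax ("<path> <client>(<options>) ..."), where a client of "*" or a missing client means every host and the no_root_squash option lets a remote root act as root on the export. The sample exports file is constructed for the example and shows the weak and the restricted form side by side.

```shell
#!/bin/sh
# Added example (not from the article): flag NFS exports that hand out more
# than users require. Assumes the Linux /etc/exports syntax
#   <path> <client>(<options>) <client>(<options>) ...
# where a client of "*" or no client at all means every host, and the
# no_root_squash option lets a remote root act as root on the export.

# Print one "path: reason" line per risky export found in FILE.
audit_exports() {
    file=$1
    set -f   # the client field may contain "*"; do not let the shell glob it
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r path clients; do
        if [ -z "$clients" ]; then
            echo "$path: exported to every host (no client list)"
            continue
        fi
        for c in $clients; do
            host=${c%%\(*}                 # text before "(", may be empty
            opts=${c#"$host"}              # "(rw,...)" or empty
            opts=${opts#\(}; opts=${opts%\)}
            case "$host" in
                ''|'*') echo "$path: exported to every host ($c)" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path: no_root_squash for $host" ;;
            esac
        done
    done
    set +f
}

# Constructed sample exports file (not from any real system). The first two
# entries are the weak form; the last two are restricted to named clients
# or a subnet, as the article recommends.
make_sample_exports() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# path        clients(options)
/home         *(rw)
/export/src   (ro)
/export/pub   10.0.0.0/24(ro)
/home/eng     build1(rw) build2(rw,no_root_squash)
EOF
    echo "$tmp"
}

# Usage: f=$(make_sample_exports); audit_exports "$f"
```

Run against the sample, the audit reports /home and /export/src as open to every host and /home/eng for the no_root_squash grant to build2, while the read-only subnet export of /export/pub passes.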
Another approach to file sharing is Microsoft's Server Message Block (SMB), which uses broadcast-oriented methods to advertise shared resources. The Common Internet File System (CIFS) used on UNIX systems is an extension of SMB. SMB technology is also available for other client platforms, including VMS and Macintosh.
Samba is freeware that uses SMB to permit file system sharing between UNIX and NT systems. However, you need to be careful when using Samba or any other SMB technology. SMB uses NetBIOS to broadcast file information; thus, DOS- and Windows-based users can use NET VIEW, NET USE, and similar utilities to access resources. If you haven't set proper permissions, you might be undermining your network's security.
Secure Your Web Server
A Web server lets users download designated files and run Common Gateway Interface (CGI) scripts. Here are 10 tips for a secure Web server in an NT-UNIX environment:
- Configure the Web server to deny users access to sensitive files.
- Limit the Web server to a specific directory subtree.
- Don't let users access the Web server's password security file.
- Give the Web server software limited system privileges.
- Install a firewall between the Web server and the internal network when the Web server connects to the Internet.
- Don't use UNIX's equivalency files (hosts.equiv) or NT's domain trust relationships to set up trust relationships between the internal host and the external Web server. Otherwise, if hackers get into one system in the domain, all other trusted domains are in jeopardy.
- Make sure CGI scripts perform only the intended task. Remember external Internet users can run these scripts with any parameters they choose.
- Don't let FTP users upload CGI scripts into the Web server's file system area. In addition, don't let FTP users upload their own scripts. Set the cgi-bin directory permissions to read-execute.
- Disable all services that you are not using on the Web server.
- Use S-HTTP or SSL to encrypt passwords and data. Don't use HTTP because it is an unencrypted protocol that doesn't prevent snooping or spoofing.
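Two of the tips above lend themselves to code: a CGI script must do only its intended task whatever parameters an outside caller supplies, and nothing in cgi-bin should be writable. The script below is an added example, not from the article or any Web server's own code. It shows a strict allowlist check for a CGI parameter (hypothetical function cgi_param_ok), a hypothetical handler serve_report that uses it before touching the file system and never passes the value to a shell, and a find command that lists cgi-bin files writable by group or others. The directory layout and report names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): two defensive checks for a cgi-bin.
# 1) cgi_param_ok: a strict allowlist for a CGI parameter value so that a
#    caller-chosen value cannot steer the script to other files or commands.
# 2) writable_cgi_files: list scripts in a cgi-bin directory that are
#    writable by group or others (the article asks for read-execute only).

# Return 0 if VALUE is a safe single token: 1 to 32 characters from
# [A-Za-z0-9_.-], not starting with '-' (would read as an option to a
# command) and containing no '..' (directory traversal).
cgi_param_ok() {
    value=$1
    case "$value" in
        '' | -* | *..*) return 1 ;;
    esac
    printf '%s' "$value" | grep -Eq '^[A-Za-z0-9_.-]{1,32}$'
}

# Hypothetical CGI handler: serves REPORT_DIR/<name>.txt for the "report"
# parameter, but only after the name passes the allowlist. The value is
# used as a file name component only; it is never handed to a shell.
serve_report() {
    report_dir=$1; name=$2
    if ! cgi_param_ok "$name"; then
        printf 'Status: 400 Bad Request\r\n\r\nbad parameter\r\n'
        return 1
    fi
    if [ ! -f "$report_dir/$name.txt" ]; then
        printf 'Status: 404 Not Found\r\n\r\nno such report\r\n'
        return 1
    fi
    printf 'Content-Type: text/plain\r\n\r\n'
    cat "$report_dir/$name.txt"
}

# List regular files under DIR that are writable by group or by others;
# every line printed is a script someone other than the owner can change.
writable_cgi_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# Usage (a real CGI would take the name from the decoded query string):
#   serve_report /var/www/reports "$REPORT_NAME"
#   writable_cgi_files /var/www/cgi-bin
```

The allowlist is deliberately narrow: it is easier to widen a check for one legitimate report name than to enumerate every character a shell, a path or an option parser treats specially.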
Effectively Manage Passwords and Logons
To secure your NT-UNIX network, you need to effectively manage the logon process, which starts when users create passwords. In most organizations, the logon name is user friendly and fairly easy to discern (e.g., msmith for Mary Smith). This practice leaves the password as the key to securing access. You must give users guidelines on how to create passwords that hackers won't easily discern. For example, tell users not to create passwords that use their name or use pop culture words (e.g., rollingstone or xfiles). Instead, users need to create passwords consisting of alphanumerics that would make little sense to a third party.
Because the person bent on viewing unauthorized data or destroying files is as likely to be an individual down the hall as a wizard in a remote location, you need to remind users that they must not write or verbalize their passwords. Also, tell users that they need to be aware of those who can observe them typing their password; replicating keystrokes is a simple task.
Hackers maintain a dictionary of words and run an automated process that tries each word in the dictionary against a user's account. In NT and many UNIX variants, you can set a lockout option that freezes a user's account when the number of failed logon attempts exceeds a specified threshold. In UNIX variants with lockout options, the systems administrator can generally set the threshold as part of the user-management or add-user functions. To allow for users accidentally typing the wrong password, we recommend that you set the lockout threshold at three or four attempts.
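The guidelines in the two paragraphs above (no names, no pop-culture words, a mix of letters and digits, nothing a dictionary run would find) can be enforced at the point where a password is chosen rather than left to the user. The function below is an added example, not from the article; password_ok is our own name, and the word list is a small constructed stand-in for the dictionary an attacker would try, not a real one.

```shell
#!/bin/sh
# Added example (not from the article): check a proposed password against
# the article's guidelines before accepting it. DICT is a constructed,
# deliberately tiny stand-in for an attacker's dictionary.

DICT="password rollingstone xfiles smith mary secret welcome"

# password_ok LOGIN PASSWORD: prints "ok" and returns 0 if the password
# passes every rule; otherwise prints the first rule it fails and returns 1.
password_ok() {
    login=$1; pw=$2
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    # 1. Length: at least 8 characters.
    [ "${#pw}" -ge 8 ] || { echo "too short"; return 1; }
    # 2. Must mix letters and digits (the article's "alphanumerics").
    printf '%s' "$pw" | grep -q '[A-Za-z]' || { echo "no letters"; return 1; }
    printf '%s' "$pw" | grep -q '[0-9]'    || { echo "no digits"; return 1; }
    # 3. Must not contain the logon name (msmith99 is as guessable as msmith).
    case "$lower" in
        *"$login"*) echo "contains logon name"; return 1 ;;
    esac
    # 4. Must not be a dictionary word, even with digits tacked on the end
    #    (xfiles99 falls to the same automated run as xfiles).
    stripped=$(printf '%s' "$lower" | sed 's/[0-9]*$//')
    for w in $DICT; do
        if [ "$lower" = "$w" ] || [ "$stripped" = "$w" ]; then
            echo "dictionary word"; return 1
        fi
    done
    echo "ok"
}

# Usage: password_ok msmith 'Tr4ck-bl7g'   (prints "ok")
```

The ordering of the rules matters for the message a user sees, not for security: any single failure is enough to reject the password, and rule 4 is only as strong as the word list behind it.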
The Administrator account in NT doesn't have a lockout option. The Microsoft Windows NT Server 4.0 Resource Kit includes the PASSPROP utility, whose /ADMINLOCKOUT switch lets you apply lockout to the Administrator account. An alternative approach is to change the administrator's logon name to a non-obvious descriptor. Hackers must then identify both the administrator's logon name and password to get into the system. To further frustrate hackers, you can set up a bogus account in User Manager for Domains, without rights or privileges, under the administrator's old name.
Effectively Manage User and Group Accounts
If hackers breach your NT-UNIX system through a user's account, how you manage permissions and ownership determines the amount of damage that hackers can inflict. Systems with loosely configured rights are prime targets for devastation. If hackers breach NT's Administrator account or UNIX's root superuser account, they can do irreparable damage.
NT and UNIX OSs embrace the same basic principles of permissions and ownership. In both OSs, files can have no permissions or a mixture of read, write, and execute permissions. (NT also has delete, list, change-permission, and take-ownership options.) In both OSs, ownership determines who can administer an object and grant privileges to individual users and groups. Neither OS ties ownership to group membership unless you instruct it to. In other words, just because a user is a member of a group that has access to an object, you cannot infer that the user owns that object.
Most security problems arise from improperly managing user and group accounts. To let coworkers access information, users typically give them write permissions to their $HOME directory. This permission setting provides an open invitation for anyone to view, change, and copy data.
You can create a more secure system by setting up group rights. You can create NT local and global groups by selecting New Local (or Global) Group in User Manager for Domains. In UNIX, you use the /etc/group file to add system groups and, in turn, give users the ability to add members to those groups and assign file permission levels. Users can assign privileges to a group at the appropriate read, write, and execute levels.
For a highly secure UNIX environment, you can use umask, a UNIX command that lets you establish default file permissions in the global /etc/profile or a user-specific .profile script. You can set similar defaults in NT through the Permissions dialog box on a directory's Properties sheet. You can initially protect users' $HOME directories until they take deliberate action to share files with a designated group. You must encourage users to minimize coworkers' access to their files.
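The umask value is the part of the paragraph above that administrators most often get backwards, because it is a mask of bits to remove rather than the mode to grant. The function below is an added example, not from the article: it creates a file and a directory under a given umask and reports the resulting permission strings, so you can see what a line such as "umask 077" in /etc/profile or a user's .profile will do to everything that user creates. It assumes a POSIX system with mktemp and ls; perms_under_umask is our own name.

```shell
#!/bin/sh
# Added example (not from the article): show what a umask does to the
# permissions of files and directories a user creates. New files start from
# mode 666 and new directories from 777; the umask removes bits from those.
#   umask 077  -> owner only   (the private $HOME the article recommends)
#   umask 027  -> owner full, group read, others nothing
#   umask 022  -> everyone can read (the common, permissive default)

# perms_under_umask MASK: create a file and a directory under MASK in a
# scratch directory and print their permission strings, e.g.
# "-rw------- drwx------" for 077.
perms_under_umask() {
    mask=$1
    work=$(mktemp -d)
    (
        # A subshell so the umask change does not leak into the caller.
        umask "$mask"
        : > "$work/file"
        mkdir "$work/dir"
    )
    f=$(ls -ld "$work/file" | cut -c1-10)
    d=$(ls -ld "$work/dir" | cut -c1-10)
    rm -rf "$work"
    echo "$f $d"
}

# The setting itself is one line in the global /etc/profile (all users) or a
# user's own .profile, as the article describes:
#   umask 077

# Usage: perms_under_umask 077
```

Note that umask only governs what is created from then on; files that already exist keep their modes and need an explicit chmod if they are to be tightened.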
When users share file systems and resources, you must take special measures. As a general rule, you need to maintain the default file system rights that NT and UNIX set on the root, or system, directories. If needed, you can then control permissions to devices on the user and group levels. NT permits excellent gradation of resource permissions.
Physically Secure Your Network
Underestimating the importance of physical security can be a fatal mistake. Popping open the cover of a server is easy. After a hacker is inside, pulling a hard disk takes only seconds, and the organization's data is out the door.
Consider another scenario. With some UNIX variants, possessing the boot disk is like having the key to the castle. If disgruntled employees get a boot disk and gain access to a server's 3.5" drive or CD-ROM drive, they can erase all data on that server or gain access to the root console, opening the door to the entire system.
The same scenario can occur with NT systems that have FAT partitions: disgruntled employees can easily boot these systems with a DOS disk. Microsoft designed NTFS partitions to prevent such intrusions. However, utilities are now available (such as ntfsdos.exe) that let users read NTFS partitions after booting the system from a DOS disk.
So what can you do to prevent this type of abuse? Common sense dictates placing servers in a secured room or locking components into place. More sophisticated solutions include the use of smart cards, fingerprint scanners, and digital signatures. Using BIOS-level passwords is another line of defense. And don't forget to disable hardware components when you aren't using them.
Ensure Data Integrity via Backups
Although people do not usually view these tasks as security measures, regularly conducting data backups and securing your data backup system are fundamental to a secure NT-UNIX network. Performing regular backups is critical to restoring operations in the event of a damaging virus or hack job. Equally important is what you do with the backup media. At a minimum, you need to store backup media in a secure environment. Also, you need to consider archiving and storing a second set of backup media in a secure remote location.
Managing software licenses is another task that administrators don't often regard as a security measure. However, licensing is typically one of the largest IS investments. Thus, theft and piracy are major problems. As the systems administrator, you are responsible for distributing the media and preventing unauthorized copying or theft.
As the systems administrator, you are also responsible for removing and preventing the installation of unauthorized applications. Installing software from unknown sources might introduce computer viruses and Trojan horses to your network. (A Trojan horse is a program that supposedly performs one task but does something very different.) Unauthorized software can produce leaks or modify system properties. Even loading network-monitoring tools can open security holes if you install the tools incorrectly.
In case a virus or Trojan horse gets into your system from unauthorized software or another source, you need to carefully maintain proper permissions and ownership policies to minimize damage. Viruses and Trojan horses generally can't cause harm when you deny them access. In addition, installing antivirus software is a good idea. This software is readily available for NT. UNIX antivirus software is slowly becoming commercially available.
Don't Make These Mistakes
The biggest mistake that systems administrators can make is to take security lightly. Another mistake is to underestimate how far a hacker will go to gain access for profit or enjoyment. To secure an NT-UNIX environment, you need to develop and implement a plan that is comprehensive yet unobtrusive. A plan incorporating the eight components we've just discussed is a good place to start.