Chris Pugrud wrote:
>
> This really is not as bad a situation as it seems. Here are a few
> pointers to vastly increase the security of the system. This is not
> the be all or end all of security. I am sure that there are more steps
> that you can take to increase your security even more. Buyer Beware.
> Your mileage may vary...
>
> Apply sp2 for Windows NT 4.0
> SP2 fixes several bugs in the OS and IIS
> http://www.microsoft.com/ntserversupport/Default-SL.HTM
>
> The machine really should be used only for serving web pages. If you
> can dedicate a singular machine, even a 486, to just tossing HTTP then
> you can greatly increase the security.
> Under Control Panel > Services, Only the following MUST be running for
> a web server:
> EventLog
> FTP Publishing Service (optional)
> Plug and Play (NT 4.0)
> Workstation
> World Wide Web Publishing Service
> Only these services should be set "Automatic". All other services
> should be set "manual." Be careful, your mileage may vary...
>
> Use IIS security
> IIS has some built in allow/deny filtering based on IP address
> Internet Service Manager > WWW Service Properties > Advanced TAB
>
> CGI/BIN is BAD (by default)
> Remove scripts and the HTML Administrator if installed
> Internet Service Manager > Directories
> Ideally only "C:\InetPub\wwwroot" "<home>" is listed. Remove all
> others, especially any that you can not identify.
> While you are there make sure to go to "logging" and set up logs
> Also go c:\InetPub and set security
> NT Explorer > C:\InetPub > right click > properties > security >
> permissions
> Replace Permissions on Subdirectories
> Replace Permissions on Existing Files
> Make Everyone Read (RX)(RX)
> Make Administrator Full Control (All)(All)
> Remove all others
> This sets things up so that only the administrator can make changes
> and they must be made from the machine.
>
> Use the OS security
> NT 4.0 has basic packet filtering built in
> Control Panel > Network > Protocols > TCP/IP > Properties > IP Address
> > Advanced > Enable Security > Configure
> Permit Only (TCP Ports) > Add > 80 (http)
> Permit Only (UDP Ports) > (leave blank)
> Permit Only (IP Protocols) > Add > 6 (TCP)
> This really cuts down what the machine can do. If you need to surf
> from the machine you may need to add 53 to UDP Ports.
> While you are in the Control Panel, also check your bindings:
> Control Panel > Network > Bindings > Show Bindings for "all
> protocols."
> Make sure that "TCP/IP" is Enabled
> Disable all others
> Show bindings for "all adapters"
> Expand the adapter (click the plus box)
> Expand WINS Client
> You may need to enable Workstation if the networking will not start on
> reboot.
> If you do, make sure to disable server and NetBIOS Interface
> Restart your computer
>
> Good day and Good luck
>
> Chris
>
> >-----Original Message-----
> >From: Franke Albert 2 Lt USAFE CSS/SCBS [SMTP:albert.franke@ramstein.af.mil]
> >Sent: Wednesday, January 08, 1997 3:52 AM
> >To: Firewalls Mailing list
> >Subject: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!!
> >
> >I am responsible for securing (as well as I can) a DEC Alpha running
> >Windows NT 4.0 and Internet Information Server as our WWW Server. It is
> >sitting as a node on our LAN and everyone in the world can access it. I
> >want a program that I can run on it that will allow/disallow blocks of
> >IP addresses such as 132.244 or .AF.MIL only. Also, I would like (but
> >not as necessary) it to keep detailed logs. I have heard of O'Reilly's
> >WebSite, but I don't know if this will do. I do not have funding for an
> >expensive firewall machine, and it is impractical to add routers into
> >our LAN. Please help if you have any suggestions. Thanks.
> >
> >albert.franke@ramstein.af.mil
> >Albert E. Franke, 2Lt, USAF
> >OIC, USAFE Web Tech Support 480-7905
I don't know if you folks caught this or not. He is on a LAN on a
fairly large Air Force base in Germany. This means that not only is his
website open to attack, so are many of the base's computer systems. It
appears that there are larger issues here than meet the eye.
His Security Squadron should be involved as well as the Communications
Squadron that is stationed on the base.
With the military it takes a long while to get anything done unless you
do it yourself on a shoestring. The money comes from above once a year
in a budget process that is antiquated and very slow to adjust to
change. This is one area that changes as frequently as hour to hour.
There are initiatives going out from the Pentagon to do things about
this and the President himself has even put out the word to Secure the
Military Systems. However, the priority in the field is not on securing
the sites. It is on keeping the job they presently have. They are in
the one-mistake-and-you're-out-of-the-game military. I wish Albert luck.
Hopefully he can get the Base Commander's attention so that the Comm
Squadron will put in a firewall at the access point to the internet on
the base. Otherwise the security of the whole base's network is
suspect.
On the other hand there could be security in place and he just is not
aware that it is there. Chances are the previous is the case.
--
Cary
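The allow/deny filtering both posters refer to (IIS's "default grant or deny, plus a list of exception addresses", and Albert's wish to admit only blocks such as 132.244) can be modelled and checked offline. The block below is an added example written for this page; it is not code from either poster or from IIS. It assumes that a dotted prefix like "132.244" means "every address beginning with those octets" (132.244.0.0/16), replays constructed IIS-style log lines through the policy, and sticks to IP addresses rather than domain names like .AF.MIL, because name-based rules depend on reverse DNS that the remote side can influence.

```python
"""Added example: IIS-style IP allow/deny (default policy plus exceptions).
Not code from the original thread; sample log lines are constructed."""
import ipaddress
from typing import Iterable, List, Tuple


def prefix_to_network(prefix: str) -> ipaddress.IPv4Network:
    """'132.244' -> 132.244.0.0/16; '10.1.2.3' -> 10.1.2.3/32.

    Each omitted octet widens the mask by 8 bits, the way an administrator
    reading a 'block' like 132.244 would intend it (assumption).
    """
    octets = prefix.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad IP prefix: {prefix!r}")
    for o in octets:
        if not (o.isdigit() and 0 <= int(o) <= 255):
            raise ValueError(f"bad IP prefix: {prefix!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(padded)}/{8 * len(octets)}")


class IpAccessPolicy:
    """A default (grant or deny) plus exception networks that flip it,
    mirroring the 'by default all computers will be ... except' model."""

    def __init__(self, default_grant: bool, exceptions: Iterable[str]):
        self.default_grant = default_grant
        self.exceptions = [prefix_to_network(p) for p in exceptions]

    def allows(self, client_ip: str) -> bool:
        addr = ipaddress.IPv4Address(client_ip)
        in_exception = any(addr in net for net in self.exceptions)
        if self.default_grant:
            return not in_exception   # exceptions are the denied hosts
        return in_exception           # exceptions are the only allowed hosts


# Constructed sample log lines: client IP, date, method, path
SAMPLE_LOG = [
    "132.244.17.5, 08/01/1997, GET, /index.htm",
    "132.244.200.9, 08/01/1997, GET, /scripts/tools.exe",
    "192.0.2.44, 08/01/1997, GET, /",
    "198.51.100.7, 08/01/1997, POST, /cgi-bin/form.exe",
]


def audit_log(policy: IpAccessPolicy, lines: Iterable[str]) -> List[Tuple[str, bool]]:
    """Replay each log line through the policy, returning (client_ip, allowed)."""
    results = []
    for line in lines:
        client_ip = line.split(",", 1)[0].strip()
        results.append((client_ip, policy.allows(client_ip)))
    return results


def denied_clients(policy: IpAccessPolicy, lines: Iterable[str]) -> List[str]:
    """Client addresses the policy would have turned away."""
    return [ip for ip, ok in audit_log(policy, lines) if not ok]


if __name__ == "__main__":
    # Albert's case: deny everyone except the 132.244 block.
    base_only = IpAccessPolicy(default_grant=False, exceptions=["132.244"])
    for ip, ok in audit_log(base_only, SAMPLE_LOG):
        print(f"{ip:16} {'allow' if ok else 'DENY'}")
```

Replaying the existing web logs through the intended policy before switching it on is the cheap check a practitioner would want: it shows which real clients the rule would have cut off, and whether a stray exception (a hypothetical single-host deny under a default-grant policy, as in the second policy in the test) behaves as expected.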