A Sysadmin's Security Basics
by Mike DeGraw-Bertsch
System administrators are no longer alone in their concern for security. The increase in high-profile virus attacks, and a general sense of heightened security, means that executives are likely to have security on their minds. It may be easier than ever to enlist their support for securing our networks and systems, and they may be more willing to put up with some inconvenience for users if it means tighter security.
This article gives an overview of the basics necessary to secure your network, including:
- Email attachments and client settings
- Firewalls and demilitarized zones
- Securing insecure protocols
- Staying informed
Consider this a checklist to reenergize your efforts or to get you started.
The first step in securing your network is to teach users to create secure passwords. All the security in the world is easily bypassed if your CFO's password is "fred."
I also recommend requiring users to change passwords monthly, and not allowing them to reuse one within a one-year period. Some people argue that requiring a password change will encourage users to write down their passwords, eliminating the benefits. I argue that in many environments a user's password is more likely to be hacked than to be read off a hidden sheet of paper. Even so, you can take IBM's purported approach: you write down your password, you're fired.
It's harsh, but with today's threats and the damage that can be caused by a compromised account, it may be worthwhile. Will it increase the calls to IT for forgotten passwords? Perhaps. One way to help combat that is to allow only a person's manager to request a password reset. Or, as I used to say when I worked at the Census Bureau, "No problem, done in two hours."
"Why two hours?"
"Don't forget your password."
Also, make sure your users know not to give their password out over the phone, even if the person claims to be from the IT department. Social engineering is the simplest and most effective way to gain access to a company's network. The same is true for physical site security: make sure strangers can't get into your office space. If that's impossible, make sure your users can identify your IT staff; just because someone has long hair and a wrinkled shirt doesn't necessarily mean they're actually on the IT staff.
For a more detailed explanation of good password policy, read the chapter on Password Problems from Managing Windows NT Logons. In a Unix environment, run a tool like Crack against your password (better still, shadow) file to weed out any easy-to-guess passwords.
One more thing: administrators, too, need to remember to change all default passwords.
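The check below is an added example, not the article's code and not Crack itself. Where Crack audits a password file after the fact, this applies the same idea proactively, at the moment a user picks a password: reject anything that is a dictionary word once the usual mangling (capitalising, tacking digits or punctuation onto the ends, swapping letters for look-alike digits, spelling the word backwards) is undone. The wordlist, the minimum length and the character-class rule are constructed assumptions standing in for a real dictionary and your own site policy.

```python
"""Weed out easy-to-guess passwords at the point where they are set."""
import re

MIN_LENGTH = 8  # assumption: site policy

# Constructed stand-in for /usr/share/dict/words plus common first names.
WORDLIST = {"fred", "password", "welcome", "summer", "census", "secret", "letmein"}

# Look-alike substitutions people use to "strengthen" a word: p4ssw0rd, s3cr3t
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidates(pw):
    """Return the dictionary-word forms a password could have been built from."""
    base = pw.lower()
    forms = set()
    for form in (base, base.translate(LEET)):
        forms.add(form)
        # Drop digits/punctuation glued to either end: 'Fred1999', '!!fred!'
        stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", form)
        forms.add(stripped)
        forms.add(stripped.translate(LEET))   # 'fr3d' -> 'fred'
        forms.add(stripped[::-1])             # 'drowssap' -> 'password'
    return forms


def check_password(pw, username=None, wordlist=WORDLIST):
    """Return None if the password is acceptable, otherwise the reason it is not."""
    if len(pw) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        return "use at least three of: lower, upper, digit, symbol"
    if username and username.lower() in pw.lower():
        return "contains your username"
    for form in candidates(pw):
        if form in wordlist:
            return f"based on dictionary word '{form}'"
    return None


if __name__ == "__main__":
    for pw in ("fred", "Fr3d!2001", "Password1!", "drowssaP9!", "Tr0ub4dor&3"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

Hooking a check like this into whatever sets passwords (a PAM module, a web front end, or a wrapper around passwd) catches the "fred" case before it lands in the shadow file; running Crack periodically remains worthwhile for passwords that were set before the policy existed.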
Email Attachments and Client Settings
Attachments have proven quite dangerous. Tell your users not to open any attachment they receive from anyone, unless they were already expecting it. If they receive an attachment that might be legitimate, a quick email or a phone call will confirm whether it is.
I also highly recommend blocking all executables, DLLs, and scripts at your mail server, or at least renaming the files so they don't execute if clicked. You can defang attachments with a Procmail filter called the Sanitizer.
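As an added example of the "rename so it won't execute" approach (not the article's code, and not the Procmail Sanitizer it mentions), the script below parses a MIME message with Python's standard library and, for every attachment whose extension marks it as executable, renames it to `<name>.DEFANGED.txt` and retypes it as `text/plain`, so a double-click in the mail client opens it as text instead of running it. The message built by `build_sample()` is constructed for the demo, and `RISKY_EXTENSIONS` is an assumption to tune for your own site.

```python
"""Defang executable email attachments at the mail gateway."""
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content (assumption: adjust per site).
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".pif", ".cpl",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".reg",
}


def is_risky(filename):
    """True if the *final* extension is on the block list.

    Judging only the last extension catches 'invoice.pdf.exe', a trick
    that relies on the mail client hiding known extensions.
    """
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in RISKY_EXTENSIONS


def defang_message(raw_bytes):
    """Return (defanged message bytes, list of original filenames renamed).

    Risky parts are kept, so an analyst can still inspect them, but are
    renamed to '<name>.DEFANGED.txt' and retyped as text/plain.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    renamed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename or not is_risky(filename):
            continue
        payload = part.get_payload(decode=True)
        # set_content() clears the old Content-* headers and re-encodes the bytes.
        part.set_content(payload, maintype="text", subtype="plain",
                         disposition="attachment",
                         filename=filename + ".DEFANGED.txt")
        renamed.append(filename)
    if renamed:
        msg["X-Defanged"] = ", ".join(renamed)   # leave a trace for the helpdesk
    return msg.as_bytes(), renamed


def list_attachments(raw_bytes):
    """Return [(filename, content_type), ...] for every attachment, in order."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(p.get_filename(), p.get_content_type())
            for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed test message: one disguised executable and one real PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00fake-executable-bytes",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 fake pdf bytes",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    out, renamed = defang_message(build_sample())
    print("renamed:", renamed)
    print("attachments now:", list_attachments(out))
```

Matching on the filename alone is deliberately simple; a production filter would also look at the declared content type and at the first bytes of the payload, since a sender can name an executable anything they like.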
Users may think they're safer if they have their macros disabled on Microsoft Windows applications, but they're not. SecurityFocus recently announced that malformed Excel and PowerPoint documents can completely bypass all security checks, allowing macros to run even when supposedly disabled.
If your users rely on Outlook, be sure to apply the appropriate patches. Visit Slipstick Systems for more information on Outlook security.
Firewalls and Demilitarized Zones
Moving on from users and passwords, we next look to the network itself. A firewall is a given these days. A DMZ, or demilitarized zone, should be as well. A DMZ is a haven for machines that are exposed to the real world. The machines in a DMZ can be reached from the corporate LAN or from the outside world. But those DMZ machines cannot initiate connections back into the corporate LAN to contact hosts within.
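To make the three-zone rule concrete, here is an added example (not the article's code) of a minimal stateful packet-filter model: LAN hosts may open connections to the DMZ, the outside world may reach only the DMZ services you publish, and DMZ hosts may never open a connection into the LAN, yet reply packets of connections that were allowed still flow back. The address ranges, the published services and the test addresses are constructed for the demo, and the LAN-to-Internet allow is an assumption.

```python
"""Model of the three-zone DMZ policy: LAN, DMZ, and the outside world."""
import ipaddress

# Constructed address plan; anything outside these ranges is "internet".
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# DMZ services the outside world is allowed to reach (assumption).
PUBLISHED = {("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.25", 25)}


def zone_of(ip):
    """Map an address to 'lan', 'dmz' or 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def policy_allows_new(src, dst, dport):
    """Zone-to-zone rules for a *new* TCP connection (a SYN)."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == "lan" and dz == "dmz":
        return True                          # users and admins reach DMZ hosts
    if sz == "lan" and dz == "internet":
        return True                          # ordinary outbound traffic (assumption)
    if sz == "internet" and dz == "dmz":
        return (dst, dport) in PUBLISHED     # only the services you publish
    # dmz->lan (the rule that makes a DMZ a DMZ), internet->lan,
    # dmz->internet and everything else: default deny.
    return False


class StatefulFilter:
    """Tracks accepted flows so replies pass without a reverse-direction rule."""

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of accepted connections

    def accept(self, src, sport, dst, dport, syn):
        """Decide one TCP packet; `syn` marks a new-connection attempt."""
        forward = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        # Any packet of an already-accepted flow, in either direction, passes.
        if forward in self.flows or reverse in self.flows:
            return True
        if not syn:
            return False     # unsolicited non-SYN packet: drop, never track
        allowed = policy_allows_new(src, dst, dport)
        if allowed:
            self.flows.add(forward)
        return allowed


if __name__ == "__main__":
    fw = StatefulFilter()
    print("LAN -> DMZ web:      ", fw.accept("10.0.0.5", 40000, "192.0.2.10", 80, syn=True))
    print("DMZ web reply -> LAN:", fw.accept("192.0.2.10", 80, "10.0.0.5", 40000, syn=False))
    print("DMZ -> LAN new conn: ", fw.accept("192.0.2.10", 50000, "10.0.0.5", 445, syn=True))
```

The point the model makes is that "DMZ machines cannot reach back into the LAN" has to be enforced on new connections while established ones are still tracked; a filter without connection tracking would either break every LAN-to-DMZ session or have to open the reverse direction wholesale, which is exactly the hole a compromised DMZ host would use.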
A firewall and a DMZ are not enough, however. What if someone gains access to your LAN, either physically or by compromising a user account or a partially exposed machine on the LAN? You should disable all the network services you don't plan on using on every machine on your LAN. This minimizes the potential exploits available to an attacker; all the more so since these are the very services you're unlikely to update and patch.
To help identify unused services that are running, try a package like SAINT (Security Administrator's Integrated Network Tool), which automatically scans all the machines on your network and reports open ports and other security risks in a simple Web interface.
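A scanner like SAINT looks at hosts from the outside; the same question can be asked from the inside of each box. The script below is an added example, not the article's code and not SAINT: it parses the output of `ss -ltnp` (the Linux listening-socket listing) and reports every service bound to a non-loopback address that is not on the host's allow-list of intended services. `SAMPLE_SS` is constructed output for the demo, and `ALLOWED_PORTS` is an assumption standing in for your own inventory.

```python
"""Flag listening services that are not on this host's allow-list."""
import re

# Constructed output in the format `ss -ltnp` prints (header line + rows).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=950,fd=13))
LISTEN  0       4096    0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=600,fd=4))
LISTEN  0       511     *:80                 *:*                users:(("httpd",pid=1200,fd=4))
LISTEN  0       50      0.0.0.0:23           0.0.0.0:*          users:(("inetd",pid=700,fd=5))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

ALLOWED_PORTS = {22, 80}   # assumption: what this host is supposed to serve

LOOPBACK_PREFIXES = ("127.", "[::1]")
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Turn `ss -ltnp` output into dicts with addr, port, proc and pid."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition handles '0.0.0.0:22', '*:80' and '[::]:22' alike.
        addr, _, port = fields[3].rpartition(":")
        m = PROC_RE.search(line)
        rows.append({
            "addr": addr,
            "port": int(port),
            "proc": m.group(1) if m else "?",
            "pid": int(m.group(2)) if m else None,
        })
    return rows


def is_exposed(addr):
    """True if other hosts can reach the socket (i.e. it is not loopback-only)."""
    return not addr.startswith(LOOPBACK_PREFIXES)


def audit(rows, allowed=ALLOWED_PORTS):
    """Return exposed listeners whose port is not allowed, sorted by port."""
    flagged = [r for r in rows
               if is_exposed(r["addr"]) and r["port"] not in allowed]
    return sorted(flagged, key=lambda r: (r["port"], r["addr"]))


if __name__ == "__main__":
    for r in audit(parse_ss(SAMPLE_SS)):
        print(f"port {r['port']:>5} ({r['proc']}, pid {r['pid']}) on "
              f"{r['addr']}: not in allow-list")
```

Run against real output (`ss -ltnp | python3 audit.py` with a one-line change to read stdin), the two hits in the sample, rpcbind on 111 and a telnet listener spawned by inetd on 23, are exactly the kind of service the article means: nobody uses it, so nobody patches it. A UDP pass (`ss -lunp`) is worth adding, since the same reasoning applies there.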
Speaking of patches, be sure to apply security updates for the operating system and all the offered services of DMZ and internal machines. Keeping relatively current is also worthwhile--for example, BIND version 8 contains a bug that allows root access to the box, while BIND 9 does not have this problem. And while it takes a bit of effort, it's also worthwhile to keep all of your users' machines current as well.
The rest of this article discusses specific steps you can take to further increase LAN security. Remember, though, that without secure passwords and well-informed users, many other security measures are moot.