Prevent workstation hacking

External attacks on servers are the most publicized forms of hacker breaches; however, even workstations are a threat to your network when the wrong people gain access. Brien Posey tells you how to stop break-ins via your company's workstations.

Hacking is not limited to the server. In fact, the workstation is often the first place a hacker will try to access because from there, he or she can gain insight into how the network is set up. Protecting your network from this type of intrusion is extremely important; however, workstation protection is often overlooked. To help you safeguard your workstations, I’ve come up with some examples of how hackers gain access to workstations and some tips on how to keep unwanted guests from breaking in to them.

What are they looking for?
The type of information a hacker looks for when breaking in to a workstation depends on his or her motivations. The hacker could vandalize the system, break in to the workstation to steal confidential files, or use the workstation as a stepping-stone to a server-level break-in by stealing administrator passwords.

A Windows 2000/NT workstation contains the administrator’s password in encrypted form embedded in the registry. Often, the local administrator’s password is the same as the domain administrator’s password. Therefore, if a hacker wanted to gain domain-level access, he or she would exploit a workstation, extract the section of the registry that contained the passwords, and then copy the registry hive to a spare machine to try to crack the passwords.

It's sometimes even easier for the hacker to steal passwords from a Windows 9x machine. If the administrator has ever logged on to the machine, it will contain a file called ADMINISTRATOR.PWL. The password contained in the PWL file is typically a domain password. The hacker can simply steal the PWL file and use a utility such as Unsecure, which executes a brute-force password hack against the PWL file, to extract the passwords from the file.

Access methods
To break in to a workstation, the hacker needs the user's password. To obtain it, he or she might play the guessing game or even pose as a help desk/support worker to get a user to divulge his or her password. Once a hacker knows the user's password, he or she might look at an organization’s overall security infrastructure before deciding the way to actually break in to the machine. He or she will be looking for any vulnerability that will make the break-in even easier. So you’ll want to examine your network closely to see if any of the areas I list below are potential vulnerabilities within your network.

Physical security
Most network administrators have been conditioned to see hack attempts as an external threat. However, an alarming number of hacks are performed by employees rather than by Internet-based hooligans.

Your best defense is to lock down the local user accounts. For example, if the system is running Windows NT, 2000, or XP, you could restrict the login hours on the local user accounts. You might also implement a domain-level policy that prevents users from logging in to any PC but their own. This will force an audit log entry to be made if someone attempts to log in to the domain through another employee's PC. When your log entries show 15 login attempts from a specific PC at 3:00 A.M., you might want to find out who's logging in and why.
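The kind of audit-log review described above, as an added example that is not part of the original article: it scans a constructed, simplified logon export (one "date time,user,workstation,result" line per event, a format assumed for this example) for users logging on from a PC other than their own and for bursts of failed logons outside business hours, such as the 15 attempts at 3:00 A.M. mentioned in the text. The ASSIGNED_PC mapping, business hours and threshold are assumptions.

```python
"""Added example (not from the article): flag wrong-PC logons and off-hours
failure bursts in a constructed, simplified logon-audit export.

Assumed line format: "YYYY-MM-DD HH:MM,user,workstation,SUCCESS|FAILURE".
"""
from collections import Counter
from datetime import datetime

# Constructed sample: one user on someone else's PC, then 15 failed
# administrator logons from FINANCE-07 at 03:00.
SAMPLE_LOG = "\n".join(
    ["2003-05-12 09:05,jsmith,WS-JSMITH,SUCCESS",
     "2003-05-12 09:07,mlee,WS-MLEE,SUCCESS",
     "2003-05-12 12:30,jsmith,WS-MLEE,FAILURE"]
    + [f"2003-05-13 03:{m:02d},administrator,FINANCE-07,FAILURE"
       for m in range(15)]
)

ASSIGNED_PC = {"jsmith": "WS-JSMITH", "mlee": "WS-MLEE"}  # assumed policy
BUSINESS_HOURS = range(7, 19)                              # 07:00-18:59
FAILURE_THRESHOLD = 5                                      # per PC per hour


def parse(log_text):
    """Turn the export into (timestamp, user, workstation, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, pc, result = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                       user.lower(), pc.upper(), result))
    return events


def wrong_pc_logons(events):
    """Logon attempts by a user from a PC other than the one assigned."""
    return [(ts, u, pc) for ts, u, pc, _ in events
            if u in ASSIGNED_PC and ASSIGNED_PC[u] != pc]


def off_hours_failure_bursts(events):
    """(pc, date, hour) buckets with >= FAILURE_THRESHOLD failed logons
    outside business hours; these are the entries worth asking about."""
    buckets = Counter((pc, ts.date(), ts.hour) for ts, _, pc, r in events
                      if r == "FAILURE" and ts.hour not in BUSINESS_HOURS)
    return {k: n for k, n in buckets.items() if n >= FAILURE_THRESHOLD}
```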

Another security risk is hard drive theft. If someone were to steal the hard drive out of a workstation and install it as a slave drive in his or her home PC, it would be easy to institute a hack from the comfort of his or her own home. While the hacker wouldn’t be physically connected to the network, he or she could still extract passwords from the hard drive to use at a later time.

To prevent hardware theft, place case locks and security tape on the workstations. Also, implement a policy where anytime a help desk or support employee opens up a system, he or she must have the trouble ticket signed by a witness who oversaw the operation and was able to verify nothing was stolen. When the operation is complete, new security tape should be placed on the system. While every machine in your organization may not require this level of security, hard drive theft can be a threat, and it pays to keep tabs on certain systems such as executive, finance, and R&D machines.

Network share access
Hackers can also break in to machines from across the network by exploiting the workstation’s share points. All Windows NT/2000 machines contain a hidden share point for each partition. For example, if you wanted to access the C: drive on a machine named WORKSTATION, you could do so through the network path \\WORKSTATION\C$.

Exploiting a network share is a far more common technique used with machines running Windows 9x. A rogue employee could pay a 30-second visit to a Windows 9x workstation and create a share point on each partition. To prevent detection, the employee could even implement a hidden share point by creating a share with a share name that ends in a dollar sign. Once a share point has been established, anyone who knows about the share point can explore the system from a remote location, often without detection.

To counter this type of threat, first, tell users how to spot any unusual share points. Basically, an icon of a hand holding a folder indicates a share point. If the user is running Windows 9x or Windows Me, there shouldn't be any shares at all unless the user has created them, so any shares that the user sees other than the ones that he or she created would be suspicious. If the user is running Windows NT, 2000, or XP, then the only default shares would be the root share on each drive and a couple of hidden system shares that wouldn't be visible to the user at all without a utility.
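The share check just described, as an added example that is not part of the original article: given a constructed list of (share name, path) pairs, it reports shares that are not the expected defaults for the OS family, singling out hidden ones whose names end in a dollar sign. The defaults assumed for NT/2000/XP are ADMIN$, IPC$ and one <drive>$ root share per drive; on 9x/Me no share exists unless the user created it, so everything not on the user's own list is reported.

```python
"""Added example (not from the article): report share points that should not
be on a workstation, including hidden '$' shares a rogue employee may add.
Share listings here are constructed; default-share sets are assumptions."""
import re

DRIVE_ROOT_SHARE = re.compile(r"^[A-Z]\$$")   # C$, D$, ...
NT_DEFAULTS = {"ADMIN$", "IPC$"}              # assumed NT/2000/XP system shares


def is_hidden(name):
    """A share name ending in '$' is not shown in browse lists."""
    return name.endswith("$")


def suspicious_shares(shares, os_family, user_created=()):
    """Return [(name, path, reason)] for shares that are not expected.

    os_family: "nt" for NT/2000/XP, anything else is treated as 9x/Me.
    user_created: share names the user says he or she created."""
    approved = {n.upper() for n in user_created}
    findings = []
    for name, path in shares:
        n = name.upper()
        if n in approved:
            continue
        if os_family == "nt":
            if n in NT_DEFAULTS or DRIVE_ROOT_SHARE.match(n):
                continue               # created by the OS, expected
            reason = ("hidden non-default share" if is_hidden(n)
                      else "non-default share")
        else:                          # 9x/Me ships with no shares at all
            reason = ("hidden share on 9x/Me" if is_hidden(n)
                      else "unexpected share on 9x/Me")
        findings.append((name, path, reason))
    return findings


# Constructed listings: an XP box with a hidden DATA$ share someone added,
# and a Windows 98 box where a C$ share has appeared.
XP_SHARES = [("C$", "C:\\"), ("ADMIN$", "C:\\WINDOWS"), ("IPC$", ""),
             ("DATA$", "D:\\"), ("Reports", "C:\\Reports")]
W98_SHARES = [("C$", "C:\\"), ("MYMUSIC", "C:\\My Music")]
```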

Tools are available that can help spot unauthorized connections. For example, Windows 98 comes with a utility called Net Watcher, which will display who is connected to which network shares and which files they have open. What makes this utility especially helpful is that you can disconnect users or close files they might have opened illegally.

Net Watcher isn't installed by default; you need to open Control Panel, open the Add/Remove Programs properties sheet, and select the Windows Setup tab. Then, scroll through the list of Windows components and select the System Tools option. Click OK, and Windows will install all of the system tools, including Net Watcher. When the installation process completes, you can access Net Watcher from the Start | Programs | Accessories | System Tools menu.

If you’re using Windows XP, instead of using Net Watcher, you'll use the Shared Folders node, the Sessions node, and the Open Files node of the Computer Management console. To open it, open Control Panel and click on Performance And Maintenance, followed by Administrative Tools. When the Administrative Tools window opens, use the Computer Management icon to access the Computer Management console.

When the console opens, navigate to the Shared Folders node. The Shared Folders node contains three subnodes. The Shares node lists all of the shares that are set up on your system, including shares created by the OS for administrative purposes. The Sessions node will display a list of everyone connected to your PC, along with which computer they’re connecting from and how long they’ve been connected. If you see an unauthorized connection, you can terminate the connection by right-clicking the session and selecting the Close Session command from the resulting menu. If you’d prefer to see more detail about what a connected user is doing, go to the Open Files node. The Open Files node displays a list of the files that connected users are accessing.

Preventing unauthorized network shares
While detecting an unauthorized link to a network share is a good start, it’s better to prevent access altogether. The best way to do this is to remove the File And Print Sharing service, except for where it’s absolutely necessary. Ways to remove the service vary among versions of Windows, but all involve going into the network connection’s properties sheet and deselecting or removing the File And Print Sharing service. To remove this service in Windows XP, open Control Panel and select Network And Internet Connections followed by Network Connections. When you do, Windows will display the Network Connections window. Next, right-click the connection you need to modify and select the Properties command from the context menu to open the connection’s properties sheet. On the General tab, select the File And Print Sharing For Microsoft Networks component and click Uninstall.

If you must enable File And Print Sharing on some workstations, you can make it more secure. In Windows 9x, configuring Windows to use user-level security rather than share-level security makes Windows verify who is accessing the share point rather than simply verifying whether or not the user entered a valid password. Share-level passwords can be easily guessed, but once you enable user-level security, a hacker would have to know the user name and password of someone with legitimate access before he or she could gain access to the share point.

You could also take advantage of specific denials. In Windows NT, 2000, and XP environments, specific denials always override specific permissions. You can block access to shares by specifically denying groups of users that should never access the share. In these OSs, it’s considered a better practice to assign these permissions at the file level than at the share level. However, Windows 9x doesn’t support file-level permissions, so you’ll have to assign permissions to the share level.

Modem access
Often, laptops are equipped with modems to allow employees to dial in from home and access files or remotely control the machine, which brings me to another method of workstation hacking—modem hacks. A modem hack attempt is obvious to anyone using the machine when the attack occurs. The user will hear the modem ring and begin the handshake process. The user may also see the modem lights flashing on the screen or see the desktop being remotely controlled.

It would be difficult for a hacker to get away with a modem-based attack during the day, but what is stopping them from executing such an attack when no one is in the office? To foil an after-hours modem attack, remote access software can be configured to require the remote user to enter a password. Some remote access software, like Windows NT or 2000 RAS, can also be configured to hang up after authentication and to dial the user back at a preset phone number.

Users don’t always use the same phone number for access; some users need remote access for business travel. Some remote access software can be configured so the users can dial in and then specify a phone number at which the workstation should call them back. While this technique won’t stop a hacker from accessing the workstation, it will create a log of all of the phone numbers that it has been told to call, along with the date, time, and duration of each call. This log file can then be easily scanned for suspicious phone numbers.

Network access
Your organization’s firewall should almost always stop TCP/IP port attacks coming from the outside world. But even if the attack is internal, you're not out of luck. You can block an attack by installing personal firewall software (such as Norton's personal firewall) on each workstation. Windows XP has firewall software built in, so if you’re using XP, you should enable the firewall feature even if the workstation isn’t directly connected to the Internet.

To enable the XP personal firewall, right-click the network connection you want to secure and then open its properties sheet. Then, select the Advanced tab and the check box in the Internet Connection Firewall section and click OK.

You can make sure the firewall is working by downloading a utility called FScan from the Foundstone Web site. This utility will scan all of the ports on the specified machine to see what type of information it can extract. If the Windows XP firewall is working, the utility shouldn’t be able to get much, if any, information.

Even though workstation hacks aren't as publicized as network hacks, they can be just as dangerous. It's important to protect your company's information on all fronts, so I recommend instituting one or more of the methods I've described.
