Do your servers contain critical data that you don’t want to fall into the wrong hands? Of course, they do. These days, servers are more at risk than ever before. They are constantly being attacked by viruses, hackers with malicious intent, and of course by those engaging in corporate espionage. As you can see, server security isn’t an issue to be taken lightly. It’s impossible to completely cover server security in a single Daily Drill Down. After all, countless books have been written on the subject. What I can do, though, is provide you with seven tips for keeping your server safe.
Tip 1: Cover the basics
I know it sounds harsh, but the best advice I can give you when it comes to server security is don’t be an idiot. If hackers or viruses try to attack your network, they will check for common security holes first before moving on to more difficult ways of exploiting your security system. For example, having every security mechanism known to man installed won’t do you much good if all of the data on your server resides on a FAT partition.
Because of this, you need to be sure to cover the basics. Convert to NTFS all partitions on your servers that contain confidential data. Likewise, you should keep your antivirus software up-to-date. We recommend running antivirus software at the server and desktop level. The software should all be set up to automatically download the latest virus definition files on a daily basis. Furthermore, antivirus software is available for Exchange Server. This software scans all inbound messages for infected attachments, and if a virus is found, the message is quarantined before it ever reaches the users.
Another good way to protect your network is to limit network access to users based on the hours that they are normally in the office. A temporary employee who normally works during the day should not be allowed to access the network at 3:00 A.M., unless it’s for a special project that you’ve been made aware of by that employee’s supervisor.
Finally, remember that passwords are the keys for accessing anything on the entire network. Force people to use strong passwords consisting of a mixture of upper- and lowercase letters, numbers, and special symbols. There’s a great utility for doing this located in the Windows NT Server Resource Kit. You should also set the passwords to expire often and require a password length of at least eight characters. If you’ve done all that but are still concerned about password security, try downloading some of the various hacker utilities from the Internet and find out for yourself just how secure those passwords really are.
Tip 2: Protect your backups
Every good network administrator knows that you should back up your servers on a daily basis and store the tape off site in case of a disaster. However, there’s more to a backup than that. Most people don’t realize it, but your backup is actually a huge security hole.
To understand why this is the case, consider the fact that most backups start running around 10:00 or 11:00 P.M. Depending on how much data you’re backing up, the backup normally finishes some time during the middle of the night. Now, imagine that it’s 4:00 A.M. and your backup has just finished running. There’s nothing stopping people from stealing the tape and restoring the data that it contains to an empty server at their house or at your competitor’s office.
However, you can prevent this from happening. First, password-protect the tape and encrypt the data if your backup program supports encryption. Second, schedule the backup program to complete just as you arrive in the morning. That way, if someone sneaks in during the middle of the night to steal the tape, they won’t be able to because the tape is in use. If they eject the tape anyway, the data the tape contains will be worthless.
Tip 3: Use callback with RAS
One of the coolest features of Windows NT is its remote access server (RAS) support. Unfortunately, a RAS server is an open door for a hacker to use to try to enter your system. All hackers need is a phone number, some time, and some patience, and they can break in through a RAS connection. But there are things you can do to secure a RAS server.
The techniques you’ll use will depend greatly on how your remote users work. If the remote users always call from home or a similar consistent location, I suggest using the callback feature, which allows remote users to log in and then disconnects them. The RAS server then calls a predetermined phone number to reconnect the user. Because the phone number is preprogrammed, there’s no chance for a hacker to specify the number the server should call back.
Another option is to limit the remote users to accessing a single server. You can replicate the users’ normal data to a special share point on the RAS server. You can then restrict the remote users to accessing a single server rather than the entire network. This way, if hackers do manage to break in, they will be isolated to a single server, where they can do minimal damage.
One final trick is to use an unexpected protocol on your RAS server. Everyone I know uses TCP/IP as the RAS protocol. Given the nature and typical uses of TCP/IP, this seems like a logical choice. However, RAS also supports IPX/SPX and NetBEUI. If you use NetBEUI as your protocol of choice, you could really confuse an unsuspecting hacker.
Tip 4: Think workstation security
It may seem strange to discuss workstation security in a Daily Drill Down on server security. However, a workstation is nothing more than a portal into the server. Enhanced security on your workstations leads to increased security overall. For starters, I recommend loading Windows 2000 on all the workstations. This is because Windows 2000 is a very secure operating system. If you don’t have the means to do this, at the very least use Windows NT. The advantage of doing this is that you can really lock down the workstations, thus making it difficult or impossible for someone to obtain network configuration information without the proper security credentials.
Another technique you can use is to control who may log in from what workstation. For example, suppose you have an employee named Bob who’s a known troublemaker. Obviously, you wouldn’t want Bob to be able to jump onto a friend’s PC during lunch or plug in his own personal laptop and hack away at the system. Therefore, you should use User Manager for Domains to modify Bob’s account so that he is allowed to log in only from his PC (and during the hours that you specify). Bob is much less likely to attempt to hack the network from his own desk, where he knows that the hack attempt may be traced to him.
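Restrictions like these, and the logon-hours limit from Tip 1, are worth checking against what actually happens on the network. The following is an added example, not part of the original article: it audits logon records against per-account hour and workstation rules. The record layout, account names, workstation names, and policy values are all constructed for illustration.

```python
from datetime import datetime

# Hypothetical per-account rules modeled on the hour and workstation limits
# described above: weekdays (0=Mon..6=Sun), start/end hour, allowed PCs.
POLICY = {
    "bob": {"days": range(0, 5), "start": 8, "end": 18, "workstations": {"BOB-PC"}},
    "temp01": {"days": range(0, 5), "start": 9, "end": 17, "workstations": None},
}

# Constructed sample records: date, time, account, workstation.
SAMPLE_LOG = """\
2000-06-05 09:14:02 bob BOB-PC
2000-06-05 12:31:40 bob ALICE-PC
2000-06-06 03:02:11 temp01 FRONTDESK
2000-06-10 10:00:00 bob BOB-PC
2000-06-07 16:59:59 temp01 FRONTDESK
garbage line
2000-06-07 11:00:00 carol CAROL-PC
"""

def audit_logons(log_text, policy=POLICY):
    """Return (line_no, account, reasons) for every record that breaks policy."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        try:
            if len(parts) != 4:
                raise ValueError("wrong field count")
            when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            # Never skip silently: a malformed record may hide a real logon.
            findings.append((line_no, None, ["unparseable record"]))
            continue
        account, workstation = parts[2].lower(), parts[3].upper()
        rule = policy.get(account)
        if rule is None:
            findings.append((line_no, account, ["no policy defined"]))
            continue
        reasons = []
        in_hours = when.weekday() in rule["days"] and rule["start"] <= when.hour < rule["end"]
        if not in_hours:
            reasons.append("outside permitted hours")
        if rule["workstations"] is not None and workstation not in rule["workstations"]:
            reasons.append("unapproved workstation")
        if reasons:
            findings.append((line_no, account, reasons))
    return findings
```

Accounts with no rule at all are reported rather than ignored, since an account nobody has restricted is itself a finding.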
Yet another technique is to make the workstation function as either a dumb terminal or as, for lack of a better phrase, a "smart dumb terminal." Basically this means that absolutely no data or applications reside on an individual workstation. In the case of running the PC as a dumb terminal, the server is set up to run Windows NT Terminal Services, and all applications physically run on the server. The only thing that’s ever sent to the workstation is screen refreshes. This means that the only thing on the PC is a minimal Windows installation and a copy of Microsoft’s Terminal Server Client. Using this method is perhaps the most secure network design.
Using a smart dumb terminal means that the programs and data still reside on the server but run on the workstation. All that the workstation contains is a copy of Windows, as well as some icons that point to applications residing on the server. When you click an icon to run a program, the program is run using local resources rather than tying up the server. This means that there is much less overhead placed on the server than if you were to run a full-blown Terminal Server session.
Tip 5: Apply hot fixes
You may not realize it, but Microsoft employs an entire team of programmers whose job is to discover security holes and fix them. Occasionally, these fixes are rolled into one big package and released as a service pack. There are usually two different versions of the service pack: a 40-bit version that’s available to everyone and a 128-bit version that’s only available in the United States and Canada. The 128-bit version uses 128-bit encryption and is much more secure than the 40-bit version. If you’re currently running a 40-bit service pack and live in the United States or Canada, I strongly recommend downloading the 128-bit version.
As you probably know, service packs can sometimes take several months to be released. Obviously, you don’t want to wait any longer than absolutely necessary to apply the fix should a major security hole be discovered. The good news is that you don’t have to wait. Microsoft routinely posts hot fixes on its FTP site. These hot fixes are security patches that have been released since the latest service pack. I recommend checking for hot fixes often. Keep in mind that hot fixes must be applied in chronological order. If you apply the hot fixes out of order, you’ll end up with the incorrect versions of some files, and Windows may cease to function.
Tip 6: Have a strong security policy
Another thing that you can do to improve security is to have a good, strong security policy. Make sure that everyone is aware of it and that the policy is enforced. Such a policy should include harsh penalties for anyone caught trying to load unauthorized software on corporate computers.
If you’re running Windows 2000 Server, it’s possible to delegate special user rights without handing over full administrative control of your server. One good use for this is to give your human resources department the authority to delete or to disable a user account. The HR department can then destroy or disable the appropriate user account before any soon-to-be-former employees know they’re being dismissed. That way, disgruntled employees don’t have a chance to tamper with the system. By using the special user rights, you can grant this authority without their being able to do things such as create user accounts or change permissions.
Tip 7: Double-check your firewall
Our final tip involves taking a closer look at your firewall setup. Your firewall is an important part of your network because it separates your company’s computers from all of the riffraff on the Internet who would do them harm.
The first thing you should do is make sure your firewall discloses no more IP addresses to the outside world than absolutely necessary. You’ll always have at least one IP address visible to the outside world. This IP address is used for all Internet communications. If you have DNS-registered Web servers or e-mail servers, their IP addresses may also need to be visible through the firewall. However, the IP addresses of your workstations and all other servers should be hidden.
You’ll also want to go through the port list and verify that you’ve locked down any ports you aren’t using on a regular basis. For example, TCP/IP port 80 is used for HTTP traffic, so you probably don’t want to block that one. However, port 81 is one that you’ll probably never use and should therefore block. You can find lists on the Internet that describe each port’s purpose in detail.
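A useful companion to the firewall port review is to check what each server is actually listening on and compare that with the services you intend to offer. The following is an added example, not part of the original article: it parses text in the layout printed by netstat -an on Windows and reports listeners that are not on an approved list. The approved ports and the sample output are constructed for illustration.

```python
# Services this server is meant to offer (assumed for the example):
# TCP 25 = SMTP, TCP 80 = HTTP, no UDP services.
ALLOWED = {"TCP": {25, 80}, "UDP": set()}

# Constructed sample in the layout printed by `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.55:1043      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

def unexpected_listeners(netstat_text, allowed=ALLOWED):
    """Return sorted (proto, address, port) tuples for open ports not in `allowed`."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or blank line
        proto = fields[0]
        # TCP rows carry a state column; only LISTENING rows are open services.
        # UDP rows have no state, so every bound UDP port counts as open.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue
        # Loopback-only listeners cannot be reached from the network.
        if addr.startswith("127.") or addr == "[::1]":
            continue
        if int(port) not in allowed.get(proto, set()):
            found.add((proto, addr, int(port)))
    return sorted(found)
```

Each port it reports should either be added to the approved list with a documented reason, or have its service stopped and the port blocked at the firewall.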
Server security is a big issue. You don’t want your critical data to be destroyed by a virus or hacker or stolen by someone who would use that data against you. In this Daily Drill Down, I’ve covered seven areas to watch for when doing your next security check.
Brien M. Posey is an MCSE who works as a freelance technical writer and as a network engineer for the Department of Defense. If you’d like to contact Brien, send him an e-mail. (Because of the large volume of e-mail he receives, it's impossible for him to respond to every message. However, he does read them all.)