  • #2078396

    Ed Bott’s Microsoft Challenge–11/2/00


    by ebott ·

    What would you do if you were placed in charge of Microsoft’s internal network? You’ve undoubtedly heard of the successful break-in that hackers in Eastern Europe staged against the Microsoft servers that hold the company’s crown jewels–source code for Windows, Office, and next-generation .Net services. Microsoft claims the hackers didn’t get away with anything valuable, but this has to have been a wake-up call for the Redmond giant. TechRepublic members collectively have millions of years of experience managing mission-critical data. How would you protect critical data from unauthorized access? With tens of thousands of users, can you really restrict access using nothing but passwords? Here’s your chance to tell Microsoft how to run a safe, secure network. Be creative, be outrageous, be blunt. Click here to add your input. But don’t delay–this challenge closes at the end of the day on Thursday, November 9.

All Comments

    • #3790926

      Ed Bott’s Microsoft Challenge–11/2/00

      by otl ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      For a little more security there is a key generator by Security Dynamics that generates a secure ID which must be in sync with your particular ID at the gateway; additional passwords can be added. The numbers are generated by logarithmic code by date. Unknown how often the password restarts; in 1 year I don’t remember having the same one twice!

    • #3790918

      Ed Bott’s Microsoft Challenge–11/2/00

      by parkerdv ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      The only way to be totally secure from any hacker from outside is to remove all access to the network from the net. Remove those segments from any part of the network that has the ability to be accessed from the internet. Every day the prime jewels can be attacked; the question is not when, but how.

    • #3790896

      Ed Bott’s Microsoft Challenge–11/2/00

      by erikdr ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      Well,
      Some major layers seem to be lacking from the security mechanism implemented by MS for remote access. Strangely enough, the layers _can_ be implemented using off-the-shelf MS technology, but they are a nuisance for users (especially developers who wanna be quicker than quick…), so it’s often a psychological / attitude problem also.
      1. Implement better AUTHENTICATION. Userid/password might be enough for in-building access; it’s not for remote access. Use some kind of challenge/response system with a 56 or 128-bit key. Even a worm can only see the challenges and responses, not the algorithm inside the central CHAP server and the employee’s authentication device (e.g. smartcard, standalone calculator, etc. etc.).
      2. Implement better AUTHORISATION. What a user is permitted to do inside the building he’s not automatically permitted to do from outside. E.g. changing any data (Windows source code?) from outside should be forbidden in most cases; the RAS solution, using ISA Server, can block certain IP addresses when accessing remotely while those addresses are allowed from inside the building.

      Hope this helps Bill & Steve 🙂

      – The Netherlands

    • #3790873

      Ed Bott’s Microsoft Challenge–11/2/00

      by craig it mangaer ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      If I were running a highly sophisticated software development company there are a few things I would do. First would be to separate all PCs running and compiling code from the standard network, both internal and external. Set up a station in those depts. for access to the rest of the network and internet for any research and internal/external communications. Set up a system of two to three firewall layers running on separate platforms, with each layer limiting access ports to only those necessary to accomplish the information passing needed. NAT established at the perimeter goes without saying. DMZ zones for all servers that are accessed by outside sources via the web. Anyone working in R&D would be behind at least two firewalls, allowing access to all points external as needed but making their machines all but invisible from the outside world. In fact, for an added layer of security, I would have them use a Terminal server for internet and email for external mail, which could have special rules to forward their mail to an internal email system separate from the first to keep all sensitive mail far from prying eyes, and to eliminate any possible linking back to R&D from external sources. All downloads from the internet and attachments in email would be brought in through a scanning point (an isolated PC) for “cleansing” prior to internal usage. Anyone caught trying to violate rules of conduct for downloading and bringing in outside code would be removed from R&D immediately, with dismissal in most cases.

    • #3756135

      Ed Bott’s Microsoft Challenge–11/2/00

      by mservino ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      Have them use a 300 baud connection; there isn’t a hacker in the world that would put up with that kind of wait. But more seriously…

      For starters I’d make sure the company wasn’t using a Microsoft product for E-mail. It’s the absolute favorite of hackers, always has been, always will be; too easy to work with using VB, and while that adds to ease of use for the user it does the same for the hacker. Secondly, I’d make sure that those “Crown Jewels” weren’t accessible over dial-up; no modems, 1 less hole. Require that anybody connecting remotely do it over a dedicated internet connection such as DSL with a static IP address so that the routers can filter out unauthorized users. Add in some VPN capabilities using highly secure 128-bit encryption on a hardware level, and they would have to have a firewall of their own. Make sure that anyone accessing the “Secure area” uses virus scanning software, and have them update it and run a full scan prior to connecting to the office each time they log in remotely. Run anti-virus software on all proxy servers, 2 different kinds; what one can’t get maybe the other will. I’d also lock out access to any and all ports not absolutely necessary over the net. If they can bring it down to 1 per server, perfect: the FTP server is only accessible over the FTP port, etc. Or better yet, the services are not available over their normal port but on one that no one would suspect, high enough to avoid all those scans that hackers like to run. Also Secure ID, which uses a constantly changing password, isn’t a bad idea either. I mean, after all, when it comes to security is there ever really any overkill? Especially when you’re the supreme target, A number 1.

      -Mike

    • #3746255

      Ed Bott’s Microsoft Challenge–11/2/00

      by mhawkins ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      Many people would attempt to fix Microsoft’s security breach by using a specific application or hardware designed to fend off attacks. Although technology is part of the answer, untrained or sloppy employees can defeat even the most secure network. They can simply turn off features designed to secure the network. Here are some points to help maintain a secure network:

      • Security measures must be universally applied to all network clients; no user can be allowed to circumvent any security procedure.
      • A corporate policy must clearly state both the company’s security policies and the severe penalties if any breaches are detected.
      • Thorough background checks must be conducted on all employees before allowing them to have access to sensitive data.
      • Testing procedures must be in place to attempt a “friendly” breach, thus finding weaknesses before hackers outside the company can detect them.

      Security is the responsibility of everyone in an organization. This must be instilled in every employee, and security procedures must start before an employee is hired, through a thorough background check, and continue until that employee leaves the organization.

    • #3746248

      Ed Bott’s Microsoft Challenge–11/2/00

      by carmel-shane ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      Bill might think about some RedHat Linux Firewalls in between this world and his world!

    • #3746234

      Ed Bott’s Microsoft Challenge–11/2/00

      by dlw6 ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      Security is a trade-off between ease of use for legitimate users/activity and prevention of unauthorized users/activity. It should be a graduated response based on the risk (likelihood of theft/damage and the potential cost of theft/damage).

      Total physical separation of the R&D LAN is the best answer, but it may not be practical for the MS business processes.

      Therefore I propose 3 layers of defense for the corporate network and an additional layer for R&D.

      1. A DMZ between the edge router and a firewall. In the DMZ is the Web Server, a mail server with the “outside” accounts (such as tech support), and a few “honey pots” to lure attackers into giving away their unauthorized status. The firewall should require authentication using Public-Key Encryption for outsiders to get to the corporate intranet.

      2. An adaptive security product (ISS RealSecure is the one I’ve used but there are others) watching the DMZ and critical interior segments. This product monitors in stealth mode to detect suspicious activity and make a number of preconfigured responses in real time. Responses include warning the admins, reconfiguring the firewall, and cutting the connection via TCP Reset.

      3. Periodic, proactive vulnerability testing with a network security scanner. This can detect users who change their configuration and, in the process, create security holes. These scanners provide a comprehensive report based on the vulnerabilities they were configured to find.

      4. For the R&D network, I would add additional security in the form of router access-lists. These are cumbersome to maintain, but in theory the R&D network should be limited access and therefore well within the scope of a small team to control.

      I can’t get into more detail in the space allowed.

      Good fortune,
      Don

    • #3755348

      Ed Bott’s Microsoft Challenge–11/2/00

      by gblaze ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      You have several methods you can use to protect sensitive data:
      1) Use a non-routable protocol on the server with sensitive data.
      2) Segment the network with switches (VLAN) making sure only the people who need to get to the server will.
      3) Use a different subnet for the servers.

    • #3755314

      Ed Bott’s Microsoft Challenge–11/2/00

      by rziminski ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      The obvious answer of separating mission-critical development of new code physically from the Internet is the first step. Why would development code have access to the rest of the world? Now, assuming they did do that, there are many steps that must be made to secure the rest of the process. I am not a security expert and do not profess to be one, but the following are steps I take on all of my servers:

      1. Registry backed up.
      2. Administrator logins obscured.
      3. Unneeded and potentially threatening services halted.
      4. NetBIOS/WINS client binding removed from network adapter
      5. Legal notice displayed at logon. GUI and FTP logon.
      6. Guest account is disabled
      7. Screen saver used/secured- Set to 5 minutes
      8. Allow only logged-on users to shutdown system
      9. Name of last user hidden
      10. Restrict Anonymous Lookup
      11. Enforce strong user passwords
      12. Password Aging enabled.
      13. Disable lanmanager password hash support
      14. Erase system page file during a clean shut-down
      15. Registry Protected
      16. Event logs secured
      17. Resource sharing secured/ SMB signing enabled.
      18. System auditing enabled
      19. Privileges Auditing enabled, expanded
      20. Cached-logon credentials disabled
      21. Backup copy of SAM in %systemroot%/repair secured
      22. Password registry keys audited
      23. Latest hot-fixes and patches from Microsoft applied.(ftp.microsoft.com/bussys/winnt/winnt-public/fixes)
      24. All instances of “dvwssr.dll” deleted.
      25. Directory security hardened
      26. Admin account login obfuscated
      27. Turn off NTFS 8.3 Name Generation
      28. System boot time set to zero seconds
      29. OS/2 and POSIX subsystems removed
      30. Remove the IISADMPWD Virtual Directory
      31. Remove Unused Script Mappings
      32. Disable Parent Paths
      33. Move and ACL Critical Files
      34. Run SYSKEY Utility
      35. Unbind NetBIOS from TCP/IP
      36. Configure TCP/IP Filtering
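      An added example, not from this thread or from Microsoft: a PowerShell audit that reads the registry values behind several of the items in the list above (last user name hidden, RestrictAnonymous, LAN Manager hash disabled, page file cleared at shutdown, SMB signing, cached logons, 8.3 name generation) on a current Windows host and reports which ones match. The registry paths and value names are the documented ones; the expected values are an assumption reflecting the list’s intent and should be reconciled with local policy.

```powershell
# Added example: audit a subset of the hardening list above by reading the
# registry values that implement each item. Expected values are assumptions
# reflecting the list's intent, not a published baseline. Run as Administrator.

$checks = @(
    @{ Item = '9. Name of last user hidden'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Item = '10. Restrict anonymous lookup'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1 },
    @{ Item = '13. LAN Manager hash disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Expected = 1 },
    @{ Item = '14. Page file erased at shutdown'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'ClearPageFileAtShutdown'; Expected = 1 },
    @{ Item = '17. SMB signing required (server side)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Item = '20. Cached logon credentials disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'CachedLogonsCount'; Expected = '0' },   # REG_SZ, hence a string
    @{ Item = '27. NTFS 8.3 name generation off'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
       Name = 'NtfsDisable8dot3NameCreation'; Expected = 1 }
)

function Test-HardeningItem {
    param([hashtable]$Check)
    # A missing value is reported as a failure: the default is the insecure setting.
    $props = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return [pscustomobject]@{ Item = $Check.Item; Actual = '<not set>'; Pass = $false }
    }
    $actual = $props.($Check.Name)
    # Compare as strings so REG_SZ and REG_DWORD values are handled alike.
    [pscustomobject]@{
        Item   = $Check.Item
        Actual = $actual
        Pass   = ("$actual" -eq "$($Check.Expected)")
    }
}

$results = $checks | ForEach-Object { Test-HardeningItem -Check $_ }
$results | Format-Table -AutoSize
'{0} of {1} checks pass' -f @($results | Where-Object Pass).Count, $results.Count
```

      Items such as auditing, SYSKEY and the IIS settings are not registry flags of this kind and need separate checks (auditpol, the IIS configuration), so they are deliberately left out of this block.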

    • #3755308

      Ed Bott’s Microsoft Challenge–11/2/00

      by jay -india ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      Hi..
      As Microsoft Network Chief I will make my system more vulnerable to attacks..open all the sockets for hackers..

      Let everyone take away the source code and improve upon it. My Chiefs in Redmond will
      understand the value of Open Systems Development. Together let us grow!
      Jay India

    • #3755292

      Ed Bott’s Microsoft Challenge–11/2/00

      by pvp ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      The safest bet is total isolation! The entire network involved in the top secret work is isolated from the rest of the world, both physically and net-wise.

      Man-traps secure physical entry/exit; key generators are required even for internal logon.

      If dial-in access is allowed at all, use a callback system that knows a predetermined number.

      And if the internal network doesn’t use TCP/IP for a protocol, it gets really tough to get to!

    • #3733772

      Ed Bott’s Microsoft Challenge–11/2/00

      by web maxtor ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      1) Immediately reduce all inter-company communications to 3-part carbon copy, hand-written “Speedy Memos”. Deliver the bottom copy to the recipient (which, for security reasons, will degrade naturally over time from exposure to light into unreadable dust), keep the first copy in a manila folder for future reference (file alphabetically for easy retrieval), keep the originals in a box in your garage (for disaster recovery).

      2) Replace all WIN Servers with Novell and buy a Linux firewall (fast, reliable, secure).

      3) Tell all remote employees (via voice mail) to show up to the office and check out their brand new 100mb connections (BIG productivity boost.)

      4) Relax.

    • #3733693

      Ed Bott’s Microsoft Challenge–11/2/00

      by zaferus ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      The bigger you are the more attractive a target you make. And Microsoft has got to be the king of targets.

      First off, all your fancy multimedia servers should be far and away off your main network. They have a ton of ports open, so put them behind a stack of DMZ appliances (like a SonicWALL) or a Linux/Unix box, put your packet filters on and hope for the best. These will always be vulnerable, so have a backup ready to restore onto it if they get modified or crashed. If you want to get crazy, run a TSR that checks the last modified date on your web pages and restores any pages modified. You just have to make sure you can tell your TSR when YOU modify them! If you need to have a pipe into your main network from here, encrypt it heavily and try to pipe it on a separate gateway that doesn’t reach the Internet.

      Then put the rest of your network behind a fortress with limited ports. Don’t be afraid to have multiple levels of security for the higher security data (like your source code, Bill!!). I’d recommend Linux or Unix boxes or an appliance with all but the basic ports shut down and enough CPU muscle to packet filter your network, and set your software or appliance to auto-update weekly. Then use NAT or a protocol firewall for simple but effective invisibility for your internal network. If you have remote workers, put an encrypted VPN in place; there are lots of them out now that work without many (or any) problems. Keep your security simple and tight; make it complex or fancy and it just makes loopholes.

      Now you just have to worry about security inside your network…

      Steve Hay
      Project Manager
      Compusmart Corporate

    • #3757337

      Ed Bott’s Microsoft Challenge–11/2/00

      by lumbini ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      Be creative, be outrageous, be blunt? O.k. The best way to prevent hackers getting at your stuff is to isolate your R&D machines from the network completely. Cut ’em off. Don’t provide any connectivity from the rest of the wired network. Leave only what’s necessary connected to the outside and don’t place any important stuff on it.
      Anything that’s connected can be hacked. Remember that man developed the firewalls and another man can always find a loophole.

    • #3855329

      Ed Bott’s Microsoft Challenge–11/2/00

      by ebott ·

      In reply to Ed Bott’s Microsoft Challenge–11/2/00

      This question was auto closed due to inactivity
