An Attacker Ebooks Catalog
Just as you need to know why a company is designing a security infrastructure, it's also helpful to know the reasons why total strangers seem compelled to make your life as a network administrator that much more difficult. Network attackers, usually referred to colloquially as hackers, attempt to break into corporate networks for any number of reasons, and sometimes knowing the reason why they are doing so can assist you in defusing the threat and tracking down the perpetrator. The most common, although perhaps not the most obvious, reason for attacking a company's network is to gain fame or notoriety. Whether it is someone seeking acceptance from an online hacker community, or someone who simply wants to see his or her name in the papers, attacks motivated in this manner tend to be extremely public in nature. A common attack in this category is Web site defacement, where an attacker will exploit a vulnerability in a company's Web server and change its default Web page to read...
Numerous techniques are available for an attacker to hijack a wireless network or session. Unlike some attacks, network and security administrators might be unable to tell the difference between the hijacker and a legitimate user. If the attacker spoofs the default gateway or a specific host on the network, all machines trying to reach the network or the spoofed machine will connect to the attacker's machine instead of the gateway or host to which they intended to connect. If the attacker is clever, he will use this position only to harvest passwords and other information he needs, and will route the rest of the traffic on to the intended recipients. If he does this, the end users will have no idea that this man in the middle has intercepted their communications and compromised their passwords and information. Another clever attack can be accomplished through the use of rogue APs. If the attacker is able to put together an AP with a strong enough signal, the end users might not be able...
An attacker can gain access to a shared system by starting a different operating system. An attacker can also steal a computer, remove the hard disk, install the disk in another system, and gain access to the stored files. Files that are encrypted by using Encrypting File System (EFS), however, appear as unintelligible characters when the attacker does not have the decryption key.
Pay special attention to the above exercise, as you may be asked questions about the distinguished name of the CA.
In this type of scenario, there is nothing to prevent an attacker from intercepting the data mid-stream and replacing the original signature with his or her own, using, of course, his or her own private key. The attacker would then forward the replacement public key to the unsuspecting party. In other words, even though the data is signed, how can you be sure of who signed it? The answer in the Windows PKI is the certificate.
The multiple forest, no trust design is the most secure of all of the forest options. The perimeter network uses a different forest than the internal network. If an attacker is able to compromise the perimeter network, the accounts used within the perimeter network do not have permissions within the internal network. This is a very costly scenario to implement, however. Not only do you need additional domain controllers and DNS servers to support the infrastructure, but the administrative costs also increase greatly. Administrators need to maintain multiple accounts and manually maintain access to resources across the forests.
Keeping attackers away from the data contained in your database should be of high concern. If an attacker is able to access the records or to damage the database so that it no longer responds correctly to queries, either your clients will become victims of redirection attacks or they will not have the ability to access the hosts with which they were intending to communicate. The following sections cover options that you should consider when attempting to secure both Active Directory-integrated and non-Active Directory-integrated zones.
When we are discussing security, the physical access to the domain controllers is of primary concern. Anyone who has direct access to domain controller hardware could perform attacks on the devices that make up the domain controller. Something as simple as powering off the system will keep users and applications from accessing Active Directory. Service outages could cost companies downtime and lost productivity. Once the system has been powered down, an attacker could restart the system under another operating system. Once the operating system is started, the object permissions will no longer restrict access to the objects, and the attacker can gain access to information that might be deemed confidential. If an attacker has physical access to a domain controller, she could remove the physical media on which the Active Directory database resides. Once removed from the system, the media could be introduced to another system on which attacks could be performed against the database. With...
As with any network service, you need to identify potential security threats. The buzz around Microsoft recently has been their implementation of security at all levels of their products. This security initiative is a good thing for administrators because the software giant is now trying to plug the holes that attackers like to take advantage of, which makes the administrator's job that much easier. Data modification: in a data modification attack, an attacker spoofs the source IP address in packets sent to a DNS server. Because the address appears valid, the packets are accepted on the network and passed to the DNS server, where the attack can proceed. If this type of attack is successful, DNS data can be modified or damaged, a denial-of-service (DoS) condition can be created, or the attacker can take the first step of a redirection. Denial-of-service attacks: when an attacker attempts a denial-of-service (DoS) attack, the DNS server is inundated with...
The information in this log file is primarily intended for nonsecurity-related analysis of Web site traffic. For example, members of the marketing team could use this information to determine which partner Web site was directing the highest number of users to the site. You should be familiar with IIS log files, however, because Web sites are a frequent point of entry for attackers, and analyzing IIS log files can reveal that you were attacked by a malicious user, the method the attacker used, and information about the attacker's identity. If you determine that an attack originated from an actual attacker targeting your computer systems, such as an ex-employee or a competitor, you should follow up on the attack. If you decide that the attacker should be punished, you should report the attack to an appropriate law enforcement agency. The Department of Justice's How to Report Internet-Related Crime page is a useful reference. IIS usage log information can also be sent directly...
Correct. Redirection is when an attacker is able to redirect queries for DNS names to servers under the control of the attacker. One method of redirection is to pollute a DNS server's cache with erroneous data. For example, if a server is resolving the FQDN www.fabrikam.com and a response from a server for crooks_r_us.com includes a record for a name in fabrikam.com, an unsecured server would cache that record and continue to use the data supplied by crooks_r_us.com to resolve further queries for www.fabrikam.com. If all server caches are secured against pollution, such out-of-zone referrals are rejected. In Windows Server 2003 DNS, caches are secured against pollution by default, but in a high-security environment, you should check that this setting has not been altered. D. Correct. Redirection can be accomplished whenever an attacker has writable access to DNS data. Insecure dynamic updates allow computers that do not have computer accounts in Active Directory to register information in DNS.
Attackers implement a DoS attack by flooding a network or server with more traffic than it can handle. Routers and servers eventually become overloaded by attempting to service each packet or request. The attacker's system is usually masqueraded because the sender's IP address is spoofed in the sending packets. This makes it difficult to trace who the attacker really is. Often, the IP address that is spoofed is the address of another victim on the network, so that the two targets end up flooding each other. A variation of the DoS attack is a distributed DoS (DDoS) attack, which is an attack that involves breaking into hundreds or thousands of computers across the Internet, installing DDoS software on each one that allows the attacker to control all these computers, and launching coordinated attacks on victim sites. Usually, bandwidth is completely saturated, router processing capacity is exhausted, and network connectivity is broken.
In modern computer security, a system administrator needs to create a security plan that uses many different mechanisms to protect a network from unauthorized access. Rather than relying solely on a hardware firewall and nothing else, defense in depth would also use strong passwords as well as other mechanisms on local client PCs, in the event that the firewall is compromised. The idea is to create a series of security mechanisms so that if one is circumvented, other systems and procedures are in place to help impede an attacker. Microsoft refers to this practice as an extensive defense model. The key points of this model are the following: In discussing security awareness with your user community, one of the most critical issues to consider is that of password strength. A weak password will provide potential attackers with easy access to your users' computers, and consequently the rest of your company's network. Well-formed passwords will be significantly more difficult to guess or crack....
Assumes that initial transactions between clients and servers take place on an open network where most computers are not physically secure, and packets traveling along the wire can be monitored and modified at will. The assumed environment, in other words, is very much like today's Internet, where an attacker can easily pose as either a client or a server, and can readily eavesdrop on or tamper with communications between legitimate clients and servers.
The Authentication Header (AH) does not encrypt the data, but it does provide authentication, integrity, and anti-replay protection for the packet (the payload plus the fields of the IP header that do not change in transit). Although the data is in clear text, an attacker cannot modify it without the change being detected. AH uses HMAC algorithms to compute a keyed hash over each packet to ensure integrity. The AH itself is inserted between the IP header and the transport-layer header and carries that integrity check value. If the value the receiving computer computes does not match the one in the AH, the packet is discarded. Anti-replay is achieved by the sequence number carried in the AH, which the receiver tracks and refuses to accept twice. AH can be used with or without the Encapsulating Security Payload (ESP).
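The per-packet integrity check and sequence-number anti-replay logic that the AH paragraph above describes, as an added example written for this page (it is not code from the book or from any IPsec implementation). It assumes HMAC-SHA1 truncated to 96 bits, a 32-bit sequence number and a 64-packet sliding window, and uses a simplified byte layout in place of a real IP datagram; the key and payloads are constructed for the demo.

```python
"""AH-style per-packet integrity and anti-replay check (added example, not from the page).

Assumptions not stated in the text: HMAC-SHA1 truncated to 96 bits (the
HMAC-SHA1-96 transform used with AH), a 32-bit sequence number, and a
64-packet sliding anti-replay window. The "packet" is a simplified byte
layout, not a real IP datagram.
"""
import hashlib
import hmac
import struct
from typing import Tuple

ICV_LEN = 12                             # 96-bit truncated HMAC-SHA1 integrity check value
WINDOW = 64                              # anti-replay window size, in sequence numbers
IMMUTABLE_HDR = b"ip-immutable-fields"   # stands in for the IP header fields AH covers


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: header || seq || payload || ICV, the ICV covering all preceding bytes."""
    body = IMMUTABLE_HDR + struct.pack("!I", seq) + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class AhReceiver:
    """Receiver side: rejects modified packets (bad ICV) and replayed or stale sequence numbers."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.highest = 0      # highest sequence number accepted so far
        self.seen = 0         # bit d set => sequence number (highest - d) already accepted

    def accept(self, packet: bytes) -> Tuple[bool, str]:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        # Integrity first: a forged or tampered packet must not touch the window state.
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV: packet modified or wrong key"
        seq = struct.unpack("!I", body[len(IMMUTABLE_HDR):len(IMMUTABLE_HDR) + 4])[0]
        if seq > self.highest:
            # Slide the window up so that bit 0 now represents this packet.
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True, "accepted"
        distance = self.highest - seq
        if distance >= WINDOW:
            return False, "rejected: sequence number too old for the window"
        if self.seen & (1 << distance):
            return False, "rejected: replayed sequence number"
        self.seen |= 1 << distance
        return True, "accepted (arrived out of order)"


if __name__ == "__main__":
    key = b"shared-ah-key"           # constructed key for the demo
    rx = AhReceiver(key)
    for seq, data in [(1, b"first"), (2, b"second"), (2, b"second"), (100, b"x"), (99, b"y"), (30, b"z")]:
        print(seq, rx.accept(build_packet(key, seq, data)))
    forged = bytearray(build_packet(key, 3, b"third"))
    forged[-ICV_LEN - 1] ^= 0x01    # flip one payload bit in transit
    print(3, rx.accept(bytes(forged)))
```

The order of checks matters: the ICV is verified before the window is consulted, so an attacker who cannot forge the HMAC cannot advance or poison the receiver's replay window by injecting packets with large sequence numbers.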
Your security measures must protect a CA's private key. If an individual is able to obtain the CA's private key, it is possible to build another CA computer with the same key pair, allowing impersonation of the CA and the ability to issue fraudulent certificates that are trusted by all users of your public key infrastructure (PKI). In a worst-case scenario, if the root CA private key is obtained, an attacker can build additional CAs that are trusted by the users and computers within your organization.
BitLocker volume encryption makes sure that data on a disk is never stored in a format that can be useful to an attacker, a thief, or even the new owner of the hardware. By destroying all copies of the encryption key it is possible to render the disk permanently inaccessible. The disk itself can then be reused.
As mentioned previously, a domain or forest can be easily attacked unless a commonsense security model is adopted to protect the forest and its domains. Attackers will attempt to compromise security by obtaining access to administrative accounts. Damage can easily be done even without access to the Administrator account. An attacker only needs to obtain membership in DnsAdmins to gain control of dynamic DNS (DDNS) and wreak enough havoc to cause a complete denial of service for the organization. Several security measures are thus required to secure the forest and its domains. This security architecture comprises the following measures:
Store the files and folders that comprise the content of your Web sites and applications on a dedicated disk volume that does not contain the operating system. Doing this helps prevent directory traversal attacks. Directory traversal attacks occur when an attacker sends the Web server a request for a file that is located outside the Web content directory structure. For example, Cmd.exe exists in the %systemroot%\System32 folder. Without the appropriate security settings, an attacker might be able to craft a request that resolves to %systemroot%\System32\Cmd.exe and invoke the command prompt. If the Web site content is stored on a separate disk volume, such a directory traversal attack cannot work because Cmd.exe does not exist on the same disk volume. The default NTFS permissions for Windows Server 2003 prohibit anonymous users from executing or modifying any files in the systemroot folder and its subfolders, so this type of attack would also require an authenticated, though unauthorized, account rather than anonymous access.
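The IIS log analysis described earlier on this page and the directory traversal pattern described in the paragraph above, combined into one added example (not code from the book or from IIS). The W3C log lines are constructed for the demo using documentation IP ranges; the field list is the one IIS writes, but the rules for what counts as suspicious (a path that climbs above the site root, or a request naming cmd.exe or system32) are this example's own choice, and decoding is repeated until the string is stable to catch double-encoded sequences.

```python
"""Scan IIS W3C extended log lines for directory traversal and cmd.exe requests.

Added example, not from the page. The log lines below are constructed for the
demo; the suspicious-request rules are this example's own choice.
"""
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample log (not a real capture). Two benign requests, then three
# traversal attempts from one client aiming at cmd.exe under the system root.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 10:00:01 203.0.113.5 GET /default.htm - 200
2004-03-01 10:00:02 203.0.113.5 GET /images/logo.gif - 200
2004-03-01 10:00:09 198.51.100.7 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
2004-03-01 10:00:10 198.51.100.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2004-03-01 10:00:11 198.51.100.7 GET /msadc/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
"""

SUSPICIOUS_TARGETS = ("cmd.exe", "system32")


def normalize_uri(stem: str) -> str:
    """Percent-decode until stable (catches double encoding) and fold backslashes to slashes."""
    decoded = stem
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def escapes_web_root(path: str) -> bool:
    """True if the path climbs above the site root at any point ('..' with nothing left to pop)."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            if depth == 0:
                return True
            depth -= 1
        elif segment not in ("", "."):
            depth += 1
    return False


def classify(stem: str) -> List[str]:
    """Return the list of reasons a request looks hostile; empty for a benign request."""
    path = normalize_uri(stem)
    flags = []
    if escapes_web_root(path):
        flags.append("traversal")
    lowered = path.lower()
    flags.extend(t for t in SUSPICIOUS_TARGETS if t in lowered)
    return flags


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def scan(text: str) -> Tuple[Dict[str, int], List[Tuple[str, str, List[str]]]]:
    """Return (suspicious request count per client IP, list of (ip, stem, flags))."""
    hits = []
    for row in parse_w3c(text):
        flags = classify(row["cs-uri-stem"])
        if flags:
            hits.append((row["c-ip"], row["cs-uri-stem"], flags))
    return Counter(ip for ip, _, _ in hits), hits


if __name__ == "__main__":
    per_ip, hits = scan(SAMPLE_LOG)
    for ip, stem, flags in hits:
        print(ip, stem, flags)
    print(dict(per_ip))
```

The per-client count is what you would pivot on when following up: one source address issuing several traversal requests within seconds, all returning 404, is the signature of a scanner probing for the cmd.exe path the paragraph above warns about.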
Aspect of your network to prevent an attack, whereas an attacker only needs to find a single opening to gain malicious access to your resources. But what about the actual tools that you're using to perform these tasks? The very tools and utilities that you use to administer your network can create a huge potential for misuse, allowing malicious attackers to gain administrative access to a machine or an entire network. Imagine what could happen if an attacker gained access to the DNS Management MMC snap-in. They could create, delete, or modify host entries to redirect your clients to malicious or compromised Web hosts, and they could view your DNS registrations to obtain a complete picture of your network to use for further attacks. Or think about a malicious user finding a way to use DHCP Manager to change scope information, removing or changing address assignment information and rendering your clients incapable of accessing network resources. In perhaps the worst-case scenario, consider...
Nothing you do matters if you do not have a strategy that considers your network's security. Your carefully conceived and implemented systems can be shut down or otherwise overwhelmed by Denial of Service attacks and malware. Your data can be stolen, modified, deleted, or corrupted because of viruses, accidents, or direct attack. A computer can be remotely controlled by a malicious attacker, your Web site modified, or your company's reputation sullied. Worse, unprotected systems and networks can become the source of attacks on other organizations' systems, on critical national infrastructures such as dams, electric power grids, and so on.
Question: If you were designing the network infrastructure for Eros, which of the firewall options would you recommend and why? Answer: The back-to-back firewall option is always the preferred method, although it is more costly. If an attacker gains access to the forward firewall and breaks into the perimeter network, they still have another firewall to attack.
Automatic generation of 8.3 (short) file names is turned on by default in Windows 2000 Server and is there to allow for legacy compatibility with 16-bit applications. When this feature is enabled, an attacker needs only an 8-character short name to refer to any file in the folder structure, regardless of how long its real name is. Unless you are running 16-bit applications, it is recommended that you turn off this feature. To do this, add a DWORD value named NtfsDisable8dot3NameCreation under the HKLM\SYSTEM\CurrentControlSet\Control\FileSystem key and set it to one (1). Any existing 8.3 names remain intact after this value is applied to your system. However, you may decide that you want to keep 8.3 names to support down-level client operating systems, and for the ease of use of 8.3 naming when using the command prompt and when writing scripts.
Warning: The technical security control section should only provide high-level information to the reader and not serve as a guide to an attacker regarding potential weaknesses in the CA's configuration. For example, it is safe to disclose that the CA's key pair is stored on a FIPS 140-2 Level 2 or Level 3 HSM. It is not safe to describe the CA's management team members or provide specific vendor information about the HSM.
Because the Windows startup components must be unencrypted for the computer to start, an attacker could gain access to these components, change the code, and then gain access to the computer, and thereby to sensitive data such as BitLocker keys or user passwords.
There are several theories on implementing account lockout policies. One recommendation is that account lockout should not be implemented because if the password policies are properly configured, no attacker should be able to guess the password in a reasonable period of time. In addition, enabling account lockout policies greatly increases the possibility of a denial of service occurring if automated attack programs are used to attempt to compromise the server. These programs often test a small number of commonly used passwords, and can result in the lockout of some or all accounts on the server (except the Administrator account, which cannot be locked out).
Confidentiality ensures that data is disclosed only to intended recipients. When it is selected, the Encapsulating Security Payload (ESP) format of IPSec packets is used. Packet data is encrypted before transmission, ensuring that the data cannot be read during transmission, even if the packet is monitored or intercepted by an attacker.
A user's password is the first line of defense against unwanted access into network resources. A password policy controls how the passwords can be used within the domain. Users should be informed of the importance of using strong passwords and be told how they can protect their passwords. Strong passwords use more than the standard lowercase letters from the keyboard. A strong password will use a combination of uppercase letters, lowercase letters, numerals, and special characters. Using a combination of these characters increases the possible combinations of characters within the password and dramatically increases the amount of time it will take an attacker to discover what the password is.
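A password checker and keyspace estimate for the strong-password guidance above and in the defense-in-depth paragraph earlier, as an added example (not code from the book or from Windows). The rule it encodes is the Windows "Password must meet complexity requirements" policy as generally described (at least six characters, characters from at least three categories, and no part of the account name); the account-name test here is a conservative simplification that rejects any three-character run of the account name, and the guessing rate used for the time estimate is an assumed figure, not a measurement.

```python
"""Password complexity check and keyspace estimate (added example, not from the page).

Assumptions: the four character categories named in the text, a minimum of
six characters and three categories as in the Windows complexity policy, a
simplified "contains part of the account name" test, and an assumed guess rate.
"""
import math
import string
from typing import List, Tuple

CATEGORY_SETS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def categories_used(password: str) -> List[str]:
    """Names of the character categories that actually occur in the password."""
    return [name for name, chars in CATEGORY_SETS.items() if any(c in chars for c in password)]


def contains_account_name(password: str, account: str, run: int = 3) -> bool:
    """True if any 'run' consecutive characters of the account name appear in the password."""
    p, a = password.lower(), account.lower()
    return any(a[i:i + run] in p for i in range(len(a) - run + 1))


def meets_complexity(password: str, account: str,
                     min_len: int = 6, min_categories: int = 3) -> Tuple[bool, List[str]]:
    """Return (passes, list of reasons it fails)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(categories_used(password)) < min_categories:
        problems.append(f"uses fewer than {min_categories} character categories")
    if contains_account_name(password, account):
        problems.append("contains part of the account name")
    return not problems, problems


def keyspace_bits(password: str) -> float:
    """log2 of the number of passwords of this length drawn from the categories it uses.

    This is the 'possible combinations' the text refers to: adding a category
    enlarges the alphabet, and every extra character multiplies the keyspace.
    """
    alphabet = sum(len(CATEGORY_SETS[c]) for c in categories_used(password)) or 1
    return len(password) * math.log2(alphabet)


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every password in the keyspace at the assumed rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["password", "jsmith99!", "Tq7#vLm2pX", "correcthorsebattery"]:
        ok, why = meets_complexity(pw, "jsmith")
        print(f"{pw!r}: complexity={'ok' if ok else why}, "
              f"{keyspace_bits(pw):.1f} bits, {years_to_exhaust(pw):.2g} years at 1e9 guesses/s")
```

The estimate is the attacker's worst case, exhaustive search, and assumes the attacker has no better strategy than brute force; a dictionary word with a digit appended passes the category test yet falls to a dictionary attack long before the keyspace figure suggests, which is why the complexity rule and length both matter.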
Whenever you expose your system to the outside world, you are leaving your environment open to attacks by hackers. To an attacker, a DNS server is fair game just as a Web server, a mail server, or any other server that is accessible to the outside world is. To take it a step further, we all know very well that attackers do not await us only on the Internet. Chances are that at least one employee in your organization is... Whether you are dealing with attackers on the Internet, attackers on your internal network, or most likely, both, Microsoft has made some great strides in incorporating security features into Windows Server 2003 DNS. Because DNS administration in a large organization can be very labor intensive, the responsibility for administering the namespace and the servers that support it can be delegated to trusted individuals and groups. Second, with Windows Server 2003, you can configure DNS to secure DNS clients, secure your DNS namespace, protect the services that...
Accepts dynamic update requests only from authorized systems. Once you configure a zone as Active Directory-integrated, you should change the dynamic update setting so that only secure updates are allowed. At that point, only clients with accounts in Active Directory can update the zone records. Once secure updates are turned on, an attacker will not be able to easily add false records to your database that could cause the domain controller to become overloaded as it tries to replicate the changes. Figure 2.7 shows the zone properties for zygort.lcl. Notice that the Dynamic updates option is set to Secure Only.
You should also consider moving the zone files to another partition, away from the system files. Such a move reduces the chance that a compromise of the DNS service, for example through a buffer overflow, lets an attacker browse the files stored on the system partition. Once you move the files to another partition, be sure to adjust the access control list so that only the appropriate DNS administrators and the System account have access to the files.
A smart card increases protection for a certificate's private key. To compromise a smart card's private key, an attacker must obtain the smart card and know the associated PIN. As added protection, a smart card blocks access to the smart card's private key(s) after a designated number of PIN failures. The private key can only be accessed after the smart card is unlocked.
Server Core is a bare installation of Windows Server 2008. A machine provisioned with Server Core has fewer binaries installed, which results in a reduced attack surface. With fewer binaries available on the system, the chance that a vulnerable DLL is present is decreased. This forces an attacker to expend more effort to find a security flaw in one of the Windows DLLs that remain.
During the design of the infrastructure, she determines that she needs to implement a perimeter network to support the SMTP and Web servers. After identifying the need for the perimeter network, she returns to the Active Directory design concerned about the security requirements for the perimeter network. Her main concern is the possibility of jeopardizing internal resources if an attacker gains control of a system within the perimeter.
Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, then the default configuration of IIS minimizes the attack surface of the server. When your Web sites and applications contain dynamic content, or you require one or more of the additional IIS components, you will need to enable additional features. However, you still want to ensure that you minimize the attack surface of the Web server. The attack surface of the Web server is the extent to which the server is exposed to a potential attacker. Each additional Windows Server 2003 and IIS 6.0 component is configured with the most restrictive possible security that will allow the component to still function. However, in providing any functionality, there is still an opportunity for potential attackers to exploit any weakness of the component.
To prevent attackers from gaining access to your network's confidential data, you can use any number of technical, administrative, and physical countermeasures. Physical controls can include a secure safe-deposit box to house items like birth certificates or medical records. From a technical standpoint, users might only be allowed to access confidential data from a specific location, or by using a specific application. The use of cryptography and file encryption can ensure that only the owner of a file can access it, even if it is somehow transferred to a different location. In addition, end-user and administrative training can guard against an attacker using a so-called social engineering attack to obtain access to an employee's username and password. (More on social engineering in a minute.) Mechanisms that are designed to ensure data integrity need to address both attacks on where data is stored, and while data is being transmitted across the network. If an attacker intercepts and...
When enabled, Remote Desktop for Administration opens port 3389 and listens for connection requests. This port is a significant target and is often sought during port scans. Most open ports link to applications that must be attacked in complex ways to permit administrator-level access to a computer. This service is designed to actually provide it, which makes it a prime target for attackers. There are several best practices that you should follow to maximize the security of this component. It is important to enforce strong security precautions on all accounts that are enabled to connect using Remote Desktop for Administration. Strong passwords and the use of account lockout are essential to make it difficult for an attacker to successfully use a brute force attack to gain system access. Administrators should be required to log on using a standard user account and perform administrative duties in the session using the Run as feature. This will ensure maximum security of the...
Incorrect. Storing passwords using reversible encryption, as required for the Challenge Handshake Authentication Protocol (CHAP), does not alter the fact that the password itself is never transmitted in clear text over the remote access connection: the client sends a hash computed from the server's challenge and the password. An attacker capturing the packets using Network Monitor would not be able to read the password from them.
With each other using specially crafted WEP cracking tools to cancel out the key stream, allowing an attacker who knows the contents of one message to easily figure out the contents of the other. Unfortunately, this weakness is the same for both the 40-bit and 104-bit (marketed as 64- and 128-bit) encryption levels because both use the same 24-bit IV.
By default, IIS will accept both unencrypted HTTP and encrypted HTTPS requests after a certificate is configured. If you do not want to allow unencrypted requests, open the Web site properties dialog box, click the Directory Security tab, click the Edit button, and then select the Require Secure Channel check box, as shown in Figure 11.3. Optionally, you can select the Require 128-Bit Encryption check box. Today, most clients support 128-bit encryption, which is very difficult for an attacker to break. If you do not select the Require 128-Bit Encryption check box, clients that support 128-bit encryption will still use 128-bit encryption.
You can use group policy settings to enforce security-related settings across multiple Windows 2000 and later computers. Password and account lockout group policy items must be linked at the domain level to be effective. Windows Server 2008 creates a Default Domain Policy GPO and links it to the domain level for each domain in the forest. The domain password policy allows administrators to specify a combination of password security options, including how frequently users change their passwords, how long passwords must be, how many unique passwords must be used before a user can reuse one, and how complex passwords must be. Account lockout is used to prevent successful brute force password guessing. If it is not enabled, an attacker can continue to guess username and password combinations very rapidly using software. The proper combination of settings can effectively block these types of security vulnerabilities by either locking the account out permanently or requiring long waiting...
Store hardware related to offline CAs in a separate, secured location. Some companies remove the hard drives from the CA computers and store them in a remote safe, requiring an attacker to gain access to both the server hardware and the server drives before gaining access to an offline CA.
A VPN emulates a secure point-to-point connection, such as an employee who uses an analog modem to dial up the corporate remote access server. Even though the data might travel to any number of third-party locations during its sojourn on the public network, it ends up at the correct endpoint. This is accomplished by wrapping, or encapsulating, the data with enough information for the data to be routed properly to its destination. Once it is received at the destination, it is unpackaged so that the data inside can be read. To the end user, it looks like just another point-to-point connection. The security of a point-to-point link is emulated by encrypting the data that is to be sent. That way, even if packets are captured somewhere on the public network, they are still unusable to the attacker. This combination of encapsulation and encryption makes the VPN an attractive alternative to an expensive point-to-point connection.
Account lockout refers, in its broadest sense, to the concept that after several failed logon attempts by a single user, the system should assume that an attacker is attempting to compromise the account by discovering its password and, in defense, should lock the account so no further logons may be attempted. Domain account lockout policies determine the limitations for invalid logons, expressed in a number of invalid logons in a period of time, and the requirements for an account to become unlocked, whether by simply waiting or by contacting an administrator. Table 3-6 summarizes Account Lockout policies. Account lockout duration: this policy determines the period of time that must pass after a lockout before Active Directory will automatically unlock a user's account. The policy is not set by default because it is useful only in conjunction with the Account Lockout Threshold policy. The policy accepts values ranging from 0 to 99999 minutes, or about 10 weeks. A value of 0 will require the user to contact...
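A simulation of the three lockout settings discussed above and in the earlier account-lockout passages (threshold, lockout duration, and the reset window), as an added example that is not code from the book or from Windows. The account store, the clock (minutes since an arbitrary epoch) and the guesses are constructed for the demo; the built-in Administrator's immunity to lockout is modelled with an `exempt` flag. It shows both the protection (the guesser is stopped after the threshold) and the denial-of-service side effect the earlier passage warns about (the legitimate user is locked out too until the duration expires or an administrator unlocks the account).

```python
"""Account lockout policy simulation (added example, not from the page).

Models threshold, lockout duration and reset-counter-after with a constructed
account store and a simulated clock in minutes.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5          # invalid attempts before lockout; 0 disables lockout
    duration_min: int = 30      # minutes until automatic unlock; 0 = admin must unlock
    reset_after_min: int = 30   # minutes of no failures after which the counter resets


@dataclass
class Account:
    password: str
    exempt: bool = False                  # built-in Administrator: cannot be locked out
    bad_count: int = 0
    last_bad_at: Optional[int] = None
    locked_until: Optional[int] = None    # -1 means locked until an administrator unlocks


class Domain:
    def __init__(self, policy: LockoutPolicy, accounts: Dict[str, Account]) -> None:
        self.policy = policy
        self.accounts = accounts

    def is_locked(self, acct: Account, now: int) -> bool:
        if acct.locked_until is None:
            return False
        if acct.locked_until == -1:
            return True
        if now >= acct.locked_until:      # duration elapsed: automatic unlock
            acct.locked_until = None
            acct.bad_count = 0
            return False
        return True

    def logon(self, user: str, password: str, now: int) -> str:
        """Return 'ok', 'bad-password', 'locked' or 'no-such-user'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "no-such-user"
        if self.is_locked(acct, now):
            return "locked"                # even the right password is refused while locked
        if password == acct.password:
            acct.bad_count = 0
            return "ok"
        p = self.policy
        # Reset the counter if the previous failure is outside the observation window.
        if acct.last_bad_at is not None and now - acct.last_bad_at >= p.reset_after_min:
            acct.bad_count = 0
        acct.bad_count += 1
        acct.last_bad_at = now
        if p.threshold and not acct.exempt and acct.bad_count >= p.threshold:
            acct.locked_until = -1 if p.duration_min == 0 else now + p.duration_min
        return "bad-password"

    def unlock(self, user: str) -> None:
        """Administrator manually unlocks the account."""
        acct = self.accounts[user]
        acct.locked_until = None
        acct.bad_count = 0


def brute_force_then_victim(policy: LockoutPolicy) -> Dict[str, str]:
    """Attacker guesses against 'alice' and 'administrator'; then the real users log on."""
    dom = Domain(policy, {"alice": Account("C0rrect-h0rse"),
                          "administrator": Account("Adm1n!", exempt=True)})
    guesses = ["password", "123456", "qwerty", "letmein", "welcome", "alice"]
    for minute, guess in enumerate(guesses):          # one guess per minute
        dom.logon("alice", guess, now=minute)
        dom.logon("administrator", guess, now=minute)
    t = len(guesses)
    return {
        "alice_now": dom.logon("alice", "C0rrect-h0rse", now=t),
        "alice_later": dom.logon("alice", "C0rrect-h0rse", now=t + policy.duration_min),
        "admin_now": dom.logon("administrator", "Adm1n!", now=t),
    }


if __name__ == "__main__":
    print("lockout enabled :", brute_force_then_victim(LockoutPolicy(threshold=5, duration_min=30)))
    print("lockout disabled:", brute_force_then_victim(LockoutPolicy(threshold=0)))
    print("admin unlock    :", brute_force_then_victim(LockoutPolicy(threshold=5, duration_min=0)))
```

With `duration_min=0` the account stays locked until `unlock()` is called, which is the "contact an administrator" case; with `threshold=0` the guesser is never stopped at all, which is the trade-off the earlier passage describes.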
An attacker could attempt to populate the cache on your DNS server with incorrect information in an attempt either to stop name resolution or to redirect clients to incorrect systems. If an attacker were able to populate the cache with an entry that would redirect a client to the wrong DNS server, the client could receive a response to their query that redirected them to a compromised host.
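The cache-pollution attack described above, and the "secure cache against pollution" setting discussed earlier on this page, as an added example that is not code from the book or from the Windows DNS service. It is a toy caching resolver with the usual bailiwick rule written from scratch (a server answering for a zone may only supply records at or below that zone); the domain names, addresses and response contents are constructed, with crooks-r-us.example standing in for the attacker's domain.

```python
"""Cache-pollution check: accept or reject out-of-bailiwick records (added example, not from the page).

Names, addresses and response contents are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str


def in_bailiwick(name: str, zone: str) -> bool:
    """True if 'name' is the zone apex or lies below it (label-aligned, so no evilfabrikam.com tricks)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class CachingResolver:
    def __init__(self, secure_cache: bool = True) -> None:
        self.secure_cache = secure_cache
        self.cache: Dict[Tuple[str, str], str] = {}
        self.rejected: List[Record] = []

    def process_response(self, responding_zone: str, records: List[Record]) -> None:
        """Cache the records of a reply from a server that is authoritative for responding_zone."""
        for rec in records:
            if self.secure_cache and not in_bailiwick(rec.name, responding_zone):
                self.rejected.append(rec)   # pollution attempt: data for a name outside the zone
                continue
            self.cache[(rec.name.lower(), rec.rtype)] = rec.rdata

    def lookup(self, name: str, rtype: str = "A") -> Optional[str]:
        return self.cache.get((name.lower(), rtype))


# Constructed scenario: a client asks the resolver for www.crooks-r-us.example and the
# attacker's authoritative server answers with an extra, unsolicited record that
# claims an address for www.fabrikam.com.
ATTACKER_REPLY = [
    Record("www.crooks-r-us.example", "A", "198.51.100.66"),
    Record("www.fabrikam.com", "A", "198.51.100.66"),      # the pollution
]
LEGIT_REPLY = [Record("www.fabrikam.com", "A", "203.0.113.10")]


def resolve_fabrikam(secure_cache: bool) -> Optional[str]:
    """What the resolver hands a client for www.fabrikam.com after the attacker's reply."""
    r = CachingResolver(secure_cache)
    r.process_response("crooks-r-us.example", ATTACKER_REPLY)
    if r.lookup("www.fabrikam.com") is None:
        # Nothing cached, so the resolver goes to fabrikam.com's own servers.
        r.process_response("fabrikam.com", LEGIT_REPLY)
    return r.lookup("www.fabrikam.com")


if __name__ == "__main__":
    print("secure cache   :", resolve_fabrikam(True))     # the real address
    print("insecure cache :", resolve_fabrikam(False))    # redirected to the attacker
```

The insecure resolver never asks fabrikam.com at all once the bogus record is cached, which is what makes the redirection persist for the record's TTL; the secure one drops the record and resolves the name through the legitimate zone.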
Updates, which allow client systems to add DNS records directly into the database. Dynamic DNS servers can receive malicious or unauthorized updates from an attacker by means of a client that supports the Dynamic DNS (DDNS) protocol if the server is configured to accept unsecured updates. At a minimum, an attacker can add bogus entries to the DNS database; at worst, the attacker can overwrite or delete legitimate entries in the DNS database.
By enabling delegated authentication, you can prevent an attacker who gains control of a server from accessing data stored on other servers that require user credentials to access. By requiring that all data be accessed by means of credentials that are delegated to the server for use on the client's behalf, you ensure that a compromised server cannot on its own be used to gain access to sensitive information on other servers; it can act only for the users currently connected to it. However, if the server's own account was given access to information stored on other servers, an attacker who gains control of the server would be able to access that information. When you enable delegated authentication for a computer account by selecting the Trust This Computer For Delegation To Any Service option, delegation is enabled for all services on that computer. Constrained delegation allows administrators to specify the particular services from which a computer that is trusted for delegation can request resources. By using...
If a domain controller is placed in a branch office to make authentication more efficient, this introduces several significant risks. A domain controller maintains a copy of all attributes of all objects in its domain, including confidential information related to user passwords. If an attacker can access or steal a domain controller, it is possible (although not easy) to identify valid usernames and passwords. At the very least, you would need to reset the passwords of every user account in the domain. In a large hub site, domain controllers, and other significant servers such as certificate servers, can be kept in a secure room. However, the physical security of servers at branch offices is often less than ideal.
One of the greatest weaknesses in shared-key authentication is the fact that it provides an attacker with enough information to try to crack the WEP secret key. The challenge, which is sent from authenticator to requestor, is sent in the clear. The requesting client then transmits the same challenge, encrypted using the WEP secret key, back to the authenticator. An attacker who captures both of these packets has two pieces of a three-piece puzzle: the cleartext challenge and the encrypted ciphertext of that challenge. The algorithm, RC4, is also known, and so is the IV, which WEP sends in the clear. All that is missing is the secret key. To determine the key, the attacker runs a dictionary attack over the candidate keys: at each step, the attacker decrypts the captured ciphertext using a dictionary word as the secret key and compares the result against the authenticator's cleartext challenge. If the two match, the attacker has determined the secret key; a key that is not in the dictionary can only be found by exhaustive search of the key space. Worse, the attacker does not even need the key to authenticate: XORing the challenge with its ciphertext yields the RC4 keystream for that IV, and that keystream can be reused to answer a later challenge. In cryptography, this attack is called a...
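The exchange above, worked through in code as an added example (this is not code from the page or from any of the books it excerpts): a client answers the shared-key challenge, an eavesdropper runs the dictionary attack against the captured pair, and then shows the cheaper attack that needs no key at all. RC4 and the IV||key seeding are the real WEP constructions; the frame layout is simplified (no CRC-32 ICV), and the 40-bit key, IV, challenge and wordlist are constructed for the demo.

```python
# Added example (not from the page): WEP shared-key authentication, the offline
# dictionary attack on the captured challenge/response, and keystream reuse.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling followed by keystream generation, XORed into data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with the 24-bit IV (sent in the clear) followed by the secret key."""
    return rc4(iv + secret_key, plaintext)


def shared_key_auth(secret_key: bytes, iv: bytes, challenge: bytes):
    """What an eavesdropper captures: the cleartext challenge from the authenticator,
    and the requester's response (IV in the clear, challenge encrypted under IV||key)."""
    return challenge, iv, wep_encrypt(secret_key, iv, challenge)


def dictionary_attack(challenge: bytes, iv: bytes, response: bytes, wordlist):
    """Encrypt the captured challenge under each candidate key and compare with the
    captured ciphertext. Only keys present in the wordlist can be found this way."""
    for candidate in wordlist:
        if wep_encrypt(candidate, iv, challenge) == response:
            return candidate
    return None


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """plaintext XOR ciphertext = the RC4 keystream for this IV; no key needed."""
    return bytes(p ^ c for p, c in zip(challenge, response))


def forge_response(keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a later challenge by reusing the same IV and the recovered keystream."""
    return bytes(p ^ k for p, k in zip(new_challenge, keystream))


# Constructed demo values: a 40-bit (5-byte) key that happens to be in a tiny
# wordlist, a fixed IV, and a 128-byte challenge (real challenges are random).
SECRET_KEY = b"hello"
IV = b"\x01\x02\x03"
CHALLENGE = bytes(range(128))
WORDLIST = [b"admin", b"guest", b"hello", b"wifi1"]


def run_demo():
    """Returns (key recovered by the dictionary attack, whether a forged
    response built from the keystream alone is accepted by the authenticator)."""
    challenge, iv, response = shared_key_auth(SECRET_KEY, IV, CHALLENGE)
    found = dictionary_attack(challenge, iv, response, WORDLIST)
    keystream = recover_keystream(challenge, response)
    later_challenge = bytes(range(127, -1, -1))
    forged = forge_response(keystream, later_challenge)
    # The authenticator decrypts with the real key and sees its own challenge.
    accepted = rc4(iv + SECRET_KEY, forged) == later_challenge
    return found, accepted


if __name__ == "__main__":
    key, ok = run_demo()
    print("recovered key:", key, "| forged authentication accepted:", ok)
```

The keystream-reuse path is the reason shared-key authentication is worse than open authentication plus encryption: the attacker who captured one handshake can authenticate forever under that IV without ever touching the dictionary.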
Constrained delegation allows administrators to specify particular services from which a computer that is trusted for delegation can request resources. By using constrained delegation, you can prevent attackers who compromise a server from accessing resources that are not intended to be accessed by that server.
Threats and vulnerabilities to data transmission differ depending on the mode of transmission and the goals of the attacker. The following table describes some of the common threats to data transmission.
Example of network attack: Alice sends a message to Bob specifying that she would like to buy 100 shares of Contoso Pharmaceuticals, regardless of the price. An attacker who intercepts this information using a packet sniffing program could modify the message to indicate that 1,000 shares should be bought, or the attacker could change the company name to indicate another stock. Additionally, the attacker could store the message and replay the message once a week to Bob.
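Both attacks on Alice's order, and the standard countermeasure, as an added example (not code from the page): the sender authenticates each message with an HMAC over a body that carries a sequence number, and the receiver rejects any message whose tag does not verify (modified or forged) or whose sequence number it has already accepted (replayed). The shared key, the names and the JSON message format are constructed for the demo; confidentiality would be layered on separately, for instance by IPSec or SSL as the surrounding excerpts describe.

```python
# Added example (not from the page): integrity and anti-replay for Alice's stock
# order using HMAC-SHA256 and a per-message sequence number.
import hashlib
import hmac
import json

SHARED_KEY = b"alice-bob-demo-key"  # constructed; in practice negotiated, e.g. by IKE or TLS


def build_order(key: bytes, seq: int, buyer: str, symbol: str, shares: int) -> dict:
    """Canonical JSON body plus an HMAC tag computed over exactly those bytes."""
    body = json.dumps({"seq": seq, "from": buyer, "symbol": symbol, "shares": shares},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Bob's side: verify the tag first, then refuse sequence numbers seen before."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()
        self.filled = []

    def accept(self, msg: dict) -> str:
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: tag mismatch (modified or forged)"
        order = json.loads(msg["body"])
        if order["seq"] in self.seen:
            return "rejected: replay of seq %d" % order["seq"]
        self.seen.add(order["seq"])
        self.filled.append(order)
        return "filled: %d shares of %s" % (order["shares"], order["symbol"])


def tamper(msg: dict, old: bytes, new: bytes) -> dict:
    """A packet-sniffing attacker edits the body in transit but cannot recompute the tag."""
    return {"body": msg["body"].replace(old, new), "tag": msg["tag"]}


def run_demo():
    """Replays the four scenarios from the text; returns Bob's verdicts and fills."""
    bob = Receiver(SHARED_KEY)
    order = build_order(SHARED_KEY, 1, "alice", "CONTOSO", 100)
    verdicts = [
        bob.accept(tamper(order, b'"shares":100', b'"shares":1000')),  # 100 -> 1,000 shares
        bob.accept(order),                                              # the genuine message
        bob.accept(order),                                              # replayed a week later
        bob.accept(tamper(order, b"CONTOSO", b"FABRIKA")),              # different stock
    ]
    return verdicts, bob.filled
```

A set of seen sequence numbers grows without bound; IPSec solves the same problem with a sliding replay window over its sequence counter, and a timestamp in the body is the usual complement when messages can legitimately arrive out of order.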
Threats to DNS servers include the following:
- An attacker can use valid IP addresses in forged IP packets to destroy data.
- An attacker could potentially see all of an organization's DNS records.
- An attacker can alter DNS records to deny clients access to legitimate hosts.
When a DNS server is attacked, one possible goal of the attacker is to control the DNS information being returned in response to DNS client queries. In this way, clients can be inadvertently misdirected to unauthorized computers. An attacker can use IP spoofing. In this type of attack, attackers use valid IP addresses in IP packets that they have created to destroy data or to conduct other attacks. An attacker could potentially see all of an organization's DNS records, so that they could identify all of the organization's important computers and IP addresses. An attacker could alter DNS records in legitimate DNS servers to provide invalid addresses in response to client queries, which denies clients the services those names point to (a DoS carried out through DNS). Secure dynamic updates: Unsecure dynamic DNS servers can receive malicious or unauthorized...
The combination of weaknesses in WEP and the nature of wireless transmission has made spoofing, or interception, a real threat to wireless network security. Well-publicized weaknesses in WEP's user authentication have made authentication spoofing just one of a number of equally well-tested exploits available to attackers. One definition of spoofing is an attacker's ability to trick the network equipment into thinking that the address from which a connection is coming is one of the valid and allowed machines on its network. Attackers can accomplish this trick in several ways, the easiest of which is to simply redefine the MAC address of the attacker's wireless or network card to a valid MAC address. This can be accomplished in Windows through a simple Registry edit. Several wireless providers also have an option to define the MAC address for each wireless connection from within the client manager application that is provided with the interface. There are several...
The multiple forest, two-way trust design allows trusts to be created between the internal and perimeter forests so that each forest trusts the other. This design allows for nearly the same level of interoperability between the resources of the two forests as the single forest design allows. Accounts from each forest can be added to groups within the other forest to facilitate efficient access to resources. This design allows extranet access to internal resources, but it also opens up security concerns, because perimeter accounts can now access internal resources. If an attacker compromises the perimeter network, an account in the perimeter network that has privileges in the internal network could be used to compromise the internal network. Tip: SID filtering should be turned on between the internal and perimeter forests so that an attacker cannot take advantage of the SIDHistory attribute to gain access to resources.
Threats to domains and forests:
- Buffer overrun attacks. For example, an attacker can elevate privilege and gain administrative access to the entire domain.
- An attacker who has administrative access in one domain gaining administrative access to every domain in the forest.
Once you've collected all of the incident tracking or forensics information you want, you can now turn to restoring a compromised machine to a healthy state. As with the rest of the Incident Recovery plan, you should document and test these steps beforehand as much as possible so that actual recovery times are as quick as possible, minimizing any downtime for your users. Unfortunately, once a system has been compromised, in many ways you can't trust any of the information that's stored on it because you don't know what the attacker has or has not changed. In most cases, for any system that has been breached, the best and most secure option is to reinstall the operating system from a clean copy of the installation media. Performing a full reinstallation will ensure that the affected system will be free of any Trojans, backdoors, or malicious processes that you might not even be aware of. Reinstallation also ensures that any data that's been restored from a known-good backup is also...
Answer A is not the quickest way to restore the controller to service, because you will lose any application and Registry data stored on the system drive; all applications will need to be reinstalled and any shares recreated. Answer C is incorrect because you cannot change the syskey password without knowing the original password. This is designed so that an attacker cannot circumvent syskey security by simply rebooting the server. Answer D is incorrect because transferring the PDC emulator role, although necessary to authenticate any down-level clients, will do nothing to return this controller to service. A. An attacker has deleted the Exchange and SQL executables on your production servers. D. An attacker is perpetrating a DoS attack against your network.
Hardening client operating systems is a critical first step in safeguarding your client operating systems from internal or external intrusion and attackers. At a minimum, this involves the removal of any nonessential tools, utilities, or other administrative options that could be exploited by an attacker to gain access to your systems. The hardening process will also ensure that all necessary security features have been activated and configured correctly for any administrative or nonadministrative user accounts used to gain access to the client system, rather than simply providing easy access to an Administrator account. A term that you'll hear quite often when dealing with computer and information security is the notion of an attack vector. Put simply, an attack vector is the exploit that a malicious user uses to gain access to a system, whether it's through guessing weak passwords or using a buffer overflow attack against an unpatched system. When designing secure systems, one of...
Threats to DHCP and WINS servers:
- An attacker could modify the server configuration. For example, the server could be configured to not give out IP addresses, or an attacker could cause clients to be configured with undesirable parameters, such as being pointed to a hostile DNS server.
- An attacker could hijack NetBIOS names of critical servers.
- An attacker with administrative access could modify WINS server settings.
Restrictions on that person's authority to administer your company's DNS server, he or she may cause as much damage to your DNS records due to a lack of knowledge as any malicious attacker. However, if you have delegated administration and management policies in place, you will be able to better control the authority held by various members of your administrative staff. Another reason that you want to implement this kind of security is to protect your network against actively malicious administrators seeking to harm a network. Having a network management policy in place will also help you secure your network against your own IT staff, if such protection becomes necessary. Network administrators can also be vulnerable to social engineering attacks because of the elevated privileges and permissions that they hold on a network. Say that an attacker obtains the telephone number to your help desk and calls pretending to be the personal assistant to the vice president of sales. The caller...
Network Monitor can show you the SPI and the sequence number, but it won't show you anything else of use. The data contained in an ESP-protected packet is encrypted and therefore cannot be analyzed, regardless of whether the capture is performed by a legitimate administrator or an attacker. This holds only for ESP: an AH-only packet is authenticated but not encrypted, so its payload is fully readable in a capture.
While renaming the Administrator account helps to conceal it, the main reason to do so is to thwart attempts to crack its password. Password policy protects accounts from malicious programs that repeatedly try user IDs with various dictionary-generated password suggestions. Given enough time and a large enough dictionary, an attacker will eventually find any password that appears in the dictionary. The domain Administrator account can also be renamed manually using the Active Directory Users and Computers console. Note that renaming does not change the account's security identifier, whose relative identifier is always 500; an attacker who can enumerate SIDs can still find the account, so renaming raises the cost of blind guessing, not of a targeted attack.
This privilege (Adjust memory quotas for a process) allows its bearer to modify the maximum memory used by a process, and is given by default to administrators. This right can be misused if given to the wrong user account, and can be turned into a denial of service by setting the memory quota for a certain process low enough to prevent it from running properly. An attacker can use this the other way around as well, by setting the memory quota for a process very high so that it consumes all the available memory on a server or workstation.
Footprinting: Once the hacker has the zone data, that person can gather DNS domain names, computer names, and IP addresses for any resource. The hacker can then target servers with sensitive network functions or data. The attacker typically begins the attack by mapping out, or footprinting, the network structure based on captured DNS data. From this information, the attacker can use the structure to determine sensitive servers.
Denial-of-service (DoS): A DoS attack occurs when an attacker attempts to...
Data modification: Once an attacker has successfully footprinted the network, the attacker can attempt data modification using valid IP addresses in packets the attacker created, in an attempt to pass these packets off as legitimate. This is also called IP spoofing. With a valid IP address, and an address that is within the address range of a desired subnet, the attacker can then access network resources including sensitive data.
Redirection: ...able to redirect DNS name queries to servers under the attacker's control....
It is also advisable to simplify your network infrastructure design. This can mean using fewer interfaces and NICs if possible, especially public interfaces. The more interfaces that an infrastructure contains, the more entry points an attacker has available to target, similar to a house that has a large number of windows and doors through which a burglar might choose to enter. Arguably the most important security consideration when dealing with a Windows Server 2003 RRAS router, however, is the handling of routes and routing protocols. In a small network with only one router, the router by definition has first-hand knowledge of each network address that is attached to it. For example, if two segments A and B are attached to a router and a host on B attempts to send a message to a host on A, the router will know how to reach the destination without any help. However, in a more complicated network with many segments, routers must rely on routing tables to assist them. Routing tables contain entries...
D. The pattern here suggests possibly two different attacks. The first event is someone attempting to log in to a disabled account. This could be one of the recently terminated employees or one of the employees on vacation (whose account you temporarily disabled for security purposes) attempting to log in. It's not clear based only on the first event. The next event indicates a successful logon. Since a user will not be able to log in to a disabled account, this success event indicates use of a different account. Without additional information or evidence, it would be reasonable to assume that this might have been a legitimate access by one of the managers. The next two events indicate someone was trying to access a disabled account. Again, this could be a terminated employee (attack) or an employee on vacation (benign event). However, the next event, 529, indicates someone attempted to log on with the wrong username or password. If this were an employee on vacation, this event would...
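The reasoning in that answer turned into detection logic, as an added example (not from the page or the exam guide it comes from), run over a constructed sample of Windows 2000/2003 Security log events. The event IDs are the real pre-Vista ones (528 successful logon, 529 unknown user name or bad password, 531 account currently disabled); the account names, workstation names, timestamps and thresholds are invented for the demo.

```python
# Added example (not from the page): flag a source workstation that produces a
# run of failed logons (disabled account or bad password) and note whether a
# successful logon from that same source follows the run.
from datetime import datetime, timedelta

EVENT_NAMES = {
    528: "successful logon",
    529: "unknown user name or bad password",
    531: "account currently disabled",
}

# Constructed sample: (time, event id, target account, source workstation).
SAMPLE_EVENTS = [
    ("2003-11-03 08:01:10", 531, "jsmith", "WS-FINANCE-07"),
    ("2003-11-03 08:01:32", 528, "mgr.lee", "WS-MGMT-01"),
    ("2003-11-03 08:02:05", 531, "jsmith", "WS-FINANCE-07"),
    ("2003-11-03 08:02:18", 531, "jsmith", "WS-FINANCE-07"),
    ("2003-11-03 08:02:40", 529, "jsmith", "WS-FINANCE-07"),
    ("2003-11-03 08:02:55", 529, "administrator", "WS-FINANCE-07"),
    ("2003-11-03 08:03:10", 528, "mgr.lee", "WS-FINANCE-07"),
    ("2003-11-03 09:15:00", 531, "kpatel", "WS-SALES-02"),
]


def parse(rows):
    """Turn the textual rows into (datetime, id, account, source) tuples."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, acct, src)
            for t, eid, acct, src in rows]


def find_suspicious_sources(events, window=timedelta(minutes=5), threshold=3):
    """Group failures (529/531) by source workstation. A source with `threshold`
    or more failures inside `window` is reported, together with the accounts
    tried, the failure reasons, and any account that logged on successfully
    from that source right after the run (the guessing-then-success pattern)."""
    findings = {}
    by_src = {}
    for ev in sorted(events):
        by_src.setdefault(ev[3], []).append(ev)
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] in (529, 531)]
        for i in range(len(failures)):
            run = [e for e in failures[i:] if e[0] - failures[i][0] <= window]
            if len(run) < threshold:
                continue
            last_fail = run[-1][0]
            success_after = [e[2] for e in evs
                             if e[1] == 528 and last_fail < e[0] <= last_fail + window]
            findings[src] = {
                "failures": len(run),
                "accounts": sorted({e[2] for e in run}),
                "reasons": sorted({EVENT_NAMES[e[1]] for e in run}),
                "success_after_run": success_after,
            }
            break
    return findings


if __name__ == "__main__":
    for src, f in find_suspicious_sources(parse(SAMPLE_EVENTS)).items():
        print(src, f)
```

A single 531 from the sales workstation is left alone, which matches the answer's point that one disabled-account attempt is as likely a vacationing employee as an attacker; the finance workstation, with five failures against two accounts and then a manager's account succeeding from the same machine, is the one that warrants a phone call.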
It uses mutual authentication of both the client and the server. Data is encrypted by using separate session keys for transmitted and received data, which makes it more difficult for an attacker to sniff the traffic and use a brute force attack on the key. The session key generation is not entirely based on the user's password, so a weak password will not necessarily leave the session vulnerable. SecurID is one of many forms of a token-based authentication method that uses EAP. The user is given a key chain device or card that is synchronized to display a specific number every few seconds. The key chain device or card is synchronized with a SecurID server. The user must enter the number along with a personal identification number (PIN) and user name, which will then be verified by the SecurID server. The attacker must steal the token and break the PIN to get access.
The advantage of this configuration is that physical access is required to use the offline CAs. Likewise, if an online CA is compromised, it does not allow an attacker to compromise an offline CA. By deploying the network-attached HSM on a private network, you ease the configuration changes at the online CAs and the network-attached HSM if IP addressing is modified on the corporate network.
All the security in the world can't help if the tools at the administrator's disposal are not properly secured. These tools are designed to allow you to make major modifications to and troubleshoot your network; if these tools fall into the wrong hands, they can be used to damage and interrupt business productivity in your organization. Inappropriate use of network management tools (either by administrators themselves or by attackers gaining access to them) can reveal administrative credentials and other sensitive information about your network. Securing the network management process involves a delicate combination of managing people, technology, and policy; a well-designed plan takes each of these areas into account to ensure that the network remains secure. The Microsoft Management Console (MMC) is not an administrative tool itself, but it provides a framework for various utilities called snap-ins to manage various pieces of the Windows Server 2003 network. You can load a single snap-in...
The domain controller role introduces some security concerns that are not present in other roles. With other roles, much of the security configuration that we perform has to do with securing file systems and defining appropriate methods of authentication, followed by changes limiting local access to resources. These resources, of course, can be such things as files and folders, printers, and other resources we might choose to make available to the users from our organization or to the public, customers, or partners as appropriate to our particular needs and business. When we begin to look at securing the domain controller role, we must also consider what would happen if we were not successful or complete in the work we did to secure this role. Potential problems include exposure of our entire infrastructure and all its resources to attack, theft, or damage. This is because the DC is the role that provides the authentication piece for the security of all the other roles. If an attacker...
Windows XP and Windows Server 2003 include a host-based firewall, often referred to as distributed firewall software or a personal firewall, called Internet Connection Firewall (ICF); Windows 2000 did not ship one. Originally designed for home users, businesses found it useful to employ ICF to provide an additional layer of protection against attack. ICF is a basic firewall program designed to prevent basic intrusion, but it does not include the robust features of full firewall applications. Most third-party firewall applications protect computers from software that could violate user privacy (including spyware, Trojan horses, etc.) or allow an attacker to misuse the target computer. ICF does not provide these features.
In the previous section, we discussed password policies and account lockout policies that increase security over the default Windows Server 2003 settings. However, the standard account logon process is still fairly insecure due to the fact that a malicious attacker needs only a single piece of information, a password, to log on to the network. This problem is compounded by the fact that users or administrators probably would not detect a stolen password until after it had been used by a hacker to break into the system. Smart cards, which are similar in appearance to credit cards, solve both of these problems.
Always password-protect Remote Assistance. A Remote Assistance invitation that has no password associated with it might be intercepted by an attacker, giving him the capability to remotely interact with a server. For this reason, it is also important to set an expiration time on the invitation.
Using a smart card for network logons provides extremely strong authentication because it requires two factors something the user knows (the PIN), and something the user has (the smart card itself). This system provides stronger authentication than a password alone, since a malicious user would need to have access to both the smart card and the PIN in order to impersonate a legitimate user. It's also difficult for an attacker to perform a smart card attack undetected, because the user would notice that his or her smart card was physically missing.
Packet filtering is not a perfect security solution. It is still possible for intruders to attack a server using the ports and protocols that the firewall lets through, or to find a clever new way to bypass the filters you have in place. In some cases, packet filtering can be an ongoing battle of wits between the protector and a determined attacker. Every time the attacker finds a way to penetrate the filters, the system administrator modifies them to close the opening that is being exploited. Advanced packet filtering requires a detailed understanding of the TCP/IP protocols and the applications that use them.
An IPSec packet can use ESP by itself or in combination with AH. When a packet uses both protocols, the ESP header follows the AH header, as shown in Figure 12-7. Although AH and ESP perform some of the same functions, using both protocols provides the maximum possible security for a data transmission. When ESP computes its ICV, it calculates the value only on the information between the ESP header and trailer no IP header fields are included in an ESP ICV. Therefore, it is possible for an attacker to modify the contents of the IP header in an ESP-only packet, and have those changes go undetected by the recipient. AH includes most of the IP header in its ICV calculation, so combining AH with ESP provides more protection than ESP alone.
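A toy that makes the coverage difference concrete, added here as an example (it is not an IPSec implementation and not code from the page): HMAC-SHA256 stands in for the negotiated integrity algorithm, encryption is left out, and the IP header is reduced to a few named fields. Following RFC 2402, the AH check zeroes the mutable header fields (here TTL) before computing its ICV; following RFC 2406, the ESP check covers only the ESP header, payload and trailer. The key, addresses and payload are constructed.

```python
# Added example (not from the page): which bytes the ESP and AH integrity check
# values cover, and what that means for an attacker rewriting the IP header.
import copy
import hashlib
import hmac

KEY = b"demo-sa-integrity-key"  # constructed; would come from the IKE-negotiated SA


def _mac(*parts: bytes) -> bytes:
    return hmac.new(KEY, b"|".join(parts), hashlib.sha256).digest()


def esp_icv(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP: ICV over SPI, sequence number and (normally encrypted) payload only.
    Nothing from the IP header is included."""
    return _mac(b"ESP", spi.to_bytes(4, "big"), seq.to_bytes(4, "big"), payload)


def ah_icv(ip: dict, spi: int, seq: int, payload: bytes) -> bytes:
    """AH: ICV over the IP header with mutable fields (here TTL) set to zero,
    plus the AH header and everything after it."""
    return _mac(b"AH", ip["src"].encode(), ip["dst"].encode(), bytes([0]),
                bytes([ip["proto"]]), spi.to_bytes(4, "big"), seq.to_bytes(4, "big"), payload)


def build_packet(src: str, dst: str, payload: bytes, spi: int = 0x1001, seq: int = 1) -> dict:
    """A packet carrying both protections, as in the AH-then-ESP layout above."""
    ip = {"src": src, "dst": dst, "ttl": 64, "proto": 51}  # 51 = AH as the next header
    return {"ip": ip, "spi": spi, "seq": seq, "payload": payload,
            "esp_icv": esp_icv(spi, seq, payload),
            "ah_icv": ah_icv(ip, spi, seq, payload)}


def verify(pkt: dict):
    """Returns (ESP check passed, AH check passed)."""
    esp_ok = hmac.compare_digest(esp_icv(pkt["spi"], pkt["seq"], pkt["payload"]), pkt["esp_icv"])
    ah_ok = hmac.compare_digest(ah_icv(pkt["ip"], pkt["spi"], pkt["seq"], pkt["payload"]), pkt["ah_icv"])
    return esp_ok, ah_ok


def run_demo() -> dict:
    original = build_packet("10.0.0.5", "10.0.0.9", b"pop3-session-bytes")
    spoofed = copy.deepcopy(original)
    spoofed["ip"]["src"] = "10.0.0.66"            # attacker rewrites the source address
    routed = copy.deepcopy(original)
    routed["ip"]["ttl"] -= 1                       # a router decrements TTL in transit
    tampered = copy.deepcopy(original)
    tampered["payload"] = b"pop3-session-BYTES"   # attacker edits the payload
    return {"original": verify(original), "spoofed_src": verify(spoofed),
            "ttl_decrement": verify(routed), "payload_change": verify(tampered)}


if __name__ == "__main__":
    for name, (esp_ok, ah_ok) in run_demo().items():
        print(f"{name:14s} ESP ok={esp_ok}  AH ok={ah_ok}")
```

The spoofed_src row is the point of the paragraph: ESP alone is satisfied, AH is not. The ttl_decrement row shows why AH covers "most of", not all of, the header: fields that legitimately change in transit are excluded so that ordinary routing does not break the check.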
Although WEP with dynamic re-keying was, when this was written, considered secure enough to meet the needs of most organizations, WEP still has security weaknesses. WEP still uses a separate static key for broadcast packets. An attacker can analyze these broadcast packets to build a map of private IP addresses and computer names. WEP keys have to be renewed frequently, which places an additional burden on RADIUS services. Off the Record: Dynamic WEP is very secure. Its biggest weakness might be its bad reputation. Often, executives at a company won't allow a wireless deployment because they've heard about the ability for attackers to break through WEP security. Even though standard WEP is not at all easy to exploit, and almost impossible to exploit when dynamic re-keying is used, the publicity WEP's vulnerabilities have received makes WPA even more attractive. That judgement has not aged well: the key-recovery attacks published against WEP since then recover a static key from a few minutes of captured traffic, and WEP in any form, dynamic re-keying included, is now considered broken; WPA2 or later is the accepted baseline. There are two encryption options for WPA: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). TKIP is the encryption algorithm used by WEP,...
Previous versions of Windows could reveal more information than necessary to an attacker when public keys were used to authenticate IPSec connections, but Windows Server 2003 can be configured to exclude the name of the certification authority (CA) to prevent exposure of trust relationships. Now, you can use dynamic addressing to specify the addresses of DHCP servers, DNS servers, WINS servers, and default gateways in IP filters. This allows you to create more restrictive filters than you could with Windows XP or Windows 2000 computers, because you do not have to deploy different filters to different locations just because clients used different network configurations.
Security Alert: SSL certificates help reduce the risk of attacks against the Domain Name System (DNS). For example, an attacker could compromise your DNS server and add a DNS record for the FQDN www.microsoft.com so that it resolved to the IP address of a rogue Web site. When you went to visit http://www.microsoft.com, your requests would actually be sent to the rogue Web site. The rogue Web site could then collect any information you intended to send to www.microsoft.com, which might include personal information or credit card numbers. Over https, the rogue site cannot present a certificate for www.microsoft.com issued by a CA your browser trusts, so the browser warns you; the protection only holds if the connection is SSL and the user does not click through the warning.
Safeguarding the Active Directory database and log files is crucial to maintaining directory integrity and reliability. Moving the Ntds.dit, Edb.log, and Temp.edb files from their default locations will help to conceal them from an attacker if a domain controller is compromised. Furthermore, moving the files off the system volume to a separate physical disk will also improve domain controller performance. If an attacker does gain access to a domain controller, it is likely that the attacker will attempt to discover user credentials by using password-cracking software. The System Key utility (Syskey) provides an extra line of defense against offline password-cracking
For example, consider the common scenario of a user downloading e-mail from a server using Post Office Protocol version 3 (POP3). If IPSec is not enabled, the e-mail client software initiates a connection directly to the e-mail server software. The user name and password will be transmitted in clear text, so that anyone with a protocol analyzer such as Network Monitor can intercept the user's credentials. An attacker who has control of a router can modify the contents of the user's e-mail messages as they are downloaded without being detected.
Domain controllers are responsible for authenticating users on your network. In essence, they hold the keys to the kingdom. If an attacker compromises a domain controller, the attacker can use the information contained in Active Directory to map out network resources and might be able to use the information to access those resources.
Safeguarding DNS servers is essential to any environment with Active Directory because clients use DNS to find their Active Directory servers. When a DNS server is attacked, one possible goal of the attacker is to control the DNS information being returned in response to DNS client queries. In this way, clients can be misdirected to computers controlled by the attacker. Cache poisoning is an example of this type of attack. To use cache poisoning in an attack, an attacker inserts false information into the cache of a DNS server. This results in a legitimate DNS server returning incorrect results, thereby redirecting clients to unauthorized computers. The Windows Server 2003 DNS client service supports Dynamic DNS updates, which allow client systems to add DNS records directly into the database. Dynamic DNS (DDNS) servers can receive malicious or unauthorized updates from an attacker using a client that supports the DDNS protocol if the server is configured to accept unsecured updates....
You should use a firewall to limit the opportunity an attacker has to connect to your domain controllers. Use packet filtering to block all unnecessary traffic to and from your domain controllers. Domain controllers use several different protocols for communicating with clients and peers. Whenever possible, limit the communication so that only the necessary ports are opened between a domain controller and another computer. Table 4.1 shows common domain controller communications and the port numbers used.
When a WAP is configured to use MAC address filtering, it will ignore any messages from wireless cards that use a MAC address not on the approved list. While this does improve security, it has significant manageability drawbacks. First, you must manually maintain the list of MAC addresses on your WAP, which becomes impractical once you manage more than a dozen computers or multiple WAPs. Second, WAPs typically have limited memory and might not be able to store your organization's complete list of MAC addresses. Third, 802.11 frame headers, including the source MAC address, are never encrypted, so an attacker with a wireless sniffer can read an approved address off any frame and spoof it without breaking your WEP or WPA encryption at all. Disabling SSID broadcasts will prevent the casual computer user from discovering your network, but it does nothing to prevent a skilled attacker from detecting your network. For example, a user with the free Network Stumbler tool installed can quickly identify the SSID of a wireless network that...
For those of us responsible for managing the security of a network, wireless technologies expose severe security weaknesses that we have overlooked for years. Wired networks have relied on physical security to protect the privacy of communications. In other words, the only barrier preventing an attacker from capturing another user's traffic is being unable to physically connect to the user's network. Wired networks almost always rely only on physical security to authorize users to access the network. If you can reach an Ethernet port, you gain complete network access to most companies' intranets. Wireless networks have these weaknesses too, but they lack the inherent physical security of wired networks. In fact, most corporate wireless networks can be accessed by people with mobile computers in the business' parking lot. To make matters worse, attackers have significant motivation to abuse wireless networks. Accessing a wireless network might grant an attacker access to resources on...
Administrators tune the security of server roles to reduce the risk of a malicious attacker compromising a server. For client computer roles, security tuning tends to focus on reducing costs by restricting the desktop environment. Many of the most time-consuming help desk calls occur after a user installs non-standard hardware and software. Fortunately, Microsoft Windows clients that participate in an Active Directory directory service domain can be centrally configured and managed to provide administrators with very granular control over what users can and cannot do.
There are, however, many different types of security vulnerabilities. Some have known exploits that are propagating quickly, and it is critical that these vulnerabilities are quickly fixed. An exploit is code, or a tool, that takes advantage of a specific vulnerability; worms, viruses, and Trojan horses frequently carry exploits so that they can compromise vulnerable computers automatically. Others are less critical, and the risk of them being exploited isn't high enough to justify the cost of rapidly deploying an update. Vulnerabilities might only apply to a handful of computers on your network, or they might affect every system. To address the wide variety of vulnerabilities, Microsoft provides several different types of updates throughout the lifecycle of a supported product.
You should use SSL to authenticate your Web servers to the consumer to prevent man-in-the-middle attacks and to encrypt the communications to prevent eavesdropping. SSL only provides protection for the information in transit, however. The private information can still be exposed if your Web servers, or any other servers that have access to the information, are compromised by an attacker.
Answers a, d, and e: You can use either IPSec or SSL to authenticate your database server and encrypt the communications between the Web servers and the database servers. Additionally, you can physically secure the network hardware connecting the computers to reduce the opportunity that attackers have for eavesdropping. You can choose to use one, two, or all three of these mechanisms.
Although the role of a DHCP infrastructure server might seem mundane, a DHCP server can actually be used maliciously to compromise the security of DHCP client computers. DHCP clients trust the DHCP server that assigns an IP address to provide them with information about the default gateway and DNS servers. An attacker could place a DHCP server on a network segment and replace the default gateway and DNS server information with the IP addresses of computers owned by the attacker. These computers could then intercept all traffic from the client, allowing the traffic to be analyzed for confidential information and enabling man-in-the-middle attacks. Physical and network security is the only way to ensure that an attacker does not place a rogue DHCP server on your network. However, Windows Server 2003 can limit the
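A small detector for the rogue-DHCP attack just described, added as an example (not code from the page or from Windows Server 2003): it parses the DHCP options field of captured OFFER packets (RFC 2132 TLV encoding; option 3 is the router list, 6 the DNS server list, 53 the message type, 54 the server identifier) and flags any offer whose server, gateway or DNS addresses are not on the administrator's allowlist. The two offers are constructed byte strings, not real captures; only the options field is modelled, without the BOOTP header or the magic cookie that precedes the options on the wire, and the allowlisted addresses are invented.

```python
# Added example (not from the page): parse DHCP OFFER options and flag offers
# from servers, or pointing at gateways/DNS servers, that are not authorized.
import ipaddress

# Constructed allowlist: what this segment's legitimate DHCP server should hand out.
AUTHORIZED = {
    "servers": {"10.1.0.10"},
    "routers": {"10.1.0.1"},
    "dns": {"10.1.0.10", "10.1.0.11"},
}


def parse_options(data: bytes) -> dict:
    """Walk the TLV list: code, length, value. Code 0 is a pad byte, 255 ends the list."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def addresses(raw: bytes) -> list:
    """Options 3, 6 and 54 carry one or more 4-byte IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def check_offer(data: bytes):
    """None if the packet is not a DHCPOFFER; otherwise the list of problems (empty = clean)."""
    opts = parse_options(data)
    if opts.get(53) != b"\x02":  # message type 2 = DHCPOFFER
        return None
    server = addresses(opts.get(54, b""))
    routers = addresses(opts.get(3, b""))
    dns = addresses(opts.get(6, b""))
    problems = []
    if not set(server) <= AUTHORIZED["servers"]:
        problems.append("offer from unauthorized DHCP server %s" % server)
    if not set(routers) <= AUTHORIZED["routers"]:
        problems.append("unexpected default gateway %s" % routers)
    if not set(dns) <= AUTHORIZED["dns"]:
        problems.append("unexpected DNS servers %s" % dns)
    return problems


def opt(code: int, value: bytes) -> bytes:
    """Encode one TLV option (demo helper for building the sample packets)."""
    return bytes([code, len(value)]) + value


def ip4(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


# Constructed sample packets: a legitimate offer and one from an attacker's box
# that points gateway and DNS at itself, exactly the attack the text describes.
GOOD_OFFER = (opt(53, b"\x02") + opt(54, ip4("10.1.0.10")) + opt(3, ip4("10.1.0.1"))
              + opt(6, ip4("10.1.0.10") + ip4("10.1.0.11")) + b"\xff")
ROGUE_OFFER = (opt(53, b"\x02") + opt(54, ip4("10.1.0.200")) + opt(3, ip4("10.1.0.200"))
               + opt(6, ip4("10.1.0.200")) + b"\xff")

if __name__ == "__main__":
    print("good :", check_offer(GOOD_OFFER))
    print("rogue:", check_offer(ROGUE_OFFER))
```

Run against a capture filter of UDP source port 67 this catches the rogue server at the moment it answers a client, which is the only reliable signal on a segment where anyone can plug in; the server-identifier check alone is enough to catch a rogue box even when it copies the legitimate gateway and DNS values.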
You can click the Settings button on the General tab of the IP security policy properties dialog box to modify the key exchange settings. When you select the Master Key Perfect Forward Secrecy check box, IPSec will negotiate new master key keying material each time a new session key is required. This makes it more difficult for an attacker to decrypt your communications. However, it also adds performance overhead. If you do not select this check box, which is the default setting, new session keys will be derived from the current master key keying material a quicker process.
Can allow an attacker to send packets through a firewall, but it doesn't necessarily allow the attacker to establish a connection with a system on the internal network. ICF supports stateful inspection. Firewalls that include intrusion detection capabilities search through traffic and look for telltale signs of an attack taking place. They can then respond in real time by notifying an administrator, blocking access from the attacker's network, or issuing a counterattack. Intrusion detection is also useful because it includes extensive logging, which might be useful when identifying or prosecuting an attacker.
A. The bit number refers to the length of the encryption key. The more digits there are in a key, the longer it will take to guess that key by randomly trying different combinations. Stronger encryption techniques make it more difficult to extract the clear-text password through brute-force attacks. In other words, the stronger the encryption, the longer it should take for an attacker to compromise the encrypted password if every possible combination of passwords is to be tried in a given scenario.
It's a fairly bad idea to rely on ANI information for any type of authentication or caller verification. First, caller ID information can be forged. Therefore, if an attacker knew the telephone numbers from which your network accepted calls, they could make their ANI report as one of those numbers and be authenticated into the network.
Rename the Administrator and Guest accounts, change their descriptions, and use complex passwords. Do not use the same name and password on all servers, to prevent an attacker from gaining universal access if he or she can successfully crack one name/password set. The Guest account is disabled by default; ensure this setting is in place.
No matter what your plans for Incident Response are, you should disconnect any compromised machine from your network to
Once you've recognized that a security incident is taking place, you should gather as much information as possible about the attack, the attacker, and the system that's being targeted. Take a snapshot of the machine, preferably before rebooting it or removing it from the network, and record a list of all running processes, open network connections, and any files and directories that are being accessed or altered. As we mentioned in the last section, having a baseline to compare this to can be immensely helpful in discovering what has gone amiss on the system in question. You or your system administrators should know which processes and services should (and should not) be running on any production server, and you should also have an idea of what sort of network traffic is normal or acceptable in order to detect any anomalies. Before you begin the recovery process, you'll need to decide whether your primary goal is to restore the server to working order as quickly as possible, or to attempt...
Another security measure you can take specific to IIS servers is to place content on a dedicated volume. This prevents an attacker from accessing system files and other critical files that would otherwise be on the same volume as content you are providing to the public via Web services. Providing a dedicated volume with NTFS permissions will limit a hacker's access to critical files and information that could be used to get further into the network.
Today's networks are so diversified and large that it is imperative to understand the vulnerabilities that an attacker can use to create risks within your directory services architecture. One thing you should always keep in mind is that, with user accounts, usernames are easy to guess because they usually follow a predictable pattern such as first initial plus last name or some similar combination. You can make usernames harder to guess by, for example, appending the employee ID to the end of the username. Any additional information you add to the username that is unique to that user makes the username less vulnerable to being guessed. By doing this, even if an attacker knows that a particular person works for this company, he or she will still have to figure out the second ID appended to the username. Again, keep in mind you are trying to make it harder for a hacker to get any information that can help him or her compromise security on your network....
How do we protect the root CA from being compromised? The most common way for an intruder to hack into the CA is via a network attack. Networks in a large enterprise can be very complex; therefore, they are very difficult to maintain and audit. This can enable intelligent hackers to penetrate systems through unpatched or undetected loopholes. These loopholes could be as simple as a stolen access card belonging to a system administrator, or as sophisticated as a software algorithm that scans the open ports on an enterprise firewall. A successful attacker could retrieve the private key of the root CA and manipulate or destroy enterprise resources. The important fact is to protect the CA before an intruder strikes.
Placing a rogue AP within range of wireless stations is a wireless-specific variation of a man-in-the-middle attack. If the attacker knows the SSID the network uses (which, as we Using a rogue AP, an attacker can gain valuable information about the wireless network, such as authentication requests, the secret key that is in use, and so on. Often, the attacker will set up a laptop with two wireless adapters, in which the rogue AP uses one card and the other is used to forward requests through a wireless bridge to the legitimate AP. With a sufficiently strong antenna, the rogue AP does not have to be located in close proximity to the legitimate AP. For example, the attacker can run the rogue AP from a car or van parked some distance away from the building. However, it is also common to set up hidden rogue APs (under desks, in closets, and so on) close to and within the same physical area as the legitimate AP. Due to their virtually undetectable nature, the only defense against rogue APs...
Wireless technologies are inherently more vulnerable to attack due to the nature of the network transmissions. Wireless network transmissions are not physically constrained within the confines of a building or its surroundings; thus an attacker has ready access to the information in the wireless networks. As wireless network technologies have emerged, they have become the focus of analysis by security researchers and hackers, who have realized that wireless networks can be insecure and often can be exploited as a gateway into the relatively secure wired networks beyond them.
Get All The Support And Guidance You Need To Make Sure You Are Safe In This Crazy World! This Book Is One Of The Most Valuable Resources In The World When It Comes To The Art Of Self Defense The Easy Way! Try not to get ensnared in your own little bubble and be cognizant that there are people outside of your domain. Whether we like it or not there are individuals out there whose aims are not always advantageous.