Fake Out
A controlled security challenge still provides valuable lessons.
- By Dian Schaffhauser
- September 01, 2002
As you can tell, this month’s theme in the magazine is security. We offer
an extensive piece on intrusion detection software and look at four major
IDS offerings. And Roberta Bragg starts a sometimes-series on how to harden
the Windows network.
The timing is superb, because she and Senior Editor Keith Ward have just
wrapped up the MCP TechMentor Summit on Security. No doubt, if you get
on our Web site or receive our newsletters, you’ve read something about
the Windows Security Challenge. A team of experts spent the day hardening
a “typical” network, which included a Windows 2000 server, Exchange server,
SQL Server, IIS and ISA Server, using Microsoft security guidelines. Then
they invited the world to crack into it.
As Keith wrote in his online wrap-up story, “After 31 hours and 40,000
attacks, the Windows 2000 network set up and hardened...remained
uncompromised.”
Naturally, it was rigged. They called on some of the biggest names in
Windows security to effect the hardening—people who aren’t ordinary sys
admins and could really concentrate on the job at hand. Hackers had only
36 hours to crack in—hardly enough time to show real creativity with their
efforts. The system had no end-users, which eliminated a major set of
vulnerabilities. Attendees were discouraged from launching denial-of-service
attacks, as it would have stopped the game for everybody. And those of
us on site were barred from physically touching the network and, say,
walking off with a server.
So doesn’t that make the Challenge merely a meaningless exercise in control
freak behavior? Actually, even under those parameters, the endeavor showed
its weaknesses.
First, the first security guard hired to watch over the network kept
falling asleep. Second, in his exhaustion, one of the hardening experts
left a floppy disk with some passwords on it in one of the drives. Third,
an insider decided to gain physical access to the network in violation
of the stated rules. Security consultant Mark Burnett filled the new security
guard full of soda, waited until he had to go to the bathroom, and changed
the username and password for the administrator account on a server. Truly
cunning behavior.
Steve Riley, a Microsoft security expert who configured security for
the Exchange server, said the attack should serve as a warning to companies.
“The people with the broadest and most thorough access to your company
are the lowest-level employees, the security guards and janitors. It’s
something you’re going to have to think about.”
Even if you do consider the Challenge a fake structure, its artificiality
might be worth emulating. Nothing prevents you from organizing a team
of company experts to harden your Windows network. Concentrate on the
job for a day or a week—however long it takes. Impose restrictions to
reduce internal weaknesses. Figure out stronger separations between the
users and servers. Address the basics, which will take care of most of
the security problems your network will face.
I’d enjoy hearing how your company approaches the challenge of security.
I’m at [email protected].
About the Author
Dian L. Schaffhauser is a freelance writer based in Northern California.