g'day mates - I am harry brelsford, the author of Windows
Small Business Server 2003 Best Practices (the infamous purple
book). I am posting up a few pages per day of this book until
SBS 2008 ships for all of us SMB consultants, SBSers, and
Microsoft Small Business Specialists (SBSC). Enjoy the read!
Today I speak towards black hatting thyself, including packet
sniffing!
harrybbbbb
Harry Brelsford, ceo at smb nation, www.smbnation.com
###
Black Hat Thyself
So, you think you’re an SBS
security hot shot? Perhaps you are. One way to validate whether
you’re “hot or not” is to black hat yourself on
the inside and outside. That’ll tell you exactly how super
you are. In a nutshell, you’d download a port scanner such
as GFI’s LANGuard Network Security Scanner (www.gfi.com)
and run it against yourself. Figure 5-13 shows how such a scan on
the internal LAN might look (revealing tons of information) and
Figure 5-14 shows how such a scan might look when run over the
Internet, showing only the ports you opened via the EICW. (Talk
about a great way to validate your work!)
Figure 5-13
Black hattin' on the inside.
Visit www.microsoft.com/technet for the
latest updates for any Microsoft product.
Figure 5-14
Black hattin' on the outside.
BEST PRACTICE: Perform this activity on each SBS network
you work on (even if it’s only one). Hopefully, you
won’t be too surprised by the outcome (in general, SBSers
don’t like to be surprised in this area). If you’re a
consultant, share the outcome of this black hat exercise with
your clients.
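As an added illustration (not from the book, and not GFI LANguard's output format), the check below takes two constructed scan reports, one run from inside the LAN and one from the Internet, and compares the outside view against the ports you meant to open through the EICW. The report format, the addresses and the EICW port list are all assumptions.

```python
import re

# Constructed scan reports (assumption: this is NOT GFI LANguard's real
# output format). One SBS box scanned from inside the LAN, then from outside.
INTERNAL_SCAN = """\
192.168.16.2 TCP 25 open SMTP
192.168.16.2 TCP 80 open HTTP
192.168.16.2 TCP 135 open RPC
192.168.16.2 TCP 139 open NetBIOS
192.168.16.2 TCP 443 open HTTPS
192.168.16.2 TCP 445 open SMB
192.168.16.2 TCP 1723 open PPTP
192.168.16.2 TCP 3389 open RDP
"""
EXTERNAL_SCAN = """\
203.0.113.10 TCP 25 open SMTP
203.0.113.10 TCP 443 open HTTPS
203.0.113.10 TCP 1723 open PPTP
203.0.113.10 TCP 3389 open RDP
"""
# Placeholder: the ports you chose to open on the EICW's firewall pages.
EICW_OPENED = {25, 443, 1723}

LINE_RE = re.compile(r"^\S+\s+TCP\s+(\d+)\s+open\b")

def open_ports(report):
    """Return the set of TCP ports a scan report lists as open."""
    ports = set()
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports

def validate_exposure(internal_report, external_report, eicw_opened):
    """Compare the Internet-side view with what the EICW was told to open.
    unexpected:    reachable from outside but never opened via the EICW
    missing:       opened via the EICW but not reachable (service down/blocked)
    internal_only: visible on the LAN only, which is what you want for the rest
    """
    inside = open_ports(internal_report)
    outside = open_ports(external_report)
    return {
        "unexpected": sorted(outside - eicw_opened),
        "missing": sorted(eicw_opened - outside),
        "internal_only": sorted(inside - outside),
    }

if __name__ == "__main__":
    print(validate_exposure(INTERNAL_SCAN, EXTERNAL_SCAN, EICW_OPENED))
```

Anything in "unexpected" is a port the outside world can reach that you never asked the EICW to open, and that is exactly the surprise the exercise is meant to catch.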
Packet Sniffing
Talk about an MCSE-level exercise that works for us
SBSers as well: packet sniffing. Here you would install the
Network Monitor tool that is native to the underlying Windows
Server 2003 operating system, but not installed by default, and
then sniff around. To install the tool, perform the following
procedure:
1. Log on as Administrator on SPRINGERS1 (password is Husky9999!).
2. Click Start, Control Panel, Add or Remove Programs.
3. Select Add/Remove Windows Components.
4. Select Management and Monitoring Tools in the Windows Components Wizard.
5. Select Network Monitor Tools and click OK.
6. Click Next.
7. Insert Disc #1 when requested.
8. Click Finish.
In Figure 5-15, you can see what the results of a packet sniffing
session might look like. This tool can be used to troubleshoot
network problems (such as logon problems) and to search for rogue
devices (such as another server running network monitoring on your
network without your knowledge).
Figure 5-15
The three-finger salute of TCP/IP
session establishment is shown here in a Network Monitor session.
Look closely at the source and destination address columns
(packets 31-33).
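As an added example (not from the book and not part of Network Monitor), the script below walks a constructed list of frame summaries of the kind Figure 5-15 shows and picks out complete three-way handshakes: the SYN-ACK must reverse the source/destination pair and the sequence and acknowledgement numbers must line up, so a stray or unanswered SYN is reported separately rather than counted as a session. Addresses, frame numbers and field values are all constructed.

```python
# Constructed Network Monitor-style frame summaries (not a real capture):
# (frame, source, destination, TCP flags, sequence number, acknowledgement).
# Frame numbers 31-33 echo the figure purely for readability.
FRAMES = [
    (30, "192.168.16.2",  "192.168.16.50", "A",  900,  400),
    (31, "192.168.16.50", "192.168.16.2",  "S",  1000, 0),
    (32, "192.168.16.2",  "192.168.16.50", "SA", 5000, 1001),
    (33, "192.168.16.50", "192.168.16.2",  "A",  1001, 5001),
    (34, "192.168.16.50", "192.168.16.2",  "PA", 1001, 5001),
    (35, "192.168.16.77", "192.168.16.2",  "S",  7000, 0),   # never answered
]

def analyse_capture(frames):
    """Return (handshakes, unanswered).

    handshakes: list of (syn_frame, synack_frame, ack_frame) triples whose
                directions reverse correctly and whose ack == peer seq + 1.
    unanswered: client addresses whose SYN never drew a SYN-ACK (a closed or
                filtered port, or scan noise worth a second look).
    """
    pending = {}      # (client, server) -> ("syn", syn) | ("synack", syn, synack)
    handshakes = []
    for frame in frames:
        no, src, dst, flags, seq, ack = frame
        if flags == "S":
            pending[(src, dst)] = ("syn", frame)
        elif flags == "SA":
            state = pending.get((dst, src))           # reply flows back to client
            if state and state[0] == "syn" and ack == state[1][4] + 1:
                pending[(dst, src)] = ("synack", state[1], frame)
        elif flags == "A":
            state = pending.get((src, dst))
            if (state and state[0] == "synack"
                    and seq == state[1][4] + 1 and ack == state[2][4] + 1):
                handshakes.append((state[1][0], state[2][0], no))
                del pending[(src, dst)]
    unanswered = sorted(k[0] for k, s in pending.items() if s[0] == "syn")
    return handshakes, unanswered

if __name__ == "__main__":
    done, lonely = analyse_capture(FRAMES)
    print("handshakes:", done)          # [(31, 32, 33)]
    print("unanswered SYNs from:", lonely)
```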
BEST PRACTICE: I used this tool once in early 2003 to
investigate whether Microsoft automatic update sessions were
actually going out into the ether. A client, a well-known
Seattle-based author (not me!),
believed said updates were going to an
offshore site not controlled by Microsoft. The packet analysis
facilitated by the Network Monitor tool showed the fears were
unfounded. The client then rested easy and allowed his
workstation to be automatically updated. I kinda felt like one of
the central characters in an old US movie called Ghostbusters and
Network Monitor was my tool!
Spam Blocking
Spam blocking fits in the security chapter as well. The
malady of “spam” is well known to readers of this
book as unwanted e-mail traffic. In fact, the perception of
excessive spam on an SBS 2003 network can create unwarranted
criticism about SBS 2003 itself, which just isn’t fair.
Spam blocking can be divided into two discussion areas: content
filtering and attachment blocking.
Content Filtering
I’ve enjoyed great success using the GFI’s
MailEssentials spam blocking program, which more than anything
else flexes its muscles in the content filtering department. For
example, e-mails with the word “Viagra” are treated
as spam and processed accordingly, which might include deletion,
move to another folder, etc. MailEssentials is shown in Figure
5-16.
Figure 5-16
Meet MailEssentials from GFI. Note that this product is very
aggressive out of the box and will sometimes go too far,
filtering out legitimate messages.
BEST PRACTICE: Because of the false positives and
false negatives in the world of filtering junk e-mails, the
oft-cited security author Roberta Bragg insists that I tell you
to send filtered mail to a junk mailbox, instead of deleting it!
Right on, Roberta!
Another way to easily engage in a form of content
filtering is to utilize the junk mail feature in Outlook 2003.
This is a MAJOR IMPROVEMENT in Outlook 2003 and is discussed in
Chapter 6.
Attachment Blocking
Of course, the simplest way to invoke attachment blocking is to
complete the 15th page of the EICW titled “Remove E-mail
Attachments.” I’ll discuss that more in Chapter 6
when you and I look deeper at Exchange Server 2003.
But meet GFI’s MailEssentials once again. Assuming you own this
application for its effectiveness in the content filtering area,
then consider using it as your attachment blocking tool.
BEST PRACTICE: The above statement
raises the question about which attachment types to block if
you’re using a third party tool such as MailEssentials.
This list is easily created by looking at and copying the list
from the Remove E-mail Attachments page in the EICW.
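The content filtering and attachment blocking ideas above, as one added example that is neither the book's nor GFI's code: a small mail classifier that flags a keyword (the page's "Viagra" case) and blocked attachment extensions, and that never deletes, only routes to a junk mailbox, in line with the best practice above. The extension list is a placeholder standing in for whatever the EICW's Remove E-mail Attachments page lists, and the sample messages are constructed.

```python
import re
from email.message import EmailMessage

# Placeholder block list (assumption): on a real SBS 2003 box, copy the
# extensions listed on the EICW "Remove E-mail Attachments" page instead.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif"}
# Keyword content filter in the spirit of the page's "Viagra" example.
SPAM_KEYWORDS = {"viagra"}

def extension_of(filename):
    """Last extension, lower-cased. 'Invoice.PDF.EXE' is judged by '.exe';
    trailing spaces or dots used to disguise the extension are stripped."""
    m = re.search(r"\.[^.]*$", filename.rstrip(" .").lower())
    return m.group(0) if m else ""

def classify(msg):
    """Return ('junk' | 'deliver', reasons). Filtered mail is never deleted:
    'junk' means route to a junk mailbox so false positives can be recovered."""
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " +
            (body.get_content() if body else "")).lower()
    for word in SPAM_KEYWORDS:
        # word boundaries keep 'viagra' from matching inside other words
        if re.search(r"\b" + re.escape(word) + r"\b", text):
            reasons.append("keyword:" + word)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if extension_of(name) in BLOCKED_EXTENSIONS:
            reasons.append("attachment:" + name)
    return ("junk" if reasons else "deliver"), reasons

def build_message(subject, text, attachment=None):
    """Constructed sample mail; attachment is an optional (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    samples = (build_message("Cheap VIAGRA today", "Limited offer!"),
               build_message("Quarterly report", "See attached.",
                             ("Invoice.PDF.EXE", b"MZ\x90\x00")),
               build_message("Board minutes", "Attached.", ("minutes.doc", b"x")))
    for m in samples:
        print(m["Subject"], "->", classify(m))
```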
And yet another attachment blocking tool is contained within Outlook
2003 itself. Since I don’t want to spill the beans on
Chapter 6 yet, I’ll wait to discuss it there. Similarly,
you can use the SMTP application filter in ISA Server 2000 to
engage in both content filtering and attachment blocking
(discussed in Chapter 13).
BEST PRACTICE: I only cite GFI’s spam fighting tool because I
know it. The infamous Stu at Sunbelt Software in Tampa FL
(www.w2knews.com) markets effective spam blocking tools (“I
Hate Spam”) that deserve your purchasing consideration. The
SBS-related newsgroups are also a source of information for
third-party spam fighting applications (see Appendix A for this
information).
Virus Protection
So, would you consider virus protection a germane security topic? You
betcha! I’ll discuss this much more in Chapter 11 with some
step-by-step procedures using Trend Micro’s OfficeScan
suite solution, but I’d be remiss to have a security
chapter without emphasizing the importance of virus protection as
part of your comprehensive approach to security on your SBS 2003
network.
BEST PRACTICE: I’ll say it here and again later on. Virus
protection is only valid when the data files are up-to-date. More later.
SpyWare
If you want to be humbled in a hurry, download the spyware detection
applications from www.BulletProofSoft.com. Install its SpyWatch
and SpyWare Remover programs and then, when no one is your
witness, run these programs. You might be shocked to see
what’s been camping out on your SBS network without your
knowledge. Thanks to a student from the Louisville, KY hands-on
lab for that tip! Many apparently harmless Web sites accessed by
your users are really implementing click counters and
other spyware nasties. One of the all time greats (or
“worsts”) was Gator. An instructor with whom
I’ve previously worked on another tour had actually worked
for Gator during the dot-com boom and he sends his profound
apologies!
Visit www.smbnation.com for
additional SMB and SBS book, newsletter and conference resources.
FTP Site Notification
And now from the hallowed halls of the Harvard Law School! Did
you know that if you dig deep enough into the legal treatises of
the US jurisprudence system, you’ll find that long ago, a
hacker got off the hook because an FTP site at a company said
“Welcome!” Apparently the hacker claimed that he felt
invited in to poke around and destroy things. The legal lesson
learned here? Prevention! Make the introductory screen of your
FTP site say “Authorized Users Only!” or something
just as strong.