14.6 Recommendations

Upon performing the assessment exercise, and qualifying the vulnerabilities at hand, a plan should be put forward to improve security. Recommendations fall into two categories: quick wins and long-term recommendations.

14.6.1 Quick Win Recommendations

The quick win recommendations for the immediate improvement of security in this case are as follows, broken down by target host.

Cisco IOS router

A router Access Control List (ACL) should be implemented to prevent public access, particularly to the Telnet and SNMP services. NTP doesn't pose a security issue within Cisco IOS at the time of writing, although it would be diligent to filter access to this service also.

Solaris mail server
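The following Cisco IOS configuration is an added example of the ACL recommended above; it is not from the book. The trusted management hosts (192.0.2.10 and 192.0.2.11) are constructed placeholders, Serial0 is assumed to be the Internet-facing interface, and the SNMP community string is a placeholder to be replaced. It filters Telnet, SNMP and NTP at the interface and then restricts the same services again at the VTY lines, the SNMP agent and the NTP server, so a later change to the interface ACL does not silently re-expose them.

```cisco
! Added example, not from the book. 192.0.2.10/.11 are constructed
! placeholders for trusted management hosts; Serial0 is assumed to be
! the Internet-facing interface.
ip access-list extended INTERNET-IN
 remark Management protocols only from trusted hosts
 permit tcp host 192.0.2.10 any eq telnet
 permit tcp host 192.0.2.11 any eq telnet
 permit udp host 192.0.2.10 any eq snmp
 permit udp host 192.0.2.10 any eq ntp
 remark Log and drop everyone else reaching these services
 deny   tcp any any eq telnet log
 deny   udp any any eq snmp log
 deny   udp any any eq ntp log
 remark Remaining traffic is permitted here; tighten as the site requires
 permit ip any any
!
interface Serial0
 ip access-group INTERNET-IN in
!
! Defence in depth: the services check the source themselves as well.
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
line vty 0 4
 access-class 10 in
 transport input telnet
snmp-server community <RO-COMMUNITY-PLACEHOLDER> RO 10
ntp access-group serve-only 10
```

Because the interface ACL ends in `permit ip any any`, it only closes the three services the assessment flagged; the `log` keyword on the deny entries gives the router's syslog a record of who is probing them, which is the detection half of the recommendation.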

Public access to the OpenSSH service should be filtered, allowing only trusted hosts to connect. OpenSSH should also be upgraded to the latest stable release (3.7.1p2 at the time of writing, available from http://www.openssh.com), to negate the risks posed by the four remote memory manipulation attacks, and the one user enumeration bug.

The Sendmail service should be upgraded to the latest stable release (8.12.10 at the time of writing, available from http://www.sendmail.org) to negate the risks posed by the recent prescan() vulnerabilities that can permit a remote compromise. A catch-all email account should also be implemented so that RCPT TO: local user enumeration attacks are no longer effective.

Windows 2000 web server

Basic hardening of the IIS 5.0 web service ensures that bugs in components and subsystems that are rarely used aren't remotely exploitable. In particular, the following should be undertaken in this case:

  • Install the latest Windows 2000 service pack and IIS 5.0 security hot fixes.

  • Disable unnecessary ISAPI extensions, including .ida, .idq, and .printer.

  • Install Microsoft URLScan to filter requests and block dangerous HTTP methods.

Disable unnecessary ISAPI extensions

You can disable unnecessary ISAPI extensions by clicking through the following Internet Services Manager (ISM) menus and options:

  1. Click into the machine you want to configure under the ISM.

  2. Right-click on the web service instance ("Default Web Site" if installed out-the-box).

  3. Select Properties.

  4. Click the Home Directory tab.

  5. Click Configuration...

  6. Select the ISAPI extensions you wish to remove, as shown in Figure 14-2.

Figure 14-2. Removing ISAPI extensions through the ISM

Install URLScan to block HTTP methods and filter requests

You can disable support for unnecessary HTTP methods (also known as HTTP verbs), and provide ongoing filtering and protection of the IIS web service, by using the Microsoft URLScan tool, available from http://www.microsoft.com/technet/security/tools/URLScan.asp.

By default, URLScan allows only the GET, HEAD, and POST methods to be used and rejects requests for .printer, .ida, .idq, .htr, .htw, and many other unnecessary files. The configuration file can be modified to provide more or less protection, accessible at %windir%\system32\inetsrv\urlscan\urlscan.ini.
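As an added illustration of the configuration file described above (not the tool's shipped default file), the following urlscan.ini keeps the allow-list stance for verbs and tightens the rest. Only the sections shown are included and the list contents are illustrative; the `RemoveServerHeader=1` setting is an assumption added here rather than a default.

```ini
; Added example, not the shipped urlscan.ini. Sections and keys are those
; the tool reads; list contents are illustrative, not exhaustive.
[options]
; Allow-list stance: only verbs under [AllowVerbs] are accepted. The weaker
; alternative, UseAllowVerbs=0, accepts every verb not listed in [DenyVerbs],
; so any verb the administrator forgot to list gets through.
UseAllowVerbs=1
; Extensions remain a deny-list here; on a site whose content types are fixed,
; set UseAllowExtensions=1 and populate [AllowExtensions] instead.
UseAllowExtensions=0
; Canonicalise the URL before checking it, and reject requests whose
; normalisation is not stable (a sign of encoding tricks).
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
; Assumption: also strip the Server: banner.
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
; Ignored while UseAllowVerbs=1; kept so the file stays safe if that is flipped.
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
SEARCH
TRACE

[DenyHeaders]
; WebDAV and source-disclosure related request headers
Translate:
If:
Lock-Token:

[DenyExtensions]
; Extensions mapped to rarely used ISAPI filters
.ida
.idq
.htw
.htr
.idc
.printer
; Executables and sensitive files that should never be served
.exe
.bat
.cmd
.com
.ini
.log
.pol
.dat

[DenyUrlSequences]
..
./
\
:
%
&
```

After editing the file, the IIS service must be restarted for URLScan to reload it; the URLScan log in its own directory records every rejected request, which is useful both for tuning false positives and for spotting scanning activity.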

14.6.2 Long-Term Recommendations

Long-term recommendations often relate to the entire network, its topology, and more importantly, the nature of the environment and organization. In this case, due to the simplicity of the target network and its small number of hosts, I have no long-term strategic recommendations. However, in large and more complex environments, the following are my long-term recommendations.

Implementing aggressive egress network filtering

Outbound traffic sent from publicly accessible servers to the Internet or other untrusted networks should be filtered. Often, corporate firewalls perform no filtering of outbound traffic flowing from Web, FTP, mail, and other servers. Allow only traffic to specific destination ports to be sent outbound; this resists the connect-back shellcode and grappling hooks used by hackers and worms, including TFTP used to transfer files.
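The following Cisco IOS ACL is an added example of the egress policy described above; it is not from the book. All addresses are constructed: 192.0.2.0/24 is the DMZ, 192.0.2.25 the mail server, 198.51.100.53 the ISP resolver, and Ethernet1 is assumed to be the router interface facing the DMZ, so an ACL applied "in" on it governs traffic the servers themselves send. The default-deny at the end is what stops a compromised server from fetching tools or calling home on an arbitrary port.

```cisco
! Added example, not from the book. Addresses are constructed placeholders;
! Ethernet1 is assumed to face the DMZ, so "in" = traffic leaving the servers.
ip access-list extended DMZ-EGRESS
 remark Replies to connections that outside clients opened to our servers
 permit tcp 192.0.2.0 0.0.0.255 any established
 remark Only the mail relay may initiate SMTP to the Internet
 permit tcp host 192.0.2.25 any eq smtp
 remark DNS lookups only to the designated resolver
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq domain
 remark Anything else a server initiates (TFTP, connect-back shells on
 remark arbitrary ports, worm propagation) is dropped and logged
 deny   ip any any log
!
interface Ethernet1
 ip access-group DMZ-EGRESS in
```

The `established` entry matches only TCP segments with ACK or RST set, so a server can answer connections made to it but cannot open new ones except where explicitly permitted; the logged denies are worth alerting on, since a DMZ host that suddenly tries to speak TFTP or IRC outbound is a strong compromise indicator.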

Enforcing a single point of entry into the corporate network for remote users

There can be many entry points (including SSH, Telnet, VNC, Terminal Services, etc.) that are difficult to control and keep secure. Consolidating remote access onto a single VPN gateway with strong authentication greatly improves resilience.

Simplifying the network topology, operating platforms, and services

Environments with many different operating platforms and versions of server software are more often open to attack. For example, a network with five web servers is easily managed and secured if the operating systems and server software are the same, as opposed to one Apache 1.3.24, two IIS 4.0, and two IIS 5.0 servers.

Implementing resilience to brute-force attacks

By enforcing strong passwords across the network and implementing logging and auditing of all accessible services (including POP3 and the other services commonly targeted for brute force), brute-force attacks can be identified and managed.
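The identification half of this recommendation is what the logging and auditing buy you. The script below is an added example, not from the book: it correlates failed-login events per source address over a sliding time window and distinguishes a brute force against one account from a username spray across many. The log lines are constructed to resemble sshd and a generic POP3 daemon's failure messages, and the year 2004 is an assumption because syslog timestamps carry none.

```python
"""Detect brute-force and username-spraying logins from syslog-style records.

Added example, not from the book. SAMPLE_LOG is constructed; the failure
patterns mimic sshd and a generic POP3 daemon. ASSUMED_YEAR is an assumption
because syslog lines carry no year.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar 14 02:10:01 mail sshd[4011]: Failed password for root from 198.51.100.7 port 40210 ssh2
Mar 14 02:10:02 mail sshd[4011]: Failed password for root from 198.51.100.7 port 40211 ssh2
Mar 14 02:10:03 mail sshd[4011]: Failed password for admin from 198.51.100.7 port 40212 ssh2
Mar 14 02:10:04 mail sshd[4011]: Failed password for oracle from 198.51.100.7 port 40213 ssh2
Mar 14 02:10:05 mail sshd[4011]: Failed password for test from 198.51.100.7 port 40214 ssh2
Mar 14 02:10:06 mail sshd[4011]: Failed password for guest from 198.51.100.7 port 40215 ssh2
Mar 14 02:15:00 mail sshd[4020]: Failed password for bob from 203.0.113.5 port 51000 ssh2
Mar 14 02:15:40 mail sshd[4022]: Accepted password for bob from 203.0.113.5 port 51001 ssh2
Mar 14 03:00:00 mail pop3d[5100]: LOGIN FAILED, user=alice, ip=[203.0.113.9]
Mar 14 03:00:01 mail pop3d[5100]: LOGIN FAILED, user=alice, ip=[203.0.113.9]
Mar 14 03:00:02 mail pop3d[5100]: LOGIN FAILED, user=alice, ip=[203.0.113.9]
Mar 14 03:00:03 mail pop3d[5100]: LOGIN FAILED, user=alice, ip=[203.0.113.9]
Mar 14 03:00:04 mail pop3d[5100]: LOGIN FAILED, user=alice, ip=[203.0.113.9]
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>\w+)\[\d+\]: (?P<msg>.*)$"
)
# One failure pattern per daemon; extend this tuple for other services.
FAILURE_RES = (
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"LOGIN FAILED, user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]"),
)
ASSUMED_YEAR = 2004  # assumption: syslog has no year field


def parse_failures(lines):
    """Return (timestamp, service, source_ip, username) per failed login."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for pattern in FAILURE_RES:
            f = pattern.search(m.group("msg"))
            if f:
                ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}",
                                       "%Y %b %d %H:%M:%S")
                events.append((ts, m.group("svc"), f.group("ip"), f.group("user")))
                break
    return events


def detect_brute_force(lines, threshold=5, window_seconds=60, spray_users=3):
    """Alert once per (service, source) when `threshold` failures fall inside
    a sliding window of `window_seconds`. If those failures hit `spray_users`
    or more distinct accounts, report username spraying; otherwise a
    brute force against a single account."""
    recent = defaultdict(deque)  # (service, ip) -> deque of (ts, user) in window
    alerted = set()
    alerts = []
    for ts, svc, ip, user in sorted(parse_failures(lines)):
        key = (svc, ip)
        window = recent[key]
        window.append((ts, user))
        # Drop events older than the window; the newest entry always stays.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            users = {u for _, u in window}
            alerts.append({
                "service": svc,
                "source": ip,
                "failures": len(window),
                "distinct_users": len(users),
                "pattern": ("username spraying" if len(users) >= spray_users
                            else "single-account brute force"),
                "first": window[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"{a['service']:6} {a['source']:15} {a['failures']} failures against "
              f"{a['distinct_users']} account(s): {a['pattern']}")
```

Run against the constructed sample, the script flags the SSH source that tried six accounts in six seconds as spraying and the POP3 source hammering one mailbox as a single-account brute force, while the user who mistyped once and then logged in is left alone. In practice the same loop is fed from the central syslog host, and the threshold and window are tuned per service so that legitimate retry behaviour stays below them.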