Hardening

When you install a new operating system, your security settings are all set to their default values. The same goes for installing a new web server or a browser. These settings need to be changed to harden the system against attacks or unauthorized access.

File Systems

When you install Windows, all versions have one thing in common: weak security. The obvious example is that after logging in, all users have full control (all permissions) at the root of every drive and at most of the drives' subdirectories and files. NT4 was the first Windows operating system to introduce a distinction between rights and permissions. A right allows the user to access the resources of the operating system itself, such as shutting down the system. A permission allows the user to access the file system's resources, such as reading and writing files. NT4 was also the first Windows product with DAC, which is discussed in more detail later in this chapter.

The Windows default for permissions is for the Everyone group to have full control from the root of each drive down. For a single user station, this is okay, but for a web server or file server, this is not acceptable. If you do not change the permissions, any user who logs in, no matter how, has full control. The easiest way to adjust these permissions is by using Windows Explorer as follows:

Step 1.	Right-click the folder for which you want to change the permission. The pull-down choices are displayed in Figure 7-1. Figure 7-1. Windows Explorer [View full size image]
Step 2.	Select Properties from the pull-down choices. The screen shown in Figure 7-2 displays this option. Figure 7-2. Properties Page
Step 3.	Click the Security tab. The screen shown in Figure 7-3 displays this tab. Figure 7-3. Security Tab

In Figure 7-3, you can see the default for Windows security. Every user logged in to the system has Full Control. This leaves the system wide open to any kind of unauthorized access. Therefore, you need to change those permissions. The case study in this chapter gives you an example of how to change these permissions.

There is much more to securing a web server than hardening the file system. Other things you need to do are

• Set account policies

• Edit group rights

• Rename critical accounts

• Turn on auditing

• Remove or disable unnecessary services

On the Microsoft website, you can find sample information on security. Here is a good starting point if you need additional information: http://www.microsoft.com/technet/Security/tools/default.mspx.

The first four items in the list of tasks for securing the web server will not be discussed in detail in this book.

The last item in the list of tasks for securing the web server is removing or disabling unnecessary services. When you start your PC, many services run in the background. Disable all services that you do not need. Table 7-1 lists the services that you can disable. This is not a complete list, so be careful when disabling these services. Some services might be needed for operation.

Table 7-1. Services

Service Name	Description
ClipBook Viewer[1]	Enables the ClipBook Viewer to create and share pages of data to be viewed by remote computers
Computer Browser	Maintains an up-to-date list of computers on your network and supplies the list to programs that request it
DHCP Client	Manages network configuration by registering and updating IP addresses and Domain Name Server (DNS) names for this computer
DHCP Server	Allocates IP addresses and allows the advanced configuration of network settings
DNS Server	Enables DNS name resolution
Fax Service	Enables you to send and receive faxes
File Server for Macintosh	Enables Macintosh users to store and access files on this Windows server machine
Gateway Service for Netware	Provides access to file and print resources on NetWare networks
Internet Connection Sharing	Provides NAT, addressing, and name resolution services for all computers on your home network
NetMeeting Remote Desktop Sharing	Allows authorized users to remotely access your Windows desktop
Print Server for Macintosh	Enables Macintosh clients to route printing to a print spooler located on a computer running Windows 2000 server
Print Spooler	Queues and manages print jobs
Remote Access Auto Connection Manager	Brings up a dialog box that offers to make a dialup connection to a remote computer when no network access exists
RPC Locator	Provides the name service for RPC clients
Remote Registry Service	Allows remote Registry manipulation
Routing and Remote Access	Offers routing services in local area and WAN environments
RunAs Service	Allows you to run specific tools and programs with different permissions than your current logon provides
SAP Agent	Advertises network services on an IPX network
SMTP	Transports e-mail across the network
Simple TCP/IP Services	Implements support for Echo, Discard, Character Generator (CharGen), Daytime, and Quote of the day (QOTD)
Smart Card	Manages and controls access to a smart card
TCP/IP Print Server	Enables TCP/IP-based printing
Telephony	Provides Telephone API (TAPI) support for programs that control telephony devices
Telnet	Allows a remote user to log on to the system and run console programs using the command line
Windows Time Service	Sets the computer clock

^[1] Using ClipBook Viewer, you can cut or copy information from another program and store it in a page that you can name, save, use again, and share with others.

DAC is a means of restricting access to information based on the identity of users and membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials presented at the time of authentication (username, password, hardware/software token, and so on). In most typical DAC models, owners of information or resources can change permissions at their discretion (thus the name). DAC's drawback is that administrators cannot centrally manage these permissions on files and information stored on the web server. A DAC access control model often exhibits one or more of the following attributes:

• Data owners can transfer ownership of information to other users.

• Data owners can determine the type of access given to other users (read, write, copy, and so on).

• Repetitive authorization fails to access the same resource, or an object generates an alarm and restricts the user's access if auditing is turned on.

• Special add-on or plug-in software must be applied to an HTTP client to prevent indiscriminant copying by users (cutting and pasting of information).

• Users who do not have access to information should not be able to determine its characteristics (file size, filename, directory path, and so on).

Web Servers

A freshly installed web server is a completely defenseless platform. Before you can start using it as a web server, you need to secure it. This section shows you how. After the web server is installed, you can take several steps to secure it: You can prevent access to the server, and you can enable logging to monitor events on your web server.

Logging

Logging is an essential part of maintaining a secure web environment. To enable logging, open Internet Information Services in the Administrative tools menu, expand the tree, right-click Default Web Site, and choose Properties. Then click the Web Site tab to see the screen shown in Figure 7-4.

Near the bottom of the page, make sure that the Enable Logging check box is enabled. Internet Information Services (IIS) supports four log file formats, each with varying types and quantities of data collected. The default, W3C Extended Log File Format, is the most detailed. Now you can click Properties to bring up the screen in Figure 7-5.

In Figure 7-5, you can see that, by default, a new log file will be created every day. The default log file directory is %WinDir%\System32\LogFiles; however, you should change this to point to somewhere elsepreferably to another server. Log files should preferably be archived offline. Intruders usually hide their tracks by altering or deleting the log file. If intruders take control of your PC, a log in this location is vulnerable.

Restricting Access

You can restrict access to a website or to a specific folder of a website on a user-by-user basis or based on IP addresses. To configure access for user authentication, start the Internet Service Manager. Right-click the folder you want to use for basic authentication, which brings up a screen similar to Figure 7-6.

On that screen, select the Directory Security tab. This brings you to a screen like the one in Figure 7-7, where you can edit the authentication method, IP address, or domain name restrictions.

Click Edit for the anonymous access and authentication control to select the authentication method you want to use for that folder, as shown in Figure 7-8.

On the Authentication Methods screen, you can check boxes to indicate that anonymous access is allowed or to select basic authentication, for which the password is sent in clear text. You can also select to have integrated Windows authentication. To use integrated Windows authentication, add all the different users in Windows because IIS uses integrated Windows authentication to grant access to the website.

Access can also be controlled based on a PC's IP addresses. You can set specific addresses, address ranges, or DNS names from which access is either allowed or denied. After you click Edit IP addresses and domain name restrictions, you see a page, as shown in Figure 7-9.

This dialog box needs careful reading. It either grants (the default) or denies access to all addresses except those you add manually. When you click Add, you see a screen as shown in Figure 7-10.

If you want to deny only one particular address, select Single computer; however, you can also restrict access to a group of computers or to a domain name. You can repeat these steps to exclude more than one domain or range.

Browsers

We all use browsers these days, and most of us run third-party plug-ins. This is not necessarily dangerous, but it is always better to keep in mind that malicious people can write plug-ins, too. The most popular scripting languages used for writing plug-ins today are the following:

• Java

• JavaScript

• VBScript

• ActiveX

Be very careful when installing plug-ins, just as you should be when downloading any software program from the Internet.

Security Zones

Because most people using the Internet today use Microsoft Internet Explorer to browse web pages, this chapter covers only that program. Internet Explorer has four zones of security. When you access a resource on another machine, the other machine's zone relative to yours is determined, and the restrictions placed on that zone control the interaction with that resource. Users can set the security policy on their computer. The four zones are as follows:

• Internet Contains all websites that are not placed in another zone.

• Local Internet Contains all the websites that are on your company's intranet. Here, you find all sites that have the same domain name as the one your PC is using.

• Trusted sites Contains websites that you trust not to damage your data. If you want to have trusted sites, you need to add them manually.

• Restricted This zone contains websites that you do not trust because they could potentially damage your data. This is also a list created manually.

To change the settings for these four zones in Internet Explorer, choose Tools > Internet Options. On the page that appears, select the Security tab, and you see a page as shown in Figure 7-11.

As you can see in Figure 7-11, there are four predefined security levels. In addition, you have the ability to customize the settings for any or all the zones. Of the web content zones shown in Figure 7-11, the Internet zone is the one you need handle most carefully. The default setting here is Medium, which is not so secure for the World Wide Web. Table 7-2 lists all the security levels with a brief explanation of their purposes.

Table 7-2. Predefined Security Levels for Internet Explorer

Level	Description
High	This is the safest way to browse but also the least functional. Less secure features are disabled. Cookies are disabled. (Some websites do not work.) This is appropriate for sites that might have harmful content.
Medium	Browsing is safe and still functional. Prompts before downloading potential unsafe content. Unsigned ActiveX controls are not downloaded. This is appropriate for most Internet sites.
Medium-low	This is the same as Medium without prompts. Most content is run without prompts. Unsigned ActiveX controls are not downloaded. This is appropriate for sites on your local network (intranet).
Low	Minimal safeguards and warning prompts are provided. Most content is downloaded and run without prompts. All active content can run. Appropriate for sites that you absolutely trust.

Because you cannot set the security level for the Internet zone to High, you must change the custom level. After you click the Custom Level button, you see a screen similar to that in Figure 7-12.

The window that appears has several items you can change, such as the following:

• ActiveX controls and plug-ins

• Cookies

• Downloads

• Microsoft VM

• Miscellaneous

• Scripting

• User authentication

Figure 7-12 shows Scripting. On this screen, you first change the custom settings on the bottom of the screen from Medium to High. At this point, you receive a warning asking if you are sure that you want to make this change. After you click Yes, you can take another look at the scripting options, as shown in Figure 7-13.

As you can see, some settings have changed. All the scripting items have been disabled. Be sure to check your browser every time you install a new version to ensure that these settings are correct. By disabling some features, such as ActiveX, you can occasionally cause a web page to generate an error. Most of the time, it is better to have that error than to let ActiveX run, but in some cases, you know the ActiveX controls can be trusted, and you need to let them work. You can do this by making the site a trusted site and by setting trusted site security so that ActiveX can run. To do that, you need to go back to the Security page of the Internet Options. After you click Trusted sites, you see a page as shown in Figure 7-14.

The default security for a trusted site is Low. You can set security to Medium-low or Medium to increase security. On that same page, you also need to add the site you trust. To do that, click Sites, which brings you to a screen as shown in Figure 7-15.

On that screen, you need to clear the check box requiring HTTPS, type in the domain of the site you trust, and then click Add. At this point, if you try to reload the page with the ActiveX content, it works and the content is visible.

Cookies

As you might already know, HTTP is a stateless protocol. Every time you visit a website, it looks as if that visit to the website is your first because HTTP does not keep track of your web history. To simulate a stateful environment, the HTTP protocol includes features such as cookies. There are two types of cookies:

• Session cookie This cookie is created to keep track of what you buy when, for example, you visit an e-commerce website where you use a shopping cart. After you check out from that website, the session cookie is deleted from your browser memory.

• Persistent cookie When you go to a website and see a personalized welcome message, you know that a persistent cookie is on your PC. These cookies contain information about you and your account. Often, that information is a key that is related only to a database with your profile.

You can manage cookies in several ways. You can delete all your cookies, or you can configure your browser to not accept cookies at any time. This would make browsing the Internet rather difficult because many sites need cookies to function properly. A better solution would be to force all your cookies to be session cookies. You can do this by making the folder where the cookies are stored read-only. Your browser will accept them but will be unable to save them to disk.