Web Security Information


1) Securing the Windows Operating System
1) Minimum installation for servers. Do not run any unnecessary services.
2) The default installation is insecure, i.e. change the Winnt directory name at install time.
3) Do not install two copies of Windows NT on the same computer; this can lead to many security problems.
4) Make sure that you install the most recent Service Pack before you install any of the hot fixes (do it on a test system first).
5) Protect yourself with multiple virus protection programs from different vendors (on different servers and desktops).
6) Disable inbound and outbound traffic on your external connections for TCP and UDP ports 135, 137 and 139 and UDP port 138 (only allow the ports that are absolutely necessary).
7) If you need RAS, make sure that you have Microsoft encrypted authentication on the RAS server and on all clients to avoid sending unencrypted passwords over the wire (PPTP).
8) All diskettes, CDs and attachments from an external source (including home PCs) must be scanned.
9) Physically secure all servers. Some security in the work office area is recommended.
10) Do not let users open unsolicited e-mail attachments without verifying their source and checking their content first.
11) A common mistake: failing to install security patches, especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.
12) A common mistake: installing screen savers or games from unknown sources. Don't let users download anything from the Net.
13) Make sure you regularly back up data and the operating system (OS once a week) and test backups by restoring some files.
14) A common mistake: using a modem while connected through a local area network.
15) Use switches, not hubs, to stop someone from sniffing your network.
16) Use a reputable firewall at any access point to the Internet. This includes home PCs.
17) Teach, educate and remind your users of the need for security.
2) A checklist for securing your IIS Server Sites
1) Install minimal required Internet services.
2) If you need to run Internet Information Server (IIS), make sure that you block the known vulnerabilities outlined above and that IIS runs on a stand-alone machine.
3) Set appropriate authentication methods.
4) Set appropriate IIS log file ACLs.
5) Enable website logging.
6) Set IP address/DNS restrictions.
7) Validate executable content for trustworthiness.
8) Set up Secure Sockets Layer (SSL).
9) Remove non-trusted root certificates.
10) Install IIS on an NT stand-alone server outside the domain.
11) Install intrusion detection software.
12) Have an updated ERD (run RDISK /S-) if applicable to your version.
13) Stay on top of critical updates and security patches.
14) Use NTFS format and permissions; limit write access on the Web server.
15) Remove c:\inetpub\ and iissample; put your website in a folder with a unique name.
16) Rename the Administrator account.
17) Run Passprop (Resource Kit) against the admin account (this enables the admin account to be locked out on remote logons); see MS Knowledge Base article Q151082.
18) Use very complex and long passwords to stop password-cracking software.
19) Unbind NetBIOS from TCP/IP.
20) Disable TCP/IP routing.
21) Enable auditing of failed logon/logoff.
22) Enable TCP/IP filtering/blocking [only ports 80 and 443 (if running SSL)].
23) Set appropriate authentication levels.
24) Install minimum services.
25) Once a week, check your Administrators group and list of services. Any service with the word "daemon" in its name probably isn't native to Windows.
26) Make sure you have a written security policy with corporate backing. It doesn't make sense to lock down a machine if the higher-ups haven't recognized the Web server as an asset to be protected.
27) Get rid of your Outlook Web Access (OWA). You have an antivirus program and content filtering on e-mail to block virus attachments, but when you allow OWA, you also allow users to go around all of that security.
28) Use the IIS Lockdown tool.
29) Uninstall FTP and SMTP if you don't use them. Most people today use HTTP for file transfers.
30) Once a week, search for *.bat and *.exe files to see whether any unexpected executables are on the Web server(s).
31) IIS security allows you to deny specific IP addresses, a subnet, or even a domain name. Check your log files to see who is trying to hack you.
32) Disable the TSInternetUser account unless you really need it.
33) On the Web server, run netstat -an at the command line. Observe the IP addresses that are connected to your machine. If you see IP addresses connected at a port number higher than 80, investigate.
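A defender-side version of the netstat check in item 33, added here as an example and not part of the original page: it parses netstat -an output (the sample below is constructed) and lists established connections on local ports other than the 80/443 that item 22 of the checklist leaves open.

```python
import re

# Constructed sample of "netstat -an" output from a Web server (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  TCP    192.0.2.10:443         198.51.100.8:51301     ESTABLISHED
  TCP    192.0.2.10:139         198.51.100.9:1041      ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.5:2201       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Local ports a locked-down Web server is expected to serve (80, plus 443 for SSL).
ALLOWED_LOCAL_PORTS = {80, 443}

# One netstat row: proto, local ip:port, foreign ip:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # heading, column header or blank line
        proto, lip, lport, rip, rport, state = m.groups()
        rows.append((proto, lip, int(lport), rip, rport, state or ""))
    return rows

def suspicious_connections(text, allowed=ALLOWED_LOCAL_PORTS):
    """Established TCP connections to local ports the Web server should not be serving.
    Returns (local_port, remote_ip) pairs to investigate; listening sockets are ignored."""
    hits = []
    for proto, _lip, lport, rip, _rport, state in parse_netstat(text):
        if proto == "TCP" and state == "ESTABLISHED" and lport not in allowed:
            hits.append((lport, rip))
    return hits

if __name__ == "__main__":
    for port, peer in suspicious_connections(SAMPLE_NETSTAT):
        print(f"investigate: {peer} is connected to local port {port}")
```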

3) Securing your Web Server
START SECURING AT INSTALLATION
- Do all installation, setup and patching while the server is NOT connected to ANY network.
- Never upgrade a Web server; always do a clean install.
- Set the appropriate directory access control lists (ACLs) (Default Security Template).
- Don't make the Web server a member of your domain.
- Make sure the administrative account name and password are different from those on all other servers.
- Install all patches and security fixes before installing Web services.
- After installing Web services, disable the Web services and apply all patches and security fixes.
- Partition the IIS server so the content of each service (WWW, FTP, etc.) is located on a separate partition or disk.
- LOCK DOWN SERVICES. You can disable the following services:
* Alerter
* ClipBook Server
* Computer Browser
* DHCP Client
* Distributed File System
* Distributed Link Tracking Client
* FTP Publishing Service (Disable unless users require FTP services.)
* IPSec Policy Agent (Disable unless using IPSec policies.)
* Licensing Logging Service
* Logical Disk Manager Administrator Service
* Messenger
* Net Logon (Disable unless domain users are required to log on to the server.)
* Network DDE
* Network DDE DSDM
* Print Spooler
* Remote Registry Service
* Removable Storage
* RPC Locator (Disable unless users require remote administration.)
* RunAs Service
* Server Service (Disable unless the server runs SMTP or NNTP.)
* Task Scheduler
* TCP/IP NetBIOS Helper
* Telephony
* Windows Installer
* Windows Time
* Workstation Service (Disable unless the server is part of a domain.)
- Remove all of the sample directories and sample scripts:
* \\InetPub\iissamples
* \\InetPub\AdminScripts
* \%Systemroot%\help\iishelp
- Secure your directories and user permissions:
- By default, IIS creates the IUSR_computername account.
- Under the security settings for this account, select the User Cannot Change Password and Password Never Expires options.
- This account should be a local account with only the right to log on locally.
- Remove all other user rights from this account.
- Create two new groups for use with IIS:
-- a WebAdmins group (to define the admins who will administer content)
-- a WebUsers group (the primary group for the IUSR_computername account).
- Remove IUSR_computername from the Guests group and add it to the WebUsers group.
- You'll use these groups for setting NTFS permissions.
- Modify the directory permissions on your \\InetPub\wwwroot\ directory by removing all default permissions and granting the WebAdmins group Full Control and the WebUsers group Read permission.
- If you run any scripts or executables with your Web site, modify those directories to allow the WebUsers group Execute permission as well.

4) Hide the Security Log
Hide the current log because it can be altered with WordPad and other tools. Under the registry key
HKeyLocalMachine\System\CurrentControlSet\Services\EventLog\Security
change the File entry to a new path.
5) Where is the SAM Stored? Four Locations
- C:\winnt\system32\config
- Emergency Repair Disk (do not leave it on your desk)
- C:\Winnt\Repair
- Backup tapes (off site and in a secure location, e.g. a data fire-proof safe)
Please make sure all of these are in a SAFE location; all of them are possible threats to your security.
6) NTFS File & Share Permissions
Share-level permissions are cumulative, except for Deny.
File-level permissions are cumulative, except for Deny.
When file and share permissions are combined, the most restrictive result applies.
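The three rules above worked through in code, added here as an example and not part of the original page: a user's rights at each level are the union of the Allow entries for their groups minus any Deny, and the effective rights are the intersection of the share and file results. The group names and ACL entries are constructed for the example (the WebAdmins/WebUsers groups follow section 3).

```python
# Share-level permissions are coarse: Read also allows executing, Change adds
# write/delete.  They are modelled here as sets of the same rights used at file level.
SHARE_READ = {"Read", "Execute"}
SHARE_CHANGE = SHARE_READ | {"Write", "Delete"}

def cumulative(acl, groups):
    """Combine the ACL entries that apply to any of the user's groups.
    Allows accumulate (union); any Deny entry removes that right."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in groups:
            (allowed if kind == "Allow" else denied).update(rights)
    return allowed - denied

def effective_access(share_acl, file_acl, groups):
    """Rights the user ends up with: the most restrictive combination, i.e. a
    right must be granted at the share level AND at the file level."""
    return cumulative(share_acl, groups) & cumulative(file_acl, groups)

# Constructed ACLs: (principal, "Allow" | "Deny", rights)
SHARE_ACL = [
    ("Everyone", "Allow", SHARE_READ),
    ("WebAdmins", "Allow", SHARE_CHANGE),
]
FILE_ACL = [
    ("WebUsers", "Allow", {"Read", "Execute"}),
    ("WebAdmins", "Allow", {"Read", "Execute", "Write", "Delete"}),
    ("ContentAuthors", "Allow", {"Read", "Write"}),  # Write granted only at file level
    ("Contractors", "Deny", {"Write"}),              # Deny wins over any Allow
]

if __name__ == "__main__":
    for who in ({"Everyone", "WebAdmins"}, {"Everyone", "WebUsers"},
                {"Everyone", "ContentAuthors"}, {"Everyone", "WebAdmins", "Contractors"}):
        print(sorted(who), "->", sorted(effective_access(SHARE_ACL, FILE_ACL, who)))
```

ContentAuthors end up with Read only because the share grants no Write, and a WebAdmin who is also a Contractor loses Write to the Deny entry even though WebAdmins allows it at both levels.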
7) Windows 2000 Encryption
Q255742 Methods for Recovering Encrypted Data
Q223316 Best Practices for Encrypting File System
8) Windows 2000 RunAs Utility
You do not want to read your e-mail or surf the Web logged in with Administrator rights. If you catch a virus, worm or hack, it has Administrative rights. Log on with normal user rights for these functions.
RunAs allows you to be logged on as a regular user and then run a program as a user with Administrator rights:
1/ From a DOS command prompt (you are prompted for the password): RUNAS /user:username command
2/ Hold down SHIFT, then right-click the program
3/ Modify the properties of a shortcut
Q225035
9) View Shares on a computer
At a DOS command prompt type:
net view \\computername
or
net view \\TCP/IP-address
10) UNC path to a share with a User Name and Password
At a DOS command prompt type:
username:password@\\servername\share
11) Create a Difficult Password
- as many characters as you can remember, 7 or more
- some upper-case characters
- and some lower-case characters
- and some numbers
- and some weird characters, like the shifted (upper-case) top-row number keys
- Administrators need the most difficult passwords
- try using one character from the ASCII table (look in Character Map)
- the ¼ character is Alt and number pad 0188 together
- a Return (¶) is Alt and number pad 0182
How to get ready for a security audit
12) The Twenty Most Critical Internet Security Vulnerabilities
The SANS Institute
www.sans.org/top20/ Version 3.21, October 17, 2002
www.sans.org/top20/top20_Oct01.htm Version 2.504, May 2, 2002
www.sans.org/topten.htm Version 1.33, June 25, 2001
13) Steps that home users should take to secure their computers
These steps are also extremely helpful for small offices/home offices (SOHOs), small businesses, remote users, and IT pros:
1. Assess your risks. What do you need to protect? (Privacy and identity)
2. Use antivirus software. I know you have been told before, but check all e-mail attachments.
3. Keep software up to date. There are many security patches for BIOS/operating system/software (Office and Explorer).
4. Check your security settings. (File and Print Sharing means you're vulnerable; also check cookies and Java.)
5. Use a firewall. (Hardware or software or both)
6. Create strong passwords. (Upper case / lower case / number / weird character $#@)
7. Conduct routine security maintenance or checks. (e.g. www.grc.com)
www.microsoft.com/security/articles/steps_default.asp
14) MCP article on Security Audits: 22 things to do.
15) Wireless security
Wireless security is called WEP (Wired Equivalent Privacy); you may want to add a VPN.
NetStumbler lets users investigate a given wireless LAN's security. Security administrators can use it to test their sites. www.netstumbler.com

16) Security Operations Guide for Windows 2000 Server
17) Astonsoft released PC DoorGuard
Trojan horse and virus-intrusion software that identifies and deletes Trojan horses that reside on your PC. When the software deletes a Trojan horse, it also inspects the registry and system files, eliminates the Trojan horse, and removes any malicious files that belong to the Trojan horse. PC DoorGuard 2.15 runs on Windows XP, Windows 2000, Windows Me, and Windows 9x systems and costs $29.95. Contact Astonsoft at support@astonsoft.com.
www.astonsoft.com
18) The FBI is working on a program called Magic Lantern
This is a Trojan that logs keystrokes (Big Brother is watching).
Another FBI tool, called Carnivore, collects e-mail passing through.
XP's Universal Plug and Play, which automatically detects devices connected on the network, can be used for a DoS attack.
19) Security Alert Message for Cookies Q154360
You may want to delete cookies after every adventure out on the Net.
20) How to Use Kiosk Mode in Microsoft Internet Explorer Q154780
To start Internet Explorer in Kiosk mode, click Start, click Run, type the following command in the Open box, and then click OK:
iexplore -k {page}
where {page} is the address of the Web page.
21) How to Clear the History Entries in Internet Explorer Q157729
1. Quit Internet Explorer.
2. Delete all the values except for the (Default) value from the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
22) NT 4 path spoofing: example
1) Copy c:\winnt\system32\cmd.exe to the root directory (C:\).
2) Rename the copy of cmd in the root to explorer.
3) Don't use the extension (exe) if your extensions are hidden.
4) Log off and log back on (you should only get a DOS screen).
5) To exit this, type c:\winnt\explorer.exe.
6) Delete explorer from the root of C:.
23) How to Use Security Zones in Internet Explorer Q174360
24) The reason most companies do not report network attacks/hacks
Mistrust of law enforcement agencies--you don't want to be treated as a criminal when you're reporting a crime. Mistrust of the media--you don't want the story twisted and speculated upon. Mistrust of your employer--you'll lose your job or be criticized for not keeping the systems safe. Mistrust of your fellow IT pros--they'll deny any similar problems.
25) You should use a hardware firewall in these situations:
1) A customer needs Internet access on more than one computer.
2) A customer needs a secure connection to a main office.
3) The client is a branch office.
4) A company needs to host e-mail and Web servers.
27) Internet Assigned Numbers Authority (IANA) www.iana.org
It divides all public IP addresses among the Regional Internet Registries (RIRs), which distribute blocks of IP addresses.
There are four RIRs:
* Asia Pacific Network Information Centre (APNIC) for Asia and the Pacific region www.apnic.net
* American Registry for Internet Numbers (ARIN) for North America, parts of the Caribbean, and sub-equatorial Africa www.arin.net
* Latin American and Caribbean Internet Addresses Registry (LACNIC) for Latin America and parts of the Caribbean lacnic.net
* RIPE Network Coordination Centre (RIPE NCC) for Europe, the Middle East, Central Asia, and African countries above the equator www.ripe.net

28) Internet Security is more than firewalls
Internet security is about more than installing a firewall, disabling cookies, running anti-spyware software, and not opening e-mail attachments from people you don't know. It also means knowing when other people aren't doing these things--and doing something about it. Large, centralized databases represent one of the biggest threats to Internet security. A 2004 study conducted by the FBI and the Computer Security Institute revealed that internal attacks account for more than 50 percent of all organized network security breaches.

29) Firefox Web Browser example
Use of the Mozilla Firefox Web browser has increased since US-CERT's reports of IE's weaknesses. www.mozilla.org

30) Browse the Internet truly anonymously
A version of Firefox called "Torpark." The browser is intended to provide the ultimate in anonymity for browsers, ensuring no files are saved to the computer it runs on (it runs off a USB drive) and using The Onion Router (TOR) network to continually randomize the IP address that Web sites see.
www.torrify.com - Torpark program to download
www.onion-router.net

The Twenty Most Critical Internet Security Vulnerabilities by The SANS Institute

A GOOD LIST OF E-MAIL ATTACHMENT EXTENSIONS YOU SHOULD BLOCK! Not only because of viruses, Trojans and spyware, but to free up bandwidth and stop employees using your equipment for personal uses. Attachment file types blocked by Outlook:

Extension   Description
asf         Video file for Windows Media Player
asx         Windows media metafile for redirecting streaming media away from a browser to Windows Media Player
avi         Audio video interleave file
bat         Batch file
cmd         Command file
js          JavaScript source code
jse         JavaScript (encoded)
mp3         MPEG audio stream
mpeg        MPEG audio stream
mpg         MPEG audio stream
pps         PowerPoint slideshow
scr         Screensaver
sd          Audio file
wav         Waveform audio file
wm          Windows media audio/visual file
wma         Windows media audio file
wmd         Windows media download file
wmv         Windows media file
wmx         Audio playlist or Windows Media Player audio/visual shortcut
wmz         Windows Media compressed skin file
wpl         Draxy Software wallpaper sequencer
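The block list above applied to incoming attachment names the way a mail filter would, added here as an example and not part of the original page. The extension set is the page's; the attachment names are constructed to cover the usual evasions (upper case, a double extension, a trailing dot or space that Windows ignores, a file with no extension).

```python
BLOCKED_EXTENSIONS = {
    "asf", "asx", "avi", "bat", "cmd", "js", "jse", "mp3", "mpeg", "mpg",
    "pps", "scr", "sd", "wav", "wm", "wma", "wmd", "wmv", "wmx", "wmz", "wpl",
}

def attachment_extension(name):
    """Extension Windows would use when opening the saved file, lower-cased.
    Directory parts are dropped and trailing dots/spaces are stripped, because
    Windows ignores them, so "setup.js." is still a .js file.  Returns '' if none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.rstrip(". ").lower()
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]

def is_blocked(name, blocked=BLOCKED_EXTENSIONS):
    """True if the attachment's final extension is on the block list.  Only the last
    extension decides what runs, so "holiday.jpg.scr" is caught as a screensaver."""
    return attachment_extension(name) in blocked

def filter_attachments(names, blocked=BLOCKED_EXTENSIONS):
    """Split a message's attachment names into (allowed, rejected) lists, keeping order."""
    allowed, rejected = [], []
    for name in names:
        (rejected if is_blocked(name, blocked) else allowed).append(name)
    return allowed, rejected

# Constructed attachment names for the example (not real mail data).
SAMPLE_ATTACHMENTS = [
    "budget.xls", "holiday.jpg.scr", "UPDATE.BAT", "setup.js.",
    "readme", "song.Mp3 ", "report.pdf",
]

if __name__ == "__main__":
    ok, bad = filter_attachments(SAMPLE_ATTACHMENTS)
    print("allowed:", ok)
    print("blocked:", bad)
```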



Updated October 10, 2007
Copyright© 2007 by Dana Shea
