
Johansson_Index.qxd 4/27/05 9:31 AM Page 551

INDEX

Symbols
802.1X
  applying, 272-282
  enforcement, 298

A
acceptable use policy (AUP), 122
access
  anonymous restrictions, 369-372
  controls (physical security), 165-168
  GUIs, 60
  LUA (least user access), 398
  masks, 503
  remote, 198-200
  restrictions, 253-257, 264
  rogue
    applying 802.1X, 272-282
    enabling IPsec, 283-294
    layer 2/3 protection, 269-271
    network quarantine systems, 296-300
    preventing, 267
    sniffing, 267-268
  Web, 198-199
access control lists. See ACLs
accounts
  administrative security, 218-222
  IDS, 52
  lockout, 385
  logon events, 384
  passwords, 344
  services, 421
    ASR (attack surface reduction), 418-420
    dependencies, 222
    mitigating, 223-228
    securing, 427-434
    SRPs (software restriction policies), 366-367
ACKnowledge packets, 38
ACLs (access control lists), 353, 493
  best practices, 509-513
  layers, 507-509
  security descriptors, 495-506
ACS (Audit Collection Services), 458
active administrative dependency, 218
active attacks, 7
active-automated attacks, 8
active-manual attacks, 9
AdAware, 412
Address Resolution Protocol (ARP) attacks, 270-271
addresses
  ranges, 34-36
  spoofing, 190-191
administration
  attachments, 408-410
  Help, 151-152
  passwords, 225-228, 307
    applying, 317-325
    attacks, 326-332
    configuring, 536-539
    passgen tool, 529-539
    storage, 307-316
  patches
    advanced techniques, 97-100
    as risk management, 83-84
    AU/WSUS, 94
    automatic updates, 94
    building test bed, 88-90
    definition of, 81, 83
    EMS (enterprise management system), 95-96
    MBSA (Microsoft Baseline Security Analyzer), 93

    need for, 79-80
    security update tools, 91-93
    selection of, 96
    slipstreaming, 101-108
    testing security updates, 85-87
  penetration testing, 28-31
  rights systems, 513-517
  risk, 113, 118-119
  security, 135-136
    administrator responsibilities, 18
    dependencies, 218-222
    mitigating services, 223-228
    receiving feedback, 14-20
    usability, 16-18
    vendor design tradeoffs, 19-20
    system administration, 135-136
administrator password policy (APP), 122
administrators, 220
  passwords, 536-539
  responsibilities, 18
ADS (Automated Deployment Services), 101
Advanced Encryption Standard (AES), 176
adware, 450
AES (Advanced Encryption Standard), 176
agent-based enumeration, 92
agent recovery, 176
AH (Authentication Header), 286
ALE (annualized loss expectancy), 119
Alerter service, 418
algorithms, troubleshooting, 485
analysis
  environments, 415-416
  Exchange Best Practices Analyzer Tool, 454
  existing systems, 512
  hacking, 72-73
  MBSA (Microsoft Baseline Security Analyzer), 93
  penetration testing, 24, 28-31
  security needs, 118-128
  threats, 244, 246, 248
annualized loss expectancy (ALE), 119
anonymous connections (null sessions), 50
anonymous restrictions, 369-372, 384
anti-malware, 379
anti-spyware software, 450
antivirus policy (AVP), 123
antivirus software, 450
API (application programming interface), 55
APP (administrator password policy), 122
application-filtering firewalls, 194-195
applications
  analyzing, 415-416
  ASR (attack surface reduction), 418
    blocking unnecessary interfaces, 420
    disabling unnecessary features, 419
    uninstalling unnecessary components, 418-419
  data-protection mechanisms, 517-518
  exposed (on hosts), 39
  functionality
    restricting browser, 402-407
    turning off, 400-402
  hiding, 357
  LUA (least user access), 398
  patches, 41, 395-398
  security
    baselining systems, 469-470
    evaluating, 467
    reviewing, 471-474, 477-487
  servers, 417
  services, 421-426
  small businesses
    applying anti-spyware/antivirus software, 450
    configuring firewalls, 451-453
    controlling automatic updating, 449
    updating, 448-449
  spyware, 411

  states, 41
  structure of, 42
  updates, 96
  version information, 40
  Web, 441
applying
  802.1X, 272-282
  anti-spyware/antivirus software, 450
  firewalls, 192-198
  IPsec, 283-294
  passwords, 317-325
  security guides, 362
ARP (Address Resolution Protocol) attacks, 270-271
ASR (attack surface reduction), 418-420
assessment of penetration tests, 24
associations (security), 283
attachment management, 408-410
attack surface reduction (ASR), 418-420
attackers, Warez, 47
attacks
  ARP (Address Resolution Protocol), 270-271
  cached credentials, 331
  casual attackers, 5
  cross-site scripting, 479
  damage (types of), 10, 13
  DDoS (Distributed DoS), 188
  detecting, 150
  DoS (denial-of-service), 188, 243
  elevation-of-privilege, 243
  hacking
    analyzing, 72-73
    cleaning attackers, 74-76
    detecting initial compromise of, 43-45
    elevating privileges, 46-50
    footprinting networks, 34-43
    null sessions, 50-57
    taking over, 59-71
  passwords, 326-332
  penetration testing, 28-31
  reflection, 230
  spoofing, 190-191
  target networks, 32
  types of, 7, 9-10
AU (Automatic Update), 94, 449
Audit Collection Services (ACS), 458
auditing, 377
  CrashOnAuditFail, 386
  enabling, 384-385
  full privilege, 386
AUP (acceptable use policy), 122
authentication, 283
  challenge-response transactions, 229-234
  LAN Manager, 375, 383
  mutual, 279
  passwords, 303-305
    applying, 317-325
    attacks, 326-332
    best practices, 334-344
    management, 307-316
    multifactor authentication, 346-348
    overview of, 305-307
    policies, 345
  physical security, 168
  SQL Servers
    customizing, 435
    IIS (Internet Information Services), 441
    troubleshooting, 482
Authentication Header (AH), 286
authenticity, 187
authorization, 283
automated attacks, 7
Automated Deployment Services (ADS), 101
Automatic Update. See AU; updates
availability, 187-189, 519
avoiding
  hacking, 521
  viruses, 13
AVP (antivirus policy), 123
awareness of security, 128-129, 149-150

B
back-end servers, structure of, 42
baselining
  MBSA (Microsoft Baseline Security Analyzer), 93
  performance, 90
  systems, 469-470
batching patches, 100

554 Index

beds (patch test), building, caches, 244 clients (businesses) 88-90 California law SB 1386 information, storing on Bell-LaPadula model, 225 (public disclosure), 120 servers, 455-458 best practices call detail record protecting PCs, 169-172 ACLs (access control (CDR), 115 clients (networks) lists), 509-513 cardinal points, 102 password policies, 382 Exchange Server Best casual attackers, 5 quarantine, 297 Practices Analyzer CDR (call detail security tweaks Tool, 454 record), 115 anonymous passwords, 334 CERNIC (China Education restrictions, 384 account lockout, 344 and Research blank passwords, 383 disabling LM hashes, Network Information enabling auditing, 335-336 Center), 184 384-385 protecting cached certificates, 284 LAN Manager credentials, 334-335 Certified Information authentication, 383 selection, 337-344 Systems Security limiting malicious Bill Payer service, 216 Professional code, 377-378 black-box tests, 30 (CISSP), 225, 494 removable media, 385 blocking challenge-response SafeDllSearchMode, ICMP echoes, 38 transactions, 229-234 379-382 spyware, 527-528 Character Map tool, 476 SMB message unnecessary characters, passwords, signing, 383 interfaces, 420 307-308, 311-316 VPN, 208 borders, connecting China Education and Clustering Service, 317 routers, 190-191 Research Network clusters, 251 browser functionality, Information Center CMAK (Connection restricting, 402-407 (CERNIC), 184 Manager buffers, troubleshooting, 483 circuit proxies, 195 Administration building circumvention Kit), 300 patch test beds, 88-90 vulnerabilities, 137 code slipstreamed installation CISSP (Certified malicious, 377-378 points, 102-108 Information Systems worms, 13 built-in shares, 510 Security Professional), Cold Fusion Expression 225, 494 Evaluator, 417 C classification systems components CA Unicenters, 95 (security policies), 127 quarantine systems, cached credentials, cleaning attackers, 74, 76 297-300 315-316 clearing virtual RMS (Rights attacks, 331 memory, 387 Management 
disabling, 386 cleartext data, trou- Services), 516-517 protecting, 334-335 bleshooting, 484 Johansson_Index.qxd 4/27/05 9:31 AM Page 555

  uninstalling, 418-419
  unused (turning off functionality), 400
compromising networks, cleaning attackers, 74-76
computation, LM hash, 309
computers
  dealing with stolen, 173-179
  family (physical security), 180
  protecting (physical security), 169-172
  small businesses
    applying anti-spyware/antivirus software, 450
    configuring firewalls, 451-453
    controlling automatic updating, 449
    protecting, 447-448, 464-465
    updating software, 448-449
conclusions of penetration testing, 29
confidentiality, 178, 185
configuration
  audit, 377
  firewalls for small business, 451-453
  passwords (administrators), 536-539
  replicating, 88
  security
    false information about guides, 354-363
    tools, 387-391
    troubleshooting, 483
  SQL Server
    customizing authentication, 435
    dropping stored procedures, 436-438
    hardening, 426-427
    securing service accounts, 427-434
  supportability, 416
Connection Manager Administration Kit (CMAK), 300
connections
  anonymous (null sessions), 50
  border routers, 190-191
  outbound, 264
controls
  access (physical security), 165-168
  remote, 201-202
cracking, 327-331
CrashOnAuditFail, 386
credentials
  cached, 315-316
    attacks, 331
    protecting, 334-335
  caches, 386
critical updates, 83
cross-site scripting, 45, 479
crypto algorithms, troubleshooting, 485
customization
  audit settings, 377
  defense-depth model, 20-23
  firewalls for small business, 451-453
  network threat modeling processes, 237-238
    access restriction, 253-257, 264
    documentation, 238-248
    segmentation, 248-251
  passwords (administrators), 536-539
  replicating, 88
  security, 114
    analyzing security needs, 118-128
    creating awareness of, 128-129
    enforcing, 130
    failure of, 116
    false information about guides, 354-363
    identifying threats, 117
    modifying, 129
    necessity of, 115
    structure of, 114-115
    tools, 387-391
    troubleshooting, 483
  SQL Server
    customizing authentication, 435
    dropping stored procedures, 436-438
    hardening, 426-427
    securing service accounts, 427-434
    supportability, 416
  tradeoffs (vendors), 19-20

556 Index

D denial of service. See DoS false information about damage from attacks dependencies, 215 guides, 354-363 (types of), 10, 13 administrative security, identifying threats, 117 data destruction 218-228 modifying, 129 attacks, 10 overview of, 215-217 necessity of, 115 Data Encryption Standard service accounts, 222 structure of, 114-115 (DESX), 176 types of, 229-234 tools, 387-391 data flow diagrams , 233 troubleshooting, 483 (DFDs), 238-240 deperimeterization, SQL Server data modification attacks, 210-212 customizing 10, 12 descriptors, security, authentication, 435 data protection for small 495-506 dropping stored businesses, 461-462 DESX (Data Encryption procedures, 436-438 Data Source Name Standard), 176 hardening, 426-427 (DSN), 441 detecting attacks, 150 securing service data-protection deterministic accounts, 427-434 mechanisms, 491-492 passwords, 536 supportability, 416 ACLs (access control development tradeoffs (vendors), lists), 493 audit settings, 377 19-20 best practices, 509-513 defense-depth model, DFDs (data flow layers, 507-509 20-23 diagrams), 238-240 security descriptors, firewalls for small diagrams, DFDs (data flow 495-506 business, 451-453 diagrams), 238-240 applications, 517-518 network threat modeling dialog boxes, Manage rights management processes, 237-238 Add-ons, 397 systems, 513-517 access restriction, digital certificates, security groups, 493 253-257, 264 IPsec, 284 databases documentation, direct tap policy security, 482 238-248 (DTP), 127 troubleshooting, 471-479 segmentation, 248-251 disabling DC (domain controller), passwords (administrators), cached credentials, 386 32, 165 536-539 LM hashes, 335-336, 368 DDoS (distributed replicating, 88 unnecessary features, 419 denial-of-service) security, 114 USB drives, 171 attacks, 188 analyzing security DiscoverHosts, debugging LSA, 53 needs, 118-128 executing, 54 defense-in-depth model, creating awareness of, distributed denial-of- 20-23, 363-364 128-129 service (DDoS) demilitarized zone 
enforcing, 130 attack, 188 (DMZ), 32 failure of, 116 Johansson_Index.qxd 4/27/05 9:31 AM Page 557

Distributed Management Objects (DMO), 436
distribution, password length, 324
DMO (Distributed Management Objects), 436
DMZ (demilitarized zone), 32
DNS (Domain Name Server) lookup requests, 37
Do Not Duplicate markings, 167
Document Tracking and Administration (DTA), 436
documentation
  passwords, 341
  network threat modeling processes, 238-248
  security policies
    analyzing security needs, 118-128
    creating awareness of, 128-129
    developing, 114
    enforcing, 130
    failure of, 116
    identifying threats, 117
    modifying, 129
    necessity of, 115
    structure of, 114-115
domain controller (DC), 32, 165
Domain Name Server (DNS) lookup requests, 37
domains
  cached credentials, 315-316
    attacks, 331
    protecting, 334-335
  isolation, 294
  LM hash value storage, 368
  Local groups, 493
  Microsoft, 146
  taking over, 59-67, 69-71
doors, locking, 167
DoS (denial of service), 10, 188, 243
downtime, preventing, 99
DPAPI (Windows Data Protection API), 179
drives, disabling USB, 171
dropping stored procedures, 436-438
DSN (Data Source Name), 441
DTA (Document Tracking and Administration), 436
DTP (direct tap policy), 127
dumpinfo, 55

E
e-mail
  attachment manager, 408-410
  HTML security, 405-407
EAP-TLS, 273
echoes (ping), 38
education for users, 152-153
EFS (encrypting file system), 175-178, 227
Eggshell Principle (hacking), 31
ejecting removable media, 385
elevating privileges, 46, 48, 50
elevation-of-privilege attacks, 243
EMS (enterprise management system), 95-96, 223
enabling
  anonymous restrictions, 369-372
  auditing, 384-385
  automatic updates, 449
  controls (physical security), 165-168
  GUIs, 60
  IPsec, 283-285, 287-294
  LUA (least user access), 398
  masks, 503
  remote access, 198-200
  restrictions, 253-257, 264
  rogue access
    applying 802.1X, 272-282
    enabling IPsec, 283-294
    layer 2/3 protection, 269-271
    network quarantine systems, 296-300
    preventing, 267
    sniffing, 267-268
  startup keys, 179
  Web, 198-199
encrypting file system (EFS), 175-178, 227

558 Index

encryption events, logon, 384 SQL Server files, 175-177 Everyone group, 505 customizing PPTP (Point-to-Point Exchange Server 2003, 199 authentication, 435 Transfer Protocol), 36 Exchange Server Best dropping stored end users (security) Practices Analyzer procedures, 436-438 exploits against, 140-141 Tool, 454 hardening, 426-427 involvement vs. executing securing service influence, 142-143 audit settings, 377 accounts, 427-434 protecting, 148-153 defense-depth model, supportability, 416 social engineering, 20-23 tradeoffs (vendors), 137-139, 143-148 DiscoverHosts, 54 19-20 value of passwords, 139 firewalls for small existing systems, enforcement business, 451-453 analyzing, 512 802.1X, 298 LUA (least user access) expected hosts, 37-38 IPsec, 298 applications, 398 expiration (of quarantine systems, 297 network threat modeling passwords), 345 security policies, 130 processes, 237-238 exploits against users, enterprise management access restriction, 140-141 system (EMS), 253-257, 264 exposed applications (on 95-96, 223 documentation, hosts), 39 enumeration, tools, 92 238-248 extended stored procedure environments, analyzing, segmentation, 248-251 (xproc), 47 415-416 passwords (administrators), ESP (encapsulated 536-539 F security payload), 286 replicating, 88 failures, CrashOnAuditFail, evaluation security, 114 386 access masks, 503 analyzing security family PCs (physical applications needs, 118-128 security), 180 baselining systems, creating awareness of, fault trees, 245 469-470 128-129 features, disabling, 419 reviewing, 471-474, enforcing, 130 feedback, receiving, 14-20 477-487 failure of, 116 file encryption key security, 467 false information about (FEK), 175 network threat modeling guides, 354-363 files processes, 237-238 identifying threats, 117 audit settings, 377 access restriction, modifying, 129 defense-in-depth model, 253-257, 264 necessity of, 115 20-23 documentation, structure of, 114-115 DiscoverHosts, 54 238-248 tools, 387-391 encrypting, 175-177 
segmentation, 248-251 troubleshooting, 483 Johansson_Index.qxd 4/27/05 9:31 AM Page 559

  firewalls for small business, 451-453
  generic rights on, 500
  HOSTS, 527-528
  TIF (temporary Internet files), 244
  passwords (administrators), 536-539
  replicating, 88
  security
    false information about guides, 354-363
    tools, 387-391
    troubleshooting, 483
  SQL Server
    customizing authentication, 435
    dropping stored procedures, 436-438
    hardening, 426-427
    securing service accounts, 427-434
    SRPs (software restriction policies), 366-367
    supportability, 416
  tradeoffs (vendors), 19-20
filtering
  IPsec, 284, 365, 379
  traffic, 254-257
firewalls
  applying, 192-198
  malicious code (limiting), 378
  small businesses, 451-453
  types of, 193
  Windows XP Service Pack 2, 256
first-level zombies, 188
fixes, 83
folders, redirecting, 456
footprinting networks, 34
  address ranges, 34, 36
  application/OS version information, 40
  expected hosts, 37-38
  exposed applications, 39
  host names, 37
  patch states (of applications and hosts), 41
  public information, 42-43
  structure (of applications and back-end servers), 42
forewarning, 154
formatting
  audit settings, 377
  firewalls for small business, 451-453
  LUA (least user access) applications, 398
  network threat modeling processes, 237-238
    access restriction, 253-257, 264
    documentation, 238-248
    segmentation, 248-251
  passwords (administrators), 536-539
  replicating, 88
  security, 114
    analyzing security needs, 118-128
    creating awareness of, 128-129
    enforcing, 130
    failure of, 116
    false information about guides, 354-363
    identifying threats, 117
    modifying, 129
    necessity of, 115
    structure of, 114-115
    tools, 387-391
    troubleshooting, 483
  SQL Server
    customizing authentication, 435
    dropping stored procedures, 436-438
    hardening, 426-427
    securing service accounts, 427-434
    removable media, 385
    supportability, 416
FRK (file encryption key), 175
full IP VPNs, 203-210
full privilege auditing, 386
functionality
  restricting browser, 402-407
  turning off, 400-402
functions, LSALogonUser, 222

G
Gates, Bill, 216
GDR (General Distribution Release), 103
General Distribution Release. See GDR

560 Index

generating passwords, 228, detecting initial hashing, 306 529-539 compromise of, 43-45 LM hash, 308-313, generic rights (on files), 500 elevating privileges, 335-336 global groups, 493 46-50 NT hash, 314-315 expected hosts, 37-38 passwords, 307 (GUI), 60 exposed applications, 39 precomputed gratuitous ARP replies, 271 footprinting, 34 hashing, 329 group passwords, 341 hosts names, 37 HCL (Hardware password null sessions, 50-57 Compatibility policies, 373 patch states (of List), 87 groups applications and Help management, Everyone, 505 hosts), 41 151-152 restrictions, 376-377 public information, HFNetChk Pro, 94 security, 493 42-43 hiding systems, 357 Guel, Michael D., 121 structure (of high security, 361-362 guessing (passwords), applications and hosts, 22 326-327 back-end servers), 42 ASR (attack surface GUI (graphical user taking over, 59-71 reduction), 418 interface), 60 target, 32 blocking unnecessary guides (security) overview of, 31 interfaces, 420 applying, 362 hardening, 416 disabling unnecessary false information about, IIS (Internet features, 419 354-363 Information uninstalling necessity of, 360 Services), 439-444 unnecessary SQL Servers, 426-427 components, 418-419 H customizing expected, 37-38 hackers authentication, 435 exposed applications, 39 definition of, 6 dropping stored names, 37 Warez, 47 procedures, 436-438 patch states, 41 hacking securing service HOSTS file, 527-528 avoiding, 521 accounts, 427-434 hotfixes, 83 Eggshell Principle, 31 TCP, 375-376 Howard, Michael, 471 networks hardware HP OpenView, 95 address ranges, 34-36 firewalls, 196-198 HTML (Hypertext analyzing, 72-73 vulnerabilities, 249 Markup Language), application/OS version Hardware Compatibility e-mail security, information, 40 List. See HCL 405-407 cleaning attackers, hash value storage hubs, 270 74-76 (LM), 368 Johansson_Index.qxd 4/27/05 9:31 AM Page 561

I
ICMP (Internet Control Message Protocol), 38
IDS accounts, 52
IE (Microsoft Internet Explorer), 81
IEEE (Institute of Electrical and Electronic Engineers), 272
IIS (Internet Information Services), 439-444
IKE (Internet Key Exchange), 287
implementation of security policies, 130
indexed administrator passwords, configuring, 537
information disclosure attacks, 10-11, 243
information protection policy (IPP), 124
information resources (physical security), 167
information security, 184-189
infrastructure resources (physical security), 167
initial compromise (of networks), 43, 45
initiation of SSL, 231
injection (SQL), 45, 471-479
inoculation, 154
input
  known (passgen tool), 530-534
  validations (SQL), 472-474
installation points, building slipstreamed, 102-108
Institute of Electrical and Electronic Engineers (IEEE), 272
integrity, 178, 186
interfaces, 22
  ASR (attack surface reduction), 418
    blocking unnecessary interfaces, 420
    disabling unnecessary features, 419
    uninstalling unnecessary components, 418-419
  functionality (restricting), 402-407
  GUIs, 60
Internet Control Message Protocol (ICMP), 38
Internet Information Services (IIS), 439-444
Internet Key Exchange (IKE), 287
Internet Print Provider (IPP), 439
Internet Protocol (IP), 203-219
Internet Relay Chat (IRC), 64
Internet Security and Acceleration (ISA) Server, 451
Internet use policies, 463
IP (Internet Protocol), 203-210
IPP (information protection policy), 124
IPP (Internet Print Provider), 439
IPsec (IP Security), 19
  applying, 283-294
  enforcement, 298
  filters, 365, 379
ipseccmd.exe tool, 291
ipsecpol.exe tool, 291
IRC (Internet Relay Chat), 64
ISA (Internet Security and Acceleration) Server, 451
ISA Server 2000, 200
ISO Standard 17799, 120-121
isolation of domains, applying IPsec, 294

J-K
Kerberos, 284
keyloggers, 450
keys
  IKE (Internet Key Exchange), 287
  IPsec (IP Security), 284
  regeneration, 279
  uniqueness, 279
keystroke loggers, 332
known input (passgen tool), 530-534

L
labeling, 125
LAN Manager
  authentication, 375, 383
  hash value storage, 368
laptops
  dealing with stolen, 173-179
  passwords, 174

562 Index

small businesses logon definition of, 81, 83 applying anti-spyware/ cached credentials, EMS (enterprise antivirus software, 450 315-316 management system), configuring firewalls, events, 384 95-96 451-453 passwords, 307 MBSA (Microsoft controlling automatic long passwords, selection Baseline Security updating, 449 of, 338 Analyzer), 93 protecting, 447-448, lookup requests (DNS), 37 need for, 79-80 464-465 LSA (Local Security security update tools, updating software, Authority) Secrets, 91-93 448-449 53, 179, 223 selection of, 96 laws of security, 164, LSALogonUser slipstreaming, 101-108 541-549 function, 222 testing security layers LUA (least user updates, 85-87 ACLs (access control access), 398 penetration testing, lists), 507-509 28-31 protecting, 269-271 M rights systems, 513-517 least user access macros, turning off, 401 risk, 113, 118-119 (LUA), 398 malicious code, limiting, security, 135-136 LeBlanc, David, 471 377-378 administrator length, password Manage Add-ons dialog responsibilities, 18 distribution, 324 box, 397 receiving feedback, limiting malicious code management 14-20 (client security attachments, 408-410 usability, 16-18 tweaks), 377-378 Help, 151-152 vendor design LM hash, 308-313, passwords, 225-228, 307 tradeoffs, 19-20 335-336 applying, 317-325 system administration, load balancing, 99 attacks, 326-332 135-136 local groups, 493 configuring, 536-539 manual attacks, 7 Local Security Authority passgen tool, 529-539 masks, access, 503 (LSA) Secrets, storage, 307-316 MBSA (Microsoft Baseline 53, 179 patches Security Analyzer), LocalService, 222 advanced techniques, 93, 454 LocalSystem, 222 97-100 meatspace, 159 locking doors, 167 as risk management, mechanism enforcement, lockout (accounts), 83-84 297 344, 385 AU/WSUS, 94 memory logic of penetration automatic updates, 94 multifactor authentica- tests, 24 building test bed, tion, 347 88-90 virtual, 387 Johansson_Index.qxd 4/27/05 9:31 AM Page 563

Messenger service, 419
Methods, IPsec, 285-287
Microsoft
  domain records, 146
  release of source code, 11
  Windows operating system. See Windows
Microsoft Baseline Security Analyzer (MBSA), 93, 454
Microsoft Internet Explorer (IE), 81
Microsoft Security Bulletin MS04-011 (patch), 85
Microsoft Systems Management Server (SMS), 95
minimizing reboots, 97-99
mitigation of services, 223-228
models
  Bell-LaPadula, 225
  defense-in-depth, 20-23, 363-364
  network threat modeling processes, 237-238
    access restriction, 253-264
    documentation, 238-248
    segmentation, 248-251
  OSI (Open Systems Interconnect), 21
modes, IPsec, 285, 287
modifying
  administrator passwords, 538-539
  attachments, 408-410
  Help, 151-152
  passwords, 225-228, 307
    applying, 317-325
    attacks, 326-332
    configuring, 536-539
    passgen tool, 529-539
    storage, 307-316
  patches
    advanced techniques, 97-100
    as risk management, 83-84
    AU/WSUS, 94
    automatic updates, 94
    building test bed, 88-90
    definition of, 81, 83
    EMS (enterprise management system), 95-96
    MBSA (Microsoft Baseline Security Analyzer), 93
    need for, 79-80
    security update tools, 91-93
    selection of, 96
    slipstreaming, 101-108
    testing security updates, 85-87
  penetration testing, 28-31
  rights systems, 513-517
  risk, 113, 118-119
  security, 129, 135-136
    administrator responsibilities, 18
    receiving feedback, 14-20
    usability, 16-18
    vendor design tradeoffs, 19-20
    system administration, 135-136
MSADC Sample, 417
MSN Bill Payer service, 216
multifactor authentication, 346-348
mutual authentication, 279

N
names, hosts, 37
NAT (Network Address Translation), 287-288
navigation
  administrator passwords, 538-539
  attachments, 408-410
  Help, 151-152
  passwords, 225-228, 307
    applying, 317-325
    attacks, 326-332
    configuring, 536-539
    passgen tool, 529-539
    storage, 307-316
  patches
    advanced techniques, 97-100
    as risk management, 83-84
    AU/WSUS, 94
    automatic updates, 94

564 Index

building test bed, NetworkHideSharePasswords service accounts, 222 88-90 setting, 358 types of, 229-234 definition of, 81, 83 NetworkNoDialIn Eggshell Principle, 31 EMS (enterprise setting, 358 footprinting, 34 management networks address ranges, 34-36 system), 95-96 attacks, 7 application/OS version MBSA (Microsoft analyzing, 72-73 information, 40 Baseline Security ARP (Address expected hosts, 37-38 Analyzer), 93 Resolution Protocol), exposed applications, 39 need for, 79-80 270-271 host names, 37 security update tools, cached credentials, 331 patch states (of 91-93 casual attackers, 5 applications and selection of, 96 cleaning attackers, hosts), 41 slipstreaming, 101-108 74-76 public information, testing security cross-site scripting, 479 42-43 updates, 85-87 damage (types of), structure (of penetration testing, 10, 13 applications and 28-31 DDoS (Distributed back-end servers), 42 rights systems, 513-517 DoS), 188 hacking risk, 113, 118-119 detecting, 43-45, 150 address ranges, 34-36 security, 129, 135-136 DoS (denial-of-service), analyzing, 72-73 administrator 188, 243 application/OS version responsibilities, 18 elevation-of-privilege, information, 40 receiving feedback, 46-50, 243 cleaning attackers, 14-20 footprinting networks, 74-76 usability, 16-18 34-43 detecting initial vendor design tradeoffs, null sessions, 50-57 compromise of, 19-20 passwords, 326-332 43-45 system administration, penetration testing. See elevating privileges, 135-136 penetration testing 46-50 Web sites (safely), reflection, 230 expected hosts, 37-38 462, 464 spoofing, 190-191 exposed applications, 39 necessity of security, 360 taking over, 59-71 footprinting, 34 Netcat, 47 target networks, 32 hosts names, 37 ipsec, 291. 
See also types of, 7, 9-10 null sessions, 50-57 IPsec dependencies, 215-217 patch states (of Network Address administrative security, applications and Translation (NAT), 218-222 hosts), 41 287-288 mitigating services, public information, 223-228 42-43 Johansson_Index.qxd 4/27/05 9:31 AM Page 565

    structure (of applications and back-end servers), 42
    taking over, 59-71
    target, 32
  initial compromises, 43-45
  null sessions, 50-57
  perimeters, 32
    border routers, 190-191
    deperimeterization, 210-212
    firewalls, 192-198
    full IP VPNs, 203-210
    objectives of information security, 184-189
    protecting, 183-184
    remote access, 198-200
    remote control, 201-202
    role of networks, 189-190
  privileges, 46-50
  protecting, 521
  rogue access
    applying 802.1X, 272-282
    enabling IPsec, 283-294
    layer 2/3 protection, 269-271
    preventing, 267
    quarantine systems, 296-300
    sniffing, 267-268
  small businesses
    securing WLANs (wireless LANs), 458-459
    selecting passwords, 460
  stacks, 159
  targeting, 13-14, 32
  threat modeling processes, 237-238
    access restriction, 253-255, 257, 264
    documentation, 238-248
    segmentation, 248-251
  wired, 274-276
  wireless, 277-282
NetworkService, 222
nonadministrative privileges, 484
nondisclosure agreements, 30
NT hash, 314-315
NTLMv2, 320-322
null sessions, 50-57

O
objectives
  of information security, 184
    availability, 187-189
    confidentiality, 185
    integrity, 186
  of security, 31
offline storage, 456
one-time passwords, 348
one-way function (OWF), 306
Open Systems Interconnect, 21
OpenHack, 19
operating system (OS), 22, 40
optimization
  administrator passwords, 538-539
  attachments, 408-410
  Help, 151-152
  passwords, 225-228, 307, 334-344
    applying, 317-325
    attacks, 326-332
    configuring, 536-539
    passgen tool, 529-539
    storage, 307-316
  patches
    advanced techniques, 97-100
    as risk management, 83-84
    AU/WSUS, 94
    automatic updates, 94
    building test bed, 88-90
    definition of, 81, 83
    EMS (enterprise management system), 95-96
    MBSA (Microsoft Baseline Security Analyzer), 93
    need for, 79-80
    security update tools, 91-93
    selection of, 96
    slipstreaming, 101-108
    testing security updates, 85-87
  penetration testing, 28-31

566 Index

rights systems, 513-517 passgen (password patches risk, 113, 118-119 generator) tool, 228, applications, 41, 395-398 security, 129, 135-136 529-539 batching, 100 administrator passive administrative management responsibilities, 18 dependencies, 219 advanced techniques, receiving feedback, passive attacks, 7 97-100 14-20 passive-automated AU, WSUS, 94 usability, 16-18 attacks, 8 automatic updates, 94 vendor design passive-manual attacks, 8 building test beds, tradeoffs, 19-20 password policy (PP), 122 88-90 system administration, passwords, 303, 305 definition of, 81-83 135-136 authentication, 482 EMS (enterprise options, authentication, 435 best practices, 334 management OS (operating system), account lockout, 344 system), 95-96 22, 40 disabling LM hashes, MBSA (Microsoft OSI (Open Systems 335-336 Baseline Security Interconnect) protecting cached Analyzer), 93 model, 21 credentials, 334-335 need for, 79-80 outbound connections, selection, 337-344 as risk management, preventing, 264 blank, 383 83-84 Outlook Web Access cracking, 328-331 security update tools, (OWA), 199 deterministic, 536 91-93 overflows, troubleshooting documentation, 341 selection of, 96 buffers, 483 group, 341 slipstreaming, 101-108 OWA (Outlook Web guessing, 326-327 testing security Access), 199 laptops, 174 updates, 85-87 OWASP project length distribution, 324 scanners, 91, 396 (http://www.owasp.org), management, updates, 104 478 225-228, 307 path maximum OWF (one-way applying, 317-325 transmission unit function), 306 attacks, 326-332 (PMTU), 38 storage, 307-316 PCs (personal computers) P multifactor authentication, dealing with stolen, packet-filtering 346-348 173-179 firewalls, 193 one-time, 348 family (physical packets overview of, 305-307 security), 180 ACKnowledge, 38 passgen (generating), 228 protecting (physical sniffers, 8 policies, 122, 345, security), 169-172 pass phrases (password 373, 382 selection), 338 selecting, 460 values of, 139 Johansson_Index.qxd 4/27/05 9:31 AM Page 567

  small businesses
    applying anti-spyware/antivirus software, 450
    configuring firewalls, 451-453
    controlling automatic updating, 449
    protecting, 447-448, 464-465
    updating software, 448-449
PEAP (Protected EAP), 273
penetration testing, 23-31
performance
  audit settings, 377
  baselining, 90
  firewalls for small business, 451-453
  passwords (administrators), 536-539
  replicating, 88
  security
    false information about guides, 354-363
    tools, 387-391
    troubleshooting, 483
  SQL Server
    customizing authentication, 435
    dropping stored procedures, 436-438
    hardening, 426-427
    securing service accounts, 427-434
    supportability, 416
  , 90
perimeter protection policy (PPP), 123, 126-127
perimeters
  ASR (attack surface reduction), 418
    blocking unnecessary interfaces, 420
    disabling unnecessary features, 419
    uninstalling unnecessary components, 418-419
  borders, 190-191
  deperimeterization, 210-212
  firewalls, 192-198
  full IP VPNs, 203-210
  functionality (restricting), 402-407
  GUIs (Graphical User Interfaces), 60
  networks, 32
  objectives of information security, 184
    availability, 187-189
    confidentiality, 185
    integrity, 186
  protecting, 183-184
  remote access, 198-200
  remote control, 201-202
  rogue access
    applying 802.1X, 272-282
    enabling IPsec, 283-294
    layer 2/3 protection, 269-271
    network quarantine systems, 296-300
    preventing, 267
    sniffing, 267-268
  role of networks, 189-190
permissions
  PUBLIC, 523-524
  tools, 512
personal computers (PCs)
  dealing with stolen, 173-179
  family (physical security), 180
  protecting (physical security), 169-172
  small businesses
    applying anti-spyware/antivirus software, 450
    configuring firewalls, 451-453
    controlling automatic updating, 449
    protecting, 447-448, 464-465
    updating software, 448-449
personal identification number (PIN), 168, 303
personally identifiable information (PII), 124
phase two (IPsec), 283
physical security, 159-164
  access controls, 165-168
  client PCs, 169-172
  family PCs, 180
  laptops (dealing with stolen), 173-179
  laws of security, 164
  need for, 181-182
  policies, 128
  security tweaks, 362-363
  USB drives, 171
PII (personally identifiable information), 124

568 Index

PIN (personal identification number), 168, 303
PKI (Public Key Infrastructure), 226
placement of VPN servers, 206
PMTU (path maximum transmission unit), 38
policies
  APP (administrator password policy), 122
  AUP (acceptable use policies), 122
  AVP (antivirus policy), 123
  DTP (direct tap policy), 127
  Internet use, 463
  IPP (information protection policy), 124
  passwords, 345, 373, 382
  physical security, 128
  PP (password policy), 122
  PPP (perimeter protection policy), 123-127
  RAP (remote access policy), 123
  recovery, 176
  security
    analyzing security needs, 118-128
    creating awareness of, 128-129
    developing, 114
    enforcing, 130
    failure of, 116
    identifying threats, 117
    modifying, 129
    necessity of, 115
    structure of, 114-115
  software restriction, 379
  SRPs (software restriction policies), 366-367, 420
  SSCP (system sensitivity classification policy), 127
  UPP (user password policy), 122
  WNAP (wireless network access policy), 125
porn dialers, 450
possession, 186
PP (password policy), 122
PPP (perimeter protection policy), 123, 126-127
PPTP (Point-to-Point Tunneling Protocol), 36
precomputed hashes, 329
preshared keys, 284
preventing
  downtime, 99
  outbound connections, 264
  rogue access, 267
    applying 802.1X, 272-282
    enabling IPsec, 283-292, 294
    layer 2/3 protection, 269-271
    network quarantine systems, 296-300
    sniffing, 267-268
  spoofing, 190-191
privileges
  elevating, 46-50
  servers, 47, 457
  services, 421-422, 426
  troubleshooting, 484
probability, 218
procedures
  dropping, 436-438
  enforcing security policies, 130
processes
  cracking, 329
  hashing, 306
  network threat modeling, 237-238
    access restriction, 253-257, 264
    documentation, 238-248
    segmentation, 248-251
  security, 4
profiles, roaming, 455
proposed standard status, 204
protected assets (quarantine systems), 297
Protected EAP (PEAP), 273
protecting
  administrative accounts, 224-228
  applications, 415-416
  cached credentials, 334-335
  client PCs, 169-172
  computers
    applying anti-spyware/antivirus software, 450
    configuring firewalls, 451-453
    controlling automatic updating, 449
    for small businesses, 447-448, 464-465
    updating software, 448-449
  data for small businesses, 461-462
  data-protection mechanisms, 491-492
    ACLs (access control lists), 493-501, 505-513
    incorporating into applications, 517-518
    reviewing security groups, 493
    rights management systems, 513-517
  networks, 521
    securing WLANs (wireless LANs), 458-459
    selecting passwords, 460
  perimeters, 183-184
    802.1X, 272-282
    applying firewalls, 192-198
    availability, 187-189
    confidentiality, 185
    connecting border routers, 190-191
    deperimeterization, 210-212
    enabling IPsec, 283-294
    full IP VPNs, 203-210
    integrity, 186
    layer 2/3 protection, 269-271
    network quarantine systems, 296-300
    objectives of information security, 184
    preventing rogue access, 267
    remote access, 198-200
    remote control, 201-202
    role of networks, 189-190
    sniffing, 267-268
  physical security, 166-168
  servers
    for small business, 454
    for storing client information on, 455-458
  users, 148-153
  Web sites for small businesses, 462-464
  Web-based services, 199
protocols
  ARP (Address Resolution Protocol), 270-271
  ICMP (Internet Control Message Protocol), 38
  IPsec (IP Security), 19
  NTLMv2, 320-322
  PPTP (Point-to-Point Tunneling Protocol), 36
proxies, circuits, 195
proxy server dependencies, 232
public disclosure laws, 120
public information (of implementation details), 42-43
Public Key Infrastructure (PKI), 226
PUBLIC permissions, 523-524

Q
QFE (Quick Fix Engineering), 103
quarantine systems, 296-300
Quick Fix Engineering. See QFE
quick mode (IPsec), 283

R
RADIUS, 273
ranges, addresses, 34-36
RAP (remote access policy), 123
rating risk, 84
Real Time Communication Server (RTC), 317
reality check, 154
reboots, minimizing, 97-99
records
  CDR (call detail record), 115
  Microsoft domain, 146
recovering encrypted files, 176-177
redirecting folders, 456
reflection attacks, 230
regeneration (of keys), 279
registration
  for security bulletins, 82
  Trojans, 63
Reinhold, Arnold, 339
relative identifier (RID), 226
Release To Manufacturing (RTM), 103
remote access, 198-200. See also access
remote access policy (RAP), 123
remote control, 201-202
Remote Installation Services (RIS), 101
removable media, 385
removing service privileges, 421-426
replacing encrypted files, 178
replicas, configuring, 88
replication, 416
replies, gratuitous ARP, 271
reports, 23-31
repudiation, 243
requests, unsolicited ARP, 271
resetting administrator passwords, 538
resistance training, 153
restriction
  access, 253-257, 264
  anonymous, 369-372, 384
  browser functionality, 402-407
  groups, 376-377
  software policies, 379
  SRPs (software restriction policies), 366-367
return on investment (ROI), 360
reviewing
  applications, 471-474, 477-487
  security groups, 493
revoking PUBLIC permissions, 523-524
RFC 1928, 195
RID (relative identifier), 226
rights
  on files, 500
  management systems, 513-517
RIS (Remote Installation Services), 101
risk management, 83-84, 118-119. See also security policies
-r mode (passgen tool), 534-535
RMS (Windows Rights Management Services), 514-515
  components, 516-517
  workflow, 515
roaming profiles, 455
rogue access
  applying 802.1X, 272-282
  enabling IPsec, 283-294
  layer 2/3 protection, 269-271
  network quarantine systems, 296-300
  preventing, 267
  sniffing, 267-268
ROI (return on investment), 360
role of networks, protecting perimeters, 189-190
rollup (updates), 83
routers
  borders, 190-191
  DMZ DCs, 33
RRAS (Windows Routing and Remote Access Services), 207, 458
RSA SecurID, 170, 226
RTC (Real Time Communication Server), 317
RTM (Release To Manufacturing), 103

S
SafeDllSearchMode, 379-382
salting, 307
SAM (security accounts manager), 179
SBS (Small Business Server), 449
scanners
  patches, 91, 396
  SYN, 38
  vulnerability, 91
SCE (Security Configuration Editor), 387-391
SCM (Services Control Manager), 418
screened subnets, 32
scripting
  cross-site scripting, 479
  PUBLIC permissions, 523-524
  XSS (cross-site scripting), 45
SCW (Security Configuration Wizard), 354
SeBCAK (security between chair and keyboard), 412
secedit.exe tool, 469
second-level zombies, 188
secrets, LSA, 53, 179, 223
SecurID, 170, 226
security
  10 immutable laws of, 541-549
  administrators, 220
  applications
    baselining systems, 469-470
    evaluating, 467
    reviewing, 471-479, 482-487
  associations, 283
  awareness, 149-150
  bulletins, 82
  client tweaks
    anonymous restrictions, 384
    blank passwords, 383
    enabling auditing, 384-385
    LAN Manager authentication, 383
    limiting malicious code, 377-378
    password policies, 382
    removable media, 385
    SafeDllSearchMode, 379-382
    SMB message signing, 383
  configuration
    false information about guides, 354-363
    tools, 387-391
  databases, 482
  dependencies, 215
    administrative security, 218-228
    overview of, 215-217
    service accounts, 222
    types of, 229-234
    UNIX, 233
  descriptors, 495-501, 505-506
  design
    administrator responsibilities, 18
    receiving feedback, 14-20
    usability, 16-18
    vendor design tradeoffs, 19-20
  desktops
    family (physical security), 180
    protecting (physical security), 169-172
    small businesses, 447-448, 464-465
  EFS, 177-178
  firewalls
    applying, 192-198
    malicious code (limiting), 378
    small businesses, 451-453
    types of, 193
    Windows XP Service Pack 2, 256
  groups, 493
  guides
    applying, 362
    necessity of, 360
    high, 361-362
  HTML e-mail, 405, 407
  information security, 184
  management
    audit settings, 377
    defense-in-depth model, 20-23
    firewalls for small business, 451-453
    network threat modeling processes, 237-248, 264
    passwords (administrators), 536-539
    replicating, 88
    SQL Server, 426-436
    supportability, 416
    tradeoffs (vendors), 19-20
  MBSA (Microsoft Baseline Security Analyzer), 93
  objectives, 31
  passgen tool, 535
  passwords, 303-305
    applying, 317-325
    attacks, 326-332
    best practices, 334-344
    management, 307-311, 313-316
    multifactor authentication, 346-348
    overview of, 305-307
    policies, 345
  patches, 81
    advanced techniques, 97-100
    applications, 41, 395-398
    batching, 100
    AU, WSUS, 94
    automatic updates, 94
    building test beds, 88-90
    definition of, 81-83
    EMS (enterprise management system), 95-96
    MBSA (Microsoft Baseline Security Analyzer), 93
    need for, 79-80
    as risk management, 83-84
    scanners, 91, 396
    security update tools, 91-93
    selection of, 96
    slipstreaming, 101-108
    testing security updates, 85-87
    updates, 104
  penetration tests, 24-31
  physical, 159
    access controls, 165-168
    client PCs, 169-172
    family PCs, 180
    laptops (dealing with stolen), 173-179
    laws of security, 164
    need for, 181-182
    policies, 128
    security tweaks, 362-363
    USB drives, 171
  policies
    analyzing security needs, 118-128
    creating awareness of, 128-129
    developing, 114
    enforcing, 130
    failure of, 116
    identifying threats, 117
    modifying, 129
    necessity of, 115
    structure of, 114-115
  process, 4
  service accounts, 427-434
  small businesses, 447
    applying anti-spyware/antivirus software, 450
    configuring firewalls, 451, 453
    controlling automatic updating, 449
    data protection, 461-462
    protecting, 447-448, 464-465
    securing WLANs (wireless LANs), 458-459
    selecting passwords, 460
    servers, 454-458
    updating software, 448-449
    Web sites, 462-464
  stored procedures, 436-438
  tweaks, 354
    anonymous restrictions, 369-372
    audit settings, 377
    avoiding, 385-386
    defense-in-depth model, 363-364
    IPsec filters, 365
    LAN Manager authentication, 375
    LM hash value storage, 368
    necessity of, 360
    number of settings, 357-359
    password policies, 373
    physical security, 362-363
    restricted groups, 376-377
    restricting access, 254
    SMB message signing, 374
    SRPs (software restriction policies), 366-367
    stopping worms/viruses, 363
    TCP hardening, 375-376
  updates
    testing, 85-87
    tools, 91-93
  users
    exploits against, 140-141
    involvement vs. influence, 142-143
    protecting, 148-153
    social engineering, 137, 139-148
    value of passwords, 139
    vulnerabilities, 155-156
  VPN clients, 208
  WLANs (wireless LANs), 458-459
security accounts manager (SAM), 179
security between chair and keyboard (SeBCAK), 412
Security Configuration Editor (SCE), 387-391
Security Configuration Wizard (SCW), 354
Security Guidance Center, 354
security identifier (SID), 373
SeDebugPrivilege, 53
segmentation, 248-251
selection
  of access controls (physical security), 166-168
  of firewalls, 192-198
  of passwords, 323-325, 337-344, 460
  of patch management solutions, 96
senior management, 114. See also management
servers
  applications, 417
    analyzing, 415-416
    ASR (attack surface reduction), 418-420
    removing service privileges, 421-422, 426
  back-end, 42
  DNS lookup requests, 37
  enforcement, 297
  Exchange Server Best Practices Analyzer Tool, 454
  for small businesses
    protecting, 454
    storing client information on, 455-458
  IPsec protecting, 292, 294
  ISA (Internet Security and Acceleration) Server, 451
  privileges, 47
  proxy, 232
  SBS (Small Business Server), 449
  SQL Server
    customizing authentication, 435
    dropping stored procedures, 436-438
    hardening, 426-427
    IIS (Internet Information Services), 441
    securing service accounts, 427-434
  VPN, 206
  Windows Server 2003, 299-300
service level agreement (SLA), 486
service packs, 82-83, 94, 230
services
  accounts, 421
    dependencies, 222
    securing, 427-434
  ACS (Audit Collection Services), 458
  administrative security dependencies, 223-228
  Alerter, 418
  ASR (attack surface reduction), 418
    blocking unnecessary interfaces, 420
    disabling unnecessary features, 419
    uninstalling unnecessary components, 418-419
  Messenger, 419
  MSN Bill Payer, 216
  privileges, 421-422, 426
  Web-based, 199
Services Control Manager (SCM), 418
sessions, null, 50-57
shares, built-in, 510
showaccs.exe tool, 469
SID (security identifier), 373
SLA (service level agreement), 486
slipstreaming, 101-108
small business
  computers
    applying anti-spyware/antivirus software, 450
    configuring firewalls, 451, 453
    controlling automatic updating, 449
    protecting, 447-448, 464-465
    updating software, 448-449
  data protection, 461-462
  networks
    securing WLANs (wireless LANs), 458-459
    selecting passwords, 460
  servers
    protecting, 454
    storing client information on, 455-458
  Web sites, 462-464
Small Business Server (SBS), 449
smart cards, 347
SMB (Server Message Block)
  message signing, 230, 374, 383
  reflection attacks, 230
Smith, Ben, 5
-s mode (passgen tool), 535
SMS (Microsoft Systems Management Server), 95
sniffers, 8, 267-268
social engineering, 137-148
SOCKS, 195-196
software
  analyzing, 415-416
  ASR (attack surface reduction), 418
    blocking unnecessary interfaces, 420
    disabling unnecessary features, 419
    uninstalling unnecessary components, 418-419
  data-protection mechanisms, 517-518
  exposed (on hosts), 39
  functionality
    restricting browser, 402-407
    turning off, 400-402
  hiding, 357
  LUA (least user access), 398
  patch states, 41
  patches, 395-398
  security
    baselining systems, 469-470
    evaluating, 467
    reviewing, 471-474, 477-487
  servers, 417
  services, 421-426
  small businesses
    applying anti-spyware/antivirus software, 450
    configuring firewalls, 451-453
    controlling automatic updating, 449
    updating, 448-449
  spyware, 411
  structure of, 42
  updates, 96
  version information, 40
  Web, 441
software restriction policies (SRPs), 366-367, 420
source code, release of Microsoft, 11
spoofing, 190-191, 243
spyware, 411
  anti-spyware software, 450
  blocking, 527-528
SQL (Structured Query Language)
  injection, 45, 471-479
  input validations, 472-474
SQLSecurity.com (http://www.sqlsecurity.com), 478
SQL Server
  hardening, 426-434, 436-438
  IIS (Internet Information Services), 441
SRPs (software restriction policies), 366-367, 420
SSCP (system sensitivity classification policy), 127
SSL transactions, 231
stacks
  with ISA Servers installed, 452
  networks, 159
  RRAS, 207
starting service accounts, 222
startup keys, enabling, 179
storage
  client information on servers, 455-458
  passwords, 307-316
stored procedures, dropping, 436-438
strengthening passwords, 339
STRIDE, 243
structure
  of applications and back-end servers, 42
  of security policies, 114-115
substitution (of passwords), 339
supplicants, 273
supportability, 416
SYN scans, 38
, 168
system administration, 135-136. See also administration
system sensitivity classification policy (SSCP), 127
systems
  analyzing existing, 512
  baselining, 469-470
  hiding, 357
  LM hash value storage, 368
  quarantine, 296-300
  rights management, 513-517

T
tampering, 243
target networks, 13-14, 32
TCP (Transmission Control Protocol), hardening, 375-376
Templates, ACLs (access control lists), 353
temporary Internet files (TIF), 244
ten (10) immutable laws of security, 541-549
testing
  black-box tests, 30
  patches, 88, 90
  penetration, 23-31
  security updates, 85-87
text, troubleshooting cleartext data, 484
theft of laptops, 173-179
threats
  analyzing, 244-248
  identifying, 117
  network threat modeling processes, 237-238
    access restriction, 253-264
    documentation, 238-248
    segmentation, 248-251
TIF (temporary Internet files), 244
Tivoli, 95
tokens, RSA SecurID, 226
tools
  Character Map, 476
  enumeration, 92
  Exchange Server Best Practices Analyzer Tool, 454
  IIS Lockdown Tool, 440
  ipseccmd.exe, 291
  ipsecpol.exe, 291
  Netcat, 47
  passgen (password generator), 529-539
  penetration testing, 28
  Performance Monitor, 90
  permissions, 512
  secedit.exe, 469
  security configuration, 387-391
  security updates, 91-93
  showaccs.exe, 469
  slipstreaming, 101
  update.exe, 100
  wipe, 125
tradeoffs, vendors, 19-20
traffic
  filtering, 254-257
  ICMP, 38
  spoofing, 190-191
training for users, 152-153
transactions
  challenge-response, 229-234
  SSL, 231
transfers, zone, 37
Transmission Control Protocol (TCP), hardening, 375-376
Transport mode (IPsec), 285
trees
  fault, 245
  threats, 244-248
Trojan horses, 62, 450
troubleshooting
  cross-site scripting, 479
  databases, 471-479
  security
    authentication, 482
    buffer overflows, 483
    cleartext data, 484
    crypto algorithms, 485
    databases, 482
    nonadministrative privileges, 484
    SLA (service level agreement), 486
    unsafe settings, 483
tunnel mode (IPsec), 285
Turkish I, 471
turning off functionality, 400-402
tweaks (security), 354
  access, 254
  anonymous restrictions, 369-372
  audit setting, 377
  avoiding, 385-386
  clients
    anonymous restrictions, 384
    blank passwords, 383
    enabling auditing, 384-385
    LAN Manager authentication, 383
    limiting malicious code, 377-378
    password policies, 382
    removable media, 385
    SafeDllSearchMode, 379-382
    SMB message signing, 383
  defense-in-depth model, 363-364
  IPsec filters, 365
  LAN Manager authentication, 375
  LM hash value storage, 368
  necessity of, 360
  number of settings, 357-359
  password policies, 373
  physical security, 362-363
  restricted groups, 376-377
  SMB message signing, 374
  SRPs (software restriction policies), 366-367
  stopping worms/viruses, 363
  TCP hardening, 375-376
types
  of ACLs (access control lists), 493-494
  of attacks, 7-13
  of dependencies, 219, 229-234
  of exploits, 140
  of firewalls, 193

U
UMO (useless management overhead), 360
unbelievable software claims, 486-487
uninstalling unnecessary components, 418-419
uniqueness (of keys), 279
universal groups, 493
UNIX, dependencies, 233
unnecessary components, uninstalling, 418-419
unnecessary features, disabling, 419
unnecessary interfaces, blocking, 420
unsafe security settings, troubleshooting, 483
unsolicited ARP requests, 271
unused components (turning off functionality), 400
update.exe tool, 100
updates
  applications, 96
  automatic updates
    controlling, 449
    enabling, 449
  rollup, 83
  security
    testing, 85-87
    tools, 91, 93
  software
    controlling automatic updating, 449
    for small businesses, 448-449
  WSUS (Windows Software Update Services), 94
UPP (user password policy), 122
URL Scan (IIS), 444
usability of security management, 16, 18
USB (universal serial bus), 171
useless management overhead (UMO), 360
user password policy (UPP), 122
username storage, 316
users
  anonymous restrictions, 369-372
  applications
    patches, 395-398
    running as nonadmin, 398
  security
    exploits against, 140-141
    involvement vs. influence, 142-143
    protecting, 148-153
    social engineering, 137-148
    value of passwords, 139
    vulnerabilities, 155-156
utilities, 188
  Character Map, 476
  enumeration, 92
  Exchange Server Best Practices Analyzer Tool, 454
  IIS Lockdown Tool, 440
  ipseccmd.exe, 291
  ipsecpol.exe, 291
  Netcat, 47
  passgen (password generator), 529-539
  penetration testing, 28
  Performance Monitor, 90
  permissions, 512
  secedit.exe, 469
  security configuration, 387-391
  security updates, 91-93
  showaccs.exe, 469
  slipstreaming, 101
  update.exe, 100
  wipe, 125

V
values
  of information and services, 118
  of passwords, 139
vendor design tradeoffs, 19-20
verification of SQL injection, 45
versions, applications/OS, 40
virtual memory, clearing, 387
virtual private network. See VPN
viruses, 5
  antivirus software, 450
  avoiding, 13
  stopping, 363
  worms, 13
VPN (virtual private network), 35
  clients, 208
  full IP VPNs, 203-210
  placement of, 206
  quarantine, 299-300
vulnerabilities, 6, 155-156
  automated attacks, 7
  circumvention, 137
  hardware, 249
  penetration testing, 28
  scanners, 91
  SQL injection, 45, 474-479
  XSS (cross-site scripting), 45

W
Warez, 47
Web access, 198-199
Web applications, 441
Web sites
  cross-site scripting, 479
  for small businesses, 462-464
Web-based services, protecting, 199
WF (Windows Firewall), 378
WiFi Protected Access (WPA), 279-282
Windows operating system, 22
Windows Data Protection API (DPAPI), 179
Windows Firewall (WF), 378
Windows Management Instrumentation (WMI), 99
Windows Rights Management Services (RMS), 514-515
  components, 516-517
  workflow, 515
Windows Routing and Remote Access Services (RRAS), 458
Windows Server 2003
  null sessions, 55
  VPN quarantine, 299-300
Windows Server 2003 Service Pack 1, 230
Windows Software Update Services, 94
Windows Update Services (WUS), 449
Windows Update (WU), 94
Windows XP Service Pack 2, 94, 230, 256
wipe tools, 125
wired networks, applying 802.1X, 274-276
wireless LANs (WLANs), 458-459
wireless network access policy (WNAP), 125
wireless networks, applying 802.1X, 277-282
wizards, SCW (Security Configuration Wizard), 354
WLANs (wireless LANs), 458-459
WMI (Windows Management Instrumentation), 99
WNAP (wireless network access policy), 125
workflow (RMS), 515
worms, 7, 9
  defense against, 355-356
  IPsec defending against, 289-292
  risk management, 84
  stopping, 363
  viruses, 13
WPA (WiFi Protected Access), 279-282
WSUS (Windows Software Update Services), 94
WU (Windows Update), 94
WUS (Windows Update Services), 449

X-Z
XSS (cross-site scripting), 45
Zions, Jason, 412
zombies, 188
zone transfers, 37