Re: Hardening an ISA Server

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance


"Phillip Windell" <@.> wrote in message
news:exaUPTf7GHA.1256@xxxxxxxxxxxxxxxxxxxxxxx
Yes. But you can't take a "shotgun" approach. Tools like that aren't going
to focus on the ISA, that would be a meaningless thing to do,...it would
need to contact the person on the "outside" to be worth anything. So the
Rule for "Internal-to-localhost" is not going to be any benefit to him.
The
solution is to only allow outbound from "Internal-to-External" for the
specific traffic users need and to not let it be anonymous. They also
can't
seize control of anything if none of the credentials that they know about
will work anymore. That is why users should not "know" any credentials
that
they aren't supposed to know about to get their jobs done and the
credentilas need to be changed or eliminated after they leave.

I think it's much easier than you seem to believe for the hacker. First,
almost everyone lets their internal users out on port 80. That's all the
hacker needs. He sets up his reverse connection server to listen on port
80. You aren't blocking that traffic. Second, the hacker runs on your
internal machine a service, which runs as system. And, lovely, Microsoft's
security model lets any process that runs as system impersonate any user.
McAfee was using this trick on their managed firewall service, a fact that
was almost frightening to watch. You would login as administrator on the
box, and their service would immediately steal your credentials, impersonate
you using the Windows impersonate APIs, and then connect to the network
using your stolen credentials. I complained loudly in a newsgroup here a
few months ago when I found that. With an OS that has such a
transparently unsecure foundation, I don't think I can reasonably stop these
things from happening. The best I can do is to isolate every machine in
such a way that its interactions with other machines are very limited, and
the spread of the infection is at least mitigated.


Another thing is that if you left them with an opportunity to leave such a
tool then "the war is over and you lost".

Show me one company on the planet where virtually every computer on every
desk doesn't have outgoing port 80 access. It's very difficult to prevent
someone from modifying a registry entry that forces the next admin login to
run a trojan, or simply exploits loose access controls on system32 to modify
things directly. The people who do these sorts of things are quite often
administrators.

And any hacker worth his salt is going to carry some hacked up linux boot
disk that will let him mount the file system, ignore NTFS permissions, and
steal the SAM. He takes that home, runs his own computer against it for
two weeks, and then cracks the local administrator password. How many
companies do you know who change their local administrator passwords every
day to prevent such attacks?

Again, as I have said from the start, I don't think that you can prevent the
infection. You can try, but the tools to do it well are not either
available or are not cost effective to implement. You will probably stop
60% of the attacks done by people who are not very careful or bright. I
don't believe the OS in its current state is defendible against an insider
who is competent. The best I can do is to locate the abnormal network
traffic from another machine that I trust early and try to limit the damage
that can be done once the infection takes place by isolating the machine's
access to internal resources as a normal configuration, through a firewall.


If they are even able to do what
you are saying then you are failing in you other secury practices and
trying
to get ISA to cover up those mistakes for you and you are never going to
be
successful that way.

If the goal is to discover the infection, then I would disagree. Without
the firewall log finding the offender is much more difficult. If the goal
is to prevent, then I half-agree. The firewall will protect you from many
things and won't protect you from the obvious avenues, with are port 80 and
443.


If they are ex-employees then there are ways to
indentify them as opposed to it being nearly impossible for "anonymous
people" on the internet, and there are these things called police that can
arrest them :-).

Oh give me a break. I once caught a swindler on eBay red-handed trying to
take $25K from six buyers. I notified them, and the company whose checking
account was being stolen (the guy had printed checks on his laser printer).
When I contacted the FBI, they did exactly ZERO, and they had more questions
for me about who I was than they did about who the criminal was.

There is no justice for anyone except the rich. Rid yourself of the
romantic concept. :) If you are rich, then you can afford lawyers, and
the way justice works in that case is that you keep spending money until the
other party is broke.


If you aren't willing to pursue them, then you might as
well just let them hack the crap out of your network. It is not a "game"
where if they get past all your security attempts they "win" and you just
keep looking for new ways to "win" your self,...you have to go after them
legally and nail them just for "trying" whether they succeed or
not,...that
is an advantage you have over ex-employees that you don'thave with
anonymous
hackers from the internet. All you have to do is find their "tool" they
left
behind (or whatever they attempted),...it doesn't have to actually work
properly for them first.

If someone is persistent about hacking in spite of your catching them and
stopping the initial break in, then yes of course you have to make their
life an unbearable hell.


In the end it is a Human Resource problem as well. You just don't hire
people you can't trust. The old idea that if a guy hacks into your system
you turn around an hire him because he "knows what he is doing" is
non-sense. You just let the fox come live in the henhouse. If a guy breaks
into your system he has no ethics and has no integrity,..you don't turn
around and give them the keys to the kingdom.

Amen. Agreed.

--
Will


.

Relevant Pages

  • Re: How get the computers communicate in XP?
    ... Specially port 445 which is giving problems last day with Zotob worm for example! ... I don't see that Windows Firewall is so configurable as I would like it to be. ... of an infection can save you a lot of trouble. ...
    (microsoft.public.windowsxp.network_web)
  • Re: Tips on blocking difficult services..
    ... you can run all of these protocols over any port ... connected PC, not sat behind a firewall, as I used to have set up. ... provides useful information in so far as I could see the purported IP ... Hence an infection detection. ...
    (comp.security.firewalls)
  • Re: Would a firewall prevent Sasser worm?
    ... any firewall that blocks incoming port 445 will prevent infection ... >]by the Sasser worm. ...
    (comp.security.firewalls)
  • Re: Would a firewall prevent Sasser worm?
    ... any firewall that blocks incoming port 445 will prevent infection ... >]by the Sasser worm. ...
    (alt.computer.security)
  • Re: Would a firewall prevent Sasser worm?
    ... any firewall that blocks incoming port 445 will prevent infection ... >]by the Sasser worm. ...
    (comp.security.misc)