Wednesday, May 12, 2010
Accountability: A real story…
Accountability, like common sense, applies to every aspect of information technology.
Several years ago, a company that relied on data that could never be re-created wrote shell scripts to do backups early in the morning when the hosts were less busy. Operators at those machines were told to insert a tape in the drive around midnight and check back at 3:00 a.m. to make certain that a piece of paper had been printed on the printer, signaling the end of the job. If the paper was there, they were to remove the tapes and put them in storage; if the paper was not there, they were to call for support.
The inevitable hard drive crash occurred on one of the hosts one morning, and an IT "specialist" was dispatched to swap it out. The technician changed the hard drive and then asked for the most recent backup tape. To his dismay, the data on the tape was two years old. The machine crash occurred before the backup operation ran, he reasoned, but the odds of rotating two years' worth of tapes was pretty amazing. Undaunted, he asked for the tape from the day before, and found that the data on it was also two years old.
Beginning to sweat, he found the late shift operator for that host and asked her if she was making backups. She assured him that she was and that she was rotating the tapes and putting them away as soon as the paper printed out. When he questioned her further on how the data could be so old, she said she could verify her story because she also kept the pieces of paper that appeared on the printer each day. She brought out the stack and handed them to him. They all reported the same thing: tape in drive is write protected.
Where did the accountability lie in this true story? The operator was faithfully following the procedures given to her. She thought the fact that the tape was protected represented a good thing. It turned out that all the hosts had been printing the same message, and none of them had been backed up for a long while.
The problem lay not with the operator, but with the training she was given. Had she been shown what correct and incorrect backup completion reports looked like, the data would never have been lost.
Saturday, April 17, 2010
Three Areas of Information Security Part:3
Understanding Information Security Part:2
Information Security Part:1
Sunday, April 4, 2010
Internet Information Services (IIS)
Windows Server 2003 Service Pack 1 includes Internet Information Services (IIS), Version 6.0, which makes it possible for you to host your own Web site on the Internet or your intranet.
IIS is an optional component of Windows Server 2003, is not enabled by default, and must be installed separately.
Who does this feature apply to?
This feature applies to the following audiences:
• IT professionals that use IIS to host and administer a Web site.
• Web developers that use IIS to develop Web content.
Internet Information Services 6 (IIS 6) is a powerful platform for hosting web sites on both the public Internet and on private intranets. Creating and configuring web sites and virtual directories are bread-and-butter tasks for IIS Administrators, and in this article we'll walk through the process of doing this using both the GUI (IIS Manager) and using various scripts included with Windows Server 2003. The seven specific tasks we'll walk through will include:
Creating a Web Site
Controlling Access to a Web Site
Configuring Web Site Logging
Configuring Web Site Redirection
Stopping and Starting Web Sites
For the sake of interest, we'll explain these tasks in the context of a fictitious company called TestCorp as it deploys IIS for its corporate intranet.
Preliminary Steps
Unlike earlier versions of Microsoft Windows, IIS is not installed by default on Windows Server 2003. To install IIS, open Manage Your Server from the Start menu and add the Application Server role:
Note that for simple security reasons IIS should only be installed on member servers, not domain controllers. The reason is that if you install IIS on a domain controller and your web server becomes compromised, the attacker could gain access to your accounts database and wreak havoc with your network.
Creating a Web Site
The simplest approach is to use a separate IP address to identify each web site on your machine. Let's say our server has five IP addresses assigned to it from the range 172.16.11.220 through 172.16.11.224. Before we create a new Human Resources web site, let's first examine the identity of the Default Web Site. Open IIS Manager in Administrative Tools, select Web Sites in the console tree, right-click on Default Web Site, and open its properties:
The IP address for the Default Web Site is All Unassigned. This means any IP address not specifically assigned to another web site on the machine opens the Default Web Site instead. A typical use for the Default Web Site is to edit its default document to display general information like a company logo and how to contact the Support Desk.
Let's use IP address 172.16.11.221 for the Human Resources site and make D:\HR the folder where the home page for this site is stored. To create the HR site, right-click on the Web Sites node and select New --> Web Site. This starts the Web Site Creation Wizard. Click Next and type a description for the site:
Click Next again and specify 172.16.11.221 as the IP address for the site:
Click Next and specify D:\HR as the home folder for the site. We've cleared the checkbox to deny anonymous access to the site because this is an internal intranet so only authenticated users should be able to access it (public web sites generally allow anonymous access):
Click Next and leave only Read access enabled since the Human Resources site will initially only be used to inform employees of company policies:
Click Next and then Finish to create the new web site:
Now let's create another intranet site, this time for Help Desk, which will use IP address 172.16.11.222 and home folder D:\Help. We'll create this one using a script instead of the GUI:
And here's the result:
The script we used here is Iisweb.vbs, one of several IIS administration scripts available when you install IIS on Windows Server 2003. Note that, unlike the Web Site Creation Wizard used previously, you can't use this script to create a web site with anonymous access disabled. So if you want to disable anonymous access, you should do it by opening the properties sheet for the Help Desk site, selecting the Directory Security tab, and clicking the Edit button under Authentication and Access Control. This opens the Authentication Methods box, where you can clear the checkbox to disable Anonymous Access and leave Windows Integrated Authentication as the only authentication method available for clients on your network:
Controlling Access to a Web Site
First let's look at how we can control access to our web sites. There are basically four ways you can do this: NTFS permissions, web permissions, IP address restrictions, and authentication method. NTFS permissions are your front line of defense, but they're a general subject that we can't cover in detail here. Web permissions are specified on the Home Directory tab of your web site's properties:
By default only Read permission is enabled, but you can also allow Write access so users can upload or modify files on your site, Script source access so users can view the code in your scripts (generally not a good idea), or Directory browsing so users can view a list of files in your site (also not a good idea). Web permissions apply equally to all users trying to access your site, and they are applied before NTFS permissions are applied. So if Read web permission is denied but NTFS Read permission is allowed, users are denied access to the site.
IP address restrictions can be used to allow or deny access to your site by clients that have a specific IP address, have an IP address within a range of addresses, or have a specific DNS domain name. To configure this, select the Directory Security tab and click the Edit button under IP Address and Domain Name Restrictions. This opens the following dialog, which by default does not restrict access to your site:
The main thing to watch for here is that denying access based on domain name involves reverse DNS lookups each time clients try to connect to your web site, and this can significantly impact the performance of your site.
The final way of controlling access to your sites is to use the Authentication Methods dialog box we looked at previously:
In summary, the five authentication options displayed here are:
• Anonymous access. Used mainly for web sites on public (Internet) web servers.
• Integrated Windows authentication. Used mainly for web sites on a private intranet.
• Digest authentication. Challenge/response authentication scheme that only works with clients running Internet Explorer 5.0 or later.
• Basic authentication. Older authentication scheme that transmits passwords over the network in clear text, so use this only in conjunction with SSL.
• .NET Passport authentication. Allows users to use their .NET Passport for authentication.
Configuring Web Site Logging
Since web sites are prime targets for attackers, you probably want to log hits to your site to see who's visiting it. By default IIS 6 logs traffic to all content as can be seen on the bottom of the General tab of the properties for a web site or virtual directory:
The default logging format is the W3C Extended Log File Format, and clicking Properties indicates new log files are created daily in the indicated directory. It's a good idea to specify that local time be used for logging traffic as this makes it easier to interpret the logs:
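An added example (not part of the original article and not Microsoft's code): a small Python reader for the W3C Extended Log File Format described above. It follows the #Fields header, including a header that changes mid-file, and counts 401/403 responses per client IP. The sample log, the TESTCORP user names, the client addresses and the threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample log (not real traffic). The second "#Fields:" header
# changes the column order mid-file; the final line is truncated on purpose.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-04-04 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2010-04-04 09:00:01 172.16.11.50 TESTCORP\\alice GET /default.htm 200
2010-04-04 09:00:07 172.16.11.77 - GET /policies.htm 401
2010-04-04 09:00:08 172.16.11.77 - GET /policies.htm 401
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-04-04 10:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2010-04-04 10:15:00 172.16.11.221 GET /policies.htm - 172.16.11.77 401
2010-04-04 10:15:02 172.16.11.221 GET /payroll.htm TESTCORP\\bob 172.16.11.60 403
2010-04-04 10:15:03 172.16.11.221 GET /default.htm
"""

DENIED = {"401", "403"}  # unauthorized / forbidden


def parse_w3c(text):
    """Yield one dict per request line, keyed by the active #Fields names."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive changes how data lines are read.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()  # IIS writes spaces inside a value as '+'
        if len(values) != len(fields):
            continue  # truncated or corrupt line, skip rather than misread
        yield dict(zip(fields, values))


def denied_by_client(records):
    """Count 401/403 responses per client IP (c-ip)."""
    hits = Counter()
    for rec in records:
        if rec.get("sc-status") in DENIED:
            hits[rec.get("c-ip", "-")] += 1
    return hits


def flag_clients(text, threshold=3):
    """Return client IPs with at least `threshold` denied requests."""
    counts = denied_by_client(parse_w3c(text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in denied_by_client(parse_w3c(SAMPLE_LOG)).most_common():
        print(f"{ip}: {n} denied request(s)")
    print("flagged:", flag_clients(SAMPLE_LOG))
```

On a site that uses Integrated Windows authentication, the first request of a session normally draws a 401 as part of the handshake, so choose the threshold with that baseline in mind.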
Configuring Web Site Redirection
Sometimes you need to take your web site down for maintenance, and in such cases it's a good idea to redirect all client traffic directed to your site to an alternate site or page informing users what's going on. IIS lets you redirect a web site to a different file or folder on the same or another web site, or even to a URL on the Internet. To configure redirection you use the Home Directory tab and choose the redirection option you want to use:
Stopping and Starting Web Sites
Finally, if sites become unavailable you may need to restart IIS to get them working again. Restarting IIS is a last resort, as any users currently connected will be disconnected and any data stored in memory by IIS applications will be lost. You can restart IIS using IIS Manager by right-clicking on the server node:
You can also do the same from the command-line using the Iisreset command:
Type iisreset /? for the full syntax of this command. You can also start and stop individual web sites using IIS Manager or the Iisweb.vbs script. And you can stop or start individual IIS services using the net commands, for example net stop w3svc will stop the WWW services only.
Summary
In this article I've explained how to create and configure web sites on IIS 6. Most of what we've covered also applies to IIS 5 on Windows 2000.
Wednesday, March 31, 2010
An Introduction to Microsoft Active Directory
Workgroups are networks in which each computer can have both the server and the client role. What I mean is that they can both share resources and make use of resources shared by other computers. This kind of network is good when we need one on a small scale and when security is not important. Here, users can easily use network resources and change their settings, such as usernames, passwords, and so on. This is because they have a database called the Local Security Database (LSD) on their systems, which stores the local computer's security information. Every time a user wants to log on, the information provided by that user is compared to that in the LSD. If they match, a token is issued to that user and he/she is allowed to enter the system. (I will explain the authentication and authorization process in a separate post.)
This kind of network has many shortcomings, among which the following are the most important:
- Workgroups increase the administrator's workload, because the admin has to set properties on computers one by one. Each user account has to be created on every system to which that specific user needs to log on, and so on.
- Security is at its lowest level. Users can adjust their system's properties and so on as they wish. Imagine a novice logs on to your workgroup, or a user with devilish intentions. The only thing that remains for you is the trouble made by these two.
These issues led to the creation of another kind of network, called a domain network. With domains you can easily manage thousands upon thousands of objects in your network, including user accounts, group accounts, computer accounts, printers, and so on. How? I'll tell you.
When you decide to implement a domain, the only things you need are a Windows Server CD and a computer to install Active Directory on (from that time on, the computer is called a domain controller, or DC). Easy, isn't it?
Now, let us see how it works.
Unlike workgroups, we don't have LSDs in domain networks. Instead we have something called the Domain Security Database (DSD), which stores information about all of the objects on our network, including user accounts, group accounts, printers, and so on. In order to log on to the network, users must first join the domain. From that time on, if a user wants to log on, the information provided by that user is compared to that stored in the DSD. If they match, the token is issued and the user can log on.
We can increase security by defining policies on the whole domain, so we don't have security issues in the future. Easy life, isn't it?
And as far as domains are concerned, the administrator's workload is greatly decreased, because you set everything on one system, just one time.
Be content.
Monday, March 29, 2010
Security Groups
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Before modifying any security settings, it is important to take into consideration the default settings.
There are three fundamental levels of security that are granted to users. These are granted to end users through membership in the Administrators, Power Users, or Users groups.
Administrators
The Administrators group is provided to perform computer maintenance tasks. The default permissions allotted to this group allow complete control over the entire system. As a result, only trusted personnel should be members of this group.
Power Users
Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default permissions that are allotted to the Power Users group allow members of the Power Users group to modify computerwide settings.
When you upgrade from Windows NT 4.0, members of the Restricted Users group are automatically placed in the Power Users group to prevent backward compatibility issues with the applications that your organization used before the upgrade. Many applications used on Windows NT 4.0 required elevated permissions to run correctly. The default Windows 2000, Windows XP Professional, and Windows Server 2003 family security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power User can run in Windows 2000, Windows XP Professional or Windows Server 2003 family.
If you do not want end users to have the elevated permissions of the Power Users group, you can make them members of the Users group and only run applications that belong to the Windows Logo program for Software. If applications that do not belong to the Windows Logo program for Software must be supported, then end users will need to be part of the Power Users group. For information about the Windows Logo program for Software, see the Windows Logo program for Software on the Microsoft Web site [ http://go.microsoft.com/fwlink/?LinkId=3688 ].
Power Users can:
- Run legacy applications, in addition to applications for Windows 2000, Windows XP Professional, or the Windows Server 2003 family that belong to the Windows Logo program for Software.
- Install programs that do not modify operating system files or install system services.
- Customize systemwide resources including printers, date, time, power options, and other Control Panel resources.
- Create and manage local user accounts and groups.
- Stop and start system services which are not started by default.
Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.
Caution
- Running legacy programs on Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family often requires you to modify access to certain system settings. The same default permissions that allow Power Users to run legacy programs also make it possible for a Power User to gain additional privileges on the system, even complete administrative control. Therefore, it is important to deploy applications belonging to the Windows Logo program for Software in order to achieve maximum security without sacrificing program functionality. These programs can run successfully under the Secure configuration that is provided by the Users group.
- Since Power Users can install or modify programs, running as a Power User when connected to the Internet could make the system vulnerable to Trojan horse programs and other security risks.
Users
The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users' data.
The Users group provides the most secure environment in which to run programs. On a volume formatted with the NTFS file system, the default security settings on a newly-installed system (but not on an upgraded system) are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify systemwide registry settings, operating system files, or program files. Users can shut down workstations but not servers. Users can create local groups, but can manage only the local groups that they created. They can run Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family programs that belong to the Windows Logo program for Software that have been installed or deployed by administrators. Users have full control over all of their own data files (stored at %userprofile%) and their own portion of the registry (located in HKEY_CURRENT_USER).
Note that user-level permissions often do not allow the user to successfully run legacy applications. To run these legacy applications, you must either loosen security to allow members of the Users group to run the applications or you must promote members of the Users group to the Power Users group. Both options decrease the security of your organization. Since members of the Users group are guaranteed to be able to run applications belonging to the Windows Logo program for Software, it is a best practice to only use applications that belong to the Windows Logo program for Software. For more information, see the Windows Logo program for Software on the Microsoft Web site [ http://go.microsoft.com/fwlink/?LinkId=3688 ].
To secure a system running Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family, an administrator should:
- Make sure that end users are members of the Users group only.
- Deploy programs that members of the Users group can run successfully, such as programs that belong to the Windows Logo program for Software.
Users will not be able to run most programs written for versions of Windows prior to Windows 2000, because they did not support file system and registry security (such as Windows 95 and Windows 98) or shipped with other default security settings (Windows NT). If you have problems running legacy applications on newly-installed NTFS systems, then do one of the following:
- Install new versions of the applications that belong to the Windows Logo program for Software.
- Move end users from the Users group into the Power Users group.
- Decrease the default security permissions for the Users group. This can be accomplished by using the Compatible security template.
The Anonymous group is no longer a member of the Everyone group
For Windows XP Professional and the Windows Server 2003 family, the Anonymous group is no longer a member of the Everyone group.
When a Windows 2000 system is upgraded to Windows XP Professional or the Windows Server 2003 family, resources with permission entries for the Everyone group (and not explicitly to the Anonymous Logon group) will no longer be available to Anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. You may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous logon group, you should explicitly add the Anonymous Logon security group and its permissions.
However, in some situations where it might be difficult to determine and modify the permission entries on resources, you can change the Network access: Let Everyone permissions apply to anonymous users [ http://technet.microsoft.com/en-us/library/cc778182(WS.10).aspx ] security setting.
Other groups
- Interactive. This group contains the user who is currently logged on to the computer. During an upgrade to Windows 2000, Windows XP Professional, or the Windows Server 2003 family, members of the Interactive group will also be added to the Power Users group, so that legacy applications will continue to function as they did before the upgrade.
- Network. This group contains all users who are currently accessing the system over the network.
- Backup Operators. Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.
Caution
- Backing up and restoring data files and system files requires permissions to read and write those files. The same default permissions granted to Backup Operators that allow them to back up and restore files also make it possible for them to use the group's permissions for other purposes, such as reading another user's files or installing Trojan horse programs. Group Policy settings can be used to create an environment in which Backup Operators only can run a backup program. For more information, see the Microsoft Security page on the Microsoft Web site [ http://go.microsoft.com/fwlink/?LinkId=102 ].