gwionwild (colonial boy) Premium, ExMod 2001-08, join: 2000-12-28, Pittsburgh, PA, kudos: 1 | reply to Kalford

On NT/2k, the attacker would have to try to crack a user account to get into the filesystem of a logged-off machine. However, it's been demonstrated that a lot of users use weak passwords, and that anything short of around an 8-character strong password is fairly easy for a skilled cracker to break. First, before anything else, go to User Manager, drop down permissions, and remove everyone from "log in over the network." Leave it blank if you don't have a LAN; otherwise, click on "show users" and grant that permission by user name, not group, to the authorized users.
Also, I strongly suggest using the directory permissions and registry permissions as additional security. You paid for the feature, after all... ...it's very possible for a cracker to use the notorious "Guest" account (disable it unless you use it for something!!!) to exploit the default "Everyone/Full Control" permissions on the filesystem. I've added "Network/No Access" to my most personal files, and I've walked the tree and changed "Everyone/Full Control" to "Authenticated Users/Full Control" on virtually everything. I've also done much the same with some of the registry trees. This is all a subject for a book, though, and beyond the scope of a reasonably sized post on this board!
Finally, there are endless possibilities for attacks other than cracking into the filesystem (again, material for a book in itself). A Trojan running as a service (yikes!) can run at the permission level of the user who "installed" it (a great argument, by the way, for the old Unix chestnut, "never surf as root (Administrator)"). Null sessions provide a vulnerability to a cracker who knows how to exploit them. The list grows every day. It is absolutely essential to have a firewall component, like ZA(?) or Tiny, that runs as a device or service, on an NT box that often sits online but logged off. Of course, with PPPoE, you may want to disconnect when you log off, too... but that's just not possible on a static IP connection.
Use a router, and set ports 135-139 as blocked at the router, as another good way of maintaining security. My own router blocks DCOM (135) and NetBIOS (137-139), as well as network printing (515 - not necessary for everyone, but I have one of those nifty networked printers that has its own NIC and runs 24/7, waiting for jobs from the network... this just keeps some jerk script kiddie from doing something cuddly cute, like sending his entire portfolio of porno art to my printer while I'm out - it's been known to happen). I also have a router filter for 1027, which is, as far as I can tell, used by the Scheduler service. It shows up as "possible IRC???" on most port scanners... and a cracker who connected on it thinking he was getting that would be thrilled to DEATH to find himself connected to a cron service on a remote machine!!
Another step I've taken is to set that dummy DMZ host at the router. That diverts attention from the network, and blackholes attempts "into the bitbucket" when they come in.
I've also created a few of my own little diversions, mainly geared towards ensuring that anyone who tries to fingerprint my OS by port usage and TCP/IP configuration will get confusing results. There are just sooo many things worth considering... how do we secure ourselves, but keep a rational balance between our paranoia and usability/convenience? Quite a task...
Sorry for the scattergun approach, but I just started thinking aloud and decided to share my thoughts... VERY incompletely, granted... still, I hope they help you think out your own plan. Best single bit of "quick and easy" advice? "Firewall." That and, if it worries you a great deal, either disconnect the network or shut down the machine when you go away. However, with nominal security consciousness, leaving a logged-off NT/2k machine should be a lot safer than a logged-off 9x machine, and a LOT safer than a logged-ON NT box... of course... I do it quite often, actually. Just to be a little surer, in the event someone does get past the router and finds a backdoor through the firewall...

-- Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill
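The post above lists four host-side settings to check by hand in User Manager and the registry. The script below is an added audit example, not code from the original post or poster, that reports (without changing) those same points on a modern Windows box: whether Guest is enabled, the LSA values that govern anonymous (null) sessions, who holds the "Access this computer from the network" right (SeNetworkLogonRight), and which directories under a chosen root still grant Everyone Full Control. It assumes PowerShell 5.1 or later and an elevated session (secedit needs it); the default root path and depth are arbitrary assumptions, and the printed icacls line is a suggestion to review, not something the script runs.

```powershell
<#
  Added audit example; not from the original post.
  Reports, does not change: Guest state, null-session restrictions,
  SeNetworkLogonRight holders, and Everyone/Full Control ACEs.
  Assumptions: PowerShell 5.1+, run elevated; $Root/$MaxDepth are arbitrary.
#>
param(
    [string]$Root     = 'C:\Users',   # tree to walk (assumption)
    [int]   $MaxDepth = 2
)

# 1. Guest account: the post says disable it unless you actually use it.
$guest = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=TRUE AND Name='Guest'"
if ($guest -and -not $guest.Disabled) { Write-Warning 'Guest account is ENABLED' }
else                                  { Write-Output  'Guest: disabled or absent' }

# 2. Null sessions: anonymous enumeration is governed by these LSA values.
#    0 (or unset) = default behaviour; 1/2 = progressively more restricted.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous') {
    $val = $lsa.$name
    Write-Output ("LSA {0,-26} = {1}" -f $name, $(if ($null -eq $val) { '<unset>' } else { $val }))
}

# 3. "Log on over the network" (SeNetworkLogonRight): export local policy with
#    secedit and resolve the SIDs. The post wants named users here, not groups.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeNetworkLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')          # secedit prefixes SIDs with '*'
        try   { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }                           # unresolvable SID: print it raw
    }
    Write-Output ('SeNetworkLogonRight held by: ' + ($holders -join '; '))
    if ($holders -contains 'Everyone') { Write-Warning 'Everyone can log on over the network' }
} else {
    Write-Output 'SeNetworkLogonRight: unassigned (nobody can log on over the network)'
}

# 4. Walk the tree for Allow ACEs that give Everyone Full Control and print the
#    icacls line that would swap in Authenticated Users, as the post describes.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
Get-ChildItem -Path $Root -Directory -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue |
  ForEach-Object {
    $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if ($hit) {
        Write-Warning ("Everyone/Full Control: {0}" -f $_.FullName)
        Write-Output  ('  suggested fix: icacls "{0}" /remove:g Everyone /grant "Authenticated Users:(OI)(CI)F"' -f $_.FullName)
    }
  }
```

Run it as `.\audit.ps1 -Root 'D:\Shares' -MaxDepth 3` (assumed file name) from an elevated prompt. The -band test deliberately matches only full-control grants, so an ACE giving Everyone Read is reported as clean; tighten the comparison if your policy is stricter than the post's. Note that secedit writes the export as UTF-16, which Select-String handles via the byte-order mark.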
gwionwild | reply to Kalford

Running a service is only really meaningful with a system like NT or 2k. With 9x, real security is so near nonexistent that a service is just as vulnerable as any other process. All a cracker needs to do on 9x... uh... no, I'm not that silly... ...but no, they aren't "true services" or "daemons" in a 9x model. 9x is an exercise in inverted security, designed to be user friendly (read: wide open), and has an easily cracked security mechanism and no concept of permissions or audit whatsoever...